Windows Analysis Report cmd.exe

Overview

General Information

Sample Name: cmd.exe
Analysis ID: 479857
MD5: d0fce3afa6aa1d58ce9fa336cc2b675b
SHA1: 4048488de6ba4bfef9edf103755519f1f762668f
SHA256: 4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22

Detection

Score: 8
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Uses 32bit PE files
PE file contains strange resources
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Binary contains a suspicious time stamp
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Found large amount of non-executed APIs
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • cmd.exe (PID: 6644 cmdline: 'C:\Users\user\Desktop\cmd.exe' MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    • conhost.exe (PID: 6720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

There are no malicious signatures.

Source: cmd.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: cmd.exe | Static PE information: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cmd.pdbUGP source: cmd.exe
Source: Binary string: cmd.pdb source: cmd.exe
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_01040207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,0_2_01040207
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_0104589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,0_2_0104589A
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_0103532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose,0_2_0103532E
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_01053E66 FindFirstFileW,FindNextFileW,FindClose,0_2_01053E66
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_01044EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,0_2_01044EC1
Source: cmd.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_01039458 InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,lstrcmpW,CreateProcessW,CloseHandle,GetLastError,GetLastError,DeleteProcThreadAttributeList,_local_unwind4,CreateProcessAsUserW,GetLastError,CloseHandle,0_2_01039458
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_01046500 NtQueryInformationToken,NtQueryInformationToken,0_2_01046500
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_0104643A NtOpenThreadToken,NtOpenProcessToken,NtClose,0_2_0104643A
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_010464CA NtQueryInformationToken,0_2_010464CA
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_0105A135 NtSetInformationFile,0_2_0105A135
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_0105C1FA SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,0_2_0105C1FA
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_01044823 NtQueryVolumeInformationFile,GetFileInformationByHandleEx,0_2_01044823
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_01057460 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,0_2_01057460
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_01044759 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError,0_2_01044759
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_01034E3B _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp,0_2_01034E3B
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_01034C10: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPAX@Z,memset,CreateFileW,DeviceIoControl,memcpy,CloseHandle,??_V@YAXPAX@Z,memset,??_V@YAXPAX@Z,FindClose,??_V@YAXPAX@Z,0_2_01034C10
Source: cmd.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\cmd.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\cmd.exe 'C:\Users\user\Desktop\cmd.exe'
Source: C:\Users\user\Desktop\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6720:120:WilError_01
Source: classification engine | Classification label: clean8.winEXE@2/0@0/0
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_0105A759 memset,GetDiskFreeSpaceExW,??_V@YAXPAX@Z,0_2_0105A759
Source: cmd.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: cmd.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: cmd.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: cmd.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: cmd.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: cmd.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_010471ED push ecx; ret 0_2_01047200
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_0104722B push ecx; ret 0_2_0104723E
Source: cmd.exe | Static PE information: section name: .didat
Source: cmd.exe | Static PE information: 0xF8D87E17 [Thu Apr 20 00:53:43 2102 UTC]
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\cmd.exe | API coverage: 10.0 %
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_01052E37 IsDebuggerPresent,0_2_01052E37
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_0105C1FA mov eax, dword ptr fs:[00000030h] 0_2_0105C1FA
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_0103C570 GetProcessHeap,RtlFreeHeap,_setjmp3,VirtualFree,0_2_0103C570
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_0104677C LdrResolveDelayLoadedAPI,0_2_0104677C
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_01046EC0 SetUnhandledExceptionFilter,0_2_01046EC0
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_01046B40 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_01046B40
Source: C:\Users\user\Desktop\cmd.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,0_2_01038572
Source: C:\Users\user\Desktop\cmd.exe | Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,GetDateFormatW,memmove,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,GetLastError,realloc,0_2_01036854
Source: C:\Users\user\Desktop\cmd.exe | Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,0_2_01039310
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_01034D08 GetVersion,0_2_01034D08
Source: C:\Users\user\Desktop\cmd.exe | Code function: 0_2_01054953 _get_osfhandle,GetLocalTime,SetLocalTime,SetLocalTime,GetLastError,GetLastError,0_2_01054953

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts 1 | Windows Management Instrumentation | Valid Accounts 1 | Valid Accounts 1 | Valid Accounts 1 | OS Credential Dumping | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Access Token Manipulation 1 | Access Token Manipulation 1 | LSASS Memory | Security Software Discovery 2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Process Injection 1 | Process Injection 1 | Security Account Manager | File and Directory Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Timestomp 1 | NTDS | System Information Discovery 14 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Obfuscated Files or Information 1 | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings

Behavior Graph

[Behavior graph, image not preserved. Behavior Graph ID: 479857, Sample: cmd.exe, Startdate: 08/09/2021, Architecture: WINDOWS, Score: 8. Process cmd.exe started, then started conhost.exe.]

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
cmd.exe | 0% | Virustotal | | Browse
cmd.exe | 0% | Metadefender | | Browse
cmd.exe | 0% | ReversingLabs | |

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 479857
Start date: 08.09.2021
Start time: 15:30:32
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 45s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: cmd.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: CLEAN
Classification: clean8.winEXE@2/0@0/0
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 94.4% (good quality ratio 85.8%)
  • Quality average: 69.6%
  • Quality standard deviation: 31.7%
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
  • Not all processes were analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type: PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit): 6.4416694948877025
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: cmd.exe
File size: 236544
MD5: d0fce3afa6aa1d58ce9fa336cc2b675b
SHA1: 4048488de6ba4bfef9edf103755519f1f762668f
SHA256: 4d89fc34d5f0f9babd022271c585a9477bf41e834e46b991deaa0530fdb25e22
SHA512: 80e127ef81752cd50f9ea2d662dc4d3bf8db8d29680e75fa5fc406ca22cafa5c4d89ef2eac65b486413d3cdd57a2c12a1cb75f65d1e312a717d262265736d1c2
SSDEEP: 6144:i4VU52dn+OAdUV0RzCcXkThYrK9qqUtmtime:i4K2B+Ob2h0NXIn

File Icon

Icon Hash: b0ef7ac32101a5a0

Static PE Info

General

Entrypoint: 0x416b20
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows cui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: GUARD_CF, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0xF8D87E17 [Thu Apr 20 00:53:43 2102 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 10
OS Version Minor: 0
File Version Major: 10
File Version Minor: 0
Subsystem Version Major: 10
Subsystem Version Minor: 0
Import Hash: 392b4d61b1d1dadc1f06444df258188a

Entrypoint Preview

Instruction
call 00007FA480A66015h
jmp 00007FA480A6581Eh
int3
int3
int3
int3
int3
int3
cmp ecx, dword ptr [0042E0B4h]
jne 00007FA480A65A45h
retn 0000h
jmp 00007FA480A65A6Fh
mov edi, edi
push ebp
mov ebp, esp
push 00000000h
call dword ptr [0044A08Ch]
push dword ptr [ebp+08h]
call dword ptr [0044A088h]
push C0000409h
call dword ptr [0044A214h]
push eax
call dword ptr [0044A20Ch]
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000324h
mov dword ptr [0042E2B8h], eax
mov dword ptr [0042E2B4h], ecx
mov dword ptr [0042E2B0h], edx
mov dword ptr [0042E2ACh], ebx
mov dword ptr [0042E2A8h], esi
mov dword ptr [0042E2A4h], edi
mov word ptr [0042E2D0h], ss
mov word ptr [0042E2C4h], cs
mov word ptr [0042E2A0h], ds
mov word ptr [0042E29Ch], es
mov word ptr [0042E298h], fs
mov word ptr [0042E294h], gs
pushfd
pop dword ptr [0042E2C8h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0042E2BCh], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [0042E2C0h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0042E2CCh], eax
mov eax, dword ptr [ebp-00000324h]

Rich Headers

Programming Language:
  • [IMP] VS2008 SP1 build 30729

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4a4c8 | 0x2f8 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4e000 | 0x84f8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x57000 | 0x25f0 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x35a0 | 0x54 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x15d0 | 0xac | .text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x4a000 | 0x4c4 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x2cd9c | 0x80 | .text
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2c014 | 0x2c200 | False | 0.565775495751 | COM executable for DOS | 6.55332986326 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x2e000 | 0x1b538 | 0x200 | False | 0.361328125 | data | 2.96564783165 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata | 0x4a000 | 0x24c4 | 0x2600 | False | 0.384662828947 | data | 5.39610584793 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat | 0x4d000 | 0x48 | 0x200 | False | 0.109375 | data | 0.693504884204 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x4e000 | 0x84f8 | 0x8600 | False | 0.282678404851 | data | 4.35871392052 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x57000 | 0x25f0 | 0x2600 | False | 0.826171875 | data | 6.79918405865 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
MUI | 0x56420 | 0xd8 | data | English | United States
RT_ICON | 0x4e778 | 0x668 | data | English | United States
RT_ICON | 0x4ede0 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 356432, next used block 458800 | English | United States
RT_ICON | 0x4f0c8 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x4f1f0 | 0xea8 | data | English | United States
RT_ICON | 0x50098 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
RT_ICON | 0x50940 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
RT_ICON | 0x50ea8 | 0x169e | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
RT_ICON | 0x52548 | 0x25a8 | data | English | United States
RT_ICON | 0x54af0 | 0x10a8 | data | English | United States
RT_ICON | 0x55b98 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_GROUP_ICON | 0x56000 | 0x92 | data | English | United States
RT_VERSION | 0x56098 | 0x388 | data | English | United States
RT_MANIFEST | 0x4e350 | 0x426 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States

Imports

DLL | Import
msvcrt.dll | __dllonexit, _unlock, _lock, _initterm, wcsspn, _tell, _except_handler4_common, __setusermatherr, __p__fmode, _cexit, _exit, __set_app_type, __getmainargs, _amsg_exit, __p__commode, _XcptFilter, calloc, free, _purecall, __CxxFrameHandler3, ?terminate@@YAXXZ, _wcslwr, _controlfp, _dup2, memcmp, _local_unwind4, _dup, ??1type_info@@UAE@XZ, _close, _open_osfhandle, swscanf, _ultoa, _pipe, memmove, wcsncmp, _setmode, exit, _getch, iswspace, wcschr, iswxdigit, _setjmp3, time, srand, _wtol, fflush, wcsstr, iswalpha, wcstoul, ??3@YAXPAX@Z, _errno, ??_V@YAXPAX@Z, printf, memcpy_s, _onexit, fgets, qsort, rand, _pclose, fprintf, wcsrchr, ferror, realloc, towlower, setlocale, towupper, _wcsupr, feof, _wpopen, _wcsnicmp, _get_osfhandle, longjmp, iswdigit, wcstol, _vsnwprintf, _wcsicmp, __iob_func, malloc, _callnewh, ??0exception@@QAE@ABQBD@Z, ??0exception@@QAE@ABQBDH@Z, ??0exception@@QAE@ABV0@@Z, ??1exception@@UAE@XZ, ?what@exception@@UBEPBDXZ, _CxxThrowException, memcpy, memset
ntdll.dll | NtOpenProcessToken, NtQueryInformationToken, NtClose, NtOpenThreadToken, NtFsControlFile, RtlDosPathNameToNtPathName_U, RtlFindLeastSignificantBit, RtlFreeHeap, RtlReleaseRelativeName, NtOpenFile, RtlDosPathNameToRelativeNtPathName_U_WithStatus, NtSetInformationFile, NtQueryVolumeInformationFile, NtSetInformationProcess, NtQueryInformationProcess, RtlNtStatusToDosError, NtCancelSynchronousIoFile, RtlCreateUnicodeStringFromAsciiz, RtlFreeUnicodeString
api-ms-win-core-kernel32-legacy-l1-1-0.dll | GetConsoleWindow, CopyFileW
api-ms-win-core-libraryloader-l1-2-0.dll | GetProcAddress, GetModuleFileNameA, LoadLibraryExW, GetModuleHandleW, GetModuleHandleExW, GetModuleFileNameW
api-ms-win-core-synch-l1-1-0.dll | WaitForSingleObject, TryAcquireSRWLockExclusive, CreateSemaphoreExW, CreateMutexExW, OpenSemaphoreW, AcquireSRWLockShared, ReleaseSRWLockShared, InitializeCriticalSection, EnterCriticalSection, ReleaseSemaphore, ReleaseSRWLockExclusive, LeaveCriticalSection, ReleaseMutex, WaitForSingleObjectEx
api-ms-win-core-heap-l1-1-0.dll | HeapAlloc, HeapSetInformation, HeapReAlloc, GetProcessHeap, HeapSize, HeapFree
api-ms-win-core-errorhandling-l1-1-0.dll | SetLastError, GetLastError, SetErrorMode, UnhandledExceptionFilter, SetUnhandledExceptionFilter
api-ms-win-core-processthreads-l1-1-0.dll | GetStartupInfoW, GetCurrentThreadId, CreateProcessW, CreateProcessAsUserW, UpdateProcThreadAttribute, InitializeProcThreadAttributeList, GetExitCodeProcess, TerminateProcess, GetCurrentProcessId, GetCurrentProcess, DeleteProcThreadAttributeList, OpenThread, ResumeThread
api-ms-win-core-localization-l1-2-0.dll | GetLocaleInfoW, FormatMessageW, SetThreadLocale, GetACP, GetThreadLocale, GetUserDefaultLCID, GetCPInfo
api-ms-win-core-debug-l1-1-0.dll | OutputDebugStringW, IsDebuggerPresent, DebugBreak
api-ms-win-core-handle-l1-1-0.dll | CloseHandle, DuplicateHandle
api-ms-win-core-memory-l1-1-0.dll | VirtualFree, VirtualAlloc, VirtualQuery, ReadProcessMemory
api-ms-win-core-console-l1-1-0.dll | ReadConsoleW, WriteConsoleW, GetConsoleMode, SetConsoleMode, SetConsoleCtrlHandler, GetConsoleOutputCP
api-ms-win-core-file-l1-1-0.dll | ReadFile, GetFileAttributesW, GetFileSize, SetFilePointer, GetFullPathNameW, GetVolumePathNameW, CreateFileW, WriteFile, SetFilePointerEx, FindFirstFileExW, GetDiskFreeSpaceExW, FileTimeToLocalFileTime, CompareFileTime, RemoveDirectoryW, FindFirstFileW, GetFileType, FindNextFileW, FindClose, GetVolumeInformationW, SetFileTime, DeleteFileW, SetEndOfFile, SetFileAttributesW, CreateDirectoryW, GetDriveTypeW, FlushFileBuffers, GetFileAttributesExW
api-ms-win-core-string-l1-1-0.dll | WideCharToMultiByte, MultiByteToWideChar
api-ms-win-core-processenvironment-l1-1-0.dll | SetEnvironmentStringsW, GetStdHandle, SetEnvironmentVariableW, GetCurrentDirectoryW, FreeEnvironmentStringsW, ExpandEnvironmentStringsW, GetEnvironmentVariableW, GetEnvironmentStringsW, SetCurrentDirectoryW, SearchPathW, GetCommandLineW
api-ms-win-core-console-l2-1-0.dll | SetConsoleTextAttribute, GetConsoleScreenBufferInfo, FillConsoleOutputAttribute, FlushConsoleInputBuffer, FillConsoleOutputCharacterW, SetConsoleCursorPosition, ScrollConsoleScreenBufferW
api-ms-win-security-base-l1-1-0.dll | RevertToSelf, GetSecurityDescriptorOwner, GetFileSecurityW
api-ms-win-core-sysinfo-l1-1-0.dll | GetSystemTimeAsFileTime, GetSystemTime, GetTickCount, SetLocalTime, GetLocalTime, GetVersion, GetWindowsDirectoryW
api-ms-win-core-timezone-l1-1-0.dll | FileTimeToSystemTime, SystemTimeToFileTime
api-ms-win-core-datetime-l1-1-0.dll | GetTimeFormatW, GetDateFormatW
api-ms-win-core-systemtopology-l1-1-0.dll | GetNumaHighestNodeNumber, GetNumaNodeProcessorMaskEx
api-ms-win-core-console-l2-2-0.dll | SetConsoleTitleW, GetConsoleTitleW
api-ms-win-core-processenvironment-l1-2-0.dll | NeedCurrentDirectoryForExePathW
api-ms-win-core-registry-l1-1-0.dll | RegSetValueExW, RegCreateKeyExW, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyExW, RegEnumKeyExW
api-ms-win-core-file-l2-1-0.dll | CreateSymbolicLinkW, GetFileInformationByHandleEx, MoveFileExW, MoveFileWithProgressW, CreateHardLinkW
api-ms-win-core-heap-l2-1-0.dll | GlobalFree, GlobalAlloc, LocalFree
api-ms-win-core-io-l1-1-0.dll | DeviceIoControl
api-ms-win-core-winrt-l1-1-0.dll | RoInitialize, RoUninitialize
api-ms-win-core-processtopology-l1-1-0.dll | GetThreadGroupAffinity
api-ms-win-core-synch-l1-2-0.dll | Sleep
api-ms-win-core-profile-l1-1-0.dll | QueryPerformanceCounter
api-ms-win-core-string-obsolete-l1-1-0.dll | lstrcmpW, lstrcmpiW
api-ms-win-core-processtopology-obsolete-l1-1-0.dll | SetProcessAffinityMask
api-ms-win-core-apiquery-l1-1-0.dll | ApiSetQueryApiSetPresence
api-ms-win-core-delayload-l1-1-1.dll | ResolveDelayLoadedAPI
api-ms-win-core-delayload-l1-1-0.dll | DelayLoadFailureHook

Version Infos

Description | Data
LegalCopyright | Microsoft Corporation. All rights reserved.
InternalName | cmd
FileVersion | 10.0.19041.746 (WinBuild.160101.0800)
CompanyName | Microsoft Corporation
ProductName | Microsoft Windows Operating System
ProductVersion | 10.0.19041.746
FileDescription | Windows Command Processor
OriginalFilename | Cmd.Exe
Translation | 0x0409 0x04b0

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

No network behavior found

System Behavior

General

Start time: 15:31:35
Start date: 08/09/2021
Path: C:\Users\user\Desktop\cmd.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\cmd.exe'
Imagebase: 0x1030000
File size: 236544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low

General

Start time: 15:31:37
Start date: 08/09/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7ecfc0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Disassembly

Code Analysis

    Executed Functions

    Control-flow Graph

    [Control-flow graph of function 01054191, graph not preserved]
    C-Code - Quality: 48%
    			E01054191(void __ecx, signed int __edx, long _a4, DWORD* _a8) {
    				signed int _v8;
    				signed int _v16;
    				struct _CONSOLE_SCREEN_BUFFER_INFO _v32;
    				unsigned int _v36;
    				intOrPtr _v40;
    				unsigned int _v44;
    				intOrPtr _v50;
    				struct _CONSOLE_SCREEN_BUFFER_INFO _v56;
    				signed int _v68;
    				void* _v76;
    				void* _v80;
    				DWORD* _v84;
    				long _v88;
    				void* _v90;
    				signed int _v92;
    				int _v96;
    				void* _v100;
    				long _v108;
    				signed int _v112;
    				void* _v120;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				signed int _t83;
    				void* _t85;
    				int _t86;
    				int _t87;
    				int _t89;
    				int _t93;
    				signed int _t95;
    				void* _t99;
    				void* _t104;
    				void* _t105;
    				void _t106;
    				void _t107;
    				signed int _t108;
    				void* _t118;
    				void _t119;
    				signed int _t133;
    				signed int _t134;
    				void* _t141;
    				void* _t142;
    				long _t143;
    				void* _t147;
    				signed char _t149;
    				signed int _t152;
    				void* _t156;
    				signed int _t157;
    				void* _t159;
    				void* _t163;
    				void* _t168;
    				void* _t169;
    				int _t170;
    				void* _t177;
    				void* _t178;
    				void* _t181;
    				void* _t182;
    				void* _t184;
    				void* _t185;
    				DWORD* _t187;
    				void* _t189;
    				struct _COORD _t190;
    				signed int _t191;
    				signed int _t193;
    				void* _t196;
    				void* _t197;
    				void* _t206;
    				void* _t207;
    
    				_t173 = __edx;
    				_t193 = (_t191 & 0xfffffff8) - 0x54;
    				_t83 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t83 ^ _t193;
    				_t187 = _a8;
    				_t184 = __edx;
    				_v56.dwCursorPosition = __ecx;
    				_v80 = _t187;
    				_t85 = GetStdHandle(0xfffffff5);
    				_v76 = _t85;
    				if(_t85 == 0xffffffff) {
    					__imp___get_osfhandle(1);
    					_v76 = _t85;
    				}
    				if( *0x1066755 == 0) {
    					L66:
    					__imp__AcquireSRWLockShared(0x1078e04);
    					_t86 = ReadConsoleW(_v56.dwSize, _t184, _a4, _t187, 0);
    					__imp__ReleaseSRWLockShared(0x1078e04);
    					_t87 = _t86;
    				} else {
    					_t147 = 0x20;
    					_t196 =  *0x105e0d0 - _t147; // 0x9
    					if(_t196 >= 0) {
    						goto L66;
    					} else {
    						_t197 =  *0x105e0cc - _t147; // 0x9
    						if(_t197 >= 0) {
    							goto L66;
    						} else {
    							_t89 = GetConsoleScreenBufferInfo(_t85,  &_v32); // executed
    							if(_t89 == 0) {
    								goto L66;
    							} else {
    								_t149 =  *0x105e0d0; // 0x9
    								_t190 = _v32.dwCursorPosition;
    								_t142 = 0;
    								_t173 = 1 << _t149;
    								asm("bts edx, eax");
    								_v68 = _t190;
    								_v56.wAttributes = 0x10;
    								_v56.dwSize = 0;
    								_v44 = 0;
    								_v40 = 1;
    								_v36 = 0;
    								E0105C0F8( *0x105e0cc & 0x0000ffff);
    								 *0x106672c = 0;
    								 *0x1066724 = 0;
    								 *0x1066720 = 0;
    								 *0x1066728 = 0;
    								while(1) {
    									L7:
    									__imp__AcquireSRWLockShared(0x1078e04);
    									_t93 = ReadConsoleW(_v56.dwSize, _t184, _a4, _v84,  &(_v56.dwCursorPosition)); // executed
    									_v92 = _t93;
    									__imp__ReleaseSRWLockShared(0x1078e04);
    									_v68 =  *_v88;
    									if( *0x106259c == 0) {
    										_t95 = 0;
    										__eflags = 0;
    									} else {
    										EnterCriticalSection( *0x10625a4);
    										 *0x106259c = 0;
    										LeaveCriticalSection( *0x10625a4);
    										if(_t142 != 0) {
    											RtlFreeHeap(GetProcessHeap(), 0, _t142);
    										}
    										_t95 = 0;
    										_t142 = 0;
    									}
    									if(_v96 == 0) {
    										break;
    									}
    									_t173 = _t173 | 0xffffffff;
    									_v92 = _v92 | 0xffffffff;
    									_v80 = _t95;
    									if( *_v88 <= 0) {
    										break;
    									} else {
    										while(1) {
    											_t152 =  *(_t184 + _t95 * 2) & 0x0000ffff;
    											if(_t152 == 0xd) {
    												break;
    											}
    											_t206 = _t152 -  *0x105e0d0; // 0x9
    											if(_t206 == 0) {
    												_v92 = _t95;
    												goto L25;
    											} else {
    												_t207 = _t152 -  *0x105e0cc; // 0x9
    												if(_t207 == 0) {
    													_v92 = _t95;
    													_v80 = 1;
    													L24:
    													__eflags = _t173 - 0xffffffff;
    													if(_t173 != 0xffffffff) {
    														goto L18;
    													} else {
    														L25:
    														__eflags = _t95 - 0xffffffff;
    														if(_t95 == 0xffffffff) {
    															goto L18;
    														} else {
    															 *_v88 = _t95;
    															 *(_t184 + _t95 * 2) = 0;
    															__eflags = _t142;
    															if(_t142 == 0) {
    																L35:
    																_v96 = 1;
    															} else {
    																_t169 = _t142;
    																_t133 = _t184;
    																while(1) {
    																	_t181 =  *_t133;
    																	__eflags = _t181 -  *_t169;
    																	if(_t181 !=  *_t169) {
    																		break;
    																	}
    																	__eflags = _t181;
    																	if(_t181 == 0) {
    																		L32:
    																		_t170 = 0;
    																		_t134 = 0;
    																	} else {
    																		_t182 =  *((intOrPtr*)(_t133 + 2));
    																		__eflags = _t182 -  *((intOrPtr*)(_t169 + 2));
    																		if(_t182 !=  *((intOrPtr*)(_t169 + 2))) {
    																			break;
    																		} else {
    																			_t133 = _t133 + 4;
    																			_t169 = _t169 + 4;
    																			__eflags = _t182;
    																			if(_t182 != 0) {
    																				continue;
    																			} else {
    																				goto L32;
    																			}
    																		}
    																	}
    																	L34:
    																	_v96 = _t170;
    																	__eflags = _t134;
    																	if(_t134 != 0) {
    																		goto L35;
    																	}
    																	goto L36;
    																}
    																asm("sbb eax, eax");
    																_t134 = _t133 | 0x00000001;
    																_t170 = 0;
    																__eflags = 0;
    																goto L34;
    															}
    															L36:
    															_t99 = _v80;
    															__eflags = _t99;
    															if(__eflags == 0) {
    																__eflags = _v92 - 2;
    																if(__eflags > 0) {
    																	__imp___wcsnicmp(_t184, L"cd ", 3);
    																	_t193 = _t193 + 0xc;
    																	__eflags = _t99;
    																	if(__eflags == 0) {
    																		L45:
    																		_t99 = 1;
    																	} else {
    																		__imp___wcsnicmp(_t184, L"rd ", 3);
    																		_t193 = _t193 + 0xc;
    																		__eflags = _t99;
    																		if(__eflags == 0) {
    																			goto L45;
    																		} else {
    																			__imp___wcsnicmp(_t184, L"md ", 3);
    																			_t193 = _t193 + 0xc;
    																			__eflags = _t99;
    																			if(__eflags == 0) {
    																				goto L45;
    																			} else {
    																				__imp___wcsnicmp(_t184, L"chdir ", 6);
    																				_t193 = _t193 + 0xc;
    																				__eflags = _t99;
    																				if(__eflags == 0) {
    																					goto L45;
    																				} else {
    																					__imp___wcsnicmp(_t184, L"rmdir ", 6);
    																					_t193 = _t193 + 0xc;
    																					__eflags = _t99;
    																					if(__eflags == 0) {
    																						goto L45;
    																					} else {
    																						__imp___wcsnicmp(_t184, L"mkdir ", 6);
    																						_t193 = _t193 + 0xc;
    																						__eflags = _t99;
    																						if(__eflags == 0) {
    																							goto L45;
    																						} else {
    																							__imp___wcsnicmp(_t184, L"pushd ", 6);
    																							_t193 = _t193 + 0xc;
    																							__eflags = _t99;
    																							if(__eflags != 0) {
    																								_t99 = _v80;
    																							} else {
    																								goto L45;
    																							}
    																						}
    																					}
    																				}
    																			}
    																		}
    																	}
    																}
    															}
    															_push(_v96);
    															_t155 = _t184;
    															_push(_t99);
    															_push( !(_v44 >> 4) & 0x00000001);
    															_push(_v92);
    															_t104 = E0105BED0(_t142, _t184, _a4, _t184, _t190, __eflags);
    															__eflags = _t104;
    															if(_t104 == 0) {
    																_t105 = E010472EF(_t155);
    																__eflags = _t105;
    																if(_t105 != 0) {
    																	 *0x107d014(0xffffffff);
    																}
    																_t156 = _t184;
    																_t177 = _t156 + 2;
    																do {
    																	_t106 =  *_t156;
    																	_t156 = _t156 + 2;
    																	__eflags = _t106 - _v80;
    																} while (_t106 != _v80);
    																_t157 = _t156 - _t177;
    																__eflags = _t157;
    																_v68 = _t157 >> 1;
    															} else {
    																E01059F18();
    																_t118 = GetConsoleScreenBufferInfo(_v100,  &_v56);
    																__eflags = _t118;
    																if(_t118 != 0) {
    																	_t168 = _v50 - (_v92 + _v108) / _v56;
    																	__eflags = _t168;
    																	_v90 = _t168;
    																	_t190 = _v92;
    																}
    																_t163 = _t184;
    																_t178 = _t163 + 2;
    																do {
    																	_t119 =  *_t163;
    																	_t163 = _t163 + 2;
    																	__eflags = _t119 - _v80;
    																} while (_t119 != _v80);
    																_v88 = _t163 - _t178 >> 1;
    																SetConsoleCursorPosition(_v100, _t190);
    																_push( &_v84);
    																_push(_t190);
    																_push(_v84);
    																_push(0x20);
    																_push(_v100);
    																FillConsoleOutputCharacterW();
    																WriteConsoleW(_v120, _t184, _v108,  &_v108, 0);
    																_v88 = _v108;
    																E0103E310(_v108);
    															}
    															__eflags = _t142;
    															if(_t142 == 0) {
    																_t143 = 0;
    																__eflags = 0;
    															} else {
    																_t143 = 0;
    																RtlFreeHeap(GetProcessHeap(), 0, _t142);
    															}
    															_t159 = _t184;
    															_t173 = _t159 + 2;
    															do {
    																_t107 =  *_t159;
    																_t159 = _t159 + 2;
    																__eflags = _t107 - _t143;
    															} while (_t107 != _t143);
    															_t108 = (_t159 - _t173 >> 1) + 1;
    															_v112 = _t108;
    															_t142 = HeapAlloc(GetProcessHeap(), _t143, _t108 + _t108);
    															__eflags = _t142;
    															if(_t142 == 0) {
    																_t87 = 0;
    															} else {
    																_t173 = _v112;
    																E0103F3A0(_t142, _t173, _t184);
    																goto L7;
    															}
    														}
    													}
    												} else {
    													_t95 = _t95 + 1;
    													if(_t95 <  *_v88) {
    														continue;
    													} else {
    														goto L18;
    													}
    												}
    											}
    											goto L67;
    										}
    										_t173 = _t95;
    										_t95 = _v92;
    										goto L24;
    									}
    									goto L67;
    								}
    								L18:
    								if(_t142 != 0) {
    									RtlFreeHeap(GetProcessHeap(), 0, _t142);
    								}
    								_t87 = _v96;
    							}
    						}
    					}
    				}
    				L67:
    				_pop(_t185);
    				_pop(_t189);
    				_pop(_t141);
    				return E01046B30(_t87, _t141, _v16 ^ _t193, _t173, _t185, _t189);
    			}

    APIs
    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,?,00000000,00000001), ref: 010541B9
    • _get_osfhandle.MSVCRT ref: 010541CA
    • GetConsoleScreenBufferInfo.KERNELBASE(00000000,?), ref: 01054205
    • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01078E04), ref: 0105426C
    • ReadConsoleW.KERNELBASE(?,?,01059E02,?,00000010), ref: 01054283
    • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01078E04), ref: 01054292
    • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 010542B1
    • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 010542C4
    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 010542D2
    • RtlFreeHeap.NTDLL(00000000), ref: 010542D9
    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 0105432F
    • RtlFreeHeap.NTDLL(00000000), ref: 01054336
    • _wcsnicmp.MSVCRT ref: 010543DB
    • _wcsnicmp.MSVCRT ref: 010543F0
    • _wcsnicmp.MSVCRT ref: 01054405
    • _wcsnicmp.MSVCRT ref: 0105441A
    • _wcsnicmp.MSVCRT ref: 0105442F
    • _wcsnicmp.MSVCRT ref: 01054444
    • _wcsnicmp.MSVCRT ref: 01054459
    • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,00000001,?), ref: 010544A5
    • SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?), ref: 010544F0
    • FillConsoleOutputCharacterW.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,00000020,?,?,?), ref: 01054506
    • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,?,?,00000000), ref: 0105451D
    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 01054565
    • RtlFreeHeap.NTDLL(00000000), ref: 0105456C
    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,00000001), ref: 01054595
    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 0105459C
    • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01078E04), ref: 010545C3
    • ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?,01059E02,?,00000000), ref: 010545D4
    • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01078E04), ref: 010545DD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: Heap$Console_wcsnicmp$LockProcessShared$Free$AcquireBufferCriticalInfoReadReleaseScreenSection$AllocCharacterCursorEnterFillHandleLeaveOutputPositionWrite_get_osfhandle
    • String ID: cd $chdir $md $mkdir $pushd $rd $rmdir
    • API String ID: 2991647268-3100821235
    • Opcode ID: 85028897f9ea2a35a4edd83ff241dcbe31c5b83082813ebcb838f0fabf8bf0e6
    • Instruction ID: 924800fbc6a7444fdc2d2acaa86cc2e833157fb06b084d8c4ff2fca135893419
    • Opcode Fuzzy Hash: 85028897f9ea2a35a4edd83ff241dcbe31c5b83082813ebcb838f0fabf8bf0e6
    • Instruction Fuzzy Hash: A5C1C230A04301DBD7A09F28D848AAFBBE5FB88754F04892DF9D6D7195E73AC584CB51
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    [Figure: control-flow graph of function 0103D660]
    C-Code - Quality: 48%
    			E0103D660() {
    				long _v8;
    				int _v12;
    				LONG* _v16;
    				long _v20;
    				char* _v24;
    				void* _v28;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				signed int _t83;
    				void* _t85;
    				int _t86;
    				int _t88;
    				int _t89;
    				signed short _t90;
    				long _t91;
    				signed int _t92;
    				long _t94;
    				void* _t96;
    				signed short* _t98;
    				int _t100;
    				void* _t102;
    				int _t103;
    				wchar_t* _t110;
    				signed int* _t111;
    				int _t112;
    				long _t115;
    				int _t116;
    				long _t117;
    				int _t119;
    				long _t120;
    				int _t122;
    				int _t126;
    				long _t127;
    				signed char _t128;
    				int _t131;
    				int _t133;
    				long _t134;
    				int _t141;
    				int _t143;
    				void* _t144;
    				int _t145;
    				int _t146;
    				signed int _t150;
    				int _t154;
    				signed short* _t155;
    				int _t157;
    				signed short* _t159;
    				signed int _t164;
    				void* _t168;
    				int _t169;
    				int _t170;
    				signed short* _t174;
    				int _t178;
    				signed short _t181;
    				signed short* _t182;
    				int _t185;
    				int _t186;
    				signed short* _t189;
    				LONG* _t190;
    				void* _t192;
    				signed short* _t194;
    				signed short* _t195;
    				signed int _t196;
    				int _t200;
    				long _t202;
    				void* _t203;
    
    				EnterCriticalSection( *0x10625a4);
    				 *0x106259c = 0;
    				LeaveCriticalSection( *0x10625a4);
    				_t150 =  *0x10665d8;
    				 *0x10625c0 =  *((intOrPtr*)( *0x10665cc - 2));
    				_t83 = _t150 & 0x00000003;
    				if(_t83 != 3) {
    					_t178 = _t83 - 1;
    					__eflags = _t178;
    					if(_t178 != 0) {
    						__eflags = _t178 - 1;
    						if(__eflags == 0) {
    							goto L1;
    						}
    						L50:
    						 *0x10665cc = 0x10625c2;
    						E0103DA30(_t143, _t190, _t243);
    						_t98 =  *0x10665cc;
    						 *0x10665c8 = _t98;
    						return _t98;
    					}
    					_t202 =  *0x10665d4;
    					__eflags = 0;
    					 *0x10665c2 = 0;
    					E0103F3A0(0x10625c2, 0x2002, _t202);
    					_t174 = 0x10625c2;
    					_t34 =  &(_t174[1]); // 0x10625c4
    					_t189 = _t34;
    					do {
    						_t141 =  *_t174;
    						_t174 =  &(_t174[1]);
    						__eflags = _t141;
    					} while (__eflags != 0);
    					 *0x10665d4 = _t202 + (_t174 - _t189 >> 1) * 2;
    					goto L50;
    				}
    				L1:
    				if(_t83 == 2 ||  *0x10665d4 == 0) {
    					__eflags = _t150 & 0x00008000;
    					if((_t150 & 0x00008000) == 0) {
    						E0105769E(_t150); // executed
    						 *0x10665d8 =  *0x10665d8 | 0x00008000;
    					} else {
    						_push(0);
    						_push(0x2352);
    						E010363BD(_t150);
    						_t203 = _t203 + 8;
    					}
    				}
    				EnterCriticalSection( *0x10625a4);
    				 *0x106259c = 0;
    				LeaveCriticalSection( *0x10625a4);
    				_t85 =  *0x10665d4;
    				if(_t85 == 0) {
    					_t86 = E01059FCF(_t85, 0);
    					__eflags = _t86;
    					if(_t86 != 0) {
    						L85:
    						_v8 = 0;
    						__eflags = 0;
    						do {
    							__imp___get_osfhandle( &_v16);
    							_t203 = _t203 + 4;
    							_t88 = E010545F9( &_v16, 0x106ca30,  *0x10665d4, 1);
    							__eflags = _t88;
    							if(_t88 != 0) {
    								L88:
    								__eflags = _v16;
    								if(_v16 == 0) {
    									L92:
    									_t154 = _v8;
    									_v12 = _t154;
    									goto L26;
    								}
    								_t154 = _v8 + 1;
    								_v12 = _t154;
    								_v8 = _t154;
    								__eflags =  *((short*)(0x106ca2e + _t154 * 2)) - 0xa;
    								if( *((short*)(0x106ca2e + _t154 * 2)) == 0xa) {
    									goto L26;
    								}
    								goto L90;
    							}
    							_t115 = GetLastError();
    							__eflags = _t115 - 0xea;
    							if(_t115 != 0xea) {
    								goto L92;
    							}
    							goto L88;
    							L90:
    							__eflags = _t154 - 0x2000;
    						} while (_t154 < 0x2000);
    						goto L26;
    					}
    					_t116 = E0103DD98(_t86); // executed
    					__eflags = _t116;
    					if(_t116 == 0) {
    						L73:
    						_t85 =  *0x10665d4;
    						__eflags = _t85;
    						if(_t85 != 0) {
    							goto L4;
    						}
    						_t131 = E0103DD98(_t85); // executed
    						__eflags = _t131;
    						if(_t131 == 0) {
    							L84:
    							_t85 =  *0x10665d4;
    							goto L4;
    						}
    						__eflags =  *0x106671c & 0x00000001;
    						if(( *0x106671c & 0x00000001) == 0) {
    							goto L84;
    						}
    						__eflags =  *0x1079518;
    						if( *0x1079518 == 0) {
    							EnterCriticalSection( *0x10625a4);
    							 *0x106259c = 0;
    							LeaveCriticalSection( *0x10625a4);
    							__imp___get_osfhandle( &_v8);
    							_t203 = _t203 + 4;
    							_t133 = E01054191( &_v8, 0x106ca30,  *0x10665d4, 0x2000); // executed
    							__eflags = _t133;
    							if(_t133 == 0) {
    								goto L59;
    							}
    							_t154 = _v8;
    							_v12 = _t154;
    							__eflags = _t154;
    							if(_t154 == 0) {
    								_t134 = GetLastError();
    								_push(L"\r\n");
    								__eflags = _t134 - 0x3e3;
    								if(_t134 == 0x3e3) {
    									E01039950();
    									_t203 = _t203 + 4;
    									__imp__longjmp(0x1070a70, 0xffffffff);
    								}
    								E01039950();
    								_t154 = _v8;
    								_t203 = _t203 + 4;
    								_v12 = _t154;
    							}
    							_t120 = 0;
    							goto L61;
    						}
    						_t120 = E01057613( &_v8, 0, 0,  &_v8);
    						goto L60;
    					}
    					__eflags =  *0x106671c & 0x00000001;
    					if(( *0x106671c & 0x00000001) == 0) {
    						goto L85;
    					}
    					goto L73;
    				} else {
    					L4:
    					__imp___get_osfhandle(_t85);
    					_t203 = _t203 + 4;
    					_t144 = _t85;
    					_v28 = _t144;
    					_t192 = 0x106a7f0;
    					_t117 = SetFilePointer(_t144, 0, 0, 1);
    					_v24 = _t117;
    					__imp__AcquireSRWLockShared(0x1078e04);
    					_t119 = ReadFile(_t144, 0x106a7f0, 0x1fff,  &_v8, 0);
    					__imp__ReleaseSRWLockShared(0x1078e04);
    					_t154 = _v8;
    					_v12 = _t154;
    					if(_t119 == 0) {
    						_t89 = 0;
    						L22:
    						if( *0x106259c != 0) {
    							EnterCriticalSection( *0x10625a4);
    							 *0x106259c = 0;
    							LeaveCriticalSection( *0x10625a4);
    							__imp__longjmp(0x1070a70, 0xffffffff);
    							L108:
    							_t154 = 0;
    							_t112 = E0103DD98(_t89);
    							__eflags = _t112;
    							if(_t112 == 0) {
    								L111:
    								E01059922();
    								__imp__longjmp(0x1070a30, 2);
    								L112:
    								 *0x1079054 = 1;
    								L30:
    								if(_t154 > 0x7ffffffe) {
    									_t181 = 0;
    									 *0x10625c2 = 0;
    									L38:
    									_t155 = 0x10625c2;
    									_t23 =  &(_t155[1]); // 0x10625c4
    									_t194 = _t23;
    									do {
    										_t90 =  *_t155;
    										_t155 =  &(_t155[1]);
    									} while (_t90 != 0);
    									_t91 = _t181 & 0x0000ffff;
    									_t157 = _t155 - _t194 >> 1;
    									_t190 = 0;
    									_v8 = _t157;
    									_t143 = _t157;
    									_t195 = 0x10625c2;
    									if(_t91 == 0) {
    										L44:
    										_v16 = _t190;
    										if(_t190 >= _t143) {
    											__eflags = _t157;
    											if(_t157 == 0) {
    												goto L45;
    											}
    											__eflags = _t190 - 0x2000;
    											if(__eflags < 0) {
    												goto L50;
    											}
    											__eflags =  *0x10665ec - 3;
    											if( *0x10665ec == 3) {
    												__eflags =  *0x105e0c0 - 1;
    												if( *0x105e0c0 == 1) {
    													E0105769E(_t157);
    													E01039950(0x10625c2);
    													E01039950(L"\r\n");
    													_t203 = _t203 + 8;
    												}
    												E010378E4(_t157);
    												_t203 = _t203 + 8;
    												E01059922();
    												__imp__longjmp(0x1070a30, 1, 0x233f, 0);
    											}
    											_push(0);
    											_push(0x233f);
    											_t102 = E010378E4(_t157);
    											_t203 = _t203 + 8;
    											__eflags =  *0x10665d4;
    											if( *0x10665d4 == 0) {
    												_t157 = 0;
    												_t103 = E0103DD98(_t102);
    												__eflags = _t103;
    												if(_t103 != 0) {
    													E0105A0DA(_t143, _t190, _t195);
    												}
    											}
    											__imp__longjmp(0x1070a70, 0xffffffff);
    											L123:
    											 *_t181 = 0xa;
    											L47:
    											_t181 = _t181 + 2;
    											_t94 = 1;
    											_t190 = _t190 - _t157 + 1;
    											L48:
    											_v16 = _t94;
    											 *_t181 = 0;
    											_t96 = E0103DD98(0);
    											if(_t96 != 0) {
    												goto L50;
    											}
    											__imp___get_osfhandle(_v16);
    											SetFilePointer(_t96,  *0x10665d4, _t190, _t96);
    											_t243 =  *0x10665d4;
    											if( *0x10665d4 == 0) {
    												__eflags =  *0x107951c;
    												if(__eflags != 0) {
    													goto L50;
    												}
    												_t182 = 0x10625c2;
    												_t79 =  &(_t182[1]); // 0x10625c4
    												_t159 = _t79;
    												do {
    													_t100 =  *_t182;
    													_t182 =  &(_t182[1]);
    													__eflags = _t100;
    												} while (_t100 != 0);
    												E0103998D(0x10625c2, _t182 - _t159 >> 1);
    											}
    											goto L50;
    										}
    										L45:
    										_t92 = 0x10625c2[_t190] & 0x0000ffff;
    										_t181 =  &(0x10625c2[_t190]);
    										_t196 = _t92;
    										if(_t92 == 0x1a) {
    											goto L123;
    										}
    										if(_t196 != 0xa) {
    											_t94 = 2;
    											_t190 = 0;
    											goto L48;
    										}
    										goto L47;
    									} else {
    										goto L41;
    									}
    									while(1) {
    										L41:
    										_t195 =  &(_t195[1]);
    										_t110 = wcschr(0x10322d8, _t91);
    										_t203 = _t203 + 8;
    										if(_t110 != 0) {
    											break;
    										}
    										_t91 =  *_t195 & 0x0000ffff;
    										_t190 =  &(_t190[0]);
    										if(_t91 != 0) {
    											continue;
    										}
    										break;
    									}
    									_t157 = _v8;
    									goto L44;
    								}
    								_t111 = 0x10625c2;
    								_t185 = 0x2002;
    								while(_t154 + 0xffffdffe + _t185 != 0) {
    									_t164 =  *(0xa46e + _t111) & 0x0000ffff;
    									if(_t164 == 0) {
    										break;
    									}
    									 *_t111 = _t164;
    									_t111 =  &(_t111[0]);
    									_t154 = _v12;
    									_t185 = _t185 - 1;
    									if(_t185 != 0) {
    										continue;
    									}
    									L114:
    									_t111 = _t111 - 2;
    									L37:
    									 *_t111 = 0;
    									_t181 =  *0x10625c2;
    									goto L38;
    								}
    								__eflags = _t185;
    								if(_t185 == 0) {
    									goto L114;
    								}
    								goto L37;
    							}
    							__eflags =  *0x1079054;
    							if( *0x1079054 == 0) {
    								goto L111;
    							}
    							_t154 = _v8 + 1;
    							 *0x106ca30 = 0xa;
    							_v12 = _t154;
    							goto L30;
    						}
    						if(_t89 == 0 || _t154 <= 0) {
    							L59:
    							_v8 = 0;
    							_t120 = GetLastError();
    							L60:
    							_t154 = _v8;
    							_v12 = _t154;
    							L61:
    							_v16 = _t120;
    							goto L26;
    						} else {
    							_v16 = 0;
    							L26:
    							_t89 =  *0x10665d4;
    							if(_t154 == 0) {
    								__eflags = _t89;
    								if(_t89 != 0) {
    									goto L27;
    								}
    								goto L108;
    							}
    							L27:
    							if( *0x1079054 != 0 || _t154 == 0 || _t89 != 0) {
    								goto L30;
    							} else {
    								goto L112;
    							}
    						}
    					}
    					if(_t154 == 0) {
    						_t89 = 0;
    						goto L22;
    					}
    					_t200 = _t154;
    					_t186 = _v24;
    					_t145 = _t154;
    					_v20 = _t200;
    					if( *0x10625a0 == 0xfde9) {
    						__eflags = _t186;
    						if(_t186 == 0) {
    							_push(3);
    							_push(0x10334f8);
    							_push(0x106a7f0);
    							L01047FB7();
    							_t203 = _t203 + 0xc;
    							_t170 = _t145;
    							__eflags = _t119;
    							if(_t119 != 0) {
    								_t186 = _v24;
    							} else {
    								_t65 = _t170 - 3; // 0x103cfb4
    								_t145 = _t65;
    								_t192 = 0x106a7f3;
    								_t200 = _t145;
    								_v12 = _t145;
    								_t67 = _t119 + 3; // 0x3
    								_t186 = _t67;
    								_v8 = _t145;
    								_v20 = _t200;
    							}
    						}
    					}
    					_t168 = _t192;
    					_v24 = _t168;
    					if(_t145 <= 0) {
    						L15:
    						_t146 = _v12;
    						goto L18;
    					} else {
    						do {
    							if(_t200 < 3) {
    								L12:
    								if( *((char*)(( *_t192 & 0x000000ff) + 0x1078af0)) != 0) {
    									__eflags = _t200 - 1;
    									if(_t200 == 1) {
    										__imp__AcquireSRWLockShared(0x1078e04);
    										_t73 = _t192 + 1; // 0x106a7f1
    										_t126 = ReadFile(_v28, _t73, 1,  &_v20, 0);
    										__imp__ReleaseSRWLockShared(0x1078e04);
    										__eflags = _t126;
    										if(_t126 == 0) {
    											L105:
    											_t154 = 0;
    											_t89 = 0;
    											L21:
    											_v8 = _t154;
    											_v12 = _t154;
    											goto L22;
    										}
    										__eflags = _v20;
    										if(_v20 == 0) {
    											goto L105;
    										}
    										_t146 = _v12 + 1;
    										L18:
    										_t169 =  *0x10625a0;
    										if(E0103E248(_t169) == 0) {
    											_t122 = 0;
    										} else {
    											_t122 = 1;
    										}
    										_t89 = MultiByteToWideChar(_t169, _t122, _v24, _t146, 0x106ca30, 0x1fff);
    										_t154 = _t89;
    										goto L21;
    									}
    									_t200 = _t200 + 0xfffffffe;
    									_t127 = 2;
    								} else {
    									_t200 = _t200 - 1;
    									_t127 = 1;
    								}
    								goto L14;
    							}
    							_t128 =  *_t192;
    							if(_t128 == 0xa) {
    								__eflags =  *(_t192 + 1) - 0xd;
    								if( *(_t192 + 1) == 0xd) {
    									L17:
    									 *((char*)(_t192 + 2)) = 0;
    									_t146 = _t192 - _t168 + 2;
    									__eflags = _t146;
    									SetFilePointer(_v28, _t146 + _t186, 0, 0);
    									goto L18;
    								}
    								goto L12;
    							}
    							if(_t128 == 0xd) {
    								__eflags =  *(_t192 + 1) - 0xa;
    								if( *(_t192 + 1) != 0xa) {
    									goto L12;
    								}
    								goto L17;
    							}
    							goto L12;
    							L14:
    							_t192 = _t192 + _t127;
    							_v20 = _t200;
    						} while (_t200 > 0);
    						goto L15;
    					}
    				}
    			}








































































    APIs
    • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(0103C64D,00000001,?,?,?,?,?,010480CD,?,0103CFB7,00000001,00000000,00000001,0103A8F8,00000004), ref: 0103D671
    • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,010480CD,?,0103CFB7,00000001,00000000,00000001,0103A8F8,00000004), ref: 0103D687
    • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,010480CD,?,0103CFB7,00000001,00000000,00000001,0103A8F8,00000004), ref: 0103D6CC
    • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,010480CD,?,0103CFB7,00000001,00000000,00000001,0103A8F8,00000004), ref: 0103D6E2
    • _get_osfhandle.MSVCRT ref: 0103D6F6
    • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,00000000,00000001,?,?,?,?,?,010480CD,?,0103CFB7,00000001,00000000,00000001,0103A8F8), ref: 0103D710
    • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01078E04,?,?,?,?,?,010480CD,?,0103CFB7,00000001,00000000,00000001,0103A8F8,00000004), ref: 0103D71E
    • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,0106A7F0,00001FFF,0103CFB7,00000000,?,?,?,?,?,010480CD,?,0103CFB7,00000001,00000000,00000001), ref: 0103D731
    • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01078E04,?,?,?,?,?,010480CD,?,0103CFB7,00000001,00000000,00000001,0103A8F8,00000004), ref: 0103D73E
    • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000000,00000000,?,?,?,?,?,010480CD,?,0103CFB7,00000001,00000000,00000001,0103A8F8), ref: 0103D7D3
    • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(?,00000001,?,?,0106CA30,00001FFF,?,?,?,?,?,010480CD,?,0103CFB7,00000001,00000000), ref: 0103D801
    • wcschr.MSVCRT ref: 0103D8E0
    • _get_osfhandle.MSVCRT ref: 0103D954
    • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 0103D95E
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000001,?,?,0106CA30,00001FFF,?,?,?,?,?,010480CD), ref: 0103D9FE
    • memcmp.MSVCRT ref: 0104D74E
    • longjmp.MSVCRT(01070A30,00000001), ref: 0104D8CD
    • longjmp.MSVCRT(01070A70,000000FF), ref: 0104D902
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: CriticalFileSection$Pointer$EnterLeaveLockShared_get_osfhandlelongjmp$AcquireByteCharErrorLastMultiReadReleaseWidememcmpwcschr
    • String ID:
    • API String ID: 2422554150-0
    • Opcode ID: 95a3e4566f9a462cf3c6e71948d6eec9b47bd2cc6493afef99ac4d305ea7e7be
    • Instruction ID: e1c815eab5997566434fa49cc8ce5e2b00242a6b38070728550090b663418259
    • Opcode Fuzzy Hash: 95a3e4566f9a462cf3c6e71948d6eec9b47bd2cc6493afef99ac4d305ea7e7be
    • Instruction Fuzzy Hash: 1B023474A00201DFEB359FE8D85977E3BA9BF94304F44416DE9C6E7298EB7A8900CB50
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 92%
    			E01038572() {
    				signed int _v8;
    				short _v264;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t33;
    				int _t35;
    				int _t44;
    				signed int _t75;
    				signed int _t76;
    				signed int _t77;
    				signed int _t78;
    				signed int _t79;
    				signed int _t80;
    				signed int _t81;
    				signed int _t82;
    				signed int _t83;
    				signed int _t84;
    				signed int _t86;
    				void* _t87;
    				signed int _t89;
    				signed int _t90;
    				signed int _t91;
    				int _t92;
    				int _t93;
    				void* _t94;
    				int _t95;
    				int _t96;
    				int _t97;
    				int _t98;
    				int _t99;
    				int _t100;
    				int _t101;
    				void* _t103;
    				int _t104;
    				void* _t106;
    				char* _t111;
    				void* _t113;
    				void* _t117;
    				void* _t119;
    				void* _t121;
    				void* _t123;
    				void* _t125;
    				intOrPtr _t127;
    				int _t129;
    				short* _t130;
    				short* _t131;
    				short* _t132;
    				short* _t133;
    				short* _t134;
    				short* _t135;
    				short* _t136;
    				int _t137;
    				short* _t138;
    				short* _t140;
    				int _t141;
    				short* _t142;
    				short* _t143;
    				signed int _t144;
    
    				_t33 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t33 ^ _t144;
    				_t35 = E01038791();
    				_t129 = 8;
    				_t138 = 0x106c9e0;
    				_t92 = _t35;
    				if(GetLocaleInfoW(_t92, 0x1e, 0x106c9e0, _t129) == 0) {
    					_t93 = _t129;
    					_t113 = ":" - 0x106c9e0;
    					while(1) {
    						_t11 = _t93 + 0x7ffffff6; // 0x7ffffffe
    						if(_t11 == 0) {
    							break;
    						}
    						_t91 =  *(_t113 + _t138) & 0x0000ffff;
    						if(_t91 == 0) {
    							break;
    						}
    						 *_t138 = _t91;
    						_t138 =  &(_t138[1]);
    						_t93 = _t93 - 1;
    						if(_t93 != 0) {
    							continue;
    						}
    						break;
    					}
    					if(_t93 == 0) {
    						_t138 = _t138 - 2;
    					}
    					 *_t138 = 0;
    				}
    				if(GetLocaleInfoW(_t92, 0x23,  &_v264, 0x80) == 0) {
    					L9:
    					 *0x105e58c =  *0x105e58c & 0x00000000;
    					if(GetLocaleInfoW(_t92, 0x21,  &_v264, 0x80) != 0) {
    						_t86 = (_v264 & 0x0000ffff) - 0x30;
    						if(_t86 != 0) {
    							_t87 = _t86 - 1;
    							if(_t87 == 0) {
    								 *0x105e58c = 1;
    								 *0x105e588 = L"dd/MM/yy";
    							} else {
    								if(_t87 == 1) {
    									 *0x105e58c = 2;
    									 *0x105e588 = L"yy/MM/dd";
    								}
    							}
    						} else {
    							 *0x105e58c =  *0x105e58c & _t86;
    							 *0x105e588 = L"MM/dd/yy";
    						}
    					}
    					 *0x105e584 = 2;
    					_t44 = GetLocaleInfoW(_t92, 0x24,  &_v264, 0x80);
    					_t94 = 0x31;
    					if(_t44 != 0 && _v264 == _t94) {
    						 *0x105e584 = 4;
    					}
    					_t140 = 0x106c9d0;
    					if(GetLocaleInfoW(_t92, 0x1d, 0x106c9d0, _t129) == 0) {
    						_t95 = _t129;
    						while(1) {
    							_t13 = _t95 + 0x7ffffff6; // 0x7ffffffe
    							if(_t13 == 0) {
    								break;
    							}
    							_t84 =  *(0xfffffffffffc6e10 + _t140) & 0x0000ffff;
    							if(_t84 == 0) {
    								break;
    							}
    							 *_t140 = _t84;
    							_t140 =  &(_t140[1]);
    							_t95 = _t95 - 1;
    							if(_t95 != 0) {
    								continue;
    							}
    							break;
    						}
    						if(_t95 == 0) {
    							_t140 = _t140 - 2;
    						}
    						 *_t140 = 0;
    						goto L16;
    					} else {
    						L16:
    						_t141 = 0x20;
    						_t130 = 0x106c970;
    						if(GetLocaleInfoW(_t92, 0x31, 0x106c970, _t141) == 0) {
    							_t96 = _t141;
    							_t117 = L"Mon" - 0x106c970;
    							while(1) {
    								_t15 = _t96 + 0x7fffffde; // 0x7ffffffe
    								if(_t15 == 0) {
    									break;
    								}
    								_t83 =  *(_t117 + _t130) & 0x0000ffff;
    								if(_t83 == 0) {
    									break;
    								}
    								 *_t130 = _t83;
    								_t130 =  &(_t130[1]);
    								_t96 = _t96 - 1;
    								if(_t96 != 0) {
    									continue;
    								}
    								break;
    							}
    							if(_t96 == 0) {
    								_t130 = _t130 - 2;
    							}
    							 *_t130 = 0;
    						}
    						_t131 = 0x106c930;
    						if(GetLocaleInfoW(_t92, 0x32, 0x106c930, _t141) == 0) {
    							_t97 = _t141;
    							_t119 = L"Tue" - 0x106c930;
    							while(1) {
    								_t17 = _t97 + 0x7fffffde; // 0x7ffffffe
    								if(_t17 == 0) {
    									break;
    								}
    								_t82 =  *(_t119 + _t131) & 0x0000ffff;
    								if(_t82 == 0) {
    									break;
    								}
    								 *_t131 = _t82;
    								_t131 =  &(_t131[1]);
    								_t97 = _t97 - 1;
    								if(_t97 != 0) {
    									continue;
    								}
    								break;
    							}
    							if(_t97 == 0) {
    								_t131 = _t131 - 2;
    							}
    							 *_t131 = 0;
    						}
    						_t132 = 0x106c8f0;
    						if(GetLocaleInfoW(_t92, 0x33, 0x106c8f0, _t141) == 0) {
    							_t98 = _t141;
    							_t121 = L"Wed" - 0x106c8f0;
    							while(1) {
    								_t19 = _t98 + 0x7fffffde; // 0x7ffffffe
    								if(_t19 == 0) {
    									break;
    								}
    								_t81 =  *(_t121 + _t132) & 0x0000ffff;
    								if(_t81 == 0) {
    									break;
    								}
    								 *_t132 = _t81;
    								_t132 =  &(_t132[1]);
    								_t98 = _t98 - 1;
    								if(_t98 != 0) {
    									continue;
    								}
    								break;
    							}
    							if(_t98 == 0) {
    								_t132 = _t132 - 2;
    							}
    							 *_t132 = 0;
    						}
    						_t133 = 0x106c8b0;
    						if(GetLocaleInfoW(_t92, 0x34, 0x106c8b0, _t141) == 0) {
    							_t99 = _t141;
    							_t123 = L"Thu" - 0x106c8b0;
    							while(1) {
    								_t21 = _t99 + 0x7fffffde; // 0x7ffffffe
    								if(_t21 == 0) {
    									break;
    								}
    								_t80 =  *(_t123 + _t133) & 0x0000ffff;
    								if(_t80 == 0) {
    									break;
    								}
    								 *_t133 = _t80;
    								_t133 =  &(_t133[1]);
    								_t99 = _t99 - 1;
    								if(_t99 != 0) {
    									continue;
    								}
    								break;
    							}
    							if(_t99 == 0) {
    								_t133 = _t133 - 2;
    							}
    							 *_t133 = 0;
    						}
    						_t134 = 0x106c870;
    						if(GetLocaleInfoW(_t92, 0x35, 0x106c870, _t141) == 0) {
    							_t100 = _t141;
    							_t125 = L"Fri" - 0x106c870;
    							while(1) {
    								_t23 = _t100 + 0x7fffffde; // 0x7ffffffe
    								if(_t23 == 0) {
    									break;
    								}
    								_t79 =  *(_t125 + _t134) & 0x0000ffff;
    								if(_t79 == 0) {
    									break;
    								}
    								 *_t134 = _t79;
    								_t134 =  &(_t134[1]);
    								_t100 = _t100 - 1;
    								if(_t100 != 0) {
    									continue;
    								}
    								break;
    							}
    							if(_t100 == 0) {
    								_t134 = _t134 - 2;
    							}
    							 *_t134 = 0;
    						}
    						_t135 = 0x106c830;
    						if(GetLocaleInfoW(_t92, 0x36, 0x106c830, _t141) == 0) {
    							_t101 = _t141;
    							_t127 = L"Sat" - 0x106c830;
    							while(1) {
    								_t25 = _t101 + 0x7fffffde; // 0x7ffffffe
    								if(_t25 == 0) {
    									break;
    								}
    								_t78 =  *(_t127 + _t135) & 0x0000ffff;
    								if(_t78 == 0) {
    									break;
    								}
    								 *_t135 = _t78;
    								_t135 =  &(_t135[1]);
    								_t101 = _t101 - 1;
    								if(_t101 != 0) {
    									continue;
    								}
    								break;
    							}
    							if(_t101 == 0) {
    								_t135 = _t135 - 2;
    							}
    							 *_t135 = 0;
    						}
    						_t136 = 0x106c7f0;
    						if(GetLocaleInfoW(_t92, 0x37, 0x106c7f0, _t141) == 0) {
    							_t103 = L"Sun" - 0x106c7f0;
    							while(1) {
    								_t27 = _t141 + 0x7fffffde; // 0x7ffffffe
    								if(_t27 == 0) {
    									break;
    								}
    								_t77 =  *(_t103 + _t136) & 0x0000ffff;
    								if(_t77 == 0) {
    									break;
    								}
    								 *_t136 = _t77;
    								_t136 =  &(_t136[1]);
    								_t141 = _t141 - 1;
    								if(_t141 != 0) {
    									continue;
    								}
    								break;
    							}
    							if(_t141 == 0) {
    								_t136 = _t136 - 2;
    							}
    							 *_t136 = 0;
    						}
    						_t137 = 8;
    						_t142 = 0x106c9c0;
    						if(GetLocaleInfoW(_t92, 0xe, 0x106c9c0, _t137) == 0) {
    							_t104 = _t137;
    							_t127 = "." - 0x106c9c0;
    							while(1) {
    								_t29 = _t104 + 0x7ffffff6; // 0x7ffffffe
    								if(_t29 == 0) {
    									break;
    								}
    								_t76 =  *(_t127 + _t142) & 0x0000ffff;
    								if(_t76 == 0) {
    									break;
    								}
    								 *_t142 = _t76;
    								_t142 =  &(_t142[1]);
    								_t104 = _t104 - 1;
    								if(_t104 != 0) {
    									continue;
    								}
    								break;
    							}
    							if(_t104 == 0) {
    								_t142 = _t142 - 2;
    							}
    							 *_t142 = 0;
    						}
    						_t143 = 0x106c9b0;
    						if(GetLocaleInfoW(_t92, 0xf, 0x106c9b0, _t137) == 0) {
    							_t106 = "," - 0x106c9b0;
    							while(1) {
    								_t31 = _t137 + 0x7ffffff6; // 0x7ffffffe
    								if(_t31 == 0) {
    									break;
    								}
    								_t75 =  *(_t106 + _t143) & 0x0000ffff;
    								if(_t75 == 0) {
    									break;
    								}
    								 *_t143 = _t75;
    								_t143 =  &(_t143[1]);
    								_t137 = _t137 - 1;
    								if(_t137 != 0) {
    									continue;
    								}
    								break;
    							}
    							if(_t137 == 0) {
    								_t143 = _t143 - 2;
    							}
    							 *_t143 = 0;
    						}
    						__imp__setlocale(".OCP"); // executed
    						return E01046B30(0, _t92, _v8 ^ _t144, _t127, _t137, _t143, 0);
    					}
    				} else {
    					_t111 = "1";
    					_t89 =  &_v264;
    					while(1) {
    						_t127 =  *_t89;
    						if(_t127 !=  *_t111) {
    							break;
    						}
    						if(_t127 == 0) {
    							L7:
    							_t90 = 0;
    							L8:
    							 *0x105e0c4 = _t90;
    							goto L9;
    						}
    						_t127 =  *((intOrPtr*)(_t89 + 2));
    						_t5 =  &(_t111[2]); // 0x430000
    						if(_t127 !=  *_t5) {
    							break;
    						}
    						_t89 = _t89 + 4;
    						_t111 =  &(_t111[4]);
    						if(_t127 != 0) {
    							continue;
    						}
    						goto L7;
    					}
    					asm("sbb eax, eax");
    					_t90 = _t89 | 0x00000001;
    					goto L8;
    				}
    			}

    APIs
      • Part of subcall function 01038791: GetUserDefaultLCID.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(01036906,0000001F,?,00000080), ref: 01038791
    • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000001E,0106C9E0,00000008), ref: 0103859E
    • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000023,?,00000080), ref: 010385BC
    • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000021,?,00000080), ref: 01038614
    • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000024,?,00000080), ref: 01038653
    • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000001D,0106C9D0,00000008), ref: 0103867D
    • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000031,0106C970,00000020), ref: 01038698
    • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000032,0106C930,00000020), ref: 010386B0
    • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000033,0106C8F0,00000020), ref: 010386C8
    • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000034,0106C8B0,00000020), ref: 010386E0
    • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000035,0106C870,00000020), ref: 010386F8
    • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000036,0106C830,00000020), ref: 01038710
    • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000037,0106C7F0,00000020), ref: 01038728
    • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000000E,0106C9C0,00000008), ref: 01038743
    • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000000F,0106C9B0,00000008), ref: 0103875B
    • setlocale.MSVCRT ref: 01038770
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: InfoLocale$DefaultUsersetlocale
    • String ID: .OCP$Fri$MM/dd/yy$Mon$Sat$Sun$Thu$Tue$Wed$dd/MM/yy$yy/MM/dd
    • API String ID: 1351325837-2236139042
    • Opcode ID: 11a0a31d71cd8bbb8c24a40c8bb6afb9946060447e0ab8dcbf5a7b369535f145
    • Instruction ID: ba7f08ded73e360627689c1883d4bfa53b72278b25544b33f76c2baaa382b0fa
    • Opcode Fuzzy Hash: 11a0a31d71cd8bbb8c24a40c8bb6afb9946060447e0ab8dcbf5a7b369535f145
    • Instruction Fuzzy Hash: 5BC1D4B570021297EB704E3DC98877B7BEDAFC0650F1452BAE9C6DB189EE69C541C360
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 73%
    			E0105769E(void* __ecx) {
    				intOrPtr _v8;
    				signed int _v16;
    				signed int _v20;
    				char _v28;
    				intOrPtr _v36;
    				signed int _v48;
    				void _v50;
    				void _v52;
    				void _v54;
    				short _v56;
    				char _v124;
    				char _v644;
    				void* _v648;
    				void* _v652;
    				signed int _v656;
    				signed short* _v660;
    				signed short* _v664;
    				WCHAR* _v668;
    				signed int _v672;
    				void* _v676;
    				char _v680;
    				char _v684;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t111;
    				signed int _t112;
    				intOrPtr _t119;
    				void _t121;
    				signed short _t122;
    				signed int _t125;
    				signed int _t126;
    				void _t131;
    				void _t136;
    				intOrPtr* _t138;
    				void _t142;
    				signed int _t153;
    				signed short* _t163;
    				intOrPtr* _t164;
    				void* _t167;
    				signed short* _t173;
    				signed int _t174;
    				void* _t184;
    				signed int _t187;
    				void* _t188;
    				signed int _t189;
    				signed int _t190;
    				void* _t191;
    				signed int _t193;
    				void* _t196;
    				void* _t199;
    				signed short* _t200;
    				void* _t201;
    				intOrPtr* _t202;
    				signed int _t204;
    				void* _t207;
    				void* _t209;
    				void* _t210;
    				void* _t211;
    				signed short* _t213;
    				void* _t214;
    				signed int _t219;
    				signed int _t221;
    				intOrPtr _t222;
    				intOrPtr _t227;
    
    				_t153 = _t219;
    				_push(__ecx);
    				_push(__ecx);
    				_t221 = (_t219 & 0xfffffff8) + 4;
    				_v8 =  *((intOrPtr*)(_t153 + 4));
    				_t217 = _t221;
    				_push(0xfffffffe);
    				_push(0x105cd60);
    				_push(E01046E00);
    				_push( *[fs:0x0]);
    				_push(__ecx);
    				_push(__ecx);
    				_push(_t153);
    				_t222 = _t221 - 0x288;
    				_t111 =  *0x105e0b4; // 0x6030efd1
    				_v20 = _v20 ^ _t111;
    				_t112 = _t111 ^ _t221;
    				_v48 = _t112;
    				_push(_t112);
    				_t113 =  &_v28;
    				 *[fs:0x0] =  &_v28;
    				_v36 = _t222;
    				_v672 = 0;
    				if( *0x106259c != 0) {
    					_push(0);
    					_push(0x2335);
    					_t113 = E010363BD(__ecx);
    					EnterCriticalSection( *0x10625a4);
    					 *0x106259c = 0;
    					LeaveCriticalSection( *0x10625a4);
    				}
    				_t227 =  *0x105e0c0; // 0x1
    				if(_t227 == 0) {
    					L96:
    					 *[fs:0x0] = _v28;
    					_pop(_t199);
    					_pop(_t207);
    					return E01046B30(_t113, _t153, _v48 ^ _t217, _t182, _t199, _t207);
    				} else {
    					if( *0x1066790 == 0) {
    						E01039950(L"\r\n"); // executed
    					}
    					if( *0x10665c6 == 0) {
    						_t200 = E0103EC2E(L"PROMPT");
    						_v660 = _t200;
    						if(_t200 != 0) {
    							_v660 = 0x1079100;
    							E0103F3A0(0x1079100, 0x200, _t200);
    							 *0x10665c6 = 1;
    						}
    					} else {
    						_v660 = 0x1079100;
    					}
    					_t160 =  *0x1078df8;
    					if( *0x1078df8 == 0) {
    						_t160 = 0x1078bf0;
    					}
    					_t182 =  *0x1078e00;
    					E01038E9E(_t153, _t160,  *0x1078e00, 0);
    					_t113 = E01057654( &_v680);
    					_v676 = _t113;
    					if(_t113 == 0) {
    						goto L96;
    					} else {
    						_t201 = _t113;
    						_v652 = _t201;
    						 *_t113 = 0;
    						_t209 = _v680 - 1;
    						_v648 = _t209;
    						_t163 = _v660;
    						if(_t163 == 0) {
    							L86:
    							_t117 =  *0x1078df8;
    							if( *0x1078df8 == 0) {
    								_t117 = 0x1078bf0;
    							}
    							_t202 = _v676;
    							E01039ABF(_t202, _t209, L"%s>", _t117);
    							_t164 = _t202;
    							_t103 = _t164 + 2; // 0x2
    							_t210 = _t103;
    							do {
    								_t119 =  *_t164;
    								_t164 = _t164 + 2;
    							} while (_t119 != 0);
    							_t201 = _t202 + (_t164 - _t210 >> 1) * 2;
    							L91:
    							_t167 = 0;
    							L92:
    							 *_t201 = 0;
    							_t203 = _v676;
    							_t184 = _v676;
    							_t107 = _t184 + 2; // 0x2
    							_t211 = _t107;
    							do {
    								_t121 =  *_t184;
    								_t184 = _t184 + 2;
    							} while (_t121 != _t167);
    							_t182 = _t184 - _t211 >> 1;
    							_t113 = E0103998D(_t203, _t184 - _t211 >> 1); // executed
    							if( *0x106259c != 0) {
    								EnterCriticalSection( *0x10625a4);
    								 *0x106259c =  *0x106259c & 0x00000000;
    								LeaveCriticalSection( *0x10625a4);
    							}
    							goto L96;
    						}
    						_t122 =  *_t163 & 0x0000ffff;
    						if(_t122 == 0) {
    							goto L86;
    						}
    						L14:
    						while(_t122 != 0) {
    							if(_t122 == 0x24) {
    								_t213 =  &(_v660[1]);
    								_v660 = _t213;
    								_v664 = _t213;
    								_t204 = 0;
    								_v656 = 0x1033da0;
    								while(towupper( *_t213 & 0x0000ffff) !=  *_v656) {
    									_t204 = _t204 + 1;
    									_t35 = 0x1033da0 + _t204 * 6; // 0x30050
    									_t138 = _t35;
    									_v656 = _t138;
    									_t167 = 0;
    									if( *_t138 != 0) {
    										continue;
    									}
    									L28:
    									_t125 = _t204 * 6;
    									_t201 = _v652;
    									_t214 = _v648;
    									if( *((intOrPtr*)(_t125 + 0x1033da0)) == _t167) {
    										goto L92;
    									}
    									_t40 = _t125 + 0x1033da2; // 0x3
    									_t187 =  *_t40 & 0x0000ffff;
    									if(_t187 != 8) {
    										_t45 = _t187 - 1; // 0x2
    										_t126 = _t45;
    										if(_t126 > 9) {
    											L78:
    											_t127 =  *0x1078df8;
    											if( *0x1078df8 == 0) {
    												_t127 = 0x1078bf0;
    											}
    											E01039ABF(_t201, _t214, L"%c",  *_t127 & 0x0000ffff);
    											_t222 = _t222 + 0x10;
    											_t188 = _t201;
    											_v664 = _t188 + 2;
    											do {
    												_t131 =  *_t188;
    												_t188 = _t188 + 2;
    											} while (_t131 != 0);
    											_t189 = _t188 - _v664;
    											L83:
    											_t190 = _t189 >> 1;
    											_t209 = _t214 - _t190;
    											_t201 = _t201 + _t190 * 2;
    											L84:
    											_v648 = _t209;
    											_v652 = _t201;
    											L85:
    											_t173 =  &(_v660[1]);
    											_v660 = _t173;
    											_t122 =  *_t173 & 0x0000ffff;
    											goto L14;
    										}
    										switch( *((intOrPtr*)(_t126 * 4 +  &M01057D46))) {
    											case 0:
    												_t132 = E01039310(0, 1, _t201, _t214);
    												goto L36;
    											case 1:
    												__edx = 0;
    												__edx = 1;
    												__ecx = 0;
    												__eax = E01036854(0, 1, __edi, __esi);
    												L36:
    												_t201 = _t201 + _t132 * 2;
    												_t209 = _t214 - _t132;
    												goto L84;
    											case 2:
    												__eax =  *0x1078df8;
    												if( *0x1078df8 == 0) {
    													__eax = 0x1078bf0;
    												}
    												__eax = E01039ABF(__edi, __esi, 0x1031f00, __eax);
    												__edx = __edi;
    												__eax = __edx + 2;
    												_v656 = __edx + 2;
    												__ecx = 0;
    												do {
    													__ax =  *__edx;
    													__edx = __edx + 2;
    												} while (__ax != __cx);
    												__edx = __edx - _v656;
    												goto L83;
    											case 3:
    												__ecx =  &_v124;
    												E01034D08(__ecx) =  &_v124;
    												__esi = E0104640A(__ecx, 0x2350,  &_v124);
    												E01039ABF(__edi, _v648, 0x1031f00, __esi) = LocalFree(__esi);
    												__edx = __edi;
    												__esi = __edx + 2;
    												__ecx = 0;
    												do {
    													__ax =  *__edx;
    													__edx = __edx + 2;
    												} while (__ax != __cx);
    												__edx = __edx - __esi;
    												__esi = _v648;
    												goto L83;
    											case 4:
    												__eax = 0x1033b88;
    												if(_v672 == 0) {
    													__eax = 0x1033b98;
    												}
    												__edx = __esi;
    												__ecx = __edi;
    												__eax = E0103F3A0(__edi, __esi, __eax);
    												__edx = __edi;
    												__eax = __edx + 2;
    												_v656 = __edx + 2;
    												__ecx = 0;
    												do {
    													__ax =  *__edx;
    													__edx = __edx + 2;
    												} while (__ax != __cx);
    												__edx = __edx - _v656;
    												goto L83;
    											case 5:
    												__edx = __esi;
    												__ecx = __edi;
    												__eax = E0103F3A0(__edi, __esi, L"\r\n");
    												__edx = __edi;
    												__eax = __edx + 2;
    												_v656 = __edx + 2;
    												__ecx = 0;
    												do {
    													__ax =  *__edx;
    													__edx = __edx + 2;
    												} while (__ax != __cx);
    												__edx = __edx - _v656;
    												goto L83;
    											case 6:
    												goto L78;
    											case 7:
    												if( *0x1066755 == 0) {
    													goto L85;
    												}
    												__ecx =  *0x1066798;
    												while(__esi > 1) {
    													__eax = __ecx;
    													__ecx = __ecx - 1;
    													if(__eax == 0) {
    														goto L85;
    													}
    													_push(0x2b);
    													_pop(__eax);
    													 *__edi = __ax;
    													__edi = __edi + 2;
    													_v652 = __edi;
    													__esi = __esi - 1;
    													_v648 = __esi;
    												}
    												goto L85;
    											case 8:
    												if( *0x1066755 == 0) {
    													goto L85;
    												}
    												_v668 = __ecx;
    												__ecx =  *0x1078df8;
    												__eax = __ecx;
    												if(__ecx == 0) {
    													__eax = 0x1078bf0;
    												}
    												__ax =  *__eax;
    												_v56 =  *__eax;
    												if(__ecx == 0) {
    													__ecx = 0x1078bf0;
    												}
    												__ax =  *((intOrPtr*)(__ecx + 2));
    												_v54 = __ax;
    												_push(0x5c);
    												_pop(__eax);
    												_v52 = __ax;
    												__eax = 0;
    												_v50 = __ax;
    												__eax =  &_v56;
    												if(GetDriveTypeW( &_v56) != 4) {
    													goto L85;
    												} else {
    													__eax = 0;
    													_v52 = __ax;
    													_v684 = 0x104;
    													_v16 = _v16 & 0;
    													__eax = E010472EF(__ecx);
    													if(__al == 0) {
    														_v668 = 0x78;
    													} else {
    														__eax =  &_v684;
    														_push( &_v684);
    														__eax =  &_v644;
    														_push( &_v644);
    														__eax =  &_v56;
    														_push( &_v56);
    														__eax =  *0x107d028();
    														_v668 =  &_v56;
    													}
    													_v16 = 0xfffffffe;
    													if(_v668 == 0) {
    														 &_v644 = E01039ABF(__edi, __esi, L"%s ",  &_v644);
    														__edx = __edi;
    														__eax = __edx + 2;
    														_v664 = __edx + 2;
    														__ecx = 0;
    														do {
    															__ax =  *__edx;
    															__edx = __edx + 2;
    														} while (__ax != __cx);
    														__edx = __edx - _v664;
    													} else {
    														if(_v668 == 0x8ca) {
    															goto L85;
    														}
    														_push(L"Unknown");
    														_push(__esi);
    														_push(__edi);
    														__eax = E01039ABF();
    														__esp = __esp + 0xc;
    														__edx = __edi;
    														__eax = __edx + 2;
    														_v664 = __edx + 2;
    														__ecx = 0;
    														do {
    															__ax =  *__edx;
    															__edx = __edx + 2;
    														} while (__ax != __cx);
    														__edx = __edx - _v664;
    													}
    													goto L83;
    												}
    										}
    									}
    									_t41 = _t125 + 0x1033da4; // 0x450000
    									E01039ABF(_t201, _t214, L"%c",  *_t41 & 0x0000ffff);
    									_t222 = _t222 + 0x10;
    									_t196 = _t201;
    									_v656 = _t196 + 2;
    									do {
    										_t136 =  *_t196;
    										_t196 = _t196 + 2;
    									} while (_t136 != 0);
    									_t189 = _t196 - _v656;
    									goto L83;
    								}
    								_t167 = 0;
    								goto L28;
    							}
    							E01039ABF(_t201, _t209, L"%c", _t122 & 0x0000ffff);
    							_t222 = _t222 + 0x10;
    							_t191 = _t201;
    							_t18 = _t191 + 2; // 0x2
    							_v656 = _t18;
    							_t174 = 0;
    							do {
    								_t142 =  *_t191;
    								_t191 = _t191 + 2;
    							} while (_t142 != 0);
    							_t193 = _t191 - _v656 >> 1;
    							_t201 = _t201 + _t193 * 2;
    							_v652 = _t201;
    							_t209 = _t209 - _t193;
    							_v648 = _t209;
    							if(E01039434() == 0) {
    								L22:
    								_v672 = _t174;
    								goto L85;
    							}
    							_v656 =  *_v660 & 0x0000ffff;
    							if(E0105814E( *_v660 & 0x0000ffff) == 0) {
    								_t174 = 0;
    								goto L22;
    							}
    							_v672 = _v656 & 0x0000ffff;
    							goto L85;
    						}
    						goto L91;
    					}
    				}
    			}
    0x01057bd7
    0x01057bda
    0x01057bdc
    0x01057bdf
    0x01057be5
    0x01057be7
    0x01057be7
    0x01057bea
    0x01057bed
    0x01057bf2
    0x01057bf2
    0x00000000
    0x01057bb9
    0x00000000
    0x01057957
    0x01057911
    0x01057920
    0x01057925
    0x01057928
    0x0105792d
    0x01057935
    0x01057935
    0x01057938
    0x0105793b
    0x01057940
    0x00000000
    0x01057940
    0x010578e7
    0x00000000
    0x010578e7
    0x01057818
    0x0105781d
    0x01057820
    0x01057822
    0x01057825
    0x0105782b
    0x0105782d
    0x0105782d
    0x01057830
    0x01057833
    0x0105783e
    0x01057840
    0x01057843
    0x01057849
    0x0105784b
    0x01057858
    0x0105788a
    0x0105788a
    0x00000000
    0x0105788a
    0x01057863
    0x01057872
    0x01057888
    0x00000000
    0x01057888
    0x0105787d
    0x00000000
    0x0105787d
    0x00000000
    0x010577fa
    0x010577c0

    APIs
    • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(6030EFD1,00000000,?), ref: 01057710
    • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 01057722
      • Part of subcall function 0103EC2E: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,$P$G,00002000,?,01078BF0,00000000,?,?,01038F0D), ref: 0103EC51
    • towupper.MSVCRT ref: 010578BC
    • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 010579F1
    • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?,01031F8C,01033B98), ref: 01057B15
    • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,6030EFD1,00000000,?), ref: 01057D0D
    • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 01057D20
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeave$DriveEnvironmentFreeLocalTypeVariabletowupper
    • String ID: %s $%s>$PROMPT$Unknown
    • API String ID: 708651206-3050974680
    • Opcode ID: 03f265f2a0cfc255762f7e7b97759797512defcfbd58502b6714cbeccd4007a1
    • Instruction ID: 5311def91148103b640f3411039ee8f0196893b832b4c569d3b9748e2d4101ca
    • Opcode Fuzzy Hash: 03f265f2a0cfc255762f7e7b97759797512defcfbd58502b6714cbeccd4007a1
    • Instruction Fuzzy Hash: 1702E7759011168BCBB4DF28C849ABBB7B9FF84300F4482DEE989E7244EB355981DF54
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 58%
    			E01040207(WCHAR* __ecx, signed int __edx, intOrPtr _a4) {
    				signed int _v8;
    				struct _WIN32_FIND_DATAW _v604;
    				signed int _v608;
    				void _v612;
    				signed int _v616;
    				void* _v620;
    				intOrPtr _v624;
    				WCHAR* _v628;
    				void* _v632;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t42;
    				intOrPtr _t44;
    				void* _t45;
    				void _t47;
    				void* _t50;
    				void* _t53;
    				void _t54;
    				void _t58;
    				char* _t69;
    				char* _t71;
    				intOrPtr* _t73;
    				signed int _t75;
    				void* _t76;
    				WCHAR* _t77;
    				void* _t80;
    				void* _t81;
    				signed int _t83;
    				void* _t84;
    				void* _t91;
    				void* _t96;
    				void* _t97;
    				short* _t99;
    				void* _t100;
    				void* _t101;
    				void* _t102;
    				void* _t103;
    				int _t104;
    				void* _t105;
    				signed int _t106;
    				signed int _t108;
    
    				_t90 = __edx;
    				_t77 = __ecx;
    				_t108 = (_t106 & 0xfffffff8) - 0x274;
    				_t42 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t42 ^ _t108;
    				_t73 = __ecx;
    				_v616 = __edx;
    				_v628 = __ecx;
    				_v624 = 0;
    				_t99 =  &(__ecx[1]);
    				do {
    					_t44 =  *_t73;
    					_t73 = _t73 + 2;
    				} while (_t44 != 0);
    				_t75 = _t73 - _t99 >> 1;
    				if(_t75 > __edx) {
    					L21:
    					_t45 = 0;
    				} else {
    					_t97 =  &(__ecx[3]);
    					_t101 = _t97;
    					_v632 = _t101;
    					do {
    						_t47 =  *_t97 & 0x0000ffff;
    						_v612 = _t47;
    						if(_t47 == 0 || _t47 == 0x5c) {
    							 *_t97 = 0;
    							_t50 = FindFirstFileW(_t77,  &_v604); // executed
    							_t80 = _t50;
    							_t47 = _v612;
    							 *_t97 = _t47;
    							if(_t80 == 0xffffffff) {
    								_t97 = _t97 + 2;
    								_t101 = _t97;
    								goto L17;
    							} else {
    								FindClose(_t80); // executed
    								if(_v604.cAlternateFileName != 0) {
    									if(_a4 != 0) {
    										L23:
    										_t53 =  &(_v604.cAlternateFileName);
    										goto L12;
    									} else {
    										_t69 =  &(_v604.cAlternateFileName);
    										__imp___wcsnicmp(_t69, _t101, _t97 - _t101 >> 1);
    										_t108 = _t108 + 0xc;
    										if(_t69 != 0) {
    											goto L11;
    										} else {
    											_t71 =  &(_v604.cFileName);
    											__imp___wcsicmp(_t71,  &(_v604.cAlternateFileName));
    											if(_t71 == 0) {
    												goto L11;
    											} else {
    												goto L23;
    											}
    										}
    									}
    									L14:
    									_t83 = _t81 - _t91 >> 1;
    									_t90 = _t83 - (_t97 - _t101 >> 1);
    									_v608 = _t83;
    									_t75 = _t75 + _t90;
    									if(_t75 >= _v616) {
    										goto L21;
    									} else {
    										if(_t90 > 0) {
    											_t84 = _t97;
    											_t102 = _t84 + 2;
    											do {
    												_t58 =  *_t84;
    												_t84 = _t84 + 2;
    											} while (_t58 != _v624);
    											_t103 = _t97 + _t90 * 2;
    											memmove(_t103, _t97, 1 + (_t84 - _t102 >> 1) * 2);
    											_t83 = _v608;
    											_t108 = _t108 + 0xc;
    											_t97 = _t103;
    										}
    										_t104 = _t83 + _t83;
    										memcpy(_v632, _v620, _t104);
    										_v632 = _v632 + _t104;
    										_t108 = _t108 + 0xc;
    										_t105 = _v632;
    										_t90 = _v616 - (_t105 - _v628 >> 1);
    										E0103F3A0(_t105, _v616 - (_t105 - _v628 >> 1), _t97);
    										_t47 = _v616;
    										_t101 = _t105 + 2;
    										_t97 = _t101;
    										L17:
    										_t77 = _v628;
    										_v632 = _t101;
    										goto L6;
    									}
    									goto L8;
    								} else {
    									L11:
    									_t53 =  &(_v604.cFileName);
    								}
    								L12:
    								_t81 = _t53;
    								_v620 = _t53;
    								_t91 = _t81 + 2;
    								do {
    									_t54 =  *_t81;
    									_t81 = _t81 + 2;
    								} while (_t54 != _v624);
    								goto L14;
    							}
    						} else {
    							goto L6;
    						}
    						goto L8;
    						L6:
    						_t97 = _t97 + 2;
    					} while (_t47 != 0);
    					_t45 = 1;
    				}
    				L8:
    				_pop(_t96);
    				_pop(_t100);
    				_pop(_t76);
    				return E01046B30(_t45, _t76, _v8 ^ _t108, _t90, _t96, _t100);
    			}

    APIs
    • FindFirstFileW.KERNELBASE(?,?,00000000,00000000,00000000), ref: 01040297
    • FindClose.KERNELBASE(00000000), ref: 010402B0
    • memcpy.MSVCRT ref: 01040311
    • _wcsnicmp.MSVCRT ref: 01040367
    • _wcsicmp.MSVCRT ref: 0104E746
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: Find$CloseFileFirst_wcsicmp_wcsnicmpmemcpy
    • String ID:
    • API String ID: 242869866-0
    • Opcode ID: a414870a2ab4b8a6ed75f66b884daa0c42a92a21ab1d49f25830e6ec2454ed8b
    • Instruction ID: 141e0cdaa93f94c7d8fe8bd35f48b318aaaea892962c2297a31c97889d725e20
    • Opcode Fuzzy Hash: a414870a2ab4b8a6ed75f66b884daa0c42a92a21ab1d49f25830e6ec2454ed8b
    • Instruction Fuzzy Hash: C751B3B56083118BC724DF28D8845AFB7E5BFC4310F14892DF9C997284E735D905CB96
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 84%
    			E0103C570(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
    				intOrPtr _v8;
    				intOrPtr _v12;
    				void* __ebx;
    				intOrPtr _t12;
    				void* _t13;
    				short _t17;
    				intOrPtr* _t18;
    				intOrPtr _t19;
    				void* _t26;
    				void* _t35;
    				void* _t37;
    				intOrPtr _t39;
    				short _t40;
    				intOrPtr* _t41;
    
    				_v12 = __edx;
    				_t39 = _a4;
    				_v8 = __ecx;
    				 *0x10665ec = __ecx;
    				_t12 =  *0x1066778;
    				if(_t12 <= _t39) {
    					L3:
    					_t40 = 0;
    					_t26 = 0;
    					_t6 = _t40 + 4; // 0x4
    					_t37 = _t6;
    					do {
    						if(_t40 <= 1) {
    							_t13 =  *(_t26 + 0x106677c);
    							if(_t13 != 0) {
    								VirtualFree(_t13, 0, 0x8000);
    								 *(_t26 + 0x106677c) = 0;
    							}
    						}
    						_t40 = _t40 + 1;
    						_t26 = _t37;
    						_t37 = _t37 + 4;
    					} while (_t40 < 2);
    					 *0x10665d8 = _v8;
    					 *0x10665d4 = _v12;
    					_t17 = 0;
    					_push(0);
    					_push(0x1070ab0);
    					 *0x10625c2 = 0;
    					 *0x10665cc = 0x10625c2;
    					 *0x10665c8 = 0x10625c2;
    					L01047FB1();
    					if(0 == 0) {
    						 *0x10666f8 = 0;
    						 *0x10665f0 = 0; // executed
    						_t18 = E0103A8C4(_t26, 0); // executed
    						_t41 = _t18;
    						if(_t41 == 0) {
    							_t19 = 1;
    						} else {
    							if( *((short*)( *0x10665cc)) != 0 && E0103CC70(0) != 0xa &&  *0x1066700 != 0) {
    								E01058959(_t21, 0);
    							}
    							_t19 = 0;
    						}
    						 *0x1066790 = _t19;
    						if( *0x107905a != 0) {
    							E01058791(_t41, 0);
    						}
    						_t17 = _t41;
    					}
    					return _t17;
    				} else {
    					goto L1;
    				}
    				while(1) {
    					L1:
    					_t35 =  *0x1066784;
    					if(_t35 == 0) {
    						goto L3;
    					}
    					 *_t35 = 0;
    					 *0x1066784 =  *(_t35 + 4);
    					 *0x1066778 = _t12 - 1;
    					 *(_t35 + 4) = 0;
    					RtlFreeHeap(GetProcessHeap(), 0, _t35);
    					_t12 =  *0x1066778;
    					if(_t12 > _t39) {
    						continue;
    					}
    					goto L3;
    				}
    				goto L3;
    			}

    APIs
    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0103C5BD
    • RtlFreeHeap.NTDLL(00000000), ref: 0103C5C4
    • _setjmp3.MSVCRT ref: 0103C630
    • VirtualFree.API-MS-WIN-CORE-MEMORY-L1-1-0(?,00000000,00008000,00000000,00000000,00000000,00000000,00000000), ref: 0103C69D
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: FreeHeap$ProcessVirtual_setjmp3
    • String ID:
    • API String ID: 2613391085-0
    • Opcode ID: 2b8bfda67f06548fc27c3c1ce800777df420409a65b1f9abb9e160f9d5c4b223
    • Instruction ID: 638cfc19030b97e0a72c9764e5425d5fea089ace91bf19207d8e67f701a9f365
    • Opcode Fuzzy Hash: 2b8bfda67f06548fc27c3c1ce800777df420409a65b1f9abb9e160f9d5c4b223
    • Instruction Fuzzy Hash: 4B315E71B003019BFB60DF68E94575A7BF8FB98700F14407AE8C9E7258E77B98448B95
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 75%
    			E0104643A(signed int* __edx) {
    				void* _v8;
    				char _v12;
    				char _v16;
    				long _t20;
    				long _t25;
    				HANDLE* _t27;
    				void* _t29;
    				signed int _t33;
    				signed int* _t37;
    				long _t38;
    
    				_v8 = _v8 & 0x00000000;
    				_t37 = __edx;
    				_t38 = NtOpenThreadToken(0xfffffffe, 8, 0,  &_v8);
    				if(_t38 == 0xc000007c) {
    					_t27 =  &_v8;
    					__imp__NtOpenProcessToken(0xffffffff, 8, _t27);
    					_t38 = _t27;
    				}
    				if(_t38 < 0) {
    					L11:
    					return _t38;
    				} else {
    					_t29 = _v8;
    					_t20 = E01046500(_t29,  &_v12,  &_v16); // executed
    					_t38 = _t20;
    					if(_t38 < 0) {
    						L8:
    						if(_t29 != 0) {
    							NtClose(_t29); // executed
    						}
    						goto L11;
    					}
    					if(_v12 == 0) {
    						 *_t37 = (0 | _v16 == 0x00000000) + 1;
    					} else {
    						 *_t37 =  *_t37 & 0x00000000;
    					}
    					_t25 = E010464CA(_v8,  &_v16); // executed
    					_t38 = _t25;
    					if(_t38 >= 0 && _v16 != 0) {
    						_t33 =  *_t37;
    						if(_t33 - 0x10 > 2) {
    							_t33 = _t33 + 0x10;
    						}
    						 *_t37 = _t33;
    					}
    					goto L8;
    				}
    			}

    APIs
    • NtOpenThreadToken.NTDLL(000000FE,00000008,00000000,00000000), ref: 01046454
    • NtOpenProcessToken.NTDLL(000000FF,00000008,00000000), ref: 0104646C
    • NtClose.NTDLL(00000000), ref: 010464BD
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: OpenToken$CloseProcessThread
    • String ID:
    • API String ID: 2991381754-0
    • Opcode ID: a2b0af252d15b79269021705a306c26edecfa728a41f82989dec8f8281f87dfd
    • Instruction ID: 3bf5e4f850e4be4fe71efd2aa4f656cd01242de479720addede8a2061bf7fd0a
    • Opcode Fuzzy Hash: a2b0af252d15b79269021705a306c26edecfa728a41f82989dec8f8281f87dfd
    • Instruction Fuzzy Hash: F3112C72D01316EFDF208B64C888B9EB7B9EB84725F114674D991A3280EF3ADE04C790
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 46%
    			E01034D08(void* __ecx) {
    				void* _t2;
    				signed char _t5;
    				void* _t12;
    
    				_t12 = __ecx;
    				_t5 = GetVersion(); // executed
    				_t2 = E01034D42(); // executed
    				_push(_t2);
    				_push(_t5 >> 0x10);
    				_push(_t5 >> 0x00000008 & 0x000000ff);
    				return E01039ABF(_t12, 0x20, L"%d.%d.%05d.%d", _t5 & 0x000000ff);
    			}

    APIs
    • GetVersion.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,01034DCB), ref: 01034D0E
      • Part of subcall function 01034D42: RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,02000000,?), ref: 01034D66
      • Part of subcall function 01034D42: RegQueryValueExW.ADVAPI32(?,UBR,00000000,?,?,?), ref: 01034D8A
      • Part of subcall function 01034D42: RegCloseKey.ADVAPI32(?), ref: 01034D95
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: CloseOpenQueryValueVersion
    • String ID: %d.%d.%05d.%d
    • API String ID: 2996790148-3457777122
    • Opcode ID: 44fd1b1969f37964d0fbd44df67158706bb8977e2237c5cf6f1ea2d5486ce24c
    • Instruction ID: 0a5363f7a59d54ab791fb2c368d92a343a95bb5ba999087346e5c19785de95b7
    • Opcode Fuzzy Hash: 44fd1b1969f37964d0fbd44df67158706bb8977e2237c5cf6f1ea2d5486ce24c
    • Instruction Fuzzy Hash: 27D05BB1B401213BD614356A1C59EBF108DC6DC112744416EB541EB3C6D9BD5C1553B4
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • NtQueryInformationToken.NTDLL(00000000,00000012,0104648A,00000004,?), ref: 0104652A
    • NtQueryInformationToken.NTDLL(00000000,00000014,?,00000004,?), ref: 01052028
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp Download File
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp Download File
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp Download File
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp Download File
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp Download File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: InformationQueryToken
    • String ID:
    • API String ID: 4239771691-0
    • Opcode ID: ca01b4acdae0f4bb21b489d38b1842e288273d4c6d59495b2f1d94d797ebba33
    • Instruction ID: 27c128eee91b9ee783a359a1fbd3318eb43fb1d6e24865bd348946f0e50b0ecd
    • Opcode Fuzzy Hash: ca01b4acdae0f4bb21b489d38b1842e288273d4c6d59495b2f1d94d797ebba33
    • Instruction Fuzzy Hash: 290175B1A00208FBE721CB58C884BEEB7FCEB45715F1440B6E740E7044E7759A85DBA1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • NtQueryInformationToken.NTDLL(00000000,0000001A,?,00000004,010464A8), ref: 010464E9
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: InformationQueryToken
    • String ID:
    • API String ID: 4239771691-0
    • Opcode ID: d06780d5174d11eabaab5ffeb2289df979129601acf70a1dd9622ee9b0655c4a
    • Instruction ID: 31fb6abb15e6ac7523c8410f7eb09762edd6182a1fd54d7767b7dbe4cbf67058
    • Opcode Fuzzy Hash: d06780d5174d11eabaab5ffeb2289df979129601acf70a1dd9622ee9b0655c4a
    • Instruction Fuzzy Hash: 3EE012F2610208FFEB188F55D846EEE7BACEB80711F14417EA58692140E7759A40D764
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • LdrResolveDelayLoadedAPI.NTDLL(01030000,?,01057EF0,?), ref: 0104679D
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: DelayLoadedResolve
    • String ID:
    • API String ID: 841769287-0
    • Opcode ID: c7132be783c249cb845a89ad4d8c2f91fa346e0192ee01a08d7d3fc6ccece4b5
    • Instruction ID: 872a625d1fa63cbb53dfbbc671f96e130ea81a70bb14a7d6a2de00d9a32aea29
    • Opcode Fuzzy Hash: c7132be783c249cb845a89ad4d8c2f91fa346e0192ee01a08d7d3fc6ccece4b5
    • Instruction Fuzzy Hash: CED01233240208FB8F531FC2EC05D8A7F2EE798710B048000F68819414C6775430FB90
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E01046EC0() {
    
    				SetUnhandledExceptionFilter(E01046E70); // executed
    				return 0;
    			}

    APIs
    • SetUnhandledExceptionFilter.KERNELBASE(Function_00016E70), ref: 01046EC5
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: ExceptionFilterUnhandled
    • String ID:
    • API String ID: 3192549508-0
    • Opcode ID: 941bd6822c6175ae6f24fe314322d72b11431f13957eadb7ccffdb7cc3ed3624
    • Instruction ID: 600dd25195c12eb3572aa17517b52623bae689e60273581c67bfc393815d1601
    • Opcode Fuzzy Hash: 941bd6822c6175ae6f24fe314322d72b11431f13957eadb7ccffdb7cc3ed3624
    • Instruction Fuzzy Hash: 0F9002F0791200C7962157B3984940976F15A497037454864F0C1DA008EB6E40045665
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    C-Code - Quality: 70%
    			E010387CA(void* __ebx, intOrPtr* __ecx) {
    				signed int _v8;
    				char _v72;
    				struct _CONSOLE_SCREEN_BUFFER_INFO _v96;
    				void* _v100;
    				intOrPtr* _v104;
    				void* __edi;
    				void* __esi;
    				signed int _t32;
    				void* _t35;
    				void* _t36;
    				int _t37;
    				WCHAR* _t42;
    				signed int _t48;
    				int _t49;
    				WCHAR* _t54;
    				void* _t61;
    				intOrPtr _t64;
    				WCHAR* _t66;
    				int _t67;
    				intOrPtr _t72;
    				struct HINSTANCE__* _t73;
    				intOrPtr* _t77;
    				void* _t80;
    				void* _t85;
    				void* _t91;
    				int _t95;
    				WCHAR* _t98;
    				void* _t101;
    				void* _t102;
    				void* _t106;
    				short _t108;
    				intOrPtr _t114;
    				intOrPtr* _t120;
    				WCHAR* _t124;
    				WCHAR* _t135;
    				int _t138;
    				int _t139;
    				void* _t141;
    				void* _t143;
    				long _t144;
    				void* _t150;
    				void* _t151;
    				intOrPtr* _t152;
    				void* _t155;
    				void* _t156;
    				void* _t157;
    				void* _t158;
    				void* _t159;
    				signed int _t162;
    				void* _t163;
    
    				_t101 = __ebx;
    				_t160 = _t162;
    				_t163 = _t162 - 0x64;
    				_t32 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t32 ^ _t162;
    				_t152 = __ecx;
    				_v104 = __ecx;
    				 *0x10625a4 = 0x106ca04;
    				InitializeCriticalSection(0x106ca04);
    				EnterCriticalSection( *0x10625a4);
    				_t144 = 0;
    				 *0x106259c = 0;
    				LeaveCriticalSection( *0x10625a4);
    				_t35 = SetConsoleCtrlHandler(E01057460, 1); // executed
    				__imp___get_osfhandle(0x106ca20, _t143, _t151, _t159);
    				_t36 = GetConsoleMode(_t35, 1); // executed
    				__imp___get_osfhandle(0, 0x106ca1c);
    				_pop(_t106);
    				_t37 = GetConsoleMode(_t36, ??); // executed
    				E0103E310(_t37);
    				 *0x1062594 = E0103A9D4();
    				 *0x1062590 = E01038B96(_t106); // executed
    				E01038273(_t152); // executed
    				_t42 = GetCommandLineW();
    				_t3 =  &(_t42[1]); // 0x2
    				_t137 = _t3;
    				do {
    					_t108 =  *_t42;
    					_t42 =  &(_t42[1]);
    				} while (_t108 != 0);
    				_t109 = 0x2000;
    				_t170 = 1 + (_t42 - _t137 >> 1) - 0x2000;
    				if(1 + (_t42 - _t137 >> 1) > 0x2000) {
    					_push(0);
    					_push(0x400023df);
    					goto L46;
    				} else {
    					_t137 = 0x2000;
    					_t109 =  &_v100;
    					E01041A05( &_v100, 0x2000, _t170);
    					_t152 = _v100;
    					if(_t152 == 0) {
    						L44:
    						_push(_t144);
    						_push(0x2374);
    						L46:
    						E010378E4(_t109);
    						goto L47;
    					} else {
    						_t54 = GetCommandLineW();
    						_t137 = 0x2000;
    						E0103F3A0(_t152, 0x2000, _t54);
    						_t109 = 0x1078bf0;
    						_t61 = E0103E3F0(((0 |  *0x1078dfc == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104); // executed
    						if(_t61 < 0) {
    							goto L44;
    						} else {
    							_t119 =  *0x1078df8;
    							if( *0x1078df8 == 0) {
    								_t119 = 0x1078bf0;
    							}
    							E01038E9E(_t101, _t119,  *0x1078e00, _t144); // executed
    							E010400E9(_t144); // executed
    							_t120 = _t152;
    							_t141 = _t120 + 2;
    							do {
    								_t64 =  *_t120;
    								_t120 = _t120 + 2;
    								_t175 = _t64 - _t144;
    							} while (_t64 != _t144);
    							_push(_t120 - _t141 >> 1);
    							E0103A24C(_v104, _t175, 4, _t152); // executed
    							_t66 =  *0x1078df8;
    							_t137 = 0x1078bf0;
    							_t124 = _t66;
    							if(_t66 == 0) {
    								_t124 = 0x1078bf0;
    							}
    							_t155 = 0x5c;
    							_t156 = _v100;
    							if( *_t124 != _t155) {
    								L24:
    								_t67 = GetConsoleOutputCP(); // executed
    								 *0x10625a0 = _t67;
    								GetCPInfo(_t67, 0x106c9f0); // executed
    								E01038572(); // executed
    								_t71 = HeapAlloc(GetProcessHeap(), _t144, "true");
    								 *0x10625a8 = _t71;
    								if(_t71 != 0) {
    									_t71 = GetConsoleTitleW(_t71, 0x104); // executed
    									if(_t71 == 0) {
    										_t71 =  *0x10625a8;
    										 *( *0x10625a8) = 0;
    									}
    								}
    								if( *0x1066758 == _t144) {
    									_t91 = E01039A11(_t71); // executed
    									if(_t91 != 0) {
    										_t133 =  *0x1066764;
    										if( *0x1066764 != 0) {
    											L33:
    											E01058496(_t133);
    										} else {
    											_t95 = GetConsoleScreenBufferInfo(GetStdHandle(0xfffffff5),  &_v96); // executed
    											if(_t95 == 0) {
    												_t133 =  *0x1066764;
    												__eflags =  *0x1066764;
    												if(__eflags != 0) {
    													goto L33;
    												}
    											} else {
    												 *0x1066764 = _v96.wAttributes;
    											}
    										}
    									}
    								}
    								_t72 = _v104;
    								_t193 =  *((intOrPtr*)(_t72 + 8)) - _t144;
    								if( *((intOrPtr*)(_t72 + 8)) == _t144) {
    									_t80 = E010570D6(_t193); // executed
    									_v100 = _t80;
    									E01034D08( &_v72);
    									E010363BD( &_v72, 0x2350, 1,  &_v72); // executed
    									E01039950(L"\r\n"); // executed
    									_t85 = _v100;
    									if(_t85 == 0) {
    										_push(_t144);
    										_push(8);
    										E010378E4( &_v72);
    									} else {
    										_push(_t85);
    										E01039950(0x1031f00); // executed
    										E01039950(L"\r\n"); // executed
    									}
    									GlobalFree(_v100);
    								}
    								_t73 = GetModuleHandleW(L"KERNEL32.DLL");
    								 *0x105e0c8 = _t73;
    								 *0x10625b8 = GetProcAddress(_t73, "CopyFileExW");
    								GetProcAddress( *0x105e0c8, "IsDebuggerPresent");
    								 *0x10625b4 = GetProcAddress( *0x105e0c8, "SetConsoleInputExeNameW");
    								_t77 = _v104;
    								if( *_t77 != _t144 ||  *((intOrPtr*)(_t77 + 4)) != _t144 ||  *((intOrPtr*)(_t77 + 8)) != _t144) {
    									_t144 = 1;
    								}
    								free(_t156); // executed
    								_pop(_t150);
    								_pop(_t157);
    								return E01046B30(_t144, _t101, _v8 ^ _t160, _t137, _t150, _t157);
    							} else {
    								_t135 = _t66;
    								if(_t66 == 0) {
    									_t135 = _t137;
    								}
    								_t158 = 0x5c;
    								_t156 = _v100;
    								if(_t135[1] != _t158 ||  *0x1079051 != 0) {
    									goto L24;
    								} else {
    									if(_t66 == 0) {
    										_t66 = _t137;
    									}
    									E010378E4(_t135, 0x400023c8, 1, _t66);
    									_t98 =  *0x1078df8;
    									_t163 = _t163 + 0xc;
    									if(_t98 == 0) {
    										_t98 = 0x1078bf0;
    									}
    									if(GetWindowsDirectoryW(_t98,  *0x1078e00) == 0) {
    										L47:
    										E01047D18(1, _t137, __eflags);
    										asm("int3");
    										_t138 =  *0x10667bc;
    										_t48 = 0;
    										_push(_t101);
    										_t102 = 1;
    										__eflags = _t138;
    										if(_t138 > 0) {
    											_t114 =  *0x10667b8;
    											while(1) {
    												__eflags =  *(_t114 + _t48 * 4) - _t102;
    												if( *(_t114 + _t48 * 4) == _t102) {
    													break;
    												}
    												_t48 = 1 + _t48;
    												__eflags = _t48 - _t138;
    												if(_t48 < _t138) {
    													continue;
    												} else {
    													break;
    												}
    												L55:
    												__eflags = 0;
    												return 0;
    												goto L60;
    											}
    											__eflags = _t48 - _t138;
    											if(_t48 < _t138) {
    												_t139 = _t138 - 1;
    												__eflags = _t48 - _t139;
    												if(_t48 < _t139) {
    													_push(_t152);
    													_push(_t144);
    													_t30 = _t114 + _t48 * 4 + 4; // 0x4
    													memcpy(_t114 + _t48 * 4, _t30, _t139 - _t48 << 2);
    												}
    												 *0x10667bc = _t139;
    											}
    										}
    										_t49 = FindClose(_t102);
    										__eflags = _t49;
    										if(_t49 == 0) {
    											return GetLastError();
    										}
    										goto L55;
    									} else {
    										_t136 =  *0x1078df8;
    										if( *0x1078df8 == 0) {
    											_t136 = 0x1078bf0;
    										}
    										_t137 = 0;
    										E01038BC7(_t101, _t136, 0, _t144, _t156, 0); // executed
    										goto L24;
    									}
    								}
    							}
    						}
    					}
    				}
    				L60:
    			}

    APIs
    • InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(0106CA04), ref: 010387EE
    • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 010387FA
    • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 0103880E
    • SetConsoleCtrlHandler.KERNELBASE(01057460,00000001), ref: 0103881B
    • _get_osfhandle.MSVCRT ref: 01038828
    • GetConsoleMode.KERNELBASE(00000000), ref: 01038830
    • _get_osfhandle.MSVCRT ref: 0103883C
    • GetConsoleMode.KERNELBASE(00000000), ref: 01038844
      • Part of subcall function 0103E310: _get_osfhandle.MSVCRT ref: 0103E318
      • Part of subcall function 0103E310: SetConsoleMode.KERNELBASE(00000000), ref: 0103E322
      • Part of subcall function 0103E310: _get_osfhandle.MSVCRT ref: 0103E32F
      • Part of subcall function 0103E310: GetConsoleMode.KERNELBASE(00000000), ref: 0103E339
      • Part of subcall function 0103E310: _get_osfhandle.MSVCRT ref: 0103E35E
      • Part of subcall function 0103E310: GetConsoleMode.KERNELBASE(00000000), ref: 0103E368
      • Part of subcall function 0103E310: _get_osfhandle.MSVCRT ref: 0103E390
      • Part of subcall function 0103E310: SetConsoleMode.KERNELBASE(00000000), ref: 0103E39A
      • Part of subcall function 0103A9D4: GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,00000000,0103A9C5), ref: 0103A9D8
      • Part of subcall function 0103A9D4: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000000,00000000), ref: 0103A9F3
      • Part of subcall function 0103A9D4: RtlAllocateHeap.NTDLL(00000000), ref: 0103A9FA
      • Part of subcall function 0103A9D4: memcpy.MSVCRT ref: 0103AA09
      • Part of subcall function 0103A9D4: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000), ref: 0103AA12
      • Part of subcall function 01038B96: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000004,?,0103885E), ref: 01038B9D
      • Part of subcall function 01038B96: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0103885E), ref: 01038BA4
      • Part of subcall function 01038273: RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Command Processor,00000000,02000000,?), ref: 010382D3
      • Part of subcall function 01038273: RegQueryValueExW.ADVAPI32(?,DisableUNCCheck,00000000,?,?,?), ref: 01038313
      • Part of subcall function 01038273: RegQueryValueExW.ADVAPI32(?,EnableExtensions,00000000,00000001,?,00001000), ref: 0103834D
      • Part of subcall function 01038273: RegQueryValueExW.ADVAPI32(?,DelayedExpansion,00000000,00000001,?,00001000), ref: 0103839D
      • Part of subcall function 01038273: RegQueryValueExW.ADVAPI32(?,DefaultColor,00000000,00000001,?,00001000), ref: 010383D7
    • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 0103886A
    • GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 010388A5
    • GetWindowsDirectoryW.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,00000000,-00000105,00000000), ref: 01038987
    • GetConsoleOutputCP.KERNELBASE(?,?,00000000,-00000105,00000000), ref: 010389AB
    • GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0106C9F0), ref: 010389BC
      • Part of subcall function 01038572: GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000001E,0106C9E0,00000008), ref: 0103859E
      • Part of subcall function 01038572: GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000023,?,00000080), ref: 010385BC
      • Part of subcall function 01038572: GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000021,?,00000080), ref: 01038614
      • Part of subcall function 01038572: GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000024,?,00000080), ref: 01038653
      • Part of subcall function 01038572: GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000001D,0106C9D0,00000008), ref: 0103867D
      • Part of subcall function 01038572: GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000031,0106C970,00000020), ref: 01038698
      • Part of subcall function 01038572: GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000032,0106C930,00000020), ref: 010386B0
    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,0000020C), ref: 010389CD
    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 010389D4
    • GetConsoleTitleW.KERNELBASE(00000000,00000104), ref: 010389E9
    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,?), ref: 01038A23
    • GetConsoleScreenBufferInfo.KERNELBASE(00000000), ref: 01038A2A
    • GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?), ref: 01038AB5
    • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(KERNEL32.DLL), ref: 01038AC0
    • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,CopyFileExW), ref: 01038AD1
    • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(IsDebuggerPresent), ref: 01038AE7
    • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(SetConsoleInputExeNameW), ref: 01038AF8
    • free.MSVCRT(?), ref: 01038B18
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: Console$Info$Locale$HeapMode_get_osfhandle$QueryValue$AddressCriticalProcProcessSection$AllocCommandEnvironmentFreeHandleLineStrings$AllocateBufferCtrlDirectoryEnterGlobalHandlerInitializeLeaveModuleOpenOutputScreenTitleWindowsfreememcpy
    • String ID: CopyFileExW$IsDebuggerPresent$KERNEL32.DLL$SetConsoleInputExeNameW
    • API String ID: 3313898297-3021193919
    • Opcode ID: 53b578871180de763bb0e7824f668dfcf7bdfd4ece802185e658ebb8c6a3b574
    • Instruction ID: 9910ffa64f4e699c586bcabfee1e7a6346e31b2ca63e2c1bf89ca13de915bcd2
    • Opcode Fuzzy Hash: 53b578871180de763bb0e7824f668dfcf7bdfd4ece802185e658ebb8c6a3b574
    • Instruction Fuzzy Hash: 9891EA71B00301DBEB35AB68E81DAAE37ADFBC4341B08855BF5C6EB145DB7A8841C751
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    C-Code - Quality: 74%
    			E01038273(intOrPtr* __ecx) {
    				signed int _v8;
    				char _v4100;
    				long _v4104;
    				int _v4108;
    				int _v4112;
    				void* _v4116;
    				intOrPtr _v4120;
    				intOrPtr _v4124;
    				char _v4128;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t85;
    				int _t88;
    				long _t93;
    				long _t97;
    				long _t101;
    				long _t105;
    				long _t109;
    				long _t113;
    				long _t114;
    				long _t118;
    				long _t127;
    				long _t130;
    				wchar_t* _t131;
    				wchar_t* _t135;
    				wchar_t* _t139;
    				void* _t144;
    				long _t146;
    				void* _t151;
    				long _t152;
    				void* _t153;
    				signed int _t159;
    				intOrPtr* _t162;
    				intOrPtr _t163;
    				signed int _t166;
    				void* _t167;
    				void* _t189;
    
    				E01047F80(0x101c);
    				_t85 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t85 ^ _t166;
    				_t162 = __ecx;
    				_v4128 = 0x80000002;
    				_v4124 = 0x80000001;
    				_t163 = 2;
    				 *0x1066755 = 1;
    				_t144 =  &_v4128 - __ecx;
    				_v4120 = _t163;
    				while(1) {
    					_t88 = RegOpenKeyExW( *(_t144 + _t162), L"Software\\Microsoft\\Command Processor", 0, 0x2000000,  &_v4116); // executed
    					if(_t88 != 0) {
    						goto L30;
    					} else {
    						_v4108 = _v4108 & _t88;
    						_v4112 = 0x1000;
    						_t93 = RegQueryValueExW(_v4116, L"DisableUNCCheck", 0,  &_v4108,  &_v4104,  &_v4112); // executed
    						if(_t93 == 0) {
    							if(_v4108 != 4) {
    								if(_v4108 == 1) {
    									_t139 =  &_v4104;
    									__imp___wtol(_t139);
    									asm("sbb al, al");
    									 *0x1079051 =  ~(_t139 - 1) + 1;
    								}
    							} else {
    								 *0x1079051 = _v4104 != 0;
    							}
    						}
    					}
    					_v4112 = 0x1000;
    					_t97 = RegQueryValueExW(_v4116, L"EnableExtensions", 0,  &_v4108,  &_v4104,  &_v4112); // executed
    					if(_t97 == 0) {
    						if(_v4108 != 4) {
    							if(_v4108 == 1) {
    								_t135 =  &_v4104;
    								__imp___wtol(_t135);
    								asm("sbb al, al");
    								 *0x1066755 =  ~(_t135 - 1) + 1;
    							}
    						} else {
    							 *0x1066755 = _v4104 != _t97;
    						}
    					}
    					_v4112 = 0x1000;
    					_t101 = RegQueryValueExW(_v4116, L"DelayedExpansion", 0,  &_v4108,  &_v4104,  &_v4112); // executed
    					if(_t101 == 0) {
    						if(_v4108 != 4) {
    							if(_v4108 == 1) {
    								_t131 =  &_v4104;
    								__imp___wtol(_t131);
    								asm("sbb al, al");
    								 *0x1066754 =  ~(_t131 - 1) + 1;
    							}
    						} else {
    							 *0x1066754 = _v4104 != 0;
    						}
    					}
    					_v4112 = 0x1000;
    					_t105 = RegQueryValueExW(_v4116, L"DefaultColor", 0,  &_v4108,  &_v4104,  &_v4112); // executed
    					if(_t105 != 0) {
    						L11:
    						_v4112 = 0x1000;
    						_t109 = RegQueryValueExW(_v4116, L"CompletionChar", 0,  &_v4108,  &_v4104,  &_v4112); // executed
    						if(_t109 != 0) {
    							L18:
    							_v4112 = 0x1000;
    							_t113 = RegQueryValueExW(_v4116, L"PathCompletionChar", 0,  &_v4108,  &_v4104,  &_v4112); // executed
    							if(_t113 != 0) {
    								_t114 =  *0x105e0cc; // 0x9
    								0x800 = 0x20;
    								L25:
    								_t146 =  *0x105e0d0; // 0x9
    								if(_t146 == 0x800) {
    									if(_t114 >= 0x800) {
    										goto L27;
    									}
    									 *0x105e0d0 = _t114;
    									goto L28;
    								} else {
    									_t189 = _t114 - 0x800;
    									L27:
    									if(_t189 == 0) {
    										if(_t146 < 0x800) {
    											 *0x105e0cc = _t146;
    										}
    									}
    									L28:
    									_v4112 = 0x1000;
    									_t118 = RegQueryValueExW(_v4116, L"AutoRun", 0,  &_v4108,  &_v4104,  &_v4112); // executed
    									if(_t118 == 0) {
    										if(_v4108 == 2) {
    											_t159 = _v4112 >> 1;
    											_t165 =  &_v4100 + _t159 * 2;
    											if(ExpandEnvironmentStringsW( &_v4104,  &_v4100 + _t159 * 2, 0x7fe - _t159) == 0) {
    												_v4104 = 0;
    											} else {
    												E0103F3A0( &_v4104, 0x800, _t165);
    											}
    											_t163 = _v4120;
    										}
    										if(_v4104 != 0) {
    											 *_t162 = E0103ACB0( &_v4104);
    										}
    									}
    									_t88 = RegCloseKey(_v4116); // executed
    									goto L30;
    								}
    							}
    							if(_v4108 != 4) {
    								if(_v4108 != 1) {
    									_t114 =  *0x105e0cc; // 0x9
    									goto L22;
    								}
    								_t114 = wcstol( &_v4104, 0, 0);
    								_t167 = _t167 + 0xc;
    								goto L21;
    							} else {
    								_t114 = _v4104;
    								L21:
    								 *0x105e0cc = _t114;
    								L22:
    								if(_t114 == 0) {
    									0x800 = 0x20;
    									L53:
    									_t114 = 0x800;
    									 *0x105e0cc = 0x800;
    									goto L25;
    								}
    								_t151 = 0xd;
    								0x800 = 0x20;
    								if(_t114 == _t151 || _t114 > 0x800) {
    									goto L53;
    								} else {
    									goto L25;
    								}
    							}
    						}
    						if(_v4108 != 4) {
    							if(_v4108 != 1) {
    								_t127 =  *0x105e0d0; // 0x9
    								goto L15;
    							}
    							_t127 = wcstol( &_v4104, 0, 0);
    							_t167 = _t167 + 0xc;
    							goto L14;
    						} else {
    							_t127 = _v4104;
    							L14:
    							 *0x105e0d0 = _t127;
    							L15:
    							if(_t127 == 0) {
    								_t152 = 0x20;
    								L48:
    								 *0x105e0d0 = _t152;
    								goto L18;
    							}
    							_t153 = 0xd;
    							_t152 = 0x20;
    							if(_t127 == _t153 || _t127 > _t152) {
    								goto L48;
    							} else {
    								goto L18;
    							}
    						}
    					} else {
    						if(_v4108 != 4) {
    							if(_v4108 != 1) {
    								goto L11;
    							}
    							_t130 = wcstol( &_v4104, 0, 0);
    							_t167 = _t167 + 0xc;
    							goto L10;
    						} else {
    							_t130 = _v4104;
    							L10:
    							 *0x1066764 = _t130;
    							goto L11;
    						}
    					}
    					L30:
    					_t162 = _t162 + 4;
    					_t163 = _t163 - 1;
    					_v4120 = _t163;
    					if(_t163 == 0) {
    						__imp__time();
    						srand(_t88);
    						return E01046B30(_t88, _t144, _v8 ^ _t166, 0x800, _t162, _t163, 0);
    					}
    				}
    			}

    APIs
    • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Command Processor,00000000,02000000,?), ref: 010382D3
    • RegQueryValueExW.ADVAPI32(?,DisableUNCCheck,00000000,?,?,?), ref: 01038313
    • RegQueryValueExW.ADVAPI32(?,EnableExtensions,00000000,00000001,?,00001000), ref: 0103834D
    • RegQueryValueExW.ADVAPI32(?,DelayedExpansion,00000000,00000001,?,00001000), ref: 0103839D
    • RegQueryValueExW.ADVAPI32(?,DefaultColor,00000000,00000001,?,00001000), ref: 010383D7
    • RegQueryValueExW.ADVAPI32(?,CompletionChar,00000000,00000001,?,00001000), ref: 01038427
    • RegQueryValueExW.ADVAPI32(?,PathCompletionChar,00000000,00000001,?,00001000), ref: 01038498
    • RegQueryValueExW.ADVAPI32(?,AutoRun,00000000,00000004,?,00001000), ref: 01038526
    • RegCloseKey.ADVAPI32(?), ref: 0103853A
    • time.MSVCRT ref: 01038554
    • srand.MSVCRT ref: 0103855B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: QueryValue$CloseOpensrandtime
    • String ID: AutoRun$CompletionChar$DefaultColor$DelayedExpansion$DisableUNCCheck$EnableExtensions$PathCompletionChar$Software\Microsoft\Command Processor
    • API String ID: 145004033-3846321370
    • Opcode ID: e476f6895baeaafbf784c736eee2e966054b1f12e8698275ce6d35a7abce318d
    • Instruction ID: 586e250d83872f92cb3054a7abb5b8bc8f76ed12a483cd376ab8f0c1aedcd8bb
    • Opcode Fuzzy Hash: e476f6895baeaafbf784c736eee2e966054b1f12e8698275ce6d35a7abce318d
    • Instruction Fuzzy Hash: 5AC180759002A8DAEF328B54DD44BDDB7B8FB08302F0081E6F6C9A2194D6B99AC4CF14
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 69%
    			E010409B1() {
    				signed int _v8;
    				char _v24;
    				int* _v28;
    				char _v29;
    				char _v36;
    				void* _v40;
    				int* _v44;
    				int _v48;
    				int _v52;
    				signed int _t26;
    				long _t32;
    				void* _t39;
    				intOrPtr _t44;
    				intOrPtr _t48;
    				intOrPtr _t51;
    				int _t53;
    				intOrPtr _t55;
    				char* _t57;
    				int _t59;
    				void* _t62;
    				int _t64;
    				void* _t73;
    				intOrPtr _t81;
    				void* _t83;
    				void* _t94;
    				char* _t95;
    				signed int _t96;
    				signed int _t97;
    
    				_t26 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t26 ^ _t97;
    				_v44 = 0;
    				 *0x10665e0 = OpenThread(0x1fffff, 0, GetCurrentThreadId());
    				E0103E2AF();
    				__imp__HeapSetInformation(0, 1, 0, 0, _t94, _t96, _t73);
    				_v36 = 0;
    				_t32 = RegOpenKeyExW(0x80000001, L"Software\\Policies\\Microsoft\\Windows\\System", 0, 0x20019,  &_v40); // executed
    				if(_t32 == 0) {
    					_v48 = 4;
    					RegQueryValueExW(_v40, L"DisableCMD", 0,  &_v52,  &_v36,  &_v48);
    					RegCloseKey(_v40);
    				}
    				 *0x105e57c = 1;
    				_t92 = 0x106a7e0;
    				 *0x105e574 =  &_v29;
    				_t39 = E01041F5B(0x106a7e0);
    				asm("sbb al, al");
    				 *0x105e57c =  *0x105e57c &  ~(_t39 - 1);
    				E01041F1A();
    				_v28 = 0;
    				_t95 =  &_v24;
    				asm("stosd");
    				asm("stosd");
    				asm("stosd");
    				asm("stosd"); // executed
    				_t44 = E010387CA(0,  &_v24); // executed
    				if(_v36 == 1) {
    					_push(0);
    					_push(0x40002729);
    					E010363BD( &_v24);
    					E01054840(__eflags, 0);
    					do {
    						__eflags = E01041E70(__eflags, 0);
    					} while (__eflags == 0);
    					_push(0xff);
    					goto L13;
    				} else {
    					_t95 = 0xff;
    					if(_t44 == 0) {
    						L29:
    						_push(0);
    						L01047FB1();
    						_v28 = _t44;
    						_t83 = 0x1070a30;
    						_t96 = 2;
    						__eflags = _t44;
    						if(_t44 == 0) {
    							L33:
    							__eflags = _v36 - _t96;
    							if(_v36 != _t96) {
    								_t55 = E0103DD98(_t44); // executed
    								__eflags = _t55;
    								if(_t55 == 0) {
    									_t96 = 3;
    									__imp___setmode(0x8000);
    									0 = 0;
    								}
    								E010462C0(0, 0); // executed
    								while(1) {
    									L40:
    									 *0x1066744 = 0;
    									EnterCriticalSection( *0x10625a4);
    									 *0x106259c = 0;
    									LeaveCriticalSection( *0x10625a4);
    									_t92 = 0;
    									_t57 = E0103C570(_t96, 0, 0); // executed
    									_t95 = _t57;
    									__eflags = _t95 - 1;
    									if(_t95 == 1) {
    										continue;
    									}
    									L41:
    									__eflags = _t95 - 0xffffffff;
    									if(__eflags == 0) {
    										do {
    											__eflags = E01041E70(__eflags, 0);
    										} while (__eflags == 0);
    										L44:
    										_push(0);
    										L13:
    										exit();
    										L14:
    										_t48 = E0103C570(1, _t92,  *0x1066778);
    										if(_t48 == 1) {
    											do {
    												__eflags = E01041E70(__eflags, 0);
    											} while (__eflags == 0);
    											_push(1);
    											goto L13;
    										}
    										if(_t48 == 0xffffffff) {
    											do {
    												__eflags = E01041E70(__eflags, 0);
    											} while (__eflags == 0);
    											goto L44;
    										}
    										_t92 = _t48;
    										_t51 = E0103E470(0, _t48);
    										if(_t51 != 0) {
    											_v28 = _t51;
    										}
    										L8:
    										_t96 = _t96 + 1;
    										if(_t96 < 3) {
    											L7:
    											_t92 =  *((intOrPtr*)(_t97 + _t96 * 4 - 0x14));
    											if( *((intOrPtr*)(_t97 + _t96 * 4 - 0x14)) != 0) {
    												goto L14;
    											}
    											goto L8;
    										}
    										E0103E310(_t51);
    										_t53 = GetConsoleOutputCP();
    										 *0x10625a0 = _t53;
    										GetCPInfo(_t53, 0x106c9f0);
    										_t44 = E0103E2AF();
    										_t81 =  *0x1066758;
    										L10:
    										_t105 = _t81;
    										if(_t81 == 0) {
    											 *0x107904c = 0;
    											goto L29;
    										} else {
    											goto L11;
    										}
    										do {
    											L11:
    										} while (E01041E70(_t105, 0) == 0);
    										_push(_v28);
    										goto L13;
    									}
    									EnterCriticalSection( *0x10625a4);
    									 *0x106259c = 0;
    									LeaveCriticalSection( *0x10625a4);
    									_t59 = GetConsoleOutputCP();
    									 *0x10625a0 = _t59;
    									GetCPInfo(_t59, 0x106c9f0);
    									E0103E2AF();
    									_t62 = E0103E470(0, _t95);
    									 *0x106675c = 0;
    									E0103E310(_t62);
    									_t64 = GetConsoleOutputCP();
    									 *0x10625a0 = _t64;
    									GetCPInfo(_t64, 0x106c9f0);
    									E0103E2AF();
    									do {
    										goto L40;
    									} while (_t95 == 1);
    									goto L41;
    									L40:
    									 *0x1066744 = 0;
    									EnterCriticalSection( *0x10625a4);
    									 *0x106259c = 0;
    									LeaveCriticalSection( *0x10625a4);
    									_t92 = 0;
    									_t57 = E0103C570(_t96, 0, 0); // executed
    									_t95 = _t57;
    									__eflags = _t95 - 1;
    								}
    							}
    							_push(0);
    							_push(0x40002729);
    							E010363BD(_t83);
    							E01054840(__eflags, 0);
    							do {
    								__eflags = E01041E70(__eflags, 0);
    							} while (__eflags == 0);
    							_push(_t95);
    							goto L13;
    						}
    						__eflags = _t44 - _t96;
    						if(__eflags != 0) {
    							goto L33;
    						} else {
    							goto L31;
    						}
    						do {
    							L31:
    							__eflags = E01041E70(__eflags, 0);
    						} while (__eflags == 0);
    						goto L44;
    					}
    					_push(0);
    					_push(0x1070a30);
    					L01047FB1();
    					_t81 =  *0x1066758;
    					if(_t44 != 0) {
    						_t44 = 1;
    						_v44 = 1;
    						__eflags = _t81;
    						if(__eflags != 0) {
    							_v28 = 0xff;
    						}
    					} else {
    						_t44 = _v44;
    					}
    					if(_t44 != 0) {
    						goto L10;
    					} else {
    						_t96 = 0;
    						goto L7;
    					}
    				}
    			}

    APIs
    • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 010409CB
    • OpenThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(001FFFFF,00000000,00000000), ref: 010409D8
      • Part of subcall function 0103E2AF: SetThreadUILanguage.KERNELBASE ref: 0103E2C6
    • HeapSetInformation.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000001,00000000,00000000), ref: 010409ED
    • RegOpenKeyExW.ADVAPI32(80000001,Software\Policies\Microsoft\Windows\System,00000000,00020019,?), ref: 01040A0A
    • _setjmp3.MSVCRT ref: 01040A72
    • GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 01040AA3
    • GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0106C9F0), ref: 01040AB4
    • exit.MSVCRT ref: 01040ADA
    • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DisableCMD,00000000,?,?,?), ref: 0104E9E1
    • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 0104E9EA
      • Part of subcall function 01041F5B: VirtualQuery.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,0000001C,00000000,?,00000000,?,?,?,?,?,?,0104EF7C,?,00000000,00000000), ref: 01041FB2
      • Part of subcall function 01041F5B: VirtualQuery.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,0000001C,?,?,?,?,?,?,0104EF7C,?,00000000,00000000), ref: 01041FCE
      • Part of subcall function 01041F1A: GetConsoleOutputCP.KERNELBASE(01040A41), ref: 01041F1A
      • Part of subcall function 01041F1A: GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0106C9F0), ref: 01041F2B
      • Part of subcall function 01041F1A: memset.MSVCRT ref: 01041F45
      • Part of subcall function 010387CA: InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(0106CA04), ref: 010387EE
      • Part of subcall function 010387CA: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 010387FA
      • Part of subcall function 010387CA: LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 0103880E
      • Part of subcall function 010387CA: SetConsoleCtrlHandler.KERNELBASE(01057460,00000001), ref: 0103881B
      • Part of subcall function 010387CA: _get_osfhandle.MSVCRT ref: 01038828
      • Part of subcall function 010387CA: GetConsoleMode.KERNELBASE(00000000), ref: 01038830
      • Part of subcall function 010387CA: _get_osfhandle.MSVCRT ref: 0103883C
      • Part of subcall function 010387CA: GetConsoleMode.KERNELBASE(00000000), ref: 01038844
      • Part of subcall function 010387CA: GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 0103886A
      • Part of subcall function 010387CA: GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 010388A5
    • _setjmp3.MSVCRT ref: 0104EA5E
    Strings
    • DisableCMD, xrefs: 0104E9D9
    • Software\Policies\Microsoft\Windows\System, xrefs: 01040A00
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: Console$CriticalQuerySectionThread$CommandInfoLineModeOpenOutputVirtual_get_osfhandle_setjmp3$CloseCtrlCurrentEnterHandlerHeapInformationInitializeLanguageLeaveValueexitmemset
    • String ID: DisableCMD$Software\Policies\Microsoft\Windows\System
    • API String ID: 4238206819-1920437939
    • Opcode ID: 1a3acb8955a948ad17b98afc6b0ec486f1385dd5b84bee48e8ede4d54c6365c1
    • Instruction ID: 0cffd85450f14417f74a2e55746f9e63fe4ce8fe2b1c25c59febe934caf893b2
    • Opcode Fuzzy Hash: 1a3acb8955a948ad17b98afc6b0ec486f1385dd5b84bee48e8ede4d54c6365c1
    • Instruction Fuzzy Hash: 4C71A8B1A00206AFEB61AB75DC859AF7AADFF54340B144539F6C2F2194EA3ED4418B60
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 94%
    			E0103CF10(signed int __eax, long* __ecx, intOrPtr __edx, signed int _a4) {
    				long* _v8;
    				long _v12;
    				intOrPtr _v16;
    				signed short* _v20;
    				long _v24;
    				signed int _t96;
    				long _t103;
    				signed int _t108;
    				signed char _t109;
    				int _t110;
    				wchar_t* _t111;
    				wchar_t* _t112;
    				int _t113;
    				signed int _t119;
    				long _t120;
    				int _t121;
    				wchar_t* _t122;
    				signed int _t129;
    				int _t130;
    				signed int _t136;
    				int _t137;
    				signed int _t140;
    				signed short* _t142;
    				int _t149;
    				long _t153;
    				int _t154;
    				int _t156;
    				wchar_t* _t157;
    				wchar_t* _t158;
    				signed short _t164;
    				int _t165;
    				wchar_t* _t166;
    				wchar_t* _t167;
    				signed short* _t168;
    				signed int _t170;
    				signed int _t174;
    				long* _t175;
    				signed short* _t178;
    				signed short* _t179;
    				signed int _t180;
    				intOrPtr _t184;
    				long* _t187;
    				long* _t188;
    				long* _t189;
    				long _t190;
    				long _t191;
    				long _t192;
    				void* _t193;
    				void* _t194;
    				void* _t197;
    
    				_t96 = __eax;
    				_push(0);
    				_push(0x1070a70);
    				_v16 = __edx;
    				_v8 = __ecx;
    				L01047FB1();
    				_t194 = _t193 + 8;
    				if(__eax != 0) {
    					L141:
    					return _t96 | 0xffffffff;
    				}
    				_t187 = _v8;
    				if(_t187 == 0) {
    					if( *0x1079059 != 0) {
    						_push( *0x10665c8);
    						E01039950(L"Ungetting: \'%s\'\n");
    					}
    					 *0x10665cc =  *0x10665c8;
    					return 0;
    				} else {
    					if(_v16 < 6) {
    						goto L141;
    					}
    					_t170 = _a4;
    					 *0x10665c8 =  *0x10665cc;
    					_v20 = _t187;
    					if((_t170 & 0x00000021) == 0) {
    						while(1) {
    							_t164 = E0103D600(); // executed
    							_t192 = _t164 & 0x0000ffff;
    							_t165 = iswspace(_t192);
    							_t194 = _t194 + 4;
    							if(_t165 != 0 && _t192 != 0xa) {
    								goto L6;
    							} else {
    								continue;
    							}
    							do {
    								_t164 = E0103D600(); // executed
    								_t192 = _t164 & 0x0000ffff;
    								_t165 = iswspace(_t192);
    								_t194 = _t194 + 4;
    							} while (_t165 != 0 && _t192 != 0xa);
    							L6:
    							if((_t170 & 0x00000004) != 0) {
    								_t166 = 0x10322d2;
    							} else {
    								_t166 = L"=,;";
    							}
    							_t167 = wcschr(_t166, _t192);
    							_t194 = _t194 + 8;
    							if(_t167 != 0) {
    								if(_t192 == 0) {
    									goto L9;
    								} else {
    									continue;
    								}
    								L70:
    								return 0x4000;
    							}
    							L9:
    							_t168 =  *0x10665cc;
    							if(_t168 != 0x10625c0) {
    								 *0x10665cc = _t168 - 2;
    							}
    							goto L11;
    						}
    					}
    					L11:
    					_t190 = E0103D600() & 0x0000ffff;
    					if( *0x107952c != 0) {
    						 *0x107952c = 0;
    						if((_t170 & 0x00000040) != 0) {
    							goto L41;
    						} else {
    							_t190 = E0103D600() & 0x0000ffff;
    							goto L12;
    						}
    						goto L70;
    					} else {
    						L12:
    						_t129 = _t190 & 0x0000ffff;
    						if(_t129 != 0xa) {
    							if(_t129 >= 0x41) {
    								if(_t129 >= 0x7c) {
    									goto L25;
    								} else {
    									goto L33;
    								}
    							} else {
    								L25:
    								if(_t129 > 0x7c) {
    									goto L33;
    								} else {
    									_t16 = _t129 + 0x103d4e0; // 0x5050500
    									switch( *((intOrPtr*)(( *_t16 & 0x000000ff) * 4 +  &M0103D4C8))) {
    										case 0:
    											goto L13;
    										case 1:
    											goto L14;
    										case 2:
    											L27:
    											if((_t170 & 0x0000002a) == 8) {
    												goto L28;
    											}
    											goto L33;
    										case 3:
    											L28:
    											if((_t170 & 0x00000022) == 0) {
    												if((_t170 & 0x00000010) != 0 || _t190 != 0x29) {
    													goto L13;
    												} else {
    												}
    											}
    											goto L33;
    										case 4:
    											if((__bl & 0x00000022) != 0) {
    												goto L33;
    											} else {
    												if( *0x10665d0 != 0) {
    													goto L27;
    												} else {
    													goto L41;
    												}
    											}
    											goto L70;
    										case 5:
    											goto L33;
    									}
    								}
    							}
    						} else {
    							L13:
    							_t170 = _t170 & 0xffffffdd;
    							_a4 = _t170;
    							L14:
    							if((_t170 & 0x00000022) == 0) {
    								L15:
    								 *_t187 = _t190;
    								_t189 =  &(_t187[0]);
    								_v8 = _t189;
    								_t175 = _t189;
    								_t137 = iswdigit(_t190);
    								_t197 = _t194 + 4;
    								if(_t137 != 0) {
    									_t190 = E0103D600() & 0x0000ffff;
    									_t71 =  &(_t189[0]); // 0x103c64d
    									_t175 = _t71;
    									 *_t189 = _t190;
    									_t189 = _t175;
    									_v8 = _t189;
    								}
    								if(_t190 == 0x3e || _t190 == 0x26 || _t190 == 0x7c || _t190 == 0x3c) {
    									_t140 = E0103D600() & 0x0000ffff;
    									_t59 = _t189 - 2; // 0xffffe277
    									if(_t140 ==  *_t59) {
    										 *_t189 = _t140;
    										_t62 =  &(_t175[0]); // 0x103c64d
    										_t189 = _t62;
    										_v8 = _t189;
    										_t140 = E0103D600() & 0x0000ffff;
    										_t175 = _t189;
    									}
    									_t60 = _t189 - 2; // 0xffffe277
    									_t180 =  *_t60 & 0x0000ffff;
    									if(_t180 != 0x3e) {
    										if(_t180 != 0x3c) {
    											goto L82;
    										}
    										goto L81;
    									} else {
    										L81:
    										if(_t140 == 0x26) {
    											 *_t189 = 0x26;
    											_t81 =  &(_t175[0]); // 0x103c64f
    											_t189 = _t81;
    											_v8 = _t189;
    											do {
    												_t191 = E0103D600() & 0x0000ffff;
    												_t149 = iswspace(_t191);
    												_t197 = _t197 + 4;
    											} while (_t149 != 0 || E0103A62F(L"=,;", _t191) != 0);
    											if(iswdigit(_t191) != 0) {
    												 *_t189 = _t191;
    												_t189 =  &(_t189[0]);
    												_v8 = _t189;
    												E0103D600();
    											}
    										}
    										L82:
    										_t142 =  *0x10665cc;
    										if(_t142 != 0x10625c0) {
    											 *0x10665cc = _t142 - 2;
    										}
    										goto L20;
    									}
    								} else {
    									L20:
    									 *_t189 = 0;
    									return  *_v20 & 0x0000ffff;
    								}
    							}
    							L33:
    							if(_t190 == 0x5e) {
    								if((_t170 & 0x00000022) != 0) {
    									goto L34;
    								} else {
    									_t190 = E0103D600() & 0x0000ffff;
    									if(_t190 == 0) {
    										goto L15;
    									}
    									if(_t190 != 0xa) {
    										goto L41;
    									} else {
    										_t190 = E0103D600() & 0x0000ffff;
    										if(_t190 != 0) {
    											goto L41;
    										} else {
    											goto L15;
    										}
    									}
    								}
    								goto L70;
    							} else {
    								L34:
    								if(_t190 == 0x22) {
    									_t170 = _t170 ^ 0x00000002;
    									_a4 = _t170;
    								}
    								if((_t170 & 0x00000023) == 0) {
    									_t156 = iswspace(_t190);
    									_t194 = _t194 + 4;
    									if(_t156 != 0) {
    										goto L15;
    									}
    									if((_t170 & 0x00000004) != 0) {
    										_t157 = 0x10322d2;
    									} else {
    										_t157 = L"=,;";
    									}
    									_t158 = wcschr(_t157, _t190);
    									_t194 = _t194 + 8;
    									if(_t158 != 0) {
    										goto L15;
    									}
    								}
    								_t130 = iswdigit(_t190);
    								_t194 = _t194 + 4;
    								if(_t130 != 0) {
    									_t179 =  *0x10665cc;
    									if((_t179 - 0x10625be & 0xfffffffe) < 4) {
    										L92:
    										_t136 =  *( *0x10665cc) & 0x0000ffff;
    										if(_t136 != 0x3e) {
    											if(_t136 != 0x3c) {
    												goto L41;
    											} else {
    												goto L93;
    											}
    										} else {
    											L93:
    											if((_t170 & 0x00000022) == 0) {
    												goto L15;
    											}
    											goto L41;
    										}
    									} else {
    										_t153 =  *(_t179 - 4) & 0x0000ffff;
    										_v12 = _t153;
    										_t154 = iswspace(_t153);
    										_t194 = _t194 + 4;
    										if(_t154 == 0) {
    											if(E0103A62F(L"()|&=,;\"", _v12) != 0) {
    												goto L92;
    											} else {
    												goto L41;
    											}
    										} else {
    											goto L92;
    										}
    									}
    									goto L70;
    								}
    							}
    						}
    					}
    					L41:
    					_t184 = _v16;
    					 *_t187 = _t190;
    					_t188 =  &(_t187[0]);
    					_a4 = _t170 | 0x00000040;
    					_t30 = _t184 - 1; // 0x5
    					_t103 = _t30;
    					_t174 = _t188 - _v20 >> 1;
    					_v8 = _t188;
    					 *0x10665d0 = 0;
    					_v12 = _t103;
    					if(_t174 < _t103) {
    						do {
    							_t190 = E0103D600() & 0x0000ffff;
    							if( *0x107952c != 0) {
    								 *0x107952c = 0;
    								if((_a4 & 0x00000040) != 0) {
    									goto L50;
    								} else {
    									_t190 = E0103D600() & 0x0000ffff;
    									goto L44;
    								}
    								goto L70;
    							} else {
    								L44:
    								_t108 = _t190 & 0x0000ffff;
    								if(_t108 < 0x41 || _t108 >= 0x7c) {
    									if(_t108 > 0x7c) {
    										goto L46;
    									} else {
    										_t38 = _t108 + 0x103d578; // 0x5050500
    										switch( *((intOrPtr*)(( *_t38 & 0x000000ff) * 4 +  &M0103D560))) {
    											case 0:
    												_t126 = _a4;
    												goto L55;
    											case 1:
    												__eax = _a4;
    												goto L56;
    											case 2:
    												__eax = _a4;
    												goto L120;
    											case 3:
    												L106:
    												__eax = _a4;
    												if((__al & 0x00000022) != 0) {
    													goto L46;
    												} else {
    													if((__al & 0x00000010) != 0) {
    														L55:
    														_t127 = _t126 & 0xffffffdd;
    														_a4 = _t127;
    														L56:
    														if((_t127 & 0x00000022) == 0) {
    															goto L64;
    														} else {
    															goto L46;
    														}
    														goto L65;
    													} else {
    														if(__si == 0x29) {
    															goto L46;
    														} else {
    															goto L55;
    														}
    													}
    												}
    												goto L70;
    											case 4:
    												__eax = _a4;
    												if((__al & 0x00000022) != 0) {
    													goto L46;
    												} else {
    													if( *0x10665d0 == 0) {
    														goto L50;
    													} else {
    														L120:
    														__al = __al & 0x0000002a;
    														if(__al != 8) {
    															goto L46;
    														} else {
    															goto L106;
    														}
    													}
    												}
    												goto L70;
    											case 5:
    												goto L46;
    										}
    									}
    								} else {
    									L46:
    									_t109 = _a4;
    									if(_t190 == 0x5e) {
    										if((_t109 & 0x00000022) != 0) {
    											goto L47;
    										} else {
    											_t190 = E0103D600() & 0x0000ffff;
    											if(_t190 == 0) {
    												goto L64;
    											} else {
    												if(_t190 != 0xa) {
    													goto L50;
    												} else {
    													_t190 = E0103D600() & 0x0000ffff;
    													if(_t190 == 0) {
    														goto L64;
    													} else {
    														goto L50;
    													}
    												}
    											}
    										}
    										goto L70;
    									} else {
    										L47:
    										if(_t190 == 0x22) {
    											_t109 = _t109 ^ 0x00000002;
    											_a4 = _t109;
    										}
    										if((_t109 & 0x00000023) == 0) {
    											_t110 = iswspace(_t190);
    											_t194 = _t194 + 4;
    											if(_t110 != 0) {
    												goto L64;
    											} else {
    												if((_a4 & 0x00000004) != 0) {
    													_t111 = 0x10322d2;
    												} else {
    													_t111 = L"=,;";
    												}
    												_t112 = wcschr(_t111, _t190);
    												_t194 = _t194 + 8;
    												if(_t112 == 0) {
    													goto L49;
    												} else {
    													goto L64;
    												}
    											}
    										} else {
    											L49:
    											_t113 = iswdigit(_t190);
    											_t194 = _t194 + 4;
    											if(_t113 != 0) {
    												_t178 =  *0x10665cc;
    												if((_t178 - 0x10625be & 0xfffffffe) < 4) {
    													L74:
    													_t119 =  *( *0x10665cc) & 0x0000ffff;
    													if(_t119 == 0x3e) {
    														L63:
    														if((_a4 & 0x00000022) != 0) {
    															goto L50;
    														} else {
    															L64:
    															_t103 = _v12;
    														}
    														goto L65;
    													} else {
    														if(_t119 != 0x3c) {
    															goto L50;
    														} else {
    															goto L63;
    														}
    													}
    												} else {
    													_t120 =  *(_t178 - 4) & 0x0000ffff;
    													_v24 = _t120;
    													_t121 = iswspace(_t120);
    													_t194 = _t194 + 4;
    													if(_t121 != 0) {
    														goto L74;
    													} else {
    														_t122 = wcschr(L"()|&=,;\"", _v24);
    														_t194 = _t194 + 8;
    														if(_t122 == 0) {
    															goto L50;
    														} else {
    															goto L74;
    														}
    													}
    												}
    												goto L70;
    											} else {
    												goto L50;
    											}
    										}
    									}
    								}
    							}
    							L65:
    							_t184 = _v16;
    							goto L66;
    							L50:
    							_t103 = _v12;
    							_t174 = _t174 + 1;
    							 *_t188 = _t190;
    							_t188 =  &(_t188[0]);
    							_v8 = _t188;
    						} while (_t174 < _t103);
    						goto L65;
    					}
    					L66:
    					_a4 = _a4 & 0xffffffbf;
    					_t177 = 0;
    					 *_t188 = 0;
    					if(_t174 < _t103) {
    						_t177 =  *0x10665cc;
    						if( *0x10665cc != 0x10625c0) {
    							 *0x10665cc =  *0x10665cc - 2;
    						}
    					}
    					if(_t174 >= _t184) {
    						if(_t190 != 0xffff) {
    							_t96 = E010378E4(_t177, 0x234f, 1, _v20);
    							goto L141;
    						}
    					}
    					goto L70;
    				}
    				goto L142;
    			}

    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: iswdigit$iswspacewcschr$_setjmp3
    • String ID: ()|&=,;"$=,;$@$Ungetting: '%s'
    • API String ID: 684130364-3872429996
    • Opcode ID: cab3a469a9cc041d621d42c4b017093b8a09f62f30a5dbd961a903a43989dd97
    • Instruction ID: 031b91dce8824c1ec0da2dd53ad262fa9dec593f34059ffd4a74bf7ce9a7356a
    • Opcode Fuzzy Hash: cab3a469a9cc041d621d42c4b017093b8a09f62f30a5dbd961a903a43989dd97
    • Instruction Fuzzy Hash: 6FE103B1A00201ABDB714FECD8843BE7BECAFD1290F9440A6ECC5E7255E739C9518796
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 68%
    			E0103790C(void* __ecx, intOrPtr __edx, intOrPtr _a4, signed int _a8) {
    				signed int _v8;
    				short _v16;
    				short _v20;
    				signed int _v26;
    				struct _CONSOLE_SCREEN_BUFFER_INFO _v32;
    				signed short _v50;
    				struct _CONSOLE_SCREEN_BUFFER_INFO _v56;
    				long _v60;
    				signed int _v64;
    				void* _v68;
    				long _v72;
    				intOrPtr _v76;
    				long _v80;
    				intOrPtr _v84;
    				char _v88;
    				char _v548;
    				signed int _v564;
    				char _v1084;
    				char _v1085;
    				signed int _v1086;
    				signed int* _v1092;
    				intOrPtr _v1096;
    				signed int _v1100;
    				intOrPtr _v1104;
    				intOrPtr _v1108;
    				intOrPtr _v1112;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				signed int _t132;
    				void* _t135;
    				long _t136;
    				long _t137;
    				void* _t142;
    				char* _t147;
    				void* _t149;
    				void* _t153;
    				signed int _t154;
    				intOrPtr _t156;
    				void* _t157;
    				signed int _t158;
    				signed int _t160;
    				signed int _t169;
    				void* _t170;
    				short* _t173;
    				signed int _t177;
    				intOrPtr _t180;
    				int _t182;
    				signed int _t183;
    				signed int _t185;
    				signed int _t187;
    				signed short _t192;
    				struct _COORD _t197;
    				int _t203;
    				void* _t207;
    				void* _t208;
    				long _t213;
    				signed int _t216;
    				signed int _t218;
    				signed int _t221;
    				signed int _t222;
    				signed int _t231;
    				intOrPtr _t237;
    				void* _t238;
    				signed int _t244;
    				signed int _t246;
    				signed int _t253;
    				signed int _t260;
    				long _t265;
    				void* _t266;
    				void* _t267;
    				signed int* _t268;
    				signed int _t269;
    				signed int _t270;
    				void* _t275;
    				long _t276;
    				void* _t277;
    				signed int _t278;
    				struct _COORD _t279;
    				void* _t280;
    				signed int _t281;
    				signed int* _t282;
    				signed int _t284;
    				void* _t285;
    				signed int _t294;
    				signed int _t297;
    
    				_t294 = _t297;
    				_t132 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t132 ^ _t294;
    				_v64 = _a8;
    				_t275 = __ecx;
    				_v76 = __edx;
    				_t265 = 0;
    				_v72 = 0;
    				_t135 = E01039A11(_a8); // executed
    				if(_t135 == 0) {
    					L13:
    					_t207 = 0;
    				} else {
    					__imp___get_osfhandle(__edx);
    					_t207 = _t135;
    					_t203 = GetConsoleScreenBufferInfo(_t207,  &_v32); // executed
    					if(_t203 == 0) {
    						goto L13;
    					} else {
    						_t265 = _v16 - _v20 - 1;
    						_v72 = _t265;
    					}
    				}
    				_v60 = _v60 & 0x00000000;
    				_t136 = E01037E93(_t275, _a4, _v64); // executed
    				_t213 = _t136;
    				_t258 = 0x1070af0;
    				_v64 = _t213;
    				_t276 = _t213;
    				_v68 = 0x1070af0;
    				if(_t213 == 0) {
    					_t137 = _v60;
    					goto L11;
    				} else {
    					do {
    						if(_t207 == 0) {
    							_t177 = E01039B3B(_t276 + _t276, _t258, _t276 + _t276,  &_v88);
    							__eflags = _t177;
    							if(_t177 == 0) {
    								L16:
    								_t137 = GetLastError();
    								_v60 = _t137;
    								break;
    							} else {
    								__eflags = _v88 - _t276 + _t276;
    								if(_v88 == _t276 + _t276) {
    									goto L9;
    								} else {
    									goto L16;
    								}
    							}
    						} else {
    							if( *0x107905b != 0) {
    								_t253 =  *0x107950c;
    								__eflags = _t253 - _t265;
    								if(_t253 < _t265) {
    									L65:
    									_t285 = _t258;
    									_t180 = _t258 + _v64 * 2;
    									_v84 = _t180;
    									__eflags = _t258 - _t180;
    									if(_t258 < _t180) {
    										while(1) {
    											__eflags = _t253 - _t265;
    											if(_t253 >= _t265) {
    												break;
    											}
    											_t183 =  *_t285 & 0x0000ffff;
    											_t285 = _t285 + 2;
    											__eflags = _t183 - 0xa;
    											if(_t183 == 0xa) {
    												_t253 = _t253 + 1;
    												__eflags = _t253;
    											}
    											__eflags = _t285 - _v84;
    											if(_t285 < _v84) {
    												continue;
    											}
    											break;
    										}
    										 *0x107950c = _t253;
    									}
    									_t276 = _t285 - _t258 >> 1;
    									goto L8;
    								} else {
    									 *0x107950c = 0;
    									_t185 = GetConsoleScreenBufferInfo(_t207,  &_v32);
    									__eflags = _t185;
    									if(_t185 == 0) {
    										L64:
    										_t253 =  *0x107950c;
    										_t258 = _v68;
    										goto L65;
    									} else {
    										_t187 = WriteConsoleW(_t207,  *0x1079508,  *0x1079504,  &_v60, 0);
    										__eflags = _t187;
    										if(_t187 == 0) {
    											goto L64;
    										} else {
    											FlushConsoleInputBuffer(GetStdHandle(0xfffffff6));
    											GetConsoleMode(_t207,  &_v80);
    											_t192 = SetConsoleMode(_t207, 0);
    											__imp___getch();
    											SetConsoleMode(_t207, _v80);
    											GetConsoleScreenBufferInfo(_t207,  &_v56);
    											_t258 = _v32.dwSize * _v26;
    											_push( &_v60);
    											_t197 = _v32.dwCursorPosition;
    											_push(_t197);
    											_push(_v56.dwSize * _v50 - _v32.dwSize * _v26 + _t197 + _v56.dwCursorPosition);
    											_push(0x20);
    											_push(_t207);
    											FillConsoleOutputCharacterW();
    											SetConsoleCursorPosition(_t207, _v32.dwCursorPosition);
    											__eflags = (_t192 & 0x0000ffff) - 3;
    											if((_t192 & 0x0000ffff) == 3) {
    												EnterCriticalSection( *0x10625a4);
    												 *0x106259c = 1;
    												LeaveCriticalSection( *0x10625a4);
    												_t137 = 0;
    												L12:
    												_pop(_t266);
    												_pop(_t277);
    												_pop(_t208);
    												return E01046B30(_t137, _t208, _v8 ^ _t294, _t258, _t266, _t277);
    											} else {
    												_t265 = _v72;
    												goto L64;
    											}
    										}
    									}
    								}
    							} else {
    								_t276 = 0xa0;
    								if(_t213 <= 0xa0) {
    									_t276 = _t213;
    								}
    								L8:
    								_t182 = WriteConsoleW(_t207, _t258, _t276,  &_v60, 0); // executed
    								if(_t182 == 0) {
    									_t137 = GetLastError();
    								} else {
    									L9:
    									_t137 = 0;
    								}
    								goto L10;
    							}
    						}
    						goto L108;
    						L10:
    						_t213 = _v64 - _t276;
    						_v60 = _t137;
    						_v64 = _t213;
    						_t258 = _v68 + _t276 * 2;
    						_v68 = _t258;
    					} while (_t213 != 0);
    					L11:
    					if(_t137 != 0) {
    						__eflags = _v76 - 2;
    						if(__eflags != 0) {
    							goto L12;
    						} else {
    							do {
    								__eflags = E01041E70(__eflags, 0);
    							} while (__eflags == 0);
    							exit(1);
    							asm("int3");
    							while(1) {
    								_t216 = 0x1078bf0;
    								do {
    									E0103A641(_t216);
    									E01036468();
    									_t218 = _v32.dwCursorPosition;
    									__eflags = _t218;
    									if(_t218 == 0) {
    										_t218 =  &_v548;
    									}
    									_t259 = _t218 + 2;
    									do {
    										_t142 =  *_t218;
    										_t218 = _t218 + 2;
    										__eflags = _t142 - _t276;
    									} while (_t142 != _t276);
    									_t220 = _t218 - _t259 >> 1;
    									_t278 = _t220;
    									__eflags = _t278 - 3;
    									if(_t278 > 3) {
    										__eflags = _v1086;
    										if(_v1086 != 0) {
    											_t248 = _v32.dwCursorPosition;
    											__eflags = _v32.dwCursorPosition;
    											if(_v32.dwCursorPosition == 0) {
    												_t248 =  &_v548;
    											}
    											_t173 = E01044EA8(_t248);
    											__eflags =  *_t173 - 0x2e;
    											if( *_t173 != 0x2e) {
    												goto L40;
    											} else {
    												_t220 = _v32.dwCursorPosition;
    												__eflags = _t220;
    												if(_t220 == 0) {
    													_t220 =  &_v548;
    												}
    												 *((short*)(_t220 + _t278 * 2 - 4)) = 0;
    											}
    										} else {
    											L40:
    											__eflags = _v32.dwCursorPosition;
    											if(_v32.dwCursorPosition == 0) {
    												_t220 =  &_v548;
    											}
    											__eflags = 0;
    											 *((short*)(_t220 + _t278 * 2 - 2)) = 0;
    										}
    									}
    									__eflags = _t278 + 1 - 0x7fe7;
    									if(_t278 + 1 > 0x7fe7) {
    										_t279 = 0;
    										__eflags = _v1085;
    										if(_v1085 != 0) {
    											_push(0);
    											_push(2);
    											goto L28;
    										}
    									} else {
    										_t147 =  *(_t265 + 0x10);
    										__eflags =  *_t147;
    										if( *_t147 == 0) {
    											_t147 = "*";
    										}
    										E0103A641(_t147);
    										_t231 = _v564;
    										__eflags = _t231;
    										if(_t231 == 0) {
    											_t231 =  &_v1084;
    										}
    										_t259 = _t231 + 2;
    										do {
    											_t149 =  *_t231;
    											_t231 = _t231 + 2;
    											__eflags = _t149 - _v1096;
    										} while (_t149 != _v1096);
    										_t220 = _t231 - _t259 >> 1;
    										_t279 = 0;
    										__eflags = _t278 + 1 + (_t231 - _t259 >> 1) - 0x7fe7;
    										if(_t278 + 1 + (_t231 - _t259 >> 1) > 0x7fe7) {
    											__eflags = _v1085;
    											if(_v1085 != 0) {
    												_push(0);
    												_push(0x6f);
    												goto L28;
    											}
    										} else {
    											__eflags =  *( *(_t265 + 0x10));
    											if( *( *(_t265 + 0x10)) != 0) {
    												_t169 =  *(_t265 + 0x14);
    												__eflags = _t169;
    												if(_t169 == 0) {
    													L87:
    													_t244 = _v564;
    													__eflags = _t244;
    													if(_t244 == 0) {
    														_t244 =  &_v1084;
    													}
    													_t259 = _t244 + 2;
    													do {
    														_t170 =  *_t244;
    														_t244 = _t244 + 2;
    														__eflags = _t170 - _t279;
    													} while (_t170 != _t279);
    													_t246 = _t244 - _t259 >> 1;
    													__eflags = _t246 + 3 - 0x7fe7;
    													if(_t246 + 3 <= 0x7fe7) {
    														__eflags = _v1086;
    														if(_v1086 != 0) {
    															__eflags =  *((char*)(_t207 + 8));
    															if( *((char*)(_t207 + 8)) != 0) {
    																E0104232C(_t259, L".*");
    															}
    														}
    													}
    												} else {
    													__eflags =  *_t169;
    													if( *_t169 == 0) {
    														goto L87;
    													}
    												}
    											}
    											_t233 = _v564;
    											__eflags = _v564;
    											if(_v564 == 0) {
    												_t233 =  &_v1084;
    											}
    											_t153 = E0104054B(_t207, _t233, _t265, _t279);
    											_t281 = _v1092;
    											 *_t281 = _t153;
    											_t234 = _v32.dwCursorPosition;
    											__eflags = _v32.dwCursorPosition;
    											if(_v32.dwCursorPosition == 0) {
    												_t234 =  &_v548;
    											}
    											_t154 = E0104054B(_t207, _t234, _t265, _t281);
    											_t268 = _v1100;
    											 *(_t281 + 4) = _t154;
    											__eflags = _t268[1];
    											if(_t268[1] != 0) {
    												__imp___wcsicmp(_t268[1], _t154);
    												__eflags = _t154;
    												if(_t154 == 0) {
    													_t268[2] = _t268[2] + 1;
    													goto L55;
    												} else {
    													_t220 = 0x30;
    													_t284 = E0103DCD0(_t220);
    													__eflags = _t284;
    													if(_t284 == 0) {
    														E01059922();
    														__imp__longjmp(0x1070a30, 1);
    														_t279 = 0;
    														__eflags = _v1085;
    														if(_v1085 != 0) {
    															_push(0);
    															_push(0x2374);
    															goto L28;
    														}
    													} else {
    														 *_t268 = _t284;
    														_t270 = _v1092;
    														_v1100 = _t284;
    														 *((intOrPtr*)(_t284 + 4)) = E0104054B(_t207,  *((intOrPtr*)(_t270 + 4)), _t270, _t284);
    														 *_t284 = 0;
    														 *((char*)(_t284 + 0x10)) =  *((intOrPtr*)(_t270 + 8));
    														 *(_t284 + 0xc) = _t270;
    														 *(_t284 + 8) = 1;
    														_t281 = _t270;
    														goto L55;
    													}
    												}
    											} else {
    												_t268[1] = E0104054B(_t207, _t154, _t268, _t281);
    												_t268[4] =  *((intOrPtr*)(_t281 + 8));
    												_t268[3] = _t281;
    												L55:
    												_t237 = _v1112;
    												_t156 = _v1104 + 1;
    												_t282 =  *(_t281 + 0xc);
    												_v1104 = _t156;
    												_v1092 = _t282;
    												__eflags = _t156 -  *((intOrPtr*)(_t237 + 0x48));
    												if(_t156 <=  *((intOrPtr*)(_t237 + 0x48))) {
    													_t269 =  *_t282;
    													_t260 = _t269;
    													_t238 = _t260 + 2;
    													do {
    														_t157 =  *_t260;
    														_t260 = _t260 + 2;
    														__eflags = _t157 - _v1096;
    													} while (_t157 != _v1096);
    													_t259 = _t260 - _t238 >> 1;
    													_t158 = E010423F0(_t269, _t260 - _t238 >> 1);
    													_v1086 = _t158;
    													__eflags = _t158;
    													if(_t158 != 0) {
    														L23:
    														__eflags =  *((char*)(_t207 + 8));
    														_t282[2] = _t158;
    														if( *((char*)(_t207 + 8)) != 0) {
    															_t259 = _t158;
    															_t160 = E0103780A(_t269, _t158);
    															E0103DC60(_t269);
    															_t269 = _t160;
    														}
    														_t276 = 0;
    														_t220 = _t269;
    														 *0x10667a8 = 0;
    														_t265 = E0103802C(_t207, _t269, _t269);
    														__eflags = _t265 - 1;
    														if(_t265 != 1) {
    															goto L34;
    														} else {
    															__eflags = _v1085;
    															if(_v1085 != 0) {
    																_push(0);
    																_push( *0x10667a8);
    																goto L28;
    															}
    														}
    													} else {
    														_t220 =  *0x10667a8;
    														__eflags = _t220;
    														if(_t220 != 0) {
    															_t279 = 0;
    															__eflags = _v1085;
    															if(_v1085 != 0) {
    																_push(0);
    																_push(_t220);
    																L28:
    																E010378E4(_t220);
    															}
    														} else {
    															goto L23;
    														}
    													}
    												} else {
    													_t279 = 0;
    													_v1108 = 0;
    												}
    											}
    										}
    									}
    									_t221 = _v564;
    									__eflags = _t221;
    									if(_t221 != 0) {
    										__imp__??_V@YAXPAX@Z(_t221);
    									}
    									_t222 = _v32.dwCursorPosition;
    									_v32.dwCursorPosition = _t279;
    									__eflags = _t222;
    									if(_t222 != 0) {
    										__imp__??_V@YAXPAX@Z(_t222);
    									}
    									__eflags = _v8 ^ _t294;
    									_pop(_t267);
    									_pop(_t280);
    									return E01046B30(_v1108, _t207, _v8 ^ _t294, _t259, _t267, _t280);
    									goto L108;
    									L34:
    									_t216 =  *0x1078df8;
    									__eflags = _t216;
    								} while (_t216 != 0);
    							}
    						}
    					} else {
    						goto L12;
    					}
    				}
    				L108:
    			}
    0x0104adfe
    0x00000000
    0x0104adfe
    0x0104adcf
    0x01037d10
    0x01037d17
    0x01037d1d
    0x01037d20
    0x01037d23
    0x01037d29
    0x01037d2f
    0x01037d30
    0x01037d33
    0x01037d39
    0x01037d3f
    0x01037d42
    0x01037b3c
    0x01037b3e
    0x01037b40
    0x01037b43
    0x01037b43
    0x01037b46
    0x01037b49
    0x01037b49
    0x01037b56
    0x01037b58
    0x01037b5d
    0x01037b63
    0x01037b65
    0x01037b75
    0x01037b75
    0x01037b79
    0x01037b7c
    0x01037b7e
    0x01037b82
    0x01037b8b
    0x01037b90
    0x01037b90
    0x01037b92
    0x01037b94
    0x01037b96
    0x01037ba1
    0x01037ba3
    0x01037ba6
    0x00000000
    0x01037ba8
    0x01037ba8
    0x01037baf
    0x01037bb1
    0x01037bb2
    0x00000000
    0x01037bb2
    0x01037baf
    0x01037b67
    0x01037b67
    0x01037b6d
    0x01037b6f
    0x0104ae0d
    0x0104ae0f
    0x0104ae16
    0x0104ae1c
    0x0104ae1d
    0x01037bb8
    0x01037bb8
    0x01037bbe
    0x00000000
    0x00000000
    0x00000000
    0x01037b6f
    0x01037d48
    0x01037d48
    0x01037d4a
    0x01037d4a
    0x01037d42
    0x01037d0a
    0x01037cb8
    0x01037bbf
    0x01037bc5
    0x01037bc7
    0x01037bca
    0x01037bd0
    0x01037bd1
    0x01037bd4
    0x01037bd7
    0x01037bd9
    0x01037bdc
    0x01037be2
    0x01037bec
    0x01037bee
    0x01037bef
    0x01037bfb
    0x00000000
    0x01037bfe
    0x01037bfe
    0x01037c04
    0x01037c04
    0x01037c0c
    0x0104aced
    0x00000000
    0x00000000
    0x00000000
    0x010379e2
    0x00000000

    APIs
      • Part of subcall function 01039A11: _get_osfhandle.MSVCRT ref: 01039A1C
      • Part of subcall function 01039A11: GetFileType.KERNELBASE(00000000,0103793A,00000104,?), ref: 01039A2B
      • Part of subcall function 01039A11: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,?,?,?,?,?,?,?,?,01037908,00002374,-00000001), ref: 01039A47
      • Part of subcall function 01039A11: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01078E04,00000002,?,?,?,?,?,?,?,?,?,?,?,?,01037908,00002374), ref: 01039A56
      • Part of subcall function 01039A11: GetConsoleMode.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,01037908,00002374), ref: 01039A61
      • Part of subcall function 01039A11: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01078E04,?,?,?,?,?,?,?,?,?,?,?,?,01037908,00002374,-00000001), ref: 01039A6A
    • _get_osfhandle.MSVCRT ref: 01037943
    • GetConsoleScreenBufferInfo.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,01037908,00002374,-00000001), ref: 01037951
    • WriteConsoleW.KERNELBASE(00000000,01070AF0,000000A0,00000000,00000000,00000000,?,00000104,?), ref: 010379BE
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,?,00000104,?), ref: 01037A1C
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 01037A27
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: Console$ErrorLastLockShared_get_osfhandle$AcquireBufferFileHandleInfoModeReleaseScreenTypeWrite
    • String ID:
    • API String ID: 2173784998-0
    • Opcode ID: 112bde1563cd06c182f024c6c6a37e0fbf25fd3de3ac6e696345532efe891b8d
    • Instruction ID: 7e8af9e2cf79ce602d3d7df0faeace09a90e31bec4de3fe6a63d566b374c5529
    • Opcode Fuzzy Hash: 112bde1563cd06c182f024c6c6a37e0fbf25fd3de3ac6e696345532efe891b8d
    • Instruction Fuzzy Hash: 267163B1E00119DFDB65DFA8D884AAEBBBDFF44311F04452AF986E3144DB399841CB90
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph (figure omitted; legend: Executed, Not Executed)
    C-Code - Quality: 69%
    			E010400E9(void* __edi) {
    				signed int _v8;
    				long _v12;
    				char _v16;
    				struct HINSTANCE__* _v20;
    				void _v540;
    				void* __ebx;
    				void* __esi;
    				void* __ebp;
    				signed int _t31;
    				void* _t40;
    				WCHAR* _t42;
    				void* _t51;
    				void* _t53;
    				struct HINSTANCE__* _t55;
    				void* _t57;
    				void* _t58;
    				void* _t62;
    				void* _t81;
    				void* _t82;
    				void* _t84;
    				void* _t88;
    				void* _t92;
    				void* _t93;
    				void* _t95;
    				void* _t96;
    				void* _t102;
    				intOrPtr* _t103;
    				signed int _t105;
    
    				_t95 = __edi;
    				_t31 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t31 ^ _t105;
    				_v16 = 1;
    				_v12 = 0x104;
    				_v20 = 0;
    				memset( &_v540, 0, 0x104);
    				_t40 = E0103E3F0(((0 | _v16 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104); // executed
    				if(_t40 < 0) {
    					do {
    						__eflags = E01041E70(__eflags, 0);
    					} while (__eflags == 0);
    					exit(1);
    					L14:
    					_t42 =  &_v540;
    					L2:
    					GetModuleFileNameW(0, _t42, _v12);
    					if(E0103EC2E(L"PATH") == 0) {
    						E0103A976(L"PATH", 0x10320b8);
    					}
    					if(E0103EC2E(L"PATHEXT") == 0) {
    						E0103A976(L"PATHEXT", L".COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC");
    					}
    					_t101 = L"PROMPT";
    					if(E0103EC2E(L"PROMPT") == 0) {
    						E0103A976(L"PROMPT", L"$P$G");
    					}
    					if(E0103EC2E(L"COMSPEC") == 0) {
    						_t71 = _v20;
    						__eflags = _v20;
    						if(_v20 == 0) {
    							_t71 =  &_v540;
    						}
    						_t88 = 0x2e;
    						_t51 = E0103A62F(_t71, _t88);
    						__eflags = _t51;
    						if(_t51 != 0) {
    							L35:
    							_t89 = _v20;
    							__eflags = _v20;
    							if(_v20 == 0) {
    								_t89 =  &_v540;
    							}
    							E0103A976(L"COMSPEC", _t89);
    							goto L6;
    						} else {
    							__imp___wcsupr(L"CMD.EXE");
    							_t81 = _v20;
    							_t103 = _t81;
    							__eflags = _t81;
    							if(_t81 == 0) {
    								_t103 =  &_v540;
    							}
    							_t92 = _t103 + 2;
    							do {
    								_t57 =  *_t103;
    								_t103 = _t103 + 2;
    								__eflags = _t57;
    							} while (_t57 != 0);
    							_t101 = _t103 - _t92 >> 1;
    							_push(_t95);
    							_t96 = _t81;
    							__eflags = _t81;
    							if(_t81 == 0) {
    								_t96 =  &_v540;
    								_t81 = _t96;
    							}
    							_t93 = 0x5c;
    							_t58 = E010401F5(_t81, _t93);
    							_t82 = _t96 - 2;
    							__eflags = _t82 + _t101 * 2 - _t58;
    							_t84 = _v20;
    							_pop(_t95);
    							if(_t82 + _t101 * 2 == _t58) {
    								__eflags = _t84;
    								if(_t84 == 0) {
    									_t84 =  &_v540;
    								}
    								_push(L"CMD.EXE");
    							} else {
    								__eflags = _t84;
    								if(_t84 == 0) {
    									_t84 =  &_v540;
    								}
    								_push(L"\\CMD.EXE");
    							}
    							E0103FC40(_t84, _v12);
    							goto L35;
    						}
    					} else {
    						L6:
    						_t53 = E0103EC2E(L"KEYS");
    						if(_t53 != 0) {
    							__imp___wcsicmp(_t53, L"ON");
    							__eflags = _t53;
    							if(__eflags == 0) {
    								 *0x1079518 = 1;
    							}
    						}
    						_t76 =  *0x1078df8;
    						_t116 =  *0x1078df8;
    						if( *0x1078df8 == 0) {
    							_t76 = 0x1078bf0;
    						}
    						E01038BC7(0, _t76, 1, _t95, _t101, _t116); // executed
    						_t55 = _v20;
    						_v20 = 0;
    						_pop(_t102);
    						_pop(_t62);
    						if(_t55 != 0) {
    							__imp__??_V@YAXPAX@Z(_t55);
    						}
    						return E01046B30(_t55, _t62, _v8 ^ _t105, 1, _t95, _t102);
    					}
    				}
    				_t42 = _v20;
    				if(_t42 == 0) {
    					goto L14;
    				}
    				goto L2;
    			}
































    APIs
    • memset.MSVCRT ref: 0104011A
      • Part of subcall function 0103E3F0: memset.MSVCRT ref: 0103E455
    • GetModuleFileNameW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,?,?,-00000001,?,?,00000000), ref: 01040156
      • Part of subcall function 0103EC2E: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,$P$G,00002000,?,01078BF0,00000000,?,?,01038F0D), ref: 0103EC51
      • Part of subcall function 0103EC2E: _wcsicmp.MSVCRT ref: 0103EC77
      • Part of subcall function 0103EC2E: _wcsicmp.MSVCRT ref: 0103EC8D
      • Part of subcall function 0103EC2E: _wcsicmp.MSVCRT ref: 0103ECA3
      • Part of subcall function 0103EC2E: _wcsicmp.MSVCRT ref: 0103ECB9
      • Part of subcall function 0103EC2E: _wcsicmp.MSVCRT ref: 0103ECCF
      • Part of subcall function 0103EC2E: _wcsicmp.MSVCRT ref: 0103ECE5
      • Part of subcall function 0103EC2E: _wcsicmp.MSVCRT ref: 0103ECF7
      • Part of subcall function 0103EC2E: _wcsicmp.MSVCRT ref: 0103ED0D
    • ??_V@YAXPAX@Z.MSVCRT ref: 010401DB
    • exit.MSVCRT ref: 0104E621
    • _wcsupr.MSVCRT ref: 0104E683
    • _wcsicmp.MSVCRT ref: 0104E71A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: _wcsicmp$memset$EnvironmentFileModuleNameVariable_wcsuprexit
    • String ID: $P$G$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$KEYS$PATH$PATHEXT$PROMPT$\CMD.EXE
    • API String ID: 2336066422-4197029667
    • Opcode ID: 79149c23e70c0c262d6da9c9a7ae0549942fdfedc3291b9cccf0c078224f3928
    • Instruction ID: f5b625c84252473253b74c54b447d6881c0c8e1bd36a4b9ecf00a5b7888894ec
    • Opcode Fuzzy Hash: 79149c23e70c0c262d6da9c9a7ae0549942fdfedc3291b9cccf0c078224f3928
    • Instruction Fuzzy Hash: 7351E7B1F0021A8BDF68DA65CCD46FE77A9BFD4244F0445B9EAC2B7184EF3899418790
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph (figure omitted; legend: Executed, Not Executed)
    C-Code - Quality: 86%
    			E01038BC7(void* __ebx, intOrPtr* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
    				void* _t77;
    				void* _t84;
    				long _t86;
    				short _t88;
    				WCHAR* _t89;
    				WCHAR* _t90;
    				signed short* _t92;
    				short _t95;
    				int _t96;
    				WCHAR* _t98;
    				long _t99;
    				WCHAR* _t105;
    				WCHAR* _t108;
    				short _t109;
    				WCHAR* _t113;
    				long _t114;
    				WCHAR* _t116;
    				WCHAR* _t125;
    				signed int _t126;
    				void* _t131;
    				void* _t132;
    				short _t138;
    				WCHAR* _t146;
    				WCHAR* _t149;
    				WCHAR* _t157;
    				short* _t168;
    				WCHAR* _t170;
    				signed int _t172;
    				WCHAR* _t173;
    				WCHAR* _t179;
    				intOrPtr* _t181;
    				short _t183;
    				long _t184;
    				short* _t185;
    				WCHAR* _t186;
    				intOrPtr _t187;
    				void* _t188;
    
    				_push(0x240);
    				_push(0x105c9b0);
    				E01047D90(__ebx, __edi, __esi);
    				 *((intOrPtr*)(_t188 - 0x24c)) = __edx;
    				_t181 = __ecx;
    				_t77 = 0x5c;
    				if( *__ecx == _t77) {
    					if( *((intOrPtr*)(__ecx + 2)) != _t77) {
    						goto L1;
    					} else {
    						_t86 = 0x400023c9;
    					}
    				} else {
    					L1:
    					E01045A2E(_t188 - 0x244);
    					_t84 = E0103E3F0(((0 |  *((intOrPtr*)(_t188 - 0x38)) == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104); // executed
    					if(_t84 < 0) {
    						L77:
    						E010461E6(_t188 - 0x244);
    						goto L78;
    					} else {
    						_t179 = E0103ACB0(_t181);
    						 *(_t188 - 0x250) = _t179;
    						if(_t179 == 0) {
    							goto L77;
    						} else {
    							 *((intOrPtr*)(_t188 - 4)) = 0;
    							_t146 = _t179;
    							_t9 =  &(_t146[1]); // 0x2
    							_t168 = _t9;
    							do {
    								_t88 =  *_t146;
    								_t146 =  &(_t146[1]);
    							} while (_t88 != 0);
    							_t89 =  &(_t179[_t146 - _t168 >> 1]);
    							while(1) {
    								_t149 = _t89;
    								 *(_t188 - 0x248) = _t89;
    								if(_t149 <= _t179 ||  *((short*)(_t89 - 2)) != 0x20) {
    									break;
    								}
    								_t53 = _t149 - 2; // -2
    								_t89 = _t53;
    							}
    							 *_t89 = 0;
    							_t90 =  *(_t188 - 0x3c);
    							if(_t90 == 0) {
    								_t90 = _t188 - 0x244;
    							}
    							GetCurrentDirectoryW( *(_t188 - 0x34), _t90);
    							_t92 =  *(_t188 - 0x3c);
    							if(_t92 == 0) {
    								_t92 = _t188 - 0x244;
    							}
    							_t138 = towupper( *_t92 & 0x0000ffff);
    							_t95 = 0x3d;
    							 *((short*)(_t188 - 0x28)) = _t95;
    							_t96 = iswalpha( *_t179 & 0x0000ffff);
    							_t183 = 0x3a;
    							if(_t96 == 0 || _t179[1] != _t183) {
    								 *((short*)(_t188 - 0x26)) = _t138;
    							} else {
    								 *((short*)(_t188 - 0x26)) = towupper( *_t179 & 0x0000ffff);
    							}
    							 *((short*)(_t188 - 0x24)) = _t183;
    							 *((short*)(_t188 - 0x22)) = 0;
    							_t98 =  *(_t188 - 0x3c);
    							if(_t98 == 0) {
    								_t98 = _t188 - 0x244;
    							}
    							_t99 = GetFullPathNameW(_t179,  *(_t188 - 0x34), _t98, _t188 - 0x248);
    							if(_t99 == 0) {
    								L57:
    								_t184 = GetLastError();
    								goto L59;
    							} else {
    								if(_t99 >  *(_t188 - 0x34)) {
    									L60:
    									E010461E6(_t188 - 0x244);
    									_push(0xfffffffe);
    									_push(_t188 - 0x10);
    									_push(0x105e0b4);
    									L01047FAB();
    									_t86 = 0xce;
    								} else {
    									_t157 =  *(_t188 - 0x3c);
    									_t105 = _t157;
    									if(_t157 == 0) {
    										_t105 = _t188 - 0x244;
    									}
    									if( *_t105 == 0) {
    										L76:
    										E010461E6(_t188 - 0x244);
    										_push(0xfffffffe);
    										_push(_t188 - 0x10);
    										_push(0x105e0b4);
    										L01047FAB();
    										_push(3);
    										goto L79;
    									} else {
    										_t108 = _t157;
    										if(_t157 == 0) {
    											_t108 = _t188 - 0x244;
    										}
    										if(_t108[1] != _t183) {
    											goto L76;
    										} else {
    											_t170 = _t157;
    											if(_t157 == 0) {
    												_t170 = _t188 - 0x244;
    											}
    											_t185 =  &(_t170[1]);
    											do {
    												_t109 =  *_t170;
    												_t170 =  &(_t170[1]);
    											} while (_t109 !=  *((intOrPtr*)(_t188 - 4)));
    											_t172 = _t170 - _t185 >> 1;
    											if(_t157 == 0) {
    												_t157 = _t188 - 0x244;
    											}
    											_t173 =  &(_t157[_t172]);
    											while(1) {
    												_t186 = _t173;
    												 *(_t188 - 0x248) = _t173;
    												if(_t186 <= E01047D82(_t188 - 0x244) + 6) {
    													break;
    												}
    												_t132 = 0x5c;
    												if( *((intOrPtr*)(_t173 - 2)) == _t132) {
    													_t173 = _t186 - 2;
    													continue;
    												}
    												break;
    											}
    											 *_t173 = 0;
    											_t113 =  *(_t188 - 0x3c);
    											if(_t113 == 0) {
    												_t113 = _t188 - 0x244;
    											}
    											_t114 = GetFileAttributesW(_t113); // executed
    											if(_t114 == 0xffffffff) {
    												_t184 = GetLastError();
    												if(_t184 == 2 || _t184 == 3) {
    													goto L29;
    												} else {
    													if(_t184 != 0x7b) {
    														goto L59;
    													} else {
    														goto L29;
    													}
    												}
    											} else {
    												L29:
    												if( *0x1066755 == 0) {
    													L32:
    													_t187 =  *((intOrPtr*)(_t188 - 0x24c));
    													if(_t187 == 2) {
    														L36:
    														if(_t187 == 0 || _t187 == 1 && _t138 ==  *((intOrPtr*)(_t188 - 0x26))) {
    															_t116 =  *(_t188 - 0x3c);
    															if(_t116 == 0) {
    																_t116 = _t188 - 0x244;
    															}
    															if(SetCurrentDirectoryW(_t116) == 0) {
    																goto L57;
    															} else {
    																goto L41;
    															}
    														} else {
    															L41:
    															_t174 =  *(_t188 - 0x3c);
    															if( *(_t188 - 0x3c) == 0) {
    																_t174 = _t188 - 0x244;
    															}
    															if(E0103A976(_t188 - 0x28, _t174) != 0) {
    																E010461E6(_t188 - 0x244);
    																_push(0xfffffffe);
    																_push(_t188 - 0x10);
    																_push(0x105e0b4);
    																L01047FAB();
    																L78:
    																_push(8);
    																L79:
    																_pop(_t86);
    															} else {
    																_t162 =  *0x1078df8;
    																if( *0x1078df8 == 0) {
    																	_t162 = 0x1078bf0;
    																}
    																E01038E9E(_t138, _t162,  *0x1078e00, 0);
    																 *((intOrPtr*)(_t188 - 4)) = 0xfffffffe;
    																E01038E7F(_t179);
    																E010461E6(_t188 - 0x244);
    																_t86 = 0;
    															}
    														}
    													} else {
    														_t125 =  *(_t188 - 0x3c);
    														if(_t125 == 0) {
    															_t125 = _t188 - 0x244;
    														}
    														_t126 = GetFileAttributesW(_t125); // executed
    														if(_t126 == 0xffffffff) {
    															_t184 = GetLastError();
    															if(_t184 == 2) {
    																_t184 = 3;
    															}
    															L59:
    															E010461E6(_t188 - 0x244);
    															_push(0xfffffffe);
    															_push(_t188 - 0x10);
    															_push(0x105e0b4);
    															L01047FAB();
    															_t86 = _t184;
    														} else {
    															if((_t126 & 0x00000410) == 0) {
    																E010461E6(_t188 - 0x244);
    																_push(0xfffffffe);
    																_push(_t188 - 0x10);
    																_push(0x105e0b4);
    																L01047FAB();
    																_t86 = 0x10b;
    															} else {
    																goto L36;
    															}
    														}
    													}
    												} else {
    													_t165 =  *(_t188 - 0x3c);
    													if( *(_t188 - 0x3c) == 0) {
    														_t165 = _t188 - 0x244;
    													}
    													_t131 = E01040207(_t165,  *(_t188 - 0x34), 0); // executed
    													if(_t131 == 0) {
    														goto L60;
    													} else {
    														goto L32;
    													}
    												}
    											}
    										}
    									}
    								}
    							}
    						}
    					}
    				}
    				 *[fs:0x0] =  *((intOrPtr*)(_t188 - 0x10));
    				return _t86;
    			}









































    APIs
      • Part of subcall function 01045A2E: memset.MSVCRT ref: 01045A5A
      • Part of subcall function 0103E3F0: memset.MSVCRT ref: 0103E455
    • GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,-00000105,0105C9B0,00000240,01041E92,00000000,00000000,0104ACE0,00000000,00000000,?,00000104,?), ref: 01038C7A
    • towupper.MSVCRT ref: 01038C8F
    • iswalpha.MSVCRT ref: 01038CA4
    • towupper.MSVCRT ref: 01038CC4
    • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,?), ref: 01038CF0
    • GetFileAttributesW.KERNELBASE(?), ref: 01038D93
    • GetFileAttributesW.KERNELBASE(?), ref: 01038DE0
    • SetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?), ref: 01038E11
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0104B6AB
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: AttributesCurrentDirectoryFilememsettowupper$ErrorFullLastNamePathiswalpha
    • String ID:
    • API String ID: 1133067188-0
    • Opcode ID: 9cfaf2a148f0951edd155ca797e96f607cfc70857808ae65cde1e32635c432c9
    • Instruction ID: 4a91ae5c4c84da5a201426d16613d82c71527ae5a468450380e21e93be38d98e
    • Opcode Fuzzy Hash: 9cfaf2a148f0951edd155ca797e96f607cfc70857808ae65cde1e32635c432c9
    • Instruction Fuzzy Hash: 39B1A771A001158BDB68EF68D985BFDB7B8EF54300F1486EAE5DAE7190EB34DA40CB50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 1133 103e310-103e341 _get_osfhandle SetConsoleMode _get_osfhandle GetConsoleMode 1134 103e343-103e355 1133->1134 1135 103e357-103e370 _get_osfhandle GetConsoleMode 1133->1135 1134->1135 1136 103e3bc-103e3d9 _get_osfhandle SetConsoleMode 1134->1136 1137 103e372-103e37f 1135->1137 1138 103e3bb 1135->1138 1136->1135 1141 103e3df-104dc17 1136->1141 1139 103e381-103e39a _get_osfhandle SetConsoleMode 1137->1139 1140 103e3a0-103e3a9 1137->1140 1139->1140 1142 103e3ab-103e3b8 1140->1142 1143 103e3ba 1140->1143 1141->1135 1145 104dc1d-104dc45 _get_osfhandle SetConsoleMode 1141->1145 1142->1143 1143->1138 1145->1135
    C-Code - Quality: 28%
    			E0103E310(void* __eax) {
    				void* _t3;
    				void* _t4;
    				int _t5;
    				void* _t7;
    				void* _t12;
    				signed int _t13;
    				signed int _t16;
    				signed int _t17;
    				signed int _t18;
    				signed int _t19;
    				intOrPtr* _t21;
    				void* _t23;
    				void* _t25;
    
    				__imp___get_osfhandle( *0x10625ac);
    				_t3 = SetConsoleMode(__eax, 1); // executed
    				__imp___get_osfhandle(0x10625ac);
    				_t25 = _t23 + 8;
    				_t4 = GetConsoleMode(_t3, 1); // executed
    				if(_t4 == 0) {
    					L2:
    					__imp___get_osfhandle(0x10625b0);
    					_t5 = GetConsoleMode(_t4, 0); // executed
    					if(_t5 == 0) {
    						return _t5;
    					}
    					_t13 =  *0x10625b0;
    					_t7 = _t13 & 0x00000017;
    					if(_t7 != 7) {
    						_t16 = _t13 & 0xffffffef | 0x00000007;
    						 *0x10625b0 = _t16;
    						__imp___get_osfhandle(_t16);
    						_t7 = SetConsoleMode(_t7, 0); // executed
    					}
    					_t21 =  *0x10625b4;
    					if(_t21 != 0) {
    						 *0x107a4c4(L"CMD.EXE");
    						_t7 =  *_t21();
    					}
    					return _t7;
    				}
    				_t17 =  *0x105e0e0; // 0x7
    				_t18 =  *0x10625ac;
    				_t4 = _t17 & _t18;
    				if(_t4 != _t17) {
    					_t19 = _t18 | _t17;
    					 *0x10625ac = _t19;
    					__imp___get_osfhandle(_t19);
    					_t25 = _t25 + 4;
    					_t4 = SetConsoleMode(_t4, 1); // executed
    					if(_t4 != 0) {
    						goto L2;
    					}
    					_t4 =  *0x105e0e0; // 0x7
    					if((_t4 & 0x00000004) != 0) {
    						 *0x105e0e0 = _t4 & 0xfffffffb;
    						_t12 =  *0x10625ac & 0xfffffffb;
    						 *0x10625ac = _t12;
    						__imp___get_osfhandle(_t12);
    						_t25 = _t25 + 4;
    						_t4 = SetConsoleMode(_t12, 1);
    					}
    				}
    				goto L2;
    			}

    APIs
    • _get_osfhandle.MSVCRT ref: 0103E318
    • SetConsoleMode.KERNELBASE(00000000), ref: 0103E322
    • _get_osfhandle.MSVCRT ref: 0103E32F
    • GetConsoleMode.KERNELBASE(00000000), ref: 0103E339
    • _get_osfhandle.MSVCRT ref: 0103E35E
    • GetConsoleMode.KERNELBASE(00000000), ref: 0103E368
    • _get_osfhandle.MSVCRT ref: 0103E390
    • SetConsoleMode.KERNELBASE(00000000), ref: 0103E39A
    • _get_osfhandle.MSVCRT ref: 0103E3C7
    • SetConsoleMode.KERNELBASE(00000000), ref: 0103E3D1
    • _get_osfhandle.MSVCRT ref: 0104DC35
    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 0104DC3F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: ConsoleMode_get_osfhandle
    • String ID: CMD.EXE
    • API String ID: 1606018815-3025314500
    • Opcode ID: 8e638aa9f5d7a3cca4363209d7b1f638ef7f1a813fb6ae174db1eb93f2bc1477
    • Instruction ID: 16c79016ce214080f8bc1b382e2e2db9ff3c9900d1a8bc9070650a6305e13dcc
    • Opcode Fuzzy Hash: 8e638aa9f5d7a3cca4363209d7b1f638ef7f1a813fb6ae174db1eb93f2bc1477
    • Instruction Fuzzy Hash: 23214FB0B002009BE7345B38EC1EB5E3A58AB80716B088A28F5C7E72D9DB7FD5148B51
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 1147 1037e93-1037ebb 1148 1037ec1-1037edc FormatMessageW 1147->1148 1149 104afc2-104b00a _ultoa GetACP call 103e248 MultiByteToWideChar 1147->1149 1148->1149 1150 1037ee2-1037ee9 1148->1150 1155 104b011-104b029 1149->1155 1156 104b00c 1149->1156 1152 1037eea-1037ef5 call 103a62f 1150->1152 1158 1037f31-1037f3e 1152->1158 1159 1037ef7-1037efd 1152->1159 1156->1155 1162 104af36-104af39 1158->1162 1163 1037f44-1037f45 1158->1163 1160 1037f03-1037f1e FormatMessageW 1159->1160 1161 104af47-104af60 GetProcessHeap HeapAlloc 1159->1161 1166 1037f20-1037f2e call 1046b30 1160->1166 1165 104af66-104af6a 1161->1165 1161->1166 1162->1152 1164 104af3f-104af42 1162->1164 1163->1152 1164->1152 1167 104af90-104afb7 FormatMessageW GetProcessHeap RtlFreeHeap 1165->1167 1168 104af6c-104af6f 1165->1168 1167->1149 1170 104af72-104af74 1168->1170 1172 104af76-104af7e 1170->1172 1173 104af80 1170->1173 1174 104af85-104af8b 1172->1174 1173->1174 1174->1170 1175 104af8d 1174->1175 1175->1167
    C-Code - Quality: 43%
    			E01037E93(long __ecx, intOrPtr _a4, void* _a8) {
    				signed int _v8;
    				char _v40;
    				short _v104;
    				void* _v108;
    				long _v112;
    				char* _v116;
    				char _v120;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t22;
    				signed int _t28;
    				char* _t33;
    				long _t38;
    				void* _t39;
    				char* _t47;
    				intOrPtr _t50;
    				WCHAR* _t55;
    				void* _t56;
    				signed int _t57;
    				signed int _t59;
    				long _t60;
    				void* _t61;
    				int _t62;
    				signed int _t63;
    
    				_t22 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t22 ^ _t63;
    				_t49 = _a8;
    				_t60 = __ecx;
    				_v108 = _a8;
    				_t62 = 0;
    				_v112 = __ecx;
    				if(__ecx == 0x13d) {
    					L22:
    					__imp___ultoa(_t60,  &_v40, 0x10);
    					_t28 = E0103E248(GetACP());
    					asm("sbb eax, eax");
    					MultiByteToWideChar(_t62,  ~( ~_t28),  &_v40, 0xffffffff,  &_v104, 0x20);
    					_v120 =  &_v104;
    					_t33 = L"Application";
    					if(_t60 < 0x2328) {
    						_t33 = L"System";
    					}
    					_v116 = _t33;
    					_push( &_v120);
    					_push(0x2000);
    					_push(0x1070af0);
    					_push(_t62);
    					_push(0x13d);
    					_push(_t62);
    					_push(0x3000);
    					L6:
    					_t62 = FormatMessageW();
    					L7:
    					_t36 = _t62;
    					L8:
    					return E01046B30(_t36, _t49, _v8 ^ _t63, _t58, _t60, _t62);
    				}
    				_t38 = FormatMessageW(0x1a00, 0, __ecx, 0, 0x1070af0, 0x2000, 0); // executed
    				if(_t38 == 0) {
    					goto L22;
    				} else {
    					_t55 = 0x1070af0;
    					_t50 = 0x25;
    					while(1) {
    						_t58 = _t50;
    						_t39 = E0103A62F(_t55, _t50);
    						_t56 = _t39;
    						if(_t56 == 0) {
    							break;
    						}
    						_t55 = _t56 + 2;
    						_t59 =  *_t55 & 0x0000ffff;
    						if(_t59 - 0x31 > 8) {
    							if(_t59 == _t50) {
    								_t55 =  &(_t55[1]);
    							}
    						} else {
    							_t62 = _t62 + 1;
    						}
    					}
    					_t49 = _v108;
    					if(_t62 > _a4) {
    						_t49 = HeapAlloc(GetProcessHeap(), 0, _t62 << 2);
    						if(_t49 == 0) {
    							goto L8;
    						}
    						_t57 = 0;
    						if(_t62 == 0) {
    							L21:
    							_t62 = FormatMessageW(0x3800, 0, _t60, 0, 0x1070af0, 0x2000, _t49);
    							RtlFreeHeap(GetProcessHeap(), 0, _t49);
    							goto L7;
    						}
    						_t58 = _a4;
    						_t61 = _v108;
    						do {
    							if(_t57 >= _t58) {
    								_t47 = " ";
    							} else {
    								 *_t61 =  *_t61 + 4;
    								_t47 =  *( *_t61 - 4);
    							}
    							 *(_t49 + _t57 * 4) = _t47;
    							_t57 = _t57 + 1;
    						} while (_t57 < _t62);
    						_t60 = _v112;
    						goto L21;
    					}
    					_push(_t49);
    					_push(0x2000);
    					_push(0x1070af0);
    					_push(_t39);
    					_push(_t60);
    					_push(_t39);
    					_push(0x1800);
    					goto L6;
    				}
    			}

    APIs
    • FormatMessageW.KERNELBASE(00001A00,00000000,00000000,00000000,01070AF0,00002000,00000000,00000000,00000000,00000000), ref: 01037ED4
      • Part of subcall function 0103A62F: wcschr.MSVCRT ref: 0103A635
    • FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001800,00000000,00000000,00000000,01070AF0,00002000,?), ref: 01037F16
    • _ultoa.MSVCRT ref: 0104AFC9
    • GetACP.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,000000FF,?,00000020), ref: 0104AFDE
    • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(00000000,00000000), ref: 0104AFF3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: FormatMessage$ByteCharMultiWide_ultoawcschr
    • String ID: Application$System
    • API String ID: 3538039442-3455788185
    • Opcode ID: afa248d6110626bf5074a69b033053d93a4c03b61a4cd94288c1dbca0f000416
    • Instruction ID: e2f3eae88cd2aa42ba297c8de96661bb68b6e961f2d294ffd18142df99bd1da3
    • Opcode Fuzzy Hash: afa248d6110626bf5074a69b033053d93a4c03b61a4cd94288c1dbca0f000416
    • Instruction Fuzzy Hash: 6041C3B1B40315EBEB209AA5DC89FAE7BADEB45751F140129F682EB2C0D674AD00C764
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 1323 10462c0-10462fc call 104643a 1326 1051ef3-1051efb RtlNtStatusToDosError SetLastError 1323->1326 1327 1046302-104630b 1323->1327 1328 1051f01-1051f03 1326->1328 1329 1051f51 1327->1329 1330 1046311-1046313 1327->1330 1331 1051fe1-1051fe3 1328->1331 1332 1051f09-1051f15 call 103ab7f 1328->1332 1334 1051f59-1051f73 GetConsoleTitleW 1329->1334 1330->1328 1333 1046319-104632d call 104640a 1330->1333 1341 10463c1-10463cb 1332->1341 1342 1051f1b-1051f1f 1332->1342 1338 1046332-104633b 1333->1338 1339 10463cd-10463cf 1334->1339 1340 1051f79-1051f90 wcsstr 1334->1340 1343 1051f40-1051f45 call 10378e4 1338->1343 1344 1046341-1046345 1338->1344 1345 10463d1-10463d3 call 103dc60 1339->1345 1346 10463d8-10463e0 1339->1346 1347 1051fc2-1051fd6 call 103fc40 1340->1347 1348 1051f92-1051f9e 1340->1348 1341->1339 1341->1346 1350 1051f22-1051f2b 1342->1350 1360 1051f4a-1051f4c 1343->1360 1351 1046348-1046351 1344->1351 1345->1346 1354 10463e2-10463e3 LocalFree 1346->1354 1355 10463e9-10463eb 1346->1355 1347->1339 1363 1051fdc 1347->1363 1356 1051fa0-1051fae wcsstr 1348->1356 1350->1350 1358 1051f2d-1051f37 1350->1358 1351->1351 1359 1046353-104635d 1351->1359 1354->1355 1355->1343 1361 10463f1-1046401 call 1046b30 1355->1361 1356->1356 1362 1051fb0-1051fbc 1356->1362 1364 10463b0-10463b2 1358->1364 1365 1051f3d-1051f3f 1358->1365 1359->1346 1366 104635f-1046373 call 103dcd0 1359->1366 1362->1347 1363->1331 1364->1341 1368 10463b4-10463bb SetConsoleTitleW 1364->1368 1365->1343 1366->1346 1372 1046375-104638f call 103f3a0 1366->1372 1368->1341 1372->1334 1375 1046395-1046399 1372->1375 1376 1046404-1046408 1375->1376 1377 104639b-10463ac call 103fc40 1375->1377 1376->1339 1377->1339 1380 10463ae 1377->1380 1380->1364
    C-Code - Quality: 77%
    			E010462C0(WCHAR* __ecx, signed int _a4) {
    				signed int _v12;
    				long _v536;
    				wchar_t* _v540;
    				wchar_t* _v544;
    				wchar_t* _v548;
    				signed int _v552;
    				WCHAR* _v556;
    				intOrPtr _v560;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t32;
    				long _t35;
    				void* _t38;
    				short _t47;
    				wchar_t* _t48;
    				intOrPtr _t49;
    				intOrPtr* _t50;
    				intOrPtr _t51;
    				signed int _t54;
    				WCHAR* _t55;
    				signed int _t62;
    				intOrPtr* _t63;
    				WCHAR* _t70;
    				intOrPtr _t77;
    				wchar_t* _t79;
    				WCHAR* _t80;
    				wchar_t* _t81;
    				signed int _t82;
    
    				_t65 = __ecx;
    				_t32 =  *0x105e0b4; // 0x6030efd1
    				_v12 = _t32 ^ _t82;
    				_t62 = _a4;
    				_t76 =  &_v544;
    				_v552 = _t62;
    				_v548 = 0;
    				_v540 = 0;
    				_t35 = E0104643A( &_v544); // executed
    				if(_t35 < 0) {
    					SetLastError(RtlNtStatusToDosError(_t35));
    					L23:
    					if(_t62 == 0) {
    						_t62 = 0;
    						_t80 = 0;
    						L12:
    						if(_t80 != 0) {
    							SetConsoleTitleW(_t80);
    							 *0x106675c = _t62;
    						}
    						L14:
    						_t77 = 0;
    						if(_v548 == 0) {
    							L17:
    							_t38 = _v540;
    							if(_t38 != 0) {
    								LocalFree(_t38);
    							}
    							if(_t77 != 0) {
    								L29:
    								_push(0);
    								_push(8); // executed
    								E010378E4(_t65); // executed
    								goto L20;
    							} else {
    								L20:
    								return E01046B30(_t77, _t62, _v12 ^ _t82, _t76, _t77, _t80);
    							}
    						}
    						L15:
    						if(_t80 != 0) {
    							_t65 = _t80;
    							E0103DC60(_t80);
    						}
    						goto L17;
    					}
    					_t65 =  *(_t62 + 0x3c);
    					_t80 = E0103AB7F( *(_t62 + 0x3c));
    					if(_t80 == 0) {
    						goto L14;
    					}
    					_t70 = _t80;
    					_t62 = 0;
    					_t21 =  &(_t70[1]); // 0x2
    					_t76 = _t21;
    					do {
    						_t47 =  *_t70;
    						_t70 =  &(_t70[1]);
    					} while (_t47 != 0);
    					_t65 = _t70 - _t76 >> 1;
    					if(_t70 - _t76 >> 1 < 0x104) {
    						goto L12;
    					}
    					_t77 = 1;
    					goto L29;
    				}
    				_t48 = _v544;
    				if(_t48 >= 3) {
    					_t48 = _t48 + 0xfffffff0;
    				}
    				if(_t48 != 0) {
    					goto L23;
    				} else {
    					_t49 = _t48 + 1;
    					_t77 = _t49;
    					_v548 = _t49;
    					_v560 = _t77;
    					_t50 = E0104640A(_t65); // executed
    					_v540 = _t50;
    					_t65 = 0x40002748;
    					if(_t50 == 0) {
    						goto L29;
    					} else {
    						_t63 = _t50;
    						_t76 = 0;
    						_t11 = _t63 + 2; // 0x2
    						_t65 = _t11;
    						do {
    							_t51 =  *_t63;
    							_t63 = _t63 + 2;
    						} while (_t51 != 0);
    						_t62 = _t63 - _t65 >> 1;
    						if(_t62 >= 0x104) {
    							goto L17;
    						}
    						_t65 = 0x208;
    						_t80 = E0103DCD0(0x208);
    						_v556 = _t80;
    						if(_t80 == 0) {
    							goto L17;
    						}
    						_t76 = 0x104;
    						_t65 = _t80;
    						E0103F3A0(_t80, 0x104, _v540);
    						_t54 = _v552;
    						if(_t54 == 0) {
    							_t55 =  &_v536;
    							_v544 = _t55;
    							if(GetConsoleTitleW(_t55, 0x104) == 0) {
    								goto L15;
    							}
    							if(wcsstr( &_v536, _v540) == 0) {
    								L36:
    								_t76 = 0x104;
    								_t65 = _t80;
    								if(E0103FC40(_t80, 0x104, _v544) != 0) {
    									goto L15;
    								}
    								L11:
    								_t62 = 0;
    								goto L12;
    							}
    							_t79 = _v540;
    							_t81 =  &_v536;
    							_t62 = _t62 + _t62;
    							do {
    								_t81 = _t81 + _t62;
    							} while (wcsstr(_t81, _t79) != 0);
    							_t77 = _v560;
    							_v544 = _t81;
    							_t80 = _v556;
    							goto L36;
    						}
    						if( *((intOrPtr*)(_t54 + 0x3c)) == 0) {
    							_t65 = 0;
    							_t77 = 0;
    							goto L15;
    						}
    						_t76 = 0x104;
    						_t65 = _t80;
    						if(E0103FC40(_t80, 0x104,  *((intOrPtr*)(_t54 + 0x3c))) != 0) {
    							goto L15;
    						}
    						goto L11;
    					}
    				}
    			}

    APIs
      • Part of subcall function 0104643A: NtOpenThreadToken.NTDLL(000000FE,00000008,00000000,00000000), ref: 01046454
      • Part of subcall function 0104643A: NtOpenProcessToken.NTDLL(000000FF,00000008,00000000), ref: 0104646C
      • Part of subcall function 0104643A: NtClose.NTDLL(00000000), ref: 010464BD
    • SetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(00000000), ref: 010463B5
    • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?), ref: 010463E3
    • RtlNtStatusToDosError.NTDLL ref: 01051EF4
    • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 01051EFB
    • GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(?,00000104,?,000000FF,00000002,00000000), ref: 01051F6B
    • wcsstr.MSVCRT ref: 01051F86
    • wcsstr.MSVCRT ref: 01051FA4
      • Part of subcall function 0104640A: FormatMessageW.KERNELBASE(00001900,00000000,?,00000000,?,00000000,?,?,?,?,01059C96,0104FDFA,00000000,?), ref: 0104642F
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: ConsoleErrorOpenTitleTokenwcsstr$CloseFormatFreeLastLocalMessageProcessStatusThread
    • String ID:
    • API String ID: 1313749407-0
    • Opcode ID: a839471a2dcc1a67aeeb293d9f0d13afade1c125f8b49533888f7ce36e3a7222
    • Instruction ID: aa76e288218708a5ed3b57daab670e1a11d92df625d3ca8341ff09af86f37c4e
    • Opcode Fuzzy Hash: a839471a2dcc1a67aeeb293d9f0d13afade1c125f8b49533888f7ce36e3a7222
    • Instruction Fuzzy Hash: 22511771A0021A8BDFA09F689CC47EE77E5AB55310F0440F9EE85E7240EB75DD818B50
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 1381 1046903-104691d call 10471a8 1384 104691f-104692e 1381->1384 1385 1046930-1046932 1384->1385 1386 1046948-104694a 1384->1386 1387 1046934-1046939 1385->1387 1388 104693b-1046946 Sleep 1385->1388 1389 104694b-1046951 1386->1389 1387->1389 1388->1384 1390 1046953-104695b _amsg_exit 1389->1390 1391 104695d-1046963 1389->1391 1394 1046997-104699d 1390->1394 1392 1046965-1046975 call 1046a7c 1391->1392 1393 1046991 1391->1393 1398 104697a-104697e 1392->1398 1393->1394 1396 104699f-10469b0 _initterm 1394->1396 1397 10469ba-10469bc 1394->1397 1396->1397 1399 10469c7-10469ce 1397->1399 1400 10469be-10469c5 1397->1400 1398->1394 1401 1046980-104698c 1398->1401 1402 10469d0-10469dd call 1047000 1399->1402 1403 10469f3-1046a05 call 10409b1 1399->1403 1400->1399 1405 1046a6c-1046a7b 1401->1405 1402->1403 1411 10469df-10469f1 1402->1411 1407 1046a0a-1046a19 1403->1407 1409 1046a51-1046a58 1407->1409 1410 1046a1b-1046a35 exit _XcptFilter 1407->1410 1412 1046a65 1409->1412 1413 1046a5a-1046a60 _cexit 1409->1413 1411->1403 1412->1405 1413->1412
    C-Code - Quality: 39%
    			E01046903() {
    				int _t11;
    				intOrPtr _t13;
    				void* _t16;
    				intOrPtr* _t22;
    				void* _t34;
    				int _t35;
    				void* _t37;
    				intOrPtr _t38;
    				int _t40;
    				intOrPtr* _t42;
    				void* _t44;
    				void* _t52;
    				void* _t53;
    
    				_push(0xc);
    				_push(0x105ca98);
    				E010471A8(_t16, _t34, _t37);
    				 *((intOrPtr*)(_t44 - 4)) = 0;
    				_t38 =  *((intOrPtr*)( *[fs:0x18] + 4));
    				_t35 = 0;
    				while(1) {
    					_t11 = 0;
    					asm("lock cmpxchg [edx], ecx");
    					if(0 == 0) {
    						break;
    					}
    					if(0 != _t38) {
    						Sleep(0x3e8);
    						continue;
    					} else {
    						_t40 = 1;
    						_t35 = 1;
    					}
    					L6:
    					_t52 =  *0x105e528 - _t40; // 0x2
    					if(_t52 != 0) {
    						__eflags =  *0x105e528; // 0x2
    						if(__eflags != 0) {
    							 *0x105e19c = _t40;
    							goto L12;
    						} else {
    							 *0x105e528 = _t40;
    							_t11 = E01046A7C(0x1031c98, 0x1031ca4); // executed
    							__eflags = _t11;
    							if(__eflags == 0) {
    								goto L12;
    							} else {
    								 *((intOrPtr*)(_t44 - 4)) = 0xfffffffe;
    								_t11 = 0xff;
    								goto L24;
    							}
    						}
    					} else {
    						_push(0x1f);
    						L01046F7E();
    						L12:
    						_t53 =  *0x105e528 - _t40; // 0x2
    						if(_t53 == 0) {
    							_push(0x1031c94);
    							_push(0x1031c6c);
    							L010471A0();
    							 *0x105e528 = 2;
    						}
    						if(_t35 == 0) {
    							_t11 =  *0x105e524;
    							 *0x105e524 = 0;
    						}
    						_t56 =  *0x105e534;
    						if( *0x105e534 != 0) {
    							_t11 = E01047000(_t56, 0x105e534);
    							if(_t11 != 0) {
    								_t42 =  *0x105e534; // 0x0
    								 *0x107a4c4(0, 2, 0);
    								_t11 =  *_t42();
    							}
    						}
    						_push( *0x105e1a8);
    						_push( *0x105e1a4);
    						_push( *0x105e1a0); // executed
    						E010409B1(); // executed
    						 *0x105e198 = _t11;
    						if( *0x105e1b0 != 0) {
    							__eflags =  *0x105e19c;
    							if( *0x105e19c == 0) {
    								__imp___cexit();
    								_t11 =  *0x105e198; // 0x0
    							}
    							 *((intOrPtr*)(_t44 - 4)) = 0xfffffffe;
    							L24:
    							 *[fs:0x0] =  *((intOrPtr*)(_t44 - 0x10));
    							return _t11;
    						} else {
    							exit(_t11);
    							_t22 =  *((intOrPtr*)(_t44 - 0x14));
    							_t13 =  *((intOrPtr*)( *_t22));
    							 *((intOrPtr*)(_t44 - 0x1c)) = _t13;
    							_push(_t22);
    							_push(_t13);
    							L01046ECE();
    							return _t13;
    						}
    					}
    				}
    				_t40 = 1;
    				__eflags = 1;
    				goto L6;
    			}

    APIs
    • Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0(000003E8,0105CA98,0000000C), ref: 01046940
    • _amsg_exit.MSVCRT ref: 01046955
    • _initterm.MSVCRT ref: 010469A9
    • __IsNonwritableInCurrentImage.LIBCMT ref: 010469D5
    • exit.MSVCRT ref: 01046A1C
    • _XcptFilter.MSVCRT ref: 01046A2E
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: CurrentFilterImageNonwritableSleepXcpt_amsg_exit_inittermexit
    • String ID:
    • API String ID: 796493780-0
    • Opcode ID: e0ac6276e164ea750c475517c4ea0b726914d7af877ffba3c47b41f11953b8ae
    • Instruction ID: de5957ac9026077bcfec27622b2340bcf201c705a2de0c2010cb09029d1a2377
    • Opcode Fuzzy Hash: e0ac6276e164ea750c475517c4ea0b726914d7af877ffba3c47b41f11953b8ae
    • Instruction Fuzzy Hash: 4931E5F9604311CFEB729F59E8856AAB7A4E749724F10007DE6C197284FB7B5A40CB44
    Uniqueness

    Uniqueness Score: -1.00%

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 1415 103e2af-103e2ba 1416 103e2ca-103e2d2 1415->1416 1417 103e2bc-103e2c9 SetThreadUILanguage 1415->1417 1418 103e2d4-103e2ed GetModuleHandleW 1416->1418 1419 103e2ef-103e2f1 1416->1419 1418->1419 1421 103e307-103e309 1418->1421 1419->1421 1422 103e2f3-103e301 GetProcAddress 1419->1422 1421->1417 1423 103e30b-104dc0f SetThreadLocale 1421->1423 1422->1421
    C-Code - Quality: 50%
    			E0103E2AF() {
    				struct HINSTANCE__* _t1;
    				void* _t3;
    				intOrPtr* _t7;
    
    				_t7 =  *0x1066730;
    				if(_t7 == 0) {
    					_t1 =  *0x105e0c8; // 0x75130000
    					if(_t1 != 0xffffffff) {
    						L4:
    						if(_t1 != 0) {
    							_t7 = GetProcAddress(_t1, "SetThreadUILanguage");
    							 *0x1066730 = _t7;
    						}
    					} else {
    						_t1 = GetModuleHandleW(L"KERNEL32.DLL");
    						_t7 =  *0x1066730;
    						 *0x105e0c8 = _t1;
    						if(_t1 != 0xffffffff) {
    							goto L4;
    						}
    					}
    					if(_t7 != 0) {
    						goto L1;
    					} else {
    						return SetThreadLocale(0x409);
    					}
    				} else {
    					L1:
    					 *0x107a4c4(0); // executed
    					_t3 =  *_t7(); // executed
    					return _t3;
    				}
    			}

    APIs
    • SetThreadUILanguage.KERNELBASE ref: 0103E2C6
    • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(KERNEL32.DLL,00000000,0103B952), ref: 0103E2D9
    • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(75130000,SetThreadUILanguage,00000000,0103B952), ref: 0103E2F9
    • SetThreadLocale.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000409,00000000,0103B952), ref: 0104DC08
    Strings
    Similarity
    • API ID: Thread$AddressHandleLanguageLocaleModuleProc
    • String ID: KERNEL32.DLL$SetThreadUILanguage
    • API String ID: 1264603166-2530943252
    • Opcode ID: 14d8de7efdb6427e65f545ff4f97533b038cf07a2127ed82e57fea1415056939
    • Instruction ID: b58c468aa453bdead0dd4641ee9c6f0a17c0e8815f729fe27f94bbef7ceb1458
    • Opcode Fuzzy Hash: 14d8de7efdb6427e65f545ff4f97533b038cf07a2127ed82e57fea1415056939
    • Instruction Fuzzy Hash: 38F09A31A00220CBEB715A28F90C65D3A98BB84A71B190380F9D6F32C8D73E9C418BE0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 20%
    			E0103998D(long __ecx, DWORD* __edx) {
    				void _v8;
    				void* _t4;
    				long _t5;
    				void* _t6;
    				int _t8;
    				int _t21;
    				long _t43;
    
    				_push(__ecx);
    				_t40 = __edx;
    				_t43 = 0;
    				if(__edx <= 0) {
    					L5:
    					_t5 = _t43;
    					L6:
    					return _t5;
    				}
    				_t6 = E01039A11(_t4); // executed
    				if(_t6 != 0) {
    					__imp__AcquireSRWLockShared(0x1078e04);
    					_t7 =  &_v8;
    					__imp___get_osfhandle(0);
    					_t8 = WriteConsoleW( &_v8, 1, __ecx, __edx, _t7); // executed
    					_t21 = _t8;
    					if(_t21 == 0) {
    						_t43 = GetLastError();
    					}
    					__imp__ReleaseSRWLockShared(0x1078e04);
    				} else {
    					_t40 = __edx + __edx;
    					_t21 = E01039B3B( &_v8, __ecx, _t40,  &_v8);
    				}
    				if(_t21 == 0 || _v8 != _t40) {
    					_t43 = GetLastError();
    					if(_t43 == 0) {
    						_t43 = 0x70;
    					}
    					if(E0103DD98(_t10) == 0) {
    						if(E01059FCF(_t11, 1) == 0) {
    							E01059EDB(_t43);
    						} else {
    							_push(0);
    							_push(0x2364);
    							E010378E4(1);
    						}
    						_t5 = 1;
    						goto L6;
    					} else {
    						_push(0);
    						_push(0x1d);
    						E010378E4(1);
    						goto L5;
    					}
    				} else {
    					goto L5;
    				}
    			}

    APIs
      • Part of subcall function 01039A11: _get_osfhandle.MSVCRT ref: 01039A1C
      • Part of subcall function 01039A11: GetFileType.KERNELBASE(00000000,0103793A,00000104,?), ref: 01039A2B
      • Part of subcall function 01039A11: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,?,?,?,?,?,?,?,?,01037908,00002374,-00000001), ref: 01039A47
      • Part of subcall function 01039A11: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01078E04,00000002,?,?,?,?,?,?,?,?,?,?,?,?,01037908,00002374), ref: 01039A56
      • Part of subcall function 01039A11: GetConsoleMode.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,01037908,00002374), ref: 01039A61
      • Part of subcall function 01039A11: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01078E04,?,?,?,?,?,?,?,?,?,?,?,?,01037908,00002374,-00000001), ref: 01039A6A
    • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01078E04,?,?,?,01070AF0,00000002,?,?,0104A669,%s %s ,?,?,00000000), ref: 010399DC
    • _get_osfhandle.MSVCRT ref: 010399EC
    • WriteConsoleW.KERNELBASE(00000000,0104A669,%s %s ,?,?,00000000), ref: 010399F4
    • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01078E04), ref: 01039A09
      • Part of subcall function 01039B3B: _get_osfhandle.MSVCRT ref: 01039B4E
      • Part of subcall function 01039B3B: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,01070AF0,000000FF,0106A7F0,00002000,00000000,00000000), ref: 01039B8E
      • Part of subcall function 01039B3B: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,0106A7F0,-00000001,?,00000000), ref: 01039BA3
    Similarity
    • API ID: LockShared$_get_osfhandle$AcquireConsoleFileReleaseWrite$ByteCharHandleModeMultiTypeWide
    • String ID:
    • API String ID: 4057327938-0
    • Opcode ID: 33b159f0bc70455419355ebf99b87eea9dd7ea04af43391599dc5fe880734fc5
    • Instruction ID: 1b1931dabc35e004b7058f1b3771e257c9263817b550edf902eb38b467d8884f
    • Opcode Fuzzy Hash: 33b159f0bc70455419355ebf99b87eea9dd7ea04af43391599dc5fe880734fc5
    • Instruction Fuzzy Hash: 36210572740303ABE7356AAD59C9B6F229C9BC1759F14007FFAC6D6180EEA5CC0082A0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _get_osfhandle.MSVCRT ref: 0103DDA3
    • GetFileType.KERNELBASE(00000000,0104C050), ref: 0103DDAD
    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6), ref: 0103DDD6
    • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01078E04,00000001), ref: 0103DDE5
    • GetConsoleMode.KERNELBASE(00000000,?), ref: 0103DDF0
    • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01078E04), ref: 0103DDF9
    Similarity
    • API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
    • String ID:
    • API String ID: 513048808-0
    • Opcode ID: 8b251cd84f9c81b8f56f360fdc40e2ee959a0ca65365f1e97e74d8fd44226ec2
    • Instruction ID: 17a75b4b877ffb40d37b360d7e9d433e69de39da45cf2e44a70ecda4adc586e3
    • Opcode Fuzzy Hash: 8b251cd84f9c81b8f56f360fdc40e2ee959a0ca65365f1e97e74d8fd44226ec2
    • Instruction Fuzzy Hash: 8711E033D14214EBE72266ECD94C72E7AECFB86325F580666E8D1E3094DA3E4901CB90
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • _get_osfhandle.MSVCRT ref: 01039A1C
    • GetFileType.KERNELBASE(00000000,0103793A,00000104,?), ref: 01039A2B
    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,?,?,?,?,?,?,?,?,01037908,00002374,-00000001), ref: 01039A47
    • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01078E04,00000002,?,?,?,?,?,?,?,?,?,?,?,?,01037908,00002374), ref: 01039A56
    • GetConsoleMode.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,01037908,00002374), ref: 01039A61
    • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01078E04,?,?,?,?,?,?,?,?,?,?,?,?,01037908,00002374,-00000001), ref: 01039A6A
    Similarity
    • API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
    • String ID:
    • API String ID: 513048808-0
    • Opcode ID: 3255f1e0304f781c9c598e3da348b0ea7c46160cd9b2e8d1e3b710c4fc64cf90
    • Instruction ID: 5c128affc3a7b6ba0711ac59ebf2ce4b7c88aa3918f00ca7c7979a670795d846
    • Opcode Fuzzy Hash: 3255f1e0304f781c9c598e3da348b0ea7c46160cd9b2e8d1e3b710c4fc64cf90
    • Instruction Fuzzy Hash: 6D01A733D04820AB9E3246BD9C4D97E3A9CE6C6739B290755F8E6F31C4D9B58C0382D0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 72%
    			E010570D6(void* __eflags) {
    				signed int _v8;
    				char _v68;
    				void* _v72;
    				signed int _v76;
    				void* _v80;
    				void* _v84;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t21;
    				signed int _t28;
    				signed int _t30;
    				void _t31;
    				signed int _t36;
    				void* _t38;
    				short _t39;
    				short _t40;
    				signed int _t41;
    				signed int _t43;
    				signed int _t44;
    				void* _t46;
    				signed int _t47;
    				signed int _t49;
    				void* _t53;
    				signed int _t56;
    				short* _t57;
    				signed int _t58;
    				void* _t59;
    				void* _t60;
    				signed int _t61;
    				signed int _t65;
    				void* _t66;
    				signed int _t70;
    
    				_t21 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t21 ^ _t70;
    				_t49 = 0xe;
    				_t67 = "Copyright (c) Microsoft Corporation. All rights reserved.";
    				memcpy( &_v68, "Copyright (c) Microsoft Corporation. All rights reserved.", _t49 << 2);
    				asm("movsw");
    				_t65 = 0;
    				_t47 = 0;
    				if(E0104728F(0) == 0) {
    					if(RtlCreateUnicodeStringFromAsciiz( &_v84,  &_v68) == 0) {
    						goto L26;
    					} else {
    						_t67 = _v80;
    						_v72 = _t67;
    						goto L4;
    					}
    				} else {
    					_t46 =  *0x107d000(L"%WINDOWS_COPYRIGHT%"); // executed
    					_t67 = _t46;
    					_v72 = _t46;
    					L4:
    					if(_t67 == 0) {
    						L26:
    						_t28 = 0;
    					} else {
    						_t30 =  *_t67 & 0x0000ffff;
    						_t60 = _t67;
    						if(_t30 != 0) {
    							_t58 = _t30;
    							do {
    								if(_t58 == 0xae || _t58 == 0xa9) {
    									_t43 = 1;
    								} else {
    									_t43 = _t65;
    								}
    								_t60 = _t60 + 2;
    								_t47 = _t47 + _t43;
    								_t44 =  *_t60 & 0x0000ffff;
    								_t58 = _t44;
    							} while (_t44 != 0);
    							_t67 = _v72;
    						}
    						_t53 = _t67;
    						_t59 = _t53 + 2;
    						do {
    							_t31 =  *_t53;
    							_t53 = _t53 + 2;
    						} while (_t31 != _t65);
    						_t47 = GlobalAlloc(0x40, 2 + ((_t53 - _t59 >> 1) + _t47 * 2) * 2);
    						_v76 = _t47;
    						if(_t47 != 0) {
    							_t36 =  *_t67 & 0x0000ffff;
    							_t66 = _t67;
    							_t56 = _t47;
    							if(_t36 != 0) {
    								_t61 = _t36;
    								do {
    									if(_t61 == 0xae || _t61 == 0xa9) {
    										_t38 = 0x28;
    										 *_t56 = _t38;
    										_t39 = 0x63;
    										 *((short*)(_t56 + 2)) = _t39;
    										_t57 = _t56 + 4;
    										_t40 = 0x29;
    										 *_t57 = _t40;
    									} else {
    										 *_t56 = _t61;
    									}
    									_t66 = _t66 + 2;
    									_t56 = _t57 + 2;
    									_t41 =  *_t66 & 0x0000ffff;
    									_t61 = _t41;
    								} while (_t41 != 0);
    								_t67 = _v72;
    								_t47 = _v76;
    							}
    							_t65 = _t47;
    							 *_t56 = 0;
    						}
    						GlobalFree(_t67);
    						_t28 = _t65;
    					}
    				}
    				return E01046B30(_t28, _t47, _v8 ^ _t70, _t59, _t65, _t67);
    			}

    APIs
    • RtlCreateUnicodeStringFromAsciiz.NTDLL ref: 01057121
    • GlobalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000040,00000000), ref: 01057197
    • GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?), ref: 010571FF
    Strings
    • %WINDOWS_COPYRIGHT%, xrefs: 01057107
    • Copyright (c) Microsoft Corporation. All rights reserved., xrefs: 010570EE
    Similarity
    • API ID: Global$AllocAsciizCreateFreeFromStringUnicode
    • String ID: %WINDOWS_COPYRIGHT%$Copyright (c) Microsoft Corporation. All rights reserved.
    • API String ID: 1103618819-4062316587
    • Opcode ID: 639c814d28a47e265b2664aeecea7e92b7b92a2699347ca578527aec57a365df
    • Instruction ID: 56e45bad5f2163e3ebb93d6289e00a87ba1f4e10cc8e76652a1eb7914afc2b0b
    • Opcode Fuzzy Hash: 639c814d28a47e265b2664aeecea7e92b7b92a2699347ca578527aec57a365df
    • Instruction Fuzzy Hash: 5941F635B0021587DFA0CF6C88947BF77E6FF48740B9800A9ED81EB340EA659D42D354
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E01034D42() {
    				void* _v8;
    				int _v12;
    				int _v16;
    				char _v20;
    				long _t12;
    				long _t17;
    				int _t20;
    
    				_t20 = 4;
    				_v16 = _t20;
    				_t12 = RegOpenKeyExW(0x80000002, L"Software\\Microsoft\\Windows NT\\CurrentVersion", 0, 0x2000000,  &_v8); // executed
    				if(_t12 != 0) {
    					L5:
    					return 0;
    				}
    				_v12 = _t20;
    				_t17 = RegQueryValueExW(_v8, L"UBR", 0,  &_v12,  &_v20,  &_v16); // executed
    				RegCloseKey(_v8); // executed
    				if(_t17 != 0 || _v12 != _t20) {
    					goto L5;
    				} else {
    					return _v20;
    				}
    			}

    APIs
    • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,02000000,?), ref: 01034D66
    • RegQueryValueExW.ADVAPI32(?,UBR,00000000,?,?,?), ref: 01034D8A
    • RegCloseKey.ADVAPI32(?), ref: 01034D95
    Strings
    • Software\Microsoft\Windows NT\CurrentVersion, xrefs: 01034D5C
    • UBR, xrefs: 01034D82
    Similarity
    • API ID: CloseOpenQueryValue
    • String ID: Software\Microsoft\Windows NT\CurrentVersion$UBR
    • API String ID: 3677997916-3870813718
    • Opcode ID: 0364a7839905062d3779750d406e835f655ad0fafeea508896f5336dea3ad139
    • Instruction ID: 1d96cf711acaad56074e658b40e2a49de3d36fb6b29344d7082815372bd1d787
    • Opcode Fuzzy Hash: 0364a7839905062d3779750d406e835f655ad0fafeea508896f5336dea3ad139
    • Instruction Fuzzy Hash: CB016D76E00218FBDB219A99DC49FDEBBBCEBC8700F140496EA41F6144D2719A01CB50
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E01041F1A() {
    				int _t3;
    				signed int _t6;
    				void* _t7;
    				void* _t8;
    				signed int _t10;
    				signed int _t13;
    				signed char* _t15;
    				void* _t17;
    				void* _t18;
    
    				_t3 = GetConsoleOutputCP(); // executed
    				 *0x10625a0 = _t3;
    				if(GetCPInfo(_t3, 0x106c9f0) == 0) {
    					_t6 = GetThreadLocale() & 0x000003ff;
    					if(_t6 != 0x11) {
    						if(_t6 == 4 || _t6 == 0x12) {
    							 *0x106c9f6 = 0xfe81;
    						} else {
    							 *0x106c9f6 = 0;
    						}
    					} else {
    						 *0x106c9f6 = 0xfce09f81;
    						 *0x106c9fa = 0;
    					}
    				}
    				_t7 = memset(0x1078af0, 0, 0x100);
    				_t18 = _t17 + 0xc;
    				if( *0x106c9f6 != 0) {
    					_t15 = 0x106c9f6;
    					while(1) {
    						_t8 = _t15[1];
    						if(_t8 == 0) {
    							break;
    						}
    						_t13 =  *_t15 & 0x000000ff;
    						_t10 = _t8 & 0x000000ff;
    						if(_t13 <= _t10) {
    							_t8 = memset(0x1078af0 + _t13, 1, _t10 - _t13 + 1);
    							_t18 = _t18 + 0xc;
    						}
    						_t15 =  &(_t15[2]);
    						if( *_t15 != 0) {
    							continue;
    						}
    						break;
    					}
    					return _t8;
    				} else {
    					return _t7;
    				}
    			}

    APIs
    • GetConsoleOutputCP.KERNELBASE(01040A41), ref: 01041F1A
    • GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0106C9F0), ref: 01041F2B
    • memset.MSVCRT ref: 01041F45
    • GetThreadLocale.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 0104F185
    • memset.MSVCRT ref: 0104F1FB
    Similarity
    • API ID: memset$ConsoleInfoLocaleOutputThread
    • String ID:
    • API String ID: 1263632223-0
    • Opcode ID: 6f03470d32bc6a993264c2cb32c4345d5bdded80af7b3cfeb58eed878e4ca2a8
    • Instruction ID: 4231db4df1f2c7ece11a179c259991b08790162cb580fa5006ab8e8bea7a2855
    • Opcode Fuzzy Hash: 6f03470d32bc6a993264c2cb32c4345d5bdded80af7b3cfeb58eed878e4ca2a8
    • Instruction Fuzzy Hash: 60114CF1D043435BFB315B1CE98D7693AD4A701300F08017EE9E2E6169D77D50828769
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0103A9D4() {
    				void* _t5;
    				int _t9;
    				void* _t12;
    				WCHAR* _t13;
    
    				_t13 = GetEnvironmentStringsW();
    				_t12 = 0;
    				if(_t13 != 0) {
    					_t9 = E0103AA20(_t13);
    					_t5 = RtlAllocateHeap(GetProcessHeap(), 8, _t9); // executed
    					_t12 = _t5;
    					if(_t12 != 0) {
    						memcpy(_t12, _t13, _t9);
    					}
    					FreeEnvironmentStringsW(_t13);
    				}
    				return _t12;
    			}

    APIs
    • GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,00000000,0103A9C5), ref: 0103A9D8
    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000000,00000000), ref: 0103A9F3
    • RtlAllocateHeap.NTDLL(00000000), ref: 0103A9FA
    • memcpy.MSVCRT ref: 0103AA09
    • FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000), ref: 0103AA12
    Similarity
    • API ID: EnvironmentHeapStrings$AllocateFreeProcessmemcpy
    • String ID:
    • API String ID: 429350006-0
    • Opcode ID: 9f6b2e3021e28affc3bc6be22548169da5b397810e537dfabaea24284a63ca41
    • Instruction ID: 3530571812bf422091355fc840dc0a5db2c04dadadbe777ad98ef871ed2f2d09
    • Opcode Fuzzy Hash: 9f6b2e3021e28affc3bc6be22548169da5b397810e537dfabaea24284a63ca41
    • Instruction Fuzzy Hash: 41E01277B01521A7E62126697D88DAF2A9DDBC55A2B090064F9C9E3244DF2A8C0747B1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 63%
    			E0103E3F0(int _a4) {
    				void* _v0;
    				void* __ebp;
    				void* _t17;
    				void* _t20;
    				void* _t22;
    				void* _t28;
    				int _t32;
    				void* _t33;
    				void* _t34;
    				void* _t35;
    
    				_t33 = _t22;
    				_t32 = _a4;
    				_t37 = _t32 -  *(_t33 + 0x210);
    				if(_t32 <=  *(_t33 + 0x210)) {
    					L5:
    					return 0;
    				}
    				_push(0x1032734);
    				_t17 = E01046E25( ~(0 | _t37 > 0x00000000) | _t32 * 0x00000002); // executed
    				_t35 = _t34 + 8;
    				if(_t17 == 0) {
    					E010534D4("onecore\\base\\cmd\\maxpathawarestring.cpp", 0x8007000e);
    					return 0x8007000e;
    				}
    				_t28 =  *(_t33 + 0x208);
    				 *(_t33 + 0x208) = _t17;
    				if(_t28 != 0) {
    					__imp__??_V@YAXPAX@Z(_t28);
    					_t35 = _t35 + 4;
    				}
    				_t20 =  *(_t33 + 0x208);
    				 *(_t33 + 0x210) = _t32;
    				if(_t20 == 0) {
    					_t20 = _t33;
    				}
    				memset(_t20, 0, _t32);
    				goto L5;
    			}

    APIs
    Strings
    • onecore\base\cmd\maxpathawarestring.cpp, xrefs: 0104DC57
    Similarity
    • API ID: memset
    • String ID: onecore\base\cmd\maxpathawarestring.cpp
    • API String ID: 2221118986-3416068913
    • Opcode ID: 80c70a525af4aed2950926cc41089766a34b522eac31c99c365dd0896a1b5838
    • Instruction ID: 11923d104d48723398048b8645d220c2ac629904f60ac11edccf0d9f0b38eda5
    • Opcode Fuzzy Hash: 80c70a525af4aed2950926cc41089766a34b522eac31c99c365dd0896a1b5838
    • Instruction Fuzzy Hash: 710128B1700305A7D7688629DC49B6BB6CDDBD5350F04463DF9DADB280DEA6FC0082A1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 92%
    			E0103A976(WCHAR* __ecx, signed int __edx) {
    				int _t4;
    				intOrPtr _t10;
    				signed int _t11;
    				long _t12;
    				WCHAR* _t13;
    				void* _t16;
    				intOrPtr* _t21;
    
    				_t14 = __edx;
    				_t13 = __ecx;
    				_t12 = _t11 ^ _t11;
    				 *0x10665c6 = _t12;
    				if(__edx != 0) {
    					_t21 = __edx;
    					_t16 = __edx + 2;
    					do {
    						_t10 =  *_t21;
    						_t21 = _t21 + 2;
    					} while (_t10 != _t12);
    					asm("sbb esi, esi");
    					_t14 = __edx &  ~(_t21 - _t16 >> 1);
    				}
    				_t4 = SetEnvironmentVariableW(_t13, _t14); // executed
    				RtlFreeHeap(GetProcessHeap(), _t12,  *0x1062594);
    				 *0x1062594 = E0103A9D4();
    				return 0 | _t4 == 0x00000000;
    			}

    APIs
    • SetEnvironmentVariableW.KERNELBASE(01037908,?,?,00000000,01038E2E), ref: 0103A9A4
    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 0103A9B3
    • RtlFreeHeap.NTDLL(00000000), ref: 0103A9BA
    Similarity
    • API ID: Heap$EnvironmentFreeProcessVariable
    • String ID:
    • API String ID: 2643372051-0
    • Opcode ID: ec6db6923eb56988b39fb245fa738fe9a7b9873fd0b3c97c3549c7ce1ccbbf72
    • Instruction ID: d2d5896e2aa702eb381b9c5ad6abccd241fecce19d3a4ed4971128970f2f50c7
    • Opcode Fuzzy Hash: ec6db6923eb56988b39fb245fa738fe9a7b9873fd0b3c97c3549c7ce1ccbbf72
    • Instruction Fuzzy Hash: 17F0E977E01220DBE7345B786D08467BA69A9C465130A8565ECD5B7108D53A8C0183A0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 41%
    			E0104742D(int _a4) {
    				intOrPtr _v4;
    				intOrPtr _v8;
    				int _v12;
    				char _v20;
    				intOrPtr _v28;
    				char _v48;
    				void* _v56;
    				intOrPtr _v76;
    				void* _v84;
    				void* _v88;
    				void* _v104;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* _t31;
    				intOrPtr _t38;
    				void* _t41;
    				intOrPtr _t42;
    				void _t43;
    				intOrPtr _t47;
    				void _t48;
    				intOrPtr* _t56;
    				void* _t57;
    				void* _t65;
    				void* _t67;
    				void _t69;
    				intOrPtr _t72;
    				int _t73;
    				intOrPtr _t75;
    				void* _t78;
    				void* _t79;
    				void* _t83;
    				void* _t84;
    				void* _t85;
    				void* _t86;
    				void* _t88;
    				void* _t89;
    				void* _t90;
    				void* _t91;
    
    				while(1) {
    					_t31 = malloc(_a4); // executed
    					if(_t31 != 0) {
    						break;
    					}
    					_push(_a4);
    					L01047C04();
    					if(_t31 == 0) {
    						_t83 = _t88;
    						_t89 = _t88 - 0xc;
    						E010474D1( &_v20);
    						_push(0x105cbf8);
    						_push( &_v20);
    						L01047C36();
    						asm("int3");
    						_push("string too long");
    						L7();
    						asm("int3");
    						_push(_t83);
    						_t84 = _t89;
    						_t90 = _t89 - 0xc;
    						E01047521( &_v48, _v28);
    						_push(0x105cc68);
    						_push( &_v48);
    						L01047C36();
    						asm("int3");
    						_push(_t84);
    						_t85 = _t90;
    						_t91 = _t90 - 0xc;
    						_t65 = _t85 - 0xc;
    						E01047521(_t65,  *((intOrPtr*)(_t85 + 8)));
    						_push(0x105cca4);
    						_push(_t85 - 0xc);
    						L01047C36();
    						asm("int3");
    						_push("invalid string position");
    						L8();
    						asm("int3");
    						_push(_t85);
    						_t86 = _t91;
    						_t38 = _v76;
    						_t56 =  *((intOrPtr*)(_t86 + 8));
    						_t78 = _t65;
    						_t72 =  *((intOrPtr*)(_t56 + 0x10));
    						if(_t72 < _t38) {
    							L9();
    							asm("int3");
    							_push(_t86);
    							_push(_t56);
    							_t57 =  *(_t91 + 8);
    							_push(_t78);
    							_t79 = _t65;
    							if(E01047759(_t65, _t57) == 0) {
    								_push(_t72);
    								_t73 = _v12;
    								_push(0);
    								if(E010476FB(_t79, _t73) != 0) {
    									_t42 =  *((intOrPtr*)(_t79 + 0x14));
    									if(_t42 < 0x10) {
    										_t67 = _t79;
    									} else {
    										_t67 =  *_t79;
    									}
    									if(_t73 != 0) {
    										memcpy(_t67, _t57, _t73);
    										_t42 =  *((intOrPtr*)(_t79 + 0x14));
    									}
    									 *(_t79 + 0x10) = _t73;
    									if(_t42 < 0x10) {
    										_t43 = _t79;
    									} else {
    										_t43 =  *_t79;
    									}
    									 *((char*)(_t43 + _t73)) = 0;
    								}
    								_t41 = _t79;
    							} else {
    								if( *((intOrPtr*)(_t79 + 0x14)) < 0x10) {
    									_t41 = _t79;
    								} else {
    									_t41 =  *_t79;
    								}
    								_push(_v12);
    								_push(_t57 - _t41);
    								_push(_t79);
    								L10();
    							}
    							return _t41;
    						} else {
    							_t75 = _t72 - _t38;
    							if(_v4 < _t75) {
    								_t75 = _v4;
    							}
    							if(_t78 != _t56) {
    								_push(0);
    								if(E010476FB(_t65, _t75) != 0) {
    									if( *((intOrPtr*)(_t56 + 0x14)) >= 0x10) {
    										_t56 =  *_t56;
    									}
    									_t47 =  *((intOrPtr*)(_t78 + 0x14));
    									if(_t47 < 0x10) {
    										_t69 = _t78;
    									} else {
    										_t69 =  *_t78;
    									}
    									if(_t75 != 0) {
    										_push(_t75);
    										_push(_v8 + _t56);
    										_push(_t69);
    										L01047C3C();
    										_t47 =  *((intOrPtr*)(_t78 + 0x14));
    									}
    									 *((intOrPtr*)(_t78 + 0x10)) = _t75;
    									if(_t47 < 0x10) {
    										_t48 = _t78;
    									} else {
    										_t48 =  *_t78;
    									}
    									 *((char*)(_t48 + _t75)) = 0;
    								}
    							} else {
    								_push(_t38 + _t75);
    								E01047A13(_t56, _t65, _t75, _t78);
    								_push(_v8);
    								E01047A3F(_t56, _t78, _t75, _t78, 0);
    							}
    							return _t78;
    						}
    					} else {
    						continue;
    					}
    					L46:
    				}
    				return _t31;
    				goto L46;
    			}











































    APIs
    • _callnewh.MSVCRT ref: 01047437
      • Part of subcall function 010474D1: ??0exception@@QAE@ABQBDH@Z.MSVCRT(010477EC,00000001), ref: 010474E7
    • malloc.MSVCRT ref: 01047444
    • _CxxThrowException.MSVCRT(?,0105CBF8), ref: 010477F5
    Similarity
    • API ID: ??0exception@@ExceptionThrow_callnewhmalloc
    • String ID:
    • API String ID: 813871643-0
    • Opcode ID: e00286aad6215d293956df2062bdafd97fb3d2ab277c97fad61ed2665d01497a
    • Instruction ID: 1d2bd60709a4bedccd8ccb7ddb81796c6de727f42cffe0ebacb1f15e7b9c31f7
    • Opcode Fuzzy Hash: e00286aad6215d293956df2062bdafd97fb3d2ab277c97fad61ed2665d01497a
    • Instruction Fuzzy Hash: F0E048B550020EB79F2066A5DCC89FE3F6C5AC0220B548074AD9996450DF31D555C5D5
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 27%
    			E0103CC70(signed int __ecx) {
    				signed int _t2;
    				intOrPtr _t3;
    				intOrPtr* _t6;
    				intOrPtr _t12;
    				intOrPtr _t14;
    				void* _t15;
    
    				_t10 = __ecx;
    				if( *0x10665f0 != 0) {
    					_t10 = __ecx | 0x00000010;
    				}
    				_t3 = E0103CF10(_t2, 0x1074af0, 0x2000, _t10); // executed
    				_t14 = _t3;
    				 *0x1066700 = _t14;
    				if(_t14 == 0xffffffff) {
    					 *0x10665ec = 0x234a;
    					__imp__longjmp(0x1070ab0, 1);
    					goto L8;
    				} else {
    					_t6 = 0x1074af0;
    					_t1 = _t6 + 2; // 0x1074af2
    					_t15 = _t1;
    					do {
    						_t12 =  *_t6;
    						_t6 = _t6 + 2;
    					} while (_t12 != 0);
    					 *0x10666fc = (_t6 - _t15 >> 1) + 1;
    					if( *0x1079059 != _t12) {
    						L8:
    						_push(0x1074af0);
    						_push(_t14);
    						E01039950(L"GeToken: (%x) \'%s\'\n");
    						_t14 =  *0x1066700;
    					}
    				}
    				return _t14;
    			}










    Strings
    Similarity
    • API ID:
    • String ID: GeToken: (%x) '%s'
    • API String ID: 0-1994581435
    • Opcode ID: ad25158b88ddac87a7527f49a21acc42015af6bad17e5b100631b11dad63f97b
    • Instruction ID: 98a99031d065332e95378e8127c18203951796030a2a1cf3dc7220fcc8fe0bd6
    • Opcode Fuzzy Hash: ad25158b88ddac87a7527f49a21acc42015af6bad17e5b100631b11dad63f97b
    • Instruction Fuzzy Hash: 0DF028B1A141019FE720AB1CB919B663695F7C1314F048265F0C7EB2D9D77B94068B94
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 30%
    			E0103DCD0(void* __ecx) {
    				void* _t6;
    				long _t10;
    
    				_t8 = __ecx;
    				_t10 = __ecx + 8;
    				if(_t10 < __ecx) {
    					L3:
    					_push(0);
    					_push(8);
    					E010378E4(_t8);
    					return 0;
    				} else {
    					_t6 = RtlAllocateHeap(GetProcessHeap(), 8, _t10); // executed
    					if(_t6 == 0) {
    						goto L3;
    					} else {
    						 *0x1066778 =  *0x1066778 + 1;
    						 *_t6 = _t10;
    						 *(_t6 + 4) =  *0x1066784;
    						 *0x1066784 = _t6;
    						return _t6 + 8;
    					}
    				}
    			}






    APIs
    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0103ACD8,00000001,?,00000000,01038C23,-00000105,0105C9B0,00000240,01041E92,00000000,00000000,0104ACE0,00000000), ref: 0103DCE1
    • RtlAllocateHeap.NTDLL(00000000,?,0103ACD8,00000001,?,00000000,01038C23,-00000105,0105C9B0,00000240,01041E92,00000000,00000000,0104ACE0,00000000,00000000), ref: 0103DCE8
    Similarity
    • API ID: Heap$AllocateProcess
    • String ID:
    • API String ID: 1357844191-0
    • Opcode ID: 38f4e3c8ccc59d98b81ef177f3be5e98bfb4e989511f8a1d15abc764e39f09a9
    • Instruction ID: 2b9d63ddb3a999ebeb42f34f593d8dc0622c475bab26cacf7a8c010abd7cb6c2
    • Opcode Fuzzy Hash: 38f4e3c8ccc59d98b81ef177f3be5e98bfb4e989511f8a1d15abc764e39f09a9
    • Instruction Fuzzy Hash: 88E065716412109BD7605B54BC48B853B69F790312F094066E589D7148DA6A9841D750
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 37%
    			E01059FCF(void* __eax, void* __ecx) {
    				signed int _t4;
    
    				__imp___get_osfhandle(__ecx);
    				_t4 = GetFileType(__eax); // executed
    				 *0x106671c =  *0x106671c & 0x00000000;
    				return 0 | (_t4 & 0xffff7fff) == 0x00000003;
    			}





    APIs
    • _get_osfhandle.MSVCRT ref: 01059FD2
    • GetFileType.KERNELBASE(00000000), ref: 01059FDA
    Similarity
    • API ID: FileType_get_osfhandle
    • String ID:
    • API String ID: 2312334805-0
    • Opcode ID: 359eb700457e9153ffa3f678dfb54446484d734fd3f1a59556ab8e1729fb38cb
    • Instruction ID: 9cff997558299c410848ca20e50ad58719ddcfd2c3a6196c724691a98e66b447
    • Opcode Fuzzy Hash: 359eb700457e9153ffa3f678dfb54446484d734fd3f1a59556ab8e1729fb38cb
    • Instruction Fuzzy Hash: 1BC012376202008BCB291BB0A92D76EBAA4FB842B2F184918F053860D4EF3F85008B84
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 62%
    			E0103A8C4(void* __ebx, char __ecx) {
    				intOrPtr _t2;
    				signed short* _t6;
    				void* _t9;
    				char _t11;
    				signed int _t14;
    				intOrPtr _t15;
    
    				_push(__ecx);
    				_t2 =  *0x10666f8;
    				_t11 = __ecx;
    				 *((char*)(_t2 + 0x10665f8)) = __ecx;
    				 *0x10666f8 = _t2 + 1;
    				if(__ecx == 0x33) {
    					 *0x10665f0 =  *0x10665f0 + 1;
    				}
    				_t14 = 8;
    				 *0x10665d0 = 1;
    				E0103CC70(_t14);
    				 *0x10665d0 =  *0x10665d0 & 0x00000000;
    				if( *0x1066700 == 0) {
    					__imp__longjmp(0x1070ab0, 0xffffffff);
    					asm("int3"); // executed
    					while(1) {
    						L14:
    						E0103D660(); // executed
    						_t6 =  *0x10665cc;
    						_t15 =  *0x1079528;
    						while( *_t6 == 0xd) {
    							if(_t15 != 0) {
    								L12:
    								 *0x1079528 = 0;
    							} else {
    								_t6 =  &(_t6[1]);
    								 *0x10665cc = _t6;
    								if( *_t6 == 0) {
    									goto L14;
    								}
    								continue;
    							}
    							L9:
    							 *0x10665cc =  &(_t6[1]);
    							return  *_t6 & 0x0000ffff;
    							goto L15;
    						}
    						if(_t15 != 0) {
    							goto L12;
    						}
    						goto L9;
    					}
    				} else {
    					_t9 = E0103BAB0();
    					 *0x10666f8 =  *0x10666f8 - 1;
    					if(_t11 == 0x33) {
    						 *0x10665f0 =  *0x10665f0 - 1;
    					}
    					return _t9;
    				}
    				L15:
    			}










    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: e2fa13dc6feaf4f2661fd98593fa543143745555387affe7b9311709d2b9ffdc
    • Instruction ID: cd95ea3b97fb86c16986021a7f06225a8a0939be4b276dd56908023e9bf73bd6
    • Opcode Fuzzy Hash: e2fa13dc6feaf4f2661fd98593fa543143745555387affe7b9311709d2b9ffdc
    • Instruction Fuzzy Hash: 1D018171618206EBD3649B99F489B5437B9F388320F55036AE5E9D31E9DB3B08809B85
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0104640A(void* __ecx, long _a4, char _a8) {
    				short _v8;
    				char* _v12;
    
    				_v12 =  &_a8;
    				_v8 = 0;
    				FormatMessageW(0x1900, 0, _a4, 0,  &_v8, 0,  &_v12); // executed
    				return _v8;
    			}






    APIs
    • FormatMessageW.KERNELBASE(00001900,00000000,?,00000000,?,00000000,?,?,?,?,01059C96,0104FDFA,00000000,?), ref: 0104642F
    Similarity
    • API ID: FormatMessage
    • String ID:
    • API String ID: 1306739567-0
    • Opcode ID: 2b41421d36cf9d9f505d828ea475d2ca5e7997a497b1de6cf18a71d98239a340
    • Instruction ID: 79548694cdb710345648970216884a015daad9f31434bf8d309ced1f3dc04cfe
    • Opcode Fuzzy Hash: 2b41421d36cf9d9f505d828ea475d2ca5e7997a497b1de6cf18a71d98239a340
    • Instruction Fuzzy Hash: 39E0BFB591010CFFAB09CF90D846CEE7BBCEB48355B10415AB51596140E670AF449B60
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E01046E30(void* __ebx, void* __edi, void* __esi, void* __eflags) {
    				void* _t6;
    				void* _t12;
    
    				E0104723F(E0104802A, __ebx, __edi, __esi);
    				 *(_t12 - 4) =  *(_t12 - 4) & 0x00000000;
    				_t6 = E0104742D( *((intOrPtr*)(_t12 + 8)), 8); // executed
    				return E0104722B(_t6);
    			}






    APIs
    • __EH_prolog3_catch.LIBCMT ref: 01046E37
      • Part of subcall function 0104742D: malloc.MSVCRT ref: 01047444
    Similarity
    • API ID: H_prolog3_catchmalloc
    • String ID:
    • API String ID: 125873668-0
    • Opcode ID: 5106200f83d1c86c12303b3809f1ff04f3ac36a92f3e7a8072969ae0d6ca6af6
    • Instruction ID: fcf86e3d0442778cbb17b08fa3bc314f118f67d5de67a3d093c01712eb097661
    • Opcode Fuzzy Hash: 5106200f83d1c86c12303b3809f1ff04f3ac36a92f3e7a8072969ae0d6ca6af6
    • Instruction Fuzzy Hash: BCC08CE1120102E7CB4037E0E1807AC3A10BB60A42F8084A4B0C019080EF7549501A51
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 88%
    			E01041A05(void** __ecx, signed int __edx, void* __eflags) {
    				void* _t9;
    				int _t15;
    				signed int _t17;
    				void** _t22;
    				void* _t23;
    
    				_t22 = __ecx;
    				_t17 = 2;
    				_push(0x1032734);
    				_t15 =  ~(0 | __eflags > 0x00000000) | __edx * _t17;
    				_t9 = E01046E25(_t15); // executed
    				_t23 = _t9;
    				if(_t23 == 0) {
    					_t23 = 0;
    				} else {
    					memset(_t23, 0, _t15);
    				}
    				 *_t22 = _t23;
    				return _t22;
    			}









    APIs
    Similarity
    • API ID: memset
    • String ID:
    • API String ID: 2221118986-0
    • Opcode ID: a5dc67e291a96a55a4565395a6219985647983c394196b77f294e13425425e5a
    • Instruction ID: 794ecbfa537471b4b40859c381d27ea1108d1dc0ddbd747599d28256778175ae
    • Opcode Fuzzy Hash: a5dc67e291a96a55a4565395a6219985647983c394196b77f294e13425425e5a
    • Instruction Fuzzy Hash: 8BE026F77062222BE22C14A9ACC6F578ADDCBC0A70F29003AF6448A180EAE15C0402E4
    Uniqueness

    Uniqueness Score: -1.00%

    Non-executed Functions

    C-Code - Quality: 44%
    			E01045A86(long __ecx, WCHAR* __edx) {
    				signed int _v8;
    				char _v532;
    				char _v536;
    				char _v548;
    				int _v556;
    				int _v560;
    				int _v564;
    				long _v568;
    				void* _v636;
    				void _v1084;
    				WCHAR* _v1128;
    				char _v1184;
    				struct _STARTUPINFOW _v1252;
    				void* _v1260;
    				void* _v1264;
    				void* _v1268;
    				signed short _v1276;
    				signed int _v1280;
    				long _v1312;
    				void* _v1316;
    				void _v1324;
    				void* _v1340;
    				struct _STARTUPINFOW _v1412;
    				int _v1414;
    				int _v1417;
    				char _v1418;
    				int _v1419;
    				char _v1422;
    				char _v1425;
    				int _v1426;
    				struct _PROCESS_INFORMATION _v1428;
    				int _v1429;
    				long _v1432;
    				int _v1433;
    				int _v1437;
    				signed int _v1440;
    				char _v1444;
    				void* _v1448;
    				void* _v1452;
    				void* _v1456;
    				intOrPtr _v1464;
    				WCHAR* _v1468;
    				WCHAR* _v1476;
    				intOrPtr _v1484;
    				long _v1488;
    				char _v1492;
    				signed int _v1496;
    				intOrPtr _v1500;
    				intOrPtr _v1504;
    				signed int _v1508;
    				char _v1520;
    				char _v1522;
    				char _v1525;
    				char _v1526;
    				signed int _v1528;
    				signed int _v1529;
    				char _v1531;
    				char _v1536;
    				char _v1537;
    				signed int _v1544;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				signed int _t274;
    				intOrPtr _t292;
    				int _t295;
    				short* _t296;
    				wchar_t* _t297;
    				intOrPtr _t299;
    				long _t300;
    				intOrPtr _t301;
    				intOrPtr _t302;
    				intOrPtr _t303;
    				intOrPtr _t304;
    				intOrPtr _t305;
    				int _t306;
    				short* _t307;
    				long _t308;
    				void* _t312;
    				void* _t318;
    				long _t319;
    				long _t322;
    				int _t329;
    				long _t333;
    				char* _t336;
    				int* _t350;
    				long _t351;
    				short _t352;
    				long _t353;
    				int _t359;
    				long _t365;
    				short _t366;
    				void* _t367;
    				signed char _t368;
    				signed int _t371;
    				long _t373;
    				void* _t374;
    				signed int _t378;
    				long _t381;
    				long _t382;
    				long _t387;
    				signed int _t390;
    				long _t393;
    				long _t397;
    				void* _t404;
    				signed short* _t409;
    				long _t411;
    				void* _t413;
    				int _t414;
    				short _t418;
    				signed short _t421;
    				long _t422;
    				long _t423;
    				signed short _t429;
    				long _t430;
    				long _t431;
    				WCHAR* _t432;
    				long _t434;
    				long _t436;
    				long _t439;
    				void* _t440;
    				long _t441;
    				void* _t442;
    				long _t444;
    				long _t445;
    				long _t448;
    				long _t455;
    				void* _t456;
    				long _t458;
    				signed short _t461;
    				void* _t467;
    				int _t473;
    				void* _t474;
    				void* _t475;
    				signed int _t478;
    				long _t479;
    				long _t480;
    				intOrPtr _t489;
    				void* _t503;
    				WCHAR* _t516;
    				signed int _t518;
    				intOrPtr _t520;
    				signed int _t524;
    				long* _t526;
    				void* _t534;
    				signed int _t539;
    				signed int _t550;
    				WCHAR* _t551;
    				signed int _t555;
    				void* _t568;
    				wchar_t* _t569;
    				long _t570;
    				long _t574;
    				void* _t581;
    				void* _t583;
    				short* _t620;
    				long* _t622;
    				signed int _t623;
    				void* _t626;
    				void* _t635;
    				long _t637;
    				short* _t639;
    				void* _t646;
    				WCHAR* _t648;
    				long _t651;
    				void* _t652;
    				int _t655;
    				void* _t657;
    				wchar_t* _t659;
    				signed int _t660;
    				signed int _t662;
    				void* _t663;
    				signed int _t664;
    
    				_t613 = __edx;
    				_t662 = (_t660 & 0xfffffff8) - 0x59c;
    				_t274 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t274 ^ _t662;
    				_v1412.dwYCountChars = _v1412.dwYCountChars | 0xffffffff;
    				_v1412.cb = __ecx;
    				_v1412.dwYSize = 0xffff;
    				asm("movsd");
    				_t473 = 1;
    				_v1412.dwX = 0;
    				_v1425 = 0;
    				asm("movsd");
    				_v1412.dwXCountChars = 0;
    				_v1412.hStdInput = 0;
    				_v1412.dwFlags = 0;
    				asm("movsd");
    				_v1412.lpDesktop = 0;
    				_v1426 = 0;
    				_v1417 = 0;
    				asm("movsd");
    				_v1419 = 0;
    				asm("stosd");
    				_t655 = 0x48;
    				asm("stosd");
    				_v1412.lpReserved2 = 1;
    				asm("stosd");
    				asm("stosd");
    				memset( &_v1324, 0, _t655);
    				_t663 = _t662 + 0xc;
    				_v1440 = 0x80010;
    				_v1324 = _t655;
    				_v1276 = 1;
    				_v1268 = GetStdHandle(0xfffffff6);
    				_v1264 = GetStdHandle(0xfffffff5);
    				_v1260 = GetStdHandle(0xfffffff4);
    				if(_v1412.cb == 0) {
    					_v1412.cb =  &_v548;
    				}
    				_v560 = _t473;
    				_v564 = 0;
    				_v556 = 0x104;
    				memset( &_v1084, 0, 0x104);
    				_t664 = _t663 + 0xc;
    				if(E0103E3F0(((0 | _v560 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
    					L60:
    					_t292 = _v564;
    					_v564 = 0;
    					if(_t292 != 0) {
    						__imp__??_V@YAXPAX@Z(_t292);
    					}
    					_pop(_t646);
    					_pop(_t657);
    					_pop(_t474);
    					return E01046B30(_t473, _t474, _v8 ^ _t664, _t613, _t646, _t657);
    				} else {
    					_push(0x1032734);
    					_t295 = E01046E25(0x4000);
    					_push(0x1032734);
    					_v1428.dwThreadId = _t295;
    					_t296 = E01046E25(0x4000);
    					_push(0x1032734);
    					_v1412.lpTitle = _t296;
    					_t297 = E01046E25(0x4000);
    					_push(0x1032734);
    					_t659 = _t297;
    					_t648 = E01046E25(0x4000);
    					_push(0x1032734);
    					_v1412.wShowWindow = _t648;
    					_t299 = E01046E25(0x4000);
    					_push(0x1032734);
    					_v1412.dwFillAttribute = _t299;
    					_t300 = E01046E25(0x4000);
    					_push(0x1032734);
    					_v1412.dwXSize = _t300;
    					_t301 = E01046E25(0x4000);
    					_t664 = _t664 + 0x38;
    					_t489 = _t301;
    					_v1412.dwY = _t489;
    					if(_v1428.dwThreadId == 0) {
    						L46:
    						_t302 = _v1412.dwY;
    						if(_t302 != 0) {
    							__imp__??_V@YAXPAX@Z(_t302);
    						}
    						_t303 = _v1412.dwXSize;
    						if(_t303 != 0) {
    							__imp__??_V@YAXPAX@Z(_t303);
    						}
    						_t304 = _v1412.dwFillAttribute;
    						if(_t304 != 0) {
    							__imp__??_V@YAXPAX@Z(_t304);
    						}
    						if(_t648 != 0) {
    							__imp__??_V@YAXPAX@Z(_t648);
    						}
    						if(_t659 != 0) {
    							__imp__??_V@YAXPAX@Z(_t659);
    						}
    						_t305 = _v1412.lpTitle;
    						if(_t305 != 0) {
    							__imp__??_V@YAXPAX@Z(_t305);
    						}
    						_t306 = _v1428.dwThreadId;
    						if(_t306 != 0) {
    							__imp__??_V@YAXPAX@Z(_t306);
    						}
    						goto L60;
    					}
    					_t307 = _v1412.lpTitle;
    					if(_t307 == 0 || _t659 == 0 || _t648 == 0 || _v1412.dwFillAttribute == 0 || _v1412.dwXSize == 0 || _t489 == 0) {
    						goto L46;
    					} else {
    						_v1412.hStdOutput = 5;
    						 *_t648 = 0;
    						 *_t307 = 0;
    						_t308 = _v1412.cb;
    						while( *_t308 != 0) {
    							_t409 = E0103AB7F(_t308);
    							_t635 = 0x22;
    							_v1432 = _t409;
    							_t539 =  *_t409 & 0x0000ffff;
    							if(_t539 == _t635) {
    								__eflags = _v1312;
    								if(_v1312 != 0) {
    									goto L12;
    								}
    								_t613 =  &_v1432;
    								_t467 = E01046162(_t473,  &_v1432,  &_v532, 0x104);
    								__eflags = _t467 - _t473;
    								if(_t467 == _t473) {
    									goto L46;
    								}
    								E0103F3A0( &_v532, 0x104, E01040060( &_v532, _t648));
    								_v1429 = _t473;
    								_v1316 =  &_v536;
    								L76:
    								_t308 = _v1432;
    								continue;
    							}
    							L12:
    							_t613 =  &_v1432;
    							_push(0x2000);
    							if(_t539 == 0x2f) {
    								_push(_t659);
    								_v1432 =  &(_t409[1]);
    								_t411 = E01046162(_t473,  &_v1432);
    								__eflags = _t411 - _t473;
    								if(_t411 == _t473) {
    									goto L46;
    								}
    								__imp___wcsicmp(_t659, L"AFFINITY");
    								__eflags = _t411;
    								if(_t411 == 0) {
    									_v1432 = E0103AB7F(_v1432);
    									_t413 = E01046162(_t473,  &_v1432, _t659, 0x2000);
    									__eflags = _t413 - _t473;
    									if(_t413 == _t473) {
    										L140:
    										_t414 = _v1428.dwThreadId;
    										__eflags = 0x10337e0;
    										_t480 = 0x2000;
    										_t637 = _t414;
    										_t652 = 0x10337e0 - _t414;
    										while(1) {
    											_t202 = _t480 + 0x7fffdffe; // 0x7ffffffe
    											__eflags = _t202;
    											if(_t202 == 0) {
    												break;
    											}
    											_t550 =  *(_t637 + _t652) & 0x0000ffff;
    											__eflags = _t550;
    											if(_t550 == 0) {
    												break;
    											}
    											 *_t637 = _t550;
    											_t637 = _t637 + 2;
    											_t480 = _t480 - 1;
    											__eflags = _t480;
    											if(_t480 != 0) {
    												continue;
    											}
    											break;
    										}
    										_t648 = _v1412.wShowWindow;
    										__eflags = _t480;
    										if(_t480 == 0) {
    											_t637 = _t637 - 2;
    											__eflags = _t637;
    										}
    										 *_t637 = 0;
    										_t613 = 0x2000;
    										_t549 = _t414;
    										E0103FC40(_t414, 0x2000, _t659);
    										_push(_v1428.dwProcessId);
    										_t473 = 1;
    										__eflags = 1;
    										_push(1);
    										_push(0x2375);
    										L139:
    										E010378E4(_t549);
    										_t664 = _t664 + 0xc;
    										goto L46;
    									}
    									__eflags =  *_t659 - 0x30;
    									_t613 = _t659;
    									_v1412.cb = _t613;
    									if( *_t659 != 0x30) {
    										L88:
    										_t551 = _t613;
    										_t130 =  &(_t551[1]); // 0x6
    										_v1428.hThread = _t130;
    										do {
    											_t418 =  *_t551;
    											_t551 =  &(_t551[1]);
    											__eflags = _t418 - _v1412.dwX;
    										} while (_t418 != _v1412.dwX);
    										_t549 = _t551 - _v1428.hThread >> 1;
    										__eflags = _t551 - _v1428.hThread >> 1 - 8;
    										if(_t551 - _v1428.hThread >> 1 > 8) {
    											L124:
    											_push(_t659);
    											L125:
    											_push(_t473);
    											_push(0x2362);
    											goto L139;
    										}
    										_v1412.lpDesktop = 0;
    										_t421 = towlower( *_t613 & 0x0000ffff);
    										_v1412.cb = _v1412.cb + 2;
    										_t422 = _t421 & 0x0000ffff;
    										_v1428.hThread = _t422;
    										_t423 = iswspace(_t422);
    										_pop(_t549);
    										__eflags = _t423;
    										if(_t423 != 0) {
    											goto L124;
    										} else {
    											goto L92;
    										}
    										while(1) {
    											L92:
    											_t549 = _v1428.hThread;
    											__eflags = _t549;
    											if(_t549 == 0) {
    												break;
    											}
    											_t613 = _v1412.lpDesktop << 4;
    											__eflags = _t549 - 0x30 - 9;
    											if(_t549 - 0x30 > 9) {
    												__eflags = _t549 - 0x61 - _v1412.hStdOutput;
    												if(_t549 - 0x61 > _v1412.hStdOutput) {
    													goto L124;
    												}
    												_t639 =  &(_t613[0xffffffffffffffd5]);
    												__eflags = _t639;
    												L97:
    												_t613 = _t639 + (_t549 & 0x0000ffff);
    												_v1412.lpDesktop = _t639 + (_t549 & 0x0000ffff);
    												_t429 = towlower( *(_v1412.cb) & 0x0000ffff);
    												_v1412.cb = _v1412.cb + 2;
    												_t430 = _t429 & 0x0000ffff;
    												_v1428.hThread = _t430;
    												_t431 = iswspace(_t430);
    												_pop(_t549);
    												__eflags = _t431;
    												if(_t431 == 0) {
    													continue;
    												}
    												break;
    											}
    											_t639 =  &(_t613[0xffffffffffffffe8]);
    											goto L97;
    										}
    										__eflags = _v1412.lpDesktop;
    										if(_v1412.lpDesktop == 0) {
    											goto L124;
    										}
    										_v1440 = _v1440 | 0x00000004;
    										_v1419 = _t473;
    										goto L76;
    									}
    									_t555 = _t659[0] & 0x0000ffff;
    									_t432 = _t613;
    									__eflags = _t555 - 0x78;
    									if(_t555 == 0x78) {
    										L87:
    										_t128 =  &(_t432[2]); // 0x4
    										_t613 = _t128;
    										_v1412.cb = _t613;
    										goto L88;
    									}
    									__eflags = _t555 - 0x58;
    									if(_t555 != 0x58) {
    										goto L88;
    									}
    									goto L87;
    								}
    								__imp___wcsicmp(_t659, L"ABOVENORMAL");
    								__eflags = _t411;
    								if(_t411 == 0) {
    									_v1440 = _v1440 | 0x00008000;
    									goto L76;
    								}
    								__imp___wcsicmp(_t659, L"BELOWNORMAL");
    								__eflags = _t411;
    								if(_t411 == 0) {
    									_v1440 = _v1440 | 0x00004000;
    									goto L76;
    								}
    								__imp___wcsicmp(_t659, "B");
    								__eflags = _t411;
    								if(_t411 == 0) {
    									_v1426 = _t473;
    									_v1440 = _v1440 & 0xffffffef | 0x00000200;
    									goto L76;
    								}
    								__imp___wcsicmp(_t659, L"NEWWINDOW");
    								__eflags = _t411;
    								if(_t411 == 0) {
    									_v1412.lpReserved2 = 2;
    									goto L76;
    								}
    								_t434 = towupper( *_t659 & 0x0000ffff);
    								_t568 = 0x44;
    								__eflags = _t434 - _t568;
    								if(_t434 == _t568) {
    									_t160 =  &(_t659[0]); // 0x2
    									_t640 = _t160;
    									_t569 = _t160;
    									_t161 =  &(_t569[0]); // 0x4
    									_v1428.hThread = _t161;
    									do {
    										_t436 =  *_t569;
    										_t569 =  &(_t569[0]);
    										__eflags = _t436 - _v1412.dwX;
    									} while (_t436 != _v1412.dwX);
    									_t570 = _t569 - _v1428.hThread;
    									__eflags = _t570;
    									if(_t570 != 0) {
    										L109:
    										E0103A641(E01040060(_t640, _t648));
    										_t439 = _v568;
    										_v1412.dwYSize = _t439;
    										__eflags = _t439;
    										if(_t439 == 0) {
    											_t439 =  &_v1084;
    											_v1412.dwXCountChars = _t439;
    										}
    										_t574 = _t439;
    										_t613 = _t574 + 2;
    										do {
    											_t440 =  *_t574;
    											_t574 = _t574 + 2;
    											__eflags = _t440 - _v1412.dwX;
    										} while (_t440 != _v1412.dwX);
    										_t549 = _t574 - _t613 >> 1;
    										__eflags = _t574 - _t613 >> 1 - 0x7fe7;
    										if(_t574 - _t613 >> 1 <= 0x7fe7) {
    											goto L76;
    										}
    										_push(_v1412.dwXCountChars);
    										goto L125;
    									}
    									_t441 = E0103AB7F(_v1432);
    									_t613 =  &_v1432;
    									_v1432 = _t441;
    									_t442 = E01046162(_t473,  &_v1432, _t659, 0x2000);
    									__eflags = _t442 - _t473;
    									if(_t442 == _t473) {
    										goto L46;
    									}
    									_t640 = _t659;
    									goto L109;
    								}
    								__imp___wcsicmp(_t659, L"HIGH");
    								__eflags = _t434;
    								if(_t434 == 0) {
    									_v1440 = _v1440 | 0x00000080;
    									goto L76;
    								}
    								_t444 = towupper( *_t659 & 0x0000ffff);
    								__eflags = _t444 - 0x49;
    								if(_t444 == 0x49) {
    									_t445 =  *0x1062590;
    									__eflags = _t445;
    									if(_t445 != 0) {
    										_v1412.dwFlags =  *_t445;
    									}
    									goto L76;
    								}
    								_t448 = towupper( *_t659 & 0x0000ffff);
    								_pop(_t581);
    								__eflags = _t448 - 0x3f;
    								if(__eflags == 0) {
    									E01059A0E( &_v1432, __eflags);
    									_push(0);
    									E010363BD(_t581);
    									__eflags =  *0x1066755;
    									_t583 = 0x40002397;
    									if( *0x1066755 != 0) {
    										__eflags = 0;
    										_push(0);
    										_push(0x400023bf);
    										E010363BD(_t583);
    									}
    									 *0x107905b = 0;
    									 *0x107950c = 0;
    									goto L46;
    								}
    								__imp___wcsicmp(_t659, L"LOW");
    								__eflags = _t448;
    								if(_t448 == 0) {
    									_v1440 = _v1440 | 0x00000040;
    									goto L76;
    								}
    								__imp___wcsicmp(_t659, L"MIN");
    								__eflags = _t448;
    								if(_t448 != 0) {
    									__imp___wcsicmp(_t659, L"MAX");
    									__eflags = _t448;
    									if(_t448 != 0) {
    										__imp___wcsicmp(_t659, L"NODE");
    										__eflags = _t448;
    										if(_t448 != 0) {
    											__imp___wcsicmp(_t659, L"NORMAL");
    											__eflags = _t448;
    											if(_t448 != 0) {
    												__imp___wcsicmp(_t659, L"REALTIME");
    												__eflags = _t448;
    												if(_t448 != 0) {
    													__imp___wcsicmp(_t659, L"SEPARATE");
    													__eflags = _t448;
    													if(_t448 != 0) {
    														__imp___wcsicmp(_t659, L"SHARED");
    														__eflags = _t448;
    														if(_t448 != 0) {
    															__imp___wcsicmp(_t659, L"WAIT");
    															__eflags = _t448;
    															if(_t448 == 0) {
    																L136:
    																_v1417 = _t473;
    																goto L76;
    															}
    															__imp___wcsicmp(_t659, "W");
    															__eflags = _t448;
    															if(_t448 != 0) {
    																goto L140;
    															}
    															goto L136;
    														}
    														_v1440 = _v1440 | 0x00001000;
    														goto L76;
    													}
    													_v1440 = _v1440 | 0x00000800;
    													goto L76;
    												}
    												_v1440 = _v1440 | 0x00000100;
    												goto L76;
    											}
    											_v1440 = _v1440 | 0x00000020;
    											goto L76;
    										}
    										_v1428.hThread = _t448;
    										_t455 = E0103AB7F(_v1432);
    										_t613 =  &_v1432;
    										_v1432 = _t455;
    										_t549 = _t473;
    										_t456 = E01046162(_t473,  &_v1432, _t659, 0x2000);
    										__eflags = _t456 - _t473;
    										if(_t456 == _t473) {
    											goto L140;
    										}
    										_t458 = wcstoul(_t659,  &(_v1428.hThread), 0xa);
    										_t664 = _t664 + 0xc;
    										_v1412.dwYSize = _t458;
    										__eflags = _t458;
    										if(_t458 != 0) {
    											L123:
    											_push( &(_v1412.lpReserved));
    											"0r0wPH;w"();
    											__eflags = _v1412.dwXSize - _v1412.cb;
    											if(_v1412.dwXSize <= _v1412.cb) {
    												goto L76;
    											}
    											goto L124;
    										}
    										_t549 = _v1428.hThread;
    										__eflags =  *(_v1428.hThread) - _t458;
    										if( *(_v1428.hThread) != _t458) {
    											goto L124;
    										}
    										goto L123;
    									}
    									_v1280 = _v1280 | _t473;
    									_t461 = 3;
    									_v1276 = _v1276 | _t461;
    									goto L76;
    								}
    								_v1280 = _v1280 | _t473;
    								_t106 =  &_v1276;
    								 *_t106 = _v1276 | 0x00000007;
    								__eflags =  *_t106;
    								goto L76;
    							}
    							_push(_t648);
    							if(E01046162(0,  &_v1432) == _t473) {
    								goto L46;
    							}
    							_t463 = _v1432;
    							if( *_v1432 != 0) {
    								E0103F3A0(_v1412.lpTitle, 0x2000, _t463);
    								_v1412.lpReserved2 = _v1412.lpDesktop;
    							}
    							break;
    						}
    						if( *_t648 == 0) {
    							E0103F3A0(_t648, 0x2000,  &_v548);
    						}
    						_t312 = 0x22;
    						if( *_t648 == _t312 || wcschr(_t648, 0x20) == 0) {
    							E0103F3A0(_v1412.dwY, 0x2000, _t648);
    							E0103F3A0(_t648, 0x2000, E01040060(_t648, _t648));
    						} else {
    							E01039ABF(_v1412.dwY, 0x2000, L"\"%s\"", E01040060(_t648, _t648));
    							_t664 = _t664 + 0x10;
    						}
    						_t613 = _t648;
    						_v1418 = 0;
    						_v1433 = 0;
    						_push( &_v1432);
    						_t503 = 0x2d;
    						_t318 = E0103ED90(_t503, _t648);
    						_t684 = _t318 - 0xffffffff;
    						if(_t318 != 0xffffffff) {
    							L154:
    							_t319 = E0103EC2E(L"COMSPEC");
    							_v1412.lpReserved = _t319;
    							__eflags = _t319;
    							if(_t319 != 0) {
    								E01039ABF(_v1412.cb, 0x2000, L" /K %s", _v1412.dwXSize);
    								_t664 = _t664 + 0x10;
    								E0103F3A0(_t648, 0x2000, _v1412.lpDesktop);
    								_t322 = E0103F3A0(_v1412.dwY, 0x2000, _t648);
    								__imp___wcsicmp(_v1428.dwProcessId, L" /K ");
    								__eflags = _t322;
    								if(_t322 == 0) {
    									L165:
    									_v1412.hStdOutput = _v1412.cb;
    									_v1414 = _t473;
    									goto L25;
    								}
    								_t526 = _v1412.dwX;
    								__eflags =  *_t526;
    								if( *_t526 == 0) {
    									goto L165;
    								}
    								_t622 = _t526;
    								_v1412.lpDesktop =  &(_t622[0]);
    								do {
    									_t397 =  *_t622;
    									_t622 =  &(_t622[0]);
    									__eflags = _t397 - _v1412.dwY;
    								} while (_t397 != _v1412.dwY);
    								_t623 = _t622 - _v1412.lpDesktop;
    								__eflags = _t623;
    								_t398 = _v1412.cb;
    								_t651 = _v1412.cb;
    								_v1428.dwProcessId = _t623 >> 1;
    								_v1412.hStdError = _t651 + 2;
    								do {
    									_t626 =  *_t651;
    									_t651 = _t651 + 2;
    									__eflags = _t626 - _v1412.dwY;
    								} while (_t626 != _v1412.dwY);
    								_v1412.lpDesktop = _t651;
    								_t648 = _v1412.lpReserved2;
    								__eflags = (_t651 - _v1412.hStdError >> 1) + _v1428.dwProcessId - 0x2000;
    								if((_t651 - _v1412.hStdError >> 1) + _v1428.dwProcessId >= 0x2000) {
    									E010378E4(_t526, 0x2363, _t473, _t526);
    									_t664 = _t664 + 0xc;
    								} else {
    									E0103FC40(_t398, 0x2000, " ");
    									E0103FC40(_v1428.dwThreadId, 0x2000, _v1412.lpTitle);
    								}
    								goto L165;
    							}
    							_push(_t319);
    							_push(0x400023d2);
    							E010378E4(L"COMSPEC");
    							goto L46;
    						} else {
    							E0103F3A0(_v1412.dwFillAttribute, 0x2000, _t648);
    							_t613 = _t648;
    							_v1128 = _t648;
    							_t404 = E0103F410( &_v1184, _t648, _t684, 0x2000);
    							if(_t404 == 3) {
    								L152:
    								E01055C54(_t648);
    								goto L46;
    							}
    							if(_t404 == 0) {
    								L153:
    								E0103F3A0(_t648, 0x2000, _v1412.dwFillAttribute);
    								_v1437 = _t473;
    								L25:
    								E0103F3A0(_v1412.dwYSize, 0x2000, _v1412.dwXSize);
    								_t510 = _v1412.dwXSize;
    								_t613 = 0x2000;
    								E0103FC40(_v1412.dwXSize, 0x2000, " ");
    								_t326 = _v1412.lpReserved2;
    								if(_v1412.lpReserved2 != 0) {
    									_t510 = _v1412.dwYSize;
    									_t613 = 0x2000;
    									E0103FC40(_v1412.dwYSize, 0x2000, _t326);
    								}
    								if(_v1422 != 0) {
    									SetConsoleCtrlHandler(0, _t473);
    								}
    								_t329 = 0x44;
    								memset( &_v1252, 0, _t329);
    								_t664 = _t664 + 0xc;
    								_t333 = 0x44;
    								_v1252.cb = _t333;
    								GetStartupInfoW( &_v1252);
    								_v1316 = _v1252.lpDesktop;
    								if(_v1433 != 0) {
    									__eflags = _v1412.lpReserved2 - 2;
    									if(_v1412.lpReserved2 == 2) {
    										goto L29;
    									}
    									__eflags = _v1412.lpDesktop;
    									if(_v1412.lpDesktop != 0) {
    										goto L29;
    									}
    									__eflags = _v1412.dwYSize - 0xffff;
    									if(_v1412.dwYSize != 0xffff) {
    										goto L29;
    									}
    									__eflags = _v1412.dwFlags;
    									if(_v1412.dwFlags != 0) {
    										goto L29;
    									}
    									_t393 = E010473E8(_t510);
    									__eflags = _t393;
    									if(_t393 == 0) {
    										goto L29;
    									}
    									_v1433 = _t473;
    									goto L36;
    								} else {
    									L29:
    									_t336 =  &(_v1412.hStdError);
    									_v1433 = 0;
    									_v1412.hStdError = 0;
    									__imp__InitializeProcThreadAttributeList(0, 2, 0, _t336);
    									if(_t336 != 0) {
    										 *0x10667a8 = 0x54f;
    										goto L152;
    									}
    									if(GetLastError() != 0x7a) {
    										 *0x10667a8 = GetLastError();
    										goto L152;
    									}
    									_t475 = HeapAlloc(GetProcessHeap(), 8, _v1412.wShowWindow);
    									if(_t475 == 0) {
    										 *0x10667a8 = GetLastError();
    										L177:
    										E01055C54(_t648);
    										_t473 = 1;
    										goto L46;
    									}
    									__imp__InitializeProcThreadAttributeList(_t475, 2, 0,  &(_v1412.wShowWindow));
    									if(0 == 0) {
    										 *0x10667a8 = GetLastError();
    										L176:
    										__eflags = 0;
    										RtlFreeHeap(GetProcessHeap(), 0, _t475);
    										goto L177;
    									}
    									_v1412.dwYCountChars = 1;
    									_t350 =  &(_v1412.dwYCountChars);
    									__imp__UpdateProcThreadAttribute(_t475, 0, 0x60001, _t350, 4, 0, 0);
    									if(_t350 == 0) {
    										L178:
    										_t351 = GetLastError();
    										 *0x10667a8 = _t351;
    										__imp__DeleteProcThreadAttributeList(_t475);
    										goto L176;
    									}
    									_t352 = _v1444;
    									_v1316 = _t475;
    									if(_t352 != 0xffff) {
    										_v1492 = _t352;
    										_t353 =  &_v1492;
    										__imp__UpdateProcThreadAttribute(_t475, 0, 0x20004, _t353, 2, 0, 0);
    										__eflags = _t353;
    										if(_t353 == 0) {
    											goto L178;
    										}
    									}
    									_t359 = CreateProcessW(_t648, _v1476, 0, 0, 1, _v1528 | 0x00000400, _v1456, _v1468,  &_v1412,  &_v1428);
    									_v1520 = _t359 != 0;
    									__imp__DeleteProcThreadAttributeList(_t475);
    									RtlFreeHeap(GetProcessHeap(), 0, _t475);
    									_t473 = 1;
    									L36:
    									if(_v1526 != 0) {
    										SetConsoleCtrlHandler(0, 0);
    									}
    									_t365 = GetLastError();
    									 *0x10667a8 = _t365;
    									if(_v1537 != 0) {
    										L196:
    										_t516 = _t648;
    										_t257 =  &(_t516[1]); // 0x2
    										_t620 = _t257;
    										do {
    											_t366 =  *_t516;
    											_t516 =  &(_t516[1]);
    											__eflags = _t366 - _v1500;
    										} while (_t366 != _v1500);
    										_t518 = _t516 - _t620 >> 1;
    										_t367 = 5;
    										__eflags = _t518 - _t367;
    										if(_t518 < _t367) {
    											_t368 = _v1529;
    										} else {
    											_t378 =  &(_t648[_t518 + 0xfffffffc]);
    											__imp___wcsnicmp(_t378, L".LNK", _t367);
    											_t664 = _t664 + 0xc;
    											asm("sbb al, al");
    											_t368 =  ~_t378 & _v1529;
    										}
    										_v1544 = _v1544 & 0xfffffffb;
    										asm("sbb eax, eax");
    										_t371 =  ~(_t368 & 0x000000ff) &  &_v636;
    										__eflags = _v1522;
    										_t520 = _v1520;
    										if(_v1522 == 0) {
    											_t520 = _v1504;
    										}
    										_push(_t520);
    										_t613 = _t648;
    										_t373 = E0105B701(_v1412.dwXCountChars & 0x0000ffff, _v1544, _t648, _t520, _v1484, _v1412.dwXCountChars & 0x0000ffff, _v1464, _t371,  &_v1444);
    										__eflags = _t373;
    										if(_t373 == 0) {
    											goto L152;
    										} else {
    											goto L42;
    										}
    									} else {
    										if(_v1536 == 0) {
    											__eflags =  *0x1066755;
    											if( *0x1066755 == 0) {
    												L195:
    												__eflags = _t365 - 0x2e4;
    												if(_t365 != 0x2e4) {
    													goto L152;
    												}
    												goto L196;
    											}
    											__eflags = _t365 - 0xc1;
    											if(_t365 == 0xc1) {
    												goto L196;
    											}
    											goto L195;
    										}
    										_t478 = _v1508;
    										if(_t478 != 0) {
    											asm("stosd");
    											asm("stosd");
    											asm("stosd");
    											_t381 =  &(_v1252.lpReserved2);
    											__imp__GetThreadGroupAffinity(_v1440, _t381);
    											__eflags = _t381;
    											if(_t381 != 0) {
    												_v1488 = _v1252.dwFlags;
    											}
    											_t524 = _v1496;
    											__eflags = _t524 - 0xffff;
    											if(_t524 == 0xffff) {
    												L189:
    												_t382 = _v1488;
    												_t479 = _t478 & _t382;
    												__eflags = _t479;
    												if(_t479 != 0) {
    													_t382 = _t479;
    												}
    												SetProcessAffinityMask(_v1452, _t382);
    												_t648 = _v1476;
    												goto L40;
    											} else {
    												asm("stosd");
    												asm("stosd");
    												asm("stosd");
    												_t387 =  &(_v1252.dwXCountChars);
    												__imp__GetNumaNodeProcessorMaskEx(_t524, _t387);
    												__eflags = _t387;
    												if(_t387 == 0) {
    													L188:
    													__eflags = 0;
    													_t478 = 0;
    													goto L189;
    												}
    												_t390 = _v1252.dwXSize & _v1496;
    												__eflags = _t390;
    												if(_t390 == 0) {
    													goto L188;
    												}
    												_v1496 = _t390;
    												__imp__RtlFindLeastSignificantBit(_v1252.dwXSize, 0);
    												_t478 = _t478 << 0;
    												goto L189;
    											}
    										}
    										L40:
    										if(_v1531 != 0) {
    											ResumeThread(_v1448);
    										}
    										CloseHandle(_v1448);
    										L42:
    										_t374 = _v1448;
    										if(_t374 != 0) {
    											if(_v1525 != 0) {
    												 *0x10665dc = E010381EC(_t374);
    											} else {
    												CloseHandle(_t374);
    											}
    										}
    										_t473 = 0;
    										goto L46;
    									}
    								}
    							}
    							_t534 = 5;
    							if(_t404 == _t534) {
    								goto L153;
    							}
    							if(_t404 == 2) {
    								goto L154;
    							}
    							goto L25;
    						}
    					}
    				}
    			}
    0x01045ea4
    0x01045eb0
    0x01045ebc
    0x01045ec4
    0x01051cca
    0x01051cca
    0x01051cd1
    0x01051cd6
    0x00000000
    0x01051cd6
    0x01045eca
    0x01045ece
    0x01045eda
    0x01051ce0
    0x01051ce9
    0x01051cf5
    0x01051cfb
    0x01051cfd
    0x00000000
    0x00000000
    0x01051cff
    0x01045f0a
    0x01045f13
    0x01045f18
    0x01045f29
    0x01045f31
    0x01045f32
    0x01045f37
    0x01051d08
    0x01051d08
    0x01045f3d
    0x01045f48
    0x01045f4d
    0x01051dde
    0x01051dde
    0x01051de0
    0x01051de0
    0x01051de3
    0x01051de3
    0x01051de6
    0x01051de9
    0x01051de9
    0x01051df4
    0x01051df6
    0x01051df7
    0x01051df9
    0x01051e1b
    0x01051dfb
    0x01051e04
    0x01051e08
    0x01051e0e
    0x01051e13
    0x01051e15
    0x01051e15
    0x01051e1f
    0x01051e30
    0x01051e32
    0x01051e34
    0x01051e39
    0x01051e3d
    0x01051e3f
    0x01051e3f
    0x01051e43
    0x01051e56
    0x01051e62
    0x01051e67
    0x01051e69
    0x00000000
    0x01051e6f
    0x00000000
    0x01051e6f
    0x01045f53
    0x01045f58
    0x01051dc3
    0x01051dca
    0x01051dd3
    0x01051dd3
    0x01051dd8
    0x00000000
    0x00000000
    0x00000000
    0x01051dd8
    0x01051dcc
    0x01051dd1
    0x00000000
    0x00000000
    0x00000000
    0x01051dd1
    0x01045f5e
    0x01045f64
    0x01051d1c
    0x01051d1d
    0x01051d1e
    0x01051d1f
    0x01051d2b
    0x01051d31
    0x01051d33
    0x01051d3c
    0x01051d3c
    0x01051d40
    0x01051d44
    0x01051d4a
    0x01051d96
    0x01051d96
    0x01051d9a
    0x01051d9a
    0x01051d9c
    0x01051d9e
    0x01051d9e
    0x01051da5
    0x01051dab
    0x00000000
    0x01051d4c
    0x01051d55
    0x01051d56
    0x01051d57
    0x01051d58
    0x01051d61
    0x01051d67
    0x01051d69
    0x01051d92
    0x01051d92
    0x01051d94
    0x00000000
    0x01051d94
    0x01051d72
    0x01051d72
    0x01051d76
    0x00000000
    0x00000000
    0x01051d78
    0x01051d86
    0x01051d8e
    0x00000000
    0x01051d8e
    0x01051d4a
    0x01045f6a
    0x01045f6f
    0x01051db8
    0x01051db8
    0x01045f79
    0x01045f7f
    0x01045f7f
    0x01045f85
    0x01045f8c
    0x01051e7b
    0x01045f92
    0x01045f93
    0x01045f93
    0x01045f8c
    0x01045f9b
    0x00000000
    0x01045f9b
    0x01045f4d
    0x01045e36
    0x01045d9b
    0x01045d9e
    0x00000000
    0x00000000
    0x01045da7
    0x00000000
    0x00000000
    0x00000000
    0x01045da7
    0x01045d59
    0x01045c47

    APIs
    • memset.MSVCRT ref: 01045B0A
    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6), ref: 01045B2B
    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5), ref: 01045B3A
    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F4), ref: 01045B49
    • memset.MSVCRT ref: 01045B87
      • Part of subcall function 0103E3F0: memset.MSVCRT ref: 0103E455
    • wcschr.MSVCRT ref: 01045D0A
    • memset.MSVCRT ref: 01045E03
    • GetStartupInfoW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?), ref: 01045E1D
    • InitializeProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000002,00000000,?), ref: 01045E4F
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 01045E5D
    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?), ref: 01045E72
    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 01045E79
    • InitializeProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000002,00000000,?), ref: 01045E94
    • UpdateProcThreadAttribute.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,00000000,00060001,?,00000004,00000000,00000000), ref: 01045EBC
    • CreateProcessW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,00000000,00000000,00000001,?,?,?,?,?), ref: 01045F0A
    • DeleteProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,00000000), ref: 01045F18
    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 01045F22
    • RtlFreeHeap.NTDLL(00000000), ref: 01045F29
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 01045F3D
    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 01045F79
    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 01045F93
    • ??_V@YAXPAX@Z.MSVCRT ref: 01045FA6
    • ??_V@YAXPAX@Z.MSVCRT ref: 01045FB6
    • ??_V@YAXPAX@Z.MSVCRT ref: 01045FC6
    • ??_V@YAXPAX@Z.MSVCRT ref: 01045FD2
    • ??_V@YAXPAX@Z.MSVCRT ref: 01045FDE
    • ??_V@YAXPAX@Z.MSVCRT ref: 01045FEE
    • ??_V@YAXPAX@Z.MSVCRT ref: 01045FFE
    • ??_V@YAXPAX@Z.MSVCRT ref: 0104601A
    • _wcsicmp.MSVCRT ref: 01046055
    • _wcsicmp.MSVCRT ref: 0104606B
    • _wcsicmp.MSVCRT ref: 01046081
    • _wcsicmp.MSVCRT ref: 01046097
    • _wcsicmp.MSVCRT ref: 010460AD
    • towupper.MSVCRT ref: 010460C1
    • _wcsicmp.MSVCRT ref: 010460DA
    • towupper.MSVCRT ref: 010460EA
    • towupper.MSVCRT ref: 010460FF
    • _wcsicmp.MSVCRT ref: 01046116
    • _wcsicmp.MSVCRT ref: 01046128
      • Part of subcall function 0103F410: _wcsnicmp.MSVCRT ref: 0103F483
      • Part of subcall function 0103F410: memset.MSVCRT ref: 0103F4BA
    • _wcsicmp.MSVCRT ref: 01051B75
    • GetThreadGroupAffinity.API-MS-WIN-CORE-PROCESSTOPOLOGY-L1-1-0(?,?), ref: 01051D2B
    • GetNumaNodeProcessorMaskEx.API-MS-WIN-CORE-SYSTEMTOPOLOGY-L1-1-0(?,?), ref: 01051D61
    • RtlFindLeastSignificantBit.NTDLL ref: 01051D86
    • SetProcessAffinityMask.API-MS-WIN-CORE-PROCESSTOPOLOGY-OBSOLETE-L1-1-0(?,?), ref: 01051DA5
    • ResumeThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?), ref: 01051DB8
    • _wcsnicmp.MSVCRT ref: 01051E08
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: _wcsicmp$Thread$Handlememset$AttributeHeapProcProcess$Listtowupper$AffinityCloseErrorInitializeLastMask_wcsnicmp$AllocCreateDeleteFindFreeGroupInfoLeastNodeNumaProcessorResumeSignificantStartupUpdatewcschr
    • String ID: $ /K $ /K %s$"%s"$.LNK$ABOVENORMAL$AFFINITY$BELOWNORMAL$COMSPEC$HIGH$LOW$MAX$MIN$NEWWINDOW$NODE$NORMAL$REALTIME$SEPARATE$SHARED$WAIT$cmd.exe
    • API String ID: 1850954338-2837462620
    • Opcode ID: 466aa3c42814d90f94ebf4b263d40b9c9fe0bc8f60601e5ffc10209d081cde09
    • Instruction ID: 3b294cf70ef531caaf179f1fda62529e4abec092f4d73964835e6e809b5bd97e
    • Opcode Fuzzy Hash: 466aa3c42814d90f94ebf4b263d40b9c9fe0bc8f60601e5ffc10209d081cde09
    • Instruction Fuzzy Hash: F882A0B06083419FE7659B28D888B6FBBE9EF85310F14492DF9C5D7190EB79C944CB12
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 74%
    			E01040BF0(intOrPtr __ecx, signed int __edx) {
    				wchar_t* _v8;
    				WCHAR* _v12;
    				long _v16;
    				int _v20;
    				signed int _v24;
    				intOrPtr _v28;
    				struct _IO_FILE* _v32;
    				long _v36;
    				wchar_t* _v40;
    				signed int _v44;
    				signed int _v48;
    				long _v52;
    				signed int _v56;
    				signed int _v60;
    				short* _v64;
    				signed int _v68;
    				signed int _v72;
    				signed int _v76;
    				wchar_t* _v80;
    				int _v84;
    				signed int _v88;
    				long _v92;
    				signed int _v96;
    				long _v100;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				wchar_t* _t233;
    				short* _t241;
    				short _t247;
    				signed int _t248;
    				WCHAR* _t249;
    				struct _IO_FILE* _t255;
    				int _t259;
    				long _t261;
    				signed int _t267;
    				short* _t268;
    				wchar_t* _t270;
    				signed int _t271;
    				signed int _t277;
    				signed int _t279;
    				long _t280;
    				signed short _t281;
    				long _t283;
    				wchar_t* _t286;
    				signed int _t288;
    				long _t291;
    				wchar_t* _t293;
    				long _t294;
    				int _t301;
    				wchar_t* _t303;
    				int _t309;
    				char* _t314;
    				intOrPtr _t315;
    				int _t316;
    				intOrPtr* _t317;
    				signed int _t321;
    				signed int _t322;
    				signed int _t323;
    				intOrPtr _t324;
    				intOrPtr _t326;
    				wchar_t* _t333;
    				signed int _t344;
    				wchar_t* _t347;
    				signed int _t348;
    				void* _t349;
    				signed int _t350;
    				void* _t351;
    				void* _t352;
    				wchar_t* _t353;
    				long* _t355;
    				struct _IO_FILE* _t356;
    				signed int _t359;
    				signed int _t364;
    				WCHAR* _t365;
    				int _t369;
    				signed int _t374;
    				signed int _t375;
    				long _t377;
    				signed short _t378;
    				int _t379;
    				long _t382;
    				signed int _t384;
    				long _t386;
    				void* _t393;
    				long _t399;
    				wchar_t* _t403;
    				signed short* _t405;
    				signed int _t410;
    				WCHAR* _t412;
    				signed int _t414;
    				int _t416;
    				long _t417;
    				signed int _t418;
    				signed int _t420;
    				signed int _t421;
    				signed int _t424;
    				intOrPtr _t427;
    				void* _t429;
    				long _t431;
    				signed int _t432;
    				void* _t433;
    				long _t434;
    				void* _t440;
    				intOrPtr* _t441;
    				intOrPtr _t442;
    				intOrPtr _t443;
    				WCHAR* _t444;
    				wchar_t* _t448;
    				short* _t449;
    				short* _t450;
    				intOrPtr* _t451;
    				signed int _t452;
    				signed int _t454;
    				void* _t456;
    				long _t457;
    				signed int _t458;
    				signed short* _t459;
    				void* _t460;
    				void* _t462;
    				void* _t464;
    				void* _t465;
    				void* _t468;
    
    				_t443 = __ecx;
    				_v24 = __edx;
    				_v28 = __ecx;
    				_v84 = 1;
    				_v92 = 1;
    				_v72 = 0x3b;
    				_t233 = E0104054B(_t349, L" \t", _t433, __ecx);
    				_t362 =  *(__ecx + 0x4c);
    				_t350 = 1;
    				_v40 = _t233;
    				_t434 = 0;
    				_v68 = 0;
    				_v16 = 1;
    				_v44 = 1;
    				_v76 = 0;
    				_v20 = 0;
    				if(_t362 == 0) {
    					L25:
    					_t444 =  *(_t443 + 0x3c);
    					_v12 = _t444;
    					asm("sbb eax, eax");
    					_t350 = ( ~_t434 & 0x00000005) + 0x00000022 & 0x0000ffff;
    					asm("sbb edi, edi");
    					_v96 = _t350;
    					_t434 = ( ~_t434 & 0x00000039) + 0x00000027 & 0x0000ffff;
    					_v100 = _t434;
    					if(_t444 == 0) {
    						L144:
    						_push(0);
    						_t444 = E0103BC30(_t444, 0);
    						_v12 = _t444;
    						_t410 =  *_t444 & 0x0000ffff;
    						L28:
    						_v80 = 0;
    						if(_t410 == 0) {
    							L80:
    							if(_v16 > 1) {
    								_t241 =  *0x1066740;
    								if(_t241 != 0 &&  *_t241 != 0) {
    									_t364 = _v24;
    									 *((short*)(_t241 + 2 + _t364 * 2)) = 0;
    									 *((intOrPtr*)( *0x106673c + 4 + _t364 * 4)) = 0;
    								}
    							}
    							return _v92;
    						}
    						L30:
    						if( *0x1066744 != 0) {
    							goto L80;
    						}
    						if( *0x1066738 != 0) {
    							L178:
    							 *0x1066740 =  *0x10790e4;
    							 *0x1066738 = 0;
    							 *0x106673c =  *0x10790e0;
    						}
    						if( *0x106259c != 0) {
    							E010598B5(_t350, _t434);
    						}
    						_t412 = _t444;
    						_v8 = 0;
    						_v32 = 0;
    						_v88 = _v68;
    						_t365 =  &(_t412[1]);
    						do {
    							_t247 =  *_t412;
    							_t412 =  &(_t412[1]);
    						} while (_t247 != 0);
    						_t248 =  *_t444 & 0x0000ffff;
    						_t414 = _t412 - _t365 >> 1;
    						_v56 = _t414;
    						if(_t248 == _t434) {
    							if(_t414 <= 1 ||  *((intOrPtr*)(_t444 + _t414 * 2 - 2)) != _t434) {
    								goto L36;
    							} else {
    								_t450 =  &(_t444[1]);
    								_t421 = _t414 - 2;
    								_v12 = _t450;
    								_v56 = _t421;
    								_t450[_t421] = 0;
    								__imp___wpopen(_t450, L"rb");
    								_t462 = _t460 + 8;
    								_v32 = 0;
    								if(0 == 0) {
    									E010378E4(_t365, 0x2331, 1, _t450);
    									return GetLastError();
    								}
    								_t352 = 0;
    								_t434 = 0;
    								_t451 = 0;
    								_t301 = feof(0);
    								_t464 = _t462 + 4;
    								if(_t301 != 0) {
    									L134:
    									_pclose(_v32);
    									_t465 = _t464 + 4;
    									_t391 = _t451;
    									_t303 = E0103DD20(_t451, 4 + _t434 * 2);
    									_t353 = _t303;
    									_v32 = _t303;
    									if(_t353 == 0) {
    										_t391 = _t451;
    										E0103DC60(_t451);
    										_t353 = 0;
    										_v32 = 0;
    									}
    									if( *0x1066740 == 0 ||  *0x106673c == 0 || _t353 == 0) {
    										E010378E4(_t391, 0x2374, 1, _v12);
    										return 8;
    									} else {
    										memmove(_t353 + _t434, _t353, _t434);
    										_t460 = _t465 + 0xc;
    										_v36 = _t434;
    										L139:
    										_t369 =  *0x10625a0;
    										if(E0103E248(_t369) == 0) {
    											_t416 = 0;
    										} else {
    											_t416 = 1;
    										}
    										_t267 = MultiByteToWideChar(_t369, _t416, _t353 + _t434, _t434, _t353, _t434);
    										_v8 = _t353;
    										_t268 = _t353 + _t267 * 2;
    										_v64 = _t268;
    										if(_t268 == _t353 ||  *((short*)(_t268 - 2)) != 0xa) {
    											 *_t268 = 0xa;
    											_t268 =  &(_t268[1]);
    											_v64 = _t268;
    										}
    										 *_t268 = 0;
    										L40:
    										if(_v8 >= _t268) {
    											L78:
    											_t262 = _v32;
    											if(_v32 != 0) {
    												E0103DC60(_t262);
    											}
    											_t444 =  &(( &(_v12[_v56]))[1]);
    											_v12 = _t444;
    											if( *_t444 != 0) {
    												_t350 = _v96;
    												_t434 = _v100;
    												goto L30;
    											} else {
    												goto L80;
    											}
    										}
    										while( *0x1066744 == 0) {
    											if( *0x106259c != 0) {
    												E010598B5(_t353, _t434);
    											}
    											_t448 = _v8;
    											_t270 = wcschr(_t448, 0xa);
    											_t460 = _t460 + 8;
    											_v8 = _t270;
    											if(_t270 == 0) {
    												goto L78;
    											} else {
    												if(_t270 > _t448 &&  *((short*)(_t270 - 2)) == 0xd) {
    													 *((short*)(_t270 - 2)) = 0;
    													_t270 = _v8;
    												}
    												 *_t270 = 0;
    												_v8 =  &(_v8[0]);
    												_t271 = _v88;
    												if(_t271 != 0) {
    													_v88 = _t271 - 1;
    													goto L77;
    												} else {
    													_t417 = _v16;
    													_t374 = _v24 * 4;
    													_v60 = _t374;
    													if(_t417 > 1) {
    														_t440 =  *0x106673c + 4 + _t374;
    														_t154 = _t417 - 1; // 0x0
    														_t375 = _t154;
    														memset(_t440, 0, _t375 << 2);
    														_t460 = _t460 + 0xc;
    														_t434 = _t440 + _t375;
    													} else {
    														_v60 = _t374;
    													}
    													_t277 =  *_t448 & 0x0000ffff;
    													_t418 = 0;
    													_v48 = 0;
    													_v20 = 0;
    													if(_t277 == 0) {
    														L77:
    														if(_v8 < _v64) {
    															continue;
    														}
    														goto L78;
    													} else {
    														_t377 = 1;
    														_v52 = 1;
    														while(1) {
    															_t353 = _v40;
    															if(_t277 == 0) {
    																goto L57;
    															}
    															L54:
    															_t386 = _t277 & 0x0000ffff;
    															while(1) {
    																_t293 = wcschr(_t353, _t386);
    																_t460 = _t460 + 8;
    																if(_t293 == 0) {
    																	break;
    																}
    																_t294 = _t448[0] & 0x0000ffff;
    																_t448 =  &(_t448[0]);
    																_t386 = _t294;
    																if(_t294 != 0) {
    																	continue;
    																}
    																break;
    															}
    															_t418 = _v48;
    															_t377 = _v52;
    															L57:
    															if(_t418 == 0) {
    																if( *_t448 != _v72) {
    																	goto L58;
    																}
    																L72:
    																_t379 = _v20;
    																L73:
    																if(_t379 != 0) {
    																	_t283 = E01040BBB(_t353,  *((intOrPtr*)(_v28 + 0x40)), _v84, _t434);
    																	_t353 = _v80;
    																	_v92 = _t283;
    																	if(_t353 != 0) {
    																		E0104198F(_t353, _t434);
    																	} else {
    																		_t353 =  *0x1066778;
    																	}
    																	_v80 = _t353;
    																	_v84 = 0;
    																}
    																goto L77;
    															}
    															L58:
    															_t279 = _v76;
    															_t434 = _t448;
    															if(_t279 != 0) {
    																if(_t377 != _t279) {
    																	goto L59;
    																}
    																 *( *0x106673c + (_v20 + _v24) * 4) = _t448;
    																_t379 = _v20 + 1;
    																goto L73;
    															}
    															L59:
    															_t280 =  *_t448 & 0x0000ffff;
    															if(_t280 == 0) {
    																L67:
    																_t281 =  *_t448 & 0x0000ffff;
    																_t378 = _t281;
    																if(_t281 != 0) {
    																	 *_t448 = 0;
    																	_t448 =  &(_t448[0]);
    																	_t378 =  *_t448 & 0x0000ffff;
    																}
    																_t277 = _t378 & 0x0000ffff;
    																if(_t378 == 0) {
    																	goto L72;
    																} else {
    																	_t377 = _v52;
    																	_t353 = _v40;
    																	if(_t277 == 0) {
    																		goto L57;
    																	}
    																	goto L54;
    																}
    															}
    															_t382 = _t280;
    															while(1) {
    																_t286 = wcschr(_t353, _t382);
    																_t460 = _t460 + 8;
    																if(_t286 != 0) {
    																	break;
    																}
    																_t291 = _t448[0] & 0x0000ffff;
    																_t448 =  &(_t448[0]);
    																_t382 = _t291;
    																if(_t291 != 0) {
    																	continue;
    																}
    																break;
    															}
    															_t418 = _v48;
    															if(_t434 != _t448 && _t418 < 0x20) {
    																_t288 = 1 << _t418;
    																_t418 = _t418 + 1;
    																_v48 = _t418;
    																if((_t288 & _v44) != 0) {
    																	_t384 = _v60;
    																	_v20 = _v20 + 1;
    																	 *(_t384 +  *0x106673c) = _t434;
    																	_v52 = _v52 + 1;
    																	_v60 = _t384 + 4;
    																}
    															}
    															goto L67;
    														}
    													}
    												}
    											}
    										}
    										goto L78;
    									}
    								} else {
    									goto L128;
    								}
    								while(1) {
    									L128:
    									_t309 = ferror(_v32);
    									_t464 = _t464 + 4;
    									if(_t309 != 0) {
    										goto L134;
    									}
    									if(_t352 - _t434 >= 0x200) {
    										L133:
    										 *(_t451 + _t434) = 0;
    										_t314 = fgets(_t451 + _t434, _t352 - _t434, _v32);
    										_t464 = _t464 + 0xc;
    										if(_t314 != 0) {
    											_t441 = _t451;
    											_t200 = _t441 + 1; // 0x1
    											_t393 = _t200;
    											do {
    												_t315 =  *_t441;
    												_t441 = _t441 + 1;
    											} while (_t315 != 0);
    											_t434 = _t441 - _t393;
    											_t316 = feof(_v32);
    											_t464 = _t464 + 4;
    											if(_t316 == 0) {
    												continue;
    											}
    										}
    										goto L134;
    									}
    									_t352 = _t352 + 0x100;
    									if(_t451 != 0) {
    										_t317 = E0103DD20(_t451, _t352);
    										if(_t317 != 0) {
    											L132:
    											_t451 = _t317;
    											if(_t451 == 0) {
    												L186:
    												_pclose(_v32);
    												return 8;
    											}
    											goto L133;
    										}
    										E0103DC60(_t451);
    										goto L186;
    									}
    									_t317 = E0103DCD0(_t352);
    									goto L132;
    								}
    								goto L134;
    							}
    						}
    						L36:
    						if(_t248 != _t350 || _t414 <= 1 ||  *((intOrPtr*)(_t444 + _t414 * 2 - 2)) != _t350) {
    							if(_t248 == 0x22) {
    								_t444 =  &(_t444[1]);
    								_v12 = _t444;
    								_t249 = _t444;
    								_v56 = _t414 - 1;
    								_t365 = _t444;
    								if( *_t444 == 0) {
    									L168:
    									_v8 = _t365;
    									if( *_t365 != 0x22) {
    										goto L146;
    									}
    									while(1) {
    										 *_t365 = 0;
    										_t365 = _v8 - 2;
    										_v8 = _t365;
    										if(_t365 < _t444 ||  *_t365 != 0x20) {
    											goto L146;
    										}
    									}
    									goto L146;
    								} else {
    									goto L167;
    								}
    								do {
    									L167:
    									_t365 = _t249;
    									_t249 =  &(_t249[1]);
    								} while ( *_t249 != 0);
    								goto L168;
    							}
    							L146:
    							_t351 = CreateFileW(_t444, 0x80000000, 5, 0, 3, 0, 0);
    							if(_t351 == 0xffffffff) {
    								E010378E4(_t365, 0x2363, 1, _t444);
    								return GetLastError();
    							}
    							_t434 = SetFilePointer(_t351, 0, 0, 2);
    							SetFilePointer(_t351, 0, 0, 0);
    							_t255 = E0103DCD0(4 + _t434 * 2);
    							_v32 = _t255;
    							if(_t255 == 0) {
    								CloseHandle(_t351);
    								return 8;
    							}
    							_v36 = 0xffffffff;
    							_t259 = ReadFile(_t351, _t255 + _t434, _t434,  &_v36, 0);
    							CloseHandle(_t351);
    							if(_t259 == 0) {
    								_t261 = 0;
    								_v36 = 0;
    							} else {
    								_t261 = _v36;
    							}
    							if(_t261 != _t434) {
    								goto L78;
    							} else {
    								_t353 = _v32;
    								goto L139;
    							}
    						} else {
    							 *((short*)(_t444 + _t414 * 2 - 2)) = 0xa;
    							_t449 =  &(_t444[1]);
    							_t420 = _t414 - 2;
    							_v12 = _t449;
    							_v56 = _t420;
    							_v8 = _t449;
    							_t268 =  &(_t449[_t420 + 1]);
    							_v64 = _t268;
    							goto L40;
    						}
    					}
    					_t321 =  *_t444 & 0x0000ffff;
    					_t410 = _t321;
    					if(_t321 == _t434 || _t321 == _t350) {
    						goto L28;
    					} else {
    						goto L144;
    					}
    				}
    				_v8 = _t362;
    				_t322 =  *_t362 & 0x0000ffff;
    				if(_t322 != 0x22) {
    					if(_t322 == 0x27) {
    						goto L2;
    					}
    					_t452 = 0;
    					L3:
    					_t323 = _t362;
    					_v32 = _t452;
    					if(_t323 == 0) {
    						L24:
    						_t443 = _v28;
    						goto L25;
    					} else {
    						goto L4;
    					}
    					while(1) {
    						L4:
    						_t424 =  *_t362 & 0x0000ffff;
    						if(_t424 == 0) {
    							break;
    						} else {
    						}
    						while(_t424 <= 0x20) {
    							_t362 =  &(_t362[0]);
    							_v8 = _t362;
    							_t323 =  *_t362 & 0x0000ffff;
    							_t424 = _t323;
    							if(_t323 != 0) {
    								continue;
    							}
    							break;
    						}
    						if( *_t362 == _t452) {
    							break;
    						}
    						__imp___wcsnicmp(_t362, L"usebackq", 8);
    						_t460 = _t460 + 0xc;
    						if(_t323 == 0) {
    							_t434 = 1;
    							_t362 =  &(_v8[4]);
    							_v20 = 1;
    							_v8 = _t362;
    							L90:
    							_t452 = _v32;
    							if(_t362 != 0) {
    								continue;
    							}
    							break;
    						}
    						__imp___wcsnicmp(_v8, L"useback", 7);
    						_t460 = _t460 + 0xc;
    						if(_t323 == 0) {
    							_t434 = 1;
    							_t362 =  &(_v8[3]);
    							_v20 = 1;
    							_v8 = _t362;
    							goto L90;
    						}
    						__imp___wcsnicmp(_v8, L"eol=", 4);
    						_t460 = _t460 + 0xc;
    						if(_t323 == 0) {
    							_t403 = _v8;
    							_t323 =  *(_t403 + 8) & 0x0000ffff;
    							_t362 = _t403 + 0xa;
    							_v72 = _t323;
    							_v8 = _t362;
    							goto L90;
    						}
    						__imp___wcsnicmp(_v8, L"delims=", 7);
    						_t460 = _t460 + 0xc;
    						if(_t323 != 0) {
    							__imp___wcsnicmp(_v8, L"skip=", 5);
    							_t468 = _t460 + 0xc;
    							if(_t323 == 0) {
    								_t362 =  &_v8;
    								_t333 =  &(_v8[2]);
    								_v8 = _t333;
    								_t323 = wcstol(_t333,  &_v8, 0);
    								_t460 = _t468 + 0xc;
    								_v68 = _t323;
    								if(_t323 <= 0) {
    									L176:
    									E010378E4(_t362, 0x234a, 1, _v8);
    									return 1;
    								}
    								_t362 = _v8;
    								goto L90;
    							}
    							__imp___wcsnicmp(_v8, L"tokens=", 7);
    							_t460 = _t468 + 0xc;
    							if(_t323 != 0) {
    								goto L176;
    							}
    							_t350 = 0;
    							_t362 =  &(_v8[3]);
    							_v44 = _t323;
    							_v8 = _t362;
    							_t323 =  *_t362 & 0x0000ffff;
    							if(_t323 == 0) {
    								L108:
    								if(_t350 <= _v16) {
    									_t350 = _v16;
    								} else {
    									_v16 = _t350;
    								}
    								goto L90;
    							}
    							while(_t323 != _t452) {
    								if(_t323 == 0x2a) {
    									_t362 =  &(_t362[0]);
    									_t350 = _t350 + 1;
    									_v8 = _t362;
    									_v76 = _t350;
    									goto L108;
    								}
    								_t457 = wcstol(_t362,  &_v8, 0);
    								_t460 = _t460 + 0xc;
    								if(_t457 <= 0) {
    									goto L176;
    								}
    								_t362 = _v8;
    								if( *_t362 == 0x2d) {
    									_t165 =  &(_t362[0]); // 0x3
    									_t431 = wcstol(_t165,  &_v8, 0);
    									_t460 = _t460 + 0xc;
    									if(_t431 <= 0) {
    										goto L176;
    									}
    									_t362 = _v8;
    									L101:
    									if(_t431 >= 0x20 || _t457 > _t431) {
    										L106:
    										_t323 =  *_t362 & 0x0000ffff;
    										if(_t323 == 0x2c) {
    											_t362 =  &(_t362[0]);
    											_v8 = _t362;
    											L117:
    											_t323 =  *_t362 & 0x0000ffff;
    											_t452 = _v32;
    											if(_t323 != 0) {
    												continue;
    											}
    											goto L108;
    										}
    										if(_t323 == 0x2a) {
    											goto L117;
    										}
    										goto L108;
    									} else {
    										_v88 = _t350 + 1 + _t431 - _t457;
    										_t359 = _v44;
    										do {
    											_t457 = _t457 + 1;
    											asm("bts ebx, eax");
    										} while (_t457 <= _t431);
    										_t434 = _v20;
    										_v44 = _t359;
    										_t350 = _v88;
    										goto L106;
    									}
    								}
    								_t431 = _t457;
    								goto L101;
    							}
    							goto L108;
    						}
    						_t355 =  &(_v8[3]);
    						_t405 = _t355;
    						_v88 = _t355;
    						_v8 = _t405;
    						_t344 =  *_t405 & 0x0000ffff;
    						if(_t344 == 0) {
    							L88:
    							_t458 =  *_t405 & 0x0000ffff;
    							 *_t405 = 0;
    							E0103DC60(_v40);
    							_t347 = E0104054B(_t355, _t355, _t434, _t458);
    							_t350 = _v16;
    							_v40 = _t347;
    							_t323 = _v8;
    							 *_t323 = _t458;
    							_t362 = _v8;
    							if( *_t362 != 0) {
    								_t362 =  &(_t362[0]);
    								_v8 = _t362;
    							}
    							goto L90;
    						} else {
    							_t459 = _t355;
    							_t432 = _t344;
    							_t356 = _v32;
    							while(_t432 != _t356) {
    								if(_t432 == 0x20) {
    									if(_t405[1] == _t356) {
    										goto L16;
    									}
    									break;
    								}
    								L16:
    								_t23 =  &(_t459[1]); // -11
    								_t405 = _t23;
    								_v8 = _t405;
    								_t459 = _t405;
    								_t348 =  *_t405 & 0x0000ffff;
    								_t432 = _t348;
    								if(_t348 != 0) {
    									continue;
    								} else {
    									break;
    								}
    							}
    							_t355 = _v88;
    							goto L88;
    						}
    					}
    					if(_t350 <= 1) {
    						goto L24;
    					}
    					_t444 = _v24 + _t350;
    					_t324 = E0103DD20( *0x1066740, 2 + _t444 * 2);
    					_t398 =  *0x106673c;
    					 *0x1066740 = _t324;
    					_t427 = E0103DD20( *0x106673c, 4 + _t444 * 4);
    					_t326 =  *0x1066740;
    					 *0x106673c = _t427;
    					if(_t326 == 0 || _t427 == 0) {
    						E010378E4(_t398);
    						_t460 = _t460 + 8;
    						E01059922();
    						__imp__longjmp(0x1070a30, 1, 0x2374, 0);
    						goto L178;
    					} else {
    						_t454 = _v24;
    						_t399 = 1;
    						_t442 = _v28;
    						_t429 = _t427 + _t454 * 4 + 4;
    						_t456 = _t326 + (_t454 + 1) * 2;
    						do {
    							_t37 = _t456 + 2; // 0xfff85db
    							_t456 = _t37;
    							_t429 = _t429 + 4;
    							 *((short*)(_t456 - 2)) =  *((intOrPtr*)(_t442 + 0x44)) + _t399;
    							_t399 = _t399 + 1;
    							 *(_t429 - 4) = 0;
    						} while (_t399 < _t350);
    						_t434 = _v20;
    						 *((short*)( *0x1066740 + (_t399 + _v24) * 2)) = 0;
    						goto L24;
    					}
    				}
    				L2:
    				_t362 =  &(_t362[0]);
    				_t452 = _t322;
    				_v8 = _t362;
    				goto L3;
    			}

    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: _wcsnicmp$longjmpwcschr
    • String ID: ;$delims=$eol=$skip=$tokens=$useback$usebackq
    • API String ID: 2906524769-160831338
    • Opcode ID: 46648d9b2f51b6d413da0af480018cf9368cb66dbfba7ecc857edd81b498ee8c
    • Instruction ID: 9fa1bd8dcad8a5cbf820947372fb918f955c2d22f78fad94acea1cac2863b998
    • Opcode Fuzzy Hash: 46648d9b2f51b6d413da0af480018cf9368cb66dbfba7ecc857edd81b498ee8c
    • Instruction Fuzzy Hash: 20628FB0E00219DBDB24DF99D8C47ADB7F5FF44300F148079E986A7295EB7AA981CB50
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 77%
    			E01043EB3(void* __ecx, signed int __edx) {
    				signed int _v8;
    				int _v20;
    				char _v24;
    				int _v28;
    				void _v548;
    				int _v556;
    				char _v560;
    				int _v564;
    				void _v1084;
    				int _v1092;
    				char _v1096;
    				void* _v1100;
    				void* _v1120;
    				void _v1620;
    				int _v1628;
    				char _v1632;
    				int _v1636;
    				void* _v1640;
    				void* _v1648;
    				void* _v1656;
    				void* _v1668;
    				void* _v1680;
    				void _v2156;
    				void* _v2176;
    				char _v2180;
    				int _v2184;
    				int _v2188;
    				signed int _v2192;
    				void _v2196;
    				signed int _v2200;
    				int _v2204;
    				signed int _v2208;
    				int _v2212;
    				int _v2216;
    				int _v2220;
    				int _v2224;
    				signed int _v2228;
    				int _v2232;
    				int _v2236;
    				void* _v2240;
    				signed int _v2244;
    				long _v2248;
    				signed int _v2252;
    				signed int _v2256;
    				void* _v2260;
    				long _v2264;
    				void* _v2268;
    				void* _v2272;
    				void _v2276;
    				signed int _v2280;
    				void* _v2284;
    				void* _v2288;
    				void* _v2292;
    				void* _v2296;
    				void* _v2300;
    				void* _v2304;
    				void* _v2312;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t420;
    				intOrPtr _t423;
    				unsigned int _t424;
    				int _t450;
    				signed int _t473;
    				signed int _t475;
    				intOrPtr _t477;
    				int _t478;
    				intOrPtr _t479;
    				signed int _t488;
    				signed int _t495;
    				signed int _t498;
    				intOrPtr* _t500;
    				signed int _t503;
    				signed int _t505;
    				void* _t506;
    				signed int _t507;
    				signed char _t508;
    				void* _t509;
    				void* _t516;
    				void* _t520;
    				WCHAR* _t523;
    				signed char _t524;
    				signed int _t526;
    				signed int _t528;
    				signed char _t530;
    				void* _t531;
    				signed int _t533;
    				WCHAR* _t538;
    				signed int _t542;
    				void* _t543;
    				signed int _t544;
    				void* _t545;
    				signed int _t546;
    				void* _t547;
    				signed int _t548;
    				signed int _t551;
    				void* _t552;
    				signed int _t553;
    				void* _t554;
    				signed int _t555;
    				void* _t556;
    				signed int _t557;
    				int _t561;
    				signed int _t568;
    				int _t573;
    				long _t574;
    				signed int _t576;
    				signed int* _t578;
    				WCHAR* _t579;
    				signed int _t580;
    				signed int _t582;
    				void* _t584;
    				signed int _t586;
    				signed int _t587;
    				void* _t591;
    				void* _t592;
    				void* _t594;
    				long _t595;
    				void* _t596;
    				long _t597;
    				signed int _t598;
    				signed int _t604;
    				signed int _t608;
    				signed int _t610;
    				signed int _t612;
    				signed int _t615;
    				WCHAR* _t616;
    				signed int _t623;
    				signed int _t624;
    				signed int _t625;
    				void* _t629;
    				signed int _t635;
    				signed int _t640;
    				signed int _t648;
    				signed int _t649;
    				signed int _t651;
    				signed int _t653;
    				signed int _t654;
    				void* _t655;
    				void* _t656;
    				signed int _t659;
    				int _t678;
    				long _t689;
    				LONG* _t690;
    				signed int _t706;
    				signed int _t709;
    				void* _t714;
    				signed int _t716;
    				intOrPtr* _t718;
    				signed int _t721;
    				signed char _t722;
    				signed char _t723;
    				signed int _t725;
    				intOrPtr _t726;
    				intOrPtr _t727;
    				signed int _t741;
    				signed int _t747;
    				signed int _t750;
    				signed int _t754;
    				void* _t757;
    				void* _t762;
    				WCHAR* _t768;
    				void* _t770;
    				signed int _t776;
    				signed int _t783;
    				signed int _t786;
    				signed char _t801;
    				signed int _t802;
    				signed int _t816;
    				signed int _t827;
    				void* _t828;
    				signed int _t829;
    				void* _t831;
    				signed int _t832;
    				void* _t833;
    				signed int _t834;
    				LONG* _t835;
    				signed int _t839;
    				DWORD* _t840;
    				signed int _t841;
    				void* _t844;
    				void* _t845;
    				signed int _t846;
    				signed int _t848;
    				signed int _t849;
    				LONG* _t853;
    				DWORD* _t854;
    				signed int _t856;
    				intOrPtr* _t858;
    				signed int _t860;
    				signed int _t862;
    				signed int _t866;
    
    				_t789 = __edx;
    				_t862 = (_t860 & 0xfffffff8) - 0x8d4;
    				_t420 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t420 ^ _t862;
    				_push(_t654);
    				_t827 = __edx;
    				_v2192 = 1;
    				_t844 = __ecx;
    				_v2228 = __edx;
    				_t655 = _t654 | 0xffffffff;
    				_v2260 = _t655;
    				_v2204 = 0;
    				_v2236 = 0;
    				_t423 =  *((intOrPtr*)(__edx + 0x20));
    				_v2224 = 0;
    				_v2220 = 0;
    				_v2196 = 0;
    				_v2212 = 0;
    				_v2184 = 0;
    				_v2232 = 0;
    				if(_t423 == 0) {
    					_t424 =  *(__edx + 0x1c);
    				} else {
    					_t424 =  *(_t423 + 0x1c);
    				}
    				_v2188 = 0;
    				_v2200 = _t424 >> 0x00000001 & 0x00000008;
    				_v1628 = 0x104;
    				_v2216 = 0;
    				_v1636 = 0;
    				_v1632 = 1;
    				memset( &_v2156, 0, 0x104);
    				_v24 = 1;
    				_v20 = 0x104;
    				_v28 = 0;
    				memset( &_v548, 0, 0x104);
    				_v560 = 1;
    				_v556 = 0x104;
    				_v564 = 0;
    				memset( &_v1084, 0, 0x104);
    				_v1096 = 1;
    				_v1092 = 0x104;
    				_v1100 = 0;
    				memset( &_v1620, 0, 0x104);
    				_t866 = _t862 + 0x30;
    				if(E0103E3F0(((0 | _v1632 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0 || E0103E3F0(((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0 || E0103E3F0(((0 | _v560 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0 || E0103E3F0(((0 | _v1096 == 0x00000000) - 0x00000001 & 0x0000fdc6) + 0x208) < 0) {
    					L342:
    					E010461E6( &_v1620);
    					E010461E6( &_v1084);
    					E010461E6( &_v548);
    					E010461E6( &_v2156);
    					_t450 = 1;
    					goto L90;
    				} else {
    					E0103A641(" ");
    					_t473 = E0104522C(0xfe00,  &_v2212, 0);
    					_v2252 = _t473;
    					if(_t473 == 0) {
    						goto L342;
    					}
    					if( *0x1066708 != 0) {
    						_t475 = E0104522C(_v2208,  &_v2236, 1);
    						_v2232 = _t475;
    						__eflags = _t475;
    						if(_t475 == 0) {
    							goto L342;
    						}
    						_v2204 = _v2236;
    					}
    					_t846 =  *((intOrPtr*)(_t844 + 0x20));
    					_v2256 = _t846;
    					if(_t846 == 0) {
    						L80:
    						if( *0x1066704 == 3) {
    							__eflags = _t655 - 0xffffffff;
    							if(_t655 != 0xffffffff) {
    								_t789 = _t827;
    								E01044C40(_t846, _t827, _t655, 0);
    							}
    						}
    						_t477 = _v1100;
    						_v1100 = 0;
    						if(_t477 != 0) {
    							__imp__??_V@YAXPAX@Z(_t477);
    						}
    						_t478 = _v564;
    						_v564 = 0;
    						if(_t478 != 0) {
    							__imp__??_V@YAXPAX@Z(_t478);
    						}
    						_t479 = _v28;
    						_v28 = 0;
    						if(_t479 != 0) {
    							__imp__??_V@YAXPAX@Z(_t479);
    						}
    						_t678 = _v1636;
    						_v1636 = 0;
    						if(_t678 != 0) {
    							__imp__??_V@YAXPAX@Z(_t678);
    						}
    						_t450 = _v2220;
    						L90:
    						_pop(_t828);
    						_pop(_t845);
    						_pop(_t656);
    						return E01046B30(_t450, _t656, _v8 ^ _t866, _t789, _t828, _t845);
    					} else {
    						goto L9;
    					}
    					while( *0x106259c == 0) {
    						if(_v28 == 0) {
    							_t789 =  &_v548;
    						}
    						if(E01044D28(_t848, _t789, _v20) == 1) {
    							L341:
    							E01038B4D(_v2248);
    							goto L342;
    						} else {
    							if( *0x106670c != 0) {
    								L91:
    								_t495 =  *0x1066704;
    								L16:
    								if(( *(_t848 + 0x1c) & 0x00000008) == 0) {
    									__eflags = _t495 - 3;
    									if(_t495 != 3) {
    										L18:
    										_t496 = _v1636;
    										if(_v1636 == 0) {
    											_t496 =  &_v2156;
    										}
    										_t789 = _v2228;
    										_t699 = _t848;
    										if(E01043CD0(_t848, _v2228, _t496, _v1628, 0) == 1) {
    											goto L341;
    										} else {
    											if( *0x1066704 == 3) {
    												_t498 = _v1636;
    												__eflags = _t498;
    												if(_t498 == 0) {
    													_t498 =  &_v2156;
    												}
    												_t699 = _v564;
    												__eflags = _t699;
    												if(_t699 == 0) {
    													_t699 =  &_v1084;
    												}
    												E0103F3A0(_t699, _v556, _t498);
    											}
    											_t500 = _v1636;
    											if(_t500 == 0) {
    												_t500 =  &_v2156;
    											}
    											if( *_t500 == 0) {
    												L76:
    												_t135 = _t848 + 0x18; // 0x5b002f
    												_t789 =  *_t135;
    												if(E01045851(E010459D0,  *_t135, 0x21, _v2248) != 0) {
    													continue;
    												} else {
    													E01038B4D(_v2248);
    													L78:
    													_t137 = _t848 + 0x20; // 0x220009
    													_t846 =  *_t137;
    													_v2256 = _t846;
    													if(_t846 != 0) {
    														L9:
    														_t829 = _v2256;
    														_t789 = E01040060( *_t829, _t829);
    														if(E0104589A(E010459D0, _t482, 0x21, 0,  *((intOrPtr*)(_t846 + 0x18)),  &_v2248) == 0) {
    															goto L126;
    														} else {
    															_t848 = _t829;
    															continue;
    														}
    													} else {
    														_t827 = _v2228;
    														goto L80;
    													}
    												}
    											} else {
    												L23:
    												_t68 = _t848 + 4; // 0x450052
    												_t503 = E0104654B( *_t68, 0, _t699, _t699);
    												_v2252 = _t503;
    												if(_t503 == 0xffffffff) {
    													E01059EDB( *0x10667a8);
    													__eflags =  *0x1066704 - 3;
    													if( *0x1066704 != 3) {
    														L149:
    														_v2220 = 1;
    														goto L76;
    													}
    													__eflags = _t655 - 0xffffffff;
    													if(_t655 != 0xffffffff) {
    														goto L149;
    													}
    													_t704 = _v1636;
    													__eflags = _v1636;
    													if(_v1636 == 0) {
    														_t704 =  &_v2156;
    													}
    													_t203 = _t848 + 4; // 0x450052
    													_t505 = E010595F2(_t704,  *_t203);
    													__eflags = _t505;
    													if(_t505 == 0) {
    														goto L149;
    													} else {
    														_t689 = _v2248;
    														L336:
    														E01038B4D(_t689);
    														_t789 = 1;
    														_t690 = 0;
    														L338:
    														_t488 = E01058C50(_t690, _t789);
    														L339:
    														__eflags = 0;
    														_push(0);
    														_push(_t488);
    														E010363BD(0);
    														L340:
    														E0103A16C(_v2244);
    														goto L341;
    													}
    												}
    												_t506 = E0103DD98(_t503);
    												if(_t506 != 0) {
    													 *(_t848 + 0x1c) =  *(_t848 + 0x1c) | 0x00000080;
    													_t208 = _t848 + 0x1c; // 0x20005d
    													_t507 =  *_t208;
    													_v2236 = 0x80;
    													__eflags = _t507 & 0x00000001;
    													if((_t507 & 0x00000001) != 0) {
    														_t507 = _t507 & 0xfffffffe | 0x00000004;
    														 *(_t848 + 0x1c) = _t507;
    													}
    													L28:
    													if((_t507 & 0x00000004) != 0) {
    														_t508 = _t507 & 0xfffffffb;
    														__eflags = _t508 & 0x00000080;
    														_t706 = 0;
    														_t709 = (_t706 & 0xffffff00 | (_t508 & 0x00000080) != 0x00000000) + 0x00000001 | _t508;
    														__eflags =  *0x1066755;
    														 *(_t848 + 0x1c) = _t709;
    														if( *0x1066755 == 0) {
    															__eflags =  *0x106670c;
    															if( *0x106670c != 0) {
    																__eflags = _t709 & 0x00000008;
    																if((_t709 & 0x00000008) == 0) {
    																	__eflags =  *0x1066704 - 3;
    																	if( *0x1066704 == 3) {
    																		 *(_t848 + 0x1c) = _t709 & 0xfffffffe | 0x00000002;
    																	}
    																}
    															}
    														}
    													} else {
    														_v2232 = _t507;
    													}
    													_t710 = _v1100;
    													if(_v1100 == 0) {
    														_t710 =  &_v1620;
    													}
    													_t78 = _t848 + 4; // 0x450052
    													_t509 = E01041CD5(_t710, _v1092,  *_t78);
    													_t711 = _v1640;
    													_t831 = _t509;
    													if(_v1640 == 0) {
    														_t711 =  &_v2156;
    													}
    													_v2188 = E01044CA0(_v2244, _v2240, 0x200,  &_v2252, _t848, _t655, E01040060(_t711, _t831));
    													if( *0x10667a8 != 0) {
    														E0103A16C(_v2244);
    														_t714 = 0x6e;
    														E01059EDB(_t714);
    														__eflags =  *0x1066704 - 3;
    														if( *0x1066704 != 3) {
    															goto L149;
    														}
    														_t689 = _v2248;
    														goto L336;
    													} else {
    														_t849 =  *0x1066704;
    														if(_t849 == 3) {
    															__eflags =  *0x106670c;
    															if( *0x106670c != 0) {
    																goto L34;
    															}
    															_t832 = _v2256;
    															L52:
    															_t802 = _v2232;
    															if(_v2184 == 1) {
    																__eflags = _t849 - 3;
    																if(_t849 == 3) {
    																	_t283 = _t832 + 0x1c; // 0x20005d
    																	_t623 =  *_t283 & 0xfffffffe;
    																	__eflags = _t802;
    																	if(_t802 != 0) {
    																		_t624 = _t623 | _t802;
    																		__eflags = _t624;
    																	} else {
    																		_t624 = _t623 | 0x00000002;
    																	}
    																	 *(_t832 + 0x1c) = _t624;
    																}
    															}
    															_t103 = _t832 + 0x1c; // 0x20005d
    															_t722 =  *_t103;
    															_t530 = _t722;
    															if((_t722 & 0x00000008) == 0) {
    																_t530 = _t722;
    																__eflags = _t849 - 3;
    																if(_t849 == 3) {
    																	_t530 = _t722;
    																	__eflags = _t802;
    																	if(_t802 == 0) {
    																		_t530 = _t530 & 0xfffffffe | 0x00000002;
    																		 *(_t832 + 0x1c) = _t530;
    																	}
    																}
    															}
    															_t723 = _t530;
    															if((_t530 & 0x00000008) != 0 && _t849 == 3) {
    																__eflags = _v2216;
    																_t723 = _t530;
    																if(_v2216 == 0) {
    																	__eflags = _t802;
    																	if(_t802 == 0) {
    																		 *(_t832 + 0x1c) = _t723;
    																	}
    																}
    															}
    															_t833 = _v2240;
    															_t531 = E01044C75(_t833,  &_v2252, _t723);
    															_t848 = _v2260;
    															if(_t849 == 3) {
    																L279:
    																__eflags = _t655 - 0xffffffff;
    																if(_t655 == 0xffffffff) {
    																	_t725 = _v1636;
    																	__eflags = _t725;
    																	if(_t725 == 0) {
    																		_t725 =  &_v2156;
    																	}
    																	_t655 = E0104654B(_t725, 1, _t725, _t725);
    																	_v2268 = _t655;
    																	__eflags = _t655 - 0xffffffff;
    																	if(_t655 != 0xffffffff) {
    																		L281:
    																		__eflags =  *0x106670c;
    																		if( *0x106670c == 0) {
    																			__eflags =  *0x1066704 - 3;
    																			if( *0x1066704 == 3) {
    																				_t349 = _t848 + 0x1c; // 0x20005d
    																				__eflags = ( *_t349 & 0x00004002) - 0x4002;
    																				if(( *_t349 & 0x00004002) == 0x4002) {
    																					_t561 = _v2252 - 2;
    																					__eflags = _t561;
    																					_v2252 = _t561;
    																					memmove(_t833, _t833 + 2, _t561);
    																					_t866 = _t866 + 0xc;
    																				}
    																			}
    																		}
    																		__eflags =  *(_t848 + 0x1c) & 0x00004000;
    																		if(( *(_t848 + 0x1c) & 0x00004000) != 0) {
    																			_t741 = _v2228;
    																			_t557 =  *(_t741 + 0x20);
    																			__eflags = _t557;
    																			if(_t557 == 0) {
    																				_t365 = _t741 + 0x1c;
    																				 *_t365 =  *(_t741 + 0x1c) | 0x00004000;
    																				__eflags =  *_t365;
    																			} else {
    																				 *(_t557 + 0x1c) =  *(_t557 + 0x1c) | 0x00004000;
    																			}
    																		}
    																		_t533 =  *0x10667a0;
    																		__eflags = _t533;
    																		if(_t533 == 0) {
    																			_t726 =  *((intOrPtr*)(_t866 + 0x6c));
    																			_t834 = _v2244;
    																			while(1) {
    																				__eflags = _t726 - 1;
    																				if(_t726 != 1) {
    																					break;
    																				}
    																				_t546 = _v1636;
    																				__eflags = _t546;
    																				if(_t546 == 0) {
    																					_t546 =  &_v2156;
    																				}
    																				_t547 = E01059809(_t655, _v2240, _v2252, _t546, _t834);
    																				__eflags =  *0x1066708;
    																				if( *0x1066708 == 0) {
    																					L317:
    																					_t548 = _v1636;
    																					__eflags = _t548;
    																					if(_t548 == 0) {
    																						_t548 =  &_v2156;
    																					}
    																					_t726 = E01044CA0(_t834, _v2240, _v2236,  &_v2252, _t848, _t655, _t548);
    																					_t533 =  *0x10667a0;
    																					__eflags = _t533;
    																					if(_t533 == 0) {
    																						continue;
    																					} else {
    																						break;
    																					}
    																				} else {
    																					_t551 = E0103DD98(_t547);
    																					__eflags = _t551;
    																					if(_t551 != 0) {
    																						goto L317;
    																					}
    																					_t812 = _v1636;
    																					__eflags = _v1636;
    																					if(__eflags == 0) {
    																						_t812 =  &_v2156;
    																					}
    																					_t552 = E01058B6C(_t551,  &_v2260, _t812, __eflags, _v2252, _v2240, _v2224);
    																					__eflags = _t552 - 1;
    																					if(_t552 == 1) {
    																						_t689 = _v2248;
    																						goto L336;
    																					} else {
    																						_t655 = _v2260;
    																						goto L317;
    																					}
    																				}
    																			}
    																			__eflags = _t533;
    																			if(_t533 == 0) {
    																				goto L273;
    																			}
    																			__eflags = _v2252;
    																			if(_v2252 <= 0) {
    																				goto L273;
    																			}
    																			__eflags = _t726 - 1;
    																			if(_t726 != 1) {
    																				goto L273;
    																			}
    																			_t542 = _v1636;
    																			__eflags = _t542;
    																			if(_t542 == 0) {
    																				_t542 =  &_v2156;
    																			}
    																			_t836 = _v2240;
    																			_t543 = E01059809(_t655, _v2240, _v2252, _t542, _t834);
    																			__eflags =  *0x1066708;
    																			if( *0x1066708 == 0) {
    																				goto L273;
    																			} else {
    																				_t544 = E0103DD98(_t543);
    																				__eflags = _t544;
    																				if(_t544 != 0) {
    																					goto L273;
    																				}
    																				_t809 = _v1636;
    																				__eflags = _v1636;
    																				if(__eflags == 0) {
    																					_t809 =  &_v2156;
    																				}
    																				_t545 = E01058B6C(_t544,  &_v2260, _t809, __eflags, _v2252, _t836, _v2224);
    																				__eflags = _t545 - 1;
    																				if(_t545 != 1) {
    																					goto L306;
    																				} else {
    																					_t689 = _v2248;
    																					goto L336;
    																				}
    																			}
    																		} else {
    																			__eflags = _v2252;
    																			if(_v2252 <= 0) {
    																				goto L273;
    																			}
    																			_t553 = _v1636;
    																			__eflags = _t553;
    																			if(_t553 == 0) {
    																				_t553 =  &_v2156;
    																			}
    																			_t554 = E01059809(_t655, _t833, _v2252, _t553, _v2244);
    																			__eflags =  *0x1066708;
    																			if( *0x1066708 == 0) {
    																				goto L273;
    																			} else {
    																				_t555 = E0103DD98(_t554);
    																				__eflags = _t555;
    																				if(_t555 != 0) {
    																					goto L273;
    																				}
    																				_t814 = _v1636;
    																				__eflags = _v1636;
    																				if(__eflags == 0) {
    																					_t814 =  &_v2156;
    																				}
    																				_t556 = E01058B6C(_t555,  &_v2260, _t814, __eflags, _v2252, _t833, _v2224);
    																				__eflags = _t556 - 1;
    																				if(_t556 != 1) {
    																					L306:
    																					_t655 = _v2260;
    																					goto L273;
    																				} else {
    																					_t689 = _v2248;
    																					goto L336;
    																				}
    																			}
    																		}
    																	} else {
    																		E0103A16C(_v2244);
    																		__eflags =  *0x1066768;
    																		if( *0x1066768 == 0) {
    																			E01059EDB( *0x10667a8);
    																		}
    																		__eflags =  *0x1066704 - 3;
    																		if( *0x1066704 != 3) {
    																			goto L149;
    																		} else {
    																			_t689 = _v2248;
    																			goto L336;
    																		}
    																	}
    																}
    																__imp___get_osfhandle(_t655);
    																SetEndOfFile(_t531);
    																goto L281;
    															} else {
    																_t111 = _t848 + 0x1c; // 0x20005d
    																_t531 =  *_t111;
    																if((_t531 & 0x00000001) == 0) {
    																	goto L279;
    																} else {
    																	_t659 = _t531 & 0x00000800;
    																	asm("sbb edi, edi");
    																	_t839 =  ~_t659 & 0x00000800;
    																	_t747 = _v2260;
    																	if(_t747 != 0xffffffff) {
    																		E0103A16C(_t747);
    																		_t179 = _t848 + 0x1c; // 0x20005d
    																		_t531 =  *_t179;
    																		_v2260 = _t747 | 0xffffffff;
    																	}
    																	if((_t531 & 0x00000400) != 0) {
    																		_t288 = _t848 + 4; // 0x450052
    																		_t568 = E01059FF8( *_t288);
    																		__eflags = _t568;
    																		if(_t568 != 0) {
    																			L219:
    																			_t816 = 1;
    																			__eflags = 1;
    																			L220:
    																			_t750 = _v1636;
    																			__eflags = _t750;
    																			if(_t750 == 0) {
    																				_t750 =  &_v2156;
    																			}
    																			_t835 = 0;
    																			_t294 = _t848 + 4; // 0x450052
    																			 *0x107a4c4( *_t294, _t750, E01058AA0, _t816, 0, _v2200 | _t839 | 0x00000002);
    																			_t573 =  *((intOrPtr*)( *0x10625b8))();
    																			L63:
    																			_t848 = _v2280;
    																			L64:
    																			if(_t573 == 0) {
    																				_t574 = GetLastError();
    																				 *0x10667a8 = _t574;
    																				__eflags = _t574 - 1;
    																				if(_t574 == 1) {
    																					__eflags = _t659;
    																					if(_t659 != 0) {
    																						_t301 = _t848 + 0x18; // 0x5b002f
    																						_t578 =  *_t301;
    																						__eflags =  *_t578 & 0x00000400;
    																						if(( *_t578 & 0x00000400) != 0) {
    																							 *0x10667a8 = 0x40002730;
    																						}
    																					}
    																				}
    																				E0103A16C(_v2268);
    																				_t576 = _v2236;
    																				_t753 =  *0x10667a8;
    																				 *0x10667a0 = _t835;
    																				asm("sbb esi, esi");
    																				_t853 =  ~_t576 & 0x0000001d;
    																				__eflags =  *0x10667a8;
    																				if( *0x10667a8 == 0) {
    																					_t753 = 0x70;
    																					 *0x10667a8 = _t753;
    																				}
    																				__eflags =  *0x106259c;
    																				if( *0x106259c == 0) {
    																					__eflags = _t576;
    																					if(_t576 == 0) {
    																						E01059EDB(_t753);
    																					}
    																				} else {
    																					_t853 = _t835;
    																				}
    																				__eflags = _v2220;
    																				if(_v2220 != 0) {
    																					_t690 = _t853;
    																					_t789 = 1;
    																					__eflags = 1;
    																					goto L338;
    																				} else {
    																					_t655 = _v2284;
    																					_t848 = _v2280;
    																					_v2244 = 1;
    																					goto L76;
    																				}
    																			}
    																			if(_v2236 != 0) {
    																				L71:
    																				_t655 = _v2284;
    																				L72:
    																				_t126 = _t848 + 0x18; // 0x5b002f
    																				_t727 =  *_t126;
    																				 *0x10667a0 = _t835;
    																				 *((intOrPtr*)(_t866 + 0x70)) =  *((intOrPtr*)(_t727 + 0x14));
    																				 *((intOrPtr*)(_t866 + 0x74)) =  *((intOrPtr*)(_t727 + 0x18));
    																				E0103A16C(_v2244);
    																				if( *0x1066704 != 3) {
    																					if( *0x106259c != 0) {
    																						E0103A16C(_t655);
    																						_t538 = _v1636;
    																						__eflags = _t538;
    																						if(_t538 == 0) {
    																							_t538 =  &_v2156;
    																						}
    																						DeleteFileW(_t538);
    																						_v2220 = 1;
    																					} else {
    																						E01044C40(_t848, _v2228, _t655, _t866 + 0x70);
    																					}
    																				}
    																				 *0x106670c = _t835;
    																				goto L76;
    																			}
    																			_t579 =  *(_t866 + 0x280);
    																			if(_t579 == 0) {
    																				_t579 =  &_v2180;
    																			}
    																			_t580 = GetFileAttributesW(_t579);
    																			if(_t580 != 0xffffffff) {
    																				_t768 =  *(_t866 + 0x280);
    																				if(_t768 == 0) {
    																					_t768 =  &_v2180;
    																				}
    																				SetFileAttributesW(_t768, _t580 & 0xfffffffe);
    																			}
    																			if( *0x1066708 != 0) {
    																				_t754 =  *(_t866 + 0x280);
    																				__eflags = _t754;
    																				if(_t754 == 0) {
    																					_t754 =  &_v2180;
    																				}
    																				_t655 = E0104654B(_t754, 1, _t754, _t754);
    																				_v2292 = _t655;
    																				__eflags = _t655 - 0xffffffff;
    																				if(_t655 == 0xffffffff) {
    																					L262:
    																					_t582 =  *(_t866 + 0x280);
    																					__eflags = _t582;
    																					if(_t582 == 0) {
    																						_t582 =  &_v2180;
    																					}
    																					E010378E4(_t754, 0x4000271f, 1, _t582);
    																					_t866 = _t866 + 0xc;
    																					goto L72;
    																				} else {
    																					_t584 = E0103DD98(_t581);
    																					__eflags = _t584;
    																					if(_t584 != 0) {
    																						L267:
    																						E0103A16C(_t655);
    																						_t655 = _t655 | 0xffffffff;
    																						_v2284 = _t655;
    																						goto L72;
    																					}
    																					__imp___get_osfhandle();
    																					_t757 = _t655;
    																					_t586 = FlushFileBuffers(_t584);
    																					__eflags = _t586;
    																					if(_t586 == 0) {
    																						L268:
    																						_t587 =  *(_t866 + 0x280);
    																						__eflags = _t587;
    																						if(_t587 == 0) {
    																							_t587 =  &_v2180;
    																						}
    																						E010378E4(_t757, 0x4000271f, 1, _t587);
    																						_t866 = _t866 + 0xc;
    																						goto L267;
    																					}
    																					E0103A16C(_t655);
    																					_t754 =  *(_t866 + 0x280);
    																					__eflags = _t754;
    																					if(_t754 == 0) {
    																						_t754 =  &_v2180;
    																					}
    																					_t655 = E0104654B(_t754, 0, _t754, _t754);
    																					_v2292 = _t655;
    																					__eflags = _t655 - 0xffffffff;
    																					if(_t655 == 0xffffffff) {
    																						goto L262;
    																					} else {
    																						_t757 = _t655;
    																						_t591 = E0103DD98(_t590);
    																						__eflags = _t591;
    																						if(_t591 != 0) {
    																							goto L268;
    																						}
    																						_t854 = _v2268;
    																						__imp___get_osfhandle(_t835);
    																						_t592 = SetFilePointer(_t591, _t854, _t835, _t835);
    																						__imp___get_osfhandle(_t835);
    																						SetFilePointer(_t592, _t655, _t835, _t835);
    																						_t594 =  &_v2204;
    																						__imp___get_osfhandle(_t594);
    																						_t595 = GetFileSize(_t594, _t854);
    																						_t596 =  &_v2200;
    																						__imp___get_osfhandle(_t596);
    																						_t762 = _t655;
    																						_t597 = GetFileSize(_t596, ??);
    																						__eflags = _t595 - _t597;
    																						if(_t595 != _t597) {
    																							L276:
    																							_t598 =  *(_t866 + 0x280);
    																							__eflags = _t598;
    																							if(_t598 == 0) {
    																								_t598 =  &_v2180;
    																							}
    																							E010378E4(_t762, 0x4000271f, 1, _t598);
    																							_t866 = _t866 + 0xc;
    																							E0103A16C(_t655);
    																							_t848 = _v2280;
    																							_t655 = _t655 | 0xffffffff;
    																							_v2284 = _t655;
    																							goto L72;
    																						}
    																						__eflags = _v2204 - _v2200;
    																						if(_v2204 != _v2200) {
    																							goto L276;
    																						}
    																						_t856 = _t835;
    																						_t840 = _v2260;
    																						while(1) {
    																							__imp___get_osfhandle(0);
    																							_t604 = ReadFile( &_v2276, _v2268, _v2264, _t840,  &_v2276);
    																							__eflags = _t604;
    																							if(_t604 == 0) {
    																								break;
    																							}
    																							__eflags = _v2276;
    																							if(_v2276 == 0) {
    																								break;
    																							}
    																							__imp___get_osfhandle(0);
    																							_t608 = ReadFile( &_v2196, _t655, _v2248, _v2276,  &_v2196);
    																							__eflags = _t608;
    																							if(_t608 == 0) {
    																								L274:
    																								_t767 = _t655;
    																								E0103A16C(_t655);
    																								_t610 =  *(_t866 + 0x280);
    																								_t655 = _t655 | 0xffffffff;
    																								_v2284 = _t655;
    																								__eflags = _t610;
    																								if(_t610 == 0) {
    																									_t610 =  &_v2180;
    																								}
    																								E010378E4(_t767, 0x4000271f, 1, _t610);
    																								_t866 = _t866 + 0xc;
    																								L272:
    																								_t848 = _v2280;
    																								L273:
    																								_t835 = 0;
    																								goto L72;
    																							}
    																							_t612 = _v2276;
    																							__eflags = _v2196 - _t612;
    																							if(_v2196 != _t612) {
    																								goto L274;
    																							}
    																							__eflags = _t840 - _t612;
    																							if(_t840 != _t612) {
    																								_t856 = 1;
    																								__eflags = 1;
    																							}
    																							_push(_t612);
    																							_push(_v2248);
    																							_push(_v2264);
    																							L01047FB7();
    																							_t866 = _t866 + 0xc;
    																							__eflags = _t612;
    																							if(_t612 != 0) {
    																								goto L274;
    																							} else {
    																								__eflags = _t856;
    																								if(_t856 == 0) {
    																									continue;
    																								}
    																								break;
    																							}
    																						}
    																						E0103A16C(_t655);
    																						_t655 = _t655 | 0xffffffff;
    																						_v2284 = _t655;
    																						goto L272;
    																					}
    																				}
    																			} else {
    																				goto L71;
    																			}
    																		}
    																		_t769 = _v1636;
    																		__eflags = _v1636;
    																		if(_v1636 == 0) {
    																			_t769 =  &_v2156;
    																		}
    																		_t615 = E01059FF8(_t769);
    																		__eflags = _t615;
    																		if(_t615 != 0) {
    																			goto L219;
    																		} else {
    																			_t816 = _t615;
    																			goto L220;
    																		}
    																	}
    																	_t858 =  *0x10625b8;
    																	if(_t858 == 0) {
    																		_t616 = _v1636;
    																		__eflags = _t616;
    																		if(_t616 == 0) {
    																			_t616 =  &_v2156;
    																		}
    																		_t848 = _v2256;
    																		_t573 = CopyFileW( *(_t848 + 4), _t616, _v2200);
    																		_t835 = 0;
    																		goto L64;
    																	}
    																	_t770 = _v1636;
    																	if(_t770 == 0) {
    																		_t770 =  &_v2156;
    																	}
    																	_t841 = _v2256;
    																	_t120 = _t841 + 4; // 0x450052
    																	 *0x107a4c4( *_t120, _t770, 0, 0, 0x106259c, _v2200 | _t839);
    																	_t573 =  *_t858();
    																	_t835 = 0;
    																	goto L63;
    																}
    															}
    														}
    														L34:
    														_t515 = _v1636;
    														if(_v1636 == 0) {
    															_t515 =  &_v2156;
    														}
    														_t797 = _v1100;
    														if(_v1100 == 0) {
    															_t797 =  &_v1620;
    														}
    														_t516 = E01043AEF(_t831, _t797, _t515);
    														_t848 = _v2260;
    														if(_t516 != 0) {
    															__eflags =  *(_t848 + 0x1c) & 0x00000080;
    															if(( *(_t848 + 0x1c) & 0x00000080) != 0) {
    																goto L37;
    															}
    															E0103A16C(_v2244);
    															_t842 = _v2240;
    															E0105974B(_t848,  &_v2260, _v2244, _v2240, _v2236, _v2248);
    															__eflags =  *0x106670c;
    															if( *0x106670c != 0) {
    																__eflags =  *0x1066704 - 3;
    																if( *0x1066704 == 3) {
    																	_t234 = _t848 + 0x1c; // 0x20005d
    																	_t783 = _v2232;
    																	_t648 =  *_t234 & 0xfffffffe;
    																	__eflags = _t783;
    																	if(_t783 != 0) {
    																		_t649 = _t648 | _t783;
    																		__eflags = _t649;
    																	} else {
    																		_t649 = _t648 | 0x00000002;
    																	}
    																	 *(_t848 + 0x1c) = _t649;
    																}
    																_v2184 = 1;
    															}
    															_t238 = _t848 + 0x1c; // 0x20005d
    															E01044C75(_t842,  &_v2252,  *_t238);
    															_t655 = _v2264;
    															 *0x106670c = 0;
    															goto L76;
    														} else {
    															L37:
    															_t716 = _v2228;
    															_t789 = 1;
    															 *0x1066770 = 1;
    															if( *0x106670c != 0) {
    																__eflags =  *(_t716 + 0x20);
    																if( *(_t716 + 0x20) == 0) {
    																	goto L38;
    																}
    																 *0x10667a8 = 0;
    																 *0x106676c = 1;
    																E01038F21( *(_t716 + 0x20));
    																_t488 =  *0x10667a8;
    																__eflags = _t488 - 0x15;
    																if(_t488 == 0x15) {
    																	goto L339;
    																}
    																__eflags = _t488 - 0x458;
    																if(_t488 == 0x458) {
    																	goto L339;
    																} else {
    																	_t716 = _v2220;
    																	_t789 = 1;
    																	goto L38;
    																}
    															}
    															L38:
    															_t518 = _v1636;
    															if(_v1636 == 0) {
    																_t518 =  &_v2156;
    															}
    															_t789 = _t716;
    															if(E01043CD0(_t848, _t716, _t518, _v1628, _t716) == 1) {
    																goto L340;
    															} else {
    																_t520 = _v1636;
    																_t718 = _t520;
    																if(_t520 == 0) {
    																	_t718 =  &_v2156;
    																}
    																if( *_t718 == 0) {
    																	E0103A16C(_v2244);
    																	goto L76;
    																} else {
    																	if(_t520 == 0) {
    																		_t520 =  &_v2156;
    																	}
    																	_t800 = _v1100;
    																	if(_v1100 == 0) {
    																		_t800 =  &_v1620;
    																	}
    																	if(E01043AEF(_t831, _t800, _t520) != 0) {
    																		__eflags =  *(_t848 + 0x1c) & 0x00000080;
    																		if(( *(_t848 + 0x1c) & 0x00000080) == 0) {
    																			_t777 = _v2244;
    																			E0103A16C(_v2244);
    																			__eflags =  *0x106670c;
    																			if( *0x106670c != 0) {
    																				_t640 =  *(_v2228 + 0x20);
    																				__eflags = _t640;
    																				if(_t640 != 0) {
    																					__eflags =  *(_t640 + 0x1c) & 0x00000008;
    																					if(( *(_t640 + 0x1c) & 0x00000008) != 0) {
    																						__eflags =  *(_t848 + 0x20);
    																						if( *(_t848 + 0x20) == 0) {
    																							 *0x1066704 = 1;
    																						}
    																					}
    																				}
    																			}
    																			E0105974B(_t848,  &_v2260, _t777, _v2240, _v2236, _v2248);
    																			_t655 = _v2276;
    																		}
    																	}
    																	_t523 = _v1636;
    																	if(_t523 == 0) {
    																		_t523 =  &_v2156;
    																	}
    																	_t524 = GetFileAttributesW(_t523);
    																	_t721 = _v2232;
    																	_t801 = _t524;
    																	_t849 =  *0x1066704;
    																	if(_t721 == 0) {
    																		__eflags = _v2192;
    																		if(_v2192 == 0) {
    																			L102:
    																			_t832 = _v2256;
    																			_t164 = _t832 + 0x1c; // 0x20005d
    																			_t526 =  *_t164 & 0xfffffffb;
    																			__eflags =  *0x1066755;
    																			 *(_t832 + 0x1c) = _t526;
    																			if( *0x1066755 == 0) {
    																				__eflags = _t526 & 0x00000008;
    																				if((_t526 & 0x00000008) == 0) {
    																					goto L103;
    																				}
    																				__eflags = _t849 - 3;
    																				if(_t849 != 3) {
    																					goto L103;
    																				}
    																				__eflags = _v2216;
    																				_v2188 = _t849;
    																				if(_v2216 != 0) {
    																					goto L48;
    																				}
    																				_t776 =  *(_v2228 + 0x20);
    																				__eflags = _t776;
    																				if(_t776 == 0) {
    																					L195:
    																					_t635 = _t526 | 0x00000002;
    																					__eflags = _t635;
    																					L196:
    																					_t721 = _v2232;
    																					 *(_t832 + 0x1c) = _t635;
    																					goto L48;
    																				}
    																				__eflags =  *(_t776 + 0x1c) & 0x00000008;
    																				if(( *(_t776 + 0x1c) & 0x00000008) == 0) {
    																					goto L195;
    																				}
    																				_t635 = _t526 | 0x00000001;
    																				goto L196;
    																			}
    																			L103:
    																			__eflags = _v2216;
    																			if(_v2216 != 0) {
    																				__eflags = _v2188 - 3;
    																				if(_v2188 == 3) {
    																					 *(_t832 + 0x1c) = _t526 | 0x00000001;
    																				}
    																			}
    																			goto L48;
    																		}
    																		_v2216 = 0;
    																		__eflags = _t801 - 0xffffffff;
    																		if(_t801 != 0xffffffff) {
    																			__eflags = _t801 & 0x00000010;
    																			if((_t801 & 0x00000010) != 0) {
    																				_v2216 = 1;
    																			}
    																		}
    																		_v2192 = 0;
    																		goto L102;
    																	} else {
    																		_t832 = _v2256;
    																		L48:
    																		if( *0x106670c != 0) {
    																			_t528 =  *(_v2228 + 0x20);
    																			__eflags = _t528;
    																			if(_t528 != 0) {
    																				__eflags =  *(_t528 + 0x1c) & 0x00000008;
    																				if(( *(_t528 + 0x1c) & 0x00000008) != 0) {
    																					__eflags =  *(_t832 + 0x20);
    																					if( *(_t832 + 0x20) == 0) {
    																						_t849 = 1;
    																						 *0x1066704 = 1;
    																					}
    																				}
    																			}
    																			__eflags = _t849 - 3;
    																			if(_t849 == 3) {
    																				__eflags = _t721;
    																				if(_t721 != 0) {
    																					 *(_t832 + 0x1c) = _t721;
    																				} else {
    																					_t276 = _t832 + 0x1c; // 0x20005d
    																					 *(_t832 + 0x1c) =  *_t276 & 0xfffffffe | 0x00000002;
    																				}
    																			}
    																		}
    																		if((_t801 & 0x00000006) == 0) {
    																			__eflags =  *(_t832 + 0x1c) & 0x00000400;
    																			if(( *(_t832 + 0x1c) & 0x00000400) == 0) {
    																				_t774 = _v1636;
    																				__eflags = _v1636;
    																				if(__eflags == 0) {
    																					_t774 =  &_v2156;
    																				}
    																				_t629 = E01045643(_t774, __eflags);
    																				_t849 =  *0x1066704;
    																				_t655 = _t629;
    																				_v2260 = _t655;
    																			}
    																			_t529 = 0;
    																			_v2212 = 0;
    																			__eflags = _t655 - 0xffffffff;
    																			if(_t655 == 0xffffffff) {
    																				goto L51;
    																			} else {
    																				_v2196 = 1;
    																				_t625 = E0103DD98(0);
    																				__eflags = _t625;
    																				if(_t625 != 0) {
    																					__eflags = _v2232;
    																					_v2212 = 1;
    																					if(_v2232 == 0) {
    																						_t281 = _t832 + 0x1c; // 0x20005d
    																						 *(_t832 + 0x1c) =  *_t281 & 0xfffffffe | 0x00000002;
    																					}
    																				}
    																				_t849 =  *0x1066704;
    																				goto L52;
    																			}
    																		} else {
    																			_t655 = _t655 | 0xffffffff;
    																			 *0x10667a8 = 5;
    																			_v2260 = _t655;
    																			_t529 = 0;
    																			L51:
    																			_v2196 = _t529;
    																			_v2212 = _t529;
    																			goto L52;
    																		}
    																	}
    																}
    															}
    														}
    													}
    												}
    												if( *0x1066708 != _t506) {
    													_t651 = _v2204;
    													__eflags = _v2208 - _t651;
    													if(_v2208 < _t651) {
    														goto L26;
    													}
    													_t786 = _t651;
    													_v2236 = _t651;
    													L27:
    													_t72 = _t848 + 0x1c; // 0x20005d
    													_t507 =  *_t72;
    													_v2204 = _t786;
    													goto L28;
    												}
    												L26:
    												_t786 = _v2208;
    												_v2236 = _t786;
    												goto L27;
    											}
    										}
    									} else {
    										goto L17;
    									}
    								}
    								L17:
    								_t63 = _t848 + 4; // 0x450052
    								_push( *_t63);
    								E01039950(L"%s\r\n");
    								_pop(_t699);
    								if( *0x1066704 == 3) {
    									__eflags =  *0x106670c;
    									if( *0x106670c == 0) {
    										goto L23;
    									}
    								}
    								goto L18;
    							}
    							_t495 =  *0x1066704;
    							if(_t495 == 3) {
    								_t788 = _v564;
    								__eflags = _v564;
    								if(_v564 == 0) {
    									_t788 =  &_v1084;
    								}
    								_t193 = _t848 + 4; // 0x450052
    								_t653 = E010595F2(_t788,  *_t193);
    								__eflags = _t653;
    								if(_t653 != 0) {
    									goto L76;
    								} else {
    									goto L91;
    								}
    							}
    							goto L16;
    						}
    					}
    					E01038B4D(_v2248);
    					__eflags = _t655 - 0xffffffff;
    					if(_t655 != 0xffffffff) {
    						E0103A16C(_t655);
    					}
    					goto L342;
    					L126:
    					__eflags =  *0x1066704 - 3;
    					if( *0x1066704 != 3) {
    						L334:
    						_push( *_t829);
    						E01039950(L"%s ");
    						E01039950(L"\r\n");
    						_t866 = _t866 + 0xc;
    						E01059EDB( *0x10667a8);
    						_t689 = _v2248;
    						goto L336;
    					}
    					__eflags =  *0x106670c;
    					if( *0x106670c != 0) {
    						goto L334;
    					}
    					_t848 = _v2256;
    					goto L78;
    				}
    			}





































































































































































































    APIs
    • memset.MSVCRT ref: 01043F4E
    • memset.MSVCRT ref: 01043F7D
    • memset.MSVCRT ref: 01043FAC
    • memset.MSVCRT ref: 01043FDB
      • Part of subcall function 0103E3F0: memset.MSVCRT ref: 0103E455
    • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,00000001,?,00000200,?,0103234C,?,00000000,00450052,?,?,?,?), ref: 0104435B
    • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 0104448B
    • SetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000), ref: 010444AA
    • ??_V@YAXPAX@Z.MSVCRT ref: 01044567
    • ??_V@YAXPAX@Z.MSVCRT ref: 01044581
    • ??_V@YAXPAX@Z.MSVCRT ref: 0104459B
    • ??_V@YAXPAX@Z.MSVCRT ref: 010445B5
      • Part of subcall function 0104522C: VirtualAlloc.API-MS-WIN-CORE-MEMORY-L1-1-0(00000000,0000FE00,00001000,00000004,?,00000000,00000104,?,01058DFD,?,00000000,-00000001,-00000001,-00000001), ref: 01045242
      • Part of subcall function 01040060: wcschr.MSVCRT ref: 0104006C
      • Part of subcall function 0104589A: FindFirstFileExW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,?,00000000,00000000,00000002,00000000,00000000,?,010459D0,?,01036054,-00001038,00000000,?,?), ref: 010458BB
      • Part of subcall function 0104589A: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,010459D0,?,01036054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 010458CD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: memset$File$Attributes$AllocErrorFindFirstLastVirtualwcschr
    • String ID: %s$%s
    • API String ID: 3081143564-3518022669
    • Opcode ID: 6d4eb953420c6fedf23427734b75188948cd5a1f58b4451e9be63ab68aa85b3d
    • Instruction ID: 0f09043a6cf946357dee6e5b65998dd1e1b46da83ecef580174b1d11df0fed0d
    • Opcode Fuzzy Hash: 6d4eb953420c6fedf23427734b75188948cd5a1f58b4451e9be63ab68aa85b3d
    • Instruction Fuzzy Hash: 3DB27EB0608341DBEBA4CE28C884B6FB7E5BB84314F04896DF9D6C7295EB35D845CB52
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 83%
    			E01039458(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
    				void* _t69;
    				struct _SECURITY_ATTRIBUTES* _t72;
    				void* _t74;
    				intOrPtr _t83;
    				intOrPtr _t89;
    				WCHAR* _t91;
    				void* _t93;
    				WCHAR* _t94;
    				int _t97;
    				long _t98;
    				signed int _t100;
    				void* _t103;
    				struct _SECURITY_ATTRIBUTES* _t107;
    				void* _t115;
    				void* _t120;
    				WCHAR* _t127;
    				WCHAR* _t133;
    				void* _t135;
    				void* _t149;
    				signed int _t156;
    				WCHAR* _t165;
    				void* _t167;
    				signed int _t169;
    				void* _t171;
    				WCHAR* _t176;
    				struct _SECURITY_ATTRIBUTES* _t178;
    				signed int _t180;
    				struct _SECURITY_ATTRIBUTES* _t182;
    				void* _t184;
    				void* _t185;
    
    				E01047D90(__ebx, __edi, __esi);
    				 *(_t185 - 0xa8) = __edx;
    				 *((intOrPtr*)(_t185 - 0xbc)) = __ecx;
    				_t176 =  *(_t185 + 0xc);
    				_t133 =  *(_t185 + 0x10);
    				_t182 = 0;
    				 *(_t185 - 0xac) = 0;
    				 *(_t185 - 0xa4) = 0;
    				 *((intOrPtr*)(_t185 - 0xb0)) = 0;
    				 *((intOrPtr*)(_t185 - 0xb4)) = 0x20;
    				_t69 = _t185 - 0xa0;
    				__imp__InitializeProcThreadAttributeList(_t69, 1, 0, _t185 - 0xb4, 0x105c9d0, 0x108);
    				if(_t69 == 0) {
    					 *0x10667a8 = GetLastError();
    					E01055C54(_t133);
    					_t72 = 1;
    					L21:
    					 *[fs:0x0] =  *((intOrPtr*)(_t185 - 0x10));
    					return _t72;
    				}
    				 *((intOrPtr*)(_t185 - 0xb8)) = 1;
    				_t74 = _t185 - 0xa0;
    				__imp__UpdateProcThreadAttribute(_t74, 0, 0x60001, _t185 - 0xb8, 4, 0, 0);
    				if(_t74 == 0) {
    					 *0x10667a8 = GetLastError();
    					E01055C54(_t133);
    					__imp__DeleteProcThreadAttributeList(_t185 - 0xa0);
    					goto L34;
    				} else {
    					memset(_t185 - 0x118, 0, 0x48);
    					 *((intOrPtr*)(_t185 - 0xd4)) = _t185 - 0xa0;
    					 *(_t185 - 0x118) = 0x48;
    					 *((intOrPtr*)(_t185 - 0x10c)) =  *((intOrPtr*)(_t185 + 0x14));
    					 *((intOrPtr*)(_t185 - 0x108)) = 0;
    					 *((intOrPtr*)(_t185 - 0x104)) = 1;
    					_t83 = 0x64;
    					 *((intOrPtr*)(_t185 - 0x100)) = _t83;
    					 *((intOrPtr*)(_t185 - 0xfc)) = _t83;
    					 *((intOrPtr*)(_t185 - 0xec)) = 0;
    					 *(_t185 - 0xe8) = 1;
    					memset(_t185 - 0x68, 0, 0x44);
    					 *(_t185 - 0x68) = 0x44;
    					GetStartupInfoW(_t185 - 0x68);
    					 *((intOrPtr*)(_t185 - 0x110)) =  *((intOrPtr*)(_t185 - 0x60));
    					 *((intOrPtr*)(_t185 - 4)) = 0;
    					if(E01041D90(L"COPYCMD") == 0) {
    					}
    					_t89 = E0103ACB0(0x10320b8);
    					 *((intOrPtr*)(_t185 - 0xb0)) = _t89;
    					if(_t89 == 0) {
    						L33:
    						_push(0xfffffffe);
    						_push(_t185 - 0x10);
    						_push(0x105e0b4);
    						L01047FAB();
    						L34:
    						_t72 = 1;
    						goto L21;
    					}
    					if( *0x1066758 == 0) {
    						__eflags =  *0x107904c;
    						if( *0x107904c != 0) {
    							goto L6;
    						}
    						__eflags =  *0x1066748;
    						if( *0x1066748 == 0) {
    							L8:
    							E01038235();
    							_t93 =  *0x1066748;
    							if(_t93 != 0) {
    								_t149 =  *(_t93 + 0x30);
    								__eflags = _t149;
    								if(_t149 == 0) {
    									goto L9;
    								} else {
    									_t127 =  *0x1078df8;
    									__eflags = _t127;
    									if(_t127 == 0) {
    										_t127 = 0x1078bf0;
    									}
    									_t97 = CreateProcessAsUserW(_t149, _t133, _t176, _t182, _t182, 1, 0x80000, _t182, _t127, _t185 - 0x118, _t185 - 0xcc);
    									L11:
    									_t178 = _t97;
    									if(_t178 == 0) {
    										_t98 = GetLastError();
    										 *(_t185 - 0xac) = _t98;
    										 *0x10667a8 = _t98;
    									} else {
    										 *(_t185 - 0xa4) =  *(_t185 - 0xcc);
    										CloseHandle( *(_t185 - 0xc8));
    									}
    									_t152 = L"COPYCMD";
    									E0103A976(L"COPYCMD",  *((intOrPtr*)(_t185 - 0xb0)));
    									if(_t178 == 0) {
    										__eflags =  *0x1066755;
    										if( *0x1066755 == 0) {
    											L46:
    											__eflags =  *0x10667a8 - 0x2e4;
    											if( *0x10667a8 != 0x2e4) {
    												L52:
    												__eflags = _t178;
    												if(_t178 != 0) {
    													goto L14;
    												}
    												_t184 = E0103DCD0(0xffce);
    												__eflags = _t184;
    												if(_t184 != 0) {
    													E0103F3A0(_t184, 0x7fe7, _t133);
    													E01055C54(_t184);
    													E0103DC60(_t184);
    												}
    												goto L33;
    											}
    											L47:
    											_t120 = E010472EF(_t152);
    											__eflags = _t120;
    											if(_t120 == 0) {
    												_t178 = _t182;
    											} else {
    												_t165 =  *0x1078df8;
    												__eflags = _t165;
    												if(_t165 == 0) {
    													_t165 = 0x1078bf0;
    												}
    												_t178 =  *0x107d01c(_t182, _t133,  *((intOrPtr*)( *((intOrPtr*)(_t185 - 0xbc)) + 0x3c)), _t165,  *(_t185 - 0xe8) & 0x0000ffff, _t185 - 0xa4, 0x10667a8);
    											}
    											goto L52;
    										}
    										__eflags =  *0x10667a8 - 0xc1;
    										if( *0x10667a8 == 0xc1) {
    											goto L47;
    										}
    										goto L46;
    									} else {
    										L14:
    										_t100 =  *(_t185 - 0xa4);
    										_t180 = _t100 & 1;
    										_t169 = 2;
    										_t156 = _t100 & _t169;
    										if(_t100 == 0) {
    											L29:
    											_t135 = 4;
    											L16:
    											 *(_t185 - 0xac) = _t182;
    											 *0x1062598 = 1;
    											if(_t135 != 0) {
    												L26:
    												__eflags = _t135 - 4;
    												if(_t135 == 4) {
    													_t103 =  *(_t185 - 0xa4);
    													__eflags = _t103;
    													if(_t103 != 0) {
    														CloseHandle(_t103);
    														 *(_t185 - 0xa4) = _t182;
    													}
    												} else {
    													__eflags = _t135 - _t169;
    													if(_t135 == _t169) {
    														 *0x10665e4 =  *(_t185 - 0xa4);
    													}
    												}
    												L20:
    												 *((intOrPtr*)(_t185 - 4)) = 0xfffffffe;
    												E0103974A();
    												_t72 = _t182;
    												goto L21;
    											}
    											_t107 = E010381EC( *(_t185 - 0xa4));
    											 *0x10665dc = _t107;
    											 *(_t185 - 0xa4) = _t182;
    											_t182 = _t107;
    											 *(_t185 - 0xac) = _t182;
    											E01039ABF(_t185 - 0x4c, 0x14, L"%08X", _t182);
    											E0103A976(L"=ExitCode", _t185 - 0x4c);
    											if(_t182 >= 0x20) {
    												__eflags = _t182 - 0x7e;
    												if(_t182 > 0x7e) {
    													goto L18;
    												}
    												E01039ABF(_t185 - 0x80, 0xc, L"%01C", _t182);
    												_t171 = _t185 - 0x80;
    												L19:
    												E0103A976(L"=ExitCodeAscii", _t171);
    												if(_t180 != 0) {
    													E010563F3(__eflags);
    												}
    												goto L20;
    											}
    											L18:
    											_t171 = 0x1032094;
    											goto L19;
    										}
    										_t135 =  *(_t185 - 0xa8);
    										if( *0x1066758 == 0) {
    											__eflags =  *0x1066748;
    											if( *0x1066748 != 0) {
    												goto L16;
    											}
    											__eflags =  *0x1066755;
    											if( *0x1066755 == 0) {
    												goto L16;
    											} else {
    												__eflags =  *0x107904c;
    												if( *0x107904c != 0) {
    													goto L16;
    												}
    												__eflags = _t135;
    												if(_t135 != 0) {
    													goto L16;
    												}
    												__eflags = _t156;
    												if(_t156 != 0) {
    													goto L29;
    												}
    												_t115 = E01055F2B(_t100, _t169);
    												_t169 = 2;
    												__eflags = _t169 - _t115;
    												if(_t169 != _t115) {
    													goto L16;
    												}
    												goto L29;
    											}
    											goto L26;
    										}
    										goto L16;
    									}
    								}
    							}
    							L9:
    							_t94 =  *0x1078df8;
    							if(_t94 == 0) {
    								_t94 = 0x1078bf0;
    							}
    							_t97 = CreateProcessW(_t133, _t176, _t182, _t182, 1, 0x80000, _t182, _t94, _t185 - 0x118, _t185 - 0xcc);
    							goto L11;
    						}
    					}
    					L6:
    					_t167 = 0x5c;
    					_t91 = E010401F5(_t133, _t167);
    					if(_t91 != 0 && lstrcmpW(_t91, L"\\XCOPY.EXE") == 0) {
    						E010550D8();
    					}
    					goto L8;
    				}
    			}

    APIs
    • InitializeProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,00000001,00000000,00000020,0105C9D0,00000108,01042107,?,00000000,00000000,00000000), ref: 010394AA
    • UpdateProcThreadAttribute.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,00000000,00060001,?,00000004,00000000,00000000,?,00000000,00000000,00000000), ref: 010394D9
    • memset.MSVCRT ref: 010394F1
    • memset.MSVCRT ref: 0103954A
    • GetStartupInfoW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000044), ref: 0103955D
      • Part of subcall function 01041D90: _wcsnicmp.MSVCRT ref: 01041E14
    • lstrcmpW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0(00000000,\XCOPY.EXE), ref: 010395B8
    • CreateProcessW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,00000000,00000000,00000001,00080000,00000000,?,?,?), ref: 01039602
    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 01039624
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00000000,00000000), ref: 0104BDF1
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00000000,00000000), ref: 0104BE0D
    • DeleteProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,00000000,00000000,00000000), ref: 0104BE26
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: AttributeProcThread$ErrorLastListmemset$CloseCreateDeleteHandleInfoInitializeProcessStartupUpdate_wcsnicmplstrcmp
    • String ID: $%01C$%08X$=ExitCode$=ExitCodeAscii$COPYCMD$D$H$\XCOPY.EXE
    • API String ID: 1449572041-3461277227
    • Opcode ID: e572af9709e779ddf3a5678b60e3a5232f1df14ff5f0f1d6a56a20f5d9c1014a
    • Instruction ID: 72fa79b68cc32102436264658d9dd49dcc423a34fecb9f9992f6e987d2abbe7c
    • Opcode Fuzzy Hash: e572af9709e779ddf3a5678b60e3a5232f1df14ff5f0f1d6a56a20f5d9c1014a
    • Instruction Fuzzy Hash: D0C173B1A013159FEB749F59DC84BAE77BCEB85304F0440AAE6CAE7140EBB58984CF51
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 81%
    			E0103EE03(signed int __ecx, signed short* __edx, intOrPtr* _a4, WCHAR* _a8, intOrPtr _a12) {
    				signed int _v12;
    				struct _SYSTEMTIME _v32;
    				signed short _v36;
    				intOrPtr _v40;
    				struct _FILETIME _v48;
    				void _v68;
    				int _v80;
    				signed int _v84;
    				int _v88;
    				void _v608;
    				union _GET_FILEEX_INFO_LEVELS _v612;
    				signed int _v616;
    				WCHAR* _v620;
    				union _GET_FILEEX_INFO_LEVELS _v624;
    				signed int _v628;
    				WCHAR* _v632;
    				wchar_t* _v636;
    				wchar_t* _v640;
    				signed int* _v644;
    				WCHAR* _v648;
    				intOrPtr _v652;
    				intOrPtr _v656;
    				intOrPtr _v660;
    				signed int _v664;
    				signed int _v668;
    				intOrPtr _v672;
    				signed int _v676;
    				signed int _v680;
    				signed int _v684;
    				signed int _v688;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t206;
    				long _t209;
    				WCHAR* _t210;
    				wchar_t* _t212;
    				signed int* _t215;
    				long _t219;
    				long _t221;
    				signed int _t224;
    				signed int _t228;
    				signed int _t230;
    				signed int _t233;
    				signed int _t235;
    				signed int _t244;
    				signed int _t245;
    				signed int _t246;
    				signed int _t248;
    				signed int _t251;
    				signed int _t253;
    				signed int _t254;
    				signed int _t255;
    				wchar_t* _t262;
    				signed int _t263;
    				signed int _t275;
    				signed int _t276;
    				signed int _t283;
    				void* _t286;
    				signed int _t299;
    				signed int _t302;
    				signed int _t303;
    				signed int _t306;
    				signed int _t307;
    				void* _t310;
    				signed int _t311;
    				void* _t314;
    				signed int _t316;
    				signed short* _t319;
    				signed int* _t320;
    				void* _t326;
    				signed int _t328;
    				WCHAR* _t329;
    				wchar_t* _t330;
    				wchar_t* _t339;
    				void* _t340;
    				wchar_t* _t343;
    				wchar_t* _t345;
    				signed int _t348;
    				long _t349;
    				signed int _t350;
    				signed int _t351;
    				signed int _t352;
    				signed int _t355;
    				signed int _t356;
    				signed int _t358;
    				WCHAR* _t360;
    				signed char _t363;
    				intOrPtr* _t365;
    				WCHAR* _t373;
    				void* _t375;
    				WCHAR* _t378;
    				signed int _t379;
    				signed int _t424;
    				signed int _t425;
    				WCHAR* _t429;
    				void* _t430;
    				signed int _t432;
    				signed int _t435;
    				signed int _t445;
    				signed int _t449;
    				signed int _t458;
    				signed int _t460;
    				signed int _t462;
    				signed short* _t463;
    				void* _t466;
    				signed short* _t467;
    				signed int _t468;
    				signed int _t473;
    				signed int _t474;
    				signed int _t475;
    				wchar_t* _t476;
    				signed int _t477;
    				WCHAR* _t478;
    				signed int _t480;
    
    				_t206 =  *0x105e0b4; // 0x6030efd1
    				_v12 = _t206 ^ _t480;
    				_t478 = _a8;
    				_v628 = __ecx;
    				_t365 = _a4;
    				_t465 = __edx;
    				_v644 = _t365;
    				_t448 = 0;
    				_v640 = _t478;
    				_t360 = 0;
    				_v652 = _a12;
    				 *_t365 = 0;
    				if( *0x1066755 == 0 ||  *((short*)(__edx)) != 0x7e) {
    					_t209 =  *_t465 & 0x0000ffff;
    					if(_t209 == 0) {
    						goto L5;
    					}
    					_t212 = wcsrchr(_t478, _t209);
    					if(_t212 != 0) {
    						_t360 =  *(_v652 + (_t212 - _t478 >> 1) * 4);
    						_t215 = _v644;
    						 *_t215 =  *_t215 + 1;
    						__eflags =  *_t215;
    						goto L8;
    					}
    					goto L4;
    				} else {
    					_v612 = 0;
    					_t467 = __edx + 2;
    					_v624 = 0;
    					_v636 = __edx - 2;
    					__eflags =  *_t467;
    					if(__eflags == 0) {
    						L96:
    						_t468 = _v628;
    						__eflags = _t468;
    						if(_t468 != 0) {
    							L114:
    							_push(0xffffffff);
    							_push(_t468);
    							L116:
    							__imp__longjmp();
    							L117:
    							_t468 = _v628;
    							__eflags = _t468;
    							if(_t468 == 0) {
    								L99:
    								__imp__??_V@YAXPAX@Z(_t478);
    								L100:
    								_t210 = 0;
    								L6:
    								_pop(_t466);
    								return E01046B30(_t210, _t360, _v12 ^ _t480, _t448, _t466, _t478);
    							}
    							goto L114;
    						}
    						goto L100;
    					}
    					_t448 = 0xffce;
    					E01041A05( &_v620, 0xffce, __eflags);
    					_t478 = _v620;
    					_v648 = _t478;
    					__eflags = _t478;
    					if(_t478 == 0) {
    						goto L96;
    					}
    					_t219 =  *_t467 & 0x0000ffff;
    					_t373 = _t467;
    					_v620 = _t373;
    					_t448 = 0x24;
    					__eflags = _t219;
    					if(_t219 == 0) {
    						L17:
    						_v616 = 0;
    						_t221 =  *_t467 & 0x0000ffff;
    						__eflags = _t221;
    						if(_t221 == 0) {
    							_t467 = _t373;
    							L88:
    							_v612 = _v624;
    							L20:
    							_t224 = wcsrchr(_v640,  *_t467 & 0x0000ffff);
    							_pop(_t375);
    							__eflags = _t224;
    							if(_t224 == 0) {
    								goto L112;
    							}
    							_t360 =  *(_v652 + (_t224 - _v640 >> 1) * 4);
    							__eflags = _t360;
    							if(_t360 == 0) {
    								L24:
    								_t228 = _v612;
    								_t448 = _v616;
    								L25:
    								 *_v644 = (_t467 - _v636 + 2 >> 1) - 1;
    								__eflags = _t360;
    								if(_t360 == 0) {
    									L58:
    									__eflags = _t478;
    									if(_t478 != 0) {
    										L29:
    										__imp__??_V@YAXPAX@Z(_t478);
    										goto L8;
    									} else {
    										L8:
    										__eflags = _t360;
    										if(_t360 != 0) {
    											L5:
    											_t210 = _t360;
    											goto L6;
    										} else {
    											L4:
    											_t210 = 0x10320b8;
    											if( *_v644 != 0) {
    												goto L6;
    											}
    											goto L5;
    										}
    									}
    								}
    								_t378 = 0;
    								__eflags =  *_t360;
    								if( *_t360 == 0) {
    									goto L58;
    								}
    								__eflags = _t228 & 0x0000c000;
    								if((_t228 & 0x0000c000) != 0) {
    									 *_t478 = 0;
    									__eflags = _t448;
    									if(_t448 != 0) {
    										__eflags = _t448 - 0xffffffff;
    										if(_t448 == 0xffffffff) {
    											_t473 = 0;
    											L126:
    											_t360 = _t378;
    											goto L32;
    										}
    										_t473 = SearchPathW(_t448, _t360, 0, 0xffce, _t478,  &_v632);
    										__eflags = _t473;
    										if(_t473 == 0) {
    											_t378 = 0;
    											__eflags = 0;
    											goto L126;
    										}
    										_t230 = _v612;
    										__eflags = _t230;
    										if(_t230 == 0) {
    											_t230 = _t230 | 0x00008001;
    											_v612 = _t230;
    										}
    										goto L33;
    									} else {
    										_t473 = GetFullPathNameW(_t360, 0xffce, _t478,  &_v632);
    										L32:
    										_t230 = _v612;
    										L33:
    										_t379 = 0x20;
    										_t448 = 0xffce;
    										_v648 = _t230 & _t379;
    										E01040207(_t478, 0xffce, _t230 & _t379);
    										_t233 = wcsrchr(_t478, 0x5c);
    										_v632 = _t233;
    										__eflags = _t233;
    										if(_t233 == 0) {
    											_t235 = wcsrchr(_t478, 0);
    										} else {
    											_t235 = _t233 + 2;
    											__eflags = _t235;
    										}
    										_v632 = _t235;
    										__eflags = _t473;
    										if(_t473 == 0) {
    											goto L58;
    										} else {
    											_v84 = 1;
    											_t360 = 0;
    											_v80 = 0x104;
    											_v88 = 0;
    											memset( &_v608, 0, 0x104);
    											__eflags = _v84;
    											_t244 = E0103E3F0(((0 | _v84 == 0x00000000) - 0x00000001 & 0x0000fdc6) + 0x208);
    											__eflags = _t244;
    											if(_t244 < 0) {
    												_t245 = _v628;
    												__eflags = _t245;
    												if(_t245 != 0) {
    													_push(0xffffffff);
    													_push(_t245);
    													goto L116;
    												}
    												_t246 = _v88;
    												_v88 = 0;
    												__eflags = _t246;
    												if(_t246 != 0) {
    													__imp__??_V@YAXPAX@Z(_t246);
    												}
    												goto L99;
    											}
    											_t449 = _v88;
    											_t474 = _t449;
    											__eflags = _t449;
    											if(_t449 == 0) {
    												_t474 =  &_v608;
    											}
    											_t363 = _v612;
    											_t248 = _t363 & 0x00004000;
    											__eflags = _t248;
    											_v624 = _t248;
    											if(_t248 != 0) {
    												_t251 = GetFileAttributesExW(_t478, 0,  &_v68);
    												__eflags = _t251;
    												if(_t251 == 0) {
    													L174:
    													_t449 = _v88;
    													L175:
    													_t248 = _v624;
    													goto L39;
    												}
    												__eflags = _t363 & 0x00000100;
    												if((_t363 & 0x00000100) == 0) {
    													L142:
    													_t449 = _v88;
    													L143:
    													__eflags = _t363 & 0x00000200;
    													if((_t363 & 0x00000200) != 0) {
    														FileTimeToSystemTime( &_v48,  &_v32);
    														_t458 = _v88;
    														_v668 = _v32.wYear & 0x0000ffff;
    														_v672 = (_v32.wMonth & 0x0000ffff) - 1;
    														_v676 = _v32.wDay & 0x0000ffff;
    														_v680 = _v32.wHour & 0x0000ffff;
    														_v684 = _v32.wMinute & 0x0000ffff;
    														_v688 = _v32.wSecond & 0x0000ffff;
    														_v664 = _v32.wDayOfWeek & 0x0000ffff;
    														_v660 = 0;
    														_v656 = 0;
    														_t299 = _t458;
    														__eflags = _t458;
    														if(_t458 == 0) {
    															_t299 =  &_v608;
    														}
    														__eflags = _t474 - _t299;
    														if(_t474 != _t299) {
    															_t311 = _t458;
    															__eflags = _t458;
    															if(_t458 == 0) {
    																_t311 =  &_v608;
    															}
    															__eflags = _t474 - _t311 >> 1 - _v80 - 1;
    															if(_t474 - _t311 >> 1 < _v80 - 1) {
    																_t314 = 0x20;
    																 *_t474 = _t314;
    																_t474 = _t474 + 2;
    																__eflags = _t474;
    																_t458 = _v88;
    															}
    														}
    														__eflags = _t458;
    														if(_t458 == 0) {
    															_t458 =  &_v608;
    														}
    														_t302 = E01036854( &_v688, 0, _t474, _v80 - (_t474 - _t458 >> 1));
    														_t460 = _v88;
    														_t475 = _t474 + _t302 * 2;
    														_t303 = _t460;
    														__eflags = _t460;
    														if(_t460 == 0) {
    															_t303 =  &_v608;
    														}
    														__eflags = _t475 - _t303;
    														if(_t475 != _t303) {
    															_t307 = _t460;
    															__eflags = _t460;
    															if(_t460 == 0) {
    																_t307 =  &_v608;
    															}
    															__eflags = _t475 - _t307 >> 1 - _v80 - 1;
    															if(_t475 - _t307 >> 1 < _v80 - 1) {
    																_t310 = 0x20;
    																 *_t475 = _t310;
    																_t475 = _t475 + 2;
    																__eflags = _t475;
    																_t460 = _v88;
    															}
    														}
    														__eflags = _t460;
    														if(_t460 == 0) {
    															_t460 =  &_v608;
    														}
    														__eflags = _v80 - (_t475 - _t460 >> 1);
    														_t306 = E01039310( &_v688, 0, _t475, _v80 - (_t475 - _t460 >> 1));
    														_t449 = _v88;
    														_t474 = _t475 + _t306 * 2;
    													}
    													__eflags = _t363 & 0x00000400;
    													if((_t363 & 0x00000400) == 0) {
    														goto L175;
    													} else {
    														_t276 = _t449;
    														__eflags = _t449;
    														if(_t449 == 0) {
    															_t276 =  &_v608;
    														}
    														__eflags = _t474 - _t276;
    														if(_t474 != _t276) {
    															_t283 = _t449;
    															__eflags = _t449;
    															if(_t449 == 0) {
    																_t283 =  &_v608;
    															}
    															__eflags = _t474 - _t283 >> 1 - _v80 - 1;
    															if(_t474 - _t283 >> 1 < _v80 - 1) {
    																_t286 = 0x20;
    																 *_t474 = _t286;
    																_t474 = _t474 + 2;
    																__eflags = _t474;
    																_t449 = _v88;
    															}
    														}
    														_v32.wHour = _v36;
    														_v32.wSecond = _v40;
    														__eflags = _t449;
    														if(_t449 == 0) {
    															_t449 =  &_v608;
    														}
    														__eflags = 0;
    														_t474 = _t474 + E0105B325(0,  &(_v32.wHour), 0, _t474, _v80 - (_t474 - _t449 >> 1)) * 2;
    														goto L174;
    													}
    												}
    												_v636 = 0x1033d44;
    												_v32.wSecond = _v68;
    												while(1) {
    													_t449 = _v88;
    													_t316 = _t449;
    													__eflags = _t449;
    													if(_t449 == 0) {
    														_t316 =  &_v608;
    													}
    													__eflags = _t474 - _t316 >> 1 - _v80 - 1;
    													if(_t474 - _t316 >> 1 >= _v80 - 1) {
    														goto L143;
    													}
    													_t319 = _v636;
    													_t424 = _v32.wSecond;
    													__eflags =  *(_t319 - 4) & _t424;
    													if(( *(_t319 - 4) & _t424) == 0) {
    														_t425 = 0x2d;
    													} else {
    														_t425 =  *_t319 & 0x0000ffff;
    													}
    													_t320 =  &(_t319[4]);
    													 *_t474 = _t425;
    													_v636 = _t320;
    													_t474 = _t474 + 2;
    													__eflags =  *_t320;
    													if( *_t320 != 0) {
    														continue;
    													} else {
    														goto L142;
    													}
    												}
    												goto L143;
    											} else {
    												L39:
    												__eflags = _t363 & 0x00008000;
    												if((_t363 & 0x00008000) == 0) {
    													__eflags = _t248;
    													if(_t248 != 0) {
    														L55:
    														__eflags = _t449;
    														if(_t449 == 0) {
    															_t448 =  &_v608;
    														}
    														_t360 = E0103ACB0(_t448);
    														_t253 = _v88;
    														_v88 = 0;
    														__eflags = _t253;
    														if(_t253 != 0) {
    															__imp__??_V@YAXPAX@Z(_t253);
    														}
    														goto L58;
    													}
    												}
    												_t254 = _t449;
    												__eflags = _t449;
    												if(_t449 == 0) {
    													_t254 =  &_v608;
    												}
    												__eflags = _t474 - _t254;
    												if(_t474 != _t254) {
    													_t255 = _t449;
    													__eflags = _t449;
    													if(_t449 == 0) {
    														_t255 =  &_v608;
    													}
    													__eflags = _t474 - _t255 >> 1 - _v80 - 1;
    													if(_t474 - _t255 >> 1 < _v80 - 1) {
    														_t275 = 0x20;
    														 *_t474 = _t275;
    														_t474 = _t474 + 2;
    														_t449 = _v88;
    													}
    												}
    												__eflags = _t363 & 0x00000001;
    												if((_t363 & 0x00000001) != 0) {
    													L53:
    													__eflags = _t449;
    													if(_t449 == 0) {
    														_t449 =  &_v608;
    													}
    													__eflags = _v80 - (_t474 - _t449 >> 1);
    													E0103F3A0(_t474, _v80 - (_t474 - _t449 >> 1), _t478);
    													_t449 = _v88;
    													goto L55;
    												} else {
    													__eflags = _v648;
    													if(_v648 != 0) {
    														__eflags = _t363 & 0x0000001e;
    														if((_t363 & 0x0000001e) == 0) {
    															goto L53;
    														}
    													}
    													_t394 =  &(_t478[2]);
    													_v636 =  &(_t478[2]);
    													__eflags = _t363 & 0x00000002;
    													if((_t363 & 0x00000002) != 0) {
    														_t262 = _v632;
    													} else {
    														E0103F3A0(_t478, 0xffce, _t394);
    														_t394 = _t478;
    														_t262 = _v632 - 4;
    														__eflags = _t262;
    														_v636 = _t478;
    														_v632 = _t262;
    													}
    													__eflags = _t363 & 0x00000004;
    													if((_t363 & 0x00000004) == 0) {
    														__eflags = 0xffce;
    														E0103F3A0(_t394, 0xffce - (_t394 - _t478 >> 1), _t262);
    														_t262 = _v636;
    														_v632 = _t262;
    													}
    													_t263 = wcsrchr(_t262, 0x2e);
    													__eflags = _t263;
    													if(_t263 == 0) {
    														_v612 = 0;
    														_t263 =  &_v612;
    													}
    													__eflags = _t363 & 0x00000010;
    													if((_t363 & 0x00000010) == 0) {
    														__eflags = 0;
    														 *_t263 = 0;
    													}
    													__eflags = _t363 & 0x00000008;
    													if((_t363 & 0x00000008) == 0) {
    														E0103F3A0(_v632, 0xffce - (_v632 - _t478 >> 1), _t263);
    													}
    													_t449 = _v88;
    													goto L53;
    												}
    											}
    										}
    									}
    								} else {
    									_t360 = E0103ACB0(_t360);
    									goto L29;
    								}
    							}
    							_t326 = 0x22;
    							__eflags =  *_t360 - _t326;
    							if( *_t360 == _t326) {
    								_t360 = E0103ACB0( &(_t360[1]));
    								__eflags = _t360;
    								if(_t360 == 0) {
    									goto L117;
    								}
    								_t328 =  *_t360 & 0x0000ffff;
    								_t429 = _t360;
    								_t462 = _t328;
    								__eflags = _t328;
    								if(_t328 == 0) {
    									_t329 = _t360;
    									L80:
    									_t430 = 0x22;
    									__eflags = _t462 - _t430;
    									if(_t462 == _t430) {
    										 *_t329 = 0;
    									}
    									goto L24;
    								}
    								__eflags = 0;
    								do {
    									_t463 = _t429;
    									_t329 = _t429;
    									_t429 =  &(_t429[1]);
    									__eflags =  *_t429;
    								} while ( *_t429 != 0);
    								_t462 =  *_t463 & 0x0000ffff;
    								_t478 = _v648;
    								goto L80;
    							}
    							__eflags =  *_t467 - 0x30;
    							if( *_t467 == 0x30) {
    								_t432 =  *0x1066748;
    								_t448 = _v616;
    								_t228 = _v612;
    								__eflags = _t432;
    								if(_t432 != 0) {
    									__eflags =  *((intOrPtr*)(_t432 + 0x8c)) - _t360;
    									if( *((intOrPtr*)(_t432 + 0x8c)) == _t360) {
    										__eflags = _t448;
    										if(_t448 == 0) {
    											__eflags = _t228 & 0x0000c000;
    											if((_t228 & 0x0000c000) != 0) {
    												_t360 =  *_t432;
    											}
    										}
    									}
    								}
    								goto L25;
    							}
    							goto L24;
    						}
    						__eflags = _t221 - _t448;
    						if(_t221 == _t448) {
    							_t476 =  &(_t467[1]);
    							_v624 = _t476;
    							_t330 = wcschr(_t476, 0x3a);
    							_t477 = _t330;
    							_pop(_t375);
    							__eflags = _t477;
    							if(_t477 == 0) {
    								goto L112;
    							}
    							_v616 = (_t330 - _v624 >> 1) + 1;
    							_t435 = E0103DCD0((_t330 - _v624 >> 1) + 1 + (_t330 - _v624 >> 1) + 1);
    							_v620 = _t435;
    							__eflags = _t435;
    							if(_t435 != 0) {
    								_t448 = _v616;
    								E01042298(_t435, _v616, _v624, _v616 - 1);
    								_v616 = E01041D90(_v620);
    								E0103DC60(_v620);
    								__eflags = _v616;
    								if(_v616 == 0) {
    									_t109 =  &_v616;
    									 *_t109 = _v616 | 0xffffffff;
    									__eflags =  *_t109;
    								}
    								_t467 = _t477 + 2;
    								_v612 = _t360;
    								goto L20;
    							}
    							_t468 = _v628;
    							__eflags = _t468;
    							if(_t468 != 0) {
    								goto L114;
    							}
    							goto L99;
    						}
    						_t339 = wcsrchr(_v640, _t221);
    						__eflags = _t339;
    						if(_t339 == 0) {
    							_t467 = _v620;
    							goto L88;
    						}
    						goto L20;
    					} else {
    						_t448 = _t219;
    						while(1) {
    							_t340 = 0x24;
    							__eflags = _t448 - _t340;
    							if(_t448 == _t340) {
    								break;
    							}
    							_t343 = wcsrchr(L"fdpnxsatz", towlower(_t448) & 0x0000ffff);
    							__eflags = _t343;
    							if(_t343 != 0) {
    								_t345 = wcsrchr(_v640,  *_t467 & 0x0000ffff);
    								__eflags = _t345;
    								if(_t345 != 0) {
    									_v620 = _t467;
    									_v624 = _t360;
    								}
    								_t348 = towlower( *_t467 & 0x0000ffff) & 0x0000ffff;
    								_pop(_t375);
    								__eflags = _t348 - 0x70;
    								if(__eflags == 0) {
    									_t445 = 0x8004;
    								} else {
    									if(__eflags > 0) {
    										_t350 = _t348 - 0x73;
    										__eflags = _t350;
    										if(_t350 == 0) {
    											_t445 = 0x8020;
    											L68:
    											_t467 =  &(_t467[1]);
    											_t360 = _t445 | _t360;
    											_v612 = _t360;
    											_t349 =  *_t467 & 0x0000ffff;
    											_t448 = _t349;
    											__eflags = _t349;
    											if(_t349 != 0) {
    												continue;
    											}
    											_v612 = _t360;
    											break;
    										}
    										_t351 = _t350 - 1;
    										__eflags = _t351;
    										if(_t351 == 0) {
    											_t445 = 0x4200;
    											goto L68;
    										}
    										_t352 = _t351 - 4;
    										__eflags = _t352;
    										if(_t352 != 0) {
    											__eflags = _t352 != 0;
    											if(_t352 != 0) {
    												L112:
    												_t468 = _v628;
    												__eflags = _t468;
    												if(_t468 == 0) {
    													goto L99;
    												}
    												E010378E4(_t375, 0x400023a8, 1, _v636);
    												goto L114;
    											}
    											_t445 = 0x4400;
    											goto L68;
    										}
    										_t445 = 0x8010;
    										goto L68;
    									}
    									_t355 = _t348 - 0x61;
    									__eflags = _t355;
    									if(_t355 == 0) {
    										_t445 = 0x4100;
    										goto L68;
    									}
    									_t356 = _t355 - 3;
    									__eflags = _t356;
    									if(_t356 == 0) {
    										_t445 = 0x8002;
    										goto L68;
    									}
    									_t358 = _t356;
    									__eflags = _t358;
    									if(_t358 == 0) {
    										_t445 = 0x8001;
    										goto L68;
    									}
    									__eflags = _t358 != 8;
    									if(_t358 != 8) {
    										goto L112;
    									}
    									_t445 = 0x8008;
    								}
    								goto L68;
    							}
    							break;
    						}
    						_t373 = _v620;
    						_t448 = 0x24;
    						goto L17;
    					}
    				}
    			}
    0x0103ef4a
    0x0104de80
    0x0104de86
    0x0104de8c
    0x0104de92
    0x0104de95
    0x0104de96
    0x0104de98
    0x00000000
    0x00000000
    0x0104dea7
    0x0104deb5
    0x0104deb7
    0x0104debd
    0x0104debf
    0x0104ded0
    0x0104dee0
    0x0104def6
    0x0104defc
    0x0104df01
    0x0104df08
    0x0104df0a
    0x0104df0a
    0x0104df0a
    0x0104df0a
    0x0104df11
    0x0104df1a
    0x00000000
    0x0104df1a
    0x0104dec1
    0x0104dec7
    0x0104dec9
    0x00000000
    0x00000000
    0x00000000
    0x0104decb
    0x0103ef57
    0x0103ef5f
    0x0103ef61
    0x0103f341
    0x00000000
    0x0103f341
    0x00000000
    0x0103eeff
    0x0103eeff
    0x0103ef01
    0x0103ef03
    0x0103ef04
    0x0103ef07
    0x00000000
    0x00000000
    0x0103ef1a
    0x0103ef22
    0x0103ef24
    0x0103f1e7
    0x0103f1ef
    0x0103f1f1
    0x0103f330
    0x0103f336
    0x0103f336
    0x0103f201
    0x0103f204
    0x0103f205
    0x0103f208
    0x0103f2fd
    0x0103f20e
    0x0103f20e
    0x0103f36c
    0x0103f36c
    0x0103f36f
    0x0104de76
    0x0103f23e
    0x0103f23e
    0x0103f243
    0x0103f245
    0x0103f24b
    0x0103f24e
    0x0103f250
    0x0103f253
    0x00000000
    0x00000000
    0x0103f259
    0x00000000
    0x0103f259
    0x0103f375
    0x0103f375
    0x0103f378
    0x0104de6c
    0x00000000
    0x0104de6c
    0x0103f37e
    0x0103f37e
    0x0103f381
    0x0104de59
    0x0104de5c
    0x0104df25
    0x0104df25
    0x0104df2b
    0x0104df2d
    0x00000000
    0x00000000
    0x0104df40
    0x00000000
    0x0104df45
    0x0104de62
    0x00000000
    0x0104de62
    0x0103f387
    0x00000000
    0x0103f387
    0x0103f214
    0x0103f214
    0x0103f217
    0x0103f358
    0x00000000
    0x0103f358
    0x0103f21d
    0x0103f21d
    0x0103f220
    0x0103f2f3
    0x00000000
    0x0103f2f3
    0x0103f227
    0x0103f227
    0x0103f22a
    0x0103f362
    0x00000000
    0x0103f362
    0x0103f230
    0x0103f233
    0x00000000
    0x00000000
    0x0103f239
    0x0103f239
    0x00000000
    0x0103f208
    0x00000000
    0x0103ef24
    0x0103ef2a
    0x0103ef32
    0x00000000
    0x0103ef32
    0x0103eefd

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: wcsrchr$Pathtowlower$FullNameSearchmemset
    • String ID: fdpnxsatz
    • API String ID: 1385210497-1106894203
    • Opcode ID: 87317be38f7bfd838867e666f779d6a2f57a57c3d6f7e24358ab0b85580c46ad
    • Instruction ID: 88c8b1a3a6db923fe3d7f845ce6206b72ece6dcab0ff4ee8af8589ae2dfaa2d6
    • Opcode Fuzzy Hash: 87317be38f7bfd838867e666f779d6a2f57a57c3d6f7e24358ab0b85580c46ad
    • Instruction Fuzzy Hash: F1429375E0421A8BDF64DE6CC8886BEB7F5FF94300F1481A9E985E7284EB359981CB50
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 62%
    			E0103540A(long __ecx, long __edx, char _a4, intOrPtr _a8, signed int _a12) {
    				signed int _v8;
    				short _v12;
    				void* _v20;
    				void* _v22;
    				void* _v24;
    				void* _v44;
    				void* _v48;
    				void* _v52;
    				void* _v56;
    				long _v564;
    				char _v568;
    				LPWSTR* _v572;
    				void* _v576;
    				void* _v584;
    				void* _v592;
    				void _v1092;
    				long _v1100;
    				char _v1104;
    				LPWSTR* _v1108;
    				signed int _v1112;
    				void* _v1116;
    				void* _v1120;
    				void* _v1124;
    				void* _v1128;
    				void _v1628;
    				intOrPtr _v1632;
    				char _v1644;
    				LPWSTR* _v1648;
    				long _v1652;
    				int _v1656;
    				signed int _v1660;
    				char _v1664;
    				intOrPtr _v1668;
    				int _v1672;
    				void* _v1676;
    				void* _v1680;
    				void* _v1681;
    				char _v1682;
    				void* _v1684;
    				void* _v1688;
    				void* _v1692;
    				void* _v1693;
    				void* _v1694;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t171;
    				signed int _t188;
    				signed int _t189;
    				signed int _t190;
    				char _t198;
    				short _t199;
    				short _t200;
    				void* _t202;
    				intOrPtr _t204;
    				signed int _t209;
    				void* _t211;
    				signed int _t214;
    				void* _t223;
    				signed int _t230;
    				signed int _t240;
    				signed int _t243;
    				long _t244;
    				signed int _t245;
    				LPWSTR* _t255;
    				LPWSTR* _t256;
    				signed int _t258;
    				signed int _t260;
    				WCHAR* _t262;
    				long _t263;
    				signed int _t264;
    				long _t265;
    				void* _t266;
    				WCHAR* _t267;
    				long _t268;
    				signed int _t271;
    				void* _t272;
    				signed int _t278;
    				long _t282;
    				signed int _t285;
    				long _t286;
    				char _t290;
    				void* _t292;
    				signed int _t297;
    				void* _t307;
    				void* _t313;
    				signed int _t319;
    				signed int _t326;
    				signed int _t328;
    				WCHAR* _t332;
    				long _t335;
    				signed int _t338;
    				signed int _t348;
    				signed int _t351;
    				void* _t358;
    				void* _t363;
    				void* _t366;
    				signed int _t368;
    				long _t371;
    				void* _t372;
    				signed int _t375;
    				signed int _t377;
    				void* _t381;
    				long _t382;
    				signed int _t385;
    				void* _t387;
    				long _t390;
    				void* _t391;
    				void* _t395;
    				signed int _t397;
    				signed int _t398;
    				signed int _t400;
    				signed int _t402;
    
    				_t357 = __edx;
    				_t400 = (_t398 & 0xfffffff8) - 0x68c;
    				_t171 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t171 ^ _t400;
    				_v1668 = _a8;
    				_v1652 = __edx;
    				_v1648 = 0;
    				_t371 = __ecx;
    				_v572 = 0;
    				_v568 = 1;
    				_v564 = 0x104;
    				memset( &_v1092, 0, 0x104);
    				_v1108 = 0;
    				_v1104 = 1;
    				_v1100 = 0x104;
    				memset( &_v1628, 0, 0x104);
    				_t402 = _t400 + 0x18;
    				_t290 = 0x7ee3;
    				if(E0103E3F0(((0 | _v568 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0 || E0103E3F0(((0 | _v1104 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
    					_t300 = 0x2374;
    					goto L67;
    				} else {
    					_t198 = E01035929(_t371);
    					_t290 = _t198;
    					_t382 = _t371;
    					_t199 = 0x2a;
    					 *((short*)(_t402 + 0x690)) = _t199;
    					_t200 = 0x3f;
    					 *((short*)(_t402 + 0x68e)) = _t200;
    					_t307 = _t382 + 2;
    					_v12 = 0;
    					_t358 = 2;
    					do {
    						_t202 =  *_t382;
    						_t382 = _t382 + _t358;
    					} while (_t202 != _v1648);
    					_t357 = _t402 + 0x68c;
    					E01039EBA(_t371, _t402 + 0x68c);
    					asm("sbb esi, esi");
    					_t385 =  ~(_t382 - _t307 >> 1);
    					 *(_t402 + 0x34) = _t385;
    					if(_t290 == 0xffffffff) {
    						__eflags = _a12;
    						if(_a12 == 0) {
    							L7:
    							_t290 = 2;
    							 *((char*)(_t402 + 0x12)) = _t290;
    							L8:
    							 *((char*)(_t402 + 0x13)) = 1;
    							L9:
    							_t204 = 0x20;
    							 *((intOrPtr*)(_t402 + 0x38)) = _t204;
    							if(E0104589A(E010459D0, _t371, _t204, 0,  *(_v1668 + 0x18),  &_v1664) == 0) {
    								_t313 = 0x10;
    								 *((intOrPtr*)(_t402 + 0x38)) = E010459D0;
    								_t209 = E0104589A(E010459D0, _t371, _t313, 0,  *(_v1668 + 0x18),  &_v1664);
    								__eflags = _t209;
    								if(_t209 != 0) {
    									goto L10;
    								}
    								_t282 =  *0x10667a8;
    								__eflags = _t282 - 0x12;
    								if(__eflags != 0) {
    									_t357 = 0x234d;
    									__eflags = _t385;
    									if(__eflags == 0) {
    										_t357 = _t282;
    									}
    								} else {
    									_t357 = 2;
    								}
    								_t300 = _t357;
    								L67:
    								L0105693A(_t290, _t300, __eflags);
    								L68:
    								E01036468();
    								E01039ABF(0x1078e30, 0x104, L"%9d", 1);
    								E010363BD(_t300, 0x236d, 1, 0x1078e30);
    								_t188 = _v1108;
    								_t402 = _t402 + 0x1c;
    								_v1108 = 0;
    								__eflags = _t188;
    								if(_t188 != 0) {
    									__imp__??_V@YAXPAX@Z(_t188);
    								}
    								_t189 = _v572;
    								_v572 = 0;
    								__eflags = _t189;
    								if(_t189 != 0) {
    									__imp__??_V@YAXPAX@Z(_t189);
    								}
    								_t190 = 0;
    								L46:
    								_pop(_t372);
    								_pop(_t381);
    								_pop(_t292);
    								return E01046B30(_t190, _t292, _v8 ^ _t402, _t357, _t372, _t381);
    							}
    							L10:
    							_v1656 = 0;
    							_v1672 = 0;
    							E0103A641(_t371);
    							_t317 = _v576;
    							if(_v576 == 0) {
    								_t317 =  &_v1092;
    							}
    							_t357 = 0x5c;
    							_t211 = E010401F5(_t317, _t357);
    							_t386 = _t290 + _t211;
    							_v1632 = _t290 + _t211;
    							while( *0x106259c == 0) {
    								_t322 = _v572;
    								if(_v572 == 0) {
    									_t322 =  &_v1092;
    								}
    								_t373 = _v1668;
    								E0103F3A0(_t386, _v564 - (_t386 - _t322 >> 1),  &(( *(_v1668 + 0x18))[0xb]));
    								E0103A641(_v1656);
    								if(_v1682 == 1) {
    									_t325 = _v1108;
    									__eflags = _v1108;
    									if(_v1108 == 0) {
    										_t325 =  &_v1628;
    									}
    									_t363 = 0x5c;
    									_t223 = E010401F5(_t325, _t363);
    									_t326 = _v1108;
    									_t387 = _t290 + _t223;
    									__eflags = _t326;
    									if(_t326 == 0) {
    										_t326 =  &_v1628;
    									}
    									E0103F3A0(_t387, _v1100 - (_t387 - _t326 >> 1),  *((intOrPtr*)(_t373 + 0x18)) + 0x2c);
    									_t328 = _v1112;
    									__eflags = _t328;
    									if(_t328 == 0) {
    										_t328 =  &_v1628;
    									}
    									_t357 = _t328 + 2;
    									__eflags = 0;
    									do {
    										_t230 =  *_t328;
    										_t328 = _t328 + _t290;
    										__eflags = _t230;
    									} while (_t230 != 0);
    									__eflags = _t328 - _t357 >> 1 - 0x7fe7;
    									if(_t328 - _t357 >> 1 <= 0x7fe7) {
    										goto L15;
    									}
    									E01038B4D(_v1664);
    									E01036468();
    									_t300 = 0x232e;
    									goto L67;
    								} else {
    									L15:
    									 *((char*)(_t402 + 0x67c)) = 1;
    									 *(_t402 + 0x678) = 0;
    									 *(_t402 + 0x688) = 0x104;
    									memset(_t402 + 0x478, 0, 0x104);
    									_t402 = _t402 + 0xc;
    									if(E0103E3F0(((0 |  *((intOrPtr*)(_t402 + 0x67c)) == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
    										_t240 =  *(_t402 + 0x678);
    										_t332 = 0;
    										 *(_t402 + 0x678) = 0;
    										_t390 = 8;
    										_v1672 = 0x104;
    										__eflags = _t240;
    										if(_t240 != 0) {
    											__imp__??_V@YAXPAX@Z();
    											_t332 = _t240;
    										}
    										L109:
    										__eflags =  *(_t402 + 0x34);
    										if( *(_t402 + 0x34) != 0) {
    											_t260 = _v572;
    											__eflags = _t260;
    											if(_t260 == 0) {
    												_t260 =  &_v1092;
    											}
    											E01039950(L"%s\r\n");
    											_t332 = _t260;
    										}
    										_push(0);
    										_push(_t390);
    										E010378E4(_t332);
    										_t357 = _v1108;
    										_t335 = _t357;
    										__eflags = _t357;
    										if(_t357 == 0) {
    											_t335 =  &_v1628;
    										}
    										_t391 = _t335 + 2;
    										__eflags = 0;
    										do {
    											_t243 =  *_t335;
    											_t335 = _t335 + _t290;
    											__eflags = _t243;
    										} while (_t243 != 0);
    										_t244 = _t357;
    										_t338 = (_t335 - _t391 >> 1) - 1;
    										_v1660 = _t338;
    										__eflags = _t357;
    										if(_t357 == 0) {
    											_t244 =  &_v1628;
    										}
    										__eflags =  *((short*)(_t244 + _t338 * 2)) - 0x2e;
    										if( *((short*)(_t244 + _t338 * 2)) == 0x2e) {
    											__eflags = _t357;
    											if(_t357 == 0) {
    												_t357 =  &_v1628;
    											}
    											__eflags = 0;
    											 *((short*)(_t357 + _t338 * 2)) = 0;
    											_t357 = _v1108;
    										}
    										__eflags = _t357;
    										if(_t357 == 0) {
    											_t357 =  &_v1628;
    										}
    										_t245 = _v572;
    										__eflags = _t245;
    										if(_t245 == 0) {
    											_t245 =  &_v1092;
    										}
    										__imp___wcsicmp(_t245, _t357);
    										__eflags = _t245;
    										if(_t245 == 0) {
    											L41:
    											E01038B4D(_v1664);
    											E01036468();
    											E01039ABF(0x1078e30, 0x104, L"%9d", _v1656);
    											asm("sbb eax, eax");
    											E010363BD(_v1668,  ~( *( *(_v1668 + 0x18)) & 0x10) + 0x236e, 1, 0x1078e30);
    											_t255 = _v1108;
    											_t402 = _t402 + 0x1c;
    											_t297 = 0 | _v1672 != 0x00000000;
    											_v1108 = 0;
    											if(_t255 != 0) {
    												__imp__??_V@YAXPAX@Z(_t255);
    											}
    											_t256 = _v572;
    											_v572 = 0;
    											if(_t256 != 0) {
    												__imp__??_V@YAXPAX@Z(_t256);
    											}
    											_t190 = _t297;
    											goto L46;
    										} else {
    											L40:
    											if( *((char*)(_t402 + 0x13)) == 0) {
    												L96:
    												_t357 =  *(_v1668 + 0x18);
    												_t258 = E01045851(E010459D0,  *(_v1668 + 0x18),  *((intOrPtr*)(_t402 + 0x3c)), _v1664);
    												__eflags = _t258;
    												if(_t258 == 0) {
    													goto L41;
    												}
    												_t386 = _v1632;
    												continue;
    											}
    											goto L41;
    										}
    									}
    									if( *(_t402 + 0x678) == 0) {
    										_t332 = _t402 + 0x470;
    									}
    									_t262 = _v1108;
    									if(_t262 == 0) {
    										_t262 =  &_v1628;
    									}
    									_t263 = GetFullPathNameW(_t262, _v1100, _t332, 0);
    									if(_t263 == 0 || _t263 >= 0x7fe7) {
    										L102:
    										_t264 =  *(_t402 + 0x678);
    										 *(_t402 + 0x678) = 0;
    										__eflags = _t264;
    										if(_t264 != 0) {
    											__imp__??_V@YAXPAX@Z();
    											_t332 = _t264;
    										}
    										goto L104;
    									} else {
    										_t348 =  *(_t402 + 0x678);
    										_t375 = _t348;
    										if(_t348 == 0) {
    											_t375 = _t402 + 0x470;
    										}
    										_t366 = _t375 + 2;
    										do {
    											_t266 =  *_t375;
    											_t375 = _t375 + _t290;
    										} while (_t266 != 0);
    										_t377 = _t375 - _t366 >> 1;
    										if(_t348 == 0) {
    											_t332 = _t402 + 0x470;
    										}
    										_t267 = _v572;
    										if(_t267 == 0) {
    											_t267 =  &_v1092;
    										}
    										_t268 = GetFullPathNameW(_t267, _v564, _t332, 0);
    										if(_t268 == 0 || _t268 >= 0x7fe7) {
    											goto L102;
    										} else {
    											_t349 =  *(_t402 + 0x678);
    											if( *(_t402 + 0x678) == 0) {
    												_t349 = _t402 + 0x470;
    											}
    											if(E0103532E(_t349,  *((intOrPtr*)(_t402 + 0x680)),  &_v1660) == 0) {
    												_t271 =  *(_t402 + 0x678);
    												 *(_t402 + 0x678) = 0;
    												__eflags = _t271;
    												if(_t271 != 0) {
    													__imp__??_V@YAXPAX@Z(_t271);
    												}
    												goto L96;
    											} else {
    												_t368 =  *(_t402 + 0x678);
    												_t351 = _t368;
    												if(_t368 == 0) {
    													_t351 = _t402 + 0x470;
    												}
    												_t395 = _t351 + 2;
    												goto L31;
    												L34:
    												if(_t397 + _t377 > 0x7fe7) {
    													_t390 = 0xce;
    													L108:
    													_v1672 = _t390;
    													goto L109;
    												}
    												if(_v1108 == 0) {
    													_t357 =  &_v1628;
    												}
    												if(_v572 == 0) {
    													_t332 =  &_v1092;
    												}
    												if(E010353CB(_t332, _t357,  &_a4,  &_v1644) == 0) {
    													L104:
    													_t265 = GetLastError();
    													_t390 = _t265;
    													_v1672 = _t265;
    													__eflags = _t390 - 0xb7;
    													if(_t390 != 0xb7) {
    														__eflags = _t390 - 1;
    														if(_t390 != 1) {
    															goto L109;
    														}
    														_t390 = 0x40002730;
    														goto L108;
    													}
    													_t390 = 0x234d;
    													goto L108;
    												} else {
    													if(_v1644 != 0) {
    														_v1656 = _v1656 + 1;
    														if( *(_t402 + 0x34) != 0) {
    															_t278 = _v572;
    															__eflags = _t278;
    															if(_t278 == 0) {
    																_t278 =  &_v1092;
    															}
    															_push(_t278);
    															E01039950(L"%s\r\n");
    														}
    													}
    													goto L40;
    												}
    												L31:
    												_t272 =  *_t351;
    												_t351 = _t351 + _t290;
    												if(_t272 != _v1648) {
    													goto L31;
    												} else {
    													_t332 = _t351 - _t395 >> 1;
    													_t397 = _v1660 - _t332;
    													 *(_t402 + 0x678) = 0;
    													_v1660 = _t397;
    													if(_t368 != 0) {
    														__imp__??_V@YAXPAX@Z();
    														_t332 = _t368;
    													}
    													goto L34;
    												}
    											}
    										}
    									}
    								}
    							}
    							E01038B4D(_v1664);
    							E01036468();
    							_t214 = _v1108;
    							_v1108 = 0;
    							__eflags = _t214;
    							if(_t214 != 0) {
    								__imp__??_V@YAXPAX@Z(_t214);
    							}
    							_t319 = _v572;
    							_v572 = 0;
    							__eflags = _t319;
    							if(_t319 != 0) {
    								__imp__??_V@YAXPAX@Z(_t319);
    							}
    							_t190 = 1;
    							goto L46;
    						}
    						_t357 = _v1652;
    						_t300 = _t371;
    						_t285 = E010353CB(_t371, _v1652,  &_a4,  &_v1644);
    						__eflags = _t285;
    						if(_t285 != 0) {
    							goto L68;
    						}
    						_t286 = GetLastError();
    						__eflags = _t286 - 0xb7;
    						if(__eflags != 0) {
    							__eflags = _t286 - 1;
    							if(__eflags == 0) {
    								_t286 = 0x40002730;
    							}
    						} else {
    							_t286 = 0x234d;
    						}
    						_t300 = _t286;
    						goto L67;
    					}
    					if(_t290 > 1) {
    						__eflags = _a12;
    						if(__eflags == 0) {
    							_t300 = 0x40002720;
    							goto L67;
    						}
    						 *((char*)(_t402 + 0x12)) = 1;
    						 *((char*)(_t402 + 0x17)) = 0;
    						_t290 = 2;
    						goto L9;
    					}
    					if(_a12 != 0) {
    						 *((char*)(_t402 + 0x16)) = 1;
    						_t290 = 2;
    						goto L8;
    					}
    					goto L7;
    				}
    			}

    APIs
    • memset.MSVCRT ref: 01035461
    • memset.MSVCRT ref: 01035486
      • Part of subcall function 0103E3F0: memset.MSVCRT ref: 0103E455
    • memset.MSVCRT ref: 01035639
    • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00000000,-00000001,?,-00000001,-00000001,?,?,?,00000104,00000000,00000000), ref: 01035694
    • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00000000,?,-00000001,-00000001,?,?,?,00000104,00000000,00000000), ref: 010356F0
    • ??_V@YAXPAX@Z.MSVCRT ref: 0103576D
    • ??_V@YAXPAX@Z.MSVCRT ref: 01035841
      • Part of subcall function 010401F5: wcsrchr.MSVCRT ref: 010401FB
    • ??_V@YAXPAX@Z.MSVCRT ref: 0103585B
    • ??_V@YAXPAX@Z.MSVCRT ref: 010496FE
    • ??_V@YAXPAX@Z.MSVCRT ref: 01049718
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: memset$FullNamePath$wcsrchr
    • String ID: %9d$%s
    • API String ID: 432913563-3662383364
    • Opcode ID: 96b47ebf29cffcf21aa59476c69e1f271b2adf2b607d195e269664bb1f15fdcc
    • Instruction ID: 73aee211bfd2c05c90a26c50b154aad67c91e6bc2d55e8c3772e6ef1eb7058d9
    • Opcode Fuzzy Hash: 96b47ebf29cffcf21aa59476c69e1f271b2adf2b607d195e269664bb1f15fdcc
    • Instruction Fuzzy Hash: 6822AEB1608342DBE778DF28C884AAF77E9AFC8314F04497DE9C997290EB359944C752
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 76%
    			E01034C10(char _a4, void* _a8, char _a12, signed int* _a16, char _a20, long _a24, char _a28, void* _a30, long _a32, int _a36, void _a40, void* _a552, int _a556, int _a560, signed int _a564, int _a568, void* _a608, void* _a632, char _a636, void* _a660, intOrPtr _a664, void _a668, void _a672, void* _a674, signed int _a676, signed short _a678, void* _a1172, void* _a1188, int _a1192, signed int _a1196, int _a1200, signed int _a17068) {
    				void* _v0;
    				void* _v4;
    				void* _v8;
    				intOrPtr _v12;
    				intOrPtr _v16;
    				intOrPtr _v20;
    				void* _v24;
    				void* _v32;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				signed int _t187;
    				signed int _t190;
    				signed int _t191;
    				void* _t192;
    				signed int _t195;
    				signed int _t201;
    				signed int _t210;
    				signed int _t211;
    				signed int _t215;
    				signed int _t216;
    				intOrPtr _t217;
    				intOrPtr _t218;
    				signed int _t220;
    				signed int _t222;
    				signed int _t224;
    				signed int _t225;
    				signed int* _t230;
    				signed int _t239;
    				signed int _t241;
    				signed int _t243;
    				WCHAR* _t244;
    				void* _t245;
    				signed int _t246;
    				void* _t248;
    				signed int _t259;
    				void* _t260;
    				signed int _t275;
    				signed int _t280;
    				signed int _t284;
    				WCHAR* _t285;
    				signed int _t286;
    				signed int _t289;
    				signed int _t290;
    				signed int _t310;
    				void* _t314;
    				signed int _t315;
    				void* _t316;
    				struct _SECURITY_DESCRIPTOR* _t318;
    				void* _t319;
    				void* _t320;
    				intOrPtr _t321;
    				intOrPtr* _t336;
    				int _t343;
    				int _t351;
    				int _t370;
    				void* _t377;
    				void* _t379;
    				intOrPtr _t380;
    				intOrPtr _t387;
    				intOrPtr _t394;
    				intOrPtr _t395;
    				signed int* _t400;
    				void* _t401;
    				int _t402;
    				int _t405;
    				void* _t406;
    				signed int _t407;
    				signed int _t408;
    
    				_t408 = _t407 & 0xfffffff8;
    				E01047F80(0x42b4);
    				_t187 =  *0x105e0b4; // 0x6030efd1
    				_a17068 = _t187 ^ _t408;
    				_t377 = _a4;
    				_t314 = _a8;
    				_t405 = _a12;
    				_t400 = _a16;
    				_t320 = _t314 + 4;
    				_v0 = _t320;
    				_t321 =  *((intOrPtr*)(_t320 + 0x1c));
    				 *((intOrPtr*)(_t377 + 0x28)) =  *((intOrPtr*)(_t377 + 0x28)) +  *((intOrPtr*)(_t320 + 0x20));
    				_a8 = _t377;
    				asm("adc [edx+0x2c], ecx");
    				_t190 =  *_t400;
    				_t378 = _t190;
    				_v4 = _t314;
    				_a16 = _t400;
    				if((_t190 & 0x00000010) != 0) {
    					__eflags = _t190;
    					if(_t190 < 0) {
    						goto L1;
    					}
    					 *_t400 = _t190 & 0xffffffef;
    					_t195 = E01034BF0(_t400, _a8, _t405, _t400);
    					_t378 =  *_t400 | 0x00000010;
    					 *_t400 = _t378;
    					__eflags = _t195;
    					if(_t195 != 0) {
    						L5:
    						_pop(_t401);
    						_pop(_t406);
    						_pop(_t316);
    						return E01046B30(_t195, _t316, _a17068 ^ _t408, _t378, _t401, _t406);
    					} else {
    						_t378 = _t378 | 0x80000000;
    						 *_t400 = _t378;
    						goto L1;
    					}
    				}
    				L1:
    				if((_t378 & 0x00000040) == 0) {
    					__eflags = _t378 & 0x00000004;
    					if((_t378 & 0x00000004) == 0) {
    						__eflags = _t378 & 0x00000402;
    						if(__eflags == 0) {
    							_t191 =  *(_t314 + 2) & 0x0000ffff;
    							__eflags = _t191;
    							if(_t191 == 0) {
    								_t192 = 0x2c;
    							} else {
    								_t192 = 0x2c + _t191 * 2;
    							}
    							_t315 = E0105AB22(_t405, _t378, _t192 + _t314 + 4, _t321);
    							__eflags = _t315;
    							if(_t315 == 0) {
    								_t379 = 0xe;
    								E010580B1(_t405, _t379);
    								_t378 = _t400[0x17];
    								_t315 = E0105AA73(_t405, _t400[0x17],  *_t400, _v0);
    							}
    							__eflags =  *(_t405 + 8);
    							if( *(_t405 + 8) != 0) {
    								_t195 = E010349F8(_t315, _t405, _t400);
    								__eflags = _t195;
    								if(_t195 != 0) {
    									goto L5;
    								}
    							}
    							goto L4;
    						}
    						_t329 = _t405;
    						_t378 = _t400[0x17];
    						_t315 = E0105A94D(_t314, _t405, _t400[0x17], __eflags, _t400[0x17], _v0);
    						_t200 = 0;
    						_a16 = 0;
    						__eflags = _t315;
    						if(_t315 != 0) {
    							L72:
    							__eflags =  *(_t405 + 8) - _t200;
    							if( *(_t405 + 8) == _t200) {
    								L74:
    								__eflags =  *_t400 & 0x00100000;
    								if(( *_t400 & 0x00100000) == 0) {
    									goto L4;
    								}
    								_t201 = E010472EF(_t329);
    								__eflags = _t201;
    								if(_t201 == 0) {
    									goto L4;
    								}
    								_a1196 = 1;
    								_a1200 = 0x104;
    								_a1192 = 0;
    								memset( &_a672, 0, 0x104);
    								_t408 = _t408 + 0xc;
    								__eflags = _a1196;
    								_t210 = E0103E3F0(((0 | _a1196 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104);
    								__eflags = _t210;
    								if(_t210 < 0) {
    									L95:
    									_t211 = _a1192;
    									_a1192 = 0;
    									__eflags = _t211;
    									if(_t211 != 0) {
    										__imp__??_V@YAXPAX@Z(_t211);
    									}
    									goto L4;
    								}
    								_t334 = _a1192;
    								__eflags = _a1192;
    								if(_a1192 == 0) {
    									_t334 =  &_a672;
    								}
    								_t378 = _a1200;
    								_t215 = E010434B8(_t334, _a1200,  *((intOrPtr*)(_a8 + 4)), _v0 + 0x2c);
    								__eflags = _t215;
    								if(_t215 == 0) {
    									_t216 = _a1192;
    									__eflags = _t216;
    									if(_t216 == 0) {
    										_t216 =  &_a672;
    									}
    									_t378 = 0;
    									_t217 =  *0x107d038(_t216, 0,  &_a40, 0);
    									_v20 = _t217;
    									__eflags = _t217 - 0xffffffff;
    									if(_t217 != 0xffffffff) {
    										do {
    											_t336 =  &_a32;
    											_t378 = _t336 + 2;
    											do {
    												_t218 =  *_t336;
    												_t336 = _t336 + 2;
    												__eflags = _t218 - _a8;
    											} while (_t218 != _a8);
    											__eflags = _t336 - _t378 >> 1 - 2;
    											if(__eflags < 0) {
    												L87:
    												_t378 =  *_t400;
    												_t220 = E0105A65F(_t405,  *_t400, __eflags, _v16,  &_a24);
    												_t315 = _t220;
    												__eflags = _t315;
    												if(_t315 != 0) {
    													goto L93;
    												}
    												__eflags =  *(_t405 + 8) - _t220;
    												if( *(_t405 + 8) == _t220) {
    													goto L93;
    												}
    												_t224 = E010349F8(_t315, _t405, _t400);
    												_v0 = _t224;
    												__eflags = _t224;
    												if(_t224 == 0) {
    													goto L93;
    												}
    												_t225 =  *(_t408 + 0x4b8);
    												 *(_t408 + 0x4b8) = 0;
    												__eflags = _t225;
    												if(_t225 != 0) {
    													__imp__??_V@YAXPAX@Z(_t225);
    												}
    												_t195 = _v0;
    												goto L5;
    											}
    											__eflags =  *((short*)(_t408 + 0x42)) - 0x3a;
    											if(__eflags == 0) {
    												goto L93;
    											}
    											goto L87;
    											L93:
    											_t222 =  *0x107d00c(_v20,  &_a24);
    											__eflags = _t222;
    										} while (_t222 != 0);
    										FindClose( *(_t408 + 0xc));
    									}
    								}
    								goto L95;
    							}
    							_t329 = _t405;
    							_t195 = E010349F8(_t315, _t405, _t400);
    							__eflags = _t195;
    							if(_t195 != 0) {
    								goto L5;
    							}
    							goto L74;
    						}
    						__eflags =  *_t400 & 0x00000400;
    						if(( *_t400 & 0x00000400) == 0) {
    							_t380 =  *0x105e190; // 0x13
    							_t381 = _t380 + 0x13;
    							__eflags = _t380 + 0x13;
    						} else {
    							_t319 = _v4;
    							__eflags =  *(_t319 + 2);
    							if( *(_t319 + 2) != 0) {
    								_t395 =  *0x105e190; // 0x13
    								_t370 = _t405;
    								E010580B1(_t370, _t395 + 0x13);
    								_push(_t370);
    								E01034898(_t405,  *_t400, _t319 + 0x30 + ( *(_t319 + 2) & 0x0000ffff) * 2);
    							}
    							_t394 =  *0x105e190; // 0x13
    							_t381 = _t394 + 0x20;
    						}
    						_t343 = _t405;
    						E010580B1(_t343, _t381);
    						__eflags =  *_t400 & 0x00040000;
    						_t317 = L"...";
    						_a4 = L"...";
    						if(( *_t400 & 0x00040000) == 0) {
    							L43:
    							_t378 =  *_t400;
    							_push(_t343);
    							_t329 = _t405;
    							_a12 = _v0 + 0x2c;
    							_t315 = E01034898(_t405,  *_t400, _v0 + 0x2c);
    							_t230 = _v8;
    							__eflags =  *_t230 & 0x00000400;
    							if(( *_t230 & 0x00000400) == 0) {
    								L71:
    								_t200 = 0;
    								__eflags = 0;
    								goto L72;
    							}
    							__eflags = _t230[9] & 0x20000000;
    							if((_t230[9] & 0x20000000) == 0) {
    								goto L71;
    							}
    							_a560 = 1;
    							_a564 = 0x104;
    							_a556 = 0;
    							memset( &_a36, 0, 0x104);
    							_t408 = _t408 + 0xc;
    							__eflags = _a560;
    							_t239 = E0103E3F0(((0 | _a560 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104);
    							__eflags = _t239;
    							if(_t239 < 0) {
    								L68:
    								_t378 = 0x1031f00;
    								E01046604(_t405, 0x1031f00, L" [.]");
    								L69:
    								_t241 = _a556;
    								_t329 = 0;
    								_a556 = 0;
    								__eflags = _t241;
    								if(_t241 != 0) {
    									__imp__??_V@YAXPAX@Z();
    									_t329 = _t241;
    								}
    								goto L71;
    							}
    							_t347 = _a556;
    							__eflags = _a556;
    							if(_a556 == 0) {
    								_t347 =  &_a36;
    							}
    							_t243 = E010434B8(_t347, _a564,  *((intOrPtr*)(_a4 + 4)), _a8);
    							__eflags = _t243;
    							if(_t243 != 0) {
    								goto L68;
    							} else {
    								_t244 = _a556;
    								__eflags = _t244;
    								if(_t244 == 0) {
    									_t244 =  &_a36;
    								}
    								_t245 = CreateFileW(_t244, 8, 7, 0, 3, 0x2200000, 0);
    								_a8 = _t245;
    								__eflags = _t245 - 0xffffffff;
    								if(_t245 != 0xffffffff) {
    									_t246 = DeviceIoControl(_t245, 0x900a8, 0, 0,  &_a668, 0x4002,  &_a24, 0);
    									_t378 = 0x1031f00;
    									_t351 = _t405;
    									__eflags = _t246;
    									if(_t246 != 0) {
    										E01046604(_t351, 0x1031f00, L" [");
    										__eflags = _a664 - 0xa0000003;
    										if(_a664 != 0xa0000003) {
    											__eflags = _a668 - 0xa000000c;
    											if(_a668 != 0xa000000c) {
    												_t402 = 6;
    												L64:
    												_t130 = _t402 + 2; // 0x8
    												_t248 = E0103DCD0(_t130);
    												_v8 = _t248;
    												__eflags = _t248;
    												if(_t248 != 0) {
    													memcpy(_t248, _v0, _t402);
    													_t408 = _t408 + 0xc;
    													__eflags = 0;
    													 *((short*)(_v8 + (_t402 >> 1) * 2)) = 0;
    													E01046604(_t405, 0x1031f00, _v8);
    													E0103DC60(_v12);
    												}
    												_t378 = 0x1031f00;
    												E01046604(_t405, 0x1031f00, "]");
    												_t400 = _a8;
    												goto L67;
    											}
    											_t402 =  *(_t408 + 0x2be) & 0x0000ffff;
    											_v0 = _t408 + 0x2c4 + (( *(_t408 + 0x2bc) & 0x0000ffff) >> 1) * 2;
    											__eflags = _t402;
    											if(_t402 != 0) {
    												goto L64;
    											}
    											_t259 = (_a676 & 0x0000ffff) >> 1;
    											__eflags = _t259;
    											_t260 = _t408 + 0x2c4 + _t259 * 2;
    											L62:
    											_t402 = _a678 & 0x0000ffff;
    											_v0 = _t260;
    											goto L64;
    										}
    										_t402 =  *(_t408 + 0x2be) & 0x0000ffff;
    										_v0 = _t408 + 0x2c0 + (( *(_t408 + 0x2bc) & 0x0000ffff) >> 1) * 2;
    										__eflags = _t402;
    										if(_t402 != 0) {
    											goto L64;
    										}
    										_t260 = _t408 + 0x2c0 + ((_a676 & 0x0000ffff) >> 1) * 2;
    										goto L62;
    									}
    									_push(L" [...]");
    									goto L55;
    								} else {
    									_push(L" [..]");
    									_t378 = 0x1031f00;
    									_t351 = _t405;
    									L55:
    									E01046604(_t351, _t378);
    									L67:
    									CloseHandle(_a8);
    									goto L69;
    								}
    							}
    						} else {
    							_a12 = 0x101;
    							_v4 = 0;
    							_a560 = 0;
    							_a20 = 0x10;
    							_a564 = 1;
    							_a568 = 0x104;
    							memset( &_a40, 0, 0x104);
    							_t408 = _t408 + 0xc;
    							__eflags = _a564;
    							_t275 = E0103E3F0(((0 | _a564 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104);
    							__eflags = _t275;
    							if(_t275 >= 0) {
    								_t318 = E0103DCD0(0x10000);
    								__eflags = _t318;
    								if(_t318 != 0) {
    									_t360 = _a560;
    									__eflags = _a560;
    									if(_a560 == 0) {
    										_t360 =  &_a40;
    									}
    									_t280 = E010434B8(_t360, _a568,  *((intOrPtr*)(_a8 + 4)), _v0 + 0x2c);
    									__eflags = _t280;
    									if(_t280 != 0) {
    										L35:
    										E01046604(_t405, 0x1031f00, L"...");
    										goto L36;
    									} else {
    										_t285 = _a560;
    										__eflags = _t285;
    										if(_t285 == 0) {
    											_t285 =  &_a40;
    										}
    										_t286 = GetFileSecurityW(_t285, 1, _t318, 0x10000,  &_a32);
    										__eflags = _t286;
    										if(_t286 == 0) {
    											goto L35;
    										} else {
    											_t289 = GetSecurityDescriptorOwner(_t318,  &_v4,  &_a36);
    											__eflags = _t289;
    											if(_t289 == 0) {
    												goto L35;
    											}
    											_t290 = E010472EF( &_a32);
    											__eflags = _t290;
    											if(_t290 == 0) {
    												L33:
    												_push(L"...");
    												L34:
    												E01046604(_t405, 0x1031f00);
    												_v8 = 0;
    												L36:
    												E0103DC60(_t318);
    												L37:
    												__eflags =  *_t400 & 0x00000400;
    												_t387 =  *0x105e190; // 0x13
    												if(( *_t400 & 0x00000400) == 0) {
    													_t388 = _t387 + 0x2a;
    													__eflags = _t387 + 0x2a;
    												} else {
    													_t388 = _t387 + 0x37;
    												}
    												E010580B1(_t405, _t388);
    												L41:
    												_t284 = _a560;
    												_t343 = 0;
    												_a560 = 0;
    												__eflags = _t284;
    												if(_t284 != 0) {
    													__imp__??_V@YAXPAX@Z();
    													_t343 = _t284;
    												}
    												goto L43;
    											}
    											 *0x107d034(0, _v4,  &_a672,  &_a12, _t408 + 0x298,  &_a20,  &_a28);
    											__eflags = 0;
    											if(0 == 0) {
    												goto L33;
    											}
    											E01046604(_t405, 0x1031f00, _t408 + 0x290);
    											E01046604(_t405, 0x1031f00, "\\");
    											_push( &_a636);
    											goto L34;
    										}
    									}
    								}
    								E01046604(_t405, 0x1031f00, L"...");
    								goto L37;
    							}
    							E01046604(_t405, 0x1031f00, _t317);
    							goto L41;
    						}
    					}
    					_t310 = E0105B222(_t405, _t378, _v0);
    					goto L3;
    				} else {
    					_t310 = E01034AB1(_t405, _t378,  *((intOrPtr*)(_a8 + 4)), _v0);
    					L3:
    					_t315 = _t310;
    					L4:
    					_t195 = _t315;
    					goto L5;
    				}
    			}


    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID:
    • String ID: [...]$ [..]$ [.]$...$:
    • API String ID: 0-1980097535
    • Opcode ID: b3b4926842f7e1a9fb3c3dc717e0e4427773947159e2168dbd4e7c51cc18e3ea
    • Instruction ID: a9f96d8998715bc809196d4f66d345092d1029b6d5e30f8db3c9f8c686968046
    • Opcode Fuzzy Hash: b3b4926842f7e1a9fb3c3dc717e0e4427773947159e2168dbd4e7c51cc18e3ea
    • Instruction Fuzzy Hash: F41271B02043429BD765DB68C884AAFB7E9EFD8344F04892EF9C9D7241EB74D845CB52
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 75%
    			E01036854(void* __ecx, intOrPtr __edx, signed int _a4, intOrPtr _a8) {
    				signed int _v8;
    				char _v76;
    				short _v332;
    				signed short _v342;
    				signed short _v344;
    				signed short _v346;
    				struct _SYSTEMTIME _v348;
    				int _v352;
    				int _v356;
    				intOrPtr _v360;
    				intOrPtr _v364;
    				signed int _v368;
    				struct _FILETIME _v376;
    				struct _FILETIME _v384;
    				void _v420;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t78;
    				intOrPtr _t89;
    				void* _t90;
    				signed int _t96;
    				signed int _t97;
    				void* _t100;
    				void* _t101;
    				void* _t110;
    				void* _t111;
    				signed short _t118;
    				long _t128;
    				short* _t130;
    				void* _t136;
    				signed int _t139;
    				void* _t143;
    				void _t145;
    				void _t149;
    				signed int _t157;
    				signed int _t159;
    				signed int _t161;
    				void* _t172;
    				signed int _t173;
    				signed int _t181;
    				signed int _t185;
    				void* _t186;
    				void* _t189;
    				intOrPtr _t197;
    				signed int _t202;
    				void* _t206;
    				void* _t210;
    				void* _t211;
    				signed int _t212;
    				void* _t213;
    
    				_t78 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t78 ^ _t212;
    				_t157 = _a4;
    				_v364 = __edx;
    				_v368 = _t157;
    				_v360 = 1;
    				if(__ecx != 0) {
    					_t161 = 9;
    					memcpy( &_v420, __ecx, _t161 << 2);
    					_t213 = _t213 + 0xc;
    					E010548D7( &_v420,  &_v376);
    				} else {
    					GetSystemTime( &_v348);
    					SystemTimeToFileTime( &_v348,  &_v376);
    				}
    				FileTimeToLocalFileTime( &_v376,  &_v384);
    				FileTimeToSystemTime( &_v384,  &_v348);
    				_v352 = 0;
    				if( *0x1066755 == 0) {
    					_t194 = _v348 & 0x0000ffff;
    					_t208 = _v346 & 0x0000ffff;
    					_t206 = _v342 & 0x0000ffff;
    					_v352 = _t194;
    					if(_v364 == 0) {
    						_t181 = 0x64;
    						_t194 = _t194 % _t181;
    						_v352 = _t194;
    					}
    					_t89 =  *0x105e58c; // 0x0
    					if(_t89 != 2) {
    						if(_t89 == 1) {
    							_t110 = _t208;
    							_t208 = _t206;
    							_t206 = _t110;
    						}
    					} else {
    						_t111 = _t194;
    						_t194 = _t206;
    						_t206 = _t208;
    						_v352 = _t194;
    						_t208 = _t111;
    					}
    					_t164 =  *0x1066750;
    					if( *0x1066750 >= 0x20) {
    						_t90 =  *0x106674c;
    						goto L63;
    					} else {
    						_t90 = realloc( *0x106674c, 0x40);
    						_pop(0);
    						if(_t90 != 0) {
    							_t194 = _v352;
    							_t164 = 0x20;
    							 *0x106674c = _t90;
    							 *0x1066750 = _t164;
    							L63:
    							_push(_t194);
    							_push(0x106c9d0);
    							_push(_t206);
    							_push(0x106c9d0);
    							E01039ABF(_t90, _t164, L"%02d%s%02d%s%02d", _t208);
    							_t213 = _t213 + 0x20;
    							_t206 = 2;
    							goto L35;
    						}
    						_push(_t90);
    						goto L50;
    					}
    				} else {
    					_v356 = 0;
    					if(GetLocaleInfoW(E01038791(), 0x1f,  &_v332, 0x80) == 0) {
    						_t194 = 0x80;
    						E0103F3A0( &_v332, 0x80,  *0x105e588);
    					}
    					_t118 = _v332;
    					_t210 =  &_v332;
    					_t206 = 2;
    					if(_t118 == 0) {
    						L13:
    						if(GetDateFormatW(E01038791(), 0,  &_v348,  &_v332,  *0x106674c,  *0x1066750) == 0) {
    							L32:
    							_t208 = GetDateFormatW(E01038791(), 0,  &_v348,  &_v332, 0, 0);
    							if(_t208 == 0) {
    								_t128 = GetLastError();
    								_push(0);
    								L48:
    								 *0x10667a8 = _t128;
    								_push(_t128);
    								L51:
    								E010378E4(0);
    								_t97 = 0;
    								L25:
    								return E01046B30(_t97, _t157, _v8 ^ _t212, _t194, _t206, _t208);
    							}
    							_t208 = _t208 + 1;
    							_t130 = realloc( *0x106674c, _t208 + _t208);
    							_pop(0);
    							if(_t130 == 0) {
    								_push(0);
    								L50:
    								_push(8);
    								goto L51;
    							}
    							 *0x106674c = _t130;
    							 *0x1066750 = _t208;
    							_t208 = 0;
    							if(GetDateFormatW(E01038791(), 0,  &_v348,  &_v332, _t130, 0) == 0) {
    								_t128 = GetLastError();
    								_push(0);
    								goto L48;
    							}
    							L35:
    							_t208 =  *0x106674c;
    							L15:
    							_push(E01035E68(_v344 & 0x0000ffff));
    							_t194 = 0x20;
    							E0103F3A0( &_v76, _t194);
    							if(_t157 == 0) {
    								if(_v360 != 0) {
    									if(E01039434() == 0) {
    										_push(_t208);
    										_push( &_v76);
    									} else {
    										_push( &_v76);
    										_push(_t208);
    									}
    									_t96 = E01039950(L"%s %s ");
    								} else {
    									_push(_t208);
    									_t96 = E01039950(L"%s ");
    								}
    								_t157 = _t96;
    								L24:
    								_t97 = _t157;
    								goto L25;
    							}
    							if(_v360 == 0 || _v364 != 1) {
    								E0103F3A0(_t157, _a8, _t208);
    							} else {
    								_t101 = E01039434();
    								_t197 = _a8;
    								_t173 = _t157;
    								if(_t101 != 0) {
    									E0103F3A0(_t173, _t197, _t208);
    									E0103FC40(_t157, _a8, " ");
    									_push( &_v76);
    								} else {
    									E0103F3A0(_t173, _t197,  &_v76);
    									E0103FC40(_t157, _a8, " ");
    									_push(_t208);
    								}
    								E0103FC40(_t157, _a8);
    							}
    							_t172 = _t157 + 2;
    							_t194 = 0;
    							do {
    								_t100 =  *_t157;
    								_t157 = _t206 + _t157;
    							} while (_t100 != 0);
    							_t157 = _t157 - _t172 >> 1;
    							goto L24;
    						}
    						_t208 =  *0x106674c;
    						if(_t208 == 0) {
    							goto L32;
    						}
    						goto L15;
    					} else {
    						_t159 = _v356;
    						_t185 = _t118 & 0x0000ffff;
    						_t136 = 0x64;
    						do {
    							if(_t185 == 0x27) {
    								_t210 = _t210 + _t206;
    								_t159 = 0 | _t159 == 0x00000000;
    								goto L11;
    							}
    							if(_t159 != 0 || _t185 != _t136 && _t185 != 0x4d) {
    								_t210 = _t210 + _t206;
    							} else {
    								_t202 = 0;
    								do {
    									_t210 = _t210 + _t206;
    									_t202 = _t202 + 1;
    								} while ( *_t210 == _t185);
    								_v356 = _t210;
    								_t211 = _t210 +  ~_t202 * 2;
    								if(_t202 != 1) {
    									_t143 = 0x64;
    									if(_t185 == _t143) {
    										_v360 = 0;
    									}
    									if(_t202 <= 3) {
    										_t210 = _v356;
    									} else {
    										_t194 = _v356;
    										_t186 = _t194;
    										_v356 = _t186 + 2;
    										do {
    											_t145 =  *_t186;
    											_t186 = _t186 + _t206;
    										} while (_t145 != _v352);
    										_t210 = _t211 + 6;
    										memmove(_t210, _t194, 2 + (_t186 - _v356 >> 1) * 2);
    										_t213 = _t213 + 0xc;
    									}
    									goto L11;
    								}
    								_t189 = _t211;
    								_t194 = _t189 + 2;
    								do {
    									_t149 =  *_t189;
    									_t189 = _t189 + _t206;
    								} while (_t149 != _v352);
    								memmove(_t211 + 2, _t211, 2 + (_t189 - _t194 >> 1) * 2);
    								_t213 = _t213 + 0xc;
    								_t210 = _t211 + 4;
    							}
    							L11:
    							_t139 =  *_t210 & 0x0000ffff;
    							_t185 = _t139;
    							_t136 = 0x64;
    						} while (_t139 != 0);
    						_t157 = _v368;
    						goto L13;
    					}
    				}
    			}


    APIs
    • GetSystemTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,$P$G,?,00002000), ref: 01036896
    • SystemTimeToFileTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 010368AA
    • FileTimeToLocalFileTime.API-MS-WIN-CORE-FILE-L1-1-0(?,?), ref: 010368BE
    • FileTimeToSystemTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 010368D2
    • realloc.MSVCRT ref: 0104A5E7
      • Part of subcall function 01038791: GetUserDefaultLCID.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(01036906,0000001F,?,00000080), ref: 01038791
    • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000001F,?,00000080), ref: 01036907
    • GetDateFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(00000000,00000000,?,?), ref: 0103698F
    • memmove.MSVCRT ref: 01036A86
    • GetDateFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(00000000,00000000,?,?,00000000,00000000), ref: 01036AAF
    • realloc.MSVCRT ref: 01036ACA
    • GetDateFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(00000000,00000000,?,?,00000000,00000001), ref: 01036AFE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: Time$File$DateFormatSystem$realloc$DefaultInfoLocalLocaleUsermemmove
    • String ID: $P$G$%02d%s%02d%s%02d$%s $%s %s
    • API String ID: 2927284792-3792846528
    • Opcode ID: 0112c9a6f10a9b45a11097cfaa0a4226c8f86036f422223489e19ceab948494e
    • Instruction ID: f2e8fc70f77d79ecef435d79685c147bb73fb3825cc890921907eb7a60d9b058
    • Opcode Fuzzy Hash: 0112c9a6f10a9b45a11097cfaa0a4226c8f86036f422223489e19ceab948494e
    • Instruction Fuzzy Hash: 3FC1BAB1A00215EBDB65DF55DC44AEF77BDEBC8300F0440A6E58AE7140EB369A85CF90
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 76%
    			E01044EC1(WCHAR* __ecx, long __edx) {
    				signed int _v8;
    				int _v20;
    				char _v24;
    				long _v28;
    				void _v548;
    				struct _WIN32_FIND_DATAW _v1140;
    				WCHAR* _v1144;
    				long _v1148;
    				void* _v1152;
    				char _v1156;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t105;
    				void* _t115;
    				long _t116;
    				short _t119;
    				void* _t123;
    				signed int _t124;
    				signed int _t126;
    				WCHAR* _t128;
    				void* _t129;
    				void* _t132;
    				void* _t138;
    				intOrPtr _t141;
    				long _t142;
    				WCHAR* _t146;
    				intOrPtr _t149;
    				void* _t155;
    				void* _t160;
    				WCHAR* _t161;
    				signed int _t166;
    				signed int _t167;
    				signed int _t168;
    				signed int _t169;
    				void* _t170;
    				void* _t175;
    				long _t180;
    				void* _t181;
    				short* _t187;
    				signed int _t189;
    				long _t193;
    				signed int _t194;
    				signed int _t195;
    				intOrPtr* _t198;
    				signed int _t199;
    				signed int _t200;
    				intOrPtr* _t204;
    				WCHAR* _t208;
    				char* _t209;
    				char* _t210;
    				long _t215;
    				signed int _t222;
    				void* _t223;
    				void* _t224;
    				intOrPtr* _t225;
    				signed int _t226;
    				WCHAR* _t227;
    				signed int _t228;
    				signed int _t229;
    				signed int _t230;
    				void* _t231;
    				void* _t232;
    
    				_t218 = __edx;
    				_t105 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t105 ^ _t230;
    				_v24 = 1;
    				_v28 = 0;
    				_v20 = 0x104;
    				_t225 = __edx;
    				_t178 = __ecx;
    				_v1148 = __edx;
    				_v1144 = __ecx;
    				memset( &_v548, 0, 0x104);
    				_t232 = _t231 + 0xc;
    				_t115 = E0103E3F0(((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104);
    				_t222 = 0;
    				if(_t115 < 0) {
    					_t226 = 8;
    					goto L42;
    				} else {
    					 *_t225 = 1;
    					_t227 = _t178;
    					_t187 =  &(_t227[1]);
    					do {
    						_t119 =  *_t227;
    						_t227 =  &(_t227[1]);
    					} while (_t119 != 0);
    					_t228 = _t227 - _t187;
    					_t229 = _t228 >> 1;
    					if(_t228 == 0) {
    						_t226 = 0xa1;
    						L42:
    						_t116 = _v28;
    						_v28 = _t222;
    						if(_t116 != 0) {
    							__imp__??_V@YAXPAX@Z(_t116);
    						}
    						return E01046B30(_t226, _t178, _v8 ^ _t230, _t218, _t222, _t226);
    					}
    					if(_t229 + 3 > 0x7fe7) {
    						L41:
    						_t226 = E01045271(_t178);
    						goto L42;
    					}
    					_t123 = FindFirstFileW(_t178,  &_v1140);
    					if(_t123 == 0xffffffff) {
    						_t124 = 0x10;
    						_t189 = 0;
    						_v1140.dwFileAttributes = _t124;
    						_v1140.dwReserved0 = 0;
    					} else {
    						FindClose(_t123);
    						_t189 = _v1140.dwReserved0;
    						_t124 = _v1140.dwFileAttributes;
    					}
    					if((_t124 & 0x00000010) == 0) {
    						goto L41;
    					} else {
    						if((_t124 & 0x00000400) != 0) {
    							if((_t189 & 0x20000000) != 0) {
    								goto L41;
    							}
    						}
    						E0103A641(_t178);
    						_t126 =  *(_t178 + _t229 * 2 - 2) & 0x0000ffff;
    						if(_t126 != 0x3a && _t126 != 0x5c) {
    							E0104232C(_t218, "\\");
    							_t229 = _t229 + 1;
    						}
    						E0104232C(_t218, "*");
    						_t128 = _v28;
    						if(_t128 == 0) {
    							_t128 =  &_v548;
    						}
    						_t129 = FindFirstFileW(_t128,  &_v1140);
    						_v1152 = _t129;
    						if(_t129 == 0xffffffff) {
    							goto L41;
    						} else {
    							L14:
    							while( *0x106259c == 0) {
    								_t218 =  &(_v1140.cAlternateFileName);
    								_t193 = _t218;
    								_t223 = _t193 + 2;
    								do {
    									_t132 =  *_t193;
    									_t193 = _t193 + 2;
    								} while (_t132 != 0);
    								_t194 = _t193 - _t223;
    								_t195 = _t194 >> 1;
    								if(_t194 != 0) {
    									L21:
    									if(_t195 + _t229 >= 0x7fe7) {
    										_t222 = 0;
    										_t178 = _v1144;
    										_push(_t218);
    										 *_v1148 = 0;
    										E010378E4(_t195, 0x400023da, 2, _v1144);
    										L40:
    										FindClose(_v1152);
    										if( *0x106259c != 0) {
    											_t226 = _t222;
    											goto L42;
    										}
    										goto L41;
    									}
    									_t136 = _v28;
    									if(_v28 == 0) {
    										_t136 =  &_v548;
    									}
    									E0103F3A0(_t136 + _t229 * 2, _v20 - _t229, _t218);
    									_t180 = _v1140.dwFileAttributes;
    									if((_t180 & 0x00000010) == 0) {
    										if((_t180 & 0x00000001) != 0) {
    											_t208 = _v28;
    											if(_t208 == 0) {
    												_t208 =  &_v548;
    											}
    											SetFileAttributesW(_t208, _t180 & 0xfffffffe);
    										}
    										_t197 = _v28;
    										if(_v28 == 0) {
    											_t197 =  &_v548;
    										}
    										_t218 = _t180;
    										_t138 = E01044759(_t197, _t180);
    										if(_t138 == 0) {
    											_t222 = 0;
    											goto L38;
    										} else {
    											if(_t138 == 0x4d3) {
    												_t222 = 0;
    												break;
    											}
    											if(_t138 != 3) {
    												L80:
    												_t222 = 0;
    												L81:
    												_t198 =  &(_v1140.cAlternateFileName);
    												_t218 = _t198 + 2;
    												do {
    													_t141 =  *_t198;
    													_t198 = _t198 + 2;
    												} while (_t141 != _t222);
    												_t142 = _v28;
    												_t199 = _t198 - _t218;
    												_t200 = _t199 >> 1;
    												if(_t199 == 0) {
    													L90:
    													if(_t142 == 0) {
    														_t142 =  &_v548;
    													}
    													E010378E4(_t200, 0x4000271b, 1, _t142);
    													_t232 = _t232 + 0xc;
    													L93:
    													_push(_t222);
    													_push(GetLastError());
    													E010378E4(_t200);
    													_t146 = _v28;
    													if(_t146 == 0) {
    														_t146 =  &_v548;
    													}
    													SetFileAttributesW(_t146, _t180);
    													 *_v1148 = _t222;
    													goto L38;
    												}
    												if(_t142 == 0) {
    													_t142 =  &_v548;
    												}
    												 *((short*)(_t142 + _t229 * 2)) = 0;
    												_t204 =  &(_v1140.cFileName);
    												_t218 = _t204 + 2;
    												do {
    													_t149 =  *_t204;
    													_t204 = _t204 + 2;
    												} while (_t149 != _t222);
    												_t200 =  &_v548;
    												if((_t204 - _t218 >> 1) + _t229 < 0x7fe7) {
    													E0104232C(_t218,  &(_v1140.cFileName));
    													_t153 = _v28;
    													if(_v28 == 0) {
    														_t153 =  &_v548;
    													}
    													E010378E4(_t200, 0x4000271b, 1, _t153);
    													_t155 = _v28;
    													_t232 = _t232 + 0xc;
    													if(_t155 == 0) {
    														_t155 =  &_v548;
    													}
    													 *((short*)(_t155 + _t229 * 2)) = 0;
    													_t200 =  &_v548;
    													E0104232C(_t218,  &(_v1140.cAlternateFileName));
    													goto L93;
    												}
    												E0104232C(_t218,  &(_v1140.cAlternateFileName));
    												_t142 = _v28;
    												goto L90;
    											}
    											_t160 = _v28;
    											if(_t160 == 0) {
    												_t160 =  &_v548;
    											}
    											__imp___wcsnicmp(_t160, L"\\\\?\\", 4);
    											_t232 = _t232 + 0xc;
    											if(_t160 == 0) {
    												goto L80;
    											} else {
    												_t161 = _v28;
    												if(_t161 == 0) {
    													_t161 =  &_v548;
    												}
    												_t222 = 0;
    												if(GetFullPathNameW(_t161, 0, 0, 0) > 0x7fe7) {
    													SetLastError(0x6f);
    												}
    												goto L81;
    											}
    										}
    									} else {
    										_t209 = ".";
    										_t166 =  &(_v1140.cFileName);
    										_t181 = 4;
    										while(1) {
    											_t218 =  *_t166;
    											if(_t218 !=  *_t209) {
    												break;
    											}
    											if(_t218 == 0) {
    												L29:
    												_t222 = 0;
    												_t167 = 0;
    												L30:
    												if(_t167 == 0) {
    													L38:
    													if(FindNextFileW(_v1152,  &_v1140) != 0) {
    														goto L14;
    													}
    													goto L39;
    												}
    												_t210 = L"..";
    												_t168 =  &(_v1140.cFileName);
    												while(1) {
    													_t218 =  *_t168;
    													if(_t218 !=  *_t210) {
    														break;
    													}
    													if(_t218 == 0) {
    														L36:
    														_t169 = _t222;
    														L37:
    														if(_t169 != 0) {
    															_t211 = _v28;
    															if(_v28 == 0) {
    																_t211 =  &_v548;
    															}
    															_t218 =  &_v1156;
    															_t170 = E01044EC1(_t211,  &_v1156);
    															if( *0x106259c != 0) {
    																goto L39;
    															} else {
    																if(_t170 != 0) {
    																	_t212 = _v1148;
    																	 *_v1148 = _t222;
    																	if(_t170 != 0x91 || _v1156 != 0) {
    																		_t171 = _v28;
    																		if(_v28 == 0) {
    																			_t171 =  &_v548;
    																		}
    																		E010378E4(_t212, 0x4000271b, 1, _t171);
    																		_t232 = _t232 + 0xc;
    																		_push(_t222);
    																		_push(GetLastError());
    																		E010378E4(_t212);
    																	}
    																}
    																goto L38;
    															}
    														}
    														goto L38;
    													}
    													_t218 =  *((intOrPtr*)(_t168 + 2));
    													_t47 =  &(_t210[2]); // 0x2e
    													if(_t218 !=  *_t47) {
    														break;
    													}
    													_t168 = _t168 + _t181;
    													_t210 =  &(_t210[_t181]);
    													if(_t218 != 0) {
    														continue;
    													}
    													goto L36;
    												}
    												asm("sbb eax, eax");
    												_t169 = _t168 | 0x00000001;
    												goto L37;
    											}
    											_t218 =  *((intOrPtr*)(_t166 + 2));
    											_t44 =  &(_t209[2]); // 0x750000
    											if(_t218 !=  *_t44) {
    												break;
    											}
    											_t166 = _t166 + _t181;
    											_t209 =  &(_t209[_t181]);
    											if(_t218 != 0) {
    												continue;
    											}
    											goto L29;
    										}
    										asm("sbb eax, eax");
    										_t167 = _t166 | 0x00000001;
    										_t222 = 0;
    										goto L30;
    									}
    								}
    								_t218 =  &(_v1140.cFileName);
    								_t215 = _t218;
    								_t224 = _t215 + 2;
    								do {
    									_t175 =  *_t215;
    									_t215 = _t215 + 2;
    								} while (_t175 != 0);
    								_t195 = _t215 - _t224 >> 1;
    								goto L21;
    							}
    							L39:
    							_t178 = _v1144;
    							goto L40;
    						}
    					}
    				}
    			}

    APIs
    • memset.MSVCRT ref: 01044F03
      • Part of subcall function 0103E3F0: memset.MSVCRT ref: 0103E455
    • FindFirstFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,-00000001), ref: 01044F67
    • FindClose.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,-00000001), ref: 01044F77
    • FindFirstFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,01032670,?,?,?,-00000001), ref: 01044FEB
    • FindNextFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,?,?,-00000001), ref: 01045103
    • FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,-00000001), ref: 0104511E
    • ??_V@YAXPAX@Z.MSVCRT ref: 01045141
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: Find$File$CloseFirstmemset$Next
    • String ID: \\?\
    • API String ID: 3059144641-4282027825
    • Opcode ID: bbf0bb58f9ed9b2f497e9ecbb6cd07561040cd9f55d9326f691d8a9ff15a3906
    • Instruction ID: c1ccc269d57383d03a2d377cafa1afbd77efa9d9a7a37c60c83513401384c85a
    • Opcode Fuzzy Hash: bbf0bb58f9ed9b2f497e9ecbb6cd07561040cd9f55d9326f691d8a9ff15a3906
    • Instruction Fuzzy Hash: 12E1D4B1A0010A9BDB75DB68CCC5BFE77B8EF44304F4404E9EA8AE7185E7359A85CB50
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 71%
    			E0105695A(intOrPtr __ecx) {
    				signed int _v8;
    				short _v12;
    				short _v14;
    				char _v16;
    				int _v20;
    				char _v24;
    				int _v28;
    				void _v548;
    				int _v552;
    				char _v556;
    				int _v560;
    				void _v1080;
    				int _v1084;
    				signed int _v1088;
    				signed int _v1092;
    				void _v1612;
    				char _v1616;
    				intOrPtr* _v1620;
    				intOrPtr _v1624;
    				int _v1628;
    				signed int _v1632;
    				long _v1636;
    				signed int _v1640;
    				intOrPtr _v1644;
    				intOrPtr _v1648;
    				void* __edi;
    				void* __esi;
    				signed int _t183;
    				signed int _t184;
    				signed int _t186;
    				intOrPtr* _t189;
    				void* _t213;
    				signed int _t216;
    				int _t218;
    				signed int _t227;
    				signed int _t229;
    				short _t230;
    				short _t231;
    				signed int _t233;
    				void* _t234;
    				intOrPtr _t235;
    				signed int _t236;
    				signed int _t237;
    				signed int _t240;
    				signed int _t241;
    				signed int _t242;
    				signed char* _t243;
    				signed int _t244;
    				signed int _t248;
    				void* _t251;
    				signed int _t256;
    				signed int _t258;
    				signed int _t259;
    				signed int _t264;
    				signed int _t265;
    				signed int _t266;
    				long _t267;
    				intOrPtr _t272;
    				void* _t274;
    				signed int _t281;
    				intOrPtr _t283;
    				signed int _t284;
    				long _t287;
    				intOrPtr _t292;
    				void* _t293;
    				intOrPtr _t295;
    				intOrPtr _t298;
    				void* _t299;
    				signed int _t313;
    				void* _t315;
    				signed int _t318;
    				short _t319;
    				void* _t320;
    				signed int _t333;
    				signed int _t339;
    				void* _t348;
    				signed int _t349;
    				signed int _t353;
    				signed int _t355;
    				void* _t364;
    				void* _t367;
    				void* _t373;
    				intOrPtr _t374;
    				void* _t375;
    				signed int _t380;
    				void* _t383;
    				intOrPtr* _t384;
    				signed int _t386;
    				signed int _t389;
    				intOrPtr _t390;
    				signed int _t395;
    				intOrPtr* _t396;
    				signed int _t402;
    				signed int _t404;
    				signed int _t405;
    				intOrPtr* _t407;
    				signed int _t409;
    				signed int _t410;
    				void* _t411;
    				signed int _t412;
    				signed int _t413;
    				void* _t414;
    				intOrPtr* _t415;
    				signed int _t417;
    				intOrPtr* _t418;
    				signed int _t421;
    				void* _t422;
    
    				_t183 =  *0x105e0b4; // 0x6030efd1
    				_t184 = _t183 ^ _t421;
    				_v8 = _t184;
    				_t398 = 0;
    				_v1648 = __ecx;
    				_push(0);
    				_push(0x1070a70);
    				_v1628 = 0;
    				L01047FB1();
    				if(_t184 != 0) {
    					L121:
    					_t186 = 1;
    					__eflags = 1;
    					L122:
    					__eflags = _v8 ^ _t421;
    					return E01046B30(_t186, _t299, _v8 ^ _t421, _t371, _t395, _t398);
    				}
    				_push(0);
    				_t396 = E0103BC30( *((intOrPtr*)(_v1648 + 0x3c)), 0);
    				_t189 = E0103A7D5(_t396);
    				_v1620 = _t189;
    				if( *_t396 == 0 ||  *_t189 == 0 ||  *((intOrPtr*)(E0103A7D5(_t189))) != 0) {
    					L55:
    					_t308 = 0x232a;
    				} else {
    					_t415 = _t396;
    					_t7 = _t415 + 2; // 0x2
    					_t364 = _t7;
    					do {
    						_t292 =  *_t415;
    						_t415 = _t415 + 2;
    					} while (_t292 != 0);
    					_t417 = _t415 - _t364 >> 1;
    					_t293 = E01040060(_t396, _t396);
    					_t8 = _t417 + 1; // -1
    					E0103F3A0(_t396, _t8, _t293);
    					_t393 = _v1620;
    					_t418 = _v1620;
    					_t367 = _t418 + 2;
    					do {
    						_t295 =  *_t418;
    						_t418 = _t418 + 2;
    					} while (_t295 != _v1628);
    					E0103F3A0(_v1620, (_t418 - _t367 >> 1) + 1, E01040060(_t393, _t396));
    					_t298 = E0103802C(_t299, _t396, _t396);
    					_v1624 = _t298;
    					_t431 = _t298 - 1;
    					if(_t298 != 1) {
    						L11:
    						_v24 = 1;
    						_v20 = 0x104;
    						_v28 = 0;
    						memset( &_v548, 0, 0x104);
    						_v560 = 0;
    						_v552 = 0x104;
    						_v556 = 1;
    						memset( &_v1080, 0, 0x104);
    						_t422 = _t422 + 0x18;
    						if(E0103E3F0(((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0 || E0103E3F0(((0 | _v556 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
    							L36:
    							_t308 = 0x2374;
    							goto L10;
    						} else {
    							_t209 =  *0x1078df8;
    							if( *0x1078df8 == 0) {
    								_t209 = 0x1078bf0;
    							}
    							E0103A641(_t209);
    							_t211 =  *0x1078df8;
    							if( *0x1078df8 == 0) {
    								_t211 = 0x1078bf0;
    							}
    							E0103A641(_t211);
    							_t313 = _v28;
    							_t402 = _t313;
    							if(_t313 == 0) {
    								_t402 =  &_v548;
    							}
    							_t373 = _t402 + 2;
    							do {
    								_t213 =  *_t402;
    								_t402 = _t402 + 2;
    							} while (_t213 != _v1628);
    							_t374 = _v1624;
    							_t404 = _t402 - _t373 >> 1;
    							_v1632 = _t404;
    							if(( *( *(_t374 + 0x18)) & 0x00000010) != 0) {
    								_t405 = _t404 - 1;
    								_v1632 = _t405;
    								__eflags = _t313;
    								if(_t313 == 0) {
    									_t313 =  &_v548;
    								}
    								 *((short*)(_t313 + _t405 * 2)) = 0;
    								_t216 = _v560;
    								__eflags = _t216;
    								if(_t216 == 0) {
    									_t216 =  &_v1080;
    								}
    								__eflags = 0;
    								 *((short*)(_t216 + _t405 * 2)) = 0;
    							} else {
    								E0104232C(_t374,  *((intOrPtr*)(_t374 + 0x10)));
    								_t374 = _v1624;
    							}
    							if(( *(_t374 + 0x1c) & 0x00000008) != 0) {
    								L33:
    								_t217 = _v1620;
    								_t315 = 0x3a;
    								__eflags =  *((intOrPtr*)(_v1620 + 2)) - _t315;
    								if(__eflags == 0) {
    									goto L55;
    								}
    								_t375 = 0x5c;
    								_t218 = E0103A62F(_t217, _t375);
    								__eflags = _t218;
    								if(__eflags != 0) {
    									goto L55;
    								}
    								_v1092 = _t218;
    								_v1088 = 1;
    								_v1084 = 0x104;
    								memset( &_v1612, _t218, 0x104);
    								_t422 = _t422 + 0xc;
    								__eflags = _v1088;
    								__eflags = E0103E3F0(((0 | _v1088 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104);
    								if(__eflags >= 0) {
    									_t227 =  *0x1078df8;
    									__eflags = _t227;
    									if(_t227 == 0) {
    										_t227 = 0x1078bf0;
    									}
    									_t318 = _v1092;
    									__eflags = _t318;
    									if(_t318 == 0) {
    										_t318 =  &_v1612;
    									}
    									 *_t318 =  *_t227;
    									_t229 = _v1092;
    									__eflags = _t229;
    									if(_t229 == 0) {
    										_t229 =  &_v1612;
    									}
    									_t319 = 0x3a;
    									 *((short*)(_t229 + 2)) = _t319;
    									_t407 = _t396;
    									_t230 = 0x2a;
    									_v16 = _t230;
    									_t231 = 0x3f;
    									_v14 = _t231;
    									_t78 = _t407 + 2; // 0x2
    									_t320 = _t78;
    									__eflags = 0;
    									_v12 = 0;
    									do {
    										_t233 =  *_t407;
    										_t407 = _t407 + 2;
    										__eflags = _t233;
    									} while (_t233 != 0);
    									_t409 = _t407 - _t320 >> 1;
    									_t234 = E01039EBA(_t396,  &_v16);
    									_t371 = _v28;
    									__eflags = _t234 - _t409;
    									asm("sbb esi, esi");
    									_t410 =  ~_t409;
    									_t235 = 0x20;
    									_v1644 = _t235;
    									__eflags = _v28;
    									if(_v28 == 0) {
    										_t371 =  &_v548;
    									}
    									_t396 = _v1624;
    									_t236 = E0104589A(E010459D0, _t371, _t235, 0,  *((intOrPtr*)(_t396 + 0x18)),  &_v1616);
    									__eflags = _t236;
    									if(_t236 != 0) {
    										L56:
    										_t237 = _v28;
    										__eflags = _t237;
    										if(_t237 == 0) {
    											_t237 =  &_v548;
    										}
    										_t395 = _v1632;
    										_t398 = 0;
    										__eflags = 0;
    										_v1636 = 0;
    										 *((short*)(_t237 + _t395 * 2)) = 0;
    										while(1) {
    											__eflags =  *0x106259c;
    											if( *0x106259c != 0) {
    												break;
    											}
    											_t330 = _v1624;
    											_t243 =  *(_v1624 + 0x18);
    											__eflags =  *_t243 & 0x00000010;
    											if(( *_t243 & 0x00000010) == 0) {
    												_t244 = _v28;
    												__eflags = _t244;
    												if(_t244 == 0) {
    													_t244 =  &_v548;
    												}
    												 *((short*)(_t244 + _t395 * 2)) = 0;
    												E0104232C(0,  *((intOrPtr*)(_t330 + 0x18)) + 0x2c);
    												_t248 = _v28;
    												__eflags = _t248;
    												if(_t248 == 0) {
    													_t248 =  &_v548;
    												}
    												_t332 = _v1092;
    												__eflags = _v1092;
    												if(_v1092 == 0) {
    													_t332 =  &_v1612;
    												}
    												E01043719(_t332, _v1084, _v1620, _t248 + _t395 * 2);
    												_t380 = _v1092;
    												_t333 = _t380;
    												__eflags = _t380;
    												if(_t380 == 0) {
    													_t333 =  &_v1612;
    												}
    												_t411 = _t333 + 2;
    												do {
    													_t251 =  *_t333;
    													_t333 = _t333 + 2;
    													__eflags = _t251 - _v1628;
    												} while (_t251 != _v1628);
    												__eflags = _t395 + 1 + (_t333 - _t411 >> 1) - 0x7fe7;
    												if(_t395 + 1 + (_t333 - _t411 >> 1) > 0x7fe7) {
    													L107:
    													E01038B4D(_v1616);
    													E01036468();
    													_t308 = 0x232e;
    													goto L10;
    												}
    												_t256 = _v560;
    												__eflags = _t256;
    												if(_t256 == 0) {
    													_t256 =  &_v1080;
    												}
    												 *((short*)(_t256 + _t395 * 2)) = 0;
    												__eflags = _t380;
    												if(_t380 == 0) {
    													_t380 =  &_v1612;
    												}
    												E0104232C(_t380, _t380);
    												L96:
    												_t339 = _v560;
    												__eflags = _t339;
    												if(_t339 == 0) {
    													_t339 =  &_v1080;
    												}
    												_t258 = _v28;
    												__eflags = _t258;
    												if(_t258 == 0) {
    													_t258 =  &_v548;
    												}
    												__imp__MoveFileWithProgressW(_t258, _t339, 0, 0, 2);
    												__eflags = _t258;
    												if(_t258 != 0) {
    													_t412 = _v1636;
    												} else {
    													_t267 = GetLastError();
    													_t412 = _t267;
    													_v1636 = _t267;
    													__eflags = _t412 - 0xb7;
    													if(_t412 == 0xb7) {
    														_t412 = 0x234d;
    														_v1636 = 0x234d;
    													}
    													_push(0);
    													_push(_t412);
    													E010378E4(_t339);
    												}
    												_t371 =  *(_v1624 + 0x18);
    												_t259 = E01045851(E010459D0,  *(_v1624 + 0x18), _v1644, _v1616);
    												__eflags = _t259;
    												if(_t259 == 0) {
    													E01038B4D(_v1616);
    													E01036468();
    													__eflags = _t412;
    													_t398 = 0;
    													_v1640 = 0 | _t412 != 0x00000000;
    													_t264 = _v1092;
    													_v1092 = 0;
    													__eflags = _t264;
    													if(_t264 != 0) {
    														__imp__??_V@YAXPAX@Z(_t264);
    													}
    													_t265 = _v560;
    													_v560 = _t398;
    													__eflags = _t265;
    													if(_t265 != 0) {
    														__imp__??_V@YAXPAX@Z(_t265);
    													}
    													_t266 = _v28;
    													_v28 = _t398;
    													__eflags = _t266;
    													if(_t266 != 0) {
    														__imp__??_V@YAXPAX@Z(_t266);
    													}
    													_t186 = _v1640;
    													goto L122;
    												} else {
    													_t398 = 0;
    													continue;
    												}
    											}
    											_t347 = _v560;
    											__eflags = _v560;
    											if(_v560 == 0) {
    												_t347 =  &_v1080;
    											}
    											_t383 = 0x5c;
    											_t395 = E010401F5(_t347, _t383);
    											__eflags = _t395;
    											if(_t395 == 0) {
    												goto L107;
    											} else {
    												_t384 = _v1620;
    												__eflags = 0;
    												 *((short*)(_t395 + 2)) = 0;
    												_t348 = _t384 + 2;
    												do {
    													_t272 =  *_t384;
    													_t384 = _t384 + 2;
    													__eflags = _t272 - _t398;
    												} while (_t272 != _t398);
    												_t413 = _v560;
    												_t386 = _t384 - _t348 >> 1;
    												_t349 = _t413;
    												__eflags = _t413;
    												if(_t413 == 0) {
    													_t349 =  &_v1080;
    												}
    												_v1640 = _t349 + 2;
    												do {
    													_t274 =  *_t349;
    													_t349 = _t349 + 2;
    													__eflags = _t274 - _v1628;
    												} while (_t274 != _v1628);
    												__eflags = _t386 + 1 + (_t349 - _v1640 >> 1) - 0x7fe7;
    												if(_t386 + 1 + (_t349 - _v1640 >> 1) > 0x7fe7) {
    													goto L107;
    												}
    												__eflags = _t413;
    												if(_t413 == 0) {
    													_t413 =  &_v1080;
    												}
    												_t117 = _t395 + 2; // 0x2
    												_t119 = _t395 + 2; // 0x2
    												E0103F3A0(_t119, _v552 - (_t117 - _t413 >> 1), _v1620);
    												_t389 = _v560;
    												_t353 = _t389;
    												__eflags = _t389;
    												if(_t389 == 0) {
    													_t353 =  &_v1080;
    												}
    												_t414 = _t353 + 2;
    												__eflags = 0;
    												do {
    													_t281 =  *_t353;
    													_t353 = _t353 + 2;
    													__eflags = _t281;
    												} while (_t281 != 0);
    												_t355 = _t353 - _t414 >> 1;
    												__eflags = _t389;
    												if(_t389 == 0) {
    													_t389 =  &_v1080;
    												}
    												_t395 = _v1632;
    												 *((short*)(_t389 + _t355 * 2)) = 0;
    												goto L96;
    											}
    										}
    										E01038B4D(_v1616);
    										E01036468();
    										_t240 = _v1092;
    										_v1092 = _t398;
    										__eflags = _t240;
    										if(_t240 != 0) {
    											__imp__??_V@YAXPAX@Z(_t240);
    										}
    										_t241 = _v560;
    										_v560 = _t398;
    										__eflags = _t241;
    										if(_t241 != 0) {
    											__imp__??_V@YAXPAX@Z(_t241);
    										}
    										_t242 = _v28;
    										_v28 = _t398;
    										__eflags = _t242;
    										if(_t242 != 0) {
    											__imp__??_V@YAXPAX@Z(_t242);
    										}
    										goto L121;
    									} else {
    										_t371 = _v28;
    										_t283 = 0x10;
    										_v1644 = _t283;
    										__eflags = _v28;
    										if(_v28 == 0) {
    											_t371 =  &_v548;
    										}
    										_t284 = E0104589A(E010459D0, _t371, _t283, 0,  *((intOrPtr*)(_t396 + 0x18)),  &_v1616);
    										__eflags = _t284;
    										if(_t284 != 0) {
    											__eflags = _t410;
    											if(_t410 == 0) {
    												goto L56;
    											}
    											E01038B4D(_v1616);
    											goto L55;
    										} else {
    											_t308 =  *0x10667a8;
    											__eflags =  *0x10667a8 - 0x12;
    											if(__eflags == 0) {
    												_t308 = 2;
    												 *0x10667a8 = _t308;
    											}
    											goto L10;
    										}
    									}
    								}
    								goto L36;
    							} else {
    								_t360 = _v28;
    								if(_v28 == 0) {
    									_t360 =  &_v548;
    								}
    								_t287 = GetFileAttributesW(E01040060(_t360, _t395));
    								_t390 = _v1624;
    								 *( *(_t390 + 0x18)) = _t287;
    								_t431 =  *( *(_t390 + 0x18)) - 0xffffffff;
    								if( *( *(_t390 + 0x18)) != 0xffffffff) {
    									goto L33;
    								} else {
    									_t308 = GetLastError();
    									L10:
    									L0105693A(_t299, _t308, _t431);
    									goto L11;
    								}
    							}
    						}
    					}
    					_t308 =  *0x10667a8;
    				}
    			}


    APIs
    • _setjmp3.MSVCRT ref: 01056985
      • Part of subcall function 0103BC30: wcschr.MSVCRT ref: 0103BCA7
      • Part of subcall function 0103BC30: iswspace.MSVCRT ref: 0103BD1D
      • Part of subcall function 0103BC30: wcschr.MSVCRT ref: 0103BD39
      • Part of subcall function 0103BC30: wcschr.MSVCRT ref: 0103BD5D
    • memset.MSVCRT ref: 01056A69
    • memset.MSVCRT ref: 01056A8F
    • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,01078BF0,01078BF0,-00000001,-00000001,?,00000020,00000000,?,?,-00000001,?,-00000001,-00000001), ref: 01056BAF
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00000000,00000000,?,-00000002), ref: 01056BC8
    • memset.MSVCRT ref: 01056C1B
    • MoveFileWithProgressW.API-MS-WIN-CORE-FILE-L2-1-0(?,?,00000000,00000000,00000002,?,?,?,?,00000020,00000000,?,?,-00000001,?,-00000001), ref: 01056F6F
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00000000,00000000,?,-00000002), ref: 01056F79
    • ??_V@YAXPAX@Z.MSVCRT ref: 01057021
    • ??_V@YAXPAX@Z.MSVCRT ref: 01057039
      • Part of subcall function 01038B4D: FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,010599FD,00000000,?,00000000,0104CF94,00000000,?), ref: 01038B7B
    • ??_V@YAXPAX@Z.MSVCRT ref: 0105704B
    • ??_V@YAXPAX@Z.MSVCRT ref: 0105707B
    • ??_V@YAXPAX@Z.MSVCRT ref: 01057093
    • ??_V@YAXPAX@Z.MSVCRT ref: 010570A5
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: memsetwcschr$ErrorFileLast$AttributesCloseFindMoveProgressWith_setjmp3iswspace
    • String ID:
    • API String ID: 2027377737-0
    • Opcode ID: 370539a18c306244ece7c14eb2cb7059e2af800ee4be2455950b9d59db31d961
    • Instruction ID: 4ccd1443a3146a9dfd19d994b38d9e87b9d817cad2b730e9d22512e77b99e3d8
    • Opcode Fuzzy Hash: 370539a18c306244ece7c14eb2cb7059e2af800ee4be2455950b9d59db31d961
    • Instruction Fuzzy Hash: 7E229271E002269BDF65DB28CC94AEFB7B5EF94310F4441D9D989A7241EB329E81CF90
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 56%
    			E0103532E(WCHAR* __ecx, short* __edx, signed int _a4) {
    				signed int _v12;
    				int _v24;
    				char _v28;
    				int _v32;
    				void _v552;
    				struct _WIN32_FIND_DATAW _v1144;
    				int _v1148;
    				signed int _v1152;
    				void* _v1156;
    				char _v1160;
    				intOrPtr _v1164;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t75;
    				intOrPtr _t78;
    				void* _t80;
    				intOrPtr _t82;
    				intOrPtr _t83;
    				signed char _t84;
    				short _t87;
    				short _t88;
    				void* _t90;
    				signed int _t91;
    				signed int _t92;
    				signed int _t98;
    				signed int _t99;
    				intOrPtr _t100;
    				signed int _t101;
    				int _t111;
    				intOrPtr _t113;
    				int _t119;
    				signed int _t120;
    				int _t121;
    				WCHAR* _t124;
    				intOrPtr* _t129;
    				WCHAR* _t134;
    				intOrPtr* _t136;
    				signed int _t137;
    				intOrPtr* _t139;
    				signed int _t141;
    				signed int _t144;
    				short* _t146;
    				void* _t148;
    				short* _t150;
    				void* _t151;
    				int _t154;
    				intOrPtr* _t155;
    				void* _t159;
    				signed int _t160;
    				void* _t161;
    
    				_t145 = __edx;
    				_t75 =  *0x105e0b4; // 0x6030efd1
    				_v12 = _t75 ^ _t160;
    				_t124 = __ecx;
    				_v1152 = _a4;
    				_t155 = __ecx;
    				_v1148 = 0;
    				_t150 =  &(__ecx[1]);
    				do {
    					_t78 =  *_t155;
    					_t155 = _t155 + 2;
    				} while (_t78 != 0);
    				_t157 = _t155 - _t150 >> 1;
    				if((_t155 - _t150 >> 1) + 2 > __edx) {
    					L9:
    					_t80 = 0;
    					goto L8;
    				} else {
    					_t129 = __ecx;
    					_t145 =  &(__ecx[1]);
    					do {
    						_t82 =  *_t129;
    						_t129 = _t129 + 2;
    					} while (_t82 != 0);
    					_t157 = _v1152;
    					_t131 = _t129 - _t145 >> 1;
    					_t83 = (_t129 - _t145 >> 1) - 2;
    					_v1164 = _t83;
    					 *_t157 = _t83;
    					_t84 = GetFileAttributesW(__ecx);
    					if(_t84 == 0xffffffff) {
    						_push(0);
    						_push(GetLastError());
    						L13:
    						E010378E4(_t131);
    						goto L9;
    					}
    					if((_t84 & 0x00000010) != 0) {
    						_t134 = _t124;
    						_t146 =  &(_t134[1]);
    						do {
    							_t87 =  *_t134;
    							_t134 =  &(_t134[1]);
    						} while (_t87 != 0);
    						_t131 = _t134 - _t146 >> 1;
    						_t88 = 0x5c;
    						_push(0x2a);
    						if( *((intOrPtr*)(_t124 + _t131 * 2 - 2)) != _t88) {
    							 *((short*)(_t124 + 4 + _t131 * 2)) = 0;
    							_pop(_t145);
    						} else {
    							_t145 = 0;
    							_pop(_t88);
    						}
    						_t124[_t131] = _t88;
    						 *(_t124 + 2 + _t131 * 2) = _t145;
    						_t90 = FindFirstFileW(_t124,  &_v1144);
    						_v1156 = _t90;
    						if(_t90 != 0xffffffff) {
    							_t154 = 1;
    							do {
    								_t131 = ".";
    								_t91 =  &(_v1144.cFileName);
    								while(1) {
    									_t145 =  *_t91;
    									if(_t145 !=  *_t131) {
    										break;
    									}
    									if(_t145 == 0) {
    										L29:
    										_t92 = 0;
    										L31:
    										if(_t92 == 0) {
    											goto L61;
    										}
    										_t131 = L"..";
    										_t98 =  &(_v1144.cFileName);
    										while(1) {
    											_t145 =  *_t98;
    											if(_t145 !=  *_t131) {
    												break;
    											}
    											if(_t145 == 0) {
    												L37:
    												_t99 = 0;
    												L39:
    												if(_t99 == 0) {
    													goto L61;
    												}
    												_t136 =  &(_v1144.cFileName);
    												_t145 = _t136 + 2;
    												do {
    													_t100 =  *_t136;
    													_t136 = _t136 + 2;
    												} while (_t100 != _v1148);
    												_t137 = _t136 - _t145;
    												_t131 = _t137 >> 1;
    												if(_t137 == 0) {
    													goto L61;
    												}
    												if((_v1144.dwFileAttributes & 0x00000010) != 0) {
    													_t101 =  *_t157;
    													if(_t101 <= _t131) {
    														_t101 = _t131;
    													}
    													 *_t157 = _t101;
    													goto L61;
    												}
    												_v28 = 1;
    												_v24 = 0x104;
    												_v32 = 0;
    												memset( &_v552, 0, 0x104);
    												_t131 =  &_v552;
    												_t161 = _t161 + 0xc;
    												if(E0103E3F0(((0 | _v28 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
    													SetLastError(8);
    													_t111 = _v32;
    													_v32 = 0;
    													if(_t111 != 0) {
    														__imp__??_V@YAXPAX@Z();
    														_t131 = _t111;
    													}
    													L67:
    													_t124 = 0;
    													L68:
    													_t157 = GetLastError();
    													FindClose(_v1156);
    													if(_t154 != 0) {
    														goto L9;
    													}
    													if(_t157 == 0x12) {
    														goto L7;
    													}
    													_push(_t124);
    													goto L12;
    												}
    												E0103A641(_t124);
    												_t148 = _v32;
    												_t139 = _t148;
    												if(_t148 == 0) {
    													_t139 =  &_v552;
    												}
    												_t159 = _t139 + 2;
    												do {
    													_t113 =  *_t139;
    													_t139 = _t139 + 2;
    												} while (_t113 != _v1148);
    												_t141 = _t139 - _t159 >> 1;
    												if(_t148 == 0) {
    													_t148 =  &_v552;
    												}
    												 *((short*)(_t148 + _t141 * 2 - 2)) = 0;
    												E0104232C(_t148,  &(_v1144.cFileName));
    												_t131 = _v32;
    												if(_v32 == 0) {
    													_t131 =  &_v552;
    												}
    												_t145 = _v24;
    												if(E0103532E(_t131, _v24,  &_v1160) == 0) {
    													_t119 = _v32;
    													_t124 = 0;
    													_v32 = 0;
    													if(_t119 != 0) {
    														__imp__??_V@YAXPAX@Z();
    														_t131 = _t119;
    													}
    													goto L68;
    												} else {
    													_t157 = _v1152;
    													_t144 = _v1164 + _v1160;
    													_t120 =  *_t157;
    													if(_t120 <= _t144) {
    														_t120 = _t144;
    													}
    													 *_t157 = _t120;
    													_t131 = 0;
    													_t121 = _v32;
    													_v32 = 0;
    													if(_t121 != 0) {
    														__imp__??_V@YAXPAX@Z();
    														_t131 = _t121;
    													}
    													goto L61;
    												}
    											}
    											_t145 =  *((intOrPtr*)(_t98 + 2));
    											_t33 = _t131 + 2; // 0x2e
    											if(_t145 !=  *_t33) {
    												break;
    											}
    											_t98 = _t98 + 4;
    											_t131 = _t131 + 4;
    											if(_t145 != 0) {
    												continue;
    											}
    											goto L37;
    										}
    										asm("sbb eax, eax");
    										_t99 = _t98 | 0x00000001;
    										goto L39;
    									}
    									_t145 =  *((intOrPtr*)(_t91 + 2));
    									_t30 = _t131 + 2; // 0x750000
    									if(_t145 !=  *_t30) {
    										break;
    									}
    									_t91 = _t91 + 4;
    									_t131 = _t131 + 4;
    									if(_t145 != 0) {
    										continue;
    									}
    									goto L29;
    								}
    								asm("sbb eax, eax");
    								_t92 = _t91 | 0x00000001;
    								goto L31;
    								L61:
    								_t154 = FindNextFileW(_v1156,  &_v1144);
    							} while (_t154 != 0);
    							goto L67;
    						} else {
    							_t157 = GetLastError();
    							FindClose(0xffffffff);
    							if(_t157 == 2 || _t157 == 0x12) {
    								goto L7;
    							} else {
    								_push(0);
    								L12:
    								_push(_t157);
    								goto L13;
    							}
    						}
    					}
    					L7:
    					_t80 = 1;
    					L8:
    					_pop(_t151);
    					return E01046B30(_t80, _t124, _v12 ^ _t160, _t145, _t151, _t157);
    				}
    			}


    APIs
    • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,00000002), ref: 0103539C
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: AttributesFile
    • String ID:
    • API String ID: 3188754299-0
    • Opcode ID: a1b6b9c65c935486cf602f7dacd64b7420c2e10d2a9de3f6c3f467a8004488fb
    • Instruction ID: c0b650e0318b6628f73ed71b15a366197d94c4e89311196f84f0732a7b379a0b
    • Opcode Fuzzy Hash: a1b6b9c65c935486cf602f7dacd64b7420c2e10d2a9de3f6c3f467a8004488fb
    • Instruction Fuzzy Hash: 0EA105B1A001068BDB659F68C884AEFB7F5EF88314F5485F9E9C6E3240EB319981CB50
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 93%
    			E0105C1FA(void* __ecx, void* __eflags) {
    				int _v8;
    				void* _v12;
    				void* _v16;
    				void* _v20;
    				void* _v24;
    				intOrPtr _v28;
    				signed int _v32;
    				void* _v36;
    				void* _v40;
    				void* _v48;
    				void* _t60;
    				void _t64;
    				void* _t68;
    				signed int _t77;
    				void _t80;
    				signed short _t81;
    				long _t88;
    				WCHAR* _t91;
    				void* _t97;
    				intOrPtr* _t102;
    				void* _t104;
    				void* _t109;
    				void* _t111;
    				long _t114;
    				void* _t115;
    				void* _t116;
    				void* _t117;
    
    				_t115 = __ecx;
    				_v40 = 0;
    				_t114 = 1;
    				_v16 = 0;
    				_v36 = 0;
    				_v24 = 0;
    				_t91 = E0105C135( *((intOrPtr*)(__ecx + 8)));
    				_t116 = E0105C135( *((intOrPtr*)(_t115 + 0xc)));
    				if(_t91 == 0 || _t116 == 0) {
    					L19:
    					if(_v36 != 0) {
    						RtlFreeHeap( *( *[fs:0x30] + 0x18), 0, _v36);
    					}
    					if(_t114 != 0 && _v24 != 0) {
    						RemoveDirectoryW(_t91);
    					}
    					return _t114;
    				} else {
    					if(E0105C5F2(_t91, 0, 1) != 0) {
    						if(E0105C535(_t116) != 0) {
    							if(CreateDirectoryW(_t91, 0) == 0) {
    								goto L19;
    							}
    							_v24 = 1;
    							_t60 = CreateFileW(_t91, 0x40000000, 1, 0, 3, 0x2000000, 0);
    							_v20 = _t60;
    							if(_t60 == 0xffffffff) {
    								goto L19;
    							}
    							RtlDosPathNameToNtPathName_U(_t116,  &_v40, 0, 0);
    							_t97 = _t116;
    							_t10 = _t97 + 2; // 0x2
    							_t109 = _t10;
    							do {
    								_t64 =  *_t97;
    								_t97 = _t97 + 2;
    							} while (_t64 != _v16);
    							_v8 = (_v40 & 0x0000ffff) + (_t97 - _t109 >> 1) * 2 + 0x14;
    							_t68 = E0103DCD0((_v40 & 0x0000ffff) + (_t97 - _t109 >> 1) * 2 + 0x14);
    							_v12 = _t68;
    							if(_t68 == 0) {
    								_t117 = _v20;
    								L18:
    								CloseHandle(_t117);
    								goto L19;
    							}
    							memset(_t68, 0, _v8);
    							_t102 = _v12;
    							 *((short*)(_t102 + 4)) = _v8 + 0xfffffff8;
    							 *_t102 = 0xa0000003;
    							 *((short*)(_t102 + 8)) = 0;
    							 *((short*)(_t102 + 0xa)) = _v40;
    							memcpy(_t102 + 0x10, _v36, _v40 & 0x0000ffff);
    							_t111 = _v12;
    							_t77 =  *(_t111 + 0xa) & 0x0000ffff;
    							_v32 = _t77;
    							_t104 = _t116;
    							 *((short*)(_t111 + 0xc)) = _t77 + 2;
    							_t31 = _t104 + 2; // 0x2
    							_v28 = _t31;
    							do {
    								_t80 =  *_t104;
    								_t104 = _t104 + 2;
    							} while (_t80 != _v16);
    							_t81 = (_t104 - _v28 >> 1) + (_t104 - _v28 >> 1);
    							 *(_t111 + 0xe) = _t81;
    							memcpy((_v32 & 0x0000ffff) + _t111 + 0x12, _t116, _t81 & 0x0000ffff);
    							_t117 = _v20;
    							_t88 = NtFsControlFile(_t117, 0, 0, 0,  &_v48, 0x900a4, _v12, _v8, 0, 0);
    							if(_t88 >= 0) {
    								_t114 = 0;
    							} else {
    								SetLastError(RtlNtStatusToDosError(_t88));
    							}
    							goto L18;
    						}
    						_push(0x40002749);
    						L4:
    						SetLastError();
    						goto L19;
    					}
    					_push(0x4000272e);
    					goto L4;
    				}
    			}

    APIs
      • Part of subcall function 0105C135: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000000,?), ref: 0105C14E
      • Part of subcall function 0105C135: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000008,?,00000000,00000000,?), ref: 0105C16A
      • Part of subcall function 0105C135: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000000,?,?,00000000,00000000,?), ref: 0105C17B
    • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(40002749,00000001), ref: 0105C24F
    • CreateDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,00000001), ref: 0105C270
    • CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,40000000,00000001,00000000,00000003,02000000,00000000), ref: 0105C293
    • RtlDosPathNameToNtPathName_U.NTDLL(00000000,?,00000000,00000000), ref: 0105C2AE
    • memset.MSVCRT ref: 0105C2EF
    • memcpy.MSVCRT ref: 0105C324
    • memcpy.MSVCRT ref: 0105C370
    • NtFsControlFile.NTDLL(?,00000000,00000000,00000000,?,000900A4,?,?,00000000,00000000), ref: 0105C392
    • RtlNtStatusToDosError.NTDLL ref: 0105C39D
    • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 0105C3A4
    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 0105C3B6
    • RtlFreeHeap.NTDLL(?,00000000,00000000), ref: 0105C3D1
    • RemoveDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 0105C3E2
      • Part of subcall function 0105C5F2: memset.MSVCRT ref: 0105C62E
      • Part of subcall function 0105C5F2: memset.MSVCRT ref: 0105C656
      • Part of subcall function 0105C5F2: GetVolumePathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,-00000105,-00000105,?,?,?,00000001,00000000,00000000), ref: 0105C6C7
      • Part of subcall function 0105C5F2: GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,00000001,00000000,00000000), ref: 0105C6E6
      • Part of subcall function 0105C5F2: GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000000,00000000,?,?,?,00000001,?,?,?,00000001,00000000,00000000), ref: 0105C72A
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: Path$ErrorName$Lastmemset$CreateDirectoryFileFullVolumememcpy$CloseControlDriveFreeHandleHeapInformationName_RemoveStatusType
    • String ID:
    • API String ID: 223857506-0
    • Opcode ID: 6c9c5f4060d0766200e84da4b1e4439b46aad4a18f6fa24922da43fe0df282c5
    • Instruction ID: f3a859df774cb6c213dfcbdd50cc1005656cfc40e7a4968df0cb4b2ef5ad11ef
    • Opcode Fuzzy Hash: 6c9c5f4060d0766200e84da4b1e4439b46aad4a18f6fa24922da43fe0df282c5
    • Instruction Fuzzy Hash: 2951C571A00209AFEB559FB8CD44ABFB7BCEF48204B044569E946E7251E735DE01C7A4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 71%
    			E01039310(void* __ecx, signed int __edx, int _a4, signed int _a8) {
    				signed int _v8;
    				short _v76;
    				short _v332;
    				signed short _v334;
    				signed short _v336;
    				signed int _v338;
    				signed int _v340;
    				struct _SYSTEMTIME _v348;
    				signed int _v352;
    				void* _v356;
    				signed int _v360;
    				int _v364;
    				struct _FILETIME _v372;
    				struct _FILETIME _v380;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t62;
    				char* _t71;
    				void* _t77;
    				intOrPtr _t80;
    				signed int _t81;
    				int _t84;
    				signed short _t85;
    				int _t90;
    				intOrPtr* _t93;
    				signed int _t94;
    				int _t97;
    				signed int _t104;
    				signed int _t105;
    				void* _t111;
    				int _t116;
    				int _t118;
    				void* _t120;
    				void* _t123;
    				signed int _t125;
    				intOrPtr* _t126;
    				signed int _t127;
    				int _t130;
    				signed int _t131;
    				intOrPtr* _t137;
    				signed int _t138;
    				int _t139;
    				signed int _t140;
    				void* _t141;
    				int _t143;
    				signed int _t145;
    				int _t146;
    				void* _t147;
    				int _t148;
    				signed int _t149;
    				signed int _t150;
    				signed int _t152;
    				void* _t153;
    
    				_t62 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t62 ^ _t152;
    				_t148 = _a4;
    				_v364 = _t148;
    				_t145 = __edx;
    				if(__ecx != 0) {
    					E010548D7(__ecx,  &_v372);
    				} else {
    					GetSystemTime( &_v348);
    					SystemTimeToFileTime( &_v348,  &_v372);
    				}
    				FileTimeToLocalFileTime( &_v372,  &_v380);
    				FileTimeToSystemTime( &_v380,  &_v348);
    				if(_t145 != 1) {
    					_t145 = 0;
    					__eflags =  *0x1066755;
    					_t116 = 2;
    					if( *0x1066755 == 0) {
    						_t71 = "a";
    						_t118 = _v340 & 0x0000ffff;
    						__eflags =  *0x105e0c4 - _t145; // 0xffffffff
    						if(__eflags == 0) {
    							_t71 = " ";
    						} else {
    							_t139 = 0xc;
    							__eflags = _t118 - _t139;
    							if(__eflags < 0) {
    								__eflags = _t118;
    								if(_t118 == 0) {
    									_t118 = _t139;
    								}
    							} else {
    								if(__eflags > 0) {
    									__eflags = _t118;
    								}
    								_t71 = "p";
    							}
    						}
    						_push(_t71);
    						_push(_v338 & 0x0000ffff);
    						_push(0x106c9e0);
    						E01039ABF( &_v76, 0x20, L"%02d%s%02d%s", _t118);
    						L40:
    						__eflags = _t148;
    						if(_t148 != 0) {
    							_t136 = _a8;
    							E0103F3A0(_t148, _a8,  &_v76);
    							_t120 = _t148 + 2;
    							do {
    								_t77 =  *_t148;
    								_t148 = _t148 + _t116;
    								__eflags = _t77 - _t145;
    							} while (_t77 != _t145);
    							_t149 = _t148 - _t120;
    							goto L7;
    						}
    						_t137 =  &_v76;
    						_t123 = _t137 + 2;
    						do {
    							_t80 =  *_t137;
    							_t137 = _t137 + _t116;
    							__eflags = _t80 - _t145;
    						} while (_t80 != _t145);
    						_t138 = _t137 - _t123;
    						__eflags = _t138;
    						_t136 = _t138 >> 1;
    						_t81 = E0103998D( &_v76, _t138 >> 1);
    						goto L44;
    					}
    					_v352 = 0;
    					_t25 = _t116 + 0x7e; // 0x80
    					_t146 = _t25;
    					_t84 = GetLocaleInfoW(E01038791(), 0x1003,  &_v332, _t146);
    					__eflags = _t84;
    					if(_t84 != 0) {
    						L20:
    						_t85 = _v332;
    						_t147 =  &_v332;
    						__eflags = _t85;
    						if(_t85 == 0) {
    							L37:
    							_t90 = GetTimeFormatW(E01038791(), _t116,  &_v348,  &_v332,  &_v76, 0x20);
    							__eflags = _t90;
    							if(_t90 == 0) {
    								_v76 = _t90;
    							}
    							_t145 = 0;
    							__eflags = 0;
    							goto L40;
    						}
    						_t125 = _t85 & 0x0000ffff;
    						__eflags = 0;
    						_v360 = _t125;
    						do {
    							__eflags = _t125 - 0x27;
    							if(_t125 != 0x27) {
    								__eflags = _v352;
    								if(_v352 == 0) {
    									__eflags = _t125 - 0x68;
    									if(_t125 == 0x68) {
    										L29:
    										_t140 = 0;
    										do {
    											_t147 = _t147 + _t116;
    											_t140 = _t140 + 1;
    											__eflags =  *_t147 - _t125;
    										} while ( *_t147 == _t125);
    										_t93 = _t147 +  ~_t140 * 2;
    										_v356 = _t93;
    										_t40 = _t93 + 2; // 0x3
    										_t147 = _t40;
    										__eflags = _t140 - 1;
    										if(_t140 != 1) {
    											goto L35;
    										}
    										_t126 = _t93;
    										_t41 = _t126 + 2; // 0x3
    										_t141 = _t41;
    										do {
    											_t97 =  *_t126;
    											_t126 = _t126 + _t116;
    											__eflags = _t97;
    										} while (_t97 != 0);
    										_t127 = _t126 - _t141;
    										__eflags = _t127;
    										memmove(_t147, _v356, 2 + (_t127 >> 1) * 2);
    										_t153 = _t153 + 0xc;
    										 *_v356 = _v360;
    										goto L35;
    									}
    									__eflags = _t125 - 0x48;
    									if(_t125 == 0x48) {
    										goto L29;
    									}
    									__eflags = _t125 - 0x6d;
    									if(_t125 != 0x6d) {
    										goto L35;
    									}
    									goto L29;
    								}
    								_t147 = _t147 + _t116;
    								goto L35;
    							}
    							_t147 = _t147 + _t116;
    							__eflags = _v352;
    							_v352 = 0 | _v352 == 0x00000000;
    							L35:
    							_t147 = _t147 + _t116;
    							_t94 =  *_t147 & 0x0000ffff;
    							_t125 = _t94;
    							_v360 = _t125;
    							__eflags = _t94;
    						} while (_t94 != 0);
    						_t148 = _v364;
    						goto L37;
    					}
    					_t130 =  &_v332;
    					_t143 = L"HH:mm:ss t" - _t130;
    					__eflags = _t143;
    					while(1) {
    						_t27 = _t146 + 0x7fffff7e; // 0x7ffffffe
    						__eflags = _t27;
    						if(_t27 == 0) {
    							break;
    						}
    						_t104 =  *(_t143 + _t130) & 0x0000ffff;
    						__eflags = _t104;
    						if(_t104 == 0) {
    							break;
    						}
    						 *_t130 = _t104;
    						_t130 = _t130 + _t116;
    						_t146 = _t146 - 1;
    						__eflags = _t146;
    						if(_t146 != 0) {
    							continue;
    						}
    						break;
    					}
    					__eflags = _t146;
    					if(_t146 == 0) {
    						_t130 = _t130 - _t116;
    						__eflags = _t130;
    					}
    					__eflags = 0;
    					 *_t130 = 0;
    					goto L20;
    				} else {
    					_t105 = _v334 & 0x0000ffff;
    					_t131 = 0xa;
    					_t136 = _t105 % _t131;
    					_push(_t105 / _t131);
    					_push(0x106c9c0);
    					_push(_v336 & 0x0000ffff);
    					_push(0x106c9e0);
    					_push(_v338 & 0x0000ffff);
    					_push(0x106c9e0);
    					_push(_v340 & 0x0000ffff);
    					_push(L"%2d%s%02d%s%02d%s%02d");
    					if(_t148 == 0) {
    						_t81 = E01039950();
    						L44:
    						_t150 = _t81;
    						goto L8;
    					} else {
    						_push(_a8);
    						_push(_t148);
    						E01039ABF();
    						_t136 = _t148 + 2;
    						_t116 = 2;
    						do {
    							_t111 =  *_t148;
    							_t148 = _t148 + _t116;
    						} while (_t111 != 0);
    						_t149 = _t148 - _t136;
    						L7:
    						_t150 = _t149 >> 1;
    						L8:
    						return E01046B30(_t150, _t116, _v8 ^ _t152, _t136, _t145, _t150);
    					}
    				}
    			}

    APIs
    • GetSystemTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,$P$G,?,00002000), ref: 01039342
    • SystemTimeToFileTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 01039356
    • FileTimeToLocalFileTime.API-MS-WIN-CORE-FILE-L1-1-0(?,?), ref: 0103936A
    • FileTimeToSystemTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 0103937E
    • GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00001003,?,00000080), ref: 0104BC07
    • GetTimeFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(00000000,00000002,?,?,?,00000020), ref: 0104BD31
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: Time$File$System$FormatInfoLocalLocale
    • String ID: $P$G$%02d%s%02d%s$%2d%s%02d%s%02d%s%02d$HH:mm:ss t
    • API String ID: 55602301-1259282179
    • Opcode ID: 8bcf6b8f82949fc5091c841941c61334c2d7c03b3e85e704e903a112104f6aad
    • Instruction ID: cfdf8578546c382e9332c5377321dfcae07a0f0aa9456a49fc9137eaeb8cd369
    • Opcode Fuzzy Hash: 8bcf6b8f82949fc5091c841941c61334c2d7c03b3e85e704e903a112104f6aad
    • Instruction Fuzzy Hash: B281DAB6D002199BDF659F68CCC4AFE77B9BF84300F4441EAE5C9D7140EA359A82CB50
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 61%
    			E0104589A(intOrPtr* __ecx, WCHAR* __edx, intOrPtr _a4, intOrPtr _a8, void* _a12, void** _a16) {
    				intOrPtr* _v8;
    				void* _t18;
    				intOrPtr _t21;
    				void* _t24;
    				void* _t35;
    				void* _t40;
    				signed int _t42;
    				void* _t45;
    				void** _t48;
    
    				_push(__ecx);
    				_v8 = __ecx;
    				_t35 = 0;
    				_t18 = FindFirstFileExW(__edx, 0 | _a8 == 0x00000000, _a12, 0, 0, 2);
    				_t48 = _a16;
    				_t45 = _t18;
    				 *_t48 = _t45;
    				while(_t45 != 0xffffffff) {
    					_push(_a4);
    					_push(_a12);
    					if(_v8 != E010459D0) {
    						 *0x107a4c4();
    						_t21 =  *_v8();
    						_t45 =  *_t48;
    					} else {
    						_t21 = E010459D0();
    					}
    					if(_t21 == 0) {
    						if(FindNextFileW(_t45, _a12) == 0) {
    							FindClose( *_t48);
    							 *_t48 =  *_t48 | 0xffffffff;
    							_t45 = _t45 | 0xffffffff;
    							goto L9;
    						}
    						_t45 =  *_t48;
    						continue;
    					} else {
    						 *0x10667a8 =  *0x10667a8 & 0x00000000;
    						_t35 = 1;
    						L9:
    						if(_t45 == 0xffffffff) {
    							L15:
    							if(_t35 != 0) {
    								L3:
    								_t24 = _t35;
    								L4:
    								return _t24;
    							}
    							break;
    						}
    						_t40 =  *0x10667b8;
    						if(_t40 == 0) {
    							_t40 = HeapAlloc(GetProcessHeap(), 0, 0x14);
    							L18:
    							_t42 =  *0x10667bc;
    							 *0x10667b8 = _t40;
    							L12:
    							if(_t40 != 0) {
    								 *(_t40 + _t42 * 4) =  *_t48;
    								 *0x10667bc = _t42 + 1;
    							}
    							_t35 = 1;
    							goto L15;
    						}
    						_t42 =  *0x10667bc;
    						if(_t42 >=  *0x10667c0) {
    							_t40 = HeapReAlloc(GetProcessHeap(), 0, _t40, 4 + _t42 * 4);
    							if(_t40 == 0) {
    								 *0x10667a8 = GetLastError();
    								FindClose( *_t48);
    								 *_t48 =  *_t48 | 0xffffffff;
    								_t24 = 0;
    								goto L4;
    							}
    							 *0x10667c0 =  *0x10667c0 + 1;
    							goto L18;
    						}
    						goto L12;
    					}
    				}
    				 *0x10667a8 = GetLastError();
    				goto L3;
    			}

    APIs
    • FindFirstFileExW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,?,00000000,00000000,00000002,00000000,00000000,?,010459D0,?,01036054,-00001038,00000000,?,?), ref: 010458BB
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,010459D0,?,01036054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 010458CD
    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000014,?,010459D0,?,01036054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 01045944
    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,010459D0,?,01036054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 0104594B
    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,?,010459D0,?,01036054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 0104596C
    • HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,010459D0,?,01036054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 01045973
    • FindNextFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,010459D0,?,01036054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 0104598F
    • FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,?,010459D0,?,01036054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 010459B6
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,010459D0,?,01036054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 0105160B
    • FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,?,010459D0,?,01036054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 01051618
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: FindHeap$AllocCloseErrorFileLastProcess$FirstNext
    • String ID:
    • API String ID: 3609286125-0
    • Opcode ID: bbbc512d3a64e7f7d20818bc960b3400bb556d8e3b6d52f79bc50084285fd212
    • Instruction ID: 29a21e131e8703469f1673beaf3961dba549fa3a22545141bd0a99e9dccb0e02
    • Opcode Fuzzy Hash: bbbc512d3a64e7f7d20818bc960b3400bb556d8e3b6d52f79bc50084285fd212
    • Instruction Fuzzy Hash: 7D3191B5601201EFEB218F64EC88B6E3BF5FB46321F244528E5D6932D4E73B9805DB50
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 40%
    			E01054953(intOrPtr* __ecx, signed int __edx) {
    				signed int _v8;
    				char _v34;
    				short _v36;
    				short _v38;
    				char _v40;
    				char _v72;
    				char _v604;
    				struct _SYSTEMTIME _v620;
    				signed int _v624;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t36;
    				short _t38;
    				short _t39;
    				intOrPtr _t42;
    				void* _t43;
    				void* _t44;
    				void* _t49;
    				signed int _t51;
    				intOrPtr* _t56;
    				void* _t62;
    				intOrPtr _t68;
    				signed int* _t79;
    				void* _t82;
    				signed int _t90;
    				intOrPtr* _t91;
    				signed int _t92;
    				void* _t94;
    				void* _t96;
    				signed short* _t105;
    				signed int _t110;
    				intOrPtr* _t114;
    				void* _t121;
    				signed int* _t124;
    				signed int _t129;
    				void* _t132;
    				signed int _t133;
    				void* _t134;
    				void* _t135;
    				intOrPtr* _t136;
    				signed int _t137;
    				void* _t139;
    				signed int _t140;
    				signed int _t143;
    				void* _t144;
    
    				_t36 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t36 ^ _t143;
    				_t140 = __edx;
    				_t91 = __ecx;
    				_t96 = 0xd;
    				if(__edx != 0) {
    					_t38 = 0x3a;
    					_v40 = _t38;
    					_t39 = 0x2e;
    					_v38 = _t39;
    					_t97 =  &_v34;
    					_v36 =  *0x106c9e0;
    					E0103F3A0( &_v34, _t96, 0x106c9c0);
    					goto L9;
    				} else {
    					_t124 =  &_v40;
    					_t134 = 0x10;
    					_t139 = L"/-." - _t124;
    					while(1) {
    						_t3 = _t134 + 0x7fffffee; // 0x7ffffffe
    						if(_t3 == 0) {
    							break;
    						}
    						_t90 =  *(_t139 + _t124) & 0x0000ffff;
    						if(_t90 == 0) {
    							break;
    						}
    						 *_t124 = _t90;
    						_t124 =  &(_t124[0]);
    						_t134 = _t134 - 1;
    						if(_t134 != 0) {
    							continue;
    						}
    						break;
    					}
    					if(_t134 == 0) {
    						_t124 = _t124 - 2;
    					}
    					_push(0x106c9d0);
    					 *_t124 = 0;
    					_t97 =  &_v40;
    					_t135 = 0x10;
    					E0103FC40( &_v40, _t135);
    					L9:
    					_t136 = 0;
    					L10:
    					while(1) {
    						if(_t91 == 0 ||  *_t91 == _t136) {
    							_t42 =  *0x105e58c; // 0x0
    							_t43 = _t42 - _t136;
    							if(_t43 == 0) {
    								_t44 = 0x2342;
    							} else {
    								if(_t43 == 0) {
    									_t44 = 0x4000271d;
    								} else {
    									_t44 = 0x4000271e;
    								}
    							}
    							if(_t140 != 0) {
    								_push(_t136);
    								_push(0x2343);
    								E010363BD(_t97);
    							} else {
    								E010363BD(_t97, _t44, 1, 0x106c9d0);
    								_t144 = _t144 + 0xc;
    							}
    							__imp___get_osfhandle( &_v624);
    							_t127 =  &_v604;
    							if(E01054799( &_v624,  &_v604, _t136, 0x104) == 0) {
    								goto L57;
    							} else {
    								_t51 = _v624;
    								if(_t51 == 0) {
    									goto L57;
    								}
    								 *((short*)(_t143 + _t51 * 2 - 0x258)) = 0;
    								_t105 =  &_v604;
    								_t52 = _v604;
    								if(_t52 == 0) {
    									L33:
    									if(E0103DD98(_t52) == 0) {
    										_push( &_v604);
    										E01039950(L"%s\r\n");
    									}
    									goto L35;
    								}
    								_t133 = _t52 & 0x0000ffff;
    								while(_t133 != 0xa) {
    									_t82 = 0xd;
    									if(_t133 == _t82) {
    										break;
    									}
    									_t105 =  &(_t105[1]);
    									_t52 =  *_t105 & 0x0000ffff;
    									_t133 = _t52;
    									if(_t52 != 0) {
    										continue;
    									}
    									goto L33;
    								}
    								_t52 = 0;
    								 *_t105 = 0;
    								goto L33;
    							}
    						} else {
    							_t114 = _t91;
    							_t10 = _t114 + 2; // 0x2
    							_t127 = _t10;
    							do {
    								_t68 =  *_t114;
    								_t114 = _t114 + 2;
    							} while (_t68 != _t136);
    							_t116 = _t114 - _t127 >> 1;
    							if(_t114 - _t127 >> 1 >= 0x104) {
    								_push(_t136);
    								asm("sbb esi, esi");
    								_push(_t140);
    								E010363BD(_t116);
    								L56:
    								L57:
    								_t49 = 1;
    								L58:
    								return E01046B30(_t49, _t91, _v8 ^ _t143, _t127, _t136, _t140);
    							}
    							E0103F3A0( &_v604, 0x105, _t91);
    							L35:
    							_push( &_v40);
    							_t92 = 0x10;
    							E0103F3A0( &_v72, _t92);
    							_t129 = _t92;
    							_t56 =  &_v72;
    							while( *_t56 != _t136) {
    								_t56 = _t56 + 2;
    								_t129 = _t129 - 1;
    								if(_t129 != 0) {
    									continue;
    								}
    								break;
    							}
    							asm("sbb ecx, ecx");
    							_t110 =  ~_t129 & _t92 - _t129;
    							if(_t129 == 0) {
    								L47:
    								_push(2);
    								_t127 =  &_v72;
    								_t136 = E0103BC30( &_v604,  &_v72);
    								_t91 = 0;
    								if( *_t136 == 0) {
    									L60:
    									_t49 = 0;
    									goto L58;
    								}
    								GetLocalTime( &_v620);
    								_t127 = _t136;
    								_t112 =  &_v620;
    								_push( &_v40);
    								if(_t140 != 0) {
    									_t62 = E01054DBD( &_v620, _t127);
    								} else {
    									_t62 = E01054C42( &_v620, _t127, _t140);
    								}
    								if(_t62 == 0) {
    									L54:
    									_t136 = 0;
    									_push(0);
    									asm("sbb eax, eax");
    									_push(( ~_t140 & 0x00000003) + 0x232f);
    									E010363BD(_t112);
    									_pop(_t97);
    									continue;
    								} else {
    									SetLocalTime( &_v620);
    									if(SetLocalTime( &_v620) != 0) {
    										goto L60;
    									}
    									if(GetLastError() == 0x522) {
    										_push(_t91);
    										_push(GetLastError());
    										E010378E4(_t112);
    										goto L56;
    									}
    									goto L54;
    								}
    							}
    							_t79 =  &_v72 + _t110 * 2;
    							_t132 = _t92 - _t110;
    							if(_t132 == 0) {
    								L45:
    								_t79 = _t79 - 2;
    								L46:
    								 *_t79 = 0;
    								goto L47;
    							}
    							_t121 = 0x7ffffffe;
    							_t94 = ";" - _t79;
    							while(_t121 != 0) {
    								_t137 =  *(_t94 + _t79) & 0x0000ffff;
    								if(_t137 == 0) {
    									break;
    								}
    								 *_t79 = _t137;
    								_t79 =  &(_t79[0]);
    								_t121 = _t121 - 1;
    								_t132 = _t132 - 1;
    								if(_t132 != 0) {
    									continue;
    								}
    								break;
    							}
    							if(_t132 != 0) {
    								goto L46;
    							}
    							goto L45;
    						}
    					}
    				}
    			}

    APIs
    • _get_osfhandle.MSVCRT ref: 01054A7B
    • GetLocalTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,00000002,?), ref: 01054B98
    • SetLocalTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?), ref: 01054BC5
    • SetLocalTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?), ref: 01054BD2
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 01054BDC
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 01054C30
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: LocalTime$ErrorLast$_get_osfhandle
    • String ID: %s$/-.
    • API String ID: 1033501010-531045382
    • Opcode ID: a86534bd4e8d532d9f867690c6fb5c4cfc3dba99a98e162742e8cc312ceca4df
    • Instruction ID: d2fa08ef7e1ec666404ad48b123b0c332c09e0c7327f39cbb3133bc45caf656c
    • Opcode Fuzzy Hash: a86534bd4e8d532d9f867690c6fb5c4cfc3dba99a98e162742e8cc312ceca4df
    • Instruction Fuzzy Hash: 05813636A0021686EFE59A78C845AFF37F8EFC4600F1441AADDC2DB194FE769A85C714
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 72%
    			E01044759(WCHAR* __ecx, signed int __edx) {
    				void* _v8;
    				void* _v16;
    				void* _v24;
    				long _v32;
    				char _v40;
    				intOrPtr _v44;
    				intOrPtr _v48;
    				intOrPtr _v52;
    				intOrPtr _v56;
    				intOrPtr _v60;
    				void* _v64;
    				struct _EXCEPTION_RECORD _t30;
    				long _t31;
    				long _t35;
    				WCHAR* _t41;
    				char* _t43;
    				long _t47;
    				void* _t49;
    
    				_t47 = 0;
    				_t41 = __ecx;
    				if((__edx & 0x00000400) != 0) {
    					L11:
    					if(DeleteFileW(_t41) == 0) {
    						_t47 = GetLastError();
    					}
    					L8:
    					return _t47;
    				}
    				_v8 = _v8 | 0xffffffff;
    				_t30 =  &_v16;
    				__imp__RtlDosPathNameToRelativeNtPathName_U_WithStatus(__ecx, _t30, 0,  &_v40);
    				if(_t30 < 0) {
    					goto L11;
    				}
    				if(_v40 > 0) {
    					_t31 = _v32;
    					_t43 =  &_v40;
    				} else {
    					_t31 = 0;
    					_t43 =  &_v16;
    					_v32 = 0;
    				}
    				_v60 = _t31;
    				_v64 = 0x18;
    				_v52 = 0x40;
    				_v56 = _t43;
    				_v48 = _t47;
    				_v44 = _t47;
    				_t35 = NtOpenFile( &_v8, 0x10000,  &_v64,  &_v24, 4, 0x5040);
    				__imp__RtlReleaseRelativeName( &_v40);
    				RtlFreeUnicodeString( &_v16);
    				if(_t35 < 0) {
    					goto L11;
    				} else {
    					if(E01044823(_v8) != 0) {
    						_t49 = E0105A135(_v8);
    					} else {
    						_t49 = 1;
    					}
    					CloseHandle(_v8);
    					if(_t49 == 0) {
    						goto L11;
    					} else {
    						goto L8;
    					}
    				}
    			}

    APIs
    • RtlDosPathNameToRelativeNtPathName_U_WithStatus.NTDLL ref: 01044782
    • NtOpenFile.NTDLL(000000FF,00010000,?,?,00000004,00005040), ref: 010447D4
    • RtlReleaseRelativeName.NTDLL(?), ref: 010447E0
    • RtlFreeUnicodeString.NTDLL(?), ref: 010447EA
      • Part of subcall function 01044823: NtQueryVolumeInformationFile.NTDLL(000000FF,?,?,00000008,00000004), ref: 0104484F
    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(000000FF), ref: 0104480E
    • DeleteFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00000001), ref: 0105096F
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0105097D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: File$NamePathRelative$CloseDeleteErrorFreeHandleInformationLastName_OpenQueryReleaseStatusStringUnicodeVolumeWith
    • String ID: @
    • API String ID: 2968197161-2766056989
    • Opcode ID: 470f61f0be5e85ccfb0e88bd549b6c92e8f8531f739db8480ee37b0b490ba340
    • Instruction ID: 3e378441cf57e6a0dd361dcc1559e42fadaa098facc29f8fd25d747d9c3c794f
    • Opcode Fuzzy Hash: 470f61f0be5e85ccfb0e88bd549b6c92e8f8531f739db8480ee37b0b490ba340
    • Instruction Fuzzy Hash: E32121B1E00209EBDB21DFA5D984ADFBBB8AB44750F144169FA42F3244DB359E05CB60
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 31%
    			E01057460(void* __edi, intOrPtr _a4) {
    				char _v12;
    				void* __ecx;
    				int _t4;
    				void* _t6;
    				void* _t7;
    				struct _IO_FILE* _t10;
    				void* _t13;
    				void* _t16;
    
    				_t16 = __edi;
    				_push(_t13);
    				_push(_t13);
    				if(_a4 == 0 || _a4 == 1) {
    					EnterCriticalSection( *0x10625a4);
    					 *0x106259c = 1;
    					LeaveCriticalSection( *0x10625a4);
    					if( *0x105e0d3 != 0 &&  *0x1066748 != 0) {
    						_push("^C");
    						_t10 = E0104727B(_t4, 2);
    						_pop(_t13);
    						_t4 = fflush(E0104727B(fprintf(_t10, ??), 2));
    					}
    					if( *0x10665e0 != 0xffffffff) {
    						__imp__TryAcquireSRWLockExclusive(0x1078e04, _t16);
    						if(_t4 != 0) {
    							__imp__NtCancelSynchronousIoFile( *0x10665e0, 0,  &_v12);
    							__imp__ReleaseSRWLockExclusive(0x1078e04);
    						}
    					}
    					if(E010472EF(_t13) == 0) {
    						_t7 = E0103DD98(_t5);
    						if(_t7 != 0) {
    							__imp___get_osfhandle(0);
    							FlushConsoleInputBuffer(_t7);
    						}
    					}
    					_t6 = 1;
    				} else {
    					_t6 = 0;
    				}
    				return _t6;
    			}

    APIs
    • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 01057483
    • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 01057495
    • fprintf.MSVCRT ref: 010574BB
    • fflush.MSVCRT ref: 010574C9
    • TryAcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(01078E04), ref: 010574E2
    • NtCancelSynchronousIoFile.NTDLL(00000000,00000000), ref: 010574F8
    • ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(01078E04), ref: 010574FF
    • _get_osfhandle.MSVCRT ref: 0105751C
    • FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000), ref: 01057524
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: CriticalExclusiveLockSection$AcquireBufferCancelConsoleEnterFileFlushInputLeaveReleaseSynchronous_get_osfhandlefflushfprintf
    • String ID:
    • API String ID: 3139166086-0
    • Opcode ID: 2ba4d923fdfda1a7a76e49a46a14174bda4b1d19f6ea1807b7827f8db2f0f676
    • Instruction ID: df3bed908b6260a29b38107f9e9bec5dbe2f8557112ff55294e699b94db18dcb
    • Opcode Fuzzy Hash: 2ba4d923fdfda1a7a76e49a46a14174bda4b1d19f6ea1807b7827f8db2f0f676
    • Instruction Fuzzy Hash: F011B430600210EBEBB52B68E90DB6F3F68FB44715F484019F9C1A2095DB7F8541DB60
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 92%
    			E01044875(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8, WCHAR* _a12, short* _a16, intOrPtr* _a20, intOrPtr* _a24) {
    				signed int _v8;
    				int _v20;
    				char _v24;
    				int _v28;
    				void _v548;
    				intOrPtr _v552;
    				int _v556;
    				intOrPtr* _v560;
    				WCHAR* _v564;
    				intOrPtr* _v568;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t85;
    				short _t96;
    				short _t98;
    				void* _t99;
    				intOrPtr _t101;
    				signed int _t113;
    				signed int _t114;
    				long _t119;
    				signed int _t121;
    				void* _t122;
    				short _t123;
    				signed char _t125;
    				void* _t126;
    				intOrPtr* _t127;
    				void* _t128;
    				short _t129;
    				int _t133;
    				long _t138;
    				signed short* _t139;
    				short _t148;
    				short _t149;
    				void* _t150;
    				signed int _t152;
    				signed int _t155;
    				signed int _t156;
    				signed int _t157;
    				short _t158;
    				signed int _t163;
    				WCHAR* _t164;
    				intOrPtr* _t165;
    				short* _t171;
    				long _t172;
    				short* _t173;
    				signed int _t179;
    				short _t180;
    				WCHAR* _t184;
    				WCHAR* _t185;
    				signed int _t189;
    				short* _t190;
    				WCHAR* _t200;
    				short* _t203;
    				void* _t206;
    				signed int _t207;
    				signed int _t209;
    				signed int _t210;
    				signed int _t211;
    				signed int _t222;
    				void* _t227;
    				void* _t228;
    				short* _t230;
    				short _t233;
    				void* _t234;
    				WCHAR* _t235;
    				intOrPtr _t238;
    				void* _t239;
    				WCHAR* _t240;
    				signed int _t242;
    				intOrPtr* _t246;
    				intOrPtr* _t247;
    				signed int _t248;
    				signed int _t249;
    				void* _t250;
    				WCHAR* _t252;
    				signed int _t254;
    				short* _t256;
    				WCHAR* _t258;
    				signed int _t259;
    				signed int _t260;
    				WCHAR* _t262;
    				WCHAR* _t267;
    				void* _t269;
    				intOrPtr _t270;
    				signed int _t271;
    
    				_t85 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t85 ^ _t271;
    				_v552 = _a4;
    				_v564 = _a12;
    				_v560 = _a20;
    				_t239 = __edx;
    				_v568 = _a24;
    				E01044BAF(E01041D90(L"COPYCMD"), _t239);
    				_v556 = 0;
    				_t164 = E0103BC30( *((intOrPtr*)(__ecx + 0x3c)), 0, 0, _t238);
    				if(E01044BAF(_t164, _t239) == 0) {
    					L2:
    					_t258 = _t164;
    					_t12 =  &(_t258[1]); // 0x0
    					_t171 = _t12;
    					do {
    						_t96 =  *_t258;
    						_t258 =  &(_t258[1]);
    					} while (_t96 != 0);
    					_t259 = _t258 - _t171;
    					_t260 = _t259 >> 1;
    					if(_t259 == 0) {
    						L49:
    						_t172 = 0x232a;
    						L50:
    						L0105693A(_t164, _t172, __eflags);
    						L51:
    						_t172 = 0x2374;
    						goto L50;
    					}
    					if(_t260 >= 0x7fe7) {
    						L82:
    						_t172 = 0x232e;
    						goto L50;
    					}
    					_t240 = _t164;
    					_t13 =  &(_t240[1]); // 0x0
    					_t173 = _t13;
    					do {
    						_t98 =  *_t240;
    						_t240 =  &(_t240[1]);
    					} while (_t98 != 0);
    					_t242 = _t240 - _t173 >> 1;
    					_t99 = E01040060(_t164, _t242);
    					_t14 = _t242 + 1; // -3
    					E0103F3A0(_t164, _t14, _t99);
    					_t101 = E0103802C(_t164, _t164, _t242);
    					 *_v560 = _t101;
    					if(_t101 == 1) {
    						_t172 =  *0x10667a8;
    						goto L50;
    					}
    					_v24 = 1;
    					_v28 = 0;
    					_v20 = 0x104;
    					memset( &_v548, 0, 0x104);
    					if(E0103E3F0(((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
    						goto L51;
    					}
    					_t262 =  &(_t164[_t260 + 1]);
    					if( *_t262 == 0) {
    						_t179 = _v28;
    						__eflags = _t179;
    						if(_t179 == 0) {
    							_t179 =  &_v548;
    						}
    						 *_t179 =  *((intOrPtr*)( *0x10667a4));
    						_t113 = _v28;
    						__eflags = _t113;
    						if(_t113 == 0) {
    							_t113 =  &_v548;
    						}
    						_t180 = 0x3a;
    						 *((short*)(_t113 + 2)) = _t180;
    						_t114 = _v28;
    						__eflags = _t114;
    						if(_t114 == 0) {
    							_t114 =  &_v548;
    						}
    						 *((short*)(_t114 + 4)) = 0;
    						L19:
    						_t245 = _a8;
    						_t263 = _v552;
    						if(E01041CD5(_v552, _a8, _t164) != 0) {
    							goto L82;
    						}
    						_t165 = _v560;
    						if(( *( *( *_t165 + 0x18)) & 0x00000010) == 0) {
    							_t227 = 0x5c;
    							_t269 = E010401F5(_t263, _t227);
    							if(_t269 == 0) {
    								_t270 = _v552;
    							} else {
    								_t270 = _t269 + 2;
    							}
    							_t228 = 0x5c;
    							if(E010401F5( *((intOrPtr*)( *_t165 + 0x10)), _t228) == 0) {
    								_t141 =  *((intOrPtr*)( *_t165 + 0x10));
    							}
    							E0103F3A0(_t270, _t245 - (_t270 - _v552 >> 1), _t141);
    						}
    						_t118 = _v28;
    						if(_v28 == 0) {
    							_t118 =  &_v548;
    						}
    						_t164 = _v564;
    						_t119 = E01041CD5(_t164, _a16, _t118);
    						if(_t119 != 0) {
    							goto L82;
    						} else {
    							_t264 = _t119;
    							 *0x10667a8 = _t119;
    							SetLastError(_t119);
    							_t246 = _v568;
    							_t184 = _t164;
    							 *_t246 = 0;
    							_t121 =  *_t164 & 0x0000ffff;
    							_t222 = _t121;
    							if(_t121 == 0) {
    								L32:
    								_t122 = 0x5c;
    								if(_t222 == _t122) {
    									_t185 = _t164;
    									_t264 = 1;
    									__eflags = 1;
    									_t223 =  &(_t185[1]);
    									do {
    										_t123 =  *_t185;
    										_t185 =  &(_t185[1]);
    										__eflags = _t123 - _v556;
    									} while (_t123 != _v556);
    									 *((short*)(_t164 + (_t185 - _t223 >> 1) * 2 - 2)) = 0;
    								}
    								_t125 = GetFileAttributesW(_t164);
    								if(_t125 != 0xffffffff) {
    									__eflags = _t125 & 0x00000010;
    									if((_t125 & 0x00000010) != 0) {
    										 *_t246 = 1;
    										_t264 = 1;
    									}
    									L36:
    									if(_t264 != 0) {
    										_t126 = 0x5c;
    										_t127 = E010401F5(_v552, _t126);
    										_t225 = _t127;
    										__eflags = 0;
    										_t247 = _t127;
    										_t50 = _t247 + 2; // 0x2
    										_t128 = _t50;
    										do {
    											_t189 =  *_t247;
    											_t247 = _t247 + 2;
    											__eflags = _t189;
    										} while (_t189 != 0);
    										_t267 = _t164;
    										_t248 = _t247 - _t128;
    										__eflags = _t248;
    										_t249 = _t248 >> 1;
    										_t190 =  &(_t267[1]);
    										do {
    											_t129 =  *_t267;
    											_t267 =  &(_t267[1]);
    											__eflags = _t129 - _v556;
    										} while (_t129 != _v556);
    										_t53 = _t249 + 1; // -1
    										_t264 = _t267 - _t190 >> 1;
    										__eflags = _t53 + (_t267 - _t190 >> 1) - 0x7fe7;
    										if(__eflags > 0) {
    											goto L82;
    										}
    										_t223 = _a16;
    										E0103FC40(_t164, _a16, _t225);
    									}
    									_t133 = _v28;
    									_v28 = 0;
    									if(_t133 != 0) {
    										__imp__??_V@YAXPAX@Z(_t133);
    									}
    									_pop(_t250);
    									return E01046B30(0, _t164, _v8 ^ _t271, _t223, _t250, _t264);
    								}
    								_t138 = GetLastError();
    								 *0x10667a8 = _t138;
    								if(_t138 == 0 || _t138 == 2) {
    									goto L36;
    								} else {
    									__eflags = _t138 - 3;
    									if(__eflags == 0) {
    										goto L36;
    									}
    									_t172 = _t138;
    									goto L50;
    								}
    							}
    							do {
    								_t139 = _t184;
    								_t184 =  &(_t184[1]);
    							} while ( *_t184 != 0);
    							_t222 =  *_t139 & 0x0000ffff;
    							goto L32;
    						}
    					}
    					_t200 = _t262;
    					if( *((intOrPtr*)(E0103A7D5(_t200))) != 0) {
    						goto L49;
    					}
    					_t230 =  &(_t200[1]);
    					do {
    						_t148 =  *_t200;
    						_t200 =  &(_t200[1]);
    					} while (_t148 != 0);
    					if(_t200 - _t230 >> 1 > 0x7fe7) {
    						goto L82;
    					}
    					_t252 = _t262;
    					_t27 =  &(_t252[1]); // -1
    					_t203 = _t27;
    					do {
    						_t149 =  *_t252;
    						_t252 =  &(_t252[1]);
    					} while (_t149 != 0);
    					_t254 = _t252 - _t203 >> 1;
    					_t150 = E01040060(_t262, _t254);
    					_t28 = _t254 + 1; // -4
    					E0103F3A0(_t262, _t28, _t150);
    					_t152 = _t262[1] & 0x0000ffff;
    					_t233 = 0x3a;
    					if(_t152 != _t233) {
    						_t206 = 0x5c;
    						__eflags =  *_t262 - _t206;
    						if( *_t262 != _t206) {
    							L61:
    							_t207 = _v28;
    							__eflags = _t207;
    							if(_t207 == 0) {
    								_t207 =  &_v548;
    							}
    							 *_t207 =  *((intOrPtr*)( *0x10667a4));
    							_t155 = _v28;
    							__eflags = _t155;
    							if(_t155 == 0) {
    								_t155 =  &_v548;
    							}
    							 *((short*)(_t155 + 2)) = _t233;
    							_t156 = _v28;
    							__eflags = _t156;
    							if(_t156 == 0) {
    								_t156 =  &_v548;
    							}
    							 *((short*)(_t156 + 4)) = 0;
    							_t209 = _v28;
    							__eflags = _t209;
    							if(_t209 == 0) {
    								_t209 =  &_v548;
    							}
    							_t234 = _t209 + 2;
    							__eflags = 0;
    							do {
    								_t157 =  *_t209;
    								_t209 = _t209 + 2;
    								__eflags = _t157;
    							} while (_t157 != 0);
    							_t210 = _t209 - _t234;
    							__eflags = _t210;
    							_t235 = _t262;
    							_t211 = _t210 >> 1;
    							_t74 =  &(_t235[1]); // 0x1
    							_t256 = _t74;
    							do {
    								_t158 =  *_t235;
    								_t235 =  &(_t235[1]);
    								__eflags = _t158 - _v556;
    							} while (_t158 != _v556);
    							_t237 = _t235 - _t256 >> 1;
    							__eflags = _t211 + 1 + (_t235 - _t256 >> 1) - 0x7fe7;
    							if(__eflags > 0) {
    								goto L82;
    							}
    							E0104232C(_t237, _t262);
    							goto L19;
    						}
    						__eflags = _t152 - _t206;
    						if(_t152 == _t206) {
    							goto L18;
    						}
    						goto L61;
    					}
    					L18:
    					E0103A641(_t262);
    					goto L19;
    				} else {
    					goto L1;
    				}
    				do {
    					L1:
    					_t163 =  *_t164 & 0x0000ffff;
    					_t164 =  &(_t164[1]);
    				} while (_t163 != 0);
    				goto L2;
    			}

    APIs
      • Part of subcall function 01041D90: _wcsnicmp.MSVCRT ref: 01041E14
      • Part of subcall function 0103BC30: wcschr.MSVCRT ref: 0103BCA7
      • Part of subcall function 0103BC30: iswspace.MSVCRT ref: 0103BD1D
      • Part of subcall function 0103BC30: wcschr.MSVCRT ref: 0103BD39
      • Part of subcall function 0103BC30: wcschr.MSVCRT ref: 0103BD5D
      • Part of subcall function 01044BAF: _wcsnicmp.MSVCRT ref: 01044C1A
      • Part of subcall function 01044BAF: _wcsnicmp.MSVCRT ref: 01050B39
    • memset.MSVCRT ref: 01044975
    • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,-00000001,00000000,-00000001,00000104,00000000,00000001), ref: 01044ABC
    • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 01044AF4
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 01044AFF
    • ??_V@YAXPAX@Z.MSVCRT ref: 01044B28
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: _wcsnicmpwcschr$ErrorLast$AttributesFileiswspacememset
    • String ID: COPYCMD
    • API String ID: 1068965577-3727491224
    • Opcode ID: d986d9ac1bdb1a35d2bc9463c64c3aac70e19b85e22dcd9357e60796cefdf6ba
    • Instruction ID: d3dca360e7b61da7ce3754cb1255a3dba1d45379d83f9aa4011d4f82841f1453
    • Opcode Fuzzy Hash: d986d9ac1bdb1a35d2bc9463c64c3aac70e19b85e22dcd9357e60796cefdf6ba
    • Instruction Fuzzy Hash: 5DD1E475A001168BDB65DF68C894BAFB3F5FF88300F4545A9ED86D7288EA34AD41CB80
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 83%
    			E01034E3B() {
    				intOrPtr _v8;
    				intOrPtr _v16;
    				long _v20;
    				intOrPtr _v24;
    				void _v28;
    				void _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				void* __ebx;
    				void* __ecx;
    				signed int _t22;
    				long _t40;
    				intOrPtr _t45;
    				intOrPtr* _t49;
    				intOrPtr* _t57;
    				intOrPtr _t60;
    				intOrPtr* _t62;
    				void* _t67;
    
    				_t44 = _t67;
    				_push(_t45);
    				_push(_t45);
    				_v8 =  *((intOrPtr*)(_t67 + 4));
    				_t22 =  *0x1079058 & 0x000000ff;
    				_v24 = _t45;
    				_push(0);
    				_push(0x1070a70);
    				_v16 = 0;
    				_v20 = 0xc0000001;
    				 *0x1066708 = _t22;
    				L01047FB1();
    				if(_t22 != 0) {
    					_t60 = 1;
    					_v16 = 1;
    				} else {
    					_t48 =  *0x1078df8;
    					if( *0x1078df8 == 0) {
    						_t48 = 0x1078bf0;
    					}
    					_t51 =  *0x1078e00;
    					E01038E9E(_t44, _t48,  *0x1078e00, 0);
    					 *0x1066714 = 0;
    					 *0x1066770 = 0;
    					 *0x106670c = 1;
    					 *0x1066704 = 1;
    					 *0x105e0d4 = 1;
    					_t49 = 0x24;
    					 *0x106676c = 0;
    					 *0x1066768 = 0;
    					 *0x1066710 =  *0x10667bc;
    					_t62 = E0103DCD0(_t49);
    					if(_t62 == 0) {
    						L14:
    						E01059922();
    						__imp__longjmp(0x1070a30, 1);
    						goto L15;
    					} else {
    						 *_t62 = 0;
    						 *((intOrPtr*)(_t62 + 0x1c)) = 0;
    						_t49 = 0x24;
    						_v36 = _t62;
    						 *((intOrPtr*)(_t62 + 0x20)) = 0;
    						_t57 = E0103DCD0(_t49);
    						if(_t57 == 0) {
    							goto L14;
    						} else {
    							 *_t57 = 0;
    							 *((intOrPtr*)(_t57 + 0x1c)) = 0;
    							_v40 = _t57;
    							 *((intOrPtr*)(_t57 + 0x20)) = 0;
    							E01035B93(_v24, _t62, _t57);
    							_t40 = NtQueryInformationProcess(0xffffffff, 0x27,  &_v32, 4, 0);
    							_v20 = _t40;
    							if(_t40 >= 0) {
    								_v28 = 2;
    								NtSetInformationProcess(0xffffffff, 0x27,  &_v28, 4);
    							}
    							_t51 = _t57;
    							_t49 = _t62;
    							if( *0x1066704 == 4) {
    								L15:
    								L01058CCB(_t49, _t51);
    								_t60 = _v16;
    							} else {
    								_t60 = E01043EB3(_t49, _t51);
    								_v16 = _t60;
    							}
    						}
    					}
    					E01039ABF(0x1078e30, 0x104, L"%9d",  *0x1066714);
    					E010363BD(_t49, 0x2336, 1, 0x1078e30);
    					 *0x1066708 =  *0x1079058 & 0x000000ff;
    				}
    				if(_v20 >= 0) {
    					NtSetInformationProcess(0xffffffff, 0x27,  &_v32, 4);
    				}
    				return _t60;
    			}

    APIs
    • _setjmp3.MSVCRT ref: 01034E78
      • Part of subcall function 01038E9E: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,01078BF0,00000000,?), ref: 01038EC3
      • Part of subcall function 0103DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0103ACD8,00000001,?,00000000,01038C23,-00000105,0105C9B0,00000240,01041E92,00000000,00000000,0104ACE0,00000000), ref: 0103DCE1
      • Part of subcall function 0103DCD0: RtlAllocateHeap.NTDLL(00000000,?,0103ACD8,00000001,?,00000000,01038C23,-00000105,0105C9B0,00000240,01041E92,00000000,00000000,0104ACE0,00000000,00000000), ref: 0103DCE8
    • NtQueryInformationProcess.NTDLL(000000FF,00000027,?,00000004,00000000), ref: 01034F28
    • NtSetInformationProcess.NTDLL(000000FF,00000027,?,00000004), ref: 01034F46
    • NtSetInformationProcess.NTDLL(000000FF,00000027,?,00000004), ref: 01034FAE
    • longjmp.MSVCRT(01070A30,00000001,00000000), ref: 010491C8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: Process$Information$Heap$AllocateCurrentDirectoryQuery_setjmp3longjmp
    • String ID: %9d
    • API String ID: 1152428509-2241623522
    • Opcode ID: 073c3ed9250bbc8622388c2662ba198b3ba4e16df1469c1e6b62c0aff18150f6
    • Instruction ID: a09ae0367effcce323f042a9836790a1b2331b2dfd13a4f80b6e2361432c2b0c
    • Opcode Fuzzy Hash: 073c3ed9250bbc8622388c2662ba198b3ba4e16df1469c1e6b62c0aff18150f6
    • Instruction Fuzzy Hash: E741E9B0D00301EFD720DF59D849A6ABBF8FB84710F14412EE6D4E7294E7BA5900CB91
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 62%
    			E01037A34(intOrPtr __ecx, signed int __edx) {
    				intOrPtr _v8;
    				signed int _v16;
    				int _v28;
    				char _v32;
    				int _v36;
    				void _v556;
    				int _v564;
    				char _v568;
    				void* _v572;
    				void _v1092;
    				char _v1093;
    				signed int _v1094;
    				signed int* _v1100;
    				int _v1104;
    				signed int _v1108;
    				intOrPtr _v1112;
    				char _v1116;
    				intOrPtr _v1120;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				signed int _t105;
    				void* _t124;
    				signed int _t125;
    				intOrPtr _t129;
    				intOrPtr _t133;
    				void* _t137;
    				intOrPtr _t138;
    				intOrPtr _t140;
    				intOrPtr* _t147;
    				intOrPtr _t148;
    				signed int _t154;
    				signed int _t156;
    				intOrPtr _t161;
    				int _t162;
    				void* _t169;
    				void* _t170;
    				intOrPtr* _t174;
    				intOrPtr* _t178;
    				intOrPtr* _t187;
    				signed int _t196;
    				intOrPtr _t199;
    				void* _t200;
    				signed int _t201;
    				void* _t202;
    				signed int* _t203;
    				signed int _t204;
    				signed int* _t206;
    				int _t207;
    				void* _t208;
    				signed int* _t209;
    				signed int _t210;
    				signed int _t211;
    				signed int _t212;
    				signed int _t218;
    
    				_t195 = __edx;
    				_t156 = _t218;
    				_push(__ecx);
    				_push(__ecx);
    				_v8 =  *((intOrPtr*)(_t156 + 4));
    				_t216 = (_t218 & 0xfffffff8) + 4;
    				_t105 =  *0x105e0b4; // 0x6030efd1
    				_v16 = _t105 ^ (_t218 & 0xfffffff8) + 0x00000004;
    				_v1093 = __edx;
    				_t206 =  *(_t156 + 0xc);
    				_v1116 = 1;
    				_t199 = __ecx;
    				_v32 = 1;
    				_v1120 = __ecx;
    				_v28 = 0x104;
    				_v1104 = 0;
    				 *0x10667a8 = 0;
    				_v36 = 0;
    				memset( &_v556, 0, 0x104);
    				_v568 = 1;
    				_v564 = 0x104;
    				_v572 = 0;
    				memset( &_v1092, 0, 0x104);
    				_t160 =  &_v556;
    				if(E0103E3F0(0x7fe9) < 0) {
    					L74:
    					_t207 = 0;
    					if(_v1093 == 0) {
    						L14:
    						_t161 = _v572;
    						if(_t161 != 0) {
    							__imp__??_V@YAXPAX@Z(_t161);
    						}
    						_t162 = _v36;
    						_v36 = _t207;
    						if(_t162 != 0) {
    							__imp__??_V@YAXPAX@Z(_t162);
    						}
    						_pop(_t200);
    						_pop(_t208);
    						return E01046B30(_v1116, _t156, _v16 ^ _t216, _t195, _t200, _t208);
    					}
    					_push(0);
    					_push(0x2374);
    					L13:
    					E010378E4(_t160);
    					goto L14;
    				}
    				_t160 =  &_v1092;
    				if(E0103E3F0(0x7fe9) < 0) {
    					goto L74;
    				}
    				_t169 = 0x30;
    				_t160 = E0103DCD0(_t169);
    				_v1108 = _t160;
    				if(_t160 == 0) {
    					L73:
    					E01059922();
    					__imp__longjmp(0x1070a30, 1);
    					goto L74;
    				}
    				 *_t206 = _t160;
    				 *_t160 = 0;
    				_t209 = _t199 + 0x4c;
    				 *((intOrPtr*)(_t160 + 4)) = 0;
    				 *((intOrPtr*)(_t160 + 8)) = 1;
    				_v1112 = 1;
    				_v1100 = _t209;
    				if( *((intOrPtr*)(_t199 + 0x48)) < 1) {
    					L41:
    					_t207 = 0;
    					_v1116 = 0;
    					goto L14;
    				} else {
    					goto L4;
    				}
    				do {
    					L4:
    					_t201 =  *_t209;
    					_t196 = _t201;
    					_t170 = _t196 + 2;
    					do {
    						_t124 =  *_t196;
    						_t196 = _t196 + 2;
    					} while (_t124 != _v1104);
    					_t195 = _t196 - _t170 >> 1;
    					_t125 = E010423F0(_t201, _t196 - _t170 >> 1);
    					_v1094 = _t125;
    					if(_t125 != 0) {
    						L8:
    						_t209[2] = _t125;
    						if( *((char*)(_t156 + 8)) != 0) {
    							_t195 = _t125;
    							_t154 = E0103780A(_t201, _t125);
    							E0103DC60(_t201);
    							_t201 = _t154;
    						}
    						_t207 = 0;
    						_t160 = _t201;
    						 *0x10667a8 = 0;
    						_t202 = E0103802C(_t156, _t201, _t201);
    						if(_t202 != 1) {
    							_t172 =  *0x1078df8;
    							if( *0x1078df8 == 0) {
    								_t172 = 0x1078bf0;
    							}
    							E0103A641(_t172);
    							E01036468();
    							_t174 = _v36;
    							if(_t174 == 0) {
    								_t174 =  &_v556;
    							}
    							_t195 = _t174 + 2;
    							do {
    								_t129 =  *_t174;
    								_t174 = _t174 + 2;
    							} while (_t129 != _t207);
    							_t160 = _t174 - _t195 >> 1;
    							_t210 = _t160;
    							if(_t210 <= 3) {
    								L27:
    								if(_t210 + 1 > 0x7fe7) {
    									_t207 = 0;
    									if(_v1093 == 0) {
    										goto L14;
    									}
    									_push(0);
    									_push(2);
    									goto L13;
    								}
    								_t131 =  *(_t202 + 0x10);
    								if( *( *(_t202 + 0x10)) == 0) {
    									_t131 = "*";
    								}
    								E0103A641(_t131);
    								_t178 = _v572;
    								if(_t178 == 0) {
    									_t178 =  &_v1092;
    								}
    								_t195 = _t178 + 2;
    								do {
    									_t133 =  *_t178;
    									_t178 = _t178 + 2;
    								} while (_t133 != _v1104);
    								_t160 = _t178 - _t195 >> 1;
    								_t207 = 0;
    								if(_t210 + 1 + (_t178 - _t195 >> 1) > 0x7fe7) {
    									if(_v1093 == 0) {
    										goto L14;
    									}
    									_push(0);
    									_push(0x6f);
    									goto L13;
    								}
    								if( *( *(_t202 + 0x10)) == 0) {
    									L36:
    									_t180 = _v572;
    									if(_v572 == 0) {
    										_t180 =  &_v1092;
    									}
    									_t137 = E0104054B(_t156, _t180, _t202, _t207);
    									_t211 = _v1100;
    									 *_t211 = _t137;
    									_t181 = _v36;
    									if(_v36 == 0) {
    										_t181 =  &_v556;
    									}
    									_t138 = E0104054B(_t156, _t181, _t202, _t211);
    									_t203 = _v1108;
    									 *((intOrPtr*)(_t211 + 4)) = _t138;
    									if(_t203[1] != 0) {
    										__imp___wcsicmp(_t203[1], _t138);
    										if(_t138 == 0) {
    											_t203[2] = _t203[2] + 1;
    											goto L40;
    										}
    										_t160 = 0x30;
    										_t212 = E0103DCD0(_t160);
    										if(_t212 == 0) {
    											goto L73;
    										}
    										 *_t203 = _t212;
    										_t204 = _v1100;
    										_v1108 = _t212;
    										 *((intOrPtr*)(_t212 + 4)) = E0104054B(_t156,  *((intOrPtr*)(_t204 + 4)), _t204, _t212);
    										 *_t212 = 0;
    										 *((char*)(_t212 + 0x10)) =  *((intOrPtr*)(_t204 + 8));
    										 *(_t212 + 0xc) = _t204;
    										 *((intOrPtr*)(_t212 + 8)) = 1;
    										_t211 = _t204;
    									} else {
    										_t203[1] = E0104054B(_t156, _t138, _t203, _t211);
    										_t203[4] =  *((intOrPtr*)(_t211 + 8));
    										_t203[3] = _t211;
    									}
    									goto L40;
    								}
    								_t147 =  *((intOrPtr*)(_t202 + 0x14));
    								if(_t147 == 0 ||  *_t147 == 0) {
    									_t187 = _v572;
    									if(_t187 == 0) {
    										_t187 =  &_v1092;
    									}
    									_t195 = _t187 + 2;
    									do {
    										_t148 =  *_t187;
    										_t187 = _t187 + 2;
    									} while (_t148 != _t207);
    									if((_t187 - _t195 >> 1) + 3 <= 0x7fe7 && _v1094 != 0 &&  *((char*)(_t156 + 8)) != 0) {
    										E0104232C(_t195, L".*");
    									}
    								}
    								goto L36;
    							}
    							if(_v1094 != 0) {
    								_t191 = _v36;
    								if(_v36 == 0) {
    									_t191 =  &_v556;
    								}
    								if( *((short*)(E01044EA8(_t191))) != 0x2e) {
    									goto L25;
    								} else {
    									_t160 = _v36;
    									if(_t160 == 0) {
    										_t160 =  &_v556;
    									}
    									 *((short*)(_t160 + _t210 * 2 - 4)) = 0;
    									goto L27;
    								}
    							}
    							L25:
    							if(_v36 == 0) {
    								_t160 =  &_v556;
    							}
    							 *((short*)(_t160 + _t210 * 2 - 2)) = 0;
    							goto L27;
    						} else {
    							if(_v1093 == 0) {
    								goto L14;
    							}
    							_push(0);
    							_push( *0x10667a8);
    							goto L13;
    						}
    					}
    					_t160 =  *0x10667a8;
    					if(_t160 != 0) {
    						_t207 = 0;
    						if(_v1093 == 0) {
    							goto L14;
    						}
    						_push(0);
    						_push(_t160);
    						goto L13;
    					}
    					goto L8;
    					L40:
    					_t140 = _v1112 + 1;
    					_t209 =  *(_t211 + 0xc);
    					_v1112 = _t140;
    					_v1100 = _t209;
    				} while (_t140 <=  *((intOrPtr*)(_v1120 + 0x48)));
    				goto L41;
    			}

    APIs
    • memset.MSVCRT ref: 01037A9C
    • memset.MSVCRT ref: 01037AC7
      • Part of subcall function 0103E3F0: memset.MSVCRT ref: 0103E455
      • Part of subcall function 0103DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0103ACD8,00000001,?,00000000,01038C23,-00000105,0105C9B0,00000240,01041E92,00000000,00000000,0104ACE0,00000000), ref: 0103DCE1
      • Part of subcall function 0103DCD0: RtlAllocateHeap.NTDLL(00000000,?,0103ACD8,00000001,?,00000000,01038C23,-00000105,0105C9B0,00000240,01041E92,00000000,00000000,0104ACE0,00000000,00000000), ref: 0103DCE8
    • ??_V@YAXPAX@Z.MSVCRT ref: 01037BCA
    • ??_V@YAXPAX@Z.MSVCRT ref: 01037BDC
    • longjmp.MSVCRT(01070A30,00000001,00007FE9,00007FE9,?,?,?,?,00000000,?), ref: 0104AE5B
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: memset$Heap$AllocateProcesslongjmp
    • String ID:
    • API String ID: 1548198433-0
    • Opcode ID: 6a49e1b441a3b7560e736595cc0688100058dd509ea555fb8b1c1a704da74300
    • Instruction ID: 2cf90809a00347c63e2070da858dbd3b194e9a194b778acee1ecfa907b2cf279
    • Opcode Fuzzy Hash: 6a49e1b441a3b7560e736595cc0688100058dd509ea555fb8b1c1a704da74300
    • Instruction Fuzzy Hash: 76D1E5F0A002159BDB79DF28C8847AEBBB5BF44300F4441EDD6CAA7281D771AE80CB95
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 88%
    			E01036E57(void* __ebx, intOrPtr __ecx, intOrPtr* __edx, signed int _a4, intOrPtr* _a8) {
    				signed int _v8;
    				void* _v560;
    				char _v604;
    				signed int _v608;
    				intOrPtr _v612;
    				intOrPtr _v616;
    				char _v620;
    				intOrPtr* _v624;
    				signed int _v628;
    				intOrPtr* _v632;
    				signed int _v636;
    				signed int _v640;
    				intOrPtr _v644;
    				intOrPtr _v648;
    				void* _v652;
    				void* __edi;
    				void* __esi;
    				signed int _t89;
    				intOrPtr _t96;
    				signed int _t105;
    				signed int _t108;
    				intOrPtr _t109;
    				intOrPtr _t110;
    				void* _t111;
    				signed short _t113;
    				signed int _t114;
    				char _t124;
    				signed int _t126;
    				signed int _t129;
    				intOrPtr _t131;
    				intOrPtr _t132;
    				intOrPtr _t136;
    				signed int _t140;
    				signed int _t141;
    				signed int _t142;
    				signed int _t143;
    				intOrPtr _t146;
    				signed int _t148;
    				signed int _t150;
    				intOrPtr* _t156;
    				void* _t157;
    				void* _t162;
    				intOrPtr* _t174;
    				signed int _t175;
    				signed short _t178;
    				void* _t184;
    				intOrPtr* _t187;
    				char* _t195;
    				char* _t196;
    				signed int _t208;
    				void* _t209;
    				intOrPtr* _t211;
    				void* _t217;
    				intOrPtr _t218;
    				signed int _t220;
    				signed int _t221;
    				signed int _t224;
    				signed int _t225;
    				void* _t226;
    				void _t229;
    				void* _t230;
    				void* _t233;
    				intOrPtr* _t234;
    				signed int _t236;
    				intOrPtr* _t237;
    				void* _t238;
    				void* _t239;
    				signed int _t242;
    				signed int _t246;
    				signed int _t248;
    
    				_t248 = (_t246 & 0xfffffff8) - 0x28c;
    				_t89 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t89 ^ _t248;
    				_push(__ebx);
    				_t156 = _a8;
    				_v632 = __edx;
    				_t208 = 0;
    				_v636 = _a4;
    				_t92 = 0;
    				_t229 = 0;
    				_v648 = __ecx;
    				_v644 = 1;
    				_v628 = 0;
    				_v640 = 0;
    				if( *_t156 == 0) {
    					L12:
    					_pop(_t230);
    					_pop(_t233);
    					_pop(_t157);
    					return E01046B30(_t92, _t157, _v8 ^ _t248, _t208, _t230, _t233);
    				} else {
    					while( *0x1066744 == 0) {
    						E01042040(_t92);
    						if( *0x106259c != 0) {
    							E010598B5(_t156, _t229);
    							_t208 = 0;
    						}
    						_t234 = _t156;
    						_t10 = _t234 + 2; // 0x2
    						_t162 = _t10;
    						do {
    							_t96 =  *_t234;
    							_t234 = _t234 + 2;
    						} while (_t96 != _t208);
    						_t236 = _t234 - _t162 >> 1;
    						_t209 = 0x2a;
    						_v608 = _t236;
    						if(E0103A62F(_t156, _t209) != 0) {
    							L14:
    							_v616 = E0103ACB0(E01040060(_t156, _t229));
    							asm("sbb eax, eax");
    							_v612 = ( ~( *(_v648 + 0x48) & 2) & 0x00001010) + 0x25;
    							_t105 = E0104589A(E010459D0, _t99, ( ~( *(_v648 + 0x48) & 2) & 0x00001010) + 0x25, 0,  &_v604,  &_v620);
    							__eflags = _t105;
    							if(_t105 == 0) {
    								L38:
    								_t92 = E0103DC60(_v616);
    								_t208 = 0;
    								goto L10;
    							} else {
    								_t237 = _v632;
    								 *_t237 = _v616;
    								E01038F21(_t237);
    								_t108 =  *(_t237 + 0xc);
    								_t211 =  *_t237;
    								__eflags = _t108;
    								if(_t108 == 0) {
    									_t109 = 0;
    								} else {
    									_t150 = _t108 - _t211;
    									__eflags = _t150;
    									_t109 = 2 + (_t150 >> 1) * 2;
    								}
    								_t174 = _t211;
    								_v616 = _t109;
    								_t238 = _t174 + 2;
    								do {
    									_t110 =  *_t174;
    									_t174 = _t174 + 2;
    									__eflags = _t110 - _v620;
    								} while (_t110 != _v620);
    								_t175 = _t174 - _t238;
    								__eflags = _t175;
    								if(_t175 == 0) {
    									L71:
    									_t111 = E01059922();
    									__imp__longjmp(0x1070a30, 1);
    									asm("int3");
    									E010421D2(_t111,  *0x10625a8);
    									_t239 =  *0x10665dc;
    									do {
    										_t113 = E01041E70(__eflags, 0);
    										__eflags = _t113;
    									} while (__eflags == 0);
    									exit(_t239);
    									asm("int3");
    									__eflags = _t113 - 0x7a;
    									if(_t113 > 0x7a) {
    										_t178 = _t113;
    									} else {
    										_t178 = _t113 + 0xffffffe0 & 0x0000ffff;
    									}
    									_t114 =  *0x1078df8;
    									__eflags = _t114;
    									if(_t114 == 0) {
    										_t114 = 0x1078bf0;
    									}
    									__eflags =  *_t114 - _t178;
    									if( *_t114 != _t178) {
    										E01059A7D((_t178 & 0x0000ffff) - 0x40, _t211);
    										_t229 =  *_t239;
    									}
    									__eflags = 1;
    									E01038BC7(_t156, _t229, 1, _t229, _t239, 1);
    									RtlFreeHeap(GetProcessHeap(), 0,  *_t239);
    									E010372EE( *((intOrPtr*)(_t239 + 4)));
    									E010372C6( *((intOrPtr*)(_t239 + 4)));
    									 *0x1066755 =  *((intOrPtr*)(_t239 + 8));
    									 *0x1066754 =  *((intOrPtr*)(_t239 + 9));
    									_t124 = RtlFreeHeap(GetProcessHeap(), 0, _t239);
    									return _t124;
    								} else {
    									_t184 = _t211 + 2;
    									__eflags = 0;
    									do {
    										_t126 =  *_t211;
    										_t211 = _t211 + 2;
    										__eflags = _t126;
    									} while (_t126 != 0);
    									_v644 = _t211 + 1;
    									_t242 = E0103DCD0(_t211 + 1 + _t211 + 1);
    									__eflags = _t242;
    									if(_t242 == 0) {
    										goto L71;
    									} else {
    										_t129 = E0103F3A0(_t242, _v644,  *_v624);
    										do {
    											E01042040(_t129);
    											_t187 = _t248 + 0x6c;
    											_t217 = _t187 + 2;
    											do {
    												_t131 =  *_t187;
    												_t187 = _t187 + 2;
    												__eflags = _t131 - _v620;
    											} while (_t131 != _v620);
    											_t218 = _v644;
    											_t132 = (_t187 - _t217 >> 1) + _t218;
    											__eflags = _t218 - _t132;
    											if(_t218 >= _t132) {
    												L31:
    												 *((short*)(_v616 + _t242)) = 0;
    												E0103FC40(_t242, _t218, _t248 + 0x6c);
    												_t136 = _v644;
    												__eflags =  *(_t136 + 0x48) & 0x00000002;
    												if(( *(_t136 + 0x48) & 0x00000002) != 0) {
    													__eflags =  *(_t248 + 0x40) & 0x00000010;
    													if(( *(_t248 + 0x40) & 0x00000010) != 0) {
    														_t195 = ".";
    														_t140 = _t248 + 0x6c;
    														while(1) {
    															_t220 =  *_t140;
    															__eflags = _t220 -  *_t195;
    															if(_t220 !=  *_t195) {
    																break;
    															}
    															__eflags = _t220;
    															if(_t220 == 0) {
    																L56:
    																_t141 = 0;
    															} else {
    																_t225 =  *((intOrPtr*)(_t140 + 2));
    																_t85 =  &(_t195[2]); // 0x750000
    																__eflags = _t225 -  *_t85;
    																if(_t225 !=  *_t85) {
    																	break;
    																} else {
    																	_t140 = _t140 + 4;
    																	_t195 =  &(_t195[4]);
    																	__eflags = _t225;
    																	if(_t225 != 0) {
    																		continue;
    																	} else {
    																		goto L56;
    																	}
    																}
    															}
    															L58:
    															__eflags = _t141;
    															if(_t141 != 0) {
    																_t196 = L"..";
    																_t142 = _t248 + 0x6c;
    																while(1) {
    																	_t221 =  *_t142;
    																	__eflags = _t221 -  *_t196;
    																	if(_t221 !=  *_t196) {
    																		break;
    																	}
    																	__eflags = _t221;
    																	if(_t221 == 0) {
    																		L64:
    																		_t143 = 0;
    																	} else {
    																		_t224 =  *((intOrPtr*)(_t142 + 2));
    																		_t88 =  &(_t196[2]); // 0x2e
    																		__eflags = _t224 -  *_t88;
    																		if(_t224 !=  *_t88) {
    																			break;
    																		} else {
    																			_t142 = _t142 + 4;
    																			_t196 =  &(_t196[4]);
    																			__eflags = _t224;
    																			if(_t224 != 0) {
    																				continue;
    																			} else {
    																				goto L64;
    																			}
    																		}
    																	}
    																	L66:
    																	__eflags = _t143;
    																	if(_t143 != 0) {
    																		goto L32;
    																	}
    																	goto L33;
    																}
    																asm("sbb eax, eax");
    																_t143 = _t142 | 0x00000001;
    																__eflags = _t143;
    																goto L66;
    															}
    															goto L33;
    														}
    														asm("sbb eax, eax");
    														_t141 = _t140 | 0x00000001;
    														__eflags = _t141;
    														goto L58;
    													}
    												} else {
    													L32:
    													 *( *0x106673c + _v628 * 4) = _t242;
    													_t146 = E01040BBB(_t156,  *((intOrPtr*)(_v640 + 0x40)), _v636, _t229);
    													__eflags = 0;
    													_v632 = _t146;
    													_v636 = 0;
    													 *((intOrPtr*)( *0x106673c + _v628 * 4)) = 0;
    												}
    												L33:
    												__eflags =  *0x106259c;
    												if( *0x106259c != 0) {
    													E010598B5(_t156, _t229);
    												}
    												_t129 = E01045851(E010459D0, _t248 + 0x44, _v604, _v612);
    												__eflags = _t129;
    												if(_t129 != 0) {
    													goto L68;
    												} else {
    													L35:
    													__eflags = _t229;
    													if(_t229 != 0) {
    														E0104198F(_t229, _t229);
    													} else {
    														_t229 =  *0x1066778;
    													}
    													E01038B4D(_v612);
    													_t236 =  *(_t248 + 0x3c);
    													goto L38;
    												}
    											} else {
    												_v644 = _t132;
    												_t211 = _t132 + _t132;
    												__eflags = _t242;
    												if(_t242 == 0) {
    													_t148 = E0103DCD0(_t211);
    													goto L29;
    												} else {
    													_t148 = E0103DD20(_t242, _t211);
    													__eflags = _t148;
    													if(_t148 == 0) {
    														E0103DC60(_t242);
    														goto L71;
    													} else {
    														L29:
    														_t242 = _t148;
    														__eflags = _t242;
    														if(_t242 == 0) {
    															goto L71;
    														} else {
    															_t218 = _v644;
    															goto L31;
    														}
    													}
    												}
    											}
    											goto L78;
    											L68:
    											__eflags =  *0x1066744;
    										} while ( *0x1066744 == 0);
    										goto L35;
    									}
    								}
    							}
    						} else {
    							_t226 = 0x3f;
    							if(E0103A62F(_t156, _t226) != 0) {
    								goto L14;
    							} else {
    								 *((intOrPtr*)( *0x106673c + _v636 * 4)) = _t156;
    								_v640 = E01040BBB(_t156,  *((intOrPtr*)(_v648 + 0x40)), _v644, _t229);
    								if(_t229 != 0) {
    									_t92 = E0104198F(_t229, _t229);
    								} else {
    									_t229 =  *0x1066778;
    								}
    								_t208 = 0;
    								_v644 = 0;
    								L10:
    								_t156 = _t156 + _t236 * 2 + 2;
    								if( *_t156 != _t208) {
    									continue;
    								} else {
    									break;
    								}
    							}
    						}
    						goto L78;
    					}
    					_t92 = _v640;
    					goto L12;
    				}
    				L78:
    			}

    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeave
    • String ID:
    • API String ID: 3168844106-0
    • Opcode ID: d26c4c4b489a4d3ad449c83bcebf3ed4f95d2963139641af1844adf15104c012
    • Instruction ID: bda40d40363bc34fafbe0c1df0ee468c352e4926788d8b52216033e39a5894f5
    • Opcode Fuzzy Hash: d26c4c4b489a4d3ad449c83bcebf3ed4f95d2963139641af1844adf15104c012
    • Instruction Fuzzy Hash: 7AC1F3B5604202CFD725EF28C880A6AB7E6FFD8300F44896DE9C687355EB36D945CB81
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E01040740(void* __eflags, WCHAR* _a4) {
    				signed int _v8;
    				char _v72;
    				long _v76;
    				wchar_t** _v80;
    				LPWSTR* _v84;
    				long _v88;
    				WCHAR* _v92;
    				LPWSTR* _v96;
    				intOrPtr _v100;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				signed int _t80;
    				wchar_t** _t82;
    				WCHAR* _t83;
    				WCHAR* _t85;
    				WCHAR* _t86;
    				intOrPtr _t98;
    				short _t100;
    				LPWSTR* _t108;
    				signed int _t114;
    				long _t117;
    				signed int _t119;
    				WCHAR* _t122;
    				signed short* _t124;
    				short _t127;
    				WCHAR* _t128;
    				WCHAR* _t133;
    				short* _t134;
    				signed int _t135;
    				void* _t139;
    				WCHAR* _t142;
    				void* _t143;
    				void* _t144;
    				WCHAR* _t145;
    				long _t149;
    				WCHAR* _t150;
    				intOrPtr _t156;
    				WCHAR* _t173;
    				short* _t180;
    				signed int _t182;
    				WCHAR* _t183;
    				WCHAR* _t185;
    				signed int _t189;
    				void* _t190;
    				void* _t193;
    
    				_t80 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t80 ^ _t189;
    				_t185 = _a4;
    				_v96 = 0;
    				_t182 = 0;
    				_v84 = 0;
    				 *0x1066738 = 0;
    				_t133 = 1;
    				_t139 = 0x24;
    				_v92 = _t185;
    				_t82 = E0103DCD0(_t139);
    				_v80 = _t82;
    				if(_t82 == 0) {
    					L58:
    					_t83 = _t133;
    					L20:
    					return E01046B30(_t83, _t133, _v8 ^ _t189, _t170, _t182, _t185);
    				}
    				_t142 =  *0x1066740;
    				_v76 = _t142;
    				if(_t142 == 0) {
    					_t143 = 4;
    					_t85 = E0103DCD0(_t143);
    					_t144 = 4;
    					 *0x1066740 = _t85;
    					_t86 = E0103DCD0(_t144);
    					L6:
    					_t145 =  *0x1066740;
    					 *0x106673c = _t86;
    					if(_t145 == 0 || _t86 == 0) {
    						goto L58;
    					} else {
    						_t145[_t182] = _t185[0x22];
    						 *((short*)(_t145 + 2 + _t182 * 2)) = 0;
    						if((_t185[0x24] & 0x00000001) != 0) {
    							_push(0);
    							_v88 = wcstol(E0103BC30(_t185[0x1e], 0), 0, 0);
    							_v76 = wcstol(E0103A7D5(_t90), 0, 0);
    							_t149 = wcstol(E0103A7D5(_t93), 0, 0);
    							_v80 = 0;
    							_t185 = _v92;
    							_t193 = _t190 + 0x24;
    							_t98 = _v88;
    							_v100 = _t149;
    							L26:
    							while(1) {
    								if(_v76 < 0) {
    									if(_t98 < _t149) {
    										L33:
    										_t170 = _v84;
    										L12:
    										_t133 = 0;
    										L13:
    										if(_t182 == 0) {
    											 *0x1066740 = _t133;
    											 *0x106673c = _t133;
    											L19:
    											_t83 = _t170;
    											goto L20;
    										}
    										_t185 =  *0x1066740;
    										if(_t185 == 0) {
    											if( *_t185 == _t133) {
    												L18:
    												 *( *0x106673c + _t182 * 4) = _t133;
    												goto L19;
    											}
    										}
    										_t150 = _t185;
    										_t134 =  &(_t150[1]);
    										do {
    											_t100 =  *_t150;
    											_t150 =  &(_t150[1]);
    										} while (_t100 != _v96);
    										_t133 = 0;
    										 *((short*)(_t185 + (_t150 - _t134 >> 1) * 2 - 2)) = 0;
    										goto L18;
    									}
    									L28:
    									E01042040(_t98);
    									if( *0x106259c != 0) {
    										E010598B5(_t133, _t182);
    									}
    									E01039ABF( &_v72, 0x20, L"%d", _v88);
    									_t193 = _t193 + 0x10;
    									 *( *0x106673c + _t182 * 4) =  &_v72;
    									_t108 = E01040BBB(_t133, _t185[0x20], _t133, _t182);
    									_t133 = 0;
    									_v84 = _t108;
    									_t109 = _v80;
    									 *( *0x106673c + _t182 * 4) = 0;
    									if(_v80 == 0) {
    										_t156 =  *0x1066778;
    									} else {
    										E0104198F(_t109, _t182);
    										_t156 = _v80;
    									}
    									_t98 = _v88 + _v76;
    									_v80 = _t156;
    									_t149 = _v100;
    									_v88 = _t98;
    									continue;
    								}
    								if(_t98 > _t149) {
    									goto L33;
    								}
    								goto L28;
    							}
    						}
    						if((_t185[0x24] & 0x00000008) == 0) {
    							if((_t185[0x24] & 0x00000004) != 0) {
    								_t158 = _t185[0x26];
    								if(_t185[0x26] == 0) {
    									_t158 = L".\\";
    								}
    								_t185 = E01040060(_t158, _t182);
    								_v84 = _t185;
    								_t114 = GetFullPathNameW(_t185, 0, 0, 0);
    								_v76 = _t114;
    								if(_t114 != 0) {
    									_t158 = 2 + _t114 * 2;
    									_t185 = E0103DCD0(2 + _t114 * 2);
    									if(_t185 == 0) {
    										goto L45;
    									}
    									_t117 = GetFullPathNameW(_v84, _v76, _t185, 0);
    									if(_t117 == 0) {
    										L43:
    										_push(_v84);
    										goto L44;
    									}
    									_t158 = _v76;
    									if(_t117 >= _v76) {
    										goto L43;
    									}
    									_t119 =  *_t185 & 0x0000ffff;
    									_t173 = _t185;
    									_t135 = _t119;
    									if(_t119 == 0) {
    										L53:
    										if(_t135 != 0x5c) {
    											E0103FC40(_t185,  &(_t158[1]), "\\");
    										}
    										_push(0);
    										_t122 = E01053E66(_t185, _v92, _v80, _t182, E0103BC30(_v92[0x1e], 0));
    										L11:
    										_t170 = _t122;
    										goto L12;
    									}
    									do {
    										_t124 = _t173;
    										_t173 =  &(_t173[1]);
    									} while ( *_t173 != 0);
    									_t135 =  *_t124 & 0x0000ffff;
    									goto L53;
    								} else {
    									_push(_t185);
    									L44:
    									_push(_t133);
    									_push(0x400023d9);
    									E010378E4(_t158);
    									L45:
    									_t170 = _t133;
    									goto L12;
    								}
    							}
    							_t133 = 0;
    							_push(0);
    							_t170 = E01036E57(0, _t185, _v80, _t182, E0103BC30(_t185[0x1e], 0), _t185[0x1e]);
    							goto L13;
    						}
    						_t122 = E01040BF0(_t185, _t182, _t133);
    						goto L11;
    					}
    				}
    				_t183 = _t142;
    				_t180 =  &(_t183[1]);
    				do {
    					_t127 =  *_t183;
    					_t183 =  &(_t183[1]);
    				} while (_t127 != _v96);
    				_t182 = _t183 - _t180 >> 1;
    				_t128 = E0103DD20(_t142, 4 + _t182 * 2);
    				if(_t128 == 0) {
    					E0103DC60(_v76);
    					_t128 = 0;
    				}
    				 *0x1066740 = _t128;
    				_t170 = 4 + _t182 * 4;
    				_v76 =  *0x106673c;
    				_t86 = E0103DD20( *0x106673c, 4 + _t182 * 4);
    				if(_t86 == 0) {
    					E0103DC60(_v76);
    					_t86 = 0;
    				}
    				goto L6;
    			}

    APIs
      • Part of subcall function 0103DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0103ACD8,00000001,?,00000000,01038C23,-00000105,0105C9B0,00000240,01041E92,00000000,00000000,0104ACE0,00000000), ref: 0103DCE1
      • Part of subcall function 0103DCD0: RtlAllocateHeap.NTDLL(00000000,?,0103ACD8,00000001,?,00000000,01038C23,-00000105,0105C9B0,00000240,01041E92,00000000,00000000,0104ACE0,00000000,00000000), ref: 0103DCE8
    • wcstol.MSVCRT ref: 010408D9
    • wcstol.MSVCRT ref: 010408F3
    • wcstol.MSVCRT ref: 0104090B
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: wcstol$Heap$AllocateProcess
    • String ID:
    • API String ID: 2504042261-0
    • Opcode ID: b53cd024335ee8d32120e59a82f4da483c3024d92adbf351a0886d7ea1d1d5ea
    • Instruction ID: b3a891ee428b1e826f5ee937492ba694d378d6abd695c012fbe8c0b2eacfbbf4
    • Opcode Fuzzy Hash: b53cd024335ee8d32120e59a82f4da483c3024d92adbf351a0886d7ea1d1d5ea
    • Instruction Fuzzy Hash: C8A163B4A002169BEB64DFA9D8945AEB7F5FF84300F04447DEAC5A7348EB759C41C790
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 61%
    			E01036B20(void* __ecx, void* __eflags, intOrPtr _a4) {
    				signed int _v8;
    				intOrPtr _v20;
    				signed int _v28;
    				char _v548;
    				signed int _v552;
    				intOrPtr _v556;
    				intOrPtr* _v560;
    				void** _v564;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				intOrPtr _t60;
    				void** _t61;
    				signed int _t63;
    				signed int _t67;
    				void* _t69;
    				void* _t71;
    				intOrPtr* _t77;
    				signed int _t78;
    				intOrPtr _t91;
    				void* _t101;
    				signed int _t104;
    				long _t114;
    				void* _t116;
    				void* _t118;
    				signed int _t123;
    				signed int _t158;
    				void* _t160;
    				intOrPtr* _t162;
    				void** _t164;
    				void* _t166;
    				signed int _t168;
    				signed int _t169;
    				signed int _t170;
    				void* _t171;
    
    				_t170 = _t169 & 0xfffffff8;
    				_push(__ecx);
    				_t60 = _a4;
    				_t158 =  *(_t60 + 0x38);
    				_t114 =  *((intOrPtr*)(_t60 + 0x3c));
    				_t118 = 0x28;
    				_t61 = E0103DCD0(_t118);
    				_t164 = _t61;
    				if(_t164 == 0) {
    					L37:
    					_t63 = 1;
    					goto L20;
    				} else {
    					__imp___pipe(_t164, 0, 0x8000);
    					_t171 = _t170 + 0xc;
    					if(_t61 != 0) {
    						_push(0);
    						_push(8);
    						E010378E4(_t118);
    						goto L37;
    					} else {
    						E01036443( *_t164);
    						E01036443(_t164[1]);
    						_t67 =  *0x10665e8;
    						_t123 = _t67;
    						 *0x10665e8 = _t67 + 1;
    						if(_t123 != 0) {
    							_t69 =  *0x1066788;
    							 *(_t69 + 0x24) = _t164;
    							_t164[9] = _t164[9] & 0x00000000;
    							_t164[8] = _t69;
    						} else {
    							_t164[8] = _t164[8] & _t123;
    							 *0x106678c = _t164;
    						}
    						_t125 = 1;
    						 *0x1066788 = _t164;
    						_t71 = E0103A1A8(_t164, 1);
    						_t164[3] = _t71;
    						if(_t71 == 0xffffffff) {
    							_t164[3] = _t164[3] | 0xffffffff;
    							goto L40;
    						} else {
    							_t125 = _t164[1];
    							_t150 = 1;
    							if(E0103A1D6(_t164[1], 1) == 0xffffffff) {
    								L40:
    								_push(0);
    								E010378E4(_t125);
    								_t127 = 0x2351;
    								goto L41;
    							} else {
    								E0103A16C(_t164[1]);
    								_t164[1] = _t164[1] & 0x00000000;
    								if( *_t158 <= 0) {
    									E0103E950(_t158,  &_v8);
    								}
    								_t158 = E0103E470(1, _t158);
    								if( *0x10665e4 != 0) {
    									__imp___get_osfhandle(1);
    									DuplicateHandle( *0x10665e4, 0,  *_t164, 0, 0, 0, 0);
    								}
    								_t125 = _t164[3];
    								_t150 = 1;
    								if(E0103A1D6(_t164[3], 1) == 0xffffffff) {
    									goto L40;
    								} else {
    									E0103A16C(_t164[3]);
    									_t127 = 0;
    									_t164[3] = 0;
    									if(_t158 != 0) {
    										L41:
    										E01059922();
    										__imp__longjmp(0x1070a30, 1);
    										asm("int3");
    										while(_t158 == 2) {
    											do {
    												if(_t158 == 2) {
    													_t128 = _v28;
    													if(_v28 == 0) {
    														_t128 =  &_v548;
    													}
    													_t150 = _v20;
    													_t158 = E010434B8(_t128, _v20,  *((intOrPtr*)(_t114 + 4)),  *((intOrPtr*)( *((intOrPtr*)(_t114 + 0xc)))));
    													_v552 = _t158;
    													if(_t158 == 0) {
    														_t92 = _v28;
    														if(_v28 == 0) {
    															_t92 =  &_v548;
    														}
    														E010378E4(_t128, 0x40002712, 1, _t92);
    														_t171 = _t171 + 0xc;
    													}
    												}
    												E0103DC60( *((intOrPtr*)(_t114 + 4)));
    												_t77 =  *((intOrPtr*)(_t114 + 0xc));
    												_t131 = 1;
    												_v560 = _t77;
    												_v556 = 1;
    												if( *((intOrPtr*)(_t114 + 8)) >= 1) {
    													_t162 = _t77;
    													do {
    														E0103DC60( *_t162);
    														E0103DC60( *((intOrPtr*)(_t162 + 4)));
    														_t131 = _t162;
    														E0103DC60(_t162);
    														_t162 =  *((intOrPtr*)(_t162 + 0xc));
    														_t91 = _v556 + 1;
    														_v556 = _t91;
    													} while (_t91 <=  *((intOrPtr*)(_t114 + 8)));
    													_t158 = _v552;
    													_t164 = _v564;
    												}
    												_t114 =  *_t114;
    												if(_t114 != 0) {
    													_t150 = 0;
    													_t127 = _t114;
    													_t158 = E01036488(_t114, 0, _t164[1], _t164[2], ( *_t164 & 0x10 | 0x00000040) >> 4, _t164, _t131, 0, E010438D0, 0);
    													_v552 = _t158;
    													if(_t158 == 1) {
    														_t158 = 1;
    													} else {
    														goto L29;
    													}
    												}
    												L24:
    												_t78 = _v28;
    												_v28 = _v28 & 0x00000000;
    												if(_t78 != 0) {
    													__imp__??_V@YAXPAX@Z(_t78);
    												}
    												_pop(_t160);
    												_pop(_t166);
    												_pop(_t116);
    												return E01046B30(_t158, _t116, _v8 ^ _t168, _t150, _t160, _t166);
    												goto L50;
    												L29:
    											} while (_t158 == 0);
    										}
    										_push(0);
    										_push(_t158);
    										E010378E4(_t127);
    										goto L24;
    									} else {
    										_t164[4] =  *0x10665e4;
    										_t164[6] =  *0x1062598;
    										 *0x10665e4 = 0;
    										 *0x1062598 = 0;
    										_t101 = E0103A1A8( *0x1062598, 0);
    										_t164[2] = _t101;
    										if(_t101 == 0xffffffff) {
    											_t164[2] = _t164[2] | 0xffffffff;
    											goto L40;
    										} else {
    											_t125 =  *_t164;
    											_t150 = 0;
    											if(E0103A1D6( *_t164, 0) == 0xffffffff) {
    												goto L40;
    											} else {
    												E0103A16C( *_t164);
    												 *_t164 =  *_t164 & _t158;
    												if( *_t114 <= _t158) {
    													E0103E950(_t114,  &_v8);
    												}
    												_t104 = E0103E470(1, _t114);
    												_t125 = _t164[2];
    												_t150 = 0;
    												_t158 = _t104;
    												if(E0103A1D6(_t164[2], 0) == 0xffffffff) {
    													goto L40;
    												} else {
    													E0103A16C(_t164[2]);
    													_t127 = 0;
    													_t164[2] = 0;
    													if(_t158 != 0) {
    														goto L41;
    													} else {
    														 *0x10665e8 =  *0x10665e8 - 1;
    														_t164[5] =  *0x10665e4;
    														_t164[7] =  *0x1062598;
    														 *0x10665e4 = 0;
    														 *0x1062598 = 0;
    														if( *0x10665e8 != 0) {
    															_t63 = 0;
    														} else {
    															_t63 = E010363DE();
    														}
    														L20:
    														return _t63;
    													}
    												}
    											}
    										}
    									}
    								}
    							}
    						}
    					}
    				}
    				L50:
    			}

    APIs
      • Part of subcall function 0103DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0103ACD8,00000001,?,00000000,01038C23,-00000105,0105C9B0,00000240,01041E92,00000000,00000000,0104ACE0,00000000), ref: 0103DCE1
      • Part of subcall function 0103DCD0: RtlAllocateHeap.NTDLL(00000000,?,0103ACD8,00000001,?,00000000,01038C23,-00000105,0105C9B0,00000240,01041E92,00000000,00000000,0104ACE0,00000000,00000000), ref: 0103DCE8
    • _pipe.MSVCRT ref: 01036B4F
    • _get_osfhandle.MSVCRT ref: 01036BF7
    • DuplicateHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 01036C05
      • Part of subcall function 0103E950: memset.MSVCRT ref: 0103E9A0
      • Part of subcall function 0103E950: wcschr.MSVCRT ref: 0103E9FC
      • Part of subcall function 0103E950: wcschr.MSVCRT ref: 0103EA14
      • Part of subcall function 0103E950: _wcsicmp.MSVCRT ref: 0103EA80
    • ??_V@YAXPAX@Z.MSVCRT ref: 01036D8F
    • longjmp.MSVCRT(01070A30,00000001), ref: 0104A6D8
      • Part of subcall function 0103A1A8: _dup.MSVCRT ref: 0103A1AF
      • Part of subcall function 0103A1D6: _dup2.MSVCRT ref: 0103A1EA
      • Part of subcall function 0103A16C: _close.MSVCRT ref: 0103A19B
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: Heapwcschr$AllocateDuplicateHandleProcess_close_dup_dup2_get_osfhandle_pipe_wcsicmplongjmpmemset
    • String ID:
    • API String ID: 4244252868-0
    • Opcode ID: 7518056b9cf39ac984f53ed2f67b53335c123acddf5495656d48194ba08f5b7f
    • Instruction ID: f9e8d65a18c9584e469ec6bffe94e7b9f26c8523e0a4dcc800a4fc1b0759079e
    • Opcode Fuzzy Hash: 7518056b9cf39ac984f53ed2f67b53335c123acddf5495656d48194ba08f5b7f
    • Instruction Fuzzy Hash: 6891A071A10201EFDB34EF28D885A6A77E9EBC8320F14456DE5DADB294DB36E941CB40
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 83%
    			E0105A759(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
    				signed int _v8;
    				int _v20;
    				char _v24;
    				int _v28;
    				void _v548;
    				intOrPtr _v552;
    				intOrPtr _v560;
    				union _ULARGE_INTEGER _v564;
    				union _ULARGE_INTEGER _v572;
    				union _ULARGE_INTEGER _v580;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t37;
    				WCHAR* _t53;
    				char _t62;
    				int _t68;
    				WCHAR* _t73;
    				void* _t81;
    				void* _t82;
    				void* _t83;
    				signed int _t84;
    
    				_t80 = __edx;
    				_t37 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t37 ^ _t84;
    				_t83 = __edx;
    				_v552 = _a8;
    				_t82 = __ecx;
    				E01034A9F(__ecx);
    				_v28 = 0;
    				_v20 = 0x104;
    				_t62 = 1;
    				_v24 = 1;
    				memset( &_v548, 0, 0x104);
    				if(E0103E3F0(((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) >= 0) {
    					E0103A641(_t83);
    					_t53 = _v28;
    					_t73 = _t53;
    					if(_t53 == 0) {
    						_t73 =  &_v548;
    					}
    					if( *_t73 != 0 && _t73[1] == 0x3a && _t73[2] == 0) {
    						E0104232C(_t80, "\\");
    						_t53 = _v28;
    					}
    					_v560 = 0;
    					_v564.LowPart = 0;
    					if(_t53 == 0) {
    						_t53 =  &_v548;
    					}
    					GetDiskFreeSpaceExW(_t53,  &_v564,  &_v580,  &_v572);
    					_t81 = 6;
    					E010580B1(_t82, _t81);
    					_t56 = _v28;
    					if(_v28 == 0) {
    						_t56 =  &_v548;
    					}
    					_t80 =  &_v564;
    					E0105B325(_a4,  &_v564, 0xe, _t56, _v20);
    					_t83 = _v28;
    					if(_t83 == 0) {
    						_t83 =  &_v548;
    					}
    					E01039ABF(0x1078e30, 0x104, L"%5lu", _v552);
    					_push(_t83);
    					_t62 = E0105832A(0x1078e30, _t80, _t82, 0x2379, 2, 0x1078e30);
    				}
    				_t68 = _v28;
    				_v28 = _v28 & 0x00000000;
    				if(_t68 != 0) {
    					__imp__??_V@YAXPAX@Z(_t68);
    				}
    				return E01046B30(_t62, _t62, _v8 ^ _t84, _t80, _t82, _t83);
    			}

    APIs
    • memset.MSVCRT ref: 0105A79F
      • Part of subcall function 0103E3F0: memset.MSVCRT ref: 0103E455
    • GetDiskFreeSpaceExW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,?,-00000105,?,?,?), ref: 0105A83C
    • ??_V@YAXPAX@Z.MSVCRT ref: 0105A8B5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: memset$DiskFreeSpace
    • String ID: %5lu
    • API String ID: 2448137811-2100233843
    • Opcode ID: 50285a88ab85a6391c16c4b8e79837a65fce74ead0d3faf413bb4425a5f62af3
    • Instruction ID: 71a7b940531a37e59bc82bce5d089b19b4acb6de0ff0bc9d570abc91209bcb54
    • Opcode Fuzzy Hash: 50285a88ab85a6391c16c4b8e79837a65fce74ead0d3faf413bb4425a5f62af3
    • Instruction Fuzzy Hash: 6641C471A00219ABDB64DBA4DCC5BFFB7B8EF08304F0441A9E945A7141E7749E85CB90
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E01046B40(struct _EXCEPTION_POINTERS* _a4) {
    
    				SetUnhandledExceptionFilter(0);
    				UnhandledExceptionFilter(_a4);
    				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
    			}

    APIs
    • SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,01046C76,01031000), ref: 01046B47
    • UnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(01046C76,?,01046C76,01031000), ref: 01046B50
    • GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(C0000409,?,01046C76,01031000), ref: 01046B5B
    • TerminateProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,01046C76,01031000), ref: 01046B62
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
    • String ID:
    • API String ID: 3231755760-0
    • Opcode ID: 62c4ea90de55f4ee6134fe1fbf69ec9d4d30c19f15d8a9a1b270c19f9afb8621
    • Instruction ID: 2167408eacd46d4633a412e70f6c6c3154efd3ecd09e029a4ba1f5d95914f805
    • Opcode Fuzzy Hash: 62c4ea90de55f4ee6134fe1fbf69ec9d4d30c19f15d8a9a1b270c19f9afb8621
    • Instruction Fuzzy Hash: FAD01272A40208FBCB212BE5E80CA4D3F28EB44352F084400F34DE3015DB3F44028BA5
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 94%
    			E01053E66(short* __ecx, long __edx, intOrPtr _a4, intOrPtr _a8, signed short* _a12) {
    				signed int _v8;
    				void* _v564;
    				struct _WIN32_FIND_DATAW _v608;
    				intOrPtr _v612;
    				signed int _v616;
    				signed int _v620;
    				void* _v624;
    				short* _v628;
    				signed int _v632;
    				intOrPtr _v636;
    				intOrPtr* _v640;
    				intOrPtr _v644;
    				signed int _v652;
    				void* _v656;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				signed int _t65;
    				intOrPtr _t68;
    				signed int _t69;
    				signed int _t71;
    				intOrPtr _t84;
    				WCHAR* _t87;
    				signed int _t96;
    				signed int _t97;
    				signed int _t98;
    				signed int _t99;
    				short _t100;
    				intOrPtr _t101;
    				WCHAR* _t107;
    				signed short* _t119;
    				void* _t120;
    				short* _t121;
    				short* _t123;
    				signed int _t124;
    				signed int _t125;
    				void* _t129;
    				signed short* _t130;
    				intOrPtr* _t137;
    				WCHAR* _t142;
    				char* _t146;
    				char* _t147;
    				short* _t148;
    				intOrPtr* _t149;
    				WCHAR* _t157;
    				intOrPtr* _t162;
    				WCHAR* _t168;
    				signed int _t170;
    				void* _t177;
    				signed short* _t178;
    				short* _t179;
    				signed int _t180;
    				void* _t181;
    				signed int _t183;
    				signed int _t185;
    				void* _t186;
    				WCHAR* _t189;
    				intOrPtr* _t191;
    				signed int _t192;
    				signed int _t194;
    
    				_t194 = (_t192 & 0xfffffff8) - 0x274;
    				_t65 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t65 ^ _t194;
    				_v608.dwFileAttributes = __edx;
    				_t162 = __ecx;
    				_t119 = _a12;
    				_v612 = _a4;
    				_v628 = __ecx;
    				_t7 = _t162 + 2; // 0x2
    				_t129 = _t7;
    				_v616 = _t119;
    				_t185 = 0;
    				do {
    					_t68 =  *_t162;
    					_t162 = _t162 + 2;
    				} while (_t68 != 0);
    				_t130 = _t119;
    				_t164 = _t162 - _t129 >> 1;
    				if( *_t119 == 0) {
    					L53:
    					_t69 = 0;
    				} else {
    					do {
    						_t178 = _t130;
    						do {
    							_t71 =  *_t130 & 0x0000ffff;
    							_t130 =  &(_t130[1]);
    						} while (_t71 != 0);
    						_t185 = _t185 + (_t130 - _t178 >> 1) + _t164;
    					} while ( *_t130 != 0);
    					if(0 == _t185) {
    						goto L53;
    					} else {
    						_t9 = _t185 + 1; // 0x1
    						_t187 = _t9 & 0x0000ffff;
    						_v624 = _t9 & 0x0000ffff;
    						_t179 = E0103DCD0(_t187 + _t187);
    						if(_t179 == 0) {
    							L52:
    							_t69 = 1;
    						} else {
    							_t134 = 0;
    							_v632 = _t119;
    							_t121 = _t179;
    							if( *_v616 != 0) {
    								do {
    									E0103F3A0(_t121, _t187 - (_t121 - _t179 >> 1), _v628);
    									E0103FC40(_t121, _t187 - (_t121 - _t179 >> 1), _v636);
    									_t191 = E0103A7D5(_v640);
    									_t134 = _t121;
    									_v640 = _t191;
    									_t121 = E0103A7D5(_t121);
    									_t187 = _v632;
    								} while ( *_t191 != 0);
    							}
    							 *_t121 = 0;
    							_v644 = E01036E57(_t121, _v608.dwFileAttributes, _v612, _a8, _t179, _t134);
    							E0103DC60(_t179);
    							_t122 = _v640;
    							_t137 = _v640;
    							_t24 = _t137 + 2; // 0x2
    							_t164 = _t24;
    							do {
    								_t84 =  *_t137;
    								_t137 = _t137 + 2;
    							} while (_t84 != 0);
    							_t25 = (_t137 - _t164 >> 1) + 2; // 0x0
    							_t180 = _t25;
    							_v620 = _t180;
    							_t189 = E0103DCD0(_t180 + _t180);
    							if(_t189 == 0) {
    								goto L52;
    							} else {
    								E0103F3A0(_t189, _t180, _t122);
    								_t87 = _t189;
    								_t142 = _t189;
    								if( *_t189 != 0) {
    									do {
    										_t142 = _t87;
    										_t87 =  &(_t87[1]);
    									} while ( *_t87 != 0);
    								}
    								_t28 =  &(_t142[1]); // 0x2
    								_t164 = _t180;
    								_v628 = _t28;
    								E0103FC40(_t189, _t180, "*");
    								_t123 = FindFirstFileW(_t189,  &_v608);
    								_v628 = _t123;
    								 *_v632 = 0;
    								if(_t123 == 0xffffffff) {
    									_t124 = _v632;
    								} else {
    									do {
    										if(( *(_t194 + 0x28) & 0x00000010) == 0) {
    											L45:
    											_t124 = _v632;
    											goto L46;
    										} else {
    											_t146 = ".";
    											_t96 = _t194 + 0x54;
    											while(1) {
    												_t164 =  *_t96;
    												if(_t164 !=  *_t146) {
    													break;
    												}
    												if(_t164 == 0) {
    													L22:
    													_t125 = 0;
    													_t97 = 0;
    												} else {
    													_t164 =  *((intOrPtr*)(_t96 + 2));
    													_t38 =  &(_t146[2]); // 0x750000
    													if(_t164 !=  *_t38) {
    														break;
    													} else {
    														_t96 = _t96 + 4;
    														_t146 =  &(_t146[4]);
    														if(_t164 != 0) {
    															continue;
    														} else {
    															goto L22;
    														}
    													}
    												}
    												L24:
    												if(_t97 == 0) {
    													goto L45;
    												} else {
    													_t147 = L"..";
    													_t98 = _t194 + 0x54;
    													while(1) {
    														_t164 =  *_t98;
    														if(_t164 !=  *_t147) {
    															break;
    														}
    														if(_t164 == 0) {
    															L30:
    															_t99 = _t125;
    														} else {
    															_t164 =  *((intOrPtr*)(_t98 + 2));
    															_t41 =  &(_t147[2]); // 0x2e
    															if(_t164 !=  *_t41) {
    																break;
    															} else {
    																_t98 = _t98 + 4;
    																_t147 =  &(_t147[4]);
    																if(_t164 != 0) {
    																	continue;
    																} else {
    																	goto L30;
    																}
    															}
    														}
    														L32:
    														if(_t99 == 0) {
    															goto L45;
    														} else {
    															_t168 = _t189;
    															_t42 =  &(_t168[1]); // 0x2
    															_t148 = _t42;
    															do {
    																_t100 =  *_t168;
    																_t168 =  &(_t168[1]);
    															} while (_t100 != _t125);
    															_t149 = _t194 + 0x54;
    															_t170 = _t168 - _t148 >> 1;
    															_t181 = _t149 + 2;
    															do {
    																_t101 =  *_t149;
    																_t149 = _t149 + 2;
    															} while (_t101 != _t125);
    															_t45 = _t170 + 2; // 0x0
    															_t183 = _t45 + (_t149 - _t181 >> 1);
    															if(_t183 <= _v620) {
    																_t183 = _v620;
    																goto L44;
    															} else {
    																_t164 = _t183 + _t183;
    																_t107 = E0103DD20(_t189, _t183 + _t183);
    																if(_t107 == 0) {
    																	_t124 = 1;
    																} else {
    																	_t189 = _t107;
    																	_v620 = _t183;
    																	_t157 = _t107;
    																	while( *_t107 != _t125) {
    																		_t157 = _t107;
    																		_t107 =  &(_t107[1]);
    																	}
    																	_t49 =  &(_t157[1]); // 0x2
    																	_v628 = _t49;
    																	L44:
    																	E0103FC40(_t189, _t183, _t194 + 0x54);
    																	E0103FC40(_t189, _t183, "\\");
    																	_t164 = _v616;
    																	_t124 = E01053E66(_t189, _v616, _v620, _a8, _v624);
    																	_v652 = _t124;
    																	 *((short*)( *((intOrPtr*)(_t194 + 0x10)))) = 0;
    																	goto L46;
    																}
    															}
    														}
    														goto L49;
    													}
    													asm("sbb eax, eax");
    													_t99 = _t98 | 0x00000001;
    													goto L32;
    												}
    												goto L49;
    											}
    											asm("sbb eax, eax");
    											_t97 = _t96 | 0x00000001;
    											_t125 = 0;
    											goto L24;
    										}
    										L49:
    										FindClose(_v624);
    										goto L51;
    										L46:
    									} while (FindNextFileW(_v624, _t194 + 0x28) != 0);
    									goto L49;
    								}
    								L51:
    								E0103DC60(_t189);
    								_t69 = _t124;
    							}
    						}
    					}
    				}
    				_pop(_t177);
    				_pop(_t186);
    				_pop(_t120);
    				return E01046B30(_t69, _t120, _v8 ^ _t194, _t164, _t177, _t186);
    			}

    APIs
    • FindFirstFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,01032670,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 01053FE8
    • FindNextFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000010), ref: 01054145
    • FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 0105415C
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: Find$File$CloseFirstNext
    • String ID:
    • API String ID: 3541575487-0
    • Opcode ID: f1221497bfee1e90f3569340e626868d2172fca970f1a905177f9b3f0a9127e9
    • Instruction ID: f169f653f2e7f27a3e2e1b2c231bfcd3ee7388ba49732efdc998ebb7c7582947
    • Opcode Fuzzy Hash: f1221497bfee1e90f3569340e626868d2172fca970f1a905177f9b3f0a9127e9
    • Instruction Fuzzy Hash: B391D0317042028B8BA5DF28C8405ABB7E6EFE8340B55896DEDC6C7250EB31D986CB81
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 33%
    			E010374B1(signed int __edx) {
    				signed int _v8;
    				short _v24;
    				short _v26;
    				short _v28;
    				signed short _v29;
    				signed int _v36;
    				signed int _v40;
    				signed short* _v44;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				signed int _t77;
    				short _t79;
    				signed short* _t81;
    				signed int _t82;
    				signed int _t83;
    				signed int _t84;
    				signed int _t86;
    				signed int _t87;
    				signed int _t89;
    				signed int _t93;
    				void* _t95;
    				signed int _t97;
    				intOrPtr _t101;
    				signed int _t104;
    				signed short _t114;
    				signed short _t119;
    				void* _t121;
    				void* _t126;
    				signed int _t129;
    				signed int _t130;
    				signed int _t132;
    				void* _t135;
    				void* _t137;
    				signed int _t138;
    				signed int _t140;
    				short _t141;
    				signed int _t144;
    				void* _t145;
    				signed short* _t147;
    				void* _t151;
    				void* _t154;
    				void* _t155;
    				signed int _t156;
    				signed int _t160;
    				intOrPtr _t162;
    				void* _t173;
    				signed short* _t179;
    				void* _t180;
    				signed short* _t185;
    				signed int _t190;
    				signed short* _t198;
    				void* _t199;
    				void* _t200;
    				signed int* _t203;
    				void* _t204;
    				signed int _t206;
    				signed int* _t208;
    				signed int _t209;
    				signed int _t211;
    				signed int _t214;
    
    				_t211 = _t214;
    				_t77 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t77 ^ _t211;
    				_t79 = 0x2f;
    				_t203 = __edx;
    				_v28 = _t79;
    				_v36 = __edx;
    				_push(2);
    				_v26 = 0;
    				_t81 = E0103BC30(_t151,  &_v28);
    				_t193 = 0;
    				_t144 = __edx + 0x4c;
    				_t198 = _t81;
    				_v40 = _t144;
    				if( *((intOrPtr*)(__edx + 0x48)) != 0) {
    					_t82 =  *(_t144 + 0xc);
    					__eflags = _t82;
    					if(__eflags != 0) {
    						do {
    							_t209 = _t82;
    							_v40 = _t209;
    							_t82 =  *(_t209 + 0xc);
    							__eflags = _t82;
    						} while (__eflags != 0);
    						_t203 = _v36;
    						_t144 = _v40;
    					}
    				}
    				_t83 =  *_t198 & 0x0000ffff;
    				if(_t83 == 0) {
    					L19:
    					_t84 = 0;
    					__eflags = 0;
    					goto L20;
    				} else {
    					while(1) {
    						_t154 = 0x2f;
    						_v29 = _t193;
    						if(_t83 != _t154) {
    							goto L17;
    						}
    						_t10 =  &(_t198[2]); // 0x4
    						_t179 = _t10;
    						_t114 = _t193;
    						_v44 = _t179;
    						_v36 = _t114;
    						if( *_t179 == 0x2d) {
    							_v29 = 1;
    							_t114 = 1;
    							_v36 = 1;
    						}
    						_t147 =  &(_t198[(_t114 & 0x0000ffff) + 2]);
    						_t119 = towupper( *_t147 & 0x0000ffff);
    						_pop(_t180);
    						_t121 = (_t119 & 0x0000ffff) - 0x3f;
    						if(_t121 == 0) {
    							E01059A0E(_t193, __eflags);
    							__eflags = 0;
    							_push(0);
    							_push(0x2381);
    							E010363BD(_t180);
    							 *0x107905b = 0;
    							 *0x107950c = 0;
    							goto L68;
    						} else {
    							_t126 = _t121;
    							if(_t126 == 0) {
    								__eflags = _v29;
    								if(_v29 == 0) {
    									_t193 = _t203;
    									_t129 = E0105A37A( &(_t198[(_v36 & 0x0000ffff) + 3]), _t203);
    									__eflags = _t129;
    									if(_t129 != 0) {
    										goto L68;
    									} else {
    										__eflags = _t203[2] & 0x00000001;
    										if((_t203[2] & 0x00000001) != 0) {
    											 *_t203 =  *_t203 | 0x00001000;
    										}
    										goto L14;
    									}
    								} else {
    									_t185 =  &(_t147[1]);
    									_t193 = 0;
    									__eflags = 0;
    									do {
    										_t130 =  *_t147;
    										_t147 =  &(_t147[1]);
    										__eflags = _t130;
    									} while (_t130 != 0);
    									__eflags = _t147 - _t185 >> 1 - 1;
    									if(_t147 - _t185 >> 1 > 1) {
    										_t186 = _v36;
    										goto L65;
    									} else {
    										_t203[1] = 6;
    										_t203[2] = 0;
    										goto L14;
    									}
    								}
    							} else {
    								_t135 = _t126 - 5;
    								if(_t135 == 0) {
    									__eflags = _v29;
    									if(_v29 != 0) {
    										 *_t203 =  *_t203 ^ 0x00001000;
    									} else {
    										 *_t203 =  *_t203 | 0x00001000;
    										__eflags =  *_t203;
    									}
    									L13:
    									_t186 = _v36;
    									_t193 = 0;
    									if( *((intOrPtr*)(_t198 + 6 + (_t186 & 0x0000ffff) * 2)) != 0) {
    										L65:
    										_t132 = (_t186 & 0x0000ffff) + 2;
    										__eflags = _t132;
    										_push( &(_t198[_t132]));
    										_push(1);
    										_push(0x2376);
    										goto L66;
    									} else {
    										L14:
    										_t198 = _v44;
    										_t144 = _v40;
    										L15:
    										_t198 = E0103A7D5(_t198);
    										_t83 =  *_t198 & 0x0000ffff;
    										if(_t83 == 0) {
    											goto L19;
    										} else {
    											_t193 = 0;
    											continue;
    										}
    									}
    								} else {
    									_t137 = _t135 - 0xa;
    									if(_t137 == 0) {
    										__eflags = _v29;
    										if(_v29 == 0) {
    											 *_t203 =  *_t203 | 0x00000800;
    										} else {
    											 *_t203 =  *_t203 ^ 0x00000800;
    										}
    										goto L13;
    									} else {
    										_t138 = _t137 - 1;
    										if(_t138 != 0) {
    											_t140 = _t138;
    											__eflags = _t140;
    											if(_t140 != 0) {
    												_t141 = 0x2f;
    												_v28 = _t141;
    												_v24 = 0;
    												_t190 = (_v36 & 0x0000ffff) + 2;
    												_v26 = _t198[2];
    												_t186 =  &(_t198[_t190]);
    												_push( &(_t198[_t190]));
    												_push(1);
    												_push(0x2375);
    												L66:
    												E010378E4(_t186);
    												L68:
    												_t84 = 1;
    												L20:
    												_pop(_t199);
    												_pop(_t204);
    												__eflags = _v8 ^ _t211;
    												_pop(_t145);
    												return E01046B30(_t84, _t145, _v8 ^ _t211, _t193, _t199, _t204);
    											} else {
    												__eflags = _v29 - _t140;
    												if(_v29 != _t140) {
    													 *_t203 =  *_t203 ^ 0x00000010;
    												} else {
    													 *_t203 =  *_t203 | 0x00000010;
    												}
    												goto L13;
    											}
    										} else {
    											if(_v29 != _t138) {
    												 *_t203 =  *_t203 ^ 0x00002000;
    											} else {
    												 *_t203 =  *_t203 | 0x00002000;
    											}
    											goto L13;
    										}
    									}
    								}
    							}
    						}
    						goto L77;
    						L17:
    						_t86 = _t203[0x12];
    						__eflags = _t86;
    						if(_t86 != 0) {
    							_t155 = 0x10;
    							_t87 = E0103DCD0(_t155);
    							__eflags = _t87;
    							if(_t87 == 0) {
    								E01059922();
    								__imp__longjmp(0x1070a30, 1);
    								asm("int3");
    								_t156 = 0x1078bf0;
    								__eflags = 0;
    								do {
    									_t89 =  *_t156;
    									_t156 = _t156 + 2;
    									__eflags = _t89;
    								} while (_t89 != 0);
    								_t200 = (_t156 - 0x1078bf2 >> 1) + 1;
    								_t206 = HeapAlloc(GetProcessHeap(), 8, 0xc);
    								__eflags = _t206;
    								if(_t206 == 0) {
    									L76:
    									_t93 = 1;
    								} else {
    									_t95 = HeapAlloc(GetProcessHeap(), 8, _t200 + _t200);
    									 *_t206 = _t95;
    									__eflags = _t95;
    									if(_t95 == 0) {
    										goto L76;
    									} else {
    										_t160 =  *0x1078df8;
    										__eflags = _t160;
    										if(_t160 == 0) {
    											_t160 = 0x1078bf0;
    										}
    										E0103F3A0(_t95, _t200, _t160);
    										_t97 = E01038B96(_t95);
    										 *(_t206 + 4) = _t97;
    										__eflags = _t97;
    										if(_t97 == 0) {
    											goto L76;
    										} else {
    											_t162 =  *0x1066748;
    											 *((char*)(_t206 + 8)) =  *0x1066755;
    											 *((char*)(_t206 + 9)) =  *0x1066754;
    											 *(_t162 + 0x90 +  *(_t162 + 0x14) * 4) = _t206;
    											_t101 =  *0x1066778;
    											 *(_t162 + 0x14) =  *(_t162 + 0x14) + 1;
    											 *((intOrPtr*)(_t162 + 0xc)) = _t101;
    											__eflags =  *((intOrPtr*)(_t162 + 0x10)) - _t101;
    											if( *((intOrPtr*)(_t162 + 0x10)) < _t101) {
    												 *((intOrPtr*)(_t162 + 0x10)) = _t101;
    											}
    											_push(0);
    											_t208 = E0103BC30( *((intOrPtr*)( *((intOrPtr*)(_t144 + 8)) + 0x3c)), 0);
    											_t104 = 0;
    											 *0x10665dc = 0;
    											while(1) {
    												__eflags =  *_t208 - _t104;
    												if( *_t208 == _t104) {
    													break;
    												}
    												__imp___wcsicmp(_t208, L"ENABLEEXTENSIONS");
    												__eflags = _t104;
    												if(_t104 != 0) {
    													__imp___wcsicmp(_t208, L"DISABLEEXTENSIONS");
    													__eflags = _t104;
    													if(_t104 == 0) {
    														 *0x1066755 = 0;
    														goto L37;
    													} else {
    														__imp___wcsicmp(_t208, L"ENABLEDELAYEDEXPANSION");
    														__eflags = _t104;
    														if(_t104 != 0) {
    															__imp___wcsicmp(L"DISABLEDELAYEDEXPANSION");
    															_t173 = _t208;
    															__eflags = _t104;
    															if(_t104 != 0) {
    																__eflags =  *_t208;
    																if( *_t208 == 0) {
    																	goto L37;
    																} else {
    																	_push(0);
    																	_push(0x400023a6);
    																	E010378E4(_t173);
    																	_t93 = 1;
    																	 *0x10665dc = 1;
    																}
    															} else {
    																 *0x1066754 = _t104;
    																goto L37;
    															}
    														} else {
    															 *0x1066754 = 1;
    															goto L37;
    														}
    													}
    												} else {
    													 *0x1066755 = 1;
    													L37:
    													_t208 = E0103A7D5(_t208);
    													_t104 = 0;
    													__eflags = 0;
    													continue;
    												}
    												goto L42;
    											}
    											_t93 = 0;
    											__eflags = 0;
    										}
    									}
    								}
    								L42:
    								return _t93;
    							} else {
    								 *(_t144 + 0xc) = _t87;
    								_t193 = 0;
    								_t144 = _t87;
    								 *((intOrPtr*)(_t87 + 0xc)) = 0;
    								_t86 = _t203[0x12];
    								_v40 = _t144;
    								goto L18;
    							}
    						} else {
    							L18:
    							_t203[0x12] = _t86 + 1;
    							 *_t144 = E0104054B(_t144, E01040060(_t198, _t198), _t198, _t203);
    							 *((char*)(_t144 + 8)) = 1;
    							goto L15;
    						}
    						goto L77;
    					}
    				}
    				L77:
    			}
    0x010376bf
    0x01037697
    0x0103776f
    0x01037777
    0x0104a9c6
    0x0104a9c6
    0x0104a9c9
    0x0104a9cb
    0x0104a9cd
    0x0104a9d0
    0x0104a9d3
    0x00000000
    0x0104a9d3
    0x010375c3
    0x010375c3
    0x010375c6
    0x010375d5
    0x010375d7
    0x00000000
    0x010375d7
    0x00000000
    0x010375bd
    0x01037501
    0x00000000

    APIs
      • Part of subcall function 0103BC30: wcschr.MSVCRT ref: 0103BCA7
      • Part of subcall function 0103BC30: iswspace.MSVCRT ref: 0103BD1D
      • Part of subcall function 0103BC30: wcschr.MSVCRT ref: 0103BD39
      • Part of subcall function 0103BC30: wcschr.MSVCRT ref: 0103BD5D
    • towupper.MSVCRT ref: 01037532
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: wcschr$iswspacetowupper
    • String ID:
    • API String ID: 1352934581-0
    • Opcode ID: 8b8b403097983d6ea6d6905ad811719065b8f58c6a1d460c020f4ac6fa1bd122
    • Instruction ID: 30cd67f3003106faa9d2039f0c1747e42e6ac500e45be8e548e042a973dd3c0d
    • Opcode Fuzzy Hash: 8b8b403097983d6ea6d6905ad811719065b8f58c6a1d460c020f4ac6fa1bd122
    • Instruction Fuzzy Hash: B371C1B4A04256DBEB69CF6884857BEBBF5FB88300F14446ED5C2D7281E7B49980C761
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 38%
    			E01044823(void* __ecx) {
    				signed int _v8;
    				void* _v116;
    				intOrPtr _v120;
    				char _v124;
    				signed char _v128;
    				void _v132;
    				void* _v140;
    				void* __edi;
    				void* __esi;
    				signed int _t11;
    				signed int _t18;
    				void* _t19;
    				void* _t23;
    				void* _t24;
    				signed int _t27;
    
    				_t11 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t11 ^ _t27;
    				_t24 = __ecx;
    				_t26 = 1;
    				if(NtQueryVolumeInformationFile(__ecx,  &_v140,  &_v132, 8, 4) >= 0) {
    					if((_v128 & 0x00000010) != 0) {
    						_t18 =  &_v124;
    						__imp__GetFileInformationByHandleEx(_t24, 0xd, _t18, 0x74);
    						if(_t18 != 0 && _v120 == 0x20000) {
    							asm("sbb eax, eax");
    							_t26 = 1 & _t18;
    						}
    					} else {
    						_t26 = 0;
    					}
    				}
    				return E01046B30(_t26, _t19, _v8 ^ _t27, _t23, _t24, _t26);
    			}


    APIs
    • NtQueryVolumeInformationFile.NTDLL(000000FF,?,?,00000008,00000004), ref: 0104484F
    • GetFileInformationByHandleEx.API-MS-WIN-CORE-FILE-L2-1-0(000000FF,0000000D,?,00000074), ref: 01050993
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: FileInformation$HandleQueryVolume
    • String ID:
    • API String ID: 2149833895-0
    • Opcode ID: 7ffefd8ebd256b4555a6077b84513ab12634418d2be74bbc4695938c94d3dd8c
    • Instruction ID: e39b8505cd68f65218c989713e86356ad6ec9e40a3e70f975affcaf16a53900f
    • Opcode Fuzzy Hash: 7ffefd8ebd256b4555a6077b84513ab12634418d2be74bbc4695938c94d3dd8c
    • Instruction Fuzzy Hash: 5B01D871B002189BE7708A669845FAE7AFCAB44714F01407DE980E3081DB749945CB91
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 60%
    			E01039144(void* __ecx, signed int __edx, signed int _a8) {
    				signed int _v8;
    				short _v24;
    				short _v26;
    				short _v28;
    				signed int _v32;
    				signed int _v36;
    				int _v40;
    				signed short* _v44;
    				short _v76;
    				short _v332;
    				signed short _v334;
    				signed short _v336;
    				signed int _v338;
    				signed int _v340;
    				struct _SYSTEMTIME _v348;
    				signed int _v352;
    				void* _v356;
    				signed int _v360;
    				signed int _v364;
    				struct _FILETIME _v372;
    				struct _FILETIME _v380;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				signed int _t145;
    				short _t147;
    				signed short* _t149;
    				signed int _t150;
    				signed int _t151;
    				void* _t152;
    				signed int _t154;
    				int _t155;
    				char* _t164;
    				void* _t170;
    				intOrPtr _t173;
    				signed int _t174;
    				signed int _t177;
    				signed short _t178;
    				signed int _t183;
    				intOrPtr* _t186;
    				signed int _t187;
    				signed int _t190;
    				signed int _t197;
    				signed int _t198;
    				signed int _t204;
    				signed short* _t209;
    				signed int _t210;
    				signed int _t213;
    				signed int _t214;
    				signed int _t215;
    				signed int _t219;
    				signed int _t222;
    				signed int _t223;
    				signed int _t224;
    				signed int _t225;
    				signed int _t228;
    				signed int _t230;
    				short _t232;
    				signed int _t238;
    				signed int _t239;
    				signed int _t240;
    				signed int _t243;
    				signed int _t244;
    				signed int _t247;
    				signed int _t248;
    				void* _t249;
    				void* _t252;
    				void* _t254;
    				signed int _t257;
    				int _t259;
    				void* _t266;
    				intOrPtr* _t267;
    				signed int _t268;
    				void* _t270;
    				void* _t273;
    				signed int _t275;
    				intOrPtr* _t276;
    				signed int _t277;
    				signed int _t280;
    				signed int _t281;
    				signed int _t290;
    				void* _t292;
    				signed int _t297;
    				signed int _t298;
    				intOrPtr* _t308;
    				signed int _t309;
    				signed int _t310;
    				signed int _t311;
    				void* _t312;
    				signed int _t314;
    				void* _t316;
    				signed short* _t317;
    				int _t318;
    				void* _t319;
    				signed int _t320;
    				signed int _t321;
    				signed int _t322;
    				signed int _t323;
    				signed int _t325;
    				void* _t326;
    				void* _t335;
    				void* _t336;
    
    				_t145 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t145 ^ _t325;
    				_t147 = 0x2f;
    				_v28 = _t147;
    				_t321 = __edx;
    				_t305 =  &_v28;
    				_push(2);
    				_v26 = 0;
    				_t149 = E0103BC30(__ecx,  &_v28);
    				_t259 = __edx + 0x4c;
    				_t317 = _t149;
    				_v40 = _t259;
    				_v32 = _t317;
    				if( *((intOrPtr*)(__edx + 0x48)) != 0) {
    					_t150 =  *(_t259 + 0xc);
    					__eflags = _t150;
    					if(_t150 != 0) {
    						do {
    							_t320 = _t150;
    							_v40 = _t320;
    							_t150 =  *(_t320 + 0xc);
    							__eflags = _t150;
    						} while (_t150 != 0);
    						_t317 = _v32;
    						_t259 = _v40;
    					}
    					L157:
    				}
    				 *((intOrPtr*)(_t321 + 0xc)) = 0;
    				while(1) {
    					_t151 =  *_t317 & 0x0000ffff;
    					if(_t151 == 0) {
    						_t152 = 0;
    						__eflags = 0;
    						break;
    					}
    					_t305 = 0x2d;
    					_t266 = 0x2f;
    					if(_t151 != _t266) {
    						_t154 =  *(_t321 + 0x48);
    						__eflags = _t154;
    						if(_t154 != 0) {
    							_t267 = 0x10;
    							_t155 = E0103DCD0(_t267);
    							__eflags = _t155;
    							if(_t155 == 0) {
    								E01059922();
    								__imp__longjmp(0x1070a30, 1);
    								asm("int3");
    								E010548D7(_t267,  &_v372);
    								FileTimeToLocalFileTime( &_v372,  &_v380);
    								FileTimeToSystemTime( &_v380,  &_v348);
    								__eflags = _t317 - 1;
    								if(_t317 != 1) {
    									_t317 = 0;
    									__eflags =  *0x1066755;
    									_t259 = 2;
    									if( *0x1066755 == 0) {
    										_t164 = "a";
    										_t268 = _v340 & 0x0000ffff;
    										__eflags =  *0x105e0c4 - _t317; // 0xffffffff
    										if(__eflags == 0) {
    											_t164 = " ";
    										} else {
    											_t310 = 0xc;
    											__eflags = _t268 - _t310;
    											if(__eflags < 0) {
    												__eflags = _t268;
    												if(_t268 == 0) {
    													_t268 = _t310;
    												}
    											} else {
    												if(__eflags > 0) {
    													__eflags = _t268;
    												}
    												_t164 = "p";
    											}
    										}
    										_push(_t164);
    										_push(_v338 & 0x0000ffff);
    										_push(0x106c9e0);
    										E01039ABF( &_v76, 0x20, L"%02d%s%02d%s", _t268);
    									} else {
    										_v352 = 0;
    										_t108 = _t259 + 0x7e; // 0x80
    										_t318 = _t108;
    										_t177 = GetLocaleInfoW(E01038791(), 0x1003,  &_v332, _t318);
    										__eflags = _t177;
    										if(_t177 == 0) {
    											_t280 =  &_v332;
    											_t314 = L"HH:mm:ss t" - _t280;
    											__eflags = _t314;
    											while(1) {
    												_t110 = _t318 + 0x7fffff7e; // 0x7ffffffe
    												__eflags = _t110;
    												if(_t110 == 0) {
    													break;
    												}
    												_t197 =  *(_t314 + _t280) & 0x0000ffff;
    												__eflags = _t197;
    												if(_t197 != 0) {
    													 *_t280 = _t197;
    													_t280 = _t280 + _t259;
    													_t318 = _t318 - 1;
    													__eflags = _t318;
    													if(_t318 != 0) {
    														continue;
    													}
    												}
    												break;
    											}
    											__eflags = _t318;
    											if(_t318 == 0) {
    												_t280 = _t280 - _t259;
    												__eflags = _t280;
    											}
    											__eflags = 0;
    											 *_t280 = 0;
    										}
    										_t178 = _v332;
    										_t319 =  &_v332;
    										__eflags = _t178;
    										if(_t178 != 0) {
    											_t275 = _t178 & 0x0000ffff;
    											__eflags = 0;
    											_v360 = _t275;
    											do {
    												__eflags = _t275 - 0x27;
    												if(_t275 != 0x27) {
    													__eflags = _v352;
    													if(_v352 == 0) {
    														__eflags = _t275 - 0x68;
    														if(_t275 == 0x68) {
    															L129:
    															_t311 = 0;
    															do {
    																_t319 = _t319 + _t259;
    																_t311 = _t311 + 1;
    																__eflags =  *_t319 - _t275;
    															} while ( *_t319 == _t275);
    															_t186 = _t319 +  ~_t311 * 2;
    															_v356 = _t186;
    															_t123 = _t186 + 2; // 0x3
    															_t319 = _t123;
    															__eflags = _t311 - 1;
    															if(_t311 == 1) {
    																_t276 = _t186;
    																_t124 = _t276 + 2; // 0x3
    																_t312 = _t124;
    																do {
    																	_t190 =  *_t276;
    																	_t276 = _t276 + _t259;
    																	__eflags = _t190;
    																} while (_t190 != 0);
    																_t277 = _t276 - _t312;
    																__eflags = _t277;
    																memmove(_t319, _v356, 2 + (_t277 >> 1) * 2);
    																_t326 = _t326 + 0xc;
    																 *_v356 = _v360;
    															}
    														} else {
    															__eflags = _t275 - 0x48;
    															if(_t275 == 0x48) {
    																goto L129;
    															} else {
    																__eflags = _t275 - 0x6d;
    																if(_t275 == 0x6d) {
    																	goto L129;
    																}
    															}
    														}
    													} else {
    														_t319 = _t319 + _t259;
    													}
    												} else {
    													_t319 = _t319 + _t259;
    													__eflags = _v352;
    													_v352 = 0 | _v352 == 0x00000000;
    												}
    												_t319 = _t319 + _t259;
    												_t187 =  *_t319 & 0x0000ffff;
    												_t275 = _t187;
    												_v360 = _t275;
    												__eflags = _t187;
    											} while (_t187 != 0);
    											_t321 = _v364;
    										}
    										_t183 = GetTimeFormatW(E01038791(), _t259,  &_v348,  &_v332,  &_v76, 0x20);
    										__eflags = _t183;
    										if(_t183 == 0) {
    											_v76 = _t183;
    										}
    										_t317 = 0;
    										__eflags = 0;
    									}
    									__eflags = _t321;
    									if(_t321 != 0) {
    										_t307 = _a8;
    										E0103F3A0(_t321, _a8,  &_v76);
    										_t270 = _t321 + 2;
    										do {
    											_t170 =  *_t321;
    											_t321 = _t321 + _t259;
    											__eflags = _t170 - _t317;
    										} while (_t170 != _t317);
    										_t322 = _t321 - _t270;
    										goto L42;
    									} else {
    										_t308 =  &_v76;
    										_t273 = _t308 + 2;
    										do {
    											_t173 =  *_t308;
    											_t308 = _t308 + _t259;
    											__eflags = _t173 - _t317;
    										} while (_t173 != _t317);
    										_t309 = _t308 - _t273;
    										__eflags = _t309;
    										_t307 = _t309 >> 1;
    										_t174 = E0103998D( &_v76, _t309 >> 1);
    										goto L144;
    									}
    								} else {
    									_t198 = _v334 & 0x0000ffff;
    									_t281 = 0xa;
    									_t307 = _t198 % _t281;
    									_push(_t198 / _t281);
    									_push(0x106c9c0);
    									_push(_v336 & 0x0000ffff);
    									_push(0x106c9e0);
    									_push(_v338 & 0x0000ffff);
    									_push(0x106c9e0);
    									_push(_v340 & 0x0000ffff);
    									_push(L"%2d%s%02d%s%02d%s%02d");
    									__eflags = _t321;
    									if(_t321 == 0) {
    										_t174 = E01039950();
    										L144:
    										_t323 = _t174;
    									} else {
    										_push(_a8);
    										_push(_t321);
    										E01039ABF();
    										_t307 = _t321 + 2;
    										__eflags = 0;
    										_t259 = 2;
    										goto L40;
    										L42:
    										_t323 = _t322 >> 1;
    										goto L43;
    										L40:
    										_t204 =  *_t321;
    										_t321 = _t321 + _t259;
    										__eflags = _t204;
    										if(_t204 != 0) {
    											goto L40;
    										} else {
    											_t322 = _t321 - _t307;
    											__eflags = _t322;
    										}
    										goto L42;
    									}
    								}
    								L43:
    								__eflags = _v8 ^ _t325;
    								return E01046B30(_t323, _t259, _v8 ^ _t325, _t307, _t317, _t323);
    							} else {
    								 *(_t259 + 0xc) = _t155;
    								_t259 = _t155;
    								 *((intOrPtr*)(_t155 + 0xc)) = 0;
    								_t154 =  *(_t321 + 0x48);
    								_v40 = _t259;
    								goto L18;
    							}
    						} else {
    							L18:
    							 *(_t321 + 0x48) = _t154 + 1;
    							 *_t259 = E0104054B(_t259, E01040060(_t317, _t317), _t317, _t321);
    							 *((char*)(_t259 + 8)) = 1;
    							goto L16;
    						}
    					} else {
    						_t10 =  &(_t317[2]); // 0x4
    						_t209 = _t10;
    						_v44 = _t209;
    						_t210 =  *_t209 & 0x0000ffff;
    						_v36 = _t210;
    						_t290 = 0 | _t210 == _t305;
    						_v32 = _t290;
    						_t259 =  &(_t317[_t290 + 2]);
    						_t213 = towupper( *_t259 & 0x0000ffff) & 0x0000ffff;
    						_pop(_t292);
    						_t335 = _t213 - 0x4f;
    						if(_t335 > 0) {
    							_t214 = _t213 - 0x50;
    							__eflags = _t214;
    							if(_t214 == 0) {
    								_t293 = _v36;
    								_t259 = 0x2d;
    								__eflags = _t293 - _t259;
    								if(_t293 != _t259) {
    									 *_t321 =  *_t321 | 0x00000008;
    								} else {
    									 *_t321 =  *_t321 ^ 0x00000008;
    								}
    								goto L27;
    							} else {
    								_t222 = _t214 - 1;
    								__eflags = _t222;
    								if(_t222 == 0) {
    									_t293 = _v36;
    									_t259 = 0x2d;
    									__eflags = _t293 - _t259;
    									if(_t293 != _t259) {
    										 *_t321 =  *_t321 | 0x00040000;
    									} else {
    										 *_t321 =  *_t321 ^ 0x00040000;
    									}
    									goto L27;
    								} else {
    									_t223 = _t222 - 1;
    									__eflags = _t223;
    									if(_t223 == 0) {
    										_t293 = _v36;
    										_t259 = 0x2d;
    										__eflags = _t293 - _t259;
    										if(_t293 != _t259) {
    											 *_t321 =  *_t321 | 0x00100000;
    										} else {
    											 *_t321 =  *_t321 ^ 0x00100000;
    										}
    										goto L27;
    									} else {
    										_t224 = _t223 - 1;
    										__eflags = _t224;
    										if(_t224 != 0) {
    											_t225 = _t224 - 1;
    											__eflags = _t225;
    											if(_t225 == 0) {
    												_t259 = 0x2d;
    												__eflags = _v36 - _t259;
    												if(_v36 != _t259) {
    													_t305 = _t321;
    													_t228 = E0105A53D(_t321);
    													goto L33;
    												} else {
    													 *((intOrPtr*)(_t321 + 0x5c)) = 0;
    													goto L15;
    												}
    											} else {
    												_t230 = _t225 - 3;
    												__eflags = _t230;
    												if(_t230 == 0) {
    													_t293 = _v36;
    													_t259 = 0x2d;
    													__eflags = _t293 - _t259;
    													if(_t293 != _t259) {
    														 *_t321 =  *_t321 | 0x00000004;
    													} else {
    														 *_t321 =  *_t321 ^ 0x00000004;
    													}
    													goto L27;
    												} else {
    													__eflags = _t230 != 1;
    													if(_t230 != 1) {
    														_push(0x2d);
    														goto L106;
    													} else {
    														_t238 = _v32;
    														 *_t321 =  *_t321 | 0x00000402;
    														__eflags =  *(_t317 + 6 + _t238 * 2);
    														if( *(_t317 + 6 + _t238 * 2) == 0) {
    															goto L15;
    														} else {
    															_t293 = _v36;
    															goto L82;
    														}
    													}
    												}
    											}
    										} else {
    											_t293 = _v36;
    											_t259 = 0x2d;
    											__eflags = _t293 - _t259;
    											if(_t293 == _t259) {
    												 *_t321 =  *_t321 ^ 0x00000010;
    											} else {
    												 *_t321 =  *_t321 | 0x00000010;
    												__eflags =  *_t321;
    											}
    											goto L27;
    										}
    									}
    								}
    							}
    						} else {
    							_push(0x2d);
    							if(_t335 == 0) {
    								_t239 = _v36;
    								_t297 =  *_t321;
    								_pop(_t316);
    								__eflags = _t239 - _t316;
    								if(_t239 == _t316) {
    									_t298 = _t297 ^ 0x00004000;
    								} else {
    									_t298 = _t297 | 0x00004000;
    									__eflags = _t298;
    								}
    								 *_t321 = _t298;
    								__eflags = _t239 - _t316;
    								if(_t239 == _t316) {
    									_t293 = _t259 + 2;
    									_t305 = 0;
    									__eflags = 0;
    									do {
    										_t240 =  *_t259;
    										_t259 = _t259 + 2;
    										__eflags = _t240;
    									} while (_t240 != 0);
    									_t259 = _t259 - _t293 >> 1;
    									__eflags = _t259 - 1;
    									if(_t259 > 1) {
    										goto L104;
    									} else {
    										 *((intOrPtr*)(_t321 + 0xc)) = 0;
    										 *((intOrPtr*)(_t321 + 0x14)) = 0;
    										goto L15;
    									}
    								} else {
    									_t305 = _t321;
    									__eflags = _v32 + 3;
    									_t228 = E0104669F( &(_t317[_v32 + 3]), _t321);
    									goto L33;
    								}
    							} else {
    								_t336 = _t213 - 0x43;
    								if(_t336 > 0) {
    									_t243 = _t213 - 0x44;
    									__eflags = _t243;
    									if(_t243 == 0) {
    										_t293 = _v36;
    										_pop(_t259);
    										__eflags = _t293 - _t259;
    										if(_t293 != _t259) {
    											 *_t321 =  *_t321 | 0x00000200;
    										} else {
    											 *_t321 =  *_t321 ^ 0x00000200;
    										}
    										goto L27;
    									} else {
    										_t244 = _t243 - 8;
    										__eflags = _t244;
    										if(_t244 == 0) {
    											_t293 = _v36;
    											_pop(_t259);
    											__eflags = _t293 - _t259;
    											if(_t293 != _t259) {
    												 *_t321 =  *_t321 | 0x00000080;
    											} else {
    												 *_t321 =  *_t321 ^ 0x00000080;
    											}
    											goto L27;
    										} else {
    											__eflags = _t244 != 0;
    											if(_t244 != 0) {
    												L106:
    												_pop(_t305);
    												goto L107;
    											} else {
    												_t293 = _v36;
    												_pop(_t259);
    												__eflags = _t293 - _t259;
    												if(_t293 != _t259) {
    													 *_t321 =  *_t321 | 0x00000002;
    												} else {
    													 *_t321 =  *_t321 | 0x00020000;
    												}
    												goto L27;
    											}
    										}
    									}
    								} else {
    									if(_t336 == 0) {
    										_t293 = _v36;
    										_t247 =  *_t321;
    										_pop(_t259);
    										__eflags = _t293 - _t259;
    										if(_t293 != _t259) {
    											_t248 = _t247 | 0x00008000;
    											__eflags = _t248;
    										} else {
    											_t248 = _t247 ^ 0x00008000;
    										}
    										 *_t321 = _t248;
    										L27:
    										_t215 = _v32;
    										_t305 = 0;
    										__eflags =  *(_t317 + 6 + _t215 * 2);
    										if( *(_t317 + 6 + _t215 * 2) == 0) {
    											goto L15;
    										} else {
    											goto L83;
    										}
    									} else {
    										_pop(_t305);
    										_t249 = _t213 - _t305;
    										if(_t249 == 0) {
    											_push(0);
    											_push(0x2382);
    											E010363BD(_t292);
    											goto L34;
    										} else {
    											_t252 = _t249 - 7;
    											if(_t252 == 0) {
    												_t293 = _v36;
    												__eflags = _t293 - _t305;
    												if(_t293 != _t305) {
    													 *_t321 =  *_t321 | 0x00080000;
    												} else {
    													 *_t321 =  *_t321 ^ 0x00080000;
    												}
    												goto L14;
    											} else {
    												_t254 = _t252 - 0xd;
    												if(_t254 == 0) {
    													__eflags = _v36 - _t305;
    													if(_v36 != _t305) {
    														_t305 = _t321;
    														_t228 = E0105A37A( &(_t317[_v32 + 3]), _t321);
    														L33:
    														__eflags = _t228;
    														if(_t228 == 0) {
    															goto L15;
    														} else {
    															goto L34;
    														}
    													} else {
    														_t293 = _t259 + 2;
    														_t305 = 0;
    														__eflags = 0;
    														do {
    															_t257 =  *_t259;
    															_t259 = _t259 + 2;
    															__eflags = _t257;
    														} while (_t257 != 0);
    														_t259 = _t259 - _t293 >> 1;
    														__eflags = _t259 - 1;
    														if(_t259 > 1) {
    															L104:
    															_t95 =  &(_t317[3]); // 0x6
    															_t219 = _t95;
    															goto L84;
    														} else {
    															 *((intOrPtr*)(_t321 + 4)) = 6;
    															 *((intOrPtr*)(_t321 + 8)) = 0;
    															goto L15;
    														}
    													}
    												} else {
    													if(_t254 != 1) {
    														L107:
    														_t293 = _v36;
    														_t232 = 0x2f;
    														_v28 = _t232;
    														_v26 = _t317[2];
    														__eflags = _v36 - _t305;
    														_v24 = 0;
    														_push(4 + (0 | _v36 == _t305) * 2 + _t317);
    														_push(1);
    														_push(0x2375);
    														goto L85;
    													} else {
    														_t293 = _v36;
    														if(_t293 == _t305) {
    															 *_t321 =  *_t321 ^ 0x00000040;
    														} else {
    															 *_t321 =  *_t321 | 0x00000040;
    														}
    														L14:
    														_t305 = 0;
    														if( *((intOrPtr*)(_t317 + 6 + _v32 * 2)) != 0) {
    															L82:
    															_t259 = 0x2d;
    															L83:
    															__eflags = _t293 - _t259;
    															_t219 = 4 + (0 | _t293 == _t259) * 2 + _t317;
    															__eflags = _t219;
    															L84:
    															_push(_t219);
    															_push(1);
    															_push(0x2376);
    															L85:
    															E010378E4(_t293);
    															L34:
    															_t152 = 1;
    															break;
    														} else {
    															L15:
    															_t317 = _v44;
    															_t259 = _v40;
    															L16:
    															_t317 = E0103A7D5(_t317);
    															continue;
    														}
    													}
    												}
    											}
    										}
    									}
    								}
    							}
    						}
    					}
    					goto L157;
    				}
    				__eflags = _v8 ^ _t325;
    				return E01046B30(_t152, _t259, _v8 ^ _t325, _t305, _t317, _t321);
    				goto L157;
    			}

    0x0104baa6
    0x0104ba9e
    0x0104ba9e
    0x0104ba9e
    0x00000000
    0x0104ba48
    0x0104ba48
    0x0104ba4b
    0x0104bb72
    0x00000000
    0x0104ba51
    0x0104ba51
    0x0104ba56
    0x0104ba5c
    0x0104ba61
    0x00000000
    0x0104ba67
    0x0104ba67
    0x00000000
    0x0104ba67
    0x0104ba61
    0x0104ba4b
    0x0104ba46
    0x010392a4
    0x010392a4
    0x010392a9
    0x010392aa
    0x010392ad
    0x0103930b
    0x010392af
    0x010392af
    0x010392af
    0x010392af
    0x00000000
    0x010392ad
    0x0103929e
    0x01039295
    0x0103928c
    0x010391dc
    0x010391dc
    0x010391de
    0x010392c7
    0x010392ca
    0x010392cc
    0x010392cd
    0x010392d0
    0x01039303
    0x010392d2
    0x010392d2
    0x010392d2
    0x010392d2
    0x010392d8
    0x010392da
    0x010392dd
    0x0104ba16
    0x0104ba19
    0x0104ba19
    0x0104ba1b
    0x0104ba1b
    0x0104ba1e
    0x0104ba21
    0x0104ba21
    0x0104ba28
    0x0104ba2a
    0x0104ba2d
    0x00000000
    0x0104ba33
    0x0104ba33
    0x0104ba36
    0x00000000
    0x0104ba36
    0x010392e3
    0x010392e6
    0x010392e8
    0x010392ee
    0x00000000
    0x010392ee
    0x010391e4
    0x010391e4
    0x010391e7
    0x0104b9a8
    0x0104b9a8
    0x0104b9ab
    0x0104b9f7
    0x0104b9fa
    0x0104b9fb
    0x0104b9fe
    0x0104ba0b
    0x0104ba00
    0x0104ba00
    0x0104ba00
    0x00000000
    0x0104b9ad
    0x0104b9ad
    0x0104b9ad
    0x0104b9b0
    0x0104b9d8
    0x0104b9db
    0x0104b9dc
    0x0104b9df
    0x0104b9ec
    0x0104b9e1
    0x0104b9e1
    0x0104b9e1
    0x00000000
    0x0104b9b2
    0x0104b9b3
    0x0104b9b6
    0x0104bb74
    0x0104bb74
    0x00000000
    0x0104b9bc
    0x0104b9bc
    0x0104b9bf
    0x0104b9c0
    0x0104b9c3
    0x0104b9d0
    0x0104b9c5
    0x0104b9c5
    0x0104b9c5
    0x00000000
    0x0104b9c3
    0x0104b9b6
    0x0104b9b0
    0x010391ed
    0x010391ed
    0x0104b98a
    0x0104b98d
    0x0104b98f
    0x0104b990
    0x0104b993
    0x0104b99c
    0x0104b99c
    0x0104b995
    0x0104b995
    0x0104b995
    0x0104b9a1
    0x010392b2
    0x010392b2
    0x010392b5
    0x010392b7
    0x010392bc
    0x00000000
    0x010392c2
    0x00000000
    0x010392c2
    0x010391f3
    0x010391f3
    0x010391f4
    0x010391f6
    0x0104bb58
    0x0104bb59
    0x0104bb5e
    0x00000000
    0x010391fc
    0x010391fc
    0x010391ff
    0x0104b96c
    0x0104b96f
    0x0104b972
    0x0104b97f
    0x0104b974
    0x0104b974
    0x0104b974
    0x00000000
    0x01039205
    0x01039205
    0x01039208
    0x0104b926
    0x0104b929
    0x0104b95a
    0x0104b962
    0x010392f3
    0x010392f3
    0x010392f5
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x0104b92b
    0x0104b92b
    0x0104b92e
    0x0104b92e
    0x0104b930
    0x0104b930
    0x0104b933
    0x0104b936
    0x0104b936
    0x0104b93d
    0x0104b93f
    0x0104b942
    0x0104bb6a
    0x0104bb6a
    0x0104bb6a
    0x00000000
    0x0104b948
    0x0104b948
    0x0104b94f
    0x00000000
    0x0104b94f
    0x0104b942
    0x0103920e
    0x01039211
    0x0104bb75
    0x0104bb75
    0x0104bb7a
    0x0104bb7b
    0x0104bb83
    0x0104bb89
    0x0104bb8c
    0x0104bb9c
    0x0104bb9d
    0x0104bb9f
    0x00000000
    0x01039217
    0x01039217
    0x0103921d
    0x0104b91b
    0x01039223
    0x01039223
    0x01039223
    0x01039226
    0x01039229
    0x01039230
    0x0104ba6a
    0x0104ba6c
    0x0104ba6d
    0x0104ba6f
    0x0104ba7c
    0x0104ba7c
    0x0104ba7e
    0x0104ba7e
    0x0104ba7f
    0x0104ba81
    0x0104ba86
    0x0104ba86
    0x010392fb
    0x010392fd
    0x00000000
    0x01039236
    0x01039236
    0x01039236
    0x01039239
    0x0103923c
    0x01039243
    0x00000000
    0x01039243
    0x01039230
    0x01039211
    0x01039208
    0x010391ff
    0x010391f6
    0x010391ed
    0x010391e7
    0x010391de
    0x010391d6
    0x00000000
    0x010391a0
    0x01039276
    0x0103927f
    0x00000000

    APIs
      • Part of subcall function 0103BC30: wcschr.MSVCRT ref: 0103BCA7
      • Part of subcall function 0103BC30: iswspace.MSVCRT ref: 0103BD1D
      • Part of subcall function 0103BC30: wcschr.MSVCRT ref: 0103BD39
      • Part of subcall function 0103BC30: wcschr.MSVCRT ref: 0103BD5D
    • towupper.MSVCRT ref: 010391C9
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: wcschr$iswspacetowupper
    • String ID:
    • API String ID: 1352934581-0
    • Opcode ID: 149d649b32929d15ea84bb5832aec30e082eac1c69d68ae6612c2726e31e3a46
    • Instruction ID: 0cef3dcf15801be4c3b957380d69095786bd6ad1dc76e98efb12df979e0e629f
    • Opcode Fuzzy Hash: 149d649b32929d15ea84bb5832aec30e082eac1c69d68ae6612c2726e31e3a46
    • Instruction Fuzzy Hash: A9B1E3B56006168BDB68DEA8C4D5BBABBF4FB98304F54442AC6C397294E7B4D980CB50
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 16%
    			E01052E37() {
    				signed int _t3;
    				signed int _t6;
    				intOrPtr* _t8;
    
    				if( *0x1079068 != 0) {
    					L6:
    					_t6 = 1;
    				} else {
    					_t8 =  *0x1079064;
    					_t6 = 0;
    					if(_t8 == 0) {
    						if(IsDebuggerPresent() != 0) {
    							goto L6;
    						} else {
    							_t3 = 0;
    							goto L5;
    						}
    					} else {
    						 *0x107a4c4();
    						_t3 =  *_t8() & 0x000000ff;
    						L5:
    						if(_t3 != 0) {
    							goto L6;
    						}
    					}
    				}
    				return _t6;
    			}

    APIs
    • IsDebuggerPresent.API-MS-WIN-CORE-DEBUG-L1-1-0(?,?,01052FDD), ref: 01052E5D
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: DebuggerPresent
    • String ID:
    • API String ID: 1347740429-0
    • Opcode ID: 701d025b7a1ed45853bd0b5c2de3375232488947bcf124973c095af85aad772e
    • Instruction ID: 8ff34203c5cc934ce0e61ba5478f164b4a7c71594dd40f388d13319aac66547c
    • Opcode Fuzzy Hash: 701d025b7a1ed45853bd0b5c2de3375232488947bcf124973c095af85aad772e
    • Instruction Fuzzy Hash: B7E08630B51231DBE7B21A58688437F36CC1F11B54B080495ACD1AB145C70AA804A7A0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • NtSetInformationFile.NTDLL(000000FF,?,?,00000001,0000000D), ref: 0105A14E
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: FileInformation
    • String ID:
    • API String ID: 4253254148-0
    • Opcode ID: 61b9704d0446cbd73f1468550936a24f7b2b08d9a71e690a24758114bfa9da76
    • Instruction ID: 7b34b4fd0f937939c03f2236eb4f21ff1fcf363265aca347084b81daaabc7cd4
    • Opcode Fuzzy Hash: 61b9704d0446cbd73f1468550936a24f7b2b08d9a71e690a24758114bfa9da76
    • Instruction Fuzzy Hash: 74D05E75B442097BDB1592B4984AFCF7BAC9B84304F444165B512F21C0DAB6D50986A1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 52%
    			E01034710(int _a4, unsigned int _a8, long _a12, union _LARGE_INTEGER _a16, signed int _a20, int _a24, signed int _a28, int _a32, signed int _a36, intOrPtr _a40, signed int _a44, int _a48, int _a52, signed int _a56, char _a60, void* _a64, WCHAR* _a68, void _a72, void* _a588, signed int _a592, char _a596, long _a600, void* _a604, void* _a606, void* _a1124, void* _a4200, signed int _a4204) {
    				void* _v0;
    				void* _v4;
    				void* _v12;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t135;
    				signed int _t147;
    				WCHAR* _t151;
    				int _t152;
    				union _LARGE_INTEGER _t153;
    				void* _t158;
    				long _t160;
    				int _t163;
    				signed int _t164;
    				int _t167;
    				void* _t175;
    				int _t177;
    				void* _t178;
    				intOrPtr _t179;
    				int _t182;
    				int _t183;
    				int _t184;
    				long _t190;
    				int _t195;
    				void* _t196;
    				int _t197;
    				void* _t200;
    				void* _t201;
    				void* _t205;
    				void* _t206;
    				WCHAR* _t214;
    				int _t215;
    				union _LARGE_INTEGER _t217;
    				void* _t218;
    				int _t223;
    				signed int _t224;
    				unsigned int _t231;
    				void* _t232;
    				int _t240;
    				long _t241;
    				signed char* _t245;
    				intOrPtr _t248;
    				int _t249;
    				WCHAR* _t251;
    				void* _t252;
    				int _t253;
    				long _t255;
    				void* _t258;
    				void* _t260;
    				int _t261;
    				unsigned int _t262;
    				signed int _t265;
    				signed int _t266;
    				signed int _t267;
    
    				_t266 = _t265 & 0xfffffff8;
    				E01047F80(0x1074);
    				_t135 =  *0x105e0b4; // 0x6030efd1
    				_a4204 = _t135 ^ _t266;
    				_a56 = _a56 | 0xffffffff;
    				_t251 = _a4;
    				_a52 = 0;
    				_a20 = 0;
    				_t205 = 1;
    				_a32 = 0;
    				_a36 = 0;
    				_a592 = 0;
    				_a68 = _t251;
    				_a60 = 0x7fffffff;
    				_a44 = 1;
    				_a596 = 1;
    				_a600 = 0x104;
    				memset( &_a72, 0, 0x104);
    				_t267 = _t266 + 0xc;
    				if(E0103E3F0(((0 | _a596 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
    					_t208 = 8;
    					L14:
    					E01059EDB(_t208);
    					L8:
    					_t147 = _a592;
    					_a592 = _a592 & 0x00000000;
    					if(_t147 != 0) {
    						__imp__??_V@YAXPAX@Z(_t147);
    					}
    					_pop(_t252);
    					_pop(_t258);
    					_pop(_t206);
    					return E01046B30(_t205, _t206, _a4204 ^ _t267, _t244, _t252, _t258);
    				}
    				_t244 = 0;
    				_t259 = E01040590(_t251, 0,  &_a72);
    				_a12 = _t259;
    				if(_t259 == 0xffffffff) {
    					_t151 = E01041D90(L"DPATH");
    					__eflags = _t151;
    					if(_t151 == 0) {
    						L22:
    						_t208 =  *0x10667a8;
    						__eflags =  *0x10667a8 - 0x7b;
    						if( *0x10667a8 == 0x7b) {
    							_t208 = 2;
    							 *0x10667a8 = _t208;
    						}
    						goto L14;
    					}
    					_t214 = _a592;
    					__eflags = _t214;
    					if(_t214 == 0) {
    						_t214 =  &_a72;
    					}
    					_t152 = SearchPathW(_t151, _t251, 0, _a600, _t214, 0);
    					__eflags = _t152;
    					if(_t152 == 0) {
    						goto L22;
    					} else {
    						_t215 = _a592;
    						__eflags = _t215;
    						if(_t215 == 0) {
    							_t215 =  &_a72;
    						}
    						_t244 = 0;
    						_t153 = E01040590(_t215, 0, _t215);
    						_t259 = _t153;
    						_a12 = _t153;
    						__eflags = _t259 - 0xffffffff;
    						if(_t259 != 0xffffffff) {
    							goto L2;
    						} else {
    							goto L22;
    						}
    					}
    				}
    				L2:
    				_a28 = _t267 + 0x270;
    				if(E0103DD98(_t267 + 0x270) == 0) {
    					_t200 =  &_a60;
    					__imp___get_osfhandle(_t200);
    					_t201 = GetFileSize(_t200, _t259);
    					_a56 = _t201;
    					__imp___get_osfhandle(0);
    					SetFilePointer(_t201, _t259, 0, 0);
    					_a36 = _a36 & 0x00000000;
    					_a32 = _t205;
    				}
    				L4:
    				L4:
    				if( *0x106259c != 0) {
    					_t217 = _t259;
    				} else {
    					goto L5;
    				}
    				L91:
    				E0103A16C(_t217);
    				goto L8;
    				L5:
    				_t158 = _t267 + 0x27c;
    				__imp___get_osfhandle(_t158, 0x200,  &_a4, 0);
    				_t218 = _t259;
    				if(ReadFile(_t158, ??, ??, ??, ??) == 0) {
    					L86:
    					_t160 = GetLastError();
    					_push(0);
    					_push(_t160);
    					 *0x10667a8 = _t160;
    					E010378E4(_t218);
    					L7:
    					E0103A16C(_t259);
    					_t205 = 0;
    					goto L8;
    				}
    				_t253 = _a4;
    				if(_t253 != 0) {
    					__eflags = _a44;
    					if(_a44 == 0) {
    						_t260 = _a20;
    						L32:
    						_a24 = _t253;
    						__eflags = _t260;
    						if(_t260 == 0) {
    							L28:
    							_t222 = _t205;
    							_t163 = E01039A11(_t159);
    							__eflags = _t163;
    							if(_t163 != 0) {
    								L30:
    								_t261 = _a4;
    								_t245 = _t267 + 0x270;
    								_t223 = _t261;
    								__eflags = _t261;
    								while(1) {
    									_a8 = _t223;
    									if(__eflags == 0) {
    										break;
    									}
    									_t164 =  *_t245 & 0x000000ff;
    									__eflags =  *((char*)(_t164 + 0x1078af0));
    									if( *((char*)(_t164 + 0x1078af0)) == 0) {
    										L40:
    										_t245 =  &(_t245[1]);
    										_t223 = _t223 - 1;
    										__eflags = _t223;
    										continue;
    									}
    									_t245 =  &(_t245[1]);
    									_t223 = _t223 - 1;
    									__eflags = _t223;
    									_a8 = _t223;
    									if(_t223 != 0) {
    										goto L40;
    									}
    									_t259 = _a16.LowPart;
    									_t196 =  &_a8;
    									__imp___get_osfhandle(_a16.LowPart, _t245, _t205, _t196, 0);
    									_pop(_t218);
    									_t197 = ReadFile(_t196, ??, ??, ??, ??);
    									__eflags = _t197;
    									if(_t197 == 0) {
    										goto L86;
    									}
    									_t261 = _a4 + 1;
    									_a4 = _t261;
    									_a24 = _t261;
    									break;
    								}
    								_a28 = _a28 & 0x00000000;
    								_t222 = _t205;
    								_t244 = _t267 + 0x278;
    								_t167 = E010573DD(_t205, _t267 + 0x278,  &_a24,  &_a28);
    								__eflags = _t167;
    								if(_t167 != 0) {
    									L45:
    									_t262 = MultiByteToWideChar( *0x10625a0, 0, _t267 + 0x27c, _t261, _t267 + 0x478, 0x400);
    									_a8 = _t262;
    									__eflags = _t262;
    									if(_t262 == 0) {
    										_t262 = 0x400;
    										_a8 = 0x400;
    									}
    									_t253 = _a4;
    									_a28 = _t267 + 0x478;
    									L48:
    									__eflags = _a44;
    									if(_a44 != 0) {
    										__eflags =  *0x1066760;
    										if( *0x1066760 != 0) {
    											E010378E4(_t222, 0x2354, _t205, _a68);
    											_t253 = _a4;
    											_t267 = _t267 + 0xc;
    											_t262 = _a8;
    										}
    										_t81 =  &_a44;
    										 *_t81 = _a44 & 0x00000000;
    										__eflags =  *_t81;
    									}
    									_t172 = _a28;
    									_v0 = _a28;
    									__eflags = _t262;
    									if(_t262 <= 0) {
    										L79:
    										_t244 = _a32;
    										_t224 = _a36;
    										__eflags = _t244 | _t224;
    										_t259 = _a16.LowPart;
    										if((_t244 | _t224) != 0) {
    											_t175 =  &_a32;
    											__imp___get_osfhandle(_t175, _t205);
    											SetFilePointerEx(_t175, _t259, 0, 0);
    											_t224 = _a36;
    											_t244 = _a32;
    											_t253 = _a4;
    										}
    										__eflags = _t253 - _a24;
    										if(_t253 != _a24) {
    											goto L7;
    										} else {
    											__eflags = _a60 - _t224;
    											if(__eflags < 0) {
    												goto L7;
    											}
    											if(__eflags > 0) {
    												goto L4;
    											}
    											__eflags = _a56 - _t244;
    											if(_a56 <= _t244) {
    												goto L7;
    											}
    											goto L4;
    										}
    									} else {
    										do {
    											__eflags = _t262 - 0x50;
    											if(_t262 <= 0x50) {
    												_t255 = _t262;
    												__eflags = _t262;
    												if(_t262 == 0) {
    													break;
    												}
    												L56:
    												__eflags =  *0x106259c;
    												if( *0x106259c != 0) {
    													L90:
    													_t217 = _a16.LowPart;
    													goto L91;
    												}
    												_t177 = E01039A11(_t172);
    												__eflags = _t177;
    												if(_t177 == 0) {
    													__eflags =  *0x1079050;
    													if( *0x1079050 != 0) {
    														__eflags = _a20;
    														if(_a20 != 0) {
    															L66:
    															_t178 = _v0;
    															_a52 =  *(_t178 + _t255 * 2) & 0x0000ffff;
    															__eflags = 0;
    															 *(_t178 + _t255 * 2) = 0;
    															L67:
    															_t179 = E01039B3B(_t178, _t178, _t255 + _t255,  &_a12);
    															__eflags = _a12;
    															_t248 =  *((intOrPtr*)(_t267 + 0x10));
    															_a40 = _t179;
    															if(_a12 != 0) {
    																 *((short*)(_t248 + _t255 * 2)) = _a52;
    															}
    															_t231 = _a12;
    															_t262 = _t262 - (_t231 >> 1);
    															_t249 = _t248 + _t231;
    															__eflags = _t249;
    															_v0 = _t249;
    															L70:
    															_t244 = _a48;
    															L71:
    															__eflags = _t244;
    															if(_t244 == 0) {
    																L73:
    																_t182 = GetLastError();
    																 *0x10667a8 = _t182;
    																__eflags = _t182;
    																if(_t182 == 0) {
    																	 *0x10667a8 = 0x70;
    																}
    																_t232 = _t205;
    																_t183 = E0103DD98(_t182);
    																__eflags = _t183;
    																if(_t183 == 0) {
    																	_t233 = _t205;
    																	_t184 = E01059FCF(_t183, _t205);
    																	__eflags = _t184;
    																	if(_t184 == 0) {
    																		E01059EDB( *0x10667a8);
    																	} else {
    																		_push(0);
    																		_push(0x2364);
    																		E010378E4(_t233);
    																	}
    																	goto L90;
    																} else {
    																	_push(0);
    																	_push(0x1d);
    																	_t172 = E010378E4(_t232);
    																	goto L77;
    																}
    															}
    															_t172 = _t255 + _t255;
    															__eflags = _t231 - _t255 + _t255;
    															if(_t231 == _t255 + _t255) {
    																goto L77;
    															}
    															goto L73;
    														}
    														_t178 = _v0;
    														goto L67;
    													}
    													__eflags = _a20;
    													if(_a20 != 0) {
    														goto L66;
    													}
    													L63:
    													__imp___get_osfhandle(0);
    													_t244 = WriteFile( &_a12, _t205, _v0, _t255,  &_a12);
    													_t190 = _a12;
    													_t262 = _t262 - _t190;
    													_v0 = _v0 + _t190;
    													_t231 = _t190 + _t190;
    													_a12 = _t231;
    													goto L71;
    												}
    												_t240 = WriteConsoleW(GetStdHandle(0xfffffff5), _v0, _t255,  &_a12, 0);
    												_a48 = _t240;
    												__eflags = _t240;
    												if(_t240 == 0) {
    													goto L63;
    												}
    												_t241 = _a12;
    												__eflags = _t241 - _t255;
    												if(_t241 != _t255) {
    													goto L63;
    												}
    												_t262 = _t262 - _t241;
    												_t231 = _t241 + _t241;
    												_v0 = _v0 + _t231;
    												_a12 = _t231;
    												goto L70;
    											}
    											_t255 = 0x50;
    											goto L56;
    											L77:
    											__eflags = _t262;
    										} while (_t262 > 0);
    										_t253 = _a4;
    										goto L79;
    									}
    								}
    								_t195 = _a24;
    								__eflags = _t195;
    								if(_t195 == 0) {
    									_t259 = _a16;
    									goto L7;
    								}
    								_t261 = _t195;
    								goto L45;
    							}
    							__eflags =  *0x1079050 - _t163;
    							if( *0x1079050 == _t163) {
    								_t253 = _a4;
    								_t262 = _t253;
    								L35:
    								_a8 = _t262;
    								goto L48;
    							}
    							goto L30;
    						}
    						_t262 = _t253 >> 1;
    						goto L35;
    					}
    					_t159 = 0xfeff;
    					__eflags =  *(_t267 + 0x270) - 0xfeff;
    					if( *(_t267 + 0x270) != 0xfeff) {
    						_t47 =  &_a20;
    						 *_t47 = _a20 & 0x00000000;
    						__eflags =  *_t47;
    						_a24 = _t253;
    						goto L28;
    					}
    					_t253 = _t253 - 2;
    					_a4 = _t253;
    					_t260 = _t205;
    					_a20 = _t260;
    					_t159 = memmove(_t267 + 0x278, _t267 + 0x272, _t253);
    					_t267 = _t267 + 0xc;
    					goto L32;
    				}
    				goto L7;
    			}

    APIs
    • memset.MSVCRT ref: 01034781
      • Part of subcall function 0103E3F0: memset.MSVCRT ref: 0103E455
    • _get_osfhandle.MSVCRT ref: 010347E4
    • GetFileSize.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001), ref: 010347EC
    • _get_osfhandle.MSVCRT ref: 010347FD
    • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 01034805
      • Part of subcall function 0103A16C: _close.MSVCRT ref: 0103A19B
    • _get_osfhandle.MSVCRT ref: 01034832
    • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001), ref: 0103483A
    • ??_V@YAXPAX@Z.MSVCRT ref: 01034871
    • SearchPathW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,?,00000000,?,?,00000000,?,-00000001), ref: 01048120
    • memmove.MSVCRT ref: 01048191
    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,?,00000000,?,00000000), ref: 01048328
    • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 0104832F
      • Part of subcall function 0103DD98: _get_osfhandle.MSVCRT ref: 0103DDA3
      • Part of subcall function 0103DD98: GetFileType.KERNELBASE(00000000,0104C050), ref: 0103DDAD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: File_get_osfhandle$memset$ConsoleHandlePathPointerReadSearchSizeTypeWrite_closememmove
    • String ID: DPATH
    • API String ID: 2545859659-2010427443
    • Opcode ID: 19837c9c4d404b115b52b9641661449ae4fe94b27525e73d91c850351950ece2
    • Instruction ID: 67215a8ac9fdc8fae96c4832a5dc627245acccab3b1cec35a8fc2b3f7aaec12d
    • Opcode Fuzzy Hash: 19837c9c4d404b115b52b9641661449ae4fe94b27525e73d91c850351950ece2
    • Instruction Fuzzy Hash: E1F17CB1A083419FD765DF64C884B6FBBE8BBC8710F04892EF9C597290DB759904CB92
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 40%
    			E0103E0B0(void* __eax, void* __ebx, void* __edi, void* __esi, signed int _a8, intOrPtr* _a12, intOrPtr* _a16, signed int* _a20, intOrPtr _a24) {
    				signed int _v4;
    				signed int _v8;
    				signed int* _v12;
    				signed int _v16;
    				signed int _v20;
    				signed short _v26;
    				signed short _v28;
    				void* _t91;
    				void* _t96;
    				void* _t111;
    				void* _t113;
    				signed int _t117;
    				intOrPtr _t119;
    				signed int _t121;
    				signed int _t122;
    				signed int _t123;
    				signed int _t124;
    				signed int _t125;
    				void* _t129;
    				void* _t132;
    				signed int _t134;
    				void* _t137;
    				signed int _t139;
    				intOrPtr* _t140;
    				intOrPtr* _t142;
    
    				_t137 = __edi;
    				_t113 = __ebx;
    				_t146 =  *0x1066700 - 0x4000;
    				_push(__esi);
    				if( *0x1066700 != 0x4000) {
    					_t91 =  *0x1074af0;
    					__eflags = _t91 - 0x28;
    					if(_t91 != 0x28) {
    						__eflags = _t91 - 0x40;
    						if(_t91 == 0x40) {
    							goto L111;
    						} else {
    							goto L121;
    						}
    					} else {
    						L111:
    						_t114 = 0x50;
    						_t139 = E0103DCD0(0x50);
    						__eflags = _t139;
    						if(_t139 == 0) {
    							E01059922();
    							__imp__longjmp(0x1070a30, 1);
    							asm("int3");
    							__eflags = _t132 - 3;
    							if(__eflags == 0) {
    								_t140 = _a8;
    								_push(_a24);
    								 *_t140 = E01035DA6(_t113,  *_t140, 0x50, _t137, _t140, __eflags);
    								E01038F21(_t94);
    								_t117 =  *0x10667a8;
    								__eflags = _t117;
    								if(_t117 != 0) {
    									__eflags = _t117 - 0x7b;
    									if(_t117 == 0x7b) {
    										goto L5;
    									} else {
    										goto L8;
    									}
    								} else {
    									L5:
    									_t96 = 2;
    									 *_a16 =  *_a16 + 1;
    									_t119 =  *_t140;
    									__eflags =  *(_t119 + 0x1c) & 0x00000008;
    									if(( *(_t119 + 0x1c) & 0x00000008) == 0) {
    										 *_a20 =  *_a20 & 0x00000000;
    									}
    									goto L3;
    								}
    							} else {
    								__eflags = _t132 - 5;
    								if(__eflags == 0) {
    									 *0x1066704 = 2;
    									_t142 = _a12;
    									_push(_a24);
    									 *_t142 = E01035DA6(_t113,  *_t142, 0x50, _t137, _t142, _t146);
    									E01038F21(_t105);
    									_t117 =  *0x10667a8;
    									if(_t117 != 0) {
    										__eflags = _t117 - 0x7b;
    										if(_t117 == 0x7b) {
    											goto L2;
    										} else {
    											L8:
    											_t134 = 0;
    											__eflags = 0;
    											goto L9;
    										}
    									} else {
    										L2:
    										_t96 = 6;
    										L3:
    										return _t96;
    									}
    								} else {
    									_t134 = 0;
    									_t117 = 0x232a;
    									L9:
    									E01058C50(_t117, _t134);
    									_t121 = _t117;
    									__eflags = _t121;
    									if(_t121 == 0) {
    										return 0x106c7f0;
    									} else {
    										_t122 = _t121 - 1;
    										__eflags = _t122;
    										if(_t122 == 0) {
    											return 0x106c970;
    										} else {
    											_t123 = _t122 - 1;
    											__eflags = _t123;
    											if(_t123 == 0) {
    												return 0x106c930;
    											} else {
    												_t124 = _t123 - 1;
    												__eflags = _t124;
    												if(_t124 == 0) {
    													return 0x106c8f0;
    												} else {
    													_t125 = _t124 - 1;
    													__eflags = _t125;
    													if(_t125 != 0) {
    														__eflags = _t125 == 1;
    														if(_t125 == 1) {
    															return 0x106c870;
    														} else {
    															return 0x106c830;
    														}
    													} else {
    														return 0x106c8b0;
    													}
    												}
    											}
    										}
    									}
    								}
    							}
    						} else {
    							__eflags =  *0x1074af0 - 0x28;
    							if( *0x1074af0 != 0x28) {
    								 *_t139 = 0x3b;
    								_t129 = 0;
    							} else {
    								 *_t139 = 0x33;
    								do {
    									_t111 = E0103CC70(0x10);
    									__eflags =  *0x1074af0 - 0xa;
    								} while ( *0x1074af0 == 0xa);
    								__eflags = 0;
    								E0103CF10(_t111, 0, 0, 0);
    								_t129 = 0x33;
    							}
    							 *((intOrPtr*)(_t139 + 0x38)) = E0103A8C4(_t113, _t129);
    							__eflags =  *_t139 - 0x3b;
    							if( *_t139 == 0x3b) {
    								L118:
    								return _t139;
    							} else {
    								_t114 = 0x10;
    								_t91 = E0103CC70(0x10);
    								__eflags = _t91 - 0x29;
    								if(_t91 != 0x29) {
    									L121:
    									E01058959(_t91, _t114);
    									__eflags = 0;
    									return 0;
    								} else {
    									goto L118;
    								}
    							}
    						}
    					}
    				} else {
    					__imp___wcsicmp(L"FOR", 0x1074af0);
    					__esp = __esp + 8;
    					__eflags = __eax;
    					if(__eax == 0) {
    						L123:
    						_pop(__esi);
    						__edi = 0;
    						__imp___wcsicmp(L"FOR/?", __edi, __esi);
    						_pop(__ecx);
    						__ecx = 0x1074af0;
    						__eflags = __eax;
    						if(__eflags == 0) {
    							__eax = 0;
    							__edi = 0;
    							 *0x1074af6 = __ax;
    							__edi = 1;
    						}
    						__ecx = 0x2b;
    						 *0x10666fc = 0x1e;
    						__esi = E0103BB90(__ebx, __ecx, __edi, __esi, __eflags);
    						__eax = 0x2f;
    						__eflags = __edi;
    						if(__eflags != 0) {
    							 *0x1074af0 = __ax;
    							__eax = 0x3f;
    							 *0x1074af2 = __ax;
    							__eax = 0;
    							 *0x1074af4 = __ax;
    						} else {
    							__ecx = 0;
    							__eflags = 0;
    							__eax = E0103CC70(0);
    						}
    						__edx = 0x2b;
    						__eax = E01039907(__ebx, __edx, __edi, __eflags);
    						__eflags = __al;
    						if(__al != 0) {
    							 *(__esi + 0x38) =  *(__esi + 0x38) & 0x00000000;
    							 *__esi = 0x3c;
    						} else {
    							 *(__esi + 0x48) =  *(__esi + 0x48) & 0x00000000;
    							__edi = 0x1074af0;
    							__eflags =  *0x1066755 - __al;
    							if( *0x1066755 != __al) {
    								while(1) {
    									__imp___wcsicmp(L"/L");
    									_pop(__ecx);
    									__ecx = __edi;
    									__eflags = __eax;
    									if(__eax == 0) {
    										goto L152;
    									}
    									L130:
    									__imp___wcsicmp(L"/D");
    									_pop(__ecx);
    									__ecx = __edi;
    									__eflags = __eax;
    									if(__eax == 0) {
    										 *(__esi + 0x48) =  *(__esi + 0x48) | 0x00000002;
    										L147:
    										__ecx = 0;
    										__eax = E0103CC70(0);
    										while(1) {
    											__imp___wcsicmp(L"/L");
    											_pop(__ecx);
    											__ecx = __edi;
    											__eflags = __eax;
    											if(__eax == 0) {
    												goto L152;
    											}
    											goto L130;
    										}
    										goto L152;
    									}
    									__imp___wcsicmp(L"/F");
    									_pop(__ecx);
    									__ecx = __edi;
    									__eflags = __eax;
    									if(__eax == 0) {
    										 *(__esi + 0x48) =  *(__esi + 0x48) | 0x00000008;
    										__ecx = 0;
    										__eax = E0103CC70(0);
    										__ax =  *0x1074af0;
    										__ecx = 0x25;
    										__eflags = __ax - __cx;
    										if(__ax == __cx) {
    											continue;
    										} else {
    											__ecx = 0x2f;
    											__eflags = __ax - __cx;
    											if(__ax == __cx) {
    												continue;
    											} else {
    												__eflags =  *(__esi + 0x4c);
    												if( *(__esi + 0x4c) != 0) {
    													__eax = E01058959(__eax, __ecx);
    												}
    												__eax =  *0x10666fc;
    												__ecx = 6 +  *0x10666fc * 2;
    												__eax = E0103DCD0(6 +  *0x10666fc * 2);
    												__eflags = __eax;
    												if(__eax == 0) {
    													goto L216;
    												} else {
    													__edx =  *0x10666fc;
    													__edx =  *0x10666fc + 3;
    													goto L146;
    												}
    											}
    										}
    										goto L140;
    									} else {
    										__imp___wcsicmp(L"/R");
    										_pop(__ecx);
    										__ecx = __edi;
    										__ecx =  *(__esi + 0x48);
    										__eflags = __eax;
    										if(__eax == 0) {
    											 *(__esi + 0x48) = __ecx;
    											__ecx = 0;
    											__eax = E0103CC70(0);
    											__eflags =  *(__esi + 0x4c);
    											if( *(__esi + 0x4c) != 0) {
    												__eax = E01058959(__eax, __ecx);
    											}
    											__ax =  *0x1074af0;
    											__ecx = 0x25;
    											__eflags = __ax - __cx;
    											if(__ax == __cx) {
    												continue;
    											} else {
    												__ecx = 0x2f;
    												__eflags = __ax - __cx;
    												if(__ax == __cx) {
    													continue;
    												} else {
    													__eax =  *0x10666fc;
    													__ecx = 2 +  *0x10666fc * 2;
    													__eax = E0103DCD0(2 +  *0x10666fc * 2);
    													__eflags = __eax;
    													if(__eax == 0) {
    														L216:
    														__eax = E01059922();
    														__imp__longjmp(0x1070a30, 1);
    														goto L217;
    													} else {
    														__edx =  *0x10666fc;
    														__edx =  *0x10666fc + 1;
    														L146:
    														__ecx = __eax;
    														 *(__esi + 0x4c) = __eax;
    														__eax = E0103F3A0(__eax, __edx, __edi);
    														goto L147;
    													}
    												}
    											}
    											goto L140;
    										} else {
    											__eflags = __ecx;
    											if(__ecx != 0) {
    												__eflags = __ecx - 8;
    												if(__ecx != 8) {
    													__eflags = __ecx - 2;
    													if(__ecx != 2) {
    														__eflags = __ecx - 1;
    														if(__ecx != 1) {
    															L217:
    															__eflags = __ecx - 6;
    															if(__ecx != 6) {
    																__eflags = __ecx - 4;
    																if(__ecx != 4) {
    																	__eax = E01058959(__eax, __ecx);
    																}
    															}
    														}
    													}
    												}
    											}
    										}
    									}
    									goto L135;
    									L152:
    									 *(__esi + 0x48) =  *(__esi + 0x48) | 0x00000001;
    									goto L147;
    								}
    							}
    							L135:
    							__eax = 0x25;
    							__eflags =  *0x1074af0 - __ax;
    							if( *0x1074af0 != __ax) {
    								L220:
    								__eax = E01058959(__eax, __ecx);
    							} else {
    								__eax =  *0x1074af2 & 0x0000ffff;
    								__eax = iswspace( *0x1074af2 & 0x0000ffff);
    								_pop(__ecx);
    								__eflags = __eax;
    								if(__eax != 0) {
    									goto L220;
    								} else {
    									__edx =  *0x1074af2 & 0x0000ffff;
    									__ecx = L"=,;";
    									 *(__esi + 0x44) = __edx;
    									__eax = E0103A62F(__ecx, __edx);
    									__eflags = __eax;
    									if(__eax != 0) {
    										goto L220;
    									} else {
    										__eflags =  *0x10666fc - 3;
    										if( *0x10666fc != 3) {
    											goto L220;
    										}
    									}
    								}
    							}
    							__ecx =  *(__esi + 0x38);
    							_push(__edi);
    							_push(__ecx);
    							__edx = 0x1e;
    							__eax = E0104204E(__ecx, __edx);
    							__ecx = L"IN";
    							__eax = E01042C23(L"IN");
    							__ecx =  *(__esi + 0x38);
    							_push(__edi);
    							_push(__ecx);
    							__edx = 0x1e;
    							__eax = E0104204E(__ecx, __edx);
    							__eax = E010433CA(__ecx);
    							__ecx = L"DO";
    							 *(__esi + 0x3c) = __eax;
    							__eax = E01042C23(L"DO");
    							__ecx =  *(__esi + 0x38);
    							_push(__edi);
    							__ecx =  *(__esi + 0x38) + 0x2c;
    							__edx = 8;
    							__eax = E0103F3A0( *(__esi + 0x38) + 0x2c, __edx);
    							__ecx = 0x2b;
    							__eax = E0103A8C4(__ebx, __ecx);
    							 *(__esi + 0x40) = __eax;
    							__eflags = __eax;
    							if(__eax == 0) {
    								__eax = E01058959(__eax, __ecx);
    							}
    						}
    						L140:
    						_pop(__edi);
    						__eax = __esi;
    						_pop(__esi);
    						return __esi;
    					} else {
    						__imp___wcsicmp(L"FOR/?", 0x1074af0);
    						__esp = __esp + 8;
    						__eflags = __eax;
    						if(__eax == 0) {
    							goto L123;
    						} else {
    							__imp___wcsicmp(L"IF", 0x1074af0);
    							__esp = __esp + 8;
    							__eflags = __eax;
    							if(__eax == 0) {
    								L119:
    								_pop(__esi);
    								__ebx = 0;
    								__edi = 0;
    								__imp___wcsicmp(L"IF/?", __edi, __esi, __ebx);
    								_pop(__ecx);
    								__ecx = 0x1074af0;
    								__eflags = __eax;
    								if(__eflags == 0) {
    									__eax = 0;
    									__edi = 0;
    									 *0x1074af4 = __ax;
    									__edi = 1;
    								}
    								__ecx = 0x2c;
    								__esi = E0103BB90(__ebx, __ecx, __edi, __esi, __eflags);
    								__eflags = __edi;
    								if(__eflags != 0) {
    									__eax = 0x2f;
    									 *0x1074af0 = __ax;
    									__eax = 0x3f;
    									 *0x1074af2 = __ax;
    									__eax = 0;
    									 *0x1074af4 = __ax;
    								} else {
    									__ecx = 0;
    									__eflags = 0;
    									__eax = E0103CC70(0);
    								}
    								__edx = 0x2c;
    								__eax = E01039907(__ebx, __edx, __edi, __eflags);
    								__eflags = __al;
    								if(__al != 0) {
    									 *__esi = 0x3c;
    									 *(__esi + 0x38) = __ebx;
    									goto L33;
    								} else {
    									__edi = __ebx;
    									__eflags =  *0x1066755 - __bl;
    									if( *0x1066755 == __bl) {
    										L26:
    										__edx = 0;
    										__ecx = 0;
    										__eflags = 0;
    										__eax = E0103CF10(__eax, 0, 0, __ebx);
    									} else {
    										__imp___wcsicmp(L"/I");
    										__ecx = 0x1074af0;
    										_pop(__ecx);
    										__eflags = __eax;
    										if(__eax == 0) {
    											__edi = 0;
    											__edi = 1;
    										} else {
    											goto L26;
    										}
    									}
    									__ecx = 0;
    									__eax = E01040444(0);
    									 *(__esi + 0x3c) = __eax;
    									__eflags = __eax;
    									if(__eax != 0) {
    										__eflags = __edi;
    										if(__edi != 0) {
    											__eflags =  *__eax - 0x38;
    											if( *__eax == 0x38) {
    												__eax =  *(__eax + 0x3c);
    											}
    											 *((intOrPtr*)(__eax + 0x40)) = 2;
    										}
    									}
    									__ecx = 0x2c;
    									__eax = E0103A8C4(__ebx, __ecx);
    									 *(__esi + 0x40) = __eax;
    									__eflags = __eax;
    									if(__eax == 0) {
    										__eax = E01058959(__eax, __ecx);
    									}
    									__eax =  *0x10665cc;
    									__eflags =  *( *0x10665cc) - __bx;
    									if( *( *0x10665cc) == __bx) {
    										L33:
    										_pop(__edi);
    										__eax = __esi;
    										_pop(__esi);
    										_pop(__ebx);
    										return __esi;
    									} else {
    										__ecx = 0;
    										__eax = E0103CC70(0);
    										__edi = 0x1074af0;
    										__imp___wcsicmp(L"ELSE");
    										_pop(__ecx);
    										__ecx = 0x1074af0;
    										__eflags = __eax;
    										if(__eax == 0) {
    											__eax =  *0x10666fc;
    											__ecx =  *0x10666fc +  *0x10666fc;
    											__eax = E0103DCD0( *0x10666fc +  *0x10666fc);
    											__eflags = __eax;
    											if(__eax == 0) {
    												__eax = E01059922();
    												__imp__longjmp(0x1070a30, 1);
    												asm("int3");
    												while(1) {
    													__eflags = __edi - 0x2c;
    													if(__edi != 0x2c) {
    														break;
    													}
    													__eflags =  *((short*)(__edx + 6));
    													if( *((short*)(__edx + 6)) != 0) {
    														do {
    															__ecx = __edx;
    															_t21 = __ecx + 2; // 0x2
    															__esi = _t21;
    															do {
    																__ax =  *__ecx;
    																__ecx = __ecx + 2;
    																__eflags = __ax;
    															} while (__ax != 0);
    															__ecx = __ecx - __esi;
    															__edx = __edx + __ecx * 2;
    															__edx = __edx + 2;
    															__eflags =  *__edx - __ax;
    															if( *__edx == __ax) {
    																L47:
    																__eax =  *__edx & 0x0000ffff;
    																__ecx = __eax;
    																__eflags = __ax;
    																if(__ax != 0) {
    																	__eflags = __cx - 0x2f;
    																	if(__cx == 0x2f) {
    																		goto L50;
    																	} else {
    																		__eflags = __edi - 9;
    																		if(__edi == 9) {
    																			goto L48;
    																		} else {
    																			__eax = __edx;
    																			_t17 = __eax + 2; // 0x2
    																			__esi = _t17;
    																			do {
    																				__cx =  *__eax;
    																				__eax = __eax + 2;
    																				__eflags = __cx;
    																			} while (__cx != 0);
    																			__eax = __eax - __esi;
    																			__eflags = __eax;
    																			__edx = __edx + __eax * 2;
    																			goto L46;
    																		}
    																	}
    																} else {
    																	L48:
    																	__al = 0;
    																	__eflags = 0;
    																}
    																goto L49;
    															} else {
    																__ecx = __edx;
    																_t24 = __ecx + 2; // 0x0
    																__esi = _t24;
    																do {
    																	__ax =  *__ecx;
    																	__ecx = __ecx + 2;
    																	__eflags = __ax;
    																} while (__ax != 0);
    																__ecx = __ecx - __esi;
    																__edx = __edx + __ecx * 2;
    																L46:
    																__edx = __edx + 2;
    																__eflags = __edx;
    																goto L47;
    															}
    															goto L222;
    															L50:
    															__eflags =  *((short*)(__edx + 4)) - 0x3f;
    														} while ( *((short*)(__edx + 4)) != 0x3f);
    														continue;
    													} else {
    														break;
    													}
    													L49:
    													_pop(__edi);
    													_pop(__esi);
    													_pop(__ebx);
    													__esp = __ebp;
    													_pop(__ebp);
    													return __eax;
    													goto L222;
    												}
    												__eflags = __ebx;
    												if(__ebx != 0) {
    													L174:
    													__eax = _v4;
    												} else {
    													__eflags =  *0x1066755 - __bl;
    													if( *0x1066755 == __bl) {
    														goto L174;
    													} else {
    														__ebx = _v4;
    														__eax = 0;
    													}
    												}
    												__edi = __ebx;
    												__esi = __ebx;
    												__eflags = __ebx;
    												if(__ebx == 0) {
    													__ebx = 0x234a;
    												}
    												__edi =  ~__edi;
    												asm("sbb edi, edi");
    												__edi = __edi & _v8;
    												__esi =  ~__esi;
    												asm("sbb esi, esi");
    												__esi = __esi & __eax;
    												__eflags = _a8;
    												if(__eflags == 0) {
    													 *0x1079500 = __ebx;
    												} else {
    													__eax = E01059A0E(__edx, __eflags);
    													__eflags =  *0x106259c;
    													if( *0x106259c == 0) {
    														_push(0);
    														_push(__ebx);
    														__eax = E010363BD(__ecx);
    														__esp = __esp + 8;
    														__eflags =  *0x1066755;
    														if( *0x1066755 != 0) {
    															__eflags = __esi;
    															if(__esi == 0) {
    																L183:
    																__eflags =  *0x106259c;
    																if( *0x106259c == 0) {
    																	while(1) {
    																		__eax = __edi;
    																		__edi = __edi - 1;
    																		__eflags = __eax;
    																		if(__eax == 0) {
    																			goto L186;
    																		}
    																		__esi = __esi + 1;
    																		_push(0);
    																		_push(__esi);
    																		__eax = E010363BD(__ecx);
    																		__esp = __esp + 8;
    																		__eflags =  *0x106259c;
    																		if( *0x106259c == 0) {
    																			continue;
    																		}
    																		goto L186;
    																	}
    																}
    															} else {
    																__eflags =  *0x106259c;
    																if( *0x106259c == 0) {
    																	_push(0);
    																	_push(__esi);
    																	__eax = E010363BD(__ecx);
    																	__esp = __esp + 8;
    																	goto L183;
    																}
    															}
    														}
    													}
    													L186:
    													 *0x107905b = 0;
    													 *0x107950c = 0;
    												}
    												__al = 1;
    												goto L49;
    											} else {
    												__edx =  *0x10666fc;
    												__ecx = __eax;
    												 *(__esi + 0x44) = __eax;
    												__eax = E0103F3A0(__eax,  *0x10666fc, 0x1074af0);
    												__ecx = 0x2c;
    												__eax = E0103A8C4(__ebx, __ecx);
    												 *(__esi + 0x48) = __eax;
    												__eflags = __eax;
    												if(__eax == 0) {
    													__eax = E01058959(__eax, __ecx);
    												}
    												goto L33;
    											}
    										} else {
    											__edx = 0;
    											__ecx = 0;
    											__eflags = 0;
    											__eax = E0103CF10(__eax, 0, 0, __ebx);
    											goto L33;
    										}
    									}
    								}
    							} else {
    								__imp___wcsicmp(L"IF/?", 0x1074af0);
    								__esp = __esp + 8;
    								__eflags = __eax;
    								if(__eax == 0) {
    									goto L119;
    								} else {
    									__imp___wcsicmp(L"REM", 0x1074af0);
    									__esp = __esp + 8;
    									__eflags = __eax;
    									if(__eax == 0) {
    										L109:
    										_pop(__esi);
    										__ebp = __esp;
    										__esp = __esp - 0x1c;
    										__eax =  *0x105e0b4; // 0x6030efd1
    										__eax = __eax ^ __ebp;
    										_v8 = __eax;
    										__ebx = 0;
    										__edi = 0;
    										__imp___wcsicmp(L"REM/?", __edi, __esi, __ebx, __ebp);
    										_pop(__ecx);
    										__ecx = 0x1074af0;
    										__eflags = __eax;
    										if(__eflags == 0) {
    											__eax = 0;
    											__edi = 0;
    											 *0x1074af6 = __ax;
    											__edi = 1;
    										}
    										__ecx = 0x2d;
    										__esi = E0103BB90(__ebx, __ecx, __edi, __esi, __eflags);
    										__eax = 0x2f;
    										__eflags = __edi;
    										if(__edi != 0) {
    											 *0x1074af0 = __ax;
    											__eax = 0x3f;
    											 *0x1074af2 = __ax;
    											__eax = 0;
    											 *0x1074af4 = __ax;
    										} else {
    											__ecx = 0;
    											__eflags = 0;
    											__eax = E0103CC70(0);
    										}
    										__eax = 0x2f;
    										_v28 = __ax;
    										__edx =  &_v28;
    										__eax = 0;
    										__edi = 0x1074af0;
    										_push(2);
    										__ecx = 0x1074af0;
    										_v26 = __ax;
    										__eax = E0103BC30(0x1074af0,  &_v28);
    										_push(__ebx);
    										__edx = __eax;
    										__ecx = 0x2d;
    										__eax = E0103A800(0x1074af0, __edx);
    										__eflags = __al;
    										if(__al != 0) {
    											 *__esi = 0x3c;
    											 *(__esi + 0x38) = __ebx;
    											goto L65;
    										} else {
    											__edx = 0;
    											__ecx = 0;
    											__eax =  *0x10665cc;
    											__eflags =  *( *0x10665cc) - __bx;
    											if( *( *0x10665cc) == __bx) {
    												L65:
    												__ecx = _v8;
    												__eax = __esi;
    												_pop(__edi);
    												_pop(__esi);
    												__ecx = _v8 ^ __ebp;
    												__eflags = __ecx;
    												_pop(__ebx);
    												__eax = E01046B30(__esi, __ebx, __ecx, __edx, __edi, __esi);
    												__esp = __ebp;
    												_pop(__ebp);
    												return __eax;
    											} else {
    												__ecx = 0x20;
    												__eax = E0103CC70(0);
    												__eflags = __eax - 0x4000;
    												if(__eax != 0x4000) {
    													__edx = 0;
    													__ecx = 0;
    													__eax = E0103CF10(__eax, 0, 0, __ebx);
    													goto L65;
    												} else {
    													__eax =  *0x10666fc;
    													__ecx =  *0x10666fc +  *0x10666fc;
    													__eax = E0103DCD0( *0x10666fc +  *0x10666fc);
    													__eflags = __eax;
    													if(__eax == 0) {
    														__eax = E01059922();
    														__imp__longjmp(0x1070a30, 1);
    														asm("int3");
    														__eflags = __esi;
    														if(__esi != 0) {
    															__eax = 0;
    															 *__ebx = __ax;
    														}
    														_pop(__edi);
    														_pop(__esi);
    														__eax = __ebx;
    														_pop(__ebx);
    														return __ebx;
    													} else {
    														__edx =  *0x10666fc;
    														__ecx = __eax;
    														 *(__esi + 0x3c) = __eax;
    														__eax = E0103F3A0(__eax, __edx, 0x1074af0);
    														goto L65;
    													}
    												}
    											}
    										}
    									} else {
    										__imp___wcsicmp(L"REM/?", 0x1074af0);
    										__esp = __esp + 8;
    										__eflags = __eax;
    										if(__eax == 0) {
    											goto L109;
    										} else {
    											_pop(__esi);
    											_push(__ebp);
    											__ebp = __esp;
    											__esp = __esp - 0x14;
    											_push(__ebx);
    											_push(__esi);
    											__eax =  &_v16;
    											_v16 = 0;
    											_push(__edi);
    											__ecx = 0;
    											__eflags = 0;
    											_v12 =  &_v16;
    											__ebx = E0103BB90(__ebx, 0, __edi, __esi, 0);
    											_v20 = __ebx;
    											while(1) {
    												__ecx =  *0x10665cc;
    												__eflags =  *( *0x10665cc);
    												if( *( *0x10665cc) == 0) {
    													break;
    												}
    												__ecx = 1;
    												__eax = E0103CC70(1);
    												__eflags = __eax - 0x4000;
    												if(__eax == 0x4000) {
    													__ecx =  *(__ebx + 0x3c);
    													__edi =  *0x10666fc;
    													__eflags = __ecx;
    													if(__ecx != 0) {
    														__edx = __ecx + 2;
    														do {
    															__ax =  *__ecx;
    															__ecx = __ecx + 2;
    															__eflags = __ax;
    														} while (__ax != 0);
    														__ecx = __ecx - __edx;
    														__edi = __edi + __ecx;
    													}
    													__ecx = __edi + __edi;
    													__esi = E0103DCD0(__edi + __edi);
    													_v8 = __esi;
    													__eflags = __esi;
    													if(__esi == 0) {
    														__eax = E01059922();
    														__imp__longjmp(0x1070a30, 1);
    														asm("int3");
    														__eflags =  *0x1066700;
    														if( *0x1066700 != 0) {
    															__eax = E01058959(__eax, __ecx);
    														}
    														__eax = 0;
    														__eflags = 0;
    														__eflags =  *0x107905a;
    														 *0x1066790 = 0;
    														if( *0x107905a != 0) {
    															__edx = 0;
    															__ecx = __esi;
    															__eax = E01058791(__esi, 0);
    														}
    														__eax = __esi;
    														_pop(__edi);
    														_pop(__esi);
    														_pop(__ebx);
    														__esp = __ebp;
    														_pop(__ebp);
    														return __eax;
    													} else {
    														__ecx =  *(__ebx + 0x3c);
    														__eflags = __ecx;
    														if(__ecx != 0) {
    															__edx = __edi;
    															__ecx = __esi;
    															__eax = E0103F3A0(__esi, __edi, __esi);
    														}
    														__eax = 0;
    														__eflags = __edi;
    														if(__edi == 0) {
    															L199:
    															__eax = 0x80070057;
    														} else {
    															__eflags = __edi - 0x7fffffff;
    															if(__edi > 0x7fffffff) {
    																goto L199;
    															}
    														}
    														__eflags = __eax;
    														if(__eax < 0) {
    															L202:
    															__edx = 0;
    														} else {
    															__eax = 0;
    															__ecx = __edi;
    															__edx = __esi;
    															__eflags = __edi;
    															if(__edi == 0) {
    																L201:
    																__eax = 0x80070057;
    																goto L202;
    															} else {
    																while(1) {
    																	__eflags =  *__edx - __ax;
    																	if( *__edx == __ax) {
    																		break;
    																	}
    																	__edx = __edx + 2;
    																	__ecx = __ecx - 1;
    																	__eflags = __ecx;
    																	if(__ecx != 0) {
    																		continue;
    																	} else {
    																		goto L201;
    																	}
    																	goto L85;
    																}
    																__eflags = __ecx;
    																if(__ecx == 0) {
    																	goto L201;
    																} else {
    																	__edx = __edi;
    																	__edx = __edi - __ecx;
    																	__eflags = __edx;
    																}
    															}
    														}
    														L85:
    														__eflags = __eax;
    														if(__eax >= 0) {
    															__eax = _v8;
    															__esi = __edi;
    															__eax = _v8 + __edx * 2;
    															__esi = __edi - __edx;
    															__eflags = __esi;
    															if(__esi == 0) {
    																L91:
    																__eax = __eax - 2;
    															} else {
    																__ecx = __esi;
    																__edx = __edx + 0x7ffffffe;
    																__ecx = __esi - __edi;
    																__edi = 0x1074af0;
    																__edx = __edx + __ecx;
    																__edi = 0x1074af0 - __eax;
    																__eflags = 0x1074af0;
    																while(1) {
    																	__eflags = __edx;
    																	if(__edx == 0) {
    																		break;
    																	}
    																	__ecx =  *(__edi + __eax) & 0x0000ffff;
    																	__eflags = __cx;
    																	if(__cx == 0) {
    																		break;
    																	} else {
    																		 *__eax = __cx;
    																		__edx = __edx - 1;
    																		__eax = __eax + 2;
    																		__esi = __esi - 1;
    																		__eflags = __esi;
    																		if(__esi != 0) {
    																			continue;
    																		} else {
    																			goto L91;
    																		}
    																	}
    																	goto L93;
    																}
    																__eflags = __esi;
    																if(__esi == 0) {
    																	goto L91;
    																}
    															}
    															L93:
    															__esi = _v8;
    															__ecx = 0;
    															__eflags = 0;
    															 *__eax = __cx;
    														}
    														 *(__ebx + 0x3c) = __esi;
    														continue;
    													}
    												} else {
    													__esi = _v12;
    													__ecx = __esi;
    													__eax = E0103DED0(__ebx, __esi, __edi, __esi);
    													__eflags = __eax;
    													if(__eax != 0) {
    														__eax =  *__esi;
    														do {
    															_t51 = __eax + 0x14; // 0x14
    															__ebx = _t51;
    															__eax =  *__ebx;
    															_v12 = __ebx;
    															__eflags = __eax;
    														} while (__eax != 0);
    														__ebx = _v20;
    														continue;
    													} else {
    														__edx = 0;
    														__ecx = 0;
    														__eflags = 0;
    														__eax = E0103CF10(__eax, 0, 0, __eax);
    														break;
    													}
    												}
    												goto L222;
    											}
    											__eax = _v16;
    											_pop(__edi);
    											 *(__ebx + 0x34) = _v16;
    											__eax = __ebx;
    											_pop(__esi);
    											_pop(__ebx);
    											__esp = __ebp;
    											_pop(__ebp);
    											return __ebx;
    										}
    									}
    								}
    							}
    						}
    					}
    				}
    				L222:
    			}

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: _wcsicmp$iswspace
    • String ID: =,;$FOR$FOR/?$IF/?$REM$REM/?
    • API String ID: 759518647-875390083
    • Opcode ID: fd52cf8583b947cbb129c1921aedcefa51378ff4dd57b5be283dfba51ecf2cd5
    • Instruction ID: 1896d520dca0e5d7a8af4c92048a8657dc901e86815c399d9520759b5f3b4300
    • Opcode Fuzzy Hash: fd52cf8583b947cbb129c1921aedcefa51378ff4dd57b5be283dfba51ecf2cd5
    • Instruction Fuzzy Hash: ABA1F6B0744203DBE7787B69B849BBB36A8AFC4714F04443EEAC2D6580DEA6D441C759
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,$P$G,00002000,?,01078BF0,00000000,?,?,01038F0D), ref: 0103EC51
    • _wcsicmp.MSVCRT ref: 0103EC77
    • _wcsicmp.MSVCRT ref: 0103EC8D
    • _wcsicmp.MSVCRT ref: 0103ECA3
    • _wcsicmp.MSVCRT ref: 0103ECB9
    • _wcsicmp.MSVCRT ref: 0103ECCF
    • _wcsicmp.MSVCRT ref: 0103ECE5
    • _wcsicmp.MSVCRT ref: 0103ECF7
    • _wcsicmp.MSVCRT ref: 0103ED0D
      • Part of subcall function 01039310: GetSystemTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,$P$G,?,00002000), ref: 01039342
      • Part of subcall function 01039310: SystemTimeToFileTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 01039356
      • Part of subcall function 01039310: FileTimeToLocalFileTime.API-MS-WIN-CORE-FILE-L1-1-0(?,?), ref: 0103936A
      • Part of subcall function 01039310: FileTimeToSystemTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 0103937E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: _wcsicmp$Time$File$System$EnvironmentLocalVariable
    • String ID: $P$G$CMDCMDLINE$CMDEXTVERSION$DATE$ERRORLEVEL$HIGHESTNUMANODENUMBER$RANDOM$TIME
    • API String ID: 2447294730-3447537567
    • Opcode ID: 34aecc791e896d8d0c6871d9b751928833ea78631c887973e840464c8edec2b9
    • Instruction ID: bd4cb05e291b01c937458dee0aab695d568f62ade394dd70cda9de172c6f2fe7
    • Opcode Fuzzy Hash: 34aecc791e896d8d0c6871d9b751928833ea78631c887973e840464c8edec2b9
    • Instruction Fuzzy Hash: 6C31FF32708302EBF714262AEC1DB6F3B9DEBC6125B1C451DF5C6E50C4EF6A90018765
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 56%
    			E01059C2E(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
    				signed int _v12;
    				long _v44;
    				char _v45;
    				char _v46;
    				long _v52;
    				long _v56;
    				long _v60;
    				long _v64;
    				long _v68;
    				intOrPtr _v72;
    				intOrPtr _v76;
    				char _v80;
    				void* _v84;
    				void* _v88;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t52;
    				void* _t55;
    				intOrPtr _t59;
    				void* _t71;
    				void* _t74;
    				signed int _t81;
    				signed int _t101;
    				void _t102;
    				void* _t106;
    				char _t109;
    				void* _t110;
    				void* _t111;
    				signed int* _t116;
    				intOrPtr* _t117;
    				void* _t134;
    				void* _t142;
    				intOrPtr _t145;
    				void* _t146;
    				void* _t147;
    				wchar_t* _t148;
    				signed int _t150;
    				void* _t151;
    				void* _t154;
    				void* _t156;
    				intOrPtr _t157;
    				void* _t158;
    				void* _t159;
    				long _t160;
    				long _t161;
    				void* _t162;
    				intOrPtr _t163;
    				signed int _t164;
    				void* _t165;
    
    				_t114 = __ecx;
    				_t52 =  *0x105e0b4; // 0x6030efd1
    				_v12 = _t52 ^ _t164;
    				_v76 = __ecx;
    				_v72 = __edx;
    				_v60 = 0;
    				_v56 = 0;
    				_v45 = 0;
    				_v46 = 0;
    				_t145 = _a4;
    				if(__edx != 0x400023d3) {
    					L5:
    					_push(_t145);
    					_t55 = E0104640A(_t114);
    					_t110 = 2;
    					_t146 = _t55;
    					_t142 = 0x10;
    					if(_t146 == 0) {
    						L10:
    						_t116 =  &_v44;
    						_t154 = L"NY" - _t116;
    						while(1) {
    							_t14 = _t142 + 0x7fffffee; // 0x7ffffffe
    							if(_t14 == 0) {
    								break;
    							}
    							_t101 =  *(_t154 + _t116) & 0x0000ffff;
    							if(_t101 == 0) {
    								break;
    							}
    							 *_t116 = _t101;
    							_t116 = _t116 + _t110;
    							_t142 = _t142 - 1;
    							if(_t142 != 0) {
    								continue;
    							}
    							break;
    						}
    						if(_t142 == 0) {
    							_t116 = _t116 - _t110;
    						}
    						 *_t116 = 0;
    						goto L17;
    					} else {
    						_t134 = _t146;
    						_t9 = _t134 + 2; // 0x2
    						_t162 = _t9;
    						do {
    							_t102 =  *_t134;
    							_t134 = _t134 + _t110;
    						} while (_t102 != _v60);
    						if(_t134 - _t162 >> 1 >= _t142) {
    							goto L10;
    						}
    						E0103F3A0( &_v44, _t142, _t146);
    						__imp___wcsupr( &_v44);
    						L17:
    						_t117 =  &_v44;
    						_t143 = _t117 + 2;
    						do {
    							_t59 =  *_t117;
    							_t117 = _t117 + _t110;
    						} while (_t59 != 0);
    						_t119 = _t117 - _t143 >> 1;
    						_v60 = (_t117 - _t143 >> 1) - 1;
    						LocalFree(_t146);
    						_t111 = GetStdHandle(0xfffffff5);
    						_v88 = _t111;
    						if(GetConsoleMode(_t111,  &_v64) != 0) {
    							_v45 = 1;
    							SetConsoleMode(_t111, _v64 | 0x00000001);
    						}
    						_t156 = GetStdHandle(0xfffffff6);
    						_v84 = _t156;
    						if(GetConsoleMode(_t156,  &_v68) != 0) {
    							_t119 = _v68 | 0x00000007;
    							SetConsoleMode(_t156, _v68 | 0x00000007);
    							_t161 =  *0x10625b4;
    							if(_t161 != 0) {
    								_t119 = _t161;
    								 *0x107a4c4(L"<noalias>");
    								 *_t161();
    							}
    						}
    						_t157 = _v72;
    						goto L26;
    						do {
    							do {
    								L26:
    								_t109 = 1;
    								_v52 = 0;
    								_t69 = _v76;
    								_t147 = 0xa;
    								if(_v76 == 0) {
    									_push(0);
    									_push(_t157);
    									_t71 = E010363BD(_t119);
    								} else {
    									_t71 = E010363BD(_t119, _t157, 1, _t69);
    									_t165 = _t165 + 0xc;
    								}
    								if(E0103DD98(_t71) != 0) {
    									FlushConsoleInputBuffer(GetStdHandle(0xfffffff6));
    								}
    								while(_v52 != _t147) {
    									_t74 = GetStdHandle(0xfffffff6);
    									_t143 =  &_v52;
    									if(E01054799(_t74,  &_v52, 1,  &_v80) == 0 || _v80 != 1) {
    										_v56 = _v44 & 0x0000ffff;
    										E01039950(L"\r\n");
    										goto L41;
    									} else {
    										if(_t109 != 0) {
    											_v56 = towupper(_v52) & 0x0000ffff;
    										}
    										_t109 = 0;
    										if(E0103DD98(0) == 0 || ( *0x106671c & 0x00000001) == 0) {
    											_push(_v52 & 0x0000ffff);
    											E01039950(L"%c");
    										}
    										continue;
    									}
    								}
    								L41:
    								_t148 = wcschr( &_v44, _v56);
    								_pop(_t119);
    							} while (_t148 == 0);
    							_t150 = _t148 -  &_v44 >> 1;
    						} while (_t150 > _v60);
    						_t158 = _v84;
    						if(_v45 != 0) {
    							SetConsoleMode(_v88, _v64);
    						}
    						if(_t109 != 0) {
    							SetConsoleMode(_t158, _v68);
    							_t160 =  *0x10625b4;
    							if(_t160 != 0) {
    								 *0x107a4c4(L"CMD.EXE");
    								 *_t160();
    							}
    						}
    						_t81 = _t150;
    						L49:
    						_pop(_t151);
    						_pop(_t159);
    						return E01046B30(_t81, _t109, _v12 ^ _t164, _t143, _t151, _t159);
    					}
    				}
    				_t163 = E0104654B(__ecx, 0, __ecx, __ecx);
    				if(_t163 == 0xffffffff) {
    					goto L5;
    				}
    				_t106 = E0103DD98(_t105);
    				_t114 = _t163;
    				if(_t106 == 0) {
    					E0103A16C(_t114);
    					goto L5;
    				} else {
    					E0103A16C(_t114);
    					_t81 = 2;
    					goto L49;
    				}
    			}

    APIs
    • _wcsupr.MSVCRT ref: 01059CC8
    • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,00000000,?), ref: 01059D22
    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5), ref: 01059D2A
    • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 01059D3A
    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 01059D50
    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6), ref: 01059D58
    • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 01059D68
    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 01059D7C
    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6), ref: 01059DDB
    • FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000), ref: 01059DE2
    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,00000001,?), ref: 01059DF2
    • towupper.MSVCRT ref: 01059E13
      • Part of subcall function 0103A16C: _close.MSVCRT ref: 0103A19B
    • wcschr.MSVCRT ref: 01059E6A
    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?), ref: 01059E9B
    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?), ref: 01059EA9
      • Part of subcall function 0103DD98: _get_osfhandle.MSVCRT ref: 0103DDA3
      • Part of subcall function 0103DD98: GetFileType.KERNELBASE(00000000,0104C050), ref: 0103DDAD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: Console$Mode$Handle$BufferFileFlushFreeInputLocalType_close_get_osfhandle_wcsuprtowupperwcschr
    • String ID: <noalias>$CMD.EXE
    • API String ID: 2015057810-1690691951
    • Opcode ID: 9f8ffad889c36cf203357cea6718c2f0c5d3992853be7cdb67ad0abe32ed4d09
    • Instruction ID: 35969c4875bfe5e6f42b8a2b991251ff755ca799a9096475084ca91271decd33
    • Opcode Fuzzy Hash: 9f8ffad889c36cf203357cea6718c2f0c5d3992853be7cdb67ad0abe32ed4d09
    • Instruction Fuzzy Hash: E681F572E00219DBDF65ABB8D8489EFBBF9AF45714F084159FC82E7184EB369841C760
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 23%
    			E01052859(signed short* __ecx, signed int __edx, intOrPtr* _a4) {
    				signed int _v8;
    				short _v520;
    				char* _v524;
    				signed int _v528;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t39;
    				intOrPtr _t45;
    				signed short* _t50;
    				void* _t53;
    				void* _t54;
    				signed short* _t58;
    				void* _t59;
    				void* _t60;
    				signed short* _t65;
    				void* _t74;
    				intOrPtr* _t75;
    				void* _t76;
    				intOrPtr* _t77;
    				signed int _t78;
    				void* _t79;
    				void* _t80;
    				void* _t81;
    				void* _t82;
    
    				_t73 = __edx;
    				_t39 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t39 ^ _t78;
    				_t65 = __ecx;
    				_v528 = __edx;
    				_t77 = _a4;
    				if(__edx == 0 || __ecx == 0) {
    					L31:
    					return E01046B30(0, _t65, _v8 ^ _t78, _t73, _t74, _t77);
    				} else {
    					_push(_t74);
    					_t75 =  *0x107906c;
    					 *__ecx = 0;
    					if(_t75 == 0 ||  *0x1079071 == 0) {
    						L5:
    						_v524 = 0x103334c;
    						_t45 =  *_t77;
    						if(_t45 == 0) {
    							_v524 = "Exception";
    						} else {
    							_t59 = _t45 - 1;
    							if(_t59 == 0) {
    								_v524 = "ReturnHr";
    							} else {
    								_t60 = _t59 - 1;
    								if(_t60 == 0) {
    									_v524 = "LogHr";
    								} else {
    									if(_t60 == 1) {
    										_v524 = "FailFast";
    									}
    								}
    							}
    						}
    						_v520 = 0;
    						FormatMessageW(0x1200, 0,  *(_t77 + 4), 0x400,  &_v520, 0x100, 0);
    						_push( *((intOrPtr*)(_t77 + 0x48)));
    						_push( *((intOrPtr*)(_t77 + 0x44)));
    						_t76 = _t65 + _v528 * 2;
    						if( *((intOrPtr*)(_t77 + 0x1c)) == 0) {
    							_push( &M010333A0);
    							_push(_t76);
    							_push(_t65);
    							_t50 = E01053067();
    							_t80 = _t79 + 0x14;
    						} else {
    							_push( *((intOrPtr*)(_t77 + 0x20)));
    							_t50 = E01053067(_t65, _t76, L"%hs(%u)\\%hs!%p: ",  *((intOrPtr*)(_t77 + 0x1c)));
    							_t80 = _t79 + 0x1c;
    						}
    						_t65 = _t50;
    						if( *((intOrPtr*)(_t77 + 0x4c)) != 0) {
    							_t58 = E01053067(_t65, _t76, L"(caller: %p) ",  *((intOrPtr*)(_t77 + 0x4c)));
    							_t80 = _t80 + 0x10;
    							_t65 = _t58;
    						}
    						_push( &_v520);
    						_push( *(_t77 + 4));
    						_push(GetCurrentThreadId());
    						_push( *((intOrPtr*)(_t77 + 0x24)));
    						_t53 = E01053067(_t65, _t76, L"%hs(%d) tid(%x) %08X %ws", _v524);
    						_t81 = _t80 + 0x20;
    						if( *((intOrPtr*)(_t77 + 0xc)) != 0 ||  *((intOrPtr*)(_t77 + 0x28)) != 0 ||  *((intOrPtr*)(_t77 + 0x18)) != 0) {
    							_push(L"    ");
    							_push(_t76);
    							_push(_t53);
    							_t54 = E01053067();
    							_t82 = _t81 + 0xc;
    							if( *((intOrPtr*)(_t77 + 0xc)) != 0) {
    								_t54 = E01053067(_t54, _t76, L"Msg:[%ws] ",  *((intOrPtr*)(_t77 + 0xc)));
    								_t82 = _t82 + 0x10;
    							}
    							if( *((intOrPtr*)(_t77 + 0x28)) != 0) {
    								_t54 = E01053067(_t54, _t76, L"CallContext:[%hs] ",  *((intOrPtr*)(_t77 + 0x28)));
    								_t82 = _t82 + 0x10;
    							}
    							if( *((intOrPtr*)(_t77 + 0x14)) == 0) {
    								if( *((intOrPtr*)(_t77 + 0x18)) == 0) {
    									_push("\n");
    									_push(_t76);
    									_push(_t54);
    									E01053067();
    								} else {
    									E01053067(_t54, _t76, L"[%hs]\n",  *((intOrPtr*)(_t77 + 0x18)));
    								}
    							} else {
    								_push( *((intOrPtr*)(_t77 + 0x14)));
    								E01053067(_t54, _t76, L"[%hs(%hs)]\n",  *((intOrPtr*)(_t77 + 0x18)));
    							}
    						}
    						goto L30;
    					} else {
    						 *0x107a4c4(_t77, __ecx, __edx);
    						 *_t75();
    						if(( *__ecx & 0x0000ffff) != 0) {
    							L30:
    							_pop(_t74);
    							goto L31;
    						}
    						goto L5;
    					}
    				}
    			}





























    APIs
    • FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001200,00000000,?,00000400,?,00000100,00000000,?,?,?), ref: 01052931
    • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?), ref: 01052998
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: CurrentFormatMessageThread
    • String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%u)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$Msg:[%ws] $ReturnHr$[%hs(%hs)]$[%hs]
    • API String ID: 2411632146-3173542853
    • Opcode ID: 4b67c9944f82506408735ad5013043a97e6b78bbeb079aad305709a648487fdf
    • Instruction ID: 4454fac569b2e511bfecd42e6eb9dcdc9378834a5b9cd6453552e01fe0d45ec1
    • Opcode Fuzzy Hash: 4b67c9944f82506408735ad5013043a97e6b78bbeb079aad305709a648487fdf
    • Instruction Fuzzy Hash: 20511571900304EBEBB15B698C49E7BBBFCFF94700F04859CFAC5AA211DA369590CB61
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 20%
    			E01040590(long __ecx, signed int __edx) {
    				void _v8;
    				long _v12;
    				long _v16;
    				long _v20;
    				signed int _v24;
    				long _v28;
    				struct _SECURITY_ATTRIBUTES _v40;
    				int _t34;
    				long _t37;
    				void* _t41;
    				signed int _t49;
    				signed char _t63;
    				void* _t66;
    				signed int _t70;
    				long _t74;
    				void* _t75;
    				signed int _t76;
    				void* _t77;
    				void* _t78;
    
    				_t64 = __ecx;
    				_t74 = 3;
    				_v20 = __ecx;
    				_t63 = __edx;
    				_v16 = 3;
    				_t70 = __edx & 0x00000003;
    				_v40.bInheritHandle = 1;
    				_v40.lpSecurityDescriptor = 0;
    				_v40.nLength = 0xc;
    				if(_t70 > 2) {
    					L2:
    					return _t34 | 0xffffffff;
    				} else {
    					_t34 = __edx & 0x00000009;
    					if(_t34 != 9) {
    						if(_t70 != 0) {
    							_t76 = 0x40000000;
    							__imp___wcsicmp(__ecx, L"con");
    							_t78 = _t78 + 8;
    							if(_t34 != 0) {
    								_t74 = 1;
    								_v16 = 1;
    							}
    							_t64 = _v20;
    							_t37 = 2;
    						} else {
    							_t76 = 0x80000000;
    							_t37 = 3;
    						}
    						_push(0);
    						_push(0x80);
    						if(_t63 == 0x10a) {
    							_t41 = CreateFileW(_t64, _t76 | 0x80000000, _t74,  &_v40, 3, ??, ??);
    							_t75 = _t41;
    							if(_t75 != 0xffffffff) {
    								goto L8;
    							} else {
    								_push(0);
    								_push(0x80);
    								_push(4);
    								_push( &_v40);
    								_push(_v16);
    								_push(_t76);
    								_push(_v20);
    								goto L7;
    							}
    						} else {
    							_push(_t37);
    							_push( &_v40);
    							_push(_t74);
    							_push(_t76);
    							_push(_t64);
    							L7:
    							_t41 = CreateFileW();
    							_t75 = _t41;
    							if(_t75 == 0xffffffff) {
    								_t34 = GetLastError();
    								 *0x10667a8 = _t34;
    								if(_t34 == 0x6e) {
    									 *0x10667a8 = 2;
    								}
    								goto L2;
    							} else {
    								L8:
    								__imp___open_osfhandle(_t75, 8);
    								_t77 = _t41;
    								if((_t63 & 0x00000008) != 0) {
    									if(E0103DD98(_t41) != 0) {
    										goto L9;
    									} else {
    										_t49 = GetFileSize(_t75,  &_v20);
    										_v24 = _t49;
    										if((_t49 | _v20) == 0) {
    											goto L9;
    										} else {
    											_v12 = 0xffffffff;
    											_v8 = 0;
    											if(SetFilePointer(_t75, 0xffffffff,  &_v12, 2) == 0xffffffff) {
    												_t34 = GetLastError();
    												 *0x10667a8 = _t34;
    												if(_t34 == 0) {
    													goto L21;
    												} else {
    													if(_t77 == 0xffffffff) {
    														_t34 = CloseHandle(_t75);
    													} else {
    														__imp___close(_t77);
    													}
    													goto L2;
    												}
    											} else {
    												L21:
    												if(ReadFile(_t75,  &_v8, 1,  &_v28, 0) == 0) {
    													_v12 = 0;
    													SetFilePointer(_t75, 0,  &_v12, 2);
    												}
    												if(_v8 == 0x1a) {
    													_v12 = 0xffffffff;
    													SetFilePointer(_t75, 0xffffffff,  &_v12, 2);
    												}
    												goto L9;
    											}
    										}
    									}
    								} else {
    									L9:
    									_t9 = _t77 - 3; // -3
    									_t66 = 0;
    									if(_t9 <= 0x5b) {
    										if(_t77 > 0x1f) {
    											_t33 = _t77 - 0x20; // -32
    											_t66 = (_t33 >> 5) + 1;
    										}
    										asm("bts eax, edx");
    									}
    									return _t77;
    								}
    							}
    						}
    					} else {
    						goto L2;
    					}
    				}
    			}























    APIs
    • CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,40000000,0104B7DB,0000000C,00000004,00000080,00000000), ref: 010405FF
    • _open_osfhandle.MSVCRT ref: 01040613
    • _wcsicmp.MSVCRT ref: 01040663
    • CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,40000000,00000003,0000000C,00000003,00000080,00000000,?,?), ref: 01040695
    • GetFileSize.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?), ref: 010406D3
    • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,000000FF,FFFFFFFF,00000002), ref: 010406FB
    • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,00000001,?,00000000), ref: 01040717
    • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,000000FF,FFFFFFFF,00000002), ref: 0104E89D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: File$CreatePointer$ReadSize_open_osfhandle_wcsicmp
    • String ID: con
    • API String ID: 58404892-4257191772
    • Opcode ID: 81e8ad248d28949a2fbe38b92a6c491970daec0b9a4446fe8a2a6ef17ff9f494
    • Instruction ID: 593ca0d71e5a64e1a623b416a9b44991e2f7c4aee7dada4ebc71abb918fd9f02
    • Opcode Fuzzy Hash: 81e8ad248d28949a2fbe38b92a6c491970daec0b9a4446fe8a2a6ef17ff9f494
    • Instruction Fuzzy Hash: C051C9B0A00204EBEB219B58DC89BEE76F8FB45720F144279FA95F31C4D77A890187A1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 37%
    			E0105C5F2(void* __ecx, char __edx, char _a4) {
    				signed int _v8;
    				long _v20;
    				char _v24;
    				WCHAR* _v28;
    				void _v548;
    				int _v556;
    				char _v560;
    				WCHAR* _v564;
    				void _v1084;
    				char _v1085;
    				long _v1092;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t43;
    				WCHAR* _t57;
    				WCHAR* _t58;
    				void* _t67;
    				WCHAR* _t68;
    				int _t69;
    				WCHAR* _t70;
    				void* _t73;
    				void* _t74;
    				void* _t75;
    				WCHAR* _t77;
    				WCHAR* _t85;
    				void* _t94;
    				signed int _t95;
    
    				_t92 = __edx;
    				_t43 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t43 ^ _t95;
    				_v1085 = __edx;
    				_v20 = 0x104;
    				_v28 = 0;
    				_t77 = 1;
    				_t94 = __ecx;
    				_v24 = 1;
    				memset( &_v548, 0, 0x104);
    				_v564 = 0;
    				_v560 = 1;
    				_v556 = 0x104;
    				memset( &_v1084, 0, 0x104);
    				if(E0103E3F0(((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) >= 0 && E0103E3F0(((0 | _v560 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) >= 0) {
    					_t67 = _v564;
    					if(_t67 == 0) {
    						_t67 =  &_v1084;
    					}
    					__imp__GetVolumePathNameW(_t94, _t67, _v556);
    					if(_t67 != 0) {
    						_t68 = _v564;
    						if(_t68 == 0) {
    							_t68 =  &_v1084;
    						}
    						_t69 = GetDriveTypeW(_t68);
    						if(_t69 == 0 || _t69 == 4) {
    							L25:
    							_t77 = 0;
    						} else {
    							_t70 = _v28;
    							if(_t70 == 0) {
    								_t70 =  &_v548;
    							}
    							_t85 = _v564;
    							if(_t85 == 0) {
    								_t85 =  &_v1084;
    							}
    							if(GetVolumeInformationW(_t85, 0, 0, 0,  &_v1092,  &_v1092, _t70, _v20) != 0) {
    								_t73 = _v28;
    								if(_t73 == 0) {
    									_t73 =  &_v548;
    								}
    								__imp___wcsicmp(_t73, L"NTFS");
    								if(_t73 != 0) {
    									if(_a4 == 0) {
    										L21:
    										if(_v1085 == 0) {
    											goto L25;
    										} else {
    											_t74 = _v28;
    											if(_t74 == 0) {
    												_t74 =  &_v548;
    											}
    											__imp___wcsicmp(_t74, L"CSVFS");
    											if(_t74 != 0) {
    												goto L25;
    											}
    										}
    									} else {
    										_t75 = _v28;
    										if(_t75 == 0) {
    											_t75 =  &_v548;
    										}
    										__imp___wcsicmp(_t75, L"REFS");
    										if(_t75 != 0) {
    											goto L21;
    										}
    									}
    								}
    							}
    						}
    					}
    				}
    				_t57 = _v564;
    				_v564 = 0;
    				if(_t57 != 0) {
    					__imp__??_V@YAXPAX@Z(_t57);
    				}
    				_t58 = _v28;
    				_v28 = 0;
    				if(_t58 != 0) {
    					__imp__??_V@YAXPAX@Z(_t58);
    				}
    				return E01046B30(_t77, _t77, _v8 ^ _t95, _t92, 0, _t94);
    			}
































    APIs
    • memset.MSVCRT ref: 0105C62E
    • memset.MSVCRT ref: 0105C656
      • Part of subcall function 0103E3F0: memset.MSVCRT ref: 0103E455
    • GetVolumePathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,-00000105,-00000105,?,?,?,00000001,00000000,00000000), ref: 0105C6C7
    • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,00000001,00000000,00000000), ref: 0105C6E6
    • GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000000,00000000,?,?,?,00000001,?,?,?,00000001,00000000,00000000), ref: 0105C72A
    • _wcsicmp.MSVCRT ref: 0105C747
    • _wcsicmp.MSVCRT ref: 0105C76C
    • _wcsicmp.MSVCRT ref: 0105C794
    • ??_V@YAXPAX@Z.MSVCRT ref: 0105C7B3
    • ??_V@YAXPAX@Z.MSVCRT ref: 0105C7C5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: _wcsicmpmemset$Volume$DriveInformationNamePathType
    • String ID: CSVFS$NTFS$REFS
    • API String ID: 3510147486-2605508654
    • Opcode ID: f9f7e075452c9b9e2e4d6321bde0cb70bfbc06c5abcc70b91c4f389bb002f88e
    • Instruction ID: f83026b30492433e38bf36b41934c8a2dc6be213c7ce4e5633d7c66ae16036a7
    • Opcode Fuzzy Hash: f9f7e075452c9b9e2e4d6321bde0cb70bfbc06c5abcc70b91c4f389bb002f88e
    • Instruction Fuzzy Hash: 815122B1A003599BEB61DA69DD88ADFBBFCFB45344F040099EA45E3140EB34DA84CB64
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 15%
    			E01039789(intOrPtr* __ecx) {
    				intOrPtr _v8;
    				signed int _v16;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				intOrPtr _t21;
    				signed int _t23;
    				signed int _t24;
    				signed int _t25;
    				void* _t27;
    				intOrPtr _t28;
    				char* _t33;
    				signed int _t34;
    				signed int _t36;
    				void* _t46;
    				intOrPtr _t50;
    				void* _t51;
    				intOrPtr* _t56;
    				void* _t63;
    
    				_push(_t51);
    				_t56 = __ecx;
    				_t21 = E0103A931(_t27, __ecx, _t51, __ecx);
    				_t28 = 4;
    				 *((intOrPtr*)(__ecx + 0x38)) = _t21;
    				if(E0103CC70(_t28) != 0x4000) {
    					L34();
    				}
    				_t33 = L"==";
    				_t23 = 0x1074af0;
    				while(1) {
    					_t46 =  *_t23;
    					if(_t46 !=  *_t33) {
    						break;
    					}
    					if(_t46 == 0) {
    						L6:
    						_t24 = 0;
    					} else {
    						_t50 =  *((intOrPtr*)(_t23 + 2));
    						_t3 =  &(_t33[2]); // 0x3d
    						if(_t50 !=  *_t3) {
    							break;
    						} else {
    							_t23 = _t23 + _t28;
    							_t33 =  &(_t33[_t28]);
    							if(_t50 != 0) {
    								continue;
    							} else {
    								goto L6;
    							}
    						}
    					}
    					L7:
    					if(_t24 == 0) {
    						L22:
    						_t25 = E0103A931(_t28, _t33, 0x1074af0, _t56);
    						 *(_t56 + 0x3c) = _t25;
    						goto L13;
    					} else {
    						_t34 =  *0x10666fc;
    						if(_t34 < _t28) {
    							L14:
    							if( *0x1066755 == 0) {
    								goto L33;
    							} else {
    								__imp___wcsicmp(L"EQU");
    								_t33 = 0x1074af0;
    								if(_t24 == 0) {
    									 *((intOrPtr*)(_t56 + 0x44)) = 1;
    								} else {
    									__imp___wcsicmp(L"NEQ");
    									_t33 = 0x1074af0;
    									if(_t24 == 0) {
    										 *((intOrPtr*)(_t56 + 0x44)) = 2;
    									} else {
    										__imp___wcsicmp(L"LSS");
    										_t33 = 0x1074af0;
    										if(_t24 == 0) {
    											 *((intOrPtr*)(_t56 + 0x44)) = 3;
    										} else {
    											__imp___wcsicmp(L"LEQ");
    											_t33 = 0x1074af0;
    											if(_t24 == 0) {
    												 *((intOrPtr*)(_t56 + 0x44)) = _t28;
    											} else {
    												__imp___wcsicmp(L"GTR");
    												_t33 = 0x1074af0;
    												if(_t24 != 0) {
    													__imp___wcsicmp(L"GEQ");
    													_t33 = 0x1074af0;
    													if(_t24 != 0) {
    														L34();
    													} else {
    														 *((intOrPtr*)(_t56 + 0x44)) = 6;
    													}
    												} else {
    													 *((intOrPtr*)(_t56 + 0x44)) = 5;
    												}
    											}
    										}
    									}
    								}
    								 *_t56 = 0x3a;
    								goto L22;
    							}
    						} else {
    							_t24 = 0x3d;
    							if( *0x1074af0 != _t24 ||  *0x1074af2 != _t24) {
    								goto L14;
    							} else {
    								_t34 = E0103DCD0(_t34 * 2 - 4);
    								if(_t34 == 0) {
    									_t24 = E01059922();
    									__imp__longjmp(0x1070a30, 1);
    									L33:
    									_pop(_t29);
    									_push(_t34);
    									_push(_t34);
    									_v8 =  *((intOrPtr*)(_t63 + 4));
    									_push(_t34);
    									_push(_t34);
    									_t36 = 0 |  *0x10665ec != 0x0000234a;
    									_v16 = _t36;
    									if( *0x10665ec != 3) {
    										_t24 =  *0x1074af0;
    										if(_t24 != 0xa) {
    											if(_t24 != 0) {
    												_t24 = E010378E4(_t36, 0x234a, 1, 0x1074af0);
    												goto L40;
    											}
    										} else {
    											_push(0);
    											_push(0x232a);
    											_t24 = E010378E4(_t36);
    											L40:
    											_t36 = _v16;
    										}
    									} else {
    										 *0x10665ec = 0x234a;
    									}
    									if(_t36 != 0) {
    										__imp__longjmp(0x1070ab0, 1);
    									}
    									return _t24;
    								} else {
    									 *(_t56 + 0x3c) = _t34;
    									_t25 = E0103F3A0(_t34,  *0x10666fc - 2, 0x1074af4);
    									L13:
    									return _t25;
    								}
    							}
    						}
    					}
    				}
    				asm("sbb eax, eax");
    				_t24 = _t23 | 0x00000001;
    				goto L7;
    			}























    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: _wcsicmp
    • String ID: EQU$GEQ$GTR$LEQ$LSS$NEQ
    • API String ID: 2081463915-3124875276
    • Opcode ID: 8cd71e107c6a14b546ad503a0fcd872713682eb8896fa59d34cb8ebcfb0282ab
    • Instruction ID: bb594b151c233bc37c056e4cd5eaa010472f14264b245c1a7b0ecf528af88e7d
    • Opcode Fuzzy Hash: 8cd71e107c6a14b546ad503a0fcd872713682eb8896fa59d34cb8ebcfb0282ab
    • Instruction Fuzzy Hash: 6341E135604203DAE7752B29E8997AE77EDEBD172CB18046FE5C296080EBEB9044C721
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 77%
    			E010456C4(intOrPtr* __ecx, void* __edx, intOrPtr _a4) {
    				signed int _v8;
    				void* __ebx;
    				intOrPtr _t76;
    				signed char _t81;
    				intOrPtr _t82;
    				intOrPtr _t91;
    				intOrPtr _t97;
    				char* _t98;
    				signed char _t110;
    				signed char _t126;
    				signed int _t128;
    				intOrPtr* _t180;
    				void* _t183;
    
    				_t154 = __edx;
    				_t124 = __ecx;
    				_push(__ecx);
    				_push(__ecx);
    				_t180 = __ecx;
    				_t114 = 0;
    				_t183 = __edx;
    				_v8 = 0;
    				_t76 =  *__ecx;
    				if(_t76 > 0x37) {
    					__eflags = _t76 - 0x38;
    					if(__eflags == 0) {
    						E01045726(0, __edx, _a4,  *((intOrPtr*)(__ecx + 0x38)), 1);
    						L77:
    						_t126 =  *(_t180 + 0x3c);
    						L78:
    						E010456C4(_t126, _t183, _a4);
    						L7:
    						return 0;
    					}
    					if(__eflags <= 0) {
    						L12:
    						__imp__longjmp(0x1070a70, 0xffffffff);
    						L13:
    						E01045726(1, _t183, _a4,  *((intOrPtr*)(_t180 + 0x38)), 1);
    						_t81 =  *(_t180 + 0x3c);
    						_t128 = 0;
    						__eflags =  *_t81 - 0x38;
    						if( *_t81 == 0x38) {
    							_t82 =  *((intOrPtr*)(_t81 + 0x3c));
    							__eflags =  *((intOrPtr*)(_t82 + 0x40)) - 2;
    							_t81 =  *(_t180 + 0x3c);
    							if( *((intOrPtr*)(_t82 + 0x40)) == 2) {
    								_t128 = L"/I";
    							}
    						} else {
    							asm("sbb ecx, ecx");
    							_t128 =  !( ~( *((intOrPtr*)(_t81 + 0x40)) - 2)) & L"/I";
    						}
    						__eflags = _t128;
    						if(_t128 != 0) {
    							E01045726(1, _t183, _a4, _t128, 1);
    							_t81 =  *(_t180 + 0x3c);
    						}
    						E010456C4(_t81, _t183, _a4);
    						E010456C4( *(_t180 + 0x40), _t183, _a4);
    						__eflags =  *(_t180 + 0x48);
    						if( *(_t180 + 0x48) == 0) {
    							goto L7;
    						} else {
    							E01045726(1, _t183, _a4,  *((intOrPtr*)(_t180 + 0x44)), 1);
    							_t126 =  *(_t180 + 0x48);
    							goto L78;
    						}
    					}
    					__eflags = _t76 - 0x3a;
    					if(_t76 <= 0x3a) {
    						_v8 = 0x10338a0;
    						__eflags =  *0x1066755;
    						if( *0x1066755 != 0) {
    							_t91 =  *((intOrPtr*)(__ecx + 0x44));
    							__eflags = _t91 - 1;
    							if(_t91 != 1) {
    								__eflags = _t91 - 2;
    								if(_t91 != 2) {
    									__eflags = _t91 - 3;
    									if(_t91 != 3) {
    										__eflags = _t91 - 4;
    										if(_t91 != 4) {
    											__eflags = _t91 - 5;
    											if(_t91 != 5) {
    												__eflags = _t91 - 6;
    												if(_t91 == 6) {
    													_v8 = L"GEQ ";
    												}
    											} else {
    												_v8 = L"GTR ";
    											}
    										} else {
    											_v8 = L"LEQ ";
    										}
    									} else {
    										_v8 = L"LSS ";
    									}
    								} else {
    									_v8 = L"NEQ ";
    								}
    							} else {
    								_v8 = L"EQU ";
    							}
    						}
    						E01045726(1, _t183, _a4,  *((intOrPtr*)(_t180 + 0x38)), 1);
    						_t114 = 0;
    						_push(0);
    						_push(_v8);
    						L4:
    						E01045726(_t114, _t183, _a4);
    						if( *(_t180 + 0x3c) != _t114) {
    							E01045726(_t114, _t183, _a4,  *(_t180 + 0x3c), _t114);
    						}
    						E010457C9(_t180, _t183, _a4);
    						goto L7;
    					}
    					__eflags = _t76 - 0x3b;
    					if(_t76 == 0x3b) {
    						L46:
    						E010457C9(_t124, _t154, _a4);
    						__eflags =  *_t180 - 0x2e;
    						if( *_t180 >= 0x2e) {
    							__eflags =  *_t180 - 0x2f;
    							if( *_t180 <= 0x2f) {
    								_v8 = "&";
    							} else {
    								__eflags =  *_t180 - 0x30;
    								if( *_t180 == 0x30) {
    									_v8 = L"||";
    								} else {
    									__eflags =  *_t180 - 0x31;
    									if( *_t180 == 0x31) {
    										_v8 = L"&&";
    									} else {
    										__eflags =  *_t180 - 0x32;
    										if( *_t180 == 0x32) {
    											_v8 = "|";
    										} else {
    											__eflags =  *_t180 - 0x33;
    											if( *_t180 == 0x33) {
    												E01045726(1, _t183, _a4, "(", 1);
    												_v8 = ")";
    											} else {
    												__eflags =  *_t180 - 0x3b;
    												if( *_t180 == 0x3b) {
    													E01045726(1, _t183, _a4, "@", 1);
    													_v8 = " ";
    												}
    											}
    										}
    									}
    								}
    							}
    						}
    						E010456C4( *((intOrPtr*)(_t180 + 0x38)), _t183, _a4);
    						E01045726(1, _t183, _a4, _v8, 1);
    						__eflags =  *_t180 - 0x33;
    						if( *_t180 == 0x33) {
    							goto L7;
    						} else {
    							__eflags =  *_t180 - 0x3b;
    							if( *_t180 == 0x3b) {
    								goto L7;
    							}
    							goto L77;
    						}
    					}
    					__eflags = _t76 - 0x3c;
    					if(_t76 != 0x3c) {
    						goto L12;
    					}
    					_t97 =  *0x1079500;
    					__eflags = _t97 - 0x2396;
    					if(_t97 != 0x2396) {
    						__eflags = _t97 - 0x2395;
    						if(_t97 != 0x2395) {
    							__eflags = _t97 - 0x2390;
    							if(_t97 != 0x2390) {
    								goto L12;
    							}
    							_t98 = L"REM /?";
    							goto L45;
    						}
    						_t98 = L"IF /?";
    						goto L45;
    					} else {
    						_t98 = L"FOR /?";
    						L45:
    						E01045726(_t114, _t183, _a4, _t98, 1);
    						goto L7;
    					}
    				}
    				if(_t76 >= 0x34 || _t76 == 0) {
    					L3:
    					_push(1);
    					_push( *((intOrPtr*)(_t180 + 0x38)));
    					goto L4;
    				} else {
    					__eflags = _t76 - 0x2b;
    					if(_t76 == 0x2b) {
    						E01045726(1, __edx, _a4, L"FOR", 1);
    						__eflags =  *0x1066755;
    						if( *0x1066755 == 0) {
    							L33:
    							E01045726(1, _t183, _a4,  *((intOrPtr*)(_t180 + 0x38)) + 6, 1);
    							E01045726(1, _t183, _a4, "(", 1);
    							E01045726(1, _t183, _a4,  *(_t180 + 0x3c), 0);
    							E01045726(1, _t183, _a4, ")", 0);
    							E01045726(1, _t183, _a4,  *((intOrPtr*)(_t180 + 0x38)) + 0x2c, 1);
    							_t126 =  *(_t180 + 0x40);
    							goto L78;
    						}
    						_t110 =  *(_t180 + 0x48);
    						__eflags = 1 & _t110;
    						if((1 & _t110) == 0) {
    							__eflags = _t110 & 0x00000002;
    							if((_t110 & 0x00000002) == 0) {
    								__eflags = _t110 & 0x00000008;
    								if((_t110 & 0x00000008) == 0) {
    									__eflags = _t110 & 0x00000004;
    									if((_t110 & 0x00000004) == 0) {
    										goto L33;
    									} else {
    										_push(1);
    										_push(L"/R");
    										goto L30;
    									}
    								} else {
    									_push(1);
    									_push(L"/F");
    									L30:
    									E01045726(1, _t183, _a4);
    									__eflags =  *(_t180 + 0x4c);
    									if( *(_t180 + 0x4c) == 0) {
    										goto L33;
    									} else {
    										_push(1);
    										_push( *(_t180 + 0x4c));
    										goto L32;
    									}
    								}
    							} else {
    								_push(1);
    								_push(L"/D");
    								goto L32;
    							}
    						} else {
    							_push(1);
    							_push(L"/L");
    							L32:
    							E01045726(1, _t183, _a4);
    							goto L33;
    						}
    					}
    					__eflags = _t76 - 0x2c;
    					if(_t76 == 0x2c) {
    						goto L13;
    					}
    					__eflags = _t76 - 0x2d;
    					if(__eflags == 0) {
    						goto L3;
    					}
    					if(__eflags > 0) {
    						goto L46;
    					}
    					goto L12;
    				}
    			}

    APIs
    • longjmp.MSVCRT(01070A70,000000FF,00000000,?,00000001,?,?,?,01045833,?, /D /c",?,?,?,00000000,?), ref: 01051271
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: longjmp
    • String ID: == $EQU $FOR$FOR /?$GEQ $GTR $IF /?$LEQ $LSS $NEQ $REM /?
    • API String ID: 1832741078-366822981
    • Opcode ID: 0e8262e8db6fb35fb2c8d5d96cb7d55b0fea7d0fea561d69e50f1a6112e616ab
    • Instruction ID: c3b37d8e37f572a02df13e5f6162fc45ce65aef130ab783c534fcb522a380f7f
    • Opcode Fuzzy Hash: 0e8262e8db6fb35fb2c8d5d96cb7d55b0fea7d0fea561d69e50f1a6112e616ab
    • Instruction Fuzzy Hash: 94A1B1B4600205FBDFA9DF59D9C4AAF7FA6FF84294B108065E9C28B650CB70DD91CB81
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 72%
    			E0103E950(long __ecx, long __edx) {
    				signed int _v8;
    				int _v20;
    				char _v24;
    				signed int _v28;
    				void _v548;
    				signed int _v549;
    				long _v556;
    				long _v560;
    				signed int _v564;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t79;
    				int _t83;
    				signed int _t85;
    				void* _t88;
    				WCHAR* _t89;
    				signed char _t90;
    				intOrPtr _t91;
    				intOrPtr _t95;
    				long _t103;
    				intOrPtr _t107;
    				int _t108;
    				signed char _t110;
    				void* _t111;
    				void* _t113;
    				wchar_t* _t114;
    				wchar_t* _t115;
    				signed int _t116;
    				signed int _t117;
    				signed int _t125;
    				long _t126;
    				intOrPtr* _t127;
    				signed int _t129;
    				intOrPtr* _t130;
    				long _t132;
    				void* _t142;
    				signed int _t144;
    				signed int _t145;
    				signed int _t146;
    				long _t147;
    				long _t148;
    				signed int _t149;
    				void* _t150;
    				void* _t151;
    
    				_t140 = __edx;
    				_t79 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t79 ^ _t149;
    				_v560 = __edx;
    				_t147 = __ecx;
    				_v549 = 0;
    				_v556 = __ecx;
    				_t117 = _t116 | 0xffffffff;
    				_v28 = 0;
    				_v24 = 1;
    				_v20 = 0x104;
    				memset( &_v548, 0, 0x104);
    				_t151 = _t150 + 0xc;
    				if(_v24 == 0) {
    					_t83 = 0x104;
    				} else {
    					_t83 = 0x7fe7;
    				}
    				if(E0103E3F0(_t83) < 0) {
    					_t144 = 0xfffffffe;
    					goto L29;
    				} else {
    					_t145 = 0;
    					while(_t145 < 0x7fe6) {
    						_t147 =  *( *((intOrPtr*)(_t147 + 0x38)) + _t145 * 2) & 0x0000ffff;
    						if(_t147 == 0x22) {
    							_v549 = _v549 == 0;
    							L9:
    							if(_t117 != 0xffffffff) {
    								L11:
    								_t113 = _v28;
    								if(_t113 == 0) {
    									_t113 =  &_v548;
    								}
    								 *(_t113 + _t145 * 2) = _t147;
    								_t145 = _t145 + 1;
    								_t147 = _v556;
    								continue;
    							}
    							_t114 = wcschr(L":.\\", _t147);
    							_t151 = _t151 + 8;
    							if(_t114 != 0) {
    								if( *0x1066755 == 0) {
    									break;
    								}
    								_t117 = _t145;
    							}
    							goto L11;
    						}
    						if(_t147 == 0) {
    							break;
    						}
    						if(_v549 != 0) {
    							goto L9;
    						}
    						_t115 = wcschr(L"=,;+/[] \t\"", _t147);
    						_t151 = _t151 + 8;
    						if(_t115 != 0) {
    							break;
    						}
    						goto L9;
    					}
    					_v564 = _t145;
    					if(_t145 == 0) {
    						_t144 = _t145 | 0xffffffff;
    						L29:
    						_t85 = _v28;
    						_v28 = 0;
    						if(_t85 != 0) {
    							__imp__??_V@YAXPAX@Z(_t85);
    						}
    						return E01046B30(_t144, _t117, _v8 ^ _t149, _t140, _t144, _t147);
    					}
    					_t88 = _v28;
    					if(_t88 == 0) {
    						_t88 =  &_v548;
    					}
    					 *((short*)(_t88 + _t145 * 2)) = 0;
    					if(_t117 != 0xffffffff) {
    						_t89 = _v28;
    						if(_t89 == 0) {
    							_t89 =  &_v548;
    						}
    						_t90 = GetFileAttributesW(_t89);
    						if(_t90 != 0xffffffff) {
    							if((_t90 & 0x00000010) == 0) {
    								goto L16;
    							}
    							goto L51;
    						} else {
    							L51:
    							_t111 = _v28;
    							_v564 = _t117;
    							if(_t111 == 0) {
    								_t111 =  &_v548;
    							}
    							 *((short*)(_t111 + _t117 * 2)) = 0;
    							goto L16;
    						}
    					} else {
    						L16:
    						_t117 = _v28;
    						if(_t117 == 0) {
    							_t117 =  &_v548;
    						}
    						_t146 = 0;
    						_t147 = 0x1031688;
    						do {
    							_t24 = _t147 - 8; // 0x10337c0
    							_t91 =  *_t24;
    							if(_t91 == 0) {
    								goto L20;
    							}
    							__imp___wcsicmp(_t117, _t91);
    							_t151 = _t151 + 8;
    							if(_t91 == 0) {
    								_t110 =  *_t147 & 0x0000ffff;
    								if((_t110 & 0x00000004) != 0) {
    									if( *0x1066755 != 0) {
    										goto L23;
    									}
    									goto L20;
    								}
    								L23:
    								_t123 = _v560;
    								 *_v560 = _t110;
    								L24:
    								 *0x105e0d8 = _t146;
    								if(_t146 == 0xffffffff) {
    									if(_v28 == 0) {
    										_t140 =  &_v548;
    									}
    									if(E0103ED90(0x2d, _t140, _t123) == 0x2d) {
    										_t144 = 0x2d;
    									} else {
    										_t125 = 0;
    										_t117 = 0;
    										_v549 = 0;
    										while(1) {
    											_t147 =  *( *((intOrPtr*)(_v556 + 0x38)) + _t117 * 2) & 0x0000ffff;
    											if(_t147 == 0) {
    												break;
    											}
    											if(_t147 == 0x22) {
    												_t125 = _t125 & 0xffffff00 | _t125 == 0x00000000;
    												_t117 = _t117 + 1;
    												_v549 = _t125;
    												continue;
    											}
    											if(_t125 == 0) {
    												_t108 = iswspace(_t147);
    												_t151 = _t151 + 4;
    												if(_t108 != 0 || E0103A62F(L"=,;", _t147) != 0 || _t147 == 0x2f) {
    													break;
    												} else {
    													_t125 = _v549;
    													goto L39;
    												}
    											}
    											L39:
    											_t117 = _t117 + 1;
    										}
    										_t126 = _v556;
    										L26:
    										_t127 =  *((intOrPtr*)(_t126 + 0x38));
    										_t32 = _t127 + 2; // 0x2
    										_t140 = _t32;
    										do {
    											_t95 =  *_t127;
    											_t127 = _t127 + 2;
    										} while (_t95 != 0);
    										_t129 = _t127 - _t140 >> 1;
    										if(_t117 != _t129) {
    											_t64 = _t129 + 1; // -1
    											_t148 = _t64;
    											_t130 =  *((intOrPtr*)(_v556 + 0x3c));
    											if(_t130 == 0) {
    												L71:
    												_t132 = E0103DCD0(_t148 + _t148);
    												_v560 = _t132;
    												if(_t132 == 0) {
    													E01059922();
    													__imp__longjmp(0x1070a30, 1);
    												}
    												_t117 = _t117 + _t117;
    												_t140 = _t148;
    												E0103F3A0(_t132, _t148,  *((intOrPtr*)(_v556 + 0x38)) + _t117);
    												_t102 =  *((intOrPtr*)(_v556 + 0x3c));
    												if( *((intOrPtr*)(_v556 + 0x3c)) == 0) {
    													_t147 = _v560;
    												} else {
    													_t140 = _t148;
    													_t147 = _v560;
    													E0103FC40(_t147, _t148, _t102);
    												}
    												_t103 = _v556;
    												 *(_t103 + 0x3c) = _t147;
    												 *((short*)(_t117 +  *((intOrPtr*)(_t103 + 0x38)))) = 0;
    												goto L29;
    											}
    											_t142 = _t130 + 2;
    											do {
    												_t107 =  *_t130;
    												_t130 = _t130 + 2;
    											} while (_t107 != 0);
    											_t148 = _t148 + (_t130 - _t142 >> 1);
    											goto L71;
    										}
    									}
    									goto L29;
    								}
    								_t126 = _v556;
    								_t117 = _v564;
    								if(_t146 == 0x14) {
    									 *((intOrPtr*)(_t126 + 0x40)) = 1;
    								}
    								goto L26;
    							}
    							L20:
    							_t147 = _t147 + 0x18;
    							_t146 = _t146 + 1;
    						} while (_t147 <= 0x1031a78);
    						_t123 = _v560;
    						_t146 = _t146 | 0xffffffff;
    						goto L24;
    					}
    				}
    			}

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: memsetwcschr$_wcsicmpiswspace
    • String ID: :.\$=,;$=,;+/[] "
    • API String ID: 1913572127-843887632
    • Opcode ID: 623082616a9e22f372424f26febc65bf9419fb3ddcaacf117245b87c53fedff6
    • Instruction ID: 0b34fb6c38532f56e43950237795a009c3656c1c596f9047e929ea0b39c38edc
    • Opcode Fuzzy Hash: 623082616a9e22f372424f26febc65bf9419fb3ddcaacf117245b87c53fedff6
    • Instruction Fuzzy Hash: F5A1E670A042159BDF64CBACD8C4BBE77B9BF84314F1402E9D9C6A7291D770AD82CB50
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 85%
    			E010553AA(void* __ecx, void* __eflags) {
    				signed int _v8;
    				char _v2060;
    				char _v2061;
    				char _v2062;
    				signed int _v2068;
    				long _v2072;
    				long _v2076;
    				void* _v2080;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t35;
    				void* _t37;
    				void* _t39;
    				signed int _t42;
    				long _t44;
    				wchar_t* _t45;
    				void* _t47;
    				void* _t51;
    				void* _t56;
    				signed int _t58;
    				void* _t59;
    				wchar_t* _t66;
    				wchar_t* _t68;
    				void* _t69;
    				wchar_t* _t91;
    				wchar_t* _t92;
    				signed int _t93;
    
    				_t35 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t35 ^ _t93;
    				_v2061 = 0;
    				_v2062 = 0;
    				_t37 = E0103ACB0(__ecx);
    				if(_t37 == 0) {
    					L30:
    					_t39 = 1;
    					L31:
    					return E01046B30(_t39, _t69, _v8 ^ _t93, _t90, _t91, _t92);
    				}
    				_t73 = _t37;
    				_t92 = E01039E8E(_t37);
    				_t42 =  *_t92 & 0x0000ffff;
    				if(_t42 == 0) {
    					L29:
    					_push(0);
    					_push(0x232a);
    					E010378E4(_t73);
    					goto L30;
    				}
    				_t69 = 0x22;
    				if(_t42 == _t69) {
    					_t4 =  &(_t92[0]); // 0x2
    					_t92 = E01039E8E(_t4);
    					_t68 = wcsrchr(_t92, _t69);
    					if(_t68 != 0) {
    						 *_t68 = 0;
    					}
    				}
    				_t44 = 0x3d;
    				_t45 = wcschr(_t92, _t44);
    				_pop(_t73);
    				if(_t45 == 0) {
    					goto L29;
    				}
    				 *_t45 = 0;
    				_t5 =  &(_t45[0]); // 0x2
    				_t73 = _t5;
    				_t91 = E01039E8E(_t5);
    				if( *_t91 == _t69) {
    					_t6 =  &(_t91[0]); // 0x2
    					_t91 = E01039E8E(_t6);
    					_t66 = wcsrchr(_t91, _t69);
    					_pop(_t73);
    					if(_t66 != 0) {
    						_t73 = 0;
    						 *_t66 = 0;
    					}
    				}
    				_t47 = 0x3d;
    				if( *_t91 == _t47) {
    					goto L29;
    				} else {
    					_t69 = GetStdHandle(0xfffffff5);
    					if(GetConsoleMode(_t69,  &_v2072) != 0) {
    						_v2061 = 1;
    						SetConsoleMode(_t69, _v2072 | 0x00000001);
    					}
    					_t51 = GetStdHandle(0xfffffff6);
    					_t78 =  &_v2076;
    					_v2080 = _t51;
    					if(GetConsoleMode(_t51,  &_v2076) != 0) {
    						_t78 = _v2076 | 0x00000007;
    						_v2062 = 1;
    						SetConsoleMode(_v2080, _v2076 | 0x00000007);
    					}
    					E010363BD(_t78, 0x2371, 1, _t91);
    					_v2060 = 0;
    					_t56 = GetStdHandle(0xfffffff6);
    					_t90 =  &_v2060;
    					_t73 = _t56;
    					if(E01054799(_t56,  &_v2060, 0x3ff,  &_v2068) == 0) {
    						L20:
    						_t58 = 0;
    						_v2068 = 0;
    						goto L21;
    					} else {
    						_t58 = _v2068;
    						if(_t58 == 0) {
    							goto L20;
    						}
    						_t73 = _t93 + _t58 * 2 - 0x80a;
    						while( *_t73 < 0x20) {
    							_t58 = _t58 - 1;
    							_t73 = _t73 - 2;
    							_v2068 = _t58;
    							if(_t58 != 0) {
    								continue;
    							}
    							break;
    						}
    						L21:
    						if(_v2061 != 0) {
    							SetConsoleMode(_t69, _v2072);
    							_t58 = _v2068;
    						}
    						if(_v2062 != 0) {
    							SetConsoleMode(_v2080, _v2076);
    							_t58 = _v2068;
    						}
    						if(_t58 == 0) {
    							goto L30;
    						} else {
    							_t59 = _t58 + _t58;
    							if(_t59 >= 0x800) {
    								E01046C78(_t59, _t69, _t73, _t90, _t91, _t92);
    								goto L29;
    							}
    							_t90 =  &_v2060;
    							 *((short*)(_t93 + _t59 - 0x808)) = 0;
    							_t39 = E0103A976(_t92,  &_v2060);
    							goto L31;
    						}
    					}
    				}
    			}

    APIs
      • Part of subcall function 01039E8E: iswspace.MSVCRT ref: 01039E9E
    • wcsrchr.MSVCRT ref: 01055406
    • wcschr.MSVCRT ref: 0105541C
    • wcsrchr.MSVCRT ref: 0105544C
    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5), ref: 0105546B
    • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 0105547B
    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 01055497
    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6), ref: 0105549F
    • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 010554B3
    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?), ref: 010554D4
    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,000003FF,?), ref: 01055501
    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 01055557
    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?), ref: 01055578
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: ConsoleMode$Handle$wcsrchr$iswspacewcschr
    • String ID:
    • API String ID: 4166807220-0
    • Opcode ID: b95358eb9031ebe38550ef7f05cee905ef78f86a1bb10236cfdc71a6a42178d1
    • Instruction ID: c04d062c3b4f118f5add9eeb9848958a7ff9dffd8a018c6bb5be9f8c46191b26
    • Opcode Fuzzy Hash: b95358eb9031ebe38550ef7f05cee905ef78f86a1bb10236cfdc71a6a42178d1
    • Instruction Fuzzy Hash: 9151A6716002199AEBA5AB34DC157EE7BE9FF40314F1484E9E9C6D31C0EF758A81CBA1
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,0000000C), ref: 01037669
    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 01037670
    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008), ref: 01037686
    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 0103768D
    • _wcsicmp.MSVCRT ref: 01037719
    • _wcsicmp.MSVCRT ref: 0103772B
    • _wcsicmp.MSVCRT ref: 01037758
    • _wcsicmp.MSVCRT ref: 0104AA79
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: Heap_wcsicmp$AllocProcess
    • String ID: DISABLEDELAYEDEXPANSION$DISABLEEXTENSIONS$ENABLEDELAYEDEXPANSION$ENABLEEXTENSIONS
    • API String ID: 435930816-3086019870
    • Opcode ID: 0dd69c860e757f189ae84bf83801ec96dc9d3d886cf9481721257de9f249559b
    • Instruction ID: ca2efc563862726473d2bd4fe417b6400f2b9b38c323b04d74769ab47759b334
    • Opcode Fuzzy Hash: 0dd69c860e757f189ae84bf83801ec96dc9d3d886cf9481721257de9f249559b
    • Instruction Fuzzy Hash: C05118B1704242DFE7259F39A849A6A3BD8FF88210B18446ED5C2DB285FF2BD401CB65
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 67%
    			E0105AEBD(void* __ecx, DWORD* __edx) {
    				signed int _v8;
    				char _v524;
    				int _v532;
    				char _v536;
    				int _v540;
    				void _v1060;
    				long _v1068;
    				char _v1072;
    				int _v1076;
    				void _v1596;
    				int _v1604;
    				char _v1608;
    				void* _v1612;
    				void _v2132;
    				DWORD* _v2136;
    				intOrPtr _v2140;
    				signed short _v2142;
    				long _v2144;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t67;
    				int _t86;
    				int _t87;
    				intOrPtr _t88;
    				intOrPtr _t104;
    				WCHAR* _t108;
    				short* _t110;
    				WCHAR* _t111;
    				DWORD* _t113;
    				signed short _t114;
    				DWORD* _t126;
    				WCHAR* _t132;
    				void* _t141;
    				short* _t143;
    				WCHAR* _t145;
    				short* _t147;
    				intOrPtr* _t149;
    				signed int _t151;
    				void* _t152;
    				DWORD* _t153;
    				void* _t155;
    				signed int _t157;
    
    				_t148 = __edx;
    				_t67 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t67 ^ _t157;
    				_t152 = __ecx;
    				_v2136 = 0;
    				_v1612 = 0;
    				_v1604 = 0x104;
    				_t126 = 1;
    				_t153 = __edx;
    				_v1608 = 1;
    				memset( &_v2132, 0, 0x104);
    				_v1072 = 1;
    				_v1076 = 0;
    				_v1068 = 0x104;
    				memset( &_v1596, 0, 0x104);
    				_v536 = 1;
    				_v540 = 0;
    				_v532 = 0x104;
    				memset( &_v1060, 0, 0x104);
    				_t132 =  &_v2132;
    				if(E0103E3F0(((0 | _v1608 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
    					L48:
    					_push(0);
    					_push(8);
    					L49:
    					E010378E4(_t132);
    					L50:
    					_t154 = _t126;
    					L51:
    					_t86 = _v540;
    					_v540 = 0;
    					if(_t86 != 0) {
    						__imp__??_V@YAXPAX@Z(_t86);
    					}
    					_t87 = _v1076;
    					_v1076 = 0;
    					if(_t87 != 0) {
    						__imp__??_V@YAXPAX@Z(_t87);
    					}
    					_t88 = _v1612;
    					_v1612 = 0;
    					if(_t88 != 0) {
    						__imp__??_V@YAXPAX@Z(_t88);
    					}
    					return E01046B30(_t154, 0, _v8 ^ _t157, _t148, _t152, _t154);
    				}
    				_t132 =  &_v1596;
    				if(E0103E3F0(((0 | _v1072 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
    					goto L48;
    				}
    				_t132 =  &_v1060;
    				if(E0103E3F0(((0 | _v536 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
    					goto L48;
    				}
    				E0103A641(_t153);
    				_t141 = _v1612;
    				_t149 = _t141;
    				if(_t141 == 0) {
    					_t149 =  &_v2132;
    				}
    				_t155 = _t149 + 2;
    				do {
    					_t104 =  *_t149;
    					_t149 = _t149 + 2;
    				} while (_t104 != _v2136);
    				_t105 = _v540;
    				_t151 = _t149 - _t155 >> 1;
    				if(_v540 == 0) {
    					_t105 =  &_v1060;
    				}
    				if(_t141 == 0) {
    					_t141 =  &_v2132;
    				}
    				_t148 = _t151 + 1;
    				if(E01037D65(_t141, _t151 + 1, _t105, _v532) != 0) {
    					E0104232C(_t148, "\\");
    					_t132 = _v1076;
    					if(_t132 == 0) {
    						_t132 =  &_v1596;
    					}
    					_t108 = _v540;
    					if(_t108 == 0) {
    						_t108 =  &_v1060;
    					}
    					_t148 =  &_v2144;
    					if(GetVolumeInformationW(_t108, _t132, _v1068,  &_v2144, 0, 0, 0, 0) != 0) {
    						_t110 = _v540;
    						_t143 = _t110;
    						if(_t110 == 0) {
    							_t143 =  &_v1060;
    						}
    						if( *_t143 != 0x5c) {
    							if(_t110 == 0) {
    								_t110 =  &_v1060;
    							}
    							 *((short*)(_t110 + 2)) = 0;
    							goto L33;
    						} else {
    							if(_t110 == 0) {
    								_t110 =  &_v1060;
    							}
    							_t147 = _t110;
    							while( *_t110 != 0) {
    								_t147 = _t110;
    								_t110 = _t110 + 2;
    							}
    							 *_t147 = 0;
    							L33:
    							_t111 = _v1076;
    							_t145 = _t111;
    							if(_t111 == 0) {
    								_t145 =  &_v1596;
    							}
    							if( *_t145 == 0) {
    								_t112 = _v540;
    								if(_v540 == 0) {
    									_t112 =  &_v1060;
    								}
    								_t113 = E0105832A(_t126, _t148, _t152, 0x235e, _t126, _t112);
    							} else {
    								if(_t111 == 0) {
    									_t111 =  &_v1596;
    								}
    								_t146 = _v540;
    								if(_v540 == 0) {
    									_t146 =  &_v1060;
    								}
    								_push(_t111);
    								_t113 = E0105832A(_t126, _t148, _t152, 0x235f, 2, _t146);
    							}
    							_t154 = _t113;
    							if(_t113 == 0) {
    								_t114 = _v2144;
    								if(_t114 != 0 || _v2140 != _t114) {
    									_push(_t114 & 0x0000ffff);
    									E01039ABF( &_v524, 0x100, L"%04X-%04X", _v2142 & 0x0000ffff);
    									_t154 = E0105832A(_t126, _t148, _t152, 0x235b, _t126,  &_v524);
    								}
    							}
    							goto L51;
    						}
    					} else {
    						if(GetLastError() != 0x90) {
    							_push(0);
    							_push(GetLastError());
    							goto L49;
    						}
    						_t126 = 0;
    						goto L50;
    					}
    				} else {
    					_t126 = 0;
    					goto L50;
    				}
    			}

    APIs
    • memset.MSVCRT ref: 0105AF04
    • memset.MSVCRT ref: 0105AF2E
    • memset.MSVCRT ref: 0105AF58
      • Part of subcall function 0103E3F0: memset.MSVCRT ref: 0103E455
    • GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,00000000,00000000,00000000,00000000,0103250C,?,?,00000000,-00000105,-00000105,-00000105), ref: 0105B08B
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,?,?,?), ref: 0105B095
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?), ref: 0105B0AA
    • ??_V@YAXPAX@Z.MSVCRT ref: 0105B1DA
    • ??_V@YAXPAX@Z.MSVCRT ref: 0105B1F2
    • ??_V@YAXPAX@Z.MSVCRT ref: 0105B20A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: memset$ErrorLast$InformationVolume
    • String ID: %04X-%04X
    • API String ID: 2748242238-1126166780
    • Opcode ID: fc3c025d0c50dd957445c07bf4aa33ba98a1ad227fcdad63e9f5bac6f5bb7592
    • Instruction ID: af57f504a7835f2be08cdb40d957f7b7a46c71364d84c1fff666bcb176beb04f
    • Opcode Fuzzy Hash: fc3c025d0c50dd957445c07bf4aa33ba98a1ad227fcdad63e9f5bac6f5bb7592
    • Instruction Fuzzy Hash: D491A5B1A002199BDBA5DA64CC84BEF77F9EF44304F4445E9F989D3141EB34AE848F94
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 65%
    			E0103BC30(void* __ecx, signed int __edx, signed int _a4, intOrPtr _a8) {
    				intOrPtr _v8;
    				signed int _v12;
    				intOrPtr _v20;
    				wchar_t* _v32;
    				void* _v36;
    				signed int _v40;
    				void* _v44;
    				signed int _v48;
    				signed short* _v52;
    				signed int _v56;
    				signed short* _v60;
    				intOrPtr _v64;
    				signed int _v68;
    				signed int _v72;
    				int _v76;
    				signed short* _v80;
    				void* _v84;
    				signed short* _v88;
    				signed short* _v96;
    				intOrPtr _v100;
    				signed short* _v104;
    				long _v216;
    				int _v220;
    				int _v224;
    				signed int _v228;
    				signed int _v232;
    				signed int _v236;
    				intOrPtr _v256;
    				signed int _v260;
    				char _v268;
    				intOrPtr _v284;
    				intOrPtr _v288;
    				signed int _v300;
    				long _v304;
    				int _v308;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				signed int _t177;
    				void* _t179;
    				signed int* _t181;
    				intOrPtr* _t185;
    				signed short* _t189;
    				wchar_t* _t190;
    				intOrPtr _t192;
    				intOrPtr _t193;
    				short* _t194;
    				intOrPtr _t195;
    				intOrPtr _t196;
    				signed short* _t199;
    				wchar_t* _t200;
    				intOrPtr _t202;
    				intOrPtr _t203;
    				intOrPtr _t204;
    				intOrPtr _t205;
    				intOrPtr _t206;
    				intOrPtr _t207;
    				signed short* _t211;
    				void _t212;
    				intOrPtr _t215;
    				signed int _t216;
    				signed int _t217;
    				void* _t218;
    				signed int _t221;
    				int _t224;
    				signed int _t225;
    				signed short* _t227;
    				long _t229;
    				signed int _t231;
    				signed int _t232;
    				long _t233;
    				wchar_t* _t235;
    				signed char _t236;
    				signed int _t237;
    				int _t239;
    				signed int _t240;
    				signed int _t241;
    				signed int _t243;
    				long _t245;
    				int _t246;
    				long _t248;
    				wchar_t* _t250;
    				wchar_t* _t253;
    				wchar_t* _t255;
    				wchar_t* _t258;
    				wchar_t* _t259;
    				wchar_t* _t260;
    				signed int _t261;
    				signed int _t262;
    				signed short* _t264;
    				intOrPtr* _t265;
    				signed int _t267;
    				signed int _t268;
    				signed int _t269;
    				signed int _t270;
    				signed int _t271;
    				intOrPtr* _t272;
    				signed int _t280;
    				intOrPtr* _t282;
    				intOrPtr* _t285;
    				signed int _t287;
    				void* _t288;
    				void* _t289;
    				intOrPtr* _t293;
    				intOrPtr* _t296;
    				intOrPtr* _t299;
    				void* _t302;
    				intOrPtr* _t303;
    				signed int _t306;
    				signed int _t310;
    				signed short* _t311;
    				long _t322;
    				signed short* _t324;
    				signed short* _t326;
    				long _t329;
    				void* _t330;
    				long _t332;
    				signed int _t334;
    				short* _t335;
    				void* _t336;
    				void* _t337;
    				intOrPtr* _t338;
    				signed short* _t342;
    				void* _t345;
    				void* _t346;
    				void* _t347;
    				void* _t348;
    				signed short* _t349;
    				signed short* _t352;
    				WCHAR* _t359;
    				void* _t360;
    				signed int _t361;
    				intOrPtr* _t363;
    				signed short* _t365;
    				signed int* _t366;
    				signed int _t367;
    				void* _t370;
    				intOrPtr* _t372;
    				signed int _t374;
    				signed int _t375;
    				intOrPtr* _t376;
    				signed short* _t377;
    				signed short* _t378;
    				signed short* _t379;
    				signed short* _t380;
    				intOrPtr _t383;
    				signed int _t384;
    				signed int _t385;
    				signed int _t386;
    				void* _t389;
    
    				_t334 = __edx;
    				_t272 = __ecx;
    				_t177 =  *0x105e0b4; // 0x6030efd1
    				_v12 = _t177 ^ _t384;
    				_t370 = __ecx;
    				_t260 = __edx;
    				if(__ecx == 0) {
    					_t179 = E0103DCD0(4);
    					goto L23;
    				} else {
    					_t334 = __ecx + 2;
    					do {
    						_t215 =  *_t272;
    						_t272 = _t272 + 2;
    					} while (_t215 != 0);
    					_t216 = E0103DCD0(4 + (_t272 - _t334 >> 1) * 4);
    					_v236 = _t216;
    					if(_t216 == 0) {
    						L155:
    						E01059922();
    						__imp__longjmp(0x1070a30, 1);
    						asm("int3");
    						goto L156;
    					} else {
    						_v228 = _t216;
    						_t365 = L"=,;";
    						_t217 = 0;
    						_v220 = 0;
    						while(1) {
    							_t322 =  *_t365 & 0x0000ffff;
    							_v224 = _t322;
    							if(_t322 == 0) {
    								break;
    							}
    							if(_t260 == 0) {
    								L9:
    								 *(_t384 + _t217 * 2 - 0xd4) = _t322;
    								_t217 = _t217 + 1;
    								_v220 = _t217;
    							} else {
    								_t259 = wcschr(_t260, _t322);
    								_t386 = _t386 + 8;
    								_t217 = _v220;
    								if(_t259 == 0) {
    									_t322 = _v224;
    									goto L9;
    								}
    							}
    							_t365 =  &(_t365[1]);
    							if(_t217 < 0x63) {
    								continue;
    							}
    							break;
    						}
    						_t366 = _v228;
    						_t218 = _t217 + _t217;
    						if(_t218 >= 0xc8) {
    							E01046C78(_t218, _t260, _t322, _t334, _t366, _t370);
    							asm("int3");
    							asm("int3");
    							asm("int3");
    							asm("int3");
    							asm("int3");
    							asm("int3");
    							asm("int3");
    							asm("int3");
    							asm("int3");
    							asm("int3");
    							asm("int3");
    							asm("int3");
    							asm("int3");
    							asm("int3");
    							_push(_t384);
    							_t385 = _t386;
    							_push(0xfffffffe);
    							_push(0x105ca10);
    							_push(E01046E00);
    							_push( *[fs:0x0]);
    							_t386 = _t386 - 0x54;
    							_push(_t260);
    							_push(_t370);
    							_push(_t366);
    							_t221 =  *0x105e0b4; // 0x6030efd1
    							_v260 = _v260 ^ _t221;
    							_push(_t221 ^ _t385);
    							 *[fs:0x0] =  &_v268;
    							_t270 = _t334;
    							_v300 = _t270;
    							_v304 = _t322;
    							_v308 = 0;
    							_t358 = 0;
    							_v288 = 0;
    							_t370 = 0;
    							_v284 = 0;
    							_v256 = 0;
    							_t224 = E0103DCD0(0x4000);
    							_v308 = _t224;
    							if(_t224 == 0) {
    								L156:
    								_t261 = _v56;
    								if(_t261 == 0) {
    									goto L135;
    								} else {
    									__imp__longjmp(_t261, 0xffffffff);
    									goto L158;
    								}
    							} else {
    								_t324 = _t270;
    								_v36 = _t324;
    								_t380 = _t270;
    								_t334 =  *0x1066755;
    								while(1) {
    									_t225 =  *_t324 & 0x0000ffff;
    									if(_t225 == 0) {
    										break;
    									}
    									_t271 = _a4;
    									if(_t225 != _t271 && (_t334 == 0 || _t225 != 0x3a || _t324[1] == _t271)) {
    										_t324 =  &(_t380[1]);
    										_v36 = _t324;
    										_t380 = _t324;
    										continue;
    									}
    									break;
    								}
    								if( *_t324 == 0) {
    									L134:
    									_t370 = _v36;
    									L135:
    									_t181 = _a4;
    									goto L136;
    								} else {
    									_t264 = _v56;
    									if(_t380 == _t264) {
    										goto L134;
    									} else {
    										_t383 = (_t380 - _t264 >> 1) + 1;
    										_t358 = E0103DCD0(_t383 + _t383);
    										_v44 = _t358;
    										if(_t358 == 0) {
    											L158:
    											_t262 = _v56;
    											if(_t262 == 0) {
    												goto L134;
    											} else {
    												__imp__longjmp(_t262, 0xffffffff);
    												goto L160;
    											}
    										} else {
    											_t227 = _t383 - 1;
    											if(_t383 != 0) {
    												if(_t383 > 0x7fffffff) {
    													if(_t383 == 0) {
    														goto L82;
    													} else {
    														goto L162;
    													}
    													goto L171;
    												} else {
    													if(_t227 > 0x7ffffffe) {
    														L162:
    														 *_t358 = 0;
    													} else {
    														_t326 = _t264;
    														_t334 = _t358;
    														_t262 = 0;
    														while(1) {
    															_v72 = _t262;
    															_v68 = _t334;
    															_v100 = _t383;
    															_v96 = _t326;
    															_v104 = _t227;
    															if(_t383 == 0) {
    																break;
    															}
    															if(_t227 == 0) {
    																L80:
    																if(_t383 == 0) {
    																	break;
    																}
    															} else {
    																_t367 =  *_t326 & 0x0000ffff;
    																if(_t367 == 0) {
    																	goto L80;
    																} else {
    																	 *_t334 = _t367;
    																	_t334 = _t334 + 2;
    																	_t326 =  &(_t326[1]);
    																	_t383 = _t383 - 1;
    																	_t227 = _t227 - 1;
    																	_t262 = _t262 + 1;
    																	continue;
    																}
    															}
    															L81:
    															 *_t335 = 0;
    															_t264 = _v52;
    															_t359 = _v40;
    															goto L82;
    														}
    														L160:
    														_t335 = _t334 - 2;
    														_v64 = _t335;
    														_v68 = _t262 - 1;
    														goto L81;
    													}
    												}
    											}
    											L82:
    											_t185 = _v32;
    											_v32 = _t185 + 2;
    											_t360 = E0103EC2E(_t359);
    											_v44 = _t360;
    											if( *_t185 == 0x3a) {
    												if( *0x1066755 == 0 || _t360 == 0) {
    													goto L83;
    												} else {
    													_t189 = _v32;
    													_t280 =  *_t189 & 0x0000ffff;
    													if(_t280 == 0x7e) {
    														_t190 =  &(_t189[1]);
    														_v32 = _t190;
    														_t361 = wcstol(_t190,  &_v32, 0);
    														_v72 = _t361;
    														_t265 = _v44;
    														if(_t361 < 0) {
    															_t303 = _t265;
    															_t348 = _t303 + 2;
    															do {
    																_t207 =  *_t303;
    																_t303 = _t303 + 2;
    															} while (_t207 != 0);
    															_t361 = _t361 + (_t303 - _t348 >> 1);
    															_v72 = _t361;
    														}
    														_t282 = _t265;
    														_t336 = _t282 + 2;
    														do {
    															_t192 =  *_t282;
    															_t282 = _t282 + 2;
    														} while (_t192 != 0);
    														if(_t361 >= _t282 - _t336 >> 1) {
    															_t285 = _t265;
    															_t337 = _t285 + 2;
    															do {
    																_t193 =  *_t285;
    																_t285 = _t285 + 2;
    															} while (_t193 != 0);
    															_t287 = _t285 - _t337 >> 1;
    														} else {
    															_t287 = _t361;
    														}
    														if(_t287 < 0) {
    															_t361 = 0;
    														} else {
    															_t299 = _t265;
    															_t347 = _t299 + 2;
    															do {
    																_t205 =  *_t299;
    																_t299 = _t299 + 2;
    															} while (_t205 != 0);
    															if(_t361 >= _t299 - _t347 >> 1) {
    																_t363 = _t265;
    																_t302 = _t363 + 2;
    																do {
    																	_t206 =  *_t363;
    																	_t363 = _t363 + 2;
    																} while (_t206 != 0);
    																_t361 = _t363 - _t302 >> 1;
    															}
    														}
    														_v72 = _t361;
    														_t194 = _v32;
    														if( *_t194 != 0x2c) {
    															_t362 = _t265 + _t361 * 2;
    															_t372 = _t265 + _t361 * 2;
    															_t159 = _t372 + 2; // 0x2
    															_t288 = _t159;
    															do {
    																_t195 =  *_t372;
    																_t372 = _t372 + 2;
    															} while (_t195 != 0);
    															goto L133;
    														} else {
    															_t200 = _t194 + 2;
    															_v32 = _t200;
    															_t375 = wcstol(_t200,  &_v32, 0);
    															_v48 = _t375;
    															if(_t375 < 0) {
    																_t293 = _t265 + _t361 * 2;
    																_t345 = _t293 + 2;
    																do {
    																	_t202 =  *_t293;
    																	_t293 = _t293 + 2;
    																} while (_t202 != 0);
    																_t374 = _t375 + (_t293 - _t345 >> 1);
    																_v48 = _t374;
    																if(_t374 < 0) {
    																	_t374 = 0;
    																}
    															}
    															_v48 = _t374;
    															_t362 = _t265 + _t361 * 2;
    															_t296 = _t362;
    															_t127 = _t296 + 2; // 0x2
    															_t346 = _t127;
    															do {
    																_t203 =  *_t296;
    																_t296 = _t296 + 2;
    															} while (_t203 != 0);
    															if(_t374 >= _t296 - _t346 >> 1) {
    																_t376 = _t362;
    																_t150 = _t376 + 2; // 0x2
    																_t288 = _t150;
    																do {
    																	_t204 =  *_t376;
    																	_t376 = _t376 + 2;
    																} while (_t204 != 0);
    																L133:
    																_t374 = _t372 - _t288 >> 1;
    															}
    														}
    														_v48 = _t374;
    														_t338 = _t265;
    														_t289 = _t338 + 2;
    														do {
    															_t196 =  *_t338;
    															_t338 = _t338 + 2;
    														} while (_t196 != 0);
    														_t360 = _v44;
    														E01042298(_t360, (_t338 - _t289 >> 1) + 1, _t362, _t374);
    														if( *((short*)(_t360 + _t374 * 2)) != 0) {
    															 *((short*)(_t360 + _t374 * 2)) = 0;
    														}
    														_t199 = _v32;
    														_t342 =  &(_t199[1]);
    														_v32 = _t342;
    														_t181 = _a4;
    														if(( *_t199 & 0x0000ffff) != _a8) {
    															goto L165;
    														} else {
    															 *_t181 = _t342 - _v52 >> 1;
    															goto L106;
    														}
    													} else {
    														if(_t280 == 0x2a) {
    															_t189 =  &(_t189[1]);
    															_v32 = _t189;
    															_v76 = 1;
    														} else {
    															_v76 = 0;
    														}
    														_t377 = _t189;
    														_v104 = _t377;
    														_t349 = _t377;
    														while(1) {
    															_t306 =  *_t189 & 0x0000ffff;
    															if(_t306 == 0 || _t306 == 0x3d) {
    																break;
    															}
    															_t189 =  &(_t349[1]);
    															_v32 = _t189;
    															_t349 = _t189;
    														}
    														if( *_t189 == 0) {
    															L167:
    															_t358 = _v40;
    															goto L134;
    														} else {
    															_t267 = _t349 - _t377;
    															_t268 = _t267 >> 1;
    															if(_t267 == 0) {
    																_t269 = _v56;
    																if(_t269 == 0) {
    																	goto L167;
    																} else {
    																	E010378E4(_t306, 0x234a, 1, _t349);
    																	_t389 = _t386 + 0xc;
    																	__imp__longjmp(_t269, 0xffffffff);
    																	goto L170;
    																}
    															} else {
    																_t211 =  &(_t349[1]);
    																_t378 = _t211;
    																_v80 = _t378;
    																while(1) {
    																	_t352 = _t211;
    																	_v32 = _t211;
    																	_t310 =  *_t211 & 0x0000ffff;
    																	if(_t310 == 0 || _t310 == _a8) {
    																		break;
    																	}
    																	_t211 =  &(_t352[1]);
    																}
    																_t181 = _a4;
    																if( *_t211 == 0) {
    																	L165:
    																	_t370 = _v36;
    																	_t358 = _v40;
    																	L136:
    																	 *_t181 = 0;
    																} else {
    																	_t311 =  &(_t352[1]);
    																	_v32 = _t311;
    																	_v56 = _t352 - _t378 >> 1;
    																	 *_t181 = _t311 - _v52 >> 1;
    																	if( *_t360 != 0) {
    																		_t379 = _v60;
    																		_t212 = E0103F3A0(_t379, 0x2000, _t360);
    																		_v88 = _t379;
    																		_v84 = _t360;
    																		while(1) {
    																			L103:
    																			__imp___wcsnicmp(_t379, _v104, _t268);
    																			_t389 = _t386 + 0xc;
    																			if(_t212 != 0) {
    																				break;
    																			}
    																			_t377 =  &(_t379[_t268]);
    																			_push(_v56 + _v56);
    																			_push(_v80);
    																			if(_v76 != 0) {
    																				L170:
    																				_t360 = _v44;
    																				memcpy(_t360, ??, ??);
    																				E0103F3A0(_v56 + _v56 + _t360, 0x2000 - _v56, _t377);
    																			} else {
    																				_t212 = memcpy(_t360, ??, ??);
    																				_t386 = _t389 + 0xc;
    																				_t360 = _t360 + _v56 * 2;
    																				_v84 = _t360;
    																				_v88 = _t377;
    																				continue;
    																			}
    																			goto L106;
    																		}
    																		_t212 =  *_t379 & 0x0000ffff;
    																		 *_t360 = _t212;
    																		_t360 = _t360 + 2;
    																		_v84 = _t360;
    																		_t379 =  &(_t379[1]);
    																		_v88 = _t379;
    																		if(_t212 != 0) {
    																			goto L103;
    																		} else {
    																			_t360 = _v44;
    																		}
    																	}
    																	L106:
    																	_t370 = _t360;
    																	_v36 = _t370;
    																	_t358 = _v40;
    																}
    															}
    														}
    													}
    												}
    											} else {
    												L83:
    												 *_a4 = _v32 - _t264 >> 1;
    												_t370 = _t360;
    												_v36 = _t370;
    												_t358 = _v40;
    											}
    										}
    									}
    								}
    							}
    							_v8 = 0xfffffffe;
    							E0103C3F4(_t358);
    							 *[fs:0x0] = _v20;
    							return _t370;
    						} else {
    							_v224 = 1;
    							 *((short*)(_t384 + _t218 - 0xd4)) = 0;
    							_t229 =  *_t370 & 0x0000ffff;
    							_v220 = 1;
    							if(_t229 != 0) {
    								_t329 = _t229;
    								do {
    									if(_t329 == 0x22) {
    										L17:
    										_v224 = 0;
    										if(_t260 == 0) {
    											L19:
    											 *_t366 =  *_t370;
    											_t366 =  &(_t366[0]);
    											if( *_t370 == 0x22) {
    												while(1) {
    													_t231 =  *(_t370 + 2);
    													_t330 = _t370;
    													_t370 = _t370 + 2;
    													 *_t366 = _t231;
    													_t366 =  &(_t366[0]);
    													_t232 =  *_t370 & 0x0000ffff;
    													if(_t232 == 0) {
    														break;
    													}
    													if(_t232 == 0x22) {
    														goto L20;
    													} else {
    														if( *(_t370 + 2) != 0) {
    															continue;
    														} else {
    															goto L20;
    														}
    													}
    													goto L171;
    												}
    												_t370 = _t330;
    											}
    											L20:
    											_v220 = 0;
    										} else {
    											_t235 = wcschr(_t260,  *_t370 & 0x0000ffff);
    											_t386 = _t386 + 8;
    											if(_t235 != 0) {
    												_t236 = _a4;
    												if((_t236 & 0x00000002) != 0) {
    													_t237 =  *_t370 & 0x0000ffff;
    													if(_v220 == 0) {
    														_t366 =  &(_t366[0]);
    													}
    													 *_t366 = _t237;
    													_v220 = 1;
    													_t366 =  &(_t366[1]);
    												} else {
    													if((_t236 & 0x00000004) != 0) {
    														 *_t366 =  *_t370;
    													}
    													_v220 = 0;
    													_t366 =  &(_t366[0]);
    												}
    											} else {
    												goto L19;
    											}
    										}
    										goto L21;
    									} else {
    										_t239 = iswspace(_t329);
    										_t386 = _t386 + 4;
    										if(_t239 != 0) {
    											L25:
    											_t240 = _a4;
    											if((_t240 & 0x00000001) != 0) {
    												if(_v224 == 0) {
    													goto L17;
    												} else {
    													goto L26;
    												}
    											} else {
    												L26:
    												_t241 = _t240 & 0x00000002;
    												_v228 = _t241;
    												if(_t241 == 0 || _t260 == 0) {
    													L29:
    													_t243 = _a4 & 0x00000004;
    													_v232 = _t243;
    													if(_t243 != 0) {
    														if(E0103A62F(_t260,  *_t370) != 0) {
    															goto L17;
    														} else {
    															goto L30;
    														}
    													} else {
    														L30:
    														_t245 =  *_t370 & 0x0000ffff;
    														if(_t245 == 0) {
    															goto L22;
    														} else {
    															_t332 = _t245;
    															while(_t332 != 0x22) {
    																_t246 = iswspace(_t332);
    																_t386 = _t386 + 4;
    																if(_t246 != 0) {
    																	L40:
    																	if(_v228 == 0 || _t260 == 0) {
    																		L43:
    																		if(_v232 != 0) {
    																			if(E0103A62F(_t260,  *_t370) != 0) {
    																				break;
    																			} else {
    																				goto L44;
    																			}
    																		} else {
    																			L44:
    																			_t248 =  *(_t370 + 2) & 0x0000ffff;
    																			_t370 = _t370 + 2;
    																			_t332 = _t248;
    																			if(_t248 != 0) {
    																				continue;
    																			} else {
    																				goto L22;
    																			}
    																		}
    																	} else {
    																		_t250 = wcschr(_t260,  *_t370 & 0x0000ffff);
    																		_t386 = _t386 + 8;
    																		if(_t250 != 0) {
    																			break;
    																		} else {
    																			goto L43;
    																		}
    																	}
    																} else {
    																	_t253 = wcschr( &_v216,  *_t370 & 0x0000ffff);
    																	_t386 = _t386 + 8;
    																	if(_t253 != 0) {
    																		goto L40;
    																	} else {
    																		break;
    																	}
    																}
    																goto L171;
    															}
    															if( *_t370 == 0) {
    																goto L22;
    															} else {
    																if(_v224 == 0 && _v220 == 0) {
    																	_t366 =  &(_t366[0]);
    																}
    																_v220 = 1;
    																goto L17;
    															}
    														}
    													}
    												} else {
    													_t255 = wcschr(_t260,  *_t370 & 0x0000ffff);
    													_t386 = _t386 + 8;
    													if(_t255 != 0) {
    														goto L17;
    													} else {
    														goto L29;
    													}
    												}
    											}
    											goto L171;
    										} else {
    											_t258 = wcschr( &_v216,  *_t370 & 0x0000ffff);
    											_t386 = _t386 + 8;
    											if(_t258 != 0) {
    												goto L25;
    											} else {
    												goto L17;
    											}
    										}
    									}
    									goto L22;
    									L21:
    									_t233 =  *(_t370 + 2) & 0x0000ffff;
    									_t370 = _t370 + 2;
    									_t329 = _t233;
    								} while (_t233 != 0);
    							}
    							L22:
    							_t358 = _t366 - _v236 >> 1;
    							_t334 = 4 + (_t366 - _v236 >> 1) * 2;
    							_t179 = E0103DD20(_v236, _t334);
    							L23:
    							if(_t179 == 0) {
    								goto L155;
    							} else {
    								return E01046B30(_t179, _t260, _v12 ^ _t384, _t334, _t358, _t370);
    							}
    						}
    					}
    				}
    				L171:
    			}

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: wcschr$iswspace
    • String ID: =,;
    • API String ID: 3458554142-1539845467
    • Opcode ID: b4d1537241d822cb5f0ee436736214dc895d34be7ac021a48705e88fb6e2bb0a
    • Instruction ID: 788d602b80e257d539f45a4a84e9accb5878893fdaa6d5e80c6f95a17cc5a6e5
    • Opcode Fuzzy Hash: b4d1537241d822cb5f0ee436736214dc895d34be7ac021a48705e88fb6e2bb0a
    • Instruction Fuzzy Hash: FC81B9B4900216CBEB706F5DC8457BA77FDAF80309F1444AAEDCAA7241FB758984CB61
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 63%
    			E010423F0(void* __ecx, WCHAR* __edx) {
    				signed int _v8;
    				int _v20;
    				char _v24;
    				signed int _v28;
    				void _v548;
    				long _v556;
    				char _v560;
    				signed int _v564;
    				void _v1084;
    				int _v1092;
    				char _v1096;
    				signed int _v1100;
    				void _v1620;
    				long _v1624;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t55;
    				signed int _t72;
    				signed int _t73;
    				WCHAR* _t93;
    				signed int _t95;
    				void* _t96;
    				char _t98;
    				WCHAR* _t111;
    				void* _t119;
    				WCHAR* _t120;
    				signed int _t121;
    
    				_t118 = __edx;
    				_t55 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t55 ^ _t121;
    				_v564 = _v564 & 0x00000000;
    				_v556 = 0x104;
    				_t98 = 1;
    				_t120 = __edx;
    				_v560 = 1;
    				_t119 = __ecx;
    				memset( &_v1084, 0, 0x104);
    				_v28 = _v28 & 0x00000000;
    				_v24 = 1;
    				_v20 = 0x104;
    				memset( &_v548, 0, 0x104);
    				_v1100 = _v1100 & 0x00000000;
    				_v1096 = 1;
    				_v1092 = 0x104;
    				memset( &_v1620, 0, 0x104);
    				if(E0103E3F0(((0 | _v560 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0 || E0103E3F0(((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0 || E0103E3F0(((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
    					 *0x10667a8 = 8;
    					goto L13;
    				} else {
    					 *0x10667a8 =  *0x10667a8 & 0x00000000;
    					_t88 = _v1100;
    					if(_v1100 == 0) {
    						_t88 =  &_v1620;
    					}
    					_t118 = _t120;
    					if(E01037D65(_t119, _t120, _t88, _v1092) == 0) {
    						L13:
    						_t98 = 0;
    					} else {
    						_t90 = _v1100;
    						if(_v1100 == 0) {
    							_t90 =  &_v1620;
    						}
    						E0103A641(_t90);
    						E0104232C(_t118, "\\");
    						_t111 = _v564;
    						if(_t111 == 0) {
    							_t111 =  &_v1084;
    						}
    						_t93 = _v28;
    						if(_t93 == 0) {
    							_t93 =  &_v548;
    						}
    						_t118 = 0;
    						if(GetVolumeInformationW(_t93, 0, 0, 0,  &_v1624, 0, _t111, _v556) == 0) {
    							_t95 = GetLastError();
    							_t53 = _t95 - 0x90; // -144
    							asm("sbb ecx, ecx");
    							 *0x10667a8 =  ~_t53 & _t95;
    							goto L13;
    						} else {
    							_t96 = _v564;
    							if(_t96 == 0) {
    								_t96 =  &_v1084;
    							}
    							__imp___wcsicmp(_t96, L"FAT");
    							if(_t96 == 0) {
    								if(_v1624 != 0xc) {
    									goto L13;
    								}
    							} else {
    								goto L13;
    							}
    						}
    					}
    				}
    				if(_v1100 != 0) {
    					__imp__??_V@YAXPAX@Z(_v1100);
    				}
    				_t72 = _v28;
    				_v28 = _v28 & 0x00000000;
    				if(_t72 != 0) {
    					__imp__??_V@YAXPAX@Z(_t72);
    				}
    				_t73 = _v564;
    				_v564 = _v564 & 0x00000000;
    				if(_t73 != 0) {
    					__imp__??_V@YAXPAX@Z(_t73);
    				}
    				return E01046B30(_t98, _t98, _v8 ^ _t121, _t118, _t119, _t120);
    			}

    APIs
    • memset.MSVCRT ref: 01042431
    • memset.MSVCRT ref: 01042452
    • memset.MSVCRT ref: 0104247C
      • Part of subcall function 0103E3F0: memset.MSVCRT ref: 0103E455
    • GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,00000000,00000000,?,00000000,00000000,?,0103250C,00000000,00000000,?,-00000105,-00000105,-00000105), ref: 01042585
    • _wcsicmp.MSVCRT ref: 010425A3
    • ??_V@YAXPAX@Z.MSVCRT ref: 010425CA
    • ??_V@YAXPAX@Z.MSVCRT ref: 010425E3
    • ??_V@YAXPAX@Z.MSVCRT ref: 0104F32B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: memset$InformationVolume_wcsicmp
    • String ID: FAT
    • API String ID: 4247940253-238207945
    • Opcode ID: 2f2f6326332c12a8d0f8948fd277effbcf3cd8a0ef78b2a4bbaa536162fd138c
    • Instruction ID: 884b111387a3687576159704fb20ada3b5f33403101d036e83faa105aee0b75f
    • Opcode Fuzzy Hash: 2f2f6326332c12a8d0f8948fd277effbcf3cd8a0ef78b2a4bbaa536162fd138c
    • Instruction Fuzzy Hash: FD5196F1E002159BEF64CA64ECD9BEE77B8EB54305F0440E9E585E3140EB799A84CF64
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 82%
    			E01037334(WCHAR* __ecx) {
    				signed int _v8;
    				void* _v608;
    				long _v612;
    				char _v616;
    				int _v620;
    				void* _v624;
    				void _v1140;
    				char _v1144;
    				WCHAR* _v1148;
    				void* _v1152;
    				void* _v1164;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t31;
    				signed int _t33;
    				int _t44;
    				WCHAR* _t45;
    				int _t48;
    				wchar_t* _t49;
    				intOrPtr* _t53;
    				signed int _t59;
    				void* _t62;
    				signed int _t63;
    				void* _t78;
    				WCHAR* _t81;
    				void* _t82;
    				void* _t85;
    				signed int _t86;
    				WCHAR* _t87;
    				wchar_t* _t88;
    				signed int _t90;
    				signed int _t92;
    
    				_t92 = (_t90 & 0xfffffff8) - 0x47c;
    				_t31 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t31 ^ _t92;
    				_t81 = __ecx;
    				if(__ecx == 0) {
    					_t33 = 0;
    					L13:
    					_pop(_t82);
    					_pop(_t85);
    					_pop(_t62);
    					return E01046B30(_t33, _t62, _v8 ^ _t92, _t79, _t82, _t85);
    				}
    				_v616 = 1;
    				_t86 = 0;
    				_v612 = 0x104;
    				_v620 = 0;
    				memset( &_v1140, 0, 0x104);
    				_t92 = _t92 + 0xc;
    				if(E0103E3F0(((0 | _v616 == 0x00000000) - 0x00000001 & 0x0000fdc6) + 0x208) < 0) {
    					L20:
    					_t63 = _t86;
    					L10:
    					_t44 = _v620;
    					_v620 = _t86;
    					if(_t44 != 0) {
    						__imp__??_V@YAXPAX@Z(_t44);
    					}
    					_t33 = _t63;
    					goto L13;
    				}
    				_t45 = _v620;
    				if(_t45 == 0) {
    					_t45 =  &_v1140;
    				}
    				_t63 = GetFullPathNameW(E01040060(_t81, _t81), _v612, _t45,  &_v1148);
    				if(_t63 == 0) {
    					goto L10;
    				} else {
    					_t87 = _v620;
    					if(_t87 == 0) {
    						_t87 =  &_v1140;
    					}
    					_t48 = wcsncmp(_t87, L"\\\\.\\", 4);
    					_t92 = _t92 + 0xc;
    					if(_t48 == 0) {
    						_t88 =  &(_t87[4]);
    						_v1148 = _t88;
    						_t49 = wcsstr(_t81, _t88);
    						_v1148 = _t49;
    						if(_t49 == 0 || _t49 <= _t81) {
    							_t63 = GetFileAttributesW(_t81);
    						} else {
    							 *_t49 = 0;
    							_t63 = GetFileAttributesW(_t81);
    							 *_v1148 =  *_t49 & 0x0000ffff;
    						}
    						_t86 = 0;
    						if(_t63 != 0xffffffff) {
    							goto L10;
    						} else {
    							goto L20;
    						}
    					} else {
    						_t53 = _v1148;
    						if(_t53 == 0 ||  *_t53 == 0) {
    							_t63 = 0 | GetFileAttributesW(_t87) != 0xffffffff;
    							goto L9;
    						} else {
    							_t79 = _t87;
    							_t63 = E0104589A(E010459D0, _t87, 0x1037, 0, _t92 + 0x234,  &_v1144) & 0x000000ff;
    							E01038B4D( *((intOrPtr*)(_t92 + 0x14)));
    							if(_t63 == 0) {
    								_t59 = _t87[1] & 0x0000ffff;
    								_t78 = 0x5c;
    								if(_t59 == _t78) {
    									L29:
    									if(GetDriveTypeW(_t87) > 1) {
    										_t63 = 1;
    									}
    									goto L9;
    								}
    								if(_t59 != 0x3a || _t87[2] != _t78 || _t87[3] != 0) {
    									goto L9;
    								} else {
    									goto L29;
    								}
    							}
    							L9:
    							_t86 = 0;
    							goto L10;
    						}
    					}
    				}
    			}

    APIs
    • memset.MSVCRT ref: 01037381
      • Part of subcall function 0103E3F0: memset.MSVCRT ref: 0103E455
    • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,?,-00000209,?,00000000,?), ref: 010373D6
    • wcsncmp.MSVCRT(?,\\.\,00000004,?,00000000,?), ref: 010373F9
    • ??_V@YAXPAX@Z.MSVCRT ref: 01037465
    • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?,00001037,00000000,?,?), ref: 0104A8C6
      • Part of subcall function 01040060: wcschr.MSVCRT ref: 0104006C
    • wcsstr.MSVCRT ref: 0104A87E
    • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0 ref: 0104A89B
    • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 0104A8DE
      • Part of subcall function 0104589A: FindFirstFileExW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,?,00000000,00000000,00000002,00000000,00000000,?,010459D0,?,01036054,-00001038,00000000,?,?), ref: 010458BB
      • Part of subcall function 0104589A: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,010459D0,?,01036054,-00001038,00000000,?,?,00000000,00000000,-00000001), ref: 010458CD
      • Part of subcall function 01038B4D: FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,010599FD,00000000,?,00000000,0104CF94,00000000,?), ref: 01038B7B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: File$AttributesFindmemset$CloseDriveErrorFirstFullLastNamePathTypewcschrwcsncmpwcsstr
    • String ID: \\.\
    • API String ID: 799470305-2900601889
    • Opcode ID: b948a3db3754ffae182917cdcb6bb37f688e22e58fb09f9f1bca134e39c4be1f
    • Instruction ID: 5a7bec9b35c559c55729d23b2b80ae72fb85daece68d3da0e1d9241a0445c3e7
    • Opcode Fuzzy Hash: b948a3db3754ffae182917cdcb6bb37f688e22e58fb09f9f1bca134e39c4be1f
    • Instruction Fuzzy Hash: EB51F9F1644301DBE7319B74988456F7ADCEF85320F04482EF9DAD3281DB74E80587A2
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 59%
    			E0103CB09(char* __edi) {
    				long _t99;
    				void* _t100;
    				long _t106;
    				void* _t108;
    				long _t112;
    				int _t114;
    				int _t116;
    				signed char _t117;
    				void* _t121;
    				signed int _t122;
    				intOrPtr _t123;
    				intOrPtr* _t126;
    				long _t131;
    				int _t132;
    				int _t133;
    				signed int _t134;
    				int _t135;
    				int _t138;
    				intOrPtr _t139;
    				char _t140;
    				int _t142;
    				signed int _t143;
    				int _t144;
    				wchar_t* _t145;
    				void* _t147;
    				long _t149;
    				int _t150;
    				void* _t151;
    				long _t152;
    				void* _t153;
    				wchar_t* _t154;
    				signed int _t156;
    				signed int _t159;
    				int _t160;
    				long _t161;
    				int _t162;
    				int _t170;
    				long _t173;
    				long _t174;
    				int _t175;
    				intOrPtr _t179;
    				char* _t180;
    				long _t181;
    				void* _t182;
    				int _t183;
    				int _t185;
    				long _t186;
    				long _t187;
    				long _t189;
    				void* _t190;
    				void* _t192;
    				long _t193;
    				long _t194;
    				signed int _t196;
    				void* _t198;
    				void* _t201;
    				void* _t203;
    				void* _t204;
    
    				_t180 = __edi;
    				while(1) {
    					_t193 =  *_t183 & 0x0000ffff;
    					_t132 = iswspace(_t193);
    					_t203 = _t203 + 4;
    					__eflags = _t132;
    					if(_t132 != 0) {
    						goto L130;
    					}
    					L63:
    					_t133 = wcschr(L"=,;", _t193);
    					_t203 = _t203 + 8;
    					__eflags = _t133;
    					if(_t133 != 0) {
    						__eflags = _t193;
    						if(_t193 == 0) {
    							goto L64;
    						} else {
    							L133:
    							_t183 = _t183 + 2;
    							while(1) {
    								_t193 =  *_t183 & 0x0000ffff;
    								_t132 = iswspace(_t193);
    								_t203 = _t203 + 4;
    								__eflags = _t132;
    								if(_t132 != 0) {
    									goto L130;
    								}
    								goto L63;
    							}
    						}
    						L76:
    						 *(_t196 + _t156 * 2 - 0x20c) = 0;
    						_t108 = _t196 - 0x10c;
    						__imp___wcsicmp(_t108, _t196 - 0x20c);
    						_t154 =  *(_t196 - 0x620);
    						_t201 = _t204 + 8;
    						__eflags = _t108;
    						if(_t108 != 0) {
    							L46:
    							__eflags = _t154;
    							if(_t154 == 0) {
    								L48:
    								_t181 =  *(_t196 - 0x624);
    								goto L49;
    							} else {
    								_t108 = wcschr(_t154, 0x3a);
    								_t153 = _t108;
    								_t201 = _t201 + 8;
    								__eflags = _t153;
    								if(_t153 != 0) {
    									L34:
    									_t187 = _t153;
    									_t154 = _t153 + 2;
    									 *(_t196 - 0x620) = _t154;
    									__eflags =  *_t187 - 0xa;
    									if( *_t187 != 0xa) {
    										while(1) {
    											_t108 = _t196 - 0x614;
    											__eflags = _t187 - _t108;
    											if(_t187 == _t108) {
    												goto L37;
    											}
    											_t187 = _t187 - 2;
    											__eflags =  *_t187 - 0xa;
    											if( *_t187 != 0xa) {
    												continue;
    											}
    											goto L37;
    										}
    									}
    									L37:
    									__eflags =  *_t187 - 0x3a;
    									if( *_t187 != 0x3a) {
    										_t187 = _t187 + 2;
    										__eflags = _t187;
    									}
    									_t183 = _t187;
    									__eflags = _t187;
    									if(_t187 != 0) {
    										while(1) {
    											_t161 =  *_t183 & 0x0000ffff;
    											_t138 = iswspace(_t161);
    											_t201 = _t201 + 4;
    											__eflags = _t138;
    											if(_t138 != 0) {
    											}
    											L41:
    											__eflags = _t161 - 0xa;
    											if(_t161 != 0xa) {
    												L42:
    												_t183 = _t183 + 2;
    												_t161 =  *_t183 & 0x0000ffff;
    												_t138 = iswspace(_t161);
    												_t201 = _t201 + 4;
    												__eflags = _t138;
    												if(_t138 != 0) {
    												}
    											}
    											L43:
    											_t108 = wcschr(L"=,;", _t161);
    											_t201 = _t201 + 8;
    											__eflags = _t108;
    											if(_t108 != 0) {
    												__eflags = _t161;
    												if(_t161 == 0) {
    													goto L44;
    												} else {
    													goto L42;
    												}
    												goto L50;
    											}
    											L44:
    											_t154 =  *(_t196 - 0x620);
    											goto L45;
    										}
    									}
    									L45:
    									__eflags =  *_t183 - 0x3a;
    									if( *_t183 == 0x3a) {
    										__eflags = _t187;
    										if(_t187 == 0) {
    											__eflags = 0;
    											 *(_t196 - 0x620) = 0;
    											goto L125;
    										} else {
    											_t108 = wcschr(_t187, 0xa);
    											_t160 = _t108;
    											_t201 = _t201 + 8;
    											 *(_t196 - 0x620) = _t160;
    											__eflags = _t160;
    											if(_t160 == 0) {
    												L125:
    												__imp___get_osfhandle(1);
    												_t203 = _t201 + 4;
    												_t131 = SetFilePointer(_t108,  *(_t196 - 0x624), 0, 0);
    												__eflags = _t131 -  *((intOrPtr*)(_t196 - 0x63c));
    												if(_t131 ==  *((intOrPtr*)(_t196 - 0x63c))) {
    													continue;
    												} else {
    													_t174 =  *(_t196 - 0x618);
    													__eflags = _t174 - 0x200;
    													if(_t174 == 0x200) {
    														while(1) {
    															_t193 =  *_t183 & 0x0000ffff;
    															_t132 = iswspace(_t193);
    															_t203 = _t203 + 4;
    															__eflags = _t132;
    															if(_t132 != 0) {
    																goto L130;
    															}
    															goto L63;
    														}
    													} else {
    														_t187 = _t187 - _t196 - 0x614 >> 1;
    														_t175 = _t174 - _t187;
    														_t147 = E01039434();
    														__eflags = _t147;
    														if(_t147 != 0) {
    															_t147 = WideCharToMultiByte( *0x10625a0, 0, _t196 - 0x614, _t175, 0, 0, 0, 0);
    															_t175 = _t147;
    														}
    														_t181 =  *(_t196 - 0x624);
    														__imp___get_osfhandle(1);
    														_t201 = _t203 + 4;
    														_t108 = SetFilePointer(_t147, _t181,  ~_t175, 0);
    														L49:
    														_t152 =  *(_t196 - 0x61c);
    													}
    												}
    											} else {
    												while(1) {
    													_t193 =  *_t183 & 0x0000ffff;
    													_t132 = iswspace(_t193);
    													_t203 = _t203 + 4;
    													__eflags = _t132;
    													if(_t132 != 0) {
    														goto L130;
    													}
    													goto L63;
    												}
    											}
    										}
    									} else {
    										goto L46;
    									}
    								} else {
    									goto L48;
    								}
    							}
    						} else {
    							_t139 =  *((intOrPtr*)(_t196 - 0x644));
    							__eflags =  *(_t139 + 0x40) & 0x00000001;
    							if(( *(_t139 + 0x40) & 0x00000001) == 0) {
    								_t140 = 0;
    							} else {
    								_t140 = 1;
    							}
    							 *0x1066744 = _t140;
    							_t108 = E01039434();
    							__eflags = _t154;
    							if(_t154 == 0) {
    								__eflags = _t108;
    								if(_t108 == 0) {
    									_t152 =  *(_t196 - 0x61c);
    									_t108 =  *(_t196 - 0x618);
    									_t181 =  *(_t196 - 0x624);
    									 *(_t152 + 8) =  *(_t152 + 8) + _t108;
    								} else {
    									_push(0);
    									_push(0);
    									_push(0);
    									_push(0);
    									_push( *(_t196 - 0x618));
    									goto L146;
    								}
    							} else {
    								_t159 = _t154 - _t196 - 0x614 + 2 >> 1;
    								__eflags = _t108;
    								if(_t108 != 0) {
    									_push(0);
    									_push(0);
    									_push(0);
    									_push(0);
    									_push(_t159);
    									L146:
    									_t108 = WideCharToMultiByte( *0x10625a0, 0, _t196 - 0x614, ??, ??, ??, ??, ??);
    									_t152 =  *(_t196 - 0x61c);
    									_t181 =  *(_t196 - 0x624);
    									 *(_t152 + 8) =  *(_t152 + 8) + _t108;
    								} else {
    									_t187 =  *(_t196 - 0x61c);
    									_t181 =  *(_t196 - 0x624);
    									 *((intOrPtr*)(_t187 + 8)) =  *((intOrPtr*)(_t187 + 8)) + _t159;
    									_t152 = _t187;
    								}
    							}
    						}
    						L50:
    						__eflags =  *0x1066744 - 1;
    						if( *0x1066744 != 1) {
    							L19:
    							while(1) {
    								if( *0x106259c != 0) {
    									_t108 = E010598B5(_t152, _t181);
    								}
    								__imp___get_osfhandle(1);
    								_t198 = _t201 + 4;
    								_t100 = SetFilePointer(_t108, _t181, 0, 0);
    								 *(_t152 + 8) = _t100;
    								if( *(_t196 - 0x630) == 0) {
    									__eflags = _t100 -  *((intOrPtr*)(_t196 - 0x640));
    									if(_t100 <  *((intOrPtr*)(_t196 - 0x640))) {
    										goto L21;
    									} else {
    										_t162 =  *(_t196 - 0x618);
    										goto L56;
    									}
    								} else {
    									L21:
    									__imp___get_osfhandle(_t181);
    									_t198 = _t198 + 4;
    									_t150 = _t100;
    									 *(_t196 - 0x634) = _t150;
    									if((GetFileType(_t150) & 0xffff7fff) == 2) {
    										_t177 = _t196 - 0x614;
    										_t100 = E01054191(_t150, _t196 - 0x614, 0x200, _t196 - 0x618);
    										_t162 =  *(_t196 - 0x618);
    									} else {
    										_t180 = 0x106a7f0;
    										_t112 = SetFilePointer(_t150, 0, 0, 1);
    										 *(_t196 - 0x62c) = _t112;
    										__imp__AcquireSRWLockShared(0x1078e04);
    										_t114 = ReadFile(_t150, 0x106a7f0, 0x200, _t196 - 0x618, 0);
    										_t187 = _t114;
    										__imp__ReleaseSRWLockShared(0x1078e04);
    										_t162 =  *(_t196 - 0x618);
    										if(_t187 == 0) {
    											_t100 = 0;
    											goto L9;
    										} else {
    											 *(_t196 - 0x620) = _t162;
    											if(_t162 == 0) {
    												_t100 = 0;
    												goto L9;
    											} else {
    												_t186 = _t162;
    												 *(_t196 - 0x628) = _t186;
    												_t150 = _t162;
    												if( *0x10625a0 == 0xfde9) {
    													__eflags =  *(_t196 - 0x62c);
    													if( *(_t196 - 0x62c) == 0) {
    														_push(3);
    														_push(0x10334f8);
    														_push(0x106a7f0);
    														L01047FB7();
    														_t198 = _t198 + 0xc;
    														_t162 = _t150;
    														__eflags = _t114;
    														if(_t114 == 0) {
    															_t162 = _t162 + 0xfffffffd;
    															 *(_t196 - 0x62c) = 3;
    															_t186 = _t162;
    															 *(_t196 - 0x620) = _t162;
    															_t180 = 0x106a7f3;
    															 *(_t196 - 0x618) = _t162;
    															 *(_t196 - 0x628) = _t186;
    															_t150 = _t162;
    														}
    													}
    												}
    												_t177 = _t180;
    												 *(_t196 - 0x638) = _t177;
    												if(_t150 <= 0) {
    													L4:
    													_t150 =  *0x10625a0;
    													if(_t150 < 0x2b || _t150 >= 0xc42c) {
    														__eflags = _t150 - 0xc435;
    														if(__eflags > 0) {
    															__eflags = _t150 - 0xdeb3;
    															if(_t150 > 0xdeb3) {
    																__eflags = _t150 - 0xfde8 - 1;
    																if(_t150 - 0xfde8 > 1) {
    																	goto L6;
    																} else {
    																	goto L121;
    																}
    															} else {
    																__eflags = _t150 - 0xdeaa;
    																if(_t150 >= 0xdeaa) {
    																	goto L121;
    																} else {
    																	__eflags = _t150 - 0xcec8;
    																	if(_t150 == 0xcec8) {
    																		goto L121;
    																	} else {
    																		__eflags = _t150 - 0xd698;
    																		if(_t150 == 0xd698) {
    																			goto L121;
    																		} else {
    																			goto L6;
    																		}
    																	}
    																}
    															}
    														} else {
    															if(__eflags == 0) {
    																L121:
    																_t116 = 0;
    																goto L7;
    															} else {
    																__eflags = _t150 - 0xc431;
    																if(__eflags > 0) {
    																	__eflags = _t150 - 0xc433;
    																	if(_t150 == 0xc433) {
    																		goto L121;
    																	} else {
    																		goto L6;
    																	}
    																} else {
    																	if(__eflags == 0) {
    																		goto L121;
    																	} else {
    																		__eflags = _t150 - 0x2a;
    																		if(_t150 == 0x2a) {
    																			goto L121;
    																		} else {
    																			__eflags = _t150 - 0xc42b;
    																			if(_t150 <= 0xc42b) {
    																				goto L6;
    																			} else {
    																				__eflags = _t150 - 0xc42e;
    																				if(_t150 <= 0xc42e) {
    																					goto L121;
    																				} else {
    																					goto L6;
    																				}
    																			}
    																		}
    																	}
    																}
    															}
    														}
    														goto L150;
    													} else {
    														L6:
    														_t116 = 1;
    													}
    													L7:
    													_t187 = _t196 - 0x614;
    													_t100 = MultiByteToWideChar(_t150, _t116, _t177, _t162, _t187, 0x200);
    													_t162 = _t100;
    													goto L8;
    												} else {
    													do {
    														if(_t186 < 3) {
    															L30:
    															if( *((char*)(( *_t180 & 0x000000ff) + 0x1078af0)) != 0) {
    																__eflags = _t186 - 1;
    																if(_t186 == 1) {
    																	__imp__AcquireSRWLockShared(0x1078e04);
    																	_t69 =  &(_t180[1]); // 0x106a7f1
    																	_t99 = ReadFile( *(_t196 - 0x634), _t69, 1, _t196 - 0x628, 0);
    																	_t187 = _t99;
    																	__imp__ReleaseSRWLockShared(0x1078e04);
    																	__eflags = _t187;
    																	if(_t187 == 0) {
    																		L104:
    																		_t162 = 0;
    																		_t100 = 0;
    																		goto L8;
    																	} else {
    																		__eflags =  *(_t196 - 0x628);
    																		if( *(_t196 - 0x628) == 0) {
    																			goto L104;
    																		} else {
    																			_t162 =  *(_t196 - 0x620) + 1;
    																			goto L3;
    																		}
    																	}
    																} else {
    																	_t186 = _t186 + 0xfffffffe;
    																	_t149 = 2;
    																	goto L32;
    																}
    															} else {
    																_t186 = _t186 - 1;
    																_t149 = 1;
    																goto L32;
    															}
    														} else {
    															_t117 =  *_t180;
    															if(_t117 == 0xa) {
    																__eflags = _t180[1] - 0xd;
    																if(_t180[1] == 0xd) {
    																	goto L2;
    																} else {
    																	goto L30;
    																}
    															} else {
    																if(_t117 == 0xd) {
    																	if(_t180[1] != 0xa) {
    																		goto L30;
    																	} else {
    																		L2:
    																		_t180[2] = 0;
    																		_t185 = _t180 - _t177 + 2;
    																		 *(_t196 - 0x620) = _t185;
    																		SetFilePointer( *(_t196 - 0x634),  *(_t196 - 0x62c) + _t185, 0, 0);
    																		_t162 = _t185;
    																		L3:
    																		_t177 =  *(_t196 - 0x638);
    																		goto L4;
    																	}
    																	L8:
    																	 *(_t196 - 0x618) = _t162;
    																	L9:
    																	_t181 =  *(_t196 - 0x624);
    																} else {
    																	goto L30;
    																}
    															}
    														}
    														goto L10;
    														L32:
    														_t180 =  &(_t180[_t149]);
    														 *(_t196 - 0x628) = _t186;
    													} while (_t186 > 0);
    													goto L4;
    												}
    												goto L10;
    											}
    										}
    										goto L150;
    									}
    									L10:
    									if(_t100 == 0) {
    										L56:
    										__eflags = _t162;
    										if(_t162 != 0) {
    											goto L147;
    										} else {
    											goto L57;
    										}
    									} else {
    										if(_t162 == 0) {
    											L57:
    											__eflags =  *(_t196 - 0x630);
    											if( *(_t196 - 0x630) == 0) {
    												L147:
    												E01041CB1(_t100);
    												 *0x1066748 =  *((intOrPtr*)( *(_t196 - 0x61c) + 0x110));
    												E010378E4( *(_t196 - 0x61c), 0x400023ab, 1, _t196 - 0x10c);
    												_t189 = 1;
    												goto L52;
    											} else {
    												__imp___get_osfhandle(0);
    												_t201 = _t198 + 4;
    												_t108 = SetFilePointer(_t100, _t181, 0, 0);
    												 *(_t196 - 0x630) = 0;
    												goto L18;
    											}
    										} else {
    											if(_t162 == 0xffffffff ||  *(_t196 - 0x614) == 0 ||  *(_t196 - 0x10c) == 0) {
    												goto L56;
    											} else {
    												_t121 = _t162 + _t162;
    												if(_t121 >= 0x402) {
    													_t122 = E01046C78(_t121, _t150, _t162, _t177, _t181, _t187);
    													asm("int3");
    													asm("int3");
    													asm("int3");
    													asm("int3");
    													asm("int3");
    													asm("int3");
    													__eflags =  *0x10665f0;
    													_push(_t187);
    													if( *0x10665f0 != 0) {
    														_t162 = _t162 | 0x00000010;
    													}
    													_t123 = E0103CF10(_t122, 0x1074af0, 0x2000, _t162); // executed
    													_t179 = _t123;
    													 *0x1066700 = _t179;
    													__eflags = _t179 - 0xffffffff;
    													if(_t179 == 0xffffffff) {
    														 *0x10665ec = 0x234a;
    														__imp__longjmp(0x1070ab0, 1);
    														goto L149;
    													} else {
    														_t126 = 0x1074af0;
    														_t58 = _t126 + 2; // 0x1074af2
    														_t192 = _t58;
    														do {
    															_t170 =  *_t126;
    															_t126 = _t126 + 2;
    															__eflags = _t170;
    														} while (_t170 != 0);
    														 *0x10666fc = (_t126 - _t192 >> 1) + 1;
    														__eflags =  *0x1079059 - _t170;
    														if( *0x1079059 != _t170) {
    															L149:
    															_push(0x1074af0);
    															_push(_t179);
    															E01039950(L"GeToken: (%x) \'%s\'\n");
    															_t179 =  *0x1066700;
    														}
    													}
    													return _t179;
    												} else {
    													 *((short*)(_t196 + _t121 - 0x614)) = 0;
    													_t108 = wcschr(_t196 - 0x614, 0x3a);
    													_t153 = _t108;
    													_t201 = _t198 + 8;
    													if(_t153 != 0) {
    														goto L34;
    													} else {
    														L18:
    														_t152 =  *(_t196 - 0x61c);
    														continue;
    													}
    												}
    											}
    										}
    									}
    								}
    								goto L150;
    							}
    						} else {
    							_t189 = 0;
    							__eflags = 0;
    							L52:
    							E0103A16C(_t181);
    							_t106 = _t189;
    							_pop(_t182);
    							_pop(_t190);
    							__eflags =  *(_t196 - 8) ^ _t196;
    							_pop(_t151);
    							return E01046B30(_t106, _t151,  *(_t196 - 8) ^ _t196, _t177, _t182, _t190);
    						}
    						L150:
    					}
    					L64:
    					_t134 =  *_t183 & 0x0000ffff;
    					__eflags = _t134 - 0x3a;
    					if(_t134 != 0x3a) {
    						__eflags = _t134 - 0x2b;
    						if(_t134 != 0x2b) {
    							goto L66;
    						} else {
    							goto L65;
    						}
    						while(1) {
    							L71:
    							_t187 =  *_t183 & 0x0000ffff;
    							_t135 = wcschr(L"+:\n\r\t ", _t187);
    							_t204 = _t203 + 8;
    							__eflags = _t135;
    							if(_t135 != 0) {
    								goto L76;
    							}
    							_t142 = wcschr(L"&<|>", _t187);
    							_t204 = _t204 + 8;
    							__eflags = _t142;
    							if(_t142 == 0) {
    								__eflags = _t187 - 0x5e;
    								if(_t187 == 0x5e) {
    									_t173 =  *(_t183 + 2) & 0x0000ffff;
    									_t183 = _t183 + 2;
    								} else {
    									_t173 = _t187;
    								}
    								_t39 = _t156 + 1; // 0x1
    								_t143 = _t39;
    								 *(_t196 + _t156 * 2 - 0x20c) = _t173;
    								_t183 = _t183 + 2;
    								_t156 = _t143;
    								__eflags = _t143 - 0x7f;
    								if(_t143 < 0x7f) {
    									continue;
    								}
    							}
    							goto L76;
    						}
    						goto L76;
    					} else {
    						L65:
    						_t183 = _t183 + 2;
    						__eflags = _t183;
    					}
    					L66:
    					__eflags = _t183;
    					if(_t183 != 0) {
    						while(1) {
    							_t194 =  *_t183 & 0x0000ffff;
    							_t144 = iswspace(_t194);
    							_t203 = _t203 + 4;
    							__eflags = _t144;
    							if(_t144 != 0) {
    								goto L136;
    							}
    							L69:
    							_t145 = wcschr(L"=,;", _t194);
    							_t203 = _t203 + 8;
    							__eflags = _t145;
    							if(_t145 != 0) {
    								__eflags = _t194;
    								if(_t194 == 0) {
    									goto L70;
    								} else {
    									L139:
    									_t183 = _t183 + 2;
    									_t194 =  *_t183 & 0x0000ffff;
    									_t144 = iswspace(_t194);
    									_t203 = _t203 + 4;
    									__eflags = _t144;
    									if(_t144 != 0) {
    										goto L136;
    									}
    									goto L69;
    								}
    								goto L76;
    							}
    							goto L70;
    							L136:
    							__eflags = _t194 - 0xa;
    							if(_t194 != 0xa) {
    								goto L139;
    							} else {
    								goto L69;
    							}
    							goto L71;
    						}
    					}
    					L70:
    					_t156 = 0;
    					__eflags = 0;
    					goto L71;
    					L130:
    					__eflags = _t193 - 0xa;
    					if(_t193 != 0xa) {
    						goto L133;
    					} else {
    						goto L63;
    					}
    					goto L71;
    				}
    			}

    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: wcschr$iswspace$_wcsicmp
    • String ID: &<|>$+: $=,;
    • API String ID: 3089800946-2256444845
    • Opcode ID: bf6a1df887f656c15f44a0ab7154346b5ddbd7c4eb72146b39219c89511c69b2
    • Instruction ID: a33dd76674d013aef0d1cdd6a5481ffda19819a09fb8f7dfc7e5935e7a97e403
    • Opcode Fuzzy Hash: bf6a1df887f656c15f44a0ab7154346b5ddbd7c4eb72146b39219c89511c69b2
    • Instruction Fuzzy Hash: 43312CB1B0022487DB304FA99D8879E77D9AF95305F0480A6ECC9E3212FB769564CBA1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 82%
    			E0105BAF8(void* __ecx, void* __eflags, signed int _a4, int _a8) {
    				signed int _v8;
    				void* _v24;
    				intOrPtr _v28;
    				intOrPtr _v32;
    				intOrPtr _v36;
    				char _v40;
    				intOrPtr _v44;
    				intOrPtr _v48;
    				intOrPtr _v52;
    				void* _v66;
    				intOrPtr _v70;
    				intOrPtr _v74;
    				intOrPtr _v78;
    				intOrPtr _v82;
    				intOrPtr _v86;
    				intOrPtr _v90;
    				intOrPtr _v94;
    				intOrPtr _v98;
    				short _v100;
    				intOrPtr _v104;
    				signed int _v108;
    				intOrPtr _v112;
    				intOrPtr _v116;
    				intOrPtr _v120;
    				char _v124;
    				signed char _v125;
    				signed int _v132;
    				int _v136;
    				signed int _v140;
    				signed short* _v144;
    				void* _v148;
    				signed int _v152;
    				int _v156;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t96;
    				signed int _t105;
    				void* _t111;
    				long _t113;
    				void* _t115;
    				signed int _t122;
    				signed int _t123;
    				signed int _t124;
    				signed int _t125;
    				void* _t126;
    				void* _t129;
    				signed int _t138;
    				void _t142;
    				long _t144;
    				long _t146;
    				signed short* _t154;
    				void* _t157;
    				signed short _t164;
    				signed int _t171;
    				signed int _t173;
    				signed char _t177;
    				signed char _t179;
    				long _t180;
    				int _t185;
    				void* _t188;
    				signed int _t191;
    				void* _t192;
    				void* _t193;
    				signed int* _t194;
    				int _t197;
    				signed short* _t198;
    				void* _t199;
    				int _t200;
    				signed short* _t203;
    				intOrPtr _t204;
    				signed int _t205;
    				void* _t206;
    
    				_t96 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t96 ^ _t205;
    				_t154 = __ecx;
    				_v148 = __ecx;
    				_v136 = _a8;
    				_v108 = 0;
    				_v100 = 0;
    				_v124 = 0;
    				_v120 = 0;
    				_v116 = 0;
    				_v112 = 0;
    				_v104 = 0;
    				_v98 = 0;
    				_v94 = 0;
    				_v90 = 0;
    				_v86 = 0;
    				_v82 = 0;
    				_v78 = 0;
    				_v74 = 0;
    				_v70 = 0;
    				asm("stosd");
    				asm("stosd");
    				asm("stosd");
    				asm("stosw");
    				_v52 = 0;
    				_v48 = 0;
    				_v44 = 0;
    				_v40 = 0;
    				_v36 = 0;
    				_v32 = 0;
    				_v28 = 0;
    				asm("stosd");
    				asm("stosd");
    				asm("stosd");
    				E0105C0F8(0);
    				_t157 = 0x2c;
    				_t191 = E0103DCD0(_t157);
    				if(_t191 == 0) {
    					E01059922();
    					__imp__longjmp(0x1070a30, 1);
    				}
    				_t187 =  &_v124;
    				 *((intOrPtr*)(_t191 + 8)) = 0x800;
    				asm("sbb esi, esi");
    				_t197 =  ~_a4 & 0x00000010;
    				E01039144(_t154,  &_v124);
    				_t159 = _v48;
    				if(_v48 == 0 || E0103802C(_t154, _t159, _t191) == 1) {
    					L57:
    					E01036468();
    					_t105 = 0;
    				} else {
    					_t187 = 0;
    					if(E01037A34( &_v124, 0, 1,  &_v132) == 1) {
    						goto L57;
    					} else {
    						_t187 = _t191;
    						_t197 = _v132;
    						_t111 = E01036513(_t197, _t191, _t197, _t197, 0, 0,  &_v124, 0, 0, 0);
    						if(_t111 != 0) {
    							goto L57;
    						} else {
    							if( *(_t197 + 0x14) != _t111) {
    								qsort( *(_t197 + 0x1c),  *(_t197 + 0x14), 4, E0105A2C0);
    								_t206 = _t206 + 0x10;
    							}
    							_t164 = 0x22;
    							_t198 = _t154;
    							_v125 = 0;
    							_t191 = 0;
    							_t187 = 2;
    							while(1) {
    								_t113 =  *_t198 & 0x0000ffff;
    								if(_t113 == 0) {
    									break;
    								}
    								if(_t113 != _t164) {
    									if(wcschr(L" &()[]{}^=;!%\'+,`~", _t113) != 0) {
    										_v125 = 1;
    									}
    									_t187 = 2;
    									 *_t154 =  *_t198;
    									_t164 = 0x22;
    									goto L18;
    								} else {
    									_t185 = _v136;
    									_t191 = _t191 + _t187;
    									_v125 = 1;
    									_t198 = _t198 + _t187;
    									if(_t185 >= _t191 >> 1) {
    										_v136 = _t185 - 1;
    									}
    									_t164 = 0x22;
    									if( *_t198 == _t164) {
    										 *_t154 = _t164;
    										L18:
    										_t154 = _t154 + _t187;
    										_t198 = _t198 + _t187;
    										_t191 = _t191 + _t187;
    									}
    								}
    								if((_t191 & 0xfffffffe) < 0x4000) {
    									continue;
    								}
    								break;
    							}
    							 *_t154 = 0;
    							_t154 = _v132;
    							_t197 = _t154[0xa];
    							_v156 = _t197;
    							_t115 = calloc(4, _t197);
    							 *0x1079534 = _t115;
    							if(_t115 == 0) {
    								goto L57;
    							} else {
    								_v140 = 0;
    								_t191 = 0;
    								_v132 = 0;
    								if(_t197 > 0) {
    									do {
    										_t187 = ".";
    										_t171 =  *((intOrPtr*)(_t154[0xe] + _t191 * 4)) + 0x30;
    										_t122 = _t171;
    										while(1) {
    											_t197 =  *_t122;
    											if(_t197 !=  *_t187) {
    												break;
    											}
    											if(_t197 == 0) {
    												L27:
    												_t123 = 0;
    											} else {
    												_t197 =  *((intOrPtr*)(_t122 + 2));
    												_t53 = _t187 + 2; // 0x750000
    												if(_t197 !=  *_t53) {
    													break;
    												} else {
    													_t122 = _t122 + 4;
    													_t187 = _t187 + 4;
    													if(_t197 != 0) {
    														continue;
    													} else {
    														goto L27;
    													}
    												}
    											}
    											L29:
    											if(_t123 != 0) {
    												_t187 = L"..";
    												_t124 = _t171;
    												while(1) {
    													_t199 =  *_t124;
    													if(_t199 !=  *_t187) {
    														break;
    													}
    													if(_t199 == 0) {
    														L35:
    														_t197 = 0;
    														_t125 = 0;
    													} else {
    														_t204 =  *((intOrPtr*)(_t124 + 2));
    														_t55 = _t187 + 2; // 0x2e
    														if(_t204 !=  *_t55) {
    															break;
    														} else {
    															_t124 = _t124 + 4;
    															_t187 = _t187 + 4;
    															if(_t204 != 0) {
    																continue;
    															} else {
    																goto L35;
    															}
    														}
    													}
    													L37:
    													if(_t125 != 0) {
    														_t56 = _t171 + 2; // -46
    														_t188 = _t56;
    														do {
    															_t126 =  *_t171;
    															_t171 = _t171 + 2;
    														} while (_t126 != _t197);
    														_t197 = _v136;
    														_t173 = _t171 - _t188 >> 1;
    														_v152 = _t173;
    														_t129 = calloc(_t197 + 4 + _t173, 2);
    														_t187 =  *0x1079534;
    														 *(_t187 + _v140 * 4) = _t129;
    														if(_t129 != 0) {
    															_t177 = _v125;
    															if(_t177 != 0) {
    																_v144 = 0;
    															} else {
    																_t203 =  *((intOrPtr*)(_t154[0xe] + _t191 * 4)) + 0x30;
    																_v144 = _t203;
    																_t144 =  *_t203 & 0x0000ffff;
    																if(_t144 != 0) {
    																	_t180 = _t144;
    																	do {
    																		if(wcschr(L" &()[]{}^=;!%\'+,`~", _t180) != 0) {
    																			_v125 = 1;
    																		}
    																		_t203 =  &(_t203[1]);
    																		_t146 =  *_t203 & 0x0000ffff;
    																		_t180 = _t146;
    																	} while (_t146 != 0);
    																	_t177 = _v125;
    																	_t187 =  *0x1079534;
    																	_v144 = _t203;
    																}
    																_t197 = _v136;
    															}
    															_t192 =  *(_t187 + _v140 * 4);
    															if(_t177 != 0) {
    																_t142 = 0x22;
    																 *_t192 = _t142;
    																_t192 = _t192 + 2;
    															}
    															_t200 = _t197 + _t197;
    															memcpy(_t192, _v148, _t200);
    															_t193 = _t192 + _t200;
    															_t197 = _v152 + _v152;
    															memcpy(_t193,  *((intOrPtr*)(_t154[0xe] + _v132 * 4)) + 0x30, _t197);
    															_t179 = _v125;
    															_t206 = _t206 + 0x18;
    															_t194 = _t193 + _t197;
    															if(_t179 != 0) {
    																_t138 = 0x22;
    																 *_t194 = _t138;
    																_t194 =  &(_t194[0]);
    																_v125 = (_t138 & 0xffffff00 | _v144 != 0x00000000) - 0x00000001 & _t179;
    															}
    															_v140 = _v140 + 1;
    															 *_t194 = 0;
    															_t191 = _v132;
    														}
    													}
    													goto L54;
    												}
    												asm("sbb eax, eax");
    												_t125 = _t124 | 0x00000001;
    												_t197 = 0;
    												goto L37;
    											}
    											goto L54;
    										}
    										asm("sbb eax, eax");
    										_t123 = _t122 | 0x00000001;
    										goto L29;
    										L54:
    										_t191 = _t191 + 1;
    										_v132 = _t191;
    									} while (_t191 < _v156);
    								}
    								E0103DC60(_t154[0xc]);
    								E0103DC60(_t154[2]);
    								E0103DC60(_t154);
    								E01036468();
    								_t105 = _v140;
    							}
    						}
    					}
    				}
    				return E01046B30(_t105, _t154, _v8 ^ _t205, _t187, _t191, _t197);
    			}


    APIs
      • Part of subcall function 0105C0F8: free.MSVCRT(?,?,00000000,?,0105424F), ref: 0105C116
      • Part of subcall function 0105C0F8: free.MSVCRT(?,?,00000000,?,0105424F), ref: 0105C123
      • Part of subcall function 0103DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0103ACD8,00000001,?,00000000,01038C23,-00000105,0105C9B0,00000240,01041E92,00000000,00000000,0104ACE0,00000000), ref: 0103DCE1
      • Part of subcall function 0103DCD0: RtlAllocateHeap.NTDLL(00000000,?,0103ACD8,00000001,?,00000000,01038C23,-00000105,0105C9B0,00000240,01041E92,00000000,00000000,0104ACE0,00000000,00000000), ref: 0103DCE8
    • longjmp.MSVCRT(01070A30,00000001,00000000,?,00000000), ref: 0105BB97
    • qsort.MSVCRT ref: 0105BC1A
    • wcschr.MSVCRT ref: 0105BC6F
    • calloc.MSVCRT ref: 0105BCB1
    • calloc.MSVCRT ref: 0105BD82
    • wcschr.MSVCRT ref: 0105BDCB
    • memcpy.MSVCRT ref: 0105BE1D
    • memcpy.MSVCRT ref: 0105BE3E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: Heapcallocfreememcpywcschr$AllocateProcesslongjmpqsort
    • String ID: &()[]{}^=;!%'+,`~
    • API String ID: 512418710-381716982
    • Opcode ID: 74bb4d260c1cc7d362a3ea42dcb95bc32b43b640f7bd82900b7dd45f4e866426
    • Instruction ID: 25afcf6759375e017a4cb3a799d0a8e9443678c8267fd241393113871e221d17
    • Opcode Fuzzy Hash: 74bb4d260c1cc7d362a3ea42dcb95bc32b43b640f7bd82900b7dd45f4e866426
    • Instruction Fuzzy Hash: A6C1D376A002159BEBA49F6CD8417AEBBF6FF44710F1440ADE984EB341EB30AD41CB65
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 73%
    			E0103B760(signed int* __ecx, signed int __edx) {
    				signed int _v8;
    				char _v24;
    				signed int _v28;
    				void* _v32;
    				int _v36;
    				void* _v40;
    				void* _v44;
    				void* _v52;
    				signed int _v552;
    				signed int _v556;
    				signed int _v560;
    				signed int _v564;
    				signed int _v568;
    				intOrPtr _v572;
    				void* _v584;
    				void* _v588;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				signed int _t62;
    				signed int _t65;
    				signed int _t69;
    				signed int _t73;
    				signed int _t74;
    				void* _t76;
    				int _t79;
    				signed int _t82;
    				int _t85;
    				signed int _t90;
    				signed int _t91;
    				void* _t92;
    				signed int _t93;
    				signed int _t94;
    				signed int _t95;
    				signed int _t96;
    				signed int _t108;
    				signed int* _t110;
    				void* _t111;
    				signed int _t117;
    				void* _t123;
    				signed int _t141;
    				void* _t142;
    				signed int _t143;
    				signed int _t145;
    				void* _t146;
    				signed int _t147;
    				signed int _t149;
    				void* _t150;
    
    				_t134 = __edx;
    				_t149 = (_t147 & 0xfffffff8) - 0x234;
    				_t62 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t62 ^ _t149;
    				_t110 = __ecx;
    				_v556 = __edx;
    				_t145 = 0;
    				_t141 = 1;
    				_v564 = 0;
    				_v560 = 1;
    				_v552 = 0;
    				if( *0x1066748 != __ecx) {
    					L73:
    					_t65 = _t145;
    					goto L33;
    				} else {
    					goto L2;
    					L34:
    					__eflags =  *((short*)( *((intOrPtr*)(_t134 + 0x38)))) - 0x3a;
    					if( *((short*)( *((intOrPtr*)(_t134 + 0x38)))) != 0x3a) {
    						goto L5;
    					}
    					_t145 = E0103DCD0(0x50);
    					__eflags = _t145;
    					if(_t145 == 0) {
    						L68:
    						_t65 = 1;
    						L33:
    						_pop(_t142);
    						_pop(_t146);
    						_pop(_t111);
    						__eflags = _v8 ^ _t149;
    						return E01046B30(_t65, _t111, _v8 ^ _t149, _t134, _t142, _t146);
    					}
    					 *_t145 = 0;
    					_t73 = E0103ACB0(L"GOTO");
    					 *(_t145 + 0x38) = _t73;
    					__eflags = _t73;
    					if(_t73 == 0) {
    						goto L68;
    					}
    					_t74 = E0103ACB0( *((intOrPtr*)(_v556 + 0x38)));
    					 *(_t145 + 0x3c) = _t74;
    					__eflags = _t74;
    					if(_t74 == 0) {
    						goto L68;
    					}
    					_t134 = 1;
    					 *_t74 = 0x20;
    					 *(_t145 + 0x40) = 0;
    					_v552 = 1;
    					L14:
    					if(_t141 != 0) {
    						__eflags = _t145;
    						if(_t145 != 0) {
    							_v560 = 0;
    						}
    					}
    					_t123 =  *_t145;
    					if(_t123 != 0 ||  *( *(_t145 + 0x38)) != 0x3a) {
    						if(_t134 != 0) {
    							_v552 = 0;
    							_t76 = _t123;
    						} else {
    							_t76 = _t123;
    							if( *0x105e0c0 == 1) {
    								_t76 = _t123;
    								__eflags = _t123 - 0x3b;
    								if(_t123 != 0x3b) {
    									__eflags =  *0x107951c;
    									_t76 = _t123;
    									if( *0x107951c == 0) {
    										E0105769E(_t123);
    										_t134 = 0;
    										E01053B4E(_t145, 0);
    										E01039950(L"\r\n");
    										_t76 =  *_t145;
    										_t149 = _t149 + 4;
    									}
    								}
    							}
    						}
    						if(_t76 == 0x3b) {
    							_t145 =  *(_t145 + 0x38);
    						}
    						_v28 = 0;
    						_v24 = 1;
    						 *(_t149 + 0x23c) = 0x104;
    						memset(_t149 + 0x24, 0, 0x104);
    						_t149 = _t149 + 0xc;
    						if(_v24 == 0) {
    							_t79 = 0x104;
    						} else {
    							_t79 = 0x7fe7;
    						}
    						if(E0103E3F0(_t79) < 0) {
    							E010461E6(_t149 + 0x20);
    							goto L68;
    						} else {
    							if(_t145 == 0) {
    								_t145 = 0;
    								_v564 = 0;
    								L27:
    								_t82 = _v28;
    								_v28 = 0;
    								if(_t82 != 0) {
    									__imp__??_V@YAXPAX@Z(_t82);
    									_t149 = _t149 + 4;
    								}
    								goto L29;
    							}
    							if( *_t145 != 0 || E0103ED90(0x2a,  *(_t145 + 0x38),  &_v564) != 0xffffffff) {
    								L26:
    								_t134 = _t145;
    								_v564 = E0103E470(2, _t145);
    								E0103E310(_t83);
    								_t85 = GetConsoleOutputCP();
    								 *0x10625a0 = _t85;
    								GetCPInfo(_t85, 0x106c9f0);
    								E0103E2AF();
    								_t145 = _v564;
    								goto L27;
    							} else {
    								_t90 = E0103A62F( *(_t145 + 0x38), 0x2a);
    								__eflags = _t90;
    								if(_t90 != 0) {
    									goto L26;
    								}
    								_t45 = _t90 + 0x3f; // 0x3f
    								_t91 = E0103A62F( *(_t145 + 0x38), _t45);
    								__eflags = _t91;
    								if(_t91 != 0) {
    									goto L26;
    								}
    								_t139 = _v28;
    								__eflags = _v28;
    								if(__eflags == 0) {
    									_t139 = _t149 + 0x20;
    								}
    								_t92 = E0103F410(_t145, _t139, __eflags,  *((intOrPtr*)(_t149 + 0x230)));
    								__eflags = _t92 - 2;
    								if(_t92 != 2) {
    									goto L26;
    								} else {
    									__eflags =  *(_t145 + 0x34);
    									if( *(_t145 + 0x34) == 0) {
    										L61:
    										_t93 = _v28;
    										__eflags = _t93;
    										if(__eflags == 0) {
    											_t93 = _t149 + 0x20;
    										}
    										_t134 =  *_t110;
    										_push(_t93);
    										_push(_t110[1]);
    										_t94 = E0103FCE9(_t110, _t145,  *_t110, _t141, _t145, __eflags);
    										__eflags = _t94;
    										if(_t94 != 0) {
    											goto L65;
    										} else {
    											_t145 = 0;
    											_v568 = 1;
    											_v572 = 0;
    											goto L27;
    										}
    									} else {
    										_t134 = _t145;
    										_t96 = E01057D6E(_v556, _t145);
    										__eflags = _t96;
    										if(_t96 != 0) {
    											L65:
    											_t95 = _v36;
    											_v36 = 0;
    											__eflags = _t95;
    											if(_t95 != 0) {
    												__imp__??_V@YAXPAX@Z(_t95);
    												_t149 = _t149 + 4;
    											}
    											goto L68;
    										}
    										goto L61;
    									}
    								}
    							}
    						}
    					} else {
    						L31:
    						_t145 = _v564;
    						L29:
    						if( *0x1066748 != _t110) {
    							goto L73;
    						} else {
    							_t141 = _v560;
    							_t134 = _v556;
    							L2:
    							if( *0x106259c != 0) {
    								E010598B5(_t110, _t141);
    								_t134 = _v556;
    							}
    							 *0x1066744 = 0;
    							if( *0x1066755 == 0 || _t141 == 0) {
    								goto L5;
    							} else {
    								goto L34;
    							}
    						}
    					}
    					L5:
    					_t143 = E0103E272(_t110);
    					if(_t143 == 0xffffffff) {
    						goto L68;
    					}
    					_t69 = E0103C570(3, _t143, _t110[4]);
    					_t145 = _t69;
    					__imp___tell(_t143);
    					_t110[2] = _t69;
    					_t150 = _t149 + 4;
    					_t8 = _t143 - 3; // -3
    					_t70 = _t8;
    					_t117 = 0;
    					_t134 = _t143;
    					if(_t8 > 0x5b) {
    						L9:
    						__imp___close(_t143);
    						_t149 = _t150 + 4;
    						if(_t145 == 0) {
    							goto L31;
    						}
    						if(_t145 == 1 ||  *0x10665ec == 0x234a) {
    							E01058959(_t70, _t117);
    							__eflags =  *0x105e0c0 - 1;
    							if( *0x105e0c0 == 1) {
    								__eflags =  *0x107951c;
    								if( *0x107951c == 0) {
    									E0105769E(_t117);
    									E010363BD(_t117, 0x2371, 1, 0x10625c2);
    									_t149 = _t149 + 0xc;
    								}
    							}
    							E01059922();
    							__imp__longjmp(0x1070a30, 1);
    							goto L73;
    						} else {
    							if(_t145 == 0xffffffff) {
    								_t65 = _v564;
    								goto L33;
    							} else {
    								_t141 = _v560;
    								_t134 = _v552;
    								goto L14;
    							}
    						}
    					}
    					if(_t143 > 0x1f) {
    						_t50 = _t143 - 0x20; // -32
    						_t108 = (_t50 >> 5) + 1;
    						__eflags = _t108;
    						_t117 = _t108;
    						do {
    							_t134 = _t134 - 0x20;
    							_t108 = _t108 - 1;
    							__eflags = _t108;
    						} while (_t108 != 0);
    					}
    					_t70 =  *((intOrPtr*)(0x10667ac + _t117 * 4));
    					asm("btr eax, edx");
    					goto L9;
    				}
    			}


    APIs
    • _tell.MSVCRT ref: 0103B7F9
    • _close.MSVCRT ref: 0103B82C
    • memset.MSVCRT ref: 0103B8CC
    • GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(00007FE7), ref: 0103B936
    • GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0106C9F0), ref: 0103B947
    • ??_V@YAXPAX@Z.MSVCRT ref: 0103B96D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: ConsoleInfoOutput_close_tellmemset
    • String ID: GOTO
    • API String ID: 1380661413-1693823284
    • Opcode ID: 319ff822ce3ec292bf94b9ef97bb1dcd38d28fc0f38da4f0addae97a418dcd20
    • Instruction ID: e74c7874c8b99203965893f57e23dad4dde28317a343fba5e534236aed26089d
    • Opcode Fuzzy Hash: 319ff822ce3ec292bf94b9ef97bb1dcd38d28fc0f38da4f0addae97a418dcd20
    • Instruction Fuzzy Hash: 13B1C070A053028BE771DF29C58476EB7E9BBC4708F04096DE8C697290EB75D945CB92
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 28%
    			E01043065(void* __eflags, intOrPtr _a4, wchar_t* _a8, long _a12, intOrPtr _a16) {
    				char _v8;
    				char _v12;
    				char _v28;
    				signed short* _t39;
    				short* _t45;
    				int _t50;
    				wchar_t* _t54;
    				long _t55;
    				long _t62;
    				signed int _t71;
    
    				E010459F6( &_a8);
    				_t39 = _a8;
    				_t62 =  *_t39 & 0x0000ffff;
    				if(_t62 == 0) {
    					L27:
    					_a16 = 0x400023cd;
    					L9:
    					L10:
    					asm("movsd");
    					asm("movsd");
    					asm("movsd");
    					return _a4;
    				}
    				if(_t62 == 0x28) {
    					_a8 =  &(_t39[1]);
    					_push( &_v28);
    					asm("movsd");
    					asm("movsd");
    					asm("movsd");
    					E01042DC2();
    					asm("movsd");
    					asm("movsd");
    					asm("movsd");
    					__eflags = _a16;
    					if(_a16 != 0) {
    						L21:
    						goto L10;
    					}
    					E010459F6( &_a8);
    					_t45 = _a8;
    					__eflags =  *_t45 - 0x29;
    					if( *_t45 != 0x29) {
    						_a16 = 0x400023cc;
    					} else {
    						_a8 = _t45 + 2;
    					}
    					goto L9;
    				}
    				if(wcschr(L"+-~!", _t62) != 0) {
    					_a8 =  &(_a8[0]);
    					_push( &_v28);
    					asm("movsd");
    					asm("movsd");
    					asm("movsd");
    					E01043065(__eflags);
    					asm("movsd");
    					asm("movsd");
    					asm("movsd");
    					__eflags = _a16;
    					if(_a16 != 0) {
    						goto L21;
    					}
    					E010452C2( &_a8, _t62, _a12);
    					goto L9;
    				}
    				_t50 = iswdigit(_t62);
    				if(_t50 == 0) {
    					__eflags = E010431EA( &_a8,  &_v12, __eflags,  &_v8);
    					if(__eflags == 0) {
    						goto L27;
    					} else {
    						_a12 = E01042239(_v8, __eflags);
    						goto L9;
    					}
    				}
    				__imp___errno();
    				 *_t50 = 0;
    				_t54 = _a8;
    				if( *_t54 == 0x30) {
    					_t71 = _t54[0] & 0x0000ffff;
    					__eflags = _t71 - 0x78;
    					if(_t71 == 0x78) {
    						L23:
    						_t55 = wcstoul(_t54,  &_a8, 0);
    						L6:
    						_a12 = _t55;
    						if(_t55 == 0x7fffffff) {
    							__imp___errno();
    							__eflags =  *_t55 - 0x22;
    							if( *_t55 != 0x22) {
    								goto L7;
    							}
    							_a16 = 0x400023d0;
    							goto L9;
    						}
    						L7:
    						if(iswdigit( *_a8 & 0x0000ffff) != 0 || iswalpha( *_a8 & 0x0000ffff) != 0) {
    							_a16 = 0x400023cf;
    						}
    						goto L9;
    					}
    					__eflags = _t71 - 0x58;
    					if(_t71 != 0x58) {
    						goto L5;
    					}
    					goto L23;
    				}
    				L5:
    				_t55 = wcstol(_t54,  &_a8, 0);
    				goto L6;
    			}

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: _errnoiswdigit$iswalphawcschrwcstolwcstoul
    • String ID: +-~!
    • API String ID: 2191331888-2604099254
    • Opcode ID: e84f446da3ebd884f3dd69e04461ff19b25ff50d04940e0a37b7e247e756c4ae
    • Instruction ID: 49d2511fd6c652f28ac4ea5393fca3ff6fbdc70e25ecf2bda0aff5a0afc11083
    • Opcode Fuzzy Hash: e84f446da3ebd884f3dd69e04461ff19b25ff50d04940e0a37b7e247e756c4ae
    • Instruction Fuzzy Hash: 4D517DB190021AEBCB15DF28D8859EF37B5FF09320B148565FD86AF150EBB5DA00CBA1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 38%
    			E01057220(void* __ebx, signed short* _a4) {
    				signed int _v8;
    				char _v268;
    				intOrPtr _v272;
    				short _v276;
    				short _v790;
    				signed short _v802;
    				long _v804;
    				void* __edi;
    				void* __esi;
    				signed int _t20;
    				signed short _t22;
    				void* _t27;
    				signed short _t31;
    				signed short _t32;
    				long _t50;
    				signed short* _t52;
    				void* _t54;
    				signed short* _t55;
    				long _t58;
    				void* _t64;
    				long _t66;
    				DWORD* _t68;
    				signed short* _t69;
    				void* _t70;
    				signed short* _t72;
    				void* _t73;
    				signed int _t74;
    				signed int _t76;
    				signed int _t78;
    				void* _t79;
    
    				_t54 = __ebx;
    				_t78 = (_t76 & 0xfffffff8) - 0x320;
    				_t20 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t20 ^ _t78;
    				_t72 = _a4;
    				_t68 = 0;
    				_v276 = 0x3a0020;
    				_v272 = 0x5c;
    				_t66 =  *_t72 & 0x0000ffff;
    				_v804 = 0;
    				if(_t66 != 0) {
    					_t55 = _t72;
    					_t69 =  &(_t55[1]);
    					do {
    						_t22 =  *_t55;
    						_t55 =  &(_t55[1]);
    					} while (_t22 != _v804);
    					if(_t55 - _t69 >> 1 != 2 || _t72[1] != 0x3a || iswalpha(_t66) == 0) {
    						E01039950(L"\r\n");
    						_pop(_t58);
    						_push(0);
    						_push(0xf);
    						goto L19;
    					} else {
    						_t31 = towupper( *_t72 & 0x0000ffff);
    						_t68 = 0;
    						goto L10;
    					}
    				} else {
    					_t52 =  *0x1078df8;
    					if(_t52 == 0) {
    						_t52 = 0x1078bf0;
    					}
    					_t31 = towupper( *_t52 & 0x0000ffff);
    					L10:
    					_pop(_t64);
    					_t32 = _t31 & 0x0000ffff;
    					_t74 = _t32 & 0x0000ffff;
    					_v276 = _t32;
    					if(GetVolumeInformationW( &_v276,  &_v790, 0x101,  &_v804, _t68, _t68, _t68, _t68) != 0) {
    						_push(_t74);
    						_push(L"%c");
    						_push(0x104);
    						_push(0x1078e30);
    						if(_v790 == 0) {
    							E01039ABF();
    							E010363BD(_t64, 0x235e, 1, 0x1078e30);
    							_t79 = _t78 + 0x1c;
    						} else {
    							E01039ABF();
    							_push( &_v790);
    							E010363BD(_t64, 0x235f, 2, 0x1078e30);
    							_t79 = _t78 + 0x20;
    						}
    						_push(_v804 & 0x0000ffff);
    						E01039ABF( &_v268, 0x80, L"%04X-%04X", _v802 & 0x0000ffff);
    						E010363BD(_t64, 0x235b, 1,  &_v268);
    						_t78 = _t79 + 0x20;
    						_t27 = 0;
    					} else {
    						E01039950(L"\r\n");
    						_t50 = GetLastError();
    						_t58 = 0x15;
    						if(_t50 != _t58) {
    							_t58 = GetLastError();
    						}
    						_push(_t68);
    						_push(_t58);
    						L19:
    						E010378E4(_t58);
    						_t27 = 1;
    					}
    				}
    				_pop(_t70);
    				_pop(_t73);
    				return E01046B30(_t27, _t54, _v8 ^ _t78, _t66, _t70, _t73);
    			}

    APIs
    • towupper.MSVCRT ref: 01057277
    • iswalpha.MSVCRT ref: 010572AA
    • towupper.MSVCRT ref: 010572BD
    • GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000101,?,00000000,00000000,00000000,00000000), ref: 010572EF
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 01057304
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 01057311
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: ErrorLasttowupper$InformationVolumeiswalpha
    • String ID: $%04X-%04X$\
    • API String ID: 4001382275-467840296
    • Opcode ID: 4b2520de3a63eecfb272526a503ed87f798517b25e5fa465b7bcf34657144763
    • Instruction ID: 3f5eec15cf3ce96d5a7fe9d3682ff2e4012c1db3d43336a6de497551ee9092ee
    • Opcode Fuzzy Hash: 4b2520de3a63eecfb272526a503ed87f798517b25e5fa465b7bcf34657144763
    • Instruction Fuzzy Hash: 9A412671604311AAD770ABA58C0AEBB77ECEFD8B10F44841EFDC9D7080E6759540D7A2
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 93%
    			E01052D1F(void* __ecx, intOrPtr* __edx) {
    				intOrPtr _v0;
    				long _v8;
    				long _v12;
    				long _t11;
    				void* _t16;
    				long _t18;
    				void* _t27;
    				intOrPtr* _t41;
    				void* _t44;
    
    				_t27 = __ecx;
    				_push(__ecx);
    				_push(__ecx);
    				_t44 = __ecx;
    				_t41 = __edx;
    				_t11 = WaitForSingleObject(__ecx, 0);
    				if(_t11 != 0xffffffff) {
    					if(_t11 == 0 || _t11 == 0x102) {
    						_v8 = 0;
    						if(_t11 != 0) {
    							_v12 = 0;
    							if(ReleaseSemaphore(_t44, 1,  &_v12) != 0) {
    								if(_v12 == 0) {
    									if(ReleaseSemaphore(_t44, 1, 0) != 0 || GetLastError() != 0x12a) {
    										goto L24;
    									} else {
    										_t18 = WaitForSingleObject(_t44, 0);
    										if(_t18 != 0xffffffff) {
    											if(_t18 == 0) {
    												goto L22;
    											} else {
    												goto L24;
    											}
    										} else {
    											goto L2;
    										}
    									}
    								} else {
    									goto L24;
    								}
    							} else {
    								goto L2;
    							}
    						} else {
    							if(ReleaseSemaphore(_t44, 1,  &_v8) != 0) {
    								_v8 = _v8 + 1;
    								if(ReleaseSemaphore(_t44, 1, 0) != 0 || GetLastError() != 0x12a) {
    									goto L24;
    								} else {
    									L22:
    									 *_t41 = _v8;
    									_t16 = 0;
    								}
    							} else {
    								goto L2;
    							}
    						}
    					} else {
    						L24:
    						E010534D4("wil", 0x8000ffff);
    						_t16 = 0x8000ffff;
    					}
    				} else {
    					L2:
    					_t16 = E010534BF(_v0, _t27);
    				}
    				return _t16;
    			}

    APIs
    • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000000,00000000,00000000,?,00000000,00000000,?,01053877), ref: 01052D31
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp Download File
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp Download File
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp Download File
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp Download File
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp Download File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: ObjectSingleWait
    • String ID: wil
    • API String ID: 24740636-1589926490
    • Opcode ID: ce152b6993000ee4656fbf9ba0e204df83fdd0adfc744f4a4731455fcae011d7
    • Instruction ID: 0a96c7e42a7996ba0e46c10a2f22116f3baf1b25c62f72cd5a4e41a847fc3f71
    • Opcode Fuzzy Hash: ce152b6993000ee4656fbf9ba0e204df83fdd0adfc744f4a4731455fcae011d7
    • Instruction Fuzzy Hash: BD319330704205EBEBA1AA68C848BAF369DEF40350F608475FDC2D7185D779CD1297A1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 81%
    			E0105832A(void* __ebx, intOrPtr __edx, intOrPtr _a4, long _a8, char _a16) {
    				signed int _v12;
    				char _v44;
    				short _v112;
    				short _v116;
    				char* _v120;
    				char* _v124;
    				char* _v128;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				signed int _t24;
    				long _t29;
    				void* _t33;
    				signed int _t40;
    				char* _t45;
    				long _t48;
    				void* _t49;
    				intOrPtr _t59;
    				signed int _t60;
    
    				_t56 = __edx;
    				_t49 = __ebx;
    				_t24 =  *0x105e0b4; // 0x6030efd1
    				_v12 = _t24 ^ _t60;
    				_t59 = _a4;
    				_v120 =  &_a16;
    				_v116 = 0;
    				_t29 = FormatMessageW(0x1900, 0, _a8, 0,  &_v116, 0xa,  &_v120);
    				_v120 = 0;
    				if(_t29 != 0) {
    					L5:
    					E01046604(_t59, 0x1031f00, _v116);
    					_t56 =  *((intOrPtr*)(_t59 + 0x10));
    					if(E010349C5(_t59,  *((intOrPtr*)(_t59 + 0x10))) != 0) {
    						E0103498F(_t59);
    					}
    					LocalFree(_v116);
    					_t33 = 0;
    				} else {
    					__imp___ultoa(_a8,  &_v44, 0x10);
    					_t40 = E0103E248(GetACP());
    					asm("sbb eax, eax");
    					MultiByteToWideChar(0,  ~( ~_t40),  &_v44, 0xffffffff,  &_v112, 0x20);
    					_v128 =  &_v112;
    					_t45 = L"Application";
    					if(_a8 < 0x2328) {
    						_t45 = L"System";
    					}
    					_v124 = _t45;
    					_t48 = FormatMessageW(0x3100, 0, 0x13d, 0,  &_v116, 0xa,  &_v128);
    					if(_t48 != 0) {
    						goto L5;
    					} else {
    						_t33 = _t48 + 1;
    					}
    				}
    				return E01046B30(_t33, _t49, _v12 ^ _t60, _t56, 0, _t59);
    			}

    APIs
    • FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001900,00000000,?,00000000,?,0000000A,?), ref: 01058360
    • _ultoa.MSVCRT ref: 01058376
    • GetACP.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(?,000000FF,?,00000020), ref: 0105838B
    • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(00000000,00000000), ref: 010583A0
    • FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00003100,00000000,0000013D,00000000,?,0000000A,?), ref: 010583D8
    • LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?), ref: 0105840C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: FormatMessage$ByteCharFreeLocalMultiWide_ultoa
    • String ID: (#$Application$System
    • API String ID: 3377411628-593978566
    • Opcode ID: a00f27b9abb1db351168229bf4a00966aea506b20b15bf683e9a61a9300dd216
    • Instruction ID: d2b760d7ec6b5d4ac21a8423107ba93d6078c49cc2024a763009959a0d2d5d8f
    • Opcode Fuzzy Hash: a00f27b9abb1db351168229bf4a00966aea506b20b15bf683e9a61a9300dd216
    • Instruction Fuzzy Hash: C3315C71A00208ABDB20DFA5D844DEEBBBDFB89751F10412AFD41E7181E7359901CB61
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 92%
    			E01045271(WCHAR* __ecx) {
    				signed int _v8;
    				short _v12;
    				short _v14;
    				short _v16;
    				WCHAR* _v20;
    				void* __edi;
    				void* __esi;
    				signed int _t8;
    				long _t15;
    				signed int _t17;
    				void* _t22;
    				void* _t26;
    				WCHAR* _t27;
    				long _t28;
    				signed int _t29;
    
    				_t8 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t8 ^ _t29;
    				_t27 = __ecx;
    				_t28 = 0;
    				if(GetFullPathNameW(__ecx, 4,  &_v16,  &_v20) == 3) {
    					if(_v14 != 0x3a || _v12 != 0x5c) {
    						goto L1;
    					} else {
    						_t15 = 0;
    						L3:
    						return E01046B30(_t15, _t22, _v8 ^ _t29, _t26, _t27, _t28);
    					}
    				}
    				L1:
    				if(RemoveDirectoryW(_t27) == 0) {
    					_t28 = GetLastError();
    					if(_t28 == 5) {
    						_t17 = GetFileAttributesW(_t27);
    						if(_t17 != 0xffffffff && (_t17 & 0x00000001) != 0 && SetFileAttributesW(_t27, _t17 & 0xfffffffe) != 0) {
    							if(RemoveDirectoryW(_t27) == 0) {
    								_t28 = GetLastError();
    							} else {
    								_t28 = 0;
    							}
    						}
    					}
    				}
    				_t15 = _t28;
    				goto L3;
    			}

    APIs
    • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000004,?,?,00000000,?,?,?,01045134,-00000001), ref: 01045294
    • RemoveDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000004,?,?,00000000,?,?,?,01045134,-00000001), ref: 010452A4
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000004,?,?,00000000,?,?,?,01045134,-00000001), ref: 01051036
    • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00000004,?,?,00000000,?,?,?,01045134,-00000001), ref: 01051048
    • SetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,?,?,?,00000004,?,?,00000000,?,?,?,01045134,-00000001), ref: 01051064
    • RemoveDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,?,?,?,00000004,?,?,00000000,?,?,?,01045134,-00000001), ref: 01051073
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp Download File
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp Download File
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp Download File
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp Download File
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp Download File
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: AttributesDirectoryFileRemove$ErrorFullLastNamePath
    • String ID: :$\
    • API String ID: 3961617410-1166558509
    • Opcode ID: 6903214d9f904f6bfce76e3b25d7861d3ad5720fde68e6d13c2063cc7eb15fda
    • Instruction ID: 1dc983a1988af1d85bf12be0b9e5581a2b069d8a8706076c03ae812631afa2fc
    • Opcode Fuzzy Hash: 6903214d9f904f6bfce76e3b25d7861d3ad5720fde68e6d13c2063cc7eb15fda
    • Instruction Fuzzy Hash: 6C11E771F00214EB97725F388D8857F7BF8EF467607080569F992E3184EB799985D2E0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 63%
    			E0104161D(signed char* __ecx, signed int __edx) {
    				signed int _v8;
    				int _v20;
    				char _v24;
    				int _v28;
    				void _v548;
    				int _v556;
    				char _v560;
    				int _v564;
    				void _v1084;
    				int _v1092;
    				char _v1096;
    				int _v1100;
    				void _v1620;
    				int _v1628;
    				char _v1632;
    				int _v1636;
    				void _v2156;
    				signed int _v2160;
    				signed int _v2164;
    				int _v2168;
    				int _v2172;
    				signed int _v2176;
    				intOrPtr* _v2180;
    				signed char* _v2184;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				signed int _t135;
    				signed int _t154;
    				int _t155;
    				int _t156;
    				void* _t176;
    				signed int _t178;
    				signed int _t188;
    				signed int _t189;
    				void* _t191;
    				signed int _t192;
    				signed int _t194;
    				signed int _t198;
    				signed int _t199;
    				intOrPtr* _t201;
    				signed int _t202;
    				signed int _t208;
    				signed int _t221;
    				signed int _t222;
    				signed int _t224;
    				intOrPtr _t225;
    				signed int _t226;
    				signed int _t228;
    				signed int _t229;
    				signed int _t232;
    				signed int _t234;
    				int _t237;
    				void* _t255;
    				signed int _t257;
    				signed int _t261;
    				signed int _t278;
    				void* _t284;
    				signed int _t291;
    				signed int _t293;
    				intOrPtr* _t294;
    				signed int _t296;
    				signed char* _t297;
    				intOrPtr* _t298;
    				signed int _t301;
    				signed int _t303;
    
    				_t290 = __edx;
    				_t135 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t135 ^ _t303;
    				_v20 = 0x104;
    				_v2164 = 1;
    				_v24 = 1;
    				_t297 = __ecx;
    				_v2184 = __ecx;
    				_v2172 = 0;
    				_v28 = 0;
    				memset( &_v548, 0, 0x104);
    				_v1636 = 0;
    				_v1632 = 1;
    				_v1628 = 0x104;
    				memset( &_v2156, 0, 0x104);
    				_v564 = 0;
    				_v560 = 1;
    				_v556 = 0x104;
    				memset( &_v1084, 0, 0x104);
    				_v1100 = 0;
    				_v1096 = 1;
    				_v1092 = 0x104;
    				memset( &_v1620, 0, 0x104);
    				if(E0103E3F0(((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0 || E0103E3F0(((0 | _v1632 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0 || E0103E3F0(((0 | _v560 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
    					L10:
    					_t154 = 1;
    					goto L11;
    				} else {
    					_t176 = E0103E3F0(((0 | _v1096 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104);
    					_t316 = _t176;
    					if(_t176 < 0 || E0104260E( &_v2176, _t290, _t316) == 1) {
    						goto L10;
    					} else {
    						_t301 = _v2176;
    						_t178 =  *_t297;
    						if( *_t301 == 0) {
    							_t178 = _t178 & 0xfffffff7;
    							 *_t297 = _t178;
    						}
    						if((_t178 & 0x00000008) != 0) {
    							 *((intOrPtr*)(_t301 + 0x24)) =  *((intOrPtr*)(_t301 + 0x1c)) - 1;
    							_t178 =  *_t297;
    						}
    						if((_t178 & 0x00000200) != 0) {
    							 *_t297 = _t178 | 0x00000004;
    						}
    						 *0x10667a8 = 0;
    						_t290 = 1;
    						if(E01037A34(_t297, 1, 1,  &_v2160) != 1) {
    							_v2168 = 0;
    							E0103A641(0x10320b8);
    							E0103A641(0x10320b8);
    							_t234 = _v2160;
    							while(1) {
    								__eflags = _t234;
    								if(_t234 == 0) {
    									break;
    								}
    								E0103A641( *(_t234 + 4));
    								__eflags =  *((char*)(_t234 + 0x10));
    								_t188 =  *_t297;
    								if( *((char*)(_t234 + 0x10)) != 0) {
    									_t188 = _t188 | 0x00000100;
    									 *_t297 = _t188;
    									__eflags = _t297[0x5c];
    									if(_t297[0x5c] == 0) {
    										L26:
    										__eflags = _t188 & 0x00000040;
    										if((_t188 & 0x00000040) == 0) {
    											_t189 = _v28;
    											__eflags = _t189;
    											if(_t189 == 0) {
    												_t189 =  &_v548;
    											}
    											E0103A641(_t189);
    											_t291 =  *(_t234 + 4);
    											_t99 = _t291 + 2; // 0x2
    											_t255 = _t99;
    											do {
    												_t191 =  *_t291;
    												_t291 = _t291 + 2;
    												__eflags = _t191 - _v2172;
    											} while (_t191 != _v2172);
    											_t192 = _v28;
    											_t293 = _t291 - _t255 >> 1;
    											__eflags = _t192;
    											if(_t192 == 0) {
    												_t192 =  &_v548;
    											}
    											_t290 = _t293 + 1;
    											E01037D65( *(_t234 + 4), _t293 + 1, _t192, _v20);
    											_t257 = _v1636;
    											__eflags = _t257;
    											if(_t257 == 0) {
    												_t257 =  &_v2156;
    											}
    											_t194 = _v28;
    											__eflags = _t194;
    											if(_t194 == 0) {
    												_t194 =  &_v548;
    											}
    											__imp___wcsicmp(_t194, _t257);
    											__eflags = _t194;
    											if(_t194 == 0) {
    												goto L27;
    											} else {
    												__eflags = _v2168;
    												if(_v2168 == 0) {
    													L56:
    													_t290 =  *(_t234 + 4);
    													_t228 = E0105AEBD(_t301,  *(_t234 + 4));
    													__eflags = _t228;
    													if(_t228 != 0) {
    														goto L10;
    													}
    													goto L27;
    												}
    												_t229 = E010349F8(_t234, _t301, _t297);
    												__eflags = _t229;
    												if(_t229 != 0) {
    													goto L10;
    												}
    												goto L56;
    											}
    										}
    										L27:
    										_t297[0x64] = 0;
    										_t297[0x60] = 0;
    										_t297[0x68] = 0;
    										_t297[0x6c] = 0;
    										_t261 =  *_t297;
    										_t198 = (_t261 & 0x00000010 | 0x00000020) >> 4;
    										__eflags = _t261 & 0x00020400;
    										if((_t261 & 0x00020400) != 0) {
    											_t198 = _t198 | 0x00000004;
    										}
    										_t290 = _t301;
    										asm("sbb ecx, ecx");
    										_t266 = _t234;
    										_t199 = E01036488(_t234, _t301, _t297[4], _t297[8], _t198, _t297,  !( ~(_t261 & 0x00004004)) & E01034C10, E01034BF0,  !( ~(_t261 & 0x00004004)) & E01034C10, E01034CB0);
    										_v2164 = _t199;
    										__eflags = _t199;
    										if(_t199 != 0) {
    											L78:
    											__eflags =  *0x106259c;
    											if( *0x106259c != 0) {
    												goto L31;
    											}
    											__eflags = _t199 - 5;
    											if(_t199 != 5) {
    												__eflags = _t297[0x60] + _t297[0x64];
    												if(_t297[0x60] + _t297[0x64] != 0) {
    													goto L31;
    												}
    												E0103498F(_t301);
    												_push(0);
    												_push(0x40002711);
    												E010378E4(_t301);
    												__eflags = 1;
    												_v2164 = 1;
    												L83:
    												goto L31;
    											}
    											_push(0);
    											_push(5);
    											E010378E4(_t266);
    											goto L83;
    										} else {
    											__eflags = _t297[0x60] + _t297[0x64];
    											if(_t297[0x60] + _t297[0x64] == 0) {
    												_t199 = _v2164;
    												goto L78;
    											}
    											__eflags =  *_t297 & 0x00000040;
    											if(( *_t297 & 0x00000040) == 0) {
    												E0103A641(0x10320b8);
    												_t221 =  *_t234;
    												__eflags = _t221;
    												if(_t221 == 0) {
    													L65:
    													_t278 = _v28;
    													__eflags = _t278;
    													if(_t278 == 0) {
    														_t278 =  &_v548;
    													}
    													_t222 = _v564;
    													__eflags = _t222;
    													if(_t222 == 0) {
    														_t222 =  &_v1084;
    													}
    													__imp___wcsicmp(_t222, _t278);
    													__eflags = _t222;
    													if(_t222 == 0) {
    														goto L31;
    													} else {
    														__eflags =  *_t297 & 0x00000010;
    														if(( *_t297 & 0x00000010) == 0) {
    															L73:
    															_t290 = _v1100;
    															__eflags = _v1100;
    															if(__eflags == 0) {
    																_t290 =  &_v1620;
    															}
    															_t154 = E0105A759(_t301, _t290, __eflags,  *_t297, _t297[0x64]);
    															__eflags = _t154;
    															if(_t154 != 0) {
    																L11:
    																_t232 = _t154;
    																L12:
    																if(_v1100 != 0) {
    																	__imp__??_V@YAXPAX@Z(_v1100);
    																}
    																_t155 = _v564;
    																_v564 = 0;
    																if(_t155 != 0) {
    																	__imp__??_V@YAXPAX@Z(_t155);
    																}
    																_t156 = _v1636;
    																_v1636 = 0;
    																if(_t156 != 0) {
    																	__imp__??_V@YAXPAX@Z(_t156);
    																}
    																_t237 = _v28;
    																_v28 = 0;
    																if(_t237 != 0) {
    																	__imp__??_V@YAXPAX@Z(_t237);
    																}
    																return E01046B30(_t232, _t232, _v8 ^ _t303, _t290, _t297, 0);
    															} else {
    																goto L31;
    															}
    														}
    														_t154 = E010349F8(_t234, _t301, _t297);
    														__eflags = _t154;
    														if(__eflags != 0) {
    															goto L11;
    														}
    														_t290 = _t297[0x60];
    														_t154 = E0105AE7F(_t234, _t301, _t297[0x60], __eflags,  &(_t297[0x68]),  *_t297);
    														__eflags = _t154;
    														if(_t154 != 0) {
    															goto L11;
    														}
    														goto L73;
    													}
    												}
    												_t224 =  *((intOrPtr*)(_t221 + 4));
    												_t294 = _t224;
    												_v2160 = _t224;
    												_t284 = _t294 + 2;
    												do {
    													_t225 =  *_t294;
    													_t294 = _t294 + 2;
    													__eflags = _t225 - _v2172;
    												} while (_t225 != _v2172);
    												_t226 = _v564;
    												_t296 = _t294 - _t284 >> 1;
    												__eflags = _t226;
    												if(_t226 == 0) {
    													_t226 =  &_v1084;
    												}
    												_t290 = _t296 + 1;
    												__eflags = _t296 + 1;
    												E01037D65(_v2160, _t296 + 1, _t226, _v556);
    												goto L65;
    											}
    											L31:
    											E0103DC60( *(_t234 + 4));
    											_t201 =  *((intOrPtr*)(_t234 + 0xc));
    											_v2180 = _t201;
    											_v2160 = 1;
    											__eflags =  *((intOrPtr*)(_t234 + 8)) - 1;
    											if( *((intOrPtr*)(_t234 + 8)) < 1) {
    												L35:
    												_t202 = _v2168;
    												__eflags = _t202;
    												if(_t202 != 0) {
    													E0103DC60(_t202);
    												}
    												_v2168 = _t234;
    												_t234 =  *_t234;
    												continue;
    											}
    											_t298 = _t201;
    											do {
    												E0103DC60( *_t298);
    												E0103DC60( *((intOrPtr*)(_t298 + 4)));
    												E0103DC60(_t298);
    												_t298 =  *((intOrPtr*)(_t298 + 0xc));
    												_t208 = _v2160 + 1;
    												_v2160 = _t208;
    												__eflags = _t208 -  *((intOrPtr*)(_t234 + 8));
    											} while (_t208 <=  *((intOrPtr*)(_t234 + 8)));
    											_t297 = _v2184;
    											_t301 = _v2176;
    											goto L35;
    										}
    									}
    									_push(0);
    									_push(0x40002713);
    									E010378E4(0);
    									goto L10;
    								}
    								__eflags = _t188 & 0x00020000;
    								if((_t188 & 0x00020000) == 0) {
    									_t188 = _t188 | 0x00000002;
    									__eflags = _t188;
    									 *_t297 = _t188;
    								}
    								goto L26;
    							}
    							E0103498F(_t301);
    							_t232 = _v2164;
    							goto L12;
    						} else {
    							goto L10;
    						}
    					}
    				}
    			}

    APIs
    • memset.MSVCRT ref: 01041665
    • memset.MSVCRT ref: 01041689
    • memset.MSVCRT ref: 010416AD
    • memset.MSVCRT ref: 010416D1
      • Part of subcall function 0103E3F0: memset.MSVCRT ref: 0103E455
    • ??_V@YAXPAX@Z.MSVCRT ref: 010417CF
    • ??_V@YAXPAX@Z.MSVCRT ref: 010417E9
    • ??_V@YAXPAX@Z.MSVCRT ref: 01041801
    • ??_V@YAXPAX@Z.MSVCRT ref: 01041813
      • Part of subcall function 0104260E: GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,01041775,-00000001,-00000001,-00000001,-00000001), ref: 01042650
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: memset$BufferConsoleInfoScreen
    • String ID:
    • API String ID: 1034426908-0
    • Opcode ID: ea7549939cab4d3f05cb36b91988419bc44520fca0b21bebedba15b2434e7ab7
    • Instruction ID: a7b58cc66f51cd05d5bb74e844d139baa5e182ac7a605f7b1936ecb6c771c7ec
    • Opcode Fuzzy Hash: ea7549939cab4d3f05cb36b91988419bc44520fca0b21bebedba15b2434e7ab7
    • Instruction Fuzzy Hash: 04F151B1A0421A9BDB65DF29C8C4AAABBF5FF44304F0441E9D989D7241DB35EA81CF50
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 65%
    			E010359C0(short* __edx, WCHAR* _a4) {
    				signed int _v8;
    				long _v20;
    				char _v24;
    				struct _SECURITY_ATTRIBUTES* _v28;
    				void _v548;
    				WCHAR* _v552;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t45;
    				void* _t47;
    				long _t57;
    				struct _SECURITY_ATTRIBUTES* _t59;
    				struct _SECURITY_ATTRIBUTES* _t60;
    				WCHAR* _t62;
    				long _t63;
    				WCHAR* _t67;
    				WCHAR* _t68;
    				WCHAR* _t69;
    				signed int _t70;
    				signed int _t71;
    				void* _t74;
    				WCHAR* _t76;
    				WCHAR* _t80;
    				signed int _t81;
    				signed int _t82;
    				struct _SECURITY_ATTRIBUTES* _t86;
    				signed int _t88;
    				signed int _t89;
    				void* _t97;
    				void* _t98;
    				short* _t102;
    				WCHAR* _t103;
    				WCHAR* _t105;
    				struct _SECURITY_ATTRIBUTES* _t106;
    				short* _t108;
    				short* _t109;
    				WCHAR* _t110;
    				signed int _t111;
    
    				_t102 = __edx;
    				_t45 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t45 ^ _t111;
    				_t110 = _a4;
    				_t47 = 0x3a;
    				if(_t110[1] != _t47) {
    					L2:
    					_v28 = 0;
    					_v20 = 0x104;
    					_t86 = 1;
    					_v24 = 1;
    					memset( &_v548, 0, 0x104);
    					_t91 =  &_v548;
    					if(E0103E3F0(((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
    						_t57 = 8;
    						L39:
    						_t106 = 0;
    						L40:
    						_push(_t106);
    						_push(_t57);
    						L41:
    						E010378E4(_t91);
    						L8:
    						_t59 = _v28;
    						_v28 = _t106;
    						if(_t59 != 0) {
    							__imp__??_V@YAXPAX@Z(_t59);
    						}
    						_t60 = _t86;
    						L11:
    						return E01046B30(_t60, _t86, _v8 ^ _t111, _t102, _t106, _t110);
    					}
    					_t62 = _v28;
    					if(_t62 == 0) {
    						_t62 =  &_v548;
    					}
    					_t91 =  &_v552;
    					_t63 = GetFullPathNameW(_t110, _v20, _t62,  &_v552);
    					if(_t63 == 0) {
    						_t57 = GetLastError();
    						goto L39;
    					} else {
    						if(_t63 >= 0x7fe7) {
    							E010378E4( &_v552, 0x400023d9, _t86, _t110);
    							_t106 = 0;
    							goto L8;
    						}
    						_t106 = 0;
    						if(CreateDirectoryW(_t110, 0) == 0) {
    							_t57 = GetLastError();
    							if(_t57 == 0xb7) {
    								E010378E4( &_v552, 0x235c, _t86, _t110);
    								goto L8;
    							}
    							if(_t57 != 3) {
    								goto L40;
    							}
    							if( *0x1066755 == 0) {
    								L34:
    								_push(_t106);
    								_push(0x52);
    								goto L41;
    							}
    							_t91 = _v28;
    							_t67 = _t91;
    							if(_t91 == 0) {
    								_t67 =  &_v548;
    							}
    							_t102 = 0x5c;
    							_t110 = 0x3a;
    							if(_t67[1] != _t110) {
    								_t68 = _t91;
    								if(_t91 == 0) {
    									_t68 =  &_v548;
    								}
    								if( *_t68 != _t102) {
    									goto L34;
    								} else {
    									_t69 = _t91;
    									if(_t91 == 0) {
    										_t69 =  &_v548;
    									}
    									if(_t69[1] != _t102) {
    										goto L34;
    									} else {
    										_t103 = _t91;
    										if(_t91 == 0) {
    											_t103 =  &_v548;
    										}
    										_t102 =  &(_t103[2]);
    										_v552 = _t102;
    										_t110 = _t102;
    										_t70 =  *_t102 & 0x0000ffff;
    										if(_t70 == 0) {
    											L59:
    											if( *_t102 != _t106) {
    												_t102 =  &(_t110[1]);
    												_v552 = _t102;
    												_t110 = _t102;
    											}
    											_t71 =  *_t102 & 0x0000ffff;
    											if(_t71 == 0) {
    												goto L30;
    											}
    											_t88 = _t71;
    											_t97 = 0x5c;
    											while(1) {
    												_t108 = _t110;
    												if(_t88 == _t97) {
    													break;
    												}
    												_t102 =  &(_t110[1]);
    												_v552 = _t102;
    												_t110 = _t102;
    												_t81 =  *_t102 & 0x0000ffff;
    												_t108 = _t102;
    												_t88 = _t81;
    												if(_t81 != 0) {
    													continue;
    												}
    												break;
    											}
    											_t91 = _v28;
    											_t86 = 1;
    											if( *_t102 == 0) {
    												goto L30;
    											}
    											_t102 =  &(_t108[1]);
    											_t106 = 0;
    											goto L24;
    										}
    										_t109 = _t102;
    										_t89 = _t70;
    										_t98 = 0x5c;
    										while(1) {
    											_t110 = _t109;
    											if(_t89 == _t98) {
    												break;
    											}
    											_t102 =  &(_t109[1]);
    											_v552 = _t102;
    											_t109 = _t102;
    											_t82 =  *_t102 & 0x0000ffff;
    											_t110 = _t102;
    											_t89 = _t82;
    											if(_t82 != 0) {
    												continue;
    											}
    											break;
    										}
    										_t91 = _v28;
    										_t86 = 1;
    										_t106 = 0;
    										goto L59;
    									}
    								}
    							} else {
    								_t105 = _t91;
    								if(_t91 == 0) {
    									_t105 =  &_v548;
    								}
    								_t102 =  &(_t105[3]);
    								while(1) {
    									L24:
    									_v552 = _t102;
    									while(1) {
    										L25:
    										_t110 =  *_t102 & 0x0000ffff;
    										if(_t110 == 0) {
    											break;
    										} else {
    											goto L26;
    										}
    										while(1) {
    											L26:
    											_t74 = 0x5c;
    											if(_t110 == _t74) {
    												break;
    											}
    											_t102 =  &(_t102[1]);
    											_v552 = _t102;
    											_t80 =  *_t102 & 0x0000ffff;
    											_t110 = _t80;
    											if(_t80 != 0) {
    												continue;
    											}
    											_t110 = 0x5c;
    											if( *_t102 != _t110) {
    												goto L25;
    											}
    											L20:
    											 *_t102 = 0;
    											_t76 = _v28;
    											if(_t76 == 0) {
    												_t76 =  &_v548;
    											}
    											if(CreateDirectoryW(_t76, _t106) != 0 || GetLastError() == 0xb7) {
    												 *_v552 = _t110;
    												_t91 = _v28;
    												_t102 =  &(_v552[1]);
    												goto L24;
    											} else {
    												goto L34;
    											}
    										}
    										_t110 = 0x5c;
    										goto L20;
    									}
    									L30:
    									if(_t91 == 0) {
    										_t91 =  &_v548;
    									}
    									_t106 = 0;
    									if(CreateDirectoryW(_t91, 0) != 0) {
    										goto L7;
    									} else {
    										_t57 = GetLastError();
    										if(_t57 == 0xb7) {
    											goto L7;
    										} else {
    											goto L40;
    										}
    									}
    								}
    							}
    						}
    						L7:
    						_t86 = _t106;
    						goto L8;
    					}
    				}
    				_t99 =  *_t110;
    				if(E01040B12( *_t110) == 0) {
    					_push(0);
    					_push(0xf);
    					E010378E4(_t99);
    					_t60 = 1;
    					goto L11;
    				}
    				goto L2;
    			}

    APIs
    • memset.MSVCRT ref: 01035A10
    • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,-00000001), ref: 01035A53
    • CreateDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000), ref: 01035A70
    • ??_V@YAXPAX@Z.MSVCRT ref: 01035A87
      • Part of subcall function 01040B12: GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 01040B40
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 01035AA1
    • CreateDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000), ref: 01035B09
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 01035B13
    • CreateDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000), ref: 01035B70
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 01049B7C
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: CreateDirectoryErrorLast$DriveFullNamePathTypememset
    • String ID:
    • API String ID: 402963468-0
    • Opcode ID: 60f365f98c1c1880e51dfb2fd687177b535b32aef3a0fe6b7cfea202fb9caded
    • Instruction ID: 559a68aef612dbb72f53d85079cbca32c2c005286ea2f193893b334be78180ba
    • Opcode Fuzzy Hash: 60f365f98c1c1880e51dfb2fd687177b535b32aef3a0fe6b7cfea202fb9caded
    • Instruction Fuzzy Hash: AD91C271A006069BEB79DB69DC84ABBB7F8FFC8354F0440B5E589E7190E7748981CB90
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 45%
    			E010545F9(void* __ecx, signed int __edx, int _a4, DWORD* _a8) {
    				long _v8;
    				long _v12;
    				void* _v16;
    				char* _v20;
    				short* _v24;
    				long _t31;
    				int _t34;
    				signed int _t36;
    				long _t39;
    				void _t43;
    				int _t50;
    				void* _t52;
    				int _t54;
    				int _t55;
    				signed int _t56;
    				void* _t57;
    				int _t58;
    				long _t61;
    				DWORD* _t63;
    
    				_t56 = __edx;
    				_t57 = __ecx;
    				_v24 = __edx;
    				_v16 = __ecx;
    				_t52 = 0x106a7f0;
    				_t31 = SetFilePointer(__ecx, 0, 0, 1);
    				_t61 = _a4;
    				_v12 = _t31;
    				if(_t61 >= 0x1fff) {
    					_a4 = 0x1fff;
    					_t61 = 0x1fff;
    				}
    				__imp__AcquireSRWLockShared(0x1078e04);
    				_t34 = ReadFile(_t57, _t52, _t61, _a8, 0);
    				__imp__ReleaseSRWLockShared(0x1078e04);
    				if(_t34 == 0) {
    					L26:
    					return 0;
    				} else {
    					_t63 = _a8;
    					_t58 =  *_t63;
    					if(_t58 == 0) {
    						goto L26;
    					}
    					_t54 = _t58;
    					_v8 = _t58;
    					if( *0x10625a0 == 0xfde9 && _v12 == 0 && _a4 > 3) {
    						_push(3);
    						_push(0x10334f8);
    						_push(_t52);
    						L01047FB7();
    						_t54 = _t58;
    						if(_t34 == 0) {
    							_t58 = _t58 + 0xfffffffd;
    							_v12 = 3;
    							_t52 = 0x106a7f3;
    							 *_t63 = _t58;
    							_v8 = _t58;
    							_t54 = _t58;
    						}
    					}
    					_v20 = _t52;
    					if(_t58 <= 0) {
    						L20:
    						_t55 =  *0x10625a0;
    						_t36 = E0103E248(_t55);
    						asm("sbb eax, eax");
    						_t39 = MultiByteToWideChar(_t55,  ~( ~_t36), _v20, _t58, _v24, _a4);
    						 *_t63 = _t39;
    						return _t39;
    					} else {
    						do {
    							if(_t54 < 3) {
    								L15:
    								if( *((char*)(( *_t52 & 0x000000ff) + 0x1078af0)) == 0) {
    									_t56 = _t56 | 0xffffffff;
    									goto L19;
    								}
    								if(_t54 == 1) {
    									__imp__AcquireSRWLockShared(0x1078e04);
    									_t26 = _t52 + 1; // 0x106a7f1
    									_t50 = ReadFile(_v16, _t26, 1,  &_v8, 0);
    									__imp__ReleaseSRWLockShared(0x1078e04);
    									if(_t50 == 0 || _v8 == 0) {
    										 *_a8 =  *_a8 & 0x00000000;
    										goto L26;
    									} else {
    										_t63 = _a8;
    										_t58 = _t58 + 1;
    										goto L20;
    									}
    								}
    								_push(2);
    								_pop(1);
    								_t56 = 0xfffffffe;
    								goto L19;
    							}
    							_t43 =  *_t52;
    							if(_t43 != 0xa ||  *(_t52 + 1) != 0xd) {
    								if(_t43 != 0xd ||  *(_t52 + 1) != 0xa) {
    									goto L15;
    								} else {
    									goto L21;
    								}
    							} else {
    								L21:
    								 *((char*)(_t52 + 2)) = 0;
    								_t58 = _t52 - _v20 + 2;
    								SetFilePointer(_v16, _v12 + _t58, 0, 0);
    								goto L20;
    							}
    							L19:
    							_t54 = _t54 + _t56;
    							_t52 = _t52 + 1;
    							_v8 = _t54;
    						} while (_t54 > 0);
    						goto L20;
    					}
    				}
    			}

    APIs
    • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,00000000,00000001,?,00000000,00000001,01059E02,?,?,01059E02), ref: 01054618
    • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01078E04,?,01059E02), ref: 01054637
    • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,0106A7F0,01059E02,?,00000000,?,01059E02), ref: 01054646
    • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01078E04,?,01059E02), ref: 01054653
    • memcmp.MSVCRT ref: 01054693
    • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(?,00000000,01059E02,00000000,?,01059E02,?,01059E02), ref: 01054720
    • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(?,01059E02,00000000,00000000,?,01059E02), ref: 01054742
    • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01078E04,?,01059E02), ref: 0105474F
    • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(?,0106A7F1,00000001,?,00000000,?,01059E02), ref: 01054764
    • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01078E04,?,01059E02), ref: 01054771
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: FileLockShared$AcquirePointerReadRelease$ByteCharMultiWidememcmp
    • String ID:
    • API String ID: 2002953238-0
    • Opcode ID: 679e2effd04f30f46e30a0673e55a8b054a5ab4d7eebaed2e8e5bd656d4b1712
    • Instruction ID: 55589ffc3303d0c4efe399af22dd3b052029ad301539c2576da39a5423825330
    • Opcode Fuzzy Hash: 679e2effd04f30f46e30a0673e55a8b054a5ab4d7eebaed2e8e5bd656d4b1712
    • Instruction Fuzzy Hash: 4D51D571E00209EFDBA18F68C848BAE7BB9FB45310F184159EDD5EB280E7754980CB61
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 57%
    			E0103C897(void* __eax, char* __edi) {
    				long _t100;
    				void* _t101;
    				long _t107;
    				void* _t109;
    				long _t113;
    				wchar_t* _t115;
    				int _t117;
    				signed char _t118;
    				void* _t122;
    				signed int _t123;
    				intOrPtr _t124;
    				intOrPtr* _t127;
    				long _t132;
    				wchar_t* _t133;
    				wchar_t* _t134;
    				signed int _t135;
    				wchar_t* _t136;
    				wchar_t* _t139;
    				intOrPtr _t140;
    				char _t141;
    				wchar_t* _t143;
    				signed int _t144;
    				wchar_t* _t145;
    				wchar_t* _t146;
    				void* _t148;
    				long _t150;
    				int _t151;
    				void* _t152;
    				long _t153;
    				void* _t154;
    				wchar_t* _t155;
    				signed int _t157;
    				signed int _t160;
    				wchar_t* _t161;
    				long _t162;
    				int _t163;
    				wchar_t* _t171;
    				long _t174;
    				long _t175;
    				int _t176;
    				intOrPtr _t180;
    				char* _t181;
    				long _t182;
    				void* _t183;
    				wchar_t* _t184;
    				int _t186;
    				long _t187;
    				long _t188;
    				long _t190;
    				void* _t191;
    				void* _t193;
    				long _t194;
    				long _t195;
    				signed int _t197;
    				void* _t199;
    				void* _t202;
    				void* _t204;
    				void* _t205;
    
    				_t181 = __edi;
    				while(1) {
    					L18:
    					_t153 =  *(_t197 - 0x61c);
    					do {
    						L19:
    						if( *0x106259c != 0) {
    							_t109 = E010598B5(_t153, _t182);
    						}
    						__imp___get_osfhandle(1);
    						_t199 = _t202 + 4;
    						_t101 = SetFilePointer(_t109, _t182, 0, 0);
    						 *(_t153 + 8) = _t101;
    						if( *(_t197 - 0x630) == 0) {
    							__eflags = _t101 -  *((intOrPtr*)(_t197 - 0x640));
    							if(_t101 <  *((intOrPtr*)(_t197 - 0x640))) {
    								goto L21;
    							} else {
    								_t163 =  *(_t197 - 0x618);
    								goto L56;
    							}
    						} else {
    							L21:
    							__imp___get_osfhandle(_t182);
    							_t199 = _t199 + 4;
    							_t151 = _t101;
    							 *(_t197 - 0x634) = _t151;
    							if((GetFileType(_t151) & 0xffff7fff) == 2) {
    								_t178 = _t197 - 0x614;
    								_t101 = E01054191(_t151, _t197 - 0x614, 0x200, _t197 - 0x618);
    								_t163 =  *(_t197 - 0x618);
    							} else {
    								_t181 = 0x106a7f0;
    								_t113 = SetFilePointer(_t151, 0, 0, 1);
    								 *(_t197 - 0x62c) = _t113;
    								__imp__AcquireSRWLockShared(0x1078e04);
    								_t115 = ReadFile(_t151, 0x106a7f0, 0x200, _t197 - 0x618, 0);
    								_t188 = _t115;
    								__imp__ReleaseSRWLockShared(0x1078e04);
    								_t163 =  *(_t197 - 0x618);
    								if(_t188 == 0) {
    									_t101 = 0;
    									goto L9;
    								} else {
    									 *(_t197 - 0x620) = _t163;
    									if(_t163 == 0) {
    										_t101 = 0;
    										goto L9;
    									} else {
    										_t187 = _t163;
    										 *(_t197 - 0x628) = _t187;
    										_t151 = _t163;
    										if( *0x10625a0 == 0xfde9) {
    											__eflags =  *(_t197 - 0x62c);
    											if( *(_t197 - 0x62c) == 0) {
    												_push(3);
    												_push(0x10334f8);
    												_push(0x106a7f0);
    												L01047FB7();
    												_t199 = _t199 + 0xc;
    												_t163 = _t151;
    												__eflags = _t115;
    												if(_t115 == 0) {
    													_t163 = _t163 + 0xfffffffd;
    													 *(_t197 - 0x62c) = 3;
    													_t187 = _t163;
    													 *(_t197 - 0x620) = _t163;
    													_t181 = 0x106a7f3;
    													 *(_t197 - 0x618) = _t163;
    													 *(_t197 - 0x628) = _t187;
    													_t151 = _t163;
    												}
    											}
    										}
    										_t178 = _t181;
    										 *(_t197 - 0x638) = _t178;
    										if(_t151 <= 0) {
    											L4:
    											_t151 =  *0x10625a0;
    											if(_t151 < 0x2b || _t151 >= 0xc42c) {
    												__eflags = _t151 - 0xc435;
    												if(__eflags > 0) {
    													__eflags = _t151 - 0xdeb3;
    													if(_t151 > 0xdeb3) {
    														__eflags = _t151 - 0xfde8 - 1;
    														if(_t151 - 0xfde8 > 1) {
    															goto L6;
    														} else {
    															goto L121;
    														}
    													} else {
    														__eflags = _t151 - 0xdeaa;
    														if(_t151 >= 0xdeaa) {
    															goto L121;
    														} else {
    															__eflags = _t151 - 0xcec8;
    															if(_t151 == 0xcec8) {
    																goto L121;
    															} else {
    																__eflags = _t151 - 0xd698;
    																if(_t151 == 0xd698) {
    																	goto L121;
    																} else {
    																	goto L6;
    																}
    															}
    														}
    													}
    												} else {
    													if(__eflags == 0) {
    														L121:
    														_t117 = 0;
    														goto L7;
    													} else {
    														__eflags = _t151 - 0xc431;
    														if(__eflags > 0) {
    															__eflags = _t151 - 0xc433;
    															if(_t151 == 0xc433) {
    																goto L121;
    															} else {
    																goto L6;
    															}
    														} else {
    															if(__eflags == 0) {
    																goto L121;
    															} else {
    																__eflags = _t151 - 0x2a;
    																if(_t151 == 0x2a) {
    																	goto L121;
    																} else {
    																	__eflags = _t151 - 0xc42b;
    																	if(_t151 <= 0xc42b) {
    																		goto L6;
    																	} else {
    																		__eflags = _t151 - 0xc42e;
    																		if(_t151 <= 0xc42e) {
    																			goto L121;
    																		} else {
    																			goto L6;
    																		}
    																	}
    																}
    															}
    														}
    													}
    												}
    												goto L150;
    											} else {
    												L6:
    												_t117 = 1;
    											}
    											L7:
    											_t188 = _t197 - 0x614;
    											_t101 = MultiByteToWideChar(_t151, _t117, _t178, _t163, _t188, 0x200);
    											_t163 = _t101;
    											goto L8;
    										} else {
    											do {
    												if(_t187 < 3) {
    													L30:
    													if( *((char*)(( *_t181 & 0x000000ff) + 0x1078af0)) != 0) {
    														__eflags = _t187 - 1;
    														if(_t187 == 1) {
    															__imp__AcquireSRWLockShared(0x1078e04);
    															_t69 =  &(_t181[1]); // 0x106a7f1
    															_t100 = ReadFile( *(_t197 - 0x634), _t69, 1, _t197 - 0x628, 0);
    															_t188 = _t100;
    															__imp__ReleaseSRWLockShared(0x1078e04);
    															__eflags = _t188;
    															if(_t188 == 0) {
    																L104:
    																_t163 = 0;
    																_t101 = 0;
    																goto L8;
    															} else {
    																__eflags =  *(_t197 - 0x628);
    																if( *(_t197 - 0x628) == 0) {
    																	goto L104;
    																} else {
    																	_t163 =  &(( *(_t197 - 0x620))[0]);
    																	goto L3;
    																}
    															}
    														} else {
    															_t187 = _t187 + 0xfffffffe;
    															_t150 = 2;
    															goto L32;
    														}
    													} else {
    														_t187 = _t187 - 1;
    														_t150 = 1;
    														goto L32;
    													}
    												} else {
    													_t118 =  *_t181;
    													if(_t118 == 0xa) {
    														__eflags = _t181[1] - 0xd;
    														if(_t181[1] == 0xd) {
    															goto L2;
    														} else {
    															goto L30;
    														}
    													} else {
    														if(_t118 == 0xd) {
    															if(_t181[1] != 0xa) {
    																goto L30;
    															} else {
    																L2:
    																_t181[2] = 0;
    																_t186 = _t181 - _t178 + 2;
    																 *(_t197 - 0x620) = _t186;
    																SetFilePointer( *(_t197 - 0x634),  *(_t197 - 0x62c) + _t186, 0, 0);
    																_t163 = _t186;
    																L3:
    																_t178 =  *(_t197 - 0x638);
    																goto L4;
    															}
    															L8:
    															 *(_t197 - 0x618) = _t163;
    															L9:
    															_t182 =  *(_t197 - 0x624);
    														} else {
    															goto L30;
    														}
    													}
    												}
    												goto L10;
    												L32:
    												_t181 =  &(_t181[_t150]);
    												 *(_t197 - 0x628) = _t187;
    											} while (_t187 > 0);
    											goto L4;
    										}
    										goto L10;
    									}
    								}
    								goto L150;
    							}
    							L10:
    							if(_t101 == 0) {
    								L56:
    								__eflags = _t163;
    								if(_t163 != 0) {
    									goto L147;
    								} else {
    									goto L57;
    								}
    							} else {
    								if(_t163 == 0) {
    									L57:
    									__eflags =  *(_t197 - 0x630);
    									if( *(_t197 - 0x630) == 0) {
    										L147:
    										E01041CB1(_t101);
    										 *0x1066748 =  *((intOrPtr*)( *(_t197 - 0x61c) + 0x110));
    										E010378E4( *(_t197 - 0x61c), 0x400023ab, 1, _t197 - 0x10c);
    										_t190 = 1;
    										L52:
    										E0103A16C(_t182);
    										_t107 = _t190;
    										_pop(_t183);
    										_pop(_t191);
    										__eflags =  *(_t197 - 8) ^ _t197;
    										_pop(_t152);
    										return E01046B30(_t107, _t152,  *(_t197 - 8) ^ _t197, _t178, _t183, _t191);
    									} else {
    										__imp___get_osfhandle(0);
    										_t202 = _t199 + 4;
    										_t109 = SetFilePointer(_t101, _t182, 0, 0);
    										 *(_t197 - 0x630) = 0;
    										goto L18;
    									}
    								} else {
    									if(_t163 == 0xffffffff ||  *(_t197 - 0x614) == 0 ||  *(_t197 - 0x10c) == 0) {
    										goto L56;
    									} else {
    										_t122 = _t163 + _t163;
    										if(_t122 >= 0x402) {
    											_t123 = E01046C78(_t122, _t151, _t163, _t178, _t182, _t188);
    											asm("int3");
    											asm("int3");
    											asm("int3");
    											asm("int3");
    											asm("int3");
    											asm("int3");
    											__eflags =  *0x10665f0;
    											_push(_t188);
    											if( *0x10665f0 != 0) {
    												_t163 = _t163 | 0x00000010;
    											}
    											_t124 = E0103CF10(_t123, 0x1074af0, 0x2000, _t163); // executed
    											_t180 = _t124;
    											 *0x1066700 = _t180;
    											__eflags = _t180 - 0xffffffff;
    											if(_t180 == 0xffffffff) {
    												 *0x10665ec = 0x234a;
    												__imp__longjmp(0x1070ab0, 1);
    												goto L149;
    											} else {
    												_t127 = 0x1074af0;
    												_t58 = _t127 + 2; // 0x1074af2
    												_t193 = _t58;
    												do {
    													_t171 =  *_t127;
    													_t127 = _t127 + 2;
    													__eflags = _t171;
    												} while (_t171 != 0);
    												 *0x10666fc = (_t127 - _t193 >> 1) + 1;
    												__eflags =  *0x1079059 - _t171;
    												if( *0x1079059 != _t171) {
    													L149:
    													_push(0x1074af0);
    													_push(_t180);
    													E01039950(L"GeToken: (%x) \'%s\'\n");
    													_t180 =  *0x1066700;
    												}
    											}
    											return _t180;
    										} else {
    											 *((short*)(_t197 + _t122 - 0x614)) = 0;
    											_t109 = wcschr(_t197 - 0x614, 0x3a);
    											_t154 = _t109;
    											_t202 = _t199 + 8;
    											if(_t154 != 0) {
    												do {
    													_t188 = _t154;
    													_t155 = _t154 + 2;
    													 *(_t197 - 0x620) = _t155;
    													__eflags =  *_t188 - 0xa;
    													if( *_t188 != 0xa) {
    														while(1) {
    															_t109 = _t197 - 0x614;
    															__eflags = _t188 - _t109;
    															if(_t188 == _t109) {
    																goto L37;
    															}
    															_t188 = _t188 - 2;
    															__eflags =  *_t188 - 0xa;
    															if( *_t188 != 0xa) {
    																continue;
    															}
    															goto L37;
    														}
    													}
    													L37:
    													__eflags =  *_t188 - 0x3a;
    													if( *_t188 != 0x3a) {
    														_t188 = _t188 + 2;
    														__eflags = _t188;
    													}
    													_t184 = _t188;
    													__eflags = _t188;
    													if(_t188 != 0) {
    														while(1) {
    															_t162 =  *_t184 & 0x0000ffff;
    															_t139 = iswspace(_t162);
    															_t202 = _t202 + 4;
    															__eflags = _t139;
    															if(_t139 != 0) {
    															}
    															L41:
    															__eflags = _t162 - 0xa;
    															if(_t162 != 0xa) {
    																L42:
    																_t184 =  &(_t184[0]);
    																_t162 =  *_t184 & 0x0000ffff;
    																_t139 = iswspace(_t162);
    																_t202 = _t202 + 4;
    																__eflags = _t139;
    																if(_t139 != 0) {
    																}
    															}
    															L43:
    															_t109 = wcschr(L"=,;", _t162);
    															_t202 = _t202 + 8;
    															__eflags = _t109;
    															if(_t109 != 0) {
    																__eflags = _t162;
    																if(_t162 == 0) {
    																	goto L44;
    																} else {
    																	goto L42;
    																}
    																goto L50;
    															}
    															L44:
    															_t155 =  *(_t197 - 0x620);
    															goto L45;
    														}
    													}
    													L45:
    													__eflags =  *_t184 - 0x3a;
    													if( *_t184 == 0x3a) {
    														__eflags = _t188;
    														if(_t188 == 0) {
    															__eflags = 0;
    															 *(_t197 - 0x620) = 0;
    															goto L125;
    														} else {
    															_t109 = wcschr(_t188, 0xa);
    															_t161 = _t109;
    															_t202 = _t202 + 8;
    															 *(_t197 - 0x620) = _t161;
    															__eflags = _t161;
    															if(_t161 == 0) {
    																L125:
    																__imp___get_osfhandle(1);
    																_t204 = _t202 + 4;
    																_t132 = SetFilePointer(_t109,  *(_t197 - 0x624), 0, 0);
    																__eflags = _t132 -  *((intOrPtr*)(_t197 - 0x63c));
    																if(_t132 ==  *((intOrPtr*)(_t197 - 0x63c))) {
    																	goto L62;
    																} else {
    																	_t175 =  *(_t197 - 0x618);
    																	__eflags = _t175 - 0x200;
    																	if(_t175 == 0x200) {
    																		goto L62;
    																	} else {
    																		_t188 = _t188 - _t197 - 0x614 >> 1;
    																		_t176 = _t175 - _t188;
    																		_t148 = E01039434();
    																		__eflags = _t148;
    																		if(_t148 != 0) {
    																			_t148 = WideCharToMultiByte( *0x10625a0, 0, _t197 - 0x614, _t176, 0, 0, 0, 0);
    																			_t176 = _t148;
    																		}
    																		_t182 =  *(_t197 - 0x624);
    																		__imp___get_osfhandle(1);
    																		_t202 = _t204 + 4;
    																		_t109 = SetFilePointer(_t148, _t182,  ~_t176, 0);
    																		L49:
    																		_t153 =  *(_t197 - 0x61c);
    																	}
    																}
    															} else {
    																while(1) {
    																	L62:
    																	_t194 =  *_t184 & 0x0000ffff;
    																	_t133 = iswspace(_t194);
    																	_t204 = _t204 + 4;
    																	__eflags = _t133;
    																	if(_t133 != 0) {
    																		goto L130;
    																	}
    																	L63:
    																	_t134 = wcschr(L"=,;", _t194);
    																	_t204 = _t204 + 8;
    																	__eflags = _t134;
    																	if(_t134 != 0) {
    																		__eflags = _t194;
    																		if(_t194 == 0) {
    																			goto L64;
    																		} else {
    																			L133:
    																			_t184 =  &(_t184[0]);
    																			L62:
    																			_t194 =  *_t184 & 0x0000ffff;
    																			_t133 = iswspace(_t194);
    																			_t204 = _t204 + 4;
    																			__eflags = _t133;
    																			if(_t133 != 0) {
    																				goto L130;
    																			}
    																			goto L63;
    																		}
    																		L76:
    																		 *(_t197 + _t157 * 2 - 0x20c) = 0;
    																		_t109 = _t197 - 0x10c;
    																		__imp___wcsicmp(_t109, _t197 - 0x20c);
    																		_t155 =  *(_t197 - 0x620);
    																		_t202 = _t205 + 8;
    																		__eflags = _t109;
    																		if(_t109 != 0) {
    																			goto L46;
    																		} else {
    																			_t140 =  *((intOrPtr*)(_t197 - 0x644));
    																			__eflags =  *(_t140 + 0x40) & 0x00000001;
    																			if(( *(_t140 + 0x40) & 0x00000001) == 0) {
    																				_t141 = 0;
    																			} else {
    																				_t141 = 1;
    																			}
    																			 *0x1066744 = _t141;
    																			_t109 = E01039434();
    																			__eflags = _t155;
    																			if(_t155 == 0) {
    																				__eflags = _t109;
    																				if(_t109 == 0) {
    																					_t153 =  *(_t197 - 0x61c);
    																					_t109 =  *(_t197 - 0x618);
    																					_t182 =  *(_t197 - 0x624);
    																					 *(_t153 + 8) =  *(_t153 + 8) + _t109;
    																				} else {
    																					_push(0);
    																					_push(0);
    																					_push(0);
    																					_push(0);
    																					_push( *(_t197 - 0x618));
    																					goto L146;
    																				}
    																			} else {
    																				_t160 = _t155 - _t197 - 0x614 + 2 >> 1;
    																				__eflags = _t109;
    																				if(_t109 != 0) {
    																					_push(0);
    																					_push(0);
    																					_push(0);
    																					_push(0);
    																					_push(_t160);
    																					L146:
    																					_t109 = WideCharToMultiByte( *0x10625a0, 0, _t197 - 0x614, ??, ??, ??, ??, ??);
    																					_t153 =  *(_t197 - 0x61c);
    																					_t182 =  *(_t197 - 0x624);
    																					 *(_t153 + 8) =  *(_t153 + 8) + _t109;
    																				} else {
    																					_t188 =  *(_t197 - 0x61c);
    																					_t182 =  *(_t197 - 0x624);
    																					 *((intOrPtr*)(_t188 + 8)) =  *((intOrPtr*)(_t188 + 8)) + _t160;
    																					_t153 = _t188;
    																				}
    																			}
    																		}
    																		goto L50;
    																	}
    																	L64:
    																	_t135 =  *_t184 & 0x0000ffff;
    																	__eflags = _t135 - 0x3a;
    																	if(_t135 != 0x3a) {
    																		__eflags = _t135 - 0x2b;
    																		if(_t135 != 0x2b) {
    																			goto L66;
    																		} else {
    																			goto L65;
    																		}
    																		while(1) {
    																			L71:
    																			_t188 =  *_t184 & 0x0000ffff;
    																			_t136 = wcschr(L"+:\n\r\t ", _t188);
    																			_t205 = _t204 + 8;
    																			__eflags = _t136;
    																			if(_t136 != 0) {
    																				goto L76;
    																			}
    																			_t143 = wcschr(L"&<|>", _t188);
    																			_t205 = _t205 + 8;
    																			__eflags = _t143;
    																			if(_t143 == 0) {
    																				__eflags = _t188 - 0x5e;
    																				if(_t188 == 0x5e) {
    																					_t174 = _t184[0] & 0x0000ffff;
    																					_t184 =  &(_t184[0]);
    																				} else {
    																					_t174 = _t188;
    																				}
    																				_t39 = _t157 + 1; // 0x1
    																				_t144 = _t39;
    																				 *(_t197 + _t157 * 2 - 0x20c) = _t174;
    																				_t184 =  &(_t184[0]);
    																				_t157 = _t144;
    																				__eflags = _t144 - 0x7f;
    																				if(_t144 < 0x7f) {
    																					continue;
    																				}
    																			}
    																			goto L76;
    																		}
    																		goto L76;
    																	} else {
    																		L65:
    																		_t184 =  &(_t184[0]);
    																		__eflags = _t184;
    																	}
    																	L66:
    																	__eflags = _t184;
    																	if(_t184 != 0) {
    																		while(1) {
    																			_t195 =  *_t184 & 0x0000ffff;
    																			_t145 = iswspace(_t195);
    																			_t204 = _t204 + 4;
    																			__eflags = _t145;
    																			if(_t145 != 0) {
    																				goto L136;
    																			}
    																			L69:
    																			_t146 = wcschr(L"=,;", _t195);
    																			_t204 = _t204 + 8;
    																			__eflags = _t146;
    																			if(_t146 != 0) {
    																				__eflags = _t195;
    																				if(_t195 == 0) {
    																					goto L70;
    																				} else {
    																					L139:
    																					_t184 =  &(_t184[0]);
    																					_t195 =  *_t184 & 0x0000ffff;
    																					_t145 = iswspace(_t195);
    																					_t204 = _t204 + 4;
    																					__eflags = _t145;
    																					if(_t145 != 0) {
    																						goto L136;
    																					}
    																					goto L69;
    																				}
    																				goto L76;
    																			}
    																			goto L70;
    																			L136:
    																			__eflags = _t195 - 0xa;
    																			if(_t195 != 0xa) {
    																				goto L139;
    																			} else {
    																				goto L69;
    																			}
    																			goto L71;
    																		}
    																	}
    																	L70:
    																	_t157 = 0;
    																	__eflags = 0;
    																	goto L71;
    																	L130:
    																	__eflags = _t194 - 0xa;
    																	if(_t194 != 0xa) {
    																		goto L133;
    																	} else {
    																		goto L63;
    																	}
    																	goto L71;
    																}
    															}
    														}
    													} else {
    														L46:
    														__eflags = _t155;
    														if(_t155 == 0) {
    															break;
    														} else {
    															goto L47;
    														}
    													}
    													goto L50;
    													L47:
    													_t109 = wcschr(_t155, 0x3a);
    													_t154 = _t109;
    													_t202 = _t202 + 8;
    													__eflags = _t154;
    												} while (_t154 != 0);
    												_t182 =  *(_t197 - 0x624);
    												goto L49;
    											} else {
    												while(1) {
    													L18:
    													_t153 =  *(_t197 - 0x61c);
    													goto L19;
    												}
    											}
    										}
    									}
    								}
    							}
    						}
    						L150:
    						L50:
    						__eflags =  *0x1066744 - 1;
    					} while ( *0x1066744 != 1);
    					_t190 = 0;
    					__eflags = 0;
    					goto L52;
    				}
    			}

    APIs
    • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(?,00000001,0106A7F0,00000000,?,00000200), ref: 0103C818
    • wcschr.MSVCRT ref: 0103C882
    • _get_osfhandle.MSVCRT ref: 0103C8BA
    • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 0103C8C4
    • _get_osfhandle.MSVCRT ref: 0103C8DB
    • GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 0103C8ED
    • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,00000000,00000001), ref: 0103C90D
    • AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01078E04), ref: 0103C91E
    • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,0106A7F0,00000200,00000000,00000000), ref: 0103C934
    • ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01078E04), ref: 0103C941
    • _get_osfhandle.MSVCRT ref: 0103CAC4
    • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 0103CACE
    • memcmp.MSVCRT ref: 0104D16E
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: File$Pointer_get_osfhandle$LockShared$AcquireByteCharMultiReadReleaseTypeWidememcmpwcschr
    • String ID:
    • API String ID: 1383533039-0
    • Opcode ID: 9a0e2e464c8182db6e62dfab863af3ca8750d9ceeb613ef261fd48722576df94
    • Instruction ID: c20aa6b0ee4caf8c4fcff4a19a26ddacb2a532af811c1d3c18ec3c536965bf81
    • Opcode Fuzzy Hash: 9a0e2e464c8182db6e62dfab863af3ca8750d9ceeb613ef261fd48722576df94
    • Instruction Fuzzy Hash: C2412C71E003149BFF318F288D8D7A97ABABB84310F1800EAF589F7180C77A4991CB55
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 36%
    			E01040444(void* __ecx) {
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				void* _t2;
    				signed int _t4;
    				intOrPtr _t6;
    				void* _t11;
    				signed int _t18;
    				void* _t23;
    				void* _t33;
    				void* _t35;
    				intOrPtr* _t36;
    
    				_push(__ecx);
    				_push(_t11);
    				_push(_t35);
    				_t33 = __ecx;
    				_t2 = E0103CC70(0);
    				_t40 = _t2 - 0x4000;
    				if(_t2 != 0x4000) {
    					E01058959(_t2, 0);
    				}
    				_t4 = E0103BB90(_t11, 0, _t33, _t35, _t40);
    				_t36 = _t4;
    				__imp___wcsicmp(L"ERRORLEVEL", 0x1074af0);
    				_pop(_t18);
    				if(_t4 == 0) {
    					 *_t36 = 0x35;
    					goto L14;
    				} else {
    					__imp___wcsicmp(L"EXIST", 0x1074af0);
    					_pop(_t18);
    					if(_t4 == 0) {
    						 *_t36 = 0x37;
    						L14:
    						_t6 = E0103BC30(E0103A931(0x1074af0, _t18, _t33, _t36), 0, _t18, 0);
    						L12:
    						 *((intOrPtr*)(_t36 + 0x3c)) = _t6;
    						L9:
    						return _t36;
    					}
    					if( *0x1066755 == 0) {
    						L7:
    						__imp___wcsicmp(L"NOT", 0x1074af0);
    						_pop(_t23);
    						if(_t4 == 0) {
    							__eflags = _t33;
    							if(_t33 != 0) {
    								E01058959(_t4, _t23);
    							}
    							 *_t36 = 0x38;
    							__eflags = 1;
    							_t6 = E01040444(1);
    							goto L12;
    						}
    						E0103CF10(_t4, 0, 0, 0);
    						 *_t36 = 0x39;
    						E01039789(_t36);
    						goto L9;
    					}
    					__imp___wcsicmp(L"CMDEXTVERSION", 0x1074af0);
    					_pop(_t18);
    					if(_t4 == 0) {
    						 *_t36 = 0x34;
    						goto L14;
    					}
    					if( *0x1066755 == 0) {
    						goto L7;
    					}
    					__imp___wcsicmp(L"DEFINED", 0x1074af0);
    					_pop(_t18);
    					if(_t4 == 0) {
    						 *_t36 = 0x36;
    						goto L14;
    					}
    					goto L7;
    				}
    			}

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: _wcsicmp
    • String ID: CMDEXTVERSION$DEFINED$ERRORLEVEL$EXIST$NOT
    • API String ID: 2081463915-1668778490
    • Opcode ID: 2751c695a37bf413c2d0785864129995eadbd39eaebf0dd4de88487c6353372b
    • Instruction ID: 743f7bce8fa6ee66d975605f646a0756c4eadddb67789a42db8123f89189549d
    • Opcode Fuzzy Hash: 2751c695a37bf413c2d0785864129995eadbd39eaebf0dd4de88487c6353372b
    • Instruction Fuzzy Hash: 0E21EAF16083079BF7791A29A8997BF76DCEFC0264F18447EF6C2A60C4EE7A84408755
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 68%
    			E01039EF2(intOrPtr __ecx, intOrPtr* __edx) {
    				signed int _v8;
    				long _v20;
    				char _v24;
    				WCHAR* _v28;
    				void _v548;
    				intOrPtr* _v552;
    				intOrPtr _v556;
    				intOrPtr* _v560;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t58;
    				WCHAR* _t69;
    				intOrPtr* _t72;
    				void* _t80;
    				WCHAR* _t86;
    				signed int _t90;
    				intOrPtr _t97;
    				void* _t98;
    				intOrPtr _t101;
    				intOrPtr _t102;
    				char _t105;
    				WCHAR* _t112;
    				WCHAR* _t118;
    				void* _t124;
    				intOrPtr* _t128;
    				signed int _t131;
    				void* _t136;
    				intOrPtr* _t138;
    				signed int _t140;
    				void* _t141;
    				WCHAR* _t142;
    				intOrPtr _t143;
    				intOrPtr _t144;
    				intOrPtr* _t145;
    				signed int _t146;
    
    				_t132 = __edx;
    				_t58 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t58 ^ _t146;
    				_v560 = __edx;
    				_t142 = 0;
    				_v20 = 0x104;
    				_v552 = 0;
    				_v28 = 0;
    				_t137 = __ecx;
    				_t105 = 1;
    				_v556 = __ecx;
    				_v24 = 1;
    				memset( &_v548, 0, 0x104);
    				if(E0103E3F0(((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
    					L31:
    					_t69 = _v28;
    					_v28 = _t142;
    					if(_t69 != 0) {
    						__imp__??_V@YAXPAX@Z(_t69);
    					}
    					return E01046B30(_t105, _t105, _v8 ^ _t146, _t132, _t137, _t142);
    				}
    				_t143 =  *((intOrPtr*)(_t137 + 0x34));
    				if(_t143 == 0) {
    					L11:
    					_t144 = _v560;
    					if(_t144 == 3) {
    						_t72 =  *0x1066774;
    						_v552 = _t72;
    						L14:
    						_t145 =  *((intOrPtr*)(_t137 + 0x34));
    						if(_t145 == 0) {
    							L30:
    							_t142 = 0;
    							_t105 = 0;
    							goto L31;
    						}
    						_t137 = 0;
    						do {
    							if( *(_t145 + 8) != _t137) {
    								goto L29;
    							}
    							__imp___get_osfhandle( *_t145);
    							if(_t72 == 0xffffffff) {
    								L42:
    								 *(_t145 + 8) =  *(_t145 + 8) | 0xffffffff;
    								L22:
    								_t112 =  *(_t145 + 4);
    								if( *_t112 == 0x26) {
    									_t112[2] = 0;
    									_t132 =  *_t145;
    									_t114 = (( *(_t145 + 4))[1] & 0x0000ffff) - 0x30;
    									if(E0103A1D6((( *(_t145 + 4))[1] & 0x0000ffff) - 0x30,  *_t145) != 0xffffffff) {
    										goto L29;
    									}
    									L56:
    									E0103A125();
    									_t137 = 0x1078e30;
    									E01039ABF(0x1078e30, 0x104, L"%d",  *_t145);
    									E010378E4(_t114, 0x2344, _t105, 0x1078e30);
    									L36:
    									_t142 = 0;
    									goto L31;
    								}
    								_push(_t112);
    								if( *((short*)(_t145 + 0x10)) == 0x3c) {
    									_t132 = 0x8000;
    									_t137 = E01040590(_t112, 0x8000);
    									if(_t137 != 0xffffffff) {
    										L26:
    										if(_t137 !=  *_t145) {
    											_t132 =  *_t145;
    											_t80 = E0103A1D6(_t137,  *_t145);
    											_t114 = _t137;
    											if(_t80 == 0xffffffff) {
    												E0103A16C(_t114);
    												goto L56;
    											}
    											E0103A16C(_t114);
    											_t137 =  *_t145;
    										}
    										if(_t137 == 0xffffffff) {
    											L57:
    											E0103A125();
    											E01059EDB( *0x10667a8);
    											goto L36;
    										}
    										 *((intOrPtr*)(_v552 + 4)) = _t137;
    										_t137 = 0;
    										goto L29;
    									}
    									_t86 = E01041D90(L"DPATH");
    									if(_t86 == 0) {
    										goto L57;
    									}
    									_t118 = _v28;
    									if(_t118 == 0) {
    										_t118 =  &_v548;
    									}
    									_t132 = 0;
    									if(SearchPathW(_t86,  *(_t145 + 4), 0, _v20, _t118, 0) == 0) {
    										goto L57;
    									} else {
    										_t112 = _v28;
    										if(_t112 == 0) {
    											_t112 =  &_v548;
    										}
    										_push(_t112);
    										_t132 = 0x8000;
    										L25:
    										_t137 = E01040590(_t112, _t132);
    										if(_t137 == 0xffffffff) {
    											goto L57;
    										}
    										goto L26;
    									}
    								}
    								asm("sbb edx, edx");
    								_t132 = ( ~( *(_t145 + 0xc)) & 0xfffffe09) + 0x301;
    								goto L25;
    							}
    							__imp___get_osfhandle( *_t145);
    							if(_t72 == 0xfffffffe) {
    								goto L42;
    							}
    							if(E0103DD98(_t72) == 0) {
    								_t89 = E01059FCF(_t89,  *_t145);
    								if(_t89 != 0) {
    									goto L20;
    								}
    								__imp___get_osfhandle( *_t145, _t137, _t137, _t105);
    								_pop(_t122);
    								if(_t89 != 0xffffffff) {
    									goto L20;
    								}
    								_t137 = 0x1078e30;
    								E01039ABF(0x1078e30, 0x104, L"%d",  *_t145);
    								_push(0x1078e30);
    								_push(_t105);
    								_push(0x40002721);
    								L54:
    								E010378E4(_t122);
    								 *(_t145 + 8) = 0;
    								E0103A125();
    								goto L36;
    							}
    							L20:
    							_t122 =  *_t145;
    							_t90 = E0103A1A8(_t89,  *_t145);
    							 *(_t145 + 8) = _t90;
    							if(_t90 == 0xffffffff) {
    								_t137 = 0x1078e30;
    								E01039ABF(0x1078e30, 0x104, L"%d",  *_t145);
    								_push(0x1078e30);
    								_push(_t105);
    								_push(0x2344);
    								goto L54;
    							}
    							E0103A16C( *_t145);
    							goto L22;
    							L29:
    							_t72 =  *((intOrPtr*)(_t145 + 0x14));
    							_t145 = _t72;
    						} while (_t72 != 0);
    						goto L30;
    					}
    					_t124 = 0x10;
    					_t72 = E0103DCD0(_t124);
    					_v552 = _t72;
    					if(_t72 == 0) {
    						goto L36;
    					}
    					 *((intOrPtr*)(_t72 + 0xc)) =  *0x1066774;
    					 *0x1066774 = _t72;
    					 *((intOrPtr*)(_t72 + 8)) = _t137;
    					 *_t72 = _t144;
    					goto L14;
    				} else {
    					goto L2;
    				}
    				do {
    					L2:
    					_t126 =  *((intOrPtr*)(_t143 + 4));
    					_t138 =  *((intOrPtr*)(_t143 + 4));
    					_t136 = _t138 + 2;
    					do {
    						_t97 =  *_t138;
    						_t138 = _t138 + 2;
    					} while (_t97 != _v552);
    					_t140 = _t138 - _t136 >> 1;
    					_t98 = E01040060(_t126, _t140);
    					_t132 = _t140 + 1;
    					E0103F3A0( *((intOrPtr*)(_t143 + 4)), _t140 + 1, _t98);
    					if( *((intOrPtr*)(_t143 + 8)) != 0) {
    						goto L9;
    					}
    					_t132 =  *((intOrPtr*)(_t143 + 4));
    					_t128 = _t132;
    					_t141 = _t128 + 2;
    					do {
    						_t102 =  *_t128;
    						_t128 = _t128 + 2;
    					} while (_t102 != _v552);
    					_t131 = (_t128 - _t141 >> 1) - 1;
    					if(_t131 > _t105 &&  *((short*)(_t132 + _t131 * 2)) == 0x3a) {
    						 *((short*)(_t132 + _t131 * 2)) = 0;
    					}
    					L9:
    					_t101 =  *((intOrPtr*)(_t143 + 0x14));
    					_t143 = _t101;
    				} while (_t101 != 0);
    				_t137 = _v556;
    				goto L11;
    			}

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: _get_osfhandlememset
    • String ID: DPATH
    • API String ID: 3784859044-2010427443
    • Opcode ID: a1b20fac4933922a1c2605a2c6e0681625f8ea7f26e4fa24b23c70db25b11229
    • Instruction ID: a6a7f2f26cbf1f534a8b558eb2fd0450eb43607a7a5d5c9c456ec9d59072c692
    • Opcode Fuzzy Hash: a1b20fac4933922a1c2605a2c6e0681625f8ea7f26e4fa24b23c70db25b11229
    • Instruction Fuzzy Hash: B0A10471A00102DBD734AF78C984AAEB7E9EFC4760B148669E5D6D7290DB31DC41CB90
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 75%
    			E01056650(void* __ecx, signed int __edx, char* _a4) {
    				signed int _v8;
    				short _v528;
    				void* _v532;
    				signed int _v536;
    				void* _v540;
    				long _v544;
    				int _v548;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t36;
    				intOrPtr _t38;
    				intOrPtr* _t41;
    				signed short* _t50;
    				char _t53;
    				signed short _t62;
    				long _t68;
    				signed short _t70;
    				signed int _t72;
    				short* _t74;
    				char* _t77;
    				char* _t87;
    				void* _t90;
    				signed short _t94;
    				signed int _t97;
    				signed int _t98;
    				intOrPtr* _t99;
    				signed short* _t103;
    				void* _t105;
    				signed int _t106;
    
    				_t36 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t36 ^ _t106;
    				_t77 = _a4;
    				_t97 = __edx;
    				_v540 = __ecx;
    				_t99 = __edx;
    				_v536 = __edx;
    				_t94 = __edx + 2;
    				do {
    					_t38 =  *_t99;
    					_t99 = _t99 + 2;
    				} while (_t38 != 0);
    				if((_t99 - _t94 >> 1) + 0x14 <= 0x104) {
    					E0103F3A0( &_v528, 0x104, __edx);
    					_t94 = 0x104;
    					_t41 =  &_v528;
    					while( *_t41 != 0) {
    						_t41 = _t41 + 2;
    						_t94 = _t94 - 1;
    						if(_t94 != 0) {
    							continue;
    						}
    						break;
    					}
    					asm("sbb ecx, ecx");
    					_t84 =  ~_t94 & 0x00000104 - _t94;
    					if(_t94 != 0) {
    						_t74 =  &(( &_v528)[_t84]);
    						_t105 = 0x104 - _t84;
    						if(_t105 == 0) {
    							L14:
    							_t74 = _t74 - 2;
    						} else {
    							_t90 = 0x7ffffffe;
    							_t94 = L"\\Shell\\Open\\Command" - _t74;
    							while(_t90 != 0) {
    								_t98 =  *(_t74 + _t94) & 0x0000ffff;
    								if(_t98 != 0) {
    									 *_t74 = _t98;
    									_t74 =  &(_t74[1]);
    									_t90 = _t90 - 1;
    									_t105 = _t105 - 1;
    									if(_t105 != 0) {
    										continue;
    									}
    								}
    								break;
    							}
    							_t97 = _v536;
    							if(_t105 == 0) {
    								goto L14;
    							}
    						}
    						_t84 = 0;
    						 *_t74 = 0;
    					}
    					_t103 = RegOpenKeyExW(_v540,  &_v528, 0, 0x2000000,  &_v532);
    					if(_t103 == 0) {
    						L29:
    						if(_t77 == 0 ||  *_t77 == 0) {
    							_t103 = RegDeleteValueW(_v532, 0);
    							if(_t103 != 0) {
    								E010378E4(_t84, 0x400023a5, 1, _t97);
    								goto L38;
    							}
    						} else {
    							_t87 = _t77;
    							_t94 =  &(_t87[2]);
    							do {
    								_t53 =  *_t87;
    								_t87 =  &(_t87[2]);
    							} while (_t53 != 0);
    							_t89 = _t87 - _t94 >> 1;
    							_t103 = RegSetValueExW(_v532, 0x10320b8, 0, 2, _t77, 2 + (_t87 - _t94 >> 1) * 2);
    							if(_t103 != 0) {
    								_push(0);
    								_push(_t103);
    								E010378E4(_t89);
    								E010378E4(_t89, 0x235d, 1, _t97);
    							} else {
    								_push(_t77);
    								_push(_t97);
    								E01039950(L"%s=%s\r\n");
    								L38:
    							}
    						}
    						RegCloseKey(_v532);
    						goto L40;
    					} else {
    						if(_t77 == 0 ||  *_t77 == 0) {
    							E010378E4(_t84, 0x400023a5, 1, _t97);
    							L40:
    							_t50 = _t103;
    						} else {
    							_t103 =  &_v528;
    							while(1) {
    								_t62 =  *_t103 & 0x0000ffff;
    								_t84 = _t62;
    								_v536 = _t62;
    								if(_t62 == 0) {
    									goto L24;
    								}
    								_t94 = _t62;
    								while(1) {
    									_t84 = _t94 & 0x0000ffff;
    									_v536 = _t94 & 0x0000ffff;
    									if(_t94 == 0x5c) {
    										goto L24;
    									}
    									_t103 =  &(_t103[1]);
    									_t72 =  *_t103 & 0x0000ffff;
    									_t84 = _t72;
    									_t94 = _t72;
    									_v536 = _t72;
    									if(_t72 != 0) {
    										continue;
    									}
    									goto L24;
    								}
    								L24:
    								 *_t103 = 0;
    								_t68 = RegCreateKeyExW(_v540,  &_v528, 0, 0, 0, 0x2000000, 0,  &_v532,  &_v548);
    								_v544 = _t68;
    								if(_t68 != 0) {
    									E010378E4(_t84, 0x400023a5, 1, _t97);
    									_t50 = _v544;
    								} else {
    									_t70 = _v536;
    									if(_t70 == 0) {
    										goto L29;
    									} else {
    										 *_t103 = _t70;
    										_t103 =  &(_t103[1]);
    										RegCloseKey(_v532);
    										continue;
    									}
    								}
    								goto L41;
    							}
    						}
    					}
    				} else {
    					_push(0);
    					_push(0x400023db);
    					E010378E4(0);
    					_t50 = 1;
    				}
    				L41:
    				return E01046B30(_t50, _t77, _v8 ^ _t106, _t94, _t97, _t103);
    			}

    APIs
    • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,02000000,?), ref: 01056745
    • RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000000,00000000,02000000,00000000,?,?), ref: 010567CF
    • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 010567F6
    • RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,010320B8,00000000,00000002,?,00000000), ref: 01056867
    • RegDeleteValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000), ref: 010568A3
    • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 010568C5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: CloseValue$CreateDeleteOpen
    • String ID: %s=%s$\Shell\Open\Command
    • API String ID: 4081037667-3301834661
    • Opcode ID: dd18c448138213998bc54253c257a22f4cf1fd574620ae8ba33444d05588818f
    • Instruction ID: 2b204c62670a01c2b619200a06c2b0f6ef31e1c108232a4d65b000bcc081f59b
    • Opcode Fuzzy Hash: dd18c448138213998bc54253c257a22f4cf1fd574620ae8ba33444d05588818f
    • Instruction Fuzzy Hash: B561DAB5E401299BEB759B28CC44AFF77B8FF54700F4441E9ED89E7240EA329E44C6A0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 40%
    			E010564DB(void* __ebx, void* __ecx, short* __edx, void* __edi, void* __esi, void* __eflags) {
    				char* _t24;
    				char _t38;
    				short* _t44;
    				char* _t51;
    				char* _t54;
    				char* _t59;
    				char* _t61;
    				char* _t62;
    				void* _t63;
    
    				_t46 = __ecx;
    				_push(0x18);
    				_push(0x105cd00);
    				E010471A8(__ebx, __edi, __esi);
    				_t44 = __edx;
    				 *(_t63 - 0x20) = __ecx;
    				_t24 =  *(_t63 + 8);
    				if(_t24 == 0 ||  *_t24 == 0) {
    					__imp__RegDeleteKeyExW(_t46, _t44, 0, 0);
    					_t59 = _t24;
    					 *(_t63 - 0x1c) = _t59;
    					if(_t59 == 0) {
    						goto L16;
    					}
    					_t61 = RegOpenKeyExW( *(_t63 - 0x20), _t44, 0, 0x2000000, _t63 - 0x24);
    					 *(_t63 - 0x1c) = _t61;
    					if(_t61 == 0) {
    						_t59 = RegDeleteValueW( *(_t63 - 0x24), 0x10320b8);
    						 *(_t63 - 0x1c) = _t59;
    						if(_t59 != 0) {
    							_push(0);
    							E010378E4(_t46);
    							_t46 = _t59;
    						}
    						RegCloseKey( *(_t63 - 0x24));
    					} else {
    						if(_t61 != 2) {
    							_push(0);
    							E010378E4(_t46);
    							_t46 = _t61;
    						}
    					}
    					goto L15;
    				} else {
    					_t59 = RegCreateKeyExW(__ecx, __edx, 0, 0, 0, 2, 0, _t63 - 0x20, 0);
    					 *(_t63 - 0x1c) = _t59;
    					if(_t59 != 0) {
    						L7:
    						_push(0);
    						_push(_t59);
    						E010378E4(_t46);
    						E010378E4(_t46, 0x235d, 1, _t44);
    						goto L15;
    					} else {
    						_t54 =  *(_t63 + 8);
    						_t51 = _t54;
    						_t62 =  &(_t51[2]);
    						do {
    							_t38 =  *_t51;
    							_t51 =  &(_t51[2]);
    						} while (_t38 != 0);
    						_t46 = _t51 - _t62 >> 1;
    						_t59 = RegSetValueExW( *(_t63 - 0x20), 0, 0, 1, _t54, 2 + (_t51 - _t62 >> 1) * 2);
    						 *(_t63 - 0x1c) = _t59;
    						RegCloseKey( *(_t63 - 0x20));
    						if(_t59 != 0) {
    							goto L7;
    						}
    						_push( *(_t63 + 8));
    						_push(_t44);
    						E01039950(L"%s=%s\r\n");
    						L15:
    						if(_t59 != 0) {
    							L19:
    							 *[fs:0x0] =  *((intOrPtr*)(_t63 - 0x10));
    							return _t59;
    						}
    						L16:
    						 *((intOrPtr*)(_t63 - 4)) = 0;
    						if(E010472EF(_t46) != 0) {
    							 *0x107d020(0x8000000, 0, 0, 0);
    						}
    						 *((intOrPtr*)(_t63 - 4)) = 0xfffffffe;
    						goto L19;
    					}
    				}
    			}

    APIs
    • RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,0105CD00,00000018,?,?,0104BFD6), ref: 0105650F
    • RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,00000000,00000000,00000001,?,00000000,?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,0105CD00), ref: 01056545
    • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,0105CD00,00000018,?,?,0104BFD6), ref: 01056553
    • RegDeleteKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000000,0105CD00,00000018,?,?,0104BFD6), ref: 01056590
    • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,02000000,?,?,?,00000000,00000000,0105CD00,00000018,?,?,0104BFD6), ref: 010565AD
    • RegDeleteValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,010320B8,?,00000000,02000000,?,?,?,00000000,00000000,0105CD00,00000018,?,?,0104BFD6), ref: 010565D4
    • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,02000000,?,?,?,00000000,00000000,0105CD00,00000018,?,?,0104BFD6), ref: 010565EF
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: CloseDeleteValue$CreateOpen
    • String ID: %s=%s
    • API String ID: 1019019434-1087296587
    • Opcode ID: 30f776d0c02157dc509410201548f441c3f7155b53d9c49cc4e69d40ec34873b
    • Instruction ID: 0404c4d6c9d07ed488b474f61a0aa861d9d42cc8de3c333fe4e2b27f48910684
    • Opcode Fuzzy Hash: 30f776d0c02157dc509410201548f441c3f7155b53d9c49cc4e69d40ec34873b
    • Instruction Fuzzy Hash: 5E41F0B2D40225ABEB719B59CC09EAF7EB8EBC9B40F440159FC8577244D6274E02CBB0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 89%
    			E01037150(void* __ebx, void* __ecx, void _a4) {
    				signed int _v8;
    				void* __edi;
    				void* __esi;
    				signed short _t12;
    				signed short _t13;
    				char _t23;
    				signed int _t29;
    				signed short _t33;
    				void* _t39;
    				void* _t40;
    				void* _t41;
    				void _t45;
    				wchar_t* _t49;
    				void* _t50;
    
    				_t45 = _a4;
    				_t29 = 0;
    				_t49 =  *(_t45 + 0x3c);
    				if(_t49 == 0) {
    					L15:
    					if( *_t45 != 0x14) {
    						goto L26;
    					} else {
    						goto L16;
    					}
    				} else {
    					_t39 = 0x20;
    					while(1) {
    						_t10 =  *_t49 & 0x0000ffff;
    						if(_t10 == 0 || _t10 > _t39) {
    							break;
    						}
    						_t49 =  &(_t49[0]);
    						__eflags = _t49;
    						if(_t49 != 0) {
    							continue;
    						} else {
    						}
    						break;
    					}
    					if(_t49 == 0) {
    						goto L15;
    					} else {
    						__imp___wcsnicmp(_t49, L"/B", 2);
    						if(_t10 != 0) {
    							L11:
    							if(_t49 != 0 && swscanf(_t49, L"%d",  &_v8) == 1) {
    								_t10 = _v8;
    								 *0x10665dc = _t10;
    								if( *0x1066758 != _t29) {
    									_t29 = _t10;
    								}
    							}
    							goto L15;
    						} else {
    							 *_t45 = 0x14;
    							 *(_t45 + 0x3c) = L":EOF";
    							_t49 =  &(_t49[1]);
    							if(_t49 == 0) {
    								L16:
    								if( *0x1066748 == 0) {
    									L26:
    									E010421D2(_t10,  *0x10625a8);
    									_t50 =  *0x10665dc;
    									do {
    										_t12 = E01041E70(__eflags, 0);
    										__eflags = _t12;
    									} while (__eflags == 0);
    									exit(_t50);
    									asm("int3");
    									__eflags = _t12 - 0x7a;
    									if(_t12 > 0x7a) {
    										_t33 = _t12;
    									} else {
    										_t33 = _t12 + 0xffffffe0 & 0x0000ffff;
    									}
    									_t13 =  *0x1078df8;
    									__eflags = _t13;
    									if(_t13 == 0) {
    										_t13 = 0x1078bf0;
    									}
    									__eflags =  *_t13 - _t33;
    									if( *_t13 != _t33) {
    										E01059A7D((_t33 & 0x0000ffff) - 0x40, _t41);
    										_t45 =  *_t50;
    									}
    									__eflags = 1;
    									E01038BC7(_t29, _t45, 1, _t45, _t50, 1);
    									RtlFreeHeap(GetProcessHeap(), 0,  *_t50);
    									E010372EE( *((intOrPtr*)(_t50 + 4)));
    									E010372C6( *((intOrPtr*)(_t50 + 4)));
    									 *0x1066755 =  *((intOrPtr*)(_t50 + 8));
    									 *0x1066754 =  *((intOrPtr*)(_t50 + 9));
    									_t23 = RtlFreeHeap(GetProcessHeap(), 0, _t50);
    									return _t23;
    								} else {
    									E0103C6C0(_t29, _t45, _t45);
    									return _t29;
    								}
    							} else {
    								_t40 = 0x20;
    								while(1) {
    									_t10 =  *_t49 & 0x0000ffff;
    									if(_t10 == 0 || _t10 > _t40) {
    										goto L11;
    									}
    									_t49 =  &(_t49[0]);
    									if(_t49 != 0) {
    										continue;
    									}
    									goto L11;
    								}
    								goto L11;
    							}
    						}
    					}
    				}
    			}


















    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: _wcsnicmpswscanf
    • String ID: :EOF
    • API String ID: 1534968528-551370653
    • Opcode ID: 5a545e77a079d02f1f21c4f2bf423d057fea6e02b59736a32801bb07a5bfbc30
    • Instruction ID: 36811d74d7335636fe039302b77e20725549e8aeecaba4e29fbfac59d4fb3930
    • Opcode Fuzzy Hash: 5a545e77a079d02f1f21c4f2bf423d057fea6e02b59736a32801bb07a5bfbc30
    • Instruction Fuzzy Hash: 43313BB2A00251EBE7706F5CD844B6A7BEDEFC5650F044069FEC2A7285DB3A9841C760
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 71%
    			E01056035(void* __ecx, void* __edx) {
    				signed int _v8;
    				intOrPtr _v984;
    				intOrPtr _v1020;
    				intOrPtr _v1156;
    				void _v1164;
    				void _v1168;
    				void _v1172;
    				void _v1176;
    				long _v1180;
    				void* _v1200;
    				char _v1204;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t22;
    				void* _t42;
    				struct HINSTANCE__* _t47;
    				void* _t62;
    				void* _t63;
    				signed int _t64;
    
    				_t60 = __edx;
    				_t22 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t22 ^ _t64;
    				_t62 = __ecx;
    				_v1168 = 0;
    				if( *0x10790f4 != 0) {
    					L4:
    					_t63 =  *0x10790f0;
    					L5:
    					if(_t63 != 0) {
    						 *0x107a4c4(_t62, 0,  &_v1204, 0x18, 0);
    						if( *_t63() >= 0) {
    							_t63 = _v1200;
    							if(ReadProcessMemory(_t62, _t63,  &_v1164, 0x480,  &_v1180) != 0) {
    								if(_v1180 < 0xb4 || _v1020 - _t63 <= 0xb4) {
    									if(ReadProcessMemory(_t62, _v1156 + 0x3c,  &_v1176, 4, 0) != 0 && ReadProcessMemory(_t62, _v1156 + _v1176 + 4,  &_v1172, 2, 0) != 0) {
    										_t60 = _v1176 + _v1156 + 0x18;
    										_t42 = E01056396(_v1172, _v1176 + _v1156 + 0x18);
    										if(_t42 != 0) {
    											ReadProcessMemory(_t62, _t42,  &_v1168, 2, 0);
    										}
    									}
    								} else {
    									_v1168 = _v984;
    								}
    							}
    						}
    					}
    					return E01046B30(_v1168, 0, _v8 ^ _t64, _t60, _t62, _t63);
    				}
    				_t47 = LoadLibraryExW(L"NTDLL.DLL", 0, 0);
    				 *0x10790f4 = _t47;
    				if(_t47 == 0) {
    					 *0x10790f4 =  *0x10790f4 | 0xffffffff;
    					goto L4;
    				} else {
    					_t63 = GetProcAddress(_t47, "NtQueryInformationProcess");
    					 *0x10790f0 = _t63;
    					goto L5;
    				}
    			}
























    APIs
    • LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(NTDLL.DLL,00000000,00000000,?,00000000,?), ref: 01056069
    • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,NtQueryInformationProcess), ref: 0105607E
    • ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,?,00000480,?), ref: 010560DC
    • ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,?,00000004,00000000), ref: 01056128
    • ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,?,00000002,00000000), ref: 0105614F
    • ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0(?,00000000,?,00000002,00000000), ref: 01056186
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: MemoryProcessRead$AddressLibraryLoadProc
    • String ID: NTDLL.DLL$NtQueryInformationProcess
    • API String ID: 1580871199-2613899276
    • Opcode ID: ddb113312ad9ea7fcde3b21c19211cd913eca288c74fef16b1c3613d8ac8e66d
    • Instruction ID: cd6e53880df88fce90820ac0127c9255972b00557f93016a294d2f436327a05f
    • Opcode Fuzzy Hash: ddb113312ad9ea7fcde3b21c19211cd913eca288c74fef16b1c3613d8ac8e66d
    • Instruction Fuzzy Hash: CC417FB0E00219ABEB709B25DC84EBF77BDEB41754F4440A8FA45E3241DB369E45CB68
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 48%
    			E0104654B(void* __ecx, signed int __edx) {
    				long _v8;
    				WCHAR* _v12;
    				struct _SECURITY_ATTRIBUTES _v24;
    				void* __edi;
    				signed int _t15;
    				long _t17;
    				void* _t19;
    				long _t22;
    				long _t23;
    				WCHAR* _t32;
    				signed int _t38;
    				void* _t39;
    				void* _t40;
    				signed int _t42;
    
    				_v24.lpSecurityDescriptor = _v24.lpSecurityDescriptor & 0x00000000;
    				_t39 = __ecx;
    				_v24.nLength = 0xc;
    				_t23 = 3;
    				_t41 = __edx;
    				_t38 = __edx & _t23;
    				_v24.bInheritHandle = 1;
    				if(_t38 > 2) {
    					L2:
    					_t42 = _t41 | 0xffffffff;
    					L3:
    					return _t42;
    				}
    				_t15 = __edx & 0x00000009;
    				if(_t15 != 9) {
    					_push(L"con");
    					_push(__ecx);
    					if(_t38 != 0) {
    						_t41 = (__edx | 1) << 0x1e;
    						__imp___wcsicmp();
    						if(_t15 != 0) {
    							_t23 = 1;
    						}
    						_v8 = 2;
    					} else {
    						_t41 = 0x80000000;
    						_v8 = 3;
    						__imp___wcsicmp();
    						if(_t15 == 0) {
    							_t23 = 1;
    						}
    					}
    					_t32 = E01040060(_t39, _t39);
    					_t17 = _v8;
    					_v12 = _t32;
    					if(_t17 == 2) {
    						_t19 = CreateFileW(_t32, _t41, _t23,  &_v24, 3, 0x8000080, 0);
    						_t40 = _t19;
    						if(_t40 != 0xffffffff) {
    							goto L8;
    						}
    						_t17 = _v8;
    						_t32 = _v12;
    						goto L7;
    					} else {
    						L7:
    						_t19 = CreateFileW(_t32, _t41, _t23,  &_v24, _t17, 0x8000080, 0);
    						_t40 = _t19;
    						if(_t40 == 0xffffffff) {
    							_t22 = GetLastError();
    							 *0x10667a8 = _t22;
    							if(_t22 == 0x6e) {
    								 *0x10667a8 = 2;
    							}
    							goto L2;
    						}
    						L8:
    						__imp___open_osfhandle(_t40, 8);
    						_t42 = _t19;
    						if(_t42 == 0xffffffff) {
    							CloseHandle(_t40);
    						}
    						goto L3;
    					}
    				}
    				goto L2;
    			}


















    APIs
    • _wcsicmp.MSVCRT ref: 010465A4
    • CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,80000000,00000001,00000000,00000003,08000080,00000000), ref: 010465D7
    • _open_osfhandle.MSVCRT ref: 010465EB
    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000,?), ref: 01052092
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: CloseCreateFileHandle_open_osfhandle_wcsicmp
    • String ID: con
    • API String ID: 689241570-4257191772
    • Opcode ID: 5a5858d48095a54a9d167ebd008a40663e20502210110e2da0de704bb736c156
    • Instruction ID: b95755dd11efec794ff5f21334ac73eaa1063785a3fa69456b86c2352ed325ed
    • Opcode Fuzzy Hash: 5a5858d48095a54a9d167ebd008a40663e20502210110e2da0de704bb736c156
    • Instruction Fuzzy Hash: 19312D72E00204EFE7745AAC9889B6F7AE9EB45731F244279F991F31C4EB769900C790
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 96%
    			E010561A2(WCHAR* __ecx, void* __edx) {
    				signed int _v8;
    				long _v16;
    				char _v76;
    				signed short _v80;
    				char _v96;
    				char _v100;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t12;
    				signed int _t15;
    				signed short _t23;
    				signed short* _t31;
    				signed int _t32;
    				void* _t42;
    				void* _t43;
    				signed int _t44;
    
    				_t41 = __edx;
    				_t12 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t12 ^ _t44;
    				_t42 = 0;
    				_t32 = 0;
    				if(__ecx != 0) {
    					_t43 = CreateFileW(__ecx, 0x80000000, 1, 0, 3, 0x80, 0);
    					if(_t43 == 0xffffffff) {
    						L16:
    						_t15 = _t32;
    						goto L17;
    					}
    					_t41 =  &_v76;
    					if(E010563C3(_t43,  &_v76, 0x40) != 0 && 0x5a4d == _v76 && SetFilePointer(_t43, _v16, 0, 0) != 0xffffffff) {
    						_t41 =  &_v100;
    						if(E010563C3(_t43,  &_v100, 4) != 0 && _v100 == 0x4550) {
    							_t41 =  &_v96;
    							if(E010563C3(_t43,  &_v96, 0x14) != 0) {
    								_t23 = _v80;
    								if(_t23 != 0) {
    									_t42 = HeapAlloc(GetProcessHeap(), 8, _t23 & 0x0000ffff);
    									if(_t42 != 0) {
    										_t41 = _t42;
    										if(E010563C3(_t43, _t42, _v80 & 0x0000ffff) != 0) {
    											_t41 = _t42;
    											_t31 = E01056396(_v96, _t42);
    											if(_t31 != 0) {
    												_t32 =  *_t31 & 0x0000ffff;
    											}
    										}
    										RtlFreeHeap(GetProcessHeap(), 0, _t42);
    									}
    								}
    							}
    						}
    					}
    					CloseHandle(_t43);
    					goto L16;
    				} else {
    					_t15 = 0;
    					L17:
    					return E01046B30(_t15, _t32, _v8 ^ _t44, _t41, _t42, _t43);
    				}
    			}





















    APIs
    • CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00000104), ref: 010561D7
    • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,00000000,00000000,00000040), ref: 01056211
    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,00000014,00000004), ref: 01056254
    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 0105625B
    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?), ref: 0105628D
    • RtlFreeHeap.NTDLL(00000000), ref: 01056294
    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000,00000040), ref: 0105629B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: Heap$FileProcess$AllocCloseCreateFreeHandlePointer
    • String ID: PE
    • API String ID: 3093239467-4258593460
    • Opcode ID: 5701b98d1653f33a2178ffc5ce2fe9e837a0b2c985ba8b4725859f10a0d6b999
    • Instruction ID: fab732ec23660e5049cffa74b26dc21eca0cc72386f4c46ad4d1ccadf634d96a
    • Opcode Fuzzy Hash: 5701b98d1653f33a2178ffc5ce2fe9e837a0b2c985ba8b4725859f10a0d6b999
    • Instruction Fuzzy Hash: 9A31C434B0070596FBA06BA99C08BAF7BA9AFC8751F844154FED1E71C4DF768846C660
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 68%
    			E01038F21(int* __ecx, signed int _a8) {
    				signed int _v8;
    				intOrPtr _v12;
    				int _v16;
    				signed int _v20;
    				short _v24;
    				short _v26;
    				short _v28;
    				WCHAR** _v32;
    				signed int _v36;
    				int _v40;
    				WCHAR** _v44;
    				short _v76;
    				short _v332;
    				signed short _v334;
    				signed short _v336;
    				signed int _v338;
    				signed int _v340;
    				struct _SYSTEMTIME _v348;
    				signed int _v352;
    				void* _v356;
    				signed int _v360;
    				signed int _v364;
    				struct _FILETIME _v372;
    				struct _FILETIME _v380;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				void* _t169;
    				signed int _t170;
    				short _t171;
    				WCHAR* _t172;
    				signed int _t174;
    				signed int _t175;
    				void* _t176;
    				signed int _t178;
    				int _t179;
    				char* _t188;
    				void* _t194;
    				intOrPtr _t197;
    				signed int _t198;
    				signed int _t201;
    				signed short _t202;
    				signed int _t207;
    				intOrPtr* _t210;
    				signed int _t211;
    				signed int _t214;
    				signed int _t221;
    				signed int _t222;
    				signed int _t228;
    				signed short* _t233;
    				signed int _t234;
    				signed int _t237;
    				signed int _t238;
    				signed int _t239;
    				signed int _t243;
    				signed int _t246;
    				signed int _t247;
    				signed int _t248;
    				signed int _t249;
    				signed int _t252;
    				signed int _t254;
    				short _t256;
    				signed int _t262;
    				signed int _t263;
    				signed int _t264;
    				signed int _t267;
    				signed int _t268;
    				signed int _t271;
    				signed int _t272;
    				signed int _t273;
    				signed int _t276;
    				signed int _t277;
    				signed int _t278;
    				signed int _t281;
    				signed int _t285;
    				signed int _t286;
    				signed int _t287;
    				WCHAR* _t288;
    				WCHAR* _t293;
    				signed int _t294;
    				signed int _t295;
    				void* _t300;
    				signed int _t301;
    				long _t303;
    				int _t307;
    				void* _t309;
    				signed int _t314;
    				signed int _t315;
    				int _t317;
    				int _t319;
    				void* _t324;
    				intOrPtr _t325;
    				signed char _t326;
    				int _t328;
    				intOrPtr _t329;
    				void* _t332;
    				void* _t333;
    				signed int _t334;
    				void* _t336;
    				void* _t339;
    				signed int _t341;
    				intOrPtr* _t342;
    				signed int _t343;
    				signed int _t346;
    				signed int _t347;
    				signed int _t356;
    				void* _t358;
    				signed int _t363;
    				signed int _t364;
    				WCHAR* _t371;
    				signed int _t376;
    				WCHAR* _t381;
    				void* _t393;
    				intOrPtr* _t397;
    				signed int _t398;
    				signed int _t399;
    				signed int _t400;
    				void* _t401;
    				signed int _t403;
    				void* _t405;
    				WCHAR* _t408;
    				void* _t409;
    				void* _t410;
    				void* _t411;
    				short* _t413;
    				WCHAR** _t415;
    				int _t416;
    				void* _t417;
    				signed int _t418;
    				int _t419;
    				signed int _t421;
    				signed int _t422;
    				signed int _t423;
    				int _t425;
    				WCHAR* _t426;
    				WCHAR* _t428;
    				signed int _t429;
    				WCHAR* _t430;
    				signed int _t431;
    				void* _t432;
    
    				_t415 = __ecx;
    				_v12 = 0x103206c;
    				 *0x10667a8 = 0;
    				_t328 =  *__ecx;
    				_t419 = _t328;
    				_t393 = _t419 + 2;
    				do {
    					_t169 =  *_t419;
    					_t419 = _t419 + 2;
    				} while (_t169 != 0);
    				_t170 =  *_t328 & 0x0000ffff;
    				_t421 = _t419 - _t393 >> 1;
    				_t319 = _t328;
    				_v20 = _t421;
    				_t394 = _t170;
    				if(_t170 != 0) {
    					goto L4;
    					L4:
    					_t317 = _t328;
    					_t319 = _t328;
    					_t328 = _t328 + 2;
    					if( *_t328 != 0) {
    						goto L4;
    					} else {
    						_t394 =  *_t317 & 0x0000ffff;
    					}
    				}
    				_t171 = 0x3a;
    				_v8 = _t319;
    				_v24 = _t171;
    				if(_t394 == _t171) {
    					__eflags = _t421 - 2;
    					if(_t421 > 2) {
    						 *_t319 = 0;
    						_v8 = _t319 - 2;
    						_t307 = SetErrorMode(0);
    						_t388 =  *_t415;
    						_t394 = 0x8000;
    						_v16 = _t307;
    						_t421 = E01040590( *_t415, 0x8000, _t328);
    						__eflags = _t421 - 0xffffffff;
    						if(_t421 == 0xffffffff) {
    							L92:
    							__eflags =  *0x105e0d8 - 4;
    							_t309 = 0x3a;
    							_v8 = _t319;
    							 *_t319 = _t309;
    							if( *0x105e0d8 != 4) {
    								E010378E4(_t388, 0x236b, 1,  *_t415);
    								_t432 = _t432 + 0xc;
    							} else {
    								__eflags =  *0x106676c;
    								if( *0x106676c == 0) {
    									E010378E4(_t388, 0x236b, 1,  *_t415);
    									_t432 = _t432 + 0xc;
    								}
    								 *0x1066768 = 1;
    							}
    							__eflags = _t421 - 0xffffffff;
    							goto L98;
    						} else {
    							_t314 = E0103DD98(_t308);
    							__eflags = _t314;
    							if(_t314 != 0) {
    								L90:
    								_t315 = E0103DD98(_t314);
    								__eflags = _t315;
    								if(_t315 != 0) {
    									L99:
    									E0103A16C(_t421);
    								} else {
    									__eflags = E01059FCF(_t315, _t421);
    									L98:
    									if(__eflags != 0) {
    										goto L99;
    									}
    								}
    							} else {
    								_t388 = _t421;
    								_t314 = E01059FCF(_t314, _t421);
    								__eflags = _t314;
    								if(_t314 == 0) {
    									goto L92;
    								} else {
    									goto L90;
    								}
    							}
    						}
    						SetErrorMode(_v16);
    					}
    				}
    				_t329 = 0x250;
    				_t172 = E0103DCD0(0x250);
    				if(_t172 == 0) {
    					L113:
    					E01059922();
    					__imp__longjmp(0x1070a30, 1);
    					asm("int3");
    					_t174 =  *(_t319 + 0xc);
    					__eflags = _t174;
    					if(_t174 == 0) {
    						L43:
    						 *((intOrPtr*)(_t421 + 0xc)) = _t329;
    						while(1) {
    							_t175 =  *_t415 & 0x0000ffff;
    							__eflags = _t175;
    							if(_t175 == 0) {
    								break;
    							}
    							_t394 = 0x2d;
    							_t332 = 0x2f;
    							__eflags = _t175 - _t332;
    							if(_t175 != _t332) {
    								_t178 =  *(_t421 + 0x48);
    								__eflags = _t178;
    								if(_t178 != 0) {
    									_t333 = 0x10;
    									_t179 = E0103DCD0(_t333);
    									__eflags = _t179;
    									if(_t179 == 0) {
    										E01059922();
    										__imp__longjmp(0x1070a30, 1);
    										asm("int3");
    										E010548D7(_t333,  &_v372);
    										FileTimeToLocalFileTime( &_v372,  &_v380);
    										FileTimeToSystemTime( &_v380,  &_v348);
    										__eflags = _t415 - 1;
    										if(_t415 != 1) {
    											_t415 = 0;
    											__eflags =  *0x1066755;
    											_t319 = 2;
    											if( *0x1066755 == 0) {
    												_t188 = "a";
    												_t334 = _v340 & 0x0000ffff;
    												__eflags =  *0x105e0c4 - _t415; // 0xffffffff
    												if(__eflags == 0) {
    													_t188 = " ";
    												} else {
    													_t399 = 0xc;
    													__eflags = _t334 - _t399;
    													if(__eflags < 0) {
    														__eflags = _t334;
    														if(_t334 == 0) {
    															_t334 = _t399;
    														}
    													} else {
    														if(__eflags > 0) {
    															__eflags = _t334;
    														}
    														_t188 = "p";
    													}
    												}
    												_push(_t188);
    												_push(_v338 & 0x0000ffff);
    												_push(0x106c9e0);
    												E01039ABF( &_v76, 0x20, L"%02d%s%02d%s", _t334);
    											} else {
    												_v352 = 0;
    												_t132 = _t319 + 0x7e; // 0x80
    												_t416 = _t132;
    												_t201 = GetLocaleInfoW(E01038791(), 0x1003,  &_v332, _t416);
    												__eflags = _t201;
    												if(_t201 == 0) {
    													_t346 =  &_v332;
    													_t403 = L"HH:mm:ss t" - _t346;
    													__eflags = _t403;
    													while(1) {
    														_t134 = _t416 + 0x7fffff7e; // 0x7ffffffe
    														__eflags = _t134;
    														if(_t134 == 0) {
    															break;
    														}
    														_t221 =  *(_t403 + _t346) & 0x0000ffff;
    														__eflags = _t221;
    														if(_t221 != 0) {
    															 *_t346 = _t221;
    															_t346 = _t346 + _t319;
    															_t416 = _t416 - 1;
    															__eflags = _t416;
    															if(_t416 != 0) {
    																continue;
    															}
    														}
    														break;
    													}
    													__eflags = _t416;
    													if(_t416 == 0) {
    														_t346 = _t346 - _t319;
    														__eflags = _t346;
    													}
    													__eflags = 0;
    													 *_t346 = 0;
    												}
    												_t202 = _v332;
    												_t417 =  &_v332;
    												__eflags = _t202;
    												if(_t202 != 0) {
    													_t341 = _t202 & 0x0000ffff;
    													__eflags = 0;
    													_v360 = _t341;
    													do {
    														__eflags = _t341 - 0x27;
    														if(_t341 != 0x27) {
    															__eflags = _v352;
    															if(_v352 == 0) {
    																__eflags = _t341 - 0x68;
    																if(_t341 == 0x68) {
    																	L199:
    																	_t400 = 0;
    																	do {
    																		_t417 = _t417 + _t319;
    																		_t400 = _t400 + 1;
    																		__eflags =  *_t417 - _t341;
    																	} while ( *_t417 == _t341);
    																	_t210 = _t417 +  ~_t400 * 2;
    																	_v356 = _t210;
    																	_t147 = _t210 + 2; // 0x3
    																	_t417 = _t147;
    																	__eflags = _t400 - 1;
    																	if(_t400 == 1) {
    																		_t342 = _t210;
    																		_t148 = _t342 + 2; // 0x3
    																		_t401 = _t148;
    																		do {
    																			_t214 =  *_t342;
    																			_t342 = _t342 + _t319;
    																			__eflags = _t214;
    																		} while (_t214 != 0);
    																		_t343 = _t342 - _t401;
    																		__eflags = _t343;
    																		memmove(_t417, _v356, 2 + (_t343 >> 1) * 2);
    																		_t432 = _t432 + 0xc;
    																		 *_v356 = _v360;
    																	}
    																} else {
    																	__eflags = _t341 - 0x48;
    																	if(_t341 == 0x48) {
    																		goto L199;
    																	} else {
    																		__eflags = _t341 - 0x6d;
    																		if(_t341 == 0x6d) {
    																			goto L199;
    																		}
    																	}
    																}
    															} else {
    																_t417 = _t417 + _t319;
    															}
    														} else {
    															_t417 = _t417 + _t319;
    															__eflags = _v352;
    															_v352 = 0 | _v352 == 0x00000000;
    														}
    														_t417 = _t417 + _t319;
    														_t211 =  *_t417 & 0x0000ffff;
    														_t341 = _t211;
    														_v360 = _t341;
    														__eflags = _t211;
    													} while (_t211 != 0);
    													_t421 = _v364;
    												}
    												_t207 = GetTimeFormatW(E01038791(), _t319,  &_v348,  &_v332,  &_v76, 0x20);
    												__eflags = _t207;
    												if(_t207 == 0) {
    													_v76 = _t207;
    												}
    												_t415 = 0;
    												__eflags = 0;
    											}
    											__eflags = _t421;
    											if(_t421 != 0) {
    												_t396 = _a8;
    												E0103F3A0(_t421, _a8,  &_v76);
    												_t336 = _t421 + 2;
    												do {
    													_t194 =  *_t421;
    													_t421 = _t421 + _t319;
    													__eflags = _t194 - _t415;
    												} while (_t194 != _t415);
    												_t422 = _t421 - _t336;
    												goto L84;
    											} else {
    												_t397 =  &_v76;
    												_t339 = _t397 + 2;
    												do {
    													_t197 =  *_t397;
    													_t397 = _t397 + _t319;
    													__eflags = _t197 - _t415;
    												} while (_t197 != _t415);
    												_t398 = _t397 - _t339;
    												__eflags = _t398;
    												_t396 = _t398 >> 1;
    												_t198 = E0103998D( &_v76, _t398 >> 1);
    												goto L214;
    											}
    										} else {
    											_t222 = _v334 & 0x0000ffff;
    											_t347 = 0xa;
    											_t396 = _t222 % _t347;
    											_push(_t222 / _t347);
    											_push(0x106c9c0);
    											_push(_v336 & 0x0000ffff);
    											_push(0x106c9e0);
    											_push(_v338 & 0x0000ffff);
    											_push(0x106c9e0);
    											_push(_v340 & 0x0000ffff);
    											_push(L"%2d%s%02d%s%02d%s%02d");
    											__eflags = _t421;
    											if(_t421 == 0) {
    												_t198 = E01039950();
    												L214:
    												_t423 = _t198;
    											} else {
    												_push(_a8);
    												_push(_t421);
    												E01039ABF();
    												_t396 = _t421 + 2;
    												__eflags = 0;
    												_t319 = 2;
    												do {
    													_t228 =  *_t421;
    													_t421 = _t421 + _t319;
    													__eflags = _t228;
    												} while (_t228 != 0);
    												_t422 = _t421 - _t396;
    												__eflags = _t422;
    												L84:
    												_t423 = _t422 >> 1;
    											}
    										}
    										__eflags = _v8 ^ _t431;
    										return E01046B30(_t423, _t319, _v8 ^ _t431, _t396, _t415, _t423);
    									} else {
    										 *(_t319 + 0xc) = _t179;
    										_t319 = _t179;
    										 *((intOrPtr*)(_t179 + 0xc)) = 0;
    										_t178 =  *(_t421 + 0x48);
    										_v40 = _t319;
    										goto L60;
    									}
    								} else {
    									L60:
    									 *(_t421 + 0x48) = _t178 + 1;
    									 *_t319 = E0104054B(_t319, E01040060(_t415, _t415), _t415, _t421);
    									 *((char*)(_t319 + 8)) = 1;
    									goto L58;
    								}
    							} else {
    								_t25 =  &(_t415[1]); // 0x4
    								_t233 = _t25;
    								_v44 = _t233;
    								_t234 =  *_t233 & 0x0000ffff;
    								_v36 = _t234;
    								__eflags = _t234 - _t394;
    								_t356 = 0 | _t234 == _t394;
    								_v32 = _t356;
    								_t319 = _t415 + (_t356 + 2) * 2;
    								_t237 = towupper( *_t319 & 0x0000ffff) & 0x0000ffff;
    								_pop(_t358);
    								__eflags = _t237 - 0x4f;
    								if(__eflags > 0) {
    									_t238 = _t237 - 0x50;
    									__eflags = _t238;
    									if(_t238 == 0) {
    										_t359 = _v36;
    										_t319 = 0x2d;
    										__eflags = _t359 - _t319;
    										if(_t359 != _t319) {
    											 *_t421 =  *_t421 | 0x00000008;
    										} else {
    											 *_t421 =  *_t421 ^ 0x00000008;
    										}
    										goto L69;
    									} else {
    										_t246 = _t238 - 1;
    										__eflags = _t246;
    										if(_t246 == 0) {
    											_t359 = _v36;
    											_t319 = 0x2d;
    											__eflags = _t359 - _t319;
    											if(_t359 != _t319) {
    												 *_t421 =  *_t421 | 0x00040000;
    											} else {
    												 *_t421 =  *_t421 ^ 0x00040000;
    											}
    											goto L69;
    										} else {
    											_t247 = _t246 - 1;
    											__eflags = _t247;
    											if(_t247 == 0) {
    												_t359 = _v36;
    												_t319 = 0x2d;
    												__eflags = _t359 - _t319;
    												if(_t359 != _t319) {
    													 *_t421 =  *_t421 | 0x00100000;
    												} else {
    													 *_t421 =  *_t421 ^ 0x00100000;
    												}
    												goto L69;
    											} else {
    												_t248 = _t247 - 1;
    												__eflags = _t248;
    												if(_t248 != 0) {
    													_t249 = _t248 - 1;
    													__eflags = _t249;
    													if(_t249 == 0) {
    														_t319 = 0x2d;
    														__eflags = _v36 - _t319;
    														if(_v36 != _t319) {
    															_t394 = _t421;
    															_t252 = E0105A53D(_t421);
    															goto L75;
    														} else {
    															 *((intOrPtr*)(_t421 + 0x5c)) = 0;
    															goto L57;
    														}
    													} else {
    														_t254 = _t249 - 3;
    														__eflags = _t254;
    														if(_t254 == 0) {
    															_t359 = _v36;
    															_t319 = 0x2d;
    															__eflags = _t359 - _t319;
    															if(_t359 != _t319) {
    																 *_t421 =  *_t421 | 0x00000004;
    															} else {
    																 *_t421 =  *_t421 ^ 0x00000004;
    															}
    															goto L69;
    														} else {
    															__eflags = _t254 != 1;
    															if(_t254 != 1) {
    																_push(0x2d);
    																goto L176;
    															} else {
    																_t262 = _v32;
    																 *_t421 =  *_t421 | 0x00000402;
    																__eflags =  *(_t415 + 6 + _t262 * 2);
    																if( *(_t415 + 6 + _t262 * 2) == 0) {
    																	goto L57;
    																} else {
    																	_t359 = _v36;
    																	goto L152;
    																}
    															}
    														}
    													}
    												} else {
    													_t359 = _v36;
    													_t319 = 0x2d;
    													__eflags = _t359 - _t319;
    													if(_t359 == _t319) {
    														 *_t421 =  *_t421 ^ 0x00000010;
    													} else {
    														 *_t421 =  *_t421 | 0x00000010;
    														__eflags =  *_t421;
    													}
    													goto L69;
    												}
    											}
    										}
    									}
    								} else {
    									_push(0x2d);
    									if(__eflags == 0) {
    										_t263 = _v36;
    										_t363 =  *_t421;
    										_pop(_t405);
    										__eflags = _t263 - _t405;
    										if(_t263 == _t405) {
    											_t364 = _t363 ^ 0x00004000;
    										} else {
    											_t364 = _t363 | 0x00004000;
    											__eflags = _t364;
    										}
    										 *_t421 = _t364;
    										__eflags = _t263 - _t405;
    										if(_t263 == _t405) {
    											_t359 = _t319 + 2;
    											_t394 = 0;
    											__eflags = 0;
    											do {
    												_t264 =  *_t319;
    												_t319 = _t319 + 2;
    												__eflags = _t264;
    											} while (_t264 != 0);
    											_t319 = _t319 - _t359 >> 1;
    											__eflags = _t319 - 1;
    											if(_t319 > 1) {
    												goto L174;
    											} else {
    												 *((intOrPtr*)(_t421 + 0xc)) = 0;
    												 *((intOrPtr*)(_t421 + 0x14)) = 0;
    												goto L57;
    											}
    										} else {
    											_t394 = _t421;
    											__eflags =  &(_v32[0]);
    											_t252 = E0104669F(_t415 +  &(_v32[0]) * 2, _t421);
    											goto L75;
    										}
    									} else {
    										__eflags = _t237 - 0x43;
    										if(__eflags > 0) {
    											_t267 = _t237 - 0x44;
    											__eflags = _t267;
    											if(_t267 == 0) {
    												_t359 = _v36;
    												_pop(_t319);
    												__eflags = _t359 - _t319;
    												if(_t359 != _t319) {
    													 *_t421 =  *_t421 | 0x00000200;
    												} else {
    													 *_t421 =  *_t421 ^ 0x00000200;
    												}
    												goto L69;
    											} else {
    												_t268 = _t267 - 8;
    												__eflags = _t268;
    												if(_t268 == 0) {
    													_t359 = _v36;
    													_pop(_t319);
    													__eflags = _t359 - _t319;
    													if(_t359 != _t319) {
    														 *_t421 =  *_t421 | 0x00000080;
    													} else {
    														 *_t421 =  *_t421 ^ 0x00000080;
    													}
    													goto L69;
    												} else {
    													__eflags = _t268 != 0;
    													if(_t268 != 0) {
    														L176:
    														_pop(_t394);
    														goto L177;
    													} else {
    														_t359 = _v36;
    														_pop(_t319);
    														__eflags = _t359 - _t319;
    														if(_t359 != _t319) {
    															 *_t421 =  *_t421 | 0x00000002;
    														} else {
    															 *_t421 =  *_t421 | 0x00020000;
    														}
    														goto L69;
    													}
    												}
    											}
    										} else {
    											if(__eflags == 0) {
    												_t359 = _v36;
    												_t271 =  *_t421;
    												_pop(_t319);
    												__eflags = _t359 - _t319;
    												if(_t359 != _t319) {
    													_t272 = _t271 | 0x00008000;
    													__eflags = _t272;
    												} else {
    													_t272 = _t271 ^ 0x00008000;
    												}
    												 *_t421 = _t272;
    												L69:
    												_t239 = _v32;
    												_t394 = 0;
    												__eflags =  *(_t415 + 6 + _t239 * 2);
    												if( *(_t415 + 6 + _t239 * 2) == 0) {
    													goto L57;
    												} else {
    													goto L153;
    												}
    											} else {
    												_pop(_t394);
    												_t273 = _t237 - _t394;
    												__eflags = _t273;
    												if(_t273 == 0) {
    													_push(0);
    													_push(0x2382);
    													E010363BD(_t358);
    													goto L76;
    												} else {
    													_t276 = _t273 - 7;
    													__eflags = _t276;
    													if(_t276 == 0) {
    														_t359 = _v36;
    														__eflags = _t359 - _t394;
    														if(_t359 != _t394) {
    															 *_t421 =  *_t421 | 0x00080000;
    														} else {
    															 *_t421 =  *_t421 ^ 0x00080000;
    														}
    														goto L56;
    													} else {
    														_t278 = _t276 - 0xd;
    														__eflags = _t278;
    														if(_t278 == 0) {
    															__eflags = _v36 - _t394;
    															if(_v36 != _t394) {
    																_t394 = _t421;
    																_t252 = E0105A37A(_t415 +  &(_v32[0]) * 2, _t421);
    																L75:
    																__eflags = _t252;
    																if(_t252 == 0) {
    																	goto L57;
    																} else {
    																	goto L76;
    																}
    															} else {
    																_t359 = _t319 + 2;
    																_t394 = 0;
    																__eflags = 0;
    																do {
    																	_t281 =  *_t319;
    																	_t319 = _t319 + 2;
    																	__eflags = _t281;
    																} while (_t281 != 0);
    																_t319 = _t319 - _t359 >> 1;
    																__eflags = _t319 - 1;
    																if(_t319 > 1) {
    																	L174:
    																	_t119 =  &(_t415[1]); // 0x6
    																	_t243 = _t119;
    																	goto L154;
    																} else {
    																	 *((intOrPtr*)(_t421 + 4)) = 6;
    																	 *((intOrPtr*)(_t421 + 8)) = 0;
    																	goto L57;
    																}
    															}
    														} else {
    															__eflags = _t278 != 1;
    															if(_t278 != 1) {
    																L177:
    																_t359 = _v36;
    																_t256 = 0x2f;
    																_v28 = _t256;
    																_v26 = _t415[1];
    																__eflags = _v36 - _t394;
    																_v24 = 0;
    																_push(4 + (0 | _v36 == _t394) * 2 + _t415);
    																_push(1);
    																_push(0x2375);
    																goto L155;
    															} else {
    																_t359 = _v36;
    																__eflags = _t359 - _t394;
    																if(_t359 == _t394) {
    																	 *_t421 =  *_t421 ^ 0x00000040;
    																} else {
    																	 *_t421 =  *_t421 | 0x00000040;
    																	__eflags =  *_t421;
    																}
    																L56:
    																_t277 = _v32;
    																_t394 = 0;
    																__eflags =  *(_t415 + 6 + _t277 * 2);
    																if( *(_t415 + 6 + _t277 * 2) != 0) {
    																	L152:
    																	_t319 = 0x2d;
    																	L153:
    																	__eflags = _t359 - _t319;
    																	_t243 = 4 + (0 | _t359 == _t319) * 2 + _t415;
    																	__eflags = _t243;
    																	L154:
    																	_push(_t243);
    																	_push(1);
    																	_push(0x2376);
    																	L155:
    																	E010378E4(_t359);
    																	L76:
    																	_t176 = 1;
    																	L62:
    																	__eflags = _v8 ^ _t431;
    																	return E01046B30(_t176, _t319, _v8 ^ _t431, _t394, _t415, _t421);
    																} else {
    																	L57:
    																	_t415 = _v44;
    																	_t319 = _v40;
    																	L58:
    																	_t415 = E0103A7D5(_t415);
    																	continue;
    																}
    															}
    														}
    													}
    												}
    											}
    										}
    									}
    								}
    							}
    							goto L227;
    						}
    						_t176 = 0;
    						__eflags = 0;
    						goto L62;
    					} else {
    						do {
    							_t418 = _t174;
    							_v40 = _t418;
    							_t174 =  *(_t418 + 0xc);
    							__eflags = _t174;
    						} while (_t174 != 0);
    						_t415 = _v32;
    						_t319 = _v40;
    						goto L43;
    					}
    				} else {
    					_t415[6] = _t172;
    					_t425 = 0x5c;
    					_v16 = _t425;
    					if(( *_v8 & 0x0000ffff) == _t425) {
    						_v12 = 0x103206e;
    						L39:
    						_t426 =  *_t415;
    						_t285 = 0x5c;
    						_t394 = _t285;
    						_t286 = E010401F5(_t426, _t285);
    						__eflags = _t286;
    						if(_t286 == 0) {
    							_t371 = _t426;
    							__eflags = 0;
    							_t75 =  &(_t371[1]); // 0x5e
    							_t394 = _t75;
    							do {
    								_t287 =  *_t371;
    								_t371 =  &(_t371[1]);
    								__eflags = _t287;
    							} while (_t287 != 0);
    							__eflags = _t371 - _t394 >> 1 - 2;
    							if(_t371 - _t394 >> 1 != 2) {
    								goto L40;
    							} else {
    								_t300 = 0x3a;
    								__eflags = _t426[1] - _t300;
    								if(_t426[1] == _t300) {
    									goto L42;
    								} else {
    									goto L40;
    								}
    							}
    						} else {
    							L40:
    							_t319 =  *_t415;
    							_t421 = _v20 + 5;
    							_t329 = _t421 + _t421;
    							_t288 = E0103DCD0(_t329);
    							__eflags = _t288;
    							if(_t288 == 0) {
    								goto L113;
    							} else {
    								 *_t415 = _t288;
    								E0103F3A0(_t288, _t421, _t319);
    								E0103FC40( *_t415, _t421, _v12);
    								L42:
    								 *(_t415[6]) = 0x10;
    								goto L17;
    							}
    						}
    					} else {
    						_t301 = E010401F5( *_t415, _t425);
    						_t429 = _t301;
    						if(_t429 == 0) {
    							_t430 =  *_t415;
    							_t325 = 0;
    							__eflags = 0;
    							_t381 = _t430;
    							_t73 =  &(_t381[1]); // 0x2
    							_t413 = _t73;
    							do {
    								_t301 =  *_t381;
    								_t381 =  &(_t381[1]);
    								__eflags = _t301;
    							} while (_t301 != 0);
    							__eflags = _t381 - _t413 >> 1 - 2;
    							if(_t381 - _t413 >> 1 >= 2) {
    								_t301 = 0x3a;
    								__eflags = _t430[1] - _t301;
    								if(_t430[1] == _t301) {
    									_t430 =  &(_t430[2]);
    								}
    							}
    						} else {
    							_t430 = _t429 + 2;
    							_t325 = 0;
    						}
    						__imp___wcsicmp(_t430, ".");
    						if(_t301 == 0) {
    							goto L39;
    						} else {
    							__imp___wcsicmp(_t430, L"..");
    							if(_t301 == 0) {
    								goto L39;
    							} else {
    								if( *0x105e0d8 == 4) {
    									__eflags =  *0x1066770 - 1;
    									if( *0x1066770 == 1) {
    										goto L14;
    									} else {
    										__eflags =  *0x105e0d4 - 1;
    										if( *0x105e0d4 != 1) {
    											goto L17;
    										} else {
    											 *0x105e0d4 = _t325;
    											goto L14;
    										}
    									}
    								} else {
    									L14:
    									_t326 = GetFileAttributesW( *_t415);
    									if(_t326 != 0xffffffff) {
    										_t303 = 0;
    									} else {
    										_t303 = GetLastError();
    									}
    									 *0x10667a8 = _t303;
    									if(_t326 != 0xffffffff) {
    										__eflags = _t326 & 0x00000010;
    										if((_t326 & 0x00000010) == 0) {
    											goto L17;
    										} else {
    											goto L39;
    										}
    									} else {
    										L17:
    										_t324 = 1;
    										_t428 = 0;
    										_t293 =  *_t415;
    										_t408 = _t293;
    										while(1) {
    											_t376 =  *_t408 & 0x0000ffff;
    											if(_t376 == 0) {
    												break;
    											}
    											if(_t376 == _v16) {
    												L23:
    												_t428 = _t408;
    											} else {
    												if(_t376 == _v24) {
    													__eflags = _t324 - 2;
    													if(_t324 != 2) {
    														goto L21;
    													} else {
    														goto L23;
    													}
    													goto L227;
    												}
    											}
    											L21:
    											_t408 =  &(_t408[1]);
    											_t324 = _t324 + 1;
    										}
    										_t415[3] = _t428;
    										__eflags = _t428;
    										if(_t428 == 0) {
    											_t428 = _t293;
    										} else {
    											__eflags =  *_t428;
    											if( *_t428 == 0) {
    												_t293 = _t428;
    											} else {
    												_t12 =  &(_t428[1]); // 0x2
    												_t293 = _t12;
    											}
    										}
    										_t409 = 0x2a;
    										_t415[4] = _t293;
    										_t294 = E0103A62F(_t428, _t409);
    										__eflags = _t294;
    										if(_t294 == 0) {
    											_t410 = 0x3f;
    											_t295 = E0103A62F(_t428, _t410);
    											__eflags = _t295;
    											if(_t295 != 0) {
    												goto L28;
    											}
    										} else {
    											L28:
    											_t14 =  &(_t415[7]);
    											 *_t14 = _t415[7] | 0x00000008;
    											__eflags =  *_t14;
    											 *0x1066760 = 1;
    										}
    										_t411 = 0x2e;
    										_t415[5] = E0103A62F(_t428, _t411);
    										__eflags = 1;
    										return 1;
    									}
    								}
    							}
    						}
    					}
    				}
    				L227:
    			}

    APIs
    • _wcsicmp.MSVCRT ref: 01038FCD
    • _wcsicmp.MSVCRT ref: 01038FE3
    • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 01039002
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 01039013
      • Part of subcall function 0103A62F: wcschr.MSVCRT ref: 0103A635
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: _wcsicmp$AttributesErrorFileLastwcschr
    • String ID:
    • API String ID: 2943530692-0
    • Opcode ID: 46daf43f78da555becb67cfcd84988fbda54615e2e0c994383fa048cab1cd2a8
    • Instruction ID: ece29ab0dd93451cec4afb4bdd9ce71f15ebe2ff4f60cfe916470bc8970e096d
    • Opcode Fuzzy Hash: 46daf43f78da555becb67cfcd84988fbda54615e2e0c994383fa048cab1cd2a8
    • Instruction Fuzzy Hash: A7C12971B00212DFEB64AF6C84846BEB7F9EB88314F148579E6C6D7284EBB5C941C750
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 71%
    			E0103802C(void* __ebx, void __ecx, void* __edi) {
    				signed int _v8;
    				int _v20;
    				char _v24;
    				void* _v28;
    				void _v548;
    				WCHAR* _v552;
    				intOrPtr _v556;
    				void* __esi;
    				signed int _t29;
    				intOrPtr _t40;
    				void* _t44;
    				intOrPtr _t53;
    				int _t56;
    				signed int _t62;
    				long _t65;
    				signed short* _t66;
    				signed int _t67;
    				void* _t69;
    				void _t70;
    				signed int _t71;
    				void* _t78;
    				void* _t88;
    				signed short* _t89;
    				void* _t90;
    				void _t94;
    				void* _t95;
    				signed short* _t96;
    				void* _t100;
    				void* _t101;
    				signed int _t103;
    
    				_t29 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t29 ^ _t103;
    				_push(__ebx);
    				_push(__edi);
    				_v24 = 1;
    				_v28 = 0;
    				_v20 = 0x104;
    				_t94 = __ecx;
    				memset( &_v548, 0, 0x104);
    				if(E0103E3F0(((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
    					L19:
    					_t100 = 1;
    					goto L20;
    				} else {
    					_t78 = 0x24;
    					_t100 = E0103DCD0(_t78);
    					if(_t100 == 0) {
    						L30:
    						_t44 = E01059922();
    						__imp__longjmp(0x1070a30, 1);
    						asm("int3");
    						EnterCriticalSection( *0x10625a4);
    						 *0x106259c = 1;
    						LeaveCriticalSection( *0x10625a4);
    						fflush(E0104727B(fprintf(E0104727B(_t44, 2), "^C"), 2));
    						 *0x105e0d3 = 1;
    						CloseHandle(_t100);
    						return _v8;
    					} else {
    						 *_t100 = _t94;
    						E01038F21(_t100);
    						_t70 =  *_t100;
    						_t96 =  *(_t100 + 0xc);
    						_v556 =  *((intOrPtr*)(_t100 + 0x18));
    						_v552 = _t70;
    						_t53 = E0103DCD0(0xffce);
    						if(_t53 == 0) {
    							goto L30;
    						} else {
    							 *0x10667a4 = _t53;
    							E01038E9E(_t70, _t53, 0x7fe7, 0);
    							_t83 = _v28;
    							if(_v28 == 0) {
    								_t83 =  &_v548;
    							}
    							_t91 = _v20;
    							if(E01041CD5(_t83, _v20, _t70) != 0) {
    								goto L19;
    							} else {
    								_t84 = _v28;
    								if(_v28 == 0) {
    									_t84 =  &_v548;
    								}
    								_t56 = 0x5c;
    								_t91 = _t56;
    								 *((short*)(E010401F5(_t84, _t56) + 2)) = 0;
    								_t58 = _v28;
    								if(_v28 == 0) {
    									_t58 =  &_v548;
    								}
    								E0103A641(_t58);
    								if(_t96 == 0) {
    									L24:
    									E01038F21(_t100);
    									 *((intOrPtr*)(_t100 + 0x18)) = _v556;
    								} else {
    									_t62 =  *_t96 & 0x0000ffff;
    									_t91 = 0x3a;
    									if(_t62 == _t91) {
    										goto L24;
    									} else {
    										_t88 = 0x5c;
    										if(_t62 == _t88) {
    											if(_t96 == _t70) {
    												L29:
    												_t96 =  &(_t96[1]);
    											} else {
    												_t66 = _t70;
    												while(1) {
    													_t89 = 0;
    													if( *_t66 == 0) {
    														break;
    													}
    													_t89 = _t66;
    													_t66 =  &(_t66[1]);
    													if(_t66 != _t96) {
    														continue;
    													}
    													break;
    												}
    												_t67 =  *_t89 & 0x0000ffff;
    												if(_t67 == _t91) {
    													goto L29;
    												} else {
    													_t90 = 0x5c;
    													if(_t67 == _t90) {
    														goto L29;
    													}
    												}
    											}
    										}
    										_t71 =  *_t96 & 0x0000ffff;
    										 *_t96 = 0;
    										if(GetFileAttributesW(_v552) != 0xffffffff) {
    											_t65 = 0;
    										} else {
    											_t65 = GetLastError();
    										}
    										 *0x10667a8 = _t65;
    										 *_t96 = _t71;
    										if( *0x10667a8 == 0) {
    											goto L24;
    										} else {
    											goto L19;
    										}
    									}
    								}
    							}
    							L20:
    							_t40 = _v28;
    							_v28 = 0;
    							if(_t40 != 0) {
    								__imp__??_V@YAXPAX@Z(_t40);
    							}
    							_pop(_t95);
    							_pop(_t101);
    							_pop(_t69);
    							return E01046B30(_t100, _t69, _v8 ^ _t103, _t91, _t95, _t101);
    						}
    					}
    				}
    			}

    APIs
    • memset.MSVCRT ref: 01038060
      • Part of subcall function 0103E3F0: memset.MSVCRT ref: 0103E455
    • ??_V@YAXPAX@Z.MSVCRT ref: 010381BE
      • Part of subcall function 0103DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0103ACD8,00000001,?,00000000,01038C23,-00000105,0105C9B0,00000240,01041E92,00000000,00000000,0104ACE0,00000000), ref: 0103DCE1
      • Part of subcall function 0103DCD0: RtlAllocateHeap.NTDLL(00000000,?,0103ACD8,00000001,?,00000000,01038C23,-00000105,0105C9B0,00000240,01041E92,00000000,00000000,0104ACE0,00000000,00000000), ref: 0103DCE8
    • GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,00000000,-00000001,00000000,?,00000000), ref: 0103818C
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 01038197
    • longjmp.MSVCRT(01070A30,00000001,-00000001,00000000,?,00000000), ref: 0104B09E
    • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,01057FC9,?,010599AE,00000000,?,00000000,0104CF94,00000000,?), ref: 0104B0AB
    • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,01057FC9,?,010599AE,00000000,?,00000000,0104CF94,00000000,?), ref: 0104B0C1
    • fprintf.MSVCRT ref: 0104B0D5
    • fflush.MSVCRT ref: 0104B0E3
      • Part of subcall function 01038F21: _wcsicmp.MSVCRT ref: 01038FCD
      • Part of subcall function 01038F21: _wcsicmp.MSVCRT ref: 01038FE3
      • Part of subcall function 01038F21: GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 01039002
      • Part of subcall function 01038F21: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 01039013
      • Part of subcall function 01038E9E: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,01078BF0,00000000,?), ref: 01038EC3
      • Part of subcall function 01041CD5: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,?,00000000,00000000,?,?,?,010380F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 01041D3A
      • Part of subcall function 01041CD5: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?,010380F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 01041D44
      • Part of subcall function 01041CD5: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001,?,00000000,?,010380F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 01041D57
      • Part of subcall function 01041CD5: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,010380F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 01041D61
      • Part of subcall function 010401F5: wcsrchr.MSVCRT ref: 010401FB
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: Error$Mode$AttributesCriticalFileHeapLastSection_wcsicmpmemset$AllocateCurrentDirectoryEnterFullLeaveNamePathProcessfflushfprintflongjmpwcsrchr
    • String ID:
    • API String ID: 313199821-0
    • Opcode ID: 336d9b2339ebc20d5bef9e7a4df3f99309b62e50908b9a19712ceec1dd6b4d43
    • Instruction ID: 618d52e1ebca820e497241d205b02b2f290c5b3aed973d24852ca5a5e3466d0f
    • Opcode Fuzzy Hash: 336d9b2339ebc20d5bef9e7a4df3f99309b62e50908b9a19712ceec1dd6b4d43
    • Instruction Fuzzy Hash: 3651E770A00216DBDB34ABB8D8956BE77F8EF44310F1445AAF6C6E7280DB35D980CB50
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 57%
    			E01058B6C(void* __eax, void** __ecx, long __edx, void* __eflags, DWORD* _a4, intOrPtr _a8, long _a12) {
    				char _v8;
    				void* _t13;
    				void* _t15;
    				void* _t17;
    				int _t18;
    				void* _t21;
    				void* _t23;
    				DWORD* _t25;
    				void* _t39;
    				long _t40;
    				void* _t42;
    				void** _t43;
    				void* _t45;
    
    				_t43 = __ecx;
    				_t40 = __edx;
    				__imp___get_osfhandle( *((intOrPtr*)(__ecx)), _t39, _t42, _t23, __ecx);
    				FlushFileBuffers(__eax);
    				_t28 =  *_t43;
    				E0103A16C( *_t43);
    				_t30 = E0104654B(_t40, 0, _t28, _t28);
    				 *_t43 = _t30;
    				if(_t30 == 0xffffffff) {
    					L7:
    					E010378E4(_t30, 0x4000271f, 1, _t40);
    					_t13 = 1;
    				} else {
    					_t25 = _a4;
    					_t15 =  ~_t25;
    					__imp___get_osfhandle(2);
    					SetFilePointer(_t15, _t30, _t15, 0);
    					_t17 =  &_v8;
    					__imp___get_osfhandle(0);
    					_t18 = ReadFile(_t17,  *_t43, _a12, _t25, _t17);
    					if(_t18 == 0 || _v8 != _t25) {
    						L6:
    						_t30 =  *_t43;
    						E0103A16C( *_t43);
    						 *_t43 =  *_t43 | 0xffffffff;
    						goto L7;
    					} else {
    						_push(_t25);
    						_push(_a12);
    						_push(_a8);
    						L01047FB7();
    						_t45 = _t45 + 0xc;
    						if(_t18 != 0) {
    							goto L6;
    						} else {
    							_t33 =  *_t43;
    							E0103A16C( *_t43);
    							_t30 = _t40;
    							_t21 = E0104654B(_t40, 1, _t33, _t33);
    							 *_t43 = _t21;
    							if(_t21 == 0xffffffff) {
    								goto L7;
    							} else {
    								__imp___get_osfhandle(2);
    								SetFilePointer(_t21, _t21, 0, 0);
    								_t13 = 0;
    							}
    						}
    					}
    				}
    				return _t13;
    			}

    APIs
    • _get_osfhandle.MSVCRT ref: 01058B7B
    • FlushFileBuffers.API-MS-WIN-CORE-FILE-L1-1-0(00000000,01059323,?,?,?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 01058B83
      • Part of subcall function 0103A16C: _close.MSVCRT ref: 0103A19B
    • _get_osfhandle.MSVCRT ref: 01058BB5
    • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 01058BBD
    • _get_osfhandle.MSVCRT ref: 01058BCF
    • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 01058BD7
    • memcmp.MSVCRT ref: 01058BED
      • Part of subcall function 0104654B: _wcsicmp.MSVCRT ref: 010465A4
      • Part of subcall function 0104654B: CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,80000000,00000001,00000000,00000003,08000080,00000000), ref: 010465D7
      • Part of subcall function 0104654B: _open_osfhandle.MSVCRT ref: 010465EB
      • Part of subcall function 0104654B: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000,?), ref: 01052092
    • _get_osfhandle.MSVCRT ref: 01058C1A
    • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 01058C22
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: File$_get_osfhandle$Pointer$BuffersCloseCreateFlushHandleRead_close_open_osfhandle_wcsicmpmemcmp
    • String ID:
    • API String ID: 4208585293-0
    • Opcode ID: 735fe230402d4f873365890e19ce0dab8467a8b4fc35d703e7f6c722e1878d5d
    • Instruction ID: aeaba5196bf7f18e32f8cfcff83bd3a8a3d4ef0b8b0801d6c14e8ecd3a7bae78
    • Opcode Fuzzy Hash: 735fe230402d4f873365890e19ce0dab8467a8b4fc35d703e7f6c722e1878d5d
    • Instruction Fuzzy Hash: A7217E71600205EFEB286F75DC49F6B7A9DEB94360F148929F9D2D21D4EA769C018720
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 72%
    			E010438D0(long __edx, intOrPtr _a4, intOrPtr _a8, signed int* _a16) {
    				signed int _v8;
    				int _v20;
    				char _v24;
    				signed int _v28;
    				void _v548;
    				long _v556;
    				char _v560;
    				signed int _v564;
    				void _v1084;
    				signed int* _v1088;
    				signed int _v1092;
    				signed int _v1096;
    				signed int _v1100;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t96;
    				signed int* _t98;
    				signed int _t99;
    				signed int _t108;
    				signed int _t109;
    				WCHAR* _t126;
    				int _t127;
    				signed char* _t130;
    				signed int _t138;
    				char _t143;
    				void* _t144;
    				signed int _t156;
    				signed int _t165;
    				intOrPtr _t167;
    				void* _t168;
    				intOrPtr _t170;
    				void* _t171;
    				void* _t172;
    				signed int _t173;
    				signed int _t175;
    				signed int _t177;
    
    				_t163 = __edx;
    				_t175 = (_t173 & 0xfffffff8) - 0x44c;
    				_t96 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t96 ^ _t175;
    				_t98 = _a16;
    				_v564 = _v564 & 0x00000000;
    				_t170 = _a4;
    				_t167 = _a8;
    				_t143 = 1;
    				_v1088 = _t98;
    				_t99 =  *_t98;
    				_v560 = 1;
    				_v1096 =  *(_t167 + 2) & 0x0000ffff;
    				_v1100 = _t99 & 0x00002000;
    				_v556 = 0x104;
    				_v1092 = _t99 & 0x00000800;
    				memset( &_v1084, 0, 0x104);
    				_v28 = _v28 & 0x00000000;
    				_v24 = 1;
    				_v20 = 0x104;
    				memset( &_v548, 0, 0x104);
    				_t177 = _t175 + 0x18;
    				if(E0103E3F0(0x7fe9) < 0 || E0103E3F0(0x7fe9) < 0) {
    					L18:
    					_t108 = _v28;
    					_v28 = _v28 & 0x00000000;
    					if(_t108 != 0) {
    						__imp__??_V@YAXPAX@Z(_t108);
    					}
    					_t109 = _v564;
    					_v564 = _v564 & 0x00000000;
    					if(_t109 != 0) {
    						__imp__??_V@YAXPAX@Z(_t109);
    					}
    					_pop(_t168);
    					_pop(_t171);
    					_pop(_t144);
    					return E01046B30(_t143, _t144, _v8 ^ _t177, _t163, _t168, _t171);
    				} else {
    					if(_v1100 != 0 || _v1092 != 0 ||  *((char*)(_t170 + 0x11)) != 0) {
    						L6:
    						if(( *(_t167 + 4) & 0x00000010) != 0) {
    							L17:
    							_t143 = 0;
    							goto L18;
    						}
    						_t154 = _v564;
    						if(_v564 == 0) {
    							_t154 =  &_v1084;
    						}
    						_t163 = _v556;
    						_v1096 = _t167 + ((_v1096 & 0x0000ffff) + 0x18) * 2;
    						if(E010434B8(_t154, _v556,  *((intOrPtr*)(_t170 + 4)), _t167 + ((_v1096 & 0x0000ffff) + 0x18) * 2) != 0) {
    							_push(_v1096);
    							goto L28;
    						} else {
    							_t155 = _v28;
    							if(_v28 == 0) {
    								_t155 =  &_v548;
    							}
    							if(E010434B8(_t155, _v20,  *((intOrPtr*)(_t170 + 4)), _t167 + 0x30) != 0) {
    								_t121 = _v564;
    								if(_v564 == 0) {
    									_t121 =  &_v1084;
    								}
    								_t156 =  &_v548;
    								E0103A641(_t121);
    							}
    							if(_v1092 != 0) {
    								_t156 = _v28;
    								if(_t156 == 0) {
    									_t156 =  &_v548;
    								}
    								_t163 = 0x232c;
    								if(E01059C2E(_t156, 0x232c, 0x2328) == _t143) {
    									goto L12;
    								} else {
    									if( *0x106259c != 0) {
    										goto L18;
    									}
    									goto L17;
    								}
    							} else {
    								L12:
    								_t165 =  *(_t167 + 4);
    								_t157 = _t156 & 0xffffff00 | (_t165 & 0x00000001) != 0x00000000;
    								if(((_v1088 & 0xffffff00 | ( *_v1088 & 0x00001000) != 0x00000000) & (_t156 & 0xffffff00 | (_t165 & 0x00000001) != 0x00000000)) != 0) {
    									_t126 = _v564;
    									if(_t126 == 0) {
    										_t126 =  &_v1084;
    									}
    									_t163 = _t165 & 0xfffffffe;
    									_t127 = SetFileAttributesW(_t126, _t165 & 0xfffffffe);
    									if(_t127 != 0) {
    										goto L13;
    									} else {
    										_push(_t127);
    										_push(GetLastError());
    										E010378E4(_t157);
    										goto L18;
    									}
    								}
    								L13:
    								_t158 = _v28;
    								if(_v28 == 0) {
    									_t158 =  &_v548;
    								}
    								_t163 =  *(_t167 + 4);
    								if(E01044759(_t158,  *(_t167 + 4)) != 0) {
    									_t158 = _v564;
    									if(_v564 == 0) {
    										_t158 =  &_v1084;
    									}
    									_t163 =  *(_t167 + 4);
    									_t172 = E01044759(_t158,  *(_t167 + 4));
    									if(_t172 == 0) {
    										goto L15;
    									} else {
    										if(_t172 == 0x4d3) {
    											goto L18;
    										}
    										_t133 = _v28;
    										if(_v28 == 0) {
    											_t133 =  &_v548;
    										}
    										E01039950(L"%s\r\n");
    										E010378E4(_t158, _t172, 0, _t133);
    										_t177 = _t177 + 0x10;
    										goto L17;
    									}
    								} else {
    									L15:
    									_t130 = _v1088;
    									_t130[0x60] = _t130[0x60] + 1;
    									if( *0x1066755 != 0 && ( *_t130 & 0x00000010) != 0) {
    										_t131 = _v28;
    										if(_v28 == 0) {
    											_t131 =  &_v548;
    										}
    										E010363BD(_t158, 0x400023a1, _t143, _t131);
    										_t177 = _t177 + 0xc;
    									}
    									goto L17;
    								}
    							}
    						}
    					} else {
    						_t163 =  *(_t170 + 0xc);
    						_t138 = E01044DD0( *((intOrPtr*)(_t170 + 8)),  *(_t170 + 0xc));
    						_v1100 = _t138;
    						if(_t138 != 0) {
    							_t154 = _v564;
    							if(_v564 == 0) {
    								_t154 =  &_v1084;
    							}
    							_t163 = _v556;
    							if(E010434B8(_t154, _v556,  *((intOrPtr*)(_t170 + 4)), _t138) == 0) {
    								_t162 = _v564;
    								 *((char*)(_t170 + 0x11)) = _t143;
    								if(_v564 == 0) {
    									_t162 =  &_v1084;
    								}
    								_t163 = 0x234e;
    								if(E01059C2E(_t162, 0x234e, 0x2328) != _t143) {
    									goto L18;
    								} else {
    									goto L6;
    								}
    							} else {
    								_push(_v1100);
    								L28:
    								E010378E4(_t154, 0x400023da, 2,  *((intOrPtr*)(_t170 + 4)));
    								_t177 = _t177 + 0x10;
    								goto L18;
    							}
    						}
    						goto L6;
    					}
    				}
    			}

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: memset
    • String ID: %s
    • API String ID: 2221118986-3043279178
    • Opcode ID: e9ea4b96daa46c25c94a9b9b2d2b8cc76d1a6871f18b056c76d30e47c866ea4d
    • Instruction ID: 8b6fe6f38550adca856fbcf133e4f8d80cf3bc88e4e63464e4a13df334fd5ccc
    • Opcode Fuzzy Hash: e9ea4b96daa46c25c94a9b9b2d2b8cc76d1a6871f18b056c76d30e47c866ea4d
    • Instruction Fuzzy Hash: 8E9180B1A083429BE771DE18D8C4BABB7E4BF84304F04497DE9C99B181EB34E954CB52
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 49%
    			E0103BF70(signed int __ecx, wchar_t* __edx, signed int* _a4, intOrPtr _a8) {
    				void* _v8;
    				signed int _v12;
    				char _v20;
    				wchar_t* _v32;
    				void* _v36;
    				void* _v40;
    				void* _v44;
    				signed int _v48;
    				wchar_t* _v52;
    				signed int _v56;
    				int _v60;
    				wchar_t* _v64;
    				intOrPtr _v68;
    				signed int _v72;
    				int _v76;
    				signed short* _v80;
    				void* _v84;
    				signed short* _v88;
    				signed short* _v92;
    				intOrPtr _v96;
    				intOrPtr _v100;
    				signed short* _v104;
    				void* __edi;
    				void* __ebp;
    				signed int _t127;
    				int _t130;
    				signed int* _t131;
    				intOrPtr* _t135;
    				signed short* _t139;
    				wchar_t* _t140;
    				intOrPtr _t142;
    				intOrPtr _t143;
    				short* _t144;
    				intOrPtr _t145;
    				intOrPtr _t146;
    				signed short* _t149;
    				wchar_t* _t150;
    				intOrPtr _t152;
    				intOrPtr _t153;
    				intOrPtr _t154;
    				intOrPtr _t155;
    				intOrPtr _t156;
    				intOrPtr _t157;
    				signed short* _t161;
    				void _t162;
    				signed int _t164;
    				intOrPtr _t166;
    				signed int _t170;
    				signed int _t172;
    				signed short* _t174;
    				intOrPtr* _t175;
    				signed int _t177;
    				signed int _t178;
    				signed int _t179;
    				intOrPtr _t180;
    				signed int _t189;
    				intOrPtr* _t191;
    				intOrPtr* _t194;
    				signed int _t196;
    				void* _t197;
    				void* _t198;
    				intOrPtr* _t202;
    				intOrPtr* _t205;
    				intOrPtr* _t208;
    				void* _t211;
    				intOrPtr* _t212;
    				signed int _t215;
    				signed int _t219;
    				signed short* _t220;
    				signed short* _t226;
    				signed short* _t228;
    				wchar_t* _t229;
    				short* _t230;
    				void* _t231;
    				void* _t232;
    				intOrPtr* _t233;
    				signed short* _t237;
    				void* _t240;
    				void* _t241;
    				void* _t242;
    				void* _t243;
    				signed short* _t244;
    				signed short* _t247;
    				wchar_t* _t252;
    				WCHAR* _t254;
    				void* _t255;
    				signed int _t256;
    				intOrPtr* _t258;
    				signed int _t260;
    				void* _t262;
    				intOrPtr* _t265;
    				signed int _t267;
    				signed int _t268;
    				intOrPtr* _t269;
    				signed short* _t270;
    				signed short* _t271;
    				signed short* _t272;
    				signed short* _t273;
    				intOrPtr _t276;
    				signed int _t277;
    				void* _t278;
    				void* _t279;
    				void* _t282;
    
    				_t229 = __edx;
    				_push(0xfffffffe);
    				_push(0x105ca10);
    				_push(E01046E00);
    				_push( *[fs:0x0]);
    				_t279 = _t278 - 0x54;
    				_t127 =  *0x105e0b4; // 0x6030efd1
    				_v12 = _v12 ^ _t127;
    				_push(_t127 ^ _t277);
    				 *[fs:0x0] =  &_v20;
    				_v52 = __edx;
    				_v56 = __ecx;
    				_v60 = 0;
    				_t252 = 0;
    				_v40 = 0;
    				_t262 = 0;
    				_v36 = 0;
    				_v8 = 0;
    				_t130 = E0103DCD0(0x4000);
    				_v60 = _t130;
    				if(_t130 == 0) {
    					_t170 = _v56;
    					if(_t170 == 0) {
    						L74:
    						_t131 = _a4;
    						L75:
    						 *_t131 = 0;
    						L23:
    						_v8 = 0xfffffffe;
    						E0103C3F4(_t252);
    						 *[fs:0x0] = _v20;
    						return _t262;
    					}
    					__imp__longjmp(_t170, 0xffffffff);
    					L91:
    					_t172 = _v56;
    					if(_t172 == 0) {
    						L73:
    						_t262 = _v36;
    						goto L74;
    					}
    					__imp__longjmp(_t172, 0xffffffff);
    					L93:
    					_t230 = _t229 - 2;
    					_v64 = _t230;
    					_v68 = _t172 - 1;
    					L20:
    					 *_t230 = 0;
    					_t174 = _v52;
    					_t254 = _v40;
    					L21:
    					_t135 = _v32;
    					_v32 = _t135 + 2;
    					_t255 = E0103EC2E(_t254);
    					_v44 = _t255;
    					if( *_t135 == 0x3a) {
    						if( *0x1066755 == 0 || _t255 == 0) {
    							goto L22;
    						} else {
    							_t139 = _v32;
    							_t189 =  *_t139 & 0x0000ffff;
    							if(_t189 == 0x7e) {
    								_t140 =  &(_t139[1]);
    								_v32 = _t140;
    								_t256 = wcstol(_t140,  &_v32, 0);
    								_v72 = _t256;
    								_t175 = _v44;
    								if(_t256 >= 0) {
    									L50:
    									_t191 = _t175;
    									_t231 = _t191 + 2;
    									do {
    										_t142 =  *_t191;
    										_t191 = _t191 + 2;
    									} while (_t142 != 0);
    									if(_t256 >= _t191 - _t231 >> 1) {
    										_t194 = _t175;
    										_t232 = _t194 + 2;
    										do {
    											_t143 =  *_t194;
    											_t194 = _t194 + 2;
    										} while (_t143 != 0);
    										_t196 = _t194 - _t232 >> 1;
    										L54:
    										if(_t196 < 0) {
    											_t256 = 0;
    											L58:
    											_v72 = _t256;
    											_t144 = _v32;
    											if( *_t144 != 0x2c) {
    												_t257 = _t175 + _t256 * 2;
    												_t265 = _t175 + _t256 * 2;
    												_t108 = _t265 + 2; // 0x2
    												_t197 = _t108;
    												do {
    													_t145 =  *_t265;
    													_t265 = _t265 + 2;
    												} while (_t145 != 0);
    												L72:
    												_t267 = _t265 - _t197 >> 1;
    												L63:
    												_v48 = _t267;
    												_t233 = _t175;
    												_t198 = _t233 + 2;
    												do {
    													_t146 =  *_t233;
    													_t233 = _t233 + 2;
    												} while (_t146 != 0);
    												_t255 = _v44;
    												E01042298(_t255, (_t233 - _t198 >> 1) + 1, _t257, _t267);
    												if( *((short*)(_t255 + _t267 * 2)) != 0) {
    													 *((short*)(_t255 + _t267 * 2)) = 0;
    												}
    												_t149 = _v32;
    												_t237 =  &(_t149[1]);
    												_v32 = _t237;
    												_t131 = _a4;
    												if(( *_t149 & 0x0000ffff) != _a8) {
    													L98:
    													_t262 = _v36;
    													_t252 = _v40;
    													goto L75;
    												} else {
    													 *_t131 = _t237 - _v52 >> 1;
    													L45:
    													_t262 = _t255;
    													_v36 = _t262;
    													_t252 = _v40;
    													goto L23;
    												}
    											}
    											_t150 = _t144 + 2;
    											_v32 = _t150;
    											_t268 = wcstol(_t150,  &_v32, 0);
    											_v48 = _t268;
    											if(_t268 < 0) {
    												_t202 = _t175 + _t256 * 2;
    												_t240 = _t202 + 2;
    												do {
    													_t152 =  *_t202;
    													_t202 = _t202 + 2;
    												} while (_t152 != 0);
    												_t267 = _t268 + (_t202 - _t240 >> 1);
    												_v48 = _t267;
    												if(_t267 < 0) {
    													_t267 = 0;
    												}
    											}
    											_v48 = _t267;
    											_t257 = _t175 + _t256 * 2;
    											_t205 = _t257;
    											_t76 = _t205 + 2; // 0x2
    											_t241 = _t76;
    											do {
    												_t153 =  *_t205;
    												_t205 = _t205 + 2;
    											} while (_t153 != 0);
    											if(_t267 >= _t205 - _t241 >> 1) {
    												_t269 = _t257;
    												_t99 = _t269 + 2; // 0x2
    												_t197 = _t99;
    												do {
    													_t154 =  *_t269;
    													_t269 = _t269 + 2;
    												} while (_t154 != 0);
    												goto L72;
    											}
    											goto L63;
    										}
    										_t208 = _t175;
    										_t242 = _t208 + 2;
    										do {
    											_t155 =  *_t208;
    											_t208 = _t208 + 2;
    										} while (_t155 != 0);
    										if(_t256 >= _t208 - _t242 >> 1) {
    											_t258 = _t175;
    											_t211 = _t258 + 2;
    											do {
    												_t156 =  *_t258;
    												_t258 = _t258 + 2;
    											} while (_t156 != 0);
    											_t256 = _t258 - _t211 >> 1;
    										}
    										goto L58;
    									}
    									_t196 = _t256;
    									goto L54;
    								}
    								_t212 = _t175;
    								_t243 = _t212 + 2;
    								do {
    									_t157 =  *_t212;
    									_t212 = _t212 + 2;
    								} while (_t157 != 0);
    								_t256 = _t256 + (_t212 - _t243 >> 1);
    								_v72 = _t256;
    								goto L50;
    							}
    							if(_t189 == 0x2a) {
    								_t139 =  &(_t139[1]);
    								_v32 = _t139;
    								_v76 = 1;
    							} else {
    								_v76 = 0;
    							}
    							_t270 = _t139;
    							_v104 = _t270;
    							_t244 = _t270;
    							while(1) {
    								_t215 =  *_t139 & 0x0000ffff;
    								if(_t215 == 0 || _t215 == 0x3d) {
    									break;
    								}
    								_t139 =  &(_t244[1]);
    								_v32 = _t139;
    								_t244 = _t139;
    							}
    							if( *_t139 == 0) {
    								L100:
    								_t252 = _v40;
    								goto L73;
    							}
    							_t177 = _t244 - _t270;
    							_t178 = _t177 >> 1;
    							if(_t177 == 0) {
    								_t179 = _v56;
    								if(_t179 == 0) {
    									goto L100;
    								}
    								E010378E4(_t215, 0x234a, 1, _t244);
    								_t282 = _t279 + 0xc;
    								__imp__longjmp(_t179, 0xffffffff);
    								L103:
    								_t255 = _v44;
    								memcpy(_t255, ??, ??);
    								E0103F3A0(_v56 + _v56 + _t255, 0x2000 - _v56, _t270);
    								goto L45;
    							}
    							_t161 =  &(_t244[1]);
    							_t271 = _t161;
    							_v80 = _t271;
    							while(1) {
    								_t247 = _t161;
    								_v32 = _t161;
    								_t219 =  *_t161 & 0x0000ffff;
    								if(_t219 == 0 || _t219 == _a8) {
    									break;
    								}
    								_t161 =  &(_t247[1]);
    							}
    							_t131 = _a4;
    							if( *_t161 == 0) {
    								goto L98;
    							}
    							_t220 =  &(_t247[1]);
    							_v32 = _t220;
    							_v56 = _t247 - _t271 >> 1;
    							 *_t131 = _t220 - _v52 >> 1;
    							if( *_t255 == 0) {
    								goto L45;
    							}
    							_t272 = _v60;
    							_t162 = E0103F3A0(_t272, 0x2000, _t255);
    							_v88 = _t272;
    							_v84 = _t255;
    							while(1) {
    								L42:
    								__imp___wcsnicmp(_t272, _v104, _t178);
    								_t282 = _t279 + 0xc;
    								if(_t162 != 0) {
    									break;
    								}
    								_t270 =  &(_t272[_t178]);
    								_push(_v56 + _v56);
    								_push(_v80);
    								if(_v76 != 0) {
    									goto L103;
    								}
    								_t162 = memcpy(_t255, ??, ??);
    								_t279 = _t282 + 0xc;
    								_t255 = _t255 + _v56 * 2;
    								_v84 = _t255;
    								_v88 = _t270;
    							}
    							_t162 =  *_t272 & 0x0000ffff;
    							 *_t255 = _t162;
    							_t255 = _t255 + 2;
    							_v84 = _t255;
    							_t272 =  &(_t272[1]);
    							_v88 = _t272;
    							if(_t162 != 0) {
    								goto L42;
    							}
    							_t255 = _v44;
    							goto L45;
    						}
    					}
    					L22:
    					 *_a4 = _v32 - _t174 >> 1;
    					_t262 = _t255;
    					_v36 = _t262;
    					_t252 = _v40;
    					goto L23;
    				}
    				_t226 = __edx;
    				_v32 = __edx;
    				_t273 = __edx;
    				_t229 =  *0x1066755;
    				while(1) {
    					_t164 =  *_t226 & 0x0000ffff;
    					if(_t164 == 0) {
    						break;
    					}
    					_t180 = _a8;
    					if(_t164 == _t180 || _t229 != 0 && _t164 == 0x3a && _t226[1] != _t180) {
    						break;
    					} else {
    						_t226 =  &(_t273[1]);
    						_v32 = _t226;
    						_t273 = _t226;
    						continue;
    					}
    				}
    				if( *_t226 == 0) {
    					goto L73;
    				}
    				_t174 = _v52;
    				if(_t273 == _t174) {
    					goto L73;
    				}
    				_t276 = (_t273 - _t174 >> 1) + 1;
    				_t252 = E0103DCD0(_t276 + _t276);
    				_v40 = _t252;
    				if(_t252 == 0) {
    					goto L91;
    				}
    				_t166 = _t276 - 1;
    				if(_t276 == 0) {
    					goto L21;
    				}
    				if(_t276 > 0x7fffffff) {
    					if(_t276 == 0) {
    						goto L21;
    					}
    					L95:
    					 *_t252 = 0;
    					goto L21;
    				}
    				if(_t166 > 0x7ffffffe) {
    					goto L95;
    				}
    				_t228 = _t174;
    				_t229 = _t252;
    				_t172 = 0;
    				while(1) {
    					_v68 = _t172;
    					_v64 = _t229;
    					_v96 = _t276;
    					_v92 = _t228;
    					_v100 = _t166;
    					if(_t276 == 0) {
    						goto L93;
    					}
    					if(_t166 == 0) {
    						L19:
    						if(_t276 == 0) {
    							goto L93;
    						}
    						goto L20;
    					}
    					_t260 =  *_t228 & 0x0000ffff;
    					if(_t260 == 0) {
    						goto L19;
    					}
    					 *_t229 = _t260;
    					_t229 =  &(_t229[0]);
    					_t228 =  &(_t228[1]);
    					_t276 = _t276 - 1;
    					_t166 = _t166 - 1;
    					_t172 = _t172 + 1;
    				}
    				goto L93;
    			}

    APIs
      • Part of subcall function 0103DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0103ACD8,00000001,?,00000000,01038C23,-00000105,0105C9B0,00000240,01041E92,00000000,00000000,0104ACE0,00000000), ref: 0103DCE1
      • Part of subcall function 0103DCD0: RtlAllocateHeap.NTDLL(00000000,?,0103ACD8,00000001,?,00000000,01038C23,-00000105,0105C9B0,00000240,01041E92,00000000,00000000,0104ACE0,00000000,00000000), ref: 0103DCE8
    • _wcsnicmp.MSVCRT ref: 0103C1B7
    • wcstol.MSVCRT ref: 0103C1FC
    • wcstol.MSVCRT ref: 0103C28A
    • longjmp.MSVCRT(?,000000FF), ref: 0104CFB0
    • longjmp.MSVCRT(?,000000FF), ref: 0104CFC4
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: Heaplongjmpwcstol$AllocateProcess_wcsnicmp
    • String ID:
    • API String ID: 2414476164-0
    • Opcode ID: 59b43decb7e0bcf8aa69e94ad5bbafdc29450d7f11d1796d57eee05a9fcce6a3
    • Instruction ID: 92bc112b507cb7b4f652a8162de5ff1d95fdce08a68b49d93841a7071cbd6ebc
    • Opcode Fuzzy Hash: 59b43decb7e0bcf8aa69e94ad5bbafdc29450d7f11d1796d57eee05a9fcce6a3
    • Instruction Fuzzy Hash: 65F1B375D002158BEB24CF98C6806FEBBF9BF85700F19826AD996F7344E7755A01CB90
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 54%
    			E010426DC(intOrPtr __ecx, signed int __edx) {
    				signed int _v8;
    				long _v20;
    				char _v24;
    				WCHAR* _v28;
    				signed int _v540;
    				void _v548;
    				int _v556;
    				char _v560;
    				WCHAR* _v564;
    				char _v1068;
    				void _v1084;
    				WCHAR* _v1092;
    				char _v1096;
    				WCHAR* _v1100;
    				WCHAR* _v1104;
    				char _v1108;
    				char _v1112;
    				int _v1116;
    				int _v1120;
    				WCHAR* _v1124;
    				void* _v1138;
    				int _v1142;
    				int _v1146;
    				int _v1150;
    				int _v1154;
    				int _v1158;
    				int _v1162;
    				int _v1166;
    				int _v1170;
    				short _v1172;
    				int _v1176;
    				WCHAR* _v1180;
    				int _v1184;
    				char _v1188;
    				int _v1192;
    				char _v1196;
    				intOrPtr _v1200;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				signed int _t80;
    				intOrPtr _t92;
    				intOrPtr _t100;
    				WCHAR* _t101;
    				signed int _t105;
    				char _t116;
    				void* _t117;
    				void* _t140;
    				void* _t143;
    				intOrPtr _t144;
    				signed int _t145;
    				signed int _t147;
    				signed int _t148;
    
    				_t134 = __edx;
    				_t147 = (_t145 & 0xfffffff8) - 0x4ac;
    				_t80 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t80 ^ _t147;
    				_v1200 = __ecx;
    				_v1180 = 0;
    				_v1172 = 0;
    				_v1196 = 0;
    				_v1192 = 0;
    				_v1188 = 0;
    				_t116 = 1;
    				_v1184 = 0;
    				_v1176 = 0;
    				_v1170 = 0;
    				_v1166 = 0;
    				_v1162 = 0;
    				_v1158 = 0;
    				_v1154 = 0;
    				_v1150 = 0;
    				_v1146 = 0;
    				_v1142 = 0;
    				asm("stosd");
    				_v564 = 0;
    				asm("stosd");
    				_v560 = 1;
    				_v556 = 0x104;
    				asm("stosd");
    				asm("stosw");
    				_v1124 = 0;
    				_v1120 = 0;
    				_v1116 = 0;
    				_v1112 = 0;
    				_v1108 = 0;
    				_v1104 = 0;
    				_v1100 = 0;
    				asm("stosd");
    				asm("stosd");
    				asm("stosd");
    				memset( &_v1084, 0, 0x104);
    				_t148 = _t147 + 0xc;
    				if(E0103E3F0(((0 | _v560 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) >= 0) {
    					_t144 =  *0x1066778;
    					_v20 = 0x104;
    					_v1192 = 6;
    					_v1188 = 0;
    					_v1196 = 0x8000;
    					_v1124 = 0;
    					_v1104 = 0;
    					_v28 = 0;
    					_v24 = 1;
    					memset( &_v548, 0, 0x104);
    					_t148 = _t148 + 0xc;
    					if(E0103E3F0(GetEnvironmentVariableW(L"DIRCMD", 0, 0)) >= 0) {
    						if(GetEnvironmentVariableW(L"DIRCMD", _t101, _v20) != 0) {
    							_t126 = _v28;
    							if(_v28 == 0) {
    								_t126 =  &_v548;
    							}
    							if(E01039144(_t126,  &_v1196) == _t116) {
    								_push(0);
    								_push(0x2377);
    								E010378E4(_t126);
    							}
    						}
    						_t134 =  &_v1188;
    						if(E01039144(_v1192,  &_v1188) != _t116) {
    							_t105 = _v1180;
    							if((_t105 & 0x00000040) != 0) {
    								_t105 = _t105 & 0xfffb79fb;
    								_v1180 = _t105;
    							}
    							if((_t105 & 0x00000400) != 0) {
    								_v1180 = _t105 & 0xfffffdbb;
    							}
    							_t128 = _v548;
    							if(_v548 == 0) {
    								_t128 =  &_v1068;
    							}
    							_t134 = _v540;
    							E01038E9E(_t116, _t128, _v540, 0);
    							if(_v1112 == 0) {
    								_t129 = _v548;
    								_v1108 = _t116;
    								if(_v548 == 0) {
    									_t129 =  &_v1068;
    								}
    								_v1104 = E0104054B(_t116, _t129, 0, _t144);
    								_v1096 = _t116;
    								_v1100 = 0;
    								_v1092 = 0;
    							}
    							_t116 = E0104161D( &_v1180, _t134);
    							_t110 = _v548;
    							if(_v548 == 0) {
    								_t110 =  &_v1068;
    							}
    							E0104238B(_t134, _t110, _v540);
    							E0104198F(_t144, 0);
    						}
    					}
    					_t100 = _v28;
    					_v28 = 0;
    					if(_t100 != 0) {
    						__imp__??_V@YAXPAX@Z(_t100);
    					}
    				}
    				_t92 = _v564;
    				_v564 = 0;
    				if(_t92 != 0) {
    					__imp__??_V@YAXPAX@Z(_t92);
    				}
    				_pop(_t140);
    				_pop(_t143);
    				_pop(_t117);
    				return E01046B30(_t116, _t117, _v8 ^ _t148, _t134, _t140, _t143);
    			}

    APIs
    • memset.MSVCRT ref: 01042795
      • Part of subcall function 0103E3F0: memset.MSVCRT ref: 0103E455
    • memset.MSVCRT ref: 0104280E
    • GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(DIRCMD,00000000,00000000,00000000,00000104,-00000001,?,00000002,00000000), ref: 0104281D
    • GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(DIRCMD,?,?,00000000), ref: 01042857
    • ??_V@YAXPAX@Z.MSVCRT ref: 0104290B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: memset$EnvironmentVariable
    • String ID: DIRCMD
    • API String ID: 1405722092-1465291664
    • Opcode ID: 1f5d1fe3fdc653dd27cfce4bcabf535e8e7d97511dbb6fc69446cd76a7e039b7
    • Instruction ID: b5a43e20126f10b084fe68c26ba4db64156417372dd1adb3f24f465229b73211
    • Opcode Fuzzy Hash: 1f5d1fe3fdc653dd27cfce4bcabf535e8e7d97511dbb6fc69446cd76a7e039b7
    • Instruction Fuzzy Hash: 0D7115B1A0D3829BE764DF29D484A9FBBE8BFD9300F00492EF6D983250DB349544CB56
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E010431EA(signed short** __ecx, signed short** __edx, void* __eflags, signed short** _a4) {
    				signed short* _t8;
    				signed short _t9;
    				long _t13;
    				signed short** _t18;
    				signed short _t25;
    				long _t32;
    				wchar_t* _t33;
    				signed short** _t34;
    
    				_t18 = __edx;
    				_t34 = __ecx;
    				E010459F6(__ecx);
    				_t32 =  *( *_t34) & 0x0000ffff;
    				if(_t32 == 0 || iswdigit(_t32) != 0 || wcschr(L"<>+-*/%()|^&=,", _t32) != 0) {
    					L12:
    					return 0;
    				} else {
    					_t33 = L"+-~!";
    					if(wcschr(_t33, _t32) != 0) {
    						goto L12;
    					}
    					_t8 =  *_t34;
    					 *_t18 = _t8;
    					while(1) {
    						_t9 =  *_t8 & 0x0000ffff;
    						_t25 = _t9;
    						if(_t9 == 0) {
    							break;
    						}
    						_t13 = _t25 & 0x0000ffff;
    						if(_t13 <= 0x20 || wcschr(_t33, _t13) != 0 || wcschr(L"<>+-*/%()|^&=,",  *( *_t34) & 0x0000ffff) != 0) {
    							break;
    						} else {
    							 *_t34 =  &(( *_t34)[1]);
    							_t8 =  *_t34;
    							continue;
    						}
    					}
    					 *_a4 =  *_t34;
    					return 1;
    				}
    			}

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: wcschr$iswdigit
    • String ID: +-~!$<>+-*/%()|^&=,
    • API String ID: 2770779731-632268628
    • Opcode ID: d7c12cf19966e12ce84baa9a956b68df4c22007ebd822146380836b0a4e8d5ad
    • Instruction ID: a40ef8c73a550e25491b5bc97a1bd0912e56adacff42e69ab887d72216416952
    • Opcode Fuzzy Hash: d7c12cf19966e12ce84baa9a956b68df4c22007ebd822146380836b0a4e8d5ad
    • Instruction Fuzzy Hash: F91194B6704222DF97785E6ED98487A77E8FF8A661324007EF5C1DB184EB25D800C660
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 63%
    			E010349F8(void* __ebx, void** __ecx, void* __edi) {
    				void _v8;
    				intOrPtr _v12;
    				void* _v16;
    				void* _t37;
    				intOrPtr _t39;
    				void* _t40;
    				void* _t52;
    				long _t55;
    				long _t56;
    				void* _t57;
    				long _t61;
    				void* _t66;
    				long _t73;
    				void* _t85;
    				void** _t102;
    				long _t105;
    
    				_t102 = __ecx;
    				_t37 = E01039A11(E01034A9F(__ecx));
    				_t105 = _t102[4];
    				if(_t37 != 0) {
    					_t39 = _t105 + _t102[2] * 2;
    					_v12 = _t39;
    					__eflags = _t105 - _t39;
    					if(_t105 < _t39) {
    						_t85 = 0x2022;
    						while(1) {
    							_t73 = _t105;
    							__eflags = _t105 - _t39;
    							if(_t105 >= _t39) {
    								goto L3;
    							} else {
    								goto L12;
    							}
    							while(1) {
    								L12:
    								__eflags =  *_t73 - _t85;
    								if( *_t73 == _t85) {
    									break;
    								}
    								_t73 = 2 + _t73;
    								__eflags = _t73 - _t39;
    								if(_t73 < _t39) {
    									continue;
    								}
    								break;
    							}
    							__eflags = _t73 - _t105;
    							if(_t73 == _t105) {
    								goto L20;
    							} else {
    								_t66 = _t73 - _t105 >> 1;
    								_v16 = _t66;
    								__imp___get_osfhandle(0);
    								_t54 = WriteConsoleW(_t66, 1, _t105, _t66,  &_v8);
    								__eflags = _t54;
    								if(_t54 == 0) {
    									goto L30;
    								} else {
    									_t54 = _v16;
    									__eflags = _v8 - _v16;
    									if(_v8 != _v16) {
    										goto L30;
    									} else {
    										_t39 = _v12;
    										_t105 = _t73;
    										_t85 = 0x2022;
    										while(1) {
    											L20:
    											__eflags = _t73 - _t39;
    											if(_t73 >= _t39) {
    												break;
    											}
    											__eflags =  *_t73 - _t85;
    											if( *_t73 == _t85) {
    												_t73 = 2 + _t73;
    												__eflags = _t73;
    												continue;
    											}
    											break;
    										}
    										__eflags = _t73 - _t105;
    										if(_t73 == _t105) {
    											L27:
    											_t85 = 0x2022;
    											__eflags = _t105 - _t39;
    											if(_t105 < _t39) {
    												continue;
    											} else {
    												goto L3;
    											}
    										} else {
    											__eflags =  *_t102;
    											if( *_t102 != 0) {
    												SetConsoleMode( *_t102, 2);
    											}
    											_t52 = _t73 - _t105 >> 1;
    											_v16 = _t52;
    											__imp___get_osfhandle(0);
    											_t105 = WriteConsoleW(_t52, 1, _t105, _t52,  &_v8);
    											_t54 = E0103E310(_t53);
    											__eflags = _t105;
    											if(_t105 == 0) {
    												goto L30;
    											} else {
    												_t54 = _v16;
    												__eflags = _v8 - _v16;
    												if(_v8 != _v16) {
    													goto L30;
    												} else {
    													_t39 = _v12;
    													_t105 = _t73;
    													goto L27;
    												}
    											}
    										}
    									}
    								}
    							}
    							goto L38;
    						}
    					}
    					goto L3;
    				} else {
    					if(E01039B3B(_t102[2] + _t102[2], _t105, _t102[2] + _t102[2],  &_v8) == 0) {
    						L30:
    						_t89 = 1;
    						_t55 = E0103DD98(_t54);
    						__eflags = _t55;
    						if(_t55 == 0) {
    							_t89 = 1;
    							_t56 = E01059FCF(_t55, 1);
    							__eflags = _t56;
    							if(_t56 == 0) {
    								_push(_t56);
    								_push(0x70);
    								goto L34;
    							}
    						} else {
    							_push(0);
    							_push(0x1d);
    							L34:
    							E010378E4(_t89);
    						}
    						_t57 = E01059922();
    						__imp__longjmp(0x1070a30, 1);
    						asm("int3");
    						__eflags =  *(_t105 + 4) - _t57;
    						if(__eflags < 0) {
    							return _t57;
    						} else {
    							E01054840(__eflags, 0);
    							 *(_t105 + 4) =  *(_t105 + 4) & 0x00000000;
    							E010426A1(_t105);
    							_t61 =  *((intOrPtr*)(_t105 + 0x1c)) - 1;
    							__eflags = _t61;
    							 *(_t105 + 0x24) = _t61;
    							return _t61;
    						}
    					} else {
    						_t70 = _t102[2];
    						_t54 = _t102[2] + _t70;
    						if(_v8 != _t102[2] + _t70) {
    							goto L30;
    						} else {
    							L3:
    							_t40 = E01039A11(_t39);
    							_t41 =  &_v8;
    							if(_t40 != 0) {
    								__imp___get_osfhandle(0);
    								WriteConsoleW( &_v8, 1, L"\r\n", 2, _t41);
    							} else {
    								E01039B3B( &_v8, L"\r\n", 4,  &_v8);
    							}
    							_t102[1] = _t102[1] + E010349C5(_t102, _t102[4]) + 1;
    							E01034A9F(_t102);
    							if(_t102[1] > _t102[7]) {
    								_t102[1] = _t102[1] & 0x00000000;
    							}
    							 *(_t102[4]) = 0;
    							_t102[2] = _t102[2] & 0;
    							return 0;
    						}
    					}
    				}
    				L38:
    			}




















    APIs
      • Part of subcall function 01039A11: _get_osfhandle.MSVCRT ref: 01039A1C
      • Part of subcall function 01039A11: GetFileType.KERNELBASE(00000000,0103793A,00000104,?), ref: 01039A2B
      • Part of subcall function 01039A11: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,?,?,?,?,?,?,?,?,01037908,00002374,-00000001), ref: 01039A47
      • Part of subcall function 01039A11: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01078E04,00000002,?,?,?,?,?,?,?,?,?,?,?,?,01037908,00002374), ref: 01039A56
      • Part of subcall function 01039A11: GetConsoleMode.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,01037908,00002374), ref: 01039A61
      • Part of subcall function 01039A11: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(01078E04,?,?,?,?,?,?,?,?,?,?,?,?,01037908,00002374,-00000001), ref: 01039A6A
    • _get_osfhandle.MSVCRT ref: 010486E3
    • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 010486EB
    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000002), ref: 0104872A
    • _get_osfhandle.MSVCRT ref: 01048743
    • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 0104874B
      • Part of subcall function 01039B3B: _get_osfhandle.MSVCRT ref: 01039B4E
      • Part of subcall function 01039B3B: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,01070AF0,000000FF,0106A7F0,00002000,00000000,00000000), ref: 01039B8E
      • Part of subcall function 01039B3B: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,0106A7F0,-00000001,?,00000000), ref: 01039BA3
    • longjmp.MSVCRT(01070A30,00000001), ref: 010487CE
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: Console_get_osfhandle$Write$FileLockModeShared$AcquireByteCharHandleMultiReleaseTypeWidelongjmp
    • String ID:
    • API String ID: 1333215474-0
    • Opcode ID: 49b1bc9bdb62789c489af1a72a554f2a7bed7a6c473c47451a10f9063df1d3e4
    • Instruction ID: 8e3ec508c4eceaa6f6cc9f40291bf0e42b7243d91513cae07de699b3ebee123c
    • Opcode Fuzzy Hash: 49b1bc9bdb62789c489af1a72a554f2a7bed7a6c473c47451a10f9063df1d3e4
    • Instruction Fuzzy Hash: 3051EA70B00301EBDB65EBB4C899BAEB7E8FB44715F04897AE5C2D7281EB75D8418B50
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 73%
    			E01036150(void* __ecx) {
    				intOrPtr _v8;
    				long _v16;
    				signed int _v20;
    				char _v28;
    				intOrPtr _v36;
    				signed int _v48;
    				short _v52;
    				WCHAR* _v54;
    				signed char _v56;
    				signed int _v60;
    				WCHAR* _v64;
    				WCHAR* _v68;
    				long _v72;
    				long _v80;
    				WCHAR* _v88;
    				signed char* _v92;
    				short _v104;
    				char _v108;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				signed int _t60;
    				WCHAR* _t65;
    				short _t66;
    				void* _t67;
    				void* _t68;
    				void* _t74;
    				short _t77;
    				void* _t78;
    				short _t82;
    				wchar_t* _t85;
    				signed char _t86;
    				short _t89;
    				short _t90;
    				wchar_t* _t102;
    				long _t103;
    				short* _t104;
    				short _t105;
    				long _t106;
    				short* _t109;
    				signed int _t110;
    				WCHAR* _t114;
    				WCHAR* _t126;
    				short _t132;
    				long _t134;
    				WCHAR* _t138;
    				short* _t142;
    				void* _t147;
    				WCHAR* _t149;
    				void* _t150;
    				signed int _t155;
    				signed int _t157;
    				short _t163;
    
    				_t110 = _t155;
    				_push(__ecx);
    				_push(__ecx);
    				_t157 = (_t155 & 0xfffffff8) + 4;
    				_v8 =  *((intOrPtr*)(_t110 + 4));
    				_t153 = _t157;
    				_push(0xfffffffe);
    				_push(0x105c990);
    				_push(E01046E00);
    				_push( *[fs:0x0]);
    				_push(__ecx);
    				_push(__ecx);
    				_push(_t110);
    				_t60 =  *0x105e0b4; // 0x6030efd1
    				_v20 = _v20 ^ _t60;
    				_v48 = _t60 ^ _t157;
    				 *[fs:0x0] =  &_v28;
    				_v36 = _t157 - 0x48;
    				_t65 = E0103BC30( *((intOrPtr*)( *((intOrPtr*)(_t110 + 8)) + 0x3c)), 0, 0 |  *0x1066755 != 0x00000000, _t60 ^ _t157);
    				_t149 = _t65;
    				_v64 = _t149;
    				_v68 = _t149;
    				if( *0x1066755 == 0) {
    					L6:
    					_t114 = _t149;
    					_t15 =  &(_t114[1]); // 0x2
    					_t142 = _t15;
    					do {
    						_t66 =  *_t114;
    						_t114 =  &(_t114[1]);
    					} while (_t66 != 0);
    					_v60 = _t114 - _t142 >> 1;
    					_t67 = E01040060(_t149, 0);
    					_t144 = _v60 + 1;
    					_t118 = _t149;
    					_t68 = E0103F3A0(_t149, _v60 + 1, _t67);
    					 *0x10665dc = 0;
    					if( *_t149 == 0) {
    						E01058A6E(_t68, _t118);
    						L18:
    						 *[fs:0x0] = _v28;
    						_pop(_t147);
    						_pop(_t150);
    						return E01046B30( *0x10665dc, _t110, _v48 ^ _t153, _t144, _t147, _t150);
    					}
    					if(E010362C8() == 0) {
    						_push(0);
    						_push(0x40002728);
    						L47:
    						E010378E4(_t118);
    						 *0x10665dc = 1;
    						goto L18;
    					}
    					if( *0x1066755 == 0) {
    						L12:
    						_t171 =  *0x10665dc;
    						if( *0x10665dc != 0) {
    							L45:
    							_t74 = E01041EA6(_t110, 0, _t149, __eflags);
    							RtlFreeHeap(GetProcessHeap(), 0, _t74);
    							_push(0);
    							_push( *0x10665dc);
    							goto L47;
    						}
    						_t144 = 0;
    						_t118 = _t149;
    						_t77 = E01038BC7(_t110, _t149, 0, 0, _t149, _t171);
    						 *0x10665dc = _t77;
    						if(_t77 == 0) {
    							_t78 = 0x3a;
    							if(_t149[1] == _t78) {
    								if( *0x1078df8 == 0) {
    									_t118 = 0x1078bf0;
    								}
    								_t144 =  *0x1078e00;
    								E01038E9E(_t110, _t118,  *0x1078e00,  *_t149 & 0x0000ffff);
    							}
    						}
    						if( *0x10665dc != 0) {
    							goto L45;
    						}
    						goto L18;
    					}
    					_t144 = 0x5c;
    					if( *_t149 == _t144) {
    						__eflags = _t149[1] - _t144;
    						if(__eflags != 0) {
    							goto L12;
    						}
    						_t126 = _t149;
    						_t24 =  &(_t126[1]); // 0x2
    						_v60 = _t24;
    						do {
    							_t82 =  *_t126;
    							_t126 =  &(_t126[1]);
    							__eflags = _t82;
    						} while (_t82 != 0);
    						_v72 = (_t126 - _v60 >> 1) + 1;
    						_t29 =  &(_t149[2]); // 0x4
    						_t85 = wcschr(_t29, _t144);
    						_v60 = _t85;
    						__eflags = _t85;
    						if(_t85 != 0) {
    							_t134 = 0x5c;
    							_t102 = wcschr( &(_t85[0]), _t134);
    							_v60 = _t102;
    							__eflags = _t102;
    							if(_t102 != 0) {
    								_t103 = GetFileAttributesW(_t149);
    								__eflags = _t103 - 0xffffffff;
    								if(_t103 != 0xffffffff) {
    									_t104 = _v60;
    									 *_t104 = 0;
    									_t105 = _t104 + 2;
    									__eflags = _t105;
    									_v60 = _t105;
    								} else {
    									_t106 = GetLastError();
    									 *0x10665dc = _t106;
    									__eflags = _t106 - 2;
    									if(_t106 == 2) {
    										 *0x10665dc = 3;
    									}
    								}
    							}
    						}
    						_t86 = 0x5a;
    						_v56 = _t86;
    						_t118 = 0x3a;
    						_v54 = _t118;
    						__eflags = 0;
    						_v52 = 0;
    						_v104 = 1;
    						_v92 =  &_v56;
    						_v88 = _t149;
    						_v80 = 0;
    						while(1) {
    							__eflags =  *0x10665dc;
    							if(__eflags != 0) {
    								goto L45;
    							}
    							__eflags = _v56 - 0x41;
    							if(__eflags == 0) {
    								goto L12;
    							}
    							_v16 = 0;
    							_t89 = E010472EF(_t118);
    							__eflags = _t89;
    							if(_t89 == 0) {
    								 *0x10665dc = 0x78;
    							} else {
    								 *0x10665dc =  *0x107d030( &_v108, 0, 0, 0);
    							}
    							_v16 = 0xfffffffe;
    							_t90 =  *0x10665dc;
    							__eflags = _t90;
    							if(_t90 == 0) {
    								_t144 = _v56;
    								 *((short*)( *0x106679c +  *0x1066798 * 8 - 4)) = _v56;
    								 *_t149 = _v56;
    								_t149[1] = _v54;
    								_t132 = 0x5c;
    								_t149[2] = _t132;
    								_t118 =  &(_v68[3]);
    								_t94 = _v60;
    								__eflags = _v60;
    								if(__eflags == 0) {
    									 *_t118 = 0;
    								} else {
    									_t144 = _v72;
    									E0103F3A0(_t118, _v72, _t94);
    								}
    								goto L12;
    							} else {
    								__eflags = _t90 - 0x55;
    								if(_t90 == 0x55) {
    									L41:
    									_v56 = (_v56 & 0x000000ff) - 1;
    									 *0x10665dc = 0;
    									continue;
    								}
    								__eflags = _t90 - 0x4b2;
    								if(_t90 != 0x4b2) {
    									continue;
    								}
    								goto L41;
    							}
    						}
    						goto L45;
    					}
    					goto L12;
    				} else {
    					_t138 = _t149;
    					_t163 =  *_t149;
    					L3:
    					_v60 = _t65;
    					if(_t163 != 0) {
    						_t65 = _t138;
    						_t138 =  &(_t138[1]);
    						__eflags =  *_t138;
    						goto L3;
    					}
    					L4:
    					while(_t65 > _t149 && iswspace( *_t65 & 0x0000ffff) != 0) {
    						_t109 = _v60;
    						 *_t109 = 0;
    						_t65 = _t109 - 2;
    						_v60 = _t65;
    					}
    					goto L6;
    				}
    			}


























































    APIs
      • Part of subcall function 0103BC30: wcschr.MSVCRT ref: 0103BCA7
      • Part of subcall function 0103BC30: iswspace.MSVCRT ref: 0103BD1D
      • Part of subcall function 0103BC30: wcschr.MSVCRT ref: 0103BD39
      • Part of subcall function 0103BC30: wcschr.MSVCRT ref: 0103BD5D
    • iswspace.MSVCRT ref: 010361E4
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: wcschr$iswspace
    • String ID:
    • API String ID: 3458554142-0
    • Opcode ID: 2e92186c9372df546a028e78249c23673c1d600bebdf67cce13350a6b3226193
    • Instruction ID: f70b84b2ecaacddb700e34dcab09598a04cf926a838c65d2c39a2047916fd5a9
    • Opcode Fuzzy Hash: 2e92186c9372df546a028e78249c23673c1d600bebdf67cce13350a6b3226193
    • Instruction Fuzzy Hash: FB91D2B0A00204EFDB25DF69E845AAE77F8FF88304F04816EE886E7294EB765540CB55
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 39%
    			E0103A6A0(void* __eax) {
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				short _t27;
    				short _t28;
    				signed int _t30;
    				intOrPtr* _t33;
    				intOrPtr _t34;
    				signed int _t37;
    				signed int _t39;
    				signed int _t41;
    				signed int _t42;
    				signed int _t45;
    				signed int _t48;
    				signed int _t49;
    				signed int _t50;
    				signed int _t51;
    				signed int _t53;
    				signed int _t55;
    				void* _t59;
    				signed int _t60;
    				void* _t65;
    				void* _t68;
    				signed int _t73;
    				signed int _t76;
    				signed int _t77;
    				void* _t81;
    				signed int _t86;
    				void* _t88;
    				void* _t91;
    				signed int _t92;
    				signed int _t95;
    				signed int _t97;
    				signed int _t99;
    				void* _t102;
    				intOrPtr* _t103;
    				signed int _t105;
    				signed int _t107;
    				void* _t109;
    				void* _t110;
    				void* _t111;
    				void* _t112;
    				void* _t114;
    				void* _t116;
    
    				_t60 = 0;
    				_t92 = 0;
    				__imp___wcsicmp(L"IF/?", 0x1074af0, _t91, _t102, _t59);
    				_t117 = __eax;
    				if(__eax == 0) {
    					 *0x1074af4 = 0;
    					_t92 = 1;
    				}
    				_t65 = 0x2c;
    				_t103 = E0103BB90(_t60, _t65, _t92, _t102, _t117);
    				if(_t92 != 0) {
    					_t27 = 0x2f;
    					 *0x1074af0 = _t27;
    					_t28 = 0x3f;
    					 *0x1074af2 = _t28;
    					 *0x1074af4 = 0;
    				} else {
    					E0103CC70(0);
    				}
    				_t86 = 0x2c;
    				_t30 = E01039907(_t60, _t86, _t92, 0);
    				if(_t30 != 0) {
    					 *_t103 = 0x3c;
    					 *(_t103 + 0x38) = _t60;
    					goto L13;
    				} else {
    					_t95 = _t60;
    					if( *0x1066755 == _t60) {
    						L6:
    						_t86 = 0;
    						E0103CF10(_t30, 0, 0, _t60);
    					} else {
    						__imp___wcsicmp(0x1074af0, L"/I");
    						if(_t30 == 0) {
    							_t95 = 1;
    						} else {
    							goto L6;
    						}
    					}
    					_t33 = E01040444(0);
    					 *((intOrPtr*)(_t103 + 0x3c)) = _t33;
    					if(_t33 != 0 && _t95 != 0) {
    						__eflags =  *_t33 - 0x38;
    						if( *_t33 == 0x38) {
    							_t33 =  *((intOrPtr*)(_t33 + 0x3c));
    						}
    						 *((intOrPtr*)(_t33 + 0x40)) = 2;
    					}
    					_t68 = 0x2c;
    					_t34 = E0103A8C4(_t60, _t68);
    					 *((intOrPtr*)(_t103 + 0x40)) = _t34;
    					if(_t34 == 0) {
    						E01058959(_t34, _t68);
    					}
    					if( *((intOrPtr*)( *0x10665cc)) == _t60) {
    						L13:
    						return _t103;
    					} else {
    						_t37 = E0103CC70(0);
    						__imp___wcsicmp(L"ELSE", 0x1074af0);
    						if(_t37 == 0) {
    							_t72 =  *0x10666fc +  *0x10666fc;
    							_t39 = E0103DCD0( *0x10666fc +  *0x10666fc);
    							__eflags = _t39;
    							if(_t39 == 0) {
    								E01059922();
    								__imp__longjmp(0x1070a30, 1);
    								asm("int3");
    								while(1) {
    									__eflags = 0x1074af0 - 0x2c;
    									if(0x1074af0 != 0x2c) {
    										break;
    									}
    									__eflags =  *((short*)(_t86 + 6));
    									if( *((short*)(_t86 + 6)) != 0) {
    										do {
    											_t73 = _t86;
    											_t12 = _t73 + 2; // 0x2
    											_t109 = _t12;
    											do {
    												_t48 =  *_t73;
    												_t73 = _t73 + 2;
    												__eflags = _t48;
    											} while (_t48 != 0);
    											_t86 = _t86 + (_t73 - _t109 >> 1) * 2 + 2;
    											__eflags =  *_t86 - _t48;
    											if( *_t86 == _t48) {
    												L27:
    												_t49 =  *_t86 & 0x0000ffff;
    												_t72 = _t49;
    												__eflags = _t49;
    												if(_t49 != 0) {
    													__eflags = _t72 - 0x2f;
    													if(_t72 == 0x2f) {
    														goto L30;
    													} else {
    														__eflags = 0x1074af0 - 9;
    														if(0x1074af0 == 9) {
    															goto L28;
    														} else {
    															_t50 = _t86;
    															_t8 = _t50 + 2; // 0x2
    															_t110 = _t8;
    															do {
    																_t76 =  *_t50;
    																_t50 = _t50 + 2;
    																__eflags = _t76;
    															} while (_t76 != 0);
    															_t51 = _t50 - _t110;
    															__eflags = _t51;
    															_t88 = _t86 + (_t51 >> 1) * 2;
    															goto L26;
    														}
    													}
    												} else {
    													L28:
    													_t42 = 0;
    													__eflags = 0;
    												}
    												goto L29;
    											} else {
    												_t77 = _t86;
    												_t15 = _t77 + 2; // 0x0
    												_t111 = _t15;
    												do {
    													_t53 =  *_t77;
    													_t77 = _t77 + 2;
    													__eflags = _t53;
    												} while (_t53 != 0);
    												_t88 = _t86 + (_t77 - _t111 >> 1) * 2;
    												L26:
    												_t86 = _t88 + 2;
    												__eflags = _t86;
    												goto L27;
    											}
    											goto L62;
    											L30:
    											__eflags =  *((short*)(_t86 + 4)) - 0x3f;
    										} while ( *((short*)(_t86 + 4)) != 0x3f);
    										continue;
    									} else {
    										break;
    									}
    									L29:
    									return _t42;
    									goto L62;
    								}
    								__eflags = _t60;
    								if(_t60 != 0) {
    									L47:
    									_t41 =  *(_t112 - 4);
    								} else {
    									__eflags =  *0x1066755 - _t60;
    									if( *0x1066755 == _t60) {
    										goto L47;
    									} else {
    										_t60 =  *(_t112 - 4);
    										_t41 = 0;
    									}
    								}
    								_t97 = _t60;
    								_t105 = _t60;
    								__eflags = _t60;
    								if(_t60 == 0) {
    									_t60 = 0x234a;
    								}
    								asm("sbb edi, edi");
    								_t99 =  ~_t97 &  *(_t112 - 8);
    								asm("sbb esi, esi");
    								_t107 =  ~_t105 & _t41;
    								__eflags =  *(_t112 + 8);
    								if(__eflags == 0) {
    									 *0x1079500 = _t60;
    								} else {
    									E01059A0E(_t86, __eflags);
    									__eflags =  *0x106259c;
    									if( *0x106259c == 0) {
    										_push(0);
    										_push(_t60);
    										E010363BD(_t72);
    										_t116 = _t114 + 8;
    										__eflags =  *0x1066755;
    										if( *0x1066755 != 0) {
    											__eflags = _t107;
    											if(_t107 == 0) {
    												L56:
    												__eflags =  *0x106259c;
    												if( *0x106259c == 0) {
    													while(1) {
    														_t45 = _t99;
    														_t99 = _t99 - 1;
    														__eflags = _t45;
    														if(_t45 == 0) {
    															goto L59;
    														}
    														_t107 = _t107 + 1;
    														_push(0);
    														_push(_t107);
    														E010363BD(_t72);
    														_t116 = _t116 + 8;
    														__eflags =  *0x106259c;
    														if( *0x106259c == 0) {
    															continue;
    														}
    														goto L59;
    													}
    												}
    											} else {
    												__eflags =  *0x106259c;
    												if( *0x106259c == 0) {
    													_push(0);
    													_push(_t107);
    													E010363BD(_t72);
    													_t116 = _t116 + 8;
    													goto L56;
    												}
    											}
    										}
    									}
    									L59:
    									 *0x107905b = 0;
    									 *0x107950c = 0;
    								}
    								_t42 = 1;
    								goto L29;
    							} else {
    								 *(_t103 + 0x44) = _t39;
    								E0103F3A0(_t39,  *0x10666fc, 0x1074af0);
    								_t81 = 0x2c;
    								_t55 = E0103A8C4(_t60, _t81);
    								 *(_t103 + 0x48) = _t55;
    								__eflags = _t55;
    								if(_t55 == 0) {
    									E01058959(_t55, _t81);
    								}
    								goto L13;
    							}
    						} else {
    							E0103CF10(_t37, 0, 0, _t60);
    							goto L13;
    						}
    					}
    				}
    				L62:
    			}
















































    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: _wcsicmp
    • String ID: ELSE$IF/?
    • API String ID: 2081463915-1134991328
    • Opcode ID: 7b2f5a1e6226b91e1b2b01c358c0aae1c646f37a7e4679832b08dc202c29d055
    • Instruction ID: da0bb170d0af308af594b5be3ef4783257e6072d468fb54ad8b67c0ea725a4ed
    • Opcode Fuzzy Hash: 7b2f5a1e6226b91e1b2b01c358c0aae1c646f37a7e4679832b08dc202c29d055
    • Instruction Fuzzy Hash: F6512772704342EBF771AB3AA889B6A37E8ABD4220F04447ED5C3DB180EB76C841C755
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 61%
    			E01059A7D(void* __ecx, intOrPtr __edx) {
    				intOrPtr _v8;
    				signed int _v16;
    				short _v18;
    				short _v20;
    				short _v22;
    				char _v24;
    				int _v36;
    				char _v40;
    				signed int _v44;
    				void _v564;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t44;
    				short _t55;
    				short _t57;
    				void* _t62;
    				void* _t63;
    				WCHAR* _t65;
    				int _t66;
    				signed int _t68;
    				short* _t79;
    				void* _t80;
    				short _t81;
    				int _t93;
    				void* _t94;
    				void* _t96;
    				WCHAR* _t97;
    				void* _t98;
    				signed int _t103;
    
    				_t90 = __edx;
    				_t75 = _t103;
    				_push(__ecx);
    				_push(__ecx);
    				_v8 =  *((intOrPtr*)(_t103 + 4));
    				_t101 = (_t103 & 0xfffffff8) + 4;
    				_t44 =  *0x105e0b4; // 0x6030efd1
    				_v16 = _t44 ^ (_t103 & 0xfffffff8) + 0x00000004;
    				_v40 = 1;
    				_t93 = 0;
    				_v36 = 0x104;
    				_v44 = _v44 & 0;
    				_t96 = __ecx;
    				memset( &_v564, 0, 0x104);
    				if(E0103E3F0(((0 | _v40 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) >= 0) {
    					_t55 = 0x3d;
    					_v24 = _t55;
    					_v22 = _t96 + 0x40;
    					_t57 = 0x3a;
    					_v20 = _t57;
    					_v18 = 0;
    					_t97 = E0103EC2E( &_v24);
    					if(_t97 == 0) {
    						L5:
    						_t79 = _v44;
    						if(_t79 == 0) {
    							_t79 =  &_v564;
    						}
    						 *_t79 = _v22;
    						_t80 = _v44;
    						if(_t80 == 0) {
    							_t80 =  &_v564;
    						}
    						 *((short*)(_t80 + 2)) = _v20;
    						_t62 = _v44;
    						if(_t62 == 0) {
    							_t62 =  &_v564;
    						}
    						_t81 = 0x5c;
    						 *((short*)(_t62 + 4)) = _t81;
    						_t63 = _v44;
    						if(_t63 == 0) {
    							_t63 =  &_v564;
    						}
    						 *((short*)(_t63 + 6)) = 0;
    						_t91 = _v44;
    						if(_v44 == 0) {
    							_t91 =  &_v564;
    						}
    						_t83 =  &_v24;
    						E0103A976( &_v24, _t91);
    						_t65 = _v44;
    						if(_t65 == 0) {
    							_t65 =  &_v564;
    						}
    						_t66 = SetCurrentDirectoryW(_t65);
    						if(_t66 == 0) {
    							_push(_t66);
    							_push(GetLastError());
    							E010378E4(_t83);
    						}
    						if(_t97 != 0) {
    							SetErrorMode(_t93);
    						}
    						L21:
    						_t84 =  *0x1078df8;
    						if( *0x1078df8 == 0) {
    							_t84 = 0x1078bf0;
    						}
    						_t90 =  *0x1078e00;
    						E01038E9E(_t75, _t84,  *0x1078e00, 0);
    						_t68 = _v44;
    						_v44 = _v44 & 0x00000000;
    						L24:
    						if(_t68 != 0) {
    							__imp__??_V@YAXPAX@Z(_t68);
    						}
    						_pop(_t94);
    						_pop(_t98);
    						return E01046B30(_t68, _t75, _v16 ^ _t101, _t90, _t94, _t98);
    					}
    					if(SetCurrentDirectoryW(_t97) != 0) {
    						goto L21;
    					}
    					_t93 = SetErrorMode(1);
    					goto L5;
    				}
    				_t68 = _v44;
    				_v44 = _v44 & 0;
    				goto L24;
    			}

    APIs
    • memset.MSVCRT ref: 01059AC2
      • Part of subcall function 0103E3F0: memset.MSVCRT ref: 0103E455
    • SetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,-00000105,?,00000000,?), ref: 01059B22
    • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?,00000000,?), ref: 01059B32
    • SetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,-00000105,?,00000000,?), ref: 01059BAD
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,?), ref: 01059BB8
    • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,?), ref: 01059BCB
    • ??_V@YAXPAX@Z.MSVCRT ref: 01059BF9
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: Error$CurrentDirectoryModememset$Last
    • String ID:
    • API String ID: 1725644760-0
    • Opcode ID: 3c64e684477c06280b368ee9a211e1fbfe7f08591f4010e6883eebfa6da50c53
    • Instruction ID: a3af12788631da0cab0377c73705a8b3d0360c34d4b4e3ac101cd832c8c015d4
    • Opcode Fuzzy Hash: 3c64e684477c06280b368ee9a211e1fbfe7f08591f4010e6883eebfa6da50c53
    • Instruction Fuzzy Hash: 79419F31E00219DBEF65DBA8D884BEEB7B8EF48314F048199E945E7240EB399940CB55
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 37%
    			E0105B701(char __eax, signed char __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, char _a16, char _a20, intOrPtr* _a24) {
    				char _v8;
    				char _v12;
    				char _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				char _v48;
    				intOrPtr _v52;
    				intOrPtr _v56;
    				intOrPtr _v60;
    				intOrPtr _v64;
    				void* _v72;
    				void _v76;
    				char _v80;
    				void* _t43;
    				intOrPtr _t51;
    				signed char _t53;
    				int _t61;
    				char _t62;
    
    				_t53 = __ecx;
    				_v20 = __edx;
    				_t61 = 0;
    				_v12 = __ecx;
    				__imp__RoInitialize(0);
    				_t62 = __eax;
    				_t65 = __eax;
    				if(__eax < 0) {
    					L12:
    					return _t61;
    				}
    				_v8 = 0;
    				__imp__GetConsoleWindow();
    				_v16 = __eax;
    				E0105B8B0( &_v8);
    				if(E0105B5F1( &_v8,  &_v16, _t65,  &_a16,  &_a20,  &_v12) >= 0) {
    					E01038235();
    					_v80 = 0x3c;
    					_t43 = memset( &_v76, 0, 0x38);
    					_v76 = 0x8008140;
    					if((_t53 & 0x00000010) != 0) {
    						_v76 = 0x8000140;
    					}
    					__imp__GetConsoleWindow();
    					_v72 = _t43;
    					_v64 = _v20;
    					_v60 = _a4;
    					_v56 = _a8;
    					_v52 = _a12;
    					_v48 = _v8;
    					_t61 =  *0x107d040( &_v80);
    					if(_t61 == 0) {
    						_t51 = _v48;
    						__eflags = _t51;
    						if(_t51 != 0) {
    							 *0x10667a8 = 2;
    							__eflags = _t51 - 0x20;
    							if(_t51 != 0x20) {
    								 *0x10667a8 = _t51;
    							}
    						} else {
    							 *0x10667a8 = 8;
    						}
    					} else {
    						 *_a24 = _v24;
    					}
    				}
    				E0105B8B0( &_v8);
    				if(_t62 >= 0) {
    					__imp__RoUninitialize();
    				}
    				goto L12;
    			}

    APIs
    • RoInitialize.API-MS-WIN-CORE-WINRT-L1-1-0(00000000,00000000,00000000,00000001), ref: 0105B717
    • GetConsoleWindow.API-MS-WIN-CORE-KERNEL32-LEGACY-L1-1-0 ref: 0105B72A
    • RoUninitialize.API-MS-WIN-CORE-WINRT-L1-1-0(?,?,?), ref: 0105B7FC
      • Part of subcall function 01038235: _get_osfhandle.MSVCRT ref: 0103824E
      • Part of subcall function 01038235: SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 01038256
      • Part of subcall function 01038235: _get_osfhandle.MSVCRT ref: 01038264
      • Part of subcall function 01038235: SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 0103826C
    • memset.MSVCRT ref: 0105B76D
    • GetConsoleWindow.API-MS-WIN-CORE-KERNEL32-LEGACY-L1-1-0(?,?,?), ref: 0105B788
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: Console$ModeWindow_get_osfhandle$InitializeUninitializememset
    • String ID: <
    • API String ID: 1664749912-4251816714
    • Opcode ID: 355b3e612d2faf23cc6d6cec3a64a1d3122082e43762d45e85d447c61df0c10a
    • Instruction ID: cf9869f5dcf95d848cf8fd0595c663fea0f45573ded45a5c54c21574c49108b9
    • Opcode Fuzzy Hash: 355b3e612d2faf23cc6d6cec3a64a1d3122082e43762d45e85d447c61df0c10a
    • Instruction Fuzzy Hash: 4331F9B5D0020DAFDB51DFA9D484AEEBBF9BF44340F144066ED45A3340E735AA45CB60
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 91%
    			E010381EC(void* __ecx) {
    				long _v8;
    				int _t8;
    				void* _t18;
    
    				_push(__ecx);
    				_v8 = _v8 | 0xffffffff;
    				_t18 = __ecx;
    				 *0x105e0d3 = 0;
    				WaitForSingleObject(__ecx, 0xffffffff);
    				_t8 = GetExitCodeProcess(_t18,  &_v8);
    				if(_v8 == 0xc000013a) {
    					EnterCriticalSection( *0x10625a4);
    					 *0x106259c = 1;
    					LeaveCriticalSection( *0x10625a4);
    					fflush(E0104727B(fprintf(E0104727B(_t8, 2), "^C"), 2));
    				}
    				 *0x105e0d3 = 1;
    				CloseHandle(_t18);
    				return _v8;
    			}

    APIs
    • WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,000000FF,?,?,?,01057FC9,?,010599AE,00000000,?,00000000,0104CF94,00000000,?), ref: 01038203
    • GetExitCodeProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,000000FF,?,01057FC9,?,010599AE,00000000,?,00000000,0104CF94,00000000,?), ref: 0103820E
    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,01057FC9,?,010599AE,00000000,?,00000000,0104CF94,00000000,?), ref: 01038229
    • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,01057FC9,?,010599AE,00000000,?,00000000,0104CF94,00000000,?), ref: 0104B0AB
    • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,01057FC9,?,010599AE,00000000,?,00000000,0104CF94,00000000,?), ref: 0104B0C1
    • fprintf.MSVCRT ref: 0104B0D5
    • fflush.MSVCRT ref: 0104B0E3
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: CriticalSection$CloseCodeEnterExitHandleLeaveObjectProcessSingleWaitfflushfprintf
    • String ID:
    • API String ID: 4271573189-0
    • Opcode ID: ffbd0f41e5c25853803673ec11cc396c93e3482c6f15b805c3189a54debbd26c
    • Instruction ID: e432a632ad075c9a52bd1939cf04069280d3d3cd4c29753d4c943496e7c85506
    • Opcode Fuzzy Hash: ffbd0f41e5c25853803673ec11cc396c93e3482c6f15b805c3189a54debbd26c
    • Instruction Fuzzy Hash: C7018F70905214EFDB206BA8EE0EA8E7A6CAB05325F144254F1D1A21A9CBBF46419B61
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 85%
    			E01043CD0(void* __ecx, signed int __edx) {
    				intOrPtr _v8;
    				signed int _v16;
    				long _v28;
    				char _v32;
    				LPWSTR* _v36;
    				void _v556;
    				signed short _v560;
    				signed short** _v564;
    				LPWSTR* _v568;
    				WCHAR* _v572;
    				LPWSTR* _v576;
    				signed int _v580;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t149;
    				signed short** _t164;
    				intOrPtr _t168;
    				signed short _t169;
    				intOrPtr _t171;
    				intOrPtr _t173;
    				signed int _t179;
    				void* _t182;
    				signed short** _t186;
    				void* _t189;
    				void* _t190;
    				intOrPtr _t191;
    				void* _t193;
    				signed int _t197;
    				void* _t198;
    				signed short _t200;
    				intOrPtr _t202;
    				void* _t208;
    				void* _t210;
    				void* _t212;
    				signed short _t214;
    				void* _t216;
    				WCHAR* _t224;
    				signed short* _t228;
    				intOrPtr* _t230;
    				void* _t232;
    				intOrPtr _t234;
    				signed short* _t239;
    				signed int _t240;
    				LPWSTR* _t244;
    				intOrPtr* _t249;
    				short* _t252;
    				void* _t253;
    				intOrPtr* _t254;
    				signed int _t261;
    				signed int _t264;
    				void* _t267;
    				signed int _t268;
    				signed short* _t271;
    				signed short* _t272;
    				intOrPtr* _t274;
    				signed int _t278;
    				signed int _t281;
    				signed short* _t285;
    				signed int _t287;
    				void* _t292;
    				signed int _t293;
    				void* _t296;
    				short* _t297;
    				void* _t302;
    				short _t303;
    				intOrPtr* _t304;
    				signed int _t307;
    				signed short* _t308;
    				signed short _t314;
    				void* _t315;
    				intOrPtr* _t317;
    				signed short* _t321;
    				intOrPtr* _t324;
    				void* _t325;
    				void* _t326;
    				WCHAR* _t327;
    				void* _t328;
    				void* _t329;
    				void* _t331;
    				LPWSTR* _t333;
    				void* _t334;
    				intOrPtr* _t336;
    				intOrPtr* _t337;
    				short* _t340;
    				void* _t341;
    				intOrPtr* _t342;
    				signed int _t344;
    				signed int _t349;
    
    				_t300 = __edx;
    				_t240 = _t349;
    				_push(__ecx);
    				_push(__ecx);
    				_v8 =  *((intOrPtr*)(_t240 + 4));
    				_t347 = (_t349 & 0xfffffff8) + 4;
    				_t149 =  *0x105e0b4; // 0x6030efd1
    				_v16 = _t149 ^ (_t349 & 0xfffffff8) + 0x00000004;
    				_t324 =  *((intOrPtr*)(_t240 + 8));
    				_t331 = __ecx;
    				_v28 = 0x104;
    				_v580 = __edx;
    				_v572 = _t324;
    				_v568 = 0;
    				_v576 = 0;
    				_v36 = 0;
    				_v32 = 1;
    				memset( &_v556, 0, 0x104);
    				if(E0103E3F0(((0 | _v32 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
    					_t333 = 1;
    					L25:
    					_t244 = _v36;
    					_v36 = 0;
    					if(_t244 != 0) {
    						__imp__??_V@YAXPAX@Z(_t244);
    					}
    					_pop(_t325);
    					_pop(_t334);
    					return E01046B30(_t333, _t240, _v16 ^ _t347, _t300, _t325, _t334);
    				}
    				_t164 =  *(_v580 + 0x20);
    				_v564 = _t164;
    				if(_t164 == 0) {
    					_t165 =  *0x1078df8;
    					if( *0x1078df8 == 0) {
    						_t165 = 0x1078bf0;
    					}
    					E0103F3A0(_t324,  *(_t240 + 0xc), _t165);
    					_t249 = _t324;
    					_v560 = 0;
    					_t326 = 2;
    					_t302 = _t249 + 2;
    					do {
    						_t168 =  *_t249;
    						_t249 = _t249 + _t326;
    					} while (_t168 != _v568);
    					_t169 = _v572;
    					_t303 = 0x5c;
    					_t252 = _t169 + (_t249 - _t302 >> 1) * 2;
    					if(_t169 >= _t252) {
    						L40:
    						 *_t252 = _t303;
    						 *((short*)(_t252 + 2)) = 0;
    						L41:
    						if(( *(_t331 + 0x1c) & 0x00000200) == 0) {
    							L56:
    							_t304 = _v572;
    							_t253 = _t304 + 2;
    							do {
    								_t171 =  *_t304;
    								_t304 = _t304 + _t326;
    							} while (_t171 != _v568);
    							_t300 = _t304 - _t253 >> 1;
    							_t336 =  *((intOrPtr*)(_t331 + 0x18)) + 0x2c;
    							_t254 = _t336;
    							_v560 = _t254 + 2;
    							do {
    								_t173 =  *_t254;
    								_t254 = _t254 + _t326;
    							} while (_t173 != _v568);
    							_t327 = _v572;
    							if(_t300 + 1 + (_t254 - _v560 >> 1) > 0x7fe7) {
    								L55:
    								_t337 = _v564;
    								L91:
    								_v576 = 1;
    								L20:
    								if( *((intOrPtr*)(_t240 + 0x10)) == 0) {
    									L24:
    									_t333 = _v576;
    									goto L25;
    								}
    								if(_t337 == 0 || ( *(_t337 + 0x1c) & 0x00002000) == 0) {
    									if(( *(_v580 + 0x1c) & 0x00002000) != 0) {
    										goto L92;
    									}
    								} else {
    									L92:
    									_t328 = CreateFileW(_t327, 0x80000000, 1, 0, 3, 0x80, 0);
    									if(_t328 != 0xffffffff) {
    										_t179 = GetFileType(_t328);
    										CloseHandle(_t328);
    										if((_t179 & 0xffff7fff) == 1) {
    											_t340 = _v572;
    											_t300 = 0x400023d3;
    											_t182 = E01059C2E(_t340, 0x400023d3, 0x400023d4);
    											if(_t182 == 0) {
    												 *_t340 = 0;
    											} else {
    												if(_t182 == 0) {
    													_t186 = _v564;
    													if(_t186 == 0) {
    														_t186 = _v580;
    													}
    													 *(_t186 + 0x1c) =  *(_t186 + 0x1c) & 0xffffdfff;
    												}
    											}
    										}
    									}
    								}
    								goto L24;
    							}
    							_push(_t336);
    							L82:
    							_t300 =  *(_t240 + 0xc);
    							E0103FC40(_t327,  *(_t240 + 0xc));
    							_t337 = _v564;
    							goto L20;
    						}
    						_t300 =  *((intOrPtr*)(_t331 + 0x18)) + 0x234;
    						_t261 = _t300;
    						_v560 = _t261 + 2;
    						do {
    							_t189 =  *_t261;
    							_t261 = _t261 + _t326;
    						} while (_t189 != _v568);
    						if(_t261 == _v560) {
    							goto L56;
    						}
    						_t264 = _t300;
    						_t341 = _t264 + 2;
    						do {
    							_t190 =  *_t264;
    							_t264 = _t264 + _t326;
    						} while (_t190 != _v568);
    						if(_t264 == _t341) {
    							L54:
    							_t327 = _v572;
    							goto L55;
    						}
    						_t342 = _v572;
    						_t267 = _t342 + 2;
    						do {
    							_t191 =  *_t342;
    							_t342 = _t342 + _t326;
    						} while (_t191 != _v568);
    						_t268 = _t300;
    						_t344 = _t342 - _t267 >> 1;
    						_v560 = _t268 + 2;
    						do {
    							_t193 =  *_t268;
    							_t268 = _t268 + _t326;
    						} while (_t193 != _v568);
    						if(_t344 + 1 + (_t268 - _v560 >> 1) > 0x7fe7) {
    							goto L54;
    						}
    						_t327 = _v572;
    						_push(_t300);
    						goto L82;
    					} else {
    						goto L35;
    					}
    					do {
    						L35:
    						if( *_t169 == _t303) {
    							_v560 = _t169;
    						}
    						_t169 = _t169 + _t326;
    					} while (_t169 < _t252);
    					if(_v560 == 0 || _v560 < _t252 - 2) {
    						goto L40;
    					} else {
    						goto L41;
    					}
    				}
    				_t271 =  *_t164;
    				_t329 = 2;
    				_t197 =  *_t271 & 0x0000ffff;
    				_t307 = _t197;
    				_v560 = _t307;
    				if(_t197 == 0) {
    					L6:
    					_t198 = 0x3a;
    					if(_t307 == _t198) {
    						if(( *(_t331 + 0x1c) & 0x00000200) == 0) {
    							L75:
    							_t308 =  *_v564;
    							_t272 =  &(_t308[1]);
    							do {
    								_t200 =  *_t308;
    								_t308 = _t308 + _t329;
    							} while (_t200 != _v568);
    							_t300 = _t308 - _t272 >> 1;
    							_t274 =  *((intOrPtr*)(_t331 + 0x18)) + 0x2c;
    							_v560 = _t274 + 2;
    							do {
    								_t202 =  *_t274;
    								_t274 = _t274 + _t329;
    							} while (_t202 != _v568);
    							_t327 = _v572;
    							if(_t300 + 1 + (_t274 - _v560 >> 1) > 0x7fe7) {
    								goto L55;
    							}
    							E0103F3A0(_t327,  *(_t240 + 0xc),  *_v564);
    							_t208 =  *((intOrPtr*)(_t331 + 0x18)) + 0x2c;
    							L81:
    							_push(_t208);
    							goto L82;
    						}
    						_t300 =  *((intOrPtr*)(_t331 + 0x18)) + 0x234;
    						_t278 = _t300;
    						_v560 = _t278 + 2;
    						do {
    							_t210 =  *_t278;
    							_t278 = _t278 + _t329;
    						} while (_t210 != _v568);
    						if(_t278 == _v560) {
    							goto L75;
    						}
    						_t281 = _t300;
    						_v560 = _t281 + 2;
    						do {
    							_t212 =  *_t281;
    							_t281 = _t281 + _t329;
    						} while (_t212 != _v568);
    						if(_t281 == _v560) {
    							goto L54;
    						}
    						_t285 =  *_v564;
    						_v560 =  &(_t285[1]);
    						do {
    							_t214 =  *_t285;
    							_t285 = _t285 + _t329;
    						} while (_t214 != _v568);
    						_t287 = _t285 - _v560 >> 1;
    						_v560 = _t300 + 2;
    						do {
    							_t216 =  *_t300;
    							_t300 = _t300 + _t329;
    						} while (_t216 != _v568);
    						if(_t287 + 1 + _t300 > 0x7fe7) {
    							goto L54;
    						}
    						_t327 = _v572;
    						E0103F3A0(_t327,  *(_t240 + 0xc),  *_v564);
    						_t208 =  *((intOrPtr*)(_t331 + 0x18)) + 0x234;
    						goto L81;
    					}
    					if( *((intOrPtr*)(_t240 + 0x10)) == 0) {
    						L17:
    						_t337 = _v564;
    						_t327 = _v572;
    						_t300 =  *(_t240 + 0xc);
    						if(E01043719(_t327,  *(_t240 + 0xc),  *_t337,  *((intOrPtr*)(_t331 + 4))) != 0) {
    							E01059EDB(_t222);
    							_v576 = 1;
    						}
    						_t224 = _v36;
    						if(_t224 == 0) {
    							_t224 =  &_v556;
    						}
    						if(GetFullPathNameW(_t327, _v28, _t224, 0) > 0x7fe7) {
    							_t292 = 0x6f;
    							E01059EDB(_t292);
    							goto L91;
    						} else {
    							goto L20;
    						}
    					}
    					_t314 = _v560;
    					_t293 = _t314 & 0x0000ffff;
    					_t228 =  *_v564;
    					if(_t314 == 0) {
    						L12:
    						if(_t293 != 0x2a) {
    							goto L17;
    						}
    						_t230 = E01044EA8( *_v564);
    						_t315 = 0x5c;
    						if( *_t230 != _t315) {
    							goto L17;
    						}
    						_t296 = E010401F5( *((intOrPtr*)(_t331 + 4)), _t315);
    						if(_t296 == 0) {
    							_t297 =  *((intOrPtr*)(_t331 + 4));
    							_t232 = 0x3a;
    							if( *((intOrPtr*)(_t297 + 2)) == _t232) {
    								_t297 = _t297 + 4;
    							}
    						} else {
    							_t297 = _t296 + _t329;
    						}
    						if(( *(_t331 + 0x1c) & 0x00000200) != 0) {
    							_t317 =  *((intOrPtr*)(_t331 + 0x18)) + 0x234;
    							_v560 = _t317 + 2;
    							do {
    								_t234 =  *_t317;
    								_t317 = _t317 + _t329;
    							} while (_t234 != _v568);
    							if(_t317 != _v560) {
    								 *_t297 = 0;
    								E0103FC40( *((intOrPtr*)(_t331 + 4)),  *((intOrPtr*)(_t331 + 8)),  *((intOrPtr*)(_t331 + 0x18)) + 0x234);
    							}
    						}
    						goto L17;
    					} else {
    						goto L10;
    						L10:
    						_t321 = _t228;
    						_t228 = _t228 + _t329;
    						if( *_t228 != 0) {
    							goto L10;
    						} else {
    							_t293 =  *_t321 & 0x0000ffff;
    							goto L12;
    						}
    					}
    				} else {
    					goto L4;
    					L4:
    					_t239 = _t271;
    					_t271 = _t271 + _t329;
    					if( *_t271 != 0) {
    						goto L4;
    					} else {
    						_t307 =  *_t239 & 0x0000ffff;
    						goto L6;
    					}
    				}
    			}

    APIs
    • memset.MSVCRT ref: 01043D30
      • Part of subcall function 0103E3F0: memset.MSVCRT ref: 0103E455
    • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00000000,?,?,-00000105,?,?,00000000), ref: 01043E3D
    • ??_V@YAXPAX@Z.MSVCRT ref: 01043E88
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: memset$FullNamePath
    • String ID:
    • API String ID: 3158150540-0
    • Opcode ID: 9bf8a146fcea680d93aa4e368e807e3f78b13ed06663ca97dec4aa6633306080
    • Instruction ID: 68a389566881e80dbf59f687eca9bc7a8e0fc5ef0441f2181fcfddbf56bca846
    • Opcode Fuzzy Hash: 9bf8a146fcea680d93aa4e368e807e3f78b13ed06663ca97dec4aa6633306080
    • Instruction Fuzzy Hash: 5202A475A011169BCB65EF6CD8946B9B3F1FF48310F0881F8D8869B295D734AE82CF54
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 54%
    			E0103AD60(long __ecx) {
    				intOrPtr _v8;
    				signed int _v12;
    				char _v20;
    				signed int _v32;
    				short _v564;
    				char _v576;
    				char* _v580;
    				char _v1100;
    				void* _v1104;
    				long _v1108;
    				intOrPtr _v1112;
    				signed int _v1116;
    				intOrPtr* _v1120;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				signed int _t65;
    				signed int _t66;
    				int _t70;
    				long _t73;
    				signed short* _t76;
    				signed short _t86;
    				intOrPtr* _t93;
    				short* _t94;
    				char* _t95;
    				intOrPtr _t98;
    				intOrPtr _t102;
    				wchar_t* _t103;
    				long _t106;
    				signed int _t107;
    				signed char _t111;
    				long _t112;
    				wchar_t* _t117;
    				int _t119;
    				void* _t121;
    				wchar_t* _t122;
    				signed short* _t133;
    				wchar_t* _t150;
    				signed int _t154;
    				signed int _t158;
    				long _t160;
    				void* _t161;
    				wchar_t* _t164;
    				signed int _t166;
    				void* _t168;
    				void* _t170;
    				signed int _t171;
    				intOrPtr _t172;
    				signed int _t173;
    				intOrPtr* _t174;
    				intOrPtr* _t175;
    				signed int _t177;
    				void* _t178;
    				signed int _t179;
    				void* _t180;
    				void* _t181;
    
    				_push(0xfffffffe);
    				_push(0x105c9f0);
    				_push(E01046E00);
    				_push( *[fs:0x0]);
    				_t181 = _t180 - 0x450;
    				_t65 =  *0x105e0b4; // 0x6030efd1
    				_v12 = _v12 ^ _t65;
    				_t66 = _t65 ^ _t179;
    				_v32 = _t66;
    				_push(_t66);
    				 *[fs:0x0] =  &_v20;
    				_t160 = __ecx;
    				_v1108 = __ecx;
    				_v1112 = 0;
    				GetConsoleTitleW( &_v564, 0x104);
    				if( *(_t160 + 0x38) == 0) {
    					L82:
    					_t70 = 1;
    					L44:
    					 *[fs:0x0] = _v20;
    					_pop(_t161);
    					_pop(_t170);
    					_pop(_t121);
    					return E01046B30(_t70, _t121, _v32 ^ _t179, _t156, _t161, _t170);
    				}
    				E01045A2E( &_v1100);
    				if(_v576 == 0) {
    					_t73 = 0x104;
    				} else {
    					_t73 = 0x7fe7;
    				}
    				if(E0103E3F0(_t73) < 0) {
    					L81:
    					E010461E6( &_v1100);
    					goto L82;
    				} else {
    					_t76 =  *(_t160 + 0x38);
    					if(_t76[1] == 0x3a) {
    						_t132 =  *_t76;
    						if(E01040B12( *_t76) == 0) {
    							_push(0);
    							_push(0xf);
    							L79:
    							E010378E4(_t132);
    							L80:
    							goto L81;
    						}
    						_t132 =  *( *(_t160 + 0x38));
    						if(E01037F47( *( *(_t160 + 0x38))) != 0) {
    							_push(0);
    							_push(GetLastError());
    							goto L79;
    						}
    						_t171 = towupper( *( *(_t160 + 0x38)) & 0x0000ffff) - 0x00000040 & 0x0000ffff;
    						_t133 =  *(_t160 + 0x38);
    						_t55 =  &(_t133[1]); // 0x2
    						_t156 = _t55;
    						do {
    							_t86 =  *_t133;
    							_t133 =  &(_t133[1]);
    						} while (_t86 != 0);
    						if(_t133 - _t156 >> 1 == 2) {
    							E01059A7D(_t171, _t156);
    							L85:
    							E010461E6( &_v1100);
    							_t70 = 0;
    							goto L44;
    						}
    						L66:
    						_t172 = E010421EE(_t160);
    						L43:
    						E010461E6( &_v1100);
    						_t70 = _t172;
    						goto L44;
    					}
    					_t156 =  &_v1104;
    					_t173 = E0103E950(_t160,  &_v1104);
    					_v1116 = _t173;
    					if(_t173 == 0xffffffff) {
    						goto L66;
    					}
    					if(_t173 == 0xfffffffe) {
    						goto L81;
    					}
    					_t93 =  *((intOrPtr*)(0x1031684 + (_t173 + _t173 * 2) * 8));
    					_v1120 = _t93;
    					if(_t93 == 0) {
    						goto L85;
    					}
    					_t94 = _v580;
    					if(_t94 == 0) {
    						_t94 =  &_v1100;
    					}
    					 *_t94 = 0x2f;
    					_t95 = _v580;
    					if(_t95 == 0) {
    						_t95 =  &_v1100;
    					}
    					 *((short*)(_t95 + 2)) = 0;
    					if(_v580 == 0) {
    						_t156 =  &_v1100;
    					}
    					_push(2);
    					_t122 = E0103BC30( *((intOrPtr*)(_t160 + 0x3c)), _t156);
    					if(_t173 == 0xa) {
    						if(_t122 == 0) {
    							goto L12;
    						}
    						_t119 = wcsncmp(_t122, "/", 4);
    						_t181 = _t181 + 0xc;
    						if(_t119 != 0) {
    							goto L14;
    						}
    						goto L12;
    					} else {
    						L12:
    						if(_t173 == 0x1f) {
    							L14:
    							if(_t122 == 0) {
    								L34:
    								if(E0103B1B0(_t160) != 0) {
    									E0103AD26(_t97, _t97);
    								}
    								_v8 = 0;
    								_t174 = _v1120;
    								_push(_t160);
    								if(_t174 == E0103AA50) {
    									_t98 = E0103AA50();
    								} else {
    									if(_t174 == E0103C6C0) {
    										_t98 = E0103C6C0(_t122, _t160);
    									} else {
    										if(_t174 == E01039DC0) {
    											_t98 = E01039DC0();
    										} else {
    											if(_t174 != E01039770) {
    												if(_t174 == E01042940) {
    													_t98 = E01042940();
    												} else {
    													 *0x107a4c4();
    													_t98 =  *_t174();
    												}
    											} else {
    												_t98 = E01039770();
    											}
    										}
    									}
    								}
    								_t172 = _t98;
    								_v1112 = _t172;
    								_v8 = 0xfffffffe;
    								E0103B17B(_t98);
    								goto L43;
    							}
    							while( *_t122 != 0) {
    								do {
    									_t102 =  *_t175;
    									_t175 = _t175 + 2;
    								} while (_t102 != 0);
    								_t177 = _t175 - _t147 >> 1;
    								_t103 = wcschr(_t122, 0x22);
    								_t181 = _t181 + 8;
    								if(_t103 != 0) {
    									memset(0x10667d0, 0, 0x1000 << 2);
    									_t181 = _t181 + 0xc;
    									_t164 = _t122;
    									_t46 =  &(_t164[0]); // 0x2
    									_t147 = _t46;
    									do {
    										_t106 =  *_t164;
    										_t164 =  &(_t164[0]);
    									} while (_t106 != 0);
    									_t166 = _t164 - _t147 >> 1;
    									_t158 = 0;
    									_t107 = 0;
    									if(_t166 <= 0) {
    										L56:
    										_t156 = _t158 + _t158;
    										if(_t156 >= 0x4000) {
    											E01046C78(_t107, _t122, _t147, _t156, _t166, _t177);
    											goto L76;
    										}
    										_t156[0x4199f4] = 0;
    										_t156 = 0x10667d0;
    										goto L20;
    									}
    									do {
    										_t147 =  *(_t122 + _t107 * 2) & 0x0000ffff;
    										if(_t147 != 0x22) {
    											 *(0x10667d0 + _t158 * 2) = _t147;
    											_t158 = _t158 + 1;
    										}
    										_t107 = _t107 + 1;
    									} while (_t107 < _t166);
    									goto L56;
    								} else {
    									_t156 = _t122;
    									L20:
    									_t178 = _t177 + 1;
    									if(_t178 == 0 || _t178 > 0x7fffffff) {
    										if(_t178 != 0) {
    											 *_t122 = 0;
    										}
    										goto L28;
    									} else {
    										_t117 = _t122;
    										_t168 = 0x7ffffffe - _t178;
    										_t156 = _t156 - _t122;
    										while(_t168 + _t178 != 0) {
    											_t154 =  *(_t156 + _t117) & 0x0000ffff;
    											if(_t154 == 0) {
    												break;
    											}
    											 *_t117 = _t154;
    											_t117 =  &(_t117[0]);
    											_t178 = _t178 - 1;
    											if(_t178 != 0) {
    												continue;
    											}
    											break;
    										}
    										if(_t178 == 0) {
    											_t117 = _t117 - 2;
    										}
    										_t147 = 0;
    										 *_t117 = 0;
    										L28:
    										_t111 = _v1104;
    										if((_t111 & 0x00000001) != 0) {
    											if(_t122[0] != 0x3a) {
    												goto L29;
    											}
    											_t147 =  *_t122;
    											if(E01040B12( *_t122) == 0) {
    												L76:
    												_push(0);
    												_push(0xf);
    												L94:
    												E010378E4(_t147);
    												 *0x10665dc = 1;
    												goto L80;
    											}
    											if(_v1116 == 4) {
    												L72:
    												_t111 = _v1104;
    												goto L29;
    											}
    											_t147 =  *_t122;
    											if(E01037F47( *_t122) != 0) {
    												_push(0);
    												_push(GetLastError());
    												goto L94;
    											}
    											goto L72;
    										}
    										L29:
    										if((_t111 & 0x00000002) != 0) {
    											if( *_t122 != 0x2f) {
    												goto L30;
    											}
    											_push(0);
    											_push(0x232a);
    											goto L94;
    										}
    										L30:
    										_t150 = _t122;
    										_t34 =  &(_t150[0]); // 0x2
    										_t156 = _t34;
    										do {
    											_t112 =  *_t150;
    											_t150 =  &(_t150[0]);
    										} while (_t112 != 0);
    										_t122 = _t122 + (_t150 - _t156 >> 1) * 2 + 2;
    										if(_t122 != 0) {
    											continue;
    										}
    										break;
    									}
    								}
    							}
    							_t160 = _v1108;
    							goto L34;
    						}
    						_t156 = _t122;
    						if(E0103A800(_t173, _t122, 1) != 0) {
    							goto L81;
    						}
    						goto L14;
    					}
    				}
    			}

    APIs
    • GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(?,00000104,6030EFD1,00000001,?), ref: 0103ADB6
      • Part of subcall function 01045A2E: memset.MSVCRT ref: 01045A5A
      • Part of subcall function 0103E3F0: memset.MSVCRT ref: 0103E455
    • towupper.MSVCRT ref: 0103B0E3
      • Part of subcall function 0103E950: memset.MSVCRT ref: 0103E9A0
      • Part of subcall function 0103E950: wcschr.MSVCRT ref: 0103E9FC
      • Part of subcall function 0103E950: wcschr.MSVCRT ref: 0103EA14
      • Part of subcall function 0103E950: _wcsicmp.MSVCRT ref: 0103EA80
    • wcschr.MSVCRT ref: 0103AED2
    • wcsncmp.MSVCRT(00000000,010322A8,00000004,00000002,00007FE7), ref: 0103B016
      • Part of subcall function 0103BC30: wcschr.MSVCRT ref: 0103BCA7
      • Part of subcall function 0103BC30: iswspace.MSVCRT ref: 0103BD1D
      • Part of subcall function 0103BC30: wcschr.MSVCRT ref: 0103BD39
      • Part of subcall function 0103BC30: wcschr.MSVCRT ref: 0103BD5D
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00007FE7), ref: 0104CC6C
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 0104CCCB
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: wcschr$memset$ErrorLast$ConsoleTitle_wcsicmpiswspacetowupperwcsncmp
    • String ID:
    • API String ID: 4198873954-0
    • Opcode ID: a83ba37beff3f636866493b9e066b08ba56bccd6c06e7c7eed1f94f60f9693c3
    • Instruction ID: 8ccd9c7bab2d5d376236eaf534d1f6fb615d0d401e7ce4ffb315d83889a502d6
    • Opcode Fuzzy Hash: a83ba37beff3f636866493b9e066b08ba56bccd6c06e7c7eed1f94f60f9693c3
    • Instruction Fuzzy Hash: B2B138B1B00216CBDB64AB6CC9847BE73A8AF80304F0445B9DACAD72D0EB759945C795
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 53%
    			E0103498F(void** __ecx) {
    				void _v8;
    				intOrPtr _v12;
    				void* _v16;
    				char _v20;
    				void* _t37;
    				void* _t38;
    				void* _t44;
    				signed int _t48;
    				intOrPtr _t59;
    				void* _t62;
    				void* _t67;
    				void** _t69;
    				void* _t78;
    				void* _t84;
    				void* _t90;
    				long _t94;
    				long _t98;
    
    				_t69 = __ecx;
    				_push(_t94);
    				if( *(__ecx + 8) != 0) {
    					_t38 = E01039A11(_t37);
    					_t98 =  *(__ecx + 0x10);
    					if(_t38 == 0) {
    						if(E01039B3B( *(__ecx + 8) +  *(__ecx + 8), _t98,  *(__ecx + 8) +  *(__ecx + 8),  &_v20) == 0) {
    							goto L29;
    						} else {
    							_t54 =  *(__ecx + 8);
    							_t42 =  *(__ecx + 8) + _t54;
    							if(_v20 >=  *(__ecx + 8) + _t54) {
    								goto L1;
    							} else {
    								goto L29;
    							}
    						}
    					} else {
    						_t59 = _t98 +  *(__ecx + 8) * 2;
    						_v12 = _t59;
    						if(_t98 < _t59) {
    							_t84 = 0x2022;
    							while(1) {
    								_t94 = _t98;
    								if(_t98 >= _t59) {
    									goto L1;
    								}
    								while( *_t94 != _t84) {
    									_t94 = _t94 + 2;
    									if(_t94 < _t59) {
    										continue;
    									}
    									break;
    								}
    								if(_t94 == _t98) {
    									goto L18;
    								} else {
    									_t67 = _t94 - _t98 >> 1;
    									_v16 = _t67;
    									__imp___get_osfhandle(0);
    									if(WriteConsoleW(_t67, 1, _t98, _t67,  &_v8) == 0) {
    										L29:
    										_t78 = 1;
    										if(E0103DD98(_t42) == 0) {
    											_t78 = 1;
    											_t44 = E01059FCF(_t43, 1);
    											if(_t44 == 0) {
    												_push(_t44);
    												_push(0x70);
    												goto L33;
    											}
    										} else {
    											_push(0);
    											_push(0x1d);
    											L33:
    											E010378E4(_t78);
    											_pop(_t78);
    										}
    										E01059922();
    										__imp__longjmp(0x1070a30, 1);
    										asm("int3");
    										do {
    											_t48 = _t78 - _t94 >> 1;
    											while(_t48 > _t69[8]) {
    												_t48 = _t48 - _t69[8];
    												_t98 = 1 + _t98;
    											}
    											_t98 = 1 + _t98;
    											_t36 = _t78 + 2; // 0x2
    											_t94 = _t36;
    											_t90 = 0xa;
    											_t78 = E0103A62F(_t94, _t90);
    										} while (_t78 != 0);
    										if(_t98 == 0) {
    											_t98 = _t69[2] / _t69[8];
    										}
    										return _t98;
    									} else {
    										_t42 = _v16;
    										if(_v8 != _v16) {
    											goto L29;
    										} else {
    											_t59 = _v12;
    											_t98 = _t94;
    											_t84 = 0x2022;
    											L18:
    											while(_t94 < _t59) {
    												if( *_t94 == _t84) {
    													_t94 = _t94 + 2;
    													continue;
    												}
    												break;
    											}
    											if(_t94 == _t98) {
    												L25:
    												_t84 = 0x2022;
    												if(_t98 < _t59) {
    													continue;
    												} else {
    													goto L1;
    												}
    											} else {
    												if( *_t69 != 0) {
    													SetConsoleMode( *_t69, 2);
    												}
    												_t62 = _t94 - _t98 >> 1;
    												_v16 = _t62;
    												__imp___get_osfhandle(0);
    												_t98 = WriteConsoleW(_t62, 1, _t98, _t62,  &_v8);
    												_t42 = E0103E310(_t63);
    												if(_t98 == 0) {
    													goto L29;
    												} else {
    													_t42 = _v16;
    													if(_v8 != _v16) {
    														goto L29;
    													} else {
    														_t59 = _v12;
    														_t98 = _t94;
    														goto L25;
    													}
    												}
    											}
    										}
    									}
    								}
    								goto L39;
    							}
    						}
    						goto L1;
    					}
    				} else {
    					L1:
    					_t69[1] = _t69[1] + E010349C5(_t69, _t69[4]);
    					 *(_t69[4]) = 0;
    					_t69[2] = _t69[2] & 0;
    					return 0;
    				}
    				L39:
    			}

    APIs
    • _get_osfhandle.MSVCRT ref: 0104858D
    • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 01048595
    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000002), ref: 010485D4
    • _get_osfhandle.MSVCRT ref: 010485ED
    • WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 010485F5
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: Console$Write_get_osfhandle$Mode
    • String ID:
    • API String ID: 1066134489-0
    • Opcode ID: b63001e717c804a99a1649b81ac8dab4dbfe43368374612d5944020c774be53f
    • Instruction ID: 8ec830e630c1a22b521a3a6a0a9790a41e7c7dd563dd5aeacf60d34f30e84958
    • Opcode Fuzzy Hash: b63001e717c804a99a1649b81ac8dab4dbfe43368374612d5944020c774be53f
    • Instruction Fuzzy Hash: FF41C8B1B00201DBDF649EBCD8C9AAE77E8EB44714F088977E9C6DB185EA71D940C790
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 72%
    			E0103B7A8(signed int* __ebx, signed int __edx, intOrPtr __edi, void* __ebp, void* _a4, signed int _a12, signed int _a16, intOrPtr _a20, signed int _a24, signed int _a28, void _a32, void* _a536, int _a544, void* _a548, int _a552, char _a556, int _a560, signed int _a572) {
    				void* _v0;
    				signed int _t59;
    				signed int _t61;
    				signed int _t65;
    				signed int _t66;
    				void* _t68;
    				int _t71;
    				int _t74;
    				int _t77;
    				signed int _t82;
    				signed int _t83;
    				void* _t84;
    				signed int _t85;
    				signed int _t86;
    				signed int _t87;
    				signed int _t88;
    				signed int _t100;
    				signed int* _t101;
    				void* _t102;
    				signed int _t107;
    				void* _t113;
    				intOrPtr _t130;
    				signed int _t131;
    				void* _t132;
    				void* _t133;
    				signed int _t134;
    				signed int _t137;
    				void* _t139;
    
    				_t130 = __edi;
    				_t124 = __edx;
    				_t101 = __ebx;
    				L1:
    				while(1) {
    					if( *0x106259c != 0) {
    						E010598B5(_t101, _t130);
    						_t124 = _a24;
    					}
    					 *0x1066744 = 0;
    					if( *0x1066755 == 0 || _t130 == 0) {
    						L4:
    						_t131 = E0103E272(_t101);
    						if(_t131 == 0xffffffff) {
    							goto L67;
    						}
    						_t61 = E0103C570(3, _t131, _t101[4]);
    						_t134 = _t61;
    						__imp___tell(_t131);
    						_t101[2] = _t61;
    						_t139 = _t137 + 4;
    						_t3 = _t131 - 3; // -3
    						_t62 = _t3;
    						_t107 = 0;
    						_t124 = _t131;
    						if(_t3 > 0x5b) {
    							L8:
    							__imp___close(_t131);
    							_t137 = _t139 + 4;
    							if(_t134 == 0) {
    								goto L30;
    							}
    							if(_t134 == 1 ||  *0x10665ec == 0x234a) {
    								E01058959(_t62, _t107);
    								__eflags =  *0x105e0c0 - 1;
    								if( *0x105e0c0 == 1) {
    									__eflags =  *0x107951c;
    									if( *0x107951c == 0) {
    										E0105769E(_t107);
    										E010363BD(_t107, 0x2371, 1, 0x10625c2);
    										_t137 = _t137 + 0xc;
    									}
    								}
    								E01059922();
    								__imp__longjmp(0x1070a30, 1);
    								goto L72;
    							} else {
    								if(_t134 == 0xffffffff) {
    									_t59 = _a16;
    									goto L32;
    								} else {
    									_t130 = _a20;
    									_t124 = _a28;
    									goto L13;
    								}
    							}
    						}
    						if(_t131 > 0x1f) {
    							_t45 = _t131 - 0x20; // -32
    							_t100 = (_t45 >> 5) + 1;
    							__eflags = _t100;
    							_t107 = _t100;
    							do {
    								_t124 = _t124 - 0x20;
    								_t100 = _t100 - 1;
    								__eflags = _t100;
    							} while (_t100 != 0);
    						}
    						_t62 =  *((intOrPtr*)(0x10667ac + _t107 * 4));
    						asm("btr eax, edx");
    						goto L8;
    					} else {
    						__eflags =  *((short*)( *((intOrPtr*)(_t124 + 0x38)))) - 0x3a;
    						if( *((short*)( *((intOrPtr*)(_t124 + 0x38)))) != 0x3a) {
    							goto L4;
    						}
    						_t134 = E0103DCD0(0x50);
    						__eflags = _t134;
    						if(_t134 == 0) {
    							L67:
    							_t59 = 1;
    							L32:
    							_pop(_t132);
    							_pop(_t133);
    							_pop(_t102);
    							__eflags = _a572 ^ _t137;
    							return E01046B30(_t59, _t102, _a572 ^ _t137, _t124, _t132, _t133);
    						}
    						 *_t134 = 0;
    						_t65 = E0103ACB0(L"GOTO");
    						 *(_t134 + 0x38) = _t65;
    						__eflags = _t65;
    						if(_t65 == 0) {
    							goto L67;
    						}
    						_t66 = E0103ACB0( *((intOrPtr*)(_a24 + 0x38)));
    						 *(_t134 + 0x3c) = _t66;
    						__eflags = _t66;
    						if(_t66 == 0) {
    							goto L67;
    						}
    						_t124 = 1;
    						 *_t66 = 0x20;
    						 *(_t134 + 0x40) = 0;
    						_a28 = 1;
    						L13:
    						if(_t130 != 0) {
    							__eflags = _t134;
    							if(_t134 != 0) {
    								_a20 = 0;
    							}
    						}
    						_t113 =  *_t134;
    						if(_t113 != 0 ||  *( *(_t134 + 0x38)) != 0x3a) {
    							if(_t124 != 0) {
    								_a28 = 0;
    								_t68 = _t113;
    							} else {
    								_t68 = _t113;
    								if( *0x105e0c0 == 1) {
    									_t68 = _t113;
    									__eflags = _t113 - 0x3b;
    									if(_t113 != 0x3b) {
    										__eflags =  *0x107951c;
    										_t68 = _t113;
    										if( *0x107951c == 0) {
    											E0105769E(_t113);
    											_t124 = 0;
    											E01053B4E(_t134, 0);
    											E01039950(L"\r\n");
    											_t68 =  *_t134;
    											_t137 = _t137 + 4;
    										}
    									}
    								}
    							}
    							if(_t68 == 0x3b) {
    								_t134 =  *(_t134 + 0x38);
    							}
    							_a552 = 0;
    							_a556 = 1;
    							_a560 = 0x104;
    							memset( &_a32, 0, 0x104);
    							_t137 = _t137 + 0xc;
    							if(_a556 == 0) {
    								_t71 = 0x104;
    							} else {
    								_t71 = 0x7fe7;
    							}
    							if(E0103E3F0(_t71) < 0) {
    								E010461E6( &_a32);
    								goto L67;
    							} else {
    								if(_t134 == 0) {
    									_t134 = 0;
    									_a16 = 0;
    									L26:
    									_t74 = _a552;
    									_a552 = 0;
    									if(_t74 != 0) {
    										__imp__??_V@YAXPAX@Z(_t74);
    										_t137 = _t137 + 4;
    									}
    									goto L28;
    								}
    								if( *_t134 != 0 || E0103ED90(0x2a,  *(_t134 + 0x38),  &_a16) != 0xffffffff) {
    									L25:
    									_t124 = _t134;
    									_a16 = E0103E470(2, _t134);
    									E0103E310(_t75);
    									_t77 = GetConsoleOutputCP();
    									 *0x10625a0 = _t77;
    									GetCPInfo(_t77, 0x106c9f0);
    									E0103E2AF();
    									_t134 = _a16;
    									goto L26;
    								} else {
    									_t82 = E0103A62F( *(_t134 + 0x38), 0x2a);
    									__eflags = _t82;
    									if(_t82 != 0) {
    										goto L25;
    									}
    									_t40 = _t82 + 0x3f; // 0x3f
    									_t83 = E0103A62F( *(_t134 + 0x38), _t40);
    									__eflags = _t83;
    									if(_t83 != 0) {
    										goto L25;
    									}
    									_t129 = _a552;
    									__eflags = _a552;
    									if(__eflags == 0) {
    										_t129 =  &_a32;
    									}
    									_t84 = E0103F410(_t134, _t129, __eflags, _a560);
    									__eflags = _t84 - 2;
    									if(_t84 != 2) {
    										goto L25;
    									} else {
    										__eflags =  *(_t134 + 0x34);
    										if( *(_t134 + 0x34) == 0) {
    											L60:
    											_t85 = _a552;
    											__eflags = _t85;
    											if(__eflags == 0) {
    												_t85 =  &_a32;
    											}
    											_t124 =  *_t101;
    											_push(_t85);
    											_push(_t101[1]);
    											_t86 = E0103FCE9(_t101, _t134,  *_t101, _t130, _t134, __eflags);
    											__eflags = _t86;
    											if(_t86 != 0) {
    												goto L64;
    											} else {
    												_t134 = 0;
    												_a12 = 1;
    												 *((intOrPtr*)(_t137 + 0x10)) = 0;
    												goto L26;
    											}
    										} else {
    											_t124 = _t134;
    											_t88 = E01057D6E(_a24, _t134);
    											__eflags = _t88;
    											if(_t88 != 0) {
    												L64:
    												_t87 = _a544;
    												_a544 = 0;
    												__eflags = _t87;
    												if(_t87 != 0) {
    													__imp__??_V@YAXPAX@Z(_t87);
    													_t137 = _t137 + 4;
    												}
    												goto L67;
    											}
    											goto L60;
    										}
    									}
    								}
    							}
    						} else {
    							L30:
    							_t134 = _a16;
    							L28:
    							if( *0x1066748 != _t101) {
    								L72:
    								_t59 = _t134;
    								goto L32;
    							}
    							_t130 = _a20;
    							_t124 = _a24;
    							continue;
    						}
    					}
    				}
    			}

    APIs
    • _tell.MSVCRT ref: 0103B7F9
    • _close.MSVCRT ref: 0103B82C
    • memset.MSVCRT ref: 0103B8CC
    • GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(00007FE7), ref: 0103B936
    • GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0106C9F0), ref: 0103B947
    • ??_V@YAXPAX@Z.MSVCRT ref: 0103B96D
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: ConsoleInfoOutput_close_tellmemset
    • String ID:
    • API String ID: 1380661413-0
    • Opcode ID: 76ecd46ed19d6e6a0db5abac82b37e5c57f1b65ed8cd286089950d1c619c0276
    • Instruction ID: dedce1824e259ee928f1cfee61a08779094289e81198282d77ecf3a365873782
    • Opcode Fuzzy Hash: 76ecd46ed19d6e6a0db5abac82b37e5c57f1b65ed8cd286089950d1c619c0276
    • Instruction Fuzzy Hash: A1412670A013418BE771DF2CD48836ABBE9ABC4314F14096DE9D5972A4EB39D845CB52
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 57%
    			E01037F47(short __ecx) {
    				signed int _v8;
    				short _v14;
    				short _v16;
    				short _v18;
    				short _v20;
    				long _v28;
    				char _v32;
    				DWORD* _v36;
    				void _v556;
    				long _v564;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t27;
    				DWORD* _t37;
    				void* _t38;
    				short _t40;
    				short _t41;
    				int _t44;
    				DWORD* _t45;
    				WCHAR* _t47;
    				DWORD* _t59;
    				void* _t60;
    				short _t62;
    				signed int _t63;
    
    				_t27 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t27 ^ _t63;
    				_v32 = 1;
    				_v28 = 0x104;
    				_v36 = 0;
    				_t62 = __ecx;
    				memset( &_v556, 0, 0x104);
    				if(E0103E3F0(((0 | _v32 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
    					L6:
    					_t37 = _v36;
    					_v36 = 0;
    					if(_t37 != 0) {
    						__imp__??_V@YAXPAX@Z(_t37);
    					}
    					_t38 = 0;
    				} else {
    					_t40 = 0x3a;
    					_v18 = _t40;
    					_t41 = 0x5c;
    					_v16 = _t41;
    					_v14 = 0;
    					_v20 = _t62;
    					_t44 = GetDriveTypeW( &_v20);
    					if(_t44 <= 1) {
    						_t45 = _v36;
    						_v36 = 0;
    						if(_t45 != 0) {
    							_push(_t45);
    							goto L16;
    						}
    						goto L17;
    					} else {
    						if(_t44 == 2 || _t44 == 5) {
    							goto L6;
    						} else {
    							_t47 = _v36;
    							if(_t47 == 0) {
    								_t47 =  &_v556;
    							}
    							if(GetVolumeInformationW( &_v20, _t47, _v28,  &_v564, 0, 0, 0, 0) == 0) {
    								if(GetLastError() != 5) {
    									goto L6;
    								} else {
    									_t59 = _v36;
    									_v36 = 0;
    									if(_t59 != 0) {
    										_push(_t59);
    										L16:
    										__imp__??_V@YAXPAX@Z();
    									}
    									L17:
    									_t38 = 1;
    								}
    							} else {
    								goto L6;
    							}
    						}
    					}
    				}
    				return E01046B30(_t38, 0, _v8 ^ _t63, _t60, 0x104, _t62);
    			}

    APIs
    • memset.MSVCRT ref: 01037F7C
      • Part of subcall function 0103E3F0: memset.MSVCRT ref: 0103E455
    • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?,-00000001,?,?,00000001), ref: 01037FC0
    • GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,00000000,00000000,00000000,00000000), ref: 01037FF3
    • ??_V@YAXPAX@Z.MSVCRT ref: 0103800C
    • ??_V@YAXPAX@Z.MSVCRT ref: 0104B05A
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: memset$DriveInformationTypeVolume
    • String ID:
    • API String ID: 285405857-0
    • Opcode ID: 7a188999d82239e3f8c890acbdfe24e549b434085ce1422d0ff8b078a3351541
    • Instruction ID: fa69e78576d651add29f048222d598dc8d2dfbae9fb43f39131e4d7a8eea5080
    • Opcode Fuzzy Hash: 7a188999d82239e3f8c890acbdfe24e549b434085ce1422d0ff8b078a3351541
    • Instruction Fuzzy Hash: F2312FB1E10219ABDF64DBA9DC84AEFBBBCEF48344F0445AAF545E2140D739DA40CB61
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 71%
    			E01039B3B(void* __eax, void* __edx, long _a4, DWORD* _a8) {
    				void* _v8;
    				long _v12;
    				long _v16;
    				long _t15;
    				void* _t17;
    				void* _t24;
    				DWORD* _t30;
    				long _t32;
    				long _t33;
    
    				_t32 = _a4;
    				_t23 = __edx;
    				_v16 = _t32;
    				__imp___get_osfhandle(_t24);
    				_v8 = __eax;
    				if( *0x1079050 != 0) {
    					return WriteFile(__eax, __edx, _t32, _a8, 0);
    				}
    				_t30 = _a8;
    				while(_t32 > 0x2000) {
    					_t15 = WideCharToMultiByte( *0x10625a0, 0, _t23, 0x1000, 0x106a7f0, 0x2000, 0, 0);
    					_v12 = _t15;
    					_t23 =  &(_t23[0x1000]);
    					_t32 = _t32 - 0x2000;
    					if(WriteFile(_v8, 0x106a7f0, _t15, _t30, 0) == 0 ||  *_t30 != _v12) {
    						L9:
    						_t17 = 0;
    						L7:
    						return _t17;
    					} else {
    						_push(0);
    						_pop(0);
    						continue;
    					}
    				}
    				if(_t32 == 0) {
    					L6:
    					 *_t30 = _v16;
    					_t17 = 1;
    					goto L7;
    				}
    				_t5 = WideCharToMultiByte( *0x10625a0, 0, _t23, 0xffffffff, 0x106a7f0, 0x2000, 0, 0) - 1; // -1
    				_t33 = _t5;
    				if(WriteFile(_v8, 0x106a7f0, _t33, _t30, 0) == 0 ||  *_t30 != _t33) {
    					goto L9;
    				} else {
    					goto L6;
    				}
    			}

    APIs
    • _get_osfhandle.MSVCRT ref: 01039B4E
    • WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,01070AF0,000000FF,0106A7F0,00002000,00000000,00000000), ref: 01039B8E
    • WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,0106A7F0,-00000001,?,00000000), ref: 01039BA3
    • WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,01070AF0,?,?,00000000), ref: 0104C0BC
    • WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,01070AF0,00001000,0106A7F0,00002000,00000000,00000000,01070AEE), ref: 0104C0DC
    • WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,0106A7F0,00000000,?,00000000), ref: 0104C0FA
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: FileWrite$ByteCharMultiWide$_get_osfhandle
    • String ID:
    • API String ID: 3249344982-0
    • Opcode ID: e74132ad40dd028dc47dec7178edf37e9859ea40a4d51ce561bca6c2a5b125e9
    • Instruction ID: 719836fd7266355d0136fa046ef96d9b9c1d72bccca6858ad122bbbbedc1cee5
    • Opcode Fuzzy Hash: e74132ad40dd028dc47dec7178edf37e9859ea40a4d51ce561bca6c2a5b125e9
    • Instruction Fuzzy Hash: AC21CFB1A00201FFEB255A689D49F6F7BBDFB84754F104165F982F7280D6B99D00CBA0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 0103BC30: wcschr.MSVCRT ref: 0103BCA7
      • Part of subcall function 0103BC30: iswspace.MSVCRT ref: 0103BD1D
      • Part of subcall function 0103BC30: wcschr.MSVCRT ref: 0103BD39
      • Part of subcall function 0103BC30: wcschr.MSVCRT ref: 0103BD5D
    • _wcsicmp.MSVCRT ref: 010575AC
    • _wcsicmp.MSVCRT ref: 010575CB
    • _wcsicmp.MSVCRT ref: 010575F1
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: _wcsicmpwcschr$iswspace
    • String ID: KEYS$LIST$OFF
    • API String ID: 3924973218-4129271751
    • Opcode ID: 7304f4ecdbbf652fc2682d76b2999ab41e3fb22b81bce711af966e1afcf283c5
    • Instruction ID: 516a901634f43f5c519fc4ba03e45ab571d1a9fd1b5f57e1947691b62bb162bd
    • Opcode Fuzzy Hash: 7304f4ecdbbf652fc2682d76b2999ab41e3fb22b81bce711af966e1afcf283c5
    • Instruction Fuzzy Hash: B011AF31648305EBE369571DEC4997B77DCFBC46683D4401EEDC2960C0EEA64641D365
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 56%
    			E0103DA30(void* __ebx, void* __edi, void* __eflags) {
    				signed short* _v8;
    				char _v12;
    				signed short* _v16;
    				signed int _v20;
    				signed short* _t35;
    				signed int _t38;
    				signed short _t49;
    				signed int _t54;
    				void _t59;
    				signed short* _t60;
    				signed int _t73;
    				signed short* _t75;
    				void* _t78;
    				signed int* _t79;
    				short* _t80;
    				signed short* _t83;
    				void* _t89;
    				signed int _t91;
    				intOrPtr _t93;
    				signed short* _t95;
    				void* _t99;
    				void* _t102;
    				signed short* _t104;
    				signed short* _t108;
    				signed int _t110;
    				void* _t113;
    				void* _t116;
    				void* _t120;
    				void* _t121;
    
    				_t121 = _t120 - 0x14;
    				_push(_t113);
    				_t79 = 0x4002;
    				_t35 = E0103DCD0(0x4002);
    				_v8 = _t35;
    				_t104 = _t35;
    				if(_t35 == 0) {
    					memset(0x10625c0, 0, 0x4006);
    					_t121 = _t121 + 0xc;
    					 *0x10665cc = 0x10625c2;
    					__imp__longjmp(0x1070a70, 0xffffffff);
    					goto L37;
    				} else {
    					_t113 =  *0x10665cc;
    					_t102 = 0x2001;
    					_t79 = _t35;
    					_t78 = _t113 - _t35;
    					while(1) {
    						_t2 = _t102 + 0x7fffdffd; // 0x7ffffffe
    						if(_t2 == 0) {
    							break;
    						}
    						_t73 =  *(_t78 + _t79) & 0x0000ffff;
    						if(_t73 == 0) {
    							break;
    						} else {
    							 *_t79 = _t73;
    							_t79 =  &(_t79[0]);
    							_t102 = _t102 - 1;
    							if(_t102 != 0) {
    								continue;
    							} else {
    								L37:
    								_t80 = _t79 - 2;
    							}
    						}
    						goto L7;
    					}
    					if(_t102 == 0) {
    						goto L37;
    					}
    				}
    				L7:
    				_t75 = 0;
    				 *_t80 = 0;
    				_t81 = _t104;
    				_v12 = 0;
    				_t38 =  *_t104 & 0x0000ffff;
    				if(_t38 == 0) {
    					L13:
    					 *0x10665cc = 0x10625c2;
    					 *_t113 = 0;
    					if(_t75 > 0x2001) {
    						 *0x10625c2 = 0;
    						goto L40;
    					} else {
    						return E0103DC60(_t81);
    					}
    				} else {
    					while(1) {
    						_t83 = _t104;
    						_t104 =  &(_t104[1]);
    						_v16 = _t83;
    						if(_t75 > 0x2001) {
    							break;
    						}
    						if(_t38 == 0x25) {
    							_t93 =  *0x1066748;
    							if(_t93 == 0) {
    								L19:
    								_t81 = E0103BF70(0x1070a70, _t104,  &_v12, 0x25);
    								if(_t81 == 0) {
    									_t113 =  *0x10665cc;
    									if( *0x1066748 == 0) {
    										goto L33;
    									} else {
    										_t104 =  &(_v16[_v12 + 1]);
    									}
    									goto L11;
    								} else {
    									goto L20;
    								}
    							} else {
    								_t54 =  *_t104 & 0x0000ffff;
    								if(_t54 == 0x25) {
    									_t29 =  &(_t83[2]); // 0x4
    									_t104 = _t29;
    									L33:
    									 *_t113 = 0x25;
    									_t113 = _t113 + 2;
    									_t75 = _t75 + 1;
    									goto L24;
    								} else {
    									if(_t54 == 0x2a) {
    										if( *0x1066755 == 0) {
    											goto L18;
    										} else {
    											_t99 =  *(_t93 + 0x34);
    											_t18 =  &(_t83[2]); // 0x4
    											_t104 = _t18;
    											if(_t99 == 0) {
    												goto L11;
    											} else {
    												_t89 = _t99;
    												_t19 = _t89 + 2; // 0x2
    												_v16 = _t19;
    												do {
    													_t59 =  *_t89;
    													_t89 = _t89 + 2;
    												} while (_t59 != 0);
    												_t91 = _t89 - _v16 >> 1;
    												_v20 = _t91;
    												if(_t91 <= 0) {
    													goto L11;
    												} else {
    													_t60 = _t91 + _t75;
    													_v16 = _t60;
    													if(_t60 > 0x2000) {
    														memcpy(_t113, _t99, 0x2000 - _t75 + 0x2000 - _t75);
    														 *0x10665c2 = 0;
    														E010378E4(_t91, 0x234f, 1, 0x10625c2);
    														goto L41;
    													} else {
    														E0103F3A0(_t113, 0x2003 - (_t113 - 0x10625c0 >> 1), _t99);
    														_t75 = _v16;
    														_t113 = _t113 + _v20 * 2;
    														 *0x10665cc = _t113;
    														goto L11;
    													}
    												}
    											}
    										}
    									} else {
    										L18:
    										_t81 = E0103EE03(0x1070a70, _t104,  &_v12, L"0123456789", _t93 + 0x3c);
    										if(_t81 != 0) {
    											L20:
    											_t108 = _t81;
    											_t10 =  &(_t108[1]); // 0x2
    											_t95 = _t10;
    											do {
    												_t49 =  *_t108;
    												_t108 =  &(_t108[1]);
    											} while (_t49 != 0);
    											_t110 = _t108 - _t95 >> 1;
    											_t75 = _t75 + _t110;
    											if(_t75 > 0x2001) {
    												L40:
    												_push(0);
    												_push(0x233f);
    												E010378E4(_t81);
    												L41:
    												_t82 = _v8;
    												E0103DC60(_v8);
    												__imp__longjmp(0x1070a70, 0xffffffff);
    												asm("int3");
    												_push(0);
    												_push(8);
    												E010378E4(_t82);
    												return 0;
    											} else {
    												_t116 =  *0x10665cc;
    												E0103F3A0(_t116, 0x2003 - (_t116 - 0x10625c0 >> 1), _t81);
    												_t113 = _t116 + _t110 * 2;
    												_t104 =  &(_v16[_v12 + 1]);
    												L24:
    												 *0x10665cc = _t113;
    												goto L11;
    											}
    										} else {
    											goto L19;
    										}
    									}
    								}
    							}
    						} else {
    							 *_t113 = _t38;
    							_t75 = _t75 + 1;
    							_t113 = _t113 + 2;
    							 *0x10665cc = _t113;
    							if(_t38 == 0xa) {
    								break;
    							} else {
    								L11:
    								_t38 =  *_t104 & 0x0000ffff;
    								if(_t38 != 0) {
    									continue;
    								} else {
    									break;
    								}
    							}
    						}
    						goto L43;
    					}
    					_t81 = _v8;
    					goto L13;
    				}
    				L43:
    			}

    APIs
      • Part of subcall function 0103DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0103ACD8,00000001,?,00000000,01038C23,-00000105,0105C9B0,00000240,01041E92,00000000,00000000,0104ACE0,00000000), ref: 0103DCE1
      • Part of subcall function 0103DCD0: RtlAllocateHeap.NTDLL(00000000,?,0103ACD8,00000001,?,00000000,01038C23,-00000105,0105C9B0,00000240,01041E92,00000000,00000000,0104ACE0,00000000,00000000), ref: 0103DCE8
    • memset.MSVCRT ref: 0104D954
    • longjmp.MSVCRT(01070A70,000000FF,00000000,010625C2,010625C0,?,?,?,?,0103D980), ref: 0104D96D
    • memcpy.MSVCRT ref: 0104D987
    • longjmp.MSVCRT(01070A70,000000FF,010625C2,010625C0,?,?,?,?,0103D980), ref: 0104D9D3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: Heaplongjmp$AllocateProcessmemcpymemset
    • String ID: 0123456789
    • API String ID: 3123626474-2793719750
    • Opcode ID: 4768dee92cfcc2b4afac03ebc0e2b4fa5960f7616f5ca367c8b38d1ec33c2ac2
    • Instruction ID: e2307f85731481da3f99ea920dff6be72560161f1755bd7da30fe6c0e2f9f31a
    • Opcode Fuzzy Hash: 4768dee92cfcc2b4afac03ebc0e2b4fa5960f7616f5ca367c8b38d1ec33c2ac2
    • Instruction Fuzzy Hash: DD710975B103069BDB249FA8C8856AD77FAFBC0300F5881ADD9C5D7284EB769906C790
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 68%
    			E01035020(void* __ecx) {
    				intOrPtr _v8;
    				signed int _v16;
    				long _v28;
    				char _v32;
    				void* _v36;
    				void _v556;
    				signed short* _v560;
    				signed short* _v564;
    				int _v568;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				signed int _t38;
    				intOrPtr _t50;
    				signed short _t57;
    				void* _t58;
    				signed short* _t61;
    				void* _t64;
    				signed int _t69;
    				signed int _t73;
    				signed int _t74;
    				signed int _t76;
    				signed short* _t85;
    				signed short* _t88;
    				signed short* _t97;
    				signed int _t104;
    				void* _t107;
    				signed short* _t108;
    				signed short* _t109;
    				intOrPtr _t111;
    				signed short* _t112;
    				void* _t113;
    				signed short* _t114;
    				signed int _t116;
    				signed short* _t117;
    				signed int* _t119;
    				signed int _t124;
    
    				_t76 = _t124;
    				_push(__ecx);
    				_push(__ecx);
    				_v8 =  *((intOrPtr*)(_t76 + 4));
    				_t122 = (_t124 & 0xfffffff8) + 4;
    				_t38 =  *0x105e0b4; // 0x6030efd1
    				_v16 = _t38 ^ (_t124 & 0xfffffff8) + 0x00000004;
    				_t111 =  *((intOrPtr*)(_t76 + 8));
    				_v560 = 1;
    				_v32 = 1;
    				_v568 = 0;
    				_v36 = 0;
    				_v28 = 0x104;
    				memset( &_v556, 0, 0x104);
    				if(E0103E3F0(((0 | _v32 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
    					L15:
    					_t112 = _v560;
    					L10:
    					_t50 = _v36;
    					_v36 = 0;
    					if(_t50 != 0) {
    						__imp__??_V@YAXPAX@Z(_t50);
    					}
    					_pop(_t107);
    					_pop(_t113);
    					return E01046B30(_t112, _t76, _v16 ^ _t122, _t100, _t107, _t113);
    				}
    				_push((0 |  *0x1066755 != 0x00000000) + 2);
    				_t108 = E0103BC30( *((intOrPtr*)(_t111 + 0x3c)), 0x10320b8);
    				_v564 = _t108;
    				if( *0x1066755 == 0) {
    					L4:
    					_t114 = _t108;
    					_t19 =  &(_t114[1]); // 0x2
    					_t85 = _t19;
    					do {
    						_t57 =  *_t114;
    						_t114 =  &(_t114[1]);
    					} while (_t57 != 0);
    					_t116 = _t114 - _t85 >> 1;
    					_t58 = E01040060(_t108, _t108);
    					_t20 = _t116 + 1; // -1
    					E0103F3A0(_t108, _t20, _t58);
    					_t100 =  *_t108 & 0x0000ffff;
    					if(_t100 != 0) {
    						_t88 = _t108;
    						_t29 =  &(_t88[1]); // 0x2
    						_t117 = _t29;
    						do {
    							_t60 =  *_t88;
    							_t88 =  &(_t88[1]);
    						} while (_t60 != _v568);
    						if(_t88 - _t117 >> 1 != 2 || _t108[1] != 0x3a || iswalpha(_t100) == 0) {
    							_t61 = E010589E2(_t60, _t108);
    							_v560 = _t61;
    							 *0x10665dc = _t61;
    							goto L15;
    						} else {
    							_t93 = _v36;
    							if(_v36 == 0) {
    								_t93 =  &_v556;
    							}
    							_t100 = _v28;
    							E01038E9E(_t76, _t93, _v28,  *_t108 & 0x0000ffff);
    							_t64 = _v36;
    							if(_t64 == 0) {
    								_t64 =  &_v556;
    							}
    							L9:
    							_push(_t64);
    							E01039950(L"%s\r\n");
    							 *0x10665dc = 0;
    							_t112 = 0;
    							goto L10;
    						}
    					}
    					_t96 =  *0x1078df8;
    					if( *0x1078df8 == 0) {
    						_t96 = 0x1078bf0;
    					}
    					_t100 =  *0x1078e00;
    					E01038E9E(_t76, _t96,  *0x1078e00, 0);
    					_t64 =  *0x1078df8;
    					if(_t64 == 0) {
    						_t64 = 0x1078bf0;
    					}
    					goto L9;
    				}
    				_t69 =  *_t108 & 0x0000ffff;
    				_t97 = _t108;
    				_t119 = _t108;
    				if(_t69 != 0) {
    					_t104 = _t69;
    					do {
    						 *_t119 = _t104;
    						if(_t104 == 0) {
    							L19:
    							_v560 =  &(_t97[1]);
    							while(1) {
    								_t26 = _t119 - 2; // -4
    								_t109 = _t26;
    								if(iswspace( *_t109 & 0x0000ffff) == 0) {
    									goto L22;
    								}
    								_t119 = _t109;
    							}
    							goto L22;
    						} else {
    							goto L18;
    						}
    						do {
    							L18:
    							_t97 =  &(_t97[1]);
    							_t119 =  &(_t119[0]);
    							_t74 =  *_t97 & 0x0000ffff;
    							 *_t119 = _t74;
    						} while (_t74 != 0);
    						goto L19;
    						L22:
    						_t97 = _v560;
    						 *_t119 = 0;
    						_t119 =  &(_t119[0]);
    						_t73 =  *_t97 & 0x0000ffff;
    						_t104 = _t73;
    					} while (_t73 != 0);
    					_t108 = _v564;
    				}
    				 *_t119 = 0;
    				goto L4;
    			}

    APIs
    • memset.MSVCRT ref: 01035074
      • Part of subcall function 0103E3F0: memset.MSVCRT ref: 0103E455
    • ??_V@YAXPAX@Z.MSVCRT ref: 0103515F
      • Part of subcall function 0103BC30: wcschr.MSVCRT ref: 0103BCA7
      • Part of subcall function 0103BC30: iswspace.MSVCRT ref: 0103BD1D
      • Part of subcall function 0103BC30: wcschr.MSVCRT ref: 0103BD39
      • Part of subcall function 0103BC30: wcschr.MSVCRT ref: 0103BD5D
    • iswspace.MSVCRT ref: 01049289
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: wcschr$iswspacememset
    • String ID: %s
    • API String ID: 2220997661-3043279178
    • Opcode ID: 6bdc28d6fa744c846e5eecf5424b6b6f75974232c649c0f66c93c5aa3a066c02
    • Instruction ID: 42ea7a716824ba63d7ff6b329289d44f006018811c1a3043a2122409fd6d8274
    • Opcode Fuzzy Hash: 6bdc28d6fa744c846e5eecf5424b6b6f75974232c649c0f66c93c5aa3a066c02
    • Instruction Fuzzy Hash: 0A51D3B5E001129BDB24DF68D8856BFB7F9EF88214F1445AEE8C5E7240EB359D41CB90
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 76%
    			E01052584(signed int* __ecx, intOrPtr _a4, signed int _a12, signed int _a16) {
    				void* _v0;
    				signed int _v8;
    				char _v532;
    				signed int* _v536;
    				signed int _v540;
    				char _v544;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t22;
    				intOrPtr* _t28;
    				signed int _t32;
    				void* _t34;
    				signed int* _t37;
    				long _t38;
    				signed int* _t41;
    				signed int _t43;
    				signed int _t44;
    				signed int _t45;
    				signed int _t46;
    				signed int _t51;
    				signed int _t56;
    				void* _t59;
    				void* _t63;
    				signed int _t65;
    
    				_t22 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t22 ^ _t65;
    				_t43 = _a12;
    				_v536 = __ecx;
    				_t26 = _t43 & 0x80000000 | _a16;
    				if((_t43 & 0x80000000 | _a16) != 0) {
    					E01047D12(_t26);
    				}
    				_t64 = 0x104;
    				E0103F3A0( &_v532, 0x104, _a4);
    				_t61 = 0x104;
    				_t28 =  &_v532;
    				_t63 = 0;
    				while( *_t28 != _t63) {
    					_t28 = _t28 + 2;
    					_t61 = _t61 - 1;
    					if(_t61 != 0) {
    						continue;
    					}
    					break;
    				}
    				asm("sbb ecx, ecx");
    				_t51 =  ~_t61 & _t64 - _t61;
    				if(_t61 != 0) {
    					_t41 =  &_v532 + _t51 * 2;
    					_t64 = _t64 - _t51;
    					if(_t64 == 0) {
    						L12:
    						_t41 = _t41 - 2;
    					} else {
    						_t59 = 0x7ffffffe;
    						_t61 = L"_p0" - _t41;
    						while(_t59 != 0) {
    							_t46 =  *(_t41 + _t61) & 0x0000ffff;
    							if(_t46 != 0) {
    								 *_t41 = _t46;
    								_t41 =  &(_t41[0]);
    								_t59 = _t59 - 1;
    								_t64 = _t64 - 1;
    								if(_t64 != 0) {
    									continue;
    								}
    							}
    							break;
    						}
    						_t43 = _a12;
    						if(_t64 == 0) {
    							goto L12;
    						}
    					}
    					 *_t41 = 0;
    				}
    				_t44 = _t43 & 0x7fffffff;
    				if(_t44 <= 0) {
    					_t32 = 1;
    				} else {
    					_t32 = _t44;
    				}
    				__imp__CreateSemaphoreExW(_t63, _t44, _t32,  &_v532, _t63, 0x1f0003);
    				_t45 = _t32;
    				if(_t45 == 0) {
    					_t63 = E01052A9C( &_v532);
    				} else {
    					_t37 = _v536;
    					_t56 =  *_t37;
    					if(_t56 != 0) {
    						_v540 = _t56;
    						_t38 = GetLastError();
    						_t61 =  &_v540;
    						_v544 = E01052560;
    						_t64 = _t38;
    						E01047C7A( &_v544,  &_v540);
    						SetLastError(_t38);
    						_t37 = _v536;
    					}
    					 *_t37 = _t45;
    				}
    				if(_t63 >= 0) {
    					_t34 = 0;
    				} else {
    					_t61 = 0x85;
    					E010534D4("wil", _t63);
    					_t34 = _t63;
    				}
    				return E01046B30(_t34, _t45, _v8 ^ _t65, _t61, _t63, _t64);
    			}

    APIs
    • CreateSemaphoreExW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000000,00000001,?,00000000,001F0003,?,?,?,?), ref: 01052652
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 01052670
    • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 01052694
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: ErrorLast$CreateSemaphore
    • String ID: _p0$wil
    • API String ID: 4049970386-1814513734
    • Opcode ID: a52820fcf42c07cd31a4f74a264ee8c3876dd16a1a4c26f58514307409c64423
    • Instruction ID: 0c7420dd0ac4453be1a31b6e06e009afcd7d8ffc61779d871b4698db10df9c78
    • Opcode Fuzzy Hash: a52820fcf42c07cd31a4f74a264ee8c3876dd16a1a4c26f58514307409c64423
    • Instruction Fuzzy Hash: 5931B175B4021ACBDBA5DF28C998AAB77B5FF98310F1441A8ED8697240DA74DE408B70
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 74%
    			E010551E8(intOrPtr __ecx) {
    				intOrPtr _v8;
    				intOrPtr* _v12;
    				intOrPtr _v16;
    				intOrPtr _v20;
    				short* _t23;
    				intOrPtr _t24;
    				intOrPtr _t25;
    				intOrPtr* _t33;
    				void* _t38;
    				intOrPtr _t41;
    				void* _t47;
    				void* _t49;
    				intOrPtr* _t50;
    				signed int _t52;
    				intOrPtr* _t53;
    				intOrPtr* _t54;
    				signed int _t55;
    				signed int _t56;
    				intOrPtr* _t57;
    				signed int _t58;
    				void* _t59;
    
    				_t33 =  *0x1062594;
    				_v20 = __ecx;
    				if(_t33 != 0) {
    					_t53 = E0103ACB0(E0103AB7F(__ecx));
    					_v12 = _t53;
    					if(_t53 == 0) {
    						L2:
    						return 1;
    					}
    					_t47 = 0x20;
    					_t23 = E010401F5(_t53, _t47);
    					if(_t23 != 0) {
    						 *_t23 = 0;
    					}
    					_t50 = _t53;
    					_v16 = 0;
    					_t4 = _t50 + 2; // 0x2
    					_t38 = _t4;
    					do {
    						_t24 =  *_t50;
    						_t50 = _t50 + 2;
    					} while (_t24 != 0);
    					_t54 = _t33;
    					_t52 = _t50 - _t38 >> 1;
    					_v8 = 1;
    					_t41 = _t54 + 2;
    					do {
    						_t25 =  *_t54;
    						_t54 = _t54 + 2;
    					} while (_t25 != 0);
    					_t55 = _t54 - _t41;
    					_t56 = _t55 >> 1;
    					if(_t55 == 0) {
    						L22:
    						E010378E4(_t41, 0x400023a9, 1, _v20);
    						L23:
    						E0103DC60(_v12);
    						return _v8;
    					}
    					while( *0x106259c == 0) {
    						if(_t56 < _t52) {
    							L15:
    							_t41 = _v8;
    							L16:
    							_t33 = _t33 + _t56 * 2 + 2;
    							_t57 = _t33;
    							_t49 = _t57 + 2;
    							do {
    								_t25 =  *_t57;
    								_t57 = _t57 + 2;
    							} while (_t25 != _v16);
    							_t58 = _t57 - _t49;
    							_t56 = _t58 >> 1;
    							if(_t58 != 0) {
    								continue;
    							}
    							L21:
    							if(_t41 == 0) {
    								goto L23;
    							}
    							goto L22;
    						}
    						__imp___wcsnicmp(_t33, _v12, _t52);
    						_t59 = _t59 + 0xc;
    						if(_t25 != 0) {
    							goto L15;
    						}
    						_push(_t33);
    						E01039950(L"%s\r\n");
    						_t41 = 0;
    						_v8 = 0;
    						goto L16;
    					}
    					_t41 = _v8;
    					goto L21;
    				}
    				_push("Null environment");
    				fprintf(E0104727B(__ecx, 2), "\nCMD Internal Error %s\n");
    				goto L2;
    			}

    APIs
    • _wcsnicmp.MSVCRT ref: 01055295
      • Part of subcall function 0104727B: __iob_func.MSVCRT ref: 01047280
    • fprintf.MSVCRT ref: 01055215
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: __iob_func_wcsnicmpfprintf
    • String ID: CMD Internal Error %s$%s$Null environment
    • API String ID: 1828771275-2781220306
    • Opcode ID: f00e59899f34fa5c0451dbc9ce052a575270d1fd3720f52b14aa9c8e09d8caf7
    • Instruction ID: 4598c6bbedc3846715c404e94832c7640cda1b0e08ee94983928d32360b52bb4
    • Opcode Fuzzy Hash: f00e59899f34fa5c0451dbc9ce052a575270d1fd3720f52b14aa9c8e09d8caf7
    • Instruction Fuzzy Hash: 56315932E00212DBCBB8ABAC9C45AAFB7A4EF95640F04046DFDCAA7241EA715E01C754
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 94%
    			E0103B3C1(void* __ecx, intOrPtr __edx, intOrPtr _a8) {
    				signed int _v8;
    				intOrPtr _v12;
    				signed int _t16;
    				signed int _t19;
    				signed int _t21;
    				intOrPtr _t24;
    				signed int _t38;
    				long _t40;
    				signed short* _t44;
    
    				_push(__ecx);
    				_push(__ecx);
    				_v12 = __edx;
    				_t44 = E0103AB7F(__ecx);
    				_t16 =  *_t44 & 0x0000ffff;
    				if(_t16 != 0x3a) {
    					if(_t16 != 0x2b) {
    						goto L2;
    					} else {
    						goto L1;
    					}
    					L10:
    					_t19 = _v8;
    					 *((short*)(_v12 + _t19 * 2)) = 0;
    					return _t19;
    					L17:
    				} else {
    					L1:
    					_t44 =  &(_t44[1]);
    				}
    				L2:
    				_t24 = _a8;
    				if(_t24 == 0) {
    					_t44 = E0103AB7F(_t44);
    				}
    				_v8 = _v8 & 0x00000000;
    				_t40 =  *_t44 & 0x0000ffff;
    				while(_t24 == 0 || wcschr(L"=,;", _t40) == 0) {
    					if(wcschr(L"+:\n\r\t ", _t40) == 0) {
    						if(_t24 == 0) {
    							if(E0103A62F(L"&<|>", _t40) == 0) {
    								if(_t40 != 0x5e) {
    									goto L8;
    								} else {
    									_t44 =  &(_t44[1]);
    									_t38 =  *_t44 & 0x0000ffff;
    									goto L9;
    								}
    								goto L17;
    							}
    						} else {
    							L8:
    							_t38 = _t40 & 0x0000ffff;
    							L9:
    							_t32 = _v8;
    							_t44 =  &(_t44[1]);
    							_t7 = _t32 + 1; // 0x1
    							_t21 = _t7;
    							 *(_v12 + _v8 * 2) = _t38;
    							_t40 =  *_t44 & 0x0000ffff;
    							_v8 = _t21;
    							if(_t21 < 0x7f) {
    								continue;
    							}
    						}
    					}
    					goto L10;
    				}
    				goto L10;
    			}

    APIs
      • Part of subcall function 0103AB7F: iswspace.MSVCRT ref: 0103AB8D
      • Part of subcall function 0103AB7F: wcschr.MSVCRT ref: 0103AB9E
    • wcschr.MSVCRT ref: 0103B3FC
    • wcschr.MSVCRT ref: 0103B40E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: wcschr$iswspace
    • String ID: &<|>$+: $=,;
    • API String ID: 3458554142-2256444845
    • Opcode ID: e2275edf5b8e0dcab4027fa5fe88b08f1026ccb47ef0f7c3791c795dd0e43d73
    • Instruction ID: 8f47e9d066e8e6c1ac41f7cc4e4192d2e9a30186584e42aeb1519beb5b9d6eb3
    • Opcode Fuzzy Hash: e2275edf5b8e0dcab4027fa5fe88b08f1026ccb47ef0f7c3791c795dd0e43d73
    • Instruction Fuzzy Hash: 4A110A72F04125E6D7349B2AC4406BEB7EEEFE5658B19405AE8C5DB340FA718901D324
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 61%
    			E0103FCE9(void* __ebx, signed int* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
    				wchar_t* _t93;
    				char _t101;
    				void* _t104;
    				void* _t108;
    				intOrPtr _t110;
    				intOrPtr* _t111;
    				signed short _t116;
    				signed short* _t117;
    				void _t120;
    				void* _t122;
    				long _t127;
    				wchar_t* _t129;
    				signed int* _t136;
    				void* _t145;
    				intOrPtr _t154;
    				intOrPtr* _t157;
    				void _t164;
    				wchar_t* _t168;
    				void _t171;
    				intOrPtr _t176;
    				signed short* _t181;
    				void* _t189;
    				signed int _t192;
    				void _t200;
    				void* _t204;
    				void* _t205;
    				intOrPtr _t206;
    				signed short* _t207;
    				void* _t208;
    				wchar_t* _t210;
    				intOrPtr _t217;
    				wchar_t* _t220;
    				signed short* _t221;
    				signed short* _t222;
    				wchar_t* _t223;
    				signed int* _t224;
    				void _t225;
    				signed int _t227;
    				signed int* _t230;
    				void* _t231;
    				void _t232;
    				intOrPtr* _t234;
    				void* _t235;
    
    				_push(0xc0);
    				_push(0x105ca30);
    				E01047D90(__ebx, __edi, __esi);
    				_t217 = __edx;
    				_t230 = __ecx;
    				 *(_t235 - 0xbc) = __ecx;
    				 *((intOrPtr*)(_t235 - 0xc4)) = __edx;
    				_t93 =  *(_t235 + 0xc);
    				 *(_t235 - 0xc0) = _t93;
    				 *(_t235 - 0xb8) = _t93;
    				 *((intOrPtr*)(_t235 - 0xb4)) = 0x90;
    				 *((intOrPtr*)(_t235 - 0xb0)) = 5;
    				memset(_t235 - 0xac, 0, 0x88);
    				 *((intOrPtr*)(_t235 - 0xcc)) = 0;
    				_t154 =  *0x1066748;
    				 *((intOrPtr*)(_t154 + 0x30)) = 0;
    				 *0x105e0d2 = 0;
    				 *((intOrPtr*)(_t235 - 4)) = 0;
    				 *(_t235 - 0xac) =  *(_t235 - 0xc0);
    				_push(0x3a);
    				if( *0x1066755 == 0) {
    					_pop(_t231);
    				} else {
    					_pop(_t231);
    					if( *((intOrPtr*)( *((intOrPtr*)(_t230 + 0x38)))) == _t231) {
    						 *(_t235 - 0xac) =  *( *(_t154 + 0x110));
    					}
    				}
    				if(E010472EF(_t154) == 0) {
    					_t156 = 1;
    					goto L5;
    				} else {
    					 *((intOrPtr*)(_t235 - 0xc8)) = 0;
    					_t145 =  *0x107d010(_t235 - 0xb4, _t235 - 0xcc,  *0x1066748 + 0x30, _t217, _t235 - 0xc8);
    					_t156 = 1;
    					if(_t145 == 1) {
    						__eflags =  *((intOrPtr*)(_t235 - 0xc8)) - 1;
    						if( *((intOrPtr*)(_t235 - 0xc8)) == 1) {
    							_push(0);
    							_push(0x4ec);
    							E010378E4(1);
    							_t156 = 1;
    							__eflags = 1;
    						}
    						 *((intOrPtr*)(_t235 - 4)) = 0xfffffffe;
    						_t101 = _t156;
    						L36:
    						 *[fs:0x0] =  *((intOrPtr*)(_t235 - 0x10));
    						return _t101;
    					}
    					L5:
    					 *((intOrPtr*)(_t235 - 4)) = 0xfffffffe;
    					_t200 =  *(_t235 - 0xc0);
    					 *0x105e0d2 = _t156;
    					_t157 =  *0x1066748;
    					 *((intOrPtr*)(_t157 + 8)) = 0;
    					 *_t157 = _t217;
    					_t98 =  *((intOrPtr*)(_t235 + 8));
    					 *((intOrPtr*)(_t157 + 4)) =  *((intOrPtr*)(_t235 + 8));
    					if( *0x1066755 == 0) {
    						L39:
    						__eflags = E01041CD5(_t217, _t98, _t200);
    						if(__eflags == 0) {
    							goto L9;
    						}
    						goto L40;
    					} else {
    						_t136 =  *(_t235 - 0xbc);
    						_t246 =  *(_t136[0xe]) - _t231;
    						if( *(_t136[0xe]) != _t231) {
    							_t98 =  *((intOrPtr*)(_t235 + 8));
    							goto L39;
    						}
    						_t234 =  *((intOrPtr*)(_t157 + 0x110));
    						E0103F3A0(_t217,  *((intOrPtr*)(_t235 + 8)),  *_t234);
    						 *((intOrPtr*)( *0x1066748 + 8)) =  *((intOrPtr*)(_t234 + 8));
    						L9:
    						_t218 = 0x2000;
    						E01041A05(_t235 - 0xc0, 0x2000, _t246);
    						_t232 =  *(_t235 - 0xc0);
    						if(_t232 == 0) {
    							L40:
    							_t101 = 1;
    							goto L36;
    						}
    						E0103F3A0(_t232, 0x2000, ( *(_t235 - 0xbc))[0xe]);
    						_t164 = _t232;
    						_t204 = _t164 + 2;
    						do {
    							_t104 =  *_t164;
    							_t164 = _t164 + 2;
    						} while (_t104 != 0);
    						_t168 = _t232 + ((_t164 - _t204 >> 1) + 1) * 2;
    						 *(_t235 - 0xb8) = _t168;
    						 *_t168 = 0;
    						_t106 =  *(_t235 - 0xbc);
    						if(( *(_t235 - 0xbc))[0xf] != 0) {
    							_t218 = 0x2000 - (_t168 - _t232 >> 1);
    							E0103F3A0(_t168, 0x2000, _t106[0xf]);
    						}
    						E0104198F( *((intOrPtr*)( *0x1066748 + 0xc)), _t218);
    						_t171 = _t232;
    						_t205 = _t171 + 2;
    						do {
    							_t108 =  *_t171;
    							_t171 = _t171 + 2;
    						} while (_t108 != 0);
    						 *( *0x1066748 + 0x64) = _t171 - _t205 >> 1;
    						_t110 = E0103ACB0(_t232);
    						_t206 =  *0x1066748;
    						 *((intOrPtr*)(_t206 + 0x3c)) = _t110;
    						if(_t110 == 0) {
    							L47:
    							__imp__??_V@YAXPAX@Z(_t232);
    							goto L40;
    						}
    						 *((intOrPtr*)(_t206 + 0x8c)) = _t110;
    						_t111 = _t206 + 0x68;
    						_t176 = 9;
    						 *((intOrPtr*)(_t235 - 0xc4)) = _t176;
    						do {
    							 *((intOrPtr*)(_t111 - 0x28)) = 0;
    							 *_t111 = 0;
    							_t111 = _t111 + 4;
    							_t176 = _t176 - 1;
    						} while (_t176 != 0);
    						_t220 =  *(_t235 - 0xb8);
    						if( *_t220 == 0) {
    							 *(_t206 + 0x38) = 0;
    							 *((intOrPtr*)(_t206 + 0x34)) = 0;
    							L35:
    							 *((intOrPtr*)(_t206 + 0x10)) =  *0x1066778;
    							__imp__??_V@YAXPAX@Z(_t232);
    							_t101 = 0;
    							goto L36;
    						}
    						_t207 = E0103ACB0(_t220 + wcsspn(_t220, L" \t") * 2);
    						 *( *0x1066748 + 0x34) = _t207;
    						if(_t207 == 0) {
    							goto L47;
    						}
    						_t181 = _t207;
    						_t56 =  &(_t181[1]); // 0x2
    						_t221 = _t56;
    						do {
    							_t116 =  *_t181;
    							_t181 =  &(_t181[1]);
    						} while (_t116 != 0);
    						_t117 =  &(_t207[_t181 - _t221 >> 1]);
    						while(_t117 != _t207) {
    							_t192 =  *(_t117 - 2) & 0x0000ffff;
    							if(_t192 == 0x20 || _t192 ==  *((intOrPtr*)(_t235 - 0xc4))) {
    								_t117 =  &(_t117[0xffffffffffffffff]);
    								continue;
    							} else {
    								break;
    							}
    						}
    						 *_t117 = 0;
    						if( *0x1066755 == 0) {
    							_t222 =  *( *0x1066748 + 0x34);
    							while(1) {
    								_t208 = 0x2f;
    								_t223 = E0103A62F(_t222, _t208);
    								 *(_t235 - 0xb8) = _t223;
    								__eflags = _t223;
    								if(_t223 == 0) {
    									goto L28;
    								}
    								_t222 =  &(_t223[0]);
    								_t127 = towupper( *_t222 & 0x0000ffff);
    								__eflags = _t127 - 0x51;
    								if(_t127 != 0x51) {
    									continue;
    								}
    								 *0x105e0c0 = 0;
    								_t191 =  *(_t235 - 0xb8);
    								_t210 =  *(_t235 - 0xb8);
    								 *(_t235 - 0xb8) =  &(_t210[0]);
    								do {
    									_t129 =  *_t210;
    									_t210 =  &(_t210[0]);
    									__eflags = _t129;
    								} while (_t129 != 0);
    								_t91 =  &(_t222[1]); // 0x0
    								E0103F3A0(_t191, (_t210 -  *(_t235 - 0xb8) >> 1) + 1, _t91);
    								goto L28;
    							}
    						}
    						L28:
    						_push(0);
    						_t120 = E0103BC30( *( *0x1066748 + 0x34), 0);
    						 *(_t235 - 0xc0) = _t120;
    						_t206 =  *0x1066748;
    						if( *_t120 == 0) {
    							L34:
    							 *(_t206 + 0x38) = _t120;
    							goto L35;
    						}
    						_t224 = _t206 + 0x68;
    						 *(_t235 - 0xbc) = _t224;
    						_t189 = 1;
    						while(_t189 < 0xa) {
    							 *(_t224 - 0x28) = _t120;
    							_t225 = _t120;
    							_t66 = _t225 + 2; // 0x2
    							 *(_t235 - 0xb8) = _t66;
    							do {
    								_t122 =  *_t225;
    								_t225 = _t225 + 2;
    							} while (_t122 != 0);
    							_t227 = _t225 -  *(_t235 - 0xb8) >> 1;
    							 *( *(_t235 - 0xbc)) = _t227;
    							_t120 =  *(_t235 - 0xc0) + _t227 * 2 + 2;
    							 *(_t235 - 0xc0) = _t120;
    							_t189 = _t189 + 1;
    							_t224 =  &(( *(_t235 - 0xbc))[1]);
    							 *(_t235 - 0xbc) = _t224;
    							if( *_t120 != 0) {
    								continue;
    							}
    							goto L34;
    						}
    						goto L34;
    					}
    				}
    			}

    APIs
    • memset.MSVCRT ref: 0103FD3A
    • wcsspn.MSVCRT ref: 0103FF18
    • ??_V@YAXPAX@Z.MSVCRT ref: 0104000F
      • Part of subcall function 01041CD5: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,?,00000000,00000000,?,?,?,010380F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 01041D3A
      • Part of subcall function 01041CD5: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?,010380F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 01041D44
      • Part of subcall function 01041CD5: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001,?,00000000,?,010380F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 01041D57
      • Part of subcall function 01041CD5: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,010380F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 01041D61
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: ErrorMode$FullNamePathmemsetwcsspn
    • String ID:
    • API String ID: 1535828850-0
    • Opcode ID: 1b1e69e674e2889699b73ec90d2ab4d19ee0c9ed2d66b95b113ce56bced465f2
    • Instruction ID: 85d6cf614a6c327f02298738dbb73816bcc576687d742d17d8d81c94973d01c6
    • Opcode Fuzzy Hash: 1b1e69e674e2889699b73ec90d2ab4d19ee0c9ed2d66b95b113ce56bced465f2
    • Instruction Fuzzy Hash: 8FC180B1A00215CFDB65DF18C880BA9B7F5FF84300F1481EEE58A9B255EB359981CF81
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 66%
    			E01035190(intOrPtr _a4) {
    				signed int _v8;
    				int _v20;
    				char _v24;
    				void* _v28;
    				void _v548;
    				int _v556;
    				char _v560;
    				void* _v564;
    				void _v1084;
    				char _v1088;
    				intOrPtr _v1092;
    				void* _v1096;
    				char _v1100;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t43;
    				intOrPtr _t45;
    				int _t48;
    				intOrPtr _t59;
    				intOrPtr _t60;
    				char _t71;
    				signed int _t89;
    
    				_t43 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t43 ^ _t89;
    				_t45 = _a4;
    				_v1092 = _t45;
    				_push(0);
    				_push(0x1070a70);
    				L01047FB1();
    				_t71 = 1;
    				if(_t45 != 0) {
    					 *0x10665dc = 1;
    					L15:
    					return E01046B30(_t71, _t71, _v8 ^ _t89, _t83, 0x104, 0);
    				}
    				if( *0x1066758 == 0) {
    					if( *0x107904c != 0) {
    						goto L2;
    					}
    					_t48 = 1;
    					if( *0x1066748 == 0) {
    						L3:
    						_v1088 = _t48;
    						_v564 = 0;
    						_v560 = _t71;
    						_v556 = 0x104;
    						memset( &_v1084, 0, 0x104);
    						_v28 = 0;
    						_v24 = _t71;
    						_v20 = 0x104;
    						memset( &_v548, 0, 0x104);
    						if(E0103E3F0(((0 | _v560 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) >= 0 && E0103E3F0(((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) >= 0) {
    							_t67 = _v28;
    							if(_v28 == 0) {
    								_t67 =  &_v548;
    							}
    							_t80 = _v564;
    							if(_v564 == 0) {
    								_t80 =  &_v1084;
    							}
    							_t83 =  &_v1088;
    							_t71 = E01044875(_v1092,  &_v1088, _t80, _v556, _t67, _v20,  &_v1100,  &_v1096);
    							if(_t71 == 0) {
    								if(_v28 == 0) {
    									_t83 =  &_v548;
    								}
    								_t82 = _v564;
    								if(_v564 == 0) {
    									_t82 =  &_v1084;
    								}
    								_t71 = E0103540A(_t82, _t83, _v1088, _v1100, _v1096);
    							}
    						}
    						_t59 = _v28;
    						 *0x10665dc = _t71;
    						_v28 = 0;
    						if(_t59 != 0) {
    							__imp__??_V@YAXPAX@Z(_t59);
    						}
    						_t60 = _v564;
    						_v564 = 0;
    						if(_t60 != 0) {
    							__imp__??_V@YAXPAX@Z(_t60);
    						}
    						goto L15;
    					}
    				}
    				L2:
    				_t48 = 0;
    				goto L3;
    			}

    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: memset$_setjmp3
    • String ID:
    • API String ID: 4215035025-0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 53%
    			E010595F2(void* __ecx, int __edx) {
    				signed int _v8;
    				int _v20;
    				char _v24;
    				signed int _v28;
    				void _v548;
    				int _v556;
    				char _v560;
    				signed int _v564;
    				void _v1084;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t35;
    				signed int _t47;
    				signed int _t48;
    				signed int _t59;
    				void* _t71;
    				int _t75;
    				void* _t76;
    				int _t77;
    				signed int _t80;
    
    				_t74 = __edx;
    				_t35 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t35 ^ _t80;
    				_v564 = _v564 & 0x00000000;
    				_v560 = 1;
    				_t75 = __edx;
    				_v556 = 0x104;
    				_t76 = __ecx;
    				memset( &_v1084, 0, 0x104);
    				_v28 = _v28 & 0x00000000;
    				_v20 = 0x104;
    				_v24 = 1;
    				memset( &_v548, 0, 0x104);
    				if(E0103E3F0(((0 | _v560 == 0x00000000) - 0x00000001 & 0x0000fdc6) + 0x208) < 0 || E0103E3F0(((0 | _v24 == 0x00000000) - 0x00000001 & 0x0000fdc6) + 0x208) < 0) {
    					L13:
    					_t77 = 0;
    				} else {
    					_t69 = _v564;
    					if(_v564 == 0) {
    						_t69 =  &_v1084;
    					}
    					_t74 = _v556;
    					if(E01041CD5(_t69, _v556, _t76) != 0) {
    						goto L13;
    					} else {
    						_t70 = _v28;
    						if(_v28 == 0) {
    							_t70 =  &_v548;
    						}
    						_t74 = _v20;
    						if(E01041CD5(_t70, _v20, _t75) != 0) {
    							goto L13;
    						} else {
    							_t59 = _v28;
    							if(_t59 == 0) {
    								_t59 =  &_v548;
    							}
    							_t71 = _v564;
    							if(_t71 == 0) {
    								_t71 =  &_v1084;
    							}
    							__imp___wcsicmp(_t71, _t59);
    							asm("sbb esi, esi");
    							_t77 =  ~_t59 + 1;
    						}
    					}
    				}
    				_t47 = _v28;
    				_v28 = 0;
    				if(_t47 != 0) {
    					__imp__??_V@YAXPAX@Z(_t47);
    				}
    				_t48 = _v564;
    				_v564 = 0;
    				if(_t48 != 0) {
    					__imp__??_V@YAXPAX@Z(_t48);
    				}
    				return E01046B30(_t77, 0, _v8 ^ _t80, _t74, _t75, _t77);
    			}

    APIs
    Similarity
    • API ID: memset$_wcsicmp
    • String ID:
    • API String ID: 1670951261-0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 48%
    			E010594E0(intOrPtr __edx, long _a4, DWORD* _a8) {
    				void _v8;
    				intOrPtr _v12;
    				signed int _v16;
    				signed int _v20;
    				void* __ecx;
    				void _t29;
    				long _t38;
    				void* _t39;
    				signed int _t45;
    				long _t46;
    				void* _t52;
    				void* _t54;
    				intOrPtr _t57;
    				void _t60;
    				long _t61;
    
    				_v16 = _v16 & 0x00000000;
    				_v20 = _v20 & 0x00000000;
    				_push(_t39);
    				_push(_t39);
    				_v12 = __edx;
    				_t54 = 2;
    				_t61 = E0104654B(_t39, _t54);
    				if(_t61 == 0xffffffff) {
    					_t52 = 0x6e;
    					E01059EDB(_t52);
    					L2:
    					E01058C50(0, 1);
    				}
    				_t38 = _a4;
    				while(1) {
    					_t23 =  &_v8;
    					__imp___get_osfhandle(0);
    					if(ReadFile( &_v8, _t61, _t38, _a8, _t23) == 0) {
    						break;
    					}
    					_t57 = _v12;
    					_t29 = _v8;
    					_t60 = _t29;
    					_t45 =  *(_t57 + 0x1c);
    					if((_t45 & 0x0000c000) == 0) {
    						if(_t60 <= 2) {
    							L9:
    							_t45 = _t45 | 0x00008000;
    						} else {
    							_t57 = _v12;
    							if( *_t38 != 0xfeff) {
    								goto L9;
    							} else {
    								_t45 = _t45 | 0x00004000;
    							}
    						}
    						 *(_t57 + 0x1c) = _t45;
    					}
    					if(_t60 == 0) {
    						_t46 = _v16;
    					} else {
    						asm("sbb ecx, ecx");
    						_t46 = E010573DD( ~((_t45 & 0x00008002) - 0x8002) + 1, _t38,  &_v8,  &_v20);
    						_t29 = _v8;
    						_v16 = _t46;
    					}
    					if(_t29 == _a8) {
    						continue;
    					}
    					if(_t46 == 0) {
    						_t31 = _t29 - _t60;
    						__imp___get_osfhandle(1);
    						SetFilePointer(_t29 - _t60, _t61, _t31, _t46);
    					}
    					return _t61;
    				}
    				 *0x10667a8 = GetLastError();
    				E0103A16C(_t61);
    				_push(0);
    				_push( *0x10667a8);
    				E010378E4(_t61);
    				goto L2;
    			}

    APIs
    • _get_osfhandle.MSVCRT ref: 01059527
    • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 0105952F
    • _get_osfhandle.MSVCRT ref: 010595B5
    • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 010595BD
      • Part of subcall function 01058C50: longjmp.MSVCRT(01070A70,00000001,0103206C,01035E68,?,?,?,?,00000000), ref: 01058CC4
      • Part of subcall function 01058C50: memset.MSVCRT ref: 01058D1D
      • Part of subcall function 01058C50: memset.MSVCRT ref: 01058D45
      • Part of subcall function 01058C50: memset.MSVCRT ref: 01058D6D
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 010595CC
      • Part of subcall function 0103A16C: _close.MSVCRT ref: 0103A19B
    Similarity
    • API ID: memset$File_get_osfhandle$ErrorLastPointerRead_closelongjmp
    • String ID:
    • API String ID: 288106245-0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 65%
    			E0104260E(void* __ecx, void* __edx, void* __eflags) {
    				signed int _v8;
    				short _v16;
    				short _v20;
    				struct _CONSOLE_SCREEN_BUFFER_INFO _v32;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t20;
    				void* _t27;
    				signed int _t28;
    				void** _t32;
    				void* _t33;
    				void* _t38;
    				void* _t40;
    				void* _t51;
    				void** _t52;
    				void** _t53;
    				signed int _t56;
    
    				_t51 = __edx;
    				_t20 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t20 ^ _t56;
    				_t38 = __ecx;
    				_t40 = 0x2c;
    				_t53 = E0103DCD0(_t40);
    				if(_t53 == 0) {
    					L11:
    					E01059922();
    					__imp__longjmp(0x1070a30, 1);
    					asm("int3");
    					if(GetConsoleScreenBufferInfo( *_t52,  &_v32) != 0) {
    						_t25 = _v20;
    						_t38 = _v32.dwSize;
    						_t53 = _v16 - _v20 + 1;
    					}
    					_t52[7] = _t53;
    					_t52[8] = _t38;
    					return E01046B30(_t25, _t38, _v8 ^ _t56, _t51, _t52, _t53);
    				} else {
    					 *_t53 =  *_t53 & 0x00000000;
    					_t27 = E0103DD98(_t22);
    					if(_t27 != 0) {
    						__imp___get_osfhandle(1);
    						 *_t53 = _t27;
    						_t28 = GetConsoleScreenBufferInfo(_t27,  &_v32);
    						if(_t28 == 0) {
    							 *_t53 =  *_t53 & _t28;
    						}
    					}
    					if(GetConsoleScreenBufferInfo( *_t53,  &_v32) != 0) {
    						_t52 = 0x2000;
    						_t32 = _v32.dwSize + 2;
    						if(_t32 >= 0x2000) {
    							_t52 = _t32;
    						}
    					} else {
    						_t52 = 0x2002;
    					}
    					_t33 = E0103DCD0(_t52 + _t52);
    					if(_t33 == 0) {
    						goto L11;
    					} else {
    						_t53[4] = _t33;
    						_t53[3] = _t52;
    						_t53[5] = 0;
    						_t53[2] = 0;
    						_t53[1] = 0;
    						_t53[9] = 0;
    						E010426A1(_t53);
    						 *_t38 = _t53;
    						return E01046B30(0, _t38, _v8 ^ _t56, _t51, _t52, _t53);
    					}
    				}
    			}

    APIs
      • Part of subcall function 0103DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0103ACD8,00000001,?,00000000,01038C23,-00000105,0105C9B0,00000240,01041E92,00000000,00000000,0104ACE0,00000000), ref: 0103DCE1
      • Part of subcall function 0103DCD0: RtlAllocateHeap.NTDLL(00000000,?,0103ACD8,00000001,?,00000000,01038C23,-00000105,0105C9B0,00000240,01041E92,00000000,00000000,0104ACE0,00000000,00000000), ref: 0103DCE8
    • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,01041775,-00000001,-00000001,-00000001,-00000001), ref: 01042650
    • _get_osfhandle.MSVCRT ref: 0104F339
    • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,01041775,-00000001,-00000001,-00000001,-00000001), ref: 0104F347
    • longjmp.MSVCRT(01070A30,00000001,?,00000104,00000000,?,?,01041775,-00000001,-00000001,-00000001,-00000001), ref: 0104F383
    • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,010487F0,?,?,?,010487F0,00000000,?,01034A0A), ref: 0104F390
      • Part of subcall function 0103DD98: _get_osfhandle.MSVCRT ref: 0103DDA3
      • Part of subcall function 0103DD98: GetFileType.KERNELBASE(00000000,0104C050), ref: 0103DDAD
    Similarity
    • API ID: BufferConsoleInfoScreen$Heap_get_osfhandle$AllocateFileProcessTypelongjmp
    • String ID:
    • API String ID: 2587586462-0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 86%
    			E01044CA0(void* __ecx, long __edx, DWORD* _a4, struct _OVERLAPPED* _a8, intOrPtr _a12, intOrPtr _a16, WCHAR* _a20) {
    				char _v8;
    				intOrPtr _v16;
    				void* _t19;
    				signed int _t27;
    				void* _t32;
    				void* _t33;
    				intOrPtr* _t34;
    				intOrPtr _t41;
    				signed int _t44;
    				intOrPtr _t53;
    				void* _t55;
    				struct _OVERLAPPED* _t56;
    				void* _t59;
    				void* _t60;
    
    				_t56 = _a8;
    				_t34 = __edx;
    				_v8 = 0;
    				_t60 = __ecx;
    				 *0x10667a0 = 0;
    				__imp___get_osfhandle(0, _t55, _t59, _t33, __ecx, __ecx);
    				if(ReadFile(0, __ecx, __edx, _a4, _t56) == 0) {
    					L18:
    					 *0x10667a8 = GetLastError();
    					_t19 = E0103DD98(E0103A16C(_t60));
    					_t41 = _a16;
    					if(_t19 != 0) {
    						E0103A16C(_t41);
    					} else {
    						E0103A16C(_t41);
    						DeleteFileW(_a20);
    					}
    					E01058C50( *0x10667a8, 1);
    					asm("int3");
    					E0103F3A0(_v8, _t56, _v16);
    					return 0;
    				} else {
    					_t44 = _t56->Internal;
    					if(_t44 == 0) {
    						if(GetLastError() == 0x3e3) {
    							goto L18;
    						} else {
    							_t44 = _t56->Internal;
    							if(_t44 != 0) {
    								goto L2;
    							} else {
    								 *0x10667a8 =  *0x10667a8 & _t44;
    								_t32 = 0;
    							}
    							goto L5;
    						}
    					} else {
    						L2:
    						_t53 = _a12;
    						_t27 =  *(_t53 + 0x1c);
    						if((_t27 & 0x0000c000) == 0) {
    							if(_t44 < 2 ||  *_t34 != 0xfeff) {
    								_t27 = _t27 | 0x00008000;
    							} else {
    								_t27 = _t27 | 0x00004000;
    							}
    							 *(_t53 + 0x1c) = _t27;
    						}
    						if((_t27 & 0x00008002) == 0x8002) {
    							E010573DD(1, _t34, _t56,  &_v8);
    							if(_t56->Internal != _t56->Internal) {
    								 *0x10667a0 = 1;
    							}
    						}
    						_t32 = 1;
    						L5:
    						return _t32;
    					}
    				}
    			}

    APIs
    • _get_osfhandle.MSVCRT ref: 01044CC2
    • ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,01058FB3,?,00000000,?,?,?,?,?,?,?,00000000,?,00000021,00000000,?), ref: 01044CCA
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 01050BFC
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 01050C48
    • DeleteFileW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 01050C71
    Similarity
    • API ID: ErrorFileLast$DeleteRead_get_osfhandle
    • String ID:
    • API String ID: 3588551418-0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 27%
    			E0103E272(signed short** __ecx) {
    				void* _t2;
    				signed int _t6;
    				void* _t7;
    				signed int _t11;
    				signed int _t12;
    				void* _t15;
    				void* _t17;
    				signed short** _t23;
    				long _t24;
    
    				_t23 = __ecx;
    				_t14 =  *__ecx;
    				_t2 = E01040590( *__ecx, 0x8000, __ecx);
    				_t12 = _t11 | 0xffffffff;
    				while(1) {
    					_t24 = _t2;
    					if(_t24 != _t12) {
    						break;
    					}
    					if( *0x10667a8 != 2) {
    						_t15 = 0x6e;
    						E01059EDB(_t15);
    						L12:
    						return _t12;
    					}
    					_t6 =  *( *_t23) & 0x0000ffff;
    					if(_t6 == 0x41 || _t6 == 0x42) {
    						_t7 = E010378E4(_t14);
    						_t17 = 0x2341;
    						__imp___getch(0);
    						if(_t7 == 3) {
    							EnterCriticalSection( *0x10625a4);
    							 *0x106259c = 1;
    							LeaveCriticalSection( *0x10625a4);
    							goto L12;
    						}
    						_t14 =  *_t23;
    						_t2 = E01040590( *_t23, 0x8000, _t17);
    						continue;
    					} else {
    						_push(0);
    						_push(0x236c);
    						E010378E4(_t14);
    						goto L12;
    					}
    				}
    				__imp___get_osfhandle(0);
    				SetFilePointer(_t2, _t24, _t23[2], 0);
    				return _t24;
    			}

    APIs
    • _get_osfhandle.MSVCRT ref: 0103E29B
    • SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 0103E2A3
    Similarity
    • API ID: FilePointer_get_osfhandle
    • String ID:
    • API String ID: 1013686580-0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 88%
    			E01058550(void* __ebx, void* __edx, void* __edi) {
    				signed int _v8;
    				signed int _v30;
    				struct _CONSOLE_SCREEN_BUFFER_INFO _v32;
    				struct _CHAR_INFO _v36;
    				struct _COORD _v40;
    				struct _SMALL_RECT _v48;
    				void* __esi;
    				signed int _t19;
    				union %anon259 _t31;
    				void* _t39;
    				void* _t47;
    				void* _t48;
    				void* _t49;
    				signed int _t50;
    
    				_t48 = __edi;
    				_t47 = __edx;
    				_t39 = __ebx;
    				_t19 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t19 ^ _t50;
    				if(E0103DD98(_t19 ^ _t50) == 0) {
    					L3:
    					E01039950(0x1033e98);
    				} else {
    					_t49 = GetStdHandle(0xfffffff5);
    					if(GetConsoleScreenBufferInfo(_t49,  &_v32) == 0) {
    						goto L3;
    					} else {
    						_v40.X = 0;
    						_v48.Left = 0;
    						_v48.Bottom = _v30;
    						_v48.Right = _v32.dwSize;
    						_t31 = 0x20;
    						_v36.UnicodeChar = _t31;
    						_v36.Attributes = _v32.wAttributes;
    						_v40.Y =  ~_v30;
    						ScrollConsoleScreenBufferW(_t49,  &_v48, 0, _v40,  &_v36);
    						_v32.dwCursorPosition = 0;
    						SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0);
    					}
    				}
    				return E01046B30(0, _t39, _v8 ^ _t50, _t47, _t48, _t49);
    			}

    APIs
      • Part of subcall function 0103DD98: _get_osfhandle.MSVCRT ref: 0103DDA3
      • Part of subcall function 0103DD98: GetFileType.KERNELBASE(00000000,0104C050), ref: 0103DDAD
    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5), ref: 01058571
    • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?), ref: 0105857E
    • ScrollConsoleScreenBufferW.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,00000000,?,?), ref: 010585C7
    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,00000000), ref: 010585D5
    • SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000), ref: 010585DC
    Similarity
    • API ID: Console$BufferHandleScreen$CursorFileInfoPositionScrollType_get_osfhandle
    • String ID:
    • API String ID: 3008996577-0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E010470F5() {
    				void* _v8;
    				struct _FILETIME _v16;
    				signed int _v20;
    				union _LARGE_INTEGER _v24;
    				signed int _t23;
    				signed int _t36;
    				signed int _t37;
    				signed int _t39;
    
    				_v16.dwLowDateTime = _v16.dwLowDateTime & 0x00000000;
    				_v16.dwHighDateTime = _v16.dwHighDateTime & 0x00000000;
    				_t23 =  *0x105e0b4; // 0x6030efd1
    				if(_t23 == 0xbb40e64e || (0xffff0000 & _t23) == 0) {
    					GetSystemTimeAsFileTime( &_v16);
    					_v8 = _v16.dwHighDateTime ^ _v16.dwLowDateTime;
    					_v8 = _v8 ^ GetCurrentProcessId();
    					_v8 = _v8 ^ GetCurrentThreadId();
    					_v8 = GetTickCount() ^ _v8 ^  &_v8;
    					QueryPerformanceCounter( &_v24);
    					_t36 = _v20 ^ _v24.LowPart ^ _v8;
    					_t39 = _t36;
    					if(_t36 == 0xbb40e64e || ( *0x105e0b4 & 0xffff0000) == 0) {
    						_t36 = 0xbb40e64f;
    						_t39 = 0xbb40e64f;
    					}
    					 *0x105e0b4 = _t39;
    				}
    				_t37 =  !_t36;
    				 *0x105e0b8 = _t37;
    				return _t37;
    			}

    APIs
    • GetSystemTimeAsFileTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(00000000), ref: 01047122
    • GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 01047131
    • GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 0104713A
    • GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 01047143
    • QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0(?), ref: 01047158
    Similarity
    • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
    • String ID:
    • API String ID: 1445889803-0
    • Opcode ID: 5032d31d6130ccb05dae1a883c6eee3442e2ca3455d9ee98bbe436617a6ac699
    • Instruction ID: 4e4e3864ea06e7261e670222498b31959277a6c0d3c7b58c8024023305b81038
    • Opcode Fuzzy Hash: 5032d31d6130ccb05dae1a883c6eee3442e2ca3455d9ee98bbe436617a6ac699
    • Instruction Fuzzy Hash: 86114F71E01208EBCB20DBBCD54869EB7F5FF48311F5508A5E481E7254E7359B408B01
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 63%
    			E01054840(void* __eflags) {
    				signed int _v8;
    				char _v12;
    				void* __ecx;
    				void* _t7;
    				signed short _t13;
    				signed int _t14;
    				void* _t15;
    				void* _t22;
    				void* _t23;
    
    				_push(_t15);
    				_push(_t15);
    				_t23 = GetStdHandle(0xfffffff6);
    				_t7 = E010363BD(_t15, 0x232b, 0, _t22);
    				if(_t23 != 0) {
    					if(E0103DD98(_t7) == 0 || ( *0x106671c & 0x00000001) == 0) {
    						E01054799(_t23,  &_v8, 1,  &_v12);
    					} else {
    						_t13 = FlushConsoleInputBuffer(_t23);
    						__imp___getch();
    						_t14 = _t13 & 0x0000ffff;
    						_v8 = _t14;
    						if(_t14 == 3) {
    							EnterCriticalSection( *0x10625a4);
    							 *0x106259c = 1;
    							LeaveCriticalSection( *0x10625a4);
    						}
    					}
    				}
    				E01039950(L"\r\n");
    				return 0;
    			}

    APIs
    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,010487E5,00000000,?,01034A0A), ref: 0105484A
      • Part of subcall function 0103DD98: _get_osfhandle.MSVCRT ref: 0103DDA3
      • Part of subcall function 0103DD98: GetFileType.KERNELBASE(00000000,0104C050), ref: 0103DDAD
    • FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,?,?,010487E5,00000000,?,01034A0A), ref: 01054879
    • _getch.MSVCRT ref: 0105487F
    • EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,010487E5,00000000,?,01034A0A), ref: 01054897
    • LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?,?,?,010487E5,00000000,?,01034A0A), ref: 010548AD
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: CriticalSection$BufferConsoleEnterFileFlushHandleInputLeaveType_get_osfhandle_getch
    • String ID:
    • API String ID: 491502236-0
    • Opcode ID: 9fa8946114db84f19022af3308fdf50460d4d3be5efe9cf34be73771b41cb625
    • Instruction ID: 1a2eabec4872202d69c8f440875d8b37c0e0a0d16034f00ae3c733d36b96c4cb
    • Opcode Fuzzy Hash: 9fa8946114db84f19022af3308fdf50460d4d3be5efe9cf34be73771b41cb625
    • Instruction Fuzzy Hash: 2C01D831500251EFE7756BA5980DBEF3BA8DF41721F044119EDC1E6194EB7B4980CB50
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 66%
    			E01036488(signed int __ecx, signed int __edx, signed int _a4, signed int _a8, unsigned int _a12, intOrPtr _a16, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
    				signed int _v8;
    				signed int _v12;
    				int _v16;
    				signed int _v20;
    				signed int _v24;
    				int _v28;
    				intOrPtr _v48;
    				intOrPtr _v52;
    				signed int _v56;
    				char _v60;
    				char** _v64;
    				intOrPtr _v68;
    				intOrPtr _v72;
    				void _v76;
    				intOrPtr _v96;
    				intOrPtr _v100;
    				char _v108;
    				intOrPtr _v112;
    				intOrPtr _v116;
    				intOrPtr _v120;
    				void _v124;
    				short _v332;
    				signed short _v342;
    				signed short _v344;
    				signed short _v346;
    				struct _SYSTEMTIME _v348;
    				void* _v352;
    				void* _v356;
    				intOrPtr _v360;
    				intOrPtr _v364;
    				signed int _v368;
    				struct _FILETIME _v376;
    				struct _FILETIME _v384;
    				void _v420;
    				char _v548;
    				char _v552;
    				intOrPtr _v556;
    				intOrPtr _v560;
    				intOrPtr _v564;
    				intOrPtr _v568;
    				signed int _v572;
    				intOrPtr _v576;
    				signed int _v580;
    				intOrPtr* _v584;
    				intOrPtr _v588;
    				intOrPtr* _v592;
    				signed int _v596;
    				signed int _v600;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				unsigned int _t259;
    				void* _t266;
    				intOrPtr _t270;
    				long _t274;
    				intOrPtr _t275;
    				intOrPtr _t284;
    				long _t286;
    				intOrPtr _t287;
    				intOrPtr _t298;
    				void* _t299;
    				signed int _t305;
    				signed int _t306;
    				void* _t309;
    				void* _t310;
    				void* _t319;
    				void* _t320;
    				signed short _t327;
    				long _t337;
    				short* _t339;
    				void* _t345;
    				signed int _t348;
    				void* _t352;
    				void _t354;
    				void _t358;
    				intOrPtr _t370;
    				void* _t374;
    				signed int _t380;
    				signed short* _t382;
    				char _t387;
    				char* _t388;
    				void* _t399;
    				signed int _t401;
    				signed int _t402;
    				signed int _t404;
    				signed int _t405;
    				signed int _t406;
    				intOrPtr _t407;
    				void* _t408;
    				intOrPtr _t413;
    				intOrPtr _t423;
    				signed int _t424;
    				signed int _t426;
    				void* _t431;
    				char** _t432;
    				signed int _t443;
    				void* _t454;
    				signed int _t455;
    				signed int _t463;
    				signed int _t467;
    				void* _t468;
    				void* _t471;
    				signed short* _t474;
    				intOrPtr* _t480;
    				signed int _t483;
    				signed int _t484;
    				intOrPtr _t488;
    				signed int _t489;
    				signed int _t490;
    				char* _t505;
    				char* _t506;
    				void* _t507;
    				signed int _t508;
    				signed int _t518;
    				signed int _t521;
    				signed int _t526;
    				signed int _t531;
    				intOrPtr* _t532;
    				void* _t537;
    				void* _t538;
    				intOrPtr* _t539;
    				intOrPtr _t543;
    				intOrPtr _t544;
    				long _t548;
    				intOrPtr* _t550;
    				signed int _t551;
    				long _t552;
    				void* _t557;
    				void* _t558;
    				signed int _t562;
    				void* _t563;
    				intOrPtr* _t564;
    				intOrPtr _t567;
    				signed int _t568;
    				signed int _t571;
    				void* _t572;
    				void* _t575;
    				void* _t576;
    				signed int _t577;
    				void* _t579;
    				signed int _t582;
    				void* _t583;
    				void* _t584;
    				void* _t585;
    
    				_t518 = __edx;
    				_v20 = __edx;
    				_t424 = __ecx;
    				_v28 = 0;
    				_v16 = 0;
    				if( *0x106259c != 0) {
    					L6:
    					return 1;
    				}
    				_t259 = _a12;
    				_v8 = _t259;
    				_t547 = _t259 >> 0x00000002 & 0x00000001;
    				_t266 = E01036513(__ecx, __edx, _a4, _a8, _t259 >> 0x00000002 & 0x00000001, _a16, __ecx, _a24, _a28, _a32);
    				if(_t266 != 0) {
    					if(_t266 == 2 || _t266 == 3) {
    						_t571 = _v8 & 0x00000001;
    						if(_t571 == 0) {
    							goto L5;
    						} else {
    							goto L3;
    						}
    					} else {
    						goto L5;
    					}
    				} else {
    					_v16 = 1;
    					_t571 = _v8 & 0x00000001;
    					L3:
    					E0103DC60( *((intOrPtr*)(_t424 + 0x18)));
    					_t266 = 0;
    					 *((intOrPtr*)(_t424 + 0x18)) = 0;
    					if( *0x106259c != 0) {
    						goto L6;
    					}
    					if(_t571 != 0) {
    						_t572 = 0;
    						memset( &_v76, 0, 0x30);
    						_t584 = _t583 + 0xc;
    						_t270 = E0104054B(_t424,  *(_t424 + 4), _t547, 0);
    						_t431 = 0x10;
    						_v72 = _t270;
    						_t432 = E0103DCD0(_t431);
    						if(_t432 != 0) {
    							_t387 =  *((intOrPtr*)(_t424 + 0x10));
    							_v60 = _t387;
    							_v64 = _t432;
    							_t388 = L"*.*";
    							_v68 = 1;
    							_v76 = 0;
    							if(_t387 == 0) {
    								_t388 = "*";
    							}
    							 *_t432 = _t388;
    							_v64[1] = E0104054B(_t424, _v72, _t547, _t572);
    							_v64[3] = _t572;
    							_t577 = E01036513( &_v76, _v20, 0x10, 0x10, _t547, _t572, _v64, _t572, _t572, _t572);
    							if(_t577 != 0) {
    								_v56 = 0;
    								_t577 = 0;
    							}
    							if( *0x106259c != 0) {
    								goto L6;
    							}
    							_v12 = 0;
    							if(_v56 <= 0) {
    								L124:
    								E0103DC60(_v48);
    								E0103DC60(_v52);
    								E0103DC60(_v64[1]);
    								E0103DC60(_v64);
    								E0103DC60(_v72);
    								if(_t577 != 0 || _v16 != _t577) {
    									return _t577;
    								} else {
    									_push(2);
    									L129:
    									_pop(_t399);
    									return _t399;
    								}
    							} else {
    								goto L88;
    							}
    							do {
    								L88:
    								_t505 = ".";
    								_t567 =  *((intOrPtr*)(_v48 + _v12 * 4));
    								_t401 = _t567 + 0x30;
    								_v24 = _t401;
    								while(1) {
    									_t537 =  *_t401;
    									if(_t537 !=  *_t505) {
    										break;
    									}
    									if(_t537 == 0) {
    										L93:
    										_t402 = 0;
    									} else {
    										_t544 =  *((intOrPtr*)(_t401 + 2));
    										_t132 =  &(_t505[2]); // 0x750000
    										if(_t544 !=  *_t132) {
    											break;
    										} else {
    											_t401 = _t401 + 4;
    											_t505 =  &(_t505[4]);
    											if(_t544 != 0) {
    												continue;
    											} else {
    												goto L93;
    											}
    										}
    									}
    									L95:
    									if(_t402 == 0) {
    										goto L123;
    									}
    									_t506 = L"..";
    									_t405 = _t567 + 0x30;
    									while(1) {
    										_t538 =  *_t405;
    										if(_t538 !=  *_t506) {
    											break;
    										}
    										if(_t538 == 0) {
    											L101:
    											_t406 = 0;
    										} else {
    											_t543 =  *((intOrPtr*)(_t405 + 2));
    											_t135 =  &(_t506[2]); // 0x2e
    											if(_t543 !=  *_t135) {
    												break;
    											} else {
    												_t405 = _t405 + 4;
    												_t506 =  &(_t506[4]);
    												if(_t543 != 0) {
    													continue;
    												} else {
    													goto L101;
    												}
    											}
    										}
    										L103:
    										if(_t406 == 0 || (_v8 & 0x00000002) == 0 && ( *(_t567 + 4) & 0x00000400) != 0 && (( *(_t567 + 0x28) & 0x20000000) != 0 ||  *(_t567 + 0x28) == 0x8000000a)) {
    											goto L123;
    										}
    										_t539 =  *(_t424 + 4);
    										_t147 = _t539 + 2; // 0x4
    										_t507 = _t147;
    										do {
    											_t407 =  *_t539;
    											_t539 = _t539 + 2;
    										} while (_t407 != 0);
    										_t568 = _v24;
    										_t508 = _t568;
    										_t518 = _t539 - _t507 >> 1;
    										_t579 = _t508 + 2;
    										do {
    											_t408 =  *_t508;
    											_t508 = _t508 + 2;
    										} while (_t408 != _v28);
    										_t151 = _t518 + 2; // 0x2
    										_t510 = _t508 - _t579 >> 1;
    										_t572 = _t151 + (_t508 - _t579 >> 1);
    										if(_t572 > 0x7fe7) {
    											_push(_t568);
    											E010378E4(_t510, 0x400023d8, 2,  *(_t424 + 4));
    											_push(0x6f);
    											goto L129;
    										}
    										memset( &_v124, 0, 0x30);
    										_t584 = _t584 + 0xc;
    										_t413 = E0103DCD0(_t572 + _t572);
    										if(_t413 != 0) {
    											_v120 = _t413;
    											E010434B8(_t413, _t572,  *(_t424 + 4), _t568);
    											_push(_a32);
    											_push(_a28);
    											_push(_a24);
    											_v112 =  *((intOrPtr*)(_t424 + 0xc));
    											_push(0);
    											_push(_a16);
    											_v116 =  *((intOrPtr*)(_t424 + 8));
    											_push(_v8);
    											_v108 =  *((intOrPtr*)(_t424 + 0x10));
    											_t577 = E01036488( &_v124, _v20, _a4, _a8);
    											E0103DC60(_v100);
    											_v100 = 0;
    											E0103DC60(_v96);
    											_v96 = 0;
    											E0103DC60(_v120);
    											_v120 = 0;
    											if(_t577 != 0) {
    												if(_t577 != 0x6f && _t577 != 2 && _t577 != 3) {
    													_t423 =  *((intOrPtr*)(_v48 + _v12 * 4));
    													if(( *(_t423 + 4) & 0x00000400) == 0 || ( *(_t423 + 0x28) & 0x20000000) == 0 &&  *(_t423 + 0x28) != 0x8000000a) {
    														goto L124;
    													}
    												}
    												_t577 = 0;
    											} else {
    												_v16 = 1;
    											}
    											goto L123;
    										}
    										goto L130;
    									}
    									asm("sbb eax, eax");
    									_t406 = _t405 | 0x00000001;
    									goto L103;
    								}
    								asm("sbb eax, eax");
    								_t402 = _t401 | 0x00000001;
    								goto L95;
    								L123:
    								_t404 = _v12 + 1;
    								_v12 = _t404;
    							} while (_t404 < _v56);
    							goto L124;
    						}
    						L130:
    						E01059922();
    						__imp__longjmp(0x1070a30, 1);
    						asm("int3");
    						while(1) {
    							L131:
    							_t433 =  &_v548;
    							while(1) {
    								L9:
    								_t519 = _v20;
    								if(E010434B8(_t433, _v20,  *((intOrPtr*)(_t572 + 4)),  *_t518) != 0) {
    									break;
    								}
    								_t550 = _v592;
    								if(_t550 != 0) {
    									 *0x107a4c4(_t572, _v564, _v560);
    									_t548 =  *_t550();
    									if(_t548 == 0) {
    										goto L11;
    									} else {
    										goto L39;
    									}
    								} else {
    									L11:
    									if(_v28 == 0) {
    										_t519 =  &_v548;
    									}
    									_t22 = _t424 + 4; // 0x4
    									_t551 = _t22;
    									if(E0104589A(E010459F0, _t519, 0, _a12, _t551,  &_v552) == 0) {
    										_t552 =  *0x10667a8;
    										if(_t552 == 0) {
    											goto L29;
    										} else {
    											if(_t552 == 0x12 || _t552 == 5) {
    												_t548 = 2;
    												 *0x10667a8 = _t548;
    											}
    											goto L27;
    										}
    									} else {
    										while( *0x106259c == 0) {
    											if(( *_t551 & _a4) != (_a4 & _a8)) {
    												L25:
    												_t49 = _t424 + 4; // 0x4
    												_t551 = _t49;
    												_t519 = _t551;
    												if(E01045851(E010459F0, _t551, 0, _v552) != 0) {
    													continue;
    												} else {
    													E01038B4D(_v552);
    													_t548 =  *0x10667a8;
    													L27:
    													if(_t548 == 0 || _t548 == 0x12) {
    														L29:
    														_t521 = _v580;
    														_t284 = _v576 + 1;
    														_v576 = _t284;
    														_t519 =  *(_t521 + 0xc);
    														_v580 =  *(_t521 + 0xc);
    														if(_t284 <=  *((intOrPtr*)(_t572 + 8))) {
    															if( *0x106259c != 0) {
    																L147:
    																_t548 = 1;
    																goto L39;
    															} else {
    																_t433 = _v28;
    																if(_v28 == 0) {
    																	goto L131;
    																}
    																goto L9;
    															}
    														} else {
    															_t549 = 0;
    															if(_v584 == 0) {
    																_t440 =  *(_t572 + 0x14);
    																if( *(_t572 + 0x14) == 0) {
    																	goto L32;
    																} else {
    																	_t287 = E0103DCD0(_t440 << 2);
    																	if(_t287 == 0) {
    																		E01059922();
    																		__imp__longjmp(0x1070a30, 1);
    																		asm("int3");
    																		_t443 = 9;
    																		memcpy( &_v420, _t572, _t443 << 2);
    																		_t585 = _t584 + 0xc;
    																		E010548D7( &_v420,  &_v376);
    																		FileTimeToLocalFileTime( &_v376,  &_v384);
    																		FileTimeToSystemTime( &_v384,  &_v348);
    																		_v352 = 0;
    																		if( *0x1066755 == 0) {
    																			_t523 = _v348 & 0x0000ffff;
    																			_t573 = _v346 & 0x0000ffff;
    																			_t557 = _v342 & 0x0000ffff;
    																			_v352 = _t523;
    																			if(_v364 == 0) {
    																				_t463 = 0x64;
    																				_t523 = _t523 % _t463;
    																				_v352 = _t523;
    																			}
    																			_t298 =  *0x105e58c; // 0x0
    																			if(_t298 != 2) {
    																				if(_t298 == 1) {
    																					_t319 = _t573;
    																					_t573 = _t557;
    																					_t557 = _t319;
    																				}
    																			} else {
    																				_t320 = _t523;
    																				_t523 = _t557;
    																				_t557 = _t573;
    																				_v352 = _t523;
    																				_t573 = _t320;
    																			}
    																			_t446 =  *0x1066750;
    																			if( *0x1066750 >= 0x20) {
    																				_t299 =  *0x106674c;
    																				goto L184;
    																			} else {
    																				_t299 = realloc( *0x106674c, 0x40);
    																				_pop(0);
    																				if(_t299 != 0) {
    																					_t523 = _v352;
    																					_t446 = 0x20;
    																					 *0x106674c = _t299;
    																					 *0x1066750 = _t446;
    																					L184:
    																					_push(_t523);
    																					_push(0x106c9d0);
    																					_push(_t557);
    																					_push(0x106c9d0);
    																					E01039ABF(_t299, _t446, L"%02d%s%02d%s%02d", _t573);
    																					_t585 = _t585 + 0x20;
    																					_t557 = 2;
    																					goto L76;
    																				} else {
    																					_push(_t299);
    																					goto L171;
    																				}
    																			}
    																		} else {
    																			_v356 = 0;
    																			if(GetLocaleInfoW(E01038791(), 0x1f,  &_v332, 0x80) == 0) {
    																				_t523 = 0x80;
    																				E0103F3A0( &_v332, 0x80,  *0x105e588);
    																			}
    																			_t327 = _v332;
    																			_t575 =  &_v332;
    																			_t557 = 2;
    																			if(_t327 != 0) {
    																				_t426 = _v356;
    																				_t467 = _t327 & 0x0000ffff;
    																				_t345 = 0x64;
    																				do {
    																					if(_t467 == 0x27) {
    																						_t575 = _t575 + _t557;
    																						_t426 = 0 | _t426 == 0x00000000;
    																					} else {
    																						if(_t426 != 0 || _t467 != _t345 && _t467 != 0x4d) {
    																							_t575 = _t575 + _t557;
    																						} else {
    																							_t531 = 0;
    																							do {
    																								_t575 = _t575 + _t557;
    																								_t531 = _t531 + 1;
    																							} while ( *_t575 == _t467);
    																							_v356 = _t575;
    																							_t576 = _t575 +  ~_t531 * 2;
    																							if(_t531 != 1) {
    																								_t352 = 0x64;
    																								if(_t467 == _t352) {
    																									_v360 = 0;
    																								}
    																								if(_t531 <= 3) {
    																									_t575 = _v356;
    																								} else {
    																									_t523 = _v356;
    																									_t468 = _t523;
    																									_v356 = _t468 + 2;
    																									do {
    																										_t354 =  *_t468;
    																										_t468 = _t468 + _t557;
    																									} while (_t354 != _v352);
    																									_t575 = _t576 + 6;
    																									memmove(_t575, _t523, 2 + (_t468 - _v356 >> 1) * 2);
    																									_t585 = _t585 + 0xc;
    																								}
    																							} else {
    																								_t471 = _t576;
    																								_t523 = _t471 + 2;
    																								do {
    																									_t358 =  *_t471;
    																									_t471 = _t471 + _t557;
    																								} while (_t358 != _v352);
    																								memmove(_t576 + 2, _t576, 2 + (_t471 - _t523 >> 1) * 2);
    																								_t585 = _t585 + 0xc;
    																								_t575 = _t576 + 4;
    																							}
    																						}
    																					}
    																					_t348 =  *_t575 & 0x0000ffff;
    																					_t467 = _t348;
    																					_t345 = 0x64;
    																				} while (_t348 != 0);
    																				_t424 = _v368;
    																			}
    																			if(GetDateFormatW(E01038791(), 0,  &_v348,  &_v332,  *0x106674c,  *0x1066750) == 0) {
    																				L73:
    																				_t573 = GetDateFormatW(E01038791(), 0,  &_v348,  &_v332, 0, 0);
    																				if(_t573 == 0) {
    																					_t337 = GetLastError();
    																					_push(0);
    																					goto L169;
    																				} else {
    																					_t573 = _t573 + 1;
    																					_t339 = realloc( *0x106674c, _t573 + _t573);
    																					_pop(0);
    																					if(_t339 == 0) {
    																						_push(0);
    																						L171:
    																						_push(8);
    																						goto L172;
    																					} else {
    																						 *0x106674c = _t339;
    																						 *0x1066750 = _t573;
    																						_t573 = 0;
    																						if(GetDateFormatW(E01038791(), 0,  &_v348,  &_v332, _t339, 0) == 0) {
    																							_t337 = GetLastError();
    																							_push(0);
    																							L169:
    																							 *0x10667a8 = _t337;
    																							_push(_t337);
    																							L172:
    																							E010378E4(0);
    																							_t306 = 0;
    																						} else {
    																							L76:
    																							_t573 =  *0x106674c;
    																							goto L56;
    																						}
    																					}
    																				}
    																			} else {
    																				_t573 =  *0x106674c;
    																				if(_t573 == 0) {
    																					goto L73;
    																				} else {
    																					L56:
    																					_push(E01035E68(_v344 & 0x0000ffff));
    																					_t523 = 0x20;
    																					E0103F3A0( &_v76, _t523);
    																					if(_t424 == 0) {
    																						if(_v360 != 0) {
    																							if(E01039434() == 0) {
    																								_push(_t573);
    																								_push( &_v76);
    																							} else {
    																								_push( &_v76);
    																								_push(_t573);
    																							}
    																							_t305 = E01039950(L"%s %s ");
    																						} else {
    																							_push(_t573);
    																							_t305 = E01039950(L"%s ");
    																						}
    																						_t424 = _t305;
    																					} else {
    																						if(_v360 == 0 || _v364 != 1) {
    																							E0103F3A0(_t424, _a8, _t573);
    																						} else {
    																							_t310 = E01039434();
    																							_t526 = _a8;
    																							_t455 = _t424;
    																							if(_t310 != 0) {
    																								E0103F3A0(_t455, _t526, _t573);
    																								E0103FC40(_t424, _a8, " ");
    																								_push( &_v76);
    																							} else {
    																								E0103F3A0(_t455, _t526,  &_v76);
    																								E0103FC40(_t424, _a8, " ");
    																								_push(_t573);
    																							}
    																							E0103FC40(_t424, _a8);
    																						}
    																						_t454 = _t424 + 2;
    																						_t523 = 0;
    																						do {
    																							_t309 =  *_t424;
    																							_t424 = _t557 + _t424;
    																						} while (_t309 != 0);
    																						_t424 = _t424 - _t454 >> 1;
    																					}
    																					_t306 = _t424;
    																				}
    																			}
    																		}
    																		return E01046B30(_t306, _t424, _v8 ^ _t582, _t523, _t557, _t573);
    																	} else {
    																		_t519 = 0;
    																		_t474 =  *(_t572 + 0x18);
    																		 *((intOrPtr*)(_t572 + 0x1c)) = _t287;
    																		if( *(_t572 + 0x14) > 0) {
    																			do {
    																				 *( *((intOrPtr*)(_t572 + 0x1c)) + _t519 * 4) = _t474;
    																				_t474 = _t474 + ( *_t474 & 0x0000ffff);
    																				_t519 = _t519 + 1;
    																			} while (_t519 <  *(_t572 + 0x14));
    																		}
    																		goto L32;
    																	}
    																}
    															} else {
    																L32:
    																_t424 = _v600;
    																if(_t424 != 0) {
    																	 *0x107a4c4(_t572, _v564, _v560);
    																	_t286 =  *_t424();
    																	_t549 = _t286;
    																	if(_t286 == 0) {
    																		goto L33;
    																	} else {
    																	}
    																} else {
    																	L33:
    																	if(_v588 == 0) {
    																		_t274 = 2;
    																		goto L155;
    																	}
    																}
    																goto L34;
    															}
    														}
    													} else {
    														if( *((intOrPtr*)(_t572 + 8)) <= 1) {
    															goto L39;
    														} else {
    															goto L29;
    														}
    													}
    												}
    											} else {
    												_t27 = _t424 + 0x30; // 0x30
    												_t532 = _t27;
    												_v588 = 1;
    												_t480 = _t532;
    												_t29 = _t480 + 2; // 0x32
    												_t558 = _t29;
    												do {
    													_t370 =  *_t480;
    													_t480 = _t480 + 2;
    												} while (_t370 != _v568);
    												_t31 = _t424 + 0x238; // 0x238
    												_t483 = _t532 + 2 + (_t480 - _t558 >> 1) * 2;
    												_v596 = _t483;
    												_t562 = _t483 - _t424 - 0x30 >> 1;
    												E0103F3A0(_t483, 0x104 - _t562, _t31);
    												_t519 = _v596;
    												if( *_t519 != 0) {
    													 *(_t424 + 2) = _t562;
    												} else {
    													 *(_t424 + 2) = 0;
    												}
    												_t484 = _t519;
    												_t563 = _t484 + 2;
    												do {
    													_t374 =  *_t484;
    													_t484 = _t484 + 2;
    												} while (_t374 != _v568);
    												 *_t424 = (_t484 - _t563 >> 0x00000001) + (_t484 - _t563 >> 0x00000001) - _t424 + 0x00000005 + _t519 & 0x0000fffc;
    												if(( *(_t424 + 4) & 0x00000010) != 0) {
    													 *((intOrPtr*)(_t572 + 0x24)) =  *((intOrPtr*)(_t572 + 0x24)) + 1;
    												} else {
    													 *((intOrPtr*)(_t572 + 0x20)) =  *((intOrPtr*)(_t572 + 0x20)) + 1;
    												}
    												_t564 = _v584;
    												if(_t564 == 0) {
    													 *(_t572 + 0x14) =  *(_t572 + 0x14) + 1;
    													_t380 =  *_t424 & 0x0000ffff;
    													_t424 = _t424 + _t380;
    													_t488 = _v556 + _t380;
    													_v556 = _t488;
    													_t489 = _v572;
    													if(_t488 + 0x254 < _t489) {
    														goto L25;
    													} else {
    														_t565 =  *(_t572 + 0x18);
    														_t490 = _t489 + 0x10000;
    														_v572 = _t490;
    														_t519 = _t490;
    														_t382 = E0103DD20( *(_t572 + 0x18), _t490);
    														if(_t382 == 0) {
    															E0103DC60(_t565);
    															_t382 = 0;
    														}
    														 *(_t572 + 0x18) = _t382;
    														if(_t382 == 0) {
    															_t548 = 0x2374;
    															goto L39;
    														} else {
    															_t424 = _v556 + _t382;
    															goto L25;
    														}
    													}
    												} else {
    													 *0x107a4c4(_t572, _t424, _v564, _v560);
    													_t548 =  *_t564();
    													if(_t548 != 0) {
    														E01038B4D(_v552);
    														L39:
    														_t274 = _t548;
    														L155:
    														_t549 = _t274;
    														L34:
    														_t275 = _v28;
    														_v28 = 0;
    														if(_t275 != 0) {
    															__imp__??_V@YAXPAX@Z(_t275);
    														}
    														return E01046B30(_t549, _t424, _v8 ^ _t582, _t519, _t549, _t572);
    													} else {
    														goto L25;
    													}
    												}
    											}
    											goto L194;
    										}
    										E01038B4D(_v552);
    										goto L147;
    									}
    								}
    								goto L194;
    							}
    							_t548 = 0x6f;
    							goto L39;
    						}
    					} else {
    						L5:
    						return _t266;
    					}
    				}
    				L194:
    			}





















































































































































    APIs
      • Part of subcall function 01036513: memset.MSVCRT ref: 01036593
      • Part of subcall function 0103DC60: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,?,00000000,01038E86,01038E5A,00000000), ref: 0103DC98
      • Part of subcall function 0103DC60: RtlFreeHeap.NTDLL(00000000), ref: 0103DC9F
    • memset.MSVCRT ref: 0104A097
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: Heapmemset$FreeProcess
    • String ID: *.*
    • API String ID: 1291122668-438819550
    • Opcode ID: 6be7b73b3f9e12eb7409069986875422dc33d04e93edad02d3b065d68eb4e37d
    • Instruction ID: c78eb95abd020eb1f2d4f2b7853098d0b7576f14bdd23704ccf83b1a399f7a8e
    • Opcode Fuzzy Hash: 6be7b73b3f9e12eb7409069986875422dc33d04e93edad02d3b065d68eb4e37d
    • Instruction Fuzzy Hash: 29B1E5B1E00119EFDF25DFA8C980AEEBBF5EF98300F1440A9E986AB251D731D941CB50
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 60%
    			E01055948(void* __ecx, short* __edx) {
    				signed int _v8;
    				short _v528;
    				void* _v532;
    				signed int _v536;
    				signed int _v540;
    				signed int _v544;
    				void* _v552;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				signed int _t45;
    				signed int _t49;
    				signed int _t50;
    				signed int _t61;
    				signed int _t64;
    				signed int _t72;
    				void* _t73;
    				signed int _t75;
    				intOrPtr _t76;
    				intOrPtr* _t78;
    				signed int _t81;
    				void* _t84;
    				short* _t88;
    				signed int _t89;
    				void* _t91;
    				void* _t96;
    				signed int _t98;
    				signed int _t106;
    				signed int _t107;
    				void* _t111;
    				signed int _t114;
    				signed int _t117;
    				void* _t121;
    				void* _t123;
    				void* _t124;
    				signed int _t128;
    				void* _t131;
    				void* _t132;
    				intOrPtr* _t133;
    				signed int _t135;
    				void* _t136;
    				signed int _t137;
    				signed int _t141;
    				signed int _t142;
    				void* _t143;
    
    				_t45 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t45 ^ _t142;
    				_t132 = __ecx;
    				_v532 = __ecx;
    				if(__edx != 0) {
    					__eflags =  *__edx - 0x2e;
    					if( *__edx != 0x2e) {
    						_t132 = E0103ACB0(E0103AB7F(__edx));
    						__eflags = _t132;
    						if(_t132 != 0) {
    							_t123 = 0x20;
    							_t49 = E010401F5(_t132, _t123);
    							__eflags = _t49;
    							if(_t49 != 0) {
    								__eflags = 0;
    								 *_t49 = 0;
    							}
    							_t96 = _t132;
    							_t89 = 0;
    							__eflags = 0;
    							_t30 = _t96 + 2; // 0x2
    							_t124 = _t30;
    							do {
    								_t50 =  *_t96;
    								_t96 = _t96 + 2;
    								__eflags = _t50;
    							} while (_t50 != 0);
    							_t98 = _t96 - _t124 >> 1;
    							_push(_t132);
    							_t31 = _t98 + 0x14; // 0x12
    							__eflags = _t31 - 0x104;
    							if(_t31 <= 0x104) {
    								E0103F3A0( &_v528, 0x104);
    								_t126 = 0x104;
    								E0103FC40( &_v528, 0x104, L"\\Shell\\Open\\Command");
    								_t137 = RegOpenKeyExW(_v532,  &_v528, 0, 0x2000000,  &_v552);
    								__eflags = _t137;
    								if(__eflags == 0) {
    									_t101 = _v532;
    									_t126 = E010562B3(0, _v532,  &_v528, _t132, _t137, __eflags);
    									_v536 = _t126;
    									__eflags = _t126;
    									if(_t126 == 0) {
    										L48:
    										E010378E4(_t101, 0x400023a5, 1, _t132);
    										L49:
    										E0103DC60(_v536);
    										L50:
    										E0103DC60(_t132);
    										L51:
    										_t61 = _t137;
    										L52:
    										__eflags = _v8 ^ _t142;
    										return E01046B30(_t61, _t89, _v8 ^ _t142, _t126, _t132, _t137);
    									}
    									_t106 = _t126;
    									_t40 = _t106 + 2; // 0x2
    									_v544 = _t40;
    									do {
    										_t64 =  *_t106;
    										_t106 = _t106 + 2;
    										__eflags = _t64;
    									} while (_t64 != 0);
    									_t107 = _t106 - _v544;
    									__eflags = _t107;
    									_t101 = _t107 >> 1;
    									if(_t107 == 0) {
    										goto L48;
    									}
    									_push(_t126);
    									_push(_t132);
    									E01039950(L"%s=%s\r\n");
    									goto L49;
    								}
    								E010378E4( &_v528, 0x400023a5, 1, _t132);
    								goto L50;
    							}
    							_push(1);
    							_push(0x400023db);
    							E010378E4(_t98);
    							_t137 = 0x7b;
    							goto L50;
    						}
    						L34:
    						_t61 = 1;
    						goto L52;
    					}
    					E010378E4(__ecx, 0x400023a5, 1, __edx);
    					_t61 = 0x7b;
    					goto L52;
    				}
    				_t89 = 0;
    				_push(0);
    				_push(0);
    				_push(0);
    				_push(0);
    				_push( &_v540);
    				_v536 = 0;
    				_push( &_v528);
    				_t137 = 0x104;
    				_push(0);
    				while(1) {
    					_v540 = _t137;
    					_t72 = RegEnumKeyExW(_t132, ??, ??, ??, ??, ??, ??, ??);
    					if(_t72 != 0) {
    						break;
    					}
    					_t73 = 0x2e;
    					if(_v528 == _t73) {
    						L27:
    						if( *0x106259c != 0) {
    							goto L34;
    						}
    						_push(_t89);
    						_push(_t89);
    						_push(_t89);
    						_push(_t89);
    						_push( &_v540);
    						_t75 = _v536 + 1;
    						_push( &_v528);
    						_v536 = _t75;
    						_push(_t75);
    						continue;
    					}
    					_t133 =  &_v528;
    					_t111 = _t133 + 2;
    					do {
    						_t76 =  *_t133;
    						_t133 = _t133 + 2;
    					} while (_t76 != _t89);
    					_t135 = _t133 - _t111 >> 1;
    					if(_t135 + 0x14 > _t137) {
    						L26:
    						_t132 = _v532;
    						goto L27;
    					}
    					_t128 = _t137;
    					_t78 =  &_v528;
    					while( *_t78 != _t89) {
    						_t78 = _t78 + 2;
    						_t128 = _t128 - 1;
    						if(_t128 != 0) {
    							continue;
    						}
    						break;
    					}
    					asm("sbb ecx, ecx");
    					_t114 =  ~_t128 & _t137 - _t128;
    					if(_t128 == 0) {
    						L19:
    						_t115 = _v532;
    						_t81 = E010562B3(_t89, _v532,  &_v528, _t135, _t137, 0);
    						_t132 = _t135 + _t135;
    						_t126 = _t81;
    						_v544 = _t126;
    						if(_t132 >= 0x208) {
    							_t72 = E01046C78(_t81, _t89, _t115, _t126, _t132, _t137);
    							break;
    						}
    						 *((short*)(_t142 + _t132 - 0x20c)) = 0;
    						if(_t126 == 0) {
    							L25:
    							E0103DC60(_t126);
    							goto L26;
    						}
    						_t117 = _t126;
    						_t21 = _t117 + 2; // 0x2
    						_t136 = _t21;
    						do {
    							_t84 =  *_t117;
    							_t117 = _t117 + 2;
    						} while (_t84 != _t89);
    						if(_t117 != _t136) {
    							_push(_t126);
    							_push( &_v528);
    							E01039950(L"%s=%s\r\n");
    							_t126 = _v544;
    							_t143 = _t143 + 0xc;
    						}
    						goto L25;
    					}
    					_t88 =  &(( &_v528)[_t114]);
    					_t131 = _t137 - _t114;
    					if(_t131 == 0) {
    						L17:
    						_t88 = _t88 - 2;
    						L18:
    						 *_t88 = 0;
    						goto L19;
    					}
    					_t121 = 0x7ffffffe;
    					_t91 = L"\\Shell\\Open\\Command" - _t88;
    					while(_t121 != 0) {
    						_t141 =  *(_t91 + _t88) & 0x0000ffff;
    						if(_t141 == 0) {
    							break;
    						}
    						 *_t88 = _t141;
    						_t88 =  &(_t88[1]);
    						_t121 = _t121 - 1;
    						_t131 = _t131 - 1;
    						if(_t131 != 0) {
    							continue;
    						}
    						break;
    					}
    					_t137 = 0x104;
    					_t89 = 0;
    					if(_t131 != 0) {
    						goto L18;
    					}
    					goto L17;
    				}
    				_t29 = _t72 - 0x103; // -259
    				asm("sbb esi, esi");
    				_t137 =  ~_t29 & _t72;
    				goto L51;
    			}

    APIs
    • RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 01055997
      • Part of subcall function 0103AB7F: iswspace.MSVCRT ref: 0103AB8D
      • Part of subcall function 0103AB7F: wcschr.MSVCRT ref: 0103AB9E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: Enumiswspacewcschr
    • String ID: %s=%s$\Shell\Open\Command
    • API String ID: 3493821229-3301834661
    • Opcode ID: 231c989fc8bd47b9af0dda4fa1091e044f4a20b69aa4c15e858da0eac0e6e7ec
    • Instruction ID: c61d92579b4d6cea749418a8f839c2438e6260292497a8cb6eb00810938bd9e7
    • Opcode Fuzzy Hash: 231c989fc8bd47b9af0dda4fa1091e044f4a20b69aa4c15e858da0eac0e6e7ec
    • Instruction Fuzzy Hash: 45811A75E0021E9BDBA49B2CCC94AFF73BAEFD4700F1441E9DD8A97240EA709E418B50
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 43%
    			E0103CCD0(intOrPtr* __ecx, intOrPtr __edx, intOrPtr* _a4, intOrPtr* _a8) {
    				intOrPtr _v8;
    				intOrPtr _t14;
    				signed int _t17;
    				signed int _t20;
    				signed int _t21;
    				signed int _t22;
    				intOrPtr _t31;
    				signed int _t34;
    				void* _t36;
    				intOrPtr _t40;
    				intOrPtr* _t46;
    				intOrPtr _t52;
    				intOrPtr _t54;
    				signed int _t55;
    				intOrPtr _t61;
    				intOrPtr _t62;
    				intOrPtr _t65;
    				intOrPtr* _t67;
    				intOrPtr _t69;
    				intOrPtr* _t71;
    				intOrPtr* _t74;
    				intOrPtr* _t76;
    				void* _t79;
    				void* _t80;
    
    				_push(__ecx);
    				_t74 = _a8;
    				_v8 = __edx;
    				_t67 = __ecx;
    				if(_t74 == E0103DE30) {
    					_t14 = E0103DE30(__ecx);
    				} else {
    					if(_t74 == E0103E090) {
    						_t14 = E0103E090();
    					} else {
    						if(_t74 == E0103E210) {
    							_t14 = E0103E210();
    						} else {
    							if(_t74 != E0103E230) {
    								 *0x107a4c4();
    								_t14 =  *_t74();
    							} else {
    								_t14 = E0103E230();
    							}
    						}
    					}
    				}
    				_t40 = _t14;
    				if( *((short*)( *0x10665cc)) == 0) {
    					L21:
    					return _t40;
    				} else {
    					_t17 = 0;
    					if( *0x10665f0 != 0) {
    						_t17 = 0x10;
    					}
    					_t61 = E0103CF10(_t17, 0x1074af0, 0x2000, _t17);
    					 *0x1066700 = _t61;
    					if(_t61 == 0xffffffff) {
    						 *0x10665ec = 0x234a;
    						__imp__longjmp(0x1070ab0, 1);
    						goto L49;
    					} else {
    						_t55 = 0x1074af0;
    						_t3 = _t55 + 2; // 0x1074af2
    						_t79 = _t3;
    						do {
    							_t36 =  *_t55;
    							_t55 = _t55 + 2;
    						} while (_t36 != 0);
    						_t4 = (_t55 - _t79 >> 1) + 1; // 0x1074aef
    						 *0x10666fc = _t4;
    						if( *0x1079059 != 0) {
    							L49:
    							_push(0x1074af0);
    							_push(_t61);
    							E01039950(L"GeToken: (%x) \'%s\'\n");
    							_t80 = _t80 + 0xc;
    						}
    					}
    					_t20 = 0x1074af0;
    					_t46 = _t67;
    					while(1) {
    						_t62 =  *_t46;
    						if(_t62 !=  *_t20) {
    							break;
    						}
    						if(_t62 == 0) {
    							L17:
    							_t21 = 0;
    						} else {
    							_t5 = _t46 + 2; // 0x2b0000
    							_t65 =  *_t5;
    							if(_t65 !=  *((intOrPtr*)(_t20 + 2))) {
    								break;
    							} else {
    								_t46 = _t46 + 4;
    								_t20 = _t20 + 4;
    								if(_t65 != 0) {
    									continue;
    								} else {
    									goto L17;
    								}
    							}
    						}
    						L18:
    						if(_t21 == 0) {
    							if( *0x1074af0 == 0xa) {
    								goto L34;
    							} else {
    								_t69 = _v8;
    								goto L37;
    							}
    						} else {
    							_t33 =  *0x10666f8;
    							if( *((char*)( *0x10666f8 + 0x10665f7)) == 0x33) {
    								_t34 = "&";
    								while(1) {
    									_t52 =  *_t67;
    									if(_t52 !=  *_t34) {
    										break;
    									}
    									if(_t52 == 0) {
    										L30:
    										_t33 = 0;
    									} else {
    										_t8 = _t67 + 2; // 0x2b0000
    										_t54 =  *_t8;
    										_t9 = _t34 + 2; // 0x2b0000
    										if(_t54 !=  *_t9) {
    											break;
    										} else {
    											_t67 = _t67 + 4;
    											_t34 = _t34 + 4;
    											if(_t54 != 0) {
    												continue;
    											} else {
    												goto L30;
    											}
    										}
    									}
    									L31:
    									if(_t33 != 0 ||  *0x1074af0 != 0xa) {
    										goto L20;
    									} else {
    										do {
    											L34:
    											_t22 = E0103CC70(0);
    										} while ( *0x1074af0 == 0xa);
    										E0103CF10(_t22, 0, 0, 0);
    										if( *0x1074af0 == 0x29) {
    											goto L21;
    										} else {
    											_t69 = 0x2e;
    											L37:
    											_t76 = E0103DCD0(0x50);
    											if(_t76 == 0) {
    												E01059922();
    												__imp__longjmp(0x1070a30, 1);
    												asm("int3");
    												_push( *0x10665c8);
    												E01039950(L"Ungetting: \'%s\'\n");
    												 *0x10665cc =  *0x10665c8;
    												return 0;
    											} else {
    												 *_t76 = _t69;
    												 *((intOrPtr*)(_t76 + 0x38)) = _t40;
    												 *0x10665d0 = 1;
    												E0103CC70(8);
    												_t71 = _a4;
    												 *0x10665d0 = 0;
    												if(_t71 != E0103BAB0) {
    													 *0x107a4c4();
    													_t31 =  *_t71();
    												} else {
    													_t31 = E0103BAB0();
    												}
    												 *((intOrPtr*)(_t76 + 0x3c)) = _t31;
    												return _t76;
    											}
    										}
    									}
    									goto L52;
    								}
    								asm("sbb eax, eax");
    								_t33 = _t34 | 0x00000001;
    								goto L31;
    							} else {
    								L20:
    								E0103CF10(_t33, 0, 0, 0);
    								goto L21;
    							}
    						}
    						goto L52;
    					}
    					asm("sbb eax, eax");
    					_t21 = _t20 | 0x00000001;
    					goto L18;
    				}
    				L52:
    			}

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID:
    • String ID: GeToken: (%x) '%s'$Ungetting: '%s'
    • API String ID: 0-1704545398
    • Opcode ID: 38ab4e19667471eced4b44a45510ce2b6eb33f0954252fd02e9fffcc844873b4
    • Instruction ID: 12905c1700ee5a38f23a46297e863ad264965dd4ea4e5e1c53680025b86f80f7
    • Opcode Fuzzy Hash: 38ab4e19667471eced4b44a45510ce2b6eb33f0954252fd02e9fffcc844873b4
    • Instruction Fuzzy Hash: 58513631A001029BF7707B68D6097AA7AAEFBD0314F48416BE5C7F7255EB76D840C7A1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 89%
    			E01054DBD(signed int __ecx, wchar_t* __edx, intOrPtr _a4) {
    				signed int _v8;
    				char _v20;
    				void* _v24;
    				intOrPtr _v28;
    				signed int _v32;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t26;
    				long _t29;
    				void* _t30;
    				void* _t32;
    				int _t36;
    				signed int _t39;
    				signed int _t40;
    				signed int _t41;
    				signed short _t42;
    				long _t45;
    				long _t46;
    				signed int _t48;
    				wchar_t* _t52;
    				int _t55;
    				signed int _t59;
    				void* _t64;
    				long* _t66;
    				intOrPtr _t69;
    				long* _t73;
    				void* _t77;
    				void* _t78;
    				void* _t79;
    				wchar_t* _t81;
    				signed int _t83;
    				signed int _t84;
    				void* _t85;
    
    				_t26 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t26 ^ _t84;
    				_v32 = __ecx;
    				_v28 = _a4;
    				_t52 = __edx;
    				asm("movsd");
    				asm("movsd");
    				asm("movsw");
    				_t55 = 0;
    				_v24 = __ecx + 8;
    				_t77 = 0;
    				while(1) {
    					_t81 = _t52;
    					_t8 =  &(_t81[0]); // 0x2
    					_t73 = _t8;
    					do {
    						_t29 =  *_t81;
    						_t81 =  &(_t81[0]);
    					} while (_t29 != _t55);
    					_t83 = _t81 - _t73 >> 1;
    					if(_t83 > 2 || iswdigit( *_t52 & 0x0000ffff) == 0) {
    						L16:
    						_t74 =  *_t52 & 0x0000ffff;
    						if(( *_t52 & 0x0000ffff) == 0) {
    							goto L29;
    						} else {
    							if(E0103A62F( &_v20, _t74) == 0) {
    								goto L12;
    							} else {
    								goto L18;
    							}
    						}
    					} else {
    						_t45 = _t52[0] & 0x0000ffff;
    						if(_t45 == 0 || iswdigit(_t45) != 0) {
    							_t46 = wcstol(_t52, 0, 0xa);
    							_t66 = _v24;
    							_t52 = _t52 + _t83 * 2 + 2;
    							_t85 = _t85 + 0xc;
    							 *_t66 = _t46;
    							_t74 =  *_t52 & 0x0000ffff;
    							_v24 =  &(_t66[0]);
    							if(( *_t52 & 0x0000ffff) == 0) {
    								L29:
    								_t77 = _t77 + 1;
    								_t30 = 4;
    								if(_t77 < _t30) {
    									_t78 = _v24;
    									_t59 = _t30 - _t77 >> 1;
    									_t36 = memset(_t78, 0, _t59 << 2);
    									_t79 = _t78 + _t59;
    									asm("adc ecx, ecx");
    									memset(_t79, _t36, 0);
    									_t77 = _t79;
    								}
    								_t32 = 1;
    							} else {
    								if(E0103A62F( &_v20, _t74) != 0) {
    									L18:
    									_t39 =  *_t52 & 0x0000ffff;
    									if(_t39 == 0x70 || _t39 == 0x50) {
    										_t64 = 1;
    									} else {
    										_t64 = 0;
    									}
    									_t40 = _t52[1] & 0x0000ffff;
    									if(_t40 == 0 || _t40 == 0x6d || _t40 == 0x4d) {
    										_t74 = _v32;
    										_t41 =  *(_t74 + 8) & 0x0000ffff;
    										if(_t64 == 0) {
    											if(_t41 != 0xc) {
    												goto L29;
    											} else {
    												_t42 = 0;
    												goto L28;
    											}
    											L35:
    										} else {
    											if(_t41 != 0xc) {
    												_t42 = _t41 + 0xc;
    												L28:
    												 *(_t74 + 8) = _t42;
    											}
    										}
    										goto L29;
    									} else {
    										goto L12;
    									}
    								} else {
    									_t48 =  *_t52 & 0x0000ffff;
    									_t69 = _v28;
    									if(_t77 >= 2) {
    										if(_t48 ==  *((intOrPtr*)(_t69 + 2)) || _t48 ==  *((intOrPtr*)(_t69 + 6))) {
    											goto L15;
    										} else {
    											goto L12;
    										}
    									} else {
    										_t74 = _t48;
    										if(E0103A62F(_t69, _t48) != 0) {
    											L15:
    											_t77 = _t77 + 1;
    											_t52 = E0103A7D5(_t52);
    											if(_t77 < 4) {
    												_t55 = 0;
    												continue;
    											} else {
    												goto L16;
    											}
    										} else {
    											L12:
    											_t32 = 0;
    										}
    									}
    								}
    							}
    						} else {
    							goto L16;
    						}
    					}
    					return E01046B30(_t32, _t52, _v8 ^ _t84, _t74, _t77, _t83);
    					goto L35;
    				}
    			}






































    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: iswdigit$wcstol
    • String ID: aApP
    • API String ID: 644763121-2547155087
    • Opcode ID: 11a149e918cb6a799dc6c014c7d981f92aad8aaa81a6162be0f35c7a7c01537b
    • Instruction ID: 297caf1ee87cb184e15f8457070587afb95754e1f042fc6217a10912cf923afb
    • Opcode Fuzzy Hash: 11a149e918cb6a799dc6c014c7d981f92aad8aaa81a6162be0f35c7a7c01537b
    • Instruction Fuzzy Hash: 4941F975A0011286DFA49F6CC4951FFB7F5AF843007144869DDC6DB281FA34D9C2D360
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 76%
    			E010557A8(void* __ecx, signed int __edx) {
    				signed int _v8;
    				short _v528;
    				void* _v532;
    				int _v536;
    				int _v540;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				signed int _t19;
    				void* _t24;
    				signed int _t26;
    				signed int _t31;
    				void* _t39;
    				void* _t42;
    				int _t43;
    				signed int _t53;
    				signed int _t54;
    				int _t59;
    				void* _t64;
    				int* _t66;
    				void* _t67;
    				void* _t69;
    				signed int _t70;
    				void* _t71;
    
    				_t63 = __edx;
    				_t19 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t19 ^ _t70;
    				_t67 = __ecx;
    				_v532 = __ecx;
    				if(__edx != 0) {
    					_t43 = E0103ACB0(E0103AB7F(__edx));
    					__eflags = _t43;
    					if(_t43 == 0) {
    						L14:
    						_t24 = 1;
    						L28:
    						__eflags = _v8 ^ _t70;
    						return E01046B30(_t24, _t43, _v8 ^ _t70, _t63, _t66, _t67);
    					}
    					_t64 = 0x20;
    					_t26 = E010401F5(_t43, _t64);
    					__eflags = _t26;
    					if(__eflags != 0) {
    						__eflags = 0;
    						 *_t26 = 0;
    					}
    					_t50 = _t67;
    					_t63 = E010562B3(_t43, _t67, _t43, _t66, _t67, __eflags);
    					_v532 = _t63;
    					__eflags = _t63;
    					if(_t63 == 0) {
    						L25:
    						_t67 = 1;
    						__eflags = 1;
    						E010378E4(_t50, 0x400023a3, 1, _t43);
    						goto L26;
    					} else {
    						_t53 = _t63;
    						_t66 = 0;
    						__eflags = 0;
    						_t16 = _t53 + 2; // 0x2
    						_t69 = _t16;
    						do {
    							_t31 =  *_t53;
    							_t53 = _t53 + 2;
    							__eflags = _t31;
    						} while (_t31 != 0);
    						_t54 = _t53 - _t69;
    						__eflags = _t54;
    						_t50 = _t54 >> 1;
    						if(_t54 == 0) {
    							goto L25;
    						}
    						_push(_t63);
    						_push(_t43);
    						_t67 = E01039950(L"%s=%s\r\n");
    						L26:
    						E0103DC60(_v532);
    						E0103DC60(_t43);
    						L27:
    						_t24 = _t67;
    						goto L28;
    					}
    				}
    				_t66 = 0;
    				_t43 = 0;
    				_v536 = 0;
    				while(1) {
    					_v540 = 0x104;
    					_t67 = RegEnumKeyExW(_t67, _t43,  &_v528,  &_v540, _t66, _t66, _t66, _t66);
    					if(_t67 != 0) {
    						break;
    					}
    					_t76 = _v528 - 0x2e;
    					if(_v528 != 0x2e) {
    						L10:
    						if( *0x106259c != _t66) {
    							goto L14;
    						}
    						_t43 = _t43 + 1;
    						_v536 = _t43;
    						if(_t67 != 0) {
    							goto L27;
    						}
    						_t67 = _v532;
    						continue;
    					}
    					_t56 = _v532;
    					_t63 =  &_v528;
    					_t43 = E010562B3(_t43, _v532,  &_v528, _t66, _t67, _t76);
    					if(_t43 == 0) {
    						_push(_t66);
    						_push(GetLastError());
    						E010378E4(_t56);
    						goto L14;
    					}
    					_t59 = _t43;
    					_t10 = _t59 + 2; // 0x2
    					_t63 = _t10;
    					do {
    						_t39 =  *_t59;
    						_t59 = _t59 + 2;
    					} while (_t39 != _t66);
    					if(_t59 != _t63) {
    						_push(_t43);
    						_push( &_v528);
    						_t42 = E01039950(L"%s=%s\r\n");
    						_t71 = _t71 + 0xc;
    						_t67 = _t42;
    					}
    					E0103DC60(_t43);
    					_t43 = _v536;
    					goto L10;
    				}
    				__eflags = _t67 - 0x103;
    				if(_t67 == 0x103) {
    					_t67 = _t66;
    				}
    				goto L27;
    			}





























    APIs
    • RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 010557F8
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 01055886
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: EnumErrorLast
    • String ID: %s=%s$.
    • API String ID: 1967352920-4275322459
    • Opcode ID: 3cd45504708684f15a5c7152b1e962d7b89646d7527a856566dd21513efc96a3
    • Instruction ID: 6b80a078c559932cf0f9a065183d4ef2a8b1b3c7c98c105152df717c6b410e79
    • Opcode Fuzzy Hash: 3cd45504708684f15a5c7152b1e962d7b89646d7527a856566dd21513efc96a3
    • Instruction Fuzzy Hash: 66412475E0021A97CBB4AB698C94AFF73B9EFD4310F0504E9DDCAA7241DAB04E418B90
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 86%
    			E0105378A(void* __ebx, void* __ecx, intOrPtr* _a4) {
    				intOrPtr _v0;
    				signed int _v8;
    				short _v528;
    				int* _v532;
    				int* _v536;
    				int _v540;
    				char _v544;
    				void* __edi;
    				void* __esi;
    				signed int _t26;
    				intOrPtr* _t28;
    				intOrPtr* _t30;
    				WCHAR* _t44;
    				void* _t45;
    				int _t46;
    				void* _t47;
    				signed int _t48;
    				signed int _t53;
    				int* _t55;
    				void* _t61;
    				int _t65;
    				int* _t67;
    				void* _t68;
    				signed int _t69;
    
    				_t45 = __ebx;
    				_t26 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t26 ^ _t69;
    				_t28 = _a4;
    				_t65 = 0;
    				_v532 = _t28;
    				 *_t28 = 0;
    				 *((intOrPtr*)(_t28 + 4)) = 0;
    				E0103F3A0( &_v528, 0x104, __ecx);
    				_t63 = 0x104;
    				_t30 =  &_v528;
    				while( *_t30 != _t65) {
    					_t30 = _t30 + 2;
    					_t63 = _t63 - 1;
    					if(_t63 != 0) {
    						continue;
    					}
    					break;
    				}
    				_push(_t45);
    				asm("sbb ecx, ecx");
    				_t53 =  ~_t63 & 0x00000104 - _t63;
    				if(_t63 != 0) {
    					_t44 =  &(( &_v528)[_t53]);
    					_t68 = 0x104 - _t53;
    					if(_t68 == 0) {
    						L10:
    						_t44 = _t44 - 2;
    					} else {
    						_t61 = 0x7ffffffe;
    						_t63 = L"_p0" - _t44;
    						while(_t61 != 0) {
    							_t48 =  *(_t44 + _t63) & 0x0000ffff;
    							if(_t48 != 0) {
    								 *_t44 = _t48;
    								_t44 =  &(_t44[1]);
    								_t61 = _t61 - 1;
    								_t68 = _t68 - 1;
    								if(_t68 != 0) {
    									continue;
    								}
    							}
    							break;
    						}
    						if(_t68 == 0) {
    							goto L10;
    						}
    					}
    					_t53 = 0;
    					 *_t44 = 0;
    				}
    				_t67 = OpenSemaphoreW(0x1f0003, _t65,  &_v528);
    				_v536 = _t67;
    				if(_t67 != 0) {
    					_t63 =  &_v540;
    					_v540 = _t65;
    					_t46 = E01052D1F(_t67, _t63);
    					if(_t46 >= 0) {
    						_t55 = _v532;
    						asm("cdq");
    						 *_t55 = _v540;
    						_t55[1] = _t63;
    					} else {
    						_t63 = 0xcf;
    						E010534D4("wil", _t46);
    						_t65 = _t46;
    						goto L17;
    					}
    				} else {
    					if(GetLastError() != 2) {
    						_t63 = 0xc9;
    						_t65 = E010534BF(_v0, _t53);
    						L17:
    						_t67 = _v536;
    					}
    				}
    				_pop(_t47);
    				if(_t67 != 0) {
    					_t63 =  &_v532;
    					_v532 = _t67;
    					_v544 = E01052560;
    					E01047C7A( &_v544,  &_v532);
    				}
    				return E01046B30(_t65, _t47, _v8 ^ _t69, _t63, _t65, _t67);
    			}




























    APIs
    • OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0(001F0003,00000000,?), ref: 01053835
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 01053847
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: ErrorLastOpenSemaphore
    • String ID: _p0$wil
    • API String ID: 1909229842-1814513734
    • Opcode ID: 612f22a73688c4ad5683aa405952ba22025f65d251b13ef1dfb265163de3085c
    • Instruction ID: a282d34baef8aa8856c65a55894b1345090d4644c82c37a336add37a7b7d56fd
    • Opcode Fuzzy Hash: 612f22a73688c4ad5683aa405952ba22025f65d251b13ef1dfb265163de3085c
    • Instruction Fuzzy Hash: AF4105B5E012298BDBA9DF28C8586EBB7F5FF94340F1481D9DC469B244DB709E41CB90
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 73%
    			E0105237E(void* __ecx, signed int* __edx) {
    				void* _v0;
    				signed int _v8;
    				char _v528;
    				char _v532;
    				signed int _v536;
    				char _v540;
    				char _v544;
    				char _v548;
    				char _v552;
    				char _v556;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				signed int _t26;
    				char* _t31;
    				void* _t35;
    				char _t36;
    				signed int* _t45;
    				char _t62;
    				signed int _t63;
    				signed int _t65;
    
    				_t58 = __edx;
    				_t46 = __ecx;
    				_t26 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t26 ^ _t65;
    				_t45 = __edx;
    				 *((intOrPtr*)(__edx)) = 0;
    				E01039ABF( &_v528, 0x104, L"Local\\SM0:%d:%d:%hs", GetCurrentProcessId());
    				_t31 =  &_v528;
    				__imp__CreateMutexExW(0, _t31, 0, 0x1f0001, 0x40, __ecx);
    				_t62 = _t31;
    				_v532 = _t62;
    				if(_t62 != 0) {
    					E010539DC( &_v532, _t58, 0,  &_v540);
    					_t59 =  &_v536;
    					_v536 = 0;
    					_t63 = 0;
    					_t61 = E01052170( &_v528,  &_v536,  &_v532);
    					if(_t61 >= 0) {
    						_t63 = _v536 << 2;
    						_t61 = 0;
    					} else {
    						_push(_t61);
    						_push("wil");
    						_t59 = 0x6b;
    						E010534D4();
    					}
    					if(_t61 >= 0) {
    						if(_t63 == 0) {
    							_t59 =  &_v532;
    							_t35 = E010530A6(_t45,  &_v528,  &_v532, _t61, _t63, _t45);
    							_t61 = _t35;
    							if(_t35 >= 0) {
    								goto L9;
    							} else {
    								_t59 = 0x12e;
    								goto L18;
    							}
    							L19:
    						} else {
    							 *_t45 = _t63;
    							 *( *_t45) =  *_t63 + 1;
    							L9:
    							_t61 = 0;
    						}
    					} else {
    						_t59 = 0x126;
    						L18:
    						E010534D4("wil", _t61);
    					}
    					_t36 = _v540;
    					if(_t36 != 0) {
    						_t59 =  &_v544;
    						_v544 = _t36;
    						_v548 = E010532C0;
    						E01047C7A( &_v548,  &_v544);
    					}
    					_t62 = _v532;
    				} else {
    					_t61 = E01052A9C(_t46);
    				}
    				if(_t62 != 0) {
    					_t59 =  &_v552;
    					_v552 = _t62;
    					_v556 = E01052560;
    					E01047C7A( &_v556,  &_v552);
    				}
    				return E01046B30(_t61, _t45, _v8 ^ _t65, _t59, _t61, _t62);
    				goto L19;
    			}


























    APIs
    • GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000040), ref: 0105239F
    • CreateMutexExW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,?,00000000,001F0001), ref: 010523CD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: CreateCurrentMutexProcess
    • String ID: Local\SM0:%d:%d:%hs$wil
    • API String ID: 3937467467-2303653343
    • Opcode ID: a9782d82c7deef60b57330da1cbd699e7c2d6f48cef2c4564e3349b9efd0bc38
    • Instruction ID: f012cb1c3b91d8dec89e62ca1c3e129487ac5ef0acffc96ba700f79252c5d5ff
    • Opcode Fuzzy Hash: a9782d82c7deef60b57330da1cbd699e7c2d6f48cef2c4564e3349b9efd0bc38
    • Instruction Fuzzy Hash: DA41B7B5A4022DDBCB61DB54DC88AEF7BB5AF94700F0045D9EC896B240DF709E458F90
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 65%
    			E0105B222(void* __ecx, char* __edx, signed char* _a4) {
    				signed int _v8;
    				int _v20;
    				char _v24;
    				signed int _v28;
    				void _v548;
    				char* _v552;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				signed int _t27;
    				signed int _t37;
    				void* _t42;
    				char _t45;
    				void* _t47;
    				intOrPtr _t50;
    				void* _t62;
    				signed int _t64;
    
    				_t61 = __edx;
    				_t27 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t27 ^ _t64;
    				_v28 = _v28 & 0x00000000;
    				_t63 = 0x104;
    				_v552 = __edx;
    				_v20 = 0x104;
    				_t49 = 1;
    				_t62 = __ecx;
    				_v24 = 1;
    				memset( &_v548, 0, 0x104);
    				if(E0103E3F0(((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) >= 0) {
    					_t40 = _a4;
    					_t63 = 0x1031f00;
    					if(( *_a4 & 0x00000010) != 0) {
    						_t63 = L"[%s]";
    					}
    					_t42 = E0103A641(_t40 + 0x2c);
    					_t57 = _v28;
    					if(_v28 == 0) {
    						_t57 =  &_v548;
    					}
    					_t50 = _v552;
    					E01034979(_t42, _t57, _t50);
    					if(_t50 < 0) {
    						_t47 = _v28;
    						if(_t47 == 0) {
    							_t47 =  &_v548;
    						}
    						__imp___wcslwr(_t47);
    					}
    					_t44 = _v28;
    					if(_v28 == 0) {
    						_t44 =  &_v548;
    					}
    					_t61 = _t63;
    					_t45 = E01046604(_t62, _t63, _t44);
    					_t49 = _t45;
    					if(_t45 == 0) {
    						_t49 = E01058422(_t62);
    					}
    				}
    				_t37 = _v28;
    				_v28 = _v28 & 0x00000000;
    				if(_t37 != 0) {
    					__imp__??_V@YAXPAX@Z(_t37);
    				}
    				return E01046B30(_t49, _t49, _v8 ^ _t64, _t61, _t62, _t63);
    			}






















    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: memset$_wcslwr
    • String ID: [%s]
    • API String ID: 886762496-302437576
    • Opcode ID: f8d042b082747b69c3607019d16af51f30cbfd72abfab97151e0cc32ffba11b0
    • Instruction ID: ee16df98e00afa25cfb333f14e0fcdad4cf360eada12bda9622c19b4eaf6d665
    • Opcode Fuzzy Hash: f8d042b082747b69c3607019d16af51f30cbfd72abfab97151e0cc32ffba11b0
    • Instruction Fuzzy Hash: D831B671B002199BDB50DAE9D8C5BFFBBF9AF58340F0400A9E985E7141DB74D9448B60
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: _wcsnicmp
    • String ID: /-Y$COPYCMD
    • API String ID: 1886669725-617350906
    • Opcode ID: 6983f531cc8807a3837ce7c9b035afe1ed2558913cd9ef05044668c930cb5984
    • Instruction ID: 7515e19aef260da6b421fa6767fdebcfa7e97a4cfafb8d46ff65fbd3fc6f9f3a
    • Opcode Fuzzy Hash: 6983f531cc8807a3837ce7c9b035afe1ed2558913cd9ef05044668c930cb5984
    • Instruction Fuzzy Hash: A52149F5E002159BDB688B0E9CC67BFB6E5EF84354B5940B9FCC5EB244EA708D01C294
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
      • Part of subcall function 01039E8E: iswspace.MSVCRT ref: 01039E9E
    • iswspace.MSVCRT ref: 01039E28
    • _wcsnicmp.MSVCRT ref: 01039E79
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: iswspace$_wcsnicmp
    • String ID: off
    • API String ID: 3989682491-733764931
    • Opcode ID: 37449ff3572d88a5d18f4b3b154696356a4292b5d1b75b3a2fda31d1854ac8e4
    • Instruction ID: d5e2945531c5baee8fafa78f32e6388e21f5a55c797e6a81ee7bba7fb356ad2e
    • Opcode Fuzzy Hash: 37449ff3572d88a5d18f4b3b154696356a4292b5d1b75b3a2fda31d1854ac8e4
    • Instruction Fuzzy Hash: 4C1148757082119AFB75226D184AB3F529C9BC1F1EB19006DFEC6E70C1EEC2C940C1B1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 71%
    			E01055166(intOrPtr* __ecx) {
    				void* _t5;
    				intOrPtr _t6;
    				void* _t8;
    				intOrPtr _t9;
    				void* _t19;
    				intOrPtr* _t23;
    				intOrPtr* _t26;
    				signed int _t27;
    				signed int _t28;
    				intOrPtr* _t30;
    
    				_t23 = __ecx;
    				if(__ecx != 0) {
    					_t26 = __ecx;
    					_t19 = __ecx + 2;
    					do {
    						_t6 =  *_t26;
    						_t26 = _t26 + 2;
    					} while (_t6 != 0);
    					while(1) {
    						_t27 = _t26 - _t19;
    						_t28 = _t27 >> 1;
    						if(_t27 == 0) {
    							break;
    						}
    						if( *0x106259c != 0) {
    							_t8 = 1;
    						} else {
    							if( *_t23 != 0x3d) {
    								_push(_t23);
    								E01039950(L"%s\r\n");
    							}
    							_t23 = _t23 + _t28 * 2 + 2;
    							_t30 = _t23;
    							_t19 = _t30 + 2;
    							do {
    								_t9 =  *_t30;
    								_t30 = _t30 + 2;
    							} while (_t9 != 0);
    							continue;
    						}
    						L12:
    						return _t8;
    						goto L14;
    					}
    					_t8 = 0;
    					goto L12;
    				} else {
    					_push("Null environment");
    					fprintf(E0104727B(_t5, 2), "\nCMD Internal Error %s\n");
    					return 1;
    				}
    				L14:
    			}














    APIs
      • Part of subcall function 0104727B: __iob_func.MSVCRT ref: 01047280
    • fprintf.MSVCRT ref: 01055182
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: __iob_funcfprintf
    • String ID: CMD Internal Error %s$%s$Null environment
    • API String ID: 620453056-2781220306
    • Opcode ID: 110ffb3f4d81953b64c28795f8c9911c4481094376ba989176c8be104eae66ab
    • Instruction ID: c72a4bd7a36ffdaf41595cee3fd0509d8656b4c9796e598c7568a55dc04a6380
    • Opcode Fuzzy Hash: 110ffb3f4d81953b64c28795f8c9911c4481094376ba989176c8be104eae66ab
    • Instruction Fuzzy Hash: 54019E37E403129BC7B52A5CBC458A377A8EBC0224315056FECDB93140FA615D428188
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 37%
    			E01053500() {
    				struct HINSTANCE__* _t3;
    				_Unknown_base(*)()* _t7;
    
    				_t7 =  *0x1079094;
    				if(_t7 != 0) {
    					L5:
    					 *0x107a4c4();
    					return  *_t7();
    				} else {
    					_t3 =  *0x105e55c; // 0x0
    					if(_t3 == 0) {
    						_t3 = GetModuleHandleW(L"ntdll.dll");
    						 *0x105e55c = _t3;
    					}
    					_t7 = GetProcAddress(_t3, "RtlDllShutdownInProgress");
    					 *0x1079094 = _t7;
    					if(_t7 != 0) {
    						goto L5;
    					} else {
    						return 0;
    					}
    				}
    			}






    APIs
    • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(ntdll.dll), ref: 0105351B
    • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,RtlDllShutdownInProgress), ref: 0105352C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: RtlDllShutdownInProgress$ntdll.dll
    • API String ID: 1646373207-582119455
    • Opcode ID: 150a35b08e19edc8d805ddaa374b0d0d58ee7c28c573fe26d10562c0c58de802
    • Instruction ID: d5dfff76b330a496f62d55780adc06f9ec7b6b25ce4ec214b4dffa2e5fcacc85
    • Opcode Fuzzy Hash: 150a35b08e19edc8d805ddaa374b0d0d58ee7c28c573fe26d10562c0c58de802
    • Instruction Fuzzy Hash: E3E01231F42330DB9FB25B39B50955B77D8B684BB93051195FCC9EB209EA299C418FD0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 37%
    			E010538F0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
    				_Unknown_base(*)()* _t5;
    				_Unknown_base(*)()* _t9;
    
    				_t5 = GetProcAddress(GetModuleHandleW(L"kernelbase.dll"), "RaiseFailFastException");
    				_t9 = _t5;
    				if(_t9 != 0) {
    					 *0x107a4c4(_a4, _a8, _a12);
    					return  *_t9();
    				}
    				return _t5;
    			}






    APIs
    • GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(kernelbase.dll), ref: 010538FB
    • GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,RaiseFailFastException), ref: 01053907
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: RaiseFailFastException$kernelbase.dll
    • API String ID: 1646373207-919018592
    • Opcode ID: 0ab8a2448443013852e2e51434bd8b485d49d425b1db319ab630bbc13ab6b713
    • Instruction ID: 6d363661446e62ae96b974d8e8804b8c55941cc88d45456cba8b802fc5fb2e8a
    • Opcode Fuzzy Hash: 0ab8a2448443013852e2e51434bd8b485d49d425b1db319ab630bbc13ab6b713
    • Instruction Fuzzy Hash: 55E0E676A41715F78B311F96EC0DC4F7F19FB846F17044065F9499B1148A778850DBA0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 49%
    			E010452F5(void* __ecx, char* __edx) {
    				signed int _v8;
    				int _v20;
    				char _v24;
    				int _v28;
    				void _v548;
    				void* _v560;
    				int _v564;
    				intOrPtr _v568;
    				int _v572;
    				char _v576;
    				int _v580;
    				char _v584;
    				intOrPtr _v588;
    				intOrPtr _v592;
    				void* _v602;
    				int _v606;
    				int _v610;
    				int _v614;
    				int _v618;
    				int _v622;
    				int _v626;
    				int _v630;
    				int _v634;
    				short _v636;
    				int _v640;
    				int _v644;
    				int _v648;
    				intOrPtr _v652;
    				intOrPtr _v656;
    				signed int _v660;
    				intOrPtr _v664;
    				int _v668;
    				char _v672;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t61;
    				int _t69;
    				intOrPtr _t77;
    				signed int _t80;
    				long _t85;
    				long _t89;
    				void* _t91;
    				void* _t92;
    				intOrPtr _t93;
    				intOrPtr* _t105;
    				signed int _t106;
    				void* _t116;
    				intOrPtr _t118;
    				WCHAR** _t119;
    				void* _t123;
    				signed int _t125;
    				signed int _t127;
    				signed int _t128;
    
    				_t111 = __edx;
    				_t127 = (_t125 & 0xfffffff8) - 0x29c;
    				_t61 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t61 ^ _t127;
    				_v24 = 1;
    				_v644 = 0;
    				_t91 = __ecx;
    				_v636 = 0;
    				_v660 = 0;
    				_v648 = 0;
    				_v640 = 0;
    				_v634 = 0;
    				_v630 = 0;
    				_v626 = 0;
    				_v622 = 0;
    				_v618 = 0;
    				_v614 = 0;
    				_v610 = 0;
    				_v606 = 0;
    				asm("stosd");
    				_v668 = 0;
    				_v28 = 0;
    				asm("stosd");
    				asm("stosd");
    				asm("stosw");
    				_v584 = 0;
    				_v580 = 0;
    				_v576 = 0;
    				_v572 = 0;
    				_v564 = 0;
    				asm("stosd");
    				asm("stosd");
    				asm("stosd");
    				_v20 = 0x104;
    				memset( &_v548, 0, 0x104);
    				_t128 = _t127 + 0xc;
    				if(E0103E3F0(0x7fe9) < 0) {
    					L20:
    					_t122 = 1;
    				} else {
    					_t111 =  &_v660;
    					_v664 =  *0x1066778;
    					_v656 = 6;
    					_t122 = 0;
    					_v652 = 0;
    					_v588 = 0;
    					_v568 = 0;
    					if(E010454F2(_t91, _t91,  &_v660) == 1) {
    						goto L20;
    					} else {
    						_t102 = _v28;
    						if(_v28 == 0) {
    							_t102 =  &_v548;
    						}
    						_t111 = _v20;
    						E01038E9E(_t91, _t102, _v20, 0);
    						_t93 = _v592;
    						if(_t93 == 0) {
    							_push(0);
    							goto L32;
    						} else {
    							_t111 =  &_v584;
    							_t118 = _t93;
    							do {
    								_t105 =  *_t111;
    								_v672 = _t105 + 2;
    								do {
    									_t77 =  *_t105;
    									_t105 = _t105 + 2;
    								} while (_t77 != _v668);
    								_t106 = _t105 - _v672;
    								_t102 = _t106 >> 1;
    								if(_t106 == 0) {
    									_push(0);
    									L32:
    									_push(0x232a);
    									E010378E4(_t102);
    									goto L20;
    								} else {
    									goto L8;
    								}
    								goto L16;
    								L8:
    								_t111 =  *((intOrPtr*)(_t111 + 0xc));
    								_t118 = _t118 - 1;
    							} while (_t118 != 0);
    							_t119 =  &_v584;
    							_t80 = _v660 & 0x00000010;
    							_v668 = _t80;
    							do {
    								if(_t80 == 0) {
    									if(RemoveDirectoryW( *_t119) != 0) {
    										goto L13;
    									} else {
    										_t85 = GetLastError();
    										_t122 = _t85;
    										_push(0);
    										_push(_t85);
    										goto L30;
    									}
    									goto L16;
    								} else {
    									if((_v660 & 0x00002000) == 0) {
    										if(E01059C2E( *_t119, 0x234e, 0x2328) == 1) {
    											goto L12;
    										} else {
    											_t122 = 1;
    											goto L13;
    										}
    										goto L16;
    									} else {
    										L12:
    										_t108 =  *_t119;
    										_t111 =  &_v672;
    										_t89 = E01044EC1( *_t119,  &_v672);
    										if(_t89 != 0) {
    											if(_t89 != 0x91 || _v672 != 0) {
    												_t108 = 0;
    												_t122 = _t89;
    												_push(0);
    												_push(_t89);
    												L30:
    												E010378E4(_t108);
    												_pop(_t108);
    											}
    										}
    									}
    								}
    								L13:
    								_t119 = _t119[3];
    								_t80 = _v668;
    								_t93 = _t93 - 1;
    							} while (_t93 != 0);
    							_t82 = _v28;
    							if(_v28 == 0) {
    								_t82 =  &_v548;
    							}
    							E0104238B(_t111, _t82, _v20);
    							E0104198F(_v672, _t119);
    						}
    					}
    				}
    				L16:
    				_t69 = _v28;
    				_v28 = 0;
    				if(_t69 != 0) {
    					__imp__??_V@YAXPAX@Z(_t69);
    				}
    				_pop(_t116);
    				_pop(_t123);
    				_pop(_t92);
    				return E01046B30(_t122, _t92, _v8 ^ _t128, _t111, _t116, _t123);
    			}


























































    APIs
    • memset.MSVCRT ref: 0104539E
      • Part of subcall function 0103E3F0: memset.MSVCRT ref: 0103E455
    • ??_V@YAXPAX@Z.MSVCRT ref: 010454C6
      • Part of subcall function 01038E9E: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,01078BF0,00000000,?), ref: 01038EC3
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: memset$CurrentDirectory
    • String ID:
    • API String ID: 168429351-0
    • Opcode ID: e78887ccb653a51b255ad46bb6262249b59159be8bf711158a19a0ecc1fb3241
    • Instruction ID: 4fca836a97b202c09a702824cdba6b8aa12a367f6b4335a3a115fa5af22505c0
    • Opcode Fuzzy Hash: e78887ccb653a51b255ad46bb6262249b59159be8bf711158a19a0ecc1fb3241
    • Instruction Fuzzy Hash: F66159B1A083429FD368DF28D88466BBBE5BFC8304F04496EF9D9C7250DB759844CB96
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 53%
    			E0103AA75(void* __ecx) {
    				short* _v8;
    				signed int _v12;
    				void* __edi;
    				long _t22;
    				intOrPtr _t24;
    				short* _t28;
    				void* _t29;
    				void* _t30;
    				long _t32;
    				signed int _t34;
    				void* _t35;
    				signed int _t38;
    				signed int _t39;
    				wchar_t* _t40;
    				long _t41;
    				wchar_t* _t42;
    				signed int _t44;
    				signed int _t45;
    				long _t46;
    				wchar_t* _t50;
    				wchar_t* _t59;
    				signed int _t60;
    				signed int _t69;
    				wchar_t* _t71;
    				void* _t73;
    				long* _t76;
    				long* _t78;
    				long _t79;
    				void* _t80;
    				void* _t81;
    				void* _t82;
    				signed short* _t83;
    				wchar_t* _t84;
    
    				_t83 =  *(__ecx + 0x3c);
    				if( *0x1066755 == 0) {
    					_push(3);
    					_t84 = E0103BC30(_t83, "=");
    					_t46 = 0;
    					__eflags =  *_t84;
    					if( *_t84 == 0) {
    						L26:
    						return E01055166( *0x1062594);
    					}
    					_t71 = _t84;
    					_v8 = 0;
    					_t81 = 2;
    					do {
    						_t50 = _t71;
    						_t6 =  &(_t50[0]); // 0x2
    						_v12 = _t6;
    						do {
    							_t22 =  *_t50;
    							_t50 = _t50 + _t81;
    							__eflags = _t22 - _t46;
    						} while (_t22 != _t46);
    						_t52 = _t50 - _v12 >> 1;
    						_t71 = _t71 + (_t50 - _v12 >> 1) * 2 + 2;
    						_t24 = _v8 + 1;
    						_v8 = _t24;
    						__eflags =  *_t71 - _t46;
    					} while ( *_t71 != _t46);
    					__eflags = _t24 - 3;
    					if(_t24 > 3) {
    						L40:
    						_push(_t46);
    						_push(0x232a);
    						E010378E4(_t52);
    						return 1;
    					}
    					_t52 = _t84;
    					_t28 = E0103A7D5(_t52);
    					_v8 = _t28;
    					__eflags =  *_t28 - 0x3d;
    					if( *_t28 != 0x3d) {
    						goto L40;
    					}
    					_t73 = _t52 + 2;
    					do {
    						_t29 =  *_t52;
    						_t52 = _t52 + _t81;
    						__eflags = _t29 - _t46;
    					} while (_t29 != _t46);
    					_v12 = _t52 - _t73 >> 1;
    					_t30 = E01040060(_t84, _t81);
    					__eflags = _v12 + 1;
    					E0103F3A0(_t84, _v12 + 1, _t30);
    					_t59 = _t84;
    					_t17 =  &(_t59[0]); // 0x2
    					_t76 = _t17;
    					do {
    						_t32 =  *_t59;
    						_t59 = _t59 + _t81;
    						__eflags = _t32 - _t46;
    					} while (_t32 != _t46);
    					_t60 = _t59 - _t76;
    					__eflags = _t60;
    					_t52 = _t60 >> 1;
    					if(_t60 == 0) {
    						goto L40;
    					}
    					_t78 = _v8 + 4;
    					L14:
    					return E0103A976(_t84, _t78);
    				}
    				if(_t83 == 0) {
    					goto L26;
    				}
    				_t34 =  *_t83 & 0x0000ffff;
    				if(_t34 == 0) {
    					goto L26;
    				}
    				_t52 = _t34;
    				_t35 = 0x20;
    				_t82 = 2;
    				while(_t52 <= _t35) {
    					_t83 = _t83 + _t82;
    					_t45 =  *_t83 & 0x0000ffff;
    					_t52 = _t45;
    					_t35 = 0x20;
    					if(_t45 != 0) {
    						continue;
    					}
    					break;
    				}
    				_t46 = 0;
    				if( *_t83 == 0) {
    					goto L26;
    				}
    				__imp___wcsnicmp(_t83, L"/A", _t82);
    				if(_t35 == 0) {
    					return E01043326( &(_t83[2]));
    				}
    				__imp___wcsnicmp(_t83, L"/P", _t82);
    				if(_t35 == 0) {
    					return E010553AA( &(_t83[2]), __eflags);
    				}
    				_t38 =  *_t83 & 0x0000ffff;
    				if(_t38 == 0x2f) {
    					goto L40;
    				}
    				_t79 = 0x22;
    				if(_t38 == _t79) {
    					_t84 = _t83 + _t82;
    					_t39 =  *_t84 & 0x0000ffff;
    					__eflags = _t39;
    					if(_t39 == 0) {
    						L24:
    						_t40 = wcsrchr(_t84, _t79);
    						_pop(_t52);
    						__eflags = _t40;
    						if(_t40 != 0) {
    							_t52 = 0;
    							 *_t40 = 0;
    						}
    						goto L11;
    					}
    					_t69 = _t39;
    					_t80 = 0x20;
    					while(1) {
    						__eflags = _t69 - _t80;
    						if(_t69 > _t80) {
    							break;
    						}
    						_t84 = _t84 + _t82;
    						_t44 =  *_t84 & 0x0000ffff;
    						_t69 = _t44;
    						__eflags = _t44;
    						if(_t44 != 0) {
    							continue;
    						}
    						break;
    					}
    					_t79 = 0x22;
    					goto L24;
    				}
    				L11:
    				_t41 = 0x3d;
    				if( *_t84 == _t41) {
    					goto L40;
    				}
    				_t42 = wcschr(_t84, _t41);
    				if(_t42 == 0) {
    					return E010551E8(_t84);
    				}
    				_t2 =  &(_t42[0]); // 0x2
    				_t78 = _t2;
    				 *_t42 = 0;
    				goto L14;
    			}





































    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: _wcsnicmp$wcschr
    • String ID:
    • API String ID: 3270668897-0
    • Opcode ID: fdf50aa6799cf64b230d893f9a03ca3760cc9b913b30019a10f37de11fdda58a
    • Instruction ID: 347709fef59ce958c3a9eceda7035c0e47998e78d54b0e790f295685ecc7cba9
    • Opcode Fuzzy Hash: fdf50aa6799cf64b230d893f9a03ca3760cc9b913b30019a10f37de11fdda58a
    • Instruction Fuzzy Hash: 6F516B79700211DBEB69EB6C9990A7E77E9EFC4604B1844BDD9C2DB2C1EB714A42C390
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 83%
    			E0103DED0(void* __ebx, signed short* __ecx, void* __edi, void* __esi) {
    				intOrPtr _v8;
    				signed short* _v16;
    				signed short* _v20;
    				signed short _v24;
    				signed int _t28;
    				intOrPtr _t29;
    				int _t32;
    				signed short* _t34;
    				int _t37;
    				intOrPtr* _t55;
    				signed short* _t59;
    				signed short _t65;
    				signed short* _t66;
    				signed short* _t67;
    				signed int _t72;
    				signed short** _t73;
    				signed short _t79;
    				void* _t87;
    				void* _t91;
    
    				_push(__ebx);
    				_t50 = _t87;
    				_v8 =  *((intOrPtr*)(_t87 + 4));
    				_t91 = (_t87 - 0x00000008 & 0xfffffff8) + 4 - 0x10;
    				_push(__esi);
    				_t79 = 0;
    				_v16 = __ecx;
    				_push(__edi);
    				_v24 = 0;
    				while(1) {
    					_t65 =  *0x1074af0;
    					_t72 = _t65 & 0x0000ffff;
    					_t28 = _t72;
    					if(_t28 == 0x3e || _t28 == 0x3c) {
    						goto L7;
    					}
    					_t39 = iswdigit(_t65 & 0x0000ffff);
    					_t91 = _t91 + 4;
    					if(_t39 != 0) {
    						_t72 =  *0x1074af2 & 0x0000ffff;
    						_t39 = _t72;
    						if(_t39 != 0x3e) {
    							if(_t39 == 0x3c) {
    								goto L7;
    							} else {
    								goto L4;
    							}
    						} else {
    							goto L7;
    						}
    					} else {
    						L4:
    						if(_t79 != 0) {
    							if(_v24 == _t79) {
    								E0103CF10(_t39, 0, 0, 0);
    							}
    							return 1;
    						} else {
    							return 0;
    						}
    					}
    					L40:
    					L7:
    					_t29 = E0103DCD0(0x18);
    					_t55 = _v16;
    					 *_t55 = _t29;
    					if(_t29 == 0) {
    						 *0x10665ec = 0x234a;
    						__imp__longjmp(0x1070ab0, 1);
    						asm("int3");
    						if(_t55 <= 0xc42e || _t55 == 0xc431 || _t55 == 0xc433) {
    							_t65 = 0;
    						}
    						return _t65;
    					} else {
    						 *(_t29 + 0x10) = _t72;
    						_t79 = _t79 + 1;
    						_v20 = 0x1074af0;
    						_t32 = iswdigit( *0x1074af0 & 0x0000ffff);
    						_t91 = _t91 + 4;
    						_t34 =  *_v16;
    						if(_t32 != 0) {
    							 *_t34 = ( *0x1074af0 & 0x0000ffff) - 0x30;
    							_t59 = 0x1074af2;
    						} else {
    							_t59 = _v20;
    							if(_t72 != 0x3e) {
    								 *_t34 = 0;
    							} else {
    								 *_t34 = 1;
    							}
    						}
    						_t35 =  *_t59;
    						_t10 =  &(_t59[1]); // 0x1074af4
    						_t66 = _t10;
    						_v20 = _t66;
    						if( *_t59 !=  *_t66) {
    							_t73 = _v16;
    						} else {
    							if(_t72 == 0x3c) {
    								E01058959(_t35, _t59);
    								_t66 = _v20;
    							}
    							_t73 = _v16;
    							_t59 = _t66;
    							( *_t73)[6] = 1;
    						}
    						_t60 =  &(_t59[1]);
    						_v20 = _t60;
    						if( *_t60 == 0x26) {
    							_t67 = _t60;
    							_t21 =  &(_t67[1]); // 0x1074af2
    							_v16 = _t21;
    							do {
    								_t37 =  *_t67;
    								_t67 =  &(_t67[1]);
    							} while (_t37 != 0);
    							if(_t67 - _v16 >> 1 != 2) {
    								L28:
    								E01058959(_t37, _t60);
    							} else {
    								_t37 = iswdigit(_t60[1] & 0x0000ffff);
    								_t91 = _t91 + 4;
    								if(_t37 == 0) {
    									goto L28;
    								} else {
    									_t37 = E0103ACB0(_v20);
    									_t60 =  *_t73;
    									( *_t73)[2] = _t37;
    									if(_t37 == 0) {
    										goto L28;
    									}
    								}
    							}
    						} else {
    							( *_t73)[2] = E0103A931(_t50, _t60, _t73, _t79);
    						}
    						_t39 =  *0x10665cc;
    						if( *( *0x10665cc) == 0) {
    							goto L4;
    						} else {
    							E0103CC70(0);
    							_v24 = _v24 + 1;
    							_v16 =  &(( *_t73)[0xa]);
    							continue;
    						}
    					}
    					goto L40;
    				}
    			}























    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: iswdigit
    • String ID:
    • API String ID: 3849470556-0
    • Opcode ID: 39c8c4ac5d67e87f9c203a0a8738b120dd57863673ea9e3e135f068c77096755
    • Instruction ID: a08e837cd6e3bb6af2f441dfad126f86875c66952a183841e73ceb880fe55d80
    • Opcode Fuzzy Hash: 39c8c4ac5d67e87f9c203a0a8738b120dd57863673ea9e3e135f068c77096755
    • Instruction Fuzzy Hash: 0551E174A04205DFDB259FADC88427EB7F9BBC0300F5481AAE98197281EB76D951CB81
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 96%
    			E01041CD5(intOrPtr* __ecx, long __edx, WCHAR* _a4) {
    				long _v8;
    				WCHAR* _v12;
    				void* __ebx;
    				void* __edi;
    				intOrPtr _t30;
    				void* _t31;
    				intOrPtr _t35;
    				short _t38;
    				signed short _t40;
    				int _t41;
    				long _t46;
    				intOrPtr _t49;
    				short _t50;
    				int _t53;
    				intOrPtr* _t60;
    				signed int _t62;
    				signed short* _t63;
    				intOrPtr* _t68;
    				signed int _t70;
    				void* _t72;
    				void* _t75;
    				signed short* _t76;
    				void* _t78;
    				WCHAR* _t80;
    				long _t82;
    				intOrPtr* _t84;
    				signed int _t86;
    				signed short* _t87;
    
    				_push(__ecx);
    				_push(__ecx);
    				_t80 = __ecx;
    				_v8 = __edx;
    				_t57 = _a4;
    				_t53 = 0;
    				_t84 = _a4;
    				_t3 = _t84 + 2; // 0x2
    				_t72 = _t3;
    				do {
    					_t30 =  *_t84;
    					_t84 = _t84 + 2;
    				} while (_t30 != 0);
    				_t86 = _t84 - _t72 >> 1;
    				_t31 = E01040060(_t57, __ecx);
    				_t4 = _t86 + 1; // -1
    				_t87 = _a4;
    				E0103F3A0(_t87, _t4, _t31);
    				if(( *_t87 & 0x0000ffff) == 0) {
    					E01038E9E(0, __ecx, _v8, 0);
    					_t60 = __ecx + 4;
    					_t75 = _t60 + 2;
    					do {
    						_t35 =  *_t60;
    						_t60 = _t60 + 2;
    					} while (_t35 != 0);
    					_t62 = _t60 - _t75 >> 1;
    					if(_t62 + 3 < 0x7fe7) {
    						if(_t62 != 1) {
    							_t38 = 0x5c;
    							 *((short*)(__ecx + 4 + _t62 * 2)) = _t38;
    							 *((short*)(__ecx + 6 + _t62 * 2)) = 0;
    						}
    						goto L8;
    					}
    					 *0x10667a8 = 3;
    					goto L21;
    				} else {
    					_t63 = _t87;
    					_t6 =  &(_t63[1]); // 0x2
    					_t76 = _t6;
    					do {
    						_t40 =  *_t63;
    						_t63 =  &(_t63[1]);
    					} while (_t40 != 0);
    					if(_t63 - _t76 >> 1 == 2) {
    						if(_t87[1] != 0x3a) {
    							goto L6;
    						}
    						E01038E9E(0, __ecx, _v8,  *_t87 & 0x0000ffff);
    						_t68 = __ecx;
    						_t78 = __ecx + 2;
    						do {
    							_t49 =  *_t68;
    							_t68 = _t68 + 2;
    						} while (_t49 != 0);
    						_t70 = _t68 - _t78 >> 1;
    						if(_t70 > 3) {
    							_t50 = 0x5c;
    							 *((short*)(__ecx + _t70 * 2)) = _t50;
    							 *((short*)(__ecx + 2 + _t70 * 2)) = 0;
    						}
    						L8:
    						return _t53;
    					}
    					L6:
    					_t41 = SetErrorMode(_t53);
    					SetErrorMode(1);
    					_t82 = _v8;
    					_v8 = GetFullPathNameW(_a4, _t82, _t80,  &_v12);
    					SetErrorMode(_t41);
    					_t46 = _v8;
    					if(_t46 == 0 || _t46 > _t82) {
    						 *0x10667a8 = 0xce;
    						L21:
    						_t53 = 1;
    					}
    					goto L8;
    				}
    			}

    APIs
    • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,?,00000000,00000000,?,?,?,010380F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 01041D3A
    • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?,010380F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 01041D44
    • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001,?,00000000,?,010380F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 01041D57
    • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,010380F4,00000000,00000000,-00000001,00000000,?,00000000), ref: 01041D61
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: ErrorMode$FullNamePath
    • String ID:
    • API String ID: 268959451-0
    • Opcode ID: 22e8b86517c995dec243d179bb9244f3567fa5d9a369bcdfb20f27f585d97069
    • Instruction ID: a220c6cf7e6dfbf0897fe2177158d18a7bf7f0a2841e2aabffecb1d9beea53c0
    • Opcode Fuzzy Hash: 22e8b86517c995dec243d179bb9244f3567fa5d9a369bcdfb20f27f585d97069
    • Instruction Fuzzy Hash: B3312BB9500102EBCB38EF6CC4959BFB7A5EF84300718896DFAC697254E7B5A941C750
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 40%
    			E010563F3(void* __eflags, char* _a4) {
    				short* _v8;
    				intOrPtr _v20;
    				long _v32;
    				void* _v36;
    				void* _v40;
    				void* __ebx;
    				void* __ecx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				void* _t29;
    				intOrPtr* _t34;
    				long _t35;
    				char _t48;
    				signed int _t55;
    				short _t63;
    				char* _t65;
    				short* _t67;
    				void* _t70;
    				char* _t76;
    				int _t78;
    				short* _t81;
    				short* _t84;
    				char* _t85;
    				void* _t86;
    				short* _t88;
    				short* _t92;
    				long _t99;
    				long _t101;
    				char* _t102;
    				int _t103;
    
    				_push(_t70);
    				_push(_t65);
    				_t29 = E010472EF(_t70);
    				if(_t29 == 0) {
    					L13:
    					return _t29;
    				} else {
    					_t29 =  *0x107d018(0, 0);
    					if(0 == 0) {
    						goto L13;
    					} else {
    						_t71 = 0;
    						_t92 = E0103DCD0(0);
    						if(_t92 == 0) {
    							L14:
    							E01059922();
    							__imp__longjmp(0x1070a30, 1);
    							asm("int3");
    							_push(0x18);
    							_push(0x105cd00);
    							E010471A8(_t65, _t92, 0);
    							_t67 = _t84;
    							_v36 = _t71;
    							_t34 = _a4;
    							__eflags = _t34;
    							if(_t34 == 0) {
    								L23:
    								__imp__RegDeleteKeyExW(_t71, _t67, 0, 0);
    								_t99 = _t34;
    								_v32 = _t99;
    								__eflags = _t99;
    								if(_t99 == 0) {
    									goto L31;
    								} else {
    									_t101 = RegOpenKeyExW(_v36, _t67, 0, 0x2000000,  &_v40);
    									_v32 = _t101;
    									__eflags = _t101;
    									if(_t101 == 0) {
    										_t99 = RegDeleteValueW(_v40, 0x10320b8);
    										_v32 = _t99;
    										__eflags = _t99;
    										if(_t99 != 0) {
    											_push(0);
    											E010378E4(_t71);
    											_t71 = _t99;
    										}
    										RegCloseKey(_v40);
    									} else {
    										__eflags = _t101 - 2;
    										if(_t101 != 2) {
    											_push(0);
    											E010378E4(_t71);
    											_t71 = _t101;
    										}
    									}
    									goto L30;
    								}
    							} else {
    								__eflags =  *_t34;
    								if( *_t34 == 0) {
    									goto L23;
    								} else {
    									_t99 = RegCreateKeyExW(_t71, _t67, 0, 0, 0, 2, 0,  &_v36, 0);
    									_v32 = _t99;
    									__eflags = _t99;
    									if(_t99 != 0) {
    										L22:
    										_push(0);
    										_push(_t99);
    										E010378E4(_t71);
    										E010378E4(_t71, 0x235d, 1, _t67);
    									} else {
    										_t85 = _a4;
    										_t76 = _t85;
    										_t102 =  &(_t76[2]);
    										do {
    											_t48 =  *_t76;
    											_t76 =  &(_t76[2]);
    											__eflags = _t48;
    										} while (_t48 != 0);
    										_t71 = _t76 - _t102 >> 1;
    										_t99 = RegSetValueExW(_v36, 0, 0, 1, _t85, 2 + (_t76 - _t102 >> 1) * 2);
    										_v32 = _t99;
    										RegCloseKey(_v36);
    										__eflags = _t99;
    										if(_t99 != 0) {
    											goto L22;
    										} else {
    											_push(_a4);
    											_push(_t67);
    											E01039950(L"%s=%s\r\n");
    										}
    									}
    									L30:
    									__eflags = _t99;
    									if(_t99 == 0) {
    										L31:
    										_v8 = 0;
    										_t35 = E010472EF(_t71);
    										__eflags = _t35;
    										if(_t35 != 0) {
    											 *0x107d020(0x8000000, 0, 0, 0);
    										}
    										_v8 = 0xfffffffe;
    									}
    								}
    							}
    							 *[fs:0x0] = _v20;
    							return _t99;
    						} else {
    							_t71 = 0;
    							_t65 = E0103DCD0(0);
    							_v8 = _t65;
    							if(_t65 == 0) {
    								goto L14;
    							} else {
    								if(E010472EF(0) != 0) {
    									 *0x107d018(0, _t65);
    								}
    								_t78 =  *0x10625a0;
    								_t55 = E0103E248(_t78);
    								asm("sbb eax, eax");
    								MultiByteToWideChar(_t78,  ~( ~_t55), _t65, 0xffffffff, _t92, 0);
    								_t103 = SetErrorMode(1);
    								if( *_t92 != 0) {
    									_t86 = 0;
    									do {
    										E01038BC7(0, _t92, _t86 + _t86, _t92, _t103, _t86 + _t86);
    										_t81 = _t92;
    										_t3 =  &(_t81[1]); // 0x2
    										_t88 = _t3;
    										do {
    											_t63 =  *_t81;
    											_t81 =  &(_t81[1]);
    										} while (_t63 != 0);
    										_t86 = 1;
    										_t92 =  &(( &(_t92[_t81 - _t88 >> 1]))[1]);
    									} while ( *_t92 != 0);
    									_t65 = _v8;
    								}
    								SetErrorMode(_t103);
    								_t29 = E0103DC60(_t65);
    								goto L13;
    							}
    						}
    					}
    				}
    			}

    APIs
    • longjmp.MSVCRT(01070A30,00000001,?,?,0104BFD6,?,?,?,?,?,?,?,?), ref: 010564D4
      • Part of subcall function 0103DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0103ACD8,00000001,?,00000000,01038C23,-00000105,0105C9B0,00000240,01041E92,00000000,00000000,0104ACE0,00000000), ref: 0103DCE1
      • Part of subcall function 0103DCD0: RtlAllocateHeap.NTDLL(00000000,?,0103ACD8,00000001,?,00000000,01038C23,-00000105,0105C9B0,00000240,01041E92,00000000,00000000,0104ACE0,00000000,00000000), ref: 0103DCE8
      • Part of subcall function 010472EF: ApiSetQueryApiSetPresence.API-MS-WIN-CORE-APIQUERY-L1-1-0(01031028,?,?,?,0104F12E,0105CA50,00000018,01041E7C,00000000,00000000,0104ACE0,00000000,00000000,?,00000104,?), ref: 01047314
    • MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(?,00000000,00000000,000000FF,00000000,00000000,?,?,0104BFD6), ref: 0105646C
    • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?,00000000,00000000,000000FF,00000000,00000000,?,?,0104BFD6), ref: 01056474
    • SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,00000000,000000FF,00000000,00000000,?,?,0104BFD6), ref: 010564B6
    Similarity
    • API ID: ErrorHeapMode$AllocateByteCharMultiPresenceProcessQueryWidelongjmp
    • String ID:
    • API String ID: 1207214719-0
    • Opcode ID: 0fd1b3f49451a74b5912ec6425054fcf802a73da1cf5a460c5ab45c57acdca99
    • Instruction ID: 41e57a5193bf82f40278abaffc3a0128708b80e92cec0b1fab7c19e6b0165f79
    • Opcode Fuzzy Hash: 0fd1b3f49451a74b5912ec6425054fcf802a73da1cf5a460c5ab45c57acdca99
    • Instruction Fuzzy Hash: BC212C71700206ABD765AFB888549BF3F9BDFD03107484668FD8297284DE7A8C0587A0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 71%
    			E01059FF8(WCHAR* __ecx) {
    				signed int _v8;
    				long _v20;
    				char _v24;
    				int _v28;
    				void _v548;
    				WCHAR* _v552;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t23;
    				WCHAR* _t36;
    				long _t37;
    				void* _t38;
    				WCHAR* _t39;
    				int _t42;
    				int _t45;
    				void* _t51;
    				WCHAR* _t53;
    				signed int _t54;
    
    				_t23 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t23 ^ _t54;
    				_v20 = 0x104;
    				_v552 = 0;
    				_t42 = 1;
    				_v28 = 0;
    				_t53 = __ecx;
    				_v24 = 1;
    				memset( &_v548, 0, 0x104);
    				if(E0103E3F0(((0 | _v24 == 0x00000000) - 0x00000001 & 0x0000fdc6) + 0x208) < 0) {
    					L10:
    					_t42 = 0;
    				} else {
    					_t36 = _v28;
    					if(_t36 == 0) {
    						_t36 =  &_v548;
    					}
    					_t37 = GetFullPathNameW(_t53, _v20, _t36,  &_v552);
    					if(_t37 == 0 || _t37 <= 0xffce) {
    						goto L10;
    					} else {
    						_t38 = _v28;
    						if(_t38 == 0) {
    							_t38 =  &_v548;
    						}
    						 *((short*)(_t38 + 6)) = 0;
    						_t39 = _v28;
    						if(_t39 == 0) {
    							_t39 =  &_v548;
    						}
    						if(GetDriveTypeW(_t39) != 4) {
    							goto L10;
    						}
    					}
    				}
    				_t45 = _v28;
    				_v28 = 0;
    				if(_t45 != 0) {
    					__imp__??_V@YAXPAX@Z(_t45);
    				}
    				return E01046B30(_t42, _t42, _v8 ^ _t54, _t51, 0, _t53);
    			}

    APIs
    • memset.MSVCRT ref: 0105A034
      • Part of subcall function 0103E3F0: memset.MSVCRT ref: 0103E455
    • GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00450052,-00000209,00000000,?,-00000209,0020005D,0103234C,0020005D), ref: 0105A078
    • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 0105A0AA
    • ??_V@YAXPAX@Z.MSVCRT ref: 0105A0C2
    Similarity
    • API ID: memset$DriveFullNamePathType
    • String ID:
    • API String ID: 3442494845-0
    • Opcode ID: 573ccacb4bd431f2a26dcc689e048cc632078a84a8f01aa0b2bb142040f618a3
    • Instruction ID: 857803b22aa67b39dc4503427dd5b42dd0b60c79da914f5ded3c6969b1c4fa51
    • Opcode Fuzzy Hash: 573ccacb4bd431f2a26dcc689e048cc632078a84a8f01aa0b2bb142040f618a3
    • Instruction Fuzzy Hash: 3F219771B1020A9BDB65DFA9DD89DAFBBF8EF44300F0401A9B545E3101D635DA448BA1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 79%
    			E010562B3(void* __ebx, void* __ecx, short* __edx, void* __edi, void* __esi, void* __eflags) {
    				long _t22;
    				long _t35;
    				char* _t47;
    				void* _t49;
    
    				_push(0x1c);
    				_push(0x105cd20);
    				E010471A8(__ebx, __edi, __esi);
    				_t44 = __ecx;
    				 *((intOrPtr*)(_t49 - 0x2c)) = __ecx;
    				_t47 = 0;
    				 *(_t49 - 0x20) = 0;
    				 *(_t49 - 0x24) = 0;
    				 *(_t49 - 0x1c) = __ecx;
    				 *((intOrPtr*)(_t49 - 4)) = 0;
    				if(__edx == 0 ||  *__edx == 0) {
    					L4:
    					_t22 = RegQueryValueExW( *(_t49 - 0x1c), 0, 0, _t49 - 0x28, 0, _t49 - 0x24);
    					if(_t22 != 2) {
    						if(_t22 != 0) {
    							goto L3;
    						} else {
    							_t47 = E0103DCD0( *(_t49 - 0x24));
    							 *(_t49 - 0x20) = _t47;
    							if(_t47 == 0) {
    								_push(8);
    								goto L11;
    							} else {
    								_t35 = RegQueryValueExW( *(_t49 - 0x1c), 0, 0, _t49 - 0x28, _t47, _t49 - 0x24);
    								if(_t35 != 0) {
    									E0103DC60(_t47);
    									_t47 = 0;
    									 *(_t49 - 0x20) = 0;
    									_push(_t35);
    									goto L11;
    								}
    							}
    						}
    					} else {
    						_t47 = E0103ACB0(0x10320b8);
    						 *(_t49 - 0x20) = _t47;
    					}
    				} else {
    					_t22 = RegOpenKeyExW(__ecx, __edx, 0, 1, _t49 - 0x1c);
    					if(_t22 == 0) {
    						goto L4;
    					} else {
    						L3:
    						_push(_t22);
    						L11:
    						SetLastError();
    					}
    				}
    				 *((intOrPtr*)(_t49 - 4)) = 0xfffffffe;
    				E01056387(_t44);
    				 *[fs:0x0] =  *((intOrPtr*)(_t49 - 0x10));
    				return _t47;
    			}

    APIs
    • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000001,?,0105CD20,0000001C,010558DF), ref: 010562E6
    • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,00000000,?,00000000,?,0105CD20,0000001C,010558DF), ref: 01056301
    • RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,00000000,?,00000000,?), ref: 01056340
    • SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 0105635D
    Similarity
    • API ID: QueryValue$ErrorLastOpen
    • String ID:
    • API String ID: 4270309053-0
    • Opcode ID: d75d3efcafcdba0e70e46bb594cd686323c0e731f4255a3090e5cea24e2d5a7d
    • Instruction ID: 020418b794fdeaf260480bc4deb42191a4387d823145b65f995aa794a39c077d
    • Opcode Fuzzy Hash: d75d3efcafcdba0e70e46bb594cd686323c0e731f4255a3090e5cea24e2d5a7d
    • Instruction Fuzzy Hash: 152121B1E002199FEB519FD898819EFBBBDFB48650F544166E941F3140D7768D018B60
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 43%
    			E01042960(void* __ecx, intOrPtr _a4) {
    				wchar_t* _v8;
    				wchar_t* _v12;
    				long _t25;
    				signed int _t26;
    				void* _t28;
    				signed int _t30;
    				void* _t31;
    				void* _t33;
    				void* _t34;
    				signed int _t36;
    				intOrPtr _t45;
    				long _t48;
    				signed int _t49;
    
    				_t45 = _a4;
    				_t48 = wcstol( *(_t45 + 0x38),  &_v8, 0);
    				_t25 = wcstol( *(_t45 + 0x3c),  &_v12, 0);
    				if( *_v8 != 0 ||  *_v12 != 0) {
    					_push( *(_t45 + 0x3c));
    					_push( *(_t45 + 0x38));
    					if(( *(_t45 + 0x40) & 0x00000002) != 0) {
    						_t26 = lstrcmpiW();
    					} else {
    						_t26 = lstrcmpW();
    					}
    					_t49 = _t26;
    					goto L3;
    				} else {
    					_t49 = _t48 - _t25;
    					L3:
    					_t28 =  *((intOrPtr*)(_t45 + 0x44)) - 1;
    					if(_t28 == 0) {
    						_t30 = 0 | _t49 == 0x00000000;
    						L9:
    						return _t30;
    					}
    					_t31 = _t28 - 1;
    					if(_t31 == 0) {
    						_t30 = 0 | _t49 != 0x00000000;
    						goto L9;
    					}
    					_t33 = _t31 - 1;
    					if(_t33 == 0) {
    						L14:
    						_t30 = _t49 >> 0x1f;
    						goto L9;
    					}
    					_t34 = _t33 - 1;
    					if(_t34 == 0) {
    						_t30 = 0 | _t49 <= 0x00000000;
    						goto L9;
    					}
    					_t36 = _t34 - 1;
    					if(_t36 != 0) {
    						if(_t36 != 1) {
    							_t30 = 0;
    							goto L9;
    						}
    						_t49 =  !_t49;
    						goto L14;
    					}
    					_t30 = _t36 & 0xffffff00 | _t49 > 0x00000000;
    					goto L9;
    				}
    			}

    APIs
    • wcstol.MSVCRT ref: 01042977
    • wcstol.MSVCRT ref: 01042987
    • lstrcmpW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0(?,?,?,0103E559,?,?,00000000,?), ref: 010429FF
    • lstrcmpiW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0(?,?,?,0103E559,?,?,00000000,?), ref: 01042A09
    Similarity
    • API ID: wcstol$lstrcmplstrcmpi
    • String ID:
    • API String ID: 4273384694-0
    • Opcode ID: 8224d17ade782ad9d0022f86ab52be3c5031c9077fad60a2e236e131995b2866
    • Instruction ID: 607f49dc88720c8b5d4c70318421db0670c94029254fdca4a2b2d7154de48ddc
    • Opcode Fuzzy Hash: 8224d17ade782ad9d0022f86ab52be3c5031c9077fad60a2e236e131995b2866
    • Instruction Fuzzy Hash: 42110AB6B00126FB87725E7CAA8C97EFBA8FF002907060270F981E7544D726DD60D6E0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 47%
    			E0105C535(void* __ecx) {
    				signed int _v8;
    				int _v20;
    				char _v24;
    				signed int _v28;
    				void _v548;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t20;
    				signed int _t30;
    				void* _t33;
    				WCHAR* _t34;
    				int _t35;
    				char _t37;
    				void* _t43;
    				void* _t45;
    				signed int _t46;
    
    				_t20 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t20 ^ _t46;
    				_v28 = _v28 & 0x00000000;
    				_t37 = 1;
    				_v20 = 0x104;
    				_t45 = __ecx;
    				_v24 = 1;
    				memset( &_v548, 0, 0x104);
    				if(E0103E3F0(((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) >= 0) {
    					_t33 = _v28;
    					if(_t33 == 0) {
    						_t33 =  &_v548;
    					}
    					__imp__GetVolumePathNameW(_t45, _t33, _v20);
    					if(_t33 == 0) {
    						L8:
    						_t37 = 0;
    					} else {
    						_t34 = _v28;
    						if(_t34 == 0) {
    							_t34 =  &_v548;
    						}
    						_t35 = GetDriveTypeW(_t34);
    						if(_t35 == 0 || _t35 == 4) {
    							goto L8;
    						}
    					}
    				}
    				_t30 = _v28;
    				_v28 = _v28 & 0x00000000;
    				if(_t30 != 0) {
    					__imp__??_V@YAXPAX@Z(_t30);
    				}
    				return E01046B30(_t37, _t37, _v8 ^ _t46, _t43, 0x104, _t45);
    			}

    APIs
    • memset.MSVCRT ref: 0105C56B
      • Part of subcall function 0103E3F0: memset.MSVCRT ref: 0103E455
    • GetVolumePathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,00000001,-00000001,00000001,00000000,00000000), ref: 0105C5A5
    • GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 0105C5BD
    • ??_V@YAXPAX@Z.MSVCRT ref: 0105C5DA
    Similarity
    • API ID: memset$DriveNamePathTypeVolume
    • String ID:
    • API String ID: 1029679093-0
    • Opcode ID: 313e8ae8eca1013290376b5191fe407c85c6f9984e073620849520d3f46a9200
    • Instruction ID: 5cd3a559363eb5af68ddf40cf8dc72b7776076c3f98bbde32c0653c341c97329
    • Opcode Fuzzy Hash: 313e8ae8eca1013290376b5191fe407c85c6f9984e073620849520d3f46a9200
    • Instruction Fuzzy Hash: 23216671B003095BEB61DAE9DD85BAFBBFCEB44344F0404A9A945E3141D774DA848B61
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 58%
    			E01044C40(void* __ecx, intOrPtr __edx, FILETIME* _a4, intOrPtr _a8) {
    				struct _OVERLAPPED _v12;
    				short _t11;
    				void* _t14;
    				void* _t17;
    				void* _t27;
    				FILETIME* _t30;
    
    				_push(__ecx);
    				_push(__ecx);
    				_t27 = __ecx;
    				_t19 =  *((intOrPtr*)(__edx + 0x20));
    				_t11 = 0x1a;
    				_v12.InternalHigh = _t11;
    				if( *((intOrPtr*)(__edx + 0x20)) == 0) {
    					_t19 = __edx;
    				}
    				_t30 = _a4;
    				if(_t30 != 0xffffffff) {
    					if(E01058B41(_t19) != 0) {
    						_t12 = E0103DD98(_t12);
    						if(_t12 == 0) {
    							_t17 =  &(_v12.InternalHigh);
    							__imp___get_osfhandle(_t12);
    							_t12 = WriteFile(_t17, _t30, _t17, 1,  &_v12);
    						}
    					}
    					if(_t27 != 0 && ( *(_t27 + 0x1c) & 0x00000080) == 0 && E0103DD98(_t12) == 0) {
    						_t14 =  *0x1066704;
    						if(_t14 != 3 && _a8 != 0 && _t14 != 2) {
    							__imp___get_osfhandle(_a8);
    							SetFileTime(_t14, _t30, 0, 0);
    						}
    					}
    					_t11 = E0103A16C(_t30);
    				}
    				 *0x1066714 =  *0x1066714 + 1;
    				return _t11;
    			}

    Similarity
    • API ID:
    • String ID:
    • API String ID:
    • Opcode ID: e2170f364577d9024ffc84512e2d13f0d97e1feb56f1a8ec79bd573138754c7c
    • Instruction ID: e57be3ba32865f4a6a0598b8acc4e7c528a8b8716073b53534ebbd222e851f78
    • Opcode Fuzzy Hash: e2170f364577d9024ffc84512e2d13f0d97e1feb56f1a8ec79bd573138754c7c
    • Instruction Fuzzy Hash: DD110471600505ABFBA56E2898D8FAF3AADFF81324F184169FD82D31C4DB75D9018791
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 86%
    			E01059809(void* __ecx, long __edx, DWORD* _a4, WCHAR* _a8, intOrPtr _a12) {
    				char _v8;
    				void* _t6;
    				int _t7;
    				void* _t14;
    				DWORD* _t15;
    				void* _t27;
    				void* _t28;
    				void* _t30;
    				intOrPtr _t31;
    
    				_t15 = _a4;
    				_t6 =  &_v8;
    				_t31 = 0;
    				_t28 = __ecx;
    				__imp___get_osfhandle(0, _t27, _t30, _t14, __ecx, __ecx);
    				_t7 = WriteFile(_t6, __ecx, __edx, _t15, _t6);
    				if(_t7 == 0 || _t15 != _v8 ||  *0x106259c != 0) {
    					 *0x10667a8 = GetLastError();
    					E0103A16C(_a12);
    					if(E0103DD98(E0103A16C(_t28)) == 0) {
    						DeleteFileW(_a8);
    					} else {
    						_t31 = 0x1d;
    					}
    					 *0x10667a0 =  *0x10667a0 & 0x00000000;
    					_t22 =  *0x10667a8;
    					if( *0x10667a8 == 0) {
    						_t22 = 0x70;
    						 *0x10667a8 = _t22;
    					}
    					if( *0x106259c == 0) {
    						if(_t31 == 0) {
    							E01059EDB(_t22);
    						}
    					} else {
    						_t31 = 0;
    					}
    					_t7 = E01058C50(_t31, 1);
    				}
    				return _t7;
    			}












    APIs
    • _get_osfhandle.MSVCRT ref: 01059822
    • WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,010592EA,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 0105982A
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 01059841
    • DeleteFileW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 0105986E
    Similarity
    • API ID: File$DeleteErrorLastWrite_get_osfhandle
    • String ID:
    • API String ID: 2448200120-0
    • Opcode ID: f3ef5f6ed6644c66aad63f76cd275cca6f9ae4c7057add6fa9f104a6e3e755aa
    • Instruction ID: 6b5f549f52e15fe8e56dab8eff885c15ba580005bafe713fee29c6cac2d9decf
    • Opcode Fuzzy Hash: f3ef5f6ed6644c66aad63f76cd275cca6f9ae4c7057add6fa9f104a6e3e755aa
    • Instruction Fuzzy Hash: 4A11E731600205EFDF766B65D848ABF379DFB84729F14441AFC8593154DB7A9840CBA0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E01037221(void* __ecx) {
    				void* __edi;
    				void* __esi;
    				signed int _t16;
    				signed int _t17;
    				intOrPtr* _t18;
    				void* _t30;
    				signed short _t32;
    				void* _t38;
    				void* _t42;
    
    				if(__ecx != 0) {
    					_t16 =  *(__ecx + 0x14);
    					if(_t16 != 0) {
    						_t16 = _t16 - 1;
    						 *(__ecx + 0x14) = _t16;
    						_t42 =  *(__ecx + 0x90 + _t16 * 4);
    						 *(__ecx + 0x90 + _t16 * 4) =  *(__ecx + 0x90 + _t16 * 4) & 0x00000000;
    						if(_t42 != 0) {
    							_t41 =  *_t42;
    							_t17 =  *( *_t42) & 0x0000ffff;
    							if(_t17 >= 0x61) {
    								__eflags = _t17 - 0x7a;
    								if(__eflags > 0) {
    									goto L4;
    								}
    								_t32 = _t17 + 0xffffffe0 & 0x0000ffff;
    								L5:
    								_t18 =  *0x1078df8;
    								if(_t18 == 0) {
    									_t18 = 0x1078bf0;
    								}
    								if( *_t18 != _t32) {
    									E01059A7D((_t32 & 0x0000ffff) - 0x40, _t38);
    									_t41 =  *_t42;
    								}
    								E01038BC7(_t30, _t41, 1, _t41, _t42, 1);
    								RtlFreeHeap(GetProcessHeap(), 0,  *_t42);
    								E010372EE( *((intOrPtr*)(_t42 + 4)));
    								E010372C6( *((intOrPtr*)(_t42 + 4)));
    								 *0x1066755 =  *((intOrPtr*)(_t42 + 8));
    								 *0x1066754 =  *((intOrPtr*)(_t42 + 9));
    								return RtlFreeHeap(GetProcessHeap(), 0, _t42);
    							}
    							L4:
    							_t32 = _t17;
    							goto L5;
    						}
    					}
    				}
    				return _t16;
    			}












    APIs
    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,?,01059962,00000000,?,00000000,0104CF94,00000000,?), ref: 0103727F
    • RtlFreeHeap.NTDLL(00000000), ref: 01037286
    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 010372AF
    • RtlFreeHeap.NTDLL(00000000), ref: 010372B6
    Similarity
    • API ID: Heap$FreeProcess
    • String ID:
    • API String ID: 3859560861-0
    • Opcode ID: 810373f84592514f4c42d6bf5c8809f4c44e5f3971e617366439e3e48dc847de
    • Instruction ID: bb75d0d2f52987ec4712d0444f3affd47f1ecddc277dd36dc7b1b9ba583e2a34
    • Opcode Fuzzy Hash: 810373f84592514f4c42d6bf5c8809f4c44e5f3971e617366439e3e48dc847de
    • Instruction Fuzzy Hash: 2C1104B1601241CBEB24AF68A808B7A7BE9EFC5210F18449DF5D7DB245D729D802C760
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E010362C8() {
    				intOrPtr _t4;
    				void* _t15;
    				intOrPtr* _t16;
    				void* _t23;
    				void* _t27;
    				intOrPtr* _t28;
    				void* _t29;
    
    				_t28 =  *0x1078df8;
    				_t16 = _t28;
    				if(_t28 == 0) {
    					_t16 = 0x1078bf0;
    				}
    				_t23 = _t16 + 2;
    				do {
    					_t4 =  *_t16;
    					_t16 = _t16 + 2;
    				} while (_t4 != 0);
    				_t27 = (_t16 - _t23 >> 1) + 1;
    				if(_t28 == 0) {
    					_t28 = 0x1078bf0;
    				}
    				E01038E9E(_t15, _t28,  *0x1078e00, 0);
    				_t29 = HeapAlloc(GetProcessHeap(), 0, _t27 + _t27);
    				if(_t29 == 0) {
    					L11:
    					return 0;
    				} else {
    					_t20 =  *0x1078df8;
    					if( *0x1078df8 == 0) {
    						_t20 = 0x1078bf0;
    					}
    					E0103F3A0(_t29, _t27, _t20);
    					if(E01036359(_t29) == 0) {
    						RtlFreeHeap(GetProcessHeap(), 0, _t29);
    						goto L11;
    					} else {
    						return 1;
    					}
    				}
    			}










    APIs
    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,00000000,00000000,00000000,01036231,00000000,00000000,6030EFD1), ref: 0103630C
    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 01036313
    Similarity
    • API ID: Heap$AllocProcess
    • String ID:
    • API String ID: 1617791916-0
    • Opcode ID: 502bf6154d44227f2f1d472138b8e262bee261573015c796fc32bf3c3d60b5dc
    • Instruction ID: 75720925571b714c744c02fb802ab3bcc10b4a781ce80e94ef6caee7d769e26c
    • Opcode Fuzzy Hash: 502bf6154d44227f2f1d472138b8e262bee261573015c796fc32bf3c3d60b5dc
    • Instruction Fuzzy Hash: 92116B71B00511A7DA346B19A818B7F6B5DEFC4B51B0E805AEBC7AB284CF279D0287D4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 59%
    			E0103DD20(void* __ecx, void* __edx) {
    				void* _t12;
    				long _t15;
    				void* _t16;
    				void** _t17;
    				void* _t19;
    				void* _t20;
    
    				_t16 = __ecx;
    				_t15 = __edx + 8;
    				_t20 = __ecx - 8;
    				if(_t15 < __edx) {
    					L12:
    					_push(0);
    					_push(8);
    					E010378E4(_t16);
    					return 0;
    				}
    				_t19 = HeapReAlloc(GetProcessHeap(), 0, _t20, _t15);
    				if(_t19 == 0) {
    					goto L12;
    				}
    				 *_t19 = _t15;
    				HeapSize(GetProcessHeap(), 0, _t19);
    				if(_t19 == _t20) {
    					L3:
    					_t3 = _t19 + 8; // 0x8
    					return _t3;
    				}
    				_t12 =  *0x1066784;
    				if(_t12 != _t20) {
    					if(_t12 == 0) {
    						goto L3;
    					} else {
    						goto L8;
    					}
    					while(1) {
    						L8:
    						_t17 = _t12 + 4;
    						_t12 =  *_t17;
    						if(_t12 == _t20) {
    							break;
    						}
    						if(_t12 != 0) {
    							continue;
    						}
    						goto L3;
    					}
    					 *_t17 = _t19;
    					goto L3;
    				}
    				 *0x1066784 = _t19;
    				_t4 = _t19 + 8; // 0x8
    				return _t4;
    			}









    APIs
    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,00000000,0103BDB3,00000000,?), ref: 0103DD37
    • HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 0103DD3E
    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 0103DD53
    • HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 0103DD5A
    Similarity
    • API ID: Heap$Process$AllocSize
    • String ID:
    • API String ID: 2549470565-0
    • Opcode ID: d33ddcab5802a4029c209cb261199be5728f2321a0f15f2470a85af7ab549e51
    • Instruction ID: 8c26286d0122aa39a6f407ddedc85a89ac8d978f54ce0cf4deec7c67017b209b
    • Opcode Fuzzy Hash: d33ddcab5802a4029c209cb261199be5728f2321a0f15f2470a85af7ab549e51
    • Instruction Fuzzy Hash: 55019276600201DBD721ABA8EC8CE9D77ADFBC0792F940065E685D7044D736D804C790
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 92%
    			E01058496(unsigned int __ecx) {
    				signed int _v8;
    				signed short _v30;
    				struct _CONSOLE_SCREEN_BUFFER_INFO _v32;
    				struct _COORD _v36;
    				long _v40;
    				void* __ebx;
    				void* __esi;
    				signed int _t11;
    				void* _t17;
    				int _t27;
    				void* _t33;
    				void* _t34;
    				void* _t35;
    				signed int _t36;
    
    				_t11 =  *0x105e0b4; // 0x6030efd1
    				_v8 = _t11 ^ _t36;
    				_t27 = __ecx;
    				if(((__ecx >> 0x00000004 ^ __ecx) & 0x0000000f) == 0) {
    					L3:
    					_t17 = 1;
    				} else {
    					_t35 = GetStdHandle(0xfffffff5);
    					if(GetConsoleScreenBufferInfo(_t35,  &_v32) == 0) {
    						goto L3;
    					} else {
    						_v36 = 0;
    						FillConsoleOutputAttribute(_t35, _t27, _v32.dwSize * _v30, _v36,  &_v40);
    						SetConsoleTextAttribute(_t35, _t27);
    						_t17 = 0;
    					}
    				}
    				return E01046B30(_t17, _t27, _v8 ^ _t36, _t33, _t34, _t35);
    			}

















    APIs
    • GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,?,?,?,?,?,?,?,?,?,?,01038A51), ref: 010584B9
    • GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,?,?,?,?,?,?,?,?,01038A51), ref: 010584C6
    • FillConsoleOutputAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,01038A51), ref: 010584EA
    • SetConsoleTextAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,?,?,?,?,?,?,?,?,01038A51), ref: 010584F2
    Similarity
    • API ID: Console$Attribute$BufferFillHandleInfoOutputScreenText
    • String ID:
    • API String ID: 1033415088-0
    • Opcode ID: 2ce2c8e9b32057bdf8d76cacb618d56a33a96e0247c97f38fe6a216f5cdc50a7
    • Instruction ID: 9423761a86e513055ca052a0c853227fc5a6c90c50a0054ae0c9f123b77f1147
    • Opcode Fuzzy Hash: 2ce2c8e9b32057bdf8d76cacb618d56a33a96e0247c97f38fe6a216f5cdc50a7
    • Instruction Fuzzy Hash: D2018471A10119EF9B559B799C88AFFBBECFF0D310704412AFE42E2180EA299905C7A4
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 75%
    			E01045643(void* __ecx, void* __eflags) {
    				struct _SECURITY_ATTRIBUTES _v16;
    				void* __edi;
    				void* _t6;
    				long _t7;
    				void* _t14;
    				void* _t15;
    				void* _t17;
    
    				_v16.bInheritHandle = 1;
    				_v16.lpSecurityDescriptor = 0;
    				_v16.nLength = 0xc;
    				_t6 = CreateFileW(E01040060(__ecx, _t14), 0x40000000, 0,  &_v16, 4, 0x8000080, 0);
    				_t15 = _t6;
    				if(_t15 == 0xffffffff) {
    					_t7 = GetLastError();
    					 *0x10667a8 = _t7;
    					if(_t7 == 0x6e) {
    						 *0x10667a8 = 2;
    					}
    					_t17 = 0xffffffff;
    				} else {
    					__imp___open_osfhandle(_t15, 8);
    					_t17 = _t6;
    					if(_t17 == 0xffffffff) {
    						CloseHandle(_t15);
    					}
    				}
    				return _t17;
    			}










    APIs
      • Part of subcall function 01040060: wcschr.MSVCRT ref: 0104006C
    • CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,40000000,00000000,0000000C,00000004,08000080,00000000,00000000,00000000), ref: 01045678
    • _open_osfhandle.MSVCRT ref: 0104568C
    • CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 010456A2
    • GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 0105122B
    Similarity
    • API ID: CloseCreateErrorFileHandleLast_open_osfhandlewcschr
    • String ID:
    • API String ID: 22757656-0
    • Opcode ID: 9aca5736dbc92cb6dd1a9e1e21c8e17ad3062a51c01d44dbe3bcbf310e829fd6
    • Instruction ID: 0895a4c3db6281c54fda79b03e56e089fe0088af2c7d563d2cc97b42fb872695
    • Opcode Fuzzy Hash: 9aca5736dbc92cb6dd1a9e1e21c8e17ad3062a51c01d44dbe3bcbf310e829fd6
    • Instruction Fuzzy Hash: B101A2B1900210BBD7206BACAC8DB9E7BA8AB45771F104255F9A1F31D4EBB948058B90
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E010524F6(void* __ecx) {
    				void* _t20;
    				void* _t22;
    				void* _t23;
    				void** _t25;
    
    				_t23 = __ecx;
    				_t22 =  *(__ecx + 0x10);
    				_t20 = _t22 + ( *(__ecx + 0x14) & 0x0000ffff) * 0x2c;
    				if(_t22 != _t20) {
    					_t25 = _t22 + 0x24;
    					do {
    						RtlFreeHeap(GetProcessHeap(), 0,  *_t25);
    						 *_t25 =  *_t25 & 0x00000000;
    						_t25 =  &(_t25[0xb]);
    						 *(_t25 - 0x28) =  *(_t25 - 0x28) & 0x00000000;
    					} while (_t25 - 0x24 != _t20);
    					_t22 =  *(_t23 + 0x10);
    				}
    				RtlFreeHeap(GetProcessHeap(), 0, _t22);
    				 *(_t23 + 0x10) =  *(_t23 + 0x10) & 0;
    				 *((intOrPtr*)(_t23 + 0x14)) = 0;
    				return 0;
    			}







    APIs
    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,010522F8), ref: 01052514
    • RtlFreeHeap.NTDLL(00000000,?,?), ref: 0105251B
    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,010522F8), ref: 01052539
    • RtlFreeHeap.NTDLL(00000000), ref: 01052540
    Similarity
    • API ID: Heap$FreeProcess
    • String ID:
    • API String ID: 3859560861-0
    • Opcode ID: ccde2a6295c64e0ec9e88b5ffb58f1d9d396e4be3d72eec3345ecce5e12f5613
    • Instruction ID: 967d3858fe371bafdcb805583c2889c33f7de293d26c96d0b7b1744c27a3262e
    • Opcode Fuzzy Hash: ccde2a6295c64e0ec9e88b5ffb58f1d9d396e4be3d72eec3345ecce5e12f5613
    • Instruction Fuzzy Hash: 4DF06272610201EFEB249FA0E888B6AB7F8FF48352F14092DE581D7040D779E595CBA0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 44%
    			E01038B96(void* __ecx) {
    				void _t4;
    				void* _t9;
    				void* _t12;
    
    				_t9 = __ecx;
    				_t12 = HeapAlloc(GetProcessHeap(), 8, 4);
    				if(_t12 == 0) {
    					L4:
    					return 0;
    				} else {
    					_t4 = E0103A9D4();
    					 *_t12 = _t4;
    					if(_t4 == 0) {
    						RtlFreeHeap(GetProcessHeap(), 0, _t12);
    						_push(0);
    						_push(0x233a);
    						E010378E4(_t9);
    						goto L4;
    					} else {
    						return _t12;
    					}
    				}
    			}






    APIs
    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000004,?,0103885E), ref: 01038B9D
    • HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,0103885E), ref: 01038BA4
      • Part of subcall function 0103A9D4: GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,00000000,0103A9C5), ref: 0103A9D8
      • Part of subcall function 0103A9D4: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000000,00000000), ref: 0103A9F3
      • Part of subcall function 0103A9D4: RtlAllocateHeap.NTDLL(00000000), ref: 0103A9FA
      • Part of subcall function 0103A9D4: memcpy.MSVCRT ref: 0103AA09
      • Part of subcall function 0103A9D4: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000), ref: 0103AA12
    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,0103885E), ref: 0104B5B5
    • RtlFreeHeap.NTDLL(00000000,?,0103885E), ref: 0104B5BC
    Similarity
    • API ID: Heap$Process$EnvironmentFreeStrings$AllocAllocatememcpy
    • String ID:
    • API String ID: 3480822025-0
    • Opcode ID: 4dbf4966e09b06d3066161c57e436895149769654d161fe731386210d75ad68a
    • Instruction ID: 16aa7ea37b985e4c7f0fcf570903949418ba9338a35288243ed447b5cf63bf40
    • Opcode Fuzzy Hash: 4dbf4966e09b06d3066161c57e436895149769654d161fe731386210d75ad68a
    • Instruction Fuzzy Hash: 84E01B7274521197FA703BB47C0DB4A7D589B44762F194061F7C5E71C4DD69C440C7A0
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E01046860() {
    				intOrPtr* _t4;
    				intOrPtr* _t5;
    				void* _t6;
    				intOrPtr _t11;
    				intOrPtr _t12;
    
    				 *0x105e1b0 = E01046AAD();
    				__set_app_type(E01046F48(1));
    				 *0x105e52c =  *0x105e52c | 0xffffffff;
    				 *0x105e530 =  *0x105e530 | 0xffffffff;
    				_t4 = __p__fmode();
    				_t11 =  *0x105e4e0; // 0x0
    				 *_t4 = _t11;
    				_t5 = __p__commode();
    				_t12 =  *0x105e4d4; // 0x0
    				 *_t5 = _t12;
    				_t6 = E01046F90();
    				if( *0x105e0b0 == 0) {
    					__setusermatherr(E01046F90);
    				}
    				E0104718D(_t6);
    				return 0;
    			}








    APIs
      • Part of subcall function 01046F48: GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000), ref: 01046F4F
    • __set_app_type.MSVCRT ref: 01046872
    • __p__fmode.MSVCRT ref: 01046888
    • __p__commode.MSVCRT ref: 01046896
    • __setusermatherr.MSVCRT ref: 010468B7
    Similarity
    • API ID: HandleModule__p__commode__p__fmode__set_app_type__setusermatherr
    • String ID:
    • API String ID: 1632413811-0
    • Opcode ID: 0958e3321fafc84710eafbd1624ea96c64418555dbeb09ba15a6d6fc8e59ace7
    • Instruction ID: b8681a771524024f761032f0bcc3fc2be05bfb586c47361e8ca41a865cb99957
    • Opcode Fuzzy Hash: 0958e3321fafc84710eafbd1624ea96c64418555dbeb09ba15a6d6fc8e59ace7
    • Instruction Fuzzy Hash: 38F01CB4604301CFDB346F30E48965A7B65B71A321B004A2DF8E19A2D8EF7F9140CF01
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 37%
    			E01059F18() {
    				signed int _v8;
    				void* _t4;
    				int _t5;
    				void* _t7;
    				void* _t9;
    
    				_t4 =  &_v8;
    				__imp___get_osfhandle(_t4, _t9);
    				_t5 = GetConsoleMode(_t4, 1);
    				if(_t5 != 0) {
    					_t7 = _v8 & 0xfffffffb;
    					_v8 = _t7;
    					__imp___get_osfhandle(_t7);
    					return SetConsoleMode(_t7, 1);
    				}
    				return _t5;
    			}








    APIs
    • _get_osfhandle.MSVCRT ref: 01059F24
    • GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?,0105449C,?,?,00000001,?), ref: 01059F2C
    • _get_osfhandle.MSVCRT ref: 01059F42
    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,0105449C,?,?,00000001,?), ref: 01059F4A
    Similarity
    • API ID: ConsoleMode_get_osfhandle
    • String ID:
    • API String ID: 1606018815-0
    • Opcode ID: 7c137d24d2735d673a64b8a6f61d1a93ac743d3e921d700501faa5e896325956
    • Instruction ID: 8ac7824e86230c1d639452c5f68df781c3deea91dde0badfac6e6bf15ab5b842
    • Opcode Fuzzy Hash: 7c137d24d2735d673a64b8a6f61d1a93ac743d3e921d700501faa5e896325956
    • Instruction Fuzzy Hash: 79E04F71A00209FFEB209BB0E80EB9E7B6CEB44324F280545F565E70C5EFBAD9009760
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 37%
    			E01038235() {
    				void* _t1;
    				void* _t2;
    				intOrPtr _t4;
    
    				_t4 =  *0x106ca20;
    				_t1 =  *0x106ca1c;
    				 *0x10625ac = _t4;
    				 *0x10625b0 = _t1;
    				__imp___get_osfhandle(_t4);
    				_t2 = SetConsoleMode(_t1, 1);
    				__imp___get_osfhandle( *0x10625b0);
    				return SetConsoleMode(_t2, 0);
    			}






    APIs
    • _get_osfhandle.MSVCRT ref: 0103824E
    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 01038256
    • _get_osfhandle.MSVCRT ref: 01038264
    • SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 0103826C
    Similarity
    • API ID: ConsoleMode_get_osfhandle
    • String ID:
    • API String ID: 1606018815-0
    • Opcode ID: 704e8b97c95c31fb94f5c75bb2c5c54bab4afc469b97f1c6cbf8b49c6b39c09d
    • Instruction ID: 81e982192526387b3c04a1b51826b28e5aab749ff09fe2d040b76d43d19fd67c
    • Opcode Fuzzy Hash: 704e8b97c95c31fb94f5c75bb2c5c54bab4afc469b97f1c6cbf8b49c6b39c09d
    • Instruction Fuzzy Hash: EDE0B6B1A00200DFEB349BA0F62DA5D3B64F748316B084409F282931A8EB7F54008F10
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E010372C6(void** __ecx) {
    				void* _t6;
    
    				_t6 = __ecx;
    				RtlFreeHeap(GetProcessHeap(), 0,  *__ecx);
    				return RtlFreeHeap(GetProcessHeap(), 0, _t6);
    			}




    APIs
    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,0103729C), ref: 010372CF
    • RtlFreeHeap.NTDLL(00000000), ref: 010372D6
    • GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 010372DF
    • RtlFreeHeap.NTDLL(00000000), ref: 010372E6
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: Heap$FreeProcess
    • String ID:
    • API String ID: 3859560861-0
    • Opcode ID: 71c56a8d3a7d7dcbcc99464b814c0f070024f720f0bd2f2092c1cf605c64324a
    • Instruction ID: 8d8263018c4505391cd75aa52a927306219ee15e6425a80231940358fd7b13b7
    • Opcode Fuzzy Hash: 71c56a8d3a7d7dcbcc99464b814c0f070024f720f0bd2f2092c1cf605c64324a
    • Instruction Fuzzy Hash: 35D09232A05110EBEA603FA0BC0DB8A3A28EB49292F090411B285A30488ABA4800CB60
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 75%
    			E01039CC0(signed short* __ecx) {
    				intOrPtr _v8;
    				signed int _t19;
    				intOrPtr _t20;
    				void* _t21;
    				void* _t22;
    				signed int _t23;
    				signed int _t25;
    				void* _t27;
    				signed int _t33;
    				signed int _t34;
    				char* _t36;
    				signed int _t37;
    				void* _t39;
    				signed int _t42;
    				signed int _t45;
    				signed int _t46;
    				intOrPtr* _t50;
    				signed int _t54;
    				void* _t55;
    				signed int _t60;
    				signed short* _t69;
    				signed int _t70;
    				signed int _t75;
    				signed int _t76;
    				void* _t77;
    				void* _t78;
    				signed int _t81;
    				signed int _t84;
    				long _t85;
    				signed int _t86;
    				signed int _t88;
    
    				_push(__ecx);
    				_t88 = __ecx;
    				if(__ecx == 0) {
    					L17:
    					_t19 = 1;
    					L11:
    					return _t19;
    				}
    				_t20 = E0103DCD0(0xffce);
    				_v8 = _t20;
    				if(_t20 == 0) {
    					goto L17;
    				}
    				_t21 = 0x5e;
    				_t22 = E0103A62F(__ecx, _t21);
    				_t45 = 0;
    				if(_t22 != 0) {
    					_t50 = __ecx;
    					_t69 =  &(__ecx[1]);
    					do {
    						_t23 =  *_t50;
    						_t50 = _t50 + 2;
    						__eflags = _t23;
    					} while (_t23 != 0);
    					_t84 = E0103DCD0(2 + (_t50 - _t69 >> 1) * 4);
    					__eflags = _t84;
    					if(_t84 == 0) {
    						goto L17;
    					}
    					_t25 =  *__ecx & 0x0000ffff;
    					_t54 = _t84;
    					__eflags = _t25;
    					if(_t25 == 0) {
    						L27:
    						_t70 = _t84;
    						__eflags = 0;
    						 *_t54 = 0;
    						_t11 = _t70 + 2; // 0x2
    						_t55 = _t11;
    						do {
    							_t27 =  *_t70;
    							_t70 = _t70 + 2;
    							__eflags = _t27 - _t45;
    						} while (_t27 != _t45);
    						_t88 = E0103DD20(_t84, 2 + (_t70 - _t55 >> 1) * 2);
    						__eflags = _t88;
    						if(_t88 == 0) {
    							goto L17;
    						}
    						goto L3;
    					}
    					_t81 = _t25;
    					_t46 = 0x5e;
    					do {
    						 *_t54 = _t81;
    						_t88 = _t88 + 2;
    						_t54 = _t54 + 2;
    						__eflags = _t81 - _t46;
    						if(_t81 == _t46) {
    							 *_t54 = _t46;
    							_t54 = _t54 + 2;
    							__eflags = _t54;
    						}
    						_t42 =  *_t88 & 0x0000ffff;
    						_t81 = _t42;
    						__eflags = _t42;
    					} while (_t42 != 0);
    					_t45 = 0;
    					__eflags = 0;
    					goto L27;
    				}
    				L3:
    				 *0x105e570 = 1;
    				_t85 = E0103C570(1, _t88,  *0x1066778);
    				 *0x105e570 = _t45;
    				if(_t85 == 1) {
    					_t86 = E0103ACB0(_t88);
    					__eflags = _t86;
    					if(_t86 == 0) {
    						goto L17;
    					}
    					__imp___wcsupr(_t86);
    					_t60 = L" IF";
    					_t33 = _t86;
    					while(1) {
    						_t75 =  *_t33;
    						__eflags = _t75 -  *_t60;
    						if(_t75 !=  *_t60) {
    							break;
    						}
    						__eflags = _t75;
    						if(_t75 == 0) {
    							L37:
    							_t34 = _t45;
    							L39:
    							__eflags = _t34;
    							if(_t34 == 0) {
    								L48:
    								E010378E4(_t60, 0x234a, 1, _t88);
    								goto L17;
    							}
    							_t36 = L" FOR";
    							while(1) {
    								_t60 =  *_t86;
    								__eflags = _t60 -  *_t36;
    								if(_t60 !=  *_t36) {
    									break;
    								}
    								__eflags = _t60;
    								if(_t60 == 0) {
    									L47:
    									__eflags = _t45;
    									if(_t45 != 0) {
    										goto L17;
    									}
    									goto L48;
    								}
    								_t60 =  *((intOrPtr*)(_t86 + 2));
    								__eflags = _t60 - _t36[2];
    								if(_t60 != _t36[2]) {
    									break;
    								}
    								_t86 = _t86 + 4;
    								_t36 =  &(_t36[4]);
    								__eflags = _t60;
    								if(_t60 != 0) {
    									continue;
    								}
    								goto L47;
    							}
    							asm("sbb ebx, ebx");
    							_t45 = _t45 | 0x00000001;
    							__eflags = _t45;
    							goto L47;
    						}
    						_t76 =  *((intOrPtr*)(_t33 + 2));
    						__eflags = _t76 -  *((intOrPtr*)(_t60 + 2));
    						if(_t76 !=  *((intOrPtr*)(_t60 + 2))) {
    							break;
    						}
    						_t33 = _t33 + 4;
    						_t60 = _t60 + 4;
    						__eflags = _t76;
    						if(_t76 != 0) {
    							continue;
    						}
    						goto L37;
    					}
    					asm("sbb eax, eax");
    					_t34 = _t33 | 0x00000001;
    					__eflags = _t34;
    					goto L39;
    				}
    				if(_t85 == 0xffffffff) {
    					_t19 = 0;
    					goto L11;
    				}
    				if( *0x1066755 == 0 ||  *((short*)( *((intOrPtr*)(_t85 + 0x38)))) != 0x3a) {
    					_t77 = 0x2a;
    					_t37 = E0103A62F( *((intOrPtr*)(_t85 + 0x38)), _t77);
    					__eflags = _t37;
    					if(_t37 != 0) {
    						L15:
    						_t19 = E0103AD60(_t85);
    						goto L11;
    					}
    					_t78 = 0x3f;
    					__eflags = E0103A62F( *((intOrPtr*)(_t85 + 0x38)), _t78);
    					if(__eflags != 0) {
    						goto L15;
    					}
    					_t90 = _v8;
    					_t39 = E0103F410(_t85, _v8, __eflags, 0x7fe7);
    					__eflags = _t39 - 2;
    					if(_t39 == 2) {
    						goto L9;
    					}
    					goto L15;
    				} else {
    					if( *0x1066748 == 0) {
    						_push(_t45);
    						_push(0x400023aa);
    						E010378E4(1);
    						goto L17;
    					}
    					_t90 = _v8;
    					L9:
    					_t19 = E01041A47(_t85, _t90, 0x7fe7, 1);
    					if(_t19 == 0) {
    						_t19 =  *0x10665dc;
    					}
    					goto L11;
    				}
    			}

    APIs
      • Part of subcall function 0103DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0103ACD8,00000001,?,00000000,01038C23,-00000105,0105C9B0,00000240,01041E92,00000000,00000000,0104ACE0,00000000), ref: 0103DCE1
      • Part of subcall function 0103DCD0: RtlAllocateHeap.NTDLL(00000000,?,0103ACD8,00000001,?,00000000,01038C23,-00000105,0105C9B0,00000240,01041E92,00000000,00000000,0104ACE0,00000000,00000000), ref: 0103DCE8
      • Part of subcall function 0103A62F: wcschr.MSVCRT ref: 0103A635
      • Part of subcall function 0103C570: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0103C5BD
      • Part of subcall function 0103C570: RtlFreeHeap.NTDLL(00000000), ref: 0103C5C4
      • Part of subcall function 0103C570: _setjmp3.MSVCRT ref: 0103C630
    • _wcsupr.MSVCRT ref: 0104C21F
      • Part of subcall function 01041A47: memset.MSVCRT ref: 01041AE2
      • Part of subcall function 01041A47: ??_V@YAXPAX@Z.MSVCRT ref: 01041BA4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: Heap$Process$AllocateFree_setjmp3_wcsuprmemsetwcschr
    • String ID: FOR$ IF
    • API String ID: 824520502-2924197646
    • Opcode ID: a34629c4a4ef3a243992a5cee540664688817a6c0ab97deca879deac66e7e2b8
    • Instruction ID: 49f149f03218ae3b16b9ffa7ea4c6ed5033fd14f08233085a922427002dd856e
    • Opcode Fuzzy Hash: a34629c4a4ef3a243992a5cee540664688817a6c0ab97deca879deac66e7e2b8
    • Instruction Fuzzy Hash: C051377170020397EBA53B7CC5957BB22EAEFD0718B4800B5DAC6CB294FBA2D941C340
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 98%
    			E0105BED0(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
    				signed int _t69;
    				signed int _t70;
    				int _t73;
    				signed int _t78;
    				signed int _t79;
    				intOrPtr _t82;
    				signed int _t88;
    				void* _t93;
    				intOrPtr _t99;
    				signed int _t102;
    				signed int _t103;
    				intOrPtr* _t104;
    				short _t108;
    				long _t111;
    				signed int _t113;
    				signed int _t118;
    				signed int _t123;
    				signed int _t126;
    				signed int _t129;
    				void* _t130;
    				intOrPtr _t131;
    				void* _t133;
    
    				_push(0x30);
    				_push(0x105cd80);
    				E010471A8(__ebx, __edi, __esi);
    				 *((intOrPtr*)(_t133 - 0x3c)) = __edx;
    				 *((intOrPtr*)(_t133 - 0x24)) = __ecx;
    				_t69 = E0103DCD0(0x4000);
    				_t93 = _t69;
    				 *(_t133 - 0x40) = _t93;
    				if(_t93 == 0) {
    					L46:
    					 *[fs:0x0] =  *((intOrPtr*)(_t133 - 0x10));
    					return _t69;
    				}
    				_t126 = 0;
    				 *((intOrPtr*)(_t133 - 4)) = 0;
    				if( *((intOrPtr*)(_t133 + 0x14)) != 0) {
    					L4:
    					_t118 = _t126;
    					 *(_t133 - 0x2c) = _t118;
    					_t123 = _t126;
    					 *(_t133 - 0x28) = _t123;
    					_t70 = _t69 | 0xffffffff;
    					__eflags = _t70;
    					 *(_t133 - 0x1c) = _t70;
    					 *(_t133 - 0x30) = _t70;
    					 *(_t133 - 0x20) = _t126;
    					 *(_t133 - 0x34) = 0x2a;
    					while(1) {
    						 *(_t133 - 0x38) = _t126;
    						_t99 =  *((intOrPtr*)(_t133 + 8));
    						__eflags = _t126 - _t99;
    						if(_t126 >= _t99) {
    							break;
    						}
    						_t111 =  *( *((intOrPtr*)(_t133 - 0x24)) + _t126 * 2) & 0x0000ffff;
    						__eflags = _t111 - 0x2f;
    						if(_t111 != 0x2f) {
    							__eflags = _t111 - 0x22;
    							if(_t111 != 0x22) {
    								__eflags = _t118;
    								if(_t118 != 0) {
    									L17:
    									_t113 =  *( *((intOrPtr*)(_t133 - 0x24)) + _t126 * 2) & 0x0000ffff;
    									__eflags = _t113 - 0x3a;
    									if(_t113 == 0x3a) {
    										L22:
    										_t35 = _t126 + 1; // 0x1
    										_t70 = _t35;
    										 *(_t133 - 0x1c) = _t70;
    										 *(_t133 - 0x30) = _t70;
    										L23:
    										__eflags = 0;
    										 *(_t133 - 0x20) = 0;
    										L24:
    										_t126 = _t126 + 1;
    										continue;
    									}
    									__eflags = _t113 - 0x5c;
    									if(_t113 == 0x5c) {
    										goto L22;
    									}
    									__eflags = _t113 -  *(_t133 - 0x34);
    									if(_t113 ==  *(_t133 - 0x34)) {
    										L21:
    										 *(_t133 - 0x20) = 1;
    										goto L24;
    									}
    									__eflags = _t113 - 0x3f;
    									if(_t113 != 0x3f) {
    										goto L24;
    									}
    									goto L21;
    								}
    								_t88 = wcschr(L" &()[]{}^=;!%\'+,`~", _t111);
    								_t118 =  *(_t133 - 0x2c);
    								__eflags = _t88;
    								if(_t88 == 0) {
    									_t70 =  *(_t133 - 0x1c);
    									goto L17;
    								}
    								_t25 = _t126 + 1; // 0x1
    								_t123 = _t25;
    								 *(_t133 - 0x28) = _t123;
    								__eflags = 0;
    								 *(_t133 - 0x20) = 0;
    								L15:
    								_t70 =  *(_t133 - 0x1c);
    								goto L24;
    							}
    							__eflags = _t118;
    							if(_t118 == 0) {
    								_t123 = _t126;
    								 *(_t133 - 0x28) = _t123;
    							}
    							__eflags = _t118;
    							_t118 = 0 | _t118 == 0x00000000;
    							 *(_t133 - 0x2c) = _t118;
    							goto L15;
    						}
    						_t18 = _t126 + 1; // 0x1
    						_t123 = _t18;
    						 *(_t133 - 0x28) = _t123;
    						goto L23;
    					}
    					__eflags = _t70 - 0xffffffff;
    					if(_t70 == 0xffffffff) {
    						L27:
    						_t127 = _t123;
    						 *(_t133 - 0x30) = _t123;
    						L29:
    						_t73 = _t99 - _t123 + _t99 - _t123;
    						 *(_t133 - 0x34) = _t73;
    						memcpy(_t93,  *((intOrPtr*)(_t133 - 0x24)) + _t123 * 2, _t73);
    						_t78 =  *((intOrPtr*)(_t133 + 8)) - _t123;
    						__eflags =  *(_t133 - 0x20);
    						if(__eflags != 0) {
    							__eflags = 0;
    							 *((short*)(_t93 + _t78 * 2)) = 0;
    						} else {
    							_t108 = 0x2a;
    							 *((short*)(_t93 + _t78 * 2)) = _t108;
    							 *((short*)( *(_t133 - 0x34) + _t93 + 2)) = 0;
    						}
    						_t129 =  *(_t133 + 0x10);
    						_t79 = E0105BAF8(_t93, __eflags, _t129, _t127 - _t123);
    						 *0x106672c = _t79;
    						_t102 = _t79;
    						 *0x1066728 = _t102;
    						 *0x1066720 = _t123;
    						 *0x1066724 = _t129;
    						_t126 = 0;
    						__eflags = 0;
    						L33:
    						if(_t79 == 0) {
    							L45:
    							 *((intOrPtr*)(_t133 - 4)) = 0xfffffffe;
    							E0105C0F0(_t93);
    							_t69 =  *0x106672c;
    							goto L46;
    						}
    						if( *((intOrPtr*)(_t133 + 0xc)) == 0) {
    							_t103 = _t102 - 1;
    							__eflags = _t103;
    							 *0x1066728 = _t103;
    							if(_t103 >= 0) {
    								L40:
    								_t119 =  *((intOrPtr*)( *0x1079534 + _t103 * 4));
    								_t104 =  *((intOrPtr*)( *0x1079534 + _t103 * 4));
    								_t130 = _t104 + 2;
    								do {
    									_t82 =  *_t104;
    									_t104 = _t104 + 2;
    								} while (_t82 !=  *((intOrPtr*)(_t133 - 4)));
    								_t131 =  *((intOrPtr*)(_t133 - 0x3c));
    								if((_t104 - _t130 >> 1) + _t123 < _t131) {
    									__eflags = _t131 - _t123;
    									E0103F3A0( *((intOrPtr*)(_t133 - 0x24)) + _t123 * 2, _t131 - _t123, _t119);
    								} else {
    									 *0x106672c = 0;
    								}
    								goto L45;
    							}
    							_t56 = _t79 - 1; // -1
    							_t103 = _t56;
    							L39:
    							 *0x1066728 = _t103;
    							goto L40;
    						}
    						_t103 = _t102 + 1;
    						 *0x1066728 = _t103;
    						if(_t103 < _t79) {
    							goto L40;
    						}
    						_t103 = _t126;
    						goto L39;
    					}
    					__eflags = _t70 - _t123;
    					if(_t70 >= _t123) {
    						_t127 =  *(_t133 - 0x1c);
    						goto L29;
    					}
    					goto L27;
    				}
    				_t69 =  *0x1066724;
    				if(_t69 !=  *(_t133 + 0x10)) {
    					goto L4;
    				}
    				_t79 =  *0x106672c;
    				_t102 =  *0x1066728;
    				_t123 =  *0x1066720;
    				goto L33;
    			}

    APIs
      • Part of subcall function 0103DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0103ACD8,00000001,?,00000000,01038C23,-00000105,0105C9B0,00000240,01041E92,00000000,00000000,0104ACE0,00000000), ref: 0103DCE1
      • Part of subcall function 0103DCD0: RtlAllocateHeap.NTDLL(00000000,?,0103ACD8,00000001,?,00000000,01038C23,-00000105,0105C9B0,00000240,01041E92,00000000,00000000,0104ACE0,00000000,00000000), ref: 0103DCE8
    • wcschr.MSVCRT ref: 0105BF88
    • memcpy.MSVCRT ref: 0105C008
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: Heap$AllocateProcessmemcpywcschr
    • String ID: &()[]{}^=;!%'+,`~
    • API String ID: 1486391931-381716982
    • Opcode ID: 32336988059434e76f3dd7370ac9eef1361bfd44aab974fa93e8f8d47184e989
    • Instruction ID: baa9d851e914aff3ee43413b9fcdb28db8cd9bbc319d1ef458a67a658dbb0b97
    • Opcode Fuzzy Hash: 32336988059434e76f3dd7370ac9eef1361bfd44aab974fa93e8f8d47184e989
    • Instruction Fuzzy Hash: 13618D71E042198FCFA8CF68D5906AEBBF6FB48310F10416EE896A7250E776A9418F54
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 52%
    			E0103ABC0() {
    				signed int _v8;
    				short _v26;
    				char _v28;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				signed int _t9;
    				signed int _t10;
    				void _t13;
    				short _t14;
    				short _t16;
    				intOrPtr _t18;
    				intOrPtr _t27;
    				void* _t33;
    				void* _t35;
    				void* _t39;
    				void* _t41;
    				void* _t45;
    				void* _t52;
    				short _t53;
    				void* _t56;
    				void* _t58;
    				intOrPtr* _t59;
    				void* _t60;
    				void* _t62;
    				signed int _t65;
    
    				_t63 = _t65;
    				_t9 =  *0x105e0b4; // 0x6030efd1
    				_t10 = _t9 ^ _t65;
    				_v8 = _t10;
    				_t53 = 0;
    				__imp___wcsicmp(L"REM/?", 0x1074af0, _t52, _t58, _t33, _t62);
    				_t68 = _t10;
    				if(_t10 == 0) {
    					 *0x1074af6 = 0;
    					_t53 = 1;
    				}
    				_t39 = 0x2d;
    				_t59 = E0103BB90(0, _t39, _t53, _t58, _t68);
    				_t13 = 0x2f;
    				if(_t53 != 0) {
    					 *0x1074af0 = _t13;
    					_t14 = 0x3f;
    					 *0x1074af2 = _t14;
    					 *0x1074af4 = 0;
    				} else {
    					E0103CC70(0);
    				}
    				_t16 = 0x2f;
    				_v28 = _t16;
    				_push(2);
    				_v26 = 0;
    				_t18 = E0103BC30(0x1074af0,  &_v28);
    				_push(0);
    				_t51 = _t18;
    				_t41 = 0x2d;
    				if(E0103A800(_t41, _t18) != 0) {
    					 *_t59 = 0x3c;
    					 *((intOrPtr*)(_t59 + 0x38)) = 0;
    					goto L8;
    				} else {
    					_t51 = 0;
    					E0103CF10(_t19, 0, 0, 0);
    					if( *((intOrPtr*)( *0x10665cc)) == 0) {
    						L8:
    						_pop(_t56);
    						_pop(_t60);
    						_pop(_t35);
    						return E01046B30(_t59, _t35, _v8 ^ _t63, _t51, _t56, _t60);
    					} else {
    						_t45 = 0x20;
    						if(E0103CC70(_t45) != 0x4000) {
    							_t51 = 0;
    							E0103CF10(_t24, 0, 0, 0);
    							goto L8;
    						} else {
    							_t27 = E0103DCD0( *0x10666fc +  *0x10666fc);
    							if(_t27 == 0) {
    								E01059922();
    								__imp__longjmp(0x1070a30, 1);
    								asm("int3");
    								__eflags = _t59;
    								if(_t59 != 0) {
    									 *((short*)(0)) = 0;
    								}
    								return 0;
    							} else {
    								_t51 =  *0x10666fc;
    								 *((intOrPtr*)(_t59 + 0x3c)) = _t27;
    								E0103F3A0(_t27,  *0x10666fc, 0x1074af0);
    								goto L8;
    							}
    						}
    					}
    				}
    			}

    APIs
    • _wcsicmp.MSVCRT ref: 0103ABE3
      • Part of subcall function 0103BC30: wcschr.MSVCRT ref: 0103BCA7
      • Part of subcall function 0103BC30: iswspace.MSVCRT ref: 0103BD1D
      • Part of subcall function 0103BC30: wcschr.MSVCRT ref: 0103BD39
      • Part of subcall function 0103BC30: wcschr.MSVCRT ref: 0103BD5D
      • Part of subcall function 0103CF10: _setjmp3.MSVCRT ref: 0103CF28
      • Part of subcall function 0103CF10: iswspace.MSVCRT ref: 0103CF6B
      • Part of subcall function 0103CF10: wcschr.MSVCRT ref: 0103CF8D
      • Part of subcall function 0103CF10: iswdigit.MSVCRT ref: 0103CFEE
      • Part of subcall function 0103DCD0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,0103ACD8,00000001,?,00000000,01038C23,-00000105,0105C9B0,00000240,01041E92,00000000,00000000,0104ACE0,00000000), ref: 0103DCE1
      • Part of subcall function 0103DCD0: RtlAllocateHeap.NTDLL(00000000,?,0103ACD8,00000001,?,00000000,01038C23,-00000105,0105C9B0,00000240,01041E92,00000000,00000000,0104ACE0,00000000,00000000), ref: 0103DCE8
    • longjmp.MSVCRT(01070A30,00000001,00000000,00000000,00000002), ref: 0104CB58
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: wcschr$Heapiswspace$AllocateProcess_setjmp3_wcsicmpiswdigitlongjmp
    • String ID: REM/?
    • API String ID: 2926075608-4093888634
    • Opcode ID: c59886e39eb94c007aca465c557833b02fa3d822037048f72b2f5686aa610516
    • Instruction ID: 2c17e55722aa5577c4795c8dedb3a741c03d96b9aef22155798f78ada4705c70
    • Opcode Fuzzy Hash: c59886e39eb94c007aca465c557833b02fa3d822037048f72b2f5686aa610516
    • Instruction Fuzzy Hash: C131C671720306EBE724EB79A955B6B73ADEFC0210F14583ED5C2DB184DEB6C8448355
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 69%
    			E01055679(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
    				long _t23;
    				intOrPtr* _t24;
    				intOrPtr* _t33;
    				long _t34;
    				int _t37;
    				signed int _t60;
    				long _t65;
    				void* _t67;
    
    				_push(0x1c);
    				_push(0x105cd40);
    				E010471A8(__ebx, __edi, __esi);
    				 *((intOrPtr*)(_t67 - 0x2c)) = __ecx;
    				_t62 = 0;
    				 *((intOrPtr*)(_t67 - 0x24)) = 0;
    				_t37 = 0;
    				 *((intOrPtr*)(_t67 - 0x28)) = 0;
    				_t23 = RegOpenKeyExW(0x80000002, L"Software\\Classes", 0, 0x2000000, _t67 - 0x20);
    				_t65 = _t23;
    				 *(_t67 - 0x1c) = _t65;
    				if(_t65 == 0) {
    					_push(3);
    					_t24 = E0103BC30( *((intOrPtr*)( *((intOrPtr*)(_t67 - 0x2c)) + 0x3c)), "=");
    					 *((intOrPtr*)(_t67 - 0x2c)) = _t24;
    					 *((intOrPtr*)(_t67 - 4)) = 0;
    					if( *_t24 != 0) {
    						_t62 = E0103ACB0(E01040060(_t24, 0));
    						 *((intOrPtr*)(_t67 - 0x24)) = _t62;
    						__eflags = _t62;
    						if(_t62 != 0) {
    							_t49 =  *(E0103A7D5( *((intOrPtr*)(_t67 - 0x2c)))) & 0x0000ffff;
    							__eflags = _t49;
    							if(_t49 != 0) {
    								__eflags = _t49 - 0x3d;
    								if(_t49 == 0x3d) {
    									 *((intOrPtr*)(_t67 - 0x2c)) = E0103A7D5(_t29);
    									_t37 = E0103ACB0(E01040060(_t30, _t62));
    									 *((intOrPtr*)(_t67 - 0x28)) = _t37;
    									__eflags = _t37;
    									if(_t37 != 0) {
    										_t33 = E0103A7D5( *((intOrPtr*)(_t67 - 0x2c)));
    										_t49 = 0;
    										__eflags =  *_t33;
    										if(__eflags == 0) {
    											_t34 = E010564DB(_t37,  *(_t67 - 0x20), _t62, _t62, _t65, __eflags, _t37);
    											goto L14;
    										} else {
    											_push(0);
    											goto L9;
    										}
    									}
    								} else {
    									_push(0);
    									L9:
    									_push(0x232a);
    									E010378E4(_t49);
    								}
    							} else {
    								_t60 = _t62;
    								goto L3;
    							}
    						}
    					} else {
    						_t60 = 0;
    						L3:
    						_t34 = E010557A8( *(_t67 - 0x20), _t60);
    						L14:
    						_t65 = _t34;
    						 *(_t67 - 0x1c) = _t65;
    					}
    					 *((intOrPtr*)(_t67 - 4)) = 0xfffffffe;
    					E01055799(_t37, _t62);
    					RegCloseKey( *(_t67 - 0x20));
    					_t23 = _t65;
    				}
    				 *[fs:0x0] =  *((intOrPtr*)(_t67 - 0x10));
    				return _t23;
    			}

    APIs
    • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Classes,00000000,02000000,?,0105CD40,0000001C,01056901), ref: 010556A8
      • Part of subcall function 0103BC30: wcschr.MSVCRT ref: 0103BCA7
      • Part of subcall function 0103BC30: iswspace.MSVCRT ref: 0103BD1D
      • Part of subcall function 0103BC30: wcschr.MSVCRT ref: 0103BD39
      • Part of subcall function 0103BC30: wcschr.MSVCRT ref: 0103BD5D
    • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000003), ref: 01055778
      • Part of subcall function 010564DB: RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,0105CD00,00000018,?,?,0104BFD6), ref: 0105650F
      • Part of subcall function 010564DB: RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,00000000,00000000,00000001,?,00000000,?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,0105CD00), ref: 01056545
      • Part of subcall function 010564DB: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(00000000,?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,0105CD00,00000018,?,?,0104BFD6), ref: 01056553
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: wcschr$Close$CreateOpenValueiswspace
    • String ID: Software\Classes
    • API String ID: 1047774138-1656466771
    • Opcode ID: dcab2e3b392096430284c10f35c14ff8ea2d2476a5d1a44a640fdfe2131333a5
    • Instruction ID: ce73814cfd436bea6ecbfe146b661339f89982069fcee8e6c405382eb92faf6b
    • Opcode Fuzzy Hash: dcab2e3b392096430284c10f35c14ff8ea2d2476a5d1a44a640fdfe2131333a5
    • Instruction Fuzzy Hash: 7F317271F14319CBDB98ABA8EC916EE77F5BF88610F14406ED582FB290EE7558008B60
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 65%
    			E01055E03(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
    				long _t23;
    				intOrPtr* _t24;
    				intOrPtr* _t32;
    				long _t33;
    				char* _t36;
    				short* _t58;
    				long _t63;
    				void* _t65;
    
    				_push(0x1c);
    				_push(0x105cce0);
    				E010471A8(__ebx, __edi, __esi);
    				 *((intOrPtr*)(_t65 - 0x2c)) = __ecx;
    				_t60 = 0;
    				 *((intOrPtr*)(_t65 - 0x24)) = 0;
    				_t36 = 0;
    				 *((intOrPtr*)(_t65 - 0x28)) = 0;
    				_t23 = RegOpenKeyExW(0x80000002, L"Software\\Classes", 0, 0x2000000, _t65 - 0x20);
    				_t63 = _t23;
    				 *(_t65 - 0x1c) = _t63;
    				if(_t63 == 0) {
    					_push(3);
    					_t24 = E0103BC30( *((intOrPtr*)( *((intOrPtr*)(_t65 - 0x2c)) + 0x3c)), "=");
    					 *((intOrPtr*)(_t65 - 0x2c)) = _t24;
    					 *((intOrPtr*)(_t65 - 4)) = 0;
    					if( *_t24 != 0) {
    						_t60 = E0103ACB0(E01040060(_t24, 0));
    						 *((intOrPtr*)(_t65 - 0x24)) = _t60;
    						if(_t60 != 0) {
    							_t48 =  *(E0103A7D5( *((intOrPtr*)(_t65 - 0x2c)))) & 0x0000ffff;
    							if(_t48 != 0) {
    								if(_t48 == 0x3d) {
    									 *((intOrPtr*)(_t65 - 0x2c)) = E0103A7D5(_t29);
    									_t36 = E0103ACB0(_t30);
    									 *((intOrPtr*)(_t65 - 0x28)) = _t36;
    									if(_t36 != 0) {
    										_t32 = E0103A7D5( *((intOrPtr*)(_t65 - 0x2c)));
    										_t48 = 0;
    										if( *_t32 == 0) {
    											_t33 = E01056650( *(_t65 - 0x20), _t60, _t36);
    											goto L14;
    										} else {
    											_push(0);
    											goto L9;
    										}
    									}
    								} else {
    									_push(0);
    									L9:
    									_push(0x232a);
    									E010378E4(_t48);
    								}
    							} else {
    								_t58 = _t60;
    								goto L3;
    							}
    						}
    					} else {
    						_t58 = 0;
    						L3:
    						_t33 = E01055948( *(_t65 - 0x20), _t58);
    						L14:
    						_t63 = _t33;
    						 *(_t65 - 0x1c) = _t63;
    					}
    					 *((intOrPtr*)(_t65 - 4)) = 0xfffffffe;
    					E01055F1C(_t36, _t60);
    					RegCloseKey( *(_t65 - 0x20));
    					_t23 = _t63;
    				}
    				 *[fs:0x0] =  *((intOrPtr*)(_t65 - 0x10));
    				return _t23;
    			}












    APIs
    • RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Classes,00000000,02000000,?,0105CCE0,0000001C,01056931), ref: 01055E32
      • Part of subcall function 0103BC30: wcschr.MSVCRT ref: 0103BCA7
      • Part of subcall function 0103BC30: iswspace.MSVCRT ref: 0103BD1D
      • Part of subcall function 0103BC30: wcschr.MSVCRT ref: 0103BD39
      • Part of subcall function 0103BC30: wcschr.MSVCRT ref: 0103BD5D
    • RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000003), ref: 01055EFB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: wcschr$CloseOpeniswspace
    • String ID: Software\Classes
    • API String ID: 2439148603-1656466771
    • Opcode ID: 3c2a99c6783faf67ea9b8126eb9ff065c43860b39493c25059e3409eda541436
    • Instruction ID: 6e8762fddb60575989a71d614822ad9a7f2288a39a3602a2a788af274bc2ac7d
    • Opcode Fuzzy Hash: 3c2a99c6783faf67ea9b8126eb9ff065c43860b39493c25059e3409eda541436
    • Instruction Fuzzy Hash: 6731A171F14219CBDB99EFA8CC416EE77B9AF88710F10802ED486B7290EA715C00DB64
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0103AD26(long __eax, intOrPtr* __ecx) {
    				intOrPtr _v8;
    				signed int _v12;
    				long _t13;
    				intOrPtr _t14;
    				short _t21;
    				intOrPtr* _t26;
    				intOrPtr* _t29;
    				WCHAR* _t35;
    				long _t40;
    				intOrPtr _t43;
    				short* _t44;
    				WCHAR* _t47;
    				void* _t48;
    				WCHAR* _t49;
    
    				_t13 = __eax;
    				_t26 = __ecx;
    				if(__ecx != 0 &&  *0x1066748 == 0 &&  *0x1066758 == 0) {
    					_t13 = E0103DCD0(0x20c);
    					_t47 = _t13;
    					if(_t47 != 0) {
    						_t13 = GetConsoleTitleW(_t47, 0x104);
    						_t40 = _t13;
    						if(_t40 != 0) {
    							_v12 = _v12 & 0x00000000;
    							_t29 = _t26;
    							_t3 = _t29 + 2; // 0x2
    							_t48 = _t3;
    							do {
    								_t14 =  *_t29;
    								_t29 = _t29 + 2;
    							} while (_t14 != _v12);
    							_v8 =  *0x1066718 + (_t29 - _t48 >> 1) + _t40 + 0xa;
    							_t49 = E0103DD20(_t47,  *0x1066718 + (_t29 - _t48 >> 1) + _t40 + 0xa +  *0x1066718 + (_t29 - _t48 >> 1) + _t40 + 0xa);
    							if(_t49 == 0) {
    								L16:
    								return E0103DC60(_t47);
    							}
    							_t47 = _t49;
    							_t43 = _v8;
    							if( *0x106675c == 0) {
    								E0103FC40(_t49, _t43, L" - ");
    								_t35 = _t49;
    								_t10 =  &(_t35[1]); // 0x2
    								_t44 = _t10;
    								do {
    									_t21 =  *_t35;
    									_t35 =  &(_t35[1]);
    								} while (_t21 != _v12);
    								 *0x1066718 = _t35 - _t44 >> 1;
    								E0103FC40(_t49, _v8, _t26);
    								 *0x106675c = 1;
    								L15:
    								SetConsoleTitleW(_t49);
    								goto L16;
    							}
    							E0103F3A0( &(_t49[ *0x1066718]), _t43 -  *0x1066718, _t26);
    							goto L15;
    						}
    					}
    				}
    				return _t13;
    			}


















    APIs
    • GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(00000000,00000104,?,00000000,00000000,?,?,0103B11F), ref: 0104CB8B
    • SetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(00000000,00000000, - ,?,00000000,00000000,?), ref: 0104CC2D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: ConsoleTitle
    • String ID: -
    • API String ID: 3358957663-3695764949
    • Opcode ID: 5543c75851eac4acff57bf32983504ebd47980f569a87a13cc5163bd0f445f37
    • Instruction ID: 9386ea53340bfe628be6e07dcd07f3e522b77faa5547419c7df11a4200cc1b41
    • Opcode Fuzzy Hash: 5543c75851eac4acff57bf32983504ebd47980f569a87a13cc5163bd0f445f37
    • Instruction Fuzzy Hash: 322129717001059BD726A76DD4987BE7BEAEBC4301F18406CD9C39B258EE7E994287C1
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 85%
    			E01058AA0(void* __ecx, void* __edx, signed int _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a52) {
    				void* _t14;
    				void* _t26;
    				void* _t31;
    
    				_t26 = __edx;
    				_t25 = __ecx;
    				_push(__ecx);
    				_push(__ecx);
    				if((_a4 | _a8) == 0) {
    					_t31 = 0x64;
    				} else {
    					_t31 = E01047DF0(E01047EA0(_a12, _a16, 0x64, 0), _t26, _a4, _a8);
    				}
    				_t23 = L"%3d";
    				E01039ABF(0x1078e30, 0x104, L"%3d", _t31);
    				E010363BD(_t25, 0x40002722, 1, 0x1078e30);
    				if( *0x106259c == 0) {
    					_t14 = 0;
    				} else {
    					E01039ABF(0x1078e30, 0x104, _t23, _t31);
    					E010363BD(_t25, 0x40002722, 1, 0x1078e30);
    					printf("\n");
    					_t14 = (0 | _a52 != 0x00000000) + 1;
    				}
    				return _t14;
    			}







    APIs
    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01058AC9
    • printf.MSVCRT ref: 01058B24
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@printf
    • String ID: %3d
    • API String ID: 2845598586-2138283368
    • Opcode ID: 8519acb6138c36b4c84cea7628d3ba434e699a8e579519fcff05d7951af8e099
    • Instruction ID: 641cb1e4c52248f7560fa5e36b0692020442c690cbe5165bd1b8ff232f87baeb
    • Opcode Fuzzy Hash: 8519acb6138c36b4c84cea7628d3ba434e699a8e579519fcff05d7951af8e099
    • Instruction Fuzzy Hash: DB012DB1610105BBFB216E968C86FEB3AADDBD4BA4F048415FF85A9080D7B69C50C771
    Uniqueness

    Uniqueness Score: -1.00%

    C-Code - Quality: 100%
    			E0103AB7F(signed short* __ecx) {
    				long _t9;
    				signed short* _t11;
    
    				_t11 = __ecx;
    				if(__ecx != 0) {
    					while(1) {
    						_t9 =  *_t11 & 0x0000ffff;
    						if(iswspace(_t9) != 0) {
    							goto L6;
    						}
    						L3:
    						if(wcschr(L"=,;", _t9) != 0) {
    							if(_t9 == 0) {
    								goto L4;
    							} else {
    								L7:
    								_t11 =  &(_t11[1]);
    								continue;
    							}
    							L10:
    						}
    						L4:
    						goto L5;
    						L6:
    						if(_t9 == 0xa) {
    							goto L3;
    						} else {
    							goto L7;
    						}
    						goto L5;
    					}
    				}
    				L5:
    				return _t11;
    				goto L10;
    			}






    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.523904562.0000000001031000.00000020.00020000.sdmp, Offset: 01030000, based on PE: true
    • Associated: 00000000.00000002.523890421.0000000001030000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524042929.000000000105E000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524052280.0000000001070000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.524067593.000000000107A000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.524103900.000000000107E000.00000002.00020000.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_1030000_cmd.jbxd
    Similarity
    • API ID: iswspacewcschr
    • String ID: =,;
    • API String ID: 287713880-1539845467
    • Opcode ID: 5bcffee915ae5a8390b44c331c10575e5020217a8ee7007ca6828fb5440c69ba
    • Instruction ID: 8012d8d25391592783a686c8e183690b26e0bc128fbda29535b2f84f6110b0e4
    • Opcode Fuzzy Hash: 5bcffee915ae5a8390b44c331c10575e5020217a8ee7007ca6828fb5440c69ba
    • Instruction Fuzzy Hash: 9CE04F33B04562EAD67D055EBC1887BA6DF9ED7A6131A089BF9C4E7106E7A5484082A0
    Uniqueness

    Uniqueness Score: -1.00%